rpms/kernel/F-11 fnctl-f_modown-should-call-write_lock_irqsave-restore.patch, NONE, 1.1.2.1 tty-fix-race-in-tty_fasync.patch, NONE, 1.1.2.1 kernel.spec, 1.1784.2.8, 1.1784.2.9

Chuck Ebbert cebbert at fedoraproject.org
Sat Jan 30 19:38:12 UTC 2010


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19751

Modified Files:
      Tag: private-fedora-11-2_6_30
	kernel.spec 
Added Files:
      Tag: private-fedora-11-2_6_30
	fnctl-f_modown-should-call-write_lock_irqsave-restore.patch 
	tty-fix-race-in-tty_fasync.patch 
Log Message:
kernel: tty->pgrp races (#559100)

fnctl-f_modown-should-call-write_lock_irqsave-restore.patch:
 fcntl.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- NEW FILE fnctl-f_modown-should-call-write_lock_irqsave-restore.patch ---
From b04da8bfdfbbd79544cab2fadfdc12e87eb01600 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh at suse.de>
Date: Tue, 26 Jan 2010 15:04:02 -0800
Subject: fnctl: f_modown should call write_lock_irqsave/restore

From: Chuck Ebbert <cebbert at redhat.com>
[ backport to 2.6.30 ]

commit b04da8bfdfbbd79544cab2fadfdc12e87eb01600 upstream.

Commit 703625118069f9f8960d356676662d3db5a9d116 exposed that f_modown()
should call write_lock_irqsave instead of just write_lock_irq, because
a caller could have a spinlock held and it would not be good to
re-enable interrupts.

Cc: Eric W. Biederman <ebiederm at xmission.com>
Cc: Al Viro <viro at ZenIV.linux.org.uk>
Cc: Alan Cox <alan at lxorguk.ukuu.org.uk>
Cc: Tavis Ormandy <taviso at google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>

---
 fs/fcntl.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -200,7 +200,9 @@ static int setfl(int fd, struct file * f
 static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
                      uid_t uid, uid_t euid, int force)
 {
-	write_lock_irq(&filp->f_owner.lock);
+	unsigned long flags;
+
+	write_lock_irqsave(&filp->f_owner.lock, flags);
 	if (force || !filp->f_owner.pid) {
 		put_pid(filp->f_owner.pid);
 		filp->f_owner.pid = get_pid(pid);
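Review bot: the switch to write_lock_irqsave() in this hunk is required by the companion tty patch, not optional cleanup: tty_fasync() now calls __f_setown() while holding tty->ctrl_lock with interrupts already disabled, so the old write_lock_irq()/write_unlock_irq() pair would unconditionally re-enable interrupts on unlock while ctrl_lock is still held. Since f_owner.lock is now taken nested inside ctrl_lock, it is worth confirming no other path takes the two locks in the opposite order; the visible lines do not show one, but the nesting is new.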
@@ -208,7 +210,7 @@ static void f_modown(struct file *filp, 
 		filp->f_owner.uid = uid;
 		filp->f_owner.euid = euid;
 	}
-	write_unlock_irq(&filp->f_owner.lock);
+	write_unlock_irqrestore(&filp->f_owner.lock, flags);
 }
 
 int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
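Review bot: the write_unlock_irqrestore() in this hunk correctly pairs with the irqsave in the first hunk, but lines 203-210 of the function are not in the diff, so please confirm there is no early return or second unlock in the unshown body that still uses write_unlock_irq(); a missed one would leave interrupts enabled under the caller's spinlock exactly as before.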

tty-fix-race-in-tty_fasync.patch:
 tty_io.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE tty-fix-race-in-tty_fasync.patch ---
From 703625118069f9f8960d356676662d3db5a9d116 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh at suse.de>
Date: Thu, 17 Dec 2009 07:07:19 -0800
Subject: tty: fix race in tty_fasync

From: Greg Kroah-Hartman <gregkh at suse.de>

commit 703625118069f9f8960d356676662d3db5a9d116 upstream.

We need to keep the lock held over the call to __f_setown() to
prevent a PID race.

Thanks to Al Viro for pointing out the problem, and to Tavis for
making us look here in the first place.

Cc: Eric W. Biederman <ebiederm at xmission.com>
Cc: Al Viro <viro at ZenIV.linux.org.uk>
Cc: Alan Cox <alan at lxorguk.ukuu.org.uk>
Cc: Linus Torvalds <torvalds at linux-foundation.org>
Cc: Tavis Ormandy <taviso at google.com>
Cc: Jeff Dike <jdike at addtoit.com>
Cc: Julien Tinnes <jln at google.com>
Cc: Matt Mackall <mpm at selenic.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 drivers/char/tty_io.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -1930,8 +1930,8 @@ static int tty_fasync(int fd, struct fil
 			pid = task_pid(current);
 			type = PIDTYPE_PID;
 		}
-		spin_unlock_irqrestore(&tty->ctrl_lock, flags);
 		retval = __f_setown(filp, pid, type, 0);
+		spin_unlock_irqrestore(&tty->ctrl_lock, flags);
 		if (retval)
 			goto out;
 	} else {
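Review bot: moving spin_unlock_irqrestore() below the __f_setown() call closes the window in which `pid` (taken from tty->pgrp a few lines above) could be changed or freed between reading it under ctrl_lock and handing it to __f_setown(), which is the PID race the log message describes. The cost is that __f_setown() and f_modown() now run with a spinlock held and interrupts off, so this hunk depends on the fcntl.c change to write_lock_irqsave(); applying this patch without that one reintroduces the interrupt-enable bug the other commit message warns about. The `if (retval) goto out;` path now runs after the unlock, so the `out` label does not need to drop ctrl_lock.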


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1784.2.8
retrieving revision 1.1784.2.9
diff -u -p -r1.1784.2.8 -r1.1784.2.9
--- kernel.spec	30 Jan 2010 17:00:42 -0000	1.1784.2.8
+++ kernel.spec	30 Jan 2010 19:38:11 -0000	1.1784.2.9
@@ -868,6 +868,9 @@ Patch16513: e1000-e1000e-don-t-use-small
 # cve-2009-4537
 Patch16514: linux-2.6-net-r8169-improved-rx-length-check-errors.patch
 
+Patch16515: tty-fix-race-in-tty_fasync.patch
+Patch16516: fnctl-f_modown-should-call-write_lock_irqsave-restore.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
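Review bot: the two new Patch entries in this hunk carry no comment, while the neighbouring entry is annotated `# cve-2009-4537`; add a matching `# rhbz #559100` (the bug named in the log message) above Patch16515 so the reason for carrying these backports is visible in the spec, not only in the changelog.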
@@ -1631,6 +1634,9 @@ ApplyPatch e1000-e1000e-don-t-use-small-
 # cve-2009-4537
 ApplyPatch linux-2.6-net-r8169-improved-rx-length-check-errors.patch
 
+ApplyPatch tty-fix-race-in-tty_fasync.patch
+ApplyPatch fnctl-f_modown-should-call-write_lock_irqsave-restore.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
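Review bot: the ApplyPatch order here (tty first, then fnctl) matches the Patch numbering, but the two are not independent: per the fnctl commit message, the tty change is what makes __f_setown() run under a held spinlock, so neither patch should be dropped or reverted on its own. A one-line comment noting that they go together would save the next person from removing one.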
@@ -2219,6 +2225,9 @@ fi
 # and build.
 
 %changelog
+* Sat Jan 30 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.30.10-105.2.9
+- kernel: tty->pgrp races (#559100)
+
 * Sat Jan 30 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.30.10-105.2.8
 - CVE-2009-4537 kernel: r8169 issue reported at 26c3
   (fix taken from Red Hat/CentOS 5.4)