--- git/kernel-source/kernel-source.changes 2009-06-18 00:52:07.000000000 +0200 +++ package/kernel-source.changes 2009-02-12 10:21:30.000000000 +0100 @@ -1,4 +1,27 @@ ------------------------------------------------------------------- +Wed Feb 11 20:22:21 CET 2009 - gregkh@suse.de + +- bugfix for the bugfix for the bugfix: patches.fixes/kabi-hack-for-scm_work_list-in-struct-task_struct.patch: + KABI: hack for scm_work_list in struct task_struct. + +------------------------------------------------------------------- +Wed Feb 11 20:06:03 CET 2009 - gregkh@suse.de + +- bugfix for: patches.fixes/kabi-hack-for-scm_work_list-in-struct-task_struct.patch: + KABI: hack for scm_work_list in struct task_struct. + +------------------------------------------------------------------- +Tue Feb 10 06:06:50 CET 2009 - gregkh@suse.de + +- patches.fixes/net-fix-recursive-descent-in-__scm_destroy.patch: + net: Fix recursive descent in __scm_destroy() (CVE-2008-5029) + (bnc#442364). +- patches.fixes/kabi-hack-for-scm_work_list-in-struct-task_struct.patch: + KABI: hack for scm_work_list in struct task_struct. +- patches.fixes/kabi-turn-off-kabi-check-for-struct-scm_fp_list-change.patch: + KABI: turn off kabi check for struct scm_fp_list change. + +------------------------------------------------------------------- Fri Jan 16 15:12:26 CET 2009 - jkosina@suse.de - patches.fixes/nfs-cleanup_rpc_wakeup_fix: NFS: Fix Oops in diff -ruN -x CVS -x '*.changes' git/kernel-source/patches.fixes/kabi-hack-for-scm_work_list-in-struct-task_struct.patch package/patches.fixes/kabi-hack-for-scm_work_list-in-struct-task_struct.patch --- git/kernel-source/patches.fixes/kabi-hack-for-scm_work_list-in-struct-task_struct.patch 1970-01-01 01:00:00.000000000 +0100 +++ package/patches.fixes/kabi-hack-for-scm_work_list-in-struct-task_struct.patch 2009-02-12 10:19:50.000000000 +0100 @@ -0,0 +1,191 @@ +Date: Mon, 09 Feb 2009 20:53:59 -0800 +From: Greg Kroah-Hartman <gregkh@suse.de> +Subject: KABI: hack for scm_work_list in struct task_struct +Patch-mainline: never + +This KABI patch is needed due to the addition of the scm_work_list field to +struct task_struct in the security fix in +patches.fixes/net-fix-recursive-descent-in-__scm_destroy.patch + +The idea for this, and the majority of the patch came from a patch from Neil +Horman <nhorman@redhat.com> that did the same hack for RHEL5 in order to +address the kabi issue that the ia64 platform had with this change. + +This patch should be removed in SLE10 SP3 + +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/exec.c | 4 ++-- + include/linux/sched.h | 12 +++++++++++- + kernel/fork.c | 22 ++++++++++++++++++---- + net/core/scm.c | 8 ++++---- + 4 files changed, 35 insertions(+), 11 deletions(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1396,7 +1396,7 @@ static void zap_threads (struct mm_struc + { + struct task_struct *g, *p; + struct task_struct *tsk = current; +- struct completion *vfork_done = tsk->vfork_done; ++ struct completion *vfork_done = task_aux(tsk)->vfork_done; + int traced = 0; + + /* +@@ -1404,7 +1404,7 @@ static void zap_threads (struct mm_struc + * otherwise we can deadlock when we wait on each other + */ + if (vfork_done) { +- tsk->vfork_done = NULL; ++ task_aux(tsk)->vfork_done = NULL; + complete(vfork_done); + } + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -763,6 +763,13 @@ static inline void prefetch_stack(struct + struct audit_context; /* See audit.c */ + struct mempolicy; + ++/* auxilliary task structure to avoid KABI breakage */ ++struct task_struct_aux { ++ struct completion *vfork_done; /* for vfork() [displaced from task_struct] */ ++ struct list_head *scm_work_list; /* displaced from task_struct for abi compat */ ++}; ++#define task_aux(tsk) ((tsk)->auxilliary) ++ + struct task_struct { + volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */ + struct thread_info *thread_info; +@@ -833,7 +840,11 @@ struct task_struct { + /* PID/PID hash table linkage. */ + struct pid pids[PIDTYPE_MAX]; + ++#ifndef __GENKSYMS__ ++ struct task_struct_aux *auxilliary; /* KABI-resistant auxilliary task data */ ++#else + struct completion *vfork_done; /* for vfork() */ ++#endif + int __user *set_child_tid; /* CLONE_CHILD_SETTID */ + int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */ + +@@ -959,7 +970,6 @@ struct task_struct { + + /* TASK_UNMAPPED_BASE */ + unsigned long map_base; +- struct list_head *scm_work_list; + }; + + static inline pid_t process_group(struct task_struct *tsk) +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -107,6 +107,7 @@ static kmem_cache_t *mm_cachep; + + void free_task(struct task_struct *tsk) + { ++ kfree(task_aux(tsk)); + free_thread_info(tsk->thread_info); + free_task_struct(tsk); + } +@@ -138,8 +139,11 @@ void __put_task_struct_cb(struct rcu_hea + } + EXPORT_SYMBOL(__put_task_struct_cb); + ++static struct task_struct_aux init_task_aux; ++ + void __init fork_init(unsigned long mempages) + { ++ task_aux(current) = &init_task_aux; + #ifndef __HAVE_ARCH_TASK_STRUCT_ALLOCATOR + #ifndef ARCH_MIN_TASKALIGN + #define ARCH_MIN_TASKALIGN L1_CACHE_BYTES +@@ -174,6 +178,7 @@ void __init fork_init(unsigned long memp + + static struct task_struct *dup_task_struct(struct task_struct *orig) + { ++ struct task_struct_aux *aux; + struct task_struct *tsk; + struct thread_info *ti; + +@@ -189,9 +194,18 @@ static struct task_struct *dup_task_stru + return NULL; + } + ++ aux = kmalloc(sizeof(*aux), GFP_KERNEL); ++ if (!aux) { ++ free_thread_info(ti); ++ free_task_struct(tsk); ++ return NULL; ++ } ++ + *tsk = *orig; ++ *aux = *task_aux(orig); + tsk->thread_info = ti; + setup_thread_stack(tsk, orig); ++ task_aux(tsk) = aux; + + /* One for us, one for whoever does the "release_task()" (usually parent) */ + atomic_set(&tsk->usage,2); +@@ -441,14 +455,14 @@ EXPORT_SYMBOL_GPL(get_task_mm); + */ + void mm_release(struct task_struct *tsk, struct mm_struct *mm) + { +- struct completion *vfork_done = tsk->vfork_done; ++ struct completion *vfork_done = task_aux(tsk)->vfork_done; + + /* Get rid of any cached register state */ + deactivate_mm(tsk, mm); + + /* notify parent sleeping on vfork() */ + if (vfork_done) { +- tsk->vfork_done = NULL; ++ task_aux(tsk)->vfork_done = NULL; + complete(vfork_done); + } + if (tsk->clear_child_tid && atomic_read(&mm->mm_users) > 1) { +@@ -1003,7 +1017,7 @@ static task_t *copy_process(unsigned lon + + INIT_LIST_HEAD(&p->children); + INIT_LIST_HEAD(&p->sibling); +- p->vfork_done = NULL; ++ task_aux(p)->vfork_done = NULL; + spin_lock_init(&p->alloc_lock); + spin_lock_init(&p->proc_lock); + +@@ -1350,7 +1364,7 @@ long do_fork(unsigned long clone_flags, + struct completion vfork; + + if (clone_flags & CLONE_VFORK) { +- p->vfork_done = &vfork; ++ task_aux(p)->vfork_done = &vfork; + init_completion(&vfork); + } + +--- a/net/core/scm.c ++++ b/net/core/scm.c +@@ -105,12 +105,12 @@ void __scm_destroy(struct scm_cookie *sc + + if (fpl) { + scm->fp = NULL; +- if (current->scm_work_list) { +- list_add_tail(&fpl->list, current->scm_work_list); ++ if (task_aux(current)->scm_work_list) { ++ list_add_tail(&fpl->list, task_aux(current)->scm_work_list); + } else { + LIST_HEAD(work_list); + +- current->scm_work_list = &work_list; ++ task_aux(current)->scm_work_list = &work_list; + + list_add(&fpl->list, &work_list); + while (!list_empty(&work_list)) { +@@ -122,7 +122,7 @@ void __scm_destroy(struct scm_cookie *sc + kfree(fpl); + } + +- current->scm_work_list = NULL; ++ task_aux(current)->scm_work_list = NULL; + } + } + } diff -ruN -x CVS -x '*.changes' git/kernel-source/patches.fixes/kabi-turn-off-kabi-check-for-struct-scm_fp_list-change.patch package/patches.fixes/kabi-turn-off-kabi-check-for-struct-scm_fp_list-change.patch --- git/kernel-source/patches.fixes/kabi-turn-off-kabi-check-for-struct-scm_fp_list-change.patch 1970-01-01 01:00:00.000000000 +0100 +++ package/patches.fixes/kabi-turn-off-kabi-check-for-struct-scm_fp_list-change.patch 2009-02-12 10:19:35.000000000 +0100 @@ -0,0 +1,29 @@ +Date: Mon, 09 Feb 2009 20:53:59 -0800 +From: Greg Kroah-Hartman <gregkh@suse.de> +Subject: KABI: turn off kabi check for struct scm_fp_list change +Patch-mainline: never + +This KABI patch is needed due to the addition of the list field to struct +scm_fp_list in the security fix in +patches.fixes/net-fix-recursive-descent-in-__scm_destroy.patch + +This patch should be removed in SLE10 SP3 + +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + include/net/scm.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/net/scm.h ++++ b/include/net/scm.h +@@ -13,7 +13,9 @@ struct scm_fp_list + { + int count; + struct file *fp[SCM_MAX_FD]; ++#ifndef __GENKSYMS__ + struct list_head list; ++#endif + }; + + struct scm_cookie diff -ruN -x CVS -x '*.changes' git/kernel-source/patches.fixes/net-fix-recursive-descent-in-__scm_destroy.patch package/patches.fixes/net-fix-recursive-descent-in-__scm_destroy.patch --- git/kernel-source/patches.fixes/net-fix-recursive-descent-in-__scm_destroy.patch 2009-03-19 00:12:41.000000000 +0100 +++ package/patches.fixes/net-fix-recursive-descent-in-__scm_destroy.patch 2009-02-12 10:23:13.000000000 +0100 @@ -29,10 +29,10 @@ --- include/linux/list.h | 11 +++++++++++ - include/linux/sched.h | 3 +++ - include/net/scm.h | 7 +++++-- + include/linux/sched.h | 1 + + include/net/scm.h | 5 +++-- net/core/scm.c | 24 +++++++++++++++++++++--- - 4 files changed, 40 insertions(+), 5 deletions(-) + 4 files changed, 36 insertions(+), 5 deletions(-) --- a/include/linux/list.h +++ b/include/linux/list.h @@ -56,29 +56,25 @@ * @head: the head for your list. --- a/include/linux/sched.h +++ b/include/linux/sched.h -@@ -959,6 +959,9 @@ struct task_struct { +@@ -959,6 +959,7 @@ struct task_struct { /* TASK_UNMAPPED_BASE */ unsigned long map_base; -+#ifndef __GENKSYMS__ + struct list_head *scm_work_list; -+#endif }; static inline pid_t process_group(struct task_struct *tsk) --- a/include/net/scm.h +++ b/include/net/scm.h -@@ -11,8 +11,11 @@ +@@ -11,8 +11,9 @@ struct scm_fp_list { - int count; - struct file *fp[SCM_MAX_FD]; -+#ifndef __GENKSYMS__ /* gotta love pointless api checks... */ -+ struct list_head list; -+#endif + int count; + struct file *fp[SCM_MAX_FD]; ++ struct list_head list; }; struct scm_cookie diff -ruN -x CVS -x '*.changes' git/kernel-source/series.conf package/series.conf --- git/kernel-source/series.conf 2009-06-18 00:52:03.000000000 +0200 +++ package/series.conf 2009-02-12 10:20:50.000000000 +0100 @@ -1259,6 +1259,8 @@ patches.fixes/ipv6-disallow-assigning-invalid-addresses.patch patches.fixes/ipv6-dont-forward-unspec-src.patch patches.fixes/net-fix-recursive-descent-in-__scm_destroy.patch + patches.fixes/kabi-turn-off-kabi-check-for-struct-scm_fp_list-change.patch + patches.fixes/kabi-hack-for-scm_work_list-in-struct-task_struct.patch patches.fixes/disable-tso-and-gso-during-urg patches.fixes/ipv6_na_no_warn_for_local_packets.patch