Linux 2.6.32.22

Drop merged patches:
aio-check-for-multiplication-overflow-in-do_io_submit.patch
inotify-fix-inotify-oneshot-support.patch
inotify-send-IN_UNMOUNT-events.patch
irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch

aio-check-for-multiplication-overflow-in-do_io_submit.patch

@@ -1,47 +0,0 @@
-From be18992d0630149403bfae5882601cf01a7d4eea Mon Sep 17 00:00:00 2001
-From: Jeff Moyer <jmoyer@redhat.com>
-Date: Fri, 10 Sep 2010 14:16:00 -0700
-Subject: [PATCH 4/4] aio: check for multiplication overflow in do_io_submit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Tavis Ormandy pointed out that do_io_submit does not do proper bounds
-checking on the passed-in iocb array:
-
-       if (unlikely(nr < 0))
-               return -EINVAL;
-
-       if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
-               return -EFAULT;                      ^^^^^^^^^^^^^^^^^^
-
-The attached patch checks for overflow, and if it is detected, the
-number of iocbs submitted is scaled down to a number that will fit in
-the long.  This is an ok thing to do, as sys_io_submit is documented as
-returning the number of iocbs submitted, so callers should handle a
-return value of less than the 'nr' argument passed in.
-
-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- fs/aio.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 02a2c93..b84a769 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1639,6 +1639,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
- 	if (unlikely(nr < 0))
- 		return -EINVAL;
- 
-+	if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
-+		nr = LONG_MAX/sizeof(*iocbpp);
-+
- 	if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
- 		return -EFAULT;
- 
--- 
-1.7.2.3
-

inotify-fix-inotify-oneshot-support.patch

@@ -1,25 +0,0 @@
-#607327
-
-During the large inotify rewrite to fsnotify I completely dropped support
-for IN_ONESHOT.  Reimplement that support.
-
-Signed-off-by: Eric Paris <eparis@redhat.com>
----
-
- fs/notify/inotify/inotify_fsnotify.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
-index daa666a..388a150 100644
---- a/fs/notify/inotify/inotify_fsnotify.c
-+++ b/fs/notify/inotify/inotify_fsnotify.c
-@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
- 			ret = 0;
- 	}
- 
-+	if (entry->mask & IN_ONESHOT)
-+		fsnotify_destroy_mark_by_entry(entry);
-+
- 	/*
- 	 * If we hold the entry until after the event is on the queue
- 	 * IN_IGNORED won't be able to pass this event in the queue

inotify-send-IN_UNMOUNT-events.patch

@@ -1,29 +0,0 @@
-#607327 ?
-
-Since the .31 or so notify rewrite inotify has not sent events about
-inodes which are unmounted.  This patch restores those events.
-
-Signed-off-by: Eric Paris <eparis@redhat.com>
----
-
- fs/notify/inotify/inotify_user.c |    7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
-index 44aeb0f..f381daf 100644
---- a/fs/notify/inotify/inotify_user.c
-+++ b/fs/notify/inotify/inotify_user.c
-@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
- {
- 	__u32 mask;
- 
--	/* everything should accept their own ignored and cares about children */
--	mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
-+	/*
-+	 * everything should accept their own ignored, cares about children,
-+	 * and should receive events when the inode is unmounted
-+	 */
-+	mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
- 
- 	/* mask off the flags used to open the fd */
- 	mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));

irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch

@@ -1,35 +0,0 @@
-From: David S. Miller <davem@davemloft.net>
-Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
-Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
-
-irda: Correctly clean up self->ias_obj on irda_bind() failure.
-
-If irda_open_tsap() fails, the irda_bind() code tries to destroy
-the ->ias_obj object by hand, but does so wrongly.
-
-In particular, it fails to a) release the hashbin attached to the
-object and b) reset the self->ias_obj pointer to NULL.
-
-Fix both problems by using irias_delete_object() and explicitly
-setting self->ias_obj to NULL, just as irda_release() does.
-
-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
-
-diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
-index 79986a6..fd55b51 100644
---- a/net/irda/af_irda.c
-+++ b/net/irda/af_irda.c
-@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
- 
- 	err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
- 	if (err < 0) {
--		kfree(self->ias_obj->name);
--		kfree(self->ias_obj);
-+		irias_delete_object(self->ias_obj);
-+		self->ias_obj = NULL;
- 		return err;
- 	}
- 

kernel.spec

@@ -47,7 +47,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 169
+%global baserelease 170
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -59,7 +59,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 22
+%define stable_update 23
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -638,8 +638,6 @@ Patch21: linux-2.6-tracehook.patch
 Patch22: linux-2.6-utrace.patch
 Patch23: linux-2.6-utrace-ptrace.patch
 
-Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
-
 Patch141: linux-2.6-ps3-storage-alias.patch
 Patch143: linux-2.6-g5-therm-shutdown.patch
 Patch144: linux-2.6-vio-modalias.patch
@@ -829,16 +827,11 @@ Patch12923: mac80211-explicitly-disable-enable-QoS.patch
 # l2tp: fix oops in pppol2tp_xmit (#607054)
 Patch13030: l2tp-fix-oops-in-pppol2tp_xmit.patch
 
-Patch14020: inotify-fix-inotify-oneshot-support.patch
-Patch14030: inotify-send-IN_UNMOUNT-events.patch
-
 Patch14050: crypto-add-async-hash-testing.patch
 
 # Red Hat Bugzilla #610911
 Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
 
-Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
-
 Patch14200: net-do-not-check-capable-if-kernel.patch
 
 # Mitigate DOS with large argument lists
@@ -846,10 +839,6 @@ Patch14210: execve-improve-interactivity-with-large-arguments.patch
 Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch
 Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch
 
-# CVE-2010-2960
-Patch14230: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
-Patch14231: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
-
 # ==============================================================================
 %endif
 
@@ -1323,8 +1312,6 @@ ApplyPatch linux-2.6-execshield.patch
 #
 # bugfixes to drivers and filesystems
 #
-# CVE-2010-3067
-ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
 
 # ext4
 
@@ -1546,18 +1533,11 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch
 # l2tp: fix oops in pppol2tp_xmit (#607054)
 ApplyPatch l2tp-fix-oops-in-pppol2tp_xmit.patch
 
-# fix broken oneshot support and missing umount events (F13#607327)
-ApplyPatch inotify-fix-inotify-oneshot-support.patch
-ApplyPatch inotify-send-IN_UNMOUNT-events.patch
-
 # add tests for crypto async hashing (#571577)
 ApplyPatch crypto-add-async-hash-testing.patch
 
 ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
 
-# CVE-2010-2954
-ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
-
 # rhbz #598796
 ApplyPatch net-do-not-check-capable-if-kernel.patch
 
@@ -1566,10 +1546,6 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
 ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
 ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
 
-# CVE-2010-2960
-ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
-ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
-
 # END OF PATCH APPLICATIONS ====================================================
 %endif
 
@@ -2222,7 +2198,17 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
-* Mon Sep 20 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.21-169
+* Mon Sep 27 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.23-170
+- Linux 2.6.32.22
+- Drop merged patches:
+  aio-check-for-multiplication-overflow-in-do_io_submit.patch
+  inotify-fix-inotify-oneshot-support.patch
+  inotify-send-IN_UNMOUNT-events.patch
+  irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+  keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
+  keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
+
+* Mon Sep 20 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.22-169
 - Linux 2.6.32.22
 - Drop merged patches:
   01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch

keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch

@@ -1,52 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
-Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
-
-KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
-
-Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
-of the parent process's session keyring whether or not the parent has a session
-keyring [CVE-2010-2960].
-
-This results in the following oops:
-
-  BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
-  IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
-  ...
-  Call Trace:
-   [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
-   [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
-   [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
-   [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
-
-if the parent process has no session keyring.
-
-If the system is using pam_keyinit then it mostly protected against this as all
-processes derived from a login will have inherited the session keyring created
-by pam_keyinit during the log in procedure.
-
-To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
-
-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
-
-[ 2.6.32 backport ]
-
-diff a/security/keys/keyctl.c b/security/keys/keyctl.c
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1291,7 +1291,8 @@ long keyctl_session_to_parent(void)
- 		goto not_permitted;
- 
- 	/* the keyrings must have the same UID */
--	if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
-+	if ((pcred->tgcred->session_keyring &&
-+	     pcred->tgcred->session_keyring->uid != mycred->euid) ||
- 	    mycred->tgcred->session_keyring->uid != mycred->euid)
- 		goto not_permitted;
- 
-

keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch

@@ -1,64 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
-Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
-
-KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
-
-There's an protected access to the parent process's credentials in the middle
-of keyctl_session_to_parent().  This results in the following RCU warning:
-
-  ===================================================
-  [ INFO: suspicious rcu_dereference_check() usage. ]
-  ---------------------------------------------------
-  security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
-
-  other info that might help us debug this:
-
-  rcu_scheduler_active = 1, debug_locks = 0
-  1 lock held by keyctl-session-/2137:
-   #0:  (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
-
-  stack backtrace:
-  Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
-  Call Trace:
-   [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
-   [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
-   [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
-   [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
-
-The code should take the RCU read lock to make sure the parents credentials
-don't go away, even though it's holding a spinlock and has IRQ disabled.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index b2b0998..3868c67 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
- 	keyring_r = NULL;
- 
- 	me = current;
-+	rcu_read_lock();
- 	write_lock_irq(&tasklist_lock);
- 
- 	parent = me->real_parent;
-@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
- 	set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
- 
- 	write_unlock_irq(&tasklist_lock);
-+	rcu_read_unlock();
- 	if (oldcred)
- 		put_cred(oldcred);
- 	return 0;
-@@ -1327,6 +1329,7 @@ already_same:
- 	ret = 0;
- not_permitted:
- 	write_unlock_irq(&tasklist_lock);
-+	rcu_read_unlock();
- 	put_cred(cred);
- 	return ret;
- 

sources

@@ -1,2 +1,2 @@
 260551284ac224c3a43c4adac7df4879  linux-2.6.32.tar.bz2
-da1431a1d659298c6bd11714416c840f  patch-2.6.32.22.bz2
+6eac9aebbf9e74546b7c44c0fb9348a7  patch-2.6.32.23.bz2