[Frugalware-darcs] frugalware-0.6: kernel-2.6.20-5terminus7-i686

VMiklos vmiklos at frugalware.org
Wed Jul 11 09:00:51 CEST 2007

Darcsweb-Url: http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070711065846-e2957-ad85459ec621306e8f68e2f497dbf301c9c0f077.gz;

VMiklos <vmiklos at frugalware.org>**20070711065846
 added CVE-2007-3104.diff
 closes #2199
] {
addfile ./source/base/kernel/CVE-2007-3104.diff
hunk ./source/base/kernel/CVE-2007-3104.diff 1
+From: Maneesh Soni <maneesh at in.ibm.com>
+o sysfs_d_iput() is invoked in dentry reclaim path under memory pressure. This
+  happens without i_mutex. It also nullifies s_dentry to indicate that
+  the associated dentry is evicted. sysfs_readdir() accesses the s_dentry,
+  and gets the inode number from the associated dentry->d_inode, if
+  there is one, else it invokes iunique(). This can create a race situation,
+  and crash while accessing the d_inode in sysfs_readdir().
+o The race happens when the dentry is getting reclaimed and detached from
+  the corresponding sysfs_dirent though sysfs_dirent is still a valid
+  node. Accessing dentry fields are ok as it is under RCU but the inode is
+  not hence we may see oops accessing dentry->d_inode->i_no.
+o The following patch always use i_unique() to get the inode number in
+  sysfs_readdir. This is ok as sysfs doesnot have permanent inode numbering.
+  It could be slower but avoids the oops.
+Signed-off-by: Maneesh Soni <maneesh at in.ibm.com>
+Cc: Dipankar Sarma <dipankar at in.ibm.com>
+Cc: Ethan Solomita <solo at google.com>
+Cc: Greg KH <greg at kroah.com>
+Cc: Martin Bligh <mbligh at google.com>
+Cc: Rohit Seth <rohitseth at google.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ fs/sysfs/dir.c |    5 +----
+ 1 files changed, 1 insertion(+), 4 deletions(-)
+diff -puN fs/sysfs/dir.c~fix-sysfs_readdir-oops fs/sysfs/dir.c
+--- a/fs/sysfs/dir.c~fix-sysfs_readdir-oops
++++ a/fs/sysfs/dir.c
+@@ -538,10 +538,7 @@ static int sysfs_readdir(struct file * f
+ 				name = sysfs_get_name(next);
+ 				len = strlen(name);
+-				if (next->s_dentry)
+-					ino = next->s_dentry->d_inode->i_ino;
+-				else
+-					ino = iunique(sysfs_sb, 2);
++				ino = iunique(sysfs_sb, 2);
+ 				if (filldir(dirent, name, len, filp->f_pos, ino,
+ 						 dt_type(next)) < 0)
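Review bot: in the embedded fs/sysfs/dir.c hunk, the new unconditional "ino = iunique(sysfs_sb, 2);" means the number passed to filldir() is no longer taken from d_inode->i_ino, even for entries that still have a live dentry. The inode number readdir reports for such an entry can therefore differ from the one on the inode itself. The description only notes that this "could be slower"; it should state the changed numbering as well, so anyone comparing directory entries against inode numbers under sysfs knows it is intended. The added CVE-2007-3104.diff also carries no reference to where it was taken from (upstream commit or -mm patch name beyond the "fix-sysfs_readdir-oops" suffix). A one-line origin note at the top of the file would make it easier to drop the patch once the packaged kernel already contains the fix.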
hunk ./source/base/kernel/FrugalBuild 8
hunk ./source/base/kernel/FrugalBuild 10
-_F_kernel_patches=(CVE-2007-2525.diff CVE-2007-2878.diff)
+_F_kernel_patches=(CVE-2007-2525.diff CVE-2007-2878.diff CVE-2007-3104.diff)
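Review bot: the _F_kernel_patches line now lists three CVE patches with nothing next to it saying which bug each one closes or when it can be removed. A short comment above the array (for this entry, the "closes #2199" reference from the commit message) would keep that information in the FrugalBuild itself. The preceding "hunk ./source/base/kernel/FrugalBuild 8" shows no body in this mail, so the release bump implied by the subject (5terminus7) cannot be checked from what is visible here; please confirm it is part of the commit.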
