author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-04 16:17:36 -0700 |
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-04 16:17:36 -0700 |
commit | 9ed9a893c0f2351f5681a04bc0ce1629110852d2 (patch) | |
tree | fc82bf4938e337236e52d538ca1eb574ca02e427 | |
parent | f12ac89af7329f321a4b38681b9b932a96457842 (diff) | |
download | longterm-queue-2.6.33-9ed9a893c0f2351f5681a04bc0ce1629110852d2.tar.gz |
.33 patches
8 files changed, 410 insertions, 0 deletions
diff --git a/queue-2.6.33/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch b/queue-2.6.33/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
new file mode 100644
index 0000000..2428e94
--- /dev/null
+++ b/queue-2.6.33/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
@@ -0,0 +1,85 @@
+From a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 Mon Sep 17 00:00:00 2001
+From: Eric W. Biederman <ebiederm@xmission.com>
+Date: Sun, 24 Apr 2011 01:54:57 +0000
+Subject: af_unix: Only allow recv on connected seqpacket sockets.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 upstream.
+
+This fixes the following oops discovered by Dan Aloni:
+> Anyway, the following is the output of the Oops that I got on the
+> Ubuntu kernel on which I first detected the problem
+> (2.6.37-12-generic). The Oops that followed will be more useful, I
+> guess.
+
+>[ 5594.669852] BUG: unable to handle kernel NULL pointer dereference
+> at (null)
+> [ 5594.681606] IP: [<ffffffff81550b7b>] unix_dgram_recvmsg+0x1fb/0x420
+> [ 5594.687576] PGD 2a05d067 PUD 2b951067 PMD 0
+> [ 5594.693720] Oops: 0002 [#1] SMP
+> [ 5594.699888] last sysfs file:
+
+The bug was that unix domain sockets use a pseduo packet for
+connecting and accept uses that psudo packet to get the socket.
+In the buggy seqpacket case we were allowing unconnected
+sockets to call recvmsg and try to receive the pseudo packet.
+
+That is always wrong and as of commit 7361c36c5 the pseudo
+packet had become enough different from a normal packet
+that the kernel started oopsing.
+
+Do for seqpacket_recv what was done for seqpacket_send in 2.5
+and only allow it on connected seqpacket sockets.
+
+Tested-by: Dan Aloni <dan@aloni.org>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/unix/af_unix.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -503,6 +503,8 @@ static int unix_dgram_connect(struct soc
+ int, int);
+ static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *,
+ struct msghdr *, size_t);
++static int unix_seqpacket_recvmsg(struct kiocb *, struct socket *,
++ struct msghdr *, size_t, int);
+ 
+ static const struct proto_ops unix_stream_ops = {
+ .family = PF_UNIX,
+@@ -562,7 +564,7 @@ static const struct proto_ops unix_seqpa
+ .setsockopt = sock_no_setsockopt,
+ .getsockopt = sock_no_getsockopt,
+ .sendmsg = unix_seqpacket_sendmsg,
+- .recvmsg = unix_dgram_recvmsg,
++ .recvmsg = unix_seqpacket_recvmsg,
+ .mmap = sock_no_mmap,
+ .sendpage = sock_no_sendpage,
+ };
+@@ -1631,6 +1633,18 @@ static int unix_seqpacket_sendmsg(struct
+ return unix_dgram_sendmsg(kiocb, sock, msg, len);
+ }
+ 
++static int unix_seqpacket_recvmsg(struct kiocb *iocb, struct socket *sock,
++ struct msghdr *msg, size_t size,
++ int flags)
++{
++ struct sock *sk = sock->sk;
++
++ if (sk->sk_state != TCP_ESTABLISHED)
++ return -ENOTCONN;
++
++ return unix_dgram_recvmsg(iocb, sock, msg, size, flags);
++}
++
+ static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
+ {
+ struct unix_sock *u = unix_sk(sk);
diff --git a/queue-2.6.33/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch b/queue-2.6.33/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
new file mode 100644
index 0000000..f8dd3f9
--- /dev/null
+++ b/queue-2.6.33/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
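Review bot: The new `unix_seqpacket_recvmsg` rejects on `sk->sk_state != TCP_ESTABLISHED` with no comment, and the reason is not visible in the two lines themselves: per the description, an unconnected or listening SOCK_SEQPACKET socket's receive queue holds the connection pseudo-packets that `unix_dgram_recvmsg` would otherwise try to hand to userspace. I would add above the check: `/* Only a connected SOCK_SEQPACKET socket has data to receive; a listening or unconnected one only queues connect pseudo-skbs that unix_dgram_recvmsg must never consume. */`. The state is read without `unix_state_lock`, so a peer tearing the socket down concurrently can still pass the gate and reach `unix_dgram_recvmsg`; that presumably mirrors `unix_seqpacket_sendmsg`, whose body is outside the hunk, and is worth one clause in the comment. `unix_seqpacket_sendmsg` and `unix_copy_addr` both continue outside the hunk.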
@@ -0,0 +1,34 @@
+From 0f22072ab50cac7983f9660d33974b45184da4f9 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 29 Apr 2011 15:48:07 +0100
+Subject: ARM: 6891/1: prevent heap corruption in OABI semtimedop
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream.
+
+When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
+bound the nsops argument. A sufficiently large value will cause an
+integer overflow in allocation size, followed by copying too much data
+into the allocated buffer. Fix this by restricting nsops to SEMOPM.
+Untested.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/arm/kernel/sys_oabi-compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int
+ long err;
+ int i;
+ 
+- if (nsops < 1)
++ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
diff --git a/queue-2.6.33/can-add-missing-socket-check-in-can-bcm-release.patch b/queue-2.6.33/can-add-missing-socket-check-in-can-bcm-release.patch
new file mode 100644
index 0000000..212e3ad
--- /dev/null
+++ b/queue-2.6.33/can-add-missing-socket-check-in-can-bcm-release.patch
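Review bot: The new bound returns `-EINVAL` for `nsops > SEMOPM`, whereas the core semtimedop path this wrapper forwards to rejects an oversized `nsops` with `-E2BIG` (ipc/sem.c, not in the hunk; confirm for 2.6.33), so an OABI caller now gets a different errno than an EABI caller for the same request; `if (nsops < 1) return -EINVAL; if (nsops > SEMOPM) return -E2BIG;` keeps the ABI aligned while still preventing the `sizeof(*sops) * nsops` overflow. Whichever errno is kept, the reason for the limit belongs next to it: `/* bound nsops before it sizes the kmalloc below; the core code enforces the same limit */`. The upstream message says "Untested", and the copy loop that the description says overruns the buffer is outside the hunk, so a quick test with `nsops = SEMOPM + 1` and with a value that wraps the multiplication is worth doing before shipping. `sys_oabi_semtimedop` begins and ends outside the hunk.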
@@ -0,0 +1,38 @@
+From c6914a6f261aca0c9f715f883a353ae7ff51fe83 Mon Sep 17 00:00:00 2001
+From: Dave Jones <davej@redhat.com>
+Date: Tue, 19 Apr 2011 20:36:59 -0700
+Subject: can: Add missing socket check in can/bcm release.
+
+From: Dave Jones <davej@redhat.com>
+
+commit c6914a6f261aca0c9f715f883a353ae7ff51fe83 upstream.
+
+We can get here with a NULL socket argument passed from userspace,
+so we need to handle it accordingly.
+
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/bcm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1412,9 +1412,14 @@ static int bcm_init(struct sock *sk)
+ static int bcm_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+- struct bcm_sock *bo = bcm_sk(sk);
++ struct bcm_sock *bo;
+ struct bcm_op *op, *next;
+ 
++ if (sk == NULL)
++ return 0;
++
++ bo = bcm_sk(sk);
++
+ /* remove bcm_ops, timer, rx_unregister(), etc. */
+ 
+ unregister_netdevice_notifier(&bo->notifier);
diff --git a/queue-2.6.33/fix-gcc-4.5.1-miscompiling-drivers-char-i8k.c-again.patch b/queue-2.6.33/fix-gcc-4.5.1-miscompiling-drivers-char-i8k.c-again.patch
new file mode 100644
index 0000000..a2014ff
--- /dev/null
+++ b/queue-2.6.33/fix-gcc-4.5.1-miscompiling-drivers-char-i8k.c-again.patch
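Review bot: The added `if (sk == NULL) return 0;` handles the NULL case but nothing at the check explains how `sock->sk` comes to be NULL in `bcm_release`; the description's "passed from userspace" is loose, since userspace never hands a `struct sock` to the kernel, and the next reader will wonder whether the guard hides a real bug. I would state the condition above the check, hedged until confirmed against `sock_release()`/`bcm_init()` which are outside the hunk: `/* sock->sk is NULL if release runs on a socket whose sk was never attached or was already detached; there is nothing to tear down */`. Returning 0 there is right because the first teardown step visible, `unregister_netdevice_notifier(&bo->notifier)`, dereferences `bo`, which `bcm_sk(NULL)` could not provide. `bcm_release` continues outside the hunk.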
@@ -0,0 +1,72 @@
+From 22d3243de86bc92d874abb7c5b185d5c47aba323 Mon Sep 17 00:00:00 2001
+From: Jim Bos <jim876@xs4all.nl>
+Date: Mon, 15 Nov 2010 21:22:37 +0100
+Subject: Fix gcc 4.5.1 miscompiling drivers/char/i8k.c (again)
+
+From: Jim Bos <jim876@xs4all.nl>
+
+commit 22d3243de86bc92d874abb7c5b185d5c47aba323 upstream.
+
+The fix in commit 6b4e81db2552 ("i8k: Tell gcc that *regs gets
+clobbered") to work around the gcc miscompiling i8k.c to add "+m
+(*regs)" caused register pressure problems and a build failure.
+
+Changing the 'asm' statement to 'asm volatile' instead should prevent
+that and works around the gcc bug as well, so we can remove the "+m".
+
+[ Background on the gcc bug: a memory clobber fails to mark the function
+ the asm resides in as non-pure (aka "__attribute__((const))"), so if
+ the function does nothing else that triggers the non-pure logic, gcc
+ will think that that function has no side effects at all. As a result,
+ callers will be mis-compiled.
+
+ Adding the "+m" made gcc see that it's not a pure function, and so
+ does "asm volatile". The problem was never really the need to mark
+ "*regs" as changed, since the memory clobber did that part - the
+ problem was just a bug in the gcc "pure" function analysis - Linus ]
+
+Signed-off-by: Jim Bos <jim876@xs4all.nl>
+Acked-by: Jakub Jelinek <jakub@redhat.com>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/i8k.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/i8k.c
++++ b/drivers/char/i8k.c
+@@ -119,7 +119,7 @@ static int i8k_smm(struct smm_regs *regs
+ int eax = regs->eax;
+ 
+ #if defined(CONFIG_X86_64)
+- asm("pushq %%rax\n\t"
++ asm volatile("pushq %%rax\n\t"
+ "movl 0(%%rax),%%edx\n\t"
+ "pushq %%rdx\n\t"
+ "movl 4(%%rax),%%ebx\n\t"
+@@ -141,11 +141,11 @@ static int i8k_smm(struct smm_regs *regs
+ "lahf\n\t"
+ "shrl $8,%%eax\n\t"
+ "andl $1,%%eax\n"
+- :"=a"(rc), "+m" (*regs)
++ :"=a"(rc)
+ : "a"(regs)
+ : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
+ #else
+- asm("pushl %%eax\n\t"
++ asm volatile("pushl %%eax\n\t"
+ "movl 0(%%eax),%%edx\n\t"
+ "push %%edx\n\t"
+ "movl 4(%%eax),%%ebx\n\t"
+@@ -167,7 +167,7 @@ static int i8k_smm(struct smm_regs *regs
+ "lahf\n\t"
+ "shrl $8,%%eax\n\t"
+ "andl $1,%%eax\n"
+- :"=a"(rc), "+m" (*regs)
++ :"=a"(rc)
+ : "a"(regs)
+ : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
+ #endif
diff --git a/queue-2.6.33/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch b/queue-2.6.33/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch
new file mode 100644
index 0000000..f637b4d
--- /dev/null
+++ b/queue-2.6.33/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch
@@ -0,0 +1,69 @@
+From c340b1d640001c8c9ecff74f68fd90422ae2448a Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns@pre-sense.de>
+Date: Thu, 14 Apr 2011 15:21:56 -0700
+Subject: fs/partitions/ldm.c: fix oops caused by corrupted partition table
+
+From: Timo Warns <Warns@pre-sense.de>
+
+commit c340b1d640001c8c9ecff74f68fd90422ae2448a upstream.
+
+The kernel automatically evaluates partition tables of storage devices.
+The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
+a bug that causes a kernel oops on certain corrupted LDM partitions.
+A kernel subsystem seems to crash, because, after the oops, the kernel no
+longer recognizes newly connected storage devices.
+
+The patch validates the value of vblk_size.
+
+[akpm@linux-foundation.org: coding-style fixes]
+Signed-off-by: Timo Warns <warns@pre-sense.de>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Harvey Harrison <harvey.harrison@gmail.com>
+Cc: Richard Russon <rich@flatcap.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/partitions/ldm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/partitions/ldm.c
++++ b/fs/partitions/ldm.c
+@@ -1299,6 +1299,11 @@ static bool ldm_frag_add (const u8 *data
+ 
+ BUG_ON (!data || !frags);
+ 
++ if (size < 2 * VBLK_SIZE_HEAD) {
++ ldm_error("Value of size is to small.");
++ return false;
++ }
++
+ group = get_unaligned_be32(data + 0x08);
+ rec = get_unaligned_be16(data + 0x0C);
+ num = get_unaligned_be16(data + 0x0E);
+@@ -1306,6 +1311,10 @@ static bool ldm_frag_add (const u8 *data
+ ldm_error ("A VBLK claims to have %d parts.", num);
+ return false;
+ }
++ if (rec >= num) {
++ ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
++ return false;
++ }
+ 
+ list_for_each (item, frags) {
+ f = list_entry (item, struct frag, list);
+@@ -1334,10 +1343,9 @@ found:
+ 
+ f->map |= (1 << rec);
+ 
+- if (num > 0) {
+- data += VBLK_SIZE_HEAD;
+- size -= VBLK_SIZE_HEAD;
+- }
++ data += VBLK_SIZE_HEAD;
++ size -= VBLK_SIZE_HEAD;
++
+ memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
+ 
+ return true;
diff --git a/queue-2.6.33/i8k-tell-gcc-that-regs-gets-clobbered.patch b/queue-2.6.33/i8k-tell-gcc-that-regs-gets-clobbered.patch
new file mode 100644
index 0000000..005abc0
--- /dev/null
+++ b/queue-2.6.33/i8k-tell-gcc-that-regs-gets-clobbered.patch
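Review bot: The new `size` and `rec` checks bound this fragment against itself, but the `memcpy` at the end of the hunk still writes `size` bytes to `f->data + rec*(size-VBLK_SIZE_HEAD) + VBLK_SIZE_HEAD` using this fragment's own `size`, while `f` may have been located in `frags` on the `found:` path after being allocated for an earlier fragment; the allocation is outside the hunk, so I cannot confirm it sizes `f->data` from that earlier fragment's `size`, but if it does, a later fragment of the same group that advertises a larger `size` still overruns the buffer. The fix is to record the `size` the buffer was allocated for in `struct frag` and, on the `found:` path, reject any fragment whose `size` differs, rather than trusting each fragment's own header independently. Minor: the new message `"Value of size is to small."` should read "too small". `ldm_frag_add` begins and ends outside the hunk.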
@@ -0,0 +1,50 @@
+From 6b4e81db2552bad04100e7d5ddeed7e848f53b48 Mon Sep 17 00:00:00 2001
+From: Jim Bos <jim876@xs4all.nl>
+Date: Sat, 13 Nov 2010 12:13:53 +0100
+Subject: i8k: Tell gcc that *regs gets clobbered
+
+From: Jim Bos <jim876@xs4all.nl>
+
+commit 6b4e81db2552bad04100e7d5ddeed7e848f53b48 upstream.
+
+More recent GCC caused the i8k driver to stop working, on Slackware
+compiler was upgraded from gcc-4.4.4 to gcc-4.5.1 after which it didn't
+work anymore, meaning the driver didn't load or gave total nonsensical
+output.
+
+As it turned out the asm(..) statement forgot to mention it modifies the
+*regs variable.
+
+Credits to Andi Kleen and Andreas Schwab for providing the fix.
+
+Signed-off-by: Jim Bos <jim876@xs4all.nl>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/i8k.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/i8k.c
++++ b/drivers/char/i8k.c
+@@ -141,7 +141,7 @@ static int i8k_smm(struct smm_regs *regs
+ "lahf\n\t"
+ "shrl $8,%%eax\n\t"
+ "andl $1,%%eax\n"
+- :"=a"(rc)
++ :"=a"(rc), "+m" (*regs)
+ : "a"(regs)
+ : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
+ #else
+@@ -166,7 +166,8 @@ static int i8k_smm(struct smm_regs *regs
+ "movl %%edx,0(%%eax)\n\t"
+ "lahf\n\t"
+ "shrl $8,%%eax\n\t"
+- "andl $1,%%eax\n":"=a"(rc)
++ "andl $1,%%eax\n"
++ :"=a"(rc), "+m" (*regs)
+ : "a"(regs)
+ : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
+ #endif
diff --git a/queue-2.6.33/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch b/queue-2.6.33/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
new file mode 100644
index 0000000..42905d4
--- /dev/null
+++ b/queue-2.6.33/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
@@ -0,0 +1,55 @@
+From 1574dff8996ab1ed92c09012f8038b5566fce313 Mon Sep 17 00:00:00 2001
+From: Sachin Prabhu <sprabhu@redhat.com>
+Date: Wed, 20 Apr 2011 13:09:35 +0100
+Subject: Open with O_CREAT flag set fails to open existing files on non writable directories
+
+From: Sachin Prabhu <sprabhu@redhat.com>
+
+commit 1574dff8996ab1ed92c09012f8038b5566fce313 upstream.
+
+An open on a NFS4 share using the O_CREAT flag on an existing file for
+which we have permissions to open but contained in a directory with no
+write permissions will fail with EACCES.
+
+A tcpdump shows that the client had set the open mode to UNCHECKED which
+indicates that the file should be created if it doesn't exist and
+encountering an existing flag is not an error. Since in this case the
+file exists and can be opened by the user, the NFS server is wrong in
+attempting to check create permissions on the parent directory.
+
+The patch adds a conditional statement to check for create permissions
+only if the file doesn't exist.
+
+Signed-off-by: Sachin S. Prabhu <sprabhu@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/vfs.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1387,7 +1387,7 @@ nfsd_create_v3(struct svc_rqst *rqstp, s
+ goto out;
+ if (!(iap->ia_valid & ATTR_MODE))
+ iap->ia_mode = 0;
+- err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
++ err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_EXEC);
+ if (err)
+ goto out;
+ 
+@@ -1409,6 +1409,13 @@ nfsd_create_v3(struct svc_rqst *rqstp, s
+ if (IS_ERR(dchild))
+ goto out_nfserr;
+ 
++ /* If file doesn't exist, check for permissions to create one */
++ if (!dchild->d_inode) {
++ err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
++ if (err)
++ goto out;
++ }
++
+ err = fh_compose(resfhp, fhp->fh_export, dchild, fhp);
+ if (err)
+ goto out;
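Review bot: The first `fh_verify` now asks only for `NFSD_MAY_EXEC` and the `NFSD_MAY_CREATE` check is deferred until after the `dchild` lookup, so for an existing file this function no longer checks anything against the parent directory; that is the intended fix, but the new `/* If file doesn't exist ... */` comment does not say where access on the existing-file path is now enforced, which is exactly what someone auditing the server's permission checks will ask. I would extend it to `/* If the file doesn't exist, check for permission to create one. For an existing file access is checked on the file itself by the open/setattr that follows, not on the parent. */`, hedged on the "follows" part since that code is outside the hunk. The added `goto out` takes the same exit as the existing `fh_compose` failure two lines below, so whatever lock and dentry cleanup `out:` already performs applies to it as well. `nfsd_create_v3` begins and ends outside the hunk.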
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 0018bf3..8e71807 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -31,3 +31,10 @@ mmc-sdhci-check-mrq-cmd-in-sdhci_tasklet_finish.patch
 mmc-sdhci-check-mrq-null-in-sdhci_tasklet_finish.patch
 usb-fix-regression-in-usbip-by-setting-has_tt-flag.patch
 x86-amd-fix-apic-timer-erratum-400-affecting-k8-rev.a-e-processors.patch
+af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
+arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
+i8k-tell-gcc-that-regs-gets-clobbered.patch
+fix-gcc-4.5.1-miscompiling-drivers-char-i8k.c-again.patch
+open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
+can-add-missing-socket-check-in-can-bcm-release.patch
+fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch