diff options
author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-08-02 15:10:08 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-08-02 15:10:08 -0700 |
commit | fb18ed10080ccb7474aaa457e04513bb6fd061a7 (patch) | |
tree | 892a426a430a415fe23deeb13deb4e183c2fbba3 | |
parent | af2f842760885ed70b850e3e5ea7254e77ec15a1 (diff) | |
download | longterm-queue-2.6.32-fb18ed10080ccb7474aaa457e04513bb6fd061a7.tar.gz |
.32 patches
13 files changed, 943 insertions, 0 deletions
diff --git a/queue-2.6.32/alpha-fix-several-security-issues.patch b/queue-2.6.32/alpha-fix-several-security-issues.patch new file mode 100644 index 0000000..ad1c281 --- /dev/null +++ b/queue-2.6.32/alpha-fix-several-security-issues.patch @@ -0,0 +1,91 @@ +From 21c5977a836e399fc710ff2c5367845ed5c2527f Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg <drosenberg@vsecurity.com> +Date: Wed, 15 Jun 2011 15:09:01 -0700 +Subject: alpha: fix several security issues + +From: Dan Rosenberg <drosenberg@vsecurity.com> + +commit 21c5977a836e399fc710ff2c5367845ed5c2527f upstream. + +Fix several security issues in Alpha-specific syscalls. Untested, but +mostly trivial. + +1. Signedness issue in osf_getdomainname allows copying out-of-bounds +kernel memory to userland. + +2. Signedness issue in osf_sysinfo allows copying large amounts of +kernel memory to userland. + +3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy +size, allowing copying large amounts of kernel memory to userland. + +4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows +privilege escalation via writing return value of sys_wait4 to kernel +memory. + +Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> +Cc: Richard Henderson <rth@twiddle.net> +Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> +Cc: Matt Turner <mattst88@gmail.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/alpha/kernel/osf_sys.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/arch/alpha/kernel/osf_sys.c ++++ b/arch/alpha/kernel/osf_sys.c +@@ -431,7 +431,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char + return -EFAULT; + + len = namelen; +- if (namelen > 32) ++ if (len > 32) + len = 32; + + down_read(&uts_sem); +@@ -618,7 +618,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman + down_read(&uts_sem); + res = sysinfo_table[offset]; + len = strlen(res)+1; +- if (len > count) ++ if ((unsigned long)len > (unsigned long)count) + len = count; + if (copy_to_user(buf, res, len)) + err = -EFAULT; +@@ -673,7 +673,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned + return 1; + + case GSI_GET_HWRPB: +- if (nbytes < sizeof(*hwrpb)) ++ if (nbytes > sizeof(*hwrpb)) + return -EINVAL; + if (copy_to_user(buffer, hwrpb, nbytes) != 0) + return -EFAULT; +@@ -1035,6 +1035,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i + { + struct rusage r; + long ret, err; ++ unsigned int status = 0; + mm_segment_t old_fs; + + if (!ur) +@@ -1043,13 +1044,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i + old_fs = get_fs(); + + set_fs (KERNEL_DS); +- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r); ++ ret = sys_wait4(pid, (unsigned int __user *) &status, options, ++ (struct rusage __user *) &r); + set_fs (old_fs); + + if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur))) + return -EFAULT; + + err = 0; ++ err |= put_user(status, ustatus); + err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec); + err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec); + err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec); diff --git a/queue-2.6.32/cifs-check-for-null-session-password.patch b/queue-2.6.32/cifs-check-for-null-session-password.patch new file mode 100644 index 0000000..b11f0a2 --- /dev/null +++ b/queue-2.6.32/cifs-check-for-null-session-password.patch @@ -0,0 +1,30 @@ +From 24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Mon, 23 Aug 2010 11:38:04 -0400 +Subject: cifs: check for NULL session password + +From: Jeff Layton <jlayton@redhat.com> + +commit 24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2 upstream. + +It's possible for a cifsSesInfo struct to have a NULL password, so we +need to check for that prior to running strncmp on it. + +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/cifs/connect.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1605,6 +1605,7 @@ cifs_find_smb_ses(struct TCP_Server_Info + MAX_USERNAME_SIZE)) + continue; + if (strlen(vol->username) != 0 && ++ ses->password != NULL && + strncmp(ses->password, + vol->password ? vol->password : "", + MAX_PASSWORD_SIZE)) diff --git a/queue-2.6.32/cifs-clean-up-cifs_find_smb_ses-try-2.patch b/queue-2.6.32/cifs-clean-up-cifs_find_smb_ses-try-2.patch new file mode 100644 index 0000000..b49d423 --- /dev/null +++ b/queue-2.6.32/cifs-clean-up-cifs_find_smb_ses-try-2.patch @@ -0,0 +1,93 @@ +From 4ff67b720c02c36e54d55b88c2931879b7db1cd2 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Tue, 6 Jul 2010 20:43:02 -0400 +Subject: cifs: clean up cifs_find_smb_ses (try #2) + +From: Jeff Layton <jlayton@redhat.com> + +commit 4ff67b720c02c36e54d55b88c2931879b7db1cd2 upstream. + +This patch replaces the earlier patch by the same name. The only +difference is that MAX_PASSWORD_SIZE has been increased to attempt to +match the limits that windows enforces. + +Do a better job of matching sessions by authtype. Matching by username +for a Kerberos session is incorrect, and anonymous sessions need special +handling. + +Also, in the case where we do match by username, we also need to match +by password. That ensures that someone else doesn't "borrow" an existing +session without needing to know the password. + +Finally, passwords can be longer than 16 bytes. Bump MAX_PASSWORD_SIZE +to 512 to match the size that the userspace mount helper allows. + +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +[dannf: backported to Debian's 2.6.32] +Cc: Moritz Muehlenhoff <jmm@debian.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + + +--- + fs/cifs/cifsglob.h | 2 +- + fs/cifs/connect.c | 26 ++++++++++++++++++-------- + 2 files changed, 19 insertions(+), 9 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -33,7 +33,7 @@ + #define MAX_SHARE_SIZE 64 /* used to be 20, this should still be enough */ + #define MAX_USERNAME_SIZE 32 /* 32 is to allow for 15 char names + null + termination then *2 for unicode versions */ +-#define MAX_PASSWORD_SIZE 16 ++#define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */ + + #define CIFS_MIN_RCV_POOL 4 + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1588,17 +1588,27 @@ out_err: + } + + static struct cifsSesInfo * +-cifs_find_smb_ses(struct TCP_Server_Info *server, char *username) ++cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol) + { +- struct list_head *tmp; + struct cifsSesInfo *ses; + + write_lock(&cifs_tcp_ses_lock); +- list_for_each(tmp, &server->smb_ses_list) { +- ses = list_entry(tmp, struct cifsSesInfo, smb_ses_list); +- if (strncmp(ses->userName, username, MAX_USERNAME_SIZE)) +- continue; +- ++ list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) { ++ switch (server->secType) { ++ case Kerberos: ++ if (vol->linux_uid != ses->linux_uid) ++ continue; ++ break; ++ default: ++ /* anything else takes username/password */ ++ if (strncmp(ses->userName, vol->username, ++ MAX_USERNAME_SIZE)) ++ continue; ++ if (strlen(vol->username) != 0 && ++ strncmp(ses->password, vol->password, ++ MAX_PASSWORD_SIZE)) ++ continue; ++ } + ++ses->ses_count; + write_unlock(&cifs_tcp_ses_lock); + return ses; +@@ -2362,7 +2372,7 @@ try_mount_again: + goto out; + } + +- pSesInfo = cifs_find_smb_ses(srvTcp, volume_info->username); ++ pSesInfo = cifs_find_smb_ses(srvTcp, volume_info); + if (pSesInfo) { + cFYI(1, ("Existing smb sess found (status=%d)", + pSesInfo->status)); diff --git a/queue-2.6.32/cifs-fix-null-pointer-dereference-in-cifs_find_smb_ses.patch b/queue-2.6.32/cifs-fix-null-pointer-dereference-in-cifs_find_smb_ses.patch new file mode 100644 index 0000000..0877b31 --- /dev/null +++ b/queue-2.6.32/cifs-fix-null-pointer-dereference-in-cifs_find_smb_ses.patch @@ -0,0 +1,35 @@ +From fc87a40677bbe0937e2ff0642c7e83c9a4813f3d Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Wed, 18 Aug 2010 13:13:39 -0400 +Subject: cifs: fix NULL pointer dereference in cifs_find_smb_ses + +From: Jeff Layton <jlayton@redhat.com> + +commit fc87a40677bbe0937e2ff0642c7e83c9a4813f3d upstream. + +cifs_find_smb_ses assumes that the vol->password field is a valid +pointer, but that's only the case if a password was passed in via +the options string. It's possible that one won't be if there is +no mount helper on the box. + +Reported-by: diabel <gacek-2004@wp.pl> +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/cifs/connect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1605,7 +1605,8 @@ cifs_find_smb_ses(struct TCP_Server_Info + MAX_USERNAME_SIZE)) + continue; + if (strlen(vol->username) != 0 && +- strncmp(ses->password, vol->password, ++ strncmp(ses->password, ++ vol->password ? vol->password : "", + MAX_PASSWORD_SIZE)) + continue; + } diff --git a/queue-2.6.32/gre-fix-netns-vs-proto-registration-ordering.patch b/queue-2.6.32/gre-fix-netns-vs-proto-registration-ordering.patch new file mode 100644 index 0000000..98e1bfc --- /dev/null +++ b/queue-2.6.32/gre-fix-netns-vs-proto-registration-ordering.patch @@ -0,0 +1,72 @@ +From c2892f02712e9516d72841d5c019ed6916329794 Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan <adobriyan@gmail.com> +Date: Tue, 16 Feb 2010 07:57:44 +0000 +Subject: gre: fix netns vs proto registration ordering + +From: Alexey Dobriyan <adobriyan@gmail.com> + +commit c2892f02712e9516d72841d5c019ed6916329794 upstream. + +GRE protocol receive hook can be called right after protocol addition is done. +If netns stuff is not yet initialized, we're going to oops in +net_generic(). + +This is remotely oopsable if ip_gre is compiled as module and packet +comes at unfortunate moment of module loading. + +Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[dannf: backported to Debian's 2.6.32] +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/ipv4/ip_gre.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -1665,14 +1665,15 @@ static int __init ipgre_init(void) + + printk(KERN_INFO "GRE over IPv4 tunneling driver\n"); + +- if (inet_add_protocol(&ipgre_protocol, IPPROTO_GRE) < 0) { +- printk(KERN_INFO "ipgre init: can't add protocol\n"); +- return -EAGAIN; +- } +- + err = register_pernet_gen_device(&ipgre_net_id, &ipgre_net_ops); + if (err < 0) +- goto gen_device_failed; ++ return err; ++ ++ err = inet_add_protocol(&ipgre_protocol, IPPROTO_GRE); ++ if (err < 0) { ++ printk(KERN_INFO "ipgre init: can't add protocol\n"); ++ goto add_proto_failed; ++ } + + err = rtnl_link_register(&ipgre_link_ops); + if (err < 0) +@@ -1688,9 +1689,9 @@ out: + tap_ops_failed: + rtnl_link_unregister(&ipgre_link_ops); + rtnl_link_failed: +- unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops); +-gen_device_failed: + inet_del_protocol(&ipgre_protocol, IPPROTO_GRE); ++add_proto_failed: ++ unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops); + goto out; + } + +@@ -1698,9 +1699,9 @@ static void __exit ipgre_fini(void) + { + rtnl_link_unregister(&ipgre_tap_ops); + rtnl_link_unregister(&ipgre_link_ops); +- unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops); + if (inet_del_protocol(&ipgre_protocol, IPPROTO_GRE) < 0) + printk(KERN_INFO "ipgre close: can't remove protocol\n"); ++ unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops); + } + + module_init(ipgre_init); diff --git a/queue-2.6.32/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch b/queue-2.6.32/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch new file mode 100644 index 0000000..2134f32 --- /dev/null +++ b/queue-2.6.32/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch @@ -0,0 +1,52 @@ +From e924960dacdf85d118a98c7262edf2f99c3015cf Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan <adobriyan@gmail.com> +Date: Mon, 25 Jan 2010 10:28:21 +0000 +Subject: netns xfrm: fixup xfrm6_tunnel error propagation + +From: Alexey Dobriyan <adobriyan@gmail.com> + +commit e924960dacdf85d118a98c7262edf2f99c3015cf upstream. + +Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/ipv6/xfrm6_tunnel.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/net/ipv6/xfrm6_tunnel.c ++++ b/net/ipv6/xfrm6_tunnel.c +@@ -344,13 +344,19 @@ static struct xfrm6_tunnel xfrm46_tunnel + + static int __init xfrm6_tunnel_init(void) + { +- if (xfrm_register_type(&xfrm6_tunnel_type, AF_INET6) < 0) ++ int rv; ++ ++ rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6); ++ if (rv < 0) + goto err; +- if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6)) ++ rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6); ++ if (rv < 0) + goto unreg; +- if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET)) ++ rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET); ++ if (rv < 0) + goto dereg6; +- if (xfrm6_tunnel_spi_init() < 0) ++ rv = xfrm6_tunnel_spi_init(); ++ if (rv < 0) + goto dereg46; + return 0; + +@@ -361,7 +367,7 @@ dereg6: + unreg: + xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6); + err: +- return -EAGAIN; ++ return rv; + } + + static void __exit xfrm6_tunnel_fini(void) diff --git a/queue-2.6.32/powerpc-pseries-hvconsole-fix-dropped-console-output.patch b/queue-2.6.32/powerpc-pseries-hvconsole-fix-dropped-console-output.patch new file mode 100644 index 0000000..07776a9 --- /dev/null +++ b/queue-2.6.32/powerpc-pseries-hvconsole-fix-dropped-console-output.patch @@ -0,0 +1,31 @@ +From 51d33021425e1f905beb4208823146f2fb6517da Mon Sep 17 00:00:00 2001 +From: Anton Blanchard <anton@samba.org> +Date: Tue, 5 Jul 2011 21:51:36 +0000 +Subject: powerpc/pseries/hvconsole: Fix dropped console output + +From: Anton Blanchard <anton@samba.org> + +commit 51d33021425e1f905beb4208823146f2fb6517da upstream. + +Return -EAGAIN when we get H_BUSY back from the hypervisor. This +makes the hvc console driver retry, avoiding dropped printks. + +Signed-off-by: Anton Blanchard <anton@samba.org> +Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/powerpc/platforms/pseries/hvconsole.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/hvconsole.c ++++ b/arch/powerpc/platforms/pseries/hvconsole.c +@@ -73,7 +73,7 @@ int hvc_put_chars(uint32_t vtermno, cons + if (ret == H_SUCCESS) + return count; + if (ret == H_BUSY) +- return 0; ++ return -EAGAIN; + return -EIO; + } + diff --git a/queue-2.6.32/proc-restrict-access-to-proc-pid-io.patch b/queue-2.6.32/proc-restrict-access-to-proc-pid-io.patch new file mode 100644 index 0000000..727be0a --- /dev/null +++ b/queue-2.6.32/proc-restrict-access-to-proc-pid-io.patch @@ -0,0 +1,56 @@ +From 1d1221f375c94ef961ba8574ac4f85c8870ddd51 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov <segoon@openwall.com> +Date: Fri, 24 Jun 2011 16:08:38 +0400 +Subject: proc: restrict access to /proc/PID/io + +From: Vasiliy Kulikov <segoon@openwall.com> + +commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51 upstream. + +/proc/PID/io may be used for gathering private information. E.g. for +openssh and vsftpd daemons wchars/rchars may be used to learn the +precise password length. Restrict it to processes being able to ptrace +the target process. + +ptrace_may_access() is needed to prevent keeping open file descriptor of +"io" file, executing setuid binary and gathering io information of the +setuid'ed process. + +Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/proc/base.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -2454,6 +2454,9 @@ static int do_io_accounting(struct task_ + struct task_io_accounting acct = task->ioac; + unsigned long flags; + ++ if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ return -EACCES; ++ + if (whole && lock_task_sighand(task, &flags)) { + struct task_struct *t = task; + +@@ -2575,7 +2578,7 @@ static const struct pid_entry tgid_base_ + REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations), + #endif + #ifdef CONFIG_TASK_IO_ACCOUNTING +- INF("io", S_IRUGO, proc_tgid_io_accounting), ++ INF("io", S_IRUSR, proc_tgid_io_accounting), + #endif + }; + +@@ -2910,7 +2913,7 @@ static const struct pid_entry tid_base_s + REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations), + #endif + #ifdef CONFIG_TASK_IO_ACCOUNTING +- INF("io", S_IRUGO, proc_tid_io_accounting), ++ INF("io", S_IRUSR, proc_tid_io_accounting), + #endif + }; + diff --git a/queue-2.6.32/revert-block-rescan-partitions-on-invalidated-devices-on-enomedia.patch b/queue-2.6.32/revert-block-rescan-partitions-on-invalidated-devices-on-enomedia.patch new file mode 100644 index 0000000..b6e0cbd --- /dev/null +++ b/queue-2.6.32/revert-block-rescan-partitions-on-invalidated-devices-on-enomedia.patch @@ -0,0 +1,84 @@ +From a68753aa46dad44915db20f715d9bfbc5815fb8d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@suse.de> +Date: Tue, 2 Aug 2011 14:45:26 -0700 +Subject: Revert "block: rescan partitions on invalidated devices on -ENOMEDIA + too" + +This reverts commit 5b2745db12a3f97a9ec9efd4ffa077da707d3e4c (commit +02e352287a40bd456eb78df705bf888bc3161d3f upstream) + +This should have only been commited on .38 and newer, not older kernels +like this one, sorry. + +Cc: Tejun Heo <tj@kernel.org> +Cc: David Zeuthen <zeuthen@gmail.com> +Cc: Martin Pitt <martin.pitt@ubuntu.com> +Cc: Kay Sievers <kay.sievers@vrfy.org> +Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> +Cc: Jens Axboe <jaxboe@fusionio.com> +Cc: Andi Kleen <ak@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + fs/block_dev.c | 27 +++++++++------------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1203,7 +1203,6 @@ static int __blkdev_get(struct block_dev + if (!bdev->bd_part) + goto out_clear; + +- ret = 0; + if (disk->fops->open) { + ret = disk->fops->open(bdev, mode); + if (ret == -ERESTARTSYS) { +@@ -1219,18 +1218,9 @@ static int __blkdev_get(struct block_dev + mutex_unlock(&bdev->bd_mutex); + goto restart; + } ++ if (ret) ++ goto out_clear; + } +- /* +- * If the device is invalidated, rescan partition +- * if open succeeded or failed with -ENOMEDIUM. +- * The latter is necessary to prevent ghost +- * partitions on a removed medium. +- */ +- if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM)) +- rescan_partitions(disk, bdev); +- if (ret) +- goto out_clear; +- + if (!bdev->bd_openers) { + bd_set_size(bdev,(loff_t)get_capacity(disk)<<9); + bdi = blk_get_backing_dev_info(bdev); +@@ -1238,6 +1228,8 @@ static int __blkdev_get(struct block_dev + bdi = &default_backing_dev_info; + bdev->bd_inode->i_data.backing_dev_info = bdi; + } ++ if (bdev->bd_invalidated) ++ rescan_partitions(disk, bdev); + } else { + struct block_device *whole; + whole = bdget_disk(disk, 0); +@@ -1264,14 +1256,13 @@ static int __blkdev_get(struct block_dev + put_disk(disk); + disk = NULL; + if (bdev->bd_contains == bdev) { +- ret = 0; +- if (bdev->bd_disk->fops->open) ++ if (bdev->bd_disk->fops->open) { + ret = bdev->bd_disk->fops->open(bdev, mode); +- /* the same as first opener case, read comment there */ +- if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM)) ++ if (ret) ++ goto out_unlock_bdev; ++ } ++ if (bdev->bd_invalidated) + rescan_partitions(bdev->bd_disk, bdev); +- if (ret) +- goto out_unlock_bdev; + } + } + bdev->bd_openers++; diff --git a/queue-2.6.32/series b/queue-2.6.32/series index 11f6902..5500752 100644 --- a/queue-2.6.32/series +++ b/queue-2.6.32/series @@ -36,3 +36,15 @@ ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch ehci-only-power-off-port-if-over-current-is-active.patch ehci-fix-direction-handling-for-interrupt-data-toggles.patch +powerpc-pseries-hvconsole-fix-dropped-console-output.patch +x86-hpet-avoid-the-comparator-readback-penalty.patch +x86-hpet-chose-a-paranoid-safe-value-for-the-etime-check.patch +revert-block-rescan-partitions-on-invalidated-devices-on-enomedia.patch +cifs-clean-up-cifs_find_smb_ses-try-2.patch +cifs-fix-null-pointer-dereference-in-cifs_find_smb_ses.patch +cifs-check-for-null-session-password.patch +gre-fix-netns-vs-proto-registration-ordering.patch +netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch +tunnels-fix-netns-vs-proto-registration-ordering.patch +alpha-fix-several-security-issues.patch +proc-restrict-access-to-proc-pid-io.patch diff --git a/queue-2.6.32/tunnels-fix-netns-vs-proto-registration-ordering.patch b/queue-2.6.32/tunnels-fix-netns-vs-proto-registration-ordering.patch new file mode 100644 index 0000000..3327ac3 --- /dev/null +++ b/queue-2.6.32/tunnels-fix-netns-vs-proto-registration-ordering.patch @@ -0,0 +1,166 @@ +From d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978 Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan <adobriyan@gmail.com> +Date: Tue, 16 Feb 2010 09:05:04 +0000 +Subject: tunnels: fix netns vs proto registration ordering + +From: Alexey Dobriyan <adobriyan@gmail.com> + +commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978 upstream. + +Same stuff as in ip_gre patch: receive hook can be called before netns +setup is done, oopsing in net_generic(). + +Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/ipv4/ipip.c | 13 ++++++------- + net/ipv6/ip6_tunnel.c | 28 +++++++++++++++------------- + net/ipv6/sit.c | 13 ++++++------- + net/ipv6/xfrm6_tunnel.c | 22 +++++++++++----------- + 4 files changed, 38 insertions(+), 38 deletions(-) + +--- a/net/ipv4/ipip.c ++++ b/net/ipv4/ipip.c +@@ -830,15 +830,14 @@ static int __init ipip_init(void) + + printk(banner); + +- if (xfrm4_tunnel_register(&ipip_handler, AF_INET)) { ++ err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops); ++ if (err < 0) ++ return err; ++ err = xfrm4_tunnel_register(&ipip_handler, AF_INET); ++ if (err < 0) { ++ unregister_pernet_device(&ipip_net_ops); + printk(KERN_INFO "ipip init: can't register tunnel\n"); +- return -EAGAIN; + } +- +- err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops); +- if (err) +- xfrm4_tunnel_deregister(&ipip_handler, AF_INET); +- + return err; + } + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1466,27 +1466,29 @@ static int __init ip6_tunnel_init(void) + { + int err; + +- if (xfrm6_tunnel_register(&ip4ip6_handler, AF_INET)) { ++ err = register_pernet_device(&ip6_tnl_net_ops); ++ if (err < 0) ++ goto out_pernet; ++ ++ err = xfrm6_tunnel_register(&ip4ip6_handler, AF_INET); ++ if (err < 0) { + printk(KERN_ERR "ip6_tunnel init: can't register ip4ip6\n"); +- err = -EAGAIN; +- goto out; ++ goto out_ip4ip6; + } + +- if (xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6)) { ++ err = xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6); ++ if (err < 0) { + printk(KERN_ERR "ip6_tunnel init: can't register ip6ip6\n"); +- err = -EAGAIN; +- goto unreg_ip4ip6; ++ goto out_ip6ip6; + } + +- err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops); +- if (err < 0) +- goto err_pernet; + return 0; +-err_pernet: +- xfrm6_tunnel_deregister(&ip6ip6_handler, AF_INET6); +-unreg_ip4ip6: ++ ++out_ip6ip6: + xfrm6_tunnel_deregister(&ip4ip6_handler, AF_INET); +-out: ++out_ip4ip6: ++ unregister_pernet_device(&ip6_tnl_net_ops); ++out_pernet: + return err; + } + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1086,15 +1086,14 @@ static int __init sit_init(void) + + printk(KERN_INFO "IPv6 over IPv4 tunneling driver\n"); + +- if (xfrm4_tunnel_register(&sit_handler, AF_INET6) < 0) { +- printk(KERN_INFO "sit init: Can't add protocol\n"); +- return -EAGAIN; +- } +- + err = register_pernet_gen_device(&sit_net_id, &sit_net_ops); + if (err < 0) +- xfrm4_tunnel_deregister(&sit_handler, AF_INET6); +- ++ return err; ++ err = xfrm4_tunnel_register(&sit_handler, AF_INET6); ++ if (err < 0) { ++ unregister_pernet_device(&sit_net_ops); ++ printk(KERN_INFO "sit init: Can't add protocol\n"); ++ } + return err; + } + +--- a/net/ipv6/xfrm6_tunnel.c ++++ b/net/ipv6/xfrm6_tunnel.c +@@ -346,36 +346,36 @@ static int __init xfrm6_tunnel_init(void + { + int rv; + +- rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6); ++ rv = xfrm6_tunnel_spi_init(); + if (rv < 0) + goto err; ++ rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6); ++ if (rv < 0) ++ goto out_type; + rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6); + if (rv < 0) +- goto unreg; ++ goto out_xfrm6; + rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET); + if (rv < 0) +- goto dereg6; +- rv = xfrm6_tunnel_spi_init(); +- if (rv < 0) +- goto dereg46; ++ goto out_xfrm46; + return 0; + +-dereg46: +- xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET); +-dereg6: ++out_xfrm46: + xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6); +-unreg: ++out_xfrm6: + xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6); ++out_type: ++ xfrm6_tunnel_spi_fini(); + err: + return rv; + } + + static void __exit xfrm6_tunnel_fini(void) + { +- xfrm6_tunnel_spi_fini(); + xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET); + xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6); + xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6); ++ xfrm6_tunnel_spi_fini(); + } + + module_init(xfrm6_tunnel_init); diff --git a/queue-2.6.32/x86-hpet-avoid-the-comparator-readback-penalty.patch b/queue-2.6.32/x86-hpet-avoid-the-comparator-readback-penalty.patch new file mode 100644 index 0000000..1f9627f --- /dev/null +++ b/queue-2.6.32/x86-hpet-avoid-the-comparator-readback-penalty.patch @@ -0,0 +1,119 @@ +From khlebnikov@openvz.org Tue Aug 2 14:42:04 2011 +From: Konstantin Khlebnikov <khlebnikov@openvz.org> +Date: Fri, 29 Jul 2011 14:07:43 +0400 +Subject: x86: Hpet: Avoid the comparator readback penalty +To: <stable@kernel.org> +Message-ID: <20110729100743.15668.89332.stgit@localhost6> + + +From: Thomas Gleixner <tglx@linutronix.de> + +(imported from commit v2.6.36-rc4-167-g995bd3b) + +Due to the overly intelligent design of HPETs, we need to workaround +the problem that the compare value which we write is already behind +the actual counter value at the point where the value hits the real +compare register. This happens for two reasons: + +1) We read out the counter, add the delta and write the result to the + compare register. When a NMI or SMI hits between the read out and + the write then the counter can be ahead of the event already + +2) The write to the compare register is delayed by up to two HPET + cycles in certain chipsets. + +We worked around this by reading back the compare register to make +sure that the written value has hit the hardware. For certain ICH9+ +chipsets this can require two readouts, as the first one can return +the previous compare register value. That's bad performance wise for +the normal case where the event is far enough in the future. + +As we already know that the write can be delayed by up to two cycles +we can avoid the read back of the compare register completely if we +make the decision whether the delta has elapsed already or not based +on the following calculation: + + cmp = event - actual_count; + +If cmp is less than 8 HPET clock cycles, then we decide that the event +has happened already and return -ETIME. That covers the above #1 and +#2 problems which would cause a wait for HPET wraparound (~306 +seconds). + +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Tested-by: Nix <nix@esperi.org.uk> +Tested-by: Artur Skawina <art.08.09@gmail.com> +Cc: Damien Wyart <damien.wyart@free.fr> +Tested-by: John Drescher <drescherjm@gmail.com> +Cc: Venkatesh Pallipadi <venki@google.com> +Cc: Arjan van de Ven <arjan@linux.intel.com> +Cc: Andreas Herrmann <andreas.herrmann3@amd.com> +Tested-by: Borislav Petkov <borislav.petkov@amd.com> +Cc: Suresh Siddha <suresh.b.siddha@intel.com> +LKML-Reference: <alpine.LFD.2.00.1009151500060.2416@localhost6.localdomain6> +Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + arch/x86/kernel/hpet.c | 43 +++++++++++++++++++++---------------------- + 1 file changed, 21 insertions(+), 22 deletions(-) + +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -379,36 +379,35 @@ static int hpet_next_event(unsigned long + struct clock_event_device *evt, int timer) + { + u32 cnt; ++ s32 res; + + cnt = hpet_readl(HPET_COUNTER); + cnt += (u32) delta; + hpet_writel(cnt, HPET_Tn_CMP(timer)); + + /* +- * We need to read back the CMP register on certain HPET +- * implementations (ATI chipsets) which seem to delay the +- * transfer of the compare register into the internal compare +- * logic. With small deltas this might actually be too late as +- * the counter could already be higher than the compare value +- * at that point and we would wait for the next hpet interrupt +- * forever. We found out that reading the CMP register back +- * forces the transfer so we can rely on the comparison with +- * the counter register below. If the read back from the +- * compare register does not match the value we programmed +- * then we might have a real hardware problem. We can not do +- * much about it here, but at least alert the user/admin with +- * a prominent warning. +- * An erratum on some chipsets (ICH9,..), results in comparator read +- * immediately following a write returning old value. Workaround +- * for this is to read this value second time, when first +- * read returns old value. ++ * HPETs are a complete disaster. The compare register is ++ * based on a equal comparison and neither provides a less ++ * than or equal functionality (which would require to take ++ * the wraparound into account) nor a simple count down event ++ * mode. Further the write to the comparator register is ++ * delayed internally up to two HPET clock cycles in certain ++ * chipsets (ATI, ICH9,10). We worked around that by reading ++ * back the compare register, but that required another ++ * workaround for ICH9,10 chips where the first readout after ++ * write can return the old stale value. We already have a ++ * minimum delta of 5us enforced, but a NMI or SMI hitting ++ * between the counter readout and the comparator write can ++ * move us behind that point easily. Now instead of reading ++ * the compare register back several times, we make the ETIME ++ * decision based on the following: Return ETIME if the ++ * counter value after the write is less than 8 HPET cycles ++ * away from the event or if the counter is already ahead of ++ * the event. + */ +- if (unlikely((u32)hpet_readl(HPET_Tn_CMP(timer)) != cnt)) { +- WARN_ONCE((u32)hpet_readl(HPET_Tn_CMP(timer)) != cnt, +- KERN_WARNING "hpet: compare register read back failed.\n"); +- } ++ res = (s32)(cnt - (u32)hpet_readl(HPET_COUNTER)); + +- return (s32)((u32)hpet_readl(HPET_COUNTER) - cnt) >= 0 ? -ETIME : 0; ++ return res < 8 ? -ETIME : 0; + } + + static void hpet_legacy_set_mode(enum clock_event_mode mode, diff --git a/queue-2.6.32/x86-hpet-chose-a-paranoid-safe-value-for-the-etime-check.patch b/queue-2.6.32/x86-hpet-chose-a-paranoid-safe-value-for-the-etime-check.patch new file mode 100644 index 0000000..46d8296 --- /dev/null +++ b/queue-2.6.32/x86-hpet-chose-a-paranoid-safe-value-for-the-etime-check.patch @@ -0,0 +1,102 @@ +From khlebnikov@openvz.org Tue Aug 2 14:42:16 2011 +From: Konstantin Khlebnikov <khlebnikov@openvz.org> +Date: Fri, 29 Jul 2011 14:07:44 +0400 +Subject: x86: HPET: Chose a paranoid safe value for the ETIME check +To: <stable@kernel.org> +Message-ID: <20110729100744.15668.23742.stgit@localhost6> + + +From: Thomas Gleixner <tglx@linutronix.de> + +(imported from commit v2.6.37-rc5-64-gf1c1807) + +commit 995bd3bb5 (x86: Hpet: Avoid the comparator readback penalty) +chose 8 HPET cycles as a safe value for the ETIME check, as we had the +confirmation that the posted write to the comparator register is +delayed by two HPET clock cycles on Intel chipsets which showed +readback problems. + +After that patch hit mainline we got reports from machines with newer +AMD chipsets which seem to have an even longer delay. See +http://thread.gmane.org/gmane.linux.kernel/1054283 and +http://thread.gmane.org/gmane.linux.kernel/1069458 for further +information. + +Boris tried to come up with an ACPI based selection of the minimum +HPET cycles, but this failed on a couple of test machines. And of +course we did not get any useful information from the hardware folks. + +For now our only option is to chose a paranoid high and safe value for +the minimum HPET cycles used by the ETIME check. Adjust the minimum ns +value for the HPET clockevent accordingly. + +Reported-Bistected-and-Tested-by: Markus Trippelsdorf <markus@trippelsdorf.de> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +LKML-Reference: <alpine.LFD.2.00.1012131222420.2653@localhost6.localdomain6> +Cc: Simon Kirby <sim@hostway.ca> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Andreas Herrmann <Andreas.Herrmann3@amd.com> +Cc: John Stultz <johnstul@us.ibm.com> +Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + arch/x86/kernel/hpet.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -27,6 +27,9 @@ + #define HPET_DEV_FSB_CAP 0x1000 + #define HPET_DEV_PERI_CAP 0x2000 + ++#define HPET_MIN_CYCLES 128 ++#define HPET_MIN_PROG_DELTA (HPET_MIN_CYCLES + (HPET_MIN_CYCLES >> 1)) ++ + #define EVT_TO_HPET_DEV(evt) container_of(evt, struct hpet_dev, evt) + + /* +@@ -298,8 +301,9 @@ static void hpet_legacy_clockevent_regis + /* Calculate the min / max delta */ + hpet_clockevent.max_delta_ns = clockevent_delta2ns(0x7FFFFFFF, + &hpet_clockevent); +- /* 5 usec minimum reprogramming delta. */ +- hpet_clockevent.min_delta_ns = 5000; ++ /* Setup minimum reprogramming delta. */ ++ hpet_clockevent.min_delta_ns = clockevent_delta2ns(HPET_MIN_PROG_DELTA, ++ &hpet_clockevent); + + /* + * Start hpet with the boot cpu mask and make it +@@ -392,22 +396,24 @@ static int hpet_next_event(unsigned long + * the wraparound into account) nor a simple count down event + * mode. Further the write to the comparator register is + * delayed internally up to two HPET clock cycles in certain +- * chipsets (ATI, ICH9,10). We worked around that by reading +- * back the compare register, but that required another +- * workaround for ICH9,10 chips where the first readout after +- * write can return the old stale value. We already have a +- * minimum delta of 5us enforced, but a NMI or SMI hitting ++ * chipsets (ATI, ICH9,10). Some newer AMD chipsets have even ++ * longer delays. We worked around that by reading back the ++ * compare register, but that required another workaround for ++ * ICH9,10 chips where the first readout after write can ++ * return the old stale value. We already had a minimum ++ * programming delta of 5us enforced, but a NMI or SMI hitting + * between the counter readout and the comparator write can + * move us behind that point easily. Now instead of reading + * the compare register back several times, we make the ETIME + * decision based on the following: Return ETIME if the +- * counter value after the write is less than 8 HPET cycles ++ * counter value after the write is less than HPET_MIN_CYCLES + * away from the event or if the counter is already ahead of +- * the event. ++ * the event. The minimum programming delta for the generic ++ * clockevents code is set to 1.5 * HPET_MIN_CYCLES. + */ + res = (s32)(cnt - (u32)hpet_readl(HPET_COUNTER)); + +- return res < 8 ? -ETIME : 0; ++ return res < HPET_MIN_CYCLES ? -ETIME : 0; + } + + static void hpet_legacy_set_mode(enum clock_event_mode mode, |