Age        Commit message                                                        Author            Files / Lines
2012-10-06  Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo  [HEAD, master]  Roland Dreier  (1 file, -1/+1)

    commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a upstream

    Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code") made the check on si_code too strict. There are several legitimate places where glibc wants to queue a negative si_code different from SI_QUEUE:

    - This was first noticed with glibc's aio implementation, which wants to queue a signal with si_code SI_ASYNCIO; the current kernel causes glibc's tst-aio4 test to fail because rt_sigqueueinfo() fails with EPERM.

    - Further examination of the glibc source shows that getaddrinfo_a() wants to use SI_ASYNCNL (which the kernel does not even define). The timer_create() fallback code wants to queue signals with SI_TIMER.

    As suggested by Oleg Nesterov <oleg@redhat.com>, loosen the check to forbid only the problematic SI_TKILL case.

    Reported-by: Klaus Dittrich <kladit@arcor.de>
    Acked-by: Julien Tinnes <jln@google.com>
    Cc: <stable@kernel.org>
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Tested-by: Krzysztof Mazur <krzysiek@podlesie.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: The TLB miss handler manages ACCESSED correctly.  Joakim Tjernlund  (1 file, -10/+0)

    The new MMU/TLB code no longer sets ACCESSED unconditionally so remove the exception.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Optimize TLB Miss handlers  Joakim Tjernlund  (1 file, -2/+9)

    Only update pte w.r.t. ACCESSED if it isn't already set.
    Wrap ACCESSED with #ifndef NO_SWAP to ease optimization.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Use symbolic constants in TLB asm  Joakim Tjernlund  (1 file, -6/+6)

    Use the PTE #defines where possible instead of hardcoded constants.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: start using dcbX instructions in various copy routines  Joakim Tjernlund  (2 files, -35/+0)

    Now that 8xx can fixup dcbX instructions, start using them where possible like every other PowerPC arch does.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Set correct HW pte flags in DTLB Error too  Joakim Tjernlund  (1 file, -1/+6)

    DTLB Error needs to adjust the HW PTE bits as DTLB Miss does.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Restore _PAGE_WRITETHRU  Joakim Tjernlund  (2 files, -2/+11)

    8xx has not had WRITETHRU due to lack of bits in the pte. After the recent rewrite of the 8xx TLB code, there are two bits left. Use one of them for WRITETHRU.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Add missing Guarded setting in DTLB Error.  Joakim Tjernlund  (1 file, -3/+9)

    Only DTLB Miss set this bit; DTLB Error needs to as well, otherwise the setting is lost when the page becomes dirty.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: CPU6 errata make DTLB error too big to fit.  Joakim Tjernlund  (1 file, -21/+2)

    Branch to common code in DTLB Miss instead.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Fixup DAR from buggy dcbX instructions.  Joakim Tjernlund  (1 file, -3/+146)

    This is an assembler version to fixup DAR not being set by dcbX, icbi instructions. There are two versions, one uses self-modifying code, the other uses a jump table but is much bigger (default).

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Update TLB asm so it behaves as linux mm expects.  Joakim Tjernlund  (2 files, -29/+39)

    Update the TLB asm to make proper use of _PAGE_DIRTY and _PAGE_ACCESSED. Get rid of _PAGE_HWWRITE too.

    Pros:
    - PRESENT is copied to ACCESSED, fixing accounting
    - DIRTY is mapped to 0x100, the changed bit, and is set directly when a page has been made dirty.
    - Proper RO/RW mapping of user space.
    - Free up 2 SW TLB bits in the linux pte (add back _PAGE_WRITETHRU ?)
    - kernel RO/user NA support. Not sure this is really needed, would save a few insn if not required.

    Cons:
    - A few more instructions in the DTLB Miss routine.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Fix CONFIG_PIN_TLB  Joakim Tjernlund  (1 file, -2/+2)

    The wrong register was loaded into MD_RPN.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: invalidate non present TLBs  Joakim Tjernlund  (1 file, -2/+10)

    8xx sometimes needs to load an invalid/non-present TLB in its DTLB asm handler. These must be invalidated separately as the 8xx MMU doesn't.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Tag DAR with 0x00f0 to catch buggy instructions.  Joakim Tjernlund  (1 file, -1/+17)

    dcbz, dcbf, dcbi, dcbst and icbi do not set DAR when they cause a DTLB Error. Detect this by tagging DAR with 0x00f0 at every exception exit that modifies DAR.

    This also fixes MachineCheck to pass DAR and DSISR as well.

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  8xx: Use a macro to simplify CPU6 errata code.  Joakim Tjernlund  (1 file, -62/+22)

    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops  Timo Warns  (1 file, -0/+14)

    The kernel automatically evaluates partition tables of storage devices. The code for evaluating GUID partitions (in fs/partitions/efi.c) contains a bug that causes a kernel oops on certain corrupted GUID partition tables.

    This bug has security impacts, because it allows, for example, to prepare a storage device that crashes a kernel subsystem upon connecting the device (e.g., a "USB Stick of (Partial) Death").

        crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));

    computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes. There is no validation of (*gpt)->header_size before the efi_crc32 call.

    A corrupted partition table may have large values for (*gpt)->header_size. In this case, the CRC32 computation accesses memory beyond the memory allocated for gpt, which may cause a kernel heap overflow.

    Validate value of GUID partition table header size.

    [akpm@linux-foundation.org: fix layout and indenting]
    Signed-off-by: Timo Warns <warns@pre-sense.de>
    Cc: Matt Domsch <Matt_Domsch@dell.com>
    Cc: Eugene Teo <eugeneteo@kernel.sg>
    Cc: Dave Jones <davej@codemonkey.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    [ WT: no bdev_logical_block_size() in 2.4, use get_hardsect_size() instead ]
    Signed-off-by: Willy Tarreau <w@1wt.eu>
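The header_size check described in the commit above, as an added example written for this page (it is not the kernel's fs/partitions/efi.c; efi_crc32() and the gpt_header layout are only mirrored): a userland validator that bounds header_size between the 92-byte fixed header and the logical block size before running the CRC, together with a constructed sample header to exercise it. Field offsets follow the EFI specification; the helper names and the sample block are this example's own.

```c
/* Added example, not kernel code: bound GPT header_size before the CRC. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GPT_HDR_MIN_SIZE      92u   /* size of the fixed GPT header (EFI spec) */
#define GPT_OFF_SIGNATURE      0
#define GPT_OFF_REVISION       8
#define GPT_OFF_HEADER_SIZE   12
#define GPT_OFF_HEADER_CRC32  16

static const unsigned char GPT_SIGNATURE[8] = { 'E','F','I',' ','P','A','R','T' };

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* CRC-32 with the IEEE polynomial, the checksum GPT uses (same as efi_crc32()). */
uint32_t crc32_ieee(const unsigned char *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Validate the GPT header held in `block` (one logical block of block_size
 * bytes, as read from LBA 1). Returns 1 if accepted, 0 if rejected. The CRC
 * runs only after header_size has been bounded, so a corrupted header_size
 * can no longer make the CRC read past the block. */
int gpt_header_is_valid(const unsigned char *block, size_t block_size)
{
    if (block_size < GPT_HDR_MIN_SIZE)
        return 0;
    if (memcmp(block + GPT_OFF_SIGNATURE, GPT_SIGNATURE, 8) != 0)
        return 0;

    uint32_t header_size = get_le32(block + GPT_OFF_HEADER_SIZE);

    /* The check the commit adds: header_size must cover the whole fixed
     * header and must not exceed the block the header was read from. */
    if (header_size < GPT_HDR_MIN_SIZE || header_size > block_size)
        return 0;

    /* The CRC is defined over header_size bytes with header_crc32 zeroed. */
    unsigned char *tmp = malloc(header_size);
    if (tmp == NULL)
        return 0;
    memcpy(tmp, block, header_size);
    memset(tmp + GPT_OFF_HEADER_CRC32, 0, 4);
    uint32_t computed = crc32_ieee(tmp, header_size);
    free(tmp);

    return computed == get_le32(block + GPT_OFF_HEADER_CRC32);
}

/* Constructed sample (not a real disk): an otherwise-zero header with the
 * given header_size. The CRC is correct whenever header_size fits in the
 * block; for an oversized header_size it is computed over the minimum
 * header, mimicking a table whose only corruption is that field. */
void make_sample_gpt(unsigned char *block, size_t block_size, uint32_t header_size)
{
    memset(block, 0, block_size);
    memcpy(block + GPT_OFF_SIGNATURE, GPT_SIGNATURE, 8);
    put_le32(block + GPT_OFF_REVISION, 0x00010000u);
    put_le32(block + GPT_OFF_HEADER_SIZE, header_size);
    size_t crc_len = header_size <= block_size ? header_size : GPT_HDR_MIN_SIZE;
    put_le32(block + GPT_OFF_HEADER_CRC32, crc32_ieee(block, crc_len));
}
```

Feeding the sample a header_size of 0xFFFFFFF0 shows the rejection happening before any CRC byte is read, which is the path the unpatched code took into memory beyond the gpt allocation; a header_size equal to the full block is still accepted, since the spec only requires the CRC to cover at least the fixed header.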
2012-04-09  Validate size of EFI GUID partition entries.  Timo Warns  (1 file, -0/+8)

    Otherwise corrupted EFI partition tables can cause total confusion.

    Signed-off-by: Timo Warns <warns@pre-sense.de>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code  Julien Tinnes  (1 file, -2/+5)

    Userland should be able to trust the pid and uid of the sender of a signal if the si_code is SI_TKILL.

    Unfortunately, the kernel has historically allowed sigqueueinfo() to send any si_code at all (as long as it was negative - to distinguish it from kernel-generated signals like SIGILL etc), so it could spoof a SI_TKILL with incorrect siginfo values.

    Happily, it looks like glibc has always set si_code to the appropriate SI_QUEUE, so there is probably no actual user code that ever uses anything but the appropriate SI_QUEUE flag.

    So just tighten the check for si_code (we used to allow any negative value), and add a (one-time) warning in case there are binaries out there that might depend on using other si_code values.

    Signed-off-by: Julien Tinnes <jln@google.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    [ WT: removed the WARN_ON_ONCE() which is not available in 2.4 and not critical ]
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  s390: remove task_show_regs  Martin Schwidefsky  (5 files, -81/+0)

    task_show_regs used to be a debugging aid in the early bringup days of Linux on s390. /proc/<pid>/status is a world readable file, it is not a good idea to show the registers of a process. The only correct fix is to remove task_show_regs.

    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1  Dan Rosenberg  (1 file, -0/+1)

    The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to xfs_fs_geometry() with a version number of 3. This code path does not fill in the logsunit member of the passed xfs_fsop_geom_t, leading to the leaking of four bytes of uninitialized stack data to potentially unprivileged callers.

    v2 switches to memset() to avoid future issues if structure members change, on suggestion of Dave Chinner.

    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Reviewed-by: Eugene Teo <eugeneteo@kernel.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-04-09  Prevent buffer overflow in OSS load_mixer_volumes  Dan Rosenberg  (1 file, -2/+2)

    The load_mixer_volumes() function, which can be triggered by unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to a buffer overflow. Because the provided "name" argument isn't guaranteed to be NULL terminated at the expected 32 bytes, it's possible to overflow past the end of the last element in the mixer_vols array. Further exploitation can result in an arbitrary kernel write (via subsequent calls to load_mixer_volumes()) leading to privilege escalation, or arbitrary kernel reads via get_mixer_levels(). In addition, the strcmp() may leak bytes beyond the mixer_vols array.

    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Cc: stable <stable@kernel.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
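As an added example (not the OSS driver's code): the bounded name handling that the fix above applies. A 32-byte name that need not be NUL-terminated cannot be handled with strcmp()/strcpy(), which run past the field into the next member and, for the last table entry, past the array; comparing and copying with the field size is the whole fix. The struct shape, table size and helper names are assumptions made for this example; the unterminated 32-byte name is the detail from the commit that matters.

```c
/* Added example, not kernel code: bounded handling of an unterminated name. */
#include <string.h>
#include <stddef.h>

#define MAX_MIXER_DEV   8     /* assumed table size */
#define MIXER_NAME_LEN  32    /* the 32 bytes named in the commit */

struct mixer_vol_table {
    int  num;
    char name[MIXER_NAME_LEN];   /* NOT guaranteed to be NUL-terminated */
    int  levels[32];             /* an overflow of `name` lands here, or past the array */
};

static struct mixer_vol_table mixer_vols[MAX_MIXER_DEV];
static int num_mixer_volumes;

/* Find the table for `name` (exactly MIXER_NAME_LEN bytes, possibly with no
 * terminator), creating one if there is room. Returns the index, or -1 when
 * the table is full. */
int find_or_add_mixer(const char name[MIXER_NAME_LEN])
{
    for (int i = 0; i < num_mixer_volumes; i++) {
        /* strcmp(name, mixer_vols[i].name) would read beyond both 32-byte
         * fields until it happened upon a NUL; bound it to the field. */
        if (strncmp(name, mixer_vols[i].name, MIXER_NAME_LEN) == 0)
            return i;
    }
    if (num_mixer_volumes >= MAX_MIXER_DEV)
        return -1;

    int n = num_mixer_volumes++;
    /* strcpy(mixer_vols[n].name, name) is the original overflow: with no
     * terminator in the first 32 bytes it keeps writing into `levels` and,
     * for the last slot, past the array. Copy exactly the field size. */
    memcpy(mixer_vols[n].name, name, MIXER_NAME_LEN);
    mixer_vols[n].num = n;
    return n;
}

void reset_mixer_tables(void)
{
    memset(mixer_vols, 0, sizeof mixer_vols);
    num_mixer_volumes = 0;
}

/* Read-back helper so a caller can confirm the member after `name` was never
 * touched by the copy. */
int mixer_first_level(int idx)
{
    return mixer_vols[idx].levels[0];
}

/* Constructs a worst-case name: 32 identical bytes, no NUL anywhere. */
void unterminated_name(char out[MIXER_NAME_LEN], char fill)
{
    memset(out, fill, MIXER_NAME_LEN);
}
```

With the bounded calls, a caller can register eight distinct unterminated names, look each one up again, and see the table refuse a ninth, while levels[0] of every entry stays untouched; the same input through strcmp()/strcpy() is undefined behaviour, which is why the unsafe variant is only described in comments here rather than compiled.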
2012-04-09  irda: prevent integer underflow in IRLMP_ENUMDEVICES  Dan Rosenberg  (1 file, -7/+11)

    If the user-provided len is less than the expected offset, the IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large size value. While this isn't a security issue on x86 because it will get caught by the access_ok() check, it may leak large amounts of kernel heap on other architectures. In any event, this patch fixes it.

    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Cc: stable <stable@kernel.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-12-18  Change VERSION to 2.4.37.11  [v2.4.37.11]  Willy Tarreau  (1 file, -1/+1)

    - drivers/net/eql.c: prevent reading uninitialized stack memory
    - sys_semctl: fix kernel stack leakage
    - x25: Prevent crashing when parsing bad X.25 facilities
    - rose: Fix signedness issues wrt. digi count.
    - NET: SGIseeq: Add support for Challenge S Mezz board
    - do_exit(): make sure that we run with get_fs() == USER_DS
    - MTD: Add AMD Alchemy Mirage mapping driver.
    - econet: fix CVE-2010-3848
    - econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
    - econet: fix CVE-2010-3850
    - NET: hdlcdrv: Make driver stop method stop queue.
    - CHAR: New key map for IBM WorkPad z50.
    - irda: Fix parameter extraction stack overflow
    - drivers/char/ppdev.c: fix information leak to userland
    - ipc: shm: fix information leak to userland
    - net: atm/clip does not work anymore as a module
    - ext3: ext3_symlink should use GFP_NOFS allocations inside
    - net: packet: fix information leak to userland
    - usb: core: fix information leak to userland
    - block: ioctl: fix information leak to userland

    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-12-18  block: ioctl: fix information leak to userland  Willy Tarreau  (11 files, -0/+14)

    Structure hd_geometry is copied to userland with 4 padding bytes between cylinders and start fields uninitialized on 64-bit platforms. It leads to leaking of contents of kernel stack memory.

    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
    (2.6 commit: a014741c0adfb8fb79952939ca087cf03d272bb9)
    [WT: different fix from 2.6 because we could not centralize the ioctl, so all affected drivers had to be fixed ]
    Signed-off-by: Willy Tarreau <w@1wt.eu>
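An added example, not kernel code, showing the hd_geometry padding hole this commit fixes; the same pattern (fields assigned one by one, the whole object copied out) underlies the other "fix information leak to userland" commits in this log. Assigning every named field leaves the compiler-inserted padding holding whatever the previous stack user left, so a memset() before the field stores is what makes the copy to userland deterministic. The struct follows the layout the commit names (heads, sectors, cylinders, start); the poison value and the helper functions are this example's own.

```c
/* Added example, not kernel code: measuring what padding leaks. */
#include <string.h>
#include <stddef.h>

struct hd_geometry {
    unsigned char  heads;
    unsigned char  sectors;
    unsigned short cylinders;
    unsigned long  start;   /* 8-byte aligned on 64-bit: 4 padding bytes sit before it */
};

/* Lets us inspect the object byte by byte, padding included. */
union geo_bytes {
    struct hd_geometry g;
    unsigned char raw[sizeof(struct hd_geometry)];
};

#define POISON 0xAA   /* stands in for whatever the previous stack frame left behind */

/* Pre-fix pattern: assign every named field, then copy the whole struct out. */
static void fill_fields_only(struct hd_geometry *g)
{
    g->heads     = 16;
    g->sectors   = 63;
    g->cylinders = 1024;
    g->start     = 0;
}

/* Fixed pattern: clear the object first so the padding is deterministic. */
static void fill_after_memset(struct hd_geometry *g)
{
    memset(g, 0, sizeof(*g));
    g->heads     = 16;
    g->sectors   = 63;
    g->cylinders = 1024;
    g->start     = 0;
}

/* Simulate a dirty stack, run the fill, and count the bytes that would reach
 * userland still holding the old contents. Field values are chosen so that
 * no field byte equals POISON. */
size_t leaked_bytes(void (*fill)(struct hd_geometry *))
{
    union geo_bytes u;
    memset(u.raw, POISON, sizeof u.raw);
    fill(&u.g);
    size_t n = 0;
    for (size_t i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == POISON)
            n++;
    return n;
}

size_t leak_with_fields_only(void) { return leaked_bytes(fill_fields_only); }
size_t leak_with_memset(void)      { return leaked_bytes(fill_after_memset); }

/* Padding present in the struct, derived from the layout: 4 on LP64, 0 on ILP32. */
size_t hd_geometry_padding(void)
{
    return sizeof(struct hd_geometry)
           - 2 * sizeof(unsigned char) - sizeof(unsigned short) - sizeof(unsigned long);
}
```

On a 64-bit build leak_with_fields_only() reports exactly the 4 bytes the commit describes and leak_with_memset() reports none; on a 32-bit build both report 0, which is why the bug went unnoticed where unsigned long is 4 bytes.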
2010-12-18  usb: core: fix information leak to userland  Willy Tarreau  (1 file, -3/+4)

    Structure usbdevfs_connectinfo is copied to userland with padding bytes after "slow" field uninitialized. It leads to leaking of contents of kernel stack memory.

    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Cc: stable <stable@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    (cherry picked from commit 886ccd4520064408ce5876cfe00554ce52ecf4a7)
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-12-18  net: packet: fix information leak to userland  Willy Tarreau  (1 file, -0/+1)

    packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy().

    The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll. Set it to zero.

    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from commit 67286640f638f5ad41a946b9a3dc75327950248f)
2010-12-18  ipc: shm: fix information leak to userland  Vasiliy Kulikov  (1 file, -0/+1)

    The shmid_ds structure is copied to userland with shm_unused{,2,3} fields uninitialized. It leads to leaking of contents of kernel stack memory.

    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    (cherry picked from commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44)
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-12-18  drivers/char/ppdev.c: fix information leak to userland  Vasiliy Kulikov  (1 file, -0/+1)

    Structure par_timeout is copied to userland with some padding fields uninitialized. Field tv_usec has type __kernel_suseconds_t, it differs from tv_sec's type on some architectures. It leads to leaking of stack memory.

    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from commit b9b1134260e036fb75c468514569864dd6722f3e)
2010-12-13  econet: fix CVE-2010-3850  Phil Blundell  (1 file, -0/+3)

    Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.

    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from 2.6 commit 16c41745c7b92a243d0874f534c1655196c64b74)
2010-12-13  econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849  Phil Blundell  (1 file, -14/+6)

    Later parts of econet_sendmsg() rely on saddr != NULL, so return early with EINVAL if NULL was passed otherwise an oops may occur.

    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from 2.6 commit fa0e846494792e722d817b9d3d625a4ef4896c96)
2010-12-12  econet: fix CVE-2010-3848  Phil Blundell  (1 file, -14/+25)

    Don't declare variable sized array of iovecs on the stack since this could cause stack overflow if msg->msgiovlen is large. Instead, coalesce the user-supplied data into a new buffer and use a single iovec for it.

    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from 2.6 commit a27e13d370415add3487949c60810e36069a23a6)
2010-12-12  x25: Prevent crashing when parsing bad X.25 facilities  Dan Rosenberg  (1 file, -1/+9)

    Now with improved comma support.

    On parsing malformed X.25 facilities, decrementing the remaining length may cause it to underflow. Since the length is an unsigned integer, this will result in the loop continuing until the kernel crashes.

    This patch adds checks to ensure decrementing the remaining length does not cause it to wrap around.

    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from 2.6 commit a6331d6f9a4298173b413cf99a40cc86a9d92c37)
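The facilities loop the commit above describes, as an added example (not net/x25/x25_facilities.c): a walker over the X.25 facilities field that checks each decrement of the unsigned remaining length before applying it, instead of letting it wrap and running until the kernel crashes. Facility classes follow the X.25 code format (the top two bits of the code byte: class A carries one parameter byte, B two, C three, D a length byte followed by that many bytes); the sample byte strings and the function name are constructed for this example.

```c
/* Added example, not kernel code: X.25 facilities walker with wrap guards. */
#include <stddef.h>

#define FAC_CLASS_MASK 0xC0
#define FAC_CLASS_A    0x00   /* code + 1 parameter byte            */
#define FAC_CLASS_B    0x40   /* code + 2 parameter bytes           */
#define FAC_CLASS_C    0x80   /* code + 3 parameter bytes           */
#define FAC_CLASS_D    0xC0   /* code + length byte + that many bytes */

/* Parse buf[0..buflen): the first byte is the facilities length, followed by
 * that many bytes of facilities. Returns the number of facilities parsed, or
 * -1 for malformed input. The pre-fix loop did `len -= n` on an unsigned
 * count with no check, so a class D facility claiming more bytes than remain
 * wrapped `len` to a huge value and the loop walked off the packet; here
 * every decrement is bounded first. */
int parse_x25_facilities(const unsigned char *buf, size_t buflen)
{
    if (buflen < 1)
        return -1;
    unsigned int len = buf[0];             /* remaining facilities length, unsigned */
    if ((size_t)len + 1 > buflen)
        return -1;                         /* claimed length exceeds the packet */

    const unsigned char *p = buf + 1;
    int count = 0;

    while (len > 0) {
        unsigned int need;
        switch (p[0] & FAC_CLASS_MASK) {
        case FAC_CLASS_A: need = 2; break;
        case FAC_CLASS_B: need = 3; break;
        case FAC_CLASS_C: need = 4; break;
        default:                           /* FAC_CLASS_D */
            if (len < 2)
                return -1;                 /* no room for the length byte */
            need = 2u + p[1];
            break;
        }
        /* The fix: refuse rather than let `len` wrap below zero. */
        if (need > len)
            return -1;
        p   += need;
        len -= need;
        count++;
    }
    return count;
}

/* Constructed samples (not captured traffic). */
const unsigned char x25_fac_good[] = {
    0x08,                          /* facilities length = 8 */
    0x42, 0x07, 0x07,              /* class B: code 0x42, two parameter bytes */
    0xC9, 0x03, 0x01, 0x02, 0x03   /* class D: code 0xC9, length 3, three bytes */
};
const unsigned char x25_fac_wrap[] = {
    0x03,                          /* facilities length = 3 */
    0xC9, 0x10, 0x00               /* class D claims 16 bytes; only 3 remain */
};
const unsigned char x25_fac_overclaim[] = { 0x05, 0x01 };   /* length byte exceeds packet */
const unsigned char x25_fac_empty[]     = { 0x00 };
```

On x25_fac_wrap the unguarded loop would compute 3 - 18 in unsigned arithmetic and keep reading; the guarded walker returns -1 on the first facility, which is the behaviour the added checks restore.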
2010-12-12  irda: Fix parameter extraction stack overflow  Samuel Ortiz  (1 file, -1/+3)

    Cc: stable@kernel.org
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from 2.6 commit efc463eb508798da4243625b08c7396462cabf9f)
2010-12-12  sys_semctl: fix kernel stack leakage  Dan Rosenberg  (1 file, -0/+2)

    The semctl syscall has several code paths that lead to the leakage of uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO, IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete version of the semid_ds struct.

    The copy_semid_to_user() function declares a semid_ds struct on the stack and copies it back to the user without initializing or zeroing the "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers, allowing the leakage of 16 bytes of kernel stack memory.

    The code is still reachable on 32-bit systems - when calling semctl() newer glibc's automatically OR the IPC command with the IPC_64 flag, but invoking the syscall directly allows users to use the older versions of the struct.

    Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from 2.6 commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56)
2010-12-12  rose: Fix signedness issues wrt. digi count.  David S. Miller  (1 file, -2/+2)

    Just use explicit casts, since we really can't change the types of structures exported to userspace which have been around for 15 years or so.

    Reported-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from 2.6 commit 9828e6e6e3f19efcb476c567b9999891d051f52f)
2010-12-12  drivers/net/eql.c: prevent reading uninitialized stack memory  Dan Rosenberg  (1 file, -0/+2)

    The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16 bytes of uninitialized stack memory, because the "master_name" member of the master_config_t struct declared on the stack in eql_g_master_cfg() is not altered or zeroed before being copied back to the user. This patch takes care of it.

    Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from 2.6 commit 44467187dc22fdd33a1a06ea0ba86ce20be3fe3c)
2010-12-12  do_exit(): make sure that we run with get_fs() == USER_DS  Nelson Elhage  (1 file, -0/+10)

    If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not otherwise reset before do_exit(). do_exit may later (via mm_release in fork.c) do a put_user to a user-controlled address, potentially allowing a user to leverage an oops into a controlled write into kernel memory.

    This is only triggerable in the presence of another bug, but this potentially turns a lot of DoS bugs into privilege escalations, so it's worth fixing. I have proof-of-concept code which uses this bug along with CVE-2010-3849 to write a zero to an arbitrary kernel address, so I've tested that this is not theoretical.

    A more logical place to put this fix might be when we know an oops has occurred, before we call do_exit(), but that would involve changing every architecture, in multiple places.

    Let's just stick it in do_exit instead.

    (backported from 2.6 commit 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177)

    [akpm@linux-foundation.org: update code comment]
    Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-12-12  ext3: ext3_symlink should use GFP_NOFS allocations inside  Willy Tarreau  (4 files, -3/+12)

    This is a backport of 2.6 patch 0adb25d2e71ab047423d6fc63d5d184590d0a66f. Sascha Umlang reported the exact same issue and traces and confirmed that this backport fixes the issue for him.

    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-09-10  MTD: Add AMD Alchemy Mirage mapping driver.  Pete Popov  (3 files, -0/+198)

    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

     drivers/mtd/maps/Config.in      |    3
     drivers/mtd/maps/Makefile       |    1
     drivers/mtd/maps/mirage-flash.c |  194 ++++++++++++++++++++++++++++++++++++++++
     3 files changed, 198 insertions(+)

    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-09-10  CHAR: New key map for IBM WorkPad z50.  Ralf Baechle  (3 files, -2/+349)

    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

     arch/mips/config-shared.in          |    1
     drivers/char/Makefile               |    7
     drivers/char/ibm_workpad_keymap.map |  343 ++++++++++++++++++++++++++++++++++++
     3 files changed, 349 insertions(+), 2 deletions(-)

    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-09-09  NET: SGIseeq: Add support for Challenge S Mezz board  Ladislav Michl  (3 files, -60/+78)

    Add support for Seeq 8003 on Challenge S Mezz board. Thanks to Jö Fahlke for donating hardware.

    Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-09-08  NET: hdlcdrv: Make driver stop method stop queue.  Ralf Baechle  (1 file, -0/+2)

    The stop method of a driver should ensure queueing is stopped ...

    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-09-06  net: atm/clip does not work anymore as a module  Willy Tarreau  (1 file, -0/+1)

    Patch 3aa199850f00529b4ec4126c2ef89ee682e28830 (net: permanent NUD pins ethernet interfaces when ATM is compiled in) causes an unresolved symbol when atm/clip is built as a module, due to the introduction of new function neigh_table_init_no_netlink().

    Reported-By: Thomas Bork <tom@eisfair.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-09-06  Change VERSION to 2.4.37.10  [v2.4.37.10]  Willy Tarreau  (1 file, -1/+1)

    - jfs: don't allow os2 xattr namespace overlap with others
    - sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
    - irda: Sock leak on error path in irda_create.
    - FAT: do not continue in fat_get_block if bmap fails
    - drivers/tun: MTU change for TUN/TAP interfaces
    - net: permanent NUD pins ethernet interfaces when ATM is compiled in.
    - sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set
    - SCTP: Fix to encode PROTOCOL VIOLATION error cause correctly
    - irda: correctly free memory on irda_bind() failure

    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-09-05  irda: Sock leak on error path in irda_create.  Pavel Emelyanov  (1 file, -8/+10)

    (backported from 2.6 commit 9ecad877948deb2871d29e03786a7d7911687009)

    Bad type/protocol specified result in sk leak. Fix is simple - release the sk if bad values are given, but to make it possible just to call sk_free(), I move some sk initialization a bit lower.

    Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-09-05  irda: correctly free memory on irda_bind() failure  Willy Tarreau  (1 file, -3/+30)

    This is a backport of one memory leak issue fixed in 2.6 by Jesper Juhl, which was more recently completed by David Miller based on a regression reported by Tavis Ormandy.

    Original 2.6 patch: 61e44b4815063a5cc31242d3669d5f87beeaa45f

    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-08-28  sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)  Neil Horman  (2 files, -7/+55)

    (backported from 2.6 commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 plus typo fixes from 2e3219b5c8a2e44e0b83ae6e04f52f20a82ac0f2)

    Ok, version 4

    Change Notes:
    1) Minor cleanups, from Vlads notes

    Summary:

    Hey-
        Recently, it was reported to me that the kernel could oops in the following way:

    <5> kernel BUG at net/core/skbuff.c:91!
    <5> invalid operand: 0000 [#1]
    <5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U) vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5 ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi mptbase sd_mod scsi_mod
    <5> CPU: 0
    <5> EIP: 0060:[<c02bff27>] Not tainted VLI
    <5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
    <5> EIP is at skb_over_panic+0x1f/0x2d
    <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
    <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
    <5> ds: 007b es: 007b ss: 0068
    <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
    <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180 e0c2947d
    <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004 df653490
    <5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e 00000004
    <5> Call Trace:
    <5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
    <5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
    <5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
    <5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
    <5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
    <5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
    <5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
    <5> [<c01555a4>] cache_grow+0x140/0x233
    <5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
    <5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
    <5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
    <5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
    <5> [<c02d005e>] nf_iterate+0x40/0x81
    <5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
    <5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
    <5> [<c02d0362>] nf_hook_slow+0x83/0xb5
    <5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
    <5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
    <5> [<c02e103e>] ip_rcv+0x334/0x3b4
    <5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
    <5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
    <5> [<c02c67a4>] process_backlog+0x6c/0xd9
    <5> [<c02c690f>] net_rx_action+0xfe/0x1f8
    <5> [<c012a7b1>] __do_softirq+0x35/0x79
    <5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
    <5> [<c01094de>] do_softirq+0x46/0x4d

    It's an skb_over_panic BUG halt that results from processing an init chunk in which too many of its variable length parameters are in some way malformed.

    The problem is in sctp_process_unk_param:

        if (NULL == *errp)
            *errp = sctp_make_op_error_space(asoc, chunk,
                                             ntohs(chunk->chunk_hdr->length));

        if (*errp) {
            sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
                            WORD_ROUND(ntohs(param.p->length)));
            sctp_addto_chunk(*errp,
                             WORD_ROUND(ntohs(param.p->length)),
                             param.v);

    When we allocate an error chunk, we assume that the worst case scenario requires that we have chunk_hdr->length data allocated, which would be correct nominally, given that we call sctp_addto_chunk for the violating parameter. Unfortunately, we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error chunk, so the worst case situation in which all parameters are in violation requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.

    The result of this error is that a deliberately malformed packet sent to a listening host can cause a remote DOS, described in CVE-2010-1173:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173

    I've tested the below fix and confirmed that it fixes the issue. We move to a strategy whereby we allocate a fixed size error chunk and ignore errors we don't have space to report. Tested by me successfully

    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [WT: not tested but changes are minor and builds OK ]
    Signed-off-by: Willy Tarreau <w@1wt.eu>
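A simplified model of the sizing argument in the commit above, as an added example (not net/sctp code): it walks the TLV parameters of a constructed INIT chunk and compares the pre-fix budget, the INIT chunk's own length, with the space an error chunk needs when every parameter is reported as unknown, one error cause header plus the word-rounded parameter per entry. Constants are the RFC 4960 sizes; the chunk bytes and function names are this example's own.

```c
/* Added example, not kernel code: why chunk_hdr->length is not a safe
 * upper bound for the error chunk that reports its bad parameters. */
#include <stdint.h>
#include <stddef.h>

#define SCTP_CHUNK_HDR_LEN   4     /* type, flags, length */
#define SCTP_INIT_FIXED_LEN  16    /* init tag, a_rwnd, stream counts, initial TSN */
#define SCTP_ERRHDR_LEN      4     /* cause code + cause length (sctp_errhdr_t) */
#define WORD_ROUND(n)        (((n) + 3u) & ~3u)

static uint16_t be16(const unsigned char *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Budget the pre-fix code reserved: the INIT chunk's own length. */
unsigned int naive_error_budget(const unsigned char *chunk)
{
    return be16(chunk + 2);
}

/* Space needed if every parameter is unknown and gets reported: for each
 * one, sctp_init_cause() adds an error header and sctp_addto_chunk() adds the
 * word-rounded parameter. Returns 0 if the parameter list is malformed
 * (length shorter than the fixed part, a parameter shorter than its own
 * header, or a parameter running past the chunk). */
unsigned int required_error_space(const unsigned char *chunk, size_t len)
{
    unsigned int chunk_len = be16(chunk + 2);
    if (chunk_len > len || chunk_len < SCTP_CHUNK_HDR_LEN + SCTP_INIT_FIXED_LEN)
        return 0;

    size_t off = SCTP_CHUNK_HDR_LEN + SCTP_INIT_FIXED_LEN;
    unsigned int need = 0;
    while (off + 4 <= chunk_len) {
        unsigned int plen = be16(chunk + off + 2);
        if (plen < 4 || off + plen > chunk_len)
            return 0;
        need += SCTP_ERRHDR_LEN + WORD_ROUND(plen);
        off  += WORD_ROUND(plen);
    }
    return need;
}

/* 1 if the pre-fix allocation would be overrun by this INIT. */
int naive_budget_overflows(const unsigned char *chunk, size_t len)
{
    unsigned int need = required_error_space(chunk, len);
    return need > naive_error_budget(chunk);
}

/* Constructed INIT chunks (not captured traffic). Type 1 = INIT. Each
 * parameter below is type 0x7fff (unknown), length 4: a header and nothing
 * else, the cheapest way for a sender to multiply error causes. */
const unsigned char sample_init_eight_params[] = {
    0x01, 0x00, 0x00, 0x34,                                   /* INIT, flags, length 52 */
    0xde,0xad,0xbe,0xef, 0x00,0x01,0x00,0x00, 0x00,0x0a,0x00,0x0a, 0x00,0x00,0x00,0x01,
    0x7f,0xff,0x00,0x04, 0x7f,0xff,0x00,0x04, 0x7f,0xff,0x00,0x04, 0x7f,0xff,0x00,0x04,
    0x7f,0xff,0x00,0x04, 0x7f,0xff,0x00,0x04, 0x7f,0xff,0x00,0x04, 0x7f,0xff,0x00,0x04,
};
const unsigned char sample_init_two_params[] = {
    0x01, 0x00, 0x00, 0x1c,                                   /* INIT, flags, length 28 */
    0xde,0xad,0xbe,0xef, 0x00,0x01,0x00,0x00, 0x00,0x0a,0x00,0x0a, 0x00,0x00,0x00,0x01,
    0x7f,0xff,0x00,0x04, 0x7f,0xff,0x00,0x04,
};
```

With two unknown parameters the 28-byte budget comfortably holds the 16 bytes of error causes, which is why ordinary traffic never hit the bug; with eight 4-byte parameters the same 52-byte chunk needs 64 bytes of causes, and every additional minimal parameter widens the gap by 4 bytes. A fixed-size error chunk that drops causes it cannot fit, the strategy the commit adopts, removes the dependence on the attacker's parameter count entirely.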
2010-08-28  SCTP: Fix to encode PROTOCOL VIOLATION error cause correctly  Wei Yongjun  (4 files, -25/+57)

    (backported from 2.6 commit 00f1c2df)

    The PROTOCOL VIOLATION error cause in ABORT is badly encoded when making the ABORT chunk. When SCTP encodes an ABORT chunk with a PROTOCOL VIOLATION error cause, it just adds the error messages to the PROTOCOL VIOLATION error cause; the remaining four bytes (struct sctp_paramhdr) are just added to the chunk, without changing the length of the error cause. This causes the ABORT chunk to be badly formed. The chunk is like this:

        ABORT chunk
            Chunk type: ABORT (6)
            Chunk flags: 0x00
            Chunk length: 72 (*1)
            Protocol violation cause
                Cause code: Protocol violation (0x000d)
                Cause length: 62 (*2)
                Cause information: 5468652063756D756C61746976652074736E2061636B2062...
                Cause padding: 0000
        [Needless]
        00030010

    Chunk Length(*1) = 72 but Cause length(*2) only 62, not include the extend 4 bytes.
    ((72 - sizeof(chunk_hdr)) = 68) != (62 +3) / 4 * 4

    Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-08-28  sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set  Wei Yongjun  (1 file, -1/+4)

    (backported from 2.6 commit a8170c35e738d62e9919ce5b109cf4ed66e95bde)

    When calculating the INIT/INIT-ACK chunk length, we should not only account the length of parameters, but also the parameters zero padding length, such as AUTH HMACS parameter and CHUNKS parameter. Without the parameters zero padding length we may get following oops.

    skb_over_panic: text:ce2068d2 len:130 put:6 head:cac3fe00 data:cac3fe00 tail:0xcac3fe82 end:0xcac3fe80 dev:<NULL>
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:127!
    invalid opcode: 0000 [#2] SMP
    last sysfs file: /sys/module/aes_generic/initstate
    Modules linked in: authenc ......
    Pid: 4102, comm: sctp_darn Tainted: G D 2.6.34-rc2 #6
    EIP: 0060:[<c0607630>] EFLAGS: 00010282 CPU: 0
    EIP is at skb_over_panic+0x37/0x3e
    EAX: 00000078 EBX: c07c024b ECX: c07c02b9 EDX: cb607b78
    ESI: 00000000 EDI: cac3fe7a EBP: 00000002 ESP: cb607b74
    DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
    Process sctp_darn (pid: 4102, ti=cb607000 task=cabdc990 task.ti=cb607000)
    Stack:
     c07c02b9 ce2068d2 00000082 00000006 cac3fe00 cac3fe00 cac3fe82 cac3fe80
    <0> c07c024b cac3fe7c cac3fe7a c0608dec ca986e80 ce2068d2 00000006 0000007a
    <0> cb8120ca ca986e80 cb812000 00000003 cb8120c4 ce208a25 cb8120ca cadd9400
    Call Trace:
     [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
     [<c0608dec>] ? skb_put+0x2e/0x32
     [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
     [<ce208a25>] ? sctp_make_init+0x279/0x28c [sctp]
     [<c0686a92>] ? apic_timer_interrupt+0x2a/0x30
     [<ce1fdc0b>] ? sctp_sf_do_prm_asoc+0x2b/0x7b [sctp]
     [<ce202823>] ? sctp_do_sm+0xa0/0x14a [sctp]
     [<ce2133b9>] ? sctp_pname+0x0/0x14 [sctp]
     [<ce211d72>] ? sctp_primitive_ASSOCIATE+0x2b/0x31 [sctp]
     [<ce20f3cf>] ? sctp_sendmsg+0x7a0/0x9eb [sctp]
     [<c064eb1e>] ? inet_sendmsg+0x3b/0x43
     [<c04244b7>] ? task_tick_fair+0x2d/0xd9
     [<c06031e1>] ? sock_sendmsg+0xa7/0xc1
     [<c0416afe>] ? smp_apic_timer_interrupt+0x6b/0x75
     [<c0425123>] ? dequeue_task_fair+0x34/0x19b
     [<c0446abb>] ? sched_clock_local+0x17/0x11e
     [<c052ea87>] ? _copy_from_user+0x2b/0x10c
     [<c060ab3a>] ? verify_iovec+0x3c/0x6a
     [<c06035ca>] ? sys_sendmsg+0x186/0x1e2
     [<c042176b>] ? __wake_up_common+0x34/0x5b
     [<c04240c2>] ? __wake_up+0x2c/0x3b
     [<c057e35c>] ? tty_wakeup+0x43/0x47
     [<c04430f2>] ? remove_wait_queue+0x16/0x24
     [<c0580c94>] ? n_tty_read+0x5b8/0x65e
     [<c042be02>] ? default_wake_function+0x0/0x8
     [<c0604e0e>] ? sys_socketcall+0x17f/0x1cd
     [<c040264c>] ? sysenter_do_call+0x12/0x22
    Code: 0f 45 de 53 ff b0 98 00 00 00 ff b0 94 ......
    EIP: [<c0607630>] skb_over_panic+0x37/0x3e SS:ESP 0068:cb607b74

    To reproduce:

    sctp_darn ready to send...
    3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.0.21
    3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.1.21
    3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> snd=10

    ------------------------------------------------------------------
    eth0 has addresses: 3ffe:501:ffff:100:20c:29ff:fe4d:f37e and 192.168.0.21
    eth1 has addresses: 192.168.1.21
    ------------------------------------------------------------------

    Reported-by: George Cheimonidis <gchimon@gmail.com>
    Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [ WT: sctp in 2.4 has no auth nor extensions ]
    Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-08-28  jfs: don't allow os2 xattr namespace overlap with others  (Dave Kleikamp; 1 file, -36/+34)

It's currently possible to bypass xattr namespace access rules by prefixing valid xattr names with "os2.", since the os2 namespace stores extended attributes in a legacy format with no prefix. This patch adds checking to deny access to any valid namespace prefix following "os2.".

Signed-off-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
Reported-by: Sergey Vlasov <vsu@altlinux.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[WT: rediffed from 2.6 commit aca0fa34bdaba39bfddddba8ca70dba4782e8fe6]
Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-08-28  net: permanent NUD pins ethernet interfaces when ATM is compiled in.  (Sylvain Rochet; 3 files, -4/+22)

When ATM and Ethernet are compiled in, ATM and Ethernet create their NEIGH/ARP tables; they are both assigned to family AF_INET.

int neigh_add(....)
{
	...
	for (tbl=neigh_tables; tbl; tbl = tbl->next) {
		if (tbl->family != ndm->ndm_family)
			continue;
		...
	}

As the ATM table is created before the Ethernet (main?) table, the net/core/neighbour.c::neigh_add() function adds all permanent IP ARP Ethernet NUD entries to the IP ATM table, which is wrong. Therefore, when net/core/neighbour.c::neigh_ifdown() is called, ARP entries are not cleared, leaving dev->refcnt at a value that will never be able to reach 0 anymore. So, when net/core/dev.c::unregister_netdevice() is called, it stalls without being able to destroy the interface, leaving the system with no network tools working anymore.

This is really easy to reproduce:

openvpn --mktun --dev tap10
ip addr add 10.20.30.20/24 dev tap10
ip link set up dev tap10
ip neighbour add 10.20.30.40 lladdr 01:02:03:04:05:06 nud permanent dev tap10
ip link set down dev tap10
openvpn --rmtun --dev tap10

and then the kernel log starts being filled by:

unregister_netdevice: waiting for tap10 to become free. Usage count = 2
unregister_netdevice: waiting for tap10 to become free. Usage count = 2
unregister_netdevice: waiting for tap10 to become free. Usage count = 2
unregister_netdevice: waiting for tap10 to become free. Usage count = 2

Finally made a patch that follows what Linux 2.6 does, which consists of having "netlink" and "no-netlink" tables.

Diagnosed-by: Sylvain Rochet <gradator@gradator.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-08-28  drivers/tun: MTU change for TUN/TAP interfaces  (Sylvain Rochet; 1 file, -0/+12)

This patch adds the ability to change the MTU of TUN/TAP interfaces for the 2.4.x kernel series.

Diagnosed-by: Sylvain Rochet <gradator@gradator.net>
[wt: code is similar to 2.6 so that's fine]
Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-02-02  FAT: do not continue in fat_get_block if bmap fails  (Stefan Seyfried; 1 file, -1/+3)

There is no use in continuing the write operation after fat_bmap() fails. (This successfully killed a VFAT FS for me). The corresponding code in 2.6 does return here as well, AFAICT.

Signed-off-by: Stefan Seyfried <seife@sphairon.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-02-01  Change VERSION to 2.4.37.9  (tag: v2.4.37.9; Willy Tarreau; 1 file, -1/+1)

- e1000: enhance frame fragment detection (again)

Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-02-01  e1000: enhance frame fragment detection (again)  (Willy Tarreau; 1 file, -2/+11)

Jesse Brandeburg from Intel notified me that my previous merge of the fix went wrong; the changes to e1000_main.c were not committed. Clearly a PEBKAC here :-/

This patch *really* fixes CVE-2009-4536

Signed-off-by: Willy Tarreau <w@1wt.eu>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
2010-01-31  Change VERSION to 2.4.37.8  (tag: v2.4.37.8; Willy Tarreau; 1 file, -1/+1)

- e1000: enhance frame fragment detection (CVE-2009-4536)
- dmi: fix year parsing in dmi_check_blacklist()
- scsi: fix error with 'scsi remove-single-device' in kernel 2.4.x
- tty: also mark the a2232 driver as broken
- Makefile: add the 'cscope' target.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-01-31  Makefile: add the 'cscope' target.  (Willy Tarreau; 1 file, -1/+5)

Some users asked for a backport of 2.6's "make cscope" target. It's cleaned by "make distclean" as other tags.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-01-31  e1000: enhance frame fragment detection (CVE-2009-4536)  (Jesse Brandeburg; 1 file, -0/+1)

(backported from 2.6 commit 40a14deaf411592b57cb0720f0e8004293ab9865)

Originally From: Neil Horman <nhorman@tuxdriver.com>
Modified by: Jesse Brandeburg <jesse.brandeburg@intel.com>

Hey all-

A security discussion was recently given:
http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html

And a patch that I submitted a while back was brought up. Apparently some of their testing revealed that they were able to force a buffer fragment in e1000 in which the trailing fragment was greater than 4 bytes. As a result the fragment check I introduced failed to detect the fragment and a partial invalid frame was passed up into the network stack. I've written this patch to correct it. I'm in the process of testing it now, but it makes good logical sense to me. Effectively it maintains a per-adapter state variable which detects a non-EOP frame, and discards it and subsequent non-EOP frames leading up to _and_ _including_ the next positive-EOP frame (as it is by definition the last fragment). This should prevent any and all partial frames from entering the network stack from e1000.

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2010-01-31  scsi: fix error with 'scsi remove-single-device' in kernel 2.4.x  (Thomas Bork; 1 file, -2/+5)

If removing a SCSI device with

echo "scsi remove-single-device a b c d" > /proc/scsi/scsi

there is an error with kernel 2.4.x:

echo: write error: No such device or address

- but the device was removed. See also
http://lkml.indiana.edu/hypermail/linux/kernel/0604.3/0778.html

Here is a more complete fix for this in kernel 2.4.x, which also logs both cases of "scsi add-single-device" and "scsi remove-single-device" in syslog.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-25  dmi: fix year parsing in dmi_check_blacklist()  (Max Dmitrichenko; 1 file, -1/+1)

This patch fixes a bug which causes ACPI on BIOSes dated 2008 and 2009 in 2-digit format (i.e. 08 and 09) to be blacklisted. This happens because simple_strtoul() with a "base" argument of 0 treats these years as octal, thus failing to parse them right. So the base argument must be forced to decimal.

The same bug in the 2.6 tree was fixed by Tejun Heo [1].

[1] commit 02c24fa87724bb3af969463cd74dc3b3feb24740

Signed-off-by: Max Dmitrichenko <dmitrmax@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-10  tty: also mark the a2232 driver as broken  (Willy Tarreau; 1 file, -1/+2)

As reported by Thomas Bork, commit da5456b680c407bb944af5b5c9d22bffdac68a64 failed to properly mark the A2232 driver as broken.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  Change VERSION to 2.4.37.7  (tag: v2.4.37.7; Willy Tarreau; 1 file, -1/+1)

- tty: Mark generic_serial users as BROKEN
- net ax25: Fix signed comparison in the sockopt handler
- net: Make the copy length in af_packet sockopt handler unsigned
- appletalk: Fix skb leak when ipddp interface is not loaded
- drm/r128: Add test for initialisation to all ioctls that require it
- fs: pipe.c null pointer dereference
- R8169: Fix compilation error when RTL8169_DEBUG is defined
- net: Fix 64 bit DMA addressing for 8139cp and r8169
- bonding: fix a race condition in calls to slave MII ioctls
- netlink: fix typo in initialization
- Fix Kernel 2.4 build with bash 4
- AF_UNIX: Fix deadlock on connecting to shutdown socket

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  tty: Mark generic_serial users as BROKEN  (Alan Cox; 2 files, -6/+8)

(backported from 2.6 commit 412145947adfca60a4b5b4893fbae82dffa25edd)

There isn't much else I can do with these. I can find no hardware for any of them and no users. The code is broken.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[note: 2.4 does not have CONFIG_BROKEN, so we add a new option for those drivers]
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  bonding: fix a race condition in calls to slave MII ioctls  (Jiri Bohac; 1 file, -1/+1)

(backported from 2.6 commit d9d5283228d0c752f199c901fff6e1405dc91bcb)

In mii monitor mode, bond_check_dev_link() calls the ioctl handler of slave devices. It stores the ndo_do_ioctl function pointer to a static (!) ioctl variable and later uses it to call the handler with the IOCTL macro.

If another thread executes bond_check_dev_link() at the same time (even with a different bond, which none of the locks prevent), a race condition occurs. If the two racing slaves have different drivers, this may result in one driver's ioctl handler being called with a pointer to a net_device controlled by a different driver, resulting in unpredictable breakage.

Unless I am overlooking something, the "static" must be a copy'n'paste error (?).

Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  fs: pipe.c null pointer dereference  (Earl Chew; 1 file, -11/+24)

(backported from 2.6 commit ad3960243e55320d74195fb85c975e0a8cc4466c)

This patch fixes a null pointer exception in pipe_rdwr_open() which generates the stack trace:

> Unable to handle kernel NULL pointer dereference at 0000000000000028
> RIP:
> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67

The failure mode is triggered by an attempt to open an anonymous pipe via /proc/pid/fd/* as exemplified by this script:

=============================================================
while : ; do
	{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
	PID=$!
	OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
		{ read PID REST ; echo $PID; } )
	OUT="${OUT%% *}"
	DELAY=$((RANDOM * 1000 / 32768))
	usleep $((DELAY * 1000 + RANDOM % 1000 ))
	echo n > /proc/$OUT/fd/1			# Trigger defect
done
=============================================================

Note that the failure window is quite small and I could only reliably reproduce the defect by inserting a small delay in pipe_rdwr_open(). For example:

static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
	msleep(100);
	mutex_lock(&inode->i_mutex);

Although the defect was observed in pipe_rdwr_open(), I think it makes sense to replicate the change through all the pipe_*_open() functions.

The core of the change is to verify that inode->i_pipe has not been released before attempting to manipulate it. If inode->i_pipe is no longer present, return ENOENT to indicate so.

The comment about potentially using atomic_t for i_pipe->readers and i_pipe->writers has also been removed because it is no longer relevant in this context. The inode->i_mutex lock must be used so that inode->i_pipe can be dealt with correctly.

Signed-off-by: Earl Chew <earl_chew@agilent.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  drm/r128: Add test for initialisation to all ioctls that require it  (Ben Hutchings; 3 files, -17/+36)

(backported from 2.6 commit 7dc482dfeeeefcfd000d4271c4626937406756d7)

Almost all r128's private ioctls require that the CCE state has already been initialised. However, most do not test that this has been done, and will proceed to dereference a null pointer. This may result in a security vulnerability, since some ioctls are unprivileged.

This adds a macro for the common initialisation test and changes all ioctl implementations that require prior initialisation to use that macro.

Also, r128_do_init_cce() does not test that the CCE state has not been initialised already. Repeated initialisation may lead to a crash or resource leak. This adds that test.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  AF_UNIX: Fix deadlock on connecting to shutdown socket  (Tomoki Sekiyama; 1 file, -0/+3)

(backported from 2.6 commit 77238f2b942b38ab4e7f3aced44084493e4a8675)

I found a deadlock bug in UNIX domain socket, which makes it possible for non-root users to DoS attack the local machine.

How to reproduce:
1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstract namespace(*), and shutdown(2) it.
2. Repeat connect(2)ing to the listening socket from the other sockets until the connection backlog is filled.
3. connect(2) takes the CPU forever. If every core is taken, the system hangs.

PoC code: (Run as many times as cores on SMP machines.)

int main(void)
{
	int ret;
	int csd;
	int lsd;
	struct sockaddr_un sun;

	/* make an abstract name address (*) */
	memset(&sun, 0, sizeof(sun));
	sun.sun_family = PF_UNIX;
	sprintf(&sun.sun_path[1], "%d", getpid());

	/* create the listening socket and shutdown */
	lsd = socket(AF_UNIX, SOCK_STREAM, 0);
	bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
	listen(lsd, 1);
	shutdown(lsd, SHUT_RDWR);

	/* connect loop */
	alarm(15); /* forcibly exit the loop after 15 sec */
	for (;;) {
		csd = socket(AF_UNIX, SOCK_STREAM, 0);
		ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
		if (-1 == ret) {
			perror("connect()");
			break;
		}
		puts("Connection OK");
	}
	return 0;
}

(*) Make sun_path[0] = 0 to use the abstract namespace. If a file-based socket is used, the system doesn't deadlock because of context switches in the file system layer.

Why this happens:
Error checks between unix_socket_connect() and unix_wait_for_peer() are inconsistent. The former calls the latter to wait until the backlog is processed. Although the latter returns without doing anything when the socket is shutdown, the former doesn't check the shutdown state and just retries calling the latter forever.

Patch:
The patch below adds a shutdown check into unix_socket_connect(), so connect(2) to the shutdown socket will return -ECONNREFUSED.

Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
Signed-off-by: Masanori Yoshida <masanori.yoshida.tv@hitachi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  net: Make the copy length in af_packet sockopt handler unsigned  (Arjan van de Ven; 1 file, -2/+2)

fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way

The length of the to-copy data structure is currently stored in a signed integer. However many comparisons are done with sizeof(..) which is unsigned. It's more suitable for this variable to be unsigned to make these comparisons more naturally right.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  net ax25: Fix signed comparison in the sockopt handler  (Arjan van de Ven; 1 file, -1/+1)

fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way

The ax25 code tried to use

	if (optlen < sizeof(int))
		return -EINVAL;

as a security check against optlen being negative (or zero) in the set socket option.

Unfortunately, "sizeof(int)" is an unsigned property, with the result that the whole comparison is done in unsigned, letting negative values slip through.

This patch changes this to

	if (optlen < (int)sizeof(int))
		return -EINVAL;

so that the comparison is done as signed, and negative values get properly caught.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  netlink: fix typo in initialization  (Jiri Pirko; 1 file, -1/+1)

(backported from 2.6 commit ad61df918c44316940404891d5082c63e79c256a)

Commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8 ("[NETLINK]: Missing initializations in dumped data") introduced a typo in initialization. This patch fixes this.

Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  appletalk: Fix skb leak when ipddp interface is not loaded  (Arnaldo Carvalho de Melo; 3 files, -28/+40)

(backported from 2.6 commit ffcfb8db540ff879c2a85bf7e404954281443414)

And also do a better job of returning proper NET_{RX,XMIT}_ values.

Based on a patch and suggestions by Mark Smith.

This fixes CVE-2009-2903

Reported-by: Mark Smith <lk-netdev@lk-netdev.nosense.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-11-07  Fix Kernel 2.4 build with bash 4  (Stefan Seyfried; 1 file, -2/+2)

Signed-off-by: Stefan <stefan.seyfried@googlemail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-10-25  net: Fix 64 bit DMA addressing for 8139cp and r8169  (Jaswinder Singh Rajput; 2 files, -2/+2)

sizeof(dma_addr_t) will be either 4 (32 bit) or 8 (64 bit)

Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-10-25  R8169: Fix compilation error when RTL8169_DEBUG is defined  (Jaswinder Singh Rajput; 1 file, -2/+3)

Fixed the following compilation errors:

r8169.c: In function `rtl8169_print_mac_version':
r8169.c:458: parse error before '}' token
r8169.c:462: parse error before '}' token
r8169.c: In function `rtl8169_print_phy_version':
r8169.c:501: parse error before '}' token
r8169.c:505: parse error before '}' token
r8169.c: In function `rtl8169_hw_phy_config':
r8169.c:552: parse error before '}' token
r8169.c:553: parse error before '}' token
r8169.c: In function `rtl8169_init_one':
r8169.c:880: parse error before '}' token
r8169.c:884: parse error before '}' token
r8169.c:889: parse error before '}' token
r8169.c:891: parse error before '}' token
r8169.c: In function `rtl8169_hw_start':
r8169.c:1136: parse error before '}' token
make[2]: *** [r8169.o] Error 1

Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-13  Change VERSION to 2.4.37.6  (tag: v2.4.37.6; Willy Tarreau; 1 file, -1/+1)

- tc: Fix uninitialized kernel memory leak
- appletalk: fix atalk_getname() leak
- econet: Fix econet_getname() leak
- irda: Fix irda_getname() leak
- netrom: Fix nr_getname() leak
- rose: Fix rose_getname() leak
- proc: avoid information leaks to non-privileged processes
- do_sigaltstack: avoid copying 'stack_t' as a structure to user space
- [NETLINK]: Missing initializations in dumped data
- [NETLINK]: Clear padding in netlink messages
- [NETLINK]: Missing padding fields in dumped structures
- restrict reading from /proc/<pid>/maps to those who share ->mm or can ptrace pid

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-13  proc: avoid information leaks to non-privileged processes  (Jake Edge; 1 file, -5/+13)

(backported from 2.6 commit f83ce3e6b02d5e48b3a43b001390e2b58820389d)

By using the same test as is used for /proc/pid/maps and /proc/pid/smaps, only allow processes that can ptrace() a given process to see information that might be used to bypass address space layout randomization (ASLR). These include eip, esp, wchan, and start_stack in /proc/pid/stat as well as the non-symbolic output from /proc/pid/wchan.

ASLR can be bypassed by sampling eip as shown by the proof-of-concept code at http://code.google.com/p/fuzzyaslr/ As part of a presentation (http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf) esp and wchan were also noted as possibly usable information leaks as well. The start_stack address also leaks potentially useful information.

Cc: Stable Team <stable@kernel.org>
Signed-off-by: Jake Edge <jake@lwn.net>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: 2.4 has no wchan file and no aslr, still we don't want to leak this potentially sensitive information]
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-13  restrict reading from /proc/<pid>/maps to those who share ->mm or can ptrace pid  (Willy Tarreau; 1 file, -0/+6)

This work was inspired by the following 2.6 commit:

  commit 831830b5a2b5d413407adf380ef62fe17d6fcbf2
  Author: Al Viro <viro@ZenIV.linux.org.uk>
  Date:   Wed Jan 2 14:09:57 2008 +0000

  Contents of /proc/*/maps is sensitive and may become sensitive after open() (e.g. if target originally shares our ->mm and later does exec on suid-root binary).

  Check at read() (actually, ->start() of iterator) time that mm_struct we'd grabbed and locked is
  - still the ->mm of target
  - equal to reader's ->mm or the target is ptraceable by reader.

The fix was adapted not to depend on __ptrace_may_attach(), which does not exist in 2.4. Since we don't support mmu-less systems here, the fix was much more straightforward than it was in 2.6.

Note that due to the fact that we still have the task_lock(), we are not concerned by the race fixed by 2.6 commit 704b836cbf19e885f8366bccb2e4b0474346c02d.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-13  rose: Fix rose_getname() leak  (Eric Dumazet; 1 file, -0/+1)

(backported from 2.6 commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25)

rose_getname() can leak kernel memory to user.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-13  netrom: Fix nr_getname() leak  (Eric Dumazet; 1 file, -0/+1)

(backported from 2.6 commit f6b97b29513950bfbf621a83d85b6f86b39ec8db)

nr_getname() can leak kernel memory to user.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-13  irda: Fix irda_getname() leak  (Eric Dumazet; 1 file, -0/+1)

(backported from 2.6 commit 09384dfc76e526c3993c09c42e016372dc9dd22c)

irda_getname() can leak kernel memory to user.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-13  econet: Fix econet_getname() leak  (Eric Dumazet; 1 file, -0/+1)

(backported from 2.6 commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa)

econet_getname() can leak kernel memory to user.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-13  appletalk: fix atalk_getname() leak  (Eric Dumazet; 1 file, -0/+1)

(backported from 2.6 commit 3d392475c873c10c10d6d96b94d092a34ebd4791)

atalk_getname() can leak 8 bytes of kernel memory to user

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-13  do_sigaltstack: avoid copying 'stack_t' as a structure to user space  (Linus Torvalds; 1 file, -7/+8)

(backported from 2.6 commit 0083fc2c50e6c5127c2802ad323adf8143ab7856)

Ulrich Drepper correctly points out that there is generally padding in the structure on 64-bit hosts, and that copying the structure from kernel to user space can leak information from the kernel stack in those padding bytes.

Avoid the whole issue by just copying the three members one by one instead, which also means that the function also can avoid the need for a stack frame. This also happens to match how we copy the new structure from user space, so it all even makes sense.

[ The obvious solution of adding a memset() generates horrid code, gcc does really stupid things. ]

Reported-by: Ulrich Drepper <drepper@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-07  tc: Fix uninitialized kernel memory leak  (Eric Dumazet; 1 file, -0/+2)

(backported from 2.6 commit 16ebb5e0b36ceadc8186f71d68b0c4fa4b6e781b)

Three bytes of uninitialized kernel memory are currently leaked to user

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-07  [NETLINK]: Missing padding fields in dumped structures  (Patrick McHardy; 4 files, -3/+9)

(backported from 2.6 commit 8a47077a0b5aa2649751c46e7a27884e6686ccbf)

Plug holes with padding fields and initialize them to zero.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-07  [NETLINK]: Clear padding in netlink messages  (Patrick McHardy; 2 files, -0/+2)

(backported from 2.6 commit b3563c4fbff906991a1b4ef4609f99cca2a0de6a)

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-09-07  [NETLINK]: Missing initializations in dumped data  (Patrick McHardy; 8 files, -2/+19)

(backport from 2.6 commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8)

Mostly missing initialization of padding fields of 1 or 2 bytes length, two instances of uninitialized nlmsgerr->msg of 16 bytes length.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-08-14  Change VERSION to 2.4.37.5  (tag: v2.4.37.5; Willy Tarreau; 1 file, -1/+1)

- build: fix for "make rpm" on RH9
- build: fix genksyms segfault in pcigame.c
- build: do not let genksyms silently fail anymore
- net: fix possible NULL dereference in sock_sendpage()

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-08-14  net: fix possible NULL dereference in sock_sendpage()  (Willy Tarreau; 1 file, -0/+3)

This is the equivalent of 2.6 commit e694958388c50148389b0e9b9e9e8945cf0f1b98. It adds a test in sock_sendpage() to avoid calling sock->ops->sock_sendpage() on protocols which do not support it, as it would be NULL. In such a case, we now call sock_no_sendpage() instead, as does kernel_sendpage() in 2.6.

This patch has been tested and confirmed to be enough to fix the security issues discovered and reported by Julien Tinnes and Tavis Ormandy.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-08-09  build: do not let genksyms silently fail anymore  (Willy Tarreau; 1 file, -2/+2)

As reported in the previous patch, genksyms may silently fail. I also noticed that building with MODVERSIONS on a machine without genksyms did not get noticed. Let's fix the makefile in order to ensure we stop if it fails. This has successfully been tested against the previous issue.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-08-09  build: fix genksyms segfault in pcigame.c  (Willy Tarreau; 1 file, -0/+2)

Solar Designer reported a genksyms segfault. After investigation, it turned out this was caused by defines overriding function definitions in pcigame.c when CONFIG_INPUT_PCIGAME is disabled. Since this only happens during make dep with MODVERSIONS and not when building the module, the fix simply consists in undefining the offending names in the C file itself.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-26  build: fix for "make rpm" on RH9  (Willy Tarreau; 1 file, -0/+1)

Steve Bangert reported a long standing build failure with "make rpm" on Red Hat 9, and confirmed this patch fixes it.

Reported-and-tested-by: Steve Bangert <sbangert@verizon.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-26  Change VERSION to 2.4.37.4  (tag: v2.4.37.4; Willy Tarreau; 1 file, -1/+1)

- tulip: Fix for MTU problems with 802.1q tagged frames
- lib: memcmp must be exported without module versioning
- lib: fix again memcmp export issues in the arch ksyms only
- usb-storage: fix "READ CAPACITY failed" errors with USB flash drives
- md/raid5: silent out the "switching cache buffer size" messages
- personality: clear MMAP_PAGE_ZERO on exec if mmap_min_addr is set
- kernel/resource.c: fix sign extension in reserve_setup()

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-26  personality: clear MMAP_PAGE_ZERO on exec if mmap_min_addr is set  (Willy Tarreau; 1 file, -0/+3)

Patch related to commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 in 2.6.

Executing an SVR4 binary causes page 0 to be mapped, bypassing the mmap_min_addr setting. The kernel detects SVR binaries by checking the ELF interpreter's name declared in the executable. Unfortunately, some archs (at least x86_64) allow the caller of the executable to change the personality to SVR4 before calling execve() and this personality will remain in the callee (similar to what is done in 2.6).

This poses a problem because on such archs, if a setuid program is called with that personality set, it will automatically receive a mapped page 0 regardless of mmap_min_addr restrictions. Even if it later drops privileges to call unsafe code, this unsafe code will be able to change page 0 restrictions and use it as desired.

As of now, x86_64 is the only arch known to work like this, and i386 and alpha are the only ones known not to be affected.

The following patch closes this hole by clearing MMAP_PAGE_ZERO when mmap_min_addr is set. That way, legacy SVR4 binaries relying on page 0 to be mapped will still work when mmap_min_addr is not set, and people who don't run such binaries can maintain full protection by setting mmap_min_addr to non-zero.

Special thanks go to Solar Designer for the time spent analysing the issues, impacts and workarounds on 2.4, as well as for proposing this patch. Further work is needed to make an inventory of each arch's behaviour.

For more information, please refer to the 2.6 patch as well as Julien Tinnes and Tavis Ormandy's work on this subject.

Reported-by: Solar Designer <solar@openwall.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-26  md/raid5: silent out the "switching cache buffer size" messages  (Willy Tarreau; 1 file, -1/+1)

Those messages can appear tens of times a second on setups where XFS is used on top of RAID5. They're mostly debug messages as the admin cannot do anything from them. When they're printed to the system console, they can heavily slow the system down during writes, especially when the console is directed to a serial port. The fix consists in simply using PRINTK() instead of printk().

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-26  usb-storage: fix "READ CAPACITY failed" errors with USB flash drives  (Willy Tarreau; 1 file, -0/+3)

It's very common that inserting a USB flash device on a machine running kernel 2.4 causes a "READ CAPACITY failed" error message, and some devices require multiple attempts to be correctly detected. Waiting 1 second once the device is detected is often more than enough to definitely get rid of the problem. I've been using this patch for over a year with a lot of success, so let's merge it.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-26  tulip: Fix for MTU problems with 802.1q tagged frames  (Tomasz Lemiech; 2 files, -16/+57)

[backported from 2.6 commit 0d3d2711b2dd74f39a21ed20b88d733e9509100a]

commit 1f8ae0a21d83f43006d7f6d2862e921dbf2eeddd upstream.

The original patch was submitted last year but wasn't discussed or applied because of missing maintainer's CCs. I only fixed some formatting errors, but as I saw tulip is very badly formatted and needs further work.

Original description:
This patch fixes MTU problem, which occurs when using 802.1q VLANs. We should allow receiving frames of up to 1518 bytes in length, instead of 1514.

Based on patch written by Ben McKeegan for 2.4.x kernels. It is archived at http://www.candelatech.com/~greear/vlan/howto.html#tulip
I've adjusted a few things to make it apply on 2.6.x kernels.

Tested on D-Link DFE-570TX quad-fastethernet card.

Signed-off-by: Tomasz Lemiech <szpajder@staszic.waw.pl>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
Acked-by: Grant Grundler <grundler@parisc-linux.org>
Cc: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
[wt: 2.4 does not have tulip_poll(). Tested OK on alpha]
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-26  kernel/resource.c: fix sign extension in reserve_setup()  (Zhang Rui; 1 file, -1/+1)

[backported from 2.6 commit 01a6403211958921247f4e65b16376e6ec706a0d]

commit 8bc1ad7dd301b7ca7454013519fa92e8c53655ff upstream.

When the 32-bit signed quantities get assigned to the u64 resource_size_t, they are incorrectly sign-extended.

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13253
Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9905

Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Reported-by: Leann Ogasawara <leann@ubuntu.com>
Cc: Pierre Ossman <drzeus@drzeus.cx>
Reported-by: <pablomme@googlemail.com>
Tested-by: <pablomme@googlemail.com>
Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[WT: 2.4 uses unsigned long instead of resource_size_t but the problem is the same on 64-bit archs]
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-21lib: fix again memcmp export issues in the arch ksyms onlyWilly Tarreau3-3/+4
The last memcmp fix was not enough as Ralf Rösch just reported that it did not fix build issues caused by the first one on mips (redefined symbol). The proper fix finally consists in only exporting the symbol in the affected architecture, i386. The final code is closer to what it was prior to the first change. If other architectures experience similar issues as i386 did, we'll add the faulty symbols to their own export list. A cleaner solution would have consisted in always exporting the symbols in string.c regardless of the architecture as is done in 2.6, but this could have broken some existing external patches, which is not desirable at this stage.
2009-07-21lib: memcmp must be exported without module versioningWilly Tarreau1-1/+1
Recent fix to export memcmp() for gcc 3.4 caused a lot of warnings on setups using CONFIG_MODVERSION=y. This symbol must be exported with EXPORT_SYMBOL_NOVERS, since we don't want its name to be mangled. Thanks to Solar Designer for reporting the issue. Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-20Change VERSION to 2.4.37.3v2.4.37.3Willy Tarreau1-1/+1
- vlan: Slab memleak fix
- br2684: allocation out of atomic context
- Add '-fno-delete-null-pointer-checks' to gcc CFLAGS
- br2684: fix double freeing skb
- usb: pr_debug ehci structure bug
- usb: Add support for Teac HD-35PU
- r8169: fix erroneous receive packet size settings
- r8169: reject fragmented frames to prevent panics with large frames
- r8169: avoid rx descriptors leak when receiving erroneous frames
- r8169: reset the chip on receive fifo overflows
- r8169: rate-limit the messages displayed in interrupt context
- lib: export memcmp for external modules to build with gcc 3.4
- agp: remove uid comparison as security check

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-20lib: export memcmp for external modules to build with gcc 3.4Willy Tarreau2-1/+4
When building external modules for a kernel built with gcc-3.4, it sometimes happens that the module depends on memcmp() which is not defined. x86 only relies on __builtin_memcmp() which is not always available on other gccs. Since the mapping of memcmp() to __builtin_memcmp() is performed using a #define, no memcmp() symbol is declared. We have to export it in lib/string.c, as in 2.6. Note that 2.6 also undefines a few other symbols and exports all symbols. Right now this does not seem absolutely necessary on 2.4, so let's not touch this for now.
2009-07-20usb: pr_debug ehci structure bugMario Witkowski1-1/+1
Ehci structure bug on pr_debug. Signed-off-by: Mario Witkowski <witkowsm@sphairon.com> Signed-off-by: Frank Seidel <Frank.Seidel@sphairon.com> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-20br2684: fix double freeing skbFrank Seidel1-1/+1
Author: Peter Sieber <siep@sphairon.com> Fix double freeing skb, see net/core/dev.c dev_queue_xmit(). Signed-off-by: Peter Sieber <siep@sphairon.com> Signed-off-by: Frank Seidel <Frank.Seidel@sphairon.com> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-20br2684: allocation out of atomic contextArne Redlich1-5/+5
Moved GFP_KERNEL allocation out of atomic context Signed-off-by: Arne Redlich <redlicha@sphairon.com> Signed-off-by: Frank Seidel <Frank.Seidel@sphairon.com> Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-20vlan: Slab memleak fixArne Redlich1-1/+21
Fix slab memleak on wan service restart Signed-off-by: Arne Redlich <redlicha@sphairon.com> Signed-off-by: Frank Seidel <Frank.Seidel@sphairon.com> Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-20usb: Add support for Teac HD-35PURudolf Svanda1-0/+10
Support for Teac HD-35PU added Signed-off-by: Rudolf Svanda <svandar@sphairon.com> Signed-off-by: Frank Seidel <Frank.Seidel@sphairon.com> Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-20Add '-fno-delete-null-pointer-checks' to gcc CFLAGSEugene Teo1-0/+3
[backported from 2.6 commit a3ca86aea507904148870946d599e07a340b39bf]

Turning on this flag could prevent the compiler from optimising away some "useless" checks for null pointers. Such bugs can sometimes become exploitable at compile time because of the -O2 optimisation.

See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html

An example that clearly shows this 'problem' is commit 6bf67672.

 static void __devexit agnx_pci_remove(struct pci_dev *pdev)
 {
 	struct ieee80211_hw *dev = pci_get_drvdata(pdev);
-	struct agnx_priv *priv = dev->priv;
+	struct agnx_priv *priv;
 	AGNX_TRACE;

 	if (!dev)
 		return;
+	priv = dev->priv;

By reverting this patch, and compiling it with and without the -fno-delete-null-pointer-checks flag, we can see that the check for dev is compiled away.

 	call	printk	#
-	testq	%r12, %r12	# dev
-	je	.L94	#,
 	movq	%r12, %rdi	# dev,

Clearly the 'fix' is to stop using dev before it is tested, but building with the -fno-delete-null-pointer-checks flag at least makes it harder to abuse.

Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
Acked-by: Eric Paris <eparis@redhat.com>
Acked-by: Wang Cong <amwang@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: make this flag conditional on 2.4 as older gccs don't have it]
Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-19r8169: rate-limit the messages displayed in interrupt contextWilly Tarreau1-5/+8
Upon receive error, we may report one message per packet, which is not acceptable. Apply net_ratelimit() to those messages. Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-19r8169: reset the chip on receive fifo overflowsWilly Tarreau1-0/+48
When the chip receives larger frames than configured, it spans them across multiple fragments, causing very quick shortage of receive descriptors, which translates into RX fifo overflows, after which the chip cannot receive anything anymore. The only way to get out of this situation is to reset it. Since this cannot be done in interrupt context, we have to wake a dedicated task for this. Some parts of the reset logic were taken from the 2.6 driver which already does this. With this patch applied, the driver now correctly recovers from any unexpected situation caused by large incoming frames. Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-19r8169: avoid rx descriptors leak when receiving erroneous framesWilly Tarreau1-0/+3
When a frame is received with the RxRES bit, we must recycle its descriptor otherwise it's definitely lost. This causes the driver to stop receiving after a certain amount of receive errors. Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-19r8169: reject fragmented frames to prevent panics with large framesWilly Tarreau1-4/+18
This patch follows commit 8d5555548d0b2c57d798efd340b92706912fe138 which fixes crashes when receiving large frames. When the r8169 receives frames larger than a receive descriptor, it fragments them across multiple descriptors which are stuffed with 0x3FF0 instead of the real size. This causes the driver to interpret these fragments as 8 kB packets (larger than the allocated skb), leading to an immediate kernel panic during the call to skb_put(). The solution consists in rejecting fragmented frames, just as is done in 2.6. Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-07-19r8169: fix erroneous receive packet size settingsWilly Tarreau1-5/+4
Even though the r8169 driver in kernel 2.4 is not directly affected by CVE-2009-1389, it has some bugs which make it sensitive to similar stimuli. More specifically, when receive descriptors are recycled, their announced size is not correctly set: instead of being set, the size is ORed with the size of the last received packet. Since the configured packet size is 1536 (0x600), we can have up to 0x7FF (0x600|0x5ff) configured in a descriptor after it is recycled, causing overflows of 511 bytes. A second issue was that the NET_IP_ALIGN value was not accounted for in the call to alloc_skb(). Note that this fix alone is not enough, as fragmented frames do still overflow the receive socket. Check Eric Dumazet's patch for 2.6 for more information on the subject (2.6 commit fdd7b4c3302c93f6833e338903ea77245eb510b4). Signed-off-by: Willy Tarreau <w@1wt.eu>
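The two r8169 defects described in this entry and in the "reject fragmented frames" entry above, as an added example written for this page (not the r8169 driver's code): a simplified receive descriptor whose size field is ORed into on recycle instead of being set, beside the corrected recycle, plus the acceptance check that rejects fragments of oversized frames, erroneous frames and sizes larger than the allocated buffer. The bit positions, the 13-bit size field and the sample descriptor words are constructed for the illustration and do not describe the real chip.

```c
/* Added example, not the r8169 driver's code: a simplified receive
 * descriptor that shows the two defects from the r8169 messages above
 * (ORing the buffer size into a recycled descriptor instead of setting it,
 * and accepting fragments of oversized frames) next to the corrected
 * handling. The bit positions and the 13-bit size field are constructed
 * for this illustration and do not describe the real chip. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define RX_BUF_SIZE    0x600u        /* 1536-byte receive buffers, as in the message */
#define DESC_SIZE_MASK 0x1fffu       /* constructed: low 13 bits hold the size */
#define DESC_OWN       (1u << 31)    /* descriptor handed to the NIC */
#define DESC_FIRST     (1u << 29)    /* first fragment of a frame */
#define DESC_LAST      (1u << 28)    /* last fragment of a frame */
#define DESC_RXRES     (1u << 21)    /* receive error summary (RxRES) */

struct rx_desc {
	uint32_t opts1;   /* status bits plus the frame size written back by the NIC */
};

/* Buggy recycle: the buffer size is ORed on top of whatever size the chip
 * wrote back for the previous frame. After a 0x5ff-byte frame the field
 * reads 0x600 | 0x5ff = 0x7ff, so the chip is told it may write 511 bytes
 * more than the buffer holds. */
void recycle_rx_desc_buggy(struct rx_desc *d)
{
	d->opts1 |= DESC_OWN | RX_BUF_SIZE;
}

/* Fixed recycle: rewrite the word so the stale size and status bits are
 * gone and the announced size is exactly the buffer size. */
void recycle_rx_desc_fixed(struct rx_desc *d)
{
	d->opts1 = DESC_OWN | RX_BUF_SIZE;
}

uint32_t rx_desc_size(uint32_t opts1)
{
	return opts1 & DESC_SIZE_MASK;
}

/* Acceptance check for a frame the NIC has handed back: a frame is usable
 * only if it is a single fragment (FIRST and LAST both set), carries no
 * error flag, and fits the buffer that was allocated for it. Rejected
 * frames must still have their descriptor recycled, or it is lost. */
bool rx_frame_usable(uint32_t opts1, size_t buf_size)
{
	uint32_t size = rx_desc_size(opts1);

	if ((opts1 & (DESC_FIRST | DESC_LAST)) != (DESC_FIRST | DESC_LAST))
		return false;     /* fragment of an oversized frame */
	if (opts1 & DESC_RXRES)
		return false;     /* erroneous frame */
	if (size == 0 || size > buf_size)
		return false;     /* would overflow the skb */
	return true;
}

/* Simulates one receive/recycle cycle: the NIC wrote `written_back` into
 * opts1, the driver recycles the descriptor with the chosen routine, and
 * the size the chip will see next is returned. */
uint32_t recycled_size(bool fixed, uint32_t written_back)
{
	struct rx_desc d = { written_back };

	if (fixed)
		recycle_rx_desc_fixed(&d);
	else
		recycle_rx_desc_buggy(&d);
	return rx_desc_size(d.opts1);
}

int main(void)
{
	uint32_t last = DESC_FIRST | DESC_LAST | 0x5ff;   /* constructed: 1535-byte frame */

	printf("buggy recycle announces %#x bytes, fixed announces %#x\n",
	       recycled_size(false, last), recycled_size(true, last));
	printf("fragment usable: %d\n", rx_frame_usable(DESC_FIRST | 0x1ff0, RX_BUF_SIZE));
	return 0;
}
```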
2009-06-27agp: remove uid comparison as security checkserue@us.ibm.com1-1/+1
In the face of containers and user namespaces, a uid==0 check for security is not safe. Switch to a capability check. I'm not sure I picked the right capability, but this being AGP CAP_SYS_RAWIO seemed to make sense. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Dave Airlie <airlied@linux.ie> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-06-07Change VERSION to 2.4.37.2v2.4.37.2Willy Tarreau1-1/+1
- ipv6: Disallow ridiculous flowlabel option sizes.
- net: amend the fix for SO_BSDCOMPAT gsopt infoleak
- e1000: fix bug with shared interrupt during reset
- e1000: add missing length check to e1000 receive routine
- sctp: Avoid memory overflow while FWD-TSN chunk is received with bad stream ID
- exit_notify: fix regression uncovered by the CAP_KILL fix

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-06-07exit_notify: fix regression uncovered by the CAP_KILL fixWilly Tarreau1-1/+1
Patch 3551c6a671cd7aa17ef6254276000ab8f3171708 silently uncovered a bug waiting to strike. The problem is that request_module() does not set the modprobe task's exit_signal and does not expect it to send a signal when it dies, as it does a waitpid(pid, NULL, __WCLONE). During exit_notify(), exit signal 0 was not changed when modprobe exited because modprobe had CAP_KILL set! Since we removed that test, modprobe sees its exit_signal assigned to SIGCHLD, which does not please its parent and leaves modprobe zombies everywhere. The correct fix consists in not setting exit_signal to SIGCHLD if exit_signal was not previously set.

This simple reproducer easily triggers the bug, with CONFIG_IPV6=m:

	#include <stdio.h>
	#include <sys/socket.h>
	#include <netinet/in.h>

	int main(void)
	{
		socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP);
		getchar();
		return 0;
	}

It causes the following line to be displayed in kernel logs:

	request_module[net-pf-10]: waitpid(371,...) failed, errno 1

A modprobe zombie lies around until the reproducer dies. Special thanks to Michael Niehren for reporting the issue and helping in quickly narrowing the problem down by testing patches.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-06-07e1000: add missing length check to e1000 receive routineNeil Horman1-2/+3
(backported from 2.6 commit ea30e11970a96cfe5e32c03a29332554573b4a10)

Patch to fix bad length checking in e1000. E1000 by default does two things:

1) Spans rx descriptors for packets that don't fit into 1 skb on receive
2) Strips the crc from a frame by subtracting 4 bytes from the length prior to doing an skb_put

Since the e1000 driver isn't written to support receiving packets that span multiple rx buffers, it checks the End of Packet bit of every frame, and discards it if it's not set. This places us in a situation where, if we have a spanning packet, the first part is discarded, but the second part is not (since it is the end of packet, and it passes the EOP bit test). If the second part of the frame is small (4 bytes or less), we subtract 4 from it to remove its crc, underflow the length, and wind up in skb_over_panic, when we try to skb_put a huge number of bytes into the skb. This amounts to a remote DOS attack through careful selection of frame size in relation to interface MTU.

The fix for this is already in the e1000e driver, as well as the e1000 sourceforge driver, but no one ever pushed it to e1000. This is lifted straight from e1000e, and prevents small frames from causing the underflow described above.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
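The length underflow this entry describes, as an added example written for this page (not the e1000 driver's code): the unfixed receive path only checks the EOP bit, so the tail of a spanned frame that holds 4 bytes or less wraps the unsigned length when the CRC is subtracted; the fixed path drops such frames before the subtraction. The descriptor layout, the status bits and the threshold used by the check are constructed for the illustration, since the page does not show the driver's exact values.

```c
/* Added example, not the e1000 driver's code: the length underflow
 * described above and the check that prevents it. The descriptor layout,
 * the status bits and the threshold used by the check are constructed for
 * this illustration; the page does not show the driver's exact values. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ETH_FCS_LEN   4        /* the CRC is stripped by subtracting 4 bytes */
#define RXD_STAT_DD   0x01u    /* constructed: descriptor done */
#define RXD_STAT_EOP  0x02u    /* constructed: end of packet */

struct rx_desc {
	uint16_t length;   /* bytes the NIC wrote into this buffer */
	uint8_t  status;
};

/* Unfixed shape: only EOP is checked. The first part of a spanned frame is
 * dropped, but its tail passes the EOP test; if that tail is 4 bytes or
 * less, subtracting the CRC wraps the unsigned length (2 - 4 becomes
 * 0xfffffffe) and skb_put() is asked for a huge number of bytes.
 * Returns the payload length to skb_put(), or 0 when the frame is dropped. */
unsigned int rx_payload_len_unchecked(const struct rx_desc *d)
{
	unsigned int length = d->length;

	if (!(d->status & RXD_STAT_EOP))
		return 0;
	length -= ETH_FCS_LEN;        /* underflows when length < 4 */
	return length;
}

/* Fixed shape: reject anything too short to contain even the CRC before
 * subtracting it, so the length can never wrap. */
unsigned int rx_payload_len_checked(const struct rx_desc *d)
{
	unsigned int length = d->length;

	if (!(d->status & RXD_STAT_EOP))
		return 0;
	if (length <= ETH_FCS_LEN)
		return 0;                 /* runt, or the tail of a spanned frame */
	return length - ETH_FCS_LEN;
}

/* Builds a descriptor from a length and EOP flag and evaluates it with the
 * chosen routine; used by main() and by the test. */
unsigned int payload_len(bool fixed, uint16_t len, bool eop)
{
	struct rx_desc d;

	d.length = len;
	d.status = (uint8_t)(RXD_STAT_DD | (eop ? RXD_STAT_EOP : 0));
	return fixed ? rx_payload_len_checked(&d) : rx_payload_len_unchecked(&d);
}

int main(void)
{
	/* Constructed: a 2-byte tail of a frame that spanned two buffers. */
	printf("unchecked tail: %u bytes\n", payload_len(false, 2, true));
	printf("checked tail:   %u bytes\n", payload_len(true, 2, true));
	printf("normal 64-byte frame: %u bytes\n", payload_len(true, 64, true));
	return 0;
}
```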
2009-06-07net: amend the fix for SO_BSDCOMPAT gsopt infoleakEugene Teo1-1/+3
(backported from 2.6 commit 50fee1dec5d71b8a14c1b82f2f42e16adc227f8b) [WT: previous patch was not merged into 2.4 because the issue was not present there. This second point still applies though - /WT] The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note that the same problem of leaking kernel memory will reappear if someone on some architecture uses struct timeval with some internal padding (for example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to leak the padded bytes to userspace. Signed-off-by: Eugene Teo <eugeneteo@kernel.sg> Reported-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-06-07ipv6: Disallow ridiculous flowlabel option sizes.David S. Miller1-2/+6
(backported from 2.6 commit 684de409acff8b1fe8bf188d75ff2f99c624387d) Just like PKTINFO, limit the options area to 64K. Based upon report by Eric Sesterhenn and analysis by Roland Dreier. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-06-07e1000: fix bug with shared interrupt during resetJesse Brandeburg1-1/+1
(backported from 2.6 commit 15b2bee22a0390d951301b53e83df88d0350c499) A nasty bug was found where an MTU change (or anything else that caused a reset) could race with the interrupt code. The interrupt code was entered by a shared interrupt during the MTU change. This change prevents the interrupt code from running while the driver is in the middle of its reset path. Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-06-07sctp: Avoid memory overflow while FWD-TSN chunk is received with bad stream IDWei Yongjun1-0/+14
(backported from 2.6 commit 9fcb95a105758b81ef0131cd18e2db5149f13e95)

If a FWD-TSN chunk is received with a bad stream ID, sctp will not do the validity check, and this may cause memory overflow when overwriting the TSN of the stream ID.

The FORWARD-TSN chunk is like this:

	FORWARD-TSN chunk
	  Type = 192
	  Flags = 0
	  Length = 172
	  NewTSN = 99
	  Stream = 10000
	  StreamSequence = 0xFFFF

This patch fixes this problem by discarding the chunk if the stream ID is not less than MIS.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
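The check this entry describes, as an added example written for this page (not the kernel's SCTP code): a minimal FORWARD-TSN parser that reads the chunk header and the stream/SSN skip entries in the RFC 3758 layout, validates every stream ID against the association's MIS before touching any per-stream state, and discards the whole chunk otherwise. The association struct, the table size, the MIS value of 10 and the sample chunks are constructed for the illustration (the dump above gives Stream = 10000 but not the MIS that was negotiated).

```c
/* Added example, not the kernel's SCTP code: a minimal FORWARD-TSN chunk
 * parser that applies the check described above, discarding the whole
 * chunk when any stream ID is not less than MIS. The chunk layout follows
 * RFC 3758 (type, flags, length, new cumulative TSN, then stream/SSN
 * pairs); the association struct, the table size and the sample chunks
 * are constructed for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SCTP_CID_FWD_TSN 192
#define MAX_STREAMS      16    /* constructed: size of the per-stream table */

struct assoc {
	uint16_t mis;                 /* negotiated maximum inbound streams */
	uint16_t ssn[MAX_STREAMS];    /* per-stream sequence state, indexed by stream ID */
};

static uint16_t get16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

static void put16(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t)(v >> 8);
	p[1] = (uint8_t)v;
}

/* Returns the number of stream skips applied, or -1 if the chunk was
 * discarded (malformed, or a stream ID at or beyond mis). All skips are
 * validated before any is applied, so a bad entry cannot leave the state
 * half-updated, and the table index can never exceed mis - 1. */
int process_fwd_tsn(struct assoc *a, const uint8_t *chunk, size_t avail)
{
	uint16_t len;
	size_t nskips, i;

	if (avail < 8 || chunk[0] != SCTP_CID_FWD_TSN)
		return -1;
	len = get16(chunk + 2);
	if (len < 8 || len > avail || (len - 8) % 4 != 0)
		return -1;
	nskips = (len - 8) / 4;

	for (i = 0; i < nskips; i++) {                 /* validation pass */
		uint16_t sid = get16(chunk + 8 + 4 * i);
		if (sid >= a->mis)
			return -1;    /* would write past the stream table */
	}
	for (i = 0; i < nskips; i++) {                 /* apply pass */
		const uint8_t *skip = chunk + 8 + 4 * i;
		a->ssn[get16(skip)] = get16(skip + 2);
	}
	return (int)nskips;
}

/* Serialises a FORWARD-TSN chunk with a single stream/SSN skip into out
 * (at least 12 bytes) and returns its length. */
size_t build_fwd_tsn(uint8_t *out, uint32_t new_tsn, uint16_t stream, uint16_t ssn)
{
	out[0] = SCTP_CID_FWD_TSN;
	out[1] = 0;                               /* flags */
	put16(out + 2, 12);                       /* chunk length */
	out[4] = (uint8_t)(new_tsn >> 24);
	out[5] = (uint8_t)(new_tsn >> 16);
	out[6] = (uint8_t)(new_tsn >> 8);
	out[7] = (uint8_t)new_tsn;
	put16(out + 8, stream);
	put16(out + 10, ssn);
	return 12;
}

struct fwd_tsn_demo {
	int result;             /* process_fwd_tsn() return value */
	uint16_t ssn_of_query;  /* SSN of stream `query` afterwards */
};

/* Demo wrapper: fresh association with `mis` streams (mis <= MAX_STREAMS),
 * one-skip chunk with NewTSN = 99 as in the dump, result plus the SSN of
 * stream `query` (0 if query lies outside the table). */
struct fwd_tsn_demo demo_fwd_tsn(uint16_t mis, uint16_t stream, uint16_t ssn, uint16_t query)
{
	struct assoc a = { mis, { 0 } };
	uint8_t buf[12];
	struct fwd_tsn_demo r;
	size_t len = build_fwd_tsn(buf, 99, stream, ssn);

	r.result = process_fwd_tsn(&a, buf, len);
	r.ssn_of_query = query < MAX_STREAMS ? a.ssn[query] : 0;
	return r;
}

int main(void)
{
	/* Constructed: MIS = 10, then Stream = 10000 as in the dump above. */
	struct fwd_tsn_demo bad = demo_fwd_tsn(10, 10000, 0xFFFF, 3);
	struct fwd_tsn_demo good = demo_fwd_tsn(10, 3, 7, 3);

	printf("stream 10000 with MIS 10: result %d\n", bad.result);
	printf("stream 3 with MIS 10: result %d, ssn[3] = %u\n", good.result, good.ssn_of_query);
	return 0;
}
```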
2009-04-19Change VERSION to 2.4.37.1v2.4.37.1Willy Tarreau1-1/+1
- af_rose/x25: Sanity check the maximum user frame size
- exit_notify: kill the wrong capable(CAP_KILL) check
- copy_process: fix CLONE_PARENT && parent_exec_id interaction
- CAP_FS_MASK: add CAP_LINUX_IMMUTABLE and CAP_MKNOD
- ATM: ensure we don't listen twice on a socket
- scripts: backport checkpatch.pl from mainline 2.6
- net: Fix soft lockups/OOM issues w/ unix garbage collector (CVE-2008-5300)

Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-04-13copy_process: fix CLONE_PARENT && parent_exec_id interactionOleg Nesterov1-5/+1
[backport of 2.6 commit 2d5516cbb9daf7d0e342a2e3b0fc6f8c39a81205] CLONE_PARENT can fool the ->self_exec_id/parent_exec_id logic. If we re-use the old parent, we must also re-use ->parent_exec_id to make sure exit_notify() sees the right ->xxx_exec_id's when the CLONE_PARENT'ed task exits. Also, move down the "p->parent_exec_id = p->self_exec_id" thing, to place two different cases together. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: Roland McGrath <roland@redhat.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: David Howells <dhowells@redhat.com> Cc: Serge E. Hallyn <serge@hallyn.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-04-13exit_notify: kill the wrong capable(CAP_KILL) checkOleg Nesterov1-2/+1
[backport of 2.6 commit 432870dab85a2f69dc417022646cb9a70acf7f94] The CAP_KILL check in exit_notify() looks just wrong, kill it. Whatever logic we have to reset ->exit_signal, the malicious user can bypass it if it execs the setuid application before exiting. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: Roland McGrath <roland@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-04-13net: Fix soft lockups/OOM issues w/ unix garbage collector (CVE-2008-5300)Willy Tarreau3-0/+24
This is a backport of 2.6 commit 5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3 : This is an implementation of David Miller's suggested fix in: https://bugzilla.redhat.com/show_bug.cgi?id=470201 It has been updated to use wait_event() instead of wait_event_interruptible(). Paraphrasing the description from the above report, it makes sendmsg() block while UNIX garbage collection is in progress. This avoids a situation where child processes continue to queue new FDs over a AF_UNIX socket to a parent which is in the exit path and running garbage collection on these FDs. This contention can result in soft lockups and oom-killing of unrelated processes. Signed-off-by: dann frazier <dannf@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Eugene Teo <eteo@redhat.com> [wt: yield the CPU after breaking a socket pair] Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-04-13scripts: backport checkpatch.pl from mainline 2.6Willy Tarreau1-0/+2615
Some people have been asking for checkpatch in 2.4. It was slightly modified not to check for presence of the Kbuild file in top dir. Signed-off-by: Willy Tarreau <w@1wt.eu>
2009-04-13af_rose/x25: Sanity check the maximum user frame sizeAlan Cox3-1/+13
Otherwise we can wrap the sizes and end up sending garbage. Closes #10423 Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-13CAP_FS_MASK: add CAP_LINUX_IMMUTABLE and CAP_MKNODSerge E. Hallyn1-4/+10
When POSIX capabilities were introduced during the 2.1 Linux cycle, the fs mask, which represents the capabilities which having fsuid==0 is supposed to grant, did not include CAP_MKNOD and CAP_LINUX_IMMUTABLE. However, before capabilities the privilege to call these did in fact depend upon fsuid==0. This patch introduces those capabilities into the fsmask, restoring the old behavior. See the thread starting at http://lkml.org/lkml/2009/3/11/157 for reference. Reported-by: Igor Zhbanov <izh1979@gmail.com> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Cc: stable@kernel.org Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-12-06ATM: ensure we don't listen twice on a socketWilly Tarreau1-0/+4
From Chas Williams: if sigd is running the only reason for a listen to fail would be it is already listening (EADDRINUSE) or you don't have permission to listen on that address which isn't going to get better with time. Cc: Eugene Teo <eteo@redhat.com> Cc: Chas Williams <chas@cmf.nrl.navy.mil> Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-12-02Change VERSION to 2.4.37v2.4.37Willy Tarreau1-1/+1
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-11-10Change VERSION to 2.4.37-rc2v2.4.37-rc2Willy Tarreau1-1/+1
- bonding: fix panic when taking bond interface down before removing module
- security: avoid calling a NULL function pointer in drivers/video/tvaudio.c
- forcedeth: fix checksum flag
- net: Fix recursive descent in __scm_destroy().
- ext: Avoid printk floods in the face of directory
- hfsplus: fix Buffer overflow with a corrupted image
- doc: mention chain-compiling for really old gccs
- CVE-2008-3275 Linux kernel local filesystem DoS
- Remove suid/sgid bits on truncate() (CVE-2008-4210)
- tcp: Clear probes_out more aggressively in tcp_ack().
- netfilter: snmp nat leaks memory in case of failure
- i2c: The i2c mailing list is moving
- i2c: Update comment of I2C_FUNC_SMBUS_*_I2C_BLOCK
- sanitise mii.h for userspace
- backport vlan device unregister fix
- doc: fix examples and add suggestions about depmod
- ata_piix: get more PCI IDs in sync with 2.6 (ICH9/ICH10)
- i386: add configuration option for AMD Geode GX/LX
- i2c: add support for Geode Companion CS5535/5536 to scx200_acb
- i386: add support for AMD Geode MFGPT timers
- wdt: add support for AMD Geode GX/LX watchdog
- char: add support for AMD Geode LX hardware RNG
- netfilter: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-11-09char: add support for AMD Geode LX hardware RNGWilly Tarreau5-0/+135
This driver provides support for AMD Geode LX HW RNG. It periodically collects entropy from the hardware to feed it into the kernel pool. This driver was partly inspired by the geoderng driver in 2.6.25 and by a few other drivers in 2.4. Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-11-09wdt: add support for AMD Geode GX/LX watchdogWilly Tarreau4-0/+275
This is a backport of AMD's Geode watchdog driver from 2.6 to 2.4. This driver requires the MFGPT infrastructure, which itself is enabled when CONFIG_MGEODE_LX is set. Loading this driver will cause the MFGPT code to initialize the timers. If the system hangs because of a broken BIOS, it is recommended to pass "mfgptfix" to the kernel command line to first reset the registers. Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-11-09i386: add support for AMD Geode MFGPT timersWilly Tarreau5-0/+567
This is a second backport of the 2.6 Geode MFGPT code to 2.4. It enables use of the Geode on-chip MFGPT timers which may be used by a watchdog timer. This code does not include the clocksource nor IRQ features. The driver does not try to touch anything as long as no timer allocation is requested. This limits the risk of side effects in presence of broken BIOSes for instance, which reset the timers while they shouldn't. In such a case, simply passing "mfgptfix" to the kernel command line is enough to fix the problem. When the driver was backported, the 2.6 driver was at commit ID 0d5cdc97e242a5589e5dca23277675f4b4482490. Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-11-09i2c: add support for Geode Companion CS5535/5536 to scx200_acbWilly Tarreau2-5/+33
The Geode Companion Chip CS5535/5536 provides an i2c controller compatible with what is found in SCx200. Very little effort is required to initialise it. This code was backported from its 2.6 equivalent. Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-11-09i386: add configuration option for AMD Geode GX/LXWilly Tarreau3-0/+17
The Geode GX/LX processors support TSC, CMOV, MMX and 3DNow and as such benefit from a dedicated configuration entry. Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-11-09ata_piix: get more PCI IDs in sync with 2.6 (ICH9/ICH10)Willy Tarreau1-2/+37
Some recent motherboards ship with ICH9/ICH10 SATA controllers. Update ata_piix accordingly. Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-11-09net: Fix recursive descent in __scm_destroy().David Miller3-5/+26
[backport of 2.6 commit f8d570a4745835f2238a33b537218a1bb03fc671] __scm_destroy() walks the list of file descriptors in the scm_fp_list pointed to by the scm_cookie argument. Those, in turn, can close sockets and invoke __scm_destroy() again. There is nothing which limits how deeply this can occur. The idea for how to fix this is from Linus. Basically, we do all of the fput()s at the top level by collecting all of the scm_fp_list objects hit by an fput(). Inside of the initial __scm_destroy() we keep running the list until it is empty. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu> (cherry picked from commit 57812a4772fa73f264b59ae31c5cc277630b1ff5)
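The fix this entry describes, as an added example written for this page (not net/core/scm.c): a tree of "file lists" in which destroying one list can reach further lists models the recursion in __scm_destroy(), and the fixed version marks that a destroy is in progress, has nested requests append to a work list instead of recursing, and drains that list from the outermost call. The structure and all names are constructed; the per-context flag and work list stand in for the per-task list the real fix uses, and the depth counter is instrumentation for the demo only.

```c
/* Added example, not net/core/scm.c: the unbounded-recursion shape in
 * __scm_destroy() and the fix described above, modelled on a tree of
 * "file lists" where closing a list can close further lists. Names are
 * constructed; only the structure of the fix follows the description. */
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

struct fp_list {
	struct fp_list *children[4];   /* lists reachable by closing our files */
	size_t nchildren;
	struct fp_list *next;          /* work-list link used by the fix */
};

static int cur_depth, max_depth;   /* instrumentation for the demo */

/* Naive version: closing a list recurses into every list it reaches. Depth
 * is bounded only by the structure, i.e. by whatever userspace built. */
static void destroy_recursive(struct fp_list *l)
{
	size_t i;

	if (++cur_depth > max_depth)
		max_depth = cur_depth;
	for (i = 0; i < l->nchildren; i++)
		destroy_recursive(l->children[i]);   /* the "fput" reaching another list */
	free(l);
	cur_depth--;
}

/* Fixed version: a per-context flag records that a destroy is already in
 * progress. Nested requests only append to its work list; the outermost
 * call drains the list until it is empty, so the stack never grows. */
static struct fp_list *pending;     /* stands in for the per-task work list */
static int in_destroy;

static void destroy_iterative(struct fp_list *l)
{
	if (in_destroy) {
		l->next = pending;            /* defer to the top-level loop */
		pending = l;
		return;
	}
	in_destroy = 1;
	l->next = NULL;
	pending = l;
	while (pending) {
		struct fp_list *cur = pending;
		size_t i;

		pending = cur->next;
		if (++cur_depth > max_depth)
			max_depth = cur_depth;
		for (i = 0; i < cur->nchildren; i++)
			destroy_iterative(cur->children[i]);   /* re-entry: just queued */
		free(cur);
		cur_depth--;
	}
	in_destroy = 0;
}

/* Builds a chain of n nested lists, the worst case for the recursion. */
static struct fp_list *build_chain(size_t n)
{
	struct fp_list *head = NULL;

	while (n--) {
		struct fp_list *l = calloc(1, sizeof *l);

		if (head) {
			l->children[0] = head;
			l->nchildren = 1;
		}
		head = l;
	}
	return head;
}

/* Returns the maximum nesting depth observed while destroying a chain of
 * n lists with the chosen strategy. */
int measure_depth(size_t n, int use_fix)
{
	struct fp_list *chain = build_chain(n);

	if (!chain)
		return 0;
	cur_depth = max_depth = 0;
	if (use_fix)
		destroy_iterative(chain);
	else
		destroy_recursive(chain);
	return max_depth;
}

int main(void)
{
	printf("recursive: depth %d for 1000 lists\n", measure_depth(1000, 0));
	printf("iterative: depth %d for 1000 lists\n", measure_depth(1000, 1));
	return 0;
}
```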
2008-11-09forcedeth: fix checksum flagAyaz Abdulla1-1/+1
[backport of 2.6 commit edcfe5f7e307846e578fb88d69fa27051fded0ab] Fix the checksum feature advertised in device flags. The hardware support TCP/UDP over IPv4 and TCP/UDP over IPv6 (without IPv6 extension headers). However, the kernel feature flags do not distinguish IPv6 with/without extension headers. Therefore, the driver needs to use NETIF_F_IP_CSUM instead of NETIF_F_HW_CSUM since the latter includes all IPv6 packets. A future patch can be created to check for extension headers and perform software checksum calculation. Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com> Cc: Jeff Garzik <jgarzik@pobox.com> Cc: Manfred Spraul <manfred@colorfullife.com Cc: <stable@kernel.org> [2.6.25.x, 2.6.26.x] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Jeff Garzik <jgarzik@redhat.com> Signed-off-by: Willy Tarreau <w@1wt.eu> (cherry picked from commit b4343b5e489aeb2287d1f41a9cd176c987146cbe)
2008-11-09hfsplus: fix Buffer overflow with a corrupted imageEric Sesterhenn1-0/+5
[backport of 2.6 commit efc7ffcb4237f8cb9938909041c4ed38f6e1bf40]

When an hfsplus image gets corrupted it might happen that the catalog namelength field gets b0rked. If we mount such an image the memcpy() in hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name field. Depending on the size of the overwritten data, we either only get memory corruption or also trigger an oops like this:

[ 221.628020] BUG: unable to handle kernel paging request at c82b0000
[ 221.629066] IP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151
[ 221.629066] *pde = 0ea29163 *pte = 082b0160
[ 221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
[ 221.629066] Modules linked in:
[ 221.629066]
[ 221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28)
[ 221.629066] EIP: 0060:[<c022d4b1>] EFLAGS: 00010206 CPU: 0
[ 221.629066] EIP is at hfsplus_find_cat+0x10d/0x151
[ 221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002
[ 221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c
[ 221.629066] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000)
[ 221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300
[ 221.629066]        01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060
[ 221.629066]        00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc
[ 221.629066] Call Trace:
[ 221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[ 221.629066]  [<c01302d2>] ? __kernel_text_address+0x1b/0x27
[ 221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
[ 221.629066]  [<c0109e32>] ? save_stack_address+0x0/0x2c
[ 221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[ 221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
[ 221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[ 221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[ 221.629066]  [<c013553d>] ? down+0xc/0x2f
[ 221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[ 221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[ 221.629066]  [<c013da5d>] ? mark_held_locks+0x43/0x5a
[ 221.629066]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[ 221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[ 221.629066]  [<c06abec8>] ? _spin_unlock_irqrestore+0x42/0x58
[ 221.629066]  [<c013555c>] ? down+0x2b/0x2f
[ 221.629066]  [<c022aa68>] ? hfsplus_iget+0xa0/0x154
[ 221.629066]  [<c022b0b9>] ? hfsplus_fill_super+0x280/0x447
[ 221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[ 221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[ 221.629066]  [<c041c9e4>] ? string+0x2b/0x74
[ 221.629066]  [<c041cd16>] ? vsnprintf+0x2e9/0x512
[ 221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
[ 221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[ 221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[ 221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
[ 221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[ 221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[ 221.629066]  [<c01354d3>] ? up+0xc/0x2f
[ 221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[ 221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[ 221.629066]  [<c041cfb7>] ? snprintf+0x1b/0x1d
[ 221.629066]  [<c01ba466>] ? disk_name+0x25/0x67
[ 221.629066]  [<c0183960>] ? get_sb_bdev+0xcd/0x10b
[ 221.629066]  [<c016ad92>] ? kstrdup+0x2a/0x4c
[ 221.629066]  [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
[ 221.629066]  [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
[ 221.629066]  [<c0183583>] ? vfs_kern_mount+0x3b/0x76
[ 221.629066]  [<c0183602>] ? do_kern_mount+0x32/0xba
[ 221.629066]  [<c01960d4>] ? do_new_mount+0x46/0x74
[ 221.629066]  [<c0196277>] ? do_mount+0x175/0x193
[ 221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[ 221.629066]  [<c01663b2>] ? __get_free_pages+0x1e/0x24
[ 221.629066]  [<c06ac07b>] ? lock_kernel+0x19/0x8c
[ 221.629066]  [<c01962e6>] ? sys_mount+0x51/0x9b
[ 221.629066]  [<c01962f9>] ? sys_mount+0x64/0x9b
[ 221.629066]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
[ 221.629066]  =======================
[ 221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f
[ 221.629066] EIP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c
[ 221.629066] ---[ end trace e417a1d67f0d0066 ]---

Since hfsplus_cat_build_key_uni() returns void and only has one callsite, the check is performed at the callsite.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 96de10c0b613c1f0f3712ef4e4d30b52884b68c6)
2008-11-09bonding: fix panic when taking bond interface down before removing moduleAndy Gospodarek1-5/+7
[backport of 2.6 commit ce39a800ea87c655de49af021c8b20ee323cb40d]

A panic was discovered with bonding when using mode 5 or 6 and trying to remove the slaves from the bond after the interface was taken down.

When calling 'ifconfig bond0 down' the following happens:

	bond_close()
		bond_alb_deinitialize()
			tlb_deinitialize()
				kfree(bond_info->tx_hashtbl)
				bond_info->tx_hashtbl = NULL

Unfortunately if there are still slaves in the bond, when removing the module the following happens:

	bonding_exit()
		bond_free_all()
			bond_release_all()
				bond_alb_deinit_slave()
					tlb_clear_slave()
						tx_hash_table = BOND_ALB_INFO(bond).tx_hashtbl
						u32 next_index = tx_hash_table[index].next

As you might guess we panic when trying to access a few entries into the table that no longer exists.

I experimented with several options (like moving the calls to tlb_deinitialize somewhere else), but it really makes the most sense to be part of the bond_close routine. It also didn't seem logical to move tlb_clear_slave around too much, so the simplest option seems to add a check in tlb_clear_slave to make sure we haven't already wiped the tx_hashtbl away before searching for all the non-existent hash-table entries that used to point to the slave as the output interface.

Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit b282a91df099f6ddc97936a882feac10859b1bcc)
2008-11-09ext: Avoid printk floods in the face of directoryEric Sandeen2-28/+42
This is a trivial backport of the following upstream commits: - bd39597cbd42a784105a04010100e27267481c67 (ext2) - cdbf6dba28e8e6268c8420857696309470009fd9 (ext3) This addresses CVE-2008-3528 ext[23]: Avoid printk floods in the face of directory corruption Note: some people thinks this represents a security bug, since it might make the system go away while it is printing a large number of console messages, especially if a serial console is involved. Hence, it has been assigned CVE-2008-3528, but it requires that the attacker either has physical access to your machine to insert a USB disk with a corrupted filesystem image (at which point why not just hit the power button), or is otherwise able to convince the system administrator to mount an arbitrary filesystem image (at which point why not just include a setuid shell or world-writable hard disk device file or some such). Me, I think they're just being silly. --tytso Signed-off-by: Eric Sandeen <sandeen@redhat.com> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Cc: linux-ext4@vger.kernel.org Cc: Eugene Teo <eugeneteo@kernel.sg> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> [w@1wt.eu: backport from 2.6-stable to 2.4. Removed all ext4 references] Signed-off-by: Willy Tarreau <w@1wt.eu> (cherry picked from commit b85ad79e46390c2774a7dc2056a2a719ae97a5ac)
2008-11-09  netfilter: snmp nat leaks memory in case of failure  (Ilpo Järvinen; 1 file, -0/+1)
(backport of 2.6 commit 311670f3ea90115f2f1840e3e9770ed71e06e6c3)

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ w@1wt.eu: file is ip_nat_snmp_basic.c in 2.4 ]
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-11-08  i2c: Update comment of I2C_FUNC_SMBUS_*_I2C_BLOCK  (Jean Delvare; 1 file, -2/+2)
Update the comment of I2C_FUNC_SMBUS_*_I2C_BLOCK to bring it in line with the external i2c repository and the 2.6 kernel.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
2008-11-08  i2c: The i2c mailing list is moving  (Jean Delvare; 1 file, -1/+1)
Replace all references (actually, just one) to the old i2c mailing list.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
2008-11-08  backport vlan device unregister fix  (Marcel Sebek; 1 file, -1/+0)
Hi.

The attached patch was merged into the 2.6.8 kernel, see http://www.linux.sgi.com/archives/netdev/2004-08/msg00076.html

However, no similar fix is in 2.4. I've faced the problem on a 2.4.26 kernel (with external patches) and with DEBUG_SLAB turned on. When I unregister a network device with an attached vlan device, the vlan device structure is freed too early (because of wrong refcounting) and the dev_mc_discard call in unregister_netdevice uses this freed memory, which causes an oops.

Signed-off-by: Marcel Šebek <sebek64@post.cz>
2008-11-08  security: avoid calling a NULL function pointer in drivers/video/tvaudio.c  (Arjan van de Ven; 1 file, -1/+1)
NULL function pointers are very bad security-wise. This one got caught by kerneloops.org quite a few times, so it's happening in the field....

The fix is simple: check the function pointer for NULL, like 6 other places in the same function are already doing.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
[2.6 commit: 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1]
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 1f4142d8789d22527cc140f03f9cc8f6f8caa117)
2008-11-08  Remove suid/sgid bits on truncate() (CVE-2008-4210)  (Eugene Teo; 1 file, -0/+2)
Hi Willy,

I noticed that CVE-2008-4210 is missing from the linux-2.4.git tree. Don (cc'ed) proposed this:

Cc: Don Howard <dhoward@redhat.com>
Test-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit ead60d38671fb5a0aa5e4f04dbc61736f2d9461f)
2008-11-08  CVE-2008-3275 Linux kernel local filesystem DoS  (Eugene Teo; 1 file, -2/+17)
This is a backport for CVE-2008-3275.

"Lookup can install a child dentry for a deleted directory. This keeps the directory dentry alive, and the inode pinned in the cache and on disk, even after all external references have gone away.

This isn't a big problem normally, since memory pressure or umount will clear out the directory dentry and its children, releasing the inode. But for UBIFS this causes problems because its orphan area can overflow.

Fix this by returning ENOENT for all lookups on a S_DEAD directory before creating a child dentry."

Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
[ WT: problem and fix confirmed on ramfs using method described at http://lkml.org/lkml/2008/7/2/83 ]
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit f23e4db5d0462de3a3e74686d7e1a4b708bef002)
2008-11-08  netfilter: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion  (Yasuyuki KOZAKAI; 2 files, -4/+8)
[2.6 commit: 8ca31ce52a5cfd03b960fd81a49197ae85d25347]

The current code ignores rules for internal options in the HBH/DST options header in packet processing if 'Not strict' mode is specified (which is not implemented). Clearly this is not what the user expects. The kernel should reject HBH/DST rule insertion with 'Not strict' mode in the first place.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 59a1f6d68cdd824f303554922a77ddaf0a2a887e)
2008-11-08  sanitise mii.h for userspace  (Jouke Witteveen; 1 file, -15/+14)
In the 2.4 kernel mii.h is not suitable for normal inclusion outside the kernel. This was fixed for 2.6 by David Woodhouse <dwmw2@infradead.org> in April 2006. A patch for 2.4 (basically the same as the one committed for 2.6) is included [1].

Inclusion of mii.h was necessary for me when I developed a userspace network driver for OpenWRT.

Regards,
Jouke Witteveen
2008-09-21  tcp: Clear probes_out more aggressively in tcp_ack().  (Gilles Espinasse; 1 file, -2/+1)
backport of 2.6 commit 4b53fb67e385b856a991d402096379dab462170a

Test conditions: 2.4.36 kernel using this iptables configuration

    iptables -N SLOWLO
    iptables -A SLOWLO -m limit --limit 2/sec --limit-burst 1 -j ACCEPT
    iptables -A SLOWLO -j DROP
    iptables -A OUTPUT -o lo -p tcp --dport 12000 -j SLOWLO

borrowed ss from iproute2-2.4.7-now-ss020116-try.tar.gz, I had the same result on 2.4.36.7 as Eric Dumazet on 2.6.25 without the patch with his test program.

----
From David S. Miller commit log message

This is based upon an excellent bug report from Eric Dumazet.

tcp_ack() should clear ->icsk_probes_out even if there are packets outstanding. Otherwise if we get a sequence of ACKs while we do have packets outstanding over and over again, we'll never clear the probes_out value and eventually think the connection is too sick and we'll reset it.

This appears to be some "optimization" added to tcp_ack() in the 2.4.x timeframe. In 2.2.x, probes_out is pretty much always cleared by tcp_ack().

Here is Eric's original report:

----------------------------------------
Apparently, we can in some situations reset TCP connections in a couple of seconds when some frames are lost.

In order to reproduce the problem, please try the following program on linux-2.6.25.*

Setup some iptables rules to allow two frames per second sent on loopback interface to tcp destination port 12000 ...

Then run the attached program and see the output :

    ./test_tcp-input
    State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
    ESTAB      0      40     127.0.0.1:32769      127.0.0.1:12000    timer:(persist,180ms,1)
    State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
    ESTAB      0      40     127.0.0.1:32769      127.0.0.1:12000    timer:(persist,180ms,3)
    State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
    ESTAB      0      40     127.0.0.1:32769      127.0.0.1:12000    timer:(persist,180ms,5)
    State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
    ESTAB      0      40     127.0.0.1:32769      127.0.0.1:12000    timer:(persist,180ms,7)
    State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
    ESTAB      0      40     127.0.0.1:32769      127.0.0.1:12000    timer:(persist,180ms,9)
    State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
    ESTAB      0      40     127.0.0.1:32769      127.0.0.1:12000    timer:(persist,180ms,11)
    State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
    ESTAB      0      40     127.0.0.1:32769      127.0.0.1:12000    timer:(persist,180ms,13)
    State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
    ESTAB      0      40     127.0.0.1:32769      127.0.0.1:12000    timer:(persist,180ms,15)
    write(): Connection timed out
    wrote 880 bytes but was interrupted after 10 seconds
    ESTAB      0      0      127.0.0.1:12000      127.0.0.1:32769
    Exiting read() because no data available (4000 ms timeout).
    read 860 bytes

While this tcp session makes progress (sending frames with 50 bytes of payload, every 500ms), linux tcp stack decides to reset it, when tcp_retries2 is reached (default value : 15) ...

Source of program :

    /*
     * small producer/consumer program.
     * setup a listener on 127.0.0.1:12000
     * Forks a child
     *   child connect to 127.0.0.1, and sends 10 bytes on this tcp socket every 100 ms
     * Father accepts connection, and read all data
     */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>   /* for system(); missing from the original listing */
    #include <time.h>
    #include <sys/poll.h>

    int port = 12000;
    char buffer[4096];

    int main(int argc, char *argv[])
    {
        int lfd = socket(AF_INET, SOCK_STREAM, 0);
        struct sockaddr_in socket_address;
        time_t t0, t1;
        int on = 1, sfd, res;
        unsigned long total = 0;
        socklen_t alen = sizeof(socket_address);
        pid_t pid;

        time(&t0);
        socket_address.sin_family = AF_INET;
        socket_address.sin_port = htons(port);
        socket_address.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

        if (lfd == -1) {
            perror("socket()");
            return 1;
        }
        setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(int));
        if (bind(lfd, (struct sockaddr *)&socket_address, sizeof(socket_address)) == -1) {
            perror("bind");
            close(lfd);
            return 1;
        }
        if (listen(lfd, 1) == -1) {
            perror("listen()");
            close(lfd);
            return 1;
        }
        pid = fork();
        if (pid == 0) {
            /* child: producer, writes 10 bytes every 100 ms and samples ss every second */
            int i, cfd = socket(AF_INET, SOCK_STREAM, 0);
            close(lfd);
            if (connect(cfd, (struct sockaddr *)&socket_address, sizeof(socket_address)) == -1) {
                perror("connect()");
                return 1;
            }
            for (i = 0 ; ;) {
                res = write(cfd, "blablabla\n", 10);
                if (res > 0)
                    total += res;
                else if (res == -1) {
                    perror("write()");
                    break;
                } else
                    break;
                usleep(100000);
                if (++i == 10) {
                    system("ss -on dst 127.0.0.1:12000");
                    i = 0;
                }
            }
            time(&t1);
            fprintf(stderr, "wrote %lu bytes but was interrupted after %g seconds\n",
                    total, difftime(t1, t0));
            system("ss -on | grep 127.0.0.1:12000");
            close(cfd);
            return 0;
        }
        /* parent: consumer, reads until 4 s pass without data */
        sfd = accept(lfd, (struct sockaddr *)&socket_address, &alen);
        if (sfd == -1) {
            perror("accept");
            return 1;
        }
        close(lfd);
        while (1) {
            struct pollfd pfd[1];
            pfd[0].fd = sfd;
            pfd[0].events = POLLIN;
            if (poll(pfd, 1, 4000) == 0) {
                fprintf(stderr, "Exiting read() because no data available (4000 ms timeout).\n");
                break;
            }
            res = read(sfd, buffer, sizeof(buffer));
            if (res > 0)
                total += res;
            else if (res == 0)
                break;
            else
                perror("read()");
        }
        fprintf(stderr, "read %lu bytes\n", total);
        close(sfd);
        return 0;
    }
----------------------------------------

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gilles Espinasse g.esp@free.fr
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-21  doc: fix examples and add suggestions about depmod  (Willy Tarreau; 1 file, -2/+12)
Grant Coady has reported these useful suggestions and workaround for possible build errors related to building a new compiler.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-21  doc: mention chain-compiling for really old gccs  (Erik Inge Bolsø; 1 file, -0/+7)
Compiling gcc 2.95.3 directly with 4.x breaks. Mention chain-compiling as a way to get around that, and end up with as ancient a gcc as you might like.

Signed-off-by: Erik Inge Bolsø <knan-lkml@anduin.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-07  Change VERSION to 2.4.37-rc1  [tag v2.4.37-rc1]  (Willy Tarreau; 1 file, -2/+2)
- Fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)
- add ICH9x support to ahci driver
- usb: add support for ADM8515 to pegasus.h
- asn1: additional sanity checking during BER decoding (CVE-2008-1673)
- usb-serial: back-port of pl2303.c from 2.6.24.1
- sit: Add missing kfree_skb() on pskb_may_pull() failure (CVE-2008-2136)
- sparc: Fix mmap VA span checking (CVE-2008-2137)
- sctp: Make sure N * sizeof(union sctp_addr) does not overflow (CVE-2008-2826)
- x86 SMP: don't report error on uniprocessor machines
- 2.4.x USB and 1394 hotplug
- wan: Missing capability checks in sbni_ioctl() (CVE-2008-3525)
- [PPPOE]: Missing result check in __pppoe_xmit().
- Kernel patch to add rootdelay feature
- udf: fix uid/gid permissions
- PCI ID updates for amd74xx
- ahci driver update
- ext2_readdir() filp->f_pos fix (try #2)
- Duplicate id in videodev.h
- Fix typo in acpi_boot_init
- 3c980-TX needs EXTRA_PREAMBLE
- net pppoe: Check packet length on all receive paths
- ide-generic: Marvell IDE 88SE6101 2.4.XX support
- ip-pnp-dhcp: wait lazily when doing dhcp for diskless systems
- ACPI: check a return value correctly in acpi_power_get_context()
- [TCP]: Fix shrinking windows with window scaling
- wireless, airo: waitbusy() won't delay
- IDE: fix panic during probe with negative IRQ
- ipv6: use timer pending
- signal.h: use an explicit cast to silent compiler warnings
- fix build error with some flavours of gcc 2.95.3
- ata_piix: add PCI ID for intel ICH8 controller
- linux-2.4 CLASSIFY patch.
- sctp: Do not leak memory on multiple listen() calls
- sctp: Allow only 1 listening socket with SO_REUSEADDR
- Do not complain about gcc 4.2 for user-space
- i386: fix setCx86/getCx86 race in macros
- security: insufficient range checks in certain fault handlers
- intermezzo: fix uninitialized use of pointer in error path
- Fix dnotify/close race (CVE-2008-1375)
- ide-generic: add support for JMicron 368
- ide-generic: add support for Marvell 6145 PATA port
- ata_piix: add support for ICH9 in IDE mode
- doc: explain how to build a suitable gcc in Documentation/using-newer-gcc.txt
- sound: fix warning due to incorrect error code checking in ad1889
- sky2: fix uninitialized "mss" variable in sky2_xmit_frame()
- x86 would not build without CONFIG_VT
- via-rhine: fix mii duplex detection during link monitoring
- pc_keyb: fix breakage on ia64/mips/mips64
- Correct the upto value during list conntrack information
- avoid semi-infinite loop when mounting bad ext2
- ext2: skip pages past number of blocks in ext2_find_entry
- memory leak when socket is release()d before PPPIOCGCHAN has been called on it
- 2.4: fix memory corruption from misinterpreted bad_inode_ops return values
- 2.4: [SCSI] aacraid: Fix security hole
- 2.4: USB: fix DoS in pwc USB video driver
- 2.4: [POWERPC] CHRP: Fix possible NULL pointer dereference
- old buffer overflow in moxa driver (CVE-2005-0504)

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-07  pc_keyb: fix breakage on ia64/mips/mips64  (Willy Tarreau; 1 file, -3/+6)
Commit f8db8c9c81afb4b04c146cae0e2a1fd311de1f22 fixed the keyboard controller jammed issue on keyboard-less PCs, but introduced the problem for other architectures (ia64/mips/mips64) which already define their own keyboard probing method.

This patch gives precedence to these archs' probing method and only defines the setup option if no arch-specific method was defined.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-07  x86 SMP: don't report error on uniprocessor machines  (Emeric Brun; 2 files, -6/+2)
Booting i386 on an SMP system with only one processor reports the following error :

    Error: only one processor found.

This has always caused unnecessary worries to admins, and is getting more frequent nowadays on virtual machines. The solution simply consists in removing the cpucount test, which does not exist anymore in 2.6 BTW.

A boot on a quad-core "downcored" to 1 core now correctly reports :

    Total of 1 processors activated (6003.09 BogoMIPS).

Ditto for x86_64.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-07  2.4.x USB and 1394 hotplug  (Erik Andersen; 5 files, -86/+184)
This patch has been in use locally for quite some time now and makes working with USB and 1394 mass-storage devices in 2.4.x a much less painful experience. When devices are plugged in, they are automagically connected up to the scsi subsystem without the need to rescan all scsi busses or echo things into /proc/scsi/scsi. When devices are unplugged, they are automagically removed from the scsi subsystem, instead of hanging around registered but with no media actually present.

-Erik

--
Erik B. Andersen             http://codepoet-consulting.com/
--This message was written using 73% post-consumer electrons--

Signed-off-by: Erik Andersen <andersen@codepoet.org>
2008-09-07  via-rhine: fix mii duplex detection during link monitoring  (Willy Tarreau; 1 file, -26/+16)
via_rhine_check_duplex() is called from the link check timer to detect if the link state has changed. It uses mii_if.full_duplex as a cache for previous state. But with bonding regularly calling netdev_get_settings(), we have mii_if.full_duplex magically change below us, which implies that sometimes, via_rhine_check_duplex() thinks the link was already set to full duplex while it had not been yet.

We need a more reliable cache, so add a new field in structure netdev_private. Getting rid of calls to mdio_read() in favor of mii_check_media() makes the code cleaner and mii_status useless, so it got removed.

With the above changes applied, I got all problems definitely solved (and all link transitions were correctly detected).

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-07  x86 would not build without CONFIG_VT  (Willy Tarreau; 1 file, -1/+5)
I've been using this patch for a while without noticing it never went into mainline. It is required to build i386 without CONFIG_VT.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-07  sky2: fix uninitialized "mss" variable in sky2_xmit_frame()  (Willy Tarreau; 1 file, -1/+1)
This variable was initialized within the #if NETIF_F_TSO block which is not used on kernel 2.4. This has probably caused a bunch of instability. This driver would need a new backport anyway.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-07  sound: fix warning due to incorrect error code checking in ad1889  (Willy Tarreau; 1 file, -1/+1)
    ad1889.c: In function `ad1889_ac97_init':
    ad1889.c:857: warning: comparison is always false due to limited range of data type

This is caused by a short being compared against 0xFFFFFF while 0xFFFF was indeed expected. The missing device would just never have been detected.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  doc: explain how to build a suitable gcc in Documentation/using-newer-gcc.txt  (Willy Tarreau; 2 files, -1/+193)
Since many people are using recent distros which do not ship a compatible gcc anymore, here's a procedure explaining in details how to build an older gcc to build kernel 2.4.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  ata_piix: add support for ICH9 in IDE mode  (Willy Tarreau; 1 file, -0/+2)
On my ASUS P5E3-WSPro, the SATA ports may be configured as AHCI or IDE. The PCI IDs differ depending on the mode. This patch adds IDs to support the controller in legacy IDE mode. This has been tested with a SATA drive on each port.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  ide-generic: add support for Marvell 6145 PATA port  (Willy Tarreau; 3 files, -0/+12)
My ASUS P5E3-WSPro has the PATA port attached to this chip. The following patch is needed to make use of the port. Tested with a CD-ROM drive.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  ide-generic: add support for JMicron 368  (Willy Tarreau; 3 files, -0/+12)
This controller is present on my ASUS P5E motherboard. This patch is needed to make the PATA port usable.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  ide-generic: Marvell IDE 88SE6101 2.4.XX support  (Ivaylo Josifov; 3 files, -0/+14)
Another small patch to support the Marvell IDE 88SE6101 controller. I have one on an Intel DG33BU motherboard. It is detected as

    02:00.0 IDE interface: Marvell Technology Group Ltd. 88SE6101 single-port PATA133 interface (rev b2)

I add it in the kernel as generic IDE. This patch and the other one to support ICH9 AHCI have worked for me for a few months.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  ahci driver update  (Gilles Espinasse; 1 file, -3/+177)
This is an update of AHCI driver IDs from 2.6.26. Most of the recent intel, nvidia and ATI controllers are present.

Tested-by: Willy Tarreau <w@1wt.eu> (for ICH9)
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  sctp: Make sure N * sizeof(union sctp_addr) does not overflow (CVE-2008-2826)  (David S. Miller; 1 file, -1/+3)
[backport of 2.6 commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62]

As noticed by Gabriel Campana, the kmalloc() length arg passed in by sctp_getsockopt_local_addrs_old() can overflow if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  sctp: Allow only 1 listening socket with SO_REUSEADDR  (Vlad Yasevich; 1 file, -7/+15)
[backport of 2.6 commit 4e54064e0a13b7a7d4a481123c1783f770538e30]

When multiple sockets bind to the same port with SO_REUSEADDR, only 1 can be listening.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  sctp: Do not leak memory on multiple listen() calls  (Vlad Yasevich; 1 file, -2/+3)
[backport of 2.6 commit 23b29ed80bd7184398317a111dc488605cb66c7f]

SCTP permits multiple listen calls and on subsequent calls we leak the memory allocated for the crypto transforms.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  udf: fix uid/gid permissions  (Gilbert Ashley Gilbert; 1 file, -0/+4)
This change made it into the 2.6 branch since 2.6.15 and fixes a problem where the UDF code would change the ownership of files in a UDF filesystem when they were different than the current user, when possible.

Example: after creating a CD using udf as a regular user, if you mounted the CD as root, the udf code would reset the ownership of all the files on the cd, causing unnecessary write operations.

I found this fix while working with an old patch which adds packet-writing to the 2.4 kernel. This fix is from the original author (or maintainer) of the udf code.

Note: this was fixed upstream in 4d6660eb3665f22d16aff466eb9d45df6102b254.
2008-09-06  wan: Missing capability checks in sbni_ioctl() (CVE-2008-3525)  (Eugene Teo; 1 file, -4/+4)
[backport of 2.6 commit f2455eb176ac87081bbfc9a44b21c7cd2bc1967e]

There are missing capability checks in the following code:

    static int
    sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)
    {
    [...]
        case SIOCDEVRESINSTATS :
            if( current->euid != 0 )    /* root only */
                return -EPERM;
    [...]
        case SIOCDEVSHWSTATE :
            if( current->euid != 0 )    /* root only */
                return -EPERM;
    [...]
        case SIOCDEVENSLAVE :
            if( current->euid != 0 )    /* root only */
                return -EPERM;
    [...]
        case SIOCDEVEMANSIPATE :
            if( current->euid != 0 )    /* root only */
                return -EPERM;

Here's my proposed fix:

Missing capability checks.

Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  [PPPOE]: Missing result check in __pppoe_xmit().  (Florin Malita; 1 file, -0/+3)
[backport of 2.6 commit 9bc18091a5e44a368827f539289b99788eb27d4e]

skb_clone() may fail, we should check the result.

Coverity CID: 1215.

Signed-off-by: Florin Malita <fmalita@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  net pppoe: Check packet length on all receive paths  (Herbert Xu; 1 file, -17/+16)
[backport of 2.6 commit 392fdb0e35055b96faa9c1cd6ab537805337cdce]

The length field in the PPPOE header wasn't checked completely. This patch causes all packets shorter than the declared length to be dropped.

It also changes the memcpy_toiovec call to skb_copy_datagram_iovec so that paged packets (rare for PPPOE) are handled properly.

Thanks to Ilja of the Netric Security Team for discovering and reporting this bug, and Chris Wright for the total_len check.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-09-06  ipv6: use timer pending  (Stephen Hemminger; 1 file, -1/+1)
[backport of 2.6 commit 847499ce71bdcc8fc542062df6ebed3e596608dd]

This fixes the bridge reference count problem and cleanups ipv6 FIB timer management. Don't use expires field, because it is not a proper way to test, instead use timer_pending().

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-07-20  Correct the upto value during list conntrack information  (Xiong Wu; 1 file, -1/+4)
The problem: When listing numerous conntrack information from /proc/net/ip_conntrack, we found some items are missing.

The solution: This patch corrects the upto value in conntrack_iterate() when the length of conntrack information exceeds the max length.

Cc: Patrick McHardy <kaber@trash.net>
Cc: coreteam@netfilter.org
2008-07-20  IDE: fix panic during probe with negative IRQ  (Solar Designer; 1 file, -4/+4)
I've attached the ide-probe.c patch. It disallows not only negative IRQs, but also IRQ 0 - but the original code did the same (and in other places as well).

BTW, 2.6 has the same fishy code in ide-probe.c, so maybe the problem is actually elsewhere (that is, maybe -1 is not a valid value for that field, and maybe that is fixed in 2.6).
2008-07-20  add ICH9x support to ahci driver  (Axel Reinhold; 1 file, -0/+24)
I have a simple patch for 2.4 which makes the kernel work on modern mainstream server boards with Intel's ICH9x chipset. It just adds the new PCI-IDs to the ahci-driver. It is very simple but helped me a lot deploying my server environment to recent hardware.
2008-07-20  usb: add support for ADM8515 to pegasus.h  (Carsten; 1 file, -0/+3)
On a little project about a NAS from MCT ( www.openmct.org ) a user requested to use a USB2LAN adapter based on an ADMtek chipset. The original module pegasus.o does not work. We currently use kernel 2.4.35.3.

After some searching he found a solution by patching pegasus.h in driver/usb/pegasus.h with the following entry

    PEGASUS_DEV( "ADMtek ADM8515 \"Pegasus II\" USB Ethernet", VENDOR_ADMTEK, 0x8515, DEFAULT_GPIO_RESET | PEGASUS_II )

We tested the patch and the newly rebuilt module works now.

The adapter has these IDs (vend/prod 0x7a6/0x8515)

> May 22 14:45:38 (none) user.info kernel: pegasus.c: v0.4.32 (2003/06/06):Pegasus/Pegasus II USB Ethernet driver
> May 22 14:45:38 (none) user.info kernel: usb.c: registered new driver pegasus
> May 22 14:46:47 (none) user.err kernel: hub.c: connect-debounce failed, port 1 disabled
> May 22 14:48:33 (none) user.info kernel: hub.c: new USB device 00:0f.2-3, assigned address 2
> May 22 14:48:33 (none) user.info kernel: pegasus.c: intr interval will be changed from 1ms to 128ms
> May 22 14:48:33 (none) user.info kernel: pegasus.c: eth1: ADMtek ADM8515 "Pegasus II" USB Ethernet
> May 22 14:48:33 (none) user.info kernel: pegasus.c: setup Pegasus II specific registers

My patch for this is quite simple.
2008-07-20  ata_piix: add PCI ID for intel ICH8 controller  (Steve Rosenbluth; 1 file, -0/+1)
This patches drivers/scsi/ata_piix.c

It allows the kernel to access a SATA drive on an Intel ICH8 controller using the ich7 driver. This has been tested and it seems quite stable.
2008-07-20  PCI ID updates for amd74xx  (Gilles Espinasse; 3 files, -4/+101)
backport from 2.6.24

IDE NFORCE (MCP51, MCP61, MCP65, MCP67, MCP73, MCP77), AMD CS5536

Signed-off-by: Gilles Espinasse <g.esp@free.fr>
2008-07-20  linux-2.4 CLASSIFY patch.  (Unknown; 5 files, -0/+103)
Patch created against latest stable 2.4 tree: 2.4.36.2

ftp://borg.uu3.net/home/borg/patch/linux-2.4-classify.patch

CLASSIFY sources has been taken from:

https://svn.netfilter.org/netfilter/branches/patch-o-matic-ng/linux-2.6.11/CLASSIFY

Acked-by: Patrick McHardy <kaber@trash.net>
2008-07-20  Kernel patch to add rootdelay feature  (Gilbert Ashley; 2 files, -1/+21)
This patch adds the 'rootdelay' option to the kernel command-line boot options. The feature was backported from the 2.6 kernel series. This allows for mounting root filesystems which are located on devices whose drivers are slow to load, such as USB mass-storage devices.

Example: 'rootdelay=10' tells the kernel to wait 10 seconds before trying to mount the rootfs device.
2008-07-20  asn1: additional sanity checking during BER decoding (CVE-2008-1673)  (Chris Wright; 1 file, -1/+15)
[backport of 2.6 commit ddb2c43594f22843e9f3153da151deaba1a834c5]

- Don't trust a length which is greater than the working buffer. An invalid length could cause overflow when calculating buffer size for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Cc: Steven French <sfrench@us.ibm.com>
Cc: stable@kernel.org
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[w@1wt.eu: backported to 2.4 : no cifs ; snmp in ip_nat_snmp_basic.c]
Signed-off-by: Willy Tarreau <w@1wt.eu>
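The three checks listed in this commit message, carried into a small stand-alone decoder. This is an added example, not the kernel's asn1 code from the commit and not code from the page: `ber_decode_hdr` refuses a definite length longer than the working buffer and an indefinite length on a primitive encoding, and `ber_decode_oid` refuses an empty OID because its first content octet must yield two subidentifiers, so a zero length leaves nothing to read. All function names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Decoded BER identifier and length octets. */
struct ber_hdr {
    uint8_t tag;        /* identifier octet (low tag numbers only) */
    bool constructed;   /* bit 6 of the identifier octet */
    bool indefinite;    /* length octet 0x80: content ends with 00 00 */
    size_t len;         /* content length in octets (0 when indefinite) */
    size_t hdr_len;     /* octets consumed by identifier + length */
};

/* Parse one identifier/length header from buf[0..avail).  Rejects a definite
 * length longer than what remains in the working buffer, a length field too
 * wide to hold, and an indefinite length on a primitive encoding. */
bool ber_decode_hdr(const uint8_t *buf, size_t avail, struct ber_hdr *h)
{
    size_t pos = 0;
    if (avail < 2)
        return false;
    h->tag = buf[pos++];
    h->constructed = (h->tag & 0x20) != 0;
    h->indefinite = false;
    h->len = 0;
    uint8_t first = buf[pos++];
    if (first == 0x80) {                      /* indefinite form */
        if (!h->constructed)
            return false;                     /* primitives may not use it */
        h->indefinite = true;
    } else if (first & 0x80) {                /* long definite form */
        size_t nbytes = first & 0x7f;
        if (nbytes > sizeof(size_t) || nbytes > avail - pos)
            return false;
        while (nbytes--)
            h->len = (h->len << 8) | buf[pos++];
    } else {
        h->len = first;                       /* short definite form */
    }
    h->hdr_len = pos;
    return h->len <= avail - pos;             /* never trust len > buffer */
}

/* Decode OBJECT IDENTIFIER content octets into subidentifiers.  The first
 * content octet packs the first two subids (40*X + Y), so an empty OID has
 * no valid decoding and is rejected before any octet is read.  Returns the
 * number of subids written, or -1 on malformed input. */
int ber_decode_oid(const uint8_t *p, size_t len, uint32_t *out, size_t max)
{
    if (len == 0 || max < 2)
        return -1;
    size_t n = 0;
    out[n++] = p[0] < 80 ? p[0] / 40 : 2;
    out[n++] = p[0] < 80 ? p[0] % 40 : p[0] - 80;
    uint32_t acc = 0;
    bool pending = false;                     /* inside a multi-octet subid */
    for (size_t i = 1; i < len; i++) {
        if (acc > (UINT32_MAX >> 7))
            return -1;                        /* subid would overflow */
        acc = (acc << 7) | (p[i] & 0x7f);
        pending = (p[i] & 0x80) != 0;
        if (!pending) {
            if (n >= max)
                return -1;
            out[n++] = acc;
            acc = 0;
        }
    }
    return pending ? -1 : (int)n;             /* truncated last subid? */
}

/* Decode a whole OID TLV (tag 0x06); -1 on any rejection. */
int ber_decode_oid_tlv(const uint8_t *buf, size_t avail, uint32_t *out, size_t max)
{
    struct ber_hdr h;
    if (!ber_decode_hdr(buf, avail, &h) || h.tag != 0x06 || h.indefinite)
        return -1;
    return ber_decode_oid(buf + h.hdr_len, h.len, out, max);
}

/* Constructed sample inputs (not taken from the page). */
const uint8_t sample_good_oid[]    = {0x06, 0x05, 0x2b, 0x06, 0x01, 0x02, 0x01}; /* 1.3.6.1.2.1 */
const uint8_t sample_len_overrun[] = {0x06, 0x07, 0x2b, 0x06, 0x01};       /* claims 7, has 3 */
const uint8_t sample_zero_oid[]    = {0x06, 0x00};                         /* empty OID */
const uint8_t sample_prim_indef[]  = {0x04, 0x80, 0x41, 0x00, 0x00};       /* OCTET STRING, indefinite */
const uint8_t sample_cons_indef[]  = {0x30, 0x80, 0x05, 0x00, 0x00, 0x00}; /* SEQUENCE, indefinite */

uint32_t demo_ids[8];

/* Decode the good sample into demo_ids; returns the subid count. */
int demo_decode_good(void)
{
    return ber_decode_oid_tlv(sample_good_oid, sizeof sample_good_oid, demo_ids, 8);
}

/* Header verdict: -1 rejected, 0 definite length, 1 indefinite length. */
int demo_hdr_status(const uint8_t *buf, size_t avail)
{
    struct ber_hdr h;
    if (!ber_decode_hdr(buf, avail, &h))
        return -1;
    return h.indefinite ? 1 : 0;
}
```

The length check is done once, on the header, before any content octet is touched; the OID decoder then only ever reads inside the bounds the header established, which is the ordering the commit's first bullet asks for.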
2008-07-20  sparc: Fix mmap VA span checking (CVE-2008-2137)  (David S. Miller; 2 files, -5/+3)
[backport of 2.6 commit 5816339310b2d9623cf413d33e538b45e815da5d]

We should not conditionalize VA range checks on MAP_FIXED.

Signed-off-by: David S. Miller <davem@davemloft.net>
[w@1wt.eu: sparc_mmap_check() does not exist in 2.4]
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-07-20  ACPI: check a return value correctly in acpi_power_get_context()  (Li Zefan; 1 file, -1/+1)
[backport of 2.6 commit a815ab8b5891f3d2515316655729272f68269e3b]

We should check *resource != NULL rather than resource != NULL, which will be always true.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Acked-by: Zhao Yakui <yakui.zhao@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-07-20  wireless, airo: waitbusy() won't delay  (Roel Kluin; 1 file, -1/+1)
[backport of 2.6 commit b7acbdfbd1f277c1eb23f344f899cfa4cd0bf36a]

There will be no delay even when COMMAND_BUSY (defined 0x8000) is set: 0x8000 & (delay < 10000) will evaluate to 0 - when delay is 0.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-07-20  fix build error with some flavours of gcc 2.95.3  (Steve Rosenbluth; 1 file, -1/+1)
This patches include/asm/processor.h

Sometime between 2.4.29 and 2.4.36.2 spaces were deleted between colons which causes compiler gcc 2.95.3 to fail to parse the header when compiling applications which include it. Adding back the spaces solves the problem on gcc 2.95.3. gcc 4.1.1 also compiles the kernel OK with this patch.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-07-20  signal.h: use an explicit cast to silent compiler warnings  (Steve Rosenbluth; 1 file, -3/+3)
This patches include/linux/signal.h

There is an implicit cast from an integer to an unsigned long (sigset_t) which causes compilers to generate warnings. Different compilers could possibly produce different code. This change has been tested over several years of use and is stable.

Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-07-20  3c980-TX needs EXTRA_PREAMBLE  (Gunnar Larisch; 1 file, -1/+1)
The ethernet card 3c980-TX needs a mdio_sync() to initialize the ethernet properly. This is forced by adding an EXTRA_PREAMBLE to its drv_flags. Without this, the driver did not reconnect after a link loss since version 2.4.29.

Signed-off-by: Gunnar Larisch <Gunnar.Larisch@gmx.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-07-20  sit: Add missing kfree_skb() on pskb_may_pull() failure (CVE-2008-2136)  (David S. Miller; 1 file, -1/+1)
[backport of 2.6 commit 36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02]

Noticed by Paul Marks <paul@pmarks.net>.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-07-20  old buffer overflow in moxa driver (CVE-2005-0504)  (dann frazier; 1 file, -2/+6)
[backport of 2.6 commit a2f72982e22b96862f8f15272732bd316d4db040]

old buffer overflow in moxa driver

I noticed that the moxa input checking security bug described by CVE-2005-0504 appears to remain unfixed upstream. The issue is described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504

Debian has been shipping the following patch from Andres Salomon.

(akpm: it's a privileged operation)

Signed-off-by: dann frazier <dannf@hp.com>
Signed-off-by: Andres Salomon <dilinger@debian.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2008-07-20  Fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)  (Al Viro; 3 files, -38/+46)
[ sync up with 2.6 commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9 ]

fcntl_setlk()/close() race prevention has a subtle hole - we need to make sure that if we *do* have an fcntl/close race on SMP box, the access to descriptor table and inode->i_flock won't get reordered.

As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs. STORE descriptor table entry, LOAD inode->i_flock with not a single lock in common on both sides. We do have BKL around the first STORE, but check in locks_remove_posix() is outside of BKL and for a good reason - we don't want BKL on common path of close(2).

Solution is to hold ->file_lock around fcheck() in there; that orders us wrt removal from descriptor table that preceded locks_remove_posix() on close path and we either come first (in which case eviction will be handled by the close side) or we'll see the effect of close and do eviction ourselves. Note that even though it's read-only access, we do need ->file_lock here - rcu_read_lock() won't be enough to order the things.

[ w@1wt.eu: this patch also includes a missing fix for an older bug affecting the same code, which was already fixed in 2.6. As of now, 2.4 is in sync with 2.6 concerning this bug. ]
2008-07-20 | Fix dnotify/close race (CVE-2008-1375) | Willy Tarreau | 1 file, -0/+12
Issue reported by Al Viro with description taken from 2.6 commit 214b7049a7929f03bbd2786aaef04b8b79db34e2:

We have a race between fcntl() and close() that can lead to dnotify_struct inserted into inode's list *after* the last descriptor had been gone from current->files. Since that's the only point where dnotify_struct gets evicted, we are screwed - it will stick around indefinitely. Even after struct file in question is gone and freed.

Worse, we can trigger send_sigio() on it at any later point, which allows sending an arbitrary signal to an arbitrary process if we manage to apply enough memory pressure to get the page that used to host that struct file and fill it with the right pattern...
2008-07-20 | intermezzo: fix uninitialized use of pointer in error path | Willy Tarreau | 1 file, -4/+6
gcc pointed out the following issue:

dcache.c: In function `presto_set_dd':
dcache.c:251: warning: `fset' might be used uninitialized in this function

fset is not yet assigned in the error path, so no operation must be done with it.
2008-07-20 | [TCP]: Fix shrinking windows with window scaling | Patrick McHardy | 1 file, -1/+5
[backported from 2.6 commit 607bfbf2d55dd1cfe5368b41c2a81a8c9ccf4723]

When selecting a new window, tcp_select_window() tries not to shrink the offered window by using the maximum of the remaining offered window size and the newly calculated window size. The newly calculated window size is always a multiple of the window scaling factor, the remaining window size however might not be since it depends on rcv_wup/rcv_nxt. This means we're effectively shrinking the window when scaling it down.

The dump below shows the problem (scaling factor 2^7):

- Window size of 557 (71296) is advertised, up to 3111907257:

IP 172.2.2.3.33000 > 172.2.2.2.33000: . ack 3111835961 win 557 <...>

- New window size of 514 (65792) is advertised, up to 3111907217, 40 bytes below the last end:

IP 172.2.2.3.33000 > 172.2.2.2.33000: . 3113575668:3113577116(1448) ack 3111841425 win 514 <...>

The number 40 results from downscaling the remaining window:

3111907257 - 3111841425 = 65832
65832 / 2^7 = 514
65832 % 2^7 = 40

If the sender uses up the entire window before it is shrunk, this can have chaotic effects on the connection. When sending ACKs, tcp_acceptable_seq() will notice that the window has been shrunk since tcp_wnd_end() is before tp->snd_nxt, which makes it choose tcp_wnd_end() as sequence number. This will fail the receiver's checks in tcp_sequence() however since it is before its tp->rcv_wup, making it respond with a dupack. If both sides are in this condition, this leads to a constant flood of ACKs until the connection times out.

Make sure the window is never shrunk by aligning the remaining window to the window scaling factor.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-20 | [PATCH] ip-pnp-dhcp: wait lazily when doing dhcp for diskless systems | Jesse Brandeburg | 1 file, -2/+2
ic_dynamic() holds the cpu too long and tasks do not have a chance to run. This causes adapters like e1000 that have the link come up in a tasklet to fail link up due to exceptionally long delays in acquiring link, and then a dhcp address.

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
2008-07-20 | usb-serial: back-port of pl2303.c from 2.6.24.1 | David Newall | 2 files, -288/+697
I experienced major major data loss on a PL-2303 USB-serial converter under 2.4.36, which I remedied by back-porting the pl2303.c from the latest 2.6 kernel tree.

Here's a new patch, which is more complete than my previous one. It's based on the 2.6.24.1. There's a lot of trivial white-space changes and some things that have been moved, which make the patch rather larger than it could be. I didn't include those changes before, but have now in order that the driver be closer to the 2.6 driver. It'll never be identical, of course.

Note, too, that the 2.6 driver (and thus the patched 2.4) includes a 1k circular buffer which rather duplicates a buffer in the 2.4 usbserial.c; 2.6's usb-serial has had that buffer removed. As the buffer resolves loss of the occasional putchar (e.g. from n_tty's opost), it is important and correct, even in 2.4.

Speaking as a user, I no longer see any problems with PL2303, and I think this is okay to release.

Cc: Greg Kroah-Hartman <greg@kroah.com>
2008-07-20 | Fix typo in acpi_boot_init | Glen Nakamura | 1 file, -1/+1
Here's a heads up on a couple of patches I submitted a few years back that seem to have been forgotten: http://marc.info/?l=linux-kernel&m=111467256405878&w=2

The following ChangeSet introduced a typo in acpi_boot_init:

ChangeSet@1.1448.1.123 2005-03-09 11:43:51-03:00 marcelo@cnet
* Early ACPI PCI quirk depends on CONFIG_X86_IO_APIC

CONFIG_X86_IOAPIC should obviously be CONFIG_X86_IO_APIC as written in the patch description above. Trivial fix below.

Signed-off-by: Glen Nakamura <glen@imodulo.com>