r1957 - in trunk/kernel/source: kernel-source-2.6.8-2.6.8/debian kernel-source-2.6.8-2.6.8/debian/patches kernel-source-2.6.8-2.6.8/debian/patches/series kernel-source-2.6.9-2.6.9/debian kernel-source-2.6.9-2.6.9/debian/patches kernel-source-2.6.9-2.6.9/debian/patches/series
Andres Salomon
dilinger-guest@haydn.debian.org
Wed, 01 Dec 2004 07:33:52 -0700
Author: dilinger-guest
Date: 2004-12-01 07:32:49 -0700 (Wed, 01 Dec 2004)
New Revision: 1957
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drm-locking-fixes.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mark-vmio.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/selinux-seqpacket-fix.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unix-serialize-dgram.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/drm-locking-fixes.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/mark-vmio.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/selinux-seqpacket-fix.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/unix-serialize-dgram.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
Log:
For both 2.6.8 and 2.6.9:
* [SECURITY] serialize dgram read using semaphore just like stream;
CAN-2004-1068 (Fabio M. Di Nitto).
* [SECURITY] Fix insufficient locking checks in DRM code;
CAN-2004-1056 (Fabio M. Di Nitto).
* [SECURITY] Fix SELinux crashes with SOCK_SEQPACKET; see
http://marc.theaimsgroup.com/?l=linux-kernel&m=110045613004761
for reference; CAN-2004-1069 (Fabio M. Di Nitto).
* [SECURITY] Fix problems in VM_IO refcount; CAN not yet assigned
(Fabio M. Di Nitto).
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-01 14:32:49 UTC (rev 1957)
@@ -1,3 +1,20 @@
+kernel-source-2.6.8 (2.6.8-11) UNRELEASED; urgency=high
+
+ * [SECURITY] serialize dgram read using semaphore just like stream;
+ CAN-2004-1068 (Fabio M. Di Nitto).
+
+ * [SECURITY] Fix insufficient locking checks in DRM code;
+ CAN-2004-1056 (Fabio M. Di Nitto).
+
+ * [SECURITY] Fix SELinux crashes with SOCK_SEQPACKET; see
+ http://marc.theaimsgroup.com/?l=linux-kernel&m=110045613004761
+ for reference; CAN-2004-1069 (Fabio M. Di Nitto).
+
+ * [SECURITY] Fix problems in VM_IO refcount; CAN not yet assigned
+ (Fabio M. Di Nitto).
+
+ -- Andres Salomon <dilinger@voxel.net> Wed, 01 Dec 2004 09:22:02 -0500
+
kernel-source-2.6.8 (2.6.8-10) unstable; urgency=high
* Fix missing backport of ssleep declaration so that new aic7xxx works.
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drm-locking-fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drm-locking-fixes.dpatch 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drm-locking-fixes.dpatch 2004-12-01 14:32:49 UTC (rev 1957)
@@ -0,0 +1,280 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix insufficient locking checks in DRM code
+## DP: Patch author: https://bugs.freedesktop.org/attachment.cgi?id=1250
+## DP: Upstream status: unknown
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i810_dma.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i810_dma.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i810_dma.c 2004-10-18 23:53:46.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i810_dma.c 2004-12-01 11:02:03.115499360 +0100
+@@ -1030,10 +1030,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -1055,10 +1052,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1090,10 +1084,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1114,10 +1105,8 @@
+
+ DRM_DEBUG("i810_swap_bufs\n");
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1152,10 +1141,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+@@ -1266,10 +1252,7 @@
+ return -EFAULT;
+
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_mc called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (mc.idx >= dma->buf_count || mc.idx < 0)
+ return -EINVAL;
+@@ -1317,10 +1300,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_fstatus called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+ return I810_READ(0x30008);
+ }
+
+@@ -1331,10 +1311,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_ov0_flip called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ //Tell the overlay to update
+ I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+@@ -1376,10 +1353,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i810_do_init_pageflip( dev );
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i830_dma.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i830_dma.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i830_dma.c 2004-10-18 23:53:12.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i830_dma.c 2004-12-01 11:02:03.116499208 +0100
+@@ -1319,10 +1319,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_flush_queue(dev);
+ return 0;
+@@ -1343,10 +1340,7 @@
+ if (copy_from_user(&vertex, (drm_i830_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1373,10 +1367,7 @@
+ if (copy_from_user(&clear, (drm_i830_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1398,10 +1389,7 @@
+
+ DRM_DEBUG("i830_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_dma_dispatch_swap( dev );
+ return 0;
+@@ -1442,10 +1430,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i830_do_init_pageflip( dev );
+@@ -1484,10 +1469,7 @@
+ if (copy_from_user(&d, (drm_i830_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i830_irq.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i830_irq.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i830_irq.c 2004-10-18 23:54:54.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i830_irq.c 2004-12-01 11:02:03.116499208 +0100
+@@ -129,10 +129,7 @@
+ drm_i830_irq_emit_t emit;
+ int result;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_irq_emit called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if ( !dev_priv ) {
+ DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i915_dma.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i915_dma.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i915_dma.c 2004-10-18 23:53:51.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i915_dma.c 2004-12-01 11:08:36.881637808 +0100
+@@ -545,10 +545,7 @@
+ {
+ DRM_DEVICE;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flush_ioctl called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_quiescent(dev);
+ }
+@@ -574,10 +571,7 @@
+ DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n",
+ batch.start, batch.used, batch.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_batchbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects,
+ batch.num_cliprects *
+@@ -606,10 +600,7 @@
+ DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n",
+ cmdbuf.buf, cmdbuf.sz, cmdbuf.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_cmdbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (cmdbuf.num_cliprects &&
+ DRM_VERIFYAREA_READ(cmdbuf.cliprects,
+@@ -645,10 +636,8 @@
+ DRM_DEVICE;
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flip_buf called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_dispatch_flip(dev);
+ }
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i915_irq.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i915_irq.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i915_irq.c 2004-10-18 23:53:51.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i915_irq.c 2004-12-01 11:03:45.342958424 +0100
+@@ -92,10 +92,7 @@
+ drm_i915_irq_emit_t emit;
+ int result;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_irq_emit called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv) {
+ DRM_ERROR("%s called with no initialization\n", __FUNCTION__);
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mark-vmio.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mark-vmio.dpatch 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mark-vmio.dpatch 2004-12-01 14:32:49 UTC (rev 1957)
@@ -0,0 +1,44 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Mark region special in remap_pfn_range.
+## DP: Patch author: Linus Torvalds
+## DP: Upstream status: unknown
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/10/21 15:23:16-07:00 torvalds@ppc970.osdl.org
+# remap_pfn_range: make the region special.
+#
+# VM_IO tells the rest fo the world that the pages may
+# have side effects on reads/writes etc, and VM_RESERVED
+# historically told swap-out not to bother with it.
+#
+# mm/memory.c
+# 2004/10/21 15:23:09-07:00 torvalds@ppc970.osdl.org +9 -0
+# remap_pfn_range: make the region special.
+#
+diff -Nru a/mm/memory.c b/mm/memory.c
+--- a/mm/memory.c 2004-11-17 19:12:55 +11:00
++++ b/mm/memory.c 2004-11-17 19:12:55 +11:00
+@@ -974,6 +974,15 @@
+ if (from >= end)
+ BUG();
+
++ /*
++ * Physically remapped pages are special. Tell the
++ * rest of the world about it:
++ * VM_IO tells people not to look at these pages
++ * (accesses can have side effects).
++ * VM_RESERVED tells swapout not to try to touch
++ * this region.
++ */
++ vma->vm_flags |= VM_IO | VM_RESERVED;
+ spin_lock(&mm->page_table_lock);
+ do {
+ pmd_t *pmd = pmd_alloc(mm, dir, from);
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/selinux-seqpacket-fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/selinux-seqpacket-fix.dpatch 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/selinux-seqpacket-fix.dpatch 2004-12-01 14:32:49 UTC (rev 1957)
@@ -0,0 +1,38 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix SELinux crashes with SOCK_SEQPACKET
+## DP: Patch author: Ross Axe <ross.axe@blueyonder.co.uk>
+## DP: Upstream status: unknown
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+
+With CONFIG_SECURITY_NETWORK=y and CONFIG_SECURITY_SELINUX=y, using
+SOCK_SEQPACKET unix domain sockets causes an oops in the superfluous(?)
+call to security_unix_may_send in sock_dgram_sendmsg. This patch avoids
+making this call for SOCK_SEQPACKET sockets.
+
+
+Signed-off-by: Ross Axe <ross.axe@blueyonder.co.uk>
+
+diff -urNad linux-source-2.6.9-2.6.9/net/unix/af_unix.c /tmp/dpep.JmX4rP/linux-source-2.6.9-2.6.9/net/unix/af_unix.c
+--- linux-source-2.6.9-2.6.9/net/unix/af_unix.c 2004-10-18 23:54:37.000000000 +0200
++++ /tmp/dpep.JmX4rP/linux-source-2.6.9-2.6.9/net/unix/af_unix.c 2004-12-01 10:46:38.572051328 +0100
+@@ -1365,9 +1365,11 @@
+ if (other->sk_shutdown & RCV_SHUTDOWN)
+ goto out_unlock;
+
+- err = security_unix_may_send(sk->sk_socket, other->sk_socket);
+- if (err)
+- goto out_unlock;
++ if (sk->sk_type != SOCK_SEQPACKET) {
++ err = security_unix_may_send(sk->sk_socket, other->sk_socket);
++ if (err)
++ goto out_unlock;
++ }
+
+ if (unix_peer(other) != sk &&
+ (skb_queue_len(&other->sk_receive_queue) >
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-01 14:32:49 UTC (rev 1957)
@@ -0,0 +1,4 @@
++ drm-locking-fixes.dpatch
++ selinux-seqpacket-fix.dpatch
++ mark-vmio.dpatch
++ unix-serialize-dgram.dpatch
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unix-serialize-dgram.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unix-serialize-dgram.dpatch 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unix-serialize-dgram.dpatch 2004-12-01 14:32:49 UTC (rev 1957)
@@ -0,0 +1,48 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Serialize dgram read using semaphore just like stream.
+## DP: Patch author: David S. Miller <davem@davemloft.net>
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/15 14:04:37-08:00 davem@nuts.davemloft.net
+# [AF_UNIX]: Serialize dgram read using semaphore just like stream.
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/unix/af_unix.c
+# 2004/11/15 14:03:52-08:00 davem@nuts.davemloft.net +5 -1
+# [AF_UNIX]: Serialize dgram read using semaphore just like stream.
+#
+diff -Nru a/net/unix/af_unix.c b/net/unix/af_unix.c
+--- a/net/unix/af_unix.c 2004-12-01 03:02:59 -08:00
++++ b/net/unix/af_unix.c 2004-12-01 03:02:59 -08:00
+@@ -1535,9 +1535,11 @@
+
+ msg->msg_namelen = 0;
+
++ down(&u->readsem);
++
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb)
+- goto out;
++ goto out_unlock;
+
+ wake_up_interruptible(&u->peer_wait);
+
+@@ -1587,6 +1589,8 @@
+
+ out_free:
+ skb_free_datagram(sk,skb);
++out_unlock:
++ up(&u->readsem);
+ out:
+ return err;
+ }
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-01 14:32:49 UTC (rev 1957)
@@ -5,6 +5,19 @@
* Yank fixed debian/apply from kernel-source-2.6.8. (Joshua Kwan)
+ * [SECURITY] serialize dgram read using semaphore just like stream;
+ CAN-2004-1068 (Fabio M. Di Nitto).
+
+ * [SECURITY] Fix insufficient locking checks in DRM code;
+ CAN-2004-1056 (Fabio M. Di Nitto).
+
+ * [SECURITY] Fix SELinux crashes with SOCK_SEQPACKET; see
+ http://marc.theaimsgroup.com/?l=linux-kernel&m=110045613004761
+ for reference; CAN-2004-1069 (Fabio M. Di Nitto).
+
+ * [SECURITY] Fix problems in VM_IO refcount; CAN not yet assigned
+ (Fabio M. Di Nitto).
+
-- Joshua Kwan <joshk@triplehelix.org> Sat, 27 Nov 2004 16:07:47 -0800
kernel-source-2.6.9 (2.6.9-3) unstable; urgency=low
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/drm-locking-fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/drm-locking-fixes.dpatch 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/drm-locking-fixes.dpatch 2004-12-01 14:32:49 UTC (rev 1957)
@@ -0,0 +1,280 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix insufficient locking checks in DRM code
+## DP: Patch author: https://bugs.freedesktop.org/attachment.cgi?id=1250
+## DP: Upstream status: unknown
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i810_dma.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i810_dma.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i810_dma.c 2004-10-18 23:53:46.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i810_dma.c 2004-12-01 11:02:03.115499360 +0100
+@@ -1030,10 +1030,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -1055,10 +1052,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1090,10 +1084,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1114,10 +1105,8 @@
+
+ DRM_DEBUG("i810_swap_bufs\n");
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1152,10 +1141,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+@@ -1266,10 +1252,7 @@
+ return -EFAULT;
+
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_mc called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (mc.idx >= dma->buf_count || mc.idx < 0)
+ return -EINVAL;
+@@ -1317,10 +1300,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_fstatus called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+ return I810_READ(0x30008);
+ }
+
+@@ -1331,10 +1311,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_ov0_flip called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ //Tell the overlay to update
+ I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+@@ -1376,10 +1353,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i810_do_init_pageflip( dev );
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i830_dma.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i830_dma.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i830_dma.c 2004-10-18 23:53:12.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i830_dma.c 2004-12-01 11:02:03.116499208 +0100
+@@ -1319,10 +1319,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_flush_queue(dev);
+ return 0;
+@@ -1343,10 +1340,7 @@
+ if (copy_from_user(&vertex, (drm_i830_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1373,10 +1367,7 @@
+ if (copy_from_user(&clear, (drm_i830_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1398,10 +1389,7 @@
+
+ DRM_DEBUG("i830_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_dma_dispatch_swap( dev );
+ return 0;
+@@ -1442,10 +1430,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i830_do_init_pageflip( dev );
+@@ -1484,10 +1469,7 @@
+ if (copy_from_user(&d, (drm_i830_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i830_irq.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i830_irq.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i830_irq.c 2004-10-18 23:54:54.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i830_irq.c 2004-12-01 11:02:03.116499208 +0100
+@@ -129,10 +129,7 @@
+ drm_i830_irq_emit_t emit;
+ int result;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_irq_emit called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if ( !dev_priv ) {
+ DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i915_dma.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i915_dma.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i915_dma.c 2004-10-18 23:53:51.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i915_dma.c 2004-12-01 11:08:36.881637808 +0100
+@@ -545,10 +545,7 @@
+ {
+ DRM_DEVICE;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flush_ioctl called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_quiescent(dev);
+ }
+@@ -574,10 +571,7 @@
+ DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n",
+ batch.start, batch.used, batch.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_batchbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects,
+ batch.num_cliprects *
+@@ -606,10 +600,7 @@
+ DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n",
+ cmdbuf.buf, cmdbuf.sz, cmdbuf.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_cmdbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (cmdbuf.num_cliprects &&
+ DRM_VERIFYAREA_READ(cmdbuf.cliprects,
+@@ -645,10 +636,8 @@
+ DRM_DEVICE;
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flip_buf called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_dispatch_flip(dev);
+ }
+diff -urNad linux-source-2.6.9-2.6.9/drivers/char/drm/i915_irq.c /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i915_irq.c
+--- linux-source-2.6.9-2.6.9/drivers/char/drm/i915_irq.c 2004-10-18 23:53:51.000000000 +0200
++++ /tmp/dpep.C9szyr/linux-source-2.6.9-2.6.9/drivers/char/drm/i915_irq.c 2004-12-01 11:03:45.342958424 +0100
+@@ -92,10 +92,7 @@
+ drm_i915_irq_emit_t emit;
+ int result;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_irq_emit called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv) {
+ DRM_ERROR("%s called with no initialization\n", __FUNCTION__);
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/mark-vmio.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/mark-vmio.dpatch 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/mark-vmio.dpatch 2004-12-01 14:32:49 UTC (rev 1957)
@@ -0,0 +1,44 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Mark region special in remap_pfn_range.
+## DP: Patch author: Linus Torvalds
+## DP: Upstream status: unknown
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/10/21 15:23:16-07:00 torvalds@ppc970.osdl.org
+# remap_pfn_range: make the region special.
+#
+# VM_IO tells the rest fo the world that the pages may
+# have side effects on reads/writes etc, and VM_RESERVED
+# historically told swap-out not to bother with it.
+#
+# mm/memory.c
+# 2004/10/21 15:23:09-07:00 torvalds@ppc970.osdl.org +9 -0
+# remap_pfn_range: make the region special.
+#
+diff -Nru a/mm/memory.c b/mm/memory.c
+--- a/mm/memory.c 2004-11-17 19:12:55 +11:00
++++ b/mm/memory.c 2004-11-17 19:12:55 +11:00
+@@ -974,6 +974,15 @@
+ if (from >= end)
+ BUG();
+
++ /*
++ * Physically remapped pages are special. Tell the
++ * rest of the world about it:
++ * VM_IO tells people not to look at these pages
++ * (accesses can have side effects).
++ * VM_RESERVED tells swapout not to try to touch
++ * this region.
++ */
++ vma->vm_flags |= VM_IO | VM_RESERVED;
+ spin_lock(&mm->page_table_lock);
+ do {
+ pmd_t *pmd = pmd_alloc(mm, dir, from);
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/selinux-seqpacket-fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/selinux-seqpacket-fix.dpatch 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/selinux-seqpacket-fix.dpatch 2004-12-01 14:32:49 UTC (rev 1957)
@@ -0,0 +1,38 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix SELinux crashes with SOCK_SEQPACKET
+## DP: Patch author: Ross Axe <ross.axe@blueyonder.co.uk>
+## DP: Upstream status: unknown
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+
+With CONFIG_SECURITY_NETWORK=y and CONFIG_SECURITY_SELINUX=y, using
+SOCK_SEQPACKET unix domain sockets causes an oops in the superfluous(?)
+call to security_unix_may_send in sock_dgram_sendmsg. This patch avoids
+making this call for SOCK_SEQPACKET sockets.
+
+
+Signed-off-by: Ross Axe <ross.axe@blueyonder.co.uk>
+
+diff -urNad linux-source-2.6.9-2.6.9/net/unix/af_unix.c /tmp/dpep.JmX4rP/linux-source-2.6.9-2.6.9/net/unix/af_unix.c
+--- linux-source-2.6.9-2.6.9/net/unix/af_unix.c 2004-10-18 23:54:37.000000000 +0200
++++ /tmp/dpep.JmX4rP/linux-source-2.6.9-2.6.9/net/unix/af_unix.c 2004-12-01 10:46:38.572051328 +0100
+@@ -1365,9 +1365,11 @@
+ if (other->sk_shutdown & RCV_SHUTDOWN)
+ goto out_unlock;
+
+- err = security_unix_may_send(sk->sk_socket, other->sk_socket);
+- if (err)
+- goto out_unlock;
++ if (sk->sk_type != SOCK_SEQPACKET) {
++ err = security_unix_may_send(sk->sk_socket, other->sk_socket);
++ if (err)
++ goto out_unlock;
++ }
+
+ if (unix_peer(other) != sk &&
+ (skb_queue_len(&other->sk_receive_queue) >
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-01 14:32:49 UTC (rev 1957)
@@ -1 +1,5 @@
+ fb_get_option-fix.diff
++ drm-locking-fixes.dpatch
++ selinux-seqpacket-fix.dpatch
++ mark-vmio.dpatch
++ unix-serialize-dgram.dpatch
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/unix-serialize-dgram.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/unix-serialize-dgram.dpatch 2004-12-01 12:45:04 UTC (rev 1956)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/unix-serialize-dgram.dpatch 2004-12-01 14:32:49 UTC (rev 1957)
@@ -0,0 +1,48 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Serialize dgram read using semaphore just like stream.
+## DP: Patch author: David S. Miller <davem@davemloft.net>
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/15 14:04:37-08:00 davem@nuts.davemloft.net
+# [AF_UNIX]: Serialize dgram read using semaphore just like stream.
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/unix/af_unix.c
+# 2004/11/15 14:03:52-08:00 davem@nuts.davemloft.net +5 -1
+# [AF_UNIX]: Serialize dgram read using semaphore just like stream.
+#
+diff -Nru a/net/unix/af_unix.c b/net/unix/af_unix.c
+--- a/net/unix/af_unix.c 2004-12-01 03:02:59 -08:00
++++ b/net/unix/af_unix.c 2004-12-01 03:02:59 -08:00
+@@ -1535,9 +1535,11 @@
+
+ msg->msg_namelen = 0;
+
++ down(&u->readsem);
++
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb)
+- goto out;
++ goto out_unlock;
+
+ wake_up_interruptible(&u->peer_wait);
+
+@@ -1587,6 +1589,8 @@
+
+ out_free:
+ skb_free_datagram(sk,skb);
++out_unlock:
++ up(&u->readsem);
+ out:
+ return err;
+ }