r3674 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at costa.debian.org
Tue Aug 2 07:45:27 UTC 2005


Author: dannf
Date: 2005-08-02 07:45:25 +0000 (Tue, 02 Aug 2005)
New Revision: 3674

Added:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/early-vlan-fix.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipsec-array-overflow.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-NAT-memory-corruption.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-deadlock-ip6_queue.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-ip_conntrack_untracked-refcount.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powernow-dual-core-amd-oops.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/rocket_c-fix-ldisc-ref-count.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sys_get_thread_area-leak.dpatch
Modified:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
Log:
Merge in applicable fixes from post-2.6.12.3 stable-queue


Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-08-02 07:45:25 UTC (rev 3674)
@@ -160,14 +160,25 @@
     there is some value in being able to use it with unstable.
     (Simon Horman)
 
-  [ dann frazier ]
   * Merge in applicable fixes from 2.6.12.3
-    - ppc32-time_offset-misuse.dpatch
-    - v4l-cx88-hue-offset-fix.dpatch
-    - tty_ldisc_ref-return-null-check.dpatch
+     - ppc32-time_offset-misuse.dpatch
+     - v4l-cx88-hue-offset-fix.dpatch
+     - tty_ldisc_ref-return-null-check.dpatch
+    (dann frazier)
 
- -- dann frazier <dannf at debian.org>  Mon,  1 Aug 2005 22:28:59 -0600
+  * Merge in applicable fixes from stable-queue
+     - netfilter-NAT-memory-corruption.dpatch
+     - netfilter-deadlock-ip6_queue.dpatch
+     - ipsec-array-overflow.dpatch
+     - netfilter-ip_conntrack_untracked-refcount.dpatch
+     - sys_get_thread_area-leak.dpatch
+     - rocket_c-fix-ldisc-ref-count.dpatch
+     - powernow-dual-core-amd-oops.dpatch
+     - early-vlan-fix.dpatch
+    (dann frazier)
 
+ -- dann frazier <dannf at debian.org>  Tue,  2 Aug 2005 01:33:54 -0600
+
 kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
 
   * smbfs-overrun.dpatch:
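
Review bot: the new "Merge in applicable fixes from stable-queue" entry lists eight patch file names with no description of what each one fixes, so a reader of the changelog cannot tell that several of them (ipsec-array-overflow, netfilter-NAT-memory-corruption, sys_get_thread_area-leak) are memory-safety or information-leak fixes. The next entry down (`* smbfs-overrun.dpatch:`) uses a per-patch heading; consider a one-line summary per patch here, taken from each dpatch's `## DP: Description:` line. Minor: the sub-item indent in the re-added 2.6.12.3 lines changed from four to five spaces, which makes the diff noisier than the attribution change requires.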

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/early-vlan-fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/early-vlan-fix.dpatch	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/early-vlan-fix.dpatch	2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,55 @@
+#! /bin/sh -e 
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix early vlan adding leads to not functional device
+## DP: Patch author: Daniel Drake <dsd at gentoo.org>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org  Sat Jul 30 13:24:53 2005
+Date: Sat, 30 Jul 2005 21:25:10 +0100
+From: Daniel Drake <dsd at gentoo.org>
+To: stable at kernel.org
+Cc: tommy.christensen at tpack.net
+Subject: [PATCH][VLAN]: Fix early vlan adding leads to not functional device
+
+From: Tommy Christensen <tommy.christensen at tpack.net>
+X-Git-Url: http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f4637b55ba960d9987a836617271659e9b7b0de8
+
+[VLAN]: Fix early vlan adding leads to not functional device
+
+OK, I can see what's happening here. eth0 doesn't detect link-up until
+after a few seconds, so when the vlan interface is opened immediately
+after eth0 has been opened, it inherits the link-down state. Subsequently
+the vlan interface is never properly activated and are thus unable to
+transmit any packets.
+
+dev->state bits are not supposed to be manipulated directly. Something
+similar is probably needed for the netif_device_present() bit, although
+I don't know how this is meant to work for a virtual device.
+  
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -578,6 +578,14 @@ static int vlan_device_event(struct noti
+ 			if (!vlandev)
+ 				continue;
+ 
++			if (netif_carrier_ok(dev)) {
++				if (!netif_carrier_ok(vlandev))
++					netif_carrier_on(vlandev);
++			} else {
++				if (netif_carrier_ok(vlandev))
++					netif_carrier_off(vlandev);
++			}
++
+ 			if ((vlandev->state & VLAN_LINK_STATE_MASK) != flgs) {
+ 				vlandev->state = (vlandev->state &~ VLAN_LINK_STATE_MASK) 
+ 					| flgs;
+
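
Review bot: the `## DP: Patch author:` line credits Daniel Drake, but the embedded mail carries `From: Tommy Christensen` for the change itself and Drake appears only as the sender to the stable list; the DP header should name Christensen. The first header line is also still the unfilled dpatch template (`## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>`), and the same line recurs in every dpatch added in this revision. On the code: the message says `dev->state` bits are not supposed to be manipulated directly, yet the context right after the added block still assigns `vlandev->state` by hand, and the message leaves the `netif_device_present()` case open, so the description should record that this is a partial fix covering carrier state only.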

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipsec-array-overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipsec-array-overflow.dpatch	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipsec-array-overflow.dpatch	2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,43 @@
+#! /bin/sh -e 
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix possible overflow of sock->sk_policy
+## DP: Patch author: "David S. Miller" <davem at davemloft.net>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org  Tue Jul 26 16:40:13 2005
+Date: Tue, 26 Jul 2005 16:40:31 -0700 (PDT)
+To: stable at kernel.org
+From: "David S. Miller" <davem at davemloft.net>
+Subject: [PATCH][XFRM]: Fix possible overflow of sock->sk_policy
+
+From: Herbert Xu <herbert at gondor.apana.org.au>
+
+[XFRM]: Fix possible overflow of sock->sk_policy
+
+Spotted by, and original patch by, Balazs Scheidler.
+
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/xfrm/xfrm_user.c |    3 +++
+ 1 files changed, 3 insertions(+)
+
+--- linux-2.6.12.3.orig/net/xfrm/xfrm_user.c	2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/xfrm/xfrm_user.c	2005-07-28 11:17:18.000000000 -0700
+@@ -1180,6 +1180,9 @@
+ 	if (nr > XFRM_MAX_DEPTH)
+ 		return NULL;
+ 
++	if (p->dir > XFRM_POLICY_OUT)
++		return NULL;
++
+ 	xp = xfrm_policy_alloc(GFP_KERNEL);
+ 	if (xp == NULL) {
+ 		*dir = -ENOBUFS;
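
Review bot: the added `p->dir > XFRM_POLICY_OUT` branch returns NULL without writing `*dir`, while the allocation-failure path just below sets `*dir = -ENOBUFS` before returning; unless an error code has already been stored in `*dir` earlier in the function (not visible in this hunk), the caller has no errno to report for a rejected direction. The test is also an upper bound only, so it relies on `p->dir` being an unsigned field. Both points are worth a sentence in the description, which currently says nothing beyond the subject line about how `p->dir` reaches `sk_policy`.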

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-NAT-memory-corruption.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-NAT-memory-corruption.dpatch	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-NAT-memory-corruption.dpatch	2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,57 @@
+#! /bin/sh -e 
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix potential memory corruption in NAT code (aka memory NAT)
+## DP: Patch author: Patrick McHardy <kaber at trash.net>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org  Fri Jul 22 00:35:55 2005
+Date: Fri, 22 Jul 2005 09:35:43 +0200
+From: Patrick McHardy <kaber at trash.net>
+To: "David S. Miller" <davem at davemloft.net>
+Cc: Netfilter Development Mailinglist <netfilter-devel at lists.netfilter.org>,
+        stable at kernel.org
+Subject: [PATCH][NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
+
+[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
+
+The portptr pointing to the port in the conntrack tuple is declared static,
+which could result in memory corruption when two packets of the same
+protocol are NATed at the same time and one conntrack goes away.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/ipv4/netfilter/ip_nat_proto_tcp.c |    3 ++-
+ net/ipv4/netfilter/ip_nat_proto_udp.c |    3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_tcp.c	2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_tcp.c	2005-07-28 11:17:15.000000000 -0700
+@@ -40,7 +40,8 @@
+ 		 enum ip_nat_manip_type maniptype,
+ 		 const struct ip_conntrack *conntrack)
+ {
+-	static u_int16_t port, *portptr;
++	static u_int16_t port;
++	u_int16_t *portptr;
+ 	unsigned int range_size, min, i;
+ 
+ 	if (maniptype == IP_NAT_MANIP_SRC)
+--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_udp.c	2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_udp.c	2005-07-28 11:17:15.000000000 -0700
+@@ -41,7 +41,8 @@
+ 		 enum ip_nat_manip_type maniptype,
+ 		 const struct ip_conntrack *conntrack)
+ {
+-	static u_int16_t port, *portptr;
++	static u_int16_t port;
++	u_int16_t *portptr;
+ 	unsigned int range_size, min, i;
+ 
+ 	if (maniptype == IP_NAT_MANIP_SRC)
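
Review bot: both hunks leave `port` declared `static` while making `portptr` automatic, so the function still keeps state that is shared between concurrent callers. If that is intentional, a one-line comment on `static u_int16_t port;` in ip_nat_proto_tcp.c and ip_nat_proto_udp.c saying so, and saying whether unsynchronized updates to it are acceptable, would stop a later change from either removing the `static` or reintroducing a static pointer beside it.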

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-deadlock-ip6_queue.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-deadlock-ip6_queue.dpatch	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-deadlock-ip6_queue.dpatch	2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,42 @@
+#! /bin/sh -e 
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix deadlock in ip6_queue
+## DP: Patch author: Patrick McHardy <kaber at trash.net>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org  Fri Jul 22 00:35:49 2005
+Date: Fri, 22 Jul 2005 09:35:34 +0200
+From: Patrick McHardy <kaber at trash.net>
+To: "David S. Miller" <davem at davemloft.net>
+Cc: Netfilter Development Mailinglist <netfilter-devel at lists.netfilter.org>,
+        stable at kernel.org
+Subject: [PATCH] [NETFILTER]: Fix deadlock in ip6_queue
+
+[NETFILTER]: Fix deadlock in ip6_queue
+
+Already fixed in ip_queue, ip6_queue was missed.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/ipv6/netfilter/ip6_queue.c |    2 ++
+ 1 files changed, 2 insertions(+)
+
+--- linux-2.6.12.3.orig/net/ipv6/netfilter/ip6_queue.c	2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/ipv6/netfilter/ip6_queue.c	2005-07-28 11:17:13.000000000 -0700
+@@ -76,7 +76,9 @@
+ static void
+ ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
+ {
++	local_bh_disable();
+ 	nf_reinject(entry->skb, entry->info, verdict);
++	local_bh_enable();
+ 	kfree(entry);
+ }
+ 
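
Review bot: `local_bh_disable()` and `local_bh_enable()` around `nf_reinject()` in `ipq_issue_verdict()` go in without a comment, and the message only says "Already fixed in ip_queue, ip6_queue was missed", so neither the code nor the dpatch records which lock deadlocks or in which context. Suggest a short comment above `local_bh_disable();` naming the lock, and a reference in the `## DP:` header to the ip_queue fix so it can be confirmed that the IPv4 counterpart is already present in this 2.6.8 tree.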

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-ip_conntrack_untracked-refcount.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-ip_conntrack_untracked-refcount.dpatch	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-ip_conntrack_untracked-refcount.dpatch	2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,43 @@
+#! /bin/sh -e 
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH][NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+## DP: Patch author: Patrick McHardy <kaber at trash.net>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org  Fri Jul 22 00:35:58 2005
+Date: Fri, 22 Jul 2005 09:35:51 +0200
+From: Patrick McHardy <kaber at trash.net>
+User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050602)
+To: "David S. Miller" <davem at davemloft.net>
+Cc: Netfilter Development Mailinglist <netfilter-devel at lists.netfilter.org>,
+        stable at kernel.org
+Subject: [PATCH][NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+
+[NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+
+Fixes a crash when unloading ip_conntrack.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/ipv4/netfilter/ip_conntrack_core.c |    3 +++
+ 1 files changed, 3 insertions(+)
+
+--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_conntrack_core.c	2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/ipv4/netfilter/ip_conntrack_core.c	2005-07-28 11:17:16.000000000 -0700
+@@ -1124,6 +1124,9 @@
+ 		schedule();
+ 		goto i_see_dead_people;
+ 	}
++	/* wait until all references to ip_conntrack_untracked are dropped */
++	while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
++		schedule();
+ 
+ 	kmem_cache_destroy(ip_conntrack_cachep);
+ 	kmem_cache_destroy(ip_conntrack_expect_cachep);
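
Review bot: the added `while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1) schedule();` loop has no bound, so a single leaked reference to `ip_conntrack_untracked` turns the unload crash this fixes into an unload that never completes. That matches the style of the `goto i_see_dead_people` retry just above, but the threshold deserves a word in the comment: state what the remaining count of 1 represents, so that `> 1` is not read as an off-by-one.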

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powernow-dual-core-amd-oops.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powernow-dual-core-amd-oops.dpatch	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powernow-dual-core-amd-oops.dpatch	2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,75 @@
+#! /bin/sh -e 
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix powernow oops on dual-core athlon
+## DP: Patch author: Daniel Drake <dsd at gentoo.org>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org  Sat Jul 30 13:30:11 2005
+Date: Sat, 30 Jul 2005 21:30:30 +0100
+From: Daniel Drake <dsd at gentoo.org>
+To: stable at kernel.org
+Cc: davej at redhat.com
+Subject: [PATCH] Fix powernow oops on dual-core athlon
+
+From: Dave Jones <davej at redhat.com>
+Date: Thu, 28 Jul 2005 16:38:21 +0000 (-0700)
+Subject: powernow-k8 requires that a data structure for
+X-Git-Tag: v2.6.13-rc4
+X-Git-Url: http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=03938c3f1062b0f279a0ef937a471d4db83702ed
+
+powernow-k8 requires that a data structure for
+each core be created in the _cpu_init function
+call.  The cpufreq infrastructure doesn't call
+_cpu_init for the second core in each processor.
+Some systems crashed when _get was called with
+an odd-numbered core because it tried to
+dereference a NULL pointer since the data
+structure had not been created.
+
+The attached patch solves the problem by
+initializing data structures for all shared
+cores in the _cpu_init function.  It should
+apply to 2.6.12-rc6 and has been tested by
+AMD and Sun.
+
+Signed-off-by: Mark Langsdorf <mark.langsdorf at amd.com>
+Signed-off-by: Dave Jones <davej at redhat.com>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+
+--- a/arch/i386/kernel/cpu/cpufreq/powernow-k8.c
++++ b/arch/i386/kernel/cpu/cpufreq/powernow-k8.c
+@@ -44,7 +44,7 @@
+ 
+ #define PFX "powernow-k8: "
+ #define BFX PFX "BIOS error: "
+-#define VERSION "version 1.00.09b"
++#define VERSION "version 1.00.09b.debian1"
+ #include "powernow-k8.h"
+ 
+ /* serialize freq changes  */
+@@ -978,7 +978,7 @@ static int __init powernowk8_cpu_init(st
+ {
+ 	struct powernow_k8_data *data;
+ 	cpumask_t oldmask = CPU_MASK_ALL;
+-	int rc;
++	int rc, i;
+ 
+ 	if (!check_supported_cpu(pol->cpu))
+ 		return -ENODEV;
+@@ -1064,7 +1064,9 @@ static int __init powernowk8_cpu_init(st
+ 	printk("cpu_init done, current fid 0x%x, vid 0x%x\n",
+ 	       data->currfid, data->currvid);
+ 
+-	powernow_data[pol->cpu] = data;
++	for_each_cpu_mask(i, cpu_core_map[pol->cpu]) {
++		powernow_data[i] = data;
++	}
+ 
+ 	return 0;
+ 
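
Review bot: after the last hunk every entry selected by `cpu_core_map[pol->cpu]` aliases the same `data` pointer, but none of the three hunks touches the teardown path, so check that the exit routine clears all of those `powernow_data[i]` slots when it frees `data`; otherwise sibling cores are left with a dangling pointer. Two metadata points: the `VERSION` string becomes "version 1.00.09b.debian1", a local change that sits oddly with `## DP: Upstream status: upstream` and should be mentioned in the description, and `## DP: Patch author:` names Daniel Drake although the embedded mail shows `From: Dave Jones` with the first sign-off from Mark Langsdorf. The message says the patch "should apply to 2.6.12-rc6", so also confirm that `cpu_core_map` and `for_each_cpu_mask` exist in the 2.6.8 tree this series targets.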

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/rocket_c-fix-ldisc-ref-count.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/rocket_c-fix-ldisc-ref-count.dpatch	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/rocket_c-fix-ldisc-ref-count.dpatch	2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,51 @@
+#! /bin/sh -e 
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: rocket.c: Fix ldisc ref count handling
+## DP: Patch author: Michal Ostrowski <mostrows at watson.ibm.com>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org  Thu Jul 14 16:54:10 2005
+To: stable at kernel.org
+From: akpm at osdl.org
+Date: Thu, 14 Jul 2005 16:46:26 -0700
+Cc: akpm at osdl.org, mostrows at watson.ibm.com
+Subject: [patch] rocket.c: Fix ldisc ref count handling
+
+From: Michal Ostrowski <mostrows at watson.ibm.com>
+
+If bailing out because there is nothing to receive in rp_do_receive(),
+tty_ldisc_deref is not called.  Failure to do so increases the ref count=20
+and causes release_dev() to hang since it can't get the ref count to 0.
+
+Signed-off-by: Michal Ostrowski <mostrows at watson.ibm.com>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/char/rocket.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.12.3.orig/drivers/char/rocket.c	2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/drivers/char/rocket.c	2005-07-28 11:17:09.000000000 -0700
+@@ -277,7 +277,7 @@
+ 		ToRecv = space;
+ 
+ 	if (ToRecv <= 0)
+-		return;
++		goto done;
+ 
+ 	/*
+ 	 * if status indicates there are errored characters in the
+@@ -359,6 +359,7 @@
+ 	}
+ 	/*  Push the data up to the tty layer */
+ 	ld->receive_buf(tty, tty->flip.char_buf, tty->flip.flag_buf, count);
++done:
+ 	tty_ldisc_deref(ld);
+ }
+ 
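
Review bot: the `goto done` conversion covers only the `ToRecv <= 0` exit in the first hunk; the code between the two hunks is not shown, so confirm there is no other bare `return` in `rp_do_receive()` that still skips `tty_ldisc_deref(ld)`. The embedded message also carries quoted-printable residue ("ref count=20"), which is worth cleaning up the next time the dpatch is touched.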

Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17	2005-08-02 07:45:25 UTC (rev 3674)
@@ -34,3 +34,11 @@
 + ppc32-time_offset-misuse.dpatch
 + v4l-cx88-hue-offset-fix.dpatch
 + tty_ldisc_ref-return-null-check.dpatch
++ netfilter-NAT-memory-corruption.dpatch
++ netfilter-deadlock-ip6_queue.dpatch
++ ipsec-array-overflow.dpatch
++ netfilter-ip_conntrack_untracked-refcount.dpatch
++ sys_get_thread_area-leak.dpatch
++ rocket_c-fix-ldisc-ref-count.dpatch
++ powernow-dual-core-amd-oops.dpatch
++ early-vlan-fix.dpatch
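
Review bot: these eight additions come from diffs taken against `linux-2.6.12.3` and `vanilla-linux-2.6.12` trees and are appended to a 2.6.8 series, but nothing in the dpatch headers records whether each one applied to 2.6.8 cleanly or with offset or fuzz. A line in each `## DP:` block, or in the changelog, stating that would make later audits of the backport easier. The order here matches the changelog entry.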

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sys_get_thread_area-leak.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sys_get_thread_area-leak.dpatch	2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sys_get_thread_area-leak.dpatch	2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,47 @@
+#! /bin/sh -e 
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: sys_get_thread_area does not clear the returned argument
+## DP: Patch author: Blaisorblade <blaisorblade at yahoo.it>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org  Sat Jul 30 12:02:54 2005
+To: stable at kernel.org
+From: blaisorblade at yahoo.it
+Date: Sat, 30 Jul 2005 21:07:02 +0200
+Cc: blaisorblade at yahoo.it, linux-kernel at vger.kernel.org
+Subject: [patch] sys_get_thread_area does not clear the returned argument
+
+From: Blaisorblade <blaisorblade at yahoo.it>
+CC: <stable at kernel.org>
+
+sys_get_thread_area does not memset to 0 its struct user_desc info before
+copying it to user space...  since sizeof(struct user_desc) is 16 while the
+actual datas which are filled are only 12 bytes + 9 bits (across the
+bitfields), there is a (small) information leak.
+
+This was already committed to Linus' repository.
+
+Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade at yahoo.it>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+
+ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c |    2 ++
+ 1 files changed, 2 insertions(+)
+
+diff -puN arch/i386/kernel/process.c~sec-micro-info-leak arch/i386/kernel/process.c
+--- vanilla-linux-2.6.12/arch/i386/kernel/process.c~sec-micro-info-leak	2005-07-28 21:19:26.000000000 +0200
++++ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c	2005-07-28 21:19:26.000000000 +0200
+@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struc
+ 	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
+ 		return -EINVAL;
+ 
++	memset(&info, 0, sizeof(info));
++
+ 	desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
+ 
+ 	info.entry_number = idx;
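
Review bot: the `memset(&info, 0, sizeof(info));` is correctly placed before any field of `info` is filled, but the diffstat covers only arch/i386/kernel/process.c; if other architectures in this tree carry their own copy of this syscall (for example a 32-bit compatibility path), they need the same check for an uncleared `struct user_desc`. Since the message itself calls this an information leak, the `## DP: Description:` line and the changelog entry should say so rather than only "does not clear the returned argument".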



