r3674 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at costa.debian.org
Tue Aug 2 07:45:27 UTC 2005
Author: dannf
Date: 2005-08-02 07:45:25 +0000 (Tue, 02 Aug 2005)
New Revision: 3674
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/early-vlan-fix.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipsec-array-overflow.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-NAT-memory-corruption.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-deadlock-ip6_queue.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-ip_conntrack_untracked-refcount.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powernow-dual-core-amd-oops.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/rocket_c-fix-ldisc-ref-count.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sys_get_thread_area-leak.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
Log:
Merge in applicable fixes from post-2.6.12.3 stable-queue
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-08-02 07:45:25 UTC (rev 3674)
@@ -160,14 +160,25 @@
there is some value in being able to use it with unstable.
(Simon Horman)
- [ dann frazier ]
* Merge in applicable fixes from 2.6.12.3
- - ppc32-time_offset-misuse.dpatch
- - v4l-cx88-hue-offset-fix.dpatch
- - tty_ldisc_ref-return-null-check.dpatch
+ - ppc32-time_offset-misuse.dpatch
+ - v4l-cx88-hue-offset-fix.dpatch
+ - tty_ldisc_ref-return-null-check.dpatch
+ (dann frazier)
- -- dann frazier <dannf at debian.org> Mon, 1 Aug 2005 22:28:59 -0600
+ * Merge in applicable fixes from stable-queue
+ - netfilter-NAT-memory-corruption.dpatch
+ - netfilter-deadlock-ip6_queue.dpatch
+ - ipsec-array-overflow.dpatch
+ - netfilter-ip_conntrack_untracked-refcount.dpatch
+ - sys_get_thread_area-leak.dpatch
+ - rocket_c-fix-ldisc-ref-count.dpatch
+ - powernow-dual-core-amd-oops.dpatch
+ - early-vlan-fix.dpatch
+ (dann frazier)
+ -- dann frazier <dannf at debian.org> Tue, 2 Aug 2005 01:33:54 -0600
+
kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
* smbfs-overrun.dpatch:
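Review bot: the new "Merge in applicable fixes from stable-queue" entry lists bare patch file names, so the changelog alone does not tell a reader that ipsec-array-overflow.dpatch, netfilter-NAT-memory-corruption.dpatch and sys_get_thread_area-leak.dpatch address an overflow, memory corruption and an information leak, as their "DP: Description" lines in this same revision state. Suggest a one-line description after each file name, at least for those three. The hunk also replaces the "[ dann frazier ]" heading with "(dann frazier)" trailers; check that this matches the attribution style used by the other entries in the file.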
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/early-vlan-fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/early-vlan-fix.dpatch 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/early-vlan-fix.dpatch 2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,55 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix early vlan adding leads to not functional device
+## DP: Patch author: Daniel Drake <dsd at gentoo.org>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org Sat Jul 30 13:24:53 2005
+Date: Sat, 30 Jul 2005 21:25:10 +0100
+From: Daniel Drake <dsd at gentoo.org>
+To: stable at kernel.org
+Cc: tommy.christensen at tpack.net
+Subject: [PATCH][VLAN]: Fix early vlan adding leads to not functional device
+
+From: Tommy Christensen <tommy.christensen at tpack.net>
+X-Git-Url: http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f4637b55ba960d9987a836617271659e9b7b0de8
+
+[VLAN]: Fix early vlan adding leads to not functional device
+
+OK, I can see what's happening here. eth0 doesn't detect link-up until
+after a few seconds, so when the vlan interface is opened immediately
+after eth0 has been opened, it inherits the link-down state. Subsequently
+the vlan interface is never properly activated and are thus unable to
+transmit any packets.
+
+dev->state bits are not supposed to be manipulated directly. Something
+similar is probably needed for the netif_device_present() bit, although
+I don't know how this is meant to work for a virtual device.
+
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -578,6 +578,14 @@ static int vlan_device_event(struct noti
+ if (!vlandev)
+ continue;
+
++ if (netif_carrier_ok(dev)) {
++ if (!netif_carrier_ok(vlandev))
++ netif_carrier_on(vlandev);
++ } else {
++ if (netif_carrier_ok(vlandev))
++ netif_carrier_off(vlandev);
++ }
++
+ if ((vlandev->state & VLAN_LINK_STATE_MASK) != flgs) {
+ vlandev->state = (vlandev->state &~ VLAN_LINK_STATE_MASK)
+ | flgs;
+
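Review bot: the message says dev->state bits are not supposed to be manipulated directly, yet the trailing context of the inner hunk still assigns "vlandev->state = (vlandev->state &~ VLAN_LINK_STATE_MASK) | flgs;" right after the new netif_carrier_on()/netif_carrier_off() block. Please confirm that the remaining direct write is intended to stay alongside the carrier calls in the 2.6.8 tree. On the metadata: "## DP: Patch author:" credits Daniel Drake, while the embedded "From:" line in the body names Tommy Christensen and Daniel Drake is only the sender to stable, and the template line "## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>" is left unfilled here and in every other .dpatch added by this revision.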
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipsec-array-overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipsec-array-overflow.dpatch 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipsec-array-overflow.dpatch 2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,43 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix possible overflow of sock->sk_policy
+## DP: Patch author: "David S. Miller" <davem at davemloft.net>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org Tue Jul 26 16:40:13 2005
+Date: Tue, 26 Jul 2005 16:40:31 -0700 (PDT)
+To: stable at kernel.org
+From: "David S. Miller" <davem at davemloft.net>
+Subject: [PATCH][XFRM]: Fix possible overflow of sock->sk_policy
+
+From: Herbert Xu <herbert at gondor.apana.org.au>
+
+[XFRM]: Fix possible overflow of sock->sk_policy
+
+Spotted by, and original patch by, Balazs Scheidler.
+
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 files changed, 3 insertions(+)
+
+--- linux-2.6.12.3.orig/net/xfrm/xfrm_user.c 2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/xfrm/xfrm_user.c 2005-07-28 11:17:18.000000000 -0700
+@@ -1180,6 +1180,9 @@
+ if (nr > XFRM_MAX_DEPTH)
+ return NULL;
+
++ if (p->dir > XFRM_POLICY_OUT)
++ return NULL;
++
+ xp = xfrm_policy_alloc(GFP_KERNEL);
+ if (xp == NULL) {
+ *dir = -ENOBUFS;
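Review bot: the new "if (p->dir > XFRM_POLICY_OUT) return NULL;" returns without touching *dir, whereas the allocation-failure path just below sets "*dir = -ENOBUFS" explicitly. Please confirm that *dir already holds an error code when this early return is taken, otherwise the caller cannot distinguish the rejection from success. The check is also upper-bound only, so it relies on p->dir being an unsigned type; the declaration is not visible in this hunk and is worth verifying. Separately, "DP: Patch author" names David S. Miller, while the body credits Herbert Xu via "From:" and Balazs Scheidler as the reporter and original author.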
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-NAT-memory-corruption.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-NAT-memory-corruption.dpatch 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-NAT-memory-corruption.dpatch 2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,57 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix potential memory corruption in NAT code (aka memory NAT)
+## DP: Patch author: Patrick McHardy <kaber at trash.net>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org Fri Jul 22 00:35:55 2005
+Date: Fri, 22 Jul 2005 09:35:43 +0200
+From: Patrick McHardy <kaber at trash.net>
+To: "David S. Miller" <davem at davemloft.net>
+Cc: Netfilter Development Mailinglist <netfilter-devel at lists.netfilter.org>,
+ stable at kernel.org
+Subject: [PATCH][NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
+
+[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
+
+The portptr pointing to the port in the conntrack tuple is declared static,
+which could result in memory corruption when two packets of the same
+protocol are NATed at the same time and one conntrack goes away.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/ipv4/netfilter/ip_nat_proto_tcp.c | 3 ++-
+ net/ipv4/netfilter/ip_nat_proto_udp.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_tcp.c 2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_tcp.c 2005-07-28 11:17:15.000000000 -0700
+@@ -40,7 +40,8 @@
+ enum ip_nat_manip_type maniptype,
+ const struct ip_conntrack *conntrack)
+ {
+- static u_int16_t port, *portptr;
++ static u_int16_t port;
++ u_int16_t *portptr;
+ unsigned int range_size, min, i;
+
+ if (maniptype == IP_NAT_MANIP_SRC)
+--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_udp.c 2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_udp.c 2005-07-28 11:17:15.000000000 -0700
+@@ -41,7 +41,8 @@
+ enum ip_nat_manip_type maniptype,
+ const struct ip_conntrack *conntrack)
+ {
+- static u_int16_t port, *portptr;
++ static u_int16_t port;
++ u_int16_t *portptr;
+ unsigned int range_size, min, i;
+
+ if (maniptype == IP_NAT_MANIP_SRC)
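Review bot: in both inner hunks only portptr loses its static storage; "static u_int16_t port;" remains shared between concurrent callers of the TCP and UDP functions. The message explains why a static pointer into a conntrack tuple is dangerous but says nothing about the counter, so a short comment on the declaration stating that port is deliberately static and that unsynchronised updates to it are acceptable would stop the next reader from assuming the fix is incomplete. The "(aka memory NAT)" suffix in the DP description adds nothing and can be dropped.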
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-deadlock-ip6_queue.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-deadlock-ip6_queue.dpatch 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-deadlock-ip6_queue.dpatch 2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,42 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix deadlock in ip6_queue
+## DP: Patch author: Patrick McHardy <kaber at trash.net>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org Fri Jul 22 00:35:49 2005
+Date: Fri, 22 Jul 2005 09:35:34 +0200
+From: Patrick McHardy <kaber at trash.net>
+To: "David S. Miller" <davem at davemloft.net>
+Cc: Netfilter Development Mailinglist <netfilter-devel at lists.netfilter.org>,
+ stable at kernel.org
+Subject: [PATCH] [NETFILTER]: Fix deadlock in ip6_queue
+
+[NETFILTER]: Fix deadlock in ip6_queue
+
+Already fixed in ip_queue, ip6_queue was missed.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/ipv6/netfilter/ip6_queue.c | 2 ++
+ 1 files changed, 2 insertions(+)
+
+--- linux-2.6.12.3.orig/net/ipv6/netfilter/ip6_queue.c 2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/ipv6/netfilter/ip6_queue.c 2005-07-28 11:17:13.000000000 -0700
+@@ -76,7 +76,9 @@
+ static void
+ ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
+ {
++ local_bh_disable();
+ nf_reinject(entry->skb, entry->info, verdict);
++ local_bh_enable();
+ kfree(entry);
+ }
+
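Review bot: the local_bh_disable()/local_bh_enable() pair around nf_reinject() in ipq_issue_verdict() is added with no code comment, and the message only says "Already fixed in ip_queue, ip6_queue was missed" without describing the deadlock or pointing at the ip_queue change. Suggest a one-line comment above local_bh_disable() naming the lock or context that nf_reinject() expects, and a reference to the ip_queue fix in the DP description, so the pairing is not removed later as apparently redundant.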
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-ip_conntrack_untracked-refcount.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-ip_conntrack_untracked-refcount.dpatch 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-ip_conntrack_untracked-refcount.dpatch 2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,43 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH][NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+## DP: Patch author: Patrick McHardy <kaber at trash.net>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org Fri Jul 22 00:35:58 2005
+Date: Fri, 22 Jul 2005 09:35:51 +0200
+From: Patrick McHardy <kaber at trash.net>
+User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050602)
+To: "David S. Miller" <davem at davemloft.net>
+Cc: Netfilter Development Mailinglist <netfilter-devel at lists.netfilter.org>,
+ stable at kernel.org
+Subject: [PATCH][NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+
+[NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
+
+Fixes a crash when unloading ip_conntrack.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/ipv4/netfilter/ip_conntrack_core.c | 3 +++
+ 1 files changed, 3 insertions(+)
+
+--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/ipv4/netfilter/ip_conntrack_core.c 2005-07-28 11:17:16.000000000 -0700
+@@ -1124,6 +1124,9 @@
+ schedule();
+ goto i_see_dead_people;
+ }
++ /* wait until all references to ip_conntrack_untracked are dropped */
++ while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
++ schedule();
+
+ kmem_cache_destroy(ip_conntrack_cachep);
+ kmem_cache_destroy(ip_conntrack_expect_cachep);
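Review bot: the added loop "while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1) schedule();" has no bound, so a single leaked reference to ip_conntrack_untracked turns module unload into an endless spin with no diagnostic. Consider logging once when the wait starts or after a number of iterations, so a stuck unload can be attributed. The "DP: Description" line also carries the mail subject prefix "[PATCH][NETFILTER]:", which the other netfilter dpatches in this revision strip.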
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powernow-dual-core-amd-oops.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powernow-dual-core-amd-oops.dpatch 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powernow-dual-core-amd-oops.dpatch 2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,75 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix powernow oops on dual-core athlon
+## DP: Patch author: Daniel Drake <dsd at gentoo.org>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org Sat Jul 30 13:30:11 2005
+Date: Sat, 30 Jul 2005 21:30:30 +0100
+From: Daniel Drake <dsd at gentoo.org>
+To: stable at kernel.org
+Cc: davej at redhat.com
+Subject: [PATCH] Fix powernow oops on dual-core athlon
+
+From: Dave Jones <davej at redhat.com>
+Date: Thu, 28 Jul 2005 16:38:21 +0000 (-0700)
+Subject: powernow-k8 requires that a data structure for
+X-Git-Tag: v2.6.13-rc4
+X-Git-Url: http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=03938c3f1062b0f279a0ef937a471d4db83702ed
+
+powernow-k8 requires that a data structure for
+each core be created in the _cpu_init function
+call. The cpufreq infrastructure doesn't call
+_cpu_init for the second core in each processor.
+Some systems crashed when _get was called with
+an odd-numbered core because it tried to
+dereference a NULL pointer since the data
+structure had not been created.
+
+The attached patch solves the problem by
+initializing data structures for all shared
+cores in the _cpu_init function. It should
+apply to 2.6.12-rc6 and has been tested by
+AMD and Sun.
+
+Signed-off-by: Mark Langsdorf <mark.langsdorf at amd.com>
+Signed-off-by: Dave Jones <davej at redhat.com>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+
+--- a/arch/i386/kernel/cpu/cpufreq/powernow-k8.c
++++ b/arch/i386/kernel/cpu/cpufreq/powernow-k8.c
+@@ -44,7 +44,7 @@
+
+ #define PFX "powernow-k8: "
+ #define BFX PFX "BIOS error: "
+-#define VERSION "version 1.00.09b"
++#define VERSION "version 1.00.09b.debian1"
+ #include "powernow-k8.h"
+
+ /* serialize freq changes */
+@@ -978,7 +978,7 @@ static int __init powernowk8_cpu_init(st
+ {
+ struct powernow_k8_data *data;
+ cpumask_t oldmask = CPU_MASK_ALL;
+- int rc;
++ int rc, i;
+
+ if (!check_supported_cpu(pol->cpu))
+ return -ENODEV;
+@@ -1064,7 +1064,9 @@ static int __init powernowk8_cpu_init(st
+ printk("cpu_init done, current fid 0x%x, vid 0x%x\n",
+ data->currfid, data->currvid);
+
+- powernow_data[pol->cpu] = data;
++ for_each_cpu_mask(i, cpu_core_map[pol->cpu]) {
++ powernow_data[i] = data;
++ }
+
+ return 0;
+
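Review bot: after the new loop "powernow_data[i] = data;" every core in cpu_core_map[pol->cpu] points at the same data structure, so the teardown path, which is not part of this patch, must clear all of those slots and free data exactly once; please confirm it does, otherwise the NULL dereference is traded for a stale pointer or a double free. The message says the patch "should apply to 2.6.12-rc6", while this series targets 2.6.8, so verify that cpu_core_map and for_each_cpu_mask() exist in that tree. The VERSION change to "version 1.00.09b.debian1" is not mentioned in the description, and "DP: Patch author" names Daniel Drake although the sign-offs are from Mark Langsdorf and Dave Jones.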
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/rocket_c-fix-ldisc-ref-count.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/rocket_c-fix-ldisc-ref-count.dpatch 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/rocket_c-fix-ldisc-ref-count.dpatch 2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,51 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: rocket.c: Fix ldisc ref count handling
+## DP: Patch author: Michal Ostrowski <mostrows at watson.ibm.com>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org Thu Jul 14 16:54:10 2005
+To: stable at kernel.org
+From: akpm at osdl.org
+Date: Thu, 14 Jul 2005 16:46:26 -0700
+Cc: akpm at osdl.org, mostrows at watson.ibm.com
+Subject: [patch] rocket.c: Fix ldisc ref count handling
+
+From: Michal Ostrowski <mostrows at watson.ibm.com>
+
+If bailing out because there is nothing to receive in rp_do_receive(),
+tty_ldisc_deref is not called. Failure to do so increases the ref count=20
+and causes release_dev() to hang since it can't get the ref count to 0.
+
+Signed-off-by: Michal Ostrowski <mostrows at watson.ibm.com>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/char/rocket.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.12.3.orig/drivers/char/rocket.c 2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/drivers/char/rocket.c 2005-07-28 11:17:09.000000000 -0700
+@@ -277,7 +277,7 @@
+ ToRecv = space;
+
+ if (ToRecv <= 0)
+- return;
++ goto done;
+
+ /*
+ * if status indicates there are errored characters in the
+@@ -359,6 +359,7 @@
+ }
+ /* Push the data up to the tty layer */
+ ld->receive_buf(tty, tty->flip.char_buf, tty->flip.flag_buf, count);
++done:
+ tty_ldisc_deref(ld);
+ }
+
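Review bot: the two inner hunks convert only the "if (ToRecv <= 0) return;" exit to "goto done;", and roughly eighty lines of the function between them (277 to 359) are not shown; any other return taken after the ldisc reference is obtained would leak the reference in the same way, so please confirm there is none. The description copied into the dpatch also still contains the quoted-printable residue "=20" at the end of "increases the ref count=20", which should be cleaned up before the file is committed.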
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17 2005-08-02 07:45:25 UTC (rev 3674)
@@ -34,3 +34,11 @@
+ ppc32-time_offset-misuse.dpatch
+ v4l-cx88-hue-offset-fix.dpatch
+ tty_ldisc_ref-return-null-check.dpatch
++ netfilter-NAT-memory-corruption.dpatch
++ netfilter-deadlock-ip6_queue.dpatch
++ ipsec-array-overflow.dpatch
++ netfilter-ip_conntrack_untracked-refcount.dpatch
++ sys_get_thread_area-leak.dpatch
++ rocket_c-fix-ldisc-ref-count.dpatch
++ powernow-dual-core-amd-oops.dpatch
++ early-vlan-fix.dpatch
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sys_get_thread_area-leak.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sys_get_thread_area-leak.dpatch 2005-08-02 06:31:48 UTC (rev 3673)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sys_get_thread_area-leak.dpatch 2005-08-02 07:45:25 UTC (rev 3674)
@@ -0,0 +1,47 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR at EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: sys_get_thread_area does not clear the returned argument
+## DP: Patch author: Blaisorblade <blaisorblade at yahoo.it>
+## DP: Upstream status: upstream
+
+. $(dirname $0)/DPATCH
+
+ at DPATCH@
+From stable-bounces at linux.kernel.org Sat Jul 30 12:02:54 2005
+To: stable at kernel.org
+From: blaisorblade at yahoo.it
+Date: Sat, 30 Jul 2005 21:07:02 +0200
+Cc: blaisorblade at yahoo.it, linux-kernel at vger.kernel.org
+Subject: [patch] sys_get_thread_area does not clear the returned argument
+
+From: Blaisorblade <blaisorblade at yahoo.it>
+CC: <stable at kernel.org>
+
+sys_get_thread_area does not memset to 0 its struct user_desc info before
+copying it to user space... since sizeof(struct user_desc) is 16 while the
+actual datas which are filled are only 12 bytes + 9 bits (across the
+bitfields), there is a (small) information leak.
+
+This was already committed to Linus' repository.
+
+Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade at yahoo.it>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+
+ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c | 2 ++
+ 1 files changed, 2 insertions(+)
+
+diff -puN arch/i386/kernel/process.c~sec-micro-info-leak arch/i386/kernel/process.c
+--- vanilla-linux-2.6.12/arch/i386/kernel/process.c~sec-micro-info-leak 2005-07-28 21:19:26.000000000 +0200
++++ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c 2005-07-28 21:19:26.000000000 +0200
+@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struc
+ if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
+ return -EINVAL;
+
++ memset(&info, 0, sizeof(info));
++
+ desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
+
+ info.entry_number = idx;
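Review bot: the added "memset(&info, 0, sizeof(info));" carries no comment, and because every named field of info is assigned afterwards it looks redundant to anyone who has not read the message. Suggest a one-line comment above it saying that struct user_desc is 16 bytes with only 12 bytes plus 9 bitfield bits filled, so the remaining bits would otherwise be copied to user space. The "DP: Description" could also say "information leak" explicitly, since this is the only place in the package where the security relevance of the patch is recorded.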