r3409 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Simon Horman horms@costa.debian.org
Wed, 29 Jun 2005 09:17:57 +0000


Author: horms
Date: 2005-06-29 09:17:55 +0000 (Wed, 29 Jun 2005)
New Revision: 3409

Added:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-boundary-check.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-smp-boot-race.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-mm-ioremap-page-lookup.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-media-vidio-bttv-vc100xp-detect.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-posix-timers-leak-1.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-posix-timers-leak-2.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-ptrace-core-exec-race.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-ptrace-deadlock.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-reparent-timers.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-hfs-oops-and-leak.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-jbd-checkpoint-assertion.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mm-mmap-range-test.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mm-rmap-out-of-bounds-pte.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-mangle-oops.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-netfilter-etables-smp-race.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-ipvs-conn_tab-race.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-netfilter-ip_queue-deadlock.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-rose-ndigis-verify.dpatch
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sound-usb-usbaudio-unplug-oops.dpatch
Modified:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
Log:
* [SECURITY] arch-x86_64-kernel-ptrace-boundary-check.dpatch
  Don't allow accesses below register frame in ptrace
  See CAN-2005-0756.
  (Simon Horman)
 
* arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch,
  arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
  This works around an AMD Erratum by
  checking if the ptrace RIP is canonical.
  (Simon Horman)

* [SECURITY] arch-x86_64-kernel-smp-boot-race.dpatch
  Keep interrupts disabled during smp bootup
  This avoids a race that breaks SMP bootup on some machines.
  (Simon Horman)

* [SECURITY] arch-x86_64-mm-ioremap-page-lookup.dpatch
  Don't look up struct page pointer of physical address in iounmap as it may
  be in a memory hole not mapped in mem_map and that causes the hash lookup
  to go off to nirvana.
  (Simon Horman)

* drivers-media-vidio-bttv-vc100xp-detect.dpatch
  Allow Leadtek WinFast VC100 XP cards to work.
  (Simon Horman)

* [SECURITY] fs-exec-ptrace-core-exec-race.dpatch
  Fix race between core dumping and exec with shared mm
  (Simon Horman)

* [SECURITY] fs-exec-ptrace-deadlock.dpatch
  Fix coredump_wait deadlock with ptracer & tracee on shared mm
  (Simon Horman)

* [SECURITY] fs-exec-posix-timers-leak-1.dpatch,
  fs-exec-posix-timers-leak-2.dpatch
  Make exec clean up posix timers.
  (Simon Horman)

* [SECURITY] fs-exec-reparent-timers.dpatch
  Make sure we re-parent itimers.  If subthread exec's with timer pending,
  signal is delivered to old group-leader and can panic kernel.
  See CAN-2005-1913.
  (Simon Horman)

* fs-hfs-oops-and-leak.dpatch
  Fix a leak in HFS and HFS+
  Fix an oops that occurs when an attempt is made to
  mount a non-hfs filesystem as HFS+.
  (Simon Horman)

* fs-jbd-checkpoint-assertion.dpatch
  Fix possible false assertion failure in log_do_checkpoint(). We might fail
  to detect that we actually made a progress when cleaning up the checkpoint
  lists if we don't retry after writing something to disk.
  (Simon Horman)

# Omitted as it seems to require an update to struct_mm, which
# would be an ABI change. As it stands it breaks the build.
# Looking for a better solution, according to Frederik Schueler
# he has one from Ubuntu. More anon
#* [SECURITY] mm-mmap-range-test.dpatch
#  Make sure get_unmapped_area sanity tests are done regardless of
#  whether MAP_FIXED is set or not.
#  See CAN-2005-1265
#  (Simon Horman)

* mm-rmap-out-of-bounds-pte.dpatch
  Stop try_to_unmap_cluster() passing out-of-bounds pte to pte_unmap()
  (Simon Horman)

* [SECURITY] net-bridge-netfilter-etables-smp-race.dpatch
  The patch below fixes an smp race that happens on such systems under
  heavy load.
  (Simon Horman)

* net-bridge-mangle-oops.dpatch
  Fix oops when mangling and brouting and tcpdumping packets
  Needed for net-bridge-forwarding-poison.dpatch
  (Simon Horman)

* [SECURITY] net-bridge-forwarding-poison.dpatch
  Avoid poisoning of the bridge forwarding table by frames that have been
  dropped by filtering. This prevents spoofed source addresses on hostile
  side of bridge from causing packet leakage, a small but possible security
  risk.
  (Simon Horman)

* net-ipv4-netfilter-ip_queue-deadlock.dpatch
  Fix deadlock with ip_queue and tcp local input path.
  (Simon Horman)

* [SECURITY] net-rose-ndigis-verify.dpatch
  Verify ndigis argument of a new route.
  (Simon Horman)

* sound-usb-usbaudio-unplug-oops.dpatch
  Prevent oops & dead keyboard on usb unplugging while the device is being
  used.
  (Simon Horman)

* net-ipv4-ipvs-conn_tab-race.dpatch
  Fix race condition on p_vs_conn_tab list modification


Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-06-29 09:17:55 UTC (rev 3409)
@@ -9,11 +9,115 @@
 
   * drivers-net-via-rhine-wol-oops.dpatch (removed):
     This patch breaks the via-rhine driver and 2.6.8 and is
-    completely bogus for this version of the kernel 
+    completely bogus for this version of the kernel
     (Simon Horman) (closes: #311357)
 
- -- Simon Horman <horms@debian.org>  Fri, 10 Jun 2005 15:59:11 +0900
+  * [SECURITY] arch-x86_64-kernel-ptrace-boundary-check.dpatch
+    Don't allow accesses below register frame in ptrace
+    See CAN-2005-0756.
+    (Simon Horman)
 
+  * arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch,
+    arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
+    This works around an AMD Erratum by
+    checking if the ptrace RIP is canonical.
+    (Simon Horman)
+
+  * [SECURITY] arch-x86_64-kernel-smp-boot-race.dpatch
+    Keep interrupts disabled during smp bootup
+    This avoids a race that breaks SMP bootup on some machines.
+    (Simon Horman)
+
+  * [SECURITY] arch-x86_64-mm-ioremap-page-lookup.dpatch
+    Don't look up struct page pointer of physical address in iounmap as it may
+    be in a memory hole not mapped in mem_map and that causes the hash lookup
+    to go off to nirvana.
+    (Simon Horman)
+
+  * drivers-media-vidio-bttv-vc100xp-detect.dpatch
+    Allow Leadtek WinFast VC100 XP cards to work.
+    (Simon Horman)
+
+  * [SECURITY] fs-exec-ptrace-core-exec-race.dpatch
+    Fix race between core dumping and exec with shared mm
+    (Simon Horman)
+
+  * [SECURITY] fs-exec-ptrace-deadlock.dpatch
+    Fix coredump_wait deadlock with ptracer & tracee on shared mm
+    (Simon Horman)
+
+  * [SECURITY] fs-exec-posix-timers-leak-1.dpatch,
+    fs-exec-posix-timers-leak-2.dpatch
+    Make exec clean up posix timers.
+    (Simon Horman)
+
+  * [SECURITY] fs-exec-reparent-timers.dpatch
+    Make sure we re-parent itimers.  If subthread exec's with timer pending,
+    signal is delivered to old group-leader and can panic kernel.
+    See CAN-2005-1913.
+    (Simon Horman)
+
+  * fs-hfs-oops-and-leak.dpatch
+    Fix a leak in HFS and HFS+
+    Fix an oops that occurs when an attempt is made to
+    mount a non-hfs filesystem as HFS+.
+    (Simon Horman)
+
+  * fs-jbd-checkpoint-assertion.dpatch
+    Fix possible false assertion failure in log_do_checkpoint(). We might fail
+    to detect that we actually made a progress when cleaning up the checkpoint
+    lists if we don't retry after writing something to disk.
+    (Simon Horman)
+
+  # Ommitted as it seems to require an update to struct_mm, which
+  # would be an ABI change. As it stands it breaks the build.
+  # Looking for a better solution, according to Frederik Schueler
+  # he has one from Ubuntu. More anon
+  #* [SECURITY] mm-mmap-range-test.dpatch
+  #  Make sure get_unmapped_area sanity tests are done regardless of
+  #  wheater MAP_FIXED is set or not.
+  #  See CAN-2005-1265
+  #  (Simon Horman)
+
+  * mm-rmap-out-of-bounds-pte.dpatch
+    Stop try_to_unmap_cluster() passing out-of-bounds pte to pte_unmap()
+    (Simon Horman)
+
+  * [SECURITY] net-bridge-netfilter-etables-smp-race.dpatch
+    The patch below fixes an smp race that happens on such systems under
+    heavy load.
+    (Simon Horman)
+
+  * net-bridge-mangle-oops.dpatch
+    Fix oops when mangling and brouting and tcpdumping packets
+    Needed for net-bridge-forwarding-poison.dpatch
+    (Simon Horman)
+
+  * [SECURITY] net-bridge-forwarding-poison.dpatch
+    Avoid poisoning of the bridge forwarding table by frames that have been
+    dropped by filtering. This prevents spoofed source addresses on hostile
+    side of bridge from causing packet leakage, a small but possible security
+    risk.
+    (Simon Horman)
+
+  * net-ipv4-netfilter-ip_queue-deadlock.dpatch
+    Fix deadlock with ip_queue and tcp local input path.
+    (Simon Horman)
+
+  * [SECURITY] net-rose-ndigis-verify.dpatch
+    Verify ndigis argument of a new route.
+    (Simon Horman)
+
+  * sound-usb-usbaudio-unplug-oops.dpatch
+    Prevent oops & dead keyboard on usb unplugging while the device is being
+    used.
+    (Simon Horman)
+
+  * net-ipv4-ipvs-conn_tab-race.dpatch
+    Fix race condition on p_vs_conn_tab list modification
+
+ -- Simon Horman <horms@debian.org>  Wed, 29 Jun 2005 18:15:05 +0900
+
 kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
 
   * smbfs-overrun.dpatch:
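
Review bot: the commented-out mm-mmap-range-test.dpatch block ("# Ommitted as it seems to require ...") sits inside the 2.6.8-17 entry, so the changelog carries a [SECURITY] item with a CAN id that this upload does not fix, while the .dpatch file itself is still listed as added in this revision. Either drop the block and track the pending fix elsewhere, or replace it with a normal bullet stating that the CAN-2005-1265 fix is not included in this upload and why. Two smaller points in the same hunk: the net-bridge-netfilter-etables-smp-race entry says "such systems" with nothing for it to refer to, and the final net-ipv4-ipvs-conn_tab-race entry has no "(Simon Horman)" line and reads "p_vs_conn_tab", which does not match the patch file name.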

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-boundary-check.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-boundary-check.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-boundary-check.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,47 @@
+commit fa7405406223dd246f5ab6b7dce0efde0d583a43
+tree b5ef44650279196f876152a87bcccc6acacf6948
+parent 51af80e5f428d3d15b37c1f2df0479839a1d1fa4
+author Andi Kleen <ak@suse.de> 1117622850 +0200
+committer Chris Wright <chrisw@osdl.org> 1118544324 -0700
+
+[PATCH] x86_64: Fix ptrace boundary check
+
+Don't allow accesses below register frame in ptrace
+
+There was a "off by one quad word" error in there.
+
+Found and fixed by John Blackwood
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+I:100644 100644 cddc37a5415ac2fecfd246bb80e3a22d462eac22 85105ec76259f867955c49de9828f2b2aa43a6ff M	arch/x86_64/kernel/ptrace.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
+--- a/arch/x86_64/kernel/ptrace.c
++++ b/arch/x86_64/kernel/ptrace.c
+@@ -252,7 +252,7 @@ asmlinkage long sys_ptrace(long request,
+ 			break;
+ 
+ 		switch (addr) { 
+-		case 0 ... sizeof(struct user_regs_struct):
++		case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
+ 			tmp = getreg(child, addr);
+ 			break;
+ 		case offsetof(struct user, u_debugreg[0]):
+@@ -297,7 +297,7 @@ asmlinkage long sys_ptrace(long request,
+ 			break;
+ 
+ 		switch (addr) { 
+-		case 0 ... sizeof(struct user_regs_struct): 
++		case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
+ 			ret = putreg(child, addr, data);
+ 			break;
+ 		/* Disallows to set a breakpoint into the vsyscall */
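
Review bot: the corrected bound "sizeof(struct user_regs_struct) - sizeof(long)" is now written out twice, once in the getreg() case and once in the putreg() case, and the two must stay identical for the check to hold. Case ranges include both end points, which is why the old upper bound admitted an offset equal to the size of the structure, one quad word beyond the last register. A one-line comment saying so, or a shared macro for the last valid offset, would keep the read and write paths from drifting apart again. The changelog ties this fix to CAN-2005-0756, and the patch header would be easier to audit later if it carried that id too.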

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,38 @@
+commit 63a4a4f228c0de221779cd18c7ed9511d42c557b
+tree d624f187485e67e5e95b840b8f492e4805cb8ecc
+parent 77068954f8f2354b3dfd65253f2a41e473b58f66
+author Andi Kleen <ak@suse.de> 1116305609 +0000
+committer  <chrisw@vas.sous-sol.org> 1117167610 -0700
+
+[PATCH] x86_64: check if ptrace RIP is canonical
+
+This works around an AMD Erratum.
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+I:100644 100644 eaa7250152f56ca7f55e94dc42ca61f8ad9488b5 b2b7e347a6715f7f487928336608a411564e7e5f M	arch/x86_64/kernel/ptrace.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
+--- a/arch/x86_64/kernel/ptrace.c
++++ b/arch/x86_64/kernel/ptrace.c
+@@ -149,6 +149,11 @@ static int putreg(struct task_struct *ch
+ 				return -EIO;
+ 			value &= 0xffff;
+ 			break;
++		case offsetof(struct user_regs_struct, rip):
++			/* Check if the new RIP address is canonical */
++			if (value >= TASK_SIZE)
++				return -EIO;
++			break;
+ 	}
+ 	put_stack_long(child, regno - sizeof(struct pt_regs), value);
+ 	return 0;
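
Review bot: in the new rip case the comment says "Check if the new RIP address is canonical", but the test is "value >= TASK_SIZE", which rejects every address at or above the user address limit, not only non-canonical ones. The stricter test is a sensible rule for a value supplied by a tracer, so the comment should say that RIP must be a user-space address. The commit message could also name the AMD erratum it works around, so the reason survives in the package.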

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,49 @@
+commit f51f3c46d7deaf3b957fefdce0c7e55d930f1c9f
+tree 7387c97e3dafc359eba872b8159d6bf7d566a9e9
+parent 63a4a4f228c0de221779cd18c7ed9511d42c557b
+author Andi Kleen <ak@suse.de> 1116305610 +0000
+committer  <chrisw@vas.sous-sol.org> 1117167611 -0700
+
+[PATCH] x86_64: Fix canonical checking for segment registers in ptrace
+
+Allowed user programs to set a non canonical segment base, which would cause
+oopses in the kernel later.
+
+Credit-to: Alexander Nyberg <alexn@dsv.su.se>
+
+ For identifying and reporting this bug.
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+I:100644 100644 b2b7e347a6715f7f487928336608a411564e7e5f cddc37a5415ac2fecfd246bb80e3a22d462eac22 M	arch/x86_64/kernel/ptrace.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
+--- a/arch/x86_64/kernel/ptrace.c
++++ b/arch/x86_64/kernel/ptrace.c
+@@ -129,13 +129,13 @@ static int putreg(struct task_struct *ch
+ 			value &= 0xffff;
+ 			return 0;
+ 		case offsetof(struct user_regs_struct,fs_base):
+-			if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
+-				return -EIO; 
++			if (value >= TASK_SIZE)
++				return -EIO;
+ 			child->thread.fs = value;
+ 			return 0;
+ 		case offsetof(struct user_regs_struct,gs_base):
+-			if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
+-				return -EIO; 
++			if (value >= TASK_SIZE)
++				return -EIO;
+ 			child->thread.gs = value;
+ 			return 0;
+ 		case offsetof(struct user_regs_struct, eflags):
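
Review bot: the commit message does not say why the old fs_base/gs_base test was insufficient. "(value >> 48) == 0 || (value >> 48) == 0xffff" inspects only bits 48 to 63, so a value with bit 47 set and the upper bits clear passes it without being a sign-extended 48-bit address, whereas "value >= TASK_SIZE" refuses that value and also refuses kernel-half bases. A sentence to that effect in the header would make the change reviewable on its own. Ordering also matters: this patch names the canonical-rip-1 commit as its parent, and its resulting ptrace.c blob (cddc37a5...) is the starting blob of the boundary-check patch, so the series file has to apply rip-1, rip-2 and boundary-check in that order.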

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-smp-boot-race.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-smp-boot-race.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-kernel-smp-boot-race.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,69 @@
+commit 51af80e5f428d3d15b37c1f2df0479839a1d1fa4
+tree 18d6d5eb74ba2416e47113c14ea2671e81bded87
+parent 08373277d66dd334de2e20cf05e85533aaccf257
+author Andi Kleen <ak@suse.de> 1117548527 +0200
+committer Chris Wright <chrisw@osdl.org> 1118544323 -0700
+
+[PATCH] x86_64: avoid SMP boot up race
+
+Keep interrupts disabled during smp bootup
+
+This avoids a race that breaks SMP bootup on some machines.
+The race is not fully plugged (that is only done with much
+more changes in 2.6.12), but should be good enough
+for most people.
+
+Keeping the interrupts disabled here is ok because we
+don't rely on the timer interrupt for local APIC
+timer setup, but always read the timer registers
+directly.
+
+(originally from Rusty Russell iirc)
+
+Signed-off-by: ak@suse.de
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+I:100644 100644 dbccec4894c0b1b04b0e17834483f5443e00bb16 b97b4a20395dccda017bbc15975a00bbbf58932b M	arch/x86_64/kernel/apic.c
+I:100644 100644 a7e2c3e95ea5940bcab4345bb500782875ba17af 8e3edd231cec14adf412b26a9467b6c25eed45be M	arch/x86_64/kernel/smpboot.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/arch/x86_64/kernel/apic.c b/arch/x86_64/kernel/apic.c
+--- a/arch/x86_64/kernel/apic.c
++++ b/arch/x86_64/kernel/apic.c
+@@ -775,9 +775,7 @@ void __init setup_boot_APIC_clock (void)
+ 
+ void __init setup_secondary_APIC_clock(void)
+ {
+-	local_irq_disable(); /* FIXME: Do we need this? --RR */
+ 	setup_APIC_timer(calibration_result);
+-	local_irq_enable();
+ }
+ 
+ void __init disable_APIC_timer(void)
+diff --git a/arch/x86_64/kernel/smpboot.c b/arch/x86_64/kernel/smpboot.c
+--- a/arch/x86_64/kernel/smpboot.c
++++ b/arch/x86_64/kernel/smpboot.c
+@@ -309,8 +309,6 @@ void __init smp_callin(void)
+ 	Dprintk("CALLIN, before setup_local_APIC().\n");
+ 	setup_local_APIC();
+ 
+-	local_irq_enable();
+-
+ 	/*
+ 	 * Get our bogomips.
+ 	 */
+@@ -324,8 +322,6 @@ void __init smp_callin(void)
+ 	 */
+  	smp_store_cpu_info(cpuid);
+ 
+-	local_irq_disable();
+-
+ 	/*
+ 	 * Allow the master to continue.
+ 	 */
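
Review bot: the smp_callin() hunks remove the local_irq_enable()/local_irq_disable() pair that bracketed the "Get our bogomips" step, but the commit message only justifies keeping interrupts off for local APIC timer setup. Please add a sentence, or a code comment at that spot, on why the calibration step is safe with interrupts disabled on the secondary CPU. In apic.c, setup_secondary_APIC_clock() now depends on its caller having interrupts off; the deleted FIXME was the only hint of that, so a short comment stating the precondition would help. The message also says the race is "not fully plugged", which is worth repeating in the changelog entry given its [SECURITY] tag.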

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-mm-ioremap-page-lookup.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-mm-ioremap-page-lookup.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-mm-ioremap-page-lookup.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,39 @@
+commit 361716975a00f9fd58ea619fd891b51096d38981
+tree a2c2ba2d1d495e1654e88146bb5ac56bfcbeaf52
+parent c7df5dfb58fdd6fc6983c54cb54add8a18794b19
+author Andi Kleen <ak@suse.de> 1116305604 +0000
+committer  <chrisw@vas.sous-sol.org> 1117167613 -0700
+
+[PATCH] x86_64: Don't look up struct page pointer of physical address in iounmap
+
+It could be in a memory hole not mapped in mem_map and that causes the hash
+lookup to go off to nirvana.
+
+Back port to -stable tree by Chris Wright
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+R:100644 100644 911262d8ca1991737cb884eb6427160e5008c2f1 bae79b818d85108b5cc674c28303afb92438fdb4 M	arch/x86_64/mm/ioremap.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+Manually patched and rediffed for 2.6.8
+
+--- a/arch/x86_64/mm/ioremap.c	2005-06-28 18:28:26.000000000 +0900
++++ b/arch/x86_64/mm/ioremap.c	2005-06-28 19:16:34.000000000 +0900
+@@ -224,7 +224,7 @@
+ 	} 
+ 
+ 	if (p->flags && p->phys_addr < virt_to_phys(high_memory)) { 
+-		change_page_attr(virt_to_page(__va(p->phys_addr)),
++		change_page_attr_addr((unsigned long)(__va(p->phys_addr)),
+ 				 p->size >> PAGE_SHIFT,
+ 				 PAGE_KERNEL); 				 
+ 		global_flush_tlb();
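
Review bot: the call to change_page_attr_addr() is the only change in this rediffed patch, and nothing here adds that function or its prototype, so the 2.6.8 tree must already provide it. Please confirm that with a build of the x86_64 flavour, since this file is marked R (manually revised) and was not taken verbatim from upstream. The two continuation lines ("p->size >> PAGE_SHIFT," and "PAGE_KERNEL);") keep their old indentation and no longer line up with the longer call.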

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-media-vidio-bttv-vc100xp-detect.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-media-vidio-bttv-vc100xp-detect.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-media-vidio-bttv-vc100xp-detect.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,39 @@
+commit 7b692080506bdb5fc9cbb22bda2b247525515433
+tree f6b117f6b57f2680af9efd3615e57cfdfc7976ed
+parent fa7405406223dd246f5ab6b7dce0efde0d583a43
+author Pete Jewell <pete@phraxos.nildram.co.uk> 1117653364 +0200
+committer Chris Wright <chrisw@osdl.org> 1118544325 -0700
+
+[PATCH] Fix for bttv driver (v0.9.15) for Leadtek WinFast VC100 XP capture cards
+
+Cc: kraxel@bytesex.org
+
+This is a tiny patch that fixes bttv-cards.c so that Leadtek WinFast
+VC100 XP video capture cards work. I've been advised to post it here
+after having already posted it to the v4l mailing list.
+
+Acked-by: Gerd Knorr <kraxel@bytesex.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+I:100644 100644 8127a34ce4792e35ee0e9a7bd91a84abd2385dfc 1ad9ceaa8b51d58b99e891eb1e4ef9b37f1594ba M	drivers/media/video/bttv-cards.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c
+--- a/drivers/media/video/bttv-cards.c
++++ b/drivers/media/video/bttv-cards.c
+@@ -1939,7 +1939,6 @@ struct tvcard bttv_tvcards[] = {
+         .no_tda9875     = 1,
+         .no_tda7432     = 1,
+         .tuner_type     = TUNER_ABSENT,
+-        .no_video       = 1,
+ 	.pll            = PLL_28,
+ },{
+ 	.name           = "Teppro TEV-560/InterVision IV-560",
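
Review bot: the context lines do not show which bttv_tvcards[] entry loses ".no_video = 1"; that entry's .name line falls outside the hunk, so the only link to the Leadtek WinFast VC100 XP is the commit message. Regenerating the diff with more context would let a reader verify that the right entry is changed. This is a hardware-enablement fix with no security tag, so it could also go in its own revision instead of riding along with the [SECURITY] patches.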

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-posix-timers-leak-1.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-posix-timers-leak-1.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-posix-timers-leak-1.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,62 @@
+# origin: roland (BitKeeper)
+# cset: 1.1923.12.6 (2.6) key=414b332fsZQvEUsfzKJIo-q2_ZH0hg
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@414b332fsZQvEUsfzKJIo-q2_ZH0hg
+# inclusion: upstream
+# descrition: [PATCH] fix posix-timers leak
+# revision date: Wed, 29 Jun 2005 13:28:38 +0900
+#
+# S rset: ChangeSet|1.1923.12.5..1.1923.12.6
+# I rset: fs/exec.c|1.133..1.134
+#
+# Key:
+# S: Skipped  ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated  Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted  Manually deleted by subsequent user edit
+# R: Revised  Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2004/09/17 11:55:43-07:00 roland@redhat.com 
+#   [PATCH] fix posix-timers leak
+#   
+#   Exec fails to clean up posix-timers.  This manifests itself in two ways, one
+#   worse than the other.  In the single-threaded case, it just fails to clear out
+#   the timers on exec.  POSIX says that exec clears out the timers from
+#   timer_create (though not the setitimer ones), so it's wrong that a lingering
+#   timer could fire after exec and kill the process with a signal it's not
+#   expecting.  In the multi-threaded case, it not only leaves lingering timers,
+#   but it leaks them entirely when it replaces signal_struct, so they will never
+#   be freed by the process exiting after that exec.  The new per-user
+#   RLIMIT_SIGPENDING actually limits the damage here, because a UID will fill up
+#   its quota with leaked timers and then never be able to use timer_create again
+#   (that's what my test program does).  But if you have many many untrusted UIDs,
+#   this leak could be considered a DoS risk.
+#   
+#   Signed-off-by: Andrew Morton <akpm@osdl.org>
+#   Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+# 
+# fs/exec.c
+#   2004/09/16 23:58:37-07:00 roland@redhat.com +3 -1
+#   fix posix-timers leak
+# 
+#
+===== fs/exec.c 1.133 vs 1.134 =====
+--- 1.133/fs/exec.c	2004-09-15 08:49:49 +09:00
++++ 1.134/fs/exec.c	2004-09-17 15:58:37 +09:00
+@@ -741,8 +741,10 @@ no_thread_group:
+ 	spin_unlock(&oldsighand->siglock);
+ 	write_unlock_irq(&tasklist_lock);
+ 
+-	if (newsig && atomic_dec_and_test(&oldsig->count))
++	if (newsig && atomic_dec_and_test(&oldsig->count)) {
++		exit_itimers(oldsig);
+ 		kmem_cache_free(signal_cachep, oldsig);
++	}
+ 
+ 	if (atomic_dec_and_test(&oldsighand->count))
+ 		kmem_cache_free(sighand_cachep, oldsighand);
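
Review bot: exit_itimers(oldsig) is only reached under "newsig && atomic_dec_and_test(&oldsig->count)", so this patch covers the multi-threaded leak but not the single-threaded case the description also reports, where timers from timer_create survive exec. That case is handled by fs-exec-posix-timers-leak-2.dpatch, which calls exit_itimers() on the early-return path of de_thread(), so the two patches must stay together in the series. A line in this header saying it is incomplete on its own would keep someone from backporting only this half. The header field "descrition" is misspelled here and in the -2 patch.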

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-posix-timers-leak-2.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-posix-timers-leak-2.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-posix-timers-leak-2.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,227 @@
+# origin: roland (BitKeeper)
+# cset: 1.1938.115.36 (2.6) key=4174ac1exFxpMg163OsRuPZLQrlBKg
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@4174ac1exFxpMg163OsRuPZLQrlBKg
+# inclusion: upstream
+# descrition: [PATCH] exec: fix posix-timers leak and pending signal loss
+# revision date: Wed, 29 Jun 2005 13:29:19 +0900
+#
+# S rset: ChangeSet|1.1938.115.35..1.1938.115.36
+# I rset: fs/exec.c|1.135..1.136
+#
+# Key:
+# S: Skipped  ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated  Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted  Manually deleted by subsequent user edit
+# R: Revised  Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2004/10/18 22:54:38-07:00 roland@redhat.com 
+#   [PATCH] exec: fix posix-timers leak and pending signal loss
+#   
+#   I've found some problems with exec and fixed them with this patch to
+#   de_thread.
+#   
+#   The second problem is that a multithreaded exec loses all pending signals. 
+#   This is violation of POSIX rules.  But a moment's thought will show it's
+#   also just not desireable: if you send a process a SIGTERM while it's in the
+#   middle of calling exec, you expect either the original program in that
+#   process or the new program being exec'd to handle that signal or be killed
+#   by it.  As it stands now, you can try to kill a process and have that
+#   signal just evaporate if it's multithreaded and calls exec just then.  I
+#   really don't know what the rationale was behind the de_thread code that
+#   allocates a new signal_struct.  It doesn't make any sense now.  The other
+#   code there ensures that the old signal_struct is no longer shared.  Except
+#   for posix-timers, all the state there is stuff you want to keep.  So my
+#   changes just keep the old structs when they are no longer shared, and all
+#   the right state is retained (after clearing out posix-timers).
+#   
+#   The final bug is that the cumulative statistics of dead threads and dead
+#   child processes are lost in the abandoned signal_struct.  This is also
+#   fixed by holding on to it instead of replacing it.
+#   
+#   Signed-off-by: Roland McGrath <roland@redhat.com>
+#   Signed-off-by: Andrew Morton <akpm@osdl.org>
+#   Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+# 
+# fs/exec.c
+#   2004/10/18 22:28:03-07:00 roland@redhat.com +49 -61
+#   exec: fix posix-timers leak and pending signal loss
+# 
+#
+===== fs/exec.c 1.135 vs 1.136 =====
+--- 1.135/fs/exec.c	2004-10-19 14:28:19 +09:00
++++ 1.136/fs/exec.c	2004-10-19 14:28:03 +09:00
+@@ -564,7 +564,7 @@ static int exec_mmap(struct mm_struct *m
+  */
+ static inline int de_thread(struct task_struct *tsk)
+ {
+-	struct signal_struct *newsig, *oldsig = tsk->signal;
++	struct signal_struct *sig = tsk->signal;
+ 	struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
+ 	spinlock_t *lock = &oldsighand->siglock;
+ 	int count;
+@@ -573,43 +573,16 @@ static inline int de_thread(struct task_
+ 	 * If we don't share sighandlers, then we aren't sharing anything
+ 	 * and we can just re-use it all.
+ 	 */
+-	if (atomic_read(&oldsighand->count) <= 1)
++	if (atomic_read(&oldsighand->count) <= 1) {
++		BUG_ON(atomic_read(&sig->count) != 1);
++		exit_itimers(sig);
+ 		return 0;
++	}
+ 
+ 	newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);
+ 	if (!newsighand)
+ 		return -ENOMEM;
+ 
+-	spin_lock_init(&newsighand->siglock);
+-	atomic_set(&newsighand->count, 1);
+-	memcpy(newsighand->action, oldsighand->action, sizeof(newsighand->action));
+-
+-	/*
+-	 * See if we need to allocate a new signal structure
+-	 */
+-	newsig = NULL;
+-	if (atomic_read(&oldsig->count) > 1) {
+-		newsig = kmem_cache_alloc(signal_cachep, GFP_KERNEL);
+-		if (!newsig) {
+-			kmem_cache_free(sighand_cachep, newsighand);
+-			return -ENOMEM;
+-		}
+-		atomic_set(&newsig->count, 1);
+-		newsig->group_exit = 0;
+-		newsig->group_exit_code = 0;
+-		newsig->group_exit_task = NULL;
+-		newsig->group_stop_count = 0;
+-		newsig->curr_target = NULL;
+-		init_sigpending(&newsig->shared_pending);
+-		INIT_LIST_HEAD(&newsig->posix_timers);
+-
+-		newsig->tty = oldsig->tty;
+-		newsig->pgrp = oldsig->pgrp;
+-		newsig->session = oldsig->session;
+-		newsig->leader = oldsig->leader;
+-		newsig->tty_old_pgrp = oldsig->tty_old_pgrp;
+-	}
+-
+ 	if (thread_group_empty(current))
+ 		goto no_thread_group;
+ 
+@@ -619,7 +592,7 @@ static inline int de_thread(struct task_
+ 	 */
+ 	read_lock(&tasklist_lock);
+ 	spin_lock_irq(lock);
+-	if (oldsig->group_exit) {
++	if (sig->group_exit) {
+ 		/*
+ 		 * Another group action in progress, just
+ 		 * return so that the signal is processed.
+@@ -627,11 +600,9 @@ static inline int de_thread(struct task_
+ 		spin_unlock_irq(lock);
+ 		read_unlock(&tasklist_lock);
+ 		kmem_cache_free(sighand_cachep, newsighand);
+-		if (newsig)
+-			kmem_cache_free(signal_cachep, newsig);
+ 		return -EAGAIN;
+ 	}
+-	oldsig->group_exit = 1;
++	sig->group_exit = 1;
+ 	zap_other_threads(current);
+ 	read_unlock(&tasklist_lock);
+ 
+@@ -641,14 +612,16 @@ static inline int de_thread(struct task_
+ 	count = 2;
+ 	if (current->pid == current->tgid)
+ 		count = 1;
+-	while (atomic_read(&oldsig->count) > count) {
+-		oldsig->group_exit_task = current;
+-		oldsig->notify_count = count;
++	while (atomic_read(&sig->count) > count) {
++		sig->group_exit_task = current;
++		sig->notify_count = count;
+ 		__set_current_state(TASK_UNINTERRUPTIBLE);
+ 		spin_unlock_irq(lock);
+ 		schedule();
+ 		spin_lock_irq(lock);
+ 	}
++	sig->group_exit_task = NULL;
++	sig->notify_count = 0;
+ 	spin_unlock_irq(lock);
+ 
+ 	/*
+@@ -723,31 +696,46 @@ static inline int de_thread(struct task_
+ 		release_task(leader);
+         }
+ 
++	/*
++	 * Now there are really no other threads at all,
++	 * so it's safe to stop telling them to kill themselves.
++	 */
++	sig->group_exit = 0;
++
+ no_thread_group:
++	BUG_ON(atomic_read(&sig->count) != 1);
++	exit_itimers(sig);
+ 
+-	write_lock_irq(&tasklist_lock);
+-	spin_lock(&oldsighand->siglock);
+-	spin_lock(&newsighand->siglock);
+-
+-	if (current == oldsig->curr_target)
+-		oldsig->curr_target = next_thread(current);
+-	if (newsig)
+-		current->signal = newsig;
+-	current->sighand = newsighand;
+-	init_sigpending(&current->pending);
+-	recalc_sigpending();
+-
+-	spin_unlock(&newsighand->siglock);
+-	spin_unlock(&oldsighand->siglock);
+-	write_unlock_irq(&tasklist_lock);
+-
+-	if (newsig && atomic_dec_and_test(&oldsig->count)) {
+-		exit_itimers(oldsig);
+-		kmem_cache_free(signal_cachep, oldsig);
+-	}
++	if (atomic_read(&oldsighand->count) == 1) {
++		/*
++		 * Now that we nuked the rest of the thread group,
++		 * it turns out we are not sharing sighand any more either.
++		 * So we can just keep it.
++		 */
++		kmem_cache_free(sighand_cachep, newsighand);
++	} else {
++		/*
++		 * Move our state over to newsighand and switch it in.
++		 */
++		spin_lock_init(&newsighand->siglock);
++		atomic_set(&newsighand->count, 1);
++		memcpy(newsighand->action, oldsighand->action,
++		       sizeof(newsighand->action));
+ 
+-	if (atomic_dec_and_test(&oldsighand->count))
+-		kmem_cache_free(sighand_cachep, oldsighand);
++		write_lock_irq(&tasklist_lock);
++		spin_lock(&oldsighand->siglock);
++		spin_lock(&newsighand->siglock);
++
++		current->sighand = newsighand;
++		recalc_sigpending();
++
++		spin_unlock(&newsighand->siglock);
++		spin_unlock(&oldsighand->siglock);
++		write_unlock_irq(&tasklist_lock);
++
++		if (atomic_dec_and_test(&oldsighand->count))
++			kmem_cache_free(sighand_cachep, oldsighand);
++	}
+ 
+ 	if (!thread_group_empty(current))
+ 		BUG();
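
Review bot: the new else branch no longer calls init_sigpending(&current->pending) before recalc_sigpending(), which the removed code did, and the hunk gives no reason for dropping it. Please say in the comment above the switch-over whether keeping the thread's private pending signals across exec is intended. The atomic_read(&oldsighand->count) == 1 test that picks the branch is also made with neither tasklist_lock nor siglock held, so a line explaining why the count cannot change at that point would be welcome.
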

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-ptrace-core-exec-race.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-ptrace-core-exec-race.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-ptrace-core-exec-race.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,76 @@
+# origin: roland (BitKeeper)
+# cset: 1.1966.64.97 (2.6) key=41e9a98dJKJjUrTCrKsyak1DOQxQug
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@41e9a98dJKJjUrTCrKsyak1DOQxQug
+# inclusion: upstream
+# descrition: [PATCH] fix race between core dumping and exec with shared mm
+# revision date: Wed, 29 Jun 2005 13:32:35 +0900
+#
+# S rset: ChangeSet|1.1966.64.96..1.1966.64.97
+# I rset: fs/exec.c|1.155..1.156
+#
+# Key:
+# S: Skipped  ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated  Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted  Manually deleted by subsequent user edit
+# R: Revised  Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/01/15 15:38:53-08:00 roland@redhat.com 
+#   [PATCH] fix race between core dumping and exec with shared mm
+#   
+#   When threads are sharing mm via CLONE_VM (linuxthreads, vfork), there is a
+#   race condition where one thread doing a core dump and synchronizing all
+#   mm-sharing threads for it can deadlock waiting for another thread that just
+#   did an exec and will never synchronize.  This patch makes the exec_mmap
+#   check for a pending core dump and punt the exec to synchronize with that,
+#   as if the core dump had struck before entering the execve system call at
+#   all.
+#   
+#   Signed-off-by: Roland McGrath <roland@redhat.com>
+#   Signed-off-by: Andrew Morton <akpm@osdl.org>
+#   Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+# 
+# fs/exec.c
+#   2005/01/15 14:47:13-08:00 roland@redhat.com +16 -0
+#   fix race between core dumping and exec with shared mm
+# 
+#
+===== fs/exec.c 1.155 vs 1.156 =====
+--- 1.155/fs/exec.c	2005-01-16 07:47:13 +09:00
++++ 1.156/fs/exec.c	2005-01-16 07:47:13 +09:00
+@@ -550,6 +550,21 @@ static int exec_mmap(struct mm_struct *m
+ 	old_mm = current->mm;
+ 	mm_release(tsk, old_mm);
+ 
++	if (old_mm) {
++		/*
++		 * Make sure that if there is a core dump in progress
++		 * for the old mm, we get out and die instead of going
++		 * through with the exec.  We must hold mmap_sem around
++		 * checking core_waiters and changing tsk->mm.  The
++		 * core-inducing thread will increment core_waiters for
++		 * each thread whose ->mm == old_mm.
++		 */
++		down_read(&old_mm->mmap_sem);
++		if (unlikely(old_mm->core_waiters)) {
++			up_read(&old_mm->mmap_sem);
++			return -EINTR;
++		}
++	}
+ 	task_lock(tsk);
+ 	active_mm = tsk->active_mm;
+ 	tsk->mm = mm;
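
Review bot: the down_read(&old_mm->mmap_sem) taken in the new if (old_mm) block is still held when the block ends on the normal path, and the matching up_read sits in a separate hunk further down the function. A one-line note at the end of the block saying the semaphore stays held until the old_mm handling below would keep a later early return from leaking it. The -EINTR return is also reached after mm_release(tsk, old_mm) has already run, which the comment should mention.
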
+@@ -558,6 +573,7 @@ static int exec_mmap(struct mm_struct *m
+ 	task_unlock(tsk);
+ 	arch_pick_mmap_layout(mm);
+ 	if (old_mm) {
++		up_read(&old_mm->mmap_sem);
+ 		if (active_mm != old_mm) BUG();
+ 		mmput(old_mm);
+ 		return 0;

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-ptrace-deadlock.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-ptrace-deadlock.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-ptrace-deadlock.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,85 @@
+# origin: roland (BitKeeper)
+# cset: 1.1966.64.96 (2.6) key=41e9a97cuQ7FWekabtf12Orvpfbp1w
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@41e9a97cuQ7FWekabtf12Orvpfbp1w
+# inclusion: upstream
+# descrition: [PATCH] fix coredump_wait deadlock with ptracer & tracee on shared mm
+# revision date: Wed, 29 Jun 2005 13:32:27 +0900
+#
+# S rset: ChangeSet|1.1966.64.95..1.1966.64.96
+# I rset: fs/exec.c|1.154..1.155
+#
+# Key:
+# S: Skipped  ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated  Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted  Manually deleted by subsequent user edit
+# R: Revised  Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/01/15 15:38:36-08:00 roland@redhat.com 
+#   [PATCH] fix coredump_wait deadlock with ptracer & tracee on shared mm
+#   
+#   In the oddball situation where one thread is using ptrace on another thread
+#   sharing the same mm, and then someone sharing that mm causes a coredump,
+#   there is a deadlock possible if the traced thread is in TASK_TRACED state. 
+#   It leaves all the threads sharing that mm wedged and permanently
+#   unkillable.  This patch checks for that situation and brings a thread out
+#   of TASK_TRACED if its tracer is part of the same coredump (i.e.  shares the
+#   same mm).  It's not pretty, but it does the job.
+#   
+#   Signed-off-by: Roland McGrath <roland@redhat.com>
+#   Signed-off-by: Andrew Morton <akpm@osdl.org>
+#   Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+# 
+# fs/exec.c
+#   2005/01/15 14:47:13-08:00 roland@redhat.com +21 -0
+#   fix coredump_wait deadlock with ptracer & tracee on shared mm
+# 
+#
+===== fs/exec.c 1.154 vs 1.155 =====
+--- 1.154/fs/exec.c	2005-01-11 10:29:23 +09:00
++++ 1.155/fs/exec.c	2005-01-16 07:47:13 +09:00
+@@ -1338,6 +1338,7 @@ static void zap_threads (struct mm_struc
+ 	struct task_struct *g, *p;
+ 	struct task_struct *tsk = current;
+ 	struct completion *vfork_done = tsk->vfork_done;
++	int traced = 0;
+ 
+ 	/*
+ 	 * Make sure nobody is waiting for us to release the VM,
+@@ -1353,10 +1354,30 @@ static void zap_threads (struct mm_struc
+ 		if (mm == p->mm && p != tsk) {
+ 			force_sig_specific(SIGKILL, p);
+ 			mm->core_waiters++;
++			if (unlikely(p->ptrace) &&
++			    unlikely(p->parent->mm == mm))
++				traced = 1;
+ 		}
+ 	while_each_thread(g,p);
+ 
+ 	read_unlock(&tasklist_lock);
++
++	if (unlikely(traced)) {
++		/*
++		 * We are zapping a thread and the thread it ptraces.
++		 * If the tracee went into a ptrace stop for exit tracing,
++		 * we could deadlock since the tracer is waiting for this
++		 * coredump to finish.  Detach them so they can both die.
++		 */
++		write_lock_irq(&tasklist_lock);
++		do_each_thread(g,p) {
++			if (mm == p->mm && p != tsk &&
++			    p->ptrace && p->parent->mm == mm) {
++				__ptrace_unlink(p);
++			}
++		} while_each_thread(g,p);
++		write_unlock_irq(&tasklist_lock);
++	}
+ }
+ 
+ static void coredump_wait(struct mm_struct *mm)
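
Review bot: the test p->ptrace && p->parent->mm == mm is written out twice in this hunk, once under read_lock to set traced and once under write_lock_irq before __ptrace_unlink(p), so the two copies can drift apart. A small static inline helper would keep them in step. The comment in the second block should also say that the condition is tested again because tasklist_lock is dropped between the two walks.
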

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-reparent-timers.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-reparent-timers.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-reparent-timers.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,33 @@
+commit fe3d5c8793fcaf33c5d3118a7f3ffc135eadaf4d
+tree 19fac0a8a24b4c106babdfee1e68b5e794ece216
+parent 9ee1c939d1cb936b1f98e8d81aeffab57bae46ab
+author Linus Torvalds <torvalds@osdl.org> 1119125869 -0700
+committer Chris Wright <chrisw@osdl.org> 1119468770 -0700
+
+[PATCH] Clean up subthread exec (CAN-2005-1913)
+
+Make sure we re-parent itimers.  If subthread exec's with timer pending,
+signal is delivered to old group-leader and can panic kernel.
+
+Signed-off-by: Linus Torvalds <torvalds@ppc970.osdl.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+I:100644 100644 e56ee24370255e2ab4df9a3933ec03f0d07a2de3 422cc0ec5e366b846336a22398ddc019ca6212c2 M	fs/exec.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/fs/exec.c b/fs/exec.c
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -649,6 +649,7 @@ static inline int de_thread(struct task_
+ 	}
+ 	sig->group_exit_task = NULL;
+ 	sig->notify_count = 0;
++	sig->real_timer.data = (unsigned long)current;
+ 	spin_unlock_irq(lock);
+ 
+ 	/*
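
Review bot: the added sig->real_timer.data = (unsigned long)current; carries no comment, and the reason for it lives only in the commit message (a pending itimer would otherwise deliver its signal to the old group leader). Please put that explanation in a one-line comment above the assignment. The assignment is also made whether or not a timer is pending; say that this is intended.
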

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-hfs-oops-and-leak.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-hfs-oops-and-leak.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-hfs-oops-and-leak.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,113 @@
+commit 08373277d66dd334de2e20cf05e85533aaccf257
+tree b5748acaa4d6f64a68436054fea7aa6f1b415bc0
+parent 839c2379a6ed8ea9dd669d4c3206b85c5dff674e
+author Colin Leroy <colin@colino.net> 1117461718 +0200
+committer Chris Wright <chrisw@osdl.org> 1118544322 -0700
+
+[PATCH] fix hfsplus oops, hfs and hfsplus leak
+
+This patch fixes the leak of sb->s_fs_info in both the HFS and HFS+
+modules. In addition to this, it fixes an oops happening when trying to
+mount a non-hfsplus filesystem using hfsplus. This patch is from Roman
+Zippel, based off patches sent by myself. It's been included in 2.6.12-
+rc4. See
+http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=945b092011c6af71a0107be96e119c8c08776f3f
+
+(chrisw: backport to -stable)
+
+Signed-off-by: Roman Zippel <zippel@linux-m68k.org>
+Signed-off-by: Colin Leroy <colin@colino.net>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+ fs/hfs/mdb.c       |    5 +++++
+ fs/hfs/super.c     |    8 +++-----
+ fs/hfsplus/super.c |    6 +++++-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+I:100644 100644 4efb640c4d0cc838938a1d1c202c3eb47d44ecc8 217e32f37e0be7bce323a9962c0cf95adb394b9e M	fs/hfs/mdb.c
+I:100644 100644 884aeace678db2e9c3c8ffd41baa609cd20899f4 5e640a9a11da81a084684537603053f94e454b6c M	fs/hfs/super.c
+I:100644 100644 09242d50096db4e2cd0966a8c3ab12c4565c09d5 53caa3d4d4e7e029d1627f3af4c8c8fabbc462c7 M	fs/hfsplus/super.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -333,6 +333,8 @@ void hfs_mdb_close(struct super_block *s
+  * Release the resources associated with the in-core MDB.  */
+ void hfs_mdb_put(struct super_block *sb)
+ {
++	if (!HFS_SB(sb))
++		return;
+ 	/* free the B-trees */
+ 	hfs_btree_close(HFS_SB(sb)->ext_tree);
+ 	hfs_btree_close(HFS_SB(sb)->cat_tree);
+@@ -340,4 +342,7 @@ void hfs_mdb_put(struct super_block *sb)
+ 	/* free the buffers holding the primary and alternate MDBs */
+ 	brelse(HFS_SB(sb)->mdb_bh);
+ 	brelse(HFS_SB(sb)->alt_mdb_bh);
++
++	kfree(HFS_SB(sb));
++	sb->s_fs_info = NULL;
+ }
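
Review bot: hfs_mdb_put() now ends with kfree(HFS_SB(sb)) and clears sb->s_fs_info, but the comment above the function still describes it only as releasing the resources of the in-core MDB. Please update that comment to say the function also frees the superblock private data, because any caller that keeps its own kfree of that pointer would now free it twice.
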
+diff --git a/fs/hfs/super.c b/fs/hfs/super.c
+--- a/fs/hfs/super.c
++++ b/fs/hfs/super.c
+@@ -263,7 +263,7 @@ static int hfs_fill_super(struct super_b
+ 	res = -EINVAL;
+ 	if (!parse_options((char *)data, sbi)) {
+ 		hfs_warn("hfs_fs: unable to parse mount options.\n");
+-		goto bail3;
++		goto bail;
+ 	}
+ 
+ 	sb->s_op = &hfs_super_operations;
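
Review bot: with goto bail the parse_options failure path now runs hfs_mdb_put(sb) before any MDB has been read, so hfs_mdb_put() calls hfs_btree_close() and brelse() on ext_tree, cat_tree, mdb_bh and alt_mdb_bh fields that were never set up. Please confirm that sbi is zero-initialised and that hfs_btree_close() accepts a NULL tree, and record that in a comment at the bail label.
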
+@@ -276,7 +276,7 @@ static int hfs_fill_super(struct super_b
+ 			hfs_warn("VFS: Can't find a HFS filesystem on dev %s.\n",
+ 				hfs_mdb_name(sb));
+ 		res = -EINVAL;
+-		goto bail2;
++		goto bail;
+ 	}
+ 
+ 	/* try to get the root inode */
+@@ -306,10 +306,8 @@ bail_iput:
+ 	iput(root_inode);
+ bail_no_root:
+ 	hfs_warn("hfs_fs: get root inode failed.\n");
++bail:
+ 	hfs_mdb_put(sb);
+-bail2:
+-bail3:
+-	kfree(sbi);
+ 	return res;
+ }
+ 
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -207,7 +207,9 @@ static void hfsplus_write_super(struct s
+ static void hfsplus_put_super(struct super_block *sb)
+ {
+ 	dprint(DBG_SUPER, "hfsplus_put_super\n");
+-	if (!(sb->s_flags & MS_RDONLY)) {
++	if (!sb->s_fs_info)
++		return;
++	if (!(sb->s_flags & MS_RDONLY) && HFSPLUS_SB(sb).s_vhdr) {
+ 		struct hfsplus_vh *vhdr = HFSPLUS_SB(sb).s_vhdr;
+ 
+ 		vhdr->modify_date = hfsp_now2mt();
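
Review bot: the two added tests spell the same object differently, sb->s_fs_info in the early return and HFSPLUS_SB(sb).s_vhdr in the condition that follows. Please use one form throughout the function, and add a short comment beside the s_vhdr test naming the failed-mount case from the commit message that it guards against.
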
+@@ -223,6 +225,8 @@ static void hfsplus_put_super(struct sup
+ 	iput(HFSPLUS_SB(sb).alloc_file);
+ 	iput(HFSPLUS_SB(sb).hidden_dir);
+ 	brelse(HFSPLUS_SB(sb).s_vhbh);
++	kfree(sb->s_fs_info);
++	sb->s_fs_info = NULL;
+ }
+ 
+ static int hfsplus_statfs(struct super_block *sb, struct kstatfs *buf)

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-jbd-checkpoint-assertion.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-jbd-checkpoint-assertion.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-jbd-checkpoint-assertion.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,44 @@
+commit 39dbf77a9f6acde730378c8b83879fc33ff4a596
+tree c149d2ed7c899f21a33c3b37d4a57172f6b83311
+parent 7b692080506bdb5fc9cbb22bda2b247525515433
+author Jan Kara <jack@suse.cz> 1117611659 +0200
+committer Chris Wright <chrisw@osdl.org> 1118544326 -0700
+
+[PATCH] ext3: fix log_do_checkpoint() assertion failure
+
+Fix possible false assertion failure in log_do_checkpoint(). We might fail
+to detect that we actually made a progress when cleaning up the checkpoint
+lists if we don't retry after writing something to disk. The patch was
+confirmed to fix observed assertion failures for several users.
+
+When we flushed some buffers we need to retry scanning the list.
+Otherwise we can fail to detect our progress.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+I:100644 100644 98d830401c56c7e50463e85acfe994f76171bb99 58133ab9457e251dfcefbc062b491408afcca02a M	fs/jbd/checkpoint.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c
+--- a/fs/jbd/checkpoint.c
++++ b/fs/jbd/checkpoint.c
+@@ -339,8 +339,10 @@ int log_do_checkpoint(journal_t *journal
+ 			}
+ 		} while (jh != last_jh && !retry);
+ 
+-		if (batch_count)
++		if (batch_count) {
+ 			__flush_batch(journal, bhs, &batch_count);
++			retry = 1;
++		}
+ 
+ 		/*
+ 		 * If someone cleaned up this transaction while we slept, we're
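
Review bot: retry = 1 is set after __flush_batch() with no comment, and the reason (buffers were written, so the list has to be scanned again or the progress goes unnoticed) is only in the commit message. Please add that as a one-line comment inside the new braces, since a bare retry = 1 after a flush looks like a candidate for removal.
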

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mm-mmap-range-test.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mm-mmap-range-test.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mm-mmap-range-test.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,119 @@
+commit 27d050adf5cea402a3da5ca7564a23bf87ce7bef
+tree d7384eaea30e89c6d45bcf98f4b5993abf548f07
+parent 4dd43544510011f66ae75e41301926003588e89d
+author Linus Torvalds <torvalds@osdl.org> 1116567817 -0700
+committer  <chrisw@vas.sous-sol.org> 1117167600 -0700
+
+[PATCH] Fix get_unmapped_area sanity tests
+
+Fix get_unmapped_area sanity tests
+
+As noted by Chris Wright, we need to do the full range of tests regardless
+of whether MAP_FIXED is set or not, so re-organize get_unmapped_area()
+slightly to do the sanity checks unconditionally.
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+R:100644 100644 17c55df13615a9bda172e80c6f4711c11f3183e8 ff71d2af5da33ac711da7f64957d8d93bad4f91f M	include/linux/err.h
+R:100644 100644 b8af0c8db48d637791ba82ec1b013032779a1379 136db2d1fb95c5759ea4188ebf712601d507687a M	mm/mmap.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+Manually applied and rediffed for 2.6.8
+
+--- a/include/linux/err.h	2005-06-28 14:37:41.000000000 +0900
++++ b/include/linux/err.h	2005-06-28 14:37:44.000000000 +0900
+@@ -11,6 +11,8 @@
+  * This should be a per-architecture thing, to allow different
+  * error and pointer decisions.
+  */
++#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L)
++
+ static inline void *ERR_PTR(long error)
+ {
+ 	return (void *) error;
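
Review bot: IS_ERR_VALUE(x) compares (x) without casting it, so the result depends on the type the caller passes; an unsigned int holding an errno value would not test true on a 64-bit build. The IS_ERR() change in the next hunk casts before calling the macro, which suggests the cast belongs inside it, as (unsigned long)(x). The macro also needs a comment of its own, because the comment it now sits under is about the per-architecture pointer convention.
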
+@@ -23,7 +25,7 @@ static inline long PTR_ERR(const void *p
+ 
+ static inline long IS_ERR(const void *ptr)
+ {
+-	return (unsigned long)ptr > (unsigned long)-1000L;
++	return IS_ERR_VALUE((unsigned long)ptr);
+ }
+ 
+ #endif /* _LINUX_ERR_H */
+--- a/mm/mmap.c	2005-06-28 14:27:35.000000000 +0900
++++ b/mm/mmap.c	2005-06-28 14:32:00.000000000 +0900
+@@ -1074,37 +1074,41 @@ unsigned long
+ get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
+ 		unsigned long pgoff, unsigned long flags)
+ {
+-	if (flags & MAP_FIXED) {
+-		unsigned long ret;
++	unsigned long ret;
+ 
+-		if (addr > TASK_SIZE - len)
+-			return -ENOMEM;
+-		if (addr & ~PAGE_MASK)
+-			return -EINVAL;
+-		if (file && is_file_hugepages(file))  {
+-			/*
+-			 * Check if the given range is hugepage aligned, and
+-			 * can be made suitable for hugepages.
+-			 */
+-			ret = prepare_hugepage_range(addr, len);
+-		} else {
+-			/*
+-			 * Ensure that a normal request is not falling in a
+-			 * reserved hugepage range.  For some archs like IA-64,
+-			 * there is a separate region for hugepages.
+-			 */
+-			ret = is_hugepage_only_range(current->mm, addr, len);
+-		}
+-		if (ret)
+-			return -EINVAL;
+-		return addr;
++	if (!(flags & MAP_FIXED)) {
++		unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
++
++		get_area = current->mm->get_unmapped_area;
++		if (file && file->f_op && file->f_op->get_unmapped_area)
++			get_area = file->f_op->get_unmapped_area;
++		addr = get_area(file, addr, len, pgoff, flags);
++		if (IS_ERR_VALUE(addr))
++			return addr;
+ 	}
+ 
+-	if (file && file->f_op && file->f_op->get_unmapped_area)
+-		return file->f_op->get_unmapped_area(file, addr, len,
+-						pgoff, flags);
+ 
+-	return arch_get_unmapped_area(file, addr, len, pgoff, flags);
++	if (addr > TASK_SIZE - len)
++		return -ENOMEM;
++	if (addr & ~PAGE_MASK)
++		return -EINVAL;
++	if (file && is_file_hugepages(file))  {
++		/*
++		 * Check if the given range is hugepage aligned, and
++		 * can be made suitable for hugepages.
++		 */
++		ret = prepare_hugepage_range(addr, len);
++	} else {
++		/*
++		 * Ensure that a normal request is not falling in a
++		 * reserved hugepage range.  For some archs like IA-64,
++		 * there is a separate region for hugepages.
++		 */
++		ret = is_hugepage_only_range(current->mm, addr, len);
++	}
++	if (ret)
++		return -EINVAL;
++	return addr;
+ }
+ 
+ EXPORT_SYMBOL(get_unmapped_area);
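
Review bot: the default allocator changes in this hunk from a direct arch_get_unmapped_area() call to the current->mm->get_unmapped_area pointer, which goes beyond the re-organisation of the sanity checks that the description announces. Since the header says the patch was manually applied and rediffed for 2.6.8, please state there that this substitution is intended for this tree. The doubled blank line left after the !MAP_FIXED block can go as well.
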

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mm-rmap-out-of-bounds-pte.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mm-rmap-out-of-bounds-pte.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mm-rmap-out-of-bounds-pte.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,70 @@
+commit 43cdfc5ea9a5c7b7904dd040370f6655951412f0
+tree 50c7a0cb88185a6b0a2dcc3cca1074b2135e6857
+parent c27d379fe5e7a0709fdb63eeaec5c7c848747d8a
+author William Lee Irwin III <wli@holomorphy.com> 1117172591 -0700
+committer Chris Wright <chrisw@osdl.org> 1118544321 -0700
+
+[PATCH] try_to_unmap_cluster() passes out-of-bounds pte to pte_unmap()
+
+try_to_unmap_cluster() does:
+        for (pte = pte_offset_map(pmd, address);
+                        address < end; pte++, address += PAGE_SIZE) {
+		...
+	}
+
+	pte_unmap(pte);
+
+It may take a little staring to notice, but pte can actually fall off the
+end of the pte page in this iteration, which makes life difficult for
+kmap_atomic() and the users not expecting it to BUG().  Of course, we're
+somewhat lucky in that arithmetic elsewhere in the function guarantees that
+at least one iteration is made, lest this force larger rearrangements to be
+made.  This issue and patch also apply to non-mm mainline and with trivial
+adjustments, at least two related kernels.
+
+Discovered during internal testing at Oracle.
+
+Signed-off-by: William Irwin <wli@holomorphy.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+I:100644 100644 4ff8183fa18e9e32c8316a37e56a321fd00df852 895a454820b69d091d13bcc46c6b60c4ce41db69 M	mm/rmap.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/mm/rmap.c b/mm/rmap.c
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -641,7 +641,7 @@ static void try_to_unmap_cluster(unsigne
+ 	pgd_t *pgd;
+ 	pud_t *pud;
+ 	pmd_t *pmd;
+-	pte_t *pte;
++	pte_t *pte, *original_pte;
+ 	pte_t pteval;
+ 	struct page *page;
+ 	unsigned long address;
+@@ -673,7 +673,7 @@ static void try_to_unmap_cluster(unsigne
+ 	if (!pmd_present(*pmd))
+ 		goto out_unlock;
+ 
+-	for (pte = pte_offset_map(pmd, address);
++	for (original_pte = pte = pte_offset_map(pmd, address);
+ 			address < end; pte++, address += PAGE_SIZE) {
+ 
+ 		if (!pte_present(*pte))
+@@ -710,7 +710,7 @@ static void try_to_unmap_cluster(unsigne
+ 		(*mapcount)--;
+ 	}
+ 
+-	pte_unmap(pte);
++	pte_unmap(original_pte);
+ 
+ out_unlock:
+ 	spin_unlock(&mm->page_table_lock);
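
Review bot: pte_unmap(original_pte) is needed for the reason given in the commit message, that pte can step past the end of the pte page by the time the loop exits, but the code itself carries no comment saying so. Please add one at the pte_unmap() call so that a later cleanup does not fold the two variables back together.
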

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-forwarding-poison.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,62 @@
+commit c5187a40291642ae66928dd54bc83117286067d3
+tree edd6698f06f6bda7f867f99bc416df08feacf506
+parent 39dbf77a9f6acde730378c8b83879fc33ff4a596
+author Stephen Hemminger <shemminger@osdl.org> 1118248209 -0700
+committer Chris Wright <chrisw@osdl.org> 1118544326 -0700
+
+[PATCH] prevent bad forwarding table updates
+
+Avoid poisoning of the bridge forwarding table by frames that have been
+dropped by filtering. This prevents spoofed source addresses on hostile
+side of bridge from causing packet leakage, a small but possible security
+risk.
+
+Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+I:100644 100644 943d5ddc5f26e626031b0ab0a0865b9685474fe2 0c4a8aa0375f46e38cf8c4c60faabbb906ac7a2b M	net/bridge/br_input.c
+R:100644 100644 b91a875aca01c23f0b37b7916cad225e0c5f9fe5 f62e08d68658348dbd66f7df2ed3eb67dbd76630 M	net/bridge/br_stp_bpdu.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buf
+ 	struct net_bridge_fdb_entry *dst;
+ 	int passedup = 0;
+ 
++	/* insert into forwarding database after filtering to avoid spoofing */
++	br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
++
+ 	if (br->dev->flags & IFF_PROMISC) {
+ 		struct sk_buff *skb2;
+ 
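
Review bot: the br_fdb_insert() added at the top of br_handle_frame_finish() is unconditional, with no test of p->state, while the other hunk in this file narrows the insert in br_handle_frame() to BR_STATE_LEARNING. Please extend the new comment to say which port states can reach this function, so it is clear that frames on forwarding ports are now learned here and only here.
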
+@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_po
+ 	if (eth_hdr(skb)->h_source[0] & 1)
+ 		goto err;
+ 
+-	if (p->state == BR_STATE_LEARNING ||
+-	    p->state == BR_STATE_FORWARDING)
++	if (p->state == BR_STATE_LEARNING)
+ 		br_fdb_insert(p->br, p, skb->mac.ethernet->h_source, 0);
+ 
+ 	if (p->br->stp_enabled &&
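
Review bot: the br_fdb_insert() call kept in this hunk reads the source address as skb->mac.ethernet->h_source, while the calls this patch adds use eth_hdr(skb)->h_source, as does the multicast test just above. Please use one accessor throughout. A comment on why the LEARNING case still inserts before filtering would also help.
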
+diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *s
+ 	struct net_bridge *br = p->br;
+ 	unsigned char *buf;
+ 
++	/* insert into forwarding database after filtering to avoid spoofing */
++	br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
++
+ 	/* need at least the 802 and STP headers */
+ 	if (!pskb_may_pull(skb, sizeof(header)+1) ||
+ 	    memcmp(skb->data, header, sizeof(header)))
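
Review bot: in br_stp_handle_bpdu() the br_fdb_insert() sits above the pskb_may_pull() and header memcmp() test, so a frame that fails that validation has already had its source address learned, although the new comment says the insert happens after filtering. Please either move the call below the header check or explain in the comment why learning from frames that fail it is acceptable.
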

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-mangle-oops.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-mangle-oops.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-mangle-oops.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,298 @@
+# origin: shemminger (BitKeeper)
+# cset: 1.1832.2.15 (2.6) key=412d2246sXjFQD6OadAB57YWvqR9vQ
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@412d2246sXjFQD6OadAB57YWvqR9vQ
+# inclusion: upstream
+# descrition: [BRIDGE]: Fix oops when mangling and brouting and tcpdumping packets
+# revision date: Tue, 28 Jun 2005 19:49:12 +0900
+#
+# S rset: ChangeSet|1.1832.2.14..1.1832.2.15
+# I rset: net/bridge/br_private.h|1.34..1.35
+# R rset: net/bridge/br_input.c|1.19..1.20
+# I rset: include/linux/if_bridge.h|1.7..1.8
+# R rset: net/core/dev.c|1.160..1.161
+#
+# Key:
+# S: Skipped  ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated  Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted  Manually deleted by subsequent user edit
+# R: Revised  Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# net/core/dev.c
+#   2004/08/25 16:35:17-07:00 shemminger@osdl.org +16 -25
+#   [BRIDGE]: Fix oops when mangling and brouting and tcpdumping packets
+#   
+#   The ebtables brouting chain, traversed through the call
+#   br_should_route_hook(), can alter a packet. The redirect target
+#   does this, f.e., to change the MAC destination.
+#   
+#   Bart discovered this and proposed a patch; this is a revised version.
+#   This version cleans up the handle_bridge code in net/core/dev.c as well
+#   as getting rid of extra rcu_read_lock and only does the br_port checking
+#   once.
+#   
+#   Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+#   Signed-off-by: David S. Miller <davem@redhat.com>
+# 
+# ChangeSet
+#   2004/08/25 16:35:34-07:00 shemminger@osdl.org 
+#   [BRIDGE]: Fix oops when mangling and brouting and tcpdumping packets
+#   
+#   The ebtables brouting chain, traversed through the call
+#   br_should_route_hook(), can alter a packet. The redirect target
+#   does this, f.e., to change the MAC destination.
+#   
+#   Bart discovered this and proposed a patch; this is a revised version.
+#   This version cleans up the handle_bridge code in net/core/dev.c as well
+#   as getting rid of extra rcu_read_lock and only does the br_port checking
+#   once.
+#   
+#   Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+#   Signed-off-by: David S. Miller <davem@redhat.com>
+# 
+# net/bridge/br_private.h
+#   2004/08/25 16:35:17-07:00 shemminger@osdl.org +1 -1
+#   [BRIDGE]: Fix oops when mangling and brouting and tcpdumping packets
+#   
+#   The ebtables brouting chain, traversed through the call
+#   br_should_route_hook(), can alter a packet. The redirect target
+#   does this, f.e., to change the MAC destination.
+#   
+#   Bart discovered this and proposed a patch; this is a revised version.
+#   This version cleans up the handle_bridge code in net/core/dev.c as well
+#   as getting rid of extra rcu_read_lock and only does the br_port checking
+#   once.
+#   
+#   Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+#   Signed-off-by: David S. Miller <davem@redhat.com>
+# 
+# net/bridge/br_input.c
+#   2004/08/25 16:35:17-07:00 shemminger@osdl.org +23 -34
+#   [BRIDGE]: Fix oops when mangling and brouting and tcpdumping packets
+#   
+#   The ebtables brouting chain, traversed through the call
+#   br_should_route_hook(), can alter a packet. The redirect target
+#   does this, f.e., to change the MAC destination.
+#   
+#   Bart discovered this and proposed a patch; this is a revised version.
+#   This version cleans up the handle_bridge code in net/core/dev.c as well
+#   as getting rid of extra rcu_read_lock and only does the br_port checking
+#   once.
+#   
+#   Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+#   Signed-off-by: David S. Miller <davem@redhat.com>
+# 
+# include/linux/if_bridge.h
+#   2004/08/25 16:35:17-07:00 shemminger@osdl.org +1 -1
+#   [BRIDGE]: Fix oops when mangling and brouting and tcpdumping packets
+#   
+#   The ebtables brouting chain, traversed through the call
+#   br_should_route_hook(), can alter a packet. The redirect target
+#   does this, f.e., to change the MAC destination.
+#   
+#   Bart discovered this and proposed a patch; this is a revised version.
+#   This version cleans up the handle_bridge code in net/core/dev.c as well
+#   as getting rid of extra rcu_read_lock and only does the br_port checking
+#   once.
+#   
+#   Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+#   Signed-off-by: David S. Miller <davem@redhat.com>
+# 
+#
+===== net/bridge/br_private.h 1.34 vs 1.35 =====
+--- 1.34/net/bridge/br_private.h	2004-08-03 08:54:45 +09:00
++++ 1.35/net/bridge/br_private.h	2004-08-26 08:35:17 +09:00
+@@ -177,7 +177,7 @@ extern int br_min_mtu(const struct net_b
+ 
+ /* br_input.c */
+ extern int br_handle_frame_finish(struct sk_buff *skb);
+-extern int br_handle_frame(struct sk_buff *skb);
++extern int br_handle_frame(struct net_bridge_port *p, struct sk_buff **pskb);
+ 
+ /* br_ioctl.c */
+ extern int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd);
+===== net/bridge/br_input.c 1.19 vs 1.20 =====
+--- 1.19/net/bridge/br_input.c	2004-08-23 17:15:14 +09:00
++++ 1.20/net/bridge/br_input.c	2004-08-26 08:35:17 +09:00
+@@ -45,27 +45,15 @@
+ 			br_pass_frame_up_finish);
+ }
+ 
++/* note: already called with rcu_read_lock (preempt_disabled) */
+ int br_handle_frame_finish(struct sk_buff *skb)
+ {
+-	struct net_bridge *br;
+-	unsigned char *dest;
++	const unsigned char *dest = skb->mac.ethernet->h_dest;
++	struct net_bridge_port *p = skb->dev->br_port;
++	struct net_bridge *br = p->br;
+ 	struct net_bridge_fdb_entry *dst;
+-	struct net_bridge_port *p;
+-	int passedup;
+-
+-	dest = skb->mac.ethernet->h_dest;
+-
+-	rcu_read_lock();
+-	p = skb->dev->br_port;
+-	smp_read_barrier_depends();
+-
+-	if (p == NULL || p->state == BR_STATE_DISABLED) {
+-		kfree_skb(skb);
+-		goto out;
+-	}
++	int passedup = 0;
+ 
+-	br = p->br;
+-	passedup = 0;
+ 	if (br->dev->flags & IFF_PROMISC) {
+ 		struct sk_buff *skb2;
+ 
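Review bot: br_handle_frame_finish() now dereferences `skb->dev->br_port` and then `p->br` with no NULL test and with a plain load, while the dev.c side of this same patch reads the pointer through `rcu_dereference()`. The removed code had both the `p == NULL` check and `smp_read_barrier_depends()`. The new "already called with rcu_read_lock" comment only holds if the function always runs synchronously inside the caller's RCU section. It is passed as the continuation to `NF_HOOK(PF_BRIDGE, NF_BR_PRE_ROUTING, ...)`, so please confirm that no hook can hold the packet and invoke it later, after the port has been removed. Otherwise keep the NULL check and use `rcu_dereference()` here.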
+@@ -99,20 +88,21 @@ int br_handle_frame_finish(struct sk_buf
+ 	br_flood_forward(br, skb, 0);
+ 
+ out:
+-	rcu_read_unlock();
+ 	return 0;
+ }
+ 
+-int br_handle_frame(struct sk_buff *skb)
++/*
++ * Called via br_handle_frame_hook.
++ * Return 0 if *pskb should be processed furthur
++ *	  1 if *pskb is handled
++ * note: already called with rcu_read_lock (preempt_disabled) 
++ */
++int br_handle_frame(struct net_bridge_port *p, struct sk_buff **pskb)
+ {
+-	unsigned char *dest;
+-	struct net_bridge_port *p;
+-
+-	dest = skb->mac.ethernet->h_dest;
++	struct sk_buff *skb = *pskb;
++	const unsigned char *dest = skb->mac.ethernet->h_dest;
+ 
+-	rcu_read_lock();
+-	p = skb->dev->br_port;
+-	if (p == NULL || p->state == BR_STATE_DISABLED)
++	if (p->state == BR_STATE_DISABLED)
+ 		goto err;
+ 
+ 	if (skb->mac.ethernet->h_source[0] & 1)
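Review bot: the new comment block above br_handle_frame() documents the return values but not the precondition the function now depends on: `p` must be non-NULL, because the `p == NULL` half of the old state test was dropped and `p->state` is read unconditionally. Please state that the caller guarantees a valid port. The return convention also flips (handled is now 1, the old code returned 0 for handled), which is worth calling out for anyone who carries a hook with the old meaning. Typo: "furthur" should be "further", and the "note:" line has trailing whitespace.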
+@@ -128,15 +118,16 @@ int br_handle_frame(struct sk_buff *skb)
+ 		if (!dest[5]) {
+ 			NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev, 
+ 				NULL, br_stp_handle_bpdu);
+-			rcu_read_unlock();
+-			return 0;
++			return 1;
+ 		}
+ 	}
+ 
+ 	else if (p->state == BR_STATE_FORWARDING) {
+-		if (br_should_route_hook && br_should_route_hook(&skb)) {
+-			rcu_read_unlock();
+-			return -1;
++		if (br_should_route_hook) {
++			if (br_should_route_hook(pskb)) 
++				return 0;
++			skb = *pskb;
++			dest = skb->mac.ethernet->h_dest;
+ 		}
+ 
+ 		if (!memcmp(p->br->dev->dev_addr, dest, ETH_ALEN))
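Review bot: the two reloads after the brouting call (`skb = *pskb;` and `dest = skb->mac.ethernet->h_dest;`) are the actual fix for the oops, yet nothing in the code says why they are needed. A one-line comment that br_should_route_hook() may replace or modify the skb would stop a later cleanup from removing them as redundant. Minor: `if (br_should_route_hook(pskb)) ` carries trailing whitespace.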
+@@ -144,12 +135,10 @@ int br_handle_frame(struct sk_buff *skb)
+ 
+ 		NF_HOOK(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
+ 			br_handle_frame_finish);
+-		rcu_read_unlock();
+-		return 0;
++		return 1;
+ 	}
+ 
+ err:
+-	rcu_read_unlock();
+ 	kfree_skb(skb);
+-	return 0;
++	return 1;
+ }
+===== include/linux/if_bridge.h 1.7 vs 1.8 =====
+--- 1.7/include/linux/if_bridge.h	2004-06-04 09:20:24 +09:00
++++ 1.8/include/linux/if_bridge.h	2004-08-26 08:35:17 +09:00
+@@ -105,7 +105,7 @@ struct __fdb_entry
+ #include <linux/netdevice.h>
+ 
+ extern void brioctl_set(int (*ioctl_hook)(unsigned int, void __user *));
+-extern int (*br_handle_frame_hook)(struct sk_buff *skb);
++extern int (*br_handle_frame_hook)(struct net_bridge_port *p, struct sk_buff **pskb);
+ extern int (*br_should_route_hook)(struct sk_buff **pskb);
+ 
+ #endif
+===== net/core/dev.c 1.160 vs 1.161 =====
+--- 1.160/net/core/dev.c	2004-08-25 09:09:48 +09:00
++++ 1.161/net/core/dev.c	2004-08-26 08:35:17 +09:00
+@@ -1683,36 +1683,29 @@
+ 	return pt_prev->func(skb, skb->dev, pt_prev);
+ }
+ 
+-
+ #if defined(CONFIG_BRIDGE) || defined (CONFIG_BRIDGE_MODULE)
+-int (*br_handle_frame_hook)(struct sk_buff *skb);
++int (*br_handle_frame_hook)(struct net_bridge_port *p, struct sk_buff **pskb);
+ 
+-static __inline__ int handle_bridge(struct sk_buff *skb,
+-				     struct packet_type *pt_prev)
++static __inline__ int handle_bridge(struct sk_buff **pskb,
++				   struct packet_type **pt_prev, int *ret)
+ {
+-	int ret = NET_RX_DROP;
+-	if (pt_prev)
+-		ret = deliver_skb(skb, pt_prev, 0);
+-
+-	return ret;
+-}
+-
+-#endif
++	struct net_bridge_port *port;
+ 
+-static inline int __handle_bridge(struct sk_buff *skb,
+-			struct packet_type **pt_prev, int *ret)
+-{
+-#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+-	if (skb->dev->br_port && skb->pkt_type != PACKET_LOOPBACK) {
+-		*ret = handle_bridge(skb, *pt_prev);
+-		if (br_handle_frame_hook(skb) == 0)
+-			return 1;
++	if ((*pskb)->pkt_type == PACKET_LOOPBACK ||
++	    (port = rcu_dereference((*pskb)->dev->br_port)) == NULL)
++		return 0;
+ 
++	if (*pt_prev) {
++		*ret = deliver_skb(*pskb, *pt_prev);
+ 		*pt_prev = NULL;
+ 	}
+-#endif
+-	return 0;
++
++	return br_handle_frame_hook(port, pskb);
+ }
++#else
++#define handle_bridge(skb, pt_prev, ret)	(0)
++#endif
++
+ 
+ 
+ #ifdef CONFIG_NET_CLS_ACT
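Review bot: the new handle_bridge() calls `deliver_skb(*pskb, *pt_prev)` with two arguments, but the code removed in this same hunk called `deliver_skb(skb, pt_prev, 0)` with three. Nothing in this patch changes deliver_skb() itself, so against the 2.6.8 tree this looks like a build failure in net/core/dev.c whenever CONFIG_BRIDGE is set. Please check the signature in the target tree and add the third argument if it is still required. Also note that the `#else` stub `handle_bridge(skb, pt_prev, ret)` evaluates none of its arguments, which is fine here but deserves a comment.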
+@@ -1812,7 +1803,7 @@ ncls:
+ 
+ 	handle_diverter(skb);
+ 
+-	if (__handle_bridge(skb, &pt_prev, &ret))
++	if (handle_bridge(&skb, &pt_prev, &ret))
+ 		goto out;
+ 
+ 	type = skb->protocol;

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-netfilter-etables-smp-race.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-netfilter-etables-smp-race.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-bridge-netfilter-etables-smp-race.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,41 @@
+commit 5ba07d5c81af64d42937a4027ea7c930bdd8bf9e
+tree 75a6512dac67541bf9a76a5e2a5af129702547a6
+parent 973ed0feb6c29b170e4e57f25198403b1fee2dfb
+author bdschuym@pandora.be <bdschuym@pandora.be> 1110864151 -0800
+committer  <chrisw@vas.sous-sol.org> 1117167602 -0700
+
+[PATCH] Fix smp race.
+
+The patch below fixes an smp race that happens on such systems under
+heavy load.
+This bug was reported and solved by Steve Herrell
+<steve_herrell@yahoo.ca>
+
+Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+I:100644 100644 33dde2be31ba3ef2f0a3b0630f7490db0390670d 771105c927be47b5545df4c7a99376ec125c20a1 M	net/bridge/netfilter/ebtables.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int 
+ 	struct ebt_chainstack *cs;
+ 	struct ebt_entries *chaininfo;
+ 	char *base;
+-	struct ebt_table_info *private = table->private;
++	struct ebt_table_info *private;
+ 
+ 	read_lock_bh(&table->lock);
++	private = table->private;
+ 	cb_base = COUNTER_BASE(private->counters, private->nentries,
+ 	   smp_processor_id());
+ 	if (private->chainstack)
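Review bot: the description ("Fix smp race") does not say what raced, and the code gives no hint either. From the hunk, the problem is that `table->private` was loaded in the declaration, before `read_lock_bh(&table->lock)` was taken, so the pointer could be stale by the time `private->counters` and `private->nentries` are used. Please say so in the patch description, and consider a short comment at `private = table->private;` noting that it must stay under the lock, since moving an assignment back into a declaration is exactly the kind of tidy-up that would reintroduce the bug.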

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-ipvs-conn_tab-race.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-ipvs-conn_tab-race.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-ipvs-conn_tab-race.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,115 @@
+Date: Fri, 24 Jun 2005 13:40:54 -0400
+From: Neil Horman <nhorman@redhat.com>
+To: Julian Anastasov <ja@ssi.bg>
+Cc: Neil Horman <nhorman@redhat.com>,
+        linux-kernel <linux-kernel@vger.kernel.org>,
+        Wensong Zhang <wensong@linux-vs.org>, akpm@osdl.org,
+        netdev@oss.sgi.com, davem@davemloft.net
+Subject: Re: [Patch] ipvs: close race conditions on ip_vs_conn_tab list modification
+
+On Fri, Jun 24, 2005 at 06:09:40PM +0300, Julian Anastasov wrote:
+> 
+> 	Hello,
+> 
+> On Fri, 24 Jun 2005, Neil Horman wrote:
+> 
+> >  			if (ct) {
+> >  				IP_VS_DBG(4, "del conn template\n");
+> >  				ip_vs_conn_expire_now(ct);
+> >  			}
+> 
+> 	Don't forget to use cp->control instead of ct, ct is not needed
+> anymore.
+> 
+> Regards
+> 
+> --
+> Julian Anastasov <ja@ssi.bg>
+> 
+
+
+Good catch.  Sorry, should have seen that earlier.  New patch attached with
+corrections.  When you're comfortable with this, I'll post the 2.4 version of
+the patch.
+
+Regards 
+Neil
+
+Signed-off-by: Neil Horman <nhorman@redhat.com>
+
+ ip_vs_conn.c |   24 ++++--------------------
+ 1 files changed, 4 insertions(+), 20 deletions(-)
+
+
+--- linux-2.6.git/net/ipv4/ipvs/ip_vs_conn.c.orig	2005-06-23 13:11:00.000000000 -0400
++++ linux-2.6.git/net/ipv4/ipvs/ip_vs_conn.c	2005-06-24 13:33:03.000000000 -0400
+@@ -548,7 +548,6 @@
+ {
+ 	if (del_timer(&cp->timer))
+ 		mod_timer(&cp->timer, jiffies);
+-	__ip_vs_conn_put(cp);
+ }
+ 
+ 
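Review bot: dropping `__ip_vs_conn_put(cp)` from ip_vs_conn_expire_now() changes the contract of the helper: it no longer consumes a reference. The two loops modified further down stop taking one with `atomic_inc(&cp->refcnt)`, so they stay balanced, but any other caller of ip_vs_conn_expire_now() that is not touched by this patch and still takes a reference first would now leak it. Please confirm there are no other callers, and document above the function that it must be called without an extra reference held.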
+@@ -801,21 +800,12 @@
+ 					continue;
+ 			}
+ 
+-			/*
+-			 * Drop the entry, and drop its ct if not referenced
+-			 */
+-			atomic_inc(&cp->refcnt);
+-			ct_write_unlock(hash);
+-
+-			if ((ct = cp->control))
+-				atomic_inc(&ct->refcnt);
+ 			IP_VS_DBG(4, "del connection\n");
+ 			ip_vs_conn_expire_now(cp);
+-			if (ct) {
++			if (cp->control) {
+ 				IP_VS_DBG(4, "del conn template\n");
+-				ip_vs_conn_expire_now(ct);
++				ip_vs_conn_expire_now(cp->control);
+ 			}
+-			ct_write_lock(hash);
+ 		}
+ 		ct_write_unlock(hash);
+ 	}
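Review bot: this hunk removes every visible use of `ct` in this function, but unlike the flush function below (where `struct ip_vs_conn *ct;` is deleted) no hunk removes a declaration of `ct` here, and the diffstat of 20 deletions is fully accounted for by the lines shown. If the function still declares `ct`, it is now an unused variable and should go in the same patch. Separately, `cp->control` is read twice, once in the test and once in the call; that is safe only because the whole block now runs under the `ct_write_lock`, which is worth a comment.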
+@@ -829,7 +819,6 @@
+ {
+ 	int idx;
+ 	struct ip_vs_conn *cp;
+-	struct ip_vs_conn *ct;
+ 
+   flush_again:
+ 	for (idx=0; idx<IP_VS_CONN_TAB_SIZE; idx++) {
+@@ -839,18 +828,13 @@
+ 		ct_write_lock_bh(idx);
+ 
+ 		list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) {
+-			atomic_inc(&cp->refcnt);
+-			ct_write_unlock(idx);
+ 
+-			if ((ct = cp->control))
+-				atomic_inc(&ct->refcnt);
+ 			IP_VS_DBG(4, "del connection\n");
+ 			ip_vs_conn_expire_now(cp);
+-			if (ct) {
++			if (cp->control) {
+ 				IP_VS_DBG(4, "del conn template\n");
+-				ip_vs_conn_expire_now(ct);
++				ip_vs_conn_expire_now(cp->control);
+ 			}
+-			ct_write_lock(idx);
+ 		}
+ 		ct_write_unlock_bh(idx);
+ 	}
+-- 
+/***************************************************
+ *Neil Horman
+ *Software Engineer
+ *Red Hat, Inc.
+ *nhorman@redhat.com
+ *gpg keyid: 1024D / 0x92A74FA1
+ *http://pgp.mit.edu
+ ***************************************************/

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-netfilter-ip_queue-deadlock.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-netfilter-ip_queue-deadlock.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-netfilter-ip_queue-deadlock.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,69 @@
+commit 839c2379a6ed8ea9dd669d4c3206b85c5dff674e
+tree fb7cb1c304f0f5f5d14412ee533ca9a2a30d46f3
+parent 43cdfc5ea9a5c7b7904dd040370f6655951412f0
+author Harald Welte <laforge@netfilter.org> 1117492694 -0700
+committer Chris Wright <chrisw@osdl.org> 1118544322 -0700
+
+[PATCH] Fix deadlock with ip_queue and tcp local input path.
+
+When we have ip_queue being used from LOCAL_IN, then we end up with a
+situation where the verdicts coming back from userspace traverse the TCP
+input path from syscall context.  While this seems to work most of the
+time, there's an ugly deadlock:
+
+syscall context is interrupted by the timer interrupt.  When the timer
+interrupt leaves, the timer softirq get's scheduled and calls
+tcp_delack_timer() and alike.  They themselves do bh_lock_sock(sk),
+which is already held from somewhere else -> boom.
+
+I've now tested the suggested solution by Patrick McHardy and Herbert Xu to
+simply use local_bh_{en,dis}able().
+
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+I:100644 100644 a9aa12cc83bb40137acbd7410656b9da07724ed4 470a9055488eb9b5cffb7467ed23030c5da6c989 M	net/ipv4/netfilter/ip_queue.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
+--- a/net/ipv4/netfilter/ip_queue.c
++++ b/net/ipv4/netfilter/ip_queue.c
+@@ -3,6 +3,7 @@
+  * communicating with userspace via netlink.
+  *
+  * (C) 2000-2002 James Morris <jmorris@intercode.com.au>
++ * (C) 2003-2005 Netfilter Core Team <coreteam@netfilter.org>
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -14,6 +15,7 @@
+  *             Zander).
+  * 2000-08-01: Added Nick Williams' MAC support.
+  * 2002-06-25: Code cleanup.
++ * 2005-05-26: local_bh_{disable,enable} around nf_reinject (Harald Welte)
+  *
+  */
+ #include <linux/module.h>
+@@ -66,7 +68,15 @@ static DECLARE_MUTEX(ipqnl_sem);
+ static void
+ ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
+ {
++	/* TCP input path (and probably other bits) assume to be called
++	 * from softirq context, not from syscall, like ipq_issue_verdict is
++	 * called.  TCP input path deadlocks with locks taken from timer
++	 * softirq, e.g.  We therefore emulate this by local_bh_disable() */
++
++	local_bh_disable();
+ 	nf_reinject(entry->skb, entry->info, verdict);
++	local_bh_enable();
++
+ 	kfree(entry);
+ }
+ 
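Review bot: the comment added in ipq_issue_verdict() is hard to follow at the point where it matters most: "deadlocks with locks taken from timer softirq, e.g." trails off, and "We therefore emulate this" does not say what is emulated. Suggest wording along the lines of: the TCP input path expects softirq context; called from syscall context, a timer softirq can interrupt it and spin on the socket lock already held, so bottom halves are disabled around nf_reinject() to emulate softirq context. Also, the copyright line added in the first hunk is unrelated to the deadlock fix and would be cleaner as a separate change.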

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-rose-ndigis-verify.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-rose-ndigis-verify.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-rose-ndigis-verify.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,36 @@
+commit 87127723a58fe970177ce087e079f2fffac2adce
+tree e5cefe66570da03dabb35fe5037fcefe2183cfbf
+parent bb2c14017115369ba23f7fe86309e725bd2ee9b5
+author ralf@linux-mips.org <ralf@linux-mips.org> 1110512828 -0800
+committer  <chrisw@vas.sous-sol.org> 1117167606 -0700
+
+[PATCH] Fix minor security hole
+
+ROSE wasn't verifying the ndigis argument of a new route resulting in a
+minor security hole.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+I:100644 100644 92674a1cc49ea6640a070e32e03fa1027568414c d19d931a1a75a26bb4395fae73c0dd1efab16d45 M	net/rose/rose_route.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void
+ 		}
+ 		if (rose_route.mask > 10) /* Mask can't be more than 10 digits */
+ 			return -EINVAL;
+-
++		if (rose_route.ndigis > 8) /* No more than 8 digipeats */
++			return -EINVAL;
+ 		err = rose_add_node(&rose_route, dev);
+ 		dev_put(dev);
+ 		return err;
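Review bot: the new `return -EINVAL` for `rose_route.ndigis > 8` leaves the function without the `dev_put(dev)` that the normal path performs right after rose_add_node(). If `dev` is already held at this point, which the unconditional `dev_put(dev)` below suggests, every rejected request leaks a device reference; the existing `mask > 10` check just above has the same shape. Consider `dev_put(dev)` before both returns, or moving the argument checks ahead of the device lookup. Two smaller points: the literal 8 should be the named constant that sizes the digipeater array so the check cannot drift from the buffer it protects, and if `ndigis` is a signed type a negative value passes this test, so please confirm the type or add a lower bound.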

Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17	2005-06-29 09:17:55 UTC (rev 3409)
@@ -1,2 +1,24 @@
 + mckinley_icache.dpatch
 - drivers-net-via-rhine-wol-oops.dpatch
++ arch-x86_64-kernel-ptrace-boundary-check.dpatch
++ arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch
++ arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
++ arch-x86_64-kernel-smp-boot-race.dpatch
++ arch-x86_64-mm-ioremap-page-lookup.dpatch
++ drivers-media-vidio-bttv-vc100xp-detect.dpatch
++ fs-exec-ptrace-core-exec-race.dpatch
++ fs-exec-ptrace-deadlock.dpatch
++ fs-exec-posix-timers-leak-1.dpatch
++ fs-exec-posix-timers-leak-2.dpatch
++ fs-exec-reparent-timers.dpatch
++ fs-hfs-oops-and-leak.dpatch
++ fs-jbd-checkpoint-assertion.dpatch
+#+ mm-mmap-range-test.dpatch
++ mm-rmap-out-of-bounds-pte.dpatch
++ net-bridge-netfilter-etables-smp-race.dpatch
++ net-bridge-mangle-oops.dpatch
++ net-bridge-forwarding-poison.dpatch
++ net-ipv4-netfilter-ip_queue-deadlock.dpatch
++ net-rose-ndigis-verify.dpatch
++ sound-usb-usbaudio-unplug-oops.dpatch
++ net-ipv4-ipvs-conn_tab-race.dpatch
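Review bot: `#+ mm-mmap-range-test.dpatch` is added to the series already commented out, with no reason given, while the patch file itself is added in this same revision. Please add a comment line saying why it is disabled (build failure, pending review, superseded) or leave the file out until it is ready, so that nobody has to guess whether this fix is expected to ship in 2.6.8-17. The three bridge patches are also listed in a different order from the one in which their files appear in the commit; if they touch overlapping code, a note on the required apply order would help.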

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sound-usb-usbaudio-unplug-oops.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sound-usb-usbaudio-unplug-oops.dpatch	2005-06-28 01:01:26 UTC (rev 3408)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sound-usb-usbaudio-unplug-oops.dpatch	2005-06-29 09:17:55 UTC (rev 3409)
@@ -0,0 +1,43 @@
+commit 439de7e64f1d6c24694697ca103185dbd04563f0
+tree 02914a46932ca652a5a4c2bb82f49333bc5fb420
+parent 87127723a58fe970177ce087e079f2fffac2adce
+author Gregor Jasny <gjasny@web.de> 1114673208 +0200
+committer  <chrisw@vas.sous-sol.org> 1117167607 -0700
+
+[PATCH] usbaudio: prevent oops & dead keyboard on usb unplugging while the device is being used
+
+Summary: prevent oops & dead keyboard on usb unplugging while the device is being used
+
+Without this patch, some usb kobjects, which are parents to
+the usx2y's kobjects can be freed before the usx2y's.
+This led to an oops in get_kobj_path_length() and a dead
+keyboard, when the usx2y's kobjects were freed.
+The patch ensures the correct sequence.
+Tested ok on kernel 2.6.12-rc2.
+
+Present in ALSA cvs
+
+Signed-off-by: Karsten Wiese <annabellesgarden@yahoo.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+I:100644 100644 e7520f99054c7e65216fd0cb9fe562a0644a8fcb 5ea025155db9a59e1039537d40588e8309ad2e0a M	sound/usb/usbaudio.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c
+--- a/sound/usb/usbaudio.c
++++ b/sound/usb/usbaudio.c
+@@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(str
+ 		}
+ 		usb_chip[chip->index] = NULL;
+ 		up(&register_mutex);
+-		snd_card_free_in_thread(card);
++		snd_card_free(card);
+ 	} else {
+ 		up(&register_mutex);
+ 	}
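Review bot: the switch from `snd_card_free_in_thread(card)` to `snd_card_free(card)` is a one-word change with no comment, and the description talks only about usx2y kobjects even though snd_usb_audio_disconnect() in sound/usb/usbaudio.c is the disconnect path for every device this driver handles. Please add a comment at the call explaining that the card must be freed synchronously so its kobjects go away before their USB parents, and mention in the description that disconnect now waits for the free to complete. Without that, the deferred variant looks like the safer choice and is likely to be restored.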