r4165 - in dists/trunk/linux-2.6/debian: . patches-debian
patches-debian/series
Frederik Schüler
fschueler-guest at costa.debian.org
Sat Sep 10 17:36:09 UTC 2005
Author: fschueler-guest
Date: 2005-09-10 17:36:08 +0000 (Sat, 10 Sep 2005)
New Revision: 4165
Added:
dists/trunk/linux-2.6/debian/patches-debian/patch-2.6.13.1
Modified:
dists/trunk/linux-2.6/debian/changelog
dists/trunk/linux-2.6/debian/patches-debian/series/2.6.13-1
Log:
Added patch-2.6.13.1
Modified: dists/trunk/linux-2.6/debian/changelog
===================================================================
--- dists/trunk/linux-2.6/debian/changelog 2005-09-10 02:48:40 UTC (rev 4164)
+++ dists/trunk/linux-2.6/debian/changelog 2005-09-10 17:36:08 UTC (rev 4165)
@@ -3,8 +3,22 @@
[ Bastian Blank ]
*
- -- Simon Horman <horms at debian.org> Tue, 30 Aug 2005 19:27:52 +0900
+ [ Frederik Schüler ]
+ * Added class and longclass descriptions for amd64 flavours.
+ * Added patch-2.6.13.1:
+ - raw_sendmsg DoS (CAN-2005-2492)
+ - 32bit sendmsg() flaw (CAN-2005-2490)
+ - Reassembly trim not clearing CHECKSUM_HW
+ - Use SA_SHIRQ in sparc specific code.
+ - Fix boundary check in standard multi-block cipher processors
+ - 2.6.13 breaks libpcap (and tcpdump)
+ - x86: pci_assign_unassigned_resources() update
+ - Fix PCI ROM mapping
+ - aacraid: 2.6.13 aacraid bad BUG_ON fix
+ - Kconfig: saa7134-dvb must select tda1004x
+ -- Frederik Schüler <fschueler at gmx.net> Sat, 10 Sep 2005 18:12:13 +0200
+
linux-2.6 (2.6.12-7) UNRELEASED; urgency=low
[ Simon Horman ]
Added: dists/trunk/linux-2.6/debian/patches-debian/patch-2.6.13.1
===================================================================
--- dists/trunk/linux-2.6/debian/patches-debian/patch-2.6.13.1 2005-09-10 02:48:40 UTC (rev 4164)
+++ dists/trunk/linux-2.6/debian/patches-debian/patch-2.6.13.1 2005-09-10 17:36:08 UTC (rev 4165)
@@ -0,0 +1,422 @@
+diff --git a/arch/i386/pci/common.c b/arch/i386/pci/common.c
+--- a/arch/i386/pci/common.c
++++ b/arch/i386/pci/common.c
+@@ -165,7 +165,6 @@ static int __init pcibios_init(void)
+ if ((pci_probe & PCI_BIOS_SORT) && !(pci_probe & PCI_NO_SORT))
+ pcibios_sort();
+ #endif
+- pci_assign_unassigned_resources();
+ return 0;
+ }
+
+diff --git a/arch/i386/pci/i386.c b/arch/i386/pci/i386.c
+--- a/arch/i386/pci/i386.c
++++ b/arch/i386/pci/i386.c
+@@ -170,43 +170,26 @@ static void __init pcibios_allocate_reso
+ static int __init pcibios_assign_resources(void)
+ {
+ struct pci_dev *dev = NULL;
+- int idx;
+- struct resource *r;
++ struct resource *r, *pr;
+
+- for_each_pci_dev(dev) {
+- int class = dev->class >> 8;
+-
+- /* Don't touch classless devices and host bridges */
+- if (!class || class == PCI_CLASS_BRIDGE_HOST)
+- continue;
+-
+- for(idx=0; idx<6; idx++) {
+- r = &dev->resource[idx];
+-
+- /*
+- * Don't touch IDE controllers and I/O ports of video cards!
+- */
+- if ((class == PCI_CLASS_STORAGE_IDE && idx < 4) ||
+- (class == PCI_CLASS_DISPLAY_VGA && (r->flags & IORESOURCE_IO)))
+- continue;
+-
+- /*
+- * We shall assign a new address to this resource, either because
+- * the BIOS forgot to do so or because we have decided the old
+- * address was unusable for some reason.
+- */
+- if (!r->start && r->end)
+- pci_assign_resource(dev, idx);
+- }
+-
+- if (pci_probe & PCI_ASSIGN_ROMS) {
++ if (!(pci_probe & PCI_ASSIGN_ROMS)) {
++ /* Try to use BIOS settings for ROMs, otherwise let
++ pci_assign_unassigned_resources() allocate the new
++ addresses. */
++ for_each_pci_dev(dev) {
+ r = &dev->resource[PCI_ROM_RESOURCE];
+- r->end -= r->start;
+- r->start = 0;
+- if (r->end)
+- pci_assign_resource(dev, PCI_ROM_RESOURCE);
++ if (!r->flags || !r->start)
++ continue;
++ pr = pci_find_parent_resource(dev, r);
++ if (!pr || request_resource(pr, r) < 0) {
++ r->end -= r->start;
++ r->start = 0;
++ }
+ }
+ }
++
++ pci_assign_unassigned_resources();
++
+ return 0;
+ }
+
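Review bot: The rewritten pcibios_assign_resources() no longer carries the exclusions the old loop had (classless devices, host bridges, the first four resources of IDE controllers, I/O ports of VGA cards) and defers everything to `pci_assign_unassigned_resources()`, whose body is not part of this patch. If those devices are still meant to be left untouched, the new block comment should say where that is enforced now, because nothing visible here does it. In the ROM branch, a one-line comment such as `/* BIOS address unusable: keep only the size so the ROM is assigned afresh */` above `r->end -= r->start;` would explain the reset that follows a failed `request_resource()`.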
+diff --git a/crypto/cipher.c b/crypto/cipher.c
+--- a/crypto/cipher.c
++++ b/crypto/cipher.c
+@@ -191,6 +191,8 @@ static unsigned int cbc_process_encrypt(
+ u8 *iv = desc->info;
+ unsigned int done = 0;
+
++ nbytes -= bsize;
++
+ do {
+ xor(iv, src);
+ fn(crypto_tfm_ctx(tfm), dst, iv);
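Review bot: `nbytes -= bsize` ahead of the loop assumes the caller never passes fewer than `bsize` bytes. If `nbytes` is unsigned like `done` (its declaration is outside the hunk), a shorter value wraps to a very large bound, and the `<=` test added in the next hunk would keep the loop walking past the source and destination buffers. The same pair of changes is made in cbc_process_decrypt and ecb_process. If the caller guarantees at least one full block, state it next to the subtraction, e.g. `/* caller guarantees nbytes >= bsize */`. Otherwise an explicit guard is needed before the loop, and how the caller treats a zero return would have to be checked first.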
+@@ -198,7 +200,7 @@ static unsigned int cbc_process_encrypt(
+
+ src += bsize;
+ dst += bsize;
+- } while ((done += bsize) < nbytes);
++ } while ((done += bsize) <= nbytes);
+
+ return done;
+ }
+@@ -219,6 +221,8 @@ static unsigned int cbc_process_decrypt(
+ u8 *iv = desc->info;
+ unsigned int done = 0;
+
++ nbytes -= bsize;
++
+ do {
+ u8 *tmp_dst = *dst_p;
+
+@@ -230,7 +234,7 @@ static unsigned int cbc_process_decrypt(
+
+ src += bsize;
+ dst += bsize;
+- } while ((done += bsize) < nbytes);
++ } while ((done += bsize) <= nbytes);
+
+ return done;
+ }
+@@ -243,12 +247,14 @@ static unsigned int ecb_process(const st
+ void (*fn)(void *, u8 *, const u8 *) = desc->crfn;
+ unsigned int done = 0;
+
++ nbytes -= bsize;
++
+ do {
+ fn(crypto_tfm_ctx(tfm), dst, src);
+
+ src += bsize;
+ dst += bsize;
+- } while ((done += bsize) < nbytes);
++ } while ((done += bsize) <= nbytes);
+
+ return done;
+ }
+diff --git a/drivers/char/rtc.c b/drivers/char/rtc.c
+--- a/drivers/char/rtc.c
++++ b/drivers/char/rtc.c
+@@ -938,10 +938,9 @@ found:
+
+ /*
+ * XXX Interrupt pin #7 in Espresso is shared between RTC and
+- * PCI Slot 2 INTA# (and some INTx# in Slot 1). SA_INTERRUPT here
+- * is asking for trouble with add-on boards. Change to SA_SHIRQ.
++ * PCI Slot 2 INTA# (and some INTx# in Slot 1).
+ */
+- if (request_irq(rtc_irq, rtc_interrupt, SA_INTERRUPT, "rtc", (void *)&rtc_port)) {
++ if (request_irq(rtc_irq, rtc_interrupt, SA_SHIRQ, "rtc", (void *)&rtc_port)) {
+ /*
+ * Standard way for sparc to print irq's is to use
+ * __irq_itoa(). I think for EBus it's ok to use %d.
+diff --git a/drivers/media/video/Kconfig b/drivers/media/video/Kconfig
+--- a/drivers/media/video/Kconfig
++++ b/drivers/media/video/Kconfig
+@@ -254,6 +254,7 @@ config VIDEO_SAA7134_DVB
+ select VIDEO_BUF_DVB
+ select DVB_MT352
+ select DVB_CX22702
++ select DVB_TDA1004X
+ ---help---
+ This adds support for DVB cards based on the
+ Philips saa7134 chip.
+diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
+--- a/drivers/pci/rom.c
++++ b/drivers/pci/rom.c
+@@ -21,13 +21,21 @@
+ * between the ROM and other resources, so enabling it may disable access
+ * to MMIO registers or other card memory.
+ */
+-static void pci_enable_rom(struct pci_dev *pdev)
++static int pci_enable_rom(struct pci_dev *pdev)
+ {
++ struct resource *res = pdev->resource + PCI_ROM_RESOURCE;
++ struct pci_bus_region region;
+ u32 rom_addr;
+
++ if (!res->flags)
++ return -1;
++
++ pcibios_resource_to_bus(pdev, ®ion, res);
+ pci_read_config_dword(pdev, pdev->rom_base_reg, &rom_addr);
+- rom_addr |= PCI_ROM_ADDRESS_ENABLE;
++ rom_addr &= ~PCI_ROM_ADDRESS_MASK;
++ rom_addr |= region.start | PCI_ROM_ADDRESS_ENABLE;
+ pci_write_config_dword(pdev, pdev->rom_base_reg, rom_addr);
++ return 0;
+ }
+
+ /**
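Review bot: pci_enable_rom() now returns a bare `-1` when the ROM resource has no flags, and the comment above it still describes a function with no result. An errno value such as `return -ENODEV;` would follow kernel convention. The caller changed later in this patch only tests for non-zero, so nothing else would need to move. The comment should also gain a line on the return value, e.g. `Returns 0 on success, non-zero if the ROM resource is unset.` Separately, `®ion` on the pcibios_resource_to_bus() line looks like a rendering artefact of `&region` rather than part of the change.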
+@@ -71,19 +79,21 @@ void __iomem *pci_map_rom(struct pci_dev
+ } else {
+ if (res->flags & IORESOURCE_ROM_COPY) {
+ *size = pci_resource_len(pdev, PCI_ROM_RESOURCE);
+- return (void __iomem *)pci_resource_start(pdev, PCI_ROM_RESOURCE);
++ return (void __iomem *)pci_resource_start(pdev,
++ PCI_ROM_RESOURCE);
+ } else {
+ /* assign the ROM an address if it doesn't have one */
+- if (res->parent == NULL)
+- pci_assign_resource(pdev, PCI_ROM_RESOURCE);
+-
++ if (res->parent == NULL &&
++ pci_assign_resource(pdev,PCI_ROM_RESOURCE))
++ return NULL;
+ start = pci_resource_start(pdev, PCI_ROM_RESOURCE);
+ *size = pci_resource_len(pdev, PCI_ROM_RESOURCE);
+ if (*size == 0)
+ return NULL;
+
+ /* Enable ROM space decodes */
+- pci_enable_rom(pdev);
++ if (pci_enable_rom(pdev))
++ return NULL;
+ }
+ }
+
+diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -40,7 +40,7 @@
+ * FIXME: IO should be max 256 bytes. However, since we may
+ * have a P2P bridge below a cardbus bridge, we need 4K.
+ */
+-#define CARDBUS_IO_SIZE (256)
++#define CARDBUS_IO_SIZE (4*1024)
+ #define CARDBUS_MEM_SIZE (32*1024*1024)
+
+ static void __devinit
+diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
+--- a/drivers/scsi/aacraid/aachba.c
++++ b/drivers/scsi/aacraid/aachba.c
+@@ -968,7 +968,7 @@ static int aac_read(struct scsi_cmnd * s
+ fibsize = sizeof(struct aac_read64) +
+ ((le32_to_cpu(readcmd->sg.count) - 1) *
+ sizeof (struct sgentry64));
+- BUG_ON (fibsize > (sizeof(struct hw_fib) -
++ BUG_ON (fibsize > (dev->max_fib_size -
+ sizeof(struct aac_fibhdr)));
+ /*
+ * Now send the Fib to the adapter
+diff --git a/include/net/compat.h b/include/net/compat.h
+--- a/include/net/compat.h
++++ b/include/net/compat.h
+@@ -33,7 +33,8 @@ extern asmlinkage long compat_sys_sendms
+ extern asmlinkage long compat_sys_recvmsg(int,struct compat_msghdr __user *,unsigned);
+ extern asmlinkage long compat_sys_getsockopt(int, int, int, char __user *, int __user *);
+ extern int put_cmsg_compat(struct msghdr*, int, int, int, void *);
+-extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, unsigned char *,
+- int);
++
++struct sock;
++extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, struct sock *, unsigned char *, int);
+
+ #endif /* NET_COMPAT_H */
+diff --git a/net/compat.c b/net/compat.c
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -135,13 +135,14 @@ static inline struct compat_cmsghdr __us
+ * thus placement) of cmsg headers and length are different for
+ * 32-bit apps. -DaveM
+ */
+-int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg,
++int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
+ unsigned char *stackbuf, int stackbuf_size)
+ {
+ struct compat_cmsghdr __user *ucmsg;
+ struct cmsghdr *kcmsg, *kcmsg_base;
+ compat_size_t ucmlen;
+ __kernel_size_t kcmlen, tmp;
++ int err = -EFAULT;
+
+ kcmlen = 0;
+ kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
+@@ -156,6 +157,7 @@ int cmsghdr_from_user_compat_to_kern(str
+
+ tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+ CMSG_ALIGN(sizeof(struct cmsghdr)));
++ tmp = CMSG_ALIGN(tmp);
+ kcmlen += tmp;
+ ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+ }
+@@ -167,30 +169,34 @@ int cmsghdr_from_user_compat_to_kern(str
+ * until we have successfully copied over all of the data
+ * from the user.
+ */
+- if(kcmlen > stackbuf_size)
+- kcmsg_base = kcmsg = kmalloc(kcmlen, GFP_KERNEL);
+- if(kcmsg == NULL)
++ if (kcmlen > stackbuf_size)
++ kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL);
++ if (kcmsg == NULL)
+ return -ENOBUFS;
+
+ /* Now copy them over neatly. */
+ memset(kcmsg, 0, kcmlen);
+ ucmsg = CMSG_COMPAT_FIRSTHDR(kmsg);
+ while(ucmsg != NULL) {
+- __get_user(ucmlen, &ucmsg->cmsg_len);
++ if (__get_user(ucmlen, &ucmsg->cmsg_len))
++ goto Efault;
++ if (!CMSG_COMPAT_OK(ucmlen, ucmsg, kmsg))
++ goto Einval;
+ tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+ CMSG_ALIGN(sizeof(struct cmsghdr)));
++ if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
++ goto Einval;
+ kcmsg->cmsg_len = tmp;
+- __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
+- __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
+-
+- /* Copy over the data. */
+- if(copy_from_user(CMSG_DATA(kcmsg),
+- CMSG_COMPAT_DATA(ucmsg),
+- (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
+- goto out_free_efault;
++ tmp = CMSG_ALIGN(tmp);
++ if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
++ __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
++ copy_from_user(CMSG_DATA(kcmsg),
++ CMSG_COMPAT_DATA(ucmsg),
++ (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
++ goto Efault;
+
+ /* Advance. */
+- kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
++ kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
+ ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+ }
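Review bot: The copy loop reads `cmsg_len` from user memory a second time, after the sizing loop has already used it to compute `kcmlen`, and nothing in the code explains why the new `CMSG_COMPAT_OK` and remaining-space checks are there. A comment ahead of the loop would keep them from being removed later as redundant: `/* ucmsg lives in user memory and may have changed since the sizing pass; re-validate each header against kcmlen before copying. */`. The remaining-space test compares a pointer difference with the size-typed `tmp`, which holds only because `kcmsg` never advances past `kcmsg_base + kcmlen`. That invariant is worth stating in the same comment. The function begins and ends outside this hunk.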
+
+@@ -199,10 +205,12 @@ int cmsghdr_from_user_compat_to_kern(str
+ kmsg->msg_controllen = kcmlen;
+ return 0;
+
+-out_free_efault:
+- if(kcmsg_base != (struct cmsghdr *)stackbuf)
+- kfree(kcmsg_base);
+- return -EFAULT;
++Einval:
++ err = -EINVAL;
++Efault:
++ if (kcmsg_base != (struct cmsghdr *)stackbuf)
++ sock_kfree_s(sk, kcmsg_base, kcmlen);
++ return err;
+ }
+
+ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
+diff --git a/net/core/filter.c b/net/core/filter.c
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -182,7 +182,7 @@ int sk_run_filter(struct sk_buff *skb, s
+ A = ntohl(*(u32 *)ptr);
+ continue;
+ }
+- return 0;
++ break;
+ case BPF_LD|BPF_H|BPF_ABS:
+ k = fentry->k;
+ load_h:
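Review bot: Replacing `return 0` with `break` in the three absolute-load cases (this hunk and the two that follow) sends a failed bounds check out of the switch into code that is not visible here, yet the cases still read as if the load had simply failed. A short comment on each `break`, e.g. `/* out-of-range offset: let the code after the switch decide */`, would make the intent clear and discourage restoring the early return. It is also worth confirming that every path after the switch still ends in a return for offsets that are neither valid nor specially handled.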
+@@ -191,7 +191,7 @@ int sk_run_filter(struct sk_buff *skb, s
+ A = ntohs(*(u16 *)ptr);
+ continue;
+ }
+- return 0;
++ break;
+ case BPF_LD|BPF_B|BPF_ABS:
+ k = fentry->k;
+ load_b:
+@@ -200,7 +200,7 @@ load_b:
+ A = *(u8 *)ptr;
+ continue;
+ }
+- return 0;
++ break;
+ case BPF_LD|BPF_W|BPF_LEN:
+ A = skb->len;
+ continue;
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -457,7 +457,7 @@ static void ip_frag_queue(struct ipq *qp
+
+ if (pskb_pull(skb, ihl) == NULL)
+ goto err;
+- if (pskb_trim(skb, end-offset))
++ if (pskb_trim_rcsum(skb, end-offset))
+ goto err;
+
+ /* Find out which fragments are in front and at the back of us
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -358,7 +358,7 @@ static void raw_probe_proto_opt(struct f
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
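Review bot: Both `get_user()` calls discard their return value, so a faulting `type` or `code` pointer still ends with `probed = 1` and with whatever the failed read left in `fl_icmp_type` and `fl_icmp_code`. Switching the second call from `__get_user` adds the access check but no error handling, and the same applies to rawv6_probe_proto_opt in net/ipv6/raw.c. One option is `if (get_user(fl->fl_icmp_type, type) || get_user(fl->fl_icmp_code, code)) break;` ahead of `probed = 1`, so that a failed read is not recorded as a successful probe. Reporting -EFAULT to the sender would need the function to stop being `void`, which lies outside this hunk.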
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -619,7 +619,7 @@ static void rawv6_probe_proto_opt(struct
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
+diff --git a/net/socket.c b/net/socket.c
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1739,10 +1739,11 @@ asmlinkage long sys_sendmsg(int fd, stru
+ goto out_freeiov;
+ ctl_len = msg_sys.msg_controllen;
+ if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
+- err = cmsghdr_from_user_compat_to_kern(&msg_sys, ctl, sizeof(ctl));
++ err = cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl, sizeof(ctl));
+ if (err)
+ goto out_freeiov;
+ ctl_buf = msg_sys.msg_control;
++ ctl_len = msg_sys.msg_controllen;
+ } else if (ctl_len) {
+ if (ctl_len > sizeof(ctl))
+ {
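Review bot: The added `ctl_len = msg_sys.msg_controllen;` carries no comment, although it appears load-bearing. cmsghdr_from_user_compat_to_kern() now allocates with `sock_kmalloc(sk, kcmlen, ...)` and stores `kcmlen` in `msg_controllen`, so whatever later releases `ctl_buf` has to use that converted length, not the user-supplied one. The release site is outside this hunk, so this is inferred from the compat.c changes. Suggest `/* length of the converted kernel buffer, as charged to the socket */` above the assignment.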
Modified: dists/trunk/linux-2.6/debian/patches-debian/series/2.6.13-1
===================================================================
--- dists/trunk/linux-2.6/debian/patches-debian/series/2.6.13-1 2005-09-10 02:48:40 UTC (rev 4164)
+++ dists/trunk/linux-2.6/debian/patches-debian/series/2.6.13-1 2005-09-10 17:36:08 UTC (rev 4165)
@@ -20,3 +20,4 @@
+ remove-references-to-removed-drivers.patch
+ sparc64-hme-lockup.patch
+ tty-locking-fixes9.patch
++ patch-2.6.13.1