[kernel] r15849 - in dists/lenny/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/powerpc debian/patches/bugfix/sparc debian/patches/bugfix/x86 debian/patches/features/all/openvz debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Jun 10 18:46:08 UTC 2010
Author: dannf
Date: Thu Jun 10 18:46:06 2010
New Revision: 15849
Log:
merge 2.6.26-22lenny1
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-LOOKUP_FOLLOW-on-automount-symlinks.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/fix-LOOKUP_FOLLOW-on-automount-symlinks.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/keys-find_keyring_by_name-can-gain-access-to-a-freed-keyring.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/keys-find_keyring_by_name-can-gain-access-to-a-freed-keyring.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs-fix-an-oops-when-truncating-a-file.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/nfs-fix-an-oops-when-truncating-a-file.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-Fix-receive-buffer-length.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/r8169-Fix-receive-buffer-length.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-clean-up-my-printk-uglyness.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/r8169-clean-up-my-printk-uglyness.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/usbfs-only-copy-received-data.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/usbfs-only-copy-received-data.patch
dists/lenny/linux-2.6/debian/patches/bugfix/powerpc/kgdb-dont-needlessly-skip-PAGE_USER-test-for-Fsl-booke.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/powerpc/kgdb-dont-needlessly-skip-PAGE_USER-test-for-Fsl-booke.patch
dists/lenny/linux-2.6/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch
dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-x86-disable-paravirt-mmu-reporting.patch
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/x86/kvm-x86-disable-paravirt-mmu-reporting.patch
dists/lenny/linux-2.6/debian/patches/series/22lenny1
- copied unchanged from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/series/22lenny1
Modified:
dists/lenny/linux-2.6/ (props changed)
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Thu Jun 10 18:42:03 2010 (r15848)
+++ dists/lenny/linux-2.6/debian/changelog Thu Jun 10 18:46:06 2010 (r15849)
@@ -33,6 +33,34 @@
-- dann frazier <dannf at debian.org> Wed, 10 Mar 2010 23:42:11 -0700
+linux-2.6 (2.6.26-22lenny1) stable-security; urgency=high
+
+ [ dann frazier ]
+ * USB: usbfs: only copy the actual data received (CVE-2010-1083)
+ * GFS2: Skip check for mandatory locks when unlocking (CVE-2010-0727)
+ * Bluetooth: Fix potential bad memory access with sysfs files (CVE-2010-1084)
+ * dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered
+ by an invalid Payload Pointer (CVE-2010-1086)
+ * NFS: Fix an Oops when truncating a file (CVE-2010-1087)
+ * fix LOOKUP_FOLLOW on automount "symlinks" (CVE-2010-1088)
+ * tty: release_one_tty() forgets to put pids (CVE-2010-1162)
+ * tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
+ * sctp: Fix skb_over_panic resulting from multiple invalid parameter
+ errors (CVE-2010-1173)
+ * sparc64: Fix sun4u execute bit check in TSB I-TLB load (CVE-2010-1451)
+ * KEYS: find_keyring_by_name() can gain access to a freed keyring
+ (CVE-2010-1437)
+ * [powerpc] KGDB: don't needlessly skip PAGE_USER test for Fsl booke
+ Note: KGDB is not currently enabled in debian builds (CVE-2010-1446)
+
+ [ Ben Hutchings ]
+ * [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed
+ due to fix for CVE-2010-0298; considered obsolete by upstream)
+ * r8169: Increase default RX buffer size to avoid RX scattering bug
+ (CVE-2009-4537)
+
+ -- dann frazier <dannf at debian.org> Sun, 09 May 2010 23:22:44 -0600
+
linux-2.6 (2.6.26-22) stable; urgency=high
[ maximilian attems ]
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch)
@@ -0,0 +1,141 @@
+commit cd17994006d51c3d1d7d8e248fc76137e71e858b
+Author: Marcel Holtmann <marcel at holtmann.org>
+Date: Mon Mar 15 14:12:58 2010 -0700
+
+ Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+ Bluetooth: Fix potential bad memory access with sysfs files
+
+ When creating a high number of Bluetooth sockets (L2CAP, SCO
+ and RFCOMM) it is possible to scribble repeatedly on arbitrary
+ pages of memory. Ensure that the content of these sysfs files is
+ always less than one page. Even if this means truncating. The
+ files in question are scheduled to be moved over to debugfs in
+ the future anyway.
+
+ Based on initial patches from Neil Brown and Linus Torvalds
+
+ Reported-by: Neil Brown <neilb at suse.de>
+ Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 6e180d2..ea113a3 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2270,16 +2270,24 @@ static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
+ struct sock *sk;
+ struct hlist_node *node;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ read_lock_bh(&l2cap_sk_list.lock);
+
+ sk_for_each(sk, node, &l2cap_sk_list.head) {
+ struct l2cap_pinfo *pi = l2cap_pi(sk);
++ int len;
+
+- str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d 0x%x\n",
++ len = snprintf(str, size, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d 0x%x\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
+ pi->imtu, pi->omtu, pi->link_mode);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
+
+ read_unlock_bh(&l2cap_sk_list.lock);
+diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
+index 0c2c937..571f913 100644
+--- a/net/bluetooth/rfcomm/core.c
++++ b/net/bluetooth/rfcomm/core.c
+@@ -2013,6 +2013,7 @@ static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
+ struct rfcomm_session *s;
+ struct list_head *pp, *p;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ rfcomm_lock();
+
+@@ -2021,11 +2022,21 @@ static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
+ list_for_each(pp, &s->dlcs) {
+ struct sock *sk = s->sock->sk;
+ struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
++ int len;
+
+- str += sprintf(str, "%s %s %ld %d %d %d %d\n",
++ len = snprintf(str, size, "%s %s %ld %d %d %d %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
++
++ if (size <= 0)
++ break;
+ }
+
+ rfcomm_unlock();
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 5083adc..b90954a 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -894,13 +894,22 @@ static ssize_t rfcomm_sock_sysfs_show(struct class *dev, char *buf)
+ struct sock *sk;
+ struct hlist_node *node;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ read_lock_bh(&rfcomm_sk_list.lock);
+
+ sk_for_each(sk, node, &rfcomm_sk_list.head) {
+- str += sprintf(str, "%s %s %d %d\n",
++ int len;
++
++ len = snprintf(str, size, "%s %s %d %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ sk->sk_state, rfcomm_pi(sk)->channel);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
+
+ read_unlock_bh(&rfcomm_sk_list.lock);
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index b0d487e..fbd9049 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -893,13 +893,22 @@ static ssize_t sco_sysfs_show(struct class *dev, char *buf)
+ struct sock *sk;
+ struct hlist_node *node;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ read_lock_bh(&sco_sk_list.lock);
+
+ sk_for_each(sk, node, &sco_sk_list.head) {
+- str += sprintf(str, "%s %s %d\n",
++ int len;
++
++ len = snprintf(str, size, "%s %s %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ sk->sk_state);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
+
+ read_unlock_bh(&sco_sk_list.lock);
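Review bot: The truncation handling in all four show() callbacks relies on `snprintf` returning the untruncated length: when `len` exceeds the remaining `size`, the partially written entry stays in `buf` but `str` is deliberately not advanced, so the byte count the function returns (the `return` is outside the hunk) excludes it. That is correct but stated nowhere, and the `size -= len; if (size <= 0) break;` ordering looks like an off-by-one to a casual reader. I would put a comment above each `int size = PAGE_SIZE;` such as `/* sysfs hands us exactly one page; stop at the last whole entry that fits and silently drop the rest */`. The nested loop in rfcomm_dlc_sysfs_show() correctly re-tests `size <= 0` after the inner loop so the outer one exits too, which is also worth a one-line note since it is easy to lose in a later refactor.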
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch)
@@ -0,0 +1,40 @@
+commit ea3da36299bd775ff09528f6b6767893de487c39
+Author: Ang Way Chuang <wcang79 at gmail.com>
+Date: Thu Feb 25 09:45:03 2010 +0800
+
+ dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered by an invalid Payload Pointer
+
+ ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
+ has a bug that causes endless loop when Payload Pointer of MPEG2-TS
+ frame is 182 or 183. Anyone who sends malicious MPEG2-TS frame will
+ cause the receiver of ULE SNDU to go into endless loop.
+
+ This patch was generated and tested against linux-2.6.32.9 and should
+ apply cleanly to linux-2.6.33 as well because there was only one typo
+ fix to dvb_net.c since v2.6.32.
+
+ This bug was brought to you by modern day Santa Claus who decided to
+ shower the satellite dish at Keio University with heavy snow causing
+ huge burst of errors. We, receiver end, received Santa Claus's gift in
+ the form of kernel bug.
+
+ Care has been taken not to introduce more bug by fixing this bug, but
+ please scrutinize the code for I always produces buggy code.
+
+ Signed-off-by: Ang Way Chuang <wcang79 at gmail.com>
+ Acked-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/media/dvb/dvb-core/dvb_net.c b/drivers/media/dvb/dvb-core/dvb_net.c
+index c2334ae..155ef76 100644
+--- a/drivers/media/dvb/dvb-core/dvb_net.c
++++ b/drivers/media/dvb/dvb-core/dvb_net.c
+@@ -504,6 +504,7 @@ static void dvb_net_ule( struct net_device *dev, const u8 *buf, size_t buf_len )
+ "bytes left in TS. Resyncing.\n", ts_remain);
+ priv->ule_sndu_len = 0;
+ priv->need_pusi = 1;
++ ts += TS_SZ;
+ continue;
+ }
+
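Review bot: The added `ts += TS_SZ;` carries no explanation, and because the surrounding loop is entirely outside the hunk a reader cannot see that `continue` bypasses the per-packet advance at the bottom of the loop; per the commit message, without this line the same TS packet with Payload Pointer 182 or 183 is re-examined forever. I would annotate it: `ts += TS_SZ; /* 'continue' skips the advance at the loop end; without this we spin on this packet forever */`. It is also worth confirming that the other resync paths in dvb_net_ule() that `continue` after setting `need_pusi` already advance `ts`, since the same trap would apply to them, but that cannot be verified from this hunk.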
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-LOOKUP_FOLLOW-on-automount-symlinks.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/fix-LOOKUP_FOLLOW-on-automount-symlinks.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-LOOKUP_FOLLOW-on-automount-symlinks.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/fix-LOOKUP_FOLLOW-on-automount-symlinks.patch)
@@ -0,0 +1,43 @@
+commit 611b55e2510b310b1314c914a1c3823e80caa0f1
+Author: Al Viro <viro at ZenIV.linux.org.uk>
+Date: Tue Feb 16 18:09:36 2010 +0000
+
+ fix LOOKUP_FOLLOW on automount "symlinks"
+
+ Make sure that automount "symlinks" are followed regardless of LOOKUP_FOLLOW;
+ it should have no effect on them.
+
+ Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 2b50296..a9df272 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -868,6 +868,17 @@ fail:
+ }
+
+ /*
++ * This is a temporary kludge to deal with "automount" symlinks; proper
++ * solution is to trigger them on follow_mount(), so that do_lookup()
++ * would DTRT. To be killed before 2.6.34-final.
++ */
++static inline int follow_on_final(struct inode *inode, unsigned lookup_flags)
++{
++ return inode && unlikely(inode->i_op->follow_link) &&
++ ((lookup_flags & LOOKUP_FOLLOW) || S_ISDIR(inode->i_mode));
++}
++
++/*
+ * Name resolution.
+ * This is the basic name resolution function, turning a pathname into
+ * the final dentry. We expect 'base' to be positive and a directory.
+@@ -1011,8 +1022,7 @@ last_component:
+ if (err)
+ break;
+ inode = next.dentry->d_inode;
+- if ((lookup_flags & LOOKUP_FOLLOW)
+- && inode && inode->i_op && inode->i_op->follow_link) {
++ if (follow_on_final(inode, lookup_flags)) {
+ err = do_follow_link(&next, nd);
+ if (err)
+ goto return_err;
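Review bot: The backported helper `follow_on_final()` drops the `inode->i_op &&` test that the replaced 2.6.26 condition carried (removed line: `&& inode && inode->i_op && inode->i_op->follow_link`), so if any inode in this tree can still have a NULL `i_op` the new check dereferences it. Upstream presumably omitted the test because `i_op` is never NULL there; unless that is confirmed for 2.6.26 as well, keep it in the backport: `return inode && inode->i_op && unlikely(inode->i_op->follow_link) &&`. The comment's "To be killed before 2.6.34-final" is meaningless in a 2.6.26 stable tree and should instead name the upstream commit it backports. The enclosing name-resolution function begins and ends outside the hunk.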
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch)
@@ -0,0 +1,28 @@
+commit 14bea9ede1e6c24491168cb2333d93485c788972
+Author: Sachin Prabhu <sprabhu at redhat.com>
+Date: Thu Mar 11 12:24:45 2010 -0500
+
+ Backported to Debian's 2.6.26
+
+ GFS2: Skip check for mandatory locks when unlocking
+
+ gfs2_lock() will skip locks on file which have mode set to 02666. This is a problem in cases where the mode of the file is changed after a process has obtained a lock on the file. Such a lock will be skipped and will result in a BUG in locks_remove_flock().
+
+ gfs2_lock() should skip the check for mandatory locks when unlocking a file.
+
+ Signed-off-by: Sachin Prabhu <sprabhu at redhat.com>
+ Signed-off-by: Steven Whitehouse <swhiteho at redhat.com>
+
+diff --git a/fs/gfs2/ops_file.c b/fs/gfs2/ops_file.c
+index e1b7d52..34cc876 100644
+--- a/fs/gfs2/ops_file.c
++++ b/fs/gfs2/ops_file.c
+@@ -642,7 +642,7 @@ static int gfs2_lock(struct file *file, int cmd, struct file_lock *fl)
+
+ if (!(fl->fl_flags & FL_POSIX))
+ return -ENOLCK;
+- if (__mandatory_lock(&ip->i_inode))
++ if (__mandatory_lock(&ip->i_inode) && fl->fl_type != F_UNLCK)
+ return -ENOLCK;
+
+ if (cmd == F_CANCELLK) {
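Review bot: The new `&& fl->fl_type != F_UNLCK` exception is exactly the kind of condition that gets "simplified" away later unless its reason sits next to it; the commit message explains it but the code does not. I would comment the line: `/* Never refuse an unlock: the mode may have been switched to 02666 after the lock was taken, and a skipped unlock BUGs in locks_remove_flock() */`. The check still returns -ENOLCK for lock requests on mandatory-lock files, so the fix only widens the unlock path; whether an F_CANCELLK request (handled just below) needs the same treatment is not visible from this hunk.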
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/keys-find_keyring_by_name-can-gain-access-to-a-freed-keyring.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/keys-find_keyring_by_name-can-gain-access-to-a-freed-keyring.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/keys-find_keyring_by_name-can-gain-access-to-a-freed-keyring.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/keys-find_keyring_by_name-can-gain-access-to-a-freed-keyring.patch)
@@ -0,0 +1,183 @@
+commit 697efd52b4c5374c2133f5fe86a354f1b163a22d
+Author: Toshiyuki Okajima <toshi.okajima at jp.fujitsu.com>
+Date: Fri Apr 30 14:32:13 2010 +0100
+
+ KEYS: find_keyring_by_name() can gain access to a freed keyring
+
+ find_keyring_by_name() can gain access to a keyring that has had its reference
+ count reduced to zero, and is thus ready to be freed. This then allows the
+ dead keyring to be brought back into use whilst it is being destroyed.
+
+ The following timeline illustrates the process:
+
+ |(cleaner) (user)
+ |
+ | free_user(user) sys_keyctl()
+ | | |
+ | key_put(user->session_keyring) keyctl_get_keyring_ID()
+ | || //=> keyring->usage = 0 |
+ | |schedule_work(&key_cleanup_task) lookup_user_key()
+ | || |
+ | kmem_cache_free(,user) |
+ | . |[KEY_SPEC_USER_KEYRING]
+ | . install_user_keyrings()
+ | . ||
+ | key_cleanup() [<= worker_thread()] ||
+ | | ||
+ | [spin_lock(&key_serial_lock)] |[mutex_lock(&key_user_keyr..mutex)]
+ | | ||
+ | atomic_read() == 0 ||
+ | |{ rb_ease(&key->serial_node,) } ||
+ | | ||
+ | [spin_unlock(&key_serial_lock)] |find_keyring_by_name()
+ | | |||
+ | keyring_destroy(keyring) ||[read_lock(&keyring_name_lock)]
+ | || |||
+ | |[write_lock(&keyring_name_lock)] ||atomic_inc(&keyring->usage)
+ | |. ||| *** GET freeing keyring ***
+ | |. ||[read_unlock(&keyring_name_lock)]
+ | || ||
+ | |list_del() |[mutex_unlock(&key_user_k..mutex)]
+ | || |
+ | |[write_unlock(&keyring_name_lock)] ** INVALID keyring is returned **
+ | | .
+ | kmem_cache_free(,keyring) .
+ | .
+ | atomic_dec(&keyring->usage)
+ v *** DESTROYED ***
+ TIME
+
+ If CONFIG_SLUB_DEBUG=y then we may see the following message generated:
+
+ =============================================================================
+ BUG key_jar: Poison overwritten
+ -----------------------------------------------------------------------------
+
+ INFO: 0xffff880197a7e200-0xffff880197a7e200. First byte 0x6a instead of 0x6b
+ INFO: Allocated in key_alloc+0x10b/0x35f age=25 cpu=1 pid=5086
+ INFO: Freed in key_cleanup+0xd0/0xd5 age=12 cpu=1 pid=10
+ INFO: Slab 0xffffea000592cb90 objects=16 used=2 fp=0xffff880197a7e200 flags=0x200000000000c3
+ INFO: Object 0xffff880197a7e200 @offset=512 fp=0xffff880197a7e300
+
+ Bytes b4 0xffff880197a7e1f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+ Object 0xffff880197a7e200: 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk
+
+ Alternatively, we may see a system panic happen, such as:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
+ IP: [<ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
+ PGD 6b2b4067 PUD 6a80d067 PMD 0
+ Oops: 0000 [#1] SMP
+ last sysfs file: /sys/kernel/kexec_crash_loaded
+ CPU 1
+ ...
+ Pid: 31245, comm: su Not tainted 2.6.34-rc5-nofixed-nodebug #2 D2089/PRIMERGY
+ RIP: 0010:[<ffffffff810e61a3>] [<ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
+ RSP: 0018:ffff88006af3bd98 EFLAGS: 00010002
+ RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88007d19900b
+ RDX: 0000000100000000 RSI: 00000000000080d0 RDI: ffffffff81828430
+ RBP: ffffffff81828430 R08: ffff88000a293750 R09: 0000000000000000
+ R10: 0000000000000001 R11: 0000000000100000 R12: 00000000000080d0
+ R13: 00000000000080d0 R14: 0000000000000296 R15: ffffffff810f20ce
+ FS: 00007f97116bc700(0000) GS:ffff88000a280000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000001 CR3: 000000006a91c000 CR4: 00000000000006e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Process su (pid: 31245, threadinfo ffff88006af3a000, task ffff8800374414c0)
+ Stack:
+ 0000000512e0958e 0000000000008000 ffff880037f8d180 0000000000000001
+ 0000000000000000 0000000000008001 ffff88007d199000 ffffffff810f20ce
+ 0000000000008000 ffff88006af3be48 0000000000000024 ffffffff810face3
+ Call Trace:
+ [<ffffffff810f20ce>] ? get_empty_filp+0x70/0x12f
+ [<ffffffff810face3>] ? do_filp_open+0x145/0x590
+ [<ffffffff810ce208>] ? tlb_finish_mmu+0x2a/0x33
+ [<ffffffff810ce43c>] ? unmap_region+0xd3/0xe2
+ [<ffffffff810e4393>] ? virt_to_head_page+0x9/0x2d
+ [<ffffffff81103916>] ? alloc_fd+0x69/0x10e
+ [<ffffffff810ef4ed>] ? do_sys_open+0x56/0xfc
+ [<ffffffff81008a02>] ? system_call_fastpath+0x16/0x1b
+ Code: 0f 1f 44 00 00 49 89 c6 fa 66 0f 1f 44 00 00 65 4c 8b 04 25 60 e8 00 00 48 8b 45 00 49 01 c0 49 8b 18 48 85 db 74 0d 48 63 45 18 <48> 8b 04 03 49 89 00 eb 14 4c 89 f9 83 ca ff 44 89 e6 48 89 ef
+ RIP [<ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
+
+ This problem is that find_keyring_by_name does not confirm that the keyring is
+ valid before accepting it.
+
+ Skipping keyrings that have been reduced to a zero count seems the way to go.
+ To this end, use atomic_inc_not_zero() to increment the usage count and skip
+ the candidate keyring if that returns false.
+
+ The following script _may_ cause the bug to happen, but there's no guarantee
+ as the window of opportunity is small:
+
+ #!/bin/sh
+ LOOP=100000
+ USER=dummy_user
+ /bin/su -c "exit;" $USER || { /usr/sbin/adduser -m $USER; add=1; }
+ for ((i=0; i<LOOP; i++))
+ do
+ /bin/su -c "echo '$i' > /dev/null" $USER
+ done
+ (( add == 1 )) && /usr/sbin/userdel -r $USER
+ exit
+
+ Note that the nominated user must not be in use.
+
+ An alternative way of testing this may be:
+
+ for ((i=0; i<100000; i++))
+ do
+ keyctl session foo /bin/true || break
+ done >&/dev/null
+
+ as that uses a keyring named "foo" rather than relying on the user and
+ user-session named keyrings.
+
+ Reported-by: Toshiyuki Okajima <toshi.okajima at jp.fujitsu.com>
+ Signed-off-by: David Howells <dhowells at redhat.com>
+ Tested-by: Toshiyuki Okajima <toshi.okajima at jp.fujitsu.com>
+ Acked-by: Serge Hallyn <serue at us.ibm.com>
+ Signed-off-by: James Morris <jmorris at namei.org>
+
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index a9ab8af..594660f 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -523,9 +523,8 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
+ struct key *keyring;
+ int bucket;
+
+- keyring = ERR_PTR(-EINVAL);
+ if (!name)
+- goto error;
++ return ERR_PTR(-EINVAL);
+
+ bucket = keyring_hash(name);
+
+@@ -549,17 +548,18 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
+ KEY_SEARCH) < 0)
+ continue;
+
+- /* we've got a match */
+- atomic_inc(&keyring->usage);
+- read_unlock(&keyring_name_lock);
+- goto error;
++ /* we've got a match but we might end up racing with
++ * key_cleanup() if the keyring is currently 'dead'
++ * (ie. it has a zero usage count) */
++ if (!atomic_inc_not_zero(&keyring->usage))
++ continue;
++ goto out;
+ }
+ }
+
+- read_unlock(&keyring_name_lock);
+ keyring = ERR_PTR(-ENOKEY);
+-
+- error:
++out:
++ read_unlock(&keyring_name_lock);
+ return keyring;
+
+ } /* end find_keyring_by_name() */
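Review bot: The `atomic_inc_not_zero()` check is only correct because `keyring_name_lock` is held for read across it: per the commit's timeline, keyring_destroy() unlinks the keyring from the name list under the write lock before kmem_cache_free(), so a zero-count candidate is still valid memory while we inspect it but must never be pinned again. That invariant is what a future reader needs and the inline comment does not state it; I would extend it to `/* we've got a match but we might end up racing with key_cleanup() if the keyring is currently 'dead' (zero usage count); it is still safe to look at because keyring_destroy() unlinks it under keyring_name_lock before freeing, but it must not be resurrected */`. The permission check just above the comment now also runs on possibly-dead keyrings, which is harmless for the same reason, and the single `read_unlock()` at `out:` now covers both the found and not-found paths, which is a tidy improvement over the old early-unlock-then-goto.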
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs-fix-an-oops-when-truncating-a-file.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/nfs-fix-an-oops-when-truncating-a-file.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs-fix-an-oops-when-truncating-a-file.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/nfs-fix-an-oops-when-truncating-a-file.patch)
@@ -0,0 +1,51 @@
+commit e383bd6110a0192a09195326e9f5357704048d0b
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Wed Feb 3 08:27:22 2010 -0500
+
+ NFS: Fix an Oops when truncating a file
+
+ The VM/VFS does not allow mapping->a_ops->invalidatepage() to fail.
+ Unfortunately, nfs_wb_page_cancel() may fail if a fatal signal occurs.
+ Since the NFS code assumes that the page stays mapped for as long as the
+ writeback is active, we can end up Oopsing (among other things).
+
+ The only safe fix here is to convert nfs_wait_on_request(), so as to make
+ it uninterruptible (as is already the case with wait_on_page_writeback()).
+
+ Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
+index 7f07920..4a72112 100644
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -187,6 +187,12 @@ static int nfs_wait_bit_killable(void *word)
+ return ret;
+ }
+
++static int nfs_wait_bit_uninterruptible(void *word)
++{
++ io_schedule();
++ return 0;
++}
++
+ /**
+ * nfs_wait_on_request - Wait for a request to complete.
+ * @req: request to wait upon.
+@@ -197,14 +203,9 @@ static int nfs_wait_bit_killable(void *word)
+ int
+ nfs_wait_on_request(struct nfs_page *req)
+ {
+- int ret = 0;
+-
+- if (!test_bit(PG_BUSY, &req->wb_flags))
+- goto out;
+- ret = out_of_line_wait_on_bit(&req->wb_flags, PG_BUSY,
+- nfs_wait_bit_killable, TASK_KILLABLE);
+-out:
+- return ret;
++ return wait_on_bit(&req->wb_flags, PG_BUSY,
++ nfs_wait_bit_uninterruptible,
++ TASK_UNINTERRUPTIBLE);
+ }
+
+ /**
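Review bot: `nfs_wait_bit_uninterruptible()` together with the TASK_UNINTERRUPTIBLE wait changes the failure mode of every nfs_wait_on_request() caller, not only invalidatepage(): a task waiting on a dead server now sits in D state and cannot be killed, where before a fatal signal ended the wait. That trade-off is the point of the fix but should be stated on the helper: `/* Must not fail: ->invalidatepage() callers cannot handle an error, so the wait is uninterruptible even though a hung server leaves the task in D state. */`. The removed `test_bit(PG_BUSY)` fast path is presumably not lost because wait_on_bit() tests the bit before sleeping, but that deserves a line too, since the diff reads as if the check were simply dropped.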
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-Fix-receive-buffer-length.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/r8169-Fix-receive-buffer-length.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-Fix-receive-buffer-length.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/r8169-Fix-receive-buffer-length.patch)
@@ -0,0 +1,59 @@
+From 8812304cf1110ae16b0778680f6022216cf4716a Mon Sep 17 00:00:00 2001
+From: Raimonds Cicans <ray at apollo.lv>
+Date: Fri, 13 Nov 2009 10:52:19 +0000
+Subject: [PATCH] r8169: Fix receive buffer length when MTU is between 1515 and 1536
+
+In r8169 driver MTU is used to calculate receive buffer size.
+Receive buffer size is used to configure hardware incoming packet filter.
+
+For jumbo frames:
+Receive buffer size = Max frame size = MTU + 14 (ethernet header) + 4
+(vlan header) + 4 (ethernet checksum) = MTU + 22
+
+Bug:
+driver for all MTU up to 1536 use receive buffer size 1536
+
+As you can see from formula, this mean all IP packets > 1536 - 22
+(for vlan tagged, 1536 - 18 for not tagged) are dropped by hardware
+filter.
+
+Example:
+
+host_good> ifconfig eth0 mtu 1536
+host_r8169> ifconfig eth0 mtu 1536
+host_good> ping host_r8169
+Ok
+host_good> ping -s 1500 host_r8169
+Fail
+host_good> ifconfig eth0 mtu 7000
+host_r8169> ifconfig eth0 mtu 7000
+host_good> ping -s 1500 host_r8169
+Ok
+
+Bonus: got rid of magic number 8
+
+Signed-off-by: Raimonds Cicans <ray at apollo.lv>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/r8169.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
+index fa49356..b9221bd 100644
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -3243,9 +3243,9 @@ static void __devexit rtl8169_remove_one(struct pci_dev *pdev)
+ static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
+ struct net_device *dev)
+ {
+- unsigned int mtu = dev->mtu;
++ unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
+
+- tp->rx_buf_sz = (mtu > RX_BUF_SIZE) ? mtu + ETH_HLEN + 8 : RX_BUF_SIZE;
++ tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
+ }
+
+ static int rtl8169_open(struct net_device *dev)
+--
+1.7.0.3
+
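Review bot: The rewritten rtl8169_set_rxbufsize() is changed again by the CVE-2009-4537 patch in this same upload (the printk-cleanup hunk below shows the function with a local `mtu` and a warning on `max_frame != 16383`), so the series file, which is not shown here, must apply this patch before the other two or their contexts will not match. Since `rx_buf_sz` now grows to `mtu + VLAN_ETH_HLEN + ETH_FCS_LEN` whenever that exceeds RX_BUF_SIZE, a comment at the assignment explaining why the VLAN header and FCS are counted would spare the next reader a trip to the commit message: `/* worst-case frame: MTU plus 802.1Q ethernet header and FCS */`.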
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-clean-up-my-printk-uglyness.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/r8169-clean-up-my-printk-uglyness.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-clean-up-my-printk-uglyness.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/r8169-clean-up-my-printk-uglyness.patch)
@@ -0,0 +1,35 @@
+From 93f4d91d879acfcb0ba9c2725e3133fcff2dfd1e Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman at tuxdriver.com>
+Date: Thu, 1 Apr 2010 07:30:07 +0000
+Subject: [PATCH] r8169: clean up my printk uglyness
+
+Fix formatting on r8169 printk
+
+Brandon Philips noted that I had a spacing issue in my printk for the
+last r8169 patch that made it quite ugly. Fix that up and add the PFX
+macro to it as well so it looks like the other r8169 printks
+
+Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/r8169.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
+index 9674005..dbb1f5a 100644
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -3227,8 +3227,8 @@ static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
+ unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
+
+ if (max_frame != 16383)
+- printk(KERN_WARNING "WARNING! Changing of MTU on this NIC"
+- "May lead to frame reception errors!\n");
++ printk(KERN_WARNING PFX "WARNING! Changing of MTU on this "
++ "NIC may lead to frame reception errors!\n");
+
+ tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
+ }
+--
+1.7.0.3
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch)
@@ -0,0 +1,121 @@
+From c0cd884af045338476b8e69a61fceb3f34ff22f1 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman at redhat.com>
+Date: Mon, 29 Mar 2010 13:16:02 -0700
+Subject: r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
+
+From: Neil Horman <nhorman at redhat.com>
+
+commit c0cd884af045338476b8e69a61fceb3f34ff22f1 upstream.
+
+Official patch to fix the r8169 frame length check error.
+
+Based on this initial thread:
+http://marc.info/?l=linux-netdev&m=126202972828626&w=1
+This is the official patch to fix the frame length problems in the r8169
+driver. As noted in the previous thread, while this patch incurs a performance
+hit on the driver, its possible to improve performance dynamically by updating
+the mtu and rx_copybreak values at runtime to return performance to what it was
+for those NICS which are unaffected by the ideosyncracy (if there are any).
+
+Summary:
+
+ A while back Eric submitted a patch for r8169 in which the proper
+allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too
+much data. This was done in commit fdd7b4c3302c93f6833e338903ea77245eb510b4. A
+long time prior to that however, Francois posted
+126fa4b9ca5d9d7cb7d46f779ad3bd3631ca387c, which expiclitly disabled the MaxSize
+setting due to the fact that the hardware behaved in odd ways when overlong
+frames were received on NIC's supported by this driver. This was mentioned in a
+security conference recently:
+http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
+
+It seems that if we can't enable frame size filtering, then, as Eric correctly
+noticed, we can find ourselves DMA-ing too much data to a buffer, causing
+corruption. As a result is seems that we are forced to allocate a frame which
+is ready to handle a maximally sized receive.
+
+This obviously has performance issues with it, so to mitigate that issue, this
+patch does two things:
+
+1) Raises the copybreak value to the frame allocation size, which should force
+appropriately sized packets to get allocated on rx, rather than a full new 16k
+buffer.
+
+2) This patch only disables frame filtering initially (i.e., during the NIC
+open), changing the MTU results in ring buffer allocation of a size in relation
+to the new mtu (along with a warning indicating that this is dangerous).
+
+Because of item (2), individuals who can't cope with the performance hit (or can
+otherwise filter frames to prevent the bug), or who have hardware they are sure
+is unaffected by this issue, can manually lower the copybreak and reset the mtu
+such that performance is restored easily.
+
+Signed-off-by: Neil Horman <nhorman at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Cc: maximilian attems <max at stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/net/r8169.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -186,7 +186,12 @@ static struct pci_device_id rtl8169_pci_
+
+ MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl);
+
+-static int rx_copybreak = 200;
++/*
++ * we set our copybreak very high so that we don't have
++ * to allocate 16k frames all the time (see note in
++ * rtl8169_open()
++ */
++static int rx_copybreak = 16383;
+ static int use_dac;
+ static struct {
+ u32 msg_enable;
+@@ -3245,9 +3250,13 @@ static void __devexit rtl8169_remove_one
+ }
+
+ static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
+- struct net_device *dev)
++ unsigned int mtu)
+ {
+- unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++ unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++
++ if (max_frame != 16383)
++ printk(KERN_WARNING "WARNING! Changing of MTU on this NIC"
++ "May lead to frame reception errors!\n");
+
+ tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
+ }
+@@ -3259,7 +3268,17 @@ static int rtl8169_open(struct net_devic
+ int retval = -ENOMEM;
+
+
+- rtl8169_set_rxbufsize(tp, dev);
++ /*
++ * Note that we use a magic value here, its wierd I know
++ * its done because, some subset of rtl8169 hardware suffers from
++ * a problem in which frames received that are longer than
++ * the size set in RxMaxSize register return garbage sizes
++ * when received. To avoid this we need to turn off filtering,
++ * which is done by setting a value of 16383 in the RxMaxSize register
++ * and allocating 16k frames to handle the largest possible rx value
++ * thats what the magic math below does.
++ */
++ rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN);
+
+ /*
+ * Rx and Tx desscriptors needs 256 bytes alignment.
+@@ -3912,7 +3931,7 @@ static int rtl8169_change_mtu(struct net
+
+ rtl8169_down(dev);
+
+- rtl8169_set_rxbufsize(tp, dev);
++ rtl8169_set_rxbufsize(tp, dev->mtu);
+
+ ret = rtl8169_init_ring(dev);
+ if (ret < 0)
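Review bot: The literal 16383 now appears in three places on the new side — the `rx_copybreak` initializer, the `max_frame != 16383` test in rtl8169_set_rxbufsize, and the `16383 - VLAN_ETH_HLEN - ETH_FCS_LEN` argument in rtl8169_open — while the reason for the value lives only in the comment inside rtl8169_open. A single named constant, say `#define RTL8169_RX_NOFILTER_MAX 16383 /* RxMaxSize value that turns off length filtering; see rtl8169_open() */` (name constructed here), used at all three sites would keep them from drifting apart. The warning in rtl8169_set_rxbufsize also identifies no interface; since the description says an MTU change re-enables the length filter that the affected hardware mishandles, the message should carry the netdev name so an operator can tell which interface is now in that state — the function no longer receives dev, so it would need the name passed in or taken from tp, if tp holds it. The printk spacing is already corrected by the separate r8169-clean-up-my-printk-uglyness.patch. rtl8169_open and rtl8169_change_mtu continue outside the hunk.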
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch)
@@ -0,0 +1,220 @@
+commit f489c5eebbf178632c17cbf1f2f24cce3427314d
+Author: dann frazier <dannf at hp.com>
+Date: Fri Apr 30 01:02:05 2010 -0600
+
+ sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
+
+ Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+ Ok, version 4
+
+ Change Notes:
+ 1) Minor cleanups, from Vlads notes
+
+ Summary:
+
+ Hey-
+ Recently, it was reported to me that the kernel could oops in the
+ following way:
+
+ <5> kernel BUG at net/core/skbuff.c:91!
+ <5> invalid operand: 0000 [#1]
+ <5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
+ ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
+ vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
+ ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
+ snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
+ pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
+ mptbase sd_mod scsi_mod
+ <5> CPU: 0
+ <5> EIP: 0060:[<c02bff27>] Not tainted VLI
+ <5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
+ <5> EIP is at skb_over_panic+0x1f/0x2d
+ <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
+ <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
+ <5> ds: 007b es: 007b ss: 0068
+ <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
+ <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
+ e0c2947d
+ <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
+ df653490
+ <5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
+ 00000004
+ <5> Call Trace:
+ <5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
+ <5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
+ <5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
+ <5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
+ <5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
+ <5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
+ <5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
+ <5> [<c01555a4>] cache_grow+0x140/0x233
+ <5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
+ <5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
+ <5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
+ <5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
+ <5> [<c02d005e>] nf_iterate+0x40/0x81
+ <5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
+ <5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
+ <5> [<c02d0362>] nf_hook_slow+0x83/0xb5
+ <5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
+ <5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
+ <5> [<c02e103e>] ip_rcv+0x334/0x3b4
+ <5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
+ <5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
+ <5> [<c02c67a4>] process_backlog+0x6c/0xd9
+ <5> [<c02c690f>] net_rx_action+0xfe/0x1f8
+ <5> [<c012a7b1>] __do_softirq+0x35/0x79
+ <5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
+ <5> [<c01094de>] do_softirq+0x46/0x4d
+
+ Its an skb_over_panic BUG halt that results from processing an init chunk in
+ which too many of its variable length parameters are in some way malformed.
+
+ The problem is in sctp_process_unk_param:
+ if (NULL == *errp)
+ *errp = sctp_make_op_error_space(asoc, chunk,
+ ntohs(chunk->chunk_hdr->length));
+
+ if (*errp) {
+ sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
+ WORD_ROUND(ntohs(param.p->length)));
+ sctp_addto_chunk(*errp,
+ WORD_ROUND(ntohs(param.p->length)),
+ param.v);
+
+ When we allocate an error chunk, we assume that the worst case scenario requires
+ that we have chunk_hdr->length data allocated, which would be correct nominally,
+ given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
+ we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
+ chunk, so the worst case situation in which all parameters are in violation
+ requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
+
+ The result of this error is that a deliberately malformed packet sent to a
+ listening host can cause a remote DOS, described in CVE-2010-1173:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
+
+ I've tested the below fix and confirmed that it fixes the issue. We move to a
+ strategy whereby we allocate a fixed size error chunk and ignore errors we don't
+ have space to report. Tested by me successfully
+
+ Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+ Acked-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
+index 7f25195..71e8509 100644
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -753,6 +753,7 @@ int sctp_user_addto_chunk(struct sctp_chunk *chunk, int off, int len,
+ struct iovec *data);
+ void sctp_chunk_free(struct sctp_chunk *);
+ void *sctp_addto_chunk(struct sctp_chunk *, int len, const void *data);
++void *sctp_addto_chunk_fixed(struct sctp_chunk *, int len, const void *data);
+ struct sctp_chunk *sctp_chunkify(struct sk_buff *,
+ const struct sctp_association *,
+ struct sock *);
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index 39e3a70..6579153 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -107,7 +107,7 @@ static const struct sctp_paramhdr prsctp_param = {
+ __constant_htons(sizeof(struct sctp_paramhdr)),
+ };
+
+-/* A helper to initialize to initialize an op error inside a
++/* A helper to initialize an op error inside a
+ * provided chunk, as most cause codes will be embedded inside an
+ * abort chunk.
+ */
+@@ -124,6 +124,29 @@ void sctp_init_cause(struct sctp_chunk *chunk, __be16 cause_code,
+ chunk->subh.err_hdr = sctp_addto_chunk(chunk, sizeof(sctp_errhdr_t), &err);
+ }
+
++/* A helper to initialize an op error inside a
++ * provided chunk, as most cause codes will be embedded inside an
++ * abort chunk. Differs from sctp_init_cause in that it won't oops
++ * if there isn't enough space in the op error chunk
++ */
++int sctp_init_cause_fixed(struct sctp_chunk *chunk, __be16 cause_code,
++ size_t paylen)
++{
++ sctp_errhdr_t err;
++ __u16 len;
++
++ /* Cause code constants are now defined in network order. */
++ err.cause = cause_code;
++ len = sizeof(sctp_errhdr_t) + paylen;
++ err.length = htons(len);
++
++ if (skb_tailroom(chunk->skb) > len)
++ return -ENOSPC;
++ chunk->subh.err_hdr = sctp_addto_chunk_fixed(chunk,
++ sizeof(sctp_errhdr_t),
++ &err);
++ return 0;
++}
+ /* 3.3.2 Initiation (INIT) (1)
+ *
+ * This chunk is used to initiate a SCTP association between two
+@@ -1114,6 +1137,24 @@ nodata:
+ return retval;
+ }
+
++/* Create an Operation Error chunk of a fixed size,
++ * specifically, max(asoc->pathmtu, SCTP_DEFAULT_MAXSEGMENT)
++ * This is a helper function to allocate an error chunk for
++ * for those invalid parameter codes in which we may not want
++ * to report all the errors, if the incomming chunk is large
++ */
++static inline struct sctp_chunk *sctp_make_op_error_fixed(
++ const struct sctp_association *asoc,
++ const struct sctp_chunk *chunk)
++{
++ size_t size = asoc ? asoc->pathmtu : 0;
++
++ if (!size)
++ size = SCTP_DEFAULT_MAXSEGMENT;
++
++ return sctp_make_op_error_space(asoc, chunk, size);
++}
++
+ /* Create an Operation Error chunk. */
+ struct sctp_chunk *sctp_make_op_error(const struct sctp_association *asoc,
+ const struct sctp_chunk *chunk,
+@@ -1354,6 +1395,18 @@ void *sctp_addto_chunk(struct sctp_chunk *chunk, int len, const void *data)
+ return target;
+ }
+
++/* Append bytes to the end of a chunk. Returns NULL if there isn't sufficient
++ * space in the chunk
++ */
++void *sctp_addto_chunk_fixed(struct sctp_chunk *chunk,
++ int len, const void *data)
++{
++ if (skb_tailroom(chunk->skb) > len)
++ return sctp_addto_chunk(chunk, len, data);
++ else
++ return NULL;
++}
++
+ /* Append bytes from user space to the end of a chunk. Will panic if
+ * chunk is not big enough.
+ * Returns a kernel err value.
+@@ -1957,13 +2010,12 @@ static sctp_ierror_t sctp_process_unk_param(const struct sctp_association *asoc,
+ * returning multiple unknown parameters.
+ */
+ if (NULL == *errp)
+- *errp = sctp_make_op_error_space(asoc, chunk,
+- ntohs(chunk->chunk_hdr->length));
++ *errp = sctp_make_op_error_fixed(asoc, chunk);
+
+ if (*errp) {
+- sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
++ sctp_init_cause_fixed(*errp, SCTP_ERROR_UNKNOWN_PARAM,
+ WORD_ROUND(ntohs(param.p->length)));
+- sctp_addto_chunk(*errp,
++ sctp_addto_chunk_fixed(*errp,
+ WORD_ROUND(ntohs(param.p->length)),
+ param.v);
+ } else {
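Review bot: The tail-room check in sctp_init_cause_fixed is inverted: `if (skb_tailroom(chunk->skb) > len) return -ENOSPC;` rejects the call exactly when header and payload would fit, and when they would not it falls through to sctp_addto_chunk_fixed, whose own `> len` test returns NULL, so chunk->subh.err_hdr becomes NULL and the function still returns 0. It should read `if (skb_tailroom(chunk->skb) < len) return -ENOSPC;`, and sctp_addto_chunk_fixed should accept equality, `if (skb_tailroom(chunk->skb) >= len)`, so a tail room of exactly len is usable. As written the cause header is never appended when there is room, while sctp_process_unk_param ignores the return value and still calls sctp_addto_chunk_fixed for the parameter bytes, so the ERROR chunk sent back can carry parameter data with no cause header; the caller should skip the sctp_addto_chunk_fixed call when sctp_init_cause_fixed returns non-zero. The overflow itself is still prevented, because neither helper writes past the tail room. sctp_init_cause_fixed is also non-static but, unlike sctp_addto_chunk_fixed, gets no prototype in the header hunk here — worth confirming it is declared alongside sctp_init_cause.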
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch)
@@ -0,0 +1,211 @@
+commit cfa124a2725e84dd845805672f170aa89444b52e
+Author: Neil Horman <nhorman at tuxdriver.com>
+Date: Wed Mar 3 08:31:23 2010 +0000
+
+ tipc: Fix oops on send prior to entering networked mode (v3)
+
+ Fix TIPC to disallow sending to remote addresses prior to entering NET_MODE
+
+ user programs can oops the kernel by sending datagrams via AF_TIPC prior to
+ entering networked mode. The following backtrace has been observed:
+
+ ID: 13459 TASK: ffff810014640040 CPU: 0 COMMAND: "tipc-client"
+ [exception RIP: tipc_node_select_next_hop+90]
+ RIP: ffffffff8869d3c3 RSP: ffff81002d9a5ab8 RFLAGS: 00010202
+ RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000000001
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000001001001
+ RBP: 0000000001001001 R8: 0074736575716552 R9: 0000000000000000
+ R10: ffff81003fbd0680 R11: 00000000000000c8 R12: 0000000000000008
+ R13: 0000000000000001 R14: 0000000000000001 R15: ffff810015c6ca00
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ RIP: 0000003cbd8d49a3 RSP: 00007fffc84e0be8 RFLAGS: 00010206
+ RAX: 000000000000002c RBX: ffffffff8005d116 RCX: 0000000000000000
+ RDX: 0000000000000008 RSI: 00007fffc84e0c00 RDI: 0000000000000003
+ RBP: 0000000000000000 R8: 00007fffc84e0c10 R9: 0000000000000010
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007fffc84e0d10 R14: 0000000000000000 R15: 00007fffc84e0c30
+ ORIG_RAX: 000000000000002c CS: 0033 SS: 002b
+
+ What happens is that, when the tipc module in inserted it enters a standalone
+ node mode in which communication to its own address is allowed <0.0.0> but not
+ to other addresses, since the appropriate data structures have not been
+ allocated yet (specifically the tipc_net pointer). There is nothing stopping a
+ client from trying to send such a message however, and if that happens, we
+ attempt to dereference tipc_net.zones while the pointer is still NULL, and
+ explode. The fix is pretty straightforward. Since these oopses all arise from
+ the dereference of global pointers prior to their assignment to allocated
+ values, and since these allocations are small (about 2k total), lets convert
+ these pointers to static arrays of the appropriate size. All the accesses to
+ these bits consider 0/NULL to be a non match when searching, so all the lookups
+ still work properly, and there is no longer a chance of a bad dererence
+ anywhere. As a bonus, this lets us eliminate the setup/teardown routines for
+ those pointers, and elimnates the need to preform any locking around them to
+ prevent access while their being allocated/freed.
+
+ I've updated the tipc_net structure to behave this way to fix the exact reported
+ problem, and also fixed up the tipc_bearers and media_list arrays to fix an
+ obvious simmilar problem that arises from issuing tipc-config commands to
+ manipulate bearers/links prior to entering networked mode
+
+ I've tested this for a few hours by running the sanity tests and stress test
+ with the tipcutils suite, and nothing has fallen over. There have been a few
+ lockdep warnings, but those were there before, and can be addressed later, as
+ they didn't actually result in any deadlock.
+
+ Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+ Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+ CC: Allan Stephens <allan.stephens at windriver.com>
+ CC: David S. Miller <davem at davemloft.net>
+ CC: tipc-discussion at lists.sourceforge.net
+
+ bearer.c | 37 ++++++-------------------------------
+ bearer.h | 2 +-
+ net.c | 25 ++++---------------------
+ 3 files changed, 11 insertions(+), 53 deletions(-)
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
+index 271a375..e5ebebd 100644
+--- a/net/tipc/bearer.c
++++ b/net/tipc/bearer.c
+@@ -45,10 +45,10 @@
+
+ #define MAX_ADDR_STR 32
+
+-static struct media *media_list = NULL;
++static struct media media_list[MAX_MEDIA];
+ static u32 media_count = 0;
+
+-struct bearer *tipc_bearers = NULL;
++struct bearer tipc_bearers[MAX_BEARERS];
+
+ /**
+ * media_name_valid - validate media name
+@@ -108,9 +108,11 @@ int tipc_register_media(u32 media_type,
+ int res = -EINVAL;
+
+ write_lock_bh(&tipc_net_lock);
+- if (!media_list)
+- goto exit;
+
++ if (tipc_mode != TIPC_NET_MODE) {
++ warn("Media <%s> rejected, not in networked mode yet\n", name);
++ goto exit;
++ }
+ if (!media_name_valid(name)) {
+ warn("Media <%s> rejected, illegal name\n", name);
+ goto exit;
+@@ -660,33 +662,10 @@ int tipc_disable_bearer(const char *name)
+
+
+
+-int tipc_bearer_init(void)
+-{
+- int res;
+-
+- write_lock_bh(&tipc_net_lock);
+- tipc_bearers = kcalloc(MAX_BEARERS, sizeof(struct bearer), GFP_ATOMIC);
+- media_list = kcalloc(MAX_MEDIA, sizeof(struct media), GFP_ATOMIC);
+- if (tipc_bearers && media_list) {
+- res = TIPC_OK;
+- } else {
+- kfree(tipc_bearers);
+- kfree(media_list);
+- tipc_bearers = NULL;
+- media_list = NULL;
+- res = -ENOMEM;
+- }
+- write_unlock_bh(&tipc_net_lock);
+- return res;
+-}
+-
+ void tipc_bearer_stop(void)
+ {
+ u32 i;
+
+- if (!tipc_bearers)
+- return;
+-
+ for (i = 0; i < MAX_BEARERS; i++) {
+ if (tipc_bearers[i].active)
+ tipc_bearers[i].publ.blocked = 1;
+@@ -695,10 +674,6 @@ void tipc_bearer_stop(void)
+ if (tipc_bearers[i].active)
+ bearer_disable(tipc_bearers[i].publ.name);
+ }
+- kfree(tipc_bearers);
+- kfree(media_list);
+- tipc_bearers = NULL;
+- media_list = NULL;
+ media_count = 0;
+ }
+
+diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
+index 6a36b66..b250414 100644
+--- a/net/tipc/bearer.h
++++ b/net/tipc/bearer.h
+@@ -114,7 +114,7 @@ struct bearer_name {
+
+ struct link;
+
+-extern struct bearer *tipc_bearers;
++extern struct bearer tipc_bearers[];
+
+ void tipc_media_addr_printf(struct print_buf *pb, struct tipc_media_addr *a);
+ struct sk_buff *tipc_media_get_names(void);
+diff --git a/net/tipc/net.c b/net/tipc/net.c
+index c39c762..d9830c0 100644
+--- a/net/tipc/net.c
++++ b/net/tipc/net.c
+@@ -116,7 +116,8 @@
+ */
+
+ DEFINE_RWLOCK(tipc_net_lock);
+-struct network tipc_net = { NULL };
++struct _zone *tipc_zones[256] = { NULL, };
++struct network tipc_net = { tipc_zones };
+
+ struct node *tipc_net_select_remote_node(u32 addr, u32 ref)
+ {
+@@ -158,28 +159,12 @@ void tipc_net_send_external_routes(u32 dest)
+ }
+ }
+
+-static int net_init(void)
+-{
+- memset(&tipc_net, 0, sizeof(tipc_net));
+- tipc_net.zones = kcalloc(tipc_max_zones + 1, sizeof(struct _zone *), GFP_ATOMIC);
+- if (!tipc_net.zones) {
+- return -ENOMEM;
+- }
+- return TIPC_OK;
+-}
+-
+ static void net_stop(void)
+ {
+ u32 z_num;
+
+- if (!tipc_net.zones)
+- return;
+-
+- for (z_num = 1; z_num <= tipc_max_zones; z_num++) {
++ for (z_num = 1; z_num <= tipc_max_zones; z_num++)
+ tipc_zone_delete(tipc_net.zones[z_num]);
+- }
+- kfree(tipc_net.zones);
+- tipc_net.zones = NULL;
+ }
+
+ static void net_route_named_msg(struct sk_buff *buf)
+@@ -278,9 +263,7 @@ int tipc_net_start(void)
+ tipc_named_reinit();
+ tipc_port_reinit();
+
+- if ((res = tipc_bearer_init()) ||
+- (res = net_init()) ||
+- (res = tipc_cltr_init()) ||
++ if ((res = tipc_cltr_init()) ||
+ (res = tipc_bclink_init())) {
+ return res;
+ }
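Review bot: `struct _zone *tipc_zones[256]` fixes the zone table at 256 entries, whereas the removed net_init() sized it as `tipc_max_zones + 1`, and net_stop still iterates `z_num <= tipc_max_zones` (the unchanged lookups presumably index by zone number as well); unless tipc_max_zones is guaranteed to stay below 256, that loop and those lookups can now run past the array. Either record the coupling on the declaration, e.g. `/* tipc_max_zones must stay < 256: net_stop() and zone lookups index this directly */`, or enforce the bound where tipc_max_zones is set. Separately, tipc_bearer_stop() now resets media_count but leaves the media_list entries in place rather than freeing them, so stale entries remain readable until a later registration overwrites them — harmless only if every reader is gated on media_count, which is not visible in this hunk. tipc_net_start() continues outside the hunk.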
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch)
@@ -0,0 +1,29 @@
+commit b5662617959ef558e1130a250a88f9f189cb1bae
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Fri Apr 2 18:05:12 2010 +0200
+
+ tty: release_one_tty() forgets to put pids
+
+ release_one_tty(tty) can be called when tty still has a reference
+ to pgrp/session. In this case we leak the pid.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Reported-by: Catalin Marinas <catalin.marinas at arm.com>
+ Reported-and-tested-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+ Acked-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Acked-by: Eric W. Biederman <ebiederm at xmission.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
+index a51374e..60b691e 100644
+--- a/drivers/char/tty_io.c
++++ b/drivers/char/tty_io.c
+@@ -2342,6 +2342,8 @@ static void release_one_tty(struct tty_struct *tty, int idx)
+ list_del_init(&tty->tty_files);
+ file_list_unlock();
+
++ put_pid(tty->pgrp);
++ put_pid(tty->session);
+ free_tty_struct(tty);
+ }
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/usbfs-only-copy-received-data.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/usbfs-only-copy-received-data.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/usbfs-only-copy-received-data.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/all/usbfs-only-copy-received-data.patch)
@@ -0,0 +1,47 @@
+Backported to Debian's 2.6.26
+
+commit d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6
+Author: Greg KH <greg at kroah.com>
+Date: Mon Feb 15 09:37:46 2010 -0800
+
+ USB: usbfs: only copy the actual data received
+
+ We need to only copy the data received by the device to userspace, not
+ the whole kernel buffer, which can contain "stale" data.
+
+ Thanks to Marcus Meissner for pointing this out and testing the fix.
+
+ Reported-by: Marcus Meissner <meissner at suse.de>
+ Tested-by: Marcus Meissner <meissner at suse.de>
+ Cc: Alan Stern <stern at rowland.harvard.edu>
+ Cc: Linus Torvalds <torvalds at linux-foundation.org>
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff -urpN linux-source-2.6.26.orig/drivers/usb/core/devio.c linux-source-2.6.26/drivers/usb/core/devio.c
+--- linux-source-2.6.26.orig/drivers/usb/core/devio.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/usb/core/devio.c 2010-04-16 20:02:20.000000000 -0600
+@@ -1203,9 +1203,9 @@ static int processcompl(struct async *as
+ void __user *addr = as->userurb;
+ unsigned int i;
+
+- if (as->userbuffer)
++ if (as->userbuffer && urb->actual_length)
+ if (copy_to_user(as->userbuffer, urb->transfer_buffer,
+- urb->transfer_buffer_length))
++ urb->actual_length))
+ return -EFAULT;
+ if (put_user(as->status, &userurb->status))
+ return -EFAULT;
+@@ -1321,9 +1321,9 @@ static int processcompl_compat(struct as
+ void __user *addr = as->userurb;
+ unsigned int i;
+
+- if (as->userbuffer)
++ if (as->userbuffer && urb->actual_length)
+ if (copy_to_user(as->userbuffer, urb->transfer_buffer,
+- urb->transfer_buffer_length))
++ urb->actual_length))
+ return -EFAULT;
+ if (put_user(as->status, &userurb->status))
+ return -EFAULT;
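Review bot: Bounding the copy by `urb->actual_length` is right for bulk, interrupt and control completions, but if processcompl also handles isochronous URBs the received data sits at per-packet offsets within transfer_buffer and actual_length is the sum of the per-packet lengths, so copying only the first actual_length bytes from offset 0 would drop later packets; worth confirming how isochronous completions reach this path, since number_of_packets is not consulted here. The same two-line change is duplicated verbatim in processcompl_compat; a small shared helper that copies the received bytes to userspace would keep the two from diverging. Both functions continue outside the hunk.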
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/powerpc/kgdb-dont-needlessly-skip-PAGE_USER-test-for-Fsl-booke.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/powerpc/kgdb-dont-needlessly-skip-PAGE_USER-test-for-Fsl-booke.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/powerpc/kgdb-dont-needlessly-skip-PAGE_USER-test-for-Fsl-booke.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/powerpc/kgdb-dont-needlessly-skip-PAGE_USER-test-for-Fsl-booke.patch)
@@ -0,0 +1,42 @@
+commit 56151e753468e34aeb322af4b0309ab727c97d2e
+Author: Wufei <fei.wu at windriver.com>
+Date: Wed Apr 28 17:42:32 2010 -0400
+
+ kgdb: don't needlessly skip PAGE_USER test for Fsl booke
+
+ The bypassing of this test is a leftover from 2.4 vintage
+ kernels, and is no longer appropriate, or even used by KGDB.
+ Currently KGDB uses probe_kernel_write() for all access to
+ memory via the KGDB core, so it can simply be deleted.
+
+ This fixes CVE-2010-1446.
+
+ CC: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+ CC: Paul Mackerras <paulus at samba.org>
+ CC: Kumar Gala <galak at kernel.crashing.org>
+ Signed-off-by: Wufei <fei.wu at windriver.com>
+ Signed-off-by: Jason Wessel <jason.wessel at windriver.com>
+
+
+Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>
+
+
+diff -urpN a/arch/powerpc/mm/fsl_booke_mmu.c b/arch/powerpc/mm/fsl_booke_mmu.c
+--- a/arch/powerpc/mm/fsl_booke_mmu.c 2009-12-02 20:51:21.000000000 -0700
++++ b/arch/powerpc/mm/fsl_booke_mmu.c 2010-04-30 00:49:04.000000000 -0600
+@@ -131,15 +131,10 @@ void settlbcam(int index, unsigned long
+ TLBCAM[index].MAS3 = (phys & PAGE_MASK) | MAS3_SX | MAS3_SR;
+ TLBCAM[index].MAS3 |= ((flags & _PAGE_RW) ? MAS3_SW : 0);
+
+-#ifndef CONFIG_KGDB /* want user access for breakpoints */
+ if (flags & _PAGE_USER) {
+ TLBCAM[index].MAS3 |= MAS3_UX | MAS3_UR;
+ TLBCAM[index].MAS3 |= ((flags & _PAGE_RW) ? MAS3_UW : 0);
+ }
+-#else
+- TLBCAM[index].MAS3 |= MAS3_UX | MAS3_UR;
+- TLBCAM[index].MAS3 |= ((flags & _PAGE_RW) ? MAS3_UW : 0);
+-#endif
+
+ tlbcam_addrs[index].start = virt;
+ tlbcam_addrs[index].limit = virt + size - 1;
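Review bot: The backport line in the description says `Adjusted to apply to Debian's 2.6.32`, while this file is added under the lenny 2.6.26 tree and the sibling patches in this commit say 2.6.26; the version should be corrected so the provenance of the adjustment is not misleading. The code change itself only removes the `#ifndef CONFIG_KGDB` branch, leaving the `_PAGE_USER` test unconditional; settlbcam continues outside the hunk.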
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch)
@@ -0,0 +1,54 @@
+commit f5ef7eaab6daa9eea6c2f611af743544cb0b905d
+Author: David S. Miller <davem at davemloft.net>
+Date: Fri Feb 19 15:19:52 2010 -0800
+
+ sparc64: Fix sun4u execute bit check in TSB I-TLB load.
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ Thanks to testcase and report from Brad Spengler:
+
+ --------------------
+
+ typedef int (* _wee)(void);
+
+ int main(void)
+ {
+ char buf[8] = { '\x81', '\xc7', '\xe0', '\x08', '\x81', '\xe8',
+ '\x00', '\x00' };
+ _wee wee;
+ printf("%p\n", &buf);
+ wee = (_wee)&buf;
+ wee();
+
+ return 0;
+ }
+ --------------------
+
+ TSB I-tlb load code tries to use andcc to check the _PAGE_EXEC_4U bit,
+ but that's bit 12 so it gets sign extended all the way up to bit 63
+ and the test nearly always passes as a result.
+
+ Use sethi to fix the bug.
+
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/arch/sparc64/kernel/tsb.S b/arch/sparc64/kernel/tsb.S
+index c499214..a237e29 100644
+--- a/arch/sparc64/kernel/tsb.S
++++ b/arch/sparc64/kernel/tsb.S
+@@ -191,10 +191,12 @@ tsb_dtlb_load:
+
+ tsb_itlb_load:
+ /* Executable bit must be set. */
+-661: andcc %g5, _PAGE_EXEC_4U, %g0
+- .section .sun4v_1insn_patch, "ax"
++661: sethi %hi(_PAGE_EXEC_4U), %g4
++ andcc %g5, %g4, %g0
++ .section .sun4v_2insn_patch, "ax"
+ .word 661b
+ andcc %g5, _PAGE_EXEC_4V, %g0
++ nop
+ .previous
+
+ be,pn %xcc, tsb_do_fault
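Review bot: The replacement loads `%hi(_PAGE_EXEC_4U)` into %g4 before the andcc, so %g4 is now clobbered at tsb_itlb_load where the old single andcc wrote only %g0; this needs confirming against the rest of tsb_itlb_load and the shared code after it, which are outside the hunk, since any value kept in %g4 across this point would be lost. A short comment on the sethi line, e.g. `/* _PAGE_EXEC_4U is bit 12: as a simm13 it sign-extends, so build the mask with sethi */`, would record why the two-instruction form is needed and why the sun4v variant now carries a nop to fill the second slot.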
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-x86-disable-paravirt-mmu-reporting.patch (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/x86/kvm-x86-disable-paravirt-mmu-reporting.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-x86-disable-paravirt-mmu-reporting.patch Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/bugfix/x86/kvm-x86-disable-paravirt-mmu-reporting.patch)
@@ -0,0 +1,41 @@
+From stefan.bader at canonical.com Wed Apr 7 14:48:33 2010
+From: Marcelo Tosatti <mtosatti at redhat.com>
+Date: Fri, 19 Mar 2010 15:47:39 +0100
+Subject: KVM: x86: disable paravirt mmu reporting
+To: stable at kernel.org
+Cc: Marcelo Tosatti <mtosatti at redhat.com>, Avi Kivity <avi at redhat.com>, Gleb Natapov <gleb at redhat.com>
+Message-ID: <1269010059-25309-12-git-send-email-stefan.bader at canonical.com>
+
+
+From: Marcelo Tosatti <mtosatti at redhat.com>
+
+commit a68a6a7282373bedba8a2ed751b6384edb983a64 upstream
+
+Disable paravirt MMU capability reporting, so that new (or rebooted)
+guests switch to native operation.
+
+Paravirt MMU is a burden to maintain and does not bring significant
+advantages compared to shadow anymore.
+
+Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+Signed-off-by: Avi Kivity <avi at redhat.com>
+Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[bwh: Adjust context for 2.6.26]
+---
+ arch/x86/kvm/x86.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1242,8 +1242,8 @@ int kvm_dev_ioctl_check_extension(long e
+ case KVM_CAP_NR_MEMSLOTS:
+ r = KVM_MEMORY_SLOTS;
+ break;
+- case KVM_CAP_PV_MMU:
+- r = !tdp_enabled;
++ case KVM_CAP_PV_MMU: /* obsolete */
++ r = 0;
+ break;
+ default:
+ r = 0;
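Review bot: With `r = 0;` the `case KVM_CAP_PV_MMU:` arm is now byte-identical to the `default:` arm three lines below it, so the case survives only as documentation; the bare `/* obsolete */` marker should say what a reader needs, e.g. `case KVM_CAP_PV_MMU: /* obsolete: paravirt MMU is no longer advertised, guests use the native MMU */`. Reporting the capability as absent only steers guests that query it before use; whether the hypercall handling that services paravirt MMU operations is still reachable in this 2.6.26 tree is not visible from the hunk and is worth confirming as part of the backport. kvm_dev_ioctl_check_extension begins and ends outside the hunk.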
Modified: dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Thu Jun 10 18:42:03 2010 (r15848)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Thu Jun 10 18:46:06 2010 (r15849)
@@ -9391,6 +9391,14 @@
path->mnt = mnt;
path->dentry = dentry;
__follow_mount(path);
+@@ -875,6 +903,7 @@ fail:
+ static inline int follow_on_final(struct inode *inode, unsigned lookup_flags)
+ {
+ return inode && unlikely(inode->i_op->follow_link) &&
++ !(lookup_flags & LOOKUP_STRICT) &&
+ ((lookup_flags & LOOKUP_FOLLOW) || S_ISDIR(inode->i_mode));
+ }
+
@@ -872,6 +900,7 @@ static int __link_path_walk(const char *name, struct nameidata *nd)
struct inode *inode;
int err;
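Review bot: The `!(lookup_flags & LOOKUP_STRICT)` test added to follow_on_final gates both arms of the disjunction after it, so a strict lookup now also refuses to follow a symlink whose target is a directory (the `S_ISDIR(inode->i_mode)` arm), whereas the hunk it replaces further down only excluded LOOKUP_STRICT from the `LOOKUP_FOLLOW` branch. That is presumably the intended meaning of strict, but the S_ISDIR arm appears to come from the automount-symlink fix in this same upload, so callers that set LOOKUP_STRICT gain a new refusal path that is worth confirming. A comment on the added line, `/* LOOKUP_STRICT: never follow, not even directory symlinks */`, would record the decision. The removed hunk also checked `inode->i_op` for NULL before reaching `follow_link`; the helper does not, which is only safe if every inode in this tree carries a non-NULL i_op.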
@@ -9417,14 +9425,6 @@
err = do_follow_link(&next, nd);
if (err)
goto return_err;
-@@ -1003,6 +1036,7 @@ last_component:
- break;
- inode = next.dentry->d_inode;
- if ((lookup_flags & LOOKUP_FOLLOW)
-+ && !(lookup_flags & LOOKUP_STRICT)
- && inode && inode->i_op && inode->i_op->follow_link) {
- err = do_follow_link(&next, nd);
- if (err)
@@ -1024,27 +1058,41 @@ lookup_parent:
nd->last_type = LAST_NORM;
if (this.name[0] != '.')
Copied: dists/lenny/linux-2.6/debian/patches/series/22lenny1 (from r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/series/22lenny1)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/22lenny1 Thu Jun 10 18:46:06 2010 (r15849, copy of r15848, releases/linux-2.6/2.6.26-22lenny1/debian/patches/series/22lenny1)
@@ -0,0 +1,16 @@
++ bugfix/all/usbfs-only-copy-received-data.patch
++ bugfix/all/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch
++ bugfix/x86/kvm-x86-disable-paravirt-mmu-reporting.patch
++ bugfix/all/r8169-Fix-receive-buffer-length.patch
++ bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
++ bugfix/all/r8169-clean-up-my-printk-uglyness.patch
++ bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch
++ bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch
++ bugfix/all/nfs-fix-an-oops-when-truncating-a-file.patch
++ bugfix/all/fix-LOOKUP_FOLLOW-on-automount-symlinks.patch
++ bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch
++ bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
++ bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch
++ bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch
++ bugfix/all/keys-find_keyring_by_name-can-gain-access-to-a-freed-keyring.patch
++ bugfix/powerpc/kgdb-dont-needlessly-skip-PAGE_USER-test-for-Fsl-booke.patch