[kernel] r17904 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Aug 11 06:03:53 UTC 2011


Author: dannf
Date: Thu Aug 11 06:03:51 2011
New Revision: 17904

Log:
NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed Aug 10 12:16:31 2011	(r17903)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug 11 06:03:51 2011	(r17904)
@@ -3,6 +3,7 @@
   * Fix regression in fix for CVE-2011-1768 (Closes: #633738)
   * net: Fix memory leak/corruption on VLAN GRO_DROP (CVE-2011-1576)
   * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
+  * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
 
  -- dann frazier <dannf at debian.org>  Thu, 21 Jul 2011 00:31:53 -0600
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch	Thu Aug 11 06:03:51 2011	(r17904)
@@ -0,0 +1,71 @@
+commit 0b760113a3a155269a3fba93a409c640031dd68f
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date:   Tue May 31 15:15:34 2011 -0400
+
+    NLM: Don't hang forever on NLM unlock requests
+    
+    If the NLM daemon is killed on the NFS server, we can currently end up
+    hanging forever on an 'unlock' request, instead of aborting. Basically,
+    if the rpcbind request fails, or the server keeps returning garbage, we
+    really want to quit instead of retrying.
+    
+    Tested-by: Vasily Averin <vvs at sw.ru>
+    Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+    Cc: stable at kernel.org
+
+diff -urpN linux-source-2.6.32.orig/fs/lockd/clntproc.c linux-source-2.6.32/fs/lockd/clntproc.c
+--- linux-source-2.6.32.orig/fs/lockd/clntproc.c	2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/fs/lockd/clntproc.c	2011-08-03 23:36:15.028741583 -0600
+@@ -709,7 +709,13 @@ static void nlmclnt_unlock_callback(stru
+ 
+ 	if (task->tk_status < 0) {
+ 		dprintk("lockd: unlock failed (err = %d)\n", -task->tk_status);
+-		goto retry_rebind;
++		switch (task->tk_status) {
++		case -EACCES:
++		case -EIO:
++			goto die;
++		default:
++			goto retry_rebind;
++		}
+ 	}
+ 	if (status == NLM_LCK_DENIED_GRACE_PERIOD) {
+ 		rpc_delay(task, NLMCLNT_GRACE_WAIT);
+diff -urpN linux-source-2.6.32.orig/include/linux/sunrpc/sched.h linux-source-2.6.32/include/linux/sunrpc/sched.h
+--- linux-source-2.6.32.orig/include/linux/sunrpc/sched.h	2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/include/linux/sunrpc/sched.h	2011-08-03 23:43:26.040758731 -0600
+@@ -84,8 +84,8 @@ struct rpc_task {
+ 	long			tk_rtt;		/* round-trip time (jiffies) */
+ 
+ 	pid_t			tk_owner;	/* Process id for batching tasks */
+-	unsigned char		tk_priority : 2;/* Task priority */
+-
++	unsigned char		tk_priority : 2,/* Task priority */
++				tk_rebind_retry : 2;
+ #ifdef RPC_DEBUG
+ 	unsigned short		tk_pid;		/* debugging aid */
+ #endif
+diff -urpN linux-source-2.6.32.orig/net/sunrpc/clnt.c linux-source-2.6.32/net/sunrpc/clnt.c
+--- linux-source-2.6.32.orig/net/sunrpc/clnt.c	2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/net/sunrpc/clnt.c	2011-08-03 23:36:15.036741657 -0600
+@@ -1052,6 +1052,9 @@ call_bind_status(struct rpc_task *task)
+ 			status = -EOPNOTSUPP;
+ 			break;
+ 		}
++		if (task->tk_rebind_retry == 0)
++			break;
++		task->tk_rebind_retry--;
+ 		rpc_delay(task, 3*HZ);
+ 		goto retry_timeout;
+ 	case -ETIMEDOUT:
+diff -urpN linux-source-2.6.32.orig/net/sunrpc/sched.c linux-source-2.6.32/net/sunrpc/sched.c
+--- linux-source-2.6.32.orig/net/sunrpc/sched.c	2011-06-11 13:10:38.000000000 -0600
++++ linux-source-2.6.32/net/sunrpc/sched.c	2011-08-03 23:36:15.044741731 -0600
+@@ -789,6 +789,7 @@ static void rpc_init_task(struct rpc_tas
+ 	/* Initialize retry counters */
+ 	task->tk_garb_retry = 2;
+ 	task->tk_cred_retry = 2;
++	task->tk_rebind_retry = 2;
+ 
+ 	task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW;
+ 	task->tk_owner = current->tgid;
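Review bot: The new `tk_rebind_retry` check in call_bind_status() (net/sunrpc/clnt.c) bounds the -EACCES rebind loop for every rpc_task, not only the NLM unlock that the commit message describes, because the counter lives in struct rpc_task and is set to 2 only in rpc_init_task(). After two 3*HZ delays the branch breaks out with whatever `status` holds above the hunk, so callers that depended on indefinite retry while the server's rpcbind is unavailable would presumably now get an error; that should be confirmed against the other users of this path, and whether a restarted task gets its retry budget back is not visible here. The field is also the only member of that bitfield without a comment; I would write `tk_rebind_retry : 2; /* rpcbind -EACCES retries left */` in sched.h. Each of the patched functions starts and ends outside its hunk.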

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Wed Aug 10 12:16:31 2011	(r17903)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug 11 06:03:51 2011	(r17904)
@@ -1,3 +1,4 @@
 + bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch
 + bugfix/all/net-fix-memory-leak+corruption-on-VLAN-GRO_DROP.patch
 + bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
++ bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch


