[kernel] r18021 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Sat Aug 27 07:03:53 UTC 2011
Author: benh
Date: Sat Aug 27 07:03:52 2011
New Revision: 18021
Log:
Cherry-pick some important fixes from 3.0.4-rc1
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/genirq-fix-wrong-bit-operation.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/3
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Sat Aug 27 06:52:31 2011 (r18020)
+++ dists/sid/linux-2.6/debian/changelog Sat Aug 27 07:03:52 2011 (r18021)
@@ -11,7 +11,12 @@
SNAT/masquerading is not done)
* Remove net device features from bug reports (Closes: #638956)
* [mips,mipsel] Ignore nfs ABI changes made in 3.0.0-2; fixes FTBFS
+ * genirq: Fix wrong bit operation
+ * befs: Validate length of long symbolic links (CVE-2011-2928)
* CIFS: Fix memory corruption on mount (Closes: #635344)
+ * x86-32, vdso: On system call restart after SYSENTER, use int $0x80
+ * drm/ttm: fix ttm_bo_add_ttm(user) failure path
+ * fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
-- Ben Hutchings <ben at decadent.org.uk> Sun, 21 Aug 2011 16:18:29 +0100
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch Sat Aug 27 07:03:52 2011 (r18021)
@@ -0,0 +1,50 @@
+From: Timo Warns <Warns at pre-sense.de>
+Date: Wed, 17 Aug 2011 17:59:56 +0200
+Subject: befs: Validate length of long symbolic links.
+
+From: Timo Warns <Warns at pre-sense.de>
+
+commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 upstream.
+
+Signed-off-by: Timo Warns <warns at pre-sense.de>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/befs/linuxvfs.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry,
+ befs_data_stream *data = &befs_ino->i_data.ds;
+ befs_off_t len = data->size;
+
+- befs_debug(sb, "Follow long symlink");
+-
+- link = kmalloc(len, GFP_NOFS);
+- if (!link) {
+- link = ERR_PTR(-ENOMEM);
+- } else if (befs_read_lsymlink(sb, data, link, len) != len) {
+- kfree(link);
+- befs_error(sb, "Failed to read entire long symlink");
++ if (len == 0) {
++ befs_error(sb, "Long symlink with illegal length");
+ link = ERR_PTR(-EIO);
+ } else {
+- link[len - 1] = '\0';
++ befs_debug(sb, "Follow long symlink");
++
++ link = kmalloc(len, GFP_NOFS);
++ if (!link) {
++ link = ERR_PTR(-ENOMEM);
++ } else if (befs_read_lsymlink(sb, data, link, len) != len) {
++ kfree(link);
++ befs_error(sb, "Failed to read entire long symlink");
++ link = ERR_PTR(-EIO);
++ } else {
++ link[len - 1] = '\0';
++ }
+ }
+ } else {
+ link = befs_ino->i_data.symlink;
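Review bot: In befs_follow_link the new check rejects only len == 0, while len is still taken directly from data->size and passed to kmalloc(len, GFP_NOFS) with no upper bound. The zero case is the one where link[len - 1] = '\0' wrote before the start of the buffer, so the fix is correct as far as it goes, but an on-disk size far larger than any valid path is still accepted up to the point where the allocation fails. Consider also rejecting len above a maximum symlink length through the same -EIO path. The patch header has no description either; one sentence saying that a zero-length long symlink reached the link[len - 1] write would tie it to the CVE-2011-2928 changelog entry.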
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch Sat Aug 27 07:03:52 2011 (r18021)
@@ -0,0 +1,34 @@
+From: Marcin Slusarz <marcin.slusarz at gmail.com>
+Date: Mon, 22 Aug 2011 21:17:57 +0000
+Subject: drm/ttm: fix ttm_bo_add_ttm(user) failure path
+
+From: Marcin Slusarz <marcin.slusarz at gmail.com>
+
+commit 7c4c3960dff109bc5db4c35da481c212dadb5eb5 upstream.
+
+ttm_tt_destroy kfrees passed object, so we need to nullify
+a reference to it.
+
+Signed-off-by: Marcin Slusarz <marcin.slusarz at gmail.com>
+Reviewed-by: Thomas Hellstrom <thellstrom at vmware.com>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/gpu/drm/ttm/ttm_bo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -353,8 +353,10 @@ static int ttm_bo_add_ttm(struct ttm_buf
+
+ ret = ttm_tt_set_user(bo->ttm, current,
+ bo->buffer_start, bo->num_pages);
+- if (unlikely(ret != 0))
++ if (unlikely(ret != 0)) {
+ ttm_tt_destroy(bo->ttm);
++ bo->ttm = NULL;
++ }
+ break;
+ default:
+ printk(KERN_ERR TTM_PFX "Illegal buffer object type\n");
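Review bot: The commit message for the ttm_bo_add_ttm change says why bo->ttm must be cleared after ttm_tt_destroy(bo->ttm) but not which later path would use the stale pointer, so the severity (use after free or double free) cannot be judged from the patch alone. A sentence naming that path would help. Since the destroy and the reset now have to be kept together by hand at this call site, it is also worth checking whether other failure paths that call ttm_tt_destroy on bo->ttm need the same bo->ttm = NULL.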
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch Sat Aug 27 07:03:52 2011 (r18021)
@@ -0,0 +1,33 @@
+From: Miklos Szeredi <mszeredi at suse.cz>
+Date: Wed, 24 Aug 2011 10:20:17 +0200
+Subject: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
+
+From: Miklos Szeredi <mszeredi at suse.cz>
+
+commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae upstream.
+
+FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
+message processing could overrun and result in a "kernel BUG at
+fs/fuse/dev.c:629!"
+
+Reported-by: Han-Wen Nienhuys <hanwenn at gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi at suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/fuse/dev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struc
+ if (outarg.namelen > FUSE_NAME_MAX)
+ goto err;
+
++ err = -EINVAL;
++ if (size != sizeof(outarg) + outarg.namelen + 1)
++ goto err;
++
+ name.name = buf;
+ name.len = outarg.namelen;
+ err = fuse_copy_one(cs, buf, outarg.namelen + 1);
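Review bot: In fuse_notify_inval_entry the new size check reads outarg.namelen, so outarg has already been copied from the message by this point; the exact-length test only helps if a write shorter than sizeof(outarg) is rejected before that copy, which the hunk context does not show and is worth confirming. The + 1 in size != sizeof(outarg) + outarg.namelen + 1 mirrors the outarg.namelen + 1 bytes read by fuse_copy_one just below; a short comment saying what the extra byte is would keep the two expressions from drifting apart.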
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/genirq-fix-wrong-bit-operation.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/genirq-fix-wrong-bit-operation.patch Sat Aug 27 07:03:52 2011 (r18021)
@@ -0,0 +1,39 @@
+From: "jhbird.choi at samsung.com" <jhbird.choi at samsung.com>
+Date: Thu, 21 Jul 2011 15:29:14 +0900
+Subject: genirq: Fix wrong bit operation
+
+From: "jhbird.choi at samsung.com" <jhbird.choi at samsung.com>
+
+commit 1dd75f91ae713049eb6baaa640078f3a6549e522 upstream.
+
+(!msk & 0x01) should be !(msk & 0x01)
+
+Signed-off-by: Jonghwan Choi <jhbird.choi at samsung.com>
+Link: http://lkml.kernel.org/r/1311229754-6003-1-git-send-email-jhbird.choi@samsung.com
+Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ kernel/irq/generic-chip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/irq/generic-chip.c
++++ b/kernel/irq/generic-chip.c
+@@ -246,7 +246,7 @@ void irq_setup_generic_chip(struct irq_c
+ gc->mask_cache = irq_reg_readl(gc->reg_base + ct->regs.mask);
+
+ for (i = gc->irq_base; msk; msk >>= 1, i++) {
+- if (!msk & 0x01)
++ if (!(msk & 0x01))
+ continue;
+
+ if (flags & IRQ_GC_INIT_NESTED_LOCK)
+@@ -301,7 +301,7 @@ void irq_remove_generic_chip(struct irq_
+ raw_spin_unlock(&gc_lock);
+
+ for (; msk; msk >>= 1, i++) {
+- if (!msk & 0x01)
++ if (!(msk & 0x01))
+ continue;
+
+ /* Remove handler first. That will mask the irq line */
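Review bot: The commit message gives only the corrected expression and not the effect of the old one in the irq_setup_generic_chip and irq_remove_generic_chip loops. Because ! binds tighter than &, !msk & 0x01 is (!msk) & 0x01, and both loops run only while msk is non-zero, so the test was always false and the continue never executed: every bit position up to the highest set bit was set up or removed, including interrupts whose mask bit is clear. Stating that in the message would make the impact clear to anyone triaging the backport.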
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch Sat Aug 27 07:03:52 2011 (r18021)
@@ -0,0 +1,38 @@
+From: "H. Peter Anvin" <hpa at linux.intel.com>
+Date: Mon, 22 Aug 2011 13:27:06 -0700
+Subject: x86-32, vdso: On system call restart after SYSENTER, use int $0x80
+
+From: "H. Peter Anvin" <hpa at linux.intel.com>
+
+commit 7ca0758cdb7c241cb4e0490a8d95f0eb5b861daf upstream.
+
+When we enter a 32-bit system call via SYSENTER or SYSCALL, we shuffle
+the arguments to match the int $0x80 calling convention. This was
+probably a design mistake, but it's what it is now. This causes
+errors if the system call as to be restarted.
+
+For SYSENTER, we have to invoke the instruction from the vdso as the
+return address is hardcoded. Accordingly, we can simply replace the
+jump in the vdso with an int $0x80 instruction and use the slower
+entry point for a post-restart.
+
+Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+Link: http://lkml.kernel.org/r/CA%2B55aFztZ=r5wa0x26KJQxvZOaQq8s2v3u50wCyJcA-Sc4g8gQ@mail.gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/x86/vdso/vdso32/sysenter.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/vdso/vdso32/sysenter.S
++++ b/arch/x86/vdso/vdso32/sysenter.S
+@@ -43,7 +43,7 @@ __kernel_vsyscall:
+ .space 7,0x90
+
+ /* 14: System call restart point is here! (SYSENTER_RETURN-2) */
+- jmp .Lenter_kernel
++ int $0x80
+ /* 16: System call normal return point is here! */
+ VDSO32_SYSENTER_RETURN: /* Symbol used by sysenter.c via vdso32-syms.h */
+ pop %ebp
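Review bot: The commit message says the argument shuffling affects both SYSENTER and SYSCALL, but this hunk changes only the restart instruction in sysenter.S; the message should say whether the SYSCALL path is handled elsewhere or is not affected in the same way. At the restart point itself, the offsets in the comments (14 and 16) stay valid only because int $0x80 is a two-byte instruction like the jmp it replaces. A comment there noting that, and that int $0x80 is used because the registers are already in the int $0x80 convention, would stop someone from turning it back into the jump.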
Modified: dists/sid/linux-2.6/debian/patches/series/3
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/3 Sat Aug 27 06:52:31 2011 (r18020)
+++ dists/sid/linux-2.6/debian/patches/series/3 Sat Aug 27 07:03:52 2011 (r18021)
@@ -1,4 +1,9 @@
- bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
+ bugfix/all/stable/3.0.3.patch
+ bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
++ bugfix/all/genirq-fix-wrong-bit-operation.patch
++ bugfix/all/befs-validate-length-of-long-symbolic-links.patch
+ bugfix/all/cifs-possible-memory-corruption-on-mount.patch
++ bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
++ bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
++ bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch