[kernel] r18045 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/bugfix/sparc patches/series

Ben Hutchings benh at alioth.debian.org
Sun Sep 4 23:30:52 UTC 2011


Author: benh
Date: Sun Sep  4 23:30:50 2011
New Revision: 18045

Log:
Add fixes from the stable queue believed to fix Debian bugs

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
   dists/sid/linux-2.6/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
   dists/sid/linux-2.6/debian/patches/bugfix/all/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
   dists/sid/linux-2.6/debian/patches/bugfix/sparc/sparc64-only-panther-cheetah-chips-have-popc.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/4

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Sun Sep  4 22:28:39 2011	(r18044)
+++ dists/sid/linux-2.6/debian/changelog	Sun Sep  4 23:30:50 2011	(r18045)
@@ -13,10 +13,14 @@
     - ext4: fix nomblk_io_submit option so it correctly converts uninit blocks
     - xen-blkfront: Drop name and minor adjustments for emulated scsi devices
     - xen/x86: replace order-based range checking of M2P table by linear one
-    - rt2x00: fix order of entry flags modification (Closes: #636531)
+    - rt2x00: fix order of entry flags modification
     - Add a personality to report 2.6.x version numbers
     For the complete list of changes, see:
      http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.4
+  * sendmmsg/sendmsg: fix unsafe user pointer access
+  * rt2x00: fix crash in rt2800usb_write_tx_desc
+  * rt2x00: fix crash in rt2800usb_get_txwi (Closes: #636531)
+  * [sparc] Only Panther cheetah+ chips have POPC (Closes: #639949)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 28 Aug 2011 17:07:47 +0100
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch	Sun Sep  4 23:30:50 2011	(r18045)
@@ -0,0 +1,74 @@
+From sgruszka at redhat.com  Mon Aug 29 15:24:50 2011
+From: Stanislaw Gruszka <sgruszka at redhat.com>
+Date: Thu, 25 Aug 2011 17:14:26 +0200
+Subject: rt2x00: fix crash in rt2800usb_get_txwi
+To: stable at kernel.org
+Cc: IvDoorn at gmail.com, Stanislaw Gruszka <sgruszka at redhat.com>, jpiszcz at lucidpixels.com, "John W. Linville" <linville at tuxdriver.com>
+Message-ID: <1314285266-5098-3-git-send-email-sgruszka at redhat.com>
+
+From: Stanislaw Gruszka <sgruszka at redhat.com>
+
+commit 674db1344443204b6ce3293f2df8fd1b7665deea upstream.
+
+Patch should fix this oops:
+
+BUG: unable to handle kernel NULL pointer dereference at 000000a0
+IP: [<f81b30c9>] rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
+*pdpt = 0000000000000000 *pde = f000ff53f000ff53
+Oops: 0000 [#1] SMP
+Pid: 198, comm: kworker/u:3 Tainted: G        W   3.0.0-wl+ #9 LENOVO 6369CTO/6369CTO
+EIP: 0060:[<f81b30c9>] EFLAGS: 00010283 CPU: 1
+EIP is at rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
+EAX: 00000000 EBX: f465e140 ECX: f4494960 EDX: ef24c5f8
+ESI: 810f21f5 EDI: f1da9960 EBP: f4581e80 ESP: f4581e70
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+Process kworker/u:3 (pid: 198, ti=f4580000 task=f4494960 task.ti=f4580000)
+Call Trace:
+ [<f804790f>] rt2800_txdone_entry+0x2f/0xf0 [rt2800lib]
+ [<c045110d>] ? warn_slowpath_common+0x7d/0xa0
+ [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
+ [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
+ [<f81b3a13>] rt2800usb_work_txdone+0x263/0x360 [rt2800usb]
+ [<c046a8d6>] process_one_work+0x186/0x440
+ [<c046a85a>] ? process_one_work+0x10a/0x440
+ [<f81b37b0>] ? rt2800usb_probe_hw+0x120/0x120 [rt2800usb]
+ [<c046c283>] worker_thread+0x133/0x310
+ [<c04885db>] ? trace_hardirqs_on+0xb/0x10
+ [<c046c150>] ? manage_workers+0x1e0/0x1e0
+ [<c047054c>] kthread+0x7c/0x90
+ [<c04704d0>] ? __init_kthread_worker+0x60/0x60
+ [<c0826b42>] kernel_thread_helper+0x6/0x1
+
+Oops might happen because we check rt2x00queue_empty(queue) twice,
+but this condition can change and we can process entry in
+rt2800_txdone_entry(), which was already processed by
+rt2800usb_txdone_entry_check() -> rt2x00lib_txdone_noinfo() and
+has nullify entry->skb .
+
+Reported-by: Justin Piszcz <jpiszcz at lucidpixels.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka at redhat.com>
+Acked-by: Ivo van Doorn <IvDoorn at gmail.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/net/wireless/rt2x00/rt2800lib.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -764,12 +764,11 @@ void rt2800_txdone(struct rt2x00_dev *rt
+ 			entry = rt2x00queue_get_entry(queue, Q_INDEX_DONE);
+ 			if (rt2800_txdone_entry_check(entry, reg))
+ 				break;
++			entry = NULL;
+ 		}
+ 
+-		if (!entry || rt2x00queue_empty(queue))
+-			break;
+-
+-		rt2800_txdone_entry(entry, reg);
++		if (entry)
++			rt2800_txdone_entry(entry, reg);
+ 	}
+ }
+ EXPORT_SYMBOL_GPL(rt2800_txdone);
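Review bot: The new `entry = NULL;` at the bottom of the inner loop carries the whole fix but has no explanation, and the loop that owns it (and rt2800_txdone() itself) starts above the hunk, so a reader landing here cannot see why a non-matching entry must be forgotten. Per the description, rt2800_txdone_entry_check() has already completed such an entry via rt2x00lib_txdone_noinfo() and cleared its skb, so a why-comment would help: `/* already completed by rt2800_txdone_entry_check(); never hand it to rt2800_txdone_entry() */`. The remaining `if (entry)` still assumes nothing else consumes the matched entry between the check and rt2800_txdone_entry(); no lock is visible in the hunk, so whether the other txdone path can race here should be confirmed against the surrounding code.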

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch	Sun Sep  4 23:30:50 2011	(r18045)
@@ -0,0 +1,102 @@
+From sgruszka at redhat.com  Mon Aug 29 15:23:55 2011
+From: Stanislaw Gruszka <sgruszka at redhat.com>
+Date: Thu, 25 Aug 2011 17:14:24 +0200
+Subject: rt2x00: fix crash in rt2800usb_write_tx_desc
+To: stable at kernel.org
+Cc: IvDoorn at gmail.com, Stanislaw Gruszka <sgruszka at redhat.com>, jpiszcz at lucidpixels.com, "John W. Linville" <linville at tuxdriver.com>
+Message-ID: <1314285266-5098-1-git-send-email-sgruszka at redhat.com>
+
+From: Stanislaw Gruszka <sgruszka at redhat.com>
+
+commit 4b1bfb7d2d125af6653d6c2305356b2677f79dc6 upstream.
+
+Patch should fix this oops:
+
+BUG: unable to handle kernel NULL pointer dereference at 000000a0
+IP: [<f8e06078>] rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb]
+*pdpt = 000000002408c001 *pde = 0000000024079067 *pte = 0000000000000000
+Oops: 0000 [#1] SMP
+EIP: 0060:[<f8e06078>] EFLAGS: 00010282 CPU: 0
+EIP is at rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb]
+EAX: 00000035 EBX: ef2bef10 ECX: 00000000 EDX: d40958a0
+ESI: ef1865f8 EDI: ef1865f8 EBP: d4095878 ESP: d409585c
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+Call Trace:
+ [<f8da5e85>] rt2x00queue_write_tx_frame+0x155/0x300 [rt2x00lib]
+ [<f8da424c>] rt2x00mac_tx+0x7c/0x370 [rt2x00lib]
+ [<c04882b2>] ? mark_held_locks+0x62/0x90
+ [<c081f645>] ? _raw_spin_unlock_irqrestore+0x35/0x60
+ [<c04884ba>] ? trace_hardirqs_on_caller+0x5a/0x170
+ [<c04885db>] ? trace_hardirqs_on+0xb/0x10
+ [<f8d618ac>] __ieee80211_tx+0x5c/0x1e0 [mac80211]
+ [<f8d631fc>] ieee80211_tx+0xbc/0xe0 [mac80211]
+ [<f8d63163>] ? ieee80211_tx+0x23/0xe0 [mac80211]
+ [<f8d632e1>] ieee80211_xmit+0xc1/0x200 [mac80211]
+ [<f8d63220>] ? ieee80211_tx+0xe0/0xe0 [mac80211]
+ [<c0487d45>] ? lock_release_holdtime+0x35/0x1b0
+ [<f8d63986>] ? ieee80211_subif_start_xmit+0x446/0x5f0 [mac80211]
+ [<f8d637dd>] ieee80211_subif_start_xmit+0x29d/0x5f0 [mac80211]
+ [<f8d63924>] ? ieee80211_subif_start_xmit+0x3e4/0x5f0 [mac80211]
+ [<c0760188>] ? sock_setsockopt+0x6a8/0x6f0
+ [<c0760000>] ? sock_setsockopt+0x520/0x6f0
+ [<c076daef>] dev_hard_start_xmit+0x2ef/0x650
+
+Oops might happen because we perform parallel putting new entries in a
+queue (rt2x00queue_write_tx_frame()) and removing entries after
+finishing transmitting (rt2800usb_work_txdone()). There are cases when
+_txdone may process an entry that was not fully send and nullify
+entry->skb .
+
+To fix check in _txdone if entry has flags that indicate pending
+transmission and wait until flags get cleared.
+
+Reported-by: Justin Piszcz <jpiszcz at lucidpixels.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka at redhat.com>
+Acked-by: Ivo van Doorn <IvDoorn at gmail.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/net/wireless/rt2x00/rt2800lib.c |   10 ++++++++++
+ drivers/net/wireless/rt2x00/rt2800usb.c |    4 +++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -38,6 +38,7 @@
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
++#include <linux/sched.h>
+ 
+ #include "rt2x00.h"
+ #include "rt2800lib.h"
+@@ -607,6 +608,15 @@ static bool rt2800_txdone_entry_check(st
+ 	int wcid, ack, pid;
+ 	int tx_wcid, tx_ack, tx_pid;
+ 
++	if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags) ||
++	    !test_bit(ENTRY_DATA_STATUS_PENDING, &entry->flags)) {
++		WARNING(entry->queue->rt2x00dev,
++			"Data pending for entry %u in queue %u\n",
++			entry->entry_idx, entry->queue->qid);
++		cond_resched();
++		return false;
++	}
++
+ 	wcid	= rt2x00_get_field32(reg, TX_STA_FIFO_WCID);
+ 	ack	= rt2x00_get_field32(reg, TX_STA_FIFO_TX_ACK_REQUIRED);
+ 	pid	= rt2x00_get_field32(reg, TX_STA_FIFO_PID_TYPE);
+--- a/drivers/net/wireless/rt2x00/rt2800usb.c
++++ b/drivers/net/wireless/rt2x00/rt2800usb.c
+@@ -477,8 +477,10 @@ static void rt2800usb_work_txdone(struct
+ 		while (!rt2x00queue_empty(queue)) {
+ 			entry = rt2x00queue_get_entry(queue, Q_INDEX_DONE);
+ 
+-			if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags))
++			if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags) ||
++			    !test_bit(ENTRY_DATA_STATUS_PENDING, &entry->flags))
+ 				break;
++
+ 			if (test_bit(ENTRY_DATA_IO_FAILED, &entry->flags))
+ 				rt2x00lib_txdone_noinfo(entry, TXDONE_FAILURE);
+ 			else if (rt2x00queue_status_timeout(entry))
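Review bot: `cond_resched()` in the new early-return branch of rt2800_txdone_entry_check() (the rt2800lib.c hunk) is only safe if every caller reaches it from a context that may sleep; the oops trace places the USB path in a workqueue, but rt2800lib.c is shared with the PCI driver, and if that driver calls rt2800_txdone() from a tasklet or interrupt handler this becomes a sleep in atomic context — worth confirming before applying as-is. The WARNING() on the same branch is unconditional, and if the queue's done index is not advanced on this `return false` the caller's `while (!rt2x00queue_empty(queue))` loop will re-check the same entry and log on every pass, so a rate-limited or one-shot message would be preferable if the condition is expected under load. rt2800_txdone_entry_check() and rt2800usb_work_txdone() both start outside the hunk.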

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch	Sun Sep  4 23:30:50 2011	(r18045)
@@ -0,0 +1,60 @@
+From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
+Date: Wed, 24 Aug 2011 19:45:03 -0700
+Subject: sendmmsg/sendmsg: fix unsafe user pointer access
+
+From: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
+
+commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.
+
+Dereferencing a user pointer directly from kernel-space without going
+through the copy_from_user family of functions is a bad idea. Two of
+such usages can be found in the sendmsg code path called from sendmmsg,
+added by
+
+commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
+commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
+
+Usages are performed through memcmp() and memcpy() directly. Fix those
+by using the already copied msg_sys structure instead of the __user *msg
+structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
+or verify_iovec(), which requires additional NULL pointer checks.
+
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
+Signed-off-by: David Goulet <dgoulet at ev0ke.net>
+CC: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+CC: Anton Blanchard <anton at samba.org>
+CC: David S. Miller <davem at davemloft.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/socket.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *
+ 	 * used_address->name_len is initialized to UINT_MAX so that the first
+ 	 * destination address never matches.
+ 	 */
+-	if (used_address && used_address->name_len == msg_sys->msg_namelen &&
+-	    !memcmp(&used_address->name, msg->msg_name,
++	if (used_address && msg_sys->msg_name &&
++	    used_address->name_len == msg_sys->msg_namelen &&
++	    !memcmp(&used_address->name, msg_sys->msg_name,
+ 		    used_address->name_len)) {
+ 		err = sock_sendmsg_nosec(sock, msg_sys, total_len);
+ 		goto out_freectl;
+@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *
+ 	 */
+ 	if (used_address && err >= 0) {
+ 		used_address->name_len = msg_sys->msg_namelen;
+-		memcpy(&used_address->name, msg->msg_name,
+-		       used_address->name_len);
++		if (msg_sys->msg_name)
++			memcpy(&used_address->name, msg_sys->msg_name,
++			       used_address->name_len);
+ 	}
+ 
+ out_freectl:
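Review bot: The `memcmp()` and `memcpy()` on `used_address->name` still use `used_address->name_len`, which the second hunk copies from `msg_sys->msg_namelen`, and nothing in either hunk bounds that length against `sizeof used_address->name`; the fix presumably relies on the earlier address verification having capped `msg_namelen` (not visible here). That dependency deserves a comment at the copy, e.g. `/* msg_namelen was bounded when the address was copied in, so name_len fits used_address->name */`, so a later change to the verification path does not silently reopen an out-of-bounds copy. The added `msg_sys->msg_name` NULL checks match what the description calls "msg_sys can be set to NULL", which reads as shorthand for the msg_name member. __sys_sendmsg() starts and ends outside the hunk.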

Added: dists/sid/linux-2.6/debian/patches/bugfix/sparc/sparc64-only-panther-cheetah-chips-have-popc.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/sparc/sparc64-only-panther-cheetah-chips-have-popc.patch	Sun Sep  4 23:30:50 2011	(r18045)
@@ -0,0 +1,35 @@
+From 1a8e0da5937a6c87807083baa318cf8f98dac9aa Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem at davemloft.net>
+Date: Mon, 29 Aug 2011 21:14:29 -0700
+Subject: sparc64: Only Panther cheetah+ chips have POPC.
+
+From: "David S. Miller" <davem at davemloft.net>
+
+commit 1a8e0da5937a6c87807083baa318cf8f98dac9aa upstream.
+
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/sparc/kernel/setup_64.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/sparc/kernel/setup_64.c
++++ b/arch/sparc/kernel/setup_64.c
+@@ -440,8 +440,14 @@ static void __init init_sparc64_elf_hwca
+ 			cap |= AV_SPARC_VIS;
+ 		if (tlb_type == cheetah || tlb_type == cheetah_plus)
+ 			cap |= AV_SPARC_VIS | AV_SPARC_VIS2;
+-		if (tlb_type == cheetah_plus)
+-			cap |= AV_SPARC_POPC;
++		if (tlb_type == cheetah_plus) {
++			unsigned long impl, ver;
++
++			__asm__ __volatile__("rdpr %%ver, %0" : "=r" (ver));
++			impl = ((ver >> 32) & 0xffff);
++			if (impl == PANTHER_IMPL)
++				cap |= AV_SPARC_POPC;
++		}
+ 		if (tlb_type == hypervisor) {
+ 			if (sun4v_chip_type == SUN4V_CHIP_NIAGARA1)
+ 				cap |= AV_SPARC_ASI_BLK_INIT;
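Review bot: `impl = ((ver >> 32) & 0xffff);` encodes the layout of the %ver register with bare constants and no comment, so a reader has to know that the implementation number lives in bits 47:32. A one-line comment, `/* %ver bits 47:32 hold the implementation number; compare with PANTHER_IMPL */`, or reuse of an existing accessor for that field if arch/sparc already has one (not visible here), would make the intent clear. `PANTHER_IMPL` and the enclosing init_sparc64_elf_hwcap() are defined outside the hunk.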

Modified: dists/sid/linux-2.6/debian/patches/series/4
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/4	Sun Sep  4 22:28:39 2011	(r18044)
+++ dists/sid/linux-2.6/debian/patches/series/4	Sun Sep  4 23:30:50 2011	(r18045)
@@ -7,3 +7,8 @@
 - bugfix/all/befs-validate-length-of-long-symbolic-links.patch
 - bugfix/all/genirq-fix-wrong-bit-operation.patch
 + bugfix/all/stable/3.0.4.patch
+
++ bugfix/all/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
++ bugfix/all/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
++ bugfix/all/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
++ bugfix/sparc/sparc64-only-panther-cheetah-chips-have-popc.patch


