[kernel] r18506 - in dists/squeeze/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Jan 11 21:50:36 UTC 2012
Author: dannf
Date: Wed Jan 11 21:50:35 2012
New Revision: 18506
Log:
merge 2.6.32-39squeeze1
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch
- copied unchanged from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/add-scsi_cmd_blk_ioctl-wrapper.patch
- copied unchanged from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/add-scsi_cmd_blk_ioctl-wrapper.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices.patch
- copied unchanged from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/revert-ub_bd_ioctl-removal.patch
- copied unchanged from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/revert-ub_bd_ioctl-removal.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch
- copied unchanged from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch
- copied unchanged from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
- copied unchanged from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
- copied unchanged from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
dists/squeeze/linux-2.6/debian/patches/series/39squeeze1
- copied unchanged from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/series/39squeeze1
Modified:
dists/squeeze/linux-2.6/ (props changed)
dists/squeeze/linux-2.6/debian/changelog
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Wed Jan 11 21:42:35 2012 (r18505)
+++ dists/squeeze/linux-2.6/debian/changelog Wed Jan 11 21:50:35 2012 (r18506)
@@ -97,6 +97,17 @@
-- dann frazier <dannf at debian.org> Fri, 23 Dec 2011 12:14:46 -0700
+linux-2.6 (2.6.32-39squeeze1) stable-security; urgency=high
+
+ * Restrict ioctl forwarding on partitions and logical volumes (CVE-2011-4127)
+ * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
+ * KEYS: Fix a NULL pointer deref in the user-defined key type (CVE-2011-4110)
+ * [x86] KVM: Prevent starting PIT timers in the absence of irqchip support
+ (CVE-2011-4622)
+ * rose: Add length checks to CALL_REQUEST parsing (CVE-2011-4914)
+
+ -- dann frazier <dannf at debian.org> Mon, 09 Jan 2012 21:17:41 +0100
+
linux-2.6 (2.6.32-39) stable; urgency=high
[ Ian Campbell ]
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch (from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch Wed Jan 11 21:50:35 2012 (r18506, copy of r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch)
@@ -0,0 +1,65 @@
+commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b
+Author: David Howells <dhowells at redhat.com>
+Date: Tue Nov 15 22:09:45 2011 +0000
+
+ KEYS: Fix a NULL pointer deref in the user-defined key type
+
+ Fix a NULL pointer deref in the user-defined key type whereby updating a
+ negative key into a fully instantiated key will cause an oops to occur
+ when the code attempts to free the non-existent old payload.
+
+ This results in an oops that looks something like the following:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
+ PGD 3391d067 PUD 3894a067 PMD 0
+ Oops: 0002 [#1] SMP
+ CPU 1
+ Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140 /DG965RY
+ RIP: 0010:[<ffffffff81085fa1>] [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
+ RSP: 0018:ffff88003d591df8 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
+ RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
+ R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
+ R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
+ FS: 00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
+ Stack:
+ ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
+ ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
+ ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
+ Call Trace:
+ [<ffffffff810860f0>] call_rcu_sched+0x10/0x12
+ [<ffffffff8117bfea>] user_update+0x8d/0xa2
+ [<ffffffff8117723a>] key_create_or_update+0x236/0x270
+ [<ffffffff811789b1>] sys_add_key+0x123/0x17e
+ [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b
+
+ Signed-off-by: David Howells <dhowells at redhat.com>
+ Acked-by: Jeff Layton <jlayton at redhat.com>
+ Acked-by: Neil Horman <nhorman at redhat.com>
+ Acked-by: Steve Dickson <steved at redhat.com>
+ Acked-by: James Morris <jmorris at namei.org>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
+index 7c687d5..97edf29 100644
+--- a/security/keys/user_defined.c
++++ b/security/keys/user_defined.c
+@@ -119,7 +119,8 @@ int user_update(struct key *key, const void *data, size_t datalen)
+ key->expiry = 0;
+ }
+
+- call_rcu(&zap->rcu, user_update_rcu_disposal);
++ if (zap)
++ call_rcu(&zap->rcu, user_update_rcu_disposal);
+
+ error:
+ return ret;
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/add-scsi_cmd_blk_ioctl-wrapper.patch (from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/add-scsi_cmd_blk_ioctl-wrapper.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/add-scsi_cmd_blk_ioctl-wrapper.patch Wed Jan 11 21:50:35 2012 (r18506, copy of r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/add-scsi_cmd_blk_ioctl-wrapper.patch)
@@ -0,0 +1,157 @@
+From 3831a172b179a5b74142aca314fe84b79e115410 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at debian.org>
+Date: Fri, 6 Jan 2012 14:30:17 -0700
+Subject: [PATCH 1/3] Introduce a wrapper around scsi_cmd_ioctl that takes a
+ block device. The function will then be enhanced to
+ detect partition block devices and, in that case,
+ subject the ioctls to whitelisting.
+
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[dannf: backported to Debian's 2.6.32]
+---
+ block/scsi_ioctl.c | 7 +++++++
+ drivers/block/cciss.c | 6 +++---
+ drivers/block/ub.c | 14 +-------------
+ drivers/block/virtio_blk.c | 4 ++--
+ drivers/cdrom/cdrom.c | 3 +--
+ drivers/scsi/sd.c | 2 +-
+ include/linux/blkdev.h | 2 ++
+ 7 files changed, 17 insertions(+), 21 deletions(-)
+
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 1d5a780..114ee29 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -689,6 +689,13 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
+ }
+ EXPORT_SYMBOL(scsi_cmd_ioctl);
+
++int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
++ unsigned int cmd, void __user *arg)
++{
++ return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
++}
++EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
++
+ int __init blk_scsi_ioctl_init(void)
+ {
+ blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
+diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
+index ca9c548..68b90d9 100644
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -1583,7 +1583,7 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
+ return status;
+ }
+
+- /* scsi_cmd_ioctl handles these, below, though some are not */
++ /* scsi_cmd_blk_ioctl handles these, below, though some are not */
+ /* very meaningful for cciss. SG_IO is the main one people want. */
+
+ case SG_GET_VERSION_NUM:
+@@ -1594,9 +1594,9 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
+ case SG_EMULATED_HOST:
+ case SG_IO:
+ case SCSI_IOCTL_SEND_COMMAND:
+- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
++ return scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
+
+- /* scsi_cmd_ioctl would normally handle these, below, but */
++ /* scsi_cmd_blk_ioctl would normally handle these, below, but */
+ /* they aren't a good fit for cciss, as CD-ROMs are */
+ /* not supported, and we don't have any bus/target/lun */
+ /* which we present to the kernel. */
+diff --git a/drivers/block/ub.c b/drivers/block/ub.c
+index c739b20..5e0ac9a 100644
+--- a/drivers/block/ub.c
++++ b/drivers/block/ub.c
+@@ -1721,18 +1721,6 @@ static int ub_bd_release(struct gendisk *disk, fmode_t mode)
+ }
+
+ /*
+- * The ioctl interface.
+- */
+-static int ub_bd_ioctl(struct block_device *bdev, fmode_t mode,
+- unsigned int cmd, unsigned long arg)
+-{
+- struct gendisk *disk = bdev->bd_disk;
+- void __user *usermem = (void __user *) arg;
+-
+- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd, usermem);
+-}
+-
+-/*
+ * This is called by check_disk_change if we reported a media change.
+ * The main onjective here is to discover the features of the media such as
+ * the capacity, read-only status, etc. USB storage generally does not
+@@ -1793,7 +1781,7 @@ static const struct block_device_operations ub_bd_fops = {
+ .owner = THIS_MODULE,
+ .open = ub_bd_open,
+ .release = ub_bd_release,
+- .locked_ioctl = ub_bd_ioctl,
++ .locked_ioctl = scsi_cmd_blk_ioctl,
+ .media_changed = ub_bd_media_changed,
+ .revalidate_disk = ub_bd_revalidate,
+ };
+diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
+index 51042f0..44d019b 100644
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -200,8 +200,8 @@ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
+ if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
+ return -ENOTTY;
+
+- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd,
+- (void __user *)data);
++ return scsi_cmd_blk_ioctl(bdev, mode, cmd,
++ (void __user *)data);
+ }
+
+ /* We provide getgeo only to please some old bootloader/partitioning tools */
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 614da5b..59cccc9 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2684,12 +2684,11 @@ int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
+ {
+ void __user *argp = (void __user *)arg;
+ int ret;
+- struct gendisk *disk = bdev->bd_disk;
+
+ /*
+ * Try the generic SCSI command ioctl's first.
+ */
+- ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
++ ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
+ if (ret != -ENOTTY)
+ return ret;
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 160b47e..a5f3728 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -840,7 +840,7 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
+ case SCSI_IOCTL_GET_BUS_NUMBER:
+ return scsi_ioctl(sdp, cmd, p);
+ default:
+- error = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, p);
++ error = scsi_cmd_blk_ioctl(bdev, mode, cmd, p);
+ if (error != -ENOTTY)
+ return error;
+ }
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 57da328..025b78b 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -779,6 +779,8 @@ extern void blk_plug_device(struct request_queue *);
+ extern void blk_plug_device_unlocked(struct request_queue *);
+ extern int blk_remove_plug(struct request_queue *);
+ extern void blk_recount_segments(struct request_queue *, struct bio *);
++extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
++ unsigned int, void __user *);
+ extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
+ unsigned int, void __user *);
+ extern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,
+--
+1.7.8.2
+
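Review bot: Assigning `scsi_cmd_blk_ioctl` directly to `.locked_ioctl` in drivers/block/ub.c is a function-pointer type mismatch: the removed `ub_bd_ioctl` shows that slot receives `unsigned long arg` and converts it to `void __user *`, whereas the new wrapper is declared with `void __user *arg`. The other call sites (cciss, virtio_blk, cdrom, sd) go through an existing driver ioctl function and are fine. The revert-ub_bd_ioctl-removal patch later in this same commit restores the thin wrapper, which confirms the problem; folding that into this patch instead of stacking a revert on top would keep the series reviewable. Separately, the wrapper dereferences `bd->bd_disk->queue` with no NULL check on `bd`, which is acceptable only while every caller is a block_device_operations handler with a valid bdev — worth stating in a comment on the function.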
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices.patch (from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices.patch Wed Jan 11 21:50:35 2012 (r18506, copy of r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices.patch)
@@ -0,0 +1,140 @@
+From 264713ad6e27fcd33eb2095a98ffa6d34ce2ea4b Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at debian.org>
+Date: Fri, 6 Jan 2012 14:31:06 -0700
+Subject: [PATCH 2/3] Linux allows executing the SG_IO ioctl on a partition or
+ even on an LVM volume, and will pass the command to the
+ underlying block device. This is well-known, but it is
+ also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a
+ program or user needs to be granted access to a
+ particular partition or logical volume but not to the
+ full device.
+
+This patch limits the ioctls that are forwarded to non-SCSI devices to
+a few ones that are harmless. This restriction includes programs
+running with the CAP_SYS_RAWIO. If for example I let a program access
+/dev/sda2 and /dev/sdb, it still should not be able to read/write outside
+the boundaries of /dev/sda2 independent of the capabilities.
+
+This patch does not affect the non-libata IDE driver. That driver however
+alreadys test for bd != bd->bd_contains before issuing some ioctl; so,
+programs that do not require CAP_SYS_RAWIO are safe. A workaround is
+just to use libata.
+
+Encryption on the host is a mitigating factor, but it does not provide
+a full solution. In particular it doesn't protect against DoS (write
+random data), replay attacks (reinstate old ciphertext sectors), or
+writes to unencrypted areas including the MBR, the partition table, or
+/boot.
+
+Thanks to Daniel Berrange, Milan Broz, Mike Christie, Alasdair Kergon,
+Petr Matousek, Jeff Moyer, Mike Snitzer and others for help discussing
+this issue.
+
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[dannf: backported to Debian's 2.6.32]
+---
+ block/scsi_ioctl.c | 34 ++++++++++++++++++++++++++++++++++
+ drivers/scsi/sd.c | 11 +++++++++--
+ include/linux/blkdev.h | 1 +
+ 3 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 114ee29..5cd4e02 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -689,9 +689,43 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
+ }
+ EXPORT_SYMBOL(scsi_cmd_ioctl);
+
++int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
++{
++ if (bd && bd == bd->bd_contains)
++ return 0;
++
++ /* Actually none of this is particularly useful on a partition
++ * device, but let's play it safe.
++ */
++ switch (cmd) {
++ case SCSI_IOCTL_GET_IDLUN:
++ case SCSI_IOCTL_GET_BUS_NUMBER:
++ case SCSI_IOCTL_GET_PCI:
++ case SCSI_IOCTL_PROBE_HOST:
++ case SG_GET_VERSION_NUM:
++ case SG_SET_TIMEOUT:
++ case SG_GET_TIMEOUT:
++ case SG_GET_RESERVED_SIZE:
++ case SG_SET_RESERVED_SIZE:
++ case SG_EMULATED_HOST:
++ return 0;
++ default:
++ break;
++ }
++ /* In particular, rule out all resets and host-specific ioctls. */
++ return -ENOTTY;
++}
++EXPORT_SYMBOL(scsi_verify_blk_ioctl);
++
+ int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
+ unsigned int cmd, void __user *arg)
+ {
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bd, cmd);
++ if (ret < 0)
++ return ret;
++
+ return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
+ }
+ EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index a5f3728..4219572 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -819,6 +819,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
+ SCSI_LOG_IOCTL(1, printk("sd_ioctl: disk=%s, cmd=0x%x\n",
+ disk->disk_name, cmd));
+
++ error = scsi_verify_blk_ioctl(bdev, cmd);
++ if (error < 0)
++ return error;
++
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+ * else try and use this device. Also, if error recovery fails, it
+@@ -998,6 +1002,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ unsigned int cmd, unsigned long arg)
+ {
+ struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bdev, cmd);
++ if (ret < 0)
++ return ret;
+
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+@@ -1009,8 +1018,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ return -ENODEV;
+
+ if (sdev->host->hostt->compat_ioctl) {
+- int ret;
+-
+ ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
+
+ return ret;
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 025b78b..09beade 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -779,6 +779,7 @@ extern void blk_plug_device(struct request_queue *);
+ extern void blk_plug_device_unlocked(struct request_queue *);
+ extern int blk_remove_plug(struct request_queue *);
+ extern void blk_recount_segments(struct request_queue *, struct bio *);
++extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
+ extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
+ unsigned int, void __user *);
+ extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
+--
+1.7.8.2
+
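Review bot: `scsi_verify_blk_ioctl` should carry a header comment stating its contract, because the visible code does not convey two deliberate choices that only the patch description makes explicit: CAP_SYS_RAWIO is intentionally not honored, and a NULL `bd` is treated as "not the whole device" (the `bd &&` in the first test is load-bearing — the dm-linear and dm-mpath hunks in this same commit call it with NULL). Suggest `/* Return 0 if cmd may be forwarded from bd to the underlying SCSI device. A partition (bd != bd->bd_contains) or bd == NULL only gets the small set of harmless query/setup ioctls below; CAP_SYS_RAWIO does not bypass this. */` above the definition. Note also that sd devices now consult the whitelist twice — once in sd_ioctl/sd_compat_ioctl and again inside scsi_cmd_blk_ioctl from the default case — which is harmless but worth a comment so the apparent duplicate is not removed later.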
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/revert-ub_bd_ioctl-removal.patch (from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/revert-ub_bd_ioctl-removal.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/revert-ub_bd_ioctl-removal.patch Wed Jan 11 21:50:35 2012 (r18506, copy of r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/revert-ub_bd_ioctl-removal.patch)
@@ -0,0 +1,32 @@
+diff --git a/drivers/block/ub.c b/drivers/block/ub.c
+index 5e0ac9a..1bdf2ca 100644
+--- a/drivers/block/ub.c
++++ b/drivers/block/ub.c
+@@ -1721,6 +1721,18 @@ static int ub_bd_release(struct gendisk *disk, fmode_t mode)
+ }
+
+ /*
++ * The ioctl interface.
++ */
++static int ub_bd_ioctl(struct block_device *bdev, fmode_t mode,
++ unsigned int cmd, unsigned long arg)
++{
++ struct gendisk *disk = bdev->bd_disk;
++ void __user *usermem = (void __user *) arg;
++
++ return scsi_cmd_blk_ioctl(disk->queue, disk, mode, cmd, usermem);
++}
++
++/*
+ * This is called by check_disk_change if we reported a media change.
+ * The main onjective here is to discover the features of the media such as
+ * the capacity, read-only status, etc. USB storage generally does not
+@@ -1781,7 +1793,7 @@ static const struct block_device_operations ub_bd_fops = {
+ .owner = THIS_MODULE,
+ .open = ub_bd_open,
+ .release = ub_bd_release,
+- .locked_ioctl = scsi_cmd_blk_ioctl,
++ .locked_ioctl = ub_bd_ioctl,
+ .media_changed = ub_bd_media_changed,
+ .revalidate_disk = ub_bd_revalidate,
+ };
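Review bot: The restored `ub_bd_ioctl` calls `scsi_cmd_blk_ioctl(disk->queue, disk, mode, cmd, usermem)` with five arguments, but the prototype added to include/linux/blkdev.h earlier in this commit is `scsi_cmd_blk_ioctl(struct block_device *, fmode_t, unsigned int, void __user *)` — four parameters, the first a block_device. As written this cannot compile wherever ub.c is built, and the wrapper needs the bdev to inspect `bd_contains` for the partition check. The body should be `void __user *usermem = (void __user *) arg;` followed by `return scsi_cmd_blk_ioctl(bdev, mode, cmd, usermem);`, dropping the then-unused `disk` local.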
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch (from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch Wed Jan 11 21:50:35 2012 (r18506, copy of r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch)
@@ -0,0 +1,334 @@
+commit e0bccd315db0c2f919e7fcf9cb60db21d9986f52
+Author: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun Mar 20 06:48:05 2011 +0000
+
+ rose: Add length checks to CALL_REQUEST parsing
+
+ Define some constant offsets for CALL_REQUEST based on the description
+ at <http://www.techfest.com/networking/wan/x25plp.htm> and the
+ definition of ROSE as using 10-digit (5-byte) addresses. Use them
+ consistently. Validate all implicit and explicit facilities lengths.
+ Validate the address length byte rather than either trusting or
+ assuming its value.
+
+ Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/include/net/rose.h b/include/net/rose.h
+index 5ba9f02..555dd19 100644
+--- a/include/net/rose.h
++++ b/include/net/rose.h
+@@ -14,6 +14,12 @@
+
+ #define ROSE_MIN_LEN 3
+
++#define ROSE_CALL_REQ_ADDR_LEN_OFF 3
++#define ROSE_CALL_REQ_ADDR_LEN_VAL 0xAA /* each address is 10 digits */
++#define ROSE_CALL_REQ_DEST_ADDR_OFF 4
++#define ROSE_CALL_REQ_SRC_ADDR_OFF 9
++#define ROSE_CALL_REQ_FACILITIES_OFF 14
++
+ #define ROSE_GFI 0x10
+ #define ROSE_Q_BIT 0x80
+ #define ROSE_D_BIT 0x40
+@@ -214,7 +220,7 @@ extern void rose_requeue_frames(struct sock *);
+ extern int rose_validate_nr(struct sock *, unsigned short);
+ extern void rose_write_internal(struct sock *, int);
+ extern int rose_decode(struct sk_buff *, int *, int *, int *, int *, int *);
+-extern int rose_parse_facilities(unsigned char *, struct rose_facilities_struct *);
++extern int rose_parse_facilities(unsigned char *, unsigned int, struct rose_facilities_struct *);
+ extern void rose_disconnect(struct sock *, int, int, int);
+
+ /* rose_timer.c */
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 7d188bc..523efbb 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -983,7 +983,7 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
+ struct sock *make;
+ struct rose_sock *make_rose;
+ struct rose_facilities_struct facilities;
+- int n, len;
++ int n;
+
+ skb->sk = NULL; /* Initially we don't know who it's for */
+
+@@ -992,9 +992,9 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
+ */
+ memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
+
+- len = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
+- len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
+- if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {
++ if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
++ skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
++ &facilities)) {
+ rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76);
+ return 0;
+ }
+diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
+index 114df6e..37965b8 100644
+--- a/net/rose/rose_loopback.c
++++ b/net/rose/rose_loopback.c
+@@ -72,9 +72,20 @@ static void rose_loopback_timer(unsigned long param)
+ unsigned int lci_i, lci_o;
+
+ while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
++ if (skb->len < ROSE_MIN_LEN) {
++ kfree_skb(skb);
++ continue;
++ }
+ lci_i = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
+ frametype = skb->data[2];
+- dest = (rose_address *)(skb->data + 4);
++ if (frametype == ROSE_CALL_REQUEST &&
++ (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
++ skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
++ ROSE_CALL_REQ_ADDR_LEN_VAL)) {
++ kfree_skb(skb);
++ continue;
++ }
++ dest = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
+ lci_o = 0xFFF - lci_i;
+
+ skb_reset_transport_header(skb);
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+index 08230fa..1646b25 100644
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -852,7 +852,7 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ unsigned int lci, new_lci;
+ unsigned char cause, diagnostic;
+ struct net_device *dev;
+- int len, res = 0;
++ int res = 0;
+ char buf[11];
+
+ #if 0
+@@ -860,10 +860,17 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ return res;
+ #endif
+
++ if (skb->len < ROSE_MIN_LEN)
++ return res;
+ frametype = skb->data[2];
+ lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
+- src_addr = (rose_address *)(skb->data + 9);
+- dest_addr = (rose_address *)(skb->data + 4);
++ if (frametype == ROSE_CALL_REQUEST &&
++ (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
++ skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
++ ROSE_CALL_REQ_ADDR_LEN_VAL))
++ return res;
++ src_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_SRC_ADDR_OFF);
++ dest_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
+
+ spin_lock_bh(&rose_neigh_list_lock);
+ spin_lock_bh(&rose_route_list_lock);
+@@ -1001,12 +1008,11 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ goto out;
+ }
+
+- len = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
+- len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
+-
+ memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
+
+- if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {
++ if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
++ skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
++ &facilities)) {
+ rose_transmit_clear_request(rose_neigh, lci, ROSE_INVALID_FACILITY, 76);
+ goto out;
+ }
+diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
+index 07bca7d..32e5c9f 100644
+--- a/net/rose/rose_subr.c
++++ b/net/rose/rose_subr.c
+@@ -141,7 +141,7 @@ void rose_write_internal(struct sock *sk, int frametype)
+ *dptr++ = ROSE_GFI | lci1;
+ *dptr++ = lci2;
+ *dptr++ = frametype;
+- *dptr++ = 0xAA;
++ *dptr++ = ROSE_CALL_REQ_ADDR_LEN_VAL;
+ memcpy(dptr, &rose->dest_addr, ROSE_ADDR_LEN);
+ dptr += ROSE_ADDR_LEN;
+ memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);
+@@ -245,12 +245,16 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
+ do {
+ switch (*p & 0xC0) {
+ case 0x00:
++ if (len < 2)
++ return -1;
+ p += 2;
+ n += 2;
+ len -= 2;
+ break;
+
+ case 0x40:
++ if (len < 3)
++ return -1;
+ if (*p == FAC_NATIONAL_RAND)
+ facilities->rand = ((p[1] << 8) & 0xFF00) + ((p[2] << 0) & 0x00FF);
+ p += 3;
+@@ -259,32 +263,48 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
+ break;
+
+ case 0x80:
++ if (len < 4)
++ return -1;
+ p += 4;
+ n += 4;
+ len -= 4;
+ break;
+
+ case 0xC0:
++ if (len < 2)
++ return -1;
+ l = p[1];
++ if (len < 2 + l)
++ return -1;
+ if (*p == FAC_NATIONAL_DEST_DIGI) {
+ if (!fac_national_digis_received) {
++ if (l < AX25_ADDR_LEN)
++ return -1;
+ memcpy(&facilities->source_digis[0], p + 2, AX25_ADDR_LEN);
+ facilities->source_ndigis = 1;
+ }
+ }
+ else if (*p == FAC_NATIONAL_SRC_DIGI) {
+ if (!fac_national_digis_received) {
++ if (l < AX25_ADDR_LEN)
++ return -1;
+ memcpy(&facilities->dest_digis[0], p + 2, AX25_ADDR_LEN);
+ facilities->dest_ndigis = 1;
+ }
+ }
+ else if (*p == FAC_NATIONAL_FAIL_CALL) {
++ if (l < AX25_ADDR_LEN)
++ return -1;
+ memcpy(&facilities->fail_call, p + 2, AX25_ADDR_LEN);
+ }
+ else if (*p == FAC_NATIONAL_FAIL_ADD) {
++ if (l < 1 + ROSE_ADDR_LEN)
++ return -1;
+ memcpy(&facilities->fail_addr, p + 3, ROSE_ADDR_LEN);
+ }
+ else if (*p == FAC_NATIONAL_DIGIS) {
++ if (l % AX25_ADDR_LEN)
++ return -1;
+ fac_national_digis_received = 1;
+ facilities->source_ndigis = 0;
+ facilities->dest_ndigis = 0;
+@@ -318,24 +338,32 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
+ do {
+ switch (*p & 0xC0) {
+ case 0x00:
++ if (len < 2)
++ return -1;
+ p += 2;
+ n += 2;
+ len -= 2;
+ break;
+
+ case 0x40:
++ if (len < 3)
++ return -1;
+ p += 3;
+ n += 3;
+ len -= 3;
+ break;
+
+ case 0x80:
++ if (len < 4)
++ return -1;
+ p += 4;
+ n += 4;
+ len -= 4;
+ break;
+
+ case 0xC0:
++ if (len < 2)
++ return -1;
+ l = p[1];
+
+ /* Prevent overflows*/
+@@ -364,49 +392,44 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
+ return n;
+ }
+
+-int rose_parse_facilities(unsigned char *p,
++int rose_parse_facilities(unsigned char *p, unsigned packet_len,
+ struct rose_facilities_struct *facilities)
+ {
+ int facilities_len, len;
+
+ facilities_len = *p++;
+
+- if (facilities_len == 0)
++ if (facilities_len == 0 || (unsigned)facilities_len > packet_len)
+ return 0;
+
+- while (facilities_len > 0) {
+- if (*p == 0x00) {
+- facilities_len--;
+- p++;
+-
+- switch (*p) {
+- case FAC_NATIONAL: /* National */
+- len = rose_parse_national(p + 1, facilities, facilities_len - 1);
+- if (len < 0)
+- return 0;
+- facilities_len -= len + 1;
+- p += len + 1;
+- break;
+-
+- case FAC_CCITT: /* CCITT */
+- len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
+- if (len < 0)
+- return 0;
+- facilities_len -= len + 1;
+- p += len + 1;
+- break;
+-
+- default:
+- printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
+- facilities_len--;
+- p++;
+- break;
+- }
+- } else
+- break; /* Error in facilities format */
++ while (facilities_len >= 3 && *p == 0x00) {
++ facilities_len--;
++ p++;
++
++ switch (*p) {
++ case FAC_NATIONAL: /* National */
++ len = rose_parse_national(p + 1, facilities, facilities_len - 1);
++ break;
++
++ case FAC_CCITT: /* CCITT */
++ len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
++ break;
++
++ default:
++ printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
++ len = 1;
++ break;
++ }
++
++ if (len < 0)
++ return 0;
++ if (WARN_ON(len >= facilities_len))
++ return 0;
++ facilities_len -= len + 1;
++ p += len + 1;
+ }
+
+- return 1;
++ return facilities_len == 0;
+ }
+
+ static int rose_create_facilities(unsigned char *buffer, struct rose_sock *rose)
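Review bot: The new bound in rose_parse_facilities, `(unsigned)facilities_len > packet_len`, looks off by one: packet_len is `skb->len - ROSE_CALL_REQ_FACILITIES_OFF` at both call sites, which counts the length byte itself, while facilities_len is read from that byte and p is then advanced past it, leaving only packet_len - 1 bytes of actual facilities data. With facilities_len == packet_len the loop and the sub-parsers may touch one byte past the frame. Suggest `if (facilities_len == 0 || (unsigned)facilities_len >= packet_len)`. The added per-element checks in rose_parse_national and rose_parse_ccitt look consistent with the lengths they are handed; rose_parse_ccitt's 0xC0 case continues outside the hunk.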
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch (from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch Wed Jan 11 21:50:35 2012 (r18506, copy of r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch)
@@ -0,0 +1,61 @@
+From d4a97721ab45133e6e0d058fb711e0b55fe2e0db Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at debian.org>
+Date: Fri, 6 Jan 2012 14:35:32 -0700
+Subject: [PATCH 3/3] A logical volume can map to just part of underlying
+ physical volume. In this case, it must be treated like
+ a partition.
+
+Based on a patch from Alasdair G Kergon.
+
+Cc: Alasdair G Kergon <agk at redhat.com>
+Cc: Mike Snitzer <msnitzer at redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[dannf: backported to Debian's 2.6.32]
+---
+ drivers/md/dm-linear.c | 12 +++++++++++-
+ drivers/md/dm-mpath.c | 6 ++++++
+ 2 files changed, 17 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
+index 82f7d6e..7ab302d 100644
+--- a/drivers/md/dm-linear.c
++++ b/drivers/md/dm-linear.c
+@@ -116,7 +116,17 @@ static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
+ unsigned long arg)
+ {
+ struct linear_c *lc = (struct linear_c *) ti->private;
+- return __blkdev_driver_ioctl(lc->dev->bdev, lc->dev->mode, cmd, arg);
++ struct dm_dev *dev = lc->dev;
++ int r = 0;
++
++ /*
++ * Only pass ioctls through if the device sizes match exactly.
++ */
++ if (lc->start ||
++ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
++
++ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
+ }
+
+ static int linear_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
+diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
+index fcf717c..60d1f93 100644
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -1459,6 +1459,12 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
+
+ spin_unlock_irqrestore(&m->lock, flags);
+
++ /*
++ * Only pass ioctls through if the device sizes match exactly.
++ */
++ if (r == 0 && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
++
+ return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
+ }
+
+--
+1.7.8.2
+
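Review bot: The comment `Only pass ioctls through if the device sizes match exactly.` added in linear_ioctl() overstates what the code does: on a size or offset mismatch `r = scsi_verify_blk_ioctl(NULL, cmd)` returns 0 for permitted commands, and the `r ? : __blkdev_driver_ioctl(...)` expression then still forwards them, so a mismatched target gets the partition-style restriction set rather than a blanket refusal. Suggest `/* Only pass unrestricted ioctls through if the device sizes match exactly; otherwise apply the same restrictions as for a partition. */` here and in the identical block in multipath_ioctl() in dm-mpath.c. The GNU `r ? : expr` form is kernel-idiomatic but makes it easy to miss that a non-zero verification result is returned verbatim as the ioctl error, which is presumably the intended behaviour. `scsi_verify_blk_ioctl` and `SECTOR_SHIFT` are not introduced by this patch, so it presumably depends on the add-scsi_cmd_blk_ioctl-wrapper patch listed earlier in the series.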
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch (from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch Wed Jan 11 21:50:35 2012 (r18506, copy of r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch)
@@ -0,0 +1,65 @@
+commit b52a360b2aa1c59ba9970fb0f52bbb093fcc7a24
+Author: Carlos Maiolino <cmaiolino at redhat.com>
+Date: Mon Nov 7 16:10:24 2011 +0000
+
+ xfs: Fix possible memory corruption in xfs_readlink
+
+ Fixes a possible memory corruption when the link is larger than
+ MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the
+ S_ISLNK assert, since the inode mode is checked previously in
+ xfs_readlink_by_handle() and via VFS.
+
+ Updated to address concerns raised by Ben Hutchings about the loose
+ attention paid to 32- vs 64-bit values, and the lack of handling a
+ potentially negative pathlen value:
+ - Changed type of "pathlen" to be xfs_fsize_t, to match that of
+ ip->i_d.di_size
+ - Added checking for a negative pathlen to the too-long pathlen
+ test, and generalized the message that gets reported in that case
+ to reflect the change
+ As a result, if a negative pathlen were encountered, this function
+ would return EFSCORRUPTED (and would fail an assertion for a debug
+ build)--just as would a too-long pathlen.
+
+ Signed-off-by: Alex Elder <aelder at sgi.com>
+ Signed-off-by: Carlos Maiolino <cmaiolino at redhat.com>
+ Reviewed-by: Christoph Hellwig <hch at lst.de>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
+index 8f32f50..1638884 100644
+--- a/fs/xfs/xfs_vnodeops.c
++++ b/fs/xfs/xfs_vnodeops.c
+@@ -554,7 +554,7 @@ xfs_readlink(
+ char *link)
+ {
+ xfs_mount_t *mp = ip->i_mount;
+- int pathlen;
++ xfs_fsize_t pathlen;
+ int error = 0;
+
+ xfs_itrace_entry(ip);
+@@ -564,13 +564,20 @@ xfs_readlink(
+
+ xfs_ilock(ip, XFS_ILOCK_SHARED);
+
+- ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
+- ASSERT(ip->i_d.di_size <= MAXPATHLEN);
+-
+ pathlen = ip->i_d.di_size;
+ if (!pathlen)
+ goto out;
+
++ if (pathlen < 0 || pathlen > MAXPATHLEN) {
++ xfs_fs_cmn_err(CE_ALERT, mp,
++ "%s: inode (%llu) bad symlink length (%lld)",
++ __func__, (unsigned long long) ip->i_ino,
++ (long long) pathlen);
++ ASSERT(0);
++ return XFS_ERROR(EFSCORRUPTED);
++ }
++
++
+ if (ip->i_df.if_flags & XFS_IFINLINE) {
+ memcpy(link, ip->i_df.if_u1.if_data, pathlen);
+ link[pathlen] = '\0';
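Review bot: The new `return XFS_ERROR(EFSCORRUPTED);` in xfs_readlink() runs after `xfs_ilock(ip, XFS_ILOCK_SHARED)` has been taken and bypasses the `out:` label that the zero-length case reaches via `goto out`, so the shared inode lock appears to be leaked on the bad-length path (the `out:` cleanup is outside the hunk, so confirm it performs the unlock). The function already has an `error` variable for this purpose; replace the return with `error = XFS_ERROR(EFSCORRUPTED);` followed by `goto out;`. The bound check also implies the caller's `link` buffer must hold MAXPATHLEN + 1 bytes, since `link[pathlen] = '\0'` is stored after a pathlen of exactly MAXPATHLEN passes the check; that precondition is worth a one-line comment on the function. The double blank line left after the new block is a minor style nit. xfs_readlink()'s body continues outside the hunk.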
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch (from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch Wed Jan 11 21:50:35 2012 (r18506, copy of r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch)
@@ -0,0 +1,64 @@
+commit 0924ab2cfa98b1ece26c033d696651fd62896c69
+Author: Jan Kiszka <jan.kiszka at siemens.com>
+Date: Wed Dec 14 19:25:13 2011 +0100
+
+ KVM: x86: Prevent starting PIT timers in the absence of irqchip support
+
+ User space may create the PIT and forgets about setting up the irqchips.
+ In that case, firing PIT IRQs will crash the host:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000128
+ IP: [<ffffffffa10f6280>] kvm_set_irq+0x30/0x170 [kvm]
+ ...
+ Call Trace:
+ [<ffffffffa11228c1>] pit_do_work+0x51/0xd0 [kvm]
+ [<ffffffff81071431>] process_one_work+0x111/0x4d0
+ [<ffffffff81071bb2>] worker_thread+0x152/0x340
+ [<ffffffff81075c8e>] kthread+0x7e/0x90
+ [<ffffffff815a4474>] kernel_thread_helper+0x4/0x10
+
+ Prevent this by checking the irqchip mode before starting a timer. We
+ can't deny creating the PIT if the irqchips aren't set up yet as
+ current user land expects this order to work.
+
+ Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index 88ad162..7e361b4 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -277,11 +277,15 @@ static struct kvm_timer_ops kpit_ops = {
+ .is_periodic = kpit_is_periodic,
+ };
+
+-static void create_pit_timer(struct kvm_kpit_state *ps, u32 val, int is_period)
++static void create_pit_timer(struct kvm *kvm, u32 val, int is_period)
+ {
++ struct kvm_kpit_state *ps = &kvm->arch.vpit->pit_state;
+ struct kvm_timer *pt = &ps->pit_timer;
+ s64 interval;
+
++ if (!irqchip_in_kernel(kvm))
++ return;
++
+ interval = muldiv64(val, NSEC_PER_SEC, KVM_PIT_FREQ);
+
+ pr_debug("pit: create pit timer, interval is %llu nsec\n", interval);
+@@ -333,13 +337,13 @@ static void pit_load_count(struct kvm *kvm, int channel, u32 val)
+ /* FIXME: enhance mode 4 precision */
+ case 4:
+ if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)) {
+- create_pit_timer(ps, val, 0);
++ create_pit_timer(kvm, val, 0);
+ }
+ break;
+ case 2:
+ case 3:
+ if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)){
+- create_pit_timer(ps, val, 1);
++ create_pit_timer(kvm, val, 1);
+ }
+ break;
+ default:
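Review bot: The early `if (!irqchip_in_kernel(kvm)) return;` in create_pit_timer() has no comment, and the reason is only in the commit log (the PIT work handler would call kvm_set_irq() with no irqchip); suggest `/* Without an in-kernel irqchip the PIT work handler has nowhere to deliver its IRQ (kvm_set_irq() would oops on a NULL pointer); keep the counter loaded but do not start a timer. */` above it. The new `ps = &kvm->arch.vpit->pit_state` line dereferences `kvm->arch.vpit`, so the function now implicitly requires the PIT to be allocated before pit_load_count() runs; presumably the old `ps` argument came from the same structure, but the precondition is worth stating next to the derivation. Because the count is still stored when the timer is skipped, an irqchip created later does not retroactively start a periodic timer; the log says this ordering is tolerated, but a short note at the call sites in pit_load_count() would make the intended behaviour explicit.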
Copied: dists/squeeze/linux-2.6/debian/patches/series/39squeeze1 (from r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/series/39squeeze1)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/series/39squeeze1 Wed Jan 11 21:50:35 2012 (r18506, copy of r18505, releases/linux-2.6/2.6.32-39squeeze1/debian/patches/series/39squeeze1)
@@ -0,0 +1,8 @@
++ bugfix/all/add-scsi_cmd_blk_ioctl-wrapper.patch
++ bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices.patch
++ bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch
++ bugfix/all/revert-ub_bd_ioctl-removal.patch
++ bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
++ bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch
++ bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
++ bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch