[kernel] r19391 - in dists/squeeze/linux-2.6: . debian debian/patches/bugfix/all debian/patches/features/all/openvz debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Sep 22 19:11:00 UTC 2012
Author: dannf
Date: Sat Sep 22 19:10:58 2012
New Revision: 19391
Log:
merge squeeze-security
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/dl2k-Clean-up-rio_ioctl.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dl2k-Clean-up-rio_ioctl.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/dl2k-use-standard-defines-from-mii.h.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dl2k-use-standard-defines-from-mii.h.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/udf-Fortify-loading-of-sparing-table.patch
- copied unchanged from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-Fortify-loading-of-sparing-table.patch
dists/squeeze/linux-2.6/debian/patches/series/46-extra
- copied, changed from r19390, dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1-extra
Deleted:
dists/squeeze/linux-2.6/debian/patches/series/44-extra
Modified:
dists/squeeze/linux-2.6/ (props changed)
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/squeeze/linux-2.6/debian/patches/series/46
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Sat Sep 22 15:24:51 2012 (r19390)
+++ dists/squeeze/linux-2.6/debian/changelog Sat Sep 22 19:10:58 2012 (r19391)
@@ -23,6 +23,10 @@
- drm: mm: fix range restricted allocations (regression in 2.6.32-36)
- drm/i915: no lvds quirk for AOpen MP45
* [armel/kirkwood] ahci: Add JMicron 362 device IDs (Closes: #634180)
+ * tcp: Don't change unlocked socket state in tcp_v4_err(). (Closes: #685087)
+ * locks: fix checking of fcntl_setlease argument
+ * sfc: Fix maximum number of TSO segments and minimum TX queue size
+ (CVE-2012-3412)
[ Jonathan Nieder ]
* ath5k: initialize default noise floor
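Review bot: The "locks: fix checking of fcntl_setlease argument" entry is the only one of the three added lines that carries no bug number or CVE, so a reader of the changelog cannot tell why it is in a security merge. The patch description added in this revision says illegal values of the long argument are let through because the checks run after conversion to int. A short parenthetical to that effect on the changelog line would make the entry self-explanatory.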
@@ -33,6 +37,15 @@
[ dann frazier ]
* Avoid leap second deadlock and early hrtimer/futex expiration issue
(Closes: #679882)
+ * net: sock: validate data_len before allocating skb in
+ sock_alloc_send_pskb() (CVE-2012-2136)
+ * dl2k: Clean up rio_ioctl, add missing CAP_NET_ADMIN checks (CVE-2012-2313)
+ * hfsplus: Fix potential buffer overflows (CVE-2012-2319)
+ * hugetlb: fix resv_map leak in error path (CVE-2012-2390)
+ * mm: fix vma_resv_map() NULL pointer (CVE-2012-2390)
+ * cred: copy_process() should clear child->replacement_session_keyring
+ (CVE-2012-2745)
+ * udf: Fix buffer overflow when parsing sparing table (CVE-2012-3400)
-- Bastian Blank <waldi at debian.org> Mon, 07 May 2012 19:18:05 +0200
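Review bot: The added block does not map one-to-one onto the patch files this revision adds. The last entry reads "udf: Fix buffer overflow when parsing sparing table (CVE-2012-3400)", but the two udf files added are udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch and udf-Fortify-loading-of-sparing-table.patch, and neither subject appears here. dl2k-use-standard-defines-from-mii.h.patch has no entry at all, although the index lines show the rio_ioctl cleanup (731ee85..c2f9313) applies on top of it (7fa7a90..731ee85). Listing each patch under its own subject, with the mii.h one marked as a prerequisite for the CVE-2012-2313 fix, would let someone auditing the CVE coverage match changelog lines to files.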
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch)
@@ -0,0 +1,36 @@
+commit 79549c6dfda0603dba9a70a53467ce62d9335c33
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Apr 9 21:03:50 2012 +0200
+
+ cred: copy_process() should clear child->replacement_session_keyring
+
+ keyctl_session_to_parent(task) sets ->replacement_session_keyring,
+ it should be processed and cleared by key_replace_session_keyring().
+
+ However, this task can fork before it notices TIF_NOTIFY_RESUME and
+ the new child gets the bogus ->replacement_session_keyring copied by
+ dup_task_struct(). This is obviously wrong and, if nothing else, this
+ leads to put_cred(already_freed_cred).
+
+ change copy_creds() to clear this member. If copy_process() fails
+ before this point the wrong ->replacement_session_keyring doesn't
+ matter, exit_creds() won't be called.
+
+ Cc: <stable at vger.kernel.org>
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Acked-by: David Howells <dhowells at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+[bwh: Backported to 2.6.32: adjust context]
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -441,6 +441,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
+ struct cred *new;
+ int ret;
+
++ p->replacement_session_keyring = NULL;
++
+ mutex_init(&p->cred_guard_mutex);
+
+ if (
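Review bot: The new assignment `p->replacement_session_keyring = NULL;` at the top of copy_creds() has no comment, and read on its own it looks like a redundant initialisation that a later cleanup could drop. A one-line comment stating that dup_task_struct() copied the parent's pending pointer and the child must not inherit it would record the reason in the code. The placement itself, directly after the declarations and before mutex_init(), is consistent with the commit message's argument that an earlier copy_process() failure never reaches exit_creds().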
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/dl2k-Clean-up-rio_ioctl.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dl2k-Clean-up-rio_ioctl.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/dl2k-Clean-up-rio_ioctl.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dl2k-Clean-up-rio_ioctl.patch)
@@ -0,0 +1,115 @@
+commit 1bb57e940e1958e40d51f2078f50c3a96a9b2d75
+Author: Jeff Mahoney <jeffm at suse.com>
+Date: Wed Apr 25 14:32:09 2012 +0000
+
+ dl2k: Clean up rio_ioctl
+
+ The dl2k driver's rio_ioctl call has a few issues:
+ - No permissions checking
+ - Implements SIOCGMIIREG and SIOCGMIIREG using the SIOCDEVPRIVATE numbers
+ - Has a few ioctls that may have been used for debugging at one point
+ but have no place in the kernel proper.
+
+ This patch removes all but the MII ioctls, renumbers them to use the
+ standard ones, and adds the proper permission check for SIOCSMIIREG.
+
+ We can also get rid of the dl2k-specific struct mii_data in favor of
+ the generic struct mii_ioctl_data.
+
+ Since we have the phyid on hand, we can add the SIOCGMIIPHY ioctl too.
+
+ Most of the MII code for the driver could probably be converted to use
+ the generic MII library but I don't have a device to test the results.
+
+ Reported-by: Stephan Mueller <stephan.mueller at atsec.com>
+ Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/drivers/net/dl2k.c b/drivers/net/dl2k.c
+index 731ee85..c2f9313 100644
+--- a/drivers/net/dl2k.c
++++ b/drivers/net/dl2k.c
+@@ -1279,55 +1279,21 @@ rio_ioctl (struct net_device *dev, struct ifreq *rq, int cmd)
+ {
+ int phy_addr;
+ struct netdev_private *np = netdev_priv(dev);
+- struct mii_data *miidata = (struct mii_data *) &rq->ifr_ifru;
+-
+- struct netdev_desc *desc;
+- int i;
++ struct mii_ioctl_data *miidata = if_mii(rq);
+
+ phy_addr = np->phy_addr;
+ switch (cmd) {
+- case SIOCDEVPRIVATE:
+- break;
+-
+- case SIOCDEVPRIVATE + 1:
+- miidata->out_value = mii_read (dev, phy_addr, miidata->reg_num);
++ case SIOCGMIIPHY:
++ miidata->phy_id = phy_addr;
+ break;
+- case SIOCDEVPRIVATE + 2:
+- mii_write (dev, phy_addr, miidata->reg_num, miidata->in_value);
++ case SIOCGMIIREG:
++ miidata->val_out = mii_read (dev, phy_addr, miidata->reg_num);
+ break;
+- case SIOCDEVPRIVATE + 3:
+- break;
+- case SIOCDEVPRIVATE + 4:
+- break;
+- case SIOCDEVPRIVATE + 5:
+- netif_stop_queue (dev);
++ case SIOCSMIIREG:
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++ mii_write (dev, phy_addr, miidata->reg_num, miidata->val_in);
+ break;
+- case SIOCDEVPRIVATE + 6:
+- netif_wake_queue (dev);
+- break;
+- case SIOCDEVPRIVATE + 7:
+- printk
+- ("tx_full=%x cur_tx=%lx old_tx=%lx cur_rx=%lx old_rx=%lx\n",
+- netif_queue_stopped(dev), np->cur_tx, np->old_tx, np->cur_rx,
+- np->old_rx);
+- break;
+- case SIOCDEVPRIVATE + 8:
+- printk("TX ring:\n");
+- for (i = 0; i < TX_RING_SIZE; i++) {
+- desc = &np->tx_ring[i];
+- printk
+- ("%02x:cur:%08x next:%08x status:%08x frag1:%08x frag0:%08x",
+- i,
+- (u32) (np->tx_ring_dma + i * sizeof (*desc)),
+- (u32)le64_to_cpu(desc->next_desc),
+- (u32)le64_to_cpu(desc->status),
+- (u32)(le64_to_cpu(desc->fraginfo) >> 32),
+- (u32)le64_to_cpu(desc->fraginfo));
+- printk ("\n");
+- }
+- printk ("\n");
+- break;
+-
+ default:
+ return -EOPNOTSUPP;
+ }
+diff --git a/drivers/net/dl2k.h b/drivers/net/dl2k.h
+index 73e1457..cde8ecd 100644
+--- a/drivers/net/dl2k.h
++++ b/drivers/net/dl2k.h
+@@ -365,13 +365,6 @@ struct ioctl_data {
+ char *data;
+ };
+
+-struct mii_data {
+- __u16 reserved;
+- __u16 reg_num;
+- __u16 in_value;
+- __u16 out_value;
+-};
+-
+ /* The Rx and Tx buffer descriptors. */
+ struct netdev_desc {
+ __le64 next_desc;
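Review bot: In the SIOCGMIIREG and SIOCSMIIREG cases of rio_ioctl(), `miidata->reg_num` comes straight from the caller's ifreq and is passed to mii_read() and mii_write() without a range check. MII register addresses are 5 bits wide, so masking with 0x1f or returning -EINVAL for larger values would keep an out-of-range number from reaching the MDIO framing code. The capable(CAP_NET_ADMIN) test now guards the write path only, which fits the commit message, but note that both register cases use np->phy_addr and ignore the phy_id field in the request, so a caller that sets phy_id gets no error. Separately, the dl2k.h hunk keeps `struct ioctl_data` as context just above the removed `struct mii_data`; with the private ioctls gone it is worth checking whether that struct still has a user.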
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/dl2k-use-standard-defines-from-mii.h.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dl2k-use-standard-defines-from-mii.h.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/dl2k-use-standard-defines-from-mii.h.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dl2k-use-standard-defines-from-mii.h.patch)
@@ -0,0 +1,393 @@
+commit 78f6a6bd89e9a33e4be1bc61e6990a1172aa396e
+Author: Francois Romieu <romieu at fr.zoreil.com>
+Date: Sun Aug 21 18:32:05 2011 +0200
+
+ dl2k: use standard #defines from mii.h.
+
+ Signed-off-by: Francois Romieu <romieu at fr.zoreil.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/drivers/net/dl2k.c b/drivers/net/dl2k.c
+index 7fa7a90..731ee85 100644
+--- a/drivers/net/dl2k.c
++++ b/drivers/net/dl2k.c
+@@ -1448,7 +1448,7 @@ mii_wait_link (struct net_device *dev, int wait)
+
+ do {
+ bmsr = mii_read (dev, phy_addr, MII_BMSR);
+- if (bmsr & MII_BMSR_LINK_STATUS)
++ if (bmsr & BMSR_LSTATUS)
+ return 0;
+ mdelay (1);
+ } while (--wait > 0);
+@@ -1469,60 +1469,60 @@ mii_get_media (struct net_device *dev)
+
+ bmsr = mii_read (dev, phy_addr, MII_BMSR);
+ if (np->an_enable) {
+- if (!(bmsr & MII_BMSR_AN_COMPLETE)) {
++ if (!(bmsr & BMSR_ANEGCOMPLETE)) {
+ /* Auto-Negotiation not completed */
+ return -1;
+ }
+- negotiate = mii_read (dev, phy_addr, MII_ANAR) &
+- mii_read (dev, phy_addr, MII_ANLPAR);
+- mscr = mii_read (dev, phy_addr, MII_MSCR);
+- mssr = mii_read (dev, phy_addr, MII_MSSR);
+- if (mscr & MII_MSCR_1000BT_FD && mssr & MII_MSSR_LP_1000BT_FD) {
++ negotiate = mii_read (dev, phy_addr, MII_ADVERTISE) &
++ mii_read (dev, phy_addr, MII_LPA);
++ mscr = mii_read (dev, phy_addr, MII_CTRL1000);
++ mssr = mii_read (dev, phy_addr, MII_STAT1000);
++ if (mscr & ADVERTISE_1000FULL && mssr & LPA_1000FULL) {
+ np->speed = 1000;
+ np->full_duplex = 1;
+ printk (KERN_INFO "Auto 1000 Mbps, Full duplex\n");
+- } else if (mscr & MII_MSCR_1000BT_HD && mssr & MII_MSSR_LP_1000BT_HD) {
++ } else if (mscr & ADVERTISE_1000HALF && mssr & LPA_1000HALF) {
+ np->speed = 1000;
+ np->full_duplex = 0;
+ printk (KERN_INFO "Auto 1000 Mbps, Half duplex\n");
+- } else if (negotiate & MII_ANAR_100BX_FD) {
++ } else if (negotiate & ADVERTISE_100FULL) {
+ np->speed = 100;
+ np->full_duplex = 1;
+ printk (KERN_INFO "Auto 100 Mbps, Full duplex\n");
+- } else if (negotiate & MII_ANAR_100BX_HD) {
++ } else if (negotiate & ADVERTISE_100HALF) {
+ np->speed = 100;
+ np->full_duplex = 0;
+ printk (KERN_INFO "Auto 100 Mbps, Half duplex\n");
+- } else if (negotiate & MII_ANAR_10BT_FD) {
++ } else if (negotiate & ADVERTISE_10FULL) {
+ np->speed = 10;
+ np->full_duplex = 1;
+ printk (KERN_INFO "Auto 10 Mbps, Full duplex\n");
+- } else if (negotiate & MII_ANAR_10BT_HD) {
++ } else if (negotiate & ADVERTISE_10HALF) {
+ np->speed = 10;
+ np->full_duplex = 0;
+ printk (KERN_INFO "Auto 10 Mbps, Half duplex\n");
+ }
+- if (negotiate & MII_ANAR_PAUSE) {
++ if (negotiate & ADVERTISE_PAUSE_CAP) {
+ np->tx_flow &= 1;
+ np->rx_flow &= 1;
+- } else if (negotiate & MII_ANAR_ASYMMETRIC) {
++ } else if (negotiate & ADVERTISE_PAUSE_ASYM) {
+ np->tx_flow = 0;
+ np->rx_flow &= 1;
+ }
+ /* else tx_flow, rx_flow = user select */
+ } else {
+ __u16 bmcr = mii_read (dev, phy_addr, MII_BMCR);
+- switch (bmcr & (MII_BMCR_SPEED_100 | MII_BMCR_SPEED_1000)) {
+- case MII_BMCR_SPEED_1000:
++ switch (bmcr & (BMCR_SPEED100 | BMCR_SPEED1000)) {
++ case BMCR_SPEED1000:
+ printk (KERN_INFO "Operating at 1000 Mbps, ");
+ break;
+- case MII_BMCR_SPEED_100:
++ case BMCR_SPEED100:
+ printk (KERN_INFO "Operating at 100 Mbps, ");
+ break;
+ case 0:
+ printk (KERN_INFO "Operating at 10 Mbps, ");
+ }
+- if (bmcr & MII_BMCR_DUPLEX_MODE) {
++ if (bmcr & BMCR_FULLDPLX) {
+ printk (KERN_CONT "Full duplex\n");
+ } else {
+ printk (KERN_CONT "Half duplex\n");
+@@ -1556,24 +1556,22 @@ mii_set_media (struct net_device *dev)
+ if (np->an_enable) {
+ /* Advertise capabilities */
+ bmsr = mii_read (dev, phy_addr, MII_BMSR);
+- anar = mii_read (dev, phy_addr, MII_ANAR) &
+- ~MII_ANAR_100BX_FD &
+- ~MII_ANAR_100BX_HD &
+- ~MII_ANAR_100BT4 &
+- ~MII_ANAR_10BT_FD &
+- ~MII_ANAR_10BT_HD;
+- if (bmsr & MII_BMSR_100BX_FD)
+- anar |= MII_ANAR_100BX_FD;
+- if (bmsr & MII_BMSR_100BX_HD)
+- anar |= MII_ANAR_100BX_HD;
+- if (bmsr & MII_BMSR_100BT4)
+- anar |= MII_ANAR_100BT4;
+- if (bmsr & MII_BMSR_10BT_FD)
+- anar |= MII_ANAR_10BT_FD;
+- if (bmsr & MII_BMSR_10BT_HD)
+- anar |= MII_ANAR_10BT_HD;
+- anar |= MII_ANAR_PAUSE | MII_ANAR_ASYMMETRIC;
+- mii_write (dev, phy_addr, MII_ANAR, anar);
++ anar = mii_read (dev, phy_addr, MII_ADVERTISE) &
++ ~(ADVERTISE_100FULL | ADVERTISE_10FULL |
++ ADVERTISE_100HALF | ADVERTISE_10HALF |
++ ADVERTISE_100BASE4);
++ if (bmsr & BMSR_100FULL)
++ anar |= ADVERTISE_100FULL;
++ if (bmsr & BMSR_100HALF)
++ anar |= ADVERTISE_100HALF;
++ if (bmsr & BMSR_100BASE4)
++ anar |= ADVERTISE_100BASE4;
++ if (bmsr & BMSR_10FULL)
++ anar |= ADVERTISE_10FULL;
++ if (bmsr & BMSR_10HALF)
++ anar |= ADVERTISE_10HALF;
++ anar |= ADVERTISE_PAUSE_CAP | ADVERTISE_PAUSE_ASYM;
++ mii_write (dev, phy_addr, MII_ADVERTISE, anar);
+
+ /* Enable Auto crossover */
+ pscr = mii_read (dev, phy_addr, MII_PHY_SCR);
+@@ -1581,8 +1579,8 @@ mii_set_media (struct net_device *dev)
+ mii_write (dev, phy_addr, MII_PHY_SCR, pscr);
+
+ /* Soft reset PHY */
+- mii_write (dev, phy_addr, MII_BMCR, MII_BMCR_RESET);
+- bmcr = MII_BMCR_AN_ENABLE | MII_BMCR_RESTART_AN | MII_BMCR_RESET;
++ mii_write (dev, phy_addr, MII_BMCR, BMCR_RESET);
++ bmcr = BMCR_ANENABLE | BMCR_ANRESTART | BMCR_RESET;
+ mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ mdelay(1);
+ } else {
+@@ -1594,7 +1592,7 @@ mii_set_media (struct net_device *dev)
+
+ /* 2) PHY Reset */
+ bmcr = mii_read (dev, phy_addr, MII_BMCR);
+- bmcr |= MII_BMCR_RESET;
++ bmcr |= BMCR_RESET;
+ mii_write (dev, phy_addr, MII_BMCR, bmcr);
+
+ /* 3) Power Down */
+@@ -1603,25 +1601,25 @@ mii_set_media (struct net_device *dev)
+ mdelay (100); /* wait a certain time */
+
+ /* 4) Advertise nothing */
+- mii_write (dev, phy_addr, MII_ANAR, 0);
++ mii_write (dev, phy_addr, MII_ADVERTISE, 0);
+
+ /* 5) Set media and Power Up */
+- bmcr = MII_BMCR_POWER_DOWN;
++ bmcr = BMCR_PDOWN;
+ if (np->speed == 100) {
+- bmcr |= MII_BMCR_SPEED_100;
++ bmcr |= BMCR_SPEED100;
+ printk (KERN_INFO "Manual 100 Mbps, ");
+ } else if (np->speed == 10) {
+ printk (KERN_INFO "Manual 10 Mbps, ");
+ }
+ if (np->full_duplex) {
+- bmcr |= MII_BMCR_DUPLEX_MODE;
++ bmcr |= BMCR_FULLDPLX;
+ printk (KERN_CONT "Full duplex\n");
+ } else {
+ printk (KERN_CONT "Half duplex\n");
+ }
+ #if 0
+ /* Set 1000BaseT Master/Slave setting */
+- mscr = mii_read (dev, phy_addr, MII_MSCR);
++ mscr = mii_read (dev, phy_addr, MII_CTRL1000);
+ mscr |= MII_MSCR_CFG_ENABLE;
+ mscr &= ~MII_MSCR_CFG_VALUE = 0;
+ #endif
+@@ -1644,7 +1642,7 @@ mii_get_media_pcs (struct net_device *dev)
+
+ bmsr = mii_read (dev, phy_addr, PCS_BMSR);
+ if (np->an_enable) {
+- if (!(bmsr & MII_BMSR_AN_COMPLETE)) {
++ if (!(bmsr & BMSR_ANEGCOMPLETE)) {
+ /* Auto-Negotiation not completed */
+ return -1;
+ }
+@@ -1669,7 +1667,7 @@ mii_get_media_pcs (struct net_device *dev)
+ } else {
+ __u16 bmcr = mii_read (dev, phy_addr, PCS_BMCR);
+ printk (KERN_INFO "Operating at 1000 Mbps, ");
+- if (bmcr & MII_BMCR_DUPLEX_MODE) {
++ if (bmcr & BMCR_FULLDPLX) {
+ printk (KERN_CONT "Full duplex\n");
+ } else {
+ printk (KERN_CONT "Half duplex\n");
+@@ -1702,7 +1700,7 @@ mii_set_media_pcs (struct net_device *dev)
+ if (np->an_enable) {
+ /* Advertise capabilities */
+ esr = mii_read (dev, phy_addr, PCS_ESR);
+- anar = mii_read (dev, phy_addr, MII_ANAR) &
++ anar = mii_read (dev, phy_addr, MII_ADVERTISE) &
+ ~PCS_ANAR_HALF_DUPLEX &
+ ~PCS_ANAR_FULL_DUPLEX;
+ if (esr & (MII_ESR_1000BT_HD | MII_ESR_1000BX_HD))
+@@ -1710,22 +1708,21 @@ mii_set_media_pcs (struct net_device *dev)
+ if (esr & (MII_ESR_1000BT_FD | MII_ESR_1000BX_FD))
+ anar |= PCS_ANAR_FULL_DUPLEX;
+ anar |= PCS_ANAR_PAUSE | PCS_ANAR_ASYMMETRIC;
+- mii_write (dev, phy_addr, MII_ANAR, anar);
++ mii_write (dev, phy_addr, MII_ADVERTISE, anar);
+
+ /* Soft reset PHY */
+- mii_write (dev, phy_addr, MII_BMCR, MII_BMCR_RESET);
+- bmcr = MII_BMCR_AN_ENABLE | MII_BMCR_RESTART_AN |
+- MII_BMCR_RESET;
++ mii_write (dev, phy_addr, MII_BMCR, BMCR_RESET);
++ bmcr = BMCR_ANENABLE | BMCR_ANRESTART | BMCR_RESET;
+ mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ mdelay(1);
+ } else {
+ /* Force speed setting */
+ /* PHY Reset */
+- bmcr = MII_BMCR_RESET;
++ bmcr = BMCR_RESET;
+ mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ mdelay(10);
+ if (np->full_duplex) {
+- bmcr = MII_BMCR_DUPLEX_MODE;
++ bmcr = BMCR_FULLDPLX;
+ printk (KERN_INFO "Manual full duplex\n");
+ } else {
+ bmcr = 0;
+@@ -1735,7 +1732,7 @@ mii_set_media_pcs (struct net_device *dev)
+ mdelay(10);
+
+ /* Advertise nothing */
+- mii_write (dev, phy_addr, MII_ANAR, 0);
++ mii_write (dev, phy_addr, MII_ADVERTISE, 0);
+ }
+ return 0;
+ }
+diff --git a/drivers/net/dl2k.h b/drivers/net/dl2k.h
+index 266ec87..73e1457 100644
+--- a/drivers/net/dl2k.h
++++ b/drivers/net/dl2k.h
+@@ -28,6 +28,7 @@
+ #include <linux/init.h>
+ #include <linux/crc32.h>
+ #include <linux/ethtool.h>
++#include <linux/mii.h>
+ #include <linux/bitops.h>
+ #include <asm/processor.h> /* Processor type for cache alignment. */
+ #include <asm/io.h>
+@@ -271,20 +272,9 @@ enum RFS_bits {
+ #define MII_RESET_TIME_OUT 10000
+ /* MII register */
+ enum _mii_reg {
+- MII_BMCR = 0,
+- MII_BMSR = 1,
+- MII_PHY_ID1 = 2,
+- MII_PHY_ID2 = 3,
+- MII_ANAR = 4,
+- MII_ANLPAR = 5,
+- MII_ANER = 6,
+- MII_ANNPT = 7,
+- MII_ANLPRNP = 8,
+- MII_MSCR = 9,
+- MII_MSSR = 10,
+- MII_ESR = 15,
+ MII_PHY_SCR = 16,
+ };
++
+ /* PCS register */
+ enum _pcs_reg {
+ PCS_BMCR = 0,
+@@ -297,102 +287,6 @@ enum _pcs_reg {
+ PCS_ESR = 15,
+ };
+
+-/* Basic Mode Control Register */
+-enum _mii_bmcr {
+- MII_BMCR_RESET = 0x8000,
+- MII_BMCR_LOOP_BACK = 0x4000,
+- MII_BMCR_SPEED_LSB = 0x2000,
+- MII_BMCR_AN_ENABLE = 0x1000,
+- MII_BMCR_POWER_DOWN = 0x0800,
+- MII_BMCR_ISOLATE = 0x0400,
+- MII_BMCR_RESTART_AN = 0x0200,
+- MII_BMCR_DUPLEX_MODE = 0x0100,
+- MII_BMCR_COL_TEST = 0x0080,
+- MII_BMCR_SPEED_MSB = 0x0040,
+- MII_BMCR_SPEED_RESERVED = 0x003f,
+- MII_BMCR_SPEED_10 = 0,
+- MII_BMCR_SPEED_100 = MII_BMCR_SPEED_LSB,
+- MII_BMCR_SPEED_1000 = MII_BMCR_SPEED_MSB,
+-};
+-
+-/* Basic Mode Status Register */
+-enum _mii_bmsr {
+- MII_BMSR_100BT4 = 0x8000,
+- MII_BMSR_100BX_FD = 0x4000,
+- MII_BMSR_100BX_HD = 0x2000,
+- MII_BMSR_10BT_FD = 0x1000,
+- MII_BMSR_10BT_HD = 0x0800,
+- MII_BMSR_100BT2_FD = 0x0400,
+- MII_BMSR_100BT2_HD = 0x0200,
+- MII_BMSR_EXT_STATUS = 0x0100,
+- MII_BMSR_PREAMBLE_SUPP = 0x0040,
+- MII_BMSR_AN_COMPLETE = 0x0020,
+- MII_BMSR_REMOTE_FAULT = 0x0010,
+- MII_BMSR_AN_ABILITY = 0x0008,
+- MII_BMSR_LINK_STATUS = 0x0004,
+- MII_BMSR_JABBER_DETECT = 0x0002,
+- MII_BMSR_EXT_CAP = 0x0001,
+-};
+-
+-/* ANAR */
+-enum _mii_anar {
+- MII_ANAR_NEXT_PAGE = 0x8000,
+- MII_ANAR_REMOTE_FAULT = 0x4000,
+- MII_ANAR_ASYMMETRIC = 0x0800,
+- MII_ANAR_PAUSE = 0x0400,
+- MII_ANAR_100BT4 = 0x0200,
+- MII_ANAR_100BX_FD = 0x0100,
+- MII_ANAR_100BX_HD = 0x0080,
+- MII_ANAR_10BT_FD = 0x0020,
+- MII_ANAR_10BT_HD = 0x0010,
+- MII_ANAR_SELECTOR = 0x001f,
+- MII_IEEE8023_CSMACD = 0x0001,
+-};
+-
+-/* ANLPAR */
+-enum _mii_anlpar {
+- MII_ANLPAR_NEXT_PAGE = MII_ANAR_NEXT_PAGE,
+- MII_ANLPAR_REMOTE_FAULT = MII_ANAR_REMOTE_FAULT,
+- MII_ANLPAR_ASYMMETRIC = MII_ANAR_ASYMMETRIC,
+- MII_ANLPAR_PAUSE = MII_ANAR_PAUSE,
+- MII_ANLPAR_100BT4 = MII_ANAR_100BT4,
+- MII_ANLPAR_100BX_FD = MII_ANAR_100BX_FD,
+- MII_ANLPAR_100BX_HD = MII_ANAR_100BX_HD,
+- MII_ANLPAR_10BT_FD = MII_ANAR_10BT_FD,
+- MII_ANLPAR_10BT_HD = MII_ANAR_10BT_HD,
+- MII_ANLPAR_SELECTOR = MII_ANAR_SELECTOR,
+-};
+-
+-/* Auto-Negotiation Expansion Register */
+-enum _mii_aner {
+- MII_ANER_PAR_DETECT_FAULT = 0x0010,
+- MII_ANER_LP_NEXTPAGABLE = 0x0008,
+- MII_ANER_NETXTPAGABLE = 0x0004,
+- MII_ANER_PAGE_RECEIVED = 0x0002,
+- MII_ANER_LP_NEGOTIABLE = 0x0001,
+-};
+-
+-/* MASTER-SLAVE Control Register */
+-enum _mii_mscr {
+- MII_MSCR_TEST_MODE = 0xe000,
+- MII_MSCR_CFG_ENABLE = 0x1000,
+- MII_MSCR_CFG_VALUE = 0x0800,
+- MII_MSCR_PORT_VALUE = 0x0400,
+- MII_MSCR_1000BT_FD = 0x0200,
+- MII_MSCR_1000BT_HD = 0X0100,
+-};
+-
+-/* MASTER-SLAVE Status Register */
+-enum _mii_mssr {
+- MII_MSSR_CFG_FAULT = 0x8000,
+- MII_MSSR_CFG_RES = 0x4000,
+- MII_MSSR_LOCAL_RCV_STATUS = 0x2000,
+- MII_MSSR_REMOTE_RCVR = 0x1000,
+- MII_MSSR_LP_1000BT_FD = 0x0800,
+- MII_MSSR_LP_1000BT_HD = 0x0400,
+- MII_MSSR_IDLE_ERR_COUNT = 0x00ff,
+-};
+-
+ /* IEEE Extened Status Register */
+ enum _mii_esr {
+ MII_ESR_1000BX_FD = 0x8000,
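Review bot: The `#if 0` block in mii_set_media() still uses `MII_MSCR_CFG_ENABLE` and `MII_MSCR_CFG_VALUE` after this patch, while the dl2k.h hunk deletes `enum _mii_mscr`, which defined them. Only the mii_read() line in that block was converted to MII_CTRL1000, so the dead code now references identifiers that no longer exist (and `mscr &= ~MII_MSCR_CFG_VALUE = 0;` was never valid C). Since the block cannot be enabled as it stands, removing it in the same change is cleaner than leaving a half-converted fragment. The rest of the conversion is mechanical; the removed enum values shown in the header hunk are the only evidence on the page for the old bit positions, so the equivalence to the mii.h constants should be confirmed against the 2.6.32 header rather than assumed from the names.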
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch)
@@ -0,0 +1,72 @@
+commit 6f24f892871acc47b40dd594c63606a17c714f77
+Author: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Date: Fri May 4 12:09:39 2012 -0700
+
+ hfsplus: Fix potential buffer overflows
+
+ Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
+ potential buffer overflows in the hfs filesystem. But as Timo Warns
+ pointed out, these changes also need to be made on the hfsplus
+ filesystem as well.
+
+ Reported-by: Timo Warns <warns at pre-sense.de>
+ Acked-by: WANG Cong <amwang at redhat.com>
+ Cc: Alexey Khoroshilov <khoroshilov at ispras.ru>
+ Cc: Miklos Szeredi <mszeredi at suse.cz>
+ Cc: Sage Weil <sage at newdream.net>
+ Cc: Eugene Teo <eteo at redhat.com>
+ Cc: Roman Zippel <zippel at linux-m68k.org>
+ Cc: Al Viro <viro at zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch at lst.de>
+ Cc: Alexey Dobriyan <adobriyan at gmail.com>
+ Cc: Dave Anderson <anderson at redhat.com>
+ Cc: stable <stable at vger.kernel.org>
+ Cc: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
+index f6874ac..a0786c6 100644
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -329,6 +329,10 @@ int hfsplus_rename_cat(u32 cnid,
+ err = hfs_brec_find(&src_fd);
+ if (err)
+ goto out;
++ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
+
+ hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+ src_fd.entrylength);
+diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
+index 5f40236..f4300ff 100644
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -138,6 +138,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ filp->f_pos++;
+ /* fall through */
+ case 1:
++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
++
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
+ printk(KERN_ERR "hfs: bad catalog folder thread\n");
+@@ -168,6 +173,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ err = -EIO;
+ goto out;
+ }
++
++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
++
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ type = be16_to_cpu(entry.type);
+ len = HFSPLUS_MAX_STRLEN;
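Review bot: The new checks bound entrylength from above only, so in both hfsplus_readdir() sites a record shorter than the type field still passes and `be16_to_cpu(entry.type)` is then evaluated on bytes that hfs_bnode_read() never wrote. Rejecting lengths below sizeof(entry.type) in the same condition would close that gap. The condition `fd.entrylength > sizeof(entry) || fd.entrylength < 0` also compares a signed value (the `< 0` test implies it is signed) against a size_t first; that works because a negative value converts to a large unsigned one, but testing `< 0` first states the intent without relying on the conversion. The same three-line check is repeated three times across catalog.c and dir.c; a small helper would keep the copies from drifting apart.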
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch)
@@ -0,0 +1,104 @@
+commit c50ac050811d6485616a193eb0f37bfbd191cc89
+Author: Dave Hansen <dave at linux.vnet.ibm.com>
+Date: Tue May 29 15:06:46 2012 -0700
+
+ hugetlb: fix resv_map leak in error path
+
+ When called for anonymous (non-shared) mappings, hugetlb_reserve_pages()
+ does a resv_map_alloc(). It depends on code in hugetlbfs's
+ vm_ops->close() to release that allocation.
+
+ However, in the mmap() failure path, we do a plain unmap_region() without
+ the remove_vma() which actually calls vm_ops->close().
+
+ This is a decent fix. This leak could get reintroduced if new code (say,
+ after hugetlb_reserve_pages() in hugetlbfs_file_mmap()) decides to return
+ an error. But, I think it would have to unroll the reservation anyway.
+
+ Christoph's test case:
+
+ http://marc.info/?l=linux-mm&m=133728900729735
+
+ This patch applies to 3.4 and later. A version for earlier kernels is at
+ https://lkml.org/lkml/2012/5/22/418.
+
+ Signed-off-by: Dave Hansen <dave at linux.vnet.ibm.com>
+ Acked-by: Mel Gorman <mel at csn.ul.ie>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+ Reported-by: Christoph Lameter <cl at linux.com>
+ Tested-by: Christoph Lameter <cl at linux.com>
+ Cc: Andrea Arcangeli <aarcange at redhat.com>
+ Cc: <stable at vger.kernel.org> [2.6.32+]
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 20f9240..3d61035 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -1772,6 +1772,15 @@ static void hugetlb_vm_op_open(struct vm_area_struct *vma)
+ kref_get(&reservations->refs);
+ }
+
++static void resv_map_put(struct vm_area_struct *vma)
++{
++ struct resv_map *reservations = vma_resv_map(vma);
++
++ if (!reservations)
++ return;
++ kref_put(&reservations->refs, resv_map_release);
++}
++
+ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+ {
+ struct hstate *h = hstate_vma(vma);
+@@ -1788,7 +1797,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+ reserve = (end - start) -
+ region_count(&reservations->regions, start, end);
+
+- kref_put(&reservations->refs, resv_map_release);
++ resv_map_put(vma);
+
+ if (reserve) {
+ hugetlb_acct_memory(h, -reserve);
+@@ -2472,12 +2481,16 @@ int hugetlb_reserve_pages(struct inode *inode,
+ set_vma_resv_flags(vma, HPAGE_RESV_OWNER);
+ }
+
+- if (chg < 0)
+- return chg;
++ if (chg < 0) {
++ ret = chg;
++ goto out_err;
++ }
+
+ /* There must be enough pages in the subpool for the mapping */
+- if (hugepage_subpool_get_pages(spool, chg))
+- return -ENOSPC;
++ if (hugepage_subpool_get_pages(spool, chg)) {
++ ret = -ENOSPC;
++ goto out_err;
++ }
+
+ /*
+ * Check enough hugepages are available for the reservation.
+@@ -2486,7 +2499,7 @@ int hugetlb_reserve_pages(struct inode *inode,
+ ret = hugetlb_acct_memory(h, chg);
+ if (ret < 0) {
+ hugepage_subpool_put_pages(spool, chg);
+- return ret;
++ goto out_err;
+ }
+
+ /*
+@@ -2503,6 +2516,9 @@ int hugetlb_reserve_pages(struct inode *inode,
+ if (!vma || vma->vm_flags & VM_MAYSHARE)
+ region_add(&inode->i_mapping->private_list, from, to);
+ return 0;
++out_err:
++ resv_map_put(vma);
++ return ret;
+ }
+
+ void hugetlb_unreserve_pages(struct inode *inode, long offset, long freed)
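Review bot: The new out_err label in hugetlb_reserve_pages() calls `resv_map_put(vma)` unconditionally, but the context line `if (!vma || vma->vm_flags & VM_MAYSHARE)` just above it shows that vma can be NULL in this function. resv_map_put() passes its argument straight to vma_resv_map() before the `!reservations` test, so an error return with a NULL vma depends on vma_resv_map() tolerating that. This revision also adds mm-fix-vma_resv_map-NULL-pointer.patch under the same CVE; the two need to sit together in the series file, with the follow-up after this one, and a guard such as `if (vma)` before the call would make this patch safe on its own.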
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch)
@@ -0,0 +1,52 @@
+From: "J. Bruce Fields" <bfields at fieldses.org>
+Date: Mon, 23 Jul 2012 15:17:17 -0400
+Subject: locks: fix checking of fcntl_setlease argument
+
+commit 0ec4f431eb56d633da3a55da67d5c4b88886ccc7 upstream.
+
+The only checks of the long argument passed to fcntl(fd,F_SETLEASE,.)
+are done after converting the long to an int. Thus some illegal values
+may be let through and cause problems in later code.
+
+[ They actually *don't* cause problems in mainline, as of Dave Jones's
+ commit 8d657eb3b438 "Remove easily user-triggerable BUG from
+ generic_setlease", but we should fix this anyway. And this patch will
+ be necessary to fix real bugs on earlier kernels. ]
+
+Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/locks.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/locks.c b/fs/locks.c
+index fce6238..82c3533 100644
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -308,7 +308,7 @@ static int flock_make_lock(struct file *filp, struct file_lock **lock,
+ return 0;
+ }
+
+-static int assign_type(struct file_lock *fl, int type)
++static int assign_type(struct file_lock *fl, long type)
+ {
+ switch (type) {
+ case F_RDLCK:
+@@ -445,7 +445,7 @@ static const struct lock_manager_operations lease_manager_ops = {
+ /*
+ * Initialize a lease, use the default lock manager operations
+ */
+-static int lease_init(struct file *filp, int type, struct file_lock *fl)
++static int lease_init(struct file *filp, long type, struct file_lock *fl)
+ {
+ if (assign_type(fl, type) != 0)
+ return -EINVAL;
+@@ -463,7 +463,7 @@ static int lease_init(struct file *filp, int type, struct file_lock *fl)
+ }
+
+ /* Allocate a file_lock initialised to this type of lease */
+-static struct file_lock *lease_alloc(struct file *filp, int type)
++static struct file_lock *lease_alloc(struct file *filp, long type)
+ {
+ struct file_lock *fl = locks_alloc_lock();
+ int error = -ENOMEM;
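Review bot: widening the parameter to `long` in assign_type(), lease_init() and lease_alloc() only helps if no caller above lease_alloc() still narrows the fcntl argument to `int`, and the diffstat (3 insertions, 3 deletions) shows that no caller was touched. Confirm that the path from fcntl(fd, F_SETLEASE, arg) hands its `long` to lease_alloc() unchanged. A one-line comment on assign_type() would also help, saying the parameter is deliberately `long` so that out-of-range values are rejected by the `assign_type(fl, type) != 0` test in lease_init() rather than being truncated to a valid lease type first.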
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch)
@@ -0,0 +1,64 @@
+commit 4523e1458566a0e8ecfaff90f380dd23acc44d27
+Author: Dave Hansen <dave at linux.vnet.ibm.com>
+Date: Wed May 30 07:51:07 2012 -0700
+
+ mm: fix vma_resv_map() NULL pointer
+
+ hugetlb_reserve_pages() can be used for either normal file-backed
+ hugetlbfs mappings, or MAP_HUGETLB. In the MAP_HUGETLB, semi-anonymous
+ mode, there is not a VMA around. The new call to resv_map_put() assumed
+ that there was, and resulted in a NULL pointer dereference:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+ IP: vma_resv_map+0x9/0x30
+ PGD 141453067 PUD 1421e1067 PMD 0
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Pid: 14006, comm: trinity-child6 Not tainted 3.4.0+ #36
+ RIP: vma_resv_map+0x9/0x30
+ ...
+ Process trinity-child6 (pid: 14006, threadinfo ffff8801414e0000, task ffff8801414f26b0)
+ Call Trace:
+ resv_map_put+0xe/0x40
+ hugetlb_reserve_pages+0xa6/0x1d0
+ hugetlb_file_setup+0x102/0x2c0
+ newseg+0x115/0x360
+ ipcget+0x1ce/0x310
+ sys_shmget+0x5a/0x60
+ system_call_fastpath+0x16/0x1b
+
+ This was reported by Dave Jones, but was reproducible with the
+ libhugetlbfs test cases, so shame on me for not running them in the
+ first place.
+
+ With this, the oops is gone, and the output of libhugetlbfs's
+ run_tests.py is identical to plain 3.4 again.
+
+ [ Marked for stable, since this was introduced by commit c50ac050811d
+ ("hugetlb: fix resv_map leak in error path") which was also marked for
+ stable ]
+
+ Reported-by: Dave Jones <davej at redhat.com>
+ Cc: Mel Gorman <mel at csn.ul.ie>
+ Cc: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+ Cc: Christoph Lameter <cl at linux.com>
+ Cc: Andrea Arcangeli <aarcange at redhat.com>
+ Cc: Andrew Morton <akpm at linux-foundation.org>
+ Cc: <stable at vger.kernel.org> [2.6.32+]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 3d61035..b435d1f 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2517,7 +2517,8 @@ int hugetlb_reserve_pages(struct inode *inode,
+ region_add(&inode->i_mapping->private_list, from, to);
+ return 0;
+ out_err:
+- resv_map_put(vma);
++ if (vma)
++ resv_map_put(vma);
+ return ret;
+ }
+
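Review bot: the NULL test sits at the `out_err:` call site, while the oops quoted in the commit message faults inside vma_resv_map() called from resv_map_put(), so the helper itself still dereferences whatever it is given. Either move the check into resv_map_put() so a later caller cannot reintroduce the crash, or add a comment at `if (vma)` saying that vma is NULL when hugetlb_reserve_pages() is reached without a VMA, as on the sys_shmget path in the trace.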
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch)
@@ -0,0 +1,45 @@
+commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc
+Author: Jason Wang <jasowang at redhat.com>
+Date: Wed May 30 21:18:10 2012 +0000
+
+ net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
+
+ We need to validate the number of pages consumed by data_len, otherwise frags
+ array could be overflowed by userspace. So this patch validate data_len and
+ return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.
+
+ Signed-off-by: Jason Wang <jasowang at redhat.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 31e02d3..eb7de4f 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1396,6 +1396,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ gfp_t gfp_mask;
+ long timeo;
+ int err;
++ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
++
++ err = -EMSGSIZE;
++ if (npages > MAX_SKB_FRAGS)
++ goto failure;
+
+ gfp_mask = sk->sk_allocation;
+ if (gfp_mask & __GFP_WAIT)
+@@ -1414,14 +1419,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
+ skb = alloc_skb(header_len, gfp_mask);
+ if (skb) {
+- int npages;
+ int i;
+
+ /* No pages, we're done... */
+ if (!data_len)
+ break;
+
+- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+ skb->truesize += data_len;
+ skb_shinfo(skb)->nr_frags = npages;
+ for (i = 0; i < npages; i++) {
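Review bot: `int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;` in the first hunk computes the page count into an `int` before the bound is applied; if data_len is as wide as the `unsigned long header_len` beside it in the signature, a very large value can truncate or wrap to a small or negative npages and pass `npages > MAX_SKB_FRAGS`. Bound data_len itself first, for example by rejecting `data_len > ((unsigned long)MAX_SKB_FRAGS << PAGE_SHIFT)`, or declare npages as unsigned long, so that the later `skb_shinfo(skb)->nr_frags = npages` and `skb->truesize += data_len` only ever see validated values.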
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch)
@@ -0,0 +1,68 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: sfc: Fix maximum number of TSO segments and minimum TX queue size
+
+This is related to commit 7e6d06f0de3f74ca929441add094518ae332257c
+upstream, but looks very different because:
+
+- TX queue size was constant before 2.6.37, so we don't need to check it
+- The upstream fix relies on changes to the TCP stack and networking
+ core, which are not appropriate for stable updates. Instead we limit
+ number of segments in efx_enqueue_skb_tso(). This effectively drops
+ all the extra packets and seriously hurts TCP throughput if the limit
+ is ever hit, but this shouldn't affect any legitimate traffic.
+
+The original commit message is:
+
+Currently an skb requiring TSO may not fit within a minimum-size TX
+queue. The TX queue selected for the skb may stall and trigger the TX
+watchdog repeatedly (since the problem skb will be retried after the
+TX reset). This issue is designated as CVE-2012-3412.
+
+Set the maximum number of TSO segments for our devices to 100. This
+should make no difference to behaviour unless the actual MSS is less
+than about 700. Increase the minimum TX queue size accordingly to
+allow for 2 worst-case skbs, so that there will definitely be space
+to add an skb after we wake a queue.
+
+To avoid invalidating existing configurations, change
+efx_ethtool_set_ringparam() to fix up values that are too small rather
+than returning -EINVAL.
+
+Signed-off-by: Ben Hutchings <bhutchings at solarflare.com>
+---
+--- a/drivers/net/sfc/efx.h
++++ b/drivers/net/sfc/efx.h
+@@ -39,6 +39,9 @@ extern void efx_release_tx_buffers(struc
+ extern void efx_wake_queue(struct efx_nic *efx);
+ #define EFX_TXQ_SIZE 1024
+ #define EFX_TXQ_MASK (EFX_TXQ_SIZE - 1)
++
++/* Maximum number of TCP segments we support for soft-TSO */
++#define EFX_TSO_MAX_SEGS 100
+
+ /* RX */
+ extern int efx_probe_rx_queue(struct efx_rx_queue *rx_queue);
+--- a/drivers/net/sfc/tx.c
++++ b/drivers/net/sfc/tx.c
+@@ -1053,6 +1053,21 @@ static int efx_enqueue_skb_tso(struct ef
+ int frag_i, rc, rc2 = NETDEV_TX_OK;
+ struct tso_state state;
+
++ /* Since the stack does not limit the number of segments per
++ * skb, we must do so. Otherwise an attacker may be able to
++ * make the TCP produce skbs that will never fit in our TX
++ * queue, causing repeated resets.
++ */
++ if (unlikely(skb_shinfo(skb)->gso_segs > EFX_TSO_MAX_SEGS)) {
++ unsigned int excess =
++ (skb_shinfo(skb)->gso_segs - EFX_TSO_MAX_SEGS) *
++ skb_shinfo(skb)->gso_size;
++ if (__pskb_trim(skb, skb->len - excess)) {
++ dev_kfree_skb_any(skb);
++ return NETDEV_TX_OK;
++ }
++ }
++
+ /* Find the packet protocol and sanity-check it */
+ state.protocol = efx_tso_check_protocol(skb);
+
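Review bot: in the efx_enqueue_skb_tso() hunk, after `__pskb_trim(skb, skb->len - excess)` succeeds, `skb_shinfo(skb)->gso_segs` still holds the untrimmed count, and when the trim fails the skb is freed and NETDEV_TX_OK is returned with nothing logged or counted. Set gso_segs to EFX_TSO_MAX_SEGS after a successful trim (or say in the comment why the stale value is harmless), and account the drop in a TX drop statistic so that hitting the limit is visible to an operator.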
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch)
@@ -0,0 +1,53 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Fri, 12 Nov 2010 13:35:00 -0800
+Subject: tcp: Don't change unlocked socket state in tcp_v4_err().
+
+commit 8f49c2703b33519aaaccc63f571b465b9d2b3a2d upstream.
+
+Alexey Kuznetsov noticed a regression introduced by
+commit f1ecd5d9e7366609d640ff4040304ea197fbc618
+("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable")
+
+The RTO and timer modification code added to tcp_v4_err()
+doesn't check sock_owned_by_user(), which if true means we
+don't have exclusive access to the socket and therefore cannot
+modify it's critical state.
+
+Just skip this new code block if sock_owned_by_user() is true
+and eliminate the now superfluous sock_owned_by_user() code
+block contained within.
+
+Reported-by: Alexey Kuznetsov <kuznet at ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+CC: Damian Lukowski <damian at tvk.rwth-aachen.de>
+Acked-by: Eric Dumazet <eric.dumazet at gmail.com>
+---
+ net/ipv4/tcp_ipv4.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 8f8527d..69ccbc1 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -415,6 +415,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
+ !icsk->icsk_backoff)
+ break;
+
++ if (sock_owned_by_user(sk))
++ break;
++
+ icsk->icsk_backoff--;
+ inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
+ icsk->icsk_backoff;
+@@ -429,11 +432,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
+ if (remaining) {
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+ remaining, TCP_RTO_MAX);
+- } else if (sock_owned_by_user(sk)) {
+- /* RTO revert clocked out retransmission,
+- * but socket is locked. Will defer. */
+- inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+- HZ/20, TCP_RTO_MAX);
+ } else {
+ /* RTO revert clocked out retransmission.
+ * Will retransmit now */
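Review bot: the early `if (sock_owned_by_user(sk)) break;` in the first hunk means that when the socket is held by a user context the backoff revert is skipped altogether, whereas the branch removed in the second hunk re-armed the retransmit timer at HZ/20 to defer. That change in behaviour is explained in the commit message but invisible in the code. Add a short comment at the new check stating that the socket state may not be modified without exclusive access and that the revert is dropped rather than deferred.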
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch)
@@ -0,0 +1,48 @@
+commit adee11b2085bee90bd8f4f52123ffb07882d6256
+Author: Jan Kara <jack at suse.cz>
+Date: Wed Jun 27 20:20:22 2012 +0200
+
+ udf: Avoid run away loop when partition table length is corrupted
+
+ Check provided length of partition table so that (possibly maliciously)
+ corrupted partition table cannot cause accessing data beyond current buffer.
+
+ Signed-off-by: Jan Kara <jack at suse.cz>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index fd4a262..b350a71 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1300,6 +1300,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ struct genericPartitionMap *gpm;
+ uint16_t ident;
+ struct buffer_head *bh;
++ unsigned int table_len;
+ int ret = 0;
+
+ bh = udf_read_tagged(sb, block, block, &ident);
+@@ -1307,6 +1308,14 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ return 1;
+ BUG_ON(ident != TAG_IDENT_LVD);
+ lvd = (struct logicalVolDesc *)bh->b_data;
++ table_len = le32_to_cpu(lvd->mapTableLength);
++ if (sizeof(*lvd) + table_len > sb->s_blocksize) {
++ udf_error(sb, __func__,
++ "error loading logical volume descriptor: "
++ "Partition table too long (%u > %lu)\n", table_len,
++ sb->s_blocksize - sizeof(*lvd));
++ goto out_bh;
++ }
+
+ i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+ if (i != 0) {
+@@ -1315,7 +1324,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ }
+
+ for (i = 0, offset = 0;
+- i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
++ i < sbi->s_partitions && offset < table_len;
+ i++, offset += gpm->partitionMapLength) {
+ struct udf_part_map *map = &sbi->s_partmaps[i];
+ gpm = (struct genericPartitionMap *)
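Review bot: the bound `sizeof(*lvd) + table_len > sb->s_blocksize` in the second hunk adds an on-disk 32-bit value to a size before comparing, so where size_t is 32 bits a table_len close to UINT_MAX wraps the sum and passes the check. Compare in the subtracted form that the error message already prints, `table_len > sb->s_blocksize - sizeof(*lvd)`, which cannot wrap as long as the block is at least as large as the descriptor. The loop in the third hunk also still advances by the on-disk `gpm->partitionMapLength` without checking that each map lies wholly inside table_len.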
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/udf-Fortify-loading-of-sparing-table.patch (from r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-Fortify-loading-of-sparing-table.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/udf-Fortify-loading-of-sparing-table.patch Sat Sep 22 19:10:58 2012 (r19391, copy of r19390, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-Fortify-loading-of-sparing-table.patch)
@@ -0,0 +1,129 @@
+commit 1df2ae31c724e57be9d7ac00d78db8a5dabdd050
+Author: Jan Kara <jack at suse.cz>
+Date: Wed Jun 27 21:23:07 2012 +0200
+
+ udf: Fortify loading of sparing table
+
+ Add sanity checks when loading sparing table from disk to avoid accessing
+ unallocated memory or writing to it.
+
+ Signed-off-by: Jan Kara <jack at suse.cz>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 1e4543c..fd4a262 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -57,6 +57,7 @@
+ #include <linux/seq_file.h>
+ #include <linux/bitmap.h>
+ #include <linux/crc-itu-t.h>
++#include <linux/log2.h>
+ #include <asm/byteorder.h>
+
+ #include "udf_sb.h"
+@@ -1239,11 +1240,61 @@ out_bh:
+ return ret;
+ }
+
++static int udf_load_sparable_map(struct super_block *sb,
++ struct udf_part_map *map,
++ struct sparablePartitionMap *spm)
++{
++ uint32_t loc;
++ uint16_t ident;
++ struct sparingTable *st;
++ struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing;
++ int i;
++ struct buffer_head *bh;
++
++ map->s_partition_type = UDF_SPARABLE_MAP15;
++ sdata->s_packet_len = le16_to_cpu(spm->packetLength);
++ if (!is_power_of_2(sdata->s_packet_len)) {
++ udf_error(sb, __func__,
++ "error loading logical volume descriptor: "
++ "Invalid packet length %u\n",
++ (unsigned)sdata->s_packet_len);
++ return -EIO;
++ }
++ if (spm->numSparingTables > 4) {
++ udf_error(sb, __func__,
++ "error loading logical volume descriptor: "
++ "Too many sparing tables (%d)\n",
++ (int)spm->numSparingTables);
++ return -EIO;
++ }
++
++ for (i = 0; i < spm->numSparingTables; i++) {
++ loc = le32_to_cpu(spm->locSparingTable[i]);
++ bh = udf_read_tagged(sb, loc, loc, &ident);
++ if (!bh)
++ continue;
++
++ st = (struct sparingTable *)bh->b_data;
++ if (ident != 0 ||
++ strncmp(st->sparingIdent.ident, UDF_ID_SPARING,
++ strlen(UDF_ID_SPARING)) ||
++ sizeof(*st) + le16_to_cpu(st->reallocationTableLen) >
++ sb->s_blocksize) {
++ brelse(bh);
++ continue;
++ }
++
++ sdata->s_spar_map[i] = bh;
++ }
++ map->s_partition_func = udf_get_pblock_spar15;
++ return 0;
++}
++
+ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ struct kernel_lb_addr *fileset)
+ {
+ struct logicalVolDesc *lvd;
+- int i, j, offset;
++ int i, offset;
+ uint8_t type;
+ struct udf_sb_info *sbi = UDF_SB(sb);
+ struct genericPartitionMap *gpm;
+@@ -1299,38 +1350,9 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ } else if (!strncmp(upm2->partIdent.ident,
+ UDF_ID_SPARABLE,
+ strlen(UDF_ID_SPARABLE))) {
+- uint32_t loc;
+- struct sparingTable *st;
+- struct sparablePartitionMap *spm =
+- (struct sparablePartitionMap *)gpm;
+-
+- map->s_partition_type = UDF_SPARABLE_MAP15;
+- map->s_type_specific.s_sparing.s_packet_len =
+- le16_to_cpu(spm->packetLength);
+- for (j = 0; j < spm->numSparingTables; j++) {
+- struct buffer_head *bh2;
+-
+- loc = le32_to_cpu(
+- spm->locSparingTable[j]);
+- bh2 = udf_read_tagged(sb, loc, loc,
+- &ident);
+- map->s_type_specific.s_sparing.
+- s_spar_map[j] = bh2;
+-
+- if (bh2 == NULL)
+- continue;
+-
+- st = (struct sparingTable *)bh2->b_data;
+- if (ident != 0 || strncmp(
+- st->sparingIdent.ident,
+- UDF_ID_SPARING,
+- strlen(UDF_ID_SPARING))) {
+- brelse(bh2);
+- map->s_type_specific.s_sparing.
+- s_spar_map[j] = NULL;
+- }
+- }
+- map->s_partition_func = udf_get_pblock_spar15;
++ if (udf_load_sparable_map(sb, map,
++ (struct sparablePartitionMap *)gpm) < 0)
++ goto out_bh;
+ } else if (!strncmp(upm2->partIdent.ident,
+ UDF_ID_METADATA,
+ strlen(UDF_ID_METADATA))) {
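Review bot: in udf_load_sparable_map(), the two `continue` paths (udf_read_tagged() returning NULL, and the ident or length validation failing after `brelse(bh)`) leave `sdata->s_spar_map[i]` unwritten, where the removed code stored the pointer first and reset it with `s_spar_map[j] = NULL` on rejection. Unless the map is guaranteed to be zeroed at allocation, set the slot to NULL explicitly on both paths. The limit in `spm->numSparingTables > 4` would also read better as ARRAY_SIZE() of the array it protects, so the bound cannot drift from the declaration.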
Modified: dists/squeeze/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/features/all/openvz/openvz.patch Sat Sep 22 15:24:51 2012 (r19390)
+++ dists/squeeze/linux-2.6/debian/patches/features/all/openvz/openvz.patch Sat Sep 22 19:10:58 2012 (r19391)
@@ -6538,6 +6538,9 @@
[bwh: Fix context for changes to flush_old_exec() and nf_ct_frag6_gather()
after 2.6.32.42]
[bwh: Fix context for changes to uptime_proc_show() after 2.6.32.55]
+[bwh: Fix context for changes to lease_alloc() after commit
+ 79549c6dfda0603dba9a70a53467ce62d9335c33 ('cred: copy_process() should
+ clear child->replacement_session_keyring')]
diff --git a/COPYING.Parallels b/COPYING.Parallels
new file mode 100644
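Review bot: the added `[bwh: ...]` note attributes the lease_alloc() context change to commit 79549c6dfda0603dba9a70a53467ce62d9335c33 ('cred: copy_process() should clear child->replacement_session_keyring'), but the context change in the next hunk is `int type` becoming `long type` in lease_alloc(), which is what locks-fix-checking-of-fcntl_setlease-argument.patch (upstream 0ec4f431eb56d633da3a55da67d5c4b88886ccc7) does in this same revision. Check the commit reference and cite the locks change if that is the one that moved the context.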
@@ -18322,7 +18325,7 @@
@@ -464,7 +483,7 @@ static int lease_init(struct file *filp, int type, struct file_lock *fl)
/* Allocate a file_lock initialised to this type of lease */
- static struct file_lock *lease_alloc(struct file *filp, int type)
+ static struct file_lock *lease_alloc(struct file *filp, long type)
{
- struct file_lock *fl = locks_alloc_lock();
+ struct file_lock *fl = locks_alloc_lock(1);
@@ -91657,7 +91660,7 @@
{
struct scm_cookie scm;
memset(&scm, 0, sizeof(scm));
-@@ -1322,6 +1332,7 @@ static void unix_destruct_fds(struct sk_buff *skb)
+@@ -1322,5 +1332,6 @@ static void unix_destruct_fds(struct sk_buff *skb)
scm_destroy(&scm);
sock_wfree(skb);
}
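Review bot: the last hunk rewrites an embedded hunk header for unix_destruct_fds() from `-1322,6 +1332,7` to `-1322,5 +1332,6`, but the `[bwh: ...]` note added at the top of openvz.patch only mentions lease_alloc(). Record this second context fix in the same note, and say which patch in the series removed the context line, so the hand-edited line counts can be re-checked the next time the series is refreshed.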
Modified: dists/squeeze/linux-2.6/debian/patches/series/46
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/46 Sat Sep 22 15:24:51 2012 (r19390)
+++ dists/squeeze/linux-2.6/debian/patches/series/46 Sat Sep 22 19:10:58 2012 (r19391)
@@ -32,3 +32,15 @@
+ bugfix/all/0010-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+ bugfix/all/0011-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+ debian/timer-Avoid_ABI-change-from-leap-second-fix.patch
++ bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
++ bugfix/all/dl2k-use-standard-defines-from-mii.h.patch
++ bugfix/all/dl2k-Clean-up-rio_ioctl.patch
++ bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch
++ bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
++ bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
++ bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch
++ bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
++ bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch
++ bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch
++ bugfix/all/udf-Fortify-loading-of-sparing-table.patch
++ bugfix/all/udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch
Copied and modified: dists/squeeze/linux-2.6/debian/patches/series/46-extra (from r19390, dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1-extra)
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1-extra Sat Sep 22 15:24:51 2012 (r19390, copy source)
+++ dists/squeeze/linux-2.6/debian/patches/series/46-extra Sat Sep 22 19:10:58 2012 (r19391)
@@ -12,6 +12,7 @@
+ features/all/openvz/0005-ve-Fix-d_path-return-code-when-no-buffer-given.patch featureset=openvz
+ features/all/openvz/ptrace_dont_allow_process_without_memory_map_v2.patch featureset=openvz
+ features/all/openvz/cpt-Allow-ext4-mount.patch featureset=openvz
++ features/all/openvz/proc-self-mountinfo.patch featureset=openvz
+ features/all/vserver/revert-fix-cputime-overflow-in-uptime_proc_show.patch featureset=vserver
+ features/all/vserver/vs2.3.0.36.29.8.patch featureset=vserver