[kernel] r22111 - in dists/squeeze-security/linux-2.6/debian/patches: bugfix/all debian series

Ben Hutchings benh at moszumanska.debian.org
Sat Dec 6 23:03:56 UTC 2014


Author: benh
Date: Sat Dec  6 23:03:55 2014
New Revision: 22111

Log:
Add ABI revert and fix-up patches for 2.6.32.61..64

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-blk_execute_rq_nowait-dead-queue-handling.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-add-missing-blk_queue_dead-checks.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/md-raid6-Fix-misapplied-backport-in-2.6.32.64.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sendmsg-Really-fix-NULL-pointer-dereference.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-connector-Delete-spurious-memset-in-proc_exit_c.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sctp-Fix-double-free-introduced-by-bad-backport-in-2.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vlan-Don-t-propagate-flag-changes-on-down-interfaces.patch
   dists/squeeze-security/linux-2.6/debian/patches/debian/block-Avoid-ABI-change-in-2.6.32.61.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-blk_execute_rq_nowait-dead-queue-handling.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-blk_execute_rq_nowait-dead-queue-handling.patch	Sat Dec  6 23:03:55 2014	(r22111)
@@ -0,0 +1,62 @@
+From: Muthukumar Ratty <muthur at gmail.com>
+Date: Fri, 29 Jun 2012 15:31:49 +0000
+Subject: [PATCH 3/9] block: Fix blk_execute_rq_nowait() dead queue handling
+
+commit e81ca6fe85b77109a32489a5db82f575d51dfc98 upstream.
+
+If the queue is dead blk_execute_rq_nowait() doesn't invoke the done()
+callback function. That will result in blk_execute_rq() being stuck
+in wait_for_completion(). Avoid this by initializing rq->end_io to the
+done() callback before we check the queue state. Also, make sure the
+queue lock is held around the invocation of the done() callback. Found
+this through source code review.
+
+Signed-off-by: Muthukumar Ratty <muthur at gmail.com>
+Signed-off-by: Bart Van Assche <bvanassche at acm.org>
+Reviewed-by: Tejun Heo <tj at kernel.org>
+Acked-by: Jens Axboe <axboe at kernel.dk>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+[bwh: Backported to 2.6.32: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ block/blk-exec.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-exec.c b/block/blk-exec.c
+index ae0f2c7..2ecb362 100644
+--- a/block/blk-exec.c
++++ b/block/blk-exec.c
+@@ -43,6 +43,9 @@ static void blk_end_sync_rq(struct request *rq, int error)
+  * Description:
+  *    Insert a fully prepared request at the back of the I/O scheduler queue
+  *    for execution.  Don't wait for completion.
++ *
++ * Note:
++ *    This function will invoke @done directly if the queue is dead.
+  */
+ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ 			   struct request *rq, int at_head,
+@@ -51,18 +54,20 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ 	int where = at_head ? ELEVATOR_INSERT_FRONT : ELEVATOR_INSERT_BACK;
+ 
+ 	WARN_ON(irqs_disabled());
++
++	rq->rq_disk = bd_disk;
++	rq->end_io = done;
++
+ 	spin_lock_irq(q->queue_lock);
+ 
+ 	if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))) {
+-		spin_unlock_irq(q->queue_lock);
+ 		rq->errors = -ENXIO;
+ 		if (rq->end_io)
+ 			rq->end_io(rq, rq->errors);
++		spin_unlock_irq(q->queue_lock);
+ 		return;
+ 	}
+ 
+-	rq->rq_disk = bd_disk;
+-	rq->end_io = done;
+ 	__elv_add_request(q, rq, where, 1);
+ 	__generic_unplug_device(q);
+ 	/* the queue is stopped so it won't be plugged+unplugged */
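Review bot: The new kerneldoc Note says @done is invoked directly on a dead queue, but it does not say that the callback now runs with q->queue_lock held and interrupts disabled, because the dead-queue branch calls rq->end_io() before spin_unlock_irq(). A callback that sleeps or takes the queue lock itself would hang on that path, so the contract is worth spelling out, e.g. ` *    This function will invoke @done directly, with the queue lock held, if the queue is dead.` The rest of blk_execute_rq_nowait() lies outside the hunk, so it is not confirmed here whether the normal completion path gives @done the same locking context.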

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-add-missing-blk_queue_dead-checks.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-add-missing-blk_queue_dead-checks.patch	Sat Dec  6 23:03:55 2014	(r22111)
@@ -0,0 +1,66 @@
+From: Tejun Heo <tj at kernel.org>
+Date: Wed, 14 Dec 2011 00:33:37 +0100
+Subject: [PATCH 2/9] block: add missing blk_queue_dead() checks
+
+commit 8ba61435d73f2274e12d4d823fde06735e8f6a54 upstream.
+
+blk_insert_cloned_request(), blk_execute_rq_nowait() and
+blk_flush_plug_list() either didn't check whether the queue was dead
+or did it without holding queue_lock.  Update them so that dead state
+is checked while holding queue_lock.
+
+AFAICS, this plugs all holes (requeue doesn't matter as the request is
+transitioning atomically from in_flight to queued).
+
+Signed-off-by: Tejun Heo <tj at kernel.org>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+[bwh: Backported to 2.6.32:
+ - Drop inapplicable changes to queue_unplugged() and
+   blk_flush_plug_list()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ block/blk-core.c | 4 ++++
+ block/blk-exec.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 4058f46..fc40ab9 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1651,6 +1651,10 @@ int blk_insert_cloned_request(struct request_queue *q, struct request *rq)
+ #endif
+ 
+ 	spin_lock_irqsave(q->queue_lock, flags);
++	if (unlikely(blk_queue_dead(q))) {
++		spin_unlock_irqrestore(q->queue_lock, flags);
++		return -ENODEV;
++	}
+ 
+ 	/*
+ 	 * Submitting request must be dequeued before calling this function
+diff --git a/block/blk-exec.c b/block/blk-exec.c
+index 85bd7b4..ae0f2c7 100644
+--- a/block/blk-exec.c
++++ b/block/blk-exec.c
+@@ -50,7 +50,11 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ {
+ 	int where = at_head ? ELEVATOR_INSERT_FRONT : ELEVATOR_INSERT_BACK;
+ 
++	WARN_ON(irqs_disabled());
++	spin_lock_irq(q->queue_lock);
++
+ 	if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))) {
++		spin_unlock_irq(q->queue_lock);
+ 		rq->errors = -ENXIO;
+ 		if (rq->end_io)
+ 			rq->end_io(rq, rq->errors);
+@@ -59,8 +63,6 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ 
+ 	rq->rq_disk = bd_disk;
+ 	rq->end_io = done;
+-	WARN_ON(irqs_disabled());
+-	spin_lock_irq(q->queue_lock);
+ 	__elv_add_request(q, rq, where, 1);
+ 	__generic_unplug_device(q);
+ 	/* the queue is stopped so it won't be plugged+unplugged */
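Review bot: The dead-queue test is spelled two ways in this patch: blk_insert_cloned_request() uses the helper `blk_queue_dead(q)`, while blk_execute_rq_nowait() keeps the open-coded `test_bit(QUEUE_FLAG_DEAD, &q->queue_flags)`. Assuming the helper wraps the same bit (its definition is not in the hunk), writing `if (unlikely(blk_queue_dead(q))) {` in blk-exec.c as well would make it easier to audit that every dead check sits under queue_lock. The two paths also report different errors (-ENODEV and -ENXIO); if that is intentional, a short comment at one of them would help. Both function bodies continue outside the hunks.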

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/md-raid6-Fix-misapplied-backport-in-2.6.32.64.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/md-raid6-Fix-misapplied-backport-in-2.6.32.64.patch	Sat Dec  6 23:03:55 2014	(r22111)
@@ -0,0 +1,37 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:54:04 +0000
+Subject: [PATCH 9/9] md/raid6: Fix misapplied backport in 2.6.32.64
+
+Upstream commit 0f606d9357c0 ("md/raid6: avoid data corruption during
+recovery of double-degraded RAID6") changes handle_stripe(), but we
+have separate functions for RAID5 and RAID6 and need to apply the
+change to handle_stripe6().  When cherry-picked, the change was
+wrongly applied to handle_stripe5().
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/md/raid5.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 013e598..4d70eef 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3091,8 +3091,6 @@ static void handle_stripe5(struct stripe_head *sh)
+ 				set_bit(R5_Wantwrite, &dev->flags);
+ 				if (prexor)
+ 					continue;
+-				if (s.failed > 1)
+-					continue;
+ 				if (!test_bit(R5_Insync, &dev->flags) ||
+ 				    (i == sh->pd_idx && s.failed == 0))
+ 					set_bit(STRIPE_INSYNC, &sh->state);
+@@ -3380,6 +3378,8 @@ static void handle_stripe6(struct stripe_head *sh)
+ 				pr_debug("Writing block %d\n", i);
+ 				BUG_ON(!test_bit(R5_UPTODATE, &dev->flags));
+ 				set_bit(R5_Wantwrite, &dev->flags);
++				if (s.failed > 1)
++					continue;
+ 				if (!test_bit(R5_Insync, &dev->flags) ||
+ 				    ((i == sh->pd_idx || i == qd_idx) &&
+ 				      s.failed == 0))
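Review bot: The relocated `if (s.failed > 1) continue;` in handle_stripe6() carries no comment, and the misapplied backport shows how easily the line is taken for generic RAID5/RAID6 logic. It skips the STRIPE_INSYNC update that follows, which per the patch description is what protects recovery of a double-degraded RAID6 array. A one-line comment such as `/* two failed devices: do not mark the stripe in-sync after this write */` would tie the check to its purpose; the wording should be confirmed against upstream 0f606d9357c0. Both functions start and end outside the hunks, so the surrounding loop is not visible here.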

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sendmsg-Really-fix-NULL-pointer-dereference.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sendmsg-Really-fix-NULL-pointer-dereference.patch	Sat Dec  6 23:03:55 2014	(r22111)
@@ -0,0 +1,26 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:47:25 +0000
+Subject: [PATCH 8/9] net: sendmsg: Really fix NULL pointer dereference
+
+The backport of upstream commit 40eea803c6b2 ("net: sendmsg: fix NULL
+pointer dereference") in 2.6.32.64 incorrectly tested msg_namelen
+twice rather than both msg_name and msg_namelen.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/compat.c b/net/compat.c
+index 71ed839..a5848ac 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -83,7 +83,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ {
+ 	int tot_len;
+ 
+-	if (kern_msg->msg_namelen && kern_msg->msg_namelen) {
++	if (kern_msg->msg_name && kern_msg->msg_namelen) {
+ 		if (mode==VERIFY_READ) {
+ 			int err = move_addr_to_kernel(kern_msg->msg_name,
+ 						      kern_msg->msg_namelen,
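Review bot: Only the condition is corrected here, and the hunk does not show what verify_compat_iovec() does when msg_name is NULL but msg_namelen is non-zero, which is the input the upstream fix is about. The branch not taken should leave both fields consistent (name NULL, length 0) before later code relies on them; please confirm this against the full function, whose body continues past the hunk. Since the bad backport came from a hand-edited condition, it is also worth checking that the non-compat counterpart, verify_iovec(), got the intended `msg_name && msg_namelen` test in 2.6.32.64.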

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-connector-Delete-spurious-memset-in-proc_exit_c.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-connector-Delete-spurious-memset-in-proc_exit_c.patch	Sat Dec  6 23:03:55 2014	(r22111)
@@ -0,0 +1,28 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:39:09 +0000
+Subject: [PATCH 5/9] proc connector: Delete spurious memset in
+ proc_exit_connector()
+
+Upstream commit e727ca82e0e9 ("proc connector: fix info leaks")
+changed many functions that don't exist in 2.6.32.y.  When it was
+cherry-picked into 2.6.32.61, one extra memset() calls was inserted
+into proc_exit_connector().  This results in clearing the cpu
+field of exit events.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/connector/cn_proc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
+index 3603599..551ea92 100644
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -187,7 +187,6 @@ void proc_exit_connector(struct task_struct *task)
+ 	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+-	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+ 	ev->what = PROC_EVENT_EXIT;
+ 	ev->event_data.exit.process_pid = task->pid;

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sctp-Fix-double-free-introduced-by-bad-backport-in-2.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sctp-Fix-double-free-introduced-by-bad-backport-in-2.patch	Sat Dec  6 23:03:55 2014	(r22111)
@@ -0,0 +1,25 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:44:35 +0000
+Subject: [PATCH 7/9] sctp: Fix double-free introduced by bad backport in
+ 2.6.32.62
+
+One deletion was omitted from the backport of upstream commit c485658bae87
+("net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk").
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/sctp/sm_statefuns.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index ac98a1e..5ca1edb 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -747,7 +747,6 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
+ 
+ 		/* Make sure that we and the peer are AUTH capable */
+ 		if (!sctp_auth_enable || !new_asoc->peer.auth_capable) {
+-			kfree_skb(chunk->auth_chunk);
+ 			sctp_association_free(new_asoc);
+ 			return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
+ 		}

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vlan-Don-t-propagate-flag-changes-on-down-interfaces.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vlan-Don-t-propagate-flag-changes-on-down-interfaces.patch	Sat Dec  6 23:03:55 2014	(r22111)
@@ -0,0 +1,43 @@
+From: Matthijs Kooijman <matthijs at stdin.nl>
+Date: Mon, 31 Oct 2011 04:53:13 +0000
+Subject: [PATCH 6/9] vlan: Don't propagate flag changes on down interfaces.
+
+When (de)configuring a vlan interface, the IFF_ALLMULTI ans IFF_PROMISC
+flags are cleared or set on the underlying interface. So, if these flags
+are changed on a vlan interface that is not up, the flags underlying
+interface might be set or cleared twice.
+
+Only propagating flag changes when a device is up makes sure this does
+not happen. It also makes sure that an underlying device is not set to
+promiscuous or allmulti mode for a vlan device that is down.
+
+Signed-off-by: Matthijs Kooijman <matthijs at stdin.nl>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: This is a dependency of commit d2615bf45069 ("net: core: Always
+ propagate flag changes to interfaces"), already backported in 2.6.32.62]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/8021q/vlan_dev.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index 9796ea4..8c9f69c 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -639,10 +639,12 @@ static void vlan_dev_change_rx_flags(struct net_device *dev, int change)
+ {
+ 	struct net_device *real_dev = vlan_dev_info(dev)->real_dev;
+ 
+-	if (change & IFF_ALLMULTI)
+-		dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
+-	if (change & IFF_PROMISC)
+-		dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
++	if (dev->flags & IFF_UP) {
++		if (change & IFF_ALLMULTI)
++			dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
++		if (change & IFF_PROMISC)
++			dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
++	}
+ }
+ 
+ static void vlan_dev_set_rx_mode(struct net_device *vlan_dev)
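Review bot: The new `dev->flags & IFF_UP` guard in vlan_dev_change_rx_flags() has no comment, and the reason for it lives only in the commit message. A comment above the `if`, such as `/* flags are applied to real_dev when the vlan device is (de)configured; propagating while down would apply them twice */`, would keep a later backport from dropping the guard as redundant. The exact wording depends on the open/stop paths, which are outside this hunk.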

Added: dists/squeeze-security/linux-2.6/debian/patches/debian/block-Avoid-ABI-change-in-2.6.32.61.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/debian/block-Avoid-ABI-change-in-2.6.32.61.patch	Sat Dec  6 23:03:55 2014	(r22111)
@@ -0,0 +1,24 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:20:29 +0000
+Subject: [PATCH 1/9] block: Avoid ABI change in 2.6.32.61
+
+This reverts the queue flag renumbering in commit
+ec2826bc2f8c9874284080a9cda657c4c1dc948e.
+---
+ include/linux/blkdev.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index ec9c10b..6c94ad5 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -456,7 +456,8 @@ struct request_queue
+ #define QUEUE_FLAG_NONROT      14	/* non-rotational device (SSD) */
+ #define QUEUE_FLAG_VIRT        QUEUE_FLAG_NONROT /* paravirt device */
+ #define QUEUE_FLAG_IO_STAT     15	/* do IO stats */
+-#define QUEUE_FLAG_DISCARD     16	/* supports DISCARD */
++#define QUEUE_FLAG_CQ	       16	/* hardware does queuing */
++#define QUEUE_FLAG_DISCARD     17	/* supports DISCARD */
+ 
+ #define QUEUE_FLAG_DEFAULT	((1 << QUEUE_FLAG_IO_STAT) |		\
+ 				 (1 << QUEUE_FLAG_STACKABLE)	|	\
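Review bot: QUEUE_FLAG_CQ is re-added at bit 16 only so that QUEUE_FLAG_DISCARD stays at 17, but its `/* hardware does queuing */` comment reads as if the flag were still in use. If nothing in this tree sets or tests it any more (not visible in the hunk), the define should say so, e.g. `/* unused; kept so the flag numbering (ABI) does not change */`, so that a later stable update does not renumber the flags again. The patch header also has no Signed-off-by line, unlike the other patches added in this commit.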

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9	Sat Dec  6 22:19:22 2014	(r22110)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9	Sat Dec  6 23:03:55 2014	(r22111)
@@ -150,3 +150,14 @@
 + bugfix/all/CVE-2014-4653.patch
 + bugfix/all/CVE-2014-4654+4655.patch  
 + bugfix/all/CVE-2014-4943.patch
+
++ debian/block-Avoid-ABI-change-in-2.6.32.61.patch
+
+# Fix-ups for 2.6.32.61..64
++ bugfix/all/block-add-missing-blk_queue_dead-checks.patch
++ bugfix/all/block-Fix-blk_execute_rq_nowait-dead-queue-handling.patch
++ bugfix/all/proc-connector-Delete-spurious-memset-in-proc_exit_c.patch
++ bugfix/all/vlan-Don-t-propagate-flag-changes-on-down-interfaces.patch
++ bugfix/all/net-sendmsg-Really-fix-NULL-pointer-dereference.patch
++ bugfix/all/sctp-Fix-double-free-introduced-by-bad-backport-in-2.patch
++ bugfix/all/md-raid6-Fix-misapplied-backport-in-2.6.32.64.patch


