[kernel] r22111 - in dists/squeeze-security/linux-2.6/debian/patches: bugfix/all debian series
Ben Hutchings
benh at moszumanska.debian.org
Sat Dec 6 23:03:56 UTC 2014
Author: benh
Date: Sat Dec 6 23:03:55 2014
New Revision: 22111
Log:
Add ABI revert and fix-up patches for 2.6.32.61..64
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-blk_execute_rq_nowait-dead-queue-handling.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-add-missing-blk_queue_dead-checks.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/md-raid6-Fix-misapplied-backport-in-2.6.32.64.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sendmsg-Really-fix-NULL-pointer-dereference.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-connector-Delete-spurious-memset-in-proc_exit_c.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sctp-Fix-double-free-introduced-by-bad-backport-in-2.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vlan-Don-t-propagate-flag-changes-on-down-interfaces.patch
dists/squeeze-security/linux-2.6/debian/patches/debian/block-Avoid-ABI-change-in-2.6.32.61.patch
Modified:
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-blk_execute_rq_nowait-dead-queue-handling.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-Fix-blk_execute_rq_nowait-dead-queue-handling.patch Sat Dec 6 23:03:55 2014 (r22111)
@@ -0,0 +1,62 @@
+From: Muthukumar Ratty <muthur at gmail.com>
+Date: Fri, 29 Jun 2012 15:31:49 +0000
+Subject: [PATCH 3/9] block: Fix blk_execute_rq_nowait() dead queue handling
+
+commit e81ca6fe85b77109a32489a5db82f575d51dfc98 upstream.
+
+If the queue is dead blk_execute_rq_nowait() doesn't invoke the done()
+callback function. That will result in blk_execute_rq() being stuck
+in wait_for_completion(). Avoid this by initializing rq->end_io to the
+done() callback before we check the queue state. Also, make sure the
+queue lock is held around the invocation of the done() callback. Found
+this through source code review.
+
+Signed-off-by: Muthukumar Ratty <muthur at gmail.com>
+Signed-off-by: Bart Van Assche <bvanassche at acm.org>
+Reviewed-by: Tejun Heo <tj at kernel.org>
+Acked-by: Jens Axboe <axboe at kernel.dk>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+[bwh: Backported to 2.6.32: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ block/blk-exec.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-exec.c b/block/blk-exec.c
+index ae0f2c7..2ecb362 100644
+--- a/block/blk-exec.c
++++ b/block/blk-exec.c
+@@ -43,6 +43,9 @@ static void blk_end_sync_rq(struct request *rq, int error)
+ * Description:
+ * Insert a fully prepared request at the back of the I/O scheduler queue
+ * for execution. Don't wait for completion.
++ *
++ * Note:
++ * This function will invoke @done directly if the queue is dead.
+ */
+ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ struct request *rq, int at_head,
+@@ -51,18 +54,20 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ int where = at_head ? ELEVATOR_INSERT_FRONT : ELEVATOR_INSERT_BACK;
+
+ WARN_ON(irqs_disabled());
++
++ rq->rq_disk = bd_disk;
++ rq->end_io = done;
++
+ spin_lock_irq(q->queue_lock);
+
+ if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))) {
+- spin_unlock_irq(q->queue_lock);
+ rq->errors = -ENXIO;
+ if (rq->end_io)
+ rq->end_io(rq, rq->errors);
++ spin_unlock_irq(q->queue_lock);
+ return;
+ }
+
+- rq->rq_disk = bd_disk;
+- rq->end_io = done;
+ __elv_add_request(q, rq, where, 1);
+ __generic_unplug_device(q);
+ /* the queue is stopped so it won't be plugged+unplugged */
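Review bot: The new kernel-doc note on blk_execute_rq_nowait() says @done is invoked directly on a dead queue, but not that it now runs with q->queue_lock held and interrupts disabled, because `spin_unlock_irq(q->queue_lock)` was moved after the `rq->end_io(rq, rq->errors)` call. A callback that sleeps or takes the queue lock itself would misbehave on this path, so the comment should state the context, e.g. `* This function will invoke @done directly, with the queue lock held, if the queue is dead.` It is also worth confirming what happens to @rq when @done is NULL, since the dead-queue branch then returns after only setting rq->errors. The rest of the function lies outside the hunk.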
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-add-missing-blk_queue_dead-checks.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/block-add-missing-blk_queue_dead-checks.patch Sat Dec 6 23:03:55 2014 (r22111)
@@ -0,0 +1,66 @@
+From: Tejun Heo <tj at kernel.org>
+Date: Wed, 14 Dec 2011 00:33:37 +0100
+Subject: [PATCH 2/9] block: add missing blk_queue_dead() checks
+
+commit 8ba61435d73f2274e12d4d823fde06735e8f6a54 upstream.
+
+blk_insert_cloned_request(), blk_execute_rq_nowait() and
+blk_flush_plug_list() either didn't check whether the queue was dead
+or did it without holding queue_lock. Update them so that dead state
+is checked while holding queue_lock.
+
+AFAICS, this plugs all holes (requeue doesn't matter as the request is
+transitioning atomically from in_flight to queued).
+
+Signed-off-by: Tejun Heo <tj at kernel.org>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+[bwh: Backported to 2.6.32:
+ - Drop inapplicable changes to queue_unplugged() and
+ blk_flush_plug_list()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ block/blk-core.c | 4 ++++
+ block/blk-exec.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 4058f46..fc40ab9 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1651,6 +1651,10 @@ int blk_insert_cloned_request(struct request_queue *q, struct request *rq)
+ #endif
+
+ spin_lock_irqsave(q->queue_lock, flags);
++ if (unlikely(blk_queue_dead(q))) {
++ spin_unlock_irqrestore(q->queue_lock, flags);
++ return -ENODEV;
++ }
+
+ /*
+ * Submitting request must be dequeued before calling this function
+diff --git a/block/blk-exec.c b/block/blk-exec.c
+index 85bd7b4..ae0f2c7 100644
+--- a/block/blk-exec.c
++++ b/block/blk-exec.c
+@@ -50,7 +50,11 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ {
+ int where = at_head ? ELEVATOR_INSERT_FRONT : ELEVATOR_INSERT_BACK;
+
++ WARN_ON(irqs_disabled());
++ spin_lock_irq(q->queue_lock);
++
+ if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))) {
++ spin_unlock_irq(q->queue_lock);
+ rq->errors = -ENXIO;
+ if (rq->end_io)
+ rq->end_io(rq, rq->errors);
+@@ -59,8 +63,6 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+
+ rq->rq_disk = bd_disk;
+ rq->end_io = done;
+- WARN_ON(irqs_disabled());
+- spin_lock_irq(q->queue_lock);
+ __elv_add_request(q, rq, where, 1);
+ __generic_unplug_device(q);
+ /* the queue is stopped so it won't be plugged+unplugged */
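Review bot: The blk-core.c hunk tests the dead state with `blk_queue_dead(q)`, while the blk-exec.c hunk of the same patch keeps `test_bit(QUEUE_FLAG_DEAD, &q->queue_flags)`. Nothing in this patch defines the helper, so confirm that the 2.6.32.y tree provides it, or use the same `test_bit()` form in both places. The two paths also report the condition differently (`-ENODEV` returned from blk_insert_cloned_request(), `-ENXIO` stored in rq->errors), which callers that compare error codes should know. In the blk-exec.c hunk the dead-queue branch still runs before `rq->end_io = done`, so this patch relies on patch 3/9 of the series being applied as well.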
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/md-raid6-Fix-misapplied-backport-in-2.6.32.64.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/md-raid6-Fix-misapplied-backport-in-2.6.32.64.patch Sat Dec 6 23:03:55 2014 (r22111)
@@ -0,0 +1,37 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:54:04 +0000
+Subject: [PATCH 9/9] md/raid6: Fix misapplied backport in 2.6.32.64
+
+Upstream commit 0f606d9357c0 ("md/raid6: avoid data corruption during
+recovery of double-degraded RAID6") changes handle_stripe(), but we
+have separate functions for RAID5 and RAID6 and need to apply the
+change to handle_stripe6(). When cherry-picked, the change was
+wrongly applied to handle_stripe5().
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/md/raid5.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 013e598..4d70eef 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3091,8 +3091,6 @@ static void handle_stripe5(struct stripe_head *sh)
+ set_bit(R5_Wantwrite, &dev->flags);
+ if (prexor)
+ continue;
+- if (s.failed > 1)
+- continue;
+ if (!test_bit(R5_Insync, &dev->flags) ||
+ (i == sh->pd_idx && s.failed == 0))
+ set_bit(STRIPE_INSYNC, &sh->state);
+@@ -3380,6 +3378,8 @@ static void handle_stripe6(struct stripe_head *sh)
+ pr_debug("Writing block %d\n", i);
+ BUG_ON(!test_bit(R5_UPTODATE, &dev->flags));
+ set_bit(R5_Wantwrite, &dev->flags);
++ if (s.failed > 1)
++ continue;
+ if (!test_bit(R5_Insync, &dev->flags) ||
+ ((i == sh->pd_idx || i == qd_idx) &&
+ s.failed == 0))
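Review bot: The `if (s.failed > 1) continue;` added to handle_stripe6() has no comment, and its effect depends on its position. It sits after `set_bit(R5_Wantwrite, &dev->flags)` and before the STRIPE_INSYNC test, so with two failed devices the block is still queued for writing but the stripe is not marked in sync. A one-line comment such as `/* double-degraded: write the block but do not mark the stripe in sync */` would make that intent visible and guard against another misplacement like the one being corrected here. Both functions extend beyond the hunks shown.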
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sendmsg-Really-fix-NULL-pointer-dereference.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sendmsg-Really-fix-NULL-pointer-dereference.patch Sat Dec 6 23:03:55 2014 (r22111)
@@ -0,0 +1,26 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:47:25 +0000
+Subject: [PATCH 8/9] net: sendmsg: Really fix NULL pointer dereference
+
+The backport of upstream commit 40eea803c6b2 ("net: sendmsg: fix NULL
+pointer dereference") in 2.6.32.64 incorrectly tested msg_namelen
+twice rather than both msg_name and msg_namelen.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/compat.c b/net/compat.c
+index 71ed839..a5848ac 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -83,7 +83,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ {
+ int tot_len;
+
+- if (kern_msg->msg_namelen && kern_msg->msg_namelen) {
++ if (kern_msg->msg_name && kern_msg->msg_namelen) {
+ if (mode==VERIFY_READ) {
+ int err = move_addr_to_kernel(kern_msg->msg_name,
+ kern_msg->msg_namelen,
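Review bot: The corrected test `kern_msg->msg_name && kern_msg->msg_namelen` covers only the compat path, and the branch taken when it is false lies outside the hunk. If the 2.6.32.64 backport also changed the native verify_iovec(), that copy should be checked for the same duplicated-operand mistake. The false branch should be confirmed to clear both msg_name and msg_namelen, so that later code looking at only one of them cannot see a NULL name with a non-zero length. msg_namelen is tested only for truthiness, so a negative length still reaches `move_addr_to_kernel()`; presumably that helper rejects it, but this is not visible here.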
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-connector-Delete-spurious-memset-in-proc_exit_c.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-connector-Delete-spurious-memset-in-proc_exit_c.patch Sat Dec 6 23:03:55 2014 (r22111)
@@ -0,0 +1,28 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:39:09 +0000
+Subject: [PATCH 5/9] proc connector: Delete spurious memset in
+ proc_exit_connector()
+
+Upstream commit e727ca82e0e9 ("proc connector: fix info leaks")
+changed many functions that don't exist in 2.6.32.y. When it was
+cherry-picked into 2.6.32.61, one extra memset() calls was inserted
+into proc_exit_connector(). This results in clearing the cpu
+field of exit events.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/connector/cn_proc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
+index 3603599..551ea92 100644
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -187,7 +187,6 @@ void proc_exit_connector(struct task_struct *task)
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- memset(&ev->event_data, 0, sizeof(ev->event_data));
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+ ev->what = PROC_EVENT_EXIT;
+ ev->event_data.exit.process_pid = task->pid;
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sctp-Fix-double-free-introduced-by-bad-backport-in-2.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sctp-Fix-double-free-introduced-by-bad-backport-in-2.patch Sat Dec 6 23:03:55 2014 (r22111)
@@ -0,0 +1,25 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:44:35 +0000
+Subject: [PATCH 7/9] sctp: Fix double-free introduced by bad backport in
+ 2.6.32.62
+
+One deletion was omitted from the backport of upstream commit c485658bae87
+("net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk").
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/sctp/sm_statefuns.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index ac98a1e..5ca1edb 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -747,7 +747,6 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
+
+ /* Make sure that we and the peer are AUTH capable */
+ if (!sctp_auth_enable || !new_asoc->peer.auth_capable) {
+- kfree_skb(chunk->auth_chunk);
+ sctp_association_free(new_asoc);
+ return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
+ }
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vlan-Don-t-propagate-flag-changes-on-down-interfaces.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vlan-Don-t-propagate-flag-changes-on-down-interfaces.patch Sat Dec 6 23:03:55 2014 (r22111)
@@ -0,0 +1,43 @@
+From: Matthijs Kooijman <matthijs at stdin.nl>
+Date: Mon, 31 Oct 2011 04:53:13 +0000
+Subject: [PATCH 6/9] vlan: Don't propagate flag changes on down interfaces.
+
+When (de)configuring a vlan interface, the IFF_ALLMULTI ans IFF_PROMISC
+flags are cleared or set on the underlying interface. So, if these flags
+are changed on a vlan interface that is not up, the flags underlying
+interface might be set or cleared twice.
+
+Only propagating flag changes when a device is up makes sure this does
+not happen. It also makes sure that an underlying device is not set to
+promiscuous or allmulti mode for a vlan device that is down.
+
+Signed-off-by: Matthijs Kooijman <matthijs at stdin.nl>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: This is a dependency of commit d2615bf45069 ("net: core: Always
+ propagate flag changes to interfaces"), already backported in 2.6.32.62]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/8021q/vlan_dev.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index 9796ea4..8c9f69c 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -639,10 +639,12 @@ static void vlan_dev_change_rx_flags(struct net_device *dev, int change)
+ {
+ struct net_device *real_dev = vlan_dev_info(dev)->real_dev;
+
+- if (change & IFF_ALLMULTI)
+- dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
+- if (change & IFF_PROMISC)
+- dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
++ if (dev->flags & IFF_UP) {
++ if (change & IFF_ALLMULTI)
++ dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
++ if (change & IFF_PROMISC)
++ dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
++ }
+ }
+
+ static void vlan_dev_set_rx_mode(struct net_device *vlan_dev)
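Review bot: The new `if (dev->flags & IFF_UP)` guard in vlan_dev_change_rx_flags() has no comment explaining why flag changes on a down interface are dropped rather than deferred. Going by the patch description, the (de)configuration paths apply IFF_ALLMULTI and IFF_PROMISC to real_dev themselves, so propagating here as well would adjust real_dev's counters twice. A short comment such as `/* open/stop sync these flags to real_dev; only propagate while up */` would record that. This assumes those paths behave as described, since they are not part of the hunk.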
Added: dists/squeeze-security/linux-2.6/debian/patches/debian/block-Avoid-ABI-change-in-2.6.32.61.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/debian/block-Avoid-ABI-change-in-2.6.32.61.patch Sat Dec 6 23:03:55 2014 (r22111)
@@ -0,0 +1,24 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 6 Dec 2014 22:20:29 +0000
+Subject: [PATCH 1/9] block: Avoid ABI change in 2.6.32.61
+
+This reverts the queue flag renumbering in commit
+ec2826bc2f8c9874284080a9cda657c4c1dc948e.
+---
+ include/linux/blkdev.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index ec9c10b..6c94ad5 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -456,7 +456,8 @@ struct request_queue
+ #define QUEUE_FLAG_NONROT 14 /* non-rotational device (SSD) */
+ #define QUEUE_FLAG_VIRT QUEUE_FLAG_NONROT /* paravirt device */
+ #define QUEUE_FLAG_IO_STAT 15 /* do IO stats */
+-#define QUEUE_FLAG_DISCARD 16 /* supports DISCARD */
++#define QUEUE_FLAG_CQ 16 /* hardware does queuing */
++#define QUEUE_FLAG_DISCARD 17 /* supports DISCARD */
+
+ #define QUEUE_FLAG_DEFAULT ((1 << QUEUE_FLAG_IO_STAT) | \
+ (1 << QUEUE_FLAG_STACKABLE) | \
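Review bot: The restored numbering (`QUEUE_FLAG_CQ 16`, `QUEUE_FLAG_DISCARD 17`) has no comment saying that these bit numbers are frozen for ABI reasons, so a later stable merge could renumber them again unnoticed. Consider a comment above the two defines, e.g. `/* Debian: bit numbers kept as before 2.6.32.61 for module ABI; do not renumber */`. It is also worth confirming whether anything in this tree still sets or tests QUEUE_FLAG_CQ, or whether it now only reserves bit 16.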
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9 Sat Dec 6 22:19:22 2014 (r22110)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9 Sat Dec 6 23:03:55 2014 (r22111)
@@ -150,3 +150,14 @@
+ bugfix/all/CVE-2014-4653.patch
+ bugfix/all/CVE-2014-4654+4655.patch
+ bugfix/all/CVE-2014-4943.patch
+
++ debian/block-Avoid-ABI-change-in-2.6.32.61.patch
+
+# Fix-ups for 2.6.32.61..64
++ bugfix/all/block-add-missing-blk_queue_dead-checks.patch
++ bugfix/all/block-Fix-blk_execute_rq_nowait-dead-queue-handling.patch
++ bugfix/all/proc-connector-Delete-spurious-memset-in-proc_exit_c.patch
++ bugfix/all/vlan-Don-t-propagate-flag-changes-on-down-interfaces.patch
++ bugfix/all/net-sendmsg-Really-fix-NULL-pointer-dereference.patch
++ bugfix/all/sctp-Fix-double-free-introduced-by-bad-backport-in-2.patch
++ bugfix/all/md-raid6-Fix-misapplied-backport-in-2.6.32.64.patch