Cherry-pick some important fixes from 3.0.4-rc1
svn path=/dists/sid/linux-2.6/; revision=18021
This commit is contained in:
Ben Hutchings
parent
c0dedf4876
commit
3783ddfc79
|
|
@ -11,7 +11,12 @@ linux-2.6 (3.0.0-3) UNRELEASED; urgency=low
|
|||
SNAT/masquerading is not done)
|
||||
* Remove net device features from bug reports (Closes: #638956)
|
||||
* [mips,mipsel] Ignore nfs ABI changes made in 3.0.0-2; fixes FTBFS
|
||||
* genirq: Fix wrong bit operation
|
||||
* befs: Validate length of long symbolic links (CVE-2011-2928)
|
||||
* CIFS: Fix memory corruption on mount (Closes: #635344)
|
||||
* x86-32, vdso: On system call restart after SYSENTER, use int $0x80
|
||||
* drm/ttm: fix ttm_bo_add_ttm(user) failure path
|
||||
* fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sun, 21 Aug 2011 16:18:29 +0100
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,50 @@
|
|||
From: Timo Warns <Warns@pre-sense.de>
|
||||
Date: Wed, 17 Aug 2011 17:59:56 +0200
|
||||
Subject: befs: Validate length of long symbolic links.
|
||||
|
||||
From: Timo Warns <Warns@pre-sense.de>
|
||||
|
||||
commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 upstream.
|
||||
|
||||
Signed-off-by: Timo Warns <warns@pre-sense.de>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
fs/befs/linuxvfs.c | 23 ++++++++++++++---------
|
||||
1 file changed, 14 insertions(+), 9 deletions(-)
|
||||
|
||||
--- a/fs/befs/linuxvfs.c
|
||||
+++ b/fs/befs/linuxvfs.c
|
||||
@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry,
|
||||
befs_data_stream *data = &befs_ino->i_data.ds;
|
||||
befs_off_t len = data->size;
|
||||
|
||||
- befs_debug(sb, "Follow long symlink");
|
||||
-
|
||||
- link = kmalloc(len, GFP_NOFS);
|
||||
- if (!link) {
|
||||
- link = ERR_PTR(-ENOMEM);
|
||||
- } else if (befs_read_lsymlink(sb, data, link, len) != len) {
|
||||
- kfree(link);
|
||||
- befs_error(sb, "Failed to read entire long symlink");
|
||||
+ if (len == 0) {
|
||||
+ befs_error(sb, "Long symlink with illegal length");
|
||||
link = ERR_PTR(-EIO);
|
||||
} else {
|
||||
- link[len - 1] = '\0';
|
||||
+ befs_debug(sb, "Follow long symlink");
|
||||
+
|
||||
+ link = kmalloc(len, GFP_NOFS);
|
||||
+ if (!link) {
|
||||
+ link = ERR_PTR(-ENOMEM);
|
||||
+ } else if (befs_read_lsymlink(sb, data, link, len) != len) {
|
||||
+ kfree(link);
|
||||
+ befs_error(sb, "Failed to read entire long symlink");
|
||||
+ link = ERR_PTR(-EIO);
|
||||
+ } else {
|
||||
+ link[len - 1] = '\0';
|
||||
+ }
|
||||
}
|
||||
} else {
|
||||
link = befs_ino->i_data.symlink;
|
||||
34
debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
vendored
Normal file
34
debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
vendored
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
From: Marcin Slusarz <marcin.slusarz@gmail.com>
|
||||
Date: Mon, 22 Aug 2011 21:17:57 +0000
|
||||
Subject: drm/ttm: fix ttm_bo_add_ttm(user) failure path
|
||||
|
||||
From: Marcin Slusarz <marcin.slusarz@gmail.com>
|
||||
|
||||
commit 7c4c3960dff109bc5db4c35da481c212dadb5eb5 upstream.
|
||||
|
||||
ttm_tt_destroy kfrees passed object, so we need to nullify
|
||||
a reference to it.
|
||||
|
||||
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
|
||||
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
|
||||
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
drivers/gpu/drm/ttm/ttm_bo.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/gpu/drm/ttm/ttm_bo.c
|
||||
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
|
||||
@@ -353,8 +353,10 @@ static int ttm_bo_add_ttm(struct ttm_buf
|
||||
|
||||
ret = ttm_tt_set_user(bo->ttm, current,
|
||||
bo->buffer_start, bo->num_pages);
|
||||
- if (unlikely(ret != 0))
|
||||
+ if (unlikely(ret != 0)) {
|
||||
ttm_tt_destroy(bo->ttm);
|
||||
+ bo->ttm = NULL;
|
||||
+ }
|
||||
break;
|
||||
default:
|
||||
printk(KERN_ERR TTM_PFX "Illegal buffer object type\n");
|
||||
33
debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
vendored
Normal file
33
debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
vendored
Normal file
|
|
@ -0,0 +1,33 @@
|
|||
From: Miklos Szeredi <mszeredi@suse.cz>
|
||||
Date: Wed, 24 Aug 2011 10:20:17 +0200
|
||||
Subject: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
|
||||
|
||||
From: Miklos Szeredi <mszeredi@suse.cz>
|
||||
|
||||
commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae upstream.
|
||||
|
||||
FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
|
||||
message processing could overrun and result in a "kernel BUG at
|
||||
fs/fuse/dev.c:629!"
|
||||
|
||||
Reported-by: Han-Wen Nienhuys <hanwenn@gmail.com>
|
||||
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
fs/fuse/dev.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
--- a/fs/fuse/dev.c
|
||||
+++ b/fs/fuse/dev.c
|
||||
@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struc
|
||||
if (outarg.namelen > FUSE_NAME_MAX)
|
||||
goto err;
|
||||
|
||||
+ err = -EINVAL;
|
||||
+ if (size != sizeof(outarg) + outarg.namelen + 1)
|
||||
+ goto err;
|
||||
+
|
||||
name.name = buf;
|
||||
name.len = outarg.namelen;
|
||||
err = fuse_copy_one(cs, buf, outarg.namelen + 1);
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
From: "jhbird.choi@samsung.com" <jhbird.choi@samsung.com>
|
||||
Date: Thu, 21 Jul 2011 15:29:14 +0900
|
||||
Subject: genirq: Fix wrong bit operation
|
||||
|
||||
From: "jhbird.choi@samsung.com" <jhbird.choi@samsung.com>
|
||||
|
||||
commit 1dd75f91ae713049eb6baaa640078f3a6549e522 upstream.
|
||||
|
||||
(!msk & 0x01) should be !(msk & 0x01)
|
||||
|
||||
Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
|
||||
Link: http://lkml.kernel.org/r/1311229754-6003-1-git-send-email-jhbird.choi@samsung.com
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
kernel/irq/generic-chip.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/kernel/irq/generic-chip.c
|
||||
+++ b/kernel/irq/generic-chip.c
|
||||
@@ -246,7 +246,7 @@ void irq_setup_generic_chip(struct irq_c
|
||||
gc->mask_cache = irq_reg_readl(gc->reg_base + ct->regs.mask);
|
||||
|
||||
for (i = gc->irq_base; msk; msk >>= 1, i++) {
|
||||
- if (!msk & 0x01)
|
||||
+ if (!(msk & 0x01))
|
||||
continue;
|
||||
|
||||
if (flags & IRQ_GC_INIT_NESTED_LOCK)
|
||||
@@ -301,7 +301,7 @@ void irq_remove_generic_chip(struct irq_
|
||||
raw_spin_unlock(&gc_lock);
|
||||
|
||||
for (; msk; msk >>= 1, i++) {
|
||||
- if (!msk & 0x01)
|
||||
+ if (!(msk & 0x01))
|
||||
continue;
|
||||
|
||||
/* Remove handler first. That will mask the irq line */
|
||||
38
debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
vendored
Normal file
38
debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
vendored
Normal file
|
|
@ -0,0 +1,38 @@
|
|||
From: "H. Peter Anvin" <hpa@linux.intel.com>
|
||||
Date: Mon, 22 Aug 2011 13:27:06 -0700
|
||||
Subject: x86-32, vdso: On system call restart after SYSENTER, use int $0x80
|
||||
|
||||
From: "H. Peter Anvin" <hpa@linux.intel.com>
|
||||
|
||||
commit 7ca0758cdb7c241cb4e0490a8d95f0eb5b861daf upstream.
|
||||
|
||||
When we enter a 32-bit system call via SYSENTER or SYSCALL, we shuffle
|
||||
the arguments to match the int $0x80 calling convention. This was
|
||||
probably a design mistake, but it's what it is now. This causes
|
||||
errors if the system call as to be restarted.
|
||||
|
||||
For SYSENTER, we have to invoke the instruction from the vdso as the
|
||||
return address is hardcoded. Accordingly, we can simply replace the
|
||||
jump in the vdso with an int $0x80 instruction and use the slower
|
||||
entry point for a post-restart.
|
||||
|
||||
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Link: http://lkml.kernel.org/r/CA%2B55aFztZ=r5wa0x26KJQxvZOaQq8s2v3u50wCyJcA-Sc4g8gQ@mail.gmail.com
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
arch/x86/vdso/vdso32/sysenter.S | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/arch/x86/vdso/vdso32/sysenter.S
|
||||
+++ b/arch/x86/vdso/vdso32/sysenter.S
|
||||
@@ -43,7 +43,7 @@ __kernel_vsyscall:
|
||||
.space 7,0x90
|
||||
|
||||
/* 14: System call restart point is here! (SYSENTER_RETURN-2) */
|
||||
- jmp .Lenter_kernel
|
||||
+ int $0x80
|
||||
/* 16: System call normal return point is here! */
|
||||
VDSO32_SYSENTER_RETURN: /* Symbol used by sysenter.c via vdso32-syms.h */
|
||||
pop %ebp
|
||||
|
|
@ -1,4 +1,9 @@
|
|||
- bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
|
||||
+ bugfix/all/stable/3.0.3.patch
|
||||
+ bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
|
||||
+ bugfix/all/genirq-fix-wrong-bit-operation.patch
|
||||
+ bugfix/all/befs-validate-length-of-long-symbolic-links.patch
|
||||
+ bugfix/all/cifs-possible-memory-corruption-on-mount.patch
|
||||
+ bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
|
||||
+ bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
|
||||
+ bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue