Cherry-pick some important fixes from 3.0.4-rc1
svn path=/dists/sid/linux-2.6/; revision=18021
parent
c0dedf4876
commit
3783ddfc79
|
@ -11,7 +11,12 @@ linux-2.6 (3.0.0-3) UNRELEASED; urgency=low
|
||||||
SNAT/masquerading is not done)
|
SNAT/masquerading is not done)
|
||||||
* Remove net device features from bug reports (Closes: #638956)
|
* Remove net device features from bug reports (Closes: #638956)
|
||||||
* [mips,mipsel] Ignore nfs ABI changes made in 3.0.0-2; fixes FTBFS
|
* [mips,mipsel] Ignore nfs ABI changes made in 3.0.0-2; fixes FTBFS
|
||||||
|
* genirq: Fix wrong bit operation
|
||||||
|
* befs: Validate length of long symbolic links (CVE-2011-2928)
|
||||||
* CIFS: Fix memory corruption on mount (Closes: #635344)
|
* CIFS: Fix memory corruption on mount (Closes: #635344)
|
||||||
|
* x86-32, vdso: On system call restart after SYSENTER, use int $0x80
|
||||||
|
* drm/ttm: fix ttm_bo_add_ttm(user) failure path
|
||||||
|
* fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Sun, 21 Aug 2011 16:18:29 +0100
|
-- Ben Hutchings <ben@decadent.org.uk> Sun, 21 Aug 2011 16:18:29 +0100
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
From: Timo Warns <Warns@pre-sense.de>
|
||||||
|
Date: Wed, 17 Aug 2011 17:59:56 +0200
|
||||||
|
Subject: befs: Validate length of long symbolic links.
|
||||||
|
|
||||||
|
From: Timo Warns <Warns@pre-sense.de>
|
||||||
|
|
||||||
|
commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 upstream.
|
||||||
|
|
||||||
|
Signed-off-by: Timo Warns <warns@pre-sense.de>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||||
|
|
||||||
|
---
|
||||||
|
fs/befs/linuxvfs.c | 23 ++++++++++++++---------
|
||||||
|
1 file changed, 14 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
--- a/fs/befs/linuxvfs.c
|
||||||
|
+++ b/fs/befs/linuxvfs.c
|
||||||
|
@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry,
|
||||||
|
befs_data_stream *data = &befs_ino->i_data.ds;
|
||||||
|
befs_off_t len = data->size;
|
||||||
|
|
||||||
|
- befs_debug(sb, "Follow long symlink");
|
||||||
|
-
|
||||||
|
- link = kmalloc(len, GFP_NOFS);
|
||||||
|
- if (!link) {
|
||||||
|
- link = ERR_PTR(-ENOMEM);
|
||||||
|
- } else if (befs_read_lsymlink(sb, data, link, len) != len) {
|
||||||
|
- kfree(link);
|
||||||
|
- befs_error(sb, "Failed to read entire long symlink");
|
||||||
|
+ if (len == 0) {
|
||||||
|
+ befs_error(sb, "Long symlink with illegal length");
|
||||||
|
link = ERR_PTR(-EIO);
|
||||||
|
} else {
|
||||||
|
- link[len - 1] = '\0';
|
||||||
|
+ befs_debug(sb, "Follow long symlink");
|
||||||
|
+
|
||||||
|
+ link = kmalloc(len, GFP_NOFS);
|
||||||
|
+ if (!link) {
|
||||||
|
+ link = ERR_PTR(-ENOMEM);
|
||||||
|
+ } else if (befs_read_lsymlink(sb, data, link, len) != len) {
|
||||||
|
+ kfree(link);
|
||||||
|
+ befs_error(sb, "Failed to read entire long symlink");
|
||||||
|
+ link = ERR_PTR(-EIO);
|
||||||
|
+ } else {
|
||||||
|
+ link[len - 1] = '\0';
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
link = befs_ino->i_data.symlink;
|
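Review bot: `len` comes from the on-disk `data->size` and the new `if (len == 0)` branch of befs_follow_link rejects only zero, so any other value stored in the image still reaches `kmalloc(len, GFP_NOFS)` and `befs_read_lsymlink()`. An upper bound belongs in the same check, for example `if (len == 0 || len > PATH_MAX) {`, which keeps the allocation within what a symlink target can legitimately be. If `befs_off_t` is wider than `size_t` on 32-bit builds (not visible here, so worth confirming), the bound also prevents the allocation size from being truncated while the read still uses the full `len`. The body of befs_follow_link starts and ends outside the hunk.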
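--- a/debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
+++ b/debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
@@ -0,0 +1,34 @@
+From: Marcin Slusarz <marcin.slusarz@gmail.com>
+Date: Mon, 22 Aug 2011 21:17:57 +0000
+Subject: drm/ttm: fix ttm_bo_add_ttm(user) failure path
+
+From: Marcin Slusarz <marcin.slusarz@gmail.com>
+
+commit 7c4c3960dff109bc5db4c35da481c212dadb5eb5 upstream.
+
+ttm_tt_destroy kfrees passed object, so we need to nullify
+a reference to it.
+
+Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+drivers/gpu/drm/ttm/ttm_bo.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -353,8 +353,10 @@ static int ttm_bo_add_ttm(struct ttm_buf
+
+ret = ttm_tt_set_user(bo->ttm, current,
+bo->buffer_start, bo->num_pages);
+- if (unlikely(ret != 0))
++ if (unlikely(ret != 0)) {
+ttm_tt_destroy(bo->ttm);
++ bo->ttm = NULL;
++ }
+break;
+default:
+printk(KERN_ERR TTM_PFX "Illegal buffer object type\n");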
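--- a/debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
+++ b/debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
@@ -0,0 +1,33 @@
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Wed, 24 Aug 2011 10:20:17 +0200
+Subject: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae upstream.
+
+FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
+message processing could overrun and result in a "kernel BUG at
+fs/fuse/dev.c:629!"
+
+Reported-by: Han-Wen Nienhuys <hanwenn@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+fs/fuse/dev.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struc
+if (outarg.namelen > FUSE_NAME_MAX)
+goto err;
+
++ err = -EINVAL;
++ if (size != sizeof(outarg) + outarg.namelen + 1)
++ goto err;
++
+name.name = buf;
+name.len = outarg.namelen;
+err = fuse_copy_one(cs, buf, outarg.namelen + 1);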
|
@ -0,0 +1,39 @@
|
||||||
|
From: "jhbird.choi@samsung.com" <jhbird.choi@samsung.com>
|
||||||
|
Date: Thu, 21 Jul 2011 15:29:14 +0900
|
||||||
|
Subject: genirq: Fix wrong bit operation
|
||||||
|
|
||||||
|
From: "jhbird.choi@samsung.com" <jhbird.choi@samsung.com>
|
||||||
|
|
||||||
|
commit 1dd75f91ae713049eb6baaa640078f3a6549e522 upstream.
|
||||||
|
|
||||||
|
(!msk & 0x01) should be !(msk & 0x01)
|
||||||
|
|
||||||
|
Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
|
||||||
|
Link: http://lkml.kernel.org/r/1311229754-6003-1-git-send-email-jhbird.choi@samsung.com
|
||||||
|
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||||
|
|
||||||
|
---
|
||||||
|
kernel/irq/generic-chip.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
--- a/kernel/irq/generic-chip.c
|
||||||
|
+++ b/kernel/irq/generic-chip.c
|
||||||
|
@@ -246,7 +246,7 @@ void irq_setup_generic_chip(struct irq_c
|
||||||
|
gc->mask_cache = irq_reg_readl(gc->reg_base + ct->regs.mask);
|
||||||
|
|
||||||
|
for (i = gc->irq_base; msk; msk >>= 1, i++) {
|
||||||
|
- if (!msk & 0x01)
|
||||||
|
+ if (!(msk & 0x01))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (flags & IRQ_GC_INIT_NESTED_LOCK)
|
||||||
|
@@ -301,7 +301,7 @@ void irq_remove_generic_chip(struct irq_
|
||||||
|
raw_spin_unlock(&gc_lock);
|
||||||
|
|
||||||
|
for (; msk; msk >>= 1, i++) {
|
||||||
|
- if (!msk & 0x01)
|
||||||
|
+ if (!(msk & 0x01))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
/* Remove handler first. That will mask the irq line */
|
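--- a/debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
+++ b/debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
@@ -0,0 +1,38 @@
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+Date: Mon, 22 Aug 2011 13:27:06 -0700
+Subject: x86-32, vdso: On system call restart after SYSENTER, use int $0x80
+
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+
+commit 7ca0758cdb7c241cb4e0490a8d95f0eb5b861daf upstream.
+
+When we enter a 32-bit system call via SYSENTER or SYSCALL, we shuffle
+the arguments to match the int $0x80 calling convention. This was
+probably a design mistake, but it's what it is now. This causes
+errors if the system call as to be restarted.
+
+For SYSENTER, we have to invoke the instruction from the vdso as the
+return address is hardcoded. Accordingly, we can simply replace the
+jump in the vdso with an int $0x80 instruction and use the slower
+entry point for a post-restart.
+
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Link: http://lkml.kernel.org/r/CA%2B55aFztZ=r5wa0x26KJQxvZOaQq8s2v3u50wCyJcA-Sc4g8gQ@mail.gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+arch/x86/vdso/vdso32/sysenter.S | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/vdso/vdso32/sysenter.S
++++ b/arch/x86/vdso/vdso32/sysenter.S
+@@ -43,7 +43,7 @@ __kernel_vsyscall:
+.space 7,0x90
+
+/* 14: System call restart point is here! (SYSENTER_RETURN-2) */
+- jmp .Lenter_kernel
++ int $0x80
+/* 16: System call normal return point is here! */
+VDSO32_SYSENTER_RETURN: /* Symbol used by sysenter.c via vdso32-syms.h */
+pop %ebp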
|
@ -1,4 +1,9 @@
|
||||||
- bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
|
- bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
|
||||||
+ bugfix/all/stable/3.0.3.patch
|
+ bugfix/all/stable/3.0.3.patch
|
||||||
+ bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
|
+ bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
|
||||||
|
+ bugfix/all/genirq-fix-wrong-bit-operation.patch
|
||||||
|
+ bugfix/all/befs-validate-length-of-long-symbolic-links.patch
|
||||||
+ bugfix/all/cifs-possible-memory-corruption-on-mount.patch
|
+ bugfix/all/cifs-possible-memory-corruption-on-mount.patch
|
||||||
|
+ bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
|
||||||
|
+ bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
|
||||||
|
+ bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
|
||||||
|
|