Added patch-2.6.13.1
svn path=/dists/trunk/linux-2.6/; revision=4165
This commit is contained in:
parent
307d1215dc
commit
439075e9e2
|
@ -3,7 +3,21 @@ linux-2.6 (2.6.13-1) UNRELEASED; urgency=low
|
|||
[ Bastian Blank ]
|
||||
*
|
||||
|
||||
-- Simon Horman <horms@debian.org> Tue, 30 Aug 2005 19:27:52 +0900
|
||||
[ Frederik Schüler ]
|
||||
* Added class and longclass descriptions for amd64 flavours.
|
||||
* Added patch-2.6.13.1:
|
||||
- raw_sendmsg DoS (CAN-2005-2492)
|
||||
- 32bit sendmsg() flaw (CAN-2005-2490)
|
||||
- Reassembly trim not clearing CHECKSUM_HW
|
||||
- Use SA_SHIRQ in sparc specific code.
|
||||
- Fix boundary check in standard multi-block cipher processors
|
||||
- 2.6.13 breaks libpcap (and tcpdump)
|
||||
- x86: pci_assign_unassigned_resources() update
|
||||
- Fix PCI ROM mapping
|
||||
- aacraid: 2.6.13 aacraid bad BUG_ON fix
|
||||
- Kconfig: saa7134-dvb must select tda1004x
|
||||
|
||||
-- Frederik Schüler <fschueler@gmx.net> Sat, 10 Sep 2005 18:12:13 +0200
|
||||
|
||||
linux-2.6 (2.6.12-7) UNRELEASED; urgency=low
|
||||
|
||||
|
|
|
@ -0,0 +1,422 @@
|
|||
diff --git a/arch/i386/pci/common.c b/arch/i386/pci/common.c
|
||||
--- a/arch/i386/pci/common.c
|
||||
+++ b/arch/i386/pci/common.c
|
||||
@@ -165,7 +165,6 @@ static int __init pcibios_init(void)
|
||||
if ((pci_probe & PCI_BIOS_SORT) && !(pci_probe & PCI_NO_SORT))
|
||||
pcibios_sort();
|
||||
#endif
|
||||
- pci_assign_unassigned_resources();
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/arch/i386/pci/i386.c b/arch/i386/pci/i386.c
|
||||
--- a/arch/i386/pci/i386.c
|
||||
+++ b/arch/i386/pci/i386.c
|
||||
@@ -170,43 +170,26 @@ static void __init pcibios_allocate_reso
|
||||
static int __init pcibios_assign_resources(void)
|
||||
{
|
||||
struct pci_dev *dev = NULL;
|
||||
- int idx;
|
||||
- struct resource *r;
|
||||
+ struct resource *r, *pr;
|
||||
|
||||
- for_each_pci_dev(dev) {
|
||||
- int class = dev->class >> 8;
|
||||
-
|
||||
- /* Don't touch classless devices and host bridges */
|
||||
- if (!class || class == PCI_CLASS_BRIDGE_HOST)
|
||||
- continue;
|
||||
-
|
||||
- for(idx=0; idx<6; idx++) {
|
||||
- r = &dev->resource[idx];
|
||||
-
|
||||
- /*
|
||||
- * Don't touch IDE controllers and I/O ports of video cards!
|
||||
- */
|
||||
- if ((class == PCI_CLASS_STORAGE_IDE && idx < 4) ||
|
||||
- (class == PCI_CLASS_DISPLAY_VGA && (r->flags & IORESOURCE_IO)))
|
||||
- continue;
|
||||
-
|
||||
- /*
|
||||
- * We shall assign a new address to this resource, either because
|
||||
- * the BIOS forgot to do so or because we have decided the old
|
||||
- * address was unusable for some reason.
|
||||
- */
|
||||
- if (!r->start && r->end)
|
||||
- pci_assign_resource(dev, idx);
|
||||
- }
|
||||
-
|
||||
- if (pci_probe & PCI_ASSIGN_ROMS) {
|
||||
+ if (!(pci_probe & PCI_ASSIGN_ROMS)) {
|
||||
+ /* Try to use BIOS settings for ROMs, otherwise let
|
||||
+ pci_assign_unassigned_resources() allocate the new
|
||||
+ addresses. */
|
||||
+ for_each_pci_dev(dev) {
|
||||
r = &dev->resource[PCI_ROM_RESOURCE];
|
||||
- r->end -= r->start;
|
||||
- r->start = 0;
|
||||
- if (r->end)
|
||||
- pci_assign_resource(dev, PCI_ROM_RESOURCE);
|
||||
+ if (!r->flags || !r->start)
|
||||
+ continue;
|
||||
+ pr = pci_find_parent_resource(dev, r);
|
||||
+ if (!pr || request_resource(pr, r) < 0) {
|
||||
+ r->end -= r->start;
|
||||
+ r->start = 0;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
+
|
||||
+ pci_assign_unassigned_resources();
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/crypto/cipher.c b/crypto/cipher.c
|
||||
--- a/crypto/cipher.c
|
||||
+++ b/crypto/cipher.c
|
||||
@@ -191,6 +191,8 @@ static unsigned int cbc_process_encrypt(
|
||||
u8 *iv = desc->info;
|
||||
unsigned int done = 0;
|
||||
|
||||
+ nbytes -= bsize;
|
||||
+
|
||||
do {
|
||||
xor(iv, src);
|
||||
fn(crypto_tfm_ctx(tfm), dst, iv);
|
||||
@@ -198,7 +200,7 @@ static unsigned int cbc_process_encrypt(
|
||||
|
||||
src += bsize;
|
||||
dst += bsize;
|
||||
- } while ((done += bsize) < nbytes);
|
||||
+ } while ((done += bsize) <= nbytes);
|
||||
|
||||
return done;
|
||||
}
|
||||
@@ -219,6 +221,8 @@ static unsigned int cbc_process_decrypt(
|
||||
u8 *iv = desc->info;
|
||||
unsigned int done = 0;
|
||||
|
||||
+ nbytes -= bsize;
|
||||
+
|
||||
do {
|
||||
u8 *tmp_dst = *dst_p;
|
||||
|
||||
@@ -230,7 +234,7 @@ static unsigned int cbc_process_decrypt(
|
||||
|
||||
src += bsize;
|
||||
dst += bsize;
|
||||
- } while ((done += bsize) < nbytes);
|
||||
+ } while ((done += bsize) <= nbytes);
|
||||
|
||||
return done;
|
||||
}
|
||||
@@ -243,12 +247,14 @@ static unsigned int ecb_process(const st
|
||||
void (*fn)(void *, u8 *, const u8 *) = desc->crfn;
|
||||
unsigned int done = 0;
|
||||
|
||||
+ nbytes -= bsize;
|
||||
+
|
||||
do {
|
||||
fn(crypto_tfm_ctx(tfm), dst, src);
|
||||
|
||||
src += bsize;
|
||||
dst += bsize;
|
||||
- } while ((done += bsize) < nbytes);
|
||||
+ } while ((done += bsize) <= nbytes);
|
||||
|
||||
return done;
|
||||
}
|
||||
diff --git a/drivers/char/rtc.c b/drivers/char/rtc.c
|
||||
--- a/drivers/char/rtc.c
|
||||
+++ b/drivers/char/rtc.c
|
||||
@@ -938,10 +938,9 @@ found:
|
||||
|
||||
/*
|
||||
* XXX Interrupt pin #7 in Espresso is shared between RTC and
|
||||
- * PCI Slot 2 INTA# (and some INTx# in Slot 1). SA_INTERRUPT here
|
||||
- * is asking for trouble with add-on boards. Change to SA_SHIRQ.
|
||||
+ * PCI Slot 2 INTA# (and some INTx# in Slot 1).
|
||||
*/
|
||||
- if (request_irq(rtc_irq, rtc_interrupt, SA_INTERRUPT, "rtc", (void *)&rtc_port)) {
|
||||
+ if (request_irq(rtc_irq, rtc_interrupt, SA_SHIRQ, "rtc", (void *)&rtc_port)) {
|
||||
/*
|
||||
* Standard way for sparc to print irq's is to use
|
||||
* __irq_itoa(). I think for EBus it's ok to use %d.
|
||||
diff --git a/drivers/media/video/Kconfig b/drivers/media/video/Kconfig
|
||||
--- a/drivers/media/video/Kconfig
|
||||
+++ b/drivers/media/video/Kconfig
|
||||
@@ -254,6 +254,7 @@ config VIDEO_SAA7134_DVB
|
||||
select VIDEO_BUF_DVB
|
||||
select DVB_MT352
|
||||
select DVB_CX22702
|
||||
+ select DVB_TDA1004X
|
||||
---help---
|
||||
This adds support for DVB cards based on the
|
||||
Philips saa7134 chip.
|
||||
diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
|
||||
--- a/drivers/pci/rom.c
|
||||
+++ b/drivers/pci/rom.c
|
||||
@@ -21,13 +21,21 @@
|
||||
* between the ROM and other resources, so enabling it may disable access
|
||||
* to MMIO registers or other card memory.
|
||||
*/
|
||||
-static void pci_enable_rom(struct pci_dev *pdev)
|
||||
+static int pci_enable_rom(struct pci_dev *pdev)
|
||||
{
|
||||
+ struct resource *res = pdev->resource + PCI_ROM_RESOURCE;
|
||||
+ struct pci_bus_region region;
|
||||
u32 rom_addr;
|
||||
|
||||
+ if (!res->flags)
|
||||
+ return -1;
|
||||
+
|
||||
+ pcibios_resource_to_bus(pdev, ®ion, res);
|
||||
pci_read_config_dword(pdev, pdev->rom_base_reg, &rom_addr);
|
||||
- rom_addr |= PCI_ROM_ADDRESS_ENABLE;
|
||||
+ rom_addr &= ~PCI_ROM_ADDRESS_MASK;
|
||||
+ rom_addr |= region.start | PCI_ROM_ADDRESS_ENABLE;
|
||||
pci_write_config_dword(pdev, pdev->rom_base_reg, rom_addr);
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -71,19 +79,21 @@ void __iomem *pci_map_rom(struct pci_dev
|
||||
} else {
|
||||
if (res->flags & IORESOURCE_ROM_COPY) {
|
||||
*size = pci_resource_len(pdev, PCI_ROM_RESOURCE);
|
||||
- return (void __iomem *)pci_resource_start(pdev, PCI_ROM_RESOURCE);
|
||||
+ return (void __iomem *)pci_resource_start(pdev,
|
||||
+ PCI_ROM_RESOURCE);
|
||||
} else {
|
||||
/* assign the ROM an address if it doesn't have one */
|
||||
- if (res->parent == NULL)
|
||||
- pci_assign_resource(pdev, PCI_ROM_RESOURCE);
|
||||
-
|
||||
+ if (res->parent == NULL &&
|
||||
+ pci_assign_resource(pdev,PCI_ROM_RESOURCE))
|
||||
+ return NULL;
|
||||
start = pci_resource_start(pdev, PCI_ROM_RESOURCE);
|
||||
*size = pci_resource_len(pdev, PCI_ROM_RESOURCE);
|
||||
if (*size == 0)
|
||||
return NULL;
|
||||
|
||||
/* Enable ROM space decodes */
|
||||
- pci_enable_rom(pdev);
|
||||
+ if (pci_enable_rom(pdev))
|
||||
+ return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
|
||||
--- a/drivers/pci/setup-bus.c
|
||||
+++ b/drivers/pci/setup-bus.c
|
||||
@@ -40,7 +40,7 @@
|
||||
* FIXME: IO should be max 256 bytes. However, since we may
|
||||
* have a P2P bridge below a cardbus bridge, we need 4K.
|
||||
*/
|
||||
-#define CARDBUS_IO_SIZE (256)
|
||||
+#define CARDBUS_IO_SIZE (4*1024)
|
||||
#define CARDBUS_MEM_SIZE (32*1024*1024)
|
||||
|
||||
static void __devinit
|
||||
diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
|
||||
--- a/drivers/scsi/aacraid/aachba.c
|
||||
+++ b/drivers/scsi/aacraid/aachba.c
|
||||
@@ -968,7 +968,7 @@ static int aac_read(struct scsi_cmnd * s
|
||||
fibsize = sizeof(struct aac_read64) +
|
||||
((le32_to_cpu(readcmd->sg.count) - 1) *
|
||||
sizeof (struct sgentry64));
|
||||
- BUG_ON (fibsize > (sizeof(struct hw_fib) -
|
||||
+ BUG_ON (fibsize > (dev->max_fib_size -
|
||||
sizeof(struct aac_fibhdr)));
|
||||
/*
|
||||
* Now send the Fib to the adapter
|
||||
diff --git a/include/net/compat.h b/include/net/compat.h
|
||||
--- a/include/net/compat.h
|
||||
+++ b/include/net/compat.h
|
||||
@@ -33,7 +33,8 @@ extern asmlinkage long compat_sys_sendms
|
||||
extern asmlinkage long compat_sys_recvmsg(int,struct compat_msghdr __user *,unsigned);
|
||||
extern asmlinkage long compat_sys_getsockopt(int, int, int, char __user *, int __user *);
|
||||
extern int put_cmsg_compat(struct msghdr*, int, int, int, void *);
|
||||
-extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, unsigned char *,
|
||||
- int);
|
||||
+
|
||||
+struct sock;
|
||||
+extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, struct sock *, unsigned char *, int);
|
||||
|
||||
#endif /* NET_COMPAT_H */
|
||||
diff --git a/net/compat.c b/net/compat.c
|
||||
--- a/net/compat.c
|
||||
+++ b/net/compat.c
|
||||
@@ -135,13 +135,14 @@ static inline struct compat_cmsghdr __us
|
||||
* thus placement) of cmsg headers and length are different for
|
||||
* 32-bit apps. -DaveM
|
||||
*/
|
||||
-int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg,
|
||||
+int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
|
||||
unsigned char *stackbuf, int stackbuf_size)
|
||||
{
|
||||
struct compat_cmsghdr __user *ucmsg;
|
||||
struct cmsghdr *kcmsg, *kcmsg_base;
|
||||
compat_size_t ucmlen;
|
||||
__kernel_size_t kcmlen, tmp;
|
||||
+ int err = -EFAULT;
|
||||
|
||||
kcmlen = 0;
|
||||
kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
|
||||
@@ -156,6 +157,7 @@ int cmsghdr_from_user_compat_to_kern(str
|
||||
|
||||
tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
|
||||
CMSG_ALIGN(sizeof(struct cmsghdr)));
|
||||
+ tmp = CMSG_ALIGN(tmp);
|
||||
kcmlen += tmp;
|
||||
ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
|
||||
}
|
||||
@@ -167,30 +169,34 @@ int cmsghdr_from_user_compat_to_kern(str
|
||||
* until we have successfully copied over all of the data
|
||||
* from the user.
|
||||
*/
|
||||
- if(kcmlen > stackbuf_size)
|
||||
- kcmsg_base = kcmsg = kmalloc(kcmlen, GFP_KERNEL);
|
||||
- if(kcmsg == NULL)
|
||||
+ if (kcmlen > stackbuf_size)
|
||||
+ kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL);
|
||||
+ if (kcmsg == NULL)
|
||||
return -ENOBUFS;
|
||||
|
||||
/* Now copy them over neatly. */
|
||||
memset(kcmsg, 0, kcmlen);
|
||||
ucmsg = CMSG_COMPAT_FIRSTHDR(kmsg);
|
||||
while(ucmsg != NULL) {
|
||||
- __get_user(ucmlen, &ucmsg->cmsg_len);
|
||||
+ if (__get_user(ucmlen, &ucmsg->cmsg_len))
|
||||
+ goto Efault;
|
||||
+ if (!CMSG_COMPAT_OK(ucmlen, ucmsg, kmsg))
|
||||
+ goto Einval;
|
||||
tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
|
||||
CMSG_ALIGN(sizeof(struct cmsghdr)));
|
||||
+ if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
|
||||
+ goto Einval;
|
||||
kcmsg->cmsg_len = tmp;
|
||||
- __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
|
||||
- __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
|
||||
-
|
||||
- /* Copy over the data. */
|
||||
- if(copy_from_user(CMSG_DATA(kcmsg),
|
||||
- CMSG_COMPAT_DATA(ucmsg),
|
||||
- (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
|
||||
- goto out_free_efault;
|
||||
+ tmp = CMSG_ALIGN(tmp);
|
||||
+ if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
|
||||
+ __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
|
||||
+ copy_from_user(CMSG_DATA(kcmsg),
|
||||
+ CMSG_COMPAT_DATA(ucmsg),
|
||||
+ (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
|
||||
+ goto Efault;
|
||||
|
||||
/* Advance. */
|
||||
- kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
|
||||
+ kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
|
||||
ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
|
||||
}
|
||||
|
||||
@@ -199,10 +205,12 @@ int cmsghdr_from_user_compat_to_kern(str
|
||||
kmsg->msg_controllen = kcmlen;
|
||||
return 0;
|
||||
|
||||
-out_free_efault:
|
||||
- if(kcmsg_base != (struct cmsghdr *)stackbuf)
|
||||
- kfree(kcmsg_base);
|
||||
- return -EFAULT;
|
||||
+Einval:
|
||||
+ err = -EINVAL;
|
||||
+Efault:
|
||||
+ if (kcmsg_base != (struct cmsghdr *)stackbuf)
|
||||
+ sock_kfree_s(sk, kcmsg_base, kcmlen);
|
||||
+ return err;
|
||||
}
|
||||
|
||||
int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
|
||||
diff --git a/net/core/filter.c b/net/core/filter.c
|
||||
--- a/net/core/filter.c
|
||||
+++ b/net/core/filter.c
|
||||
@@ -182,7 +182,7 @@ int sk_run_filter(struct sk_buff *skb, s
|
||||
A = ntohl(*(u32 *)ptr);
|
||||
continue;
|
||||
}
|
||||
- return 0;
|
||||
+ break;
|
||||
case BPF_LD|BPF_H|BPF_ABS:
|
||||
k = fentry->k;
|
||||
load_h:
|
||||
@@ -191,7 +191,7 @@ int sk_run_filter(struct sk_buff *skb, s
|
||||
A = ntohs(*(u16 *)ptr);
|
||||
continue;
|
||||
}
|
||||
- return 0;
|
||||
+ break;
|
||||
case BPF_LD|BPF_B|BPF_ABS:
|
||||
k = fentry->k;
|
||||
load_b:
|
||||
@@ -200,7 +200,7 @@ load_b:
|
||||
A = *(u8 *)ptr;
|
||||
continue;
|
||||
}
|
||||
- return 0;
|
||||
+ break;
|
||||
case BPF_LD|BPF_W|BPF_LEN:
|
||||
A = skb->len;
|
||||
continue;
|
||||
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
|
||||
--- a/net/ipv4/ip_fragment.c
|
||||
+++ b/net/ipv4/ip_fragment.c
|
||||
@@ -457,7 +457,7 @@ static void ip_frag_queue(struct ipq *qp
|
||||
|
||||
if (pskb_pull(skb, ihl) == NULL)
|
||||
goto err;
|
||||
- if (pskb_trim(skb, end-offset))
|
||||
+ if (pskb_trim_rcsum(skb, end-offset))
|
||||
goto err;
|
||||
|
||||
/* Find out which fragments are in front and at the back of us
|
||||
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
|
||||
--- a/net/ipv4/raw.c
|
||||
+++ b/net/ipv4/raw.c
|
||||
@@ -358,7 +358,7 @@ static void raw_probe_proto_opt(struct f
|
||||
|
||||
if (type && code) {
|
||||
get_user(fl->fl_icmp_type, type);
|
||||
- __get_user(fl->fl_icmp_code, code);
|
||||
+ get_user(fl->fl_icmp_code, code);
|
||||
probed = 1;
|
||||
}
|
||||
break;
|
||||
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
|
||||
--- a/net/ipv6/raw.c
|
||||
+++ b/net/ipv6/raw.c
|
||||
@@ -619,7 +619,7 @@ static void rawv6_probe_proto_opt(struct
|
||||
|
||||
if (type && code) {
|
||||
get_user(fl->fl_icmp_type, type);
|
||||
- __get_user(fl->fl_icmp_code, code);
|
||||
+ get_user(fl->fl_icmp_code, code);
|
||||
probed = 1;
|
||||
}
|
||||
break;
|
||||
diff --git a/net/socket.c b/net/socket.c
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -1739,10 +1739,11 @@ asmlinkage long sys_sendmsg(int fd, stru
|
||||
goto out_freeiov;
|
||||
ctl_len = msg_sys.msg_controllen;
|
||||
if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
|
||||
- err = cmsghdr_from_user_compat_to_kern(&msg_sys, ctl, sizeof(ctl));
|
||||
+ err = cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl, sizeof(ctl));
|
||||
if (err)
|
||||
goto out_freeiov;
|
||||
ctl_buf = msg_sys.msg_control;
|
||||
+ ctl_len = msg_sys.msg_controllen;
|
||||
} else if (ctl_len) {
|
||||
if (ctl_len > sizeof(ctl))
|
||||
{
|
|
@ -20,3 +20,4 @@
|
|||
+ remove-references-to-removed-drivers.patch
|
||||
+ sparc64-hme-lockup.patch
|
||||
+ tty-locking-fixes9.patch
|
||||
+ patch-2.6.13.1
|
||||
|
|
Loading…
Reference in New Issue