From 439075e9e2458dbdc9d50be5cc0f3feb72374caa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Frederik=20Sch=C3=BCler?=
Date: Sat, 10 Sep 2005 17:36:08 +0000
Subject: [PATCH] Added patch-2.6.13.1
svn path=/dists/trunk/linux-2.6/; revision=4165
---
 debian/changelog | 16 +-
 debian/patches-debian/patch-2.6.13.1 | 422 ++++++++++++++++++++++++++
 debian/patches-debian/series/2.6.13-1 | 1 +
 3 files changed, 438 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches-debian/patch-2.6.13.1
diff --git a/debian/changelog b/debian/changelog
index cbbb42023..c071081bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,7 +3,21 @@ linux-2.6 (2.6.13-1) UNRELEASED; urgency=low
 [ Bastian Blank ]
 *
- -- Simon Horman Tue, 30 Aug 2005 19:27:52 +0900
+ [ Frederik Schüler ]
+ * Added class and longclass descriptions for amd64 flavours.
+ * Added patch-2.6.13.1:
+ - raw_sendmsg DoS (CAN-2005-2492)
+ - 32bit sendmsg() flaw (CAN-2005-2490)
+ - Reassembly trim not clearing CHECKSUM_HW
+ - Use SA_SHIRQ in sparc specific code.
+ - Fix boundary check in standard multi-block cipher processors
+ - 2.6.13 breaks libpcap (and tcpdump)
+ - x86: pci_assign_unassigned_resources() update
+ - Fix PCI ROM mapping
+ - aacraid: 2.6.13 aacraid bad BUG_ON fix
+ - Kconfig: saa7134-dvb must select tda1004x
+
+ -- Frederik Schüler Sat, 10 Sep 2005 18:12:13 +0200
 linux-2.6 (2.6.12-7) UNRELEASED; urgency=low
diff --git a/debian/patches-debian/patch-2.6.13.1 b/debian/patches-debian/patch-2.6.13.1
new file mode 100644
index 000000000..0a467d1d8
--- /dev/null
+++ b/debian/patches-debian/patch-2.6.13.1
@@ -0,0 +1,422 @@
+diff --git a/arch/i386/pci/common.c b/arch/i386/pci/common.c
+--- a/arch/i386/pci/common.c
++++ b/arch/i386/pci/common.c
+@@ -165,7 +165,6 @@ static int __init pcibios_init(void)
+ if ((pci_probe & PCI_BIOS_SORT) && !(pci_probe & PCI_NO_SORT))
+ pcibios_sort();
+ #endif
+- pci_assign_unassigned_resources();
+ return 0;
+ }
+
+diff --git a/arch/i386/pci/i386.c b/arch/i386/pci/i386.c
+--- a/arch/i386/pci/i386.c
++++ b/arch/i386/pci/i386.c
+@@ -170,43 +170,26 @@ static void __init pcibios_allocate_reso
+ static int __init pcibios_assign_resources(void)
+ {
+ struct pci_dev *dev = NULL;
+- int idx;
+- struct resource *r;
++ struct resource *r, *pr;
+
+- for_each_pci_dev(dev) {
+- int class = dev->class >> 8;
+-
+- /* Don't touch classless devices and host bridges */
+- if (!class || class == PCI_CLASS_BRIDGE_HOST)
+- continue;
+-
+- for(idx=0; idx<6; idx++) {
+- r = &dev->resource[idx];
+-
+- /*
+- * Don't touch IDE controllers and I/O ports of video cards!
+- */
+- if ((class == PCI_CLASS_STORAGE_IDE && idx < 4) ||
+- (class == PCI_CLASS_DISPLAY_VGA && (r->flags & IORESOURCE_IO)))
+- continue;
+-
+- /*
+- * We shall assign a new address to this resource, either because
+- * the BIOS forgot to do so or because we have decided the old
+- * address was unusable for some reason.
+- */
+- if (!r->start && r->end)
+- pci_assign_resource(dev, idx);
+- }
+-
+- if (pci_probe & PCI_ASSIGN_ROMS) {
++ if (!(pci_probe & PCI_ASSIGN_ROMS)) {
++ /* Try to use BIOS settings for ROMs, otherwise let
++ pci_assign_unassigned_resources() allocate the new
++ addresses. */
+for_each_pci_dev(dev) {
+ r = &dev->resource[PCI_ROM_RESOURCE];
+- r->end -= r->start;
+- r->start = 0;
+- if (r->end)
+- pci_assign_resource(dev, PCI_ROM_RESOURCE);
++ if (!r->flags || !r->start)
++ continue;
++ pr = pci_find_parent_resource(dev, r);
++ if (!pr || request_resource(pr, r) < 0) {
++ r->end -= r->start;
++ r->start = 0;
++ }
+ }
+ }
++
++ pci_assign_unassigned_resources();
++
+ return 0;
+ }
+
+diff --git a/crypto/cipher.c b/crypto/cipher.c
+--- a/crypto/cipher.c
++++ b/crypto/cipher.c
+@@ -191,6 +191,8 @@ static unsigned int cbc_process_encrypt(
+ u8 *iv = desc->info;
+ unsigned int done = 0;
+
++ nbytes -= bsize;
++
+ do {
+ xor(iv, src);
+ fn(crypto_tfm_ctx(tfm), dst, iv);
+@@ -198,7 +200,7 @@ static unsigned int cbc_process_encrypt(
+
+ src += bsize;
+ dst += bsize;
+- } while ((done += bsize) < nbytes);
++ } while ((done += bsize) <= nbytes);
+
+ return done;
+ }
+@@ -219,6 +221,8 @@ static unsigned int cbc_process_decrypt(
+ u8 *iv = desc->info;
+ unsigned int done = 0;
+
++ nbytes -= bsize;
++
+ do {
+ u8 *tmp_dst = *dst_p;
+
+@@ -230,7 +234,7 @@ static unsigned int cbc_process_decrypt(
+
+ src += bsize;
+ dst += bsize;
+- } while ((done += bsize) < nbytes);
++ } while ((done += bsize) <= nbytes);
+
+ return done;
+ }
+@@ -243,12 +247,14 @@ static unsigned int ecb_process(const st
+ void (*fn)(void *, u8 *, const u8 *) = desc->crfn;
+ unsigned int done = 0;
+
++ nbytes -= bsize;
++
+ do {
+ fn(crypto_tfm_ctx(tfm), dst, src);
+
+ src += bsize;
+ dst += bsize;
+- } while ((done += bsize) < nbytes);
++ } while ((done += bsize) <= nbytes);
+
+ return done;
+ }
+diff --git a/drivers/char/rtc.c b/drivers/char/rtc.c
+--- a/drivers/char/rtc.c
++++ b/drivers/char/rtc.c
+@@ -938,10 +938,9 @@ found:
+
+ /*
+ * XXX Interrupt pin #7 in Espresso is shared between RTC and
+- * PCI Slot 2 INTA# (and some INTx# in Slot 1). SA_INTERRUPT here
+- * is asking for trouble with add-on boards. Change to SA_SHIRQ.
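Review bot: In crypto/cipher.c the added `nbytes -= bsize;` in cbc_process_encrypt wraps to a very large value whenever nbytes is smaller than bsize, assuming nbytes is unsigned like the `unsigned int done` declared beside it (its declaration is outside the hunk). Combined with the new `<=` loop test, the do/while would then keep advancing src and dst well beyond one block instead of stopping. The same two-line pattern is added to cbc_process_decrypt and ecb_process. If every caller guarantees at least one full block, record that next to the subtraction, e.g. `/* callers pass nbytes >= bsize; the subtraction must not wrap */`; if that cannot be guaranteed, a guard such as `if (nbytes < bsize) return 0;` before the subtraction is needed, though that changes the old process-one-block behaviour and should be checked against the callers. All three function bodies start and end outside their hunks.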
++ * PCI Slot 2 INTA# (and some INTx# in Slot 1).
+ */
+- if (request_irq(rtc_irq, rtc_interrupt, SA_INTERRUPT, "rtc", (void *)&rtc_port)) {
++ if (request_irq(rtc_irq, rtc_interrupt, SA_SHIRQ, "rtc", (void *)&rtc_port)) {
+ /*
+ * Standard way for sparc to print irq's is to use
+ * __irq_itoa(). I think for EBus it's ok to use %d.
+diff --git a/drivers/media/video/Kconfig b/drivers/media/video/Kconfig
+--- a/drivers/media/video/Kconfig
++++ b/drivers/media/video/Kconfig
+@@ -254,6 +254,7 @@ config VIDEO_SAA7134_DVB
+ select VIDEO_BUF_DVB
+ select DVB_MT352
+ select DVB_CX22702
++ select DVB_TDA1004X
+ ---help---
+ This adds support for DVB cards based on the
+ Philips saa7134 chip.
+diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
+--- a/drivers/pci/rom.c
++++ b/drivers/pci/rom.c
+@@ -21,13 +21,21 @@
+ * between the ROM and other resources, so enabling it may disable access
+ * to MMIO registers or other card memory.
+ */
+-static void pci_enable_rom(struct pci_dev *pdev)
++static int pci_enable_rom(struct pci_dev *pdev)
+ {
++ struct resource *res = pdev->resource + PCI_ROM_RESOURCE;
++ struct pci_bus_region region;
+ u32 rom_addr;
+
++ if (!res->flags)
++ return -1;
++
++ pcibios_resource_to_bus(pdev, ®ion, res);
+ pci_read_config_dword(pdev, pdev->rom_base_reg, &rom_addr);
+- rom_addr |= PCI_ROM_ADDRESS_ENABLE;
++ rom_addr &= ~PCI_ROM_ADDRESS_MASK;
++ rom_addr |= region.start | PCI_ROM_ADDRESS_ENABLE;
+ pci_write_config_dword(pdev, pdev->rom_base_reg, rom_addr);
++ return 0;
+ }
+
+ /**
+@@ -71,19 +79,21 @@ void __iomem *pci_map_rom(struct pci_dev
+ } else {
+ if (res->flags & IORESOURCE_ROM_COPY) {
+ *size = pci_resource_len(pdev, PCI_ROM_RESOURCE);
+- return (void __iomem *)pci_resource_start(pdev, PCI_ROM_RESOURCE);
++ return (void __iomem *)pci_resource_start(pdev,
++ PCI_ROM_RESOURCE);
+ } else {
+ /* assign the ROM an address if it doesn't have one */
+- if (res->parent == NULL)
+- pci_assign_resource(pdev, PCI_ROM_RESOURCE);
+-
++ if (res->parent == NULL &&
++ pci_assign_resource(pdev,PCI_ROM_RESOURCE))
++ return NULL;
+ start = pci_resource_start(pdev, PCI_ROM_RESOURCE);
+ *size = pci_resource_len(pdev, PCI_ROM_RESOURCE);
+ if (*size == 0)
+ return NULL;
+
+ /* Enable ROM space decodes */
+- pci_enable_rom(pdev);
++ if (pci_enable_rom(pdev))
++ return NULL;
+ }
+ }
+
+diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -40,7 +40,7 @@
+ * FIXME: IO should be max 256 bytes. However, since we may
+ * have a P2P bridge below a cardbus bridge, we need 4K.
+ */
+-#define CARDBUS_IO_SIZE (256)
++#define CARDBUS_IO_SIZE (4*1024)
+ #define CARDBUS_MEM_SIZE (32*1024*1024)
+
+ static void __devinit
+diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
+--- a/drivers/scsi/aacraid/aachba.c
++++ b/drivers/scsi/aacraid/aachba.c
+@@ -968,7 +968,7 @@ static int aac_read(struct scsi_cmnd * s
+ fibsize = sizeof(struct aac_read64) +
+ ((le32_to_cpu(readcmd->sg.count) - 1) *
+ sizeof (struct sgentry64));
+- BUG_ON (fibsize > (sizeof(struct hw_fib) -
++ BUG_ON (fibsize > (dev->max_fib_size -
+ sizeof(struct aac_fibhdr)));
+ /*
+ * Now send the Fib to the adapter
+diff --git a/include/net/compat.h b/include/net/compat.h
+--- a/include/net/compat.h
++++ b/include/net/compat.h
+@@ -33,7 +33,8 @@ extern asmlinkage long compat_sys_sendms
+ extern asmlinkage long compat_sys_recvmsg(int,struct compat_msghdr __user *,unsigned);
+ extern asmlinkage long compat_sys_getsockopt(int, int, int, char __user *, int __user *);
+ extern int put_cmsg_compat(struct msghdr*, int, int, int, void *);
+-extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, unsigned char *,
+- int);
++
++struct sock;
++extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, struct sock *, unsigned char *, int);
+
+ #endif /* NET_COMPAT_H */
+diff --git a/net/compat.c b/net/compat.c
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -135,13 +135,14 @@ static inline struct compat_cmsghdr __us
+ * thus placement) of cmsg headers and length are different for
+ * 32-bit apps. -DaveM
+ */
+-int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg,
++int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
+ unsigned char *stackbuf, int stackbuf_size)
+ {
+ struct compat_cmsghdr __user *ucmsg;
+ struct cmsghdr *kcmsg, *kcmsg_base;
+ compat_size_t ucmlen;
+ __kernel_size_t kcmlen, tmp;
++ int err = -EFAULT;
+
+ kcmlen = 0;
+ kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
+@@ -156,6 +157,7 @@ int cmsghdr_from_user_compat_to_kern(str
+
+ tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+ CMSG_ALIGN(sizeof(struct cmsghdr)));
++ tmp = CMSG_ALIGN(tmp);
+ kcmlen += tmp;
+ ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+ }
+@@ -167,30 +169,34 @@ int cmsghdr_from_user_compat_to_kern(str
+ * until we have successfully copied over all of the data
+ * from the user.
+ */
+- if(kcmlen > stackbuf_size)
+- kcmsg_base = kcmsg = kmalloc(kcmlen, GFP_KERNEL);
+- if(kcmsg == NULL)
++ if (kcmlen > stackbuf_size)
++ kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL);
++ if (kcmsg == NULL)
+ return -ENOBUFS;
+
+ /* Now copy them over neatly. */
+ memset(kcmsg, 0, kcmlen);
+ ucmsg = CMSG_COMPAT_FIRSTHDR(kmsg);
+ while(ucmsg != NULL) {
+- __get_user(ucmlen, &ucmsg->cmsg_len);
++ if (__get_user(ucmlen, &ucmsg->cmsg_len))
++ goto Efault;
++ if (!CMSG_COMPAT_OK(ucmlen, ucmsg, kmsg))
++ goto Einval;
+ tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+ CMSG_ALIGN(sizeof(struct cmsghdr)));
++ if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
++ goto Einval;
+ kcmsg->cmsg_len = tmp;
+- __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
+- __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
+-
+- /* Copy over the data. */
+- if(copy_from_user(CMSG_DATA(kcmsg),
+- CMSG_COMPAT_DATA(ucmsg),
+- (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
+- goto out_free_efault;
++ tmp = CMSG_ALIGN(tmp);
++ if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
++ __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
++ copy_from_user(CMSG_DATA(kcmsg),
++ CMSG_COMPAT_DATA(ucmsg),
++ (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
++ goto Efault;
+
+ /* Advance. */
+- kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
++ kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
+ ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+ }
+
+@@ -199,10 +205,12 @@ int cmsghdr_from_user_compat_to_kern(str
+ kmsg->msg_controllen = kcmlen;
+ return 0;
+
+-out_free_efault:
+- if(kcmsg_base != (struct cmsghdr *)stackbuf)
+- kfree(kcmsg_base);
+- return -EFAULT;
++Einval:
++ err = -EINVAL;
++Efault:
++ if (kcmsg_base != (struct cmsghdr *)stackbuf)
++ sock_kfree_s(sk, kcmsg_base, kcmlen);
++ return err;
+ }
+
+ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
+diff --git a/net/core/filter.c b/net/core/filter.c
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -182,7 +182,7 @@ int sk_run_filter(struct sk_buff *skb, s
+ A = ntohl(*(u32 *)ptr);
+ continue;
+ }
+- return 0;
++ break;
+ case BPF_LD|BPF_H|BPF_ABS:
+ k = fentry->k;
+ load_h:
+@@ -191,7 +191,7 @@ int sk_run_filter(struct sk_buff *skb, s
+ A = ntohs(*(u16 *)ptr);
+ continue;
+ }
+- return 0;
++ break;
+ case BPF_LD|BPF_B|BPF_ABS:
+ k = fentry->k;
+ load_b:
+@@ -200,7 +200,7 @@ load_b:
+ A = *(u8 *)ptr;
+ continue;
+ }
+- return 0;
++ break;
+ case BPF_LD|BPF_W|BPF_LEN:
+ A = skb->len;
+ continue;
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -457,7 +457,7 @@ static void ip_frag_queue(struct ipq *qp
+
+ if (pskb_pull(skb, ihl) == NULL)
+ goto err;
+- if (pskb_trim(skb, end-offset))
++ if (pskb_trim_rcsum(skb, end-offset))
+ goto err;
+
+ /*
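Review bot: The copy loop of cmsghdr_from_user_compat_to_kern (net/compat.c, hunk at -167) reads `ucmsg->cmsg_len` from user memory a second time, after the sizing loop has already summed kcmlen and the buffer has been allocated, and nothing in the new code says that this re-read is why the `(char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp)` test exists. Without a comment the test looks redundant with the first pass and is an easy target for a later cleanup. A line above it such as `/* cmsg_len is re-read from user space and may have changed since kcmlen was summed; never write past kcmlen */` would document the invariant. The sizing loop starts outside the hunks shown, so whether it checks its own `__get_user` result cannot be confirmed from here.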
Find out which fragments are in front and at the back of us
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -358,7 +358,7 @@ static void raw_probe_proto_opt(struct f
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -619,7 +619,7 @@ static void rawv6_probe_proto_opt(struct
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
+diff --git a/net/socket.c b/net/socket.c
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1739,10 +1739,11 @@ asmlinkage long sys_sendmsg(int fd, stru
+ goto out_freeiov;
+ ctl_len = msg_sys.msg_controllen;
+ if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
+- err = cmsghdr_from_user_compat_to_kern(&msg_sys, ctl, sizeof(ctl));
++ err = cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl, sizeof(ctl));
+ if (err)
+ goto out_freeiov;
+ ctl_buf = msg_sys.msg_control;
++ ctl_len = msg_sys.msg_controllen;
+ } else if (ctl_len) {
+ if (ctl_len > sizeof(ctl))
+ {
diff --git a/debian/patches-debian/series/2.6.13-1 b/debian/patches-debian/series/2.6.13-1
index 7bb6fea65..bc6473274 100644
--- a/debian/patches-debian/series/2.6.13-1
+++ b/debian/patches-debian/series/2.6.13-1
@@ -20,3 +20,4 @@
 + remove-references-to-removed-drivers.patch
 + sparc64-hme-lockup.patch
 + tty-locking-fixes9.patch
++ patch-2.6.13.1
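Review bot: In raw_probe_proto_opt (net/ipv4/raw.c) the results of both `get_user()` calls are still discarded, so a faulting user pointer still reaches `probed = 1;` with whatever the failed read left in fl_icmp_type and fl_icmp_code. Replacing `__get_user` with `get_user` adds the address-range check on the second pointer but no error handling. Because the function is declared `static void`, reporting the fault would mean returning an int and having the caller fail the send, e.g. `if (get_user(fl->fl_icmp_type, type) || get_user(fl->fl_icmp_code, code)) return -EFAULT;`. rawv6_probe_proto_opt in net/ipv6/raw.c carries the same pattern; both function bodies extend beyond their hunks, so the callers are not visible here.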
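Review bot: The added `ctl_len = msg_sys.msg_controllen;` in sys_sendmsg (net/socket.c) has no comment saying why ctl_len is assigned a second time a few lines after its first assignment. The net/compat.c hunks in this same patch show cmsghdr_from_user_compat_to_kern storing kcmlen into `kmsg->msg_controllen` and allocating with `sock_kmalloc(sk, kcmlen, ...)`, so the converted block can differ in size from the user-supplied length. A comment such as `/* conversion rewrote msg_controllen to the kernel-layout size; keep ctl_len in step */` would make that dependency explicit. The cleanup code that presumably consumes ctl_len lies outside the hunk.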