diff --git a/debian/changelog b/debian/changelog
index 67ef4af21..b46696cb8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ linux-2.6 (2.6.38-3) UNRELEASED; urgency=low
 [ Ben Hutchings ]
 * [ppc64] Add to linux-tools package architectures (Closes: #620124)
 * [amd64] Save cr4 to mmu_cr4_features at boot time (Closes: #620284)
+ * appletalk: Fix bugs introduced when removing use of BKL
 
 [ Aurelien Jarno ]
 * rtlwifi: fix build when PCI is not enabled.
diff --git a/debian/patches/bugfix/all/appletalk-Fix-OOPS-in-atalk_release.patch b/debian/patches/bugfix/all/appletalk-Fix-OOPS-in-atalk_release.patch
new file mode 100644
index 000000000..2d8b76c99
--- /dev/null
+++ b/debian/patches/bugfix/all/appletalk-Fix-OOPS-in-atalk_release.patch
@@ -0,0 +1,49 @@
+From: David S. Miller
+Date: Thu, 31 Mar 2011 18:59:10 -0700
+Subject: [PATCH 3/3] appletalk: Fix OOPS in atalk_release().
+
+commit c100c8f4c3c6f2a407bdbaaad2c4f1062e6a473a upstream.
+
+Commit 60d9f461a20ba59219fdcdc30cbf8e3a4ad3f625 ("appletalk: remove
+the BKL") added a dereference of "sk" before checking for NULL in
+atalk_release().
+
+Guard the code block completely, rather than partially, with the
+NULL check.
+
+Reported-by: Dave Jones
+Signed-off-by: David S. Miller
+---
+ net/appletalk/ddp.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 206e771..956a530 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1051,16 +1051,17 @@ static int atalk_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+ 
+- sock_hold(sk);
+- lock_sock(sk);
+ if (sk) {
++ sock_hold(sk);
++ lock_sock(sk);
++
+ sock_orphan(sk);
+ sock->sk = NULL;
+ atalk_destroy_socket(sk);
+- }
+- release_sock(sk);
+- sock_put(sk);
+ 
++ release_sock(sk);
++ sock_put(sk);
++ }
+ return 0;
+ }
+ 
+-- 
+1.7.4.1
+ 
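Review bot: The hunk in appletalk-Fix-OOPS-in-atalk_release.patch only applies on top of the other new patch: it deletes the `sock_hold(sk);` / `lock_sock(sk);` lines that net-appletalk-fix-atalk_release-use-after-free.patch inserts ahead of the `if (sk)` test, so the order given in debian/patches/series/3 is load-bearing and the use-after-free patch must stay listed first. With only the first patch applied the tree dereferences `sk` in `sock_hold()` before the NULL check, which is exactly the OOPS the second patch removes, so neither patch should be cherry-picked without the other. The resulting `atalk_release()` takes the extra reference inside the NULL-guarded block and drops it after `release_sock()`, so `atalk_destroy_socket()` can no longer free the sock while its lock is still held.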
diff --git a/debian/patches/bugfix/all/net-appletalk-fix-atalk_release-use-after-free.patch b/debian/patches/bugfix/all/net-appletalk-fix-atalk_release-use-after-free.patch
new file mode 100644
index 000000000..78b75562d
--- /dev/null
+++ b/debian/patches/bugfix/all/net-appletalk-fix-atalk_release-use-after-free.patch
@@ -0,0 +1,43 @@
+From: Arnd Bergmann
+Date: Mon, 21 Mar 2011 18:18:00 -0700
+Subject: [PATCH 2/3] net/appletalk: fix atalk_release use after free
+
+commit b20e7bbfc7a15a4182730f0936433145992b4b06 upstream.
+
+The BKL removal in appletalk introduced a use-after-free problem,
+where atalk_destroy_socket frees a sock, but we still release
+the socket lock on it.
+
+An easy fix is to take an extra reference on the sock and sock_put
+it when returning from atalk_release.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: David S. Miller
+---
+ net/appletalk/ddp.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 3d4f4b0..206e771 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+ 
++ sock_hold(sk);
+ lock_sock(sk);
+ if (sk) {
+ sock_orphan(sk);
+@@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock)
+ atalk_destroy_socket(sk);
+ }
+ release_sock(sk);
++ sock_put(sk);
++
+ return 0;
+ }
+ 
+-- 
+1.7.4.1
+ 
diff --git a/debian/patches/series/3 b/debian/patches/series/3
index c7e913c66..82c08801a 100644
--- a/debian/patches/series/3
+++ b/debian/patches/series/3
@@ -1,3 +1,5 @@
 + bugfix/all/rtlwifi-Let-rtlwifi-build-when-PCI-is-not-enabled.patch
 + bugfix/all/rtlwifi-remove-bogus-udelay-calls.patch
 + bugfix/x86/Save-cr4-to-mmu_cr4_features-at-boot-time.patch
++ bugfix/all/net-appletalk-fix-atalk_release-use-after-free.patch
++ bugfix/all/appletalk-Fix-OOPS-in-atalk_release.patch