appletalk: Fix bugs introduced when removing use of BKL
svn path=/dists/sid/linux-2.6/; revision=17184
parent
35d9533be5
commit
5b32347921
|
@ -3,6 +3,7 @@ linux-2.6 (2.6.38-3) UNRELEASED; urgency=low
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* [ppc64] Add to linux-tools package architectures (Closes: #620124)
|
* [ppc64] Add to linux-tools package architectures (Closes: #620124)
|
||||||
* [amd64] Save cr4 to mmu_cr4_features at boot time (Closes: #620284)
|
* [amd64] Save cr4 to mmu_cr4_features at boot time (Closes: #620284)
|
||||||
|
* appletalk: Fix bugs introduced when removing use of BKL
|
||||||
|
|
||||||
[ Aurelien Jarno ]
|
[ Aurelien Jarno ]
|
||||||
* rtlwifi: fix build when PCI is not enabled.
|
* rtlwifi: fix build when PCI is not enabled.
|
||||||
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
From: David S. Miller <davem@davemloft.net>
|
||||||
|
Date: Thu, 31 Mar 2011 18:59:10 -0700
|
||||||
|
Subject: [PATCH 3/3] appletalk: Fix OOPS in atalk_release().
|
||||||
|
|
||||||
|
commit c100c8f4c3c6f2a407bdbaaad2c4f1062e6a473a upstream.
|
||||||
|
|
||||||
|
Commit 60d9f461a20ba59219fdcdc30cbf8e3a4ad3f625 ("appletalk: remove
|
||||||
|
the BKL") added a dereference of "sk" before checking for NULL in
|
||||||
|
atalk_release().
|
||||||
|
|
||||||
|
Guard the code block completely, rather than partially, with the
|
||||||
|
NULL check.
|
||||||
|
|
||||||
|
Reported-by: Dave Jones <davej@redhat.com>
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
---
|
||||||
|
net/appletalk/ddp.c | 11 ++++++-----
|
||||||
|
1 files changed, 6 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
|
||||||
|
index 206e771..956a530 100644
|
||||||
|
--- a/net/appletalk/ddp.c
|
||||||
|
+++ b/net/appletalk/ddp.c
|
||||||
|
@@ -1051,16 +1051,17 @@ static int atalk_release(struct socket *sock)
|
||||||
|
{
|
||||||
|
struct sock *sk = sock->sk;
|
||||||
|
|
||||||
|
- sock_hold(sk);
|
||||||
|
- lock_sock(sk);
|
||||||
|
if (sk) {
|
||||||
|
+ sock_hold(sk);
|
||||||
|
+ lock_sock(sk);
|
||||||
|
+
|
||||||
|
sock_orphan(sk);
|
||||||
|
sock->sk = NULL;
|
||||||
|
atalk_destroy_socket(sk);
|
||||||
|
- }
|
||||||
|
- release_sock(sk);
|
||||||
|
- sock_put(sk);
|
||||||
|
|
||||||
|
+ release_sock(sk);
|
||||||
|
+ sock_put(sk);
|
||||||
|
+ }
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
1.7.4.1
|
||||||
|
|
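Review bot: In the new-side body of atalk_release() the `sock_hold(sk)` / `sock_put(sk)` pair has no comment explaining why it is there, and that pair is the only thing keeping `release_sock(sk)` off freed memory after `atalk_destroy_socket(sk)`. I would add above `sock_hold(sk);` a comment such as `/* atalk_destroy_socket() can free sk; hold a reference until the lock is released */`. It is also worth stating that `sock_put(sk)` has to stay after `release_sock(sk)`, since reversing the two would bring back the use-after-free that patch 2/3 describes. This patch is built on the tree left by patch 2/3 (its index line starts at 206e771), so the two entries need to keep their current order in the series file.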
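--- a/debian/patches/bugfix/all/net-appletalk-fix-atalk_release-use-after-free.patch
+++ b/debian/patches/bugfix/all/net-appletalk-fix-atalk_release-use-after-free.patch
@@ -0,0 +1,43 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 21 Mar 2011 18:18:00 -0700
+Subject: [PATCH 2/3] net/appletalk: fix atalk_release use after free
+
+commit b20e7bbfc7a15a4182730f0936433145992b4b06 upstream.
+
+The BKL removal in appletalk introduced a use-after-free problem,
+where atalk_destroy_socket frees a sock, but we still release
+the socket lock on it.
+
+An easy fix is to take an extra reference on the sock and sock_put
+it when returning from atalk_release.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+net/appletalk/ddp.c | 3 +++
+1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 3d4f4b0..206e771 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock)
+{
+struct sock *sk = sock->sk;
+
++ sock_hold(sk);
+lock_sock(sk);
+if (sk) {
+sock_orphan(sk);
+@@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock)
+atalk_destroy_socket(sk);
+}
+release_sock(sk);
++ sock_put(sk);
++
+return 0;
+}
+
+--
+1.7.4.1
+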
|
@ -1,3 +1,5 @@
|
||||||
+ bugfix/all/rtlwifi-Let-rtlwifi-build-when-PCI-is-not-enabled.patch
|
+ bugfix/all/rtlwifi-Let-rtlwifi-build-when-PCI-is-not-enabled.patch
|
||||||
+ bugfix/all/rtlwifi-remove-bogus-udelay-calls.patch
|
+ bugfix/all/rtlwifi-remove-bogus-udelay-calls.patch
|
||||||
+ bugfix/x86/Save-cr4-to-mmu_cr4_features-at-boot-time.patch
|
+ bugfix/x86/Save-cr4-to-mmu_cr4_features-at-boot-time.patch
|
||||||
|
+ bugfix/all/net-appletalk-fix-atalk_release-use-after-free.patch
|
||||||
|
+ bugfix/all/appletalk-Fix-OOPS-in-atalk_release.patch
|
||||||
|
|