Add more fixes currently in the patch queue for 3.2.24

svn path=/dists/sid/linux/; revision=19277

debian/changelog

@@ -44,6 +44,9 @@ linux (3.2.23-1) UNRELEASED; urgency=low
   * [x86] hwmon: Enable SENSORS_SCH5636 as module (Closes: #680934)
   * atl1c: fix issue of transmit queue 0 timed out
   * raid5: delayed stripe fix (Closes: #680366)
+  * fs: Remove easily user-triggerable BUG from generic_setlease
+  * tcp: drop SYN+FIN messages
+  * fifo: Do not restart open() if it already found a partner (Closes: #678852)
 
   [ Arnaud Patard ]
   * [mipsel] add r8169 to d-i udeb.

debian/patches/bugfix/all/fifo-do-not-restart-open-if-it-already-found-a-partner.patch

@@ -0,0 +1,110 @@
+From: Anders Kaseorg <andersk@MIT.EDU>
+Date: Sun, 15 Jul 2012 17:14:25 -0400
+Subject: fifo: Do not restart open() if it already found a partner
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 05d290d66be6ef77a0b962ebecf01911bd984a78 upstream.
+
+If a parent and child process open the two ends of a fifo, and the
+child immediately exits, the parent may receive a SIGCHLD before its
+open() returns.  In that case, we need to make sure that open() will
+return successfully after the SIGCHLD handler returns, instead of
+throwing EINTR or being restarted.  Otherwise, the restarted open()
+would incorrectly wait for a second partner on the other end.
+
+The following test demonstrates the EINTR that was wrongly thrown from
+the parent’s open().  Change .sa_flags = 0 to .sa_flags = SA_RESTART
+to see a deadlock instead, in which the restarted open() waits for a
+second reader that will never come.  (On my systems, this happens
+pretty reliably within about 5 to 500 iterations.  Others report that
+it manages to loop ~forever sometimes; YMMV.)
+
+  #include <sys/stat.h>
+  #include <sys/types.h>
+  #include <sys/wait.h>
+  #include <fcntl.h>
+  #include <signal.h>
+  #include <stdio.h>
+  #include <stdlib.h>
+  #include <unistd.h>
+
+  #define CHECK(x) do if ((x) == -1) {perror(#x); abort();} while(0)
+
+  void handler(int signum) {}
+
+  int main()
+  {
+      struct sigaction act = {.sa_handler = handler, .sa_flags = 0};
+      CHECK(sigaction(SIGCHLD, &act, NULL));
+      CHECK(mknod("fifo", S_IFIFO | S_IRWXU, 0));
+      for (;;) {
+          int fd;
+          pid_t pid;
+          putc('.', stderr);
+          CHECK(pid = fork());
+          if (pid == 0) {
+              CHECK(fd = open("fifo", O_RDONLY));
+              _exit(0);
+          }
+          CHECK(fd = open("fifo", O_WRONLY));
+          CHECK(close(fd));
+          CHECK(waitpid(pid, NULL, 0));
+      }
+  }
+
+This is what I suspect was causing the Git test suite to fail in
+t9010-svn-fe.sh:
+
+	http://bugs.debian.org/678852
+
+Signed-off-by: Anders Kaseorg <andersk@mit.edu>
+Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/fifo.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/fifo.c b/fs/fifo.c
+index b1a524d..cf6f434 100644
+--- a/fs/fifo.c
++++ b/fs/fifo.c
+@@ -14,7 +14,7 @@
+ #include <linux/sched.h>
+ #include <linux/pipe_fs_i.h>
+ 
+-static void wait_for_partner(struct inode* inode, unsigned int *cnt)
++static int wait_for_partner(struct inode* inode, unsigned int *cnt)
+ {
+ 	int cur = *cnt;	
+ 
+@@ -23,6 +23,7 @@ static void wait_for_partner(struct inode* inode, unsigned int *cnt)
+ 		if (signal_pending(current))
+ 			break;
+ 	}
++	return cur == *cnt ? -ERESTARTSYS : 0;
+ }
+ 
+ static void wake_up_partner(struct inode* inode)
+@@ -67,8 +68,7 @@ static int fifo_open(struct inode *inode, struct file *filp)
+ 				 * seen a writer */
+ 				filp->f_version = pipe->w_counter;
+ 			} else {
+-				wait_for_partner(inode, &pipe->w_counter);
+-				if(signal_pending(current))
++				if (wait_for_partner(inode, &pipe->w_counter))
+ 					goto err_rd;
+ 			}
+ 		}
+@@ -90,8 +90,7 @@ static int fifo_open(struct inode *inode, struct file *filp)
+ 			wake_up_partner(inode);
+ 
+ 		if (!pipe->readers) {
+-			wait_for_partner(inode, &pipe->r_counter);
+-			if (signal_pending(current))
++			if (wait_for_partner(inode, &pipe->r_counter))
+ 				goto err_wr;
+ 		}
+ 		break;

debian/patches/bugfix/all/remove-easily-user-triggerable-bug-from-generic_setlease.patch

@@ -0,0 +1,37 @@
+From: Dave Jones <davej@redhat.com>
+Date: Fri, 13 Jul 2012 13:35:36 -0400
+Subject: Remove easily user-triggerable BUG from generic_setlease
+
+commit 8d657eb3b43861064d36241e88d9d61c709f33f0 upstream.
+
+This can be trivially triggered from userspace by passing in something unexpected.
+
+    kernel BUG at fs/locks.c:1468!
+    invalid opcode: 0000 [#1] SMP
+    RIP: 0010:generic_setlease+0xc2/0x100
+    Call Trace:
+      __vfs_setlease+0x35/0x40
+      fcntl_setlease+0x76/0x150
+      sys_fcntl+0x1c6/0x810
+      system_call_fastpath+0x1a/0x1f
+
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/locks.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/locks.c b/fs/locks.c
+index 814c51d..fce6238 100644
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -1465,7 +1465,7 @@ int generic_setlease(struct file *filp, long arg, struct file_lock **flp)
+ 	case F_WRLCK:
+ 		return generic_add_lease(filp, arg, flp);
+ 	default:
+-		BUG();
++		return -EINVAL;
+ 	}
+ }
+ EXPORT_SYMBOL(generic_setlease);

debian/patches/bugfix/all/tcp-drop-syn-fin-messages.patch

@@ -0,0 +1,32 @@
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Fri, 2 Dec 2011 23:41:42 +0000
+Subject: tcp: drop SYN+FIN messages
+
+commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa upstream.
+
+Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
+linux machines to their limits.
+
+Dont call conn_request() if the TCP flags includes SYN flag
+
+Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/tcp_input.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 78dd38c..0cbb440 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5811,6 +5811,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ 			goto discard;
+ 
+ 		if (th->syn) {
++			if (th->fin)
++				goto discard;
+ 			if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
+ 				return 1;
+ 

debian/patches/series

@@ -379,8 +379,12 @@ features/all/fermi-accel/drm-nouveau-inform-userspace-of-relaxed-kernel-subch.pa
 features/all/fermi-accel/drm-nouveau-oops-increase-channel-dispc_vma-to-4.patch
 features/all/fermi-accel/drm-nvd0-disp-ignore-clock-set-if-no-pclk.patch
 features/all/fermi-accel/drm-nouveau-bump-version-to-1.0.0.patch
+
 bugfix/all/net-e100-ucode-is-optional-in-some-cases.patch
 bugfix/x86/drm-i915-prefer-wide-slow-to-fast-narrow-in-DP-confi.patch
 bugfix/all/cipso-don-t-follow-a-NULL-pointer-when-setsockopt-is.patch
 bugfix/all/atl1c-fix-issue-of-transmit-queue-0-timed-out.patch
 bugfix/all/raid5-delayed-stripe-fix.patch
+bugfix/all/remove-easily-user-triggerable-bug-from-generic_setlease.patch
+bugfix/all/tcp-drop-syn-fin-messages.patch
+bugfix/all/fifo-do-not-restart-open-if-it-already-found-a-partner.patch