diff --git a/debian/changelog b/debian/changelog
index f17c9e511..7a5e380bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -44,6 +44,9 @@ linux (3.2.23-1) UNRELEASED; urgency=low
 * [x86] hwmon: Enable SENSORS_SCH5636 as module (Closes: #680934)
 * atl1c: fix issue of transmit queue 0 timed out
 * raid5: delayed stripe fix (Closes: #680366)
+ * fs: Remove easily user-triggerable BUG from generic_setlease
+ * tcp: drop SYN+FIN messages
+ * fifo: Do not restart open() if it already found a partner (Closes: #678852) [ Arnaud Patard ]
 * [mipsel] add r8169 to d-i udeb.
diff --git a/debian/patches/bugfix/all/fifo-do-not-restart-open-if-it-already-found-a-partner.patch b/debian/patches/bugfix/all/fifo-do-not-restart-open-if-it-already-found-a-partner.patch
new file mode 100644
index 000000000..8b280cd2d
--- /dev/null
+++ b/debian/patches/bugfix/all/fifo-do-not-restart-open-if-it-already-found-a-partner.patch
@@ -0,0 +1,110 @@
+From: Anders Kaseorg
+Date: Sun, 15 Jul 2012 17:14:25 -0400
+Subject: fifo: Do not restart open() if it already found a partner
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 05d290d66be6ef77a0b962ebecf01911bd984a78 upstream.
+
+If a parent and child process open the two ends of a fifo, and the
+child immediately exits, the parent may receive a SIGCHLD before its
+open() returns. In that case, we need to make sure that open() will
+return successfully after the SIGCHLD handler returns, instead of
+throwing EINTR or being restarted. Otherwise, the restarted open()
+would incorrectly wait for a second partner on the other end.
+
+The following test demonstrates the EINTR that was wrongly thrown from
+the parent’s open(). Change .sa_flags = 0 to .sa_flags = SA_RESTART
+to see a deadlock instead, in which the restarted open() waits for a
+second reader that will never come. (On my systems, this happens
+pretty reliably within about 5 to 500 iterations. Others report that
+it manages to loop ~forever sometimes; YMMV.)
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #define CHECK(x) do if ((x) == -1) {perror(#x); abort();} while(0)
+
+ void handler(int signum) {}
+
+ int main()
+ {
+ struct sigaction act = {.sa_handler = handler, .sa_flags = 0};
+ CHECK(sigaction(SIGCHLD, &act, NULL));
+ CHECK(mknod("fifo", S_IFIFO | S_IRWXU, 0));
+ for (;;) {
+ int fd;
+ pid_t pid;
+ putc('.', stderr);
+ CHECK(pid = fork());
+ if (pid == 0) {
+ CHECK(fd = open("fifo", O_RDONLY));
+ _exit(0);
+ }
+ CHECK(fd = open("fifo", O_WRONLY));
+ CHECK(close(fd));
+ CHECK(waitpid(pid, NULL, 0));
+ }
+ }
+
+This is what I suspect was causing the Git test suite to fail in
+t9010-svn-fe.sh:
+
+ http://bugs.debian.org/678852
+
+Signed-off-by: Anders Kaseorg
+Reviewed-by: Jonathan Nieder
+Signed-off-by: Linus Torvalds
+Signed-off-by: Ben Hutchings
+---
+ fs/fifo.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/fifo.c b/fs/fifo.c
+index b1a524d..cf6f434 100644
+--- a/fs/fifo.c
++++ b/fs/fifo.c
+@@ -14,7 +14,7 @@
+ #include
+ #include
+
+-static void wait_for_partner(struct inode* inode, unsigned int *cnt)
++static int wait_for_partner(struct inode* inode, unsigned int *cnt)
+ {
+ int cur = *cnt;
+
+@@ -23,6 +23,7 @@ static void wait_for_partner(struct inode* inode, unsigned int *cnt)
+ if (signal_pending(current))
+ break;
+ }
++ return cur == *cnt ?
-ERESTARTSYS : 0;
+ }
+
+ static void wake_up_partner(struct inode* inode)
+@@ -67,8 +68,7 @@ static int fifo_open(struct inode *inode, struct file *filp)
+ * seen a writer */
+ filp->f_version = pipe->w_counter;
+ } else {
+- wait_for_partner(inode, &pipe->w_counter);
+- if(signal_pending(current))
++ if (wait_for_partner(inode, &pipe->w_counter))
+ goto err_rd;
+ }
+ }
+@@ -90,8 +90,7 @@ static int fifo_open(struct inode *inode, struct file *filp)
+ wake_up_partner(inode);
+
+ if (!pipe->readers) {
+- wait_for_partner(inode, &pipe->r_counter);
+- if (signal_pending(current))
++ if (wait_for_partner(inode, &pipe->r_counter))
+ goto err_wr;
+ }
+ break;
diff --git a/debian/patches/bugfix/all/remove-easily-user-triggerable-bug-from-generic_setlease.patch b/debian/patches/bugfix/all/remove-easily-user-triggerable-bug-from-generic_setlease.patch
new file mode 100644
index 000000000..f77cb8e75
--- /dev/null
+++ b/debian/patches/bugfix/all/remove-easily-user-triggerable-bug-from-generic_setlease.patch
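Review bot: The error code wait_for_partner() now returns is collapsed back to a boolean at both call sites (`if (wait_for_partner(inode, &pipe->w_counter)) goto err_rd;` and the matching `goto err_wr`), so the -ERESTARTSYS it produces never reaches fifo_open()'s return path; the err_rd/err_wr labels are outside the hunk, so presumably they set the return value themselves, but it is worth confirming that the code behind them still reports -ERESTARTSYS and not a stale value. The new return contract is also undocumented, and the subtle case is exactly the one the fix targets: a signal that arrives after a partner has already shown up now yields 0 and a successful open. I would put a comment above wait_for_partner() such as `/* Returns 0 once a partner has arrived (even if a signal is also pending), -ERESTARTSYS if the wait was interrupted with no partner. */`. Both fifo_open() hunks start and end outside this view.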
@@ -0,0 +1,37 @@
+From: Dave Jones
+Date: Fri, 13 Jul 2012 13:35:36 -0400
+Subject: Remove easily user-triggerable BUG from generic_setlease
+
+commit 8d657eb3b43861064d36241e88d9d61c709f33f0 upstream.
+
+This can be trivially triggered from userspace by passing in something unexpected.
+
+ kernel BUG at fs/locks.c:1468!
+ invalid opcode: 0000 [#1] SMP
+ RIP: 0010:generic_setlease+0xc2/0x100
+ Call Trace:
+ __vfs_setlease+0x35/0x40
+ fcntl_setlease+0x76/0x150
+ sys_fcntl+0x1c6/0x810
+ system_call_fastpath+0x1a/0x1f
+
+Signed-off-by: Dave Jones
+Signed-off-by: Linus Torvalds
+Signed-off-by: Ben Hutchings
+---
+ fs/locks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/locks.c b/fs/locks.c
+index 814c51d..fce6238 100644
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -1465,7 +1465,7 @@ int generic_setlease(struct file *filp, long arg, struct file_lock **flp)
+ case F_WRLCK:
+ return generic_add_lease(filp, arg, flp);
+ default:
+- BUG();
++ return -EINVAL;
+ }
+ }
+ EXPORT_SYMBOL(generic_setlease);
diff --git a/debian/patches/bugfix/all/tcp-drop-syn-fin-messages.patch b/debian/patches/bugfix/all/tcp-drop-syn-fin-messages.patch
new file mode 100644
index 000000000..4c2444140
--- /dev/null
+++ b/debian/patches/bugfix/all/tcp-drop-syn-fin-messages.patch
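Review bot: The new `return -EINVAL;` in the default arm carries no comment saying why an unexpected `arg` is an error rather than an impossible state, and the reason matters: the call trace in the description (sys_fcntl → fcntl_setlease → __vfs_setlease → generic_setlease) shows `arg` comes straight from the fcntl() argument, so the old BUG() appears to have been a local crash reachable by an ordinary process that can set a lease on a file. I would write `default: /* arg is user-supplied via fcntl(F_SETLEASE); reject it, never BUG */` above the return so the next person does not reintroduce the assertion. Whether rejecting the value earlier in fcntl_setlease(), before any locks are taken, would be cleaner cannot be judged from this hunk, and callers outside this view that never expected an error from the default path should be checked. The changelog entry could also state that this fixes an unprivileged local denial of service so the security impact is on record.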
@@ -0,0 +1,32 @@
+From: Eric Dumazet
+Date: Fri, 2 Dec 2011 23:41:42 +0000
+Subject: tcp: drop SYN+FIN messages
+
+commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa upstream.
+
+Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
+linux machines to their limits.
+
+Dont call conn_request() if the TCP flags includes SYN flag
+
+Reported-by: Denys Fedoryshchenko
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Ben Hutchings
+---
+ net/ipv4/tcp_input.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 78dd38c..0cbb440 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5811,6 +5811,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ goto discard;
+
+ if (th->syn) {
++ if (th->fin)
++ goto discard;
+ if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
+ return 1;
+
diff --git a/debian/patches/series b/debian/patches/series
index 93454001d..987d668d7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -379,8 +379,12 @@ features/all/fermi-accel/drm-nouveau-inform-userspace-of-relaxed-kernel-subch.pa
 features/all/fermi-accel/drm-nouveau-oops-increase-channel-dispc_vma-to-4.patch
 features/all/fermi-accel/drm-nvd0-disp-ignore-clock-set-if-no-pclk.patch
 features/all/fermi-accel/drm-nouveau-bump-version-to-1.0.0.patch
+ bugfix/all/net-e100-ucode-is-optional-in-some-cases.patch
 bugfix/x86/drm-i915-prefer-wide-slow-to-fast-narrow-in-DP-confi.patch
 bugfix/all/cipso-don-t-follow-a-NULL-pointer-when-setsockopt-is.patch
 bugfix/all/atl1c-fix-issue-of-transmit-queue-0-timed-out.patch
 bugfix/all/raid5-delayed-stripe-fix.patch
+bugfix/all/remove-easily-user-triggerable-bug-from-generic_setlease.patch
+bugfix/all/tcp-drop-syn-fin-messages.patch
+bugfix/all/fifo-do-not-restart-open-if-it-already-found-a-partner.patch
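Review bot: The new `if (th->fin) goto discard;` drops the segment silently: nothing in the hunk accounts for the drop, so a SYN+FIN flood of the kind the description reports leaves no trace in the TCP statistics, which makes the attack hard for operators to notice. If the 3.2 tree has a suitable drop counter, bumping it before the goto would be worth considering; failing that, a comment such as `/* SYN+FIN is never valid; drop it before conn_request() does any work (reported as a DoS vector) */` should at least explain why the check has to precede conn_request(). Because the check sits in front of the icsk_af_ops->conn_request() indirection it should cover both address families, though that cannot be confirmed from this hunk alone. tcp_rcv_state_process() starts and ends outside the hunk.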