Merge changes from 2.6.38-4

svn path=/dists/trunk/linux-2.6/; revision=17248
2011-04-23 17:39:39 +00:00 · 2011-04-23 17:39:39 +00:00 · 8e39faa55a
parent 93314bd859 b41229dd8f
commit 8e39faa55a
4 changed files with 161 additions and 5 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -11,6 +11,88 @@ linux-2.6 (2.6.39~rc4-1~experimental.1) UNRELEASED; urgency=low

 -- Ben Hutchings <ben@decadent.org.uk>  Wed, 06 Apr 2011 14:02:37 +0100

+linux-2.6 (2.6.38-4) unstable; urgency=low
+
+  * usb-audio: Define another USB ID for a buggy USB MIDI cable
+    (Closes: #617743)
+  * net: Enable BATMAN_ADV as module (Closes: #622361)
+  * Add stable 2.6.38.3, including:
+    - eCryptfs: Unlock page in write_begin error path
+    - irda: validate peer name and attribute lengths (CVE-2011-1180)
+    - irda: prevent heap corruption on invalid nickname
+    - nilfs2: fix data loss in mmap page write for hole blocks
+    - ALSA: pcm: fix infinite loop in snd_pcm_update_hw_ptr0()
+    - inotify: fix double free/corruption of stuct user
+    - perf: Fix task_struct reference leak
+    - ROSE: prevent heap corruption with bad facilities (CVE-2011-1493)
+    - [x86] mtrr, pat: Fix one cpu getting out of sync during resume
+    - Input: synaptics - fix crash in synaptics_module_init()
+    - ath9k: fix a chip wakeup related crash in ath9k_start
+    - mac80211: fix a crash in minstrel_ht in HT mode with no supported MCS
+      rates
+    - UBIFS: fix oops on error path in read_pnode
+    - quota: Don't write quota info in dquot_commit()
+    - mm: avoid wrapping vm_pgoff in mremap()
+    - wl12xx: fix potential buffer overflow in testmode nvs push
+    - Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
+    - bridge: netfilter: fix information leak (CVE-2011-1080)
+    - Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
+    - netfilter: ip_tables: fix infoleak to userspace (CVE-2011-1171)
+    - netfilter: arp_tables: fix infoleak to userspace (CVE-2011-1170)
+    - [x86] Revert "x86: Cleanup highmap after brk is concluded"
+      (Closes: #621072)
+    - Squashfs: handle corruption of directory structure
+    - ext4: fix a double free in ext4_register_li_request
+    - ext4: fix credits computing for indirect mapped files
+    - nfsd: fix auth_domain reference leak on nlm operations
+    - nfsd4: fix oops on lock failure
+    - char/tpm: Fix unitialized usage of data buffer (CVE-2011-1160)
+    - ipv6: netfilter: ip6_tables: fix infoleak to userspace (CVE-2011-1172)
+    - econet: 4 byte infoleak to the network (CVE-2011-1173)
+    - sound/oss: remove offset from load_patch callbacks
+      (CVE-2011-1476, CVE-2011-1477)
+    - inotify: fix double free/corruption of stuct user (CVE-2011-1479)
+    For the complete list of changes, see:
+     http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38.3
+  * Add stable 2.6.38.4, including:
+    - vm: Fix vm_pgoff wrap in stack expansion
+    - cifs: Always do is_path_accessible check in cifs_mount
+    - cifs: Check for private_data before trying to put it
+    - sn9c102: Restrict world-wirtable sysfs files
+    - UBIFS: Restrict world-writable debugfs files
+    - vm: Fix mlock() on stack guard page
+    - UBIFS: Fix assertion warnings
+    - perf: Fix task context scheduling
+    - fib: Add rtnl locking in ip_fib_net_exit
+    - l2tp: Fix possible oops on l2tp_eth module unload
+    - ipv6: Fix duplicate /proc/sys/net/ipv6/neigh directory entries.
+    - net_sched: fix ip_tos2prio
+    - pppoe: drop PPPOX_ZOMBIEs in pppoe_flush_dev
+    - xfrm: Refcount destination entry on xfrm_lookup
+    - vlan: Take into account needed_headroom
+    - bridge: Reset IPCB when entering IP stack on NF_FORWARD
+    - futex: Set FLAGS_HAS_TIMEOUT during futex_wait restart setup
+    - oom-kill: Remove boost_dying_task_prio()
+    - UBIFS: Fix oops when R/O file-system is fsync'ed
+    - sched: Fix erroneous all_pinned logic
+    - vmscan: all_unreclaimable() use zone->all_unreclaimable as a name
+    - next_pidmap: fix overflow condition
+    - proc: Do proper range check on readdir offset
+    - [powerpc] Fix oops if scan_dispatch_log is called too early
+    - ehci: Unlink unused QHs when the controller is stopped
+    - USB: Fix formatting of SuperSpeed endpoints in /proc/bus/usb/devices
+    - xhci: Fix math in xhci_get_endpoint_interval()
+    - xhci: Also free streams when resetting devices
+    - USB: Fix unplug of device with active streams
+    - bluetooth: Fix HCI_RESET command synchronization
+    - bridge: Reset IPCB in br_parse_ip_options
+    - ip: ip_options_compile() resilient to NULL skb route
+    For the complete list of changes, see:
+     http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38.4
+  * [s390] pfault: fix token handling (Closes: #622570)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sat, 23 Apr 2011 03:17:53 +0100
+
 linux-2.6 (2.6.38-3) unstable; urgency=low

  [ Ben Hutchings ]
--- a/debian/config/config
+++ b/debian/config/config
@ -2414,11 +2414,6 @@ CONFIG_STAGING=y
 ##
 CONFIG_AUTOFS_FS=m

-##
-## file: drivers/staging/batman-adv/Kconfig
-##
-# CONFIG_BATMAN_ADV is not set
-
 ##
 ## file: drivers/staging/comedi/Kconfig
 ##
@ -3684,6 +3679,11 @@ CONFIG_NET_9P_VIRTIO=m
 CONFIG_NET_9P_RDMA=m
 # CONFIG_NET_9P_DEBUG is not set

+##
+## file: net/batman-adv/Kconfig
+##
+CONFIG_BATMAN_ADV=m
+
 ##
 ## file: net/bluetooth/Kconfig
 ##
--- a/debian/patches/bugfix/s390/S390-pfault-fix-token-handling.patch
+++ b/debian/patches/bugfix/s390/S390-pfault-fix-token-handling.patch
@ -0,0 +1,73 @@
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Subject: [S390] pfault: fix token handling
+Date: Tue, 19 Apr 2011 08:34:01 +0200
+
+f6649a7e "[S390] cleanup lowcore access from external interrupts" changed
+handling of external interrupts. Instead of letting the external interrupt
+handlers accessing the per cpu lowcore the entry code of the kernel reads
+already all fields that are necessary and passes them to the handlers.
+The pfault interrupt handler was incorrectly converted. It tries to
+dereference a value which used to be a pointer to a lowcore field. After
+the conversion however it is not anymore the pointer to the field but its
+content. So instead of a dereference only a cast is needed to get the
+task pointer that caused the pfault.
+
+Fixes a NULL pointer dereference and a subsequent kernel crash:
+
+Unable to handle kernel pointer dereference at virtual kernel address (null)
+Oops: 0004 [#1] SMP
+Modules linked in: nfsd exportfs nfs lockd fscache nfs_acl auth_rpcgss sunrpc
+                   loop qeth_l3 qeth vmur ccwgroup ext3 jbd mbcache dm_mod
+                   dasd_eckd_mod dasd_diag_mod dasd_mod
+CPU: 0 Not tainted 2.6.38-2-s390x #1
+Process cron (pid: 1106, task: 000000001f962f78, ksp: 000000001fa0f9d0)
+Krnl PSW : 0404200180000000 000000000002c03e (pfault_interrupt+0xa2/0x138)
+           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
+Krnl GPRS: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
+           000000001f962f78 0000000000518968 0000000090000002 000000001ff03280
+           0000000000000000 000000000064f000 000000001f962f78 0000000000002603
+           0000000006002603 0000000000000000 000000001ff7fe68 000000001ff7fe48
+Krnl Code: 000000000002c036: 5820d010            l       %r2,16(%r13)
+           000000000002c03a: 1832                lr      %r3,%r2
+           000000000002c03c: 1a31                ar      %r3,%r1
+          >000000000002c03e: ba23d010            cs      %r2,%r3,16(%r13)
+           000000000002c042: a744fffc            brc     4,2c03a
+           000000000002c046: a7290002            lghi    %r2,2
+           000000000002c04a: e320d0000024        stg     %r2,0(%r13)
+           000000000002c050: 07f0                bcr     15,%r0
+Call Trace:
+ ([<000000001f962f78>] 0x1f962f78)
+  [<000000000001acda>] do_extint+0xf6/0x138
+  [<000000000039b6ca>] ext_no_vtime+0x30/0x34
+  [<000000007d706e04>] 0x7d706e04
+Last Breaking-Event-Address:
+  [<0000000000000000>] 0x0
+
+For stable maintainers:
+the first kernel which contains this bug is 2.6.37.
+
+Reported-by: Stephen Powell <zlinuxman@wowway.com>
+Cc: Jonathan Nieder <jrnieder@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+---
+
+ arch/s390/mm/fault.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
+index 9217e33..4cf85fe 100644
+--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
+@@ -558,9 +558,9 @@ static void pfault_interrupt(unsigned int ext_int_code,
+ 	 * Get the token (= address of the task structure of the affected task).
+ 	 */
+ #ifdef CONFIG_64BIT
+-	tsk = *(struct task_struct **) param64;
+	tsk = (struct task_struct *) param64;
+ #else
+-	tsk = *(struct task_struct **) param32;
+	tsk = (struct task_struct *) param32;
+ #endif
+ 
+ 	if (subcode & 0x0080) {
--- a/debian/patches/series/base
+++ b/debian/patches/series/base
@ -44,3 +44,4 @@
 + debian/sched-autogroup-disabled.patch
 + bugfix/all/kconfig-Avoid-buffer-underrun-in-choice-input.patch
 + bugfix/all/rt2800-disable-powersaving-as-default.patch
+ bugfix/s390/S390-pfault-fix-token-handling.patch