From bf3e8f859596087a319cd8259b34542655da7b9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederik=20Sch=C3=BCler?= Date: Mon, 10 Oct 2005 22:11:21 +0000 Subject: [PATCH] Added patch-2.6.13.4. svn path=/dists/trunk/linux-2.6/; revision=4387 --- debian/changelog | 10 +- debian/patches-debian/patch-2.6.13.4 | 369 ++++++++++++++++++++++++++ debian/patches-debian/series/2.6.13-2 | 1 + 3 files changed, 379 insertions(+), 1 deletion(-) create mode 100644 debian/patches-debian/patch-2.6.13.4 create mode 100644 debian/patches-debian/series/2.6.13-2 diff --git a/debian/changelog b/debian/changelog index fb244495b..b44101ae5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -25,8 +25,16 @@ linux-2.6 (2.6.13-2) UNRELEASED; urgency=low [ Frederik Schüler ] * deactivate FB_RIVA on all architectures. + * Added patch-2.6.13.4: + - key: plug request_key_auth memleak (CAN-2005-3119) + - Fix drm 'debug' sysfs permissions + - Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL + - Fix userland FPU state corruption. + - BIC coding bug in Linux 2.6.13 + - orinoco: Information leakage due to incorrect padding + - ieee1394/sbp2: fixes for hot-unplug and module unloading - -- Frederik Schüler Mon, 10 Oct 2005 19:50:00 +0200 + -- Frederik Schüler Mon, 10 Oct 2005 23:56:37 +0200 linux-2.6 (2.6.13-1) experimental; urgency=low diff --git a/debian/patches-debian/patch-2.6.13.4 b/debian/patches-debian/patch-2.6.13.4 new file mode 100644 index 000000000..ad129abec --- /dev/null +++ b/debian/patches-debian/patch-2.6.13.4 @@ -0,0 +1,369 @@ +diff --git a/arch/sparc64/kernel/entry.S b/arch/sparc64/kernel/entry.S +--- a/arch/sparc64/kernel/entry.S ++++ b/arch/sparc64/kernel/entry.S +@@ -186,7 +186,7 @@ vmalloc_addr: + /* This is trivial with the new code... */ + .globl do_fpdis + do_fpdis: +- sethi %hi(TSTATE_PEF), %g4 ! IEU0 ++ sethi %hi(TSTATE_PEF), %g4 + rdpr %tstate, %g5 + andcc %g5, %g4, %g0 + be,pt %xcc, 1f +@@ -203,18 +203,18 @@ do_fpdis: + add %g0, %g0, %g0 + ba,a,pt %xcc, rtrap_clr_l6 + +-1: ldub [%g6 + TI_FPSAVED], %g5 ! Load Group +- wr %g0, FPRS_FEF, %fprs ! LSU Group+4bubbles +- andcc %g5, FPRS_FEF, %g0 ! IEU1 Group +- be,a,pt %icc, 1f ! CTI +- clr %g7 ! IEU0 +- ldx [%g6 + TI_GSR], %g7 ! Load Group +-1: andcc %g5, FPRS_DL, %g0 ! IEU1 +- bne,pn %icc, 2f ! CTI +- fzero %f0 ! FPA +- andcc %g5, FPRS_DU, %g0 ! IEU1 Group +- bne,pn %icc, 1f ! CTI +- fzero %f2 ! FPA ++1: ldub [%g6 + TI_FPSAVED], %g5 ++ wr %g0, FPRS_FEF, %fprs ++ andcc %g5, FPRS_FEF, %g0 ++ be,a,pt %icc, 1f ++ clr %g7 ++ ldx [%g6 + TI_GSR], %g7 ++1: andcc %g5, FPRS_DL, %g0 ++ bne,pn %icc, 2f ++ fzero %f0 ++ andcc %g5, FPRS_DU, %g0 ++ bne,pn %icc, 1f ++ fzero %f2 + faddd %f0, %f2, %f4 + fmuld %f0, %f2, %f6 + faddd %f0, %f2, %f8 +@@ -257,8 +257,10 @@ cplus_fptrap_insn_1: + add %g6, TI_FPREGS + 0xc0, %g2 + faddd %f0, %f2, %f8 + fmuld %f0, %f2, %f10 +- ldda [%g1] ASI_BLK_S, %f32 ! grrr, where is ASI_BLK_NUCLEUS 8-( ++ membar #Sync ++ ldda [%g1] ASI_BLK_S, %f32 + ldda [%g2] ASI_BLK_S, %f48 ++ membar #Sync + faddd %f0, %f2, %f12 + fmuld %f0, %f2, %f14 + faddd %f0, %f2, %f16 +@@ -269,7 +271,6 @@ cplus_fptrap_insn_1: + fmuld %f0, %f2, %f26 + faddd %f0, %f2, %f28 + fmuld %f0, %f2, %f30 +- membar #Sync + b,pt %xcc, fpdis_exit + nop + 2: andcc %g5, FPRS_DU, %g0 +@@ -286,8 +287,10 @@ cplus_fptrap_insn_2: + add %g6, TI_FPREGS + 0x40, %g2 + faddd %f32, %f34, %f36 + fmuld %f32, %f34, %f38 +- ldda [%g1] ASI_BLK_S, %f0 ! grrr, where is ASI_BLK_NUCLEUS 8-( ++ membar #Sync ++ ldda [%g1] ASI_BLK_S, %f0 + ldda [%g2] ASI_BLK_S, %f16 ++ membar #Sync + faddd %f32, %f34, %f40 + fmuld %f32, %f34, %f42 + faddd %f32, %f34, %f44 +@@ -300,7 +303,6 @@ cplus_fptrap_insn_2: + fmuld %f32, %f34, %f58 + faddd %f32, %f34, %f60 + fmuld %f32, %f34, %f62 +- membar #Sync + ba,pt %xcc, fpdis_exit + nop + 3: mov SECONDARY_CONTEXT, %g3 +@@ -311,7 +313,8 @@ cplus_fptrap_insn_3: + stxa %g2, [%g3] ASI_DMMU + membar #Sync + mov 0x40, %g2 +- ldda [%g1] ASI_BLK_S, %f0 ! grrr, where is ASI_BLK_NUCLEUS 8-( ++ membar #Sync ++ ldda [%g1] ASI_BLK_S, %f0 + ldda [%g1 + %g2] ASI_BLK_S, %f16 + add %g1, 0x80, %g1 + ldda [%g1] ASI_BLK_S, %f32 +diff --git a/arch/sparc64/kernel/rtrap.S b/arch/sparc64/kernel/rtrap.S +--- a/arch/sparc64/kernel/rtrap.S ++++ b/arch/sparc64/kernel/rtrap.S +@@ -310,32 +310,33 @@ kern_fpucheck: ldub [%g6 + TI_FPDEPTH] + wr %g1, FPRS_FEF, %fprs + ldx [%o1 + %o5], %g1 + add %g6, TI_XFSR, %o1 +- membar #StoreLoad | #LoadLoad + sll %o0, 8, %o2 + add %g6, TI_FPREGS, %o3 + brz,pn %l6, 1f + add %g6, TI_FPREGS+0x40, %o4 + ++ membar #Sync + ldda [%o3 + %o2] ASI_BLK_P, %f0 + ldda [%o4 + %o2] ASI_BLK_P, %f16 ++ membar #Sync + 1: andcc %l2, FPRS_DU, %g0 + be,pn %icc, 1f + wr %g1, 0, %gsr + add %o2, 0x80, %o2 ++ membar #Sync + ldda [%o3 + %o2] ASI_BLK_P, %f32 + ldda [%o4 + %o2] ASI_BLK_P, %f48 +- + 1: membar #Sync + ldx [%o1 + %o5], %fsr + 2: stb %l5, [%g6 + TI_FPDEPTH] + ba,pt %xcc, rt_continue + nop + 5: wr %g0, FPRS_FEF, %fprs +- membar #StoreLoad | #LoadLoad + sll %o0, 8, %o2 + + add %g6, TI_FPREGS+0x80, %o3 + add %g6, TI_FPREGS+0xc0, %o4 ++ membar #Sync + ldda [%o3 + %o2] ASI_BLK_P, %f32 + ldda [%o4 + %o2] ASI_BLK_P, %f48 + membar #Sync +diff --git a/arch/sparc64/lib/VISsave.S b/arch/sparc64/lib/VISsave.S +--- a/arch/sparc64/lib/VISsave.S ++++ b/arch/sparc64/lib/VISsave.S +@@ -59,15 +59,17 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 + be,pn %icc, 9b + add %g6, TI_FPREGS, %g2 + andcc %o5, FPRS_DL, %g0 +- membar #StoreStore | #LoadStore + + be,pn %icc, 4f + add %g6, TI_FPREGS+0x40, %g3 ++ membar #Sync + stda %f0, [%g2 + %g1] ASI_BLK_P + stda %f16, [%g3 + %g1] ASI_BLK_P ++ membar #Sync + andcc %o5, FPRS_DU, %g0 + be,pn %icc, 5f + 4: add %g1, 128, %g1 ++ membar #Sync + stda %f32, [%g2 + %g1] ASI_BLK_P + + stda %f48, [%g3 + %g1] ASI_BLK_P +@@ -87,7 +89,7 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 + sll %g1, 5, %g1 + add %g6, TI_FPREGS+0xc0, %g3 + wr %g0, FPRS_FEF, %fprs +- membar #StoreStore | #LoadStore ++ membar #Sync + stda %f32, [%g2 + %g1] ASI_BLK_P + stda %f48, [%g3 + %g1] ASI_BLK_P + membar #Sync +@@ -128,8 +130,8 @@ VISenterhalf: + be,pn %icc, 4f + add %g6, TI_FPREGS, %g2 + +- membar #StoreStore | #LoadStore + add %g6, TI_FPREGS+0x40, %g3 ++ membar #Sync + stda %f0, [%g2 + %g1] ASI_BLK_P + stda %f16, [%g3 + %g1] ASI_BLK_P + membar #Sync +diff --git a/drivers/char/drm/drm_stub.c b/drivers/char/drm/drm_stub.c +--- a/drivers/char/drm/drm_stub.c ++++ b/drivers/char/drm/drm_stub.c +@@ -47,7 +47,7 @@ MODULE_PARM_DESC(cards_limit, "Maximum n + MODULE_PARM_DESC(debug, "Enable debug output"); + + module_param_named(cards_limit, drm_cards_limit, int, 0444); +-module_param_named(debug, drm_debug, int, 0666); ++module_param_named(debug, drm_debug, int, 0600); + + drm_head_t **drm_heads; + struct drm_sysfs_class *drm_class; +diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c +--- a/drivers/ieee1394/sbp2.c ++++ b/drivers/ieee1394/sbp2.c +@@ -596,6 +596,11 @@ static void sbp2util_mark_command_comple + spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); + } + ++static inline int sbp2util_node_is_available(struct scsi_id_instance_data *scsi_id) ++{ ++ return scsi_id && scsi_id->ne && !scsi_id->ne->in_limbo; ++} ++ + + + /********************************************* +@@ -631,11 +636,23 @@ static int sbp2_remove(struct device *de + { + struct unit_directory *ud; + struct scsi_id_instance_data *scsi_id; ++ struct scsi_device *sdev; + + SBP2_DEBUG("sbp2_remove"); + + ud = container_of(dev, struct unit_directory, device); + scsi_id = ud->device.driver_data; ++ if (!scsi_id) ++ return 0; ++ ++ /* Trigger shutdown functions in scsi's highlevel. */ ++ if (scsi_id->scsi_host) ++ scsi_unblock_requests(scsi_id->scsi_host); ++ sdev = scsi_id->sdev; ++ if (sdev) { ++ scsi_id->sdev = NULL; ++ scsi_remove_device(sdev); ++ } + + sbp2_logout_device(scsi_id); + sbp2_remove_device(scsi_id); +@@ -944,6 +961,7 @@ alloc_fail: + SBP2_ERR("scsi_add_device failed"); + return PTR_ERR(sdev); + } ++ scsi_device_put(sdev); + + return 0; + } +@@ -2480,7 +2498,7 @@ static int sbp2scsi_queuecommand(struct + * If scsi_id is null, it means there is no device in this slot, + * so we should return selection timeout. + */ +- if (!scsi_id) { ++ if (!sbp2util_node_is_available(scsi_id)) { + SCpnt->result = DID_NO_CONNECT << 16; + done (SCpnt); + return 0; +@@ -2683,6 +2701,18 @@ static void sbp2scsi_complete_command(st + } + + ++static int sbp2scsi_slave_alloc(struct scsi_device *sdev) ++{ ++ ((struct scsi_id_instance_data *)sdev->host->hostdata[0])->sdev = sdev; ++ return 0; ++} ++ ++static void sbp2scsi_slave_destroy(struct scsi_device *sdev) ++{ ++ ((struct scsi_id_instance_data *)sdev->host->hostdata[0])->sdev = NULL; ++ return; ++} ++ + static int sbp2scsi_slave_configure (struct scsi_device *sdev) + { + blk_queue_dma_alignment(sdev->request_queue, (512 - 1)); +@@ -2705,7 +2735,7 @@ static int sbp2scsi_abort(struct scsi_cm + SBP2_ERR("aborting sbp2 command"); + scsi_print_command(SCpnt); + +- if (scsi_id) { ++ if (sbp2util_node_is_available(scsi_id)) { + + /* + * Right now, just return any matching command structures +@@ -2749,7 +2779,7 @@ static int __sbp2scsi_reset(struct scsi_ + + SBP2_ERR("reset requested"); + +- if (scsi_id) { ++ if (sbp2util_node_is_available(scsi_id)) { + SBP2_ERR("Generating sbp2 fetch agent reset"); + sbp2_agent_reset(scsi_id, 0); + } +@@ -2817,7 +2847,9 @@ static struct scsi_host_template scsi_dr + .eh_device_reset_handler = sbp2scsi_reset, + .eh_bus_reset_handler = sbp2scsi_reset, + .eh_host_reset_handler = sbp2scsi_reset, ++ .slave_alloc = sbp2scsi_slave_alloc, + .slave_configure = sbp2scsi_slave_configure, ++ .slave_destroy = sbp2scsi_slave_destroy, + .this_id = -1, + .sg_tablesize = SG_ALL, + .use_clustering = ENABLE_CLUSTERING, +diff --git a/drivers/net/wireless/orinoco.c b/drivers/net/wireless/orinoco.c +--- a/drivers/net/wireless/orinoco.c ++++ b/drivers/net/wireless/orinoco.c +@@ -502,9 +502,14 @@ static int orinoco_xmit(struct sk_buff * + return 0; + } + +- /* Length of the packet body */ +- /* FIXME: what if the skb is smaller than this? */ +- len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN); ++ /* Check packet length, pad short packets, round up odd length */ ++ len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN); ++ if (skb->len < len) { ++ skb = skb_padto(skb, len); ++ if (skb == NULL) ++ goto fail; ++ } ++ len -= ETH_HLEN; + + eh = (struct ethhdr *)skb->data; + +@@ -556,8 +561,7 @@ static int orinoco_xmit(struct sk_buff * + p = skb->data; + } + +- /* Round up for odd length packets */ +- err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2), ++ err = hermes_bap_pwrite(hw, USER_BAP, p, data_len, + txfid, data_off); + if (err) { + printk(KERN_ERR "%s: Error %d writing packet to BAP\n", +diff --git a/fs/namei.c b/fs/namei.c +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1557,19 +1557,19 @@ do_link: + if (nd->last_type != LAST_NORM) + goto exit; + if (nd->last.name[nd->last.len]) { +- putname(nd->last.name); ++ __putname(nd->last.name); + goto exit; + } + error = -ELOOP; + if (count++==32) { +- putname(nd->last.name); ++ __putname(nd->last.name); + goto exit; + } + dir = nd->dentry; + down(&dir->d_inode->i_sem); + path.dentry = __lookup_hash(&nd->last, nd->dentry, nd); + path.mnt = nd->mnt; +- putname(nd->last.name); ++ __putname(nd->last.name); + goto do_last; + } + +diff --git a/net/ipv4/tcp_bic.c b/net/ipv4/tcp_bic.c +--- a/net/ipv4/tcp_bic.c ++++ b/net/ipv4/tcp_bic.c +@@ -136,7 +136,7 @@ static inline void bictcp_update(struct + else if (cwnd < ca->last_max_cwnd + max_increment*(BICTCP_B-1)) + /* slow start */ + ca->cnt = (cwnd * (BICTCP_B-1)) +- / cwnd-ca->last_max_cwnd; ++ / (cwnd - ca->last_max_cwnd); + else + /* linear increase */ + ca->cnt = cwnd / max_increment; +diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -96,6 +96,7 @@ static void request_key_auth_destroy(str + kenter("{%d}", key->serial); + + key_put(rka->target_key); ++ kfree(rka); + + } /* end request_key_auth_destroy() */ + diff --git a/debian/patches-debian/series/2.6.13-2 b/debian/patches-debian/series/2.6.13-2 new file mode 100644 index 000000000..6c4bc5d7e --- /dev/null +++ b/debian/patches-debian/series/2.6.13-2 @@ -0,0 +1 @@ ++ patch-2.6.13.4