more 2.6.23 patches added
authorGreg Kroah-Hartman <gregkh@suse.de>
Fri, 2 Nov 2007 17:52:19 +0000 (10:52 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 2 Nov 2007 17:52:19 +0000 (10:52 -0700)
queue-2.6.23/ib-uverbs-fix-checking-of-userspace-object-ownership.patch [new file with mode: 0644]
queue-2.6.23/minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch [new file with mode: 0644]
queue-2.6.23/param_sysfs_builtin-memchr-argument-fix.patch [new file with mode: 0644]
queue-2.6.23/series
queue-2.6.23/x86-fix-global_flush_tlb-bug.patch [new file with mode: 0644]

diff --git a/queue-2.6.23/ib-uverbs-fix-checking-of-userspace-object-ownership.patch b/queue-2.6.23/ib-uverbs-fix-checking-of-userspace-object-ownership.patch
new file mode 100644 (file)
index 0000000..d437ecd
--- /dev/null
@@ -0,0 +1,45 @@
+From stable-bounces@linux.kernel.org Sun Oct 28 10:15:04 2007
+From: Roland Dreier <rdreier@cisco.com>
+Date: Sun, 28 Oct 2007 10:14:32 -0700
+Subject: IB/uverbs: Fix checking of userspace object ownership
+To: stable@kernel.org
+Message-ID: <ada7il7xitj.fsf@cisco.com>
+
+From: Roland Dreier <rolandd@cisco.com>
+
+Upstream as cbfb50e6e2e9c580848c0f51d37c24cdfb1cb704
+
+Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex")
+rewrote how userspace objects are looked up in the uverbs module's
+idrs, and introduced a severe bug in the process: there is no checking
+that an operation is being performed by the right process any more.
+Fix this by adding the missing check of uobj->context in __idr_get_uobj().
+
+Apparently everyone is being very careful to only touch their own
+objects, because this bug was introduced in June 2006 in 2.6.18, and
+has gone undetected until now.
+
+Signed-off-by: Roland Dreier <rolandd@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/infiniband/core/uverbs_cmd.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -147,8 +147,12 @@ static struct ib_uobject *__idr_get_uobj
+       spin_lock(&ib_uverbs_idr_lock);
+       uobj = idr_find(idr, id);
+-      if (uobj)
+-              kref_get(&uobj->ref);
++      if (uobj) {
++              if (uobj->context == context)
++                      kref_get(&uobj->ref);
++              else
++                      uobj = NULL;
++      }
+       spin_unlock(&ib_uverbs_idr_lock);
+       return uobj;
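Review bot: The ownership test at `if (uobj->context == context)` is the entire fix, yet nothing in the hunk records why a lookup in a global idr needs it, and the description shows that an unexplained check is exactly what a later "cleanup" removed. I would put `/* The uverbs idrs are shared by every process using the device, so a valid id alone proves nothing: hand back only objects owned by the calling ucontext. */` above the compare. Folding the foreign-object case into NULL means callers presumably report it the same way as a nonexistent id, which is the right choice (nothing is revealed about other processes' handles) and is worth stating in that comment. Both the signature of __idr_get_uobj and the declaration of uobj are above the hunk, so the surrounding function is only partly visible here.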
diff --git a/queue-2.6.23/minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch b/queue-2.6.23/minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch
new file mode 100644 (file)
index 0000000..b973ea1
--- /dev/null
@@ -0,0 +1,76 @@
+From f44ec6f3f89889a469773b1fd894f8fcc07c29cf Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Tue, 16 Oct 2007 23:27:15 -0700
+Subject: minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
+Message-ID: <47276102.30608@redhat.com>
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+patch f44ec6f3f89889a469773b1fd894f8fcc07c29cf upstream.
+
+This attempts to address CVE-2006-6058
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
+
+first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
+
+Essentially a corrupted minix dir inode reporting a very large
+i_size will loop for a very long time in minix_readdir, minix_find_entry,
+etc, because on EIO they just move on to try the next page.  This is
+under the BKL, printk-storming as well.  This can lock up the machine
+for a very long time.  Simply ratelimiting the printks gets things back
+under control.  Make the message a bit more informative while we're here.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Cc: Bodo Eggert <7eggert@gmx.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/minix/itree_v1.c |    9 +++++++--
+ fs/minix/itree_v2.c |    9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/fs/minix/itree_v1.c
++++ b/fs/minix/itree_v1.c
+@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+       int n = 0;
++      char b[BDEVNAME_SIZE];
+       if (block < 0) {
+-              printk("minix_bmap: block<0\n");
++              printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++                      block, bdevname(inode->i_sb->s_bdev, b));
+       } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+-              printk("minix_bmap: block>big\n");
++              if (printk_ratelimit())
++                      printk("MINIX-fs: block_to_path: "
++                             "block %ld too big on dev %s\n",
++                              block, bdevname(inode->i_sb->s_bdev, b));
+       } else if (block < 7) {
+               offsets[n++] = block;
+       } else if ((block -= 7) < 512) {
+--- a/fs/minix/itree_v2.c
++++ b/fs/minix/itree_v2.c
+@@ -23,12 +23,17 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+       int n = 0;
++      char b[BDEVNAME_SIZE];
+       struct super_block *sb = inode->i_sb;
+       if (block < 0) {
+-              printk("minix_bmap: block<0\n");
++              printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++                      block, bdevname(sb->s_bdev, b));
+       } else if (block >= (minix_sb(inode->i_sb)->s_max_size/sb->s_blocksize)) {
+-              printk("minix_bmap: block>big\n");
++              if (printk_ratelimit())
++                      printk("MINIX-fs: block_to_path: "
++                             "block %ld too big on dev %s\n",
++                              block, bdevname(sb->s_bdev, b));
+       } else if (block < 7) {
+               offsets[n++] = block;
+       } else if ((block -= 7) < 256) {
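Review bot: The rate limit is applied only to the `block too big` branch; the `block < 0` printk just above it remains unconditional in both itree_v1.c and itree_v2.c, so a corrupted inode that drives block_to_path with negative block numbers would storm the log under the BKL in the same way the description reports for oversized ones. Wrapping that printk in the same `if (printk_ratelimit())` keeps the two error paths consistent. Note also, as the description itself says, that the change only throttles the messages: the readdir/find_entry loop over an oversized i_size still runs to completion, so this mitigates CVE-2006-6058 rather than bounding directory size. Both block_to_path bodies continue past the end of the hunk.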
diff --git a/queue-2.6.23/param_sysfs_builtin-memchr-argument-fix.patch b/queue-2.6.23/param_sysfs_builtin-memchr-argument-fix.patch
new file mode 100644 (file)
index 0000000..9e310cb
--- /dev/null
@@ -0,0 +1,89 @@
+From faf8c714f4508207a9c81cc94dafc76ed6680b44 Mon Sep 17 00:00:00 2001
+From: Dave Young <hidave.darkstar@gmail.com>
+Date: Thu, 18 Oct 2007 03:05:07 -0700
+Subject: param_sysfs_builtin memchr argument fix
+Message-ID: <4720EBA6.60803@redhat.com>
+
+From: Dave Young <hidave.darkstar@gmail.com>
+
+patch faf8c714f4508207a9c81cc94dafc76ed6680b44 in mainline.
+
+If memchr argument is longer than strlen(kp->name), there will be some
+weird result.
+
+It will casuse duplicate filenames in sysfs for the "nousb".  kernel
+warning messages are as bellow:
+
+sysfs: duplicate filename 'usbcore' can not be created
+WARNING: at fs/sysfs/dir.c:416 sysfs_add_one()
+ [<c01c4750>] sysfs_add_one+0xa0/0xe0
+ [<c01c4ab8>] create_dir+0x48/0xb0
+ [<c01c4b69>] sysfs_create_dir+0x29/0x50
+ [<c024e0fb>] create_dir+0x1b/0x50
+ [<c024e3b6>] kobject_add+0x46/0x150
+ [<c024e2da>] kobject_init+0x3a/0x80
+ [<c053b880>] kernel_param_sysfs_setup+0x50/0xb0
+ [<c053b9ce>] param_sysfs_builtin+0xee/0x130
+ [<c053ba33>] param_sysfs_init+0x23/0x60
+ [<c024d062>] __next_cpu+0x12/0x20
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052a856>] do_initcalls+0x46/0x1e0
+ [<c01bdb12>] create_proc_entry+0x52/0x90
+ [<c0158d4c>] register_irq_proc+0x9c/0xc0
+ [<c01bda94>] proc_mkdir_mode+0x34/0x50
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa92>] kernel_init+0x62/0xb0
+ [<c0104f83>] kernel_thread_helper+0x7/0x14
+ =======================
+kobject_add failed for usbcore with -EEXIST, don't try to register things with the same name in the same directory.
+ [<c024e466>] kobject_add+0xf6/0x150
+ [<c053b880>] kernel_param_sysfs_setup+0x50/0xb0
+ [<c053b9ce>] param_sysfs_builtin+0xee/0x130
+ [<c053ba33>] param_sysfs_init+0x23/0x60
+ [<c024d062>] __next_cpu+0x12/0x20
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052a856>] do_initcalls+0x46/0x1e0
+ [<c01bdb12>] create_proc_entry+0x52/0x90
+ [<c0158d4c>] register_irq_proc+0x9c/0xc0
+ [<c01bda94>] proc_mkdir_mode+0x34/0x50
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa92>] kernel_init+0x62/0xb0
+ [<c0104f83>] kernel_thread_helper+0x7/0x14
+ =======================
+Module 'usbcore' failed to be added to sysfs, error number -17
+The system will be unstable now.
+
+Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
+Cc: Greg KH <greg@kroah.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/params.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/kernel/params.c
++++ b/kernel/params.c
+@@ -595,11 +595,17 @@ static void __init param_sysfs_builtin(v
+       for (i=0; i < __stop___param - __start___param; i++) {
+               char *dot;
++              size_t kplen;
+               kp = &__start___param[i];
++              kplen = strlen(kp->name);
+               /* We do not handle args without periods. */
+-              dot = memchr(kp->name, '.', MAX_KBUILD_MODNAME);
++              if (kplen > MAX_KBUILD_MODNAME) {
++                      DEBUGP("kernel parameter name is too long: %s\n", kp->name);
++                      continue;
++              }
++              dot = memchr(kp->name, '.', kplen);
+               if (!dot) {
+                       DEBUGP("couldn't find period in %s\n", kp->name);
+                       continue;
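Review bot: The new guard `if (kplen > MAX_KBUILD_MODNAME)` compares the whole `module.param` name against a limit that, by its name, applies to the module part, so a built-in parameter whose combined name exceeds it is now silently skipped (DEBUGP is normally compiled out). Bounding the search instead, `dot = memchr(kp->name, '.', min(kplen, (size_t)MAX_KBUILD_MODNAME));`, removes the over-read the description reports (memchr running past the terminator of a short name such as `nousb` into the neighbouring string) without adding a new reason to drop a parameter; whether the code after the hunk already bounds `dot - kp->name` before copying the module name I cannot see from here. If the skip is kept, a `printk(KERN_WARNING ...)` rather than DEBUGP would make the dropped parameter visible to the person debugging a missing sysfs entry. The loop and param_sysfs_builtin continue outside the hunk.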
index 7501c7c12085a559e5b6043a4a1944fd69a04f18..84ae4b35131b53de618e8c606d3d7a0214eed5bd 100644 (file)
@@ -11,3 +11,7 @@ hwmon-lm87-disable-vid-when-it-should-be.patch
 add-get_unaligned-to-ieee80211_get_radiotap_len.patch
 mac80211-improve-sanity-checks-on-injected-packets.patch
 remove-broken-ptrace-special-case-code-from-file-mapping.patch
+x86-fix-global_flush_tlb-bug.patch
+param_sysfs_builtin-memchr-argument-fix.patch
+minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch
+ib-uverbs-fix-checking-of-userspace-object-ownership.patch
diff --git a/queue-2.6.23/x86-fix-global_flush_tlb-bug.patch b/queue-2.6.23/x86-fix-global_flush_tlb-bug.patch
new file mode 100644 (file)
index 0000000..7c0c569
--- /dev/null
@@ -0,0 +1,70 @@
+From 9a24d04a3c26c223f22493492c5c9085b8773d4a Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@elte.hu>
+Date: Fri, 19 Oct 2007 12:19:26 +0200
+Subject: [PATCH] x86: fix global_flush_tlb() bug
+
+From: Ingo Molnar <mingo@elte.hu>
+
+patch 9a24d04a3c26c223f22493492c5c9085b8773d4a upstream
+
+While we were reviewing pageattr_32/64.c for unification,
+Thomas Gleixner noticed the following serious SMP bug in
+global_flush_tlb():
+
+       down_read(&init_mm.mmap_sem);
+       list_replace_init(&deferred_pages, &l);
+       up_read(&init_mm.mmap_sem);
+
+this is SMP-unsafe because list_replace_init() done on two CPUs in
+parallel can corrupt the list.
+
+This bug has been introduced about a year ago in the 64-bit tree:
+
+       commit ea7322decb974a4a3e804f96a0201e893ff88ce3
+       Author: Andi Kleen <ak@suse.de>
+       Date:   Thu Dec 7 02:14:05 2006 +0100
+
+       [PATCH] x86-64: Speed and clean up cache flushing in change_page_attr
+
+                down_read(&init_mm.mmap_sem);
+        -       dpage = xchg(&deferred_pages, NULL);
+        +       list_replace_init(&deferred_pages, &l);
+                up_read(&init_mm.mmap_sem);
+
+the xchg() based version was SMP-safe, but list_replace_init() is not.
+So this "cleanup" introduced a nasty bug.
+
+why this bug never become prominent is a mystery - it can probably be
+explained with the (still) relative obscurity of the x86_64 architecture.
+
+the safe fix for now is to write-lock init_mm.mmap_sem.
+
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andi Kleen <ak@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86_64/mm/pageattr.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86_64/mm/pageattr.c
++++ b/arch/x86_64/mm/pageattr.c
+@@ -229,9 +229,14 @@ void global_flush_tlb(void)
+       struct page *pg, *next;
+       struct list_head l;
+-      down_read(&init_mm.mmap_sem);
++      /*
++       * Write-protect the semaphore, to exclude two contexts
++       * doing a list_replace_init() call in parallel and to
++       * exclude new additions to the deferred_pages list:
++       */
++      down_write(&init_mm.mmap_sem);
+       list_replace_init(&deferred_pages, &l);
+-      up_read(&init_mm.mmap_sem);
++      up_write(&init_mm.mmap_sem);
+       flush_map(&l);
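Review bot: The comment's opening phrase, `Write-protect the semaphore`, describes the opposite of what the code does: the semaphore is acquired for writing, it is not being protected. I would replace the comment with `/* Take init_mm.mmap_sem for write: this excludes two CPUs running list_replace_init() in parallel and, provided every adder to deferred_pages holds it for read, any concurrent addition to the list. */`. That proviso is what makes the fix sound and it is not visible from this hunk, so naming it guards against an adder that later stops taking the read lock; a lock dedicated to deferred_pages would make the relationship explicit, though the description deliberately chooses the minimal fix here. Once the private list `l` is detached, flush_map() runs after up_write(), which is fine since nothing else can reach `l`; global_flush_tlb's body continues past the hunk.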