add some lingering patches into the old 2.6.18 queue in case it's useful
authorChris Wright <chrisw@sous-sol.org>
Mon, 5 Feb 2007 22:07:01 +0000 (14:07 -0800)
committerChris Wright <chrisw@sous-sol.org>
Mon, 5 Feb 2007 22:07:01 +0000 (14:07 -0800)
to flush that queue.

queue-2.6.18/grow_buffers-infinite-loop-fix.patch [new file with mode: 0644]
queue-2.6.18/hfs_fill_super-returns-success-even-if-no-root-inode.patch [new file with mode: 0644]
queue-2.6.18/i2c-fix-broken-ds1337-initialization.patch [new file with mode: 0644]
queue-2.6.18/ib-mad-fix-race-between-cancel-and-receive-completion.patch [new file with mode: 0644]
queue-2.6.18/series

diff --git a/queue-2.6.18/grow_buffers-infinite-loop-fix.patch b/queue-2.6.18/grow_buffers-infinite-loop-fix.patch
new file mode 100644 (file)
index 0000000..eb1e09b
--- /dev/null
@@ -0,0 +1,75 @@
+From stable-bounces@linux.kernel.org  Sat Dec 30 15:29:08 2006
+Message-ID: <4596F4F7.3010709@gentoo.org>
+Date: Sat, 30 Dec 2006 18:23:35 -0500
+From: Daniel Drake <dsd@gentoo.org>
+To: stable@kernel.org
+Cc: sandeen@redhat.com
+Subject: grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)
+
+From: Andrew Morton <akpm@osdl.org>
+
+If grow_buffers() is for some reason passed a block number which wants to lie
+outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it
+will accidentally truncate `index' and will then instnatiate a page at the
+wrong pagecache offset.  This causes __getblk_slow() to go into an infinite
+loop.
+
+This can happen with corrupted disks, or with software errors elsewhere.
+
+Detect that, and handle it.
+
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Date: Wed, 11 Oct 2006 08:21:46 +0000 (-0700)
+Subject: [PATCH] grow_buffers() infinite loop fix
+X-Git-Tag: v2.6.19-rc2
+X-Git-Url: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e5657933863f43cc6bb76a54d659303dafaa9e58
+
+ fs/buffer.c |   21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- linux-2.6.18.6.orig/fs/buffer.c
++++ linux-2.6.18.6/fs/buffer.c
+@@ -1179,8 +1179,21 @@ grow_buffers(struct block_device *bdev, 
+       } while ((size << sizebits) < PAGE_SIZE);
+       index = block >> sizebits;
+-      block = index << sizebits;
++      /*
++       * Check for a block which wants to lie outside our maximum possible
++       * pagecache index.  (this comparison is done using sector_t types).
++       */
++      if (unlikely(index != block >> sizebits)) {
++              char b[BDEVNAME_SIZE];
++
++              printk(KERN_ERR "%s: requested out-of-range block %llu for "
++                      "device %s\n",
++                      __FUNCTION__, (unsigned long long)block,
++                      bdevname(bdev, b));
++              return -EIO;
++      }
++      block = index << sizebits;
+       /* Create a page with the proper size buffers.. */
+       page = grow_dev_page(bdev, block, index, size);
+       if (!page)
+@@ -1207,12 +1220,16 @@ __getblk_slow(struct block_device *bdev,
+       for (;;) {
+               struct buffer_head * bh;
++              int ret;
+               bh = __find_get_block(bdev, block, size);
+               if (bh)
+                       return bh;
+-              if (!grow_buffers(bdev, block, size))
++              ret = grow_buffers(bdev, block, size);
++              if (ret < 0)
++                      return NULL;
++              if (ret == 0)
+                       free_more_memory();
+       }
+ }
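Review bot: grow_buffers() now has a three-way return (negative errno, 0, positive) but nothing in the patch documents it, and only the new -EIO path is visible in the hunk; the function header and its existing success/no-page returns lie outside it. Since __getblk_slow() now branches on `ret < 0` versus `ret == 0`, a header comment on grow_buffers() would keep the two in step, e.g. `/* Returns 1 on success, 0 if no page could be allocated (caller frees memory and retries), or -EIO if the block lies beyond the addressable pagecache range. */` — the exact success/no-page values are not visible here and should be confirmed against the unpatched function. The new printk in grow_buffers() fires on every lookup of an out-of-range block, so a corrupted device that is probed repeatedly can produce one KERN_ERR line per attempt; if that proves noisy, wrapping it in `if (printk_ratelimit())` bounds the log volume without changing the -EIO result.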
diff --git a/queue-2.6.18/hfs_fill_super-returns-success-even-if-no-root-inode.patch b/queue-2.6.18/hfs_fill_super-returns-success-even-if-no-root-inode.patch
new file mode 100644 (file)
index 0000000..f8a95c1
--- /dev/null
@@ -0,0 +1,71 @@
+From stable-bounces@linux.kernel.org  Sat Dec 30 15:34:45 2006
+Message-ID: <4596F649.5020406@gentoo.org>
+Date: Sat, 30 Dec 2006 18:29:13 -0500
+From: Daniel Drake <dsd@gentoo.org>
+To: stable@kernel.org
+Cc: sandeen@redhat.com
+Subject: hfs_fill_super returns success even if no root inode (CVE-2006-6056)
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html
+
+mount that image...
+fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended.  mounting read-only.
+hfs: get root inode failed.
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
+ printing eip
+...
+EIP is at superblock_doinit+0x21/0x767
+...
+ [] selinux_sb_kern_mount+0xc/0x4b
+ [] vfs_kern_mount+0x99/0xf6
+ [] do_kern_mount+0x2d/0x3e
+ [] do_mount+0x5fa/0x66d
+ [] sys_mount+0x77/0xae
+ [] syscall_call+0x7/0xb
+DWARF2 unwinder stuck at syscall_call+0x7/0xb
+
+hfs_fill_super() returns success even if
+  root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+or
+  sb->s_root = d_alloc_root(root_inode);
+
+fails.  This superblock finds its way to superblock_doinit() which does:
+
+        struct dentry *root = sb->s_root;
+        struct inode *inode = root->d_inode;
+
+and boom.  Need to make sure the error cases return an error, I think.
+
+[akpm@osdl.org: return -ENOMEM on oom]
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Date: Thu, 16 Nov 2006 09:19:22 +0000 (-0800)
+Subject: [PATCH] hfs_fill_super returns success even if no root inode
+X-Git-Tag: v2.6.19
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d6ddf55440833fd9404138026af246c51ebeef22
+
+ fs/hfs/super.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.18.6.orig/fs/hfs/super.c
++++ linux-2.6.18.6/fs/hfs/super.c
+@@ -391,11 +391,13 @@ static int hfs_fill_super(struct super_b
+               hfs_find_exit(&fd);
+               goto bail_no_root;
+       }
++      res = -EINVAL;
+       root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+       hfs_find_exit(&fd);
+       if (!root_inode)
+               goto bail_no_root;
++      res = -ENOMEM;
+       sb->s_root = d_alloc_root(root_inode);
+       if (!sb->s_root)
+               goto bail_iput;
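Review bot: The two new `res = ...` assignments fix the success-on-failure return but leave the reader to guess why a NULL from hfs_iget() maps to -EINVAL while a NULL from d_alloc_root() maps to -ENOMEM; hfs_fill_super() starts and ends outside the hunk. A one-line comment at the first assignment would pin the intent, e.g. `/* No usable root inode: treat the image as invalid rather than mounting a superblock with s_root == NULL */`. If hfs_iget() can also return NULL on allocation failure (not visible here, so this is an inference to confirm), -EINVAL would mis-report an out-of-memory condition as a corrupt image; if that matters, hfs_iget() would need to distinguish the two cases for the caller.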
diff --git a/queue-2.6.18/i2c-fix-broken-ds1337-initialization.patch b/queue-2.6.18/i2c-fix-broken-ds1337-initialization.patch
new file mode 100644 (file)
index 0000000..a0082b0
--- /dev/null
@@ -0,0 +1,60 @@
+From stable-bounces@linux.kernel.org  Tue Dec 19 23:40:57 2006
+Date: Wed, 20 Dec 2006 08:34:43 +0100
+From: Jean Delvare <khali@linux-fr.org>
+To: stable@kernel.org
+Message-Id: <20061220083443.45e488cb.khali@linux-fr.org>
+Cc: Dirk Eibach <eibach@gdsys.de>, Adrian Bunk <bunk@stusta.de>
+Subject: i2c: fix broken ds1337 initialization
+
+From: Dirk Eibach <eibach@gdsys.de>
+
+On a custom board with ds1337 RTC I found that upgrade from 2.6.15 to
+2.6.18 broke RTC support.
+
+The main problem are changes to ds1337_init_client().
+When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7
+in status register is set. This has to be reset by writing 0 to status
+register. But since there are only 16 byte written to the chip and the
+first byte is interpreted as an address, the status register (which is
+the 16th) is never written.
+The other problem is, that initializing all registers to zero is not
+valid for day, date and month register. Funny enough this is checked by
+ds1337_detect(), which depends on this values not being zero. So then
+treated by ds1337_init_client() the ds1337 is not detected anymore,
+whereas the failure bit in the status register is still set.
+
+Broken by commit f9e8957937ebf60d22732a5ca9130f48a7603f60 (2.6.16-rc1,
+2006-01-06). This fix is in Linus' tree since 2.6.20-rc1 (commit
+763d9c046a2e511ec090a8986d3f85edf7448e7e).
+
+Signed-off-by: Dirk Stieler <stieler@gdsys.de>
+Signed-off-by: Dirk Eibach <eibach@gdsys.de>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/i2c/chips/ds1337.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- linux-2.6.18.6.orig/drivers/i2c/chips/ds1337.c
++++ linux-2.6.18.6/drivers/i2c/chips/ds1337.c
+@@ -347,13 +347,19 @@ static void ds1337_init_client(struct i2
+       if ((status & 0x80) || (control & 0x80)) {
+               /* RTC not running */
+-              u8 buf[16];
++              u8 buf[1+16];   /* First byte is interpreted as address */
+               struct i2c_msg msg[1];
+               dev_dbg(&client->dev, "%s: RTC not running!\n", __FUNCTION__);
+               /* Initialize all, including STATUS and CONTROL to zero */
+               memset(buf, 0, sizeof(buf));
++
++              /* Write valid values in the date/time registers */
++              buf[1+DS1337_REG_DAY] = 1;
++              buf[1+DS1337_REG_DATE] = 1;
++              buf[1+DS1337_REG_MONTH] = 1;
++
+               msg[0].addr = client->addr;
+               msg[0].flags = 0;
+               msg[0].len = sizeof(buf);
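Review bot: The retained comment `/* Initialize all, including STATUS and CONTROL to zero */` is now partly stale: buf[0] is the start-register address and the following lines store non-zero DAY/DATE/MONTH values, and the hunk relies on memset() leaving buf[0] == 0 so the write begins at register 0 without saying so. Suggest replacing it with `/* buf[0] == 0 selects register 0; clear every register (STATUS and CONTROL included), then set the few that must not be zero */`. The `16` in `u8 buf[1+16]` is an unnamed register count even though the DS1337_REG_* constants used just below name individual registers; a named count would keep `msg[0].len = sizeof(buf)` and the layout in step if the map changes — confirm what the driver defines, as no such constant is visible here. The i2c_transfer() call and its result handling lie below the hunk.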
diff --git a/queue-2.6.18/ib-mad-fix-race-between-cancel-and-receive-completion.patch b/queue-2.6.18/ib-mad-fix-race-between-cancel-and-receive-completion.patch
new file mode 100644 (file)
index 0000000..56987bd
--- /dev/null
@@ -0,0 +1,45 @@
+From stable-bounces@linux.kernel.org  Thu Jan 11 11:51:30 2007
+To: stable@kernel.org
+From: Roland Dreier <rdreier@cisco.com>
+Date: Thu, 11 Jan 2007 11:42:49 -0800
+Message-ID: <ada4pqxjqo6.fsf@cisco.com>
+Cc: mst@mellanox.co.il, openib-general@openib.org
+Subject: IB/mad: Fix race between cancel and receive completion
+
+When ib_cancel_mad() is called, it puts the canceled send on a list
+and schedules a "flushed" callback from process context.  However,
+this leaves a window where a receive completion could be processed
+before the send is fully flushed.
+
+This is fine, except that ib_find_send_mad() will find the MAD and
+return it to the receive processing, which results in the sender
+getting both a successful receive and a "flushed" send completion for
+the same request.  Understandably, this confuses the sender, which is
+expecting only one of these two callbacks, and leads to grief such as
+a use-after-free in IPoIB.
+
+Fix this by changing ib_find_send_mad() to return a send struct only
+if the status is still successful (and not "flushed").  The search of
+the send_list already had this check, so this patch just adds the same
+check to the search of the wait_list.
+
+Signed-off-by: Roland Dreier <rolandd@cisco.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+This fixes a crash seen in production when switching between IPoIB
+interfaces in a HA setup.
+
+ drivers/infiniband/core/mad.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.18.6.orig/drivers/infiniband/core/mad.c
++++ linux-2.6.18.6/drivers/infiniband/core/mad.c
+@@ -1750,7 +1750,7 @@ ib_find_send_mad(struct ib_mad_agent_pri
+                    */
+                   (is_direct(wc->recv_buf.mad->mad_hdr.mgmt_class) ||
+                    rcv_has_same_gid(mad_agent_priv, wr, wc)))
+-                      return wr;
++                      return (wr->status == IB_WC_SUCCESS) ? wr : NULL;
+       }
+       /*
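Review bot: The rewritten return in ib_find_send_mad() silently turns a matched-but-canceled send into "not found", and nothing at the site says why, so a later reader may revert it as a spurious check; ib_find_send_mad() begins and ends outside the hunk. Suggest a comment directly above the return: `/* A canceled send will get a "flushed" completion; do not also hand its reply to the receive path (see ib_cancel_mad). */`. The description says the send_list search already carries the same status test; if both searches now apply it, a single status check after a shared lookup would stop the two from drifting apart again — hedged, since the send_list branch is not visible here.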
index ce0b7fae3771feefdd8a7f4de61424d896ac33ff..1151c59a01082aa31cfc75fda51ce4c1fff4583d 100644 (file)
@@ -1,3 +1,7 @@
 don-t-leak-nt-bit-into-next-task.patch
 scsi-add-missing-cdb-clearing-in-scsi_execute.patch
 ib-srp-fix-fmr-mapping-for-32-bit-kernels-and-addresses-above-4g.patch
+i2c-fix-broken-ds1337-initialization.patch
+grow_buffers-infinite-loop-fix.patch
+hfs_fill_super-returns-success-even-if-no-root-inode.patch
+ib-mad-fix-race-between-cancel-and-receive-completion.patch