some 2.6.22 patches added to the queue
authorGreg Kroah-Hartman <gregkh@suse.de>
Fri, 10 Aug 2007 06:12:36 +0000 (23:12 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 10 Aug 2007 06:12:36 +0000 (23:12 -0700)
queue-2.6.22/ata_piix-update-map-10b-for-ich8m.patch [new file with mode: 0644]
queue-2.6.22/fix-oops-in-__audit_signal_info.patch [new file with mode: 0644]
queue-2.6.22/random-fix-bound-check-ordering.patch [new file with mode: 0644]
queue-2.6.22/series [new file with mode: 0644]
queue-2.6.22/softmac-fix-deadlock-of-wx_set_essid-with-assoc-work.patch [new file with mode: 0644]

diff --git a/queue-2.6.22/ata_piix-update-map-10b-for-ich8m.patch b/queue-2.6.22/ata_piix-update-map-10b-for-ich8m.patch
new file mode 100644 (file)
index 0000000..1c99729
--- /dev/null
@@ -0,0 +1,32 @@
+From htejun@gmail.com  Thu Aug  9 23:08:47 2007
+From: Tejun Heo <htejun@gmail.com>
+Date: Tue, 7 Aug 2007 02:43:27 +0900
+Subject: ata_piix: update map 10b for ich8m
+To: Jeff Garzik <jeff@garzik.org>, linux-ide@vger.kernel.org, kristen.c.accardi@intel.com, stable@kernel.org
+Message-ID: <20070806174327.GP13674@htj.dyndns.org>
+Content-Disposition: inline
+
+From: Tejun Heo <htejun@gmail.com>
+
+Fix map entry 10b for ich8.  It's [P0 P2 IDE IDE] like ich6 / ich6m.
+
+Signed-off-by: Tejun Heo <htejun@gmail.com>
+Acked-by: <Kristen Carlson Accardi> kristen.c.accardi@intel.com
+Cc: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/ata_piix.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ata_piix.c
++++ b/drivers/ata/ata_piix.c
+@@ -428,7 +428,7 @@ static const struct piix_map_db ich8_map
+               /* PM   PS   SM   SS       MAP */
+               {  P0,  P2,  P1,  P3 }, /* 00b (hardwired when in AHCI) */
+               {  RV,  RV,  RV,  RV },
+-              {  IDE,  IDE,  NA,  NA }, /* 10b (IDE mode) */
++              {  P0,  P2, IDE, IDE }, /* 10b (IDE mode) */
+               {  RV,  RV,  RV,  RV },
+       },
+ };
diff --git a/queue-2.6.22/fix-oops-in-__audit_signal_info.patch b/queue-2.6.22/fix-oops-in-__audit_signal_info.patch
new file mode 100644 (file)
index 0000000..a7c95a2
--- /dev/null
@@ -0,0 +1,57 @@
+From viro@ftp.linux.org.uk  Thu Aug  9 22:58:53 2007
+From: Al Viro <viro@ftp.linux.org.uk>
+Date: Wed, 8 Aug 2007 00:01:46 +0100
+Subject: fix oops in __audit_signal_info()
+To: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: linux-kernel@vger.kernel.org, stable@kernel.org
+Message-ID: <20070807230146.GZ21089@ftp.linux.org.uk>
+Content-Disposition: inline
+
+From: Al Viro <viro@ftp.linux.org.uk>
+
+       Check for audit_signals is misplaced and check for
+audit_dummy_context() is missing; as the result, if we send
+signal to auditd from task with NULL ->audit_context while
+we have audit_signals != 0 we end up with an oops.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: James Morris <jmorris@namei.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/auditsc.c |   22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1998,19 +1998,19 @@ int __audit_signal_info(int sig, struct 
+       extern uid_t audit_sig_uid;
+       extern u32 audit_sig_sid;
+-      if (audit_pid && t->tgid == audit_pid &&
+-          (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) {
+-              audit_sig_pid = tsk->pid;
+-              if (ctx)
+-                      audit_sig_uid = ctx->loginuid;
+-              else
+-                      audit_sig_uid = tsk->uid;
+-              selinux_get_task_sid(tsk, &audit_sig_sid);
++      if (audit_pid && t->tgid == audit_pid) {
++              if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
++                      audit_sig_pid = tsk->pid;
++                      if (ctx)
++                              audit_sig_uid = ctx->loginuid;
++                      else
++                              audit_sig_uid = tsk->uid;
++                      selinux_get_task_sid(tsk, &audit_sig_sid);
++              }
++              if (!audit_signals || audit_dummy_context())
++                      return 0;
+       }
+-      if (!audit_signals) /* audit_context checked in wrapper */
+-              return 0;
+-
+       /* optimize the common case by putting first signal recipient directly
+        * in audit_context */
+       if (!ctx->target_pid) {
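Review bot: The dereference at `if (!ctx->target_pid)` is now protected by the `!audit_signals || audit_dummy_context()` test only when the target is auditd, because that test moved inside the `audit_pid && t->tgid == audit_pid` block. For every other target the function depends on its caller having already rejected a NULL or dummy context, and the comment that recorded this (`/* audit_context checked in wrapper */`) is deleted together with the old check. The wrapper is not part of this patch, so that guarantee cannot be confirmed from the hunk. Once it is verified, I would keep the invariant in the code with a comment above the optimisation block, e.g. `/* non-auditd targets: wrapper guarantees audit_signals && !audit_dummy_context() */`. __audit_signal_info starts before and continues past the inner hunk.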
diff --git a/queue-2.6.22/random-fix-bound-check-ordering.patch b/queue-2.6.22/random-fix-bound-check-ordering.patch
new file mode 100644 (file)
index 0000000..1e3b866
--- /dev/null
@@ -0,0 +1,44 @@
+From w@1wt.eu  Thu Aug  9 23:04:22 2007
+Date: Sun, 15 Jul 2007 17:10:14 -0700
+From: Chris Wright <chrisw@sous-sol.org>
+Subject: random: fix bound check ordering (CVE-2007-3105)
+To: torvalds@linux-foundation.org
+Cc: security@kernel.org, Theodore Tso <tytso@mit.edu>, Willy Tarreau <w@1wt.eu>, Matt Mackall <mpm@selenic.com>
+
+From: Matt Mackall <mpm@selenic.com>
+
+If root raised the default wakeup threshold over the size of the
+output pool, the pool transfer function could overflow the stack with
+RNG bytes, causing a DoS or potential privilege escalation.
+
+(Bug reported by the PaX Team <pageexec@freemail.hu>)
+
+Cc: Theodore Tso <tytso@mit.edu>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Matt Mackall <mpm@selenic.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/random.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -693,9 +693,14 @@ static void xfer_secondary_pool(struct e
+       if (r->pull && r->entropy_count < nbytes * 8 &&
+           r->entropy_count < r->poolinfo->POOLBITS) {
+-              int bytes = max_t(int, random_read_wakeup_thresh / 8,
+-                              min_t(int, nbytes, sizeof(tmp)));
++              /* If we're limited, always leave two wakeup worth's BITS */
+               int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
++              int bytes = nbytes;
++
++              /* pull at least as many as BYTES as wakeup BITS */
++              bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
++              /* but never more than the buffer size */
++              bytes = min_t(int, bytes, sizeof(tmp));
+               DEBUG_ENT("going to reseed %s with %d bits "
+                         "(%d of %d requested)\n",
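Review bot: The new comments in the random.c hunk are hard to read on a fix whose whole point is the order of the two bounds. `/* pull at least as many as BYTES as wakeup BITS */` is garbled, and `/* If we're limited, always leave two wakeup worth's BITS */` sits above `r->limit ? 0 : random_read_wakeup_thresh/4`, which reserves nothing when `r->limit` is set, so the comment reads as the opposite case. I would reword them along the lines of `/* request at least random_read_wakeup_thresh / 8 bytes */` and `/* clamp last: bytes must never exceed sizeof(tmp) */`, and have the reserve comment say it applies when the pool is not limited. The clamp is done with `min_t(int, ...)`, so it only bounds the upper side; whether `nbytes` or the threshold can make `bytes` negative is not visible here and is worth confirming against the declarations and the sysctl limits. The body of xfer_secondary_pool starts before and continues past the inner hunk.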
diff --git a/queue-2.6.22/series b/queue-2.6.22/series
new file mode 100644 (file)
index 0000000..0a0ccc7
--- /dev/null
@@ -0,0 +1,4 @@
+fix-oops-in-__audit_signal_info.patch
+random-fix-bound-check-ordering.patch
+softmac-fix-deadlock-of-wx_set_essid-with-assoc-work.patch
+ata_piix-update-map-10b-for-ich8m.patch
diff --git a/queue-2.6.22/softmac-fix-deadlock-of-wx_set_essid-with-assoc-work.patch b/queue-2.6.22/softmac-fix-deadlock-of-wx_set_essid-with-assoc-work.patch
new file mode 100644 (file)
index 0000000..c747c1e
--- /dev/null
@@ -0,0 +1,55 @@
+From mb@bu3sch.de  Thu Aug  9 23:05:43 2007
+From: Michael Buesch <mb@bu3sch.de>
+Date: Tue, 7 Aug 2007 12:20:40 +0200
+Subject: softmac: Fix deadlock of wx_set_essid with assoc work
+To: Greg KH <greg@kroah.com>
+Cc: linux-wireless@vger.kernel.org, Johannes Berg <johannes@sipsolutions.net>, David Woodhouse <dwmw2@infradead.org>, stable@kernel.org, "John W. Linville" <linville@tuxdriver.com>
+Message-ID: <200708071220.41123.mb@bu3sch.de>
+Content-Disposition: inline
+
+From: Michael Buesch <mb@bu3sch.de>
+
+The essid wireless extension does deadlock against the assoc mutex,
+as we don't unlock the assoc mutex when flushing the workqueue, which
+also holds the lock.
+
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ieee80211/softmac/ieee80211softmac_wx.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/net/ieee80211/softmac/ieee80211softmac_wx.c
++++ b/net/ieee80211/softmac/ieee80211softmac_wx.c
+@@ -74,8 +74,8 @@ ieee80211softmac_wx_set_essid(struct net
+       struct ieee80211softmac_auth_queue_item *authptr;
+       int length = 0;
++check_assoc_again:
+       mutex_lock(&sm->associnfo.mutex);
+-
+       /* Check if we're already associating to this or another network
+        * If it's another network, cancel and start over with our new network
+        * If it's our network, ignore the change, we're already doing it!
+@@ -98,13 +98,18 @@ ieee80211softmac_wx_set_essid(struct net
+                               cancel_delayed_work(&authptr->work);
+                       sm->associnfo.bssvalid = 0;
+                       sm->associnfo.bssfixed = 0;
+-                      flush_scheduled_work();
+                       sm->associnfo.associating = 0;
+                       sm->associnfo.associated = 0;
++                      /* We must unlock to avoid deadlocks with the assoc workqueue
++                       * on the associnfo.mutex */
++                      mutex_unlock(&sm->associnfo.mutex);
++                      flush_scheduled_work();
++                      /* Avoid race! Check assoc status again. Maybe someone started an
++                       * association while we flushed. */
++                      goto check_assoc_again;
+               }
+       }
+-
+       sm->associnfo.static_essid = 0;
+       sm->associnfo.assoc_wait = 0;