--- /dev/null
+From aca218f461aeb9f7ee9bd4978db2b67a889cf87f Mon Sep 17 00:00:00 2001
+From: Eugene Teo <eugeneteo@kernel.sg>
+Date: Mon, 23 Feb 2009 15:38:41 -0800
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+From: Eugene Teo <eugeneteo@kernel.sg>
+
+[ Upstream commit 50fee1dec5d71b8a14c1b82f2f42e16adc227f8b ]
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -696,7 +696,7 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+
+- v.val = 0;
++ memset(&v, 0, sizeof(v));
+
+ switch(optname) {
+ case SO_DEBUG:
--- /dev/null
+From be6562d8f13915451fd63a8718562f1db3dea36e Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Tue, 17 Feb 2009 21:24:05 -0800
+Subject: net: Kill skb_truesize_check(), it only catches false-positives.
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 92a0acce186cde8ead56c6915d9479773673ea1a ]
+
+A long time ago we had bugs, primarily in TCP, where we would modify
+skb->truesize (for TSO queue collapsing) in ways which would corrupt
+the socket memory accounting.
+
+skb_truesize_check() was added in order to try and catch this error
+more systematically.
+
+However this debugging check has morphed into a Frankenstein of sorts
+and these days it does nothing other than catch false-positives.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/skbuff.h | 9 ---------
+ include/net/sock.h | 1 -
+ net/core/skbuff.c | 8 --------
+ net/core/sock.c | 1 -
+ 4 files changed, 19 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -411,15 +411,6 @@ extern void skb_over_panic(struct
+ void *here);
+ extern void skb_under_panic(struct sk_buff *skb, int len,
+ void *here);
+-extern void skb_truesize_bug(struct sk_buff *skb);
+-
+-static inline void skb_truesize_check(struct sk_buff *skb)
+-{
+- int len = sizeof(struct sk_buff) + skb->len;
+-
+- if (unlikely((int)skb->truesize < len))
+- skb_truesize_bug(skb);
+-}
+
+ extern int skb_append_datato_frags(struct sock *sk, struct sk_buff *skb,
+ int getfrag(void *from, char *to, int offset,
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -784,7 +784,6 @@ static inline void sk_mem_uncharge(struc
+
+ static inline void sk_wmem_free_skb(struct sock *sk, struct sk_buff *skb)
+ {
+- skb_truesize_check(skb);
+ sock_set_flag(sk, SOCK_QUEUE_SHRUNK);
+ sk->sk_wmem_queued -= skb->truesize;
+ sk_mem_uncharge(sk, skb->truesize);
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -143,14 +143,6 @@ void skb_under_panic(struct sk_buff *skb
+ BUG();
+ }
+
+-void skb_truesize_bug(struct sk_buff *skb)
+-{
+- WARN(net_ratelimit(), KERN_ERR "SKB BUG: Invalid truesize (%u) "
+- "len=%u, sizeof(sk_buff)=%Zd\n",
+- skb->truesize, skb->len, sizeof(struct sk_buff));
+-}
+-EXPORT_SYMBOL(skb_truesize_bug);
+-
+ /* Allocate a new skbuff. We do this ourselves so we can fill in a few
+ * 'private' fields and also do memory statistics to find all the
+ * [BEEP] leaks.
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1137,7 +1137,6 @@ void sock_rfree(struct sk_buff *skb)
+ {
+ struct sock *sk = skb->sk;
+
+- skb_truesize_check(skb);
+ atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+ sk_mem_uncharge(skb->sk, skb->truesize);
+ }
--- /dev/null
+net-amend-the-fix-for-so_bsdcompat-gsopt-infoleak.patch
+net-kill-skb_truesize_check-it-only-catches-false-positives.patch
+sparc64-fix-crashes-in-jbusmc_print_dimm.patch
+sparc64-fix-dax-handling-via-userspace-access-from-kernel.patch
--- /dev/null
+From c58782f7cc112f93f95554d7a8ab05b1fdd92ae6 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Wed, 11 Feb 2009 00:54:07 -0800
+Subject: sparc64: Fix crashes in jbusmc_print_dimm()
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 1b0e235cc9bfae4bc0f5cd0cba929206fb0f6a64 ]
+
+Return was missing for the case where there is no dimm
+info match.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/chmc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/sparc64/kernel/chmc.c
++++ b/arch/sparc64/kernel/chmc.c
+@@ -306,6 +306,7 @@ static int jbusmc_print_dimm(int syndrom
+ buf[1] = '?';
+ buf[2] = '?';
+ buf[3] = '\0';
++ return 0;
+ }
+ p = dp->controller;
+ prop = &p->layout;
--- /dev/null
+From 02c18518b706b8e53fd916befe6fab2bd12a5189 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Mon, 19 Jan 2009 22:56:51 -0800
+Subject: sparc64: Fix DAX handling via userspace access from kernel.
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit fcd26f7ae2ea5889134e8b3d60a42ce8b993c95f ]
+
+If we do a userspace access from kernel mode, and get a
+data access exception, we need to check the exception
+table just like a normal fault does.
+
+The spitfire DAX handler was doing this, but such logic
+was missing from the sun4v DAX code.
+
+Reported-by: Dennis Gilmore <dgilmore@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/traps.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc64/kernel/traps.c
++++ b/arch/sparc64/kernel/traps.c
+@@ -1,6 +1,6 @@
+ /* arch/sparc64/kernel/traps.c
+ *
+- * Copyright (C) 1995,1997,2008 David S. Miller (davem@davemloft.net)
++ * Copyright (C) 1995,1997,2008,2009 David S. Miller (davem@davemloft.net)
+ * Copyright (C) 1997,1999,2000 Jakub Jelinek (jakub@redhat.com)
+ */
+
+@@ -313,6 +313,21 @@ void sun4v_data_access_exception(struct
+ return;
+
+ if (regs->tstate & TSTATE_PRIV) {
++ /* Test if this comes from uaccess places. */
++ const struct exception_table_entry *entry;
++
++ entry = search_exception_tables(regs->tpc);
++ if (entry) {
++ /* Ouch, somebody is trying VM hole tricks on us... */
++#ifdef DEBUG_EXCEPTIONS
++ printk("Exception: PC<%016lx> faddr<UNKNOWN>\n", regs->tpc);
++ printk("EX_TABLE: insn<%016lx> fixup<%016lx>\n",
++ regs->tpc, entry->fixup);
++#endif
++ regs->tpc = entry->fixup;
++ regs->tnpc = regs->tpc + 4;
++ return;
++ }
+ printk("sun4v_data_access_exception: ADDR[%016lx] "
+ "CTX[%04x] TYPE[%04x], going.\n",
+ addr, ctx, type);
projects / thirdparty / kernel / stable-queue.git / commitdiff
