--- /dev/null
+From 77238f2b942b38ab4e7f3aced44084493e4a8675 Mon Sep 17 00:00:00 2001
+From: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
+Date: Sun, 18 Oct 2009 23:17:37 -0700
+Subject: AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)
+
+From: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
+
+commit 77238f2b942b38ab4e7f3aced44084493e4a8675 upstream.
+
+I found a deadlock bug in UNIX domain socket, which makes able to DoS
+attack against the local machine by non-root users.
+
+How to reproduce:
+1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
+ namespace(*), and shutdown(2) it.
+ 2. Repeat connect(2)ing to the listening socket from the other sockets
+ until the connection backlog is full-filled.
+ 3. connect(2) takes the CPU forever. If every core is taken, the
+ system hangs.
+
+PoC code: (Run as many times as cores on SMP machines.)
+
+int main(void)
+{
+ int ret;
+ int csd;
+ int lsd;
+ struct sockaddr_un sun;
+
+ /* make an abstruct name address (*) */
+ memset(&sun, 0, sizeof(sun));
+ sun.sun_family = PF_UNIX;
+ sprintf(&sun.sun_path[1], "%d", getpid());
+
+ /* create the listening socket and shutdown */
+ lsd = socket(AF_UNIX, SOCK_STREAM, 0);
+ bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
+ listen(lsd, 1);
+ shutdown(lsd, SHUT_RDWR);
+
+ /* connect loop */
+ alarm(15); /* forcely exit the loop after 15 sec */
+ for (;;) {
+ csd = socket(AF_UNIX, SOCK_STREAM, 0);
+ ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
+ if (-1 == ret) {
+ perror("connect()");
+ break;
+ }
+ puts("Connection OK");
+ }
+ return 0;
+}
+
+(*) Make sun_path[0] = 0 to use the abstruct namespace.
+ If a file-based socket is used, the system doesn't deadlock because
+ of context switches in the file system layer.
+
+Why this happens:
+ Error checks between unix_socket_connect() and unix_wait_for_peer() are
+ inconsistent. The former calls the latter to wait until the backlog is
+ processed. Despite the latter returns without doing anything when the
+ socket is shutdown, the former doesn't check the shutdown state and
+ just retries calling the latter forever.
+
+Patch:
+ The patch below adds shutdown check into unix_socket_connect(), so
+ connect(2) to the shutdown socket will return -ECONREFUSED.
+
+Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
+Signed-off-by: Masanori Yoshida <masanori.yoshida.tv@hitachi.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+---
+ net/unix/af_unix.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1061,6 +1061,8 @@ restart:
+ err = -ECONNREFUSED;
+ if (other->sk_state != TCP_LISTEN)
+ goto out_unlock;
++ if (other->sk_shutdown & RCV_SHUTDOWN)
++ goto out_unlock;
+
+ if (unix_recvq_full(other)) {
+ err = -EAGAIN;
--- /dev/null
+From cebbert@redhat.com Thu Nov 5 15:48:56 2009
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 26 Oct 2009 14:36:45 -0400
+Subject: appletalk: Fix skb leak when ipddp interface is not loaded (CVE-2009-2903)
+To: stable@kernel.org
+Cc: David Miller <davem@davemloft.net>
+Message-ID: <20091026143645.7022001a@katamari.usersys.redhat.com>
+
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+commit ffcfb8db540ff879c2a85bf7e404954281443414 upstream
+
+appletalk: Fix skb leak when ipddp interface is not loaded
+
+[ backport to 2.6.27 : Chuck Ebbert <cebbert@redhat.com ]
+
+And also do a better job of returning proper NET_{RX,XMIT}_ values.
+
+Based on a patch and suggestions by Mark Smith.
+
+This fixes CVE-2009-2903
+
+Reported-by: Mark Smith <lk-netdev@lk-netdev.nosense.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/appletalk/ipddp.c | 3 --
+ net/appletalk/aarp.c | 16 +++++++++-----
+ net/appletalk/ddp.c | 47 +++++++++++++++++++++---------------------
+ 3 files changed, 36 insertions(+), 30 deletions(-)
+
+--- a/drivers/net/appletalk/ipddp.c
++++ b/drivers/net/appletalk/ipddp.c
+@@ -173,8 +173,7 @@ static int ipddp_xmit(struct sk_buff *sk
+ ((struct net_device_stats *) dev->priv)->tx_packets++;
+ ((struct net_device_stats *) dev->priv)->tx_bytes+=skb->len;
+
+- if(aarp_send_ddp(rt->dev, skb, &rt->at, NULL) < 0)
+- dev_kfree_skb(skb);
++ aarp_send_ddp(rt->dev, skb, &rt->at, NULL);
+
+ return 0;
+ }
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -598,7 +598,7 @@ int aarp_send_ddp(struct net_device *dev
+
+ /* Non ELAP we cannot do. */
+ if (dev->type != ARPHRD_ETHER)
+- return -1;
++ goto free_it;
+
+ skb->dev = dev;
+ skb->protocol = htons(ETH_P_ATALK);
+@@ -633,7 +633,7 @@ int aarp_send_ddp(struct net_device *dev
+ if (!a) {
+ /* Whoops slipped... good job it's an unreliable protocol 8) */
+ write_unlock_bh(&aarp_lock);
+- return -1;
++ goto free_it;
+ }
+
+ /* Set up the queue */
+@@ -662,15 +662,21 @@ out_unlock:
+ write_unlock_bh(&aarp_lock);
+
+ /* Tell the ddp layer we have taken over for this frame. */
+- return 0;
++ goto sent;
+
+ sendit:
+ if (skb->sk)
+ skb->priority = skb->sk->sk_priority;
+- dev_queue_xmit(skb);
++ if (dev_queue_xmit(skb))
++ goto drop;
+ sent:
+- return 1;
++ return NET_XMIT_SUCCESS;
++free_it:
++ kfree_skb(skb);
++drop:
++ return NET_XMIT_DROP;
+ }
++EXPORT_SYMBOL(aarp_send_ddp);
+
+ /*
+ * An entry in the aarp unresolved queue has become resolved. Send
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1277,8 +1277,10 @@ static int handle_ip_over_ddp(struct sk_
+ struct net_device_stats *stats;
+
+ /* This needs to be able to handle ipddp"N" devices */
+- if (!dev)
+- return -ENODEV;
++ if (!dev) {
++ kfree_skb(skb);
++ return NET_RX_DROP;
++ }
+
+ skb->protocol = htons(ETH_P_IP);
+ skb_pull(skb, 13);
+@@ -1288,8 +1290,7 @@ static int handle_ip_over_ddp(struct sk_
+ stats = dev->priv;
+ stats->rx_packets++;
+ stats->rx_bytes += skb->len + 13;
+- netif_rx(skb); /* Send the SKB up to a higher place. */
+- return 0;
++ return netif_rx(skb); /* Send the SKB up to a higher place. */
+ }
+ #else
+ /* make it easy for gcc to optimize this test out, i.e. kill the code */
+@@ -1297,9 +1298,8 @@ static int handle_ip_over_ddp(struct sk_
+ #define handle_ip_over_ddp(skb) 0
+ #endif
+
+-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+- struct ddpehdr *ddp, __u16 len_hops,
+- int origlen)
++static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
++ struct ddpehdr *ddp, __u16 len_hops, int origlen)
+ {
+ struct atalk_route *rt;
+ struct atalk_addr ta;
+@@ -1366,8 +1366,6 @@ static void atalk_route_packet(struct sk
+ /* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */
+ struct sk_buff *nskb = skb_realloc_headroom(skb, 32);
+ kfree_skb(skb);
+- if (!nskb)
+- goto out;
+ skb = nskb;
+ } else
+ skb = skb_unshare(skb, GFP_ATOMIC);
+@@ -1376,12 +1374,16 @@ static void atalk_route_packet(struct sk
+ * If the buffer didn't vanish into the lack of space bitbucket we can
+ * send it.
+ */
+- if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1)
+- goto free_it;
+-out:
+- return;
++ if (skb == NULL)
++ goto drop;
++
++ if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP)
++ return NET_RX_DROP;
++ return NET_XMIT_SUCCESS;
+ free_it:
+ kfree_skb(skb);
++drop:
++ return NET_RX_DROP;
+ }
+
+ /**
+@@ -1455,8 +1457,7 @@ static int atalk_rcv(struct sk_buff *skb
+ /* Not ours, so we route the packet via the correct
+ * AppleTalk iface
+ */
+- atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+- goto out;
++ return atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+ }
+
+ /* if IP over DDP is not selected this code will be optimized out */
+@@ -1663,10 +1664,10 @@ static int atalk_sendmsg(struct kiocb *i
+ if (skb2) {
+ loopback = 1;
+ SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk);
+- if (aarp_send_ddp(dev, skb2,
+- &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb2);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL);
+ }
+ }
+
+@@ -1696,9 +1697,10 @@ static int atalk_sendmsg(struct kiocb *i
+ usat = &gsat;
+ }
+
+- if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb, &usat->sat_addr, NULL);
+ }
+ SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len);
+
+@@ -1877,7 +1879,6 @@ static struct packet_type ppptalk_packet
+ static unsigned char ddp_snap_id[] = { 0x08, 0x00, 0x07, 0x80, 0x9B };
+
+ /* Export symbols for use by drivers when AppleTalk is a module */
+-EXPORT_SYMBOL(aarp_send_ddp);
+ EXPORT_SYMBOL(atrtr_get_dev);
+ EXPORT_SYMBOL(atalk_find_dev_addr);
+
--- /dev/null
+From d9d5283228d0c752f199c901fff6e1405dc91bcb Mon Sep 17 00:00:00 2001
+From: Jiri Bohac <jbohac@suse.cz>
+Date: Wed, 28 Oct 2009 22:23:54 -0700
+Subject: bonding: fix a race condition in calls to slave MII ioctls
+
+From: Jiri Bohac <jbohac@suse.cz>
+
+commit d9d5283228d0c752f199c901fff6e1405dc91bcb upstream.
+
+In mii monitor mode, bond_check_dev_link() calls the the ioctl
+handler of slave devices. It stores the ndo_do_ioctl function
+pointer to a static (!) ioctl variable and later uses it to call the
+handler with the IOCTL macro.
+
+If another thread executes bond_check_dev_link() at the same time
+(even with a different bond, which none of the locks prevent), a
+race condition occurs. If the two racing slaves have different
+drivers, this may result in one driver's ioctl handler being
+called with a pointer to a net_device controlled with a different
+driver, resulting in unpredictable breakage.
+
+Unless I am overlooking something, the "static" must be a
+copy'n'paste error (?).
+
+Signed-off-by: Jiri Bohac <jbohac@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -686,7 +686,7 @@ static int bond_update_speed_duplex(stru
+ */
+ static int bond_check_dev_link(struct bonding *bond, struct net_device *slave_dev, int reporting)
+ {
+- static int (* ioctl)(struct net_device *, struct ifreq *, int);
++ int (* ioctl)(struct net_device *, struct ifreq *, int);
+ struct ifreq ifr;
+ struct mii_ioctl_data *mii;
+
--- /dev/null
+From 69c30e1e7492192f882a3fc11888b320fde5206a Mon Sep 17 00:00:00 2001
+From: Samuel Ortiz <samuel@sortiz.org>
+Date: Wed, 17 Dec 2008 15:44:58 -0800
+Subject: irda: Add irda_skb_cb qdisc related padding
+
+From: Samuel Ortiz <samuel@sortiz.org>
+
+commit 69c30e1e7492192f882a3fc11888b320fde5206a upstream.
+
+We need to pad irda_skb_cb in order to keep it safe accross dev_queue_xmit()
+calls. This is some ugly and temporary hack triggered by recent qisc code
+changes.
+Even though it fixes bugzilla.kernel.org bug #11795, it will be replaced by a
+proper fix before 2.6.29 is released.
+
+Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/irda/irda_device.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/net/irda/irda_device.h
++++ b/include/net/irda/irda_device.h
+@@ -135,9 +135,11 @@ struct dongle_reg {
+
+ /*
+ * Per-packet information we need to hide inside sk_buff
+- * (must not exceed 48 bytes, check with struct sk_buff)
++ * (must not exceed 48 bytes, check with struct sk_buff)
++ * The default_qdisc_pad field is a temporary hack.
+ */
+ struct irda_skb_cb {
++ unsigned int default_qdisc_pad;
+ magic_t magic; /* Be sure that we can trust the information */
+ __u32 next_speed; /* The Speed to be set *after* this frame */
+ __u16 mtt; /* Minimum turn around time */
--- /dev/null
+From 6a54435560efdab1a08f429a954df4d6c740bddf Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi@redhat.com>
+Date: Sun, 4 Oct 2009 16:45:13 +0200
+Subject: KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638)
+
+From: Avi Kivity <avi@redhat.com>
+
+commit 6a54435560efdab1a08f429a954df4d6c740bddf upstream.
+
+The number of entries is multiplied by the entry size, which can
+overflow on 32-bit hosts. Bound the entry count instead.
+
+Reported-by: David Wagner <daw@cs.berkeley.edu>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1591,6 +1591,8 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
+
+ if (cpuid->nent < 1)
+ goto out;
++ if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
++ cpuid->nent = KVM_MAX_CPUID_ENTRIES;
+ r = -ENOMEM;
+ cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
+ if (!cpuid_entries)
--- /dev/null
+From ad61df918c44316940404891d5082c63e79c256a Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jpirko@redhat.com>
+Date: Thu, 8 Oct 2009 01:21:46 -0700
+Subject: netlink: fix typo in initialization (CVE-2009-3612)
+
+From: Jiri Pirko <jpirko@redhat.com>
+
+commit ad61df918c44316940404891d5082c63e79c256a upstream.
+
+Commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8 ("[NETLINK]: Missing
+initializations in dumped data") introduced a typo in
+initialization. This patch fixes this.
+
+Signed-off-by: Jiri Pirko <jpirko@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/cls_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -337,7 +337,7 @@ static int tcf_fill_node(struct sk_buff
+ tcm = NLMSG_DATA(nlh);
+ tcm->tcm_family = AF_UNSPEC;
+ tcm->tcm__pad1 = 0;
+- tcm->tcm__pad1 = 0;
++ tcm->tcm__pad2 = 0;
+ tcm->tcm_ifindex = qdisc_dev(tp->q)->ifindex;
+ tcm->tcm_parent = tp->classid;
+ tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
--- /dev/null
+From f4373bf9e67e4a653c8854acd7b02dac9714c98a Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 6 Oct 2009 15:42:18 -0400
+Subject: nfs: Avoid overrun when copying client IP address string
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit f4373bf9e67e4a653c8854acd7b02dac9714c98a upstream.
+
+As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
+overrun the source string when copying the client IP address from
+nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since
+these are both treated as null-terminated strings elsewhere, the copy
+should be done with strlcpy() not memcpy().
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -983,7 +983,7 @@ static int nfs4_init_client(struct nfs_c
+ RPC_CLNT_CREATE_DISCRTRY);
+ if (error < 0)
+ goto error;
+- memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
++ strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
+
+ error = nfs_idmap_new(clp);
+ if (error < 0) {
--- /dev/null
+From a8b40bc7e635831b61c43acc71a86d3a68b2dff0 Mon Sep 17 00:00:00 2001
+From: Terry Loftin <terry.loftin@hp.com>
+Date: Thu, 22 Oct 2009 21:36:01 -0400
+Subject: nfs: Panic when commit fails
+
+From: Terry Loftin <terry.loftin@hp.com>
+
+commit a8b40bc7e635831b61c43acc71a86d3a68b2dff0 upstream.
+
+Actually pass the NFS_FILE_SYNC option to the server to avoid a
+Panic in nfs_direct_write_complete() when a commit fails.
+
+At the end of an nfs write, if the nfs commit fails, all the writes
+will be rescheduled. They are supposed to be rescheduled as NFS_FILE_SYNC
+writes, but the rpc_task structure is not completely intialized and so
+the option is not passed. When the rescheduled writes complete, the
+return indicates that they are NFS_UNSTABLE and we try to do another
+commit. This leads to a Panic because the commit data structure pointer
+was set to null in the initial (failed) commit attempt.
+
+Signed-off-by: Terry Loftin <terry.loftin@hp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/direct.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -454,6 +454,7 @@ static void nfs_direct_write_reschedule(
+ };
+ struct rpc_task_setup task_setup_data = {
+ .rpc_client = NFS_CLIENT(inode),
++ .rpc_message = &msg,
+ .callback_ops = &nfs_write_direct_ops,
+ .workqueue = nfsiod_workqueue,
+ .flags = RPC_TASK_ASYNC,
--- /dev/null
+From 52567b03ca38b6e556ced450d64dba8d66e23b0e Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri, 23 Oct 2009 14:46:42 -0400
+Subject: NFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 52567b03ca38b6e556ced450d64dba8d66e23b0e upstream.
+
+RFC 3530 states that when we recieve the error NFS4ERR_RESOURCE, we are not
+supposed to bump the sequence number on OPEN, LOCK, LOCKU, CLOSE, etc
+operations. The problem is that we map that error into EREMOTEIO in the XDR
+layer, and so the NFSv4 middle-layer routines like seqid_mutating_err(),
+and nfs_increment_seqid() don't recognise it.
+
+The fix is to defer the mapping until after the middle layers have
+processed the error.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/nfs4proc.c | 11 ++++++++---
+ fs/nfs/nfs4xdr.c | 1 -
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -71,12 +71,17 @@ static int _nfs4_proc_getattr(struct nfs
+ /* Prevent leaks of NFSv4 errors into userland */
+ int nfs4_map_errors(int err)
+ {
+- if (err < -1000) {
++ if (err >= -1000)
++ return err;
++ switch (err) {
++ case -NFS4ERR_RESOURCE:
++ return -EREMOTEIO;
++ default:
+ dprintk("%s could not handle NFSv4 error %d\n",
+ __func__, -err);
+- return -EIO;
++ break;
+ }
+- return err;
++ return -EIO;
+ }
+
+ /*
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4671,7 +4671,6 @@ static struct {
+ { NFS4ERR_SERVERFAULT, -ESERVERFAULT },
+ { NFS4ERR_BADTYPE, -EBADTYPE },
+ { NFS4ERR_LOCKED, -EAGAIN },
+- { NFS4ERR_RESOURCE, -EREMOTEIO },
+ { NFS4ERR_SYMLINK, -ELOOP },
+ { NFS4ERR_OP_ILLEGAL, -EOPNOTSUPP },
+ { NFS4ERR_DEADLOCK, -EDEADLK },
--- /dev/null
+From d953126a28f97ec965d23c69fd5795854c048f30 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Tue, 21 Jul 2009 19:22:38 -0400
+Subject: NFSv4: Fix a problem whereby a buggy server can oops the kernel
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit d953126a28f97ec965d23c69fd5795854c048f30 upstream.
+
+We just had a case in which a buggy server occasionally returns the wrong
+attributes during an OPEN call. While the client does catch this sort of
+condition in nfs4_open_done(), and causes the nfs4_atomic_open() to return
+-EISDIR, the logic in nfs_atomic_lookup() is broken, since it causes a
+fallback to an ordinary lookup instead of just returning the error.
+
+When the buggy server then returns a regular file for the fallback lookup,
+the VFS allows the open, and bad things start to happen, since the open
+file doesn't have any associated NFSv4 state.
+
+The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and
+secondly to ensure that we are always careful when dereferencing the
+nfs_open_context state pointer.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1025,12 +1025,12 @@ static struct dentry *nfs_atomic_lookup(struct inode *dir, struct dentry *dentry
+ res = NULL;
+ goto out;
+ /* This turned out not to be a regular file */
+- case -EISDIR:
+ case -ENOTDIR:
+ goto no_open;
+ case -ELOOP:
+ if (!(nd->intent.open.flags & O_NOFOLLOW))
+ goto no_open;
++ /* case -EISDIR: */
+ /* case -EINVAL: */
+ default:
+ goto out;
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index df24f67..6917311 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4093,15 +4093,23 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request)
+ if (request->fl_start < 0 || request->fl_end < 0)
+ return -EINVAL;
+
+- if (IS_GETLK(cmd))
+- return nfs4_proc_getlk(state, F_GETLK, request);
++ if (IS_GETLK(cmd)) {
++ if (state != NULL)
++ return nfs4_proc_getlk(state, F_GETLK, request);
++ return 0;
++ }
+
+ if (!(IS_SETLK(cmd) || IS_SETLKW(cmd)))
+ return -EINVAL;
+
+- if (request->fl_type == F_UNLCK)
+- return nfs4_proc_unlck(state, cmd, request);
++ if (request->fl_type == F_UNLCK) {
++ if (state != NULL)
++ return nfs4_proc_unlck(state, cmd, request);
++ return 0;
++ }
+
++ if (state == NULL)
++ return -ENOLCK;
+ do {
+ status = nfs4_proc_setlk(state, cmd, request);
+ if ((status != -EAGAIN) || IS_SETLK(cmd))
--- /dev/null
+From 3050141bae57984dd660e6861632ccf9b8bca77e Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Thu, 8 Oct 2009 11:50:55 -0400
+Subject: NFSv4: Kill nfs4_renewd_prepare_shutdown()
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 3050141bae57984dd660e6861632ccf9b8bca77e upstream.
+
+The NFSv4 renew daemon is shared between all active super blocks that refer
+to a particular NFS server, so it is wrong to be shutting it down in
+nfs4_kill_super every time a super block is destroyed.
+
+This patch therefore kills nfs4_renewd_prepare_shutdown altogether, and
+leaves it up to nfs4_shutdown_client() to also shut down the renew daemon
+by means of the existing call to nfs4_kill_renewd().
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/nfs4renewd.c | 6 ------
+ fs/nfs/super.c | 1 -
+ 2 files changed, 7 deletions(-)
+
+--- a/fs/nfs/nfs4renewd.c
++++ b/fs/nfs/nfs4renewd.c
+@@ -125,12 +125,6 @@ nfs4_schedule_state_renewal(struct nfs_c
+ }
+
+ void
+-nfs4_renewd_prepare_shutdown(struct nfs_server *server)
+-{
+- cancel_delayed_work(&server->nfs_client->cl_renewd);
+-}
+-
+-void
+ nfs4_kill_renewd(struct nfs_client *clp)
+ {
+ cancel_delayed_work_sync(&clp->cl_renewd);
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2398,7 +2398,6 @@ static void nfs4_kill_super(struct super
+ nfs_return_all_delegations(sb);
+ kill_anon_super(sb);
+
+- nfs4_renewd_prepare_shutdown(server);
+ nfs_free_server(server);
+ }
+
--- /dev/null
+From 9a3936aac133037f65124fcb2d676a6c201a90a4 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Mon, 26 Oct 2009 08:09:46 -0400
+Subject: NFSv4: The link() operation should return any delegation on the file
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 9a3936aac133037f65124fcb2d676a6c201a90a4 upstream.
+
+Otherwise, we have to wait for the server to recall it.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1526,6 +1526,8 @@ nfs_link(struct dentry *old_dentry, stru
+ old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
+ dentry->d_parent->d_name.name, dentry->d_name.name);
+
++ nfs_inode_return_delegation(inode);
++
+ d_drop(dentry);
+ error = NFS_PROTO(dir)->link(inode, dir, &dentry->d_name);
+ if (error == 0) {
--- /dev/null
+From b845b517b5e3706a3729f6ea83b88ab85f0725b0 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri, 8 Aug 2008 21:47:09 +0200
+Subject: printk: robustify printk
+
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+
+commit b845b517b5e3706a3729f6ea83b88ab85f0725b0 upstream.
+
+Avoid deadlocks against rq->lock and xtime_lock by deferring the klogd
+wakeup by polling from the timer tick.
+
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/kernel.h | 4 ++++
+ kernel/printk.c | 19 +++++++++++++++++--
+ kernel/time/tick-sched.c | 2 +-
+ kernel/timer.c | 1 +
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -200,6 +200,8 @@ extern struct ratelimit_state printk_rat
+ extern int printk_ratelimit(void);
+ extern bool printk_timed_ratelimit(unsigned long *caller_jiffies,
+ unsigned int interval_msec);
++extern void printk_tick(void);
++extern int printk_needs_cpu(int);
+ #else
+ static inline int vprintk(const char *s, va_list args)
+ __attribute__ ((format (printf, 1, 0)));
+@@ -211,6 +213,8 @@ static inline int printk_ratelimit(void)
+ static inline bool printk_timed_ratelimit(unsigned long *caller_jiffies, \
+ unsigned int interval_msec) \
+ { return false; }
++static inline void printk_tick(void) { }
++static inline int printk_needs_cpu(int) { return 0; }
+ #endif
+
+ extern void asmlinkage __attribute__((format(printf, 1, 2)))
+--- a/kernel/printk.c
++++ b/kernel/printk.c
+@@ -977,10 +977,25 @@ int is_console_locked(void)
+ return console_locked;
+ }
+
+-void wake_up_klogd(void)
++static DEFINE_PER_CPU(int, printk_pending);
++
++void printk_tick(void)
+ {
+- if (!oops_in_progress && waitqueue_active(&log_wait))
++ if (__get_cpu_var(printk_pending)) {
++ __get_cpu_var(printk_pending) = 0;
+ wake_up_interruptible(&log_wait);
++ }
++}
++
++int printk_needs_cpu(int cpu)
++{
++ return per_cpu(printk_pending, cpu);
++}
++
++void wake_up_klogd(void)
++{
++ if (waitqueue_active(&log_wait))
++ __get_cpu_var(printk_pending) = 1;
+ }
+
+ /**
+--- a/kernel/timer.c
++++ b/kernel/timer.c
+@@ -978,6 +978,7 @@ void update_process_times(int user_tick)
+ run_local_timers();
+ if (rcu_pending(cpu))
+ rcu_check_callbacks(cpu, user_tick);
++ printk_tick();
+ scheduler_tick();
+ run_posix_cpu_timers(p);
+ }
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -261,7 +261,7 @@ void tick_nohz_stop_sched_tick(int inidl
+ next_jiffies = get_next_timer_interrupt(last_jiffies);
+ delta_jiffies = next_jiffies - last_jiffies;
+
+- if (rcu_needs_cpu(cpu))
++ if (rcu_needs_cpu(cpu) || printk_needs_cpu(cpu))
+ delta_jiffies = 1;
+ /*
+ * Do not stop the tick, if we are only one off
revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch
tty-mark-generic_serial-users-as-broken.patch
x86-64-fix-register-leak-in-32-bit-syscall-audting.patch
+af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch
+appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch
+netlink-fix-typo-in-initialization-cve-2009-3612.patch
+kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch
+irda-add-irda_skb_cb-qdisc-related-padding.patch
+nfs-panic-when-commit-fails.patch
+nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch
+nfs-avoid-overrun-when-copying-client-ip-address-string.patch
+nfsv4-kill-nfs4_renewd_prepare_shutdown.patch
+nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch
+nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch
+printk-robustify-printk.patch
+bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
