2.6.18.7, 2.6.19.4 and 2.6.20.1 releases

diff --git a/releases/2.6.18.7/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch b/releases/2.6.18.7/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
new file mode 100644 (file)
index 0000000..66ec6b8
--- /dev/null
+++ b/releases/2.6.18.7/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
@@ -0,0 +1,51 @@
+From c9ce228306fda4448f5f495b4f36c07956f45acd Mon Sep 17 00:00:00 2001
+From: Greg Banks <gnb@sgi.com>
+Date: Tue, 20 Feb 2007 10:12:34 +1100
+Subject: Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
+
+Due to type confusion, when an nfsacl verison 2 'ACCESS' request
+finishes and tries to clean up, it calls fh_put on entiredly the
+wrong thing and this can cause an oops.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, __be32 *p,
+       return 1;
+ }
+ 
+-static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, u32 *p,
+-              struct nfsd_fhandle *resp)
++static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, u32 *p,
++              struct nfsd_attrstat *resp)
+ {
+       fh_put(&resp->fh);
+       return 1;
+ }
+ 
++static int nfsaclsvc_release_access(struct svc_rqst *rqstp, u32 *p,
++               struct nfsd3_accessres *resp)
++{
++       fh_put(&resp->fh);
++       return 1;
++}
++
+ #define nfsaclsvc_decode_voidargs     NULL
+ #define nfsaclsvc_encode_voidres      NULL
+ #define nfsaclsvc_release_void                NULL
+@@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; };
+ static struct svc_procedure           nfsd_acl_procedures2[] = {
+   PROC(null,  void,           void,           void,     RC_NOCACHE, ST),
+   PROC(getacl,        getacl,         getacl,         getacl,   RC_NOCACHE, ST+1+2*(1+ACL)),
+-  PROC(setacl,        setacl,         attrstat,       fhandle,  RC_NOCACHE, ST+AT),
+-  PROC(getattr, fhandle,      attrstat,       fhandle,  RC_NOCACHE, ST+AT),
+-  PROC(access,        access,         access,         fhandle,  RC_NOCACHE, ST+AT+1),
++  PROC(setacl,        setacl,         attrstat,       attrstat, RC_NOCACHE, ST+AT),
++  PROC(getattr, fhandle,      attrstat,       attrstat, RC_NOCACHE, ST+AT),
++  PROC(access,        access,         access,         access,   RC_NOCACHE, ST+AT+1),
+ };
+ 
+ struct svc_version    nfsd_acl_version2 = {

diff --git a/releases/2.6.19.4/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch b/releases/2.6.19.4/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
new file mode 100644 (file)
index 0000000..e89a9f9
--- /dev/null
+++ b/releases/2.6.19.4/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
@@ -0,0 +1,53 @@
+From e162a033a5882bde0c3bf5a07ee2119f9535cd8c Mon Sep 17 00:00:00 2001
+From: Greg Banks <gnb@sgi.com>
+Date: Tue, 20 Feb 2007 10:12:34 +1100
+Subject: [PATCH] [PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
+
+Due to type confusion, when an nfsacl verison 2 'ACCESS' request
+finishes and tries to clean up, it calls fh_put on entiredly the
+wrong thing and this can cause an oops.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c
+index edde5dc..b617428 100644
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, __be32 *p,
+       return 1;
+ }
+ 
+-static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, __be32 *p,
+-              struct nfsd_fhandle *resp)
++static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, __be32 *p,
++              struct nfsd_attrstat *resp)
+ {
+       fh_put(&resp->fh);
+       return 1;
+ }
+ 
++static int nfsaclsvc_release_access(struct svc_rqst *rqstp, __be32 *p,
++               struct nfsd3_accessres *resp)
++{
++       fh_put(&resp->fh);
++       return 1;
++}
++
+ #define nfsaclsvc_decode_voidargs     NULL
+ #define nfsaclsvc_encode_voidres      NULL
+ #define nfsaclsvc_release_void                NULL
+@@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; };
+ static struct svc_procedure           nfsd_acl_procedures2[] = {
+   PROC(null,  void,           void,           void,     RC_NOCACHE, ST),
+   PROC(getacl,        getacl,         getacl,         getacl,   RC_NOCACHE, ST+1+2*(1+ACL)),
+-  PROC(setacl,        setacl,         attrstat,       fhandle,  RC_NOCACHE, ST+AT),
+-  PROC(getattr, fhandle,      attrstat,       fhandle,  RC_NOCACHE, ST+AT),
+-  PROC(access,        access,         access,         fhandle,  RC_NOCACHE, ST+AT+1),
++  PROC(setacl,        setacl,         attrstat,       attrstat, RC_NOCACHE, ST+AT),
++  PROC(getattr, fhandle,      attrstat,       attrstat, RC_NOCACHE, ST+AT),
++  PROC(access,        access,         access,         access,   RC_NOCACHE, ST+AT+1),
+ };
+ 
+ struct svc_version    nfsd_acl_version2 = {

diff --git a/releases/2.6.20.1/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch b/releases/2.6.20.1/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
new file mode 100644 (file)
index 0000000..e89a9f9
--- /dev/null
+++ b/releases/2.6.20.1/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
@@ -0,0 +1,53 @@
+From e162a033a5882bde0c3bf5a07ee2119f9535cd8c Mon Sep 17 00:00:00 2001
+From: Greg Banks <gnb@sgi.com>
+Date: Tue, 20 Feb 2007 10:12:34 +1100
+Subject: [PATCH] [PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
+
+Due to type confusion, when an nfsacl verison 2 'ACCESS' request
+finishes and tries to clean up, it calls fh_put on entiredly the
+wrong thing and this can cause an oops.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c
+index edde5dc..b617428 100644
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, __be32 *p,
+       return 1;
+ }
+ 
+-static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, __be32 *p,
+-              struct nfsd_fhandle *resp)
++static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, __be32 *p,
++              struct nfsd_attrstat *resp)
+ {
+       fh_put(&resp->fh);
+       return 1;
+ }
+ 
++static int nfsaclsvc_release_access(struct svc_rqst *rqstp, __be32 *p,
++               struct nfsd3_accessres *resp)
++{
++       fh_put(&resp->fh);
++       return 1;
++}
++
+ #define nfsaclsvc_decode_voidargs     NULL
+ #define nfsaclsvc_encode_voidres      NULL
+ #define nfsaclsvc_release_void                NULL
+@@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; };
+ static struct svc_procedure           nfsd_acl_procedures2[] = {
+   PROC(null,  void,           void,           void,     RC_NOCACHE, ST),
+   PROC(getacl,        getacl,         getacl,         getacl,   RC_NOCACHE, ST+1+2*(1+ACL)),
+-  PROC(setacl,        setacl,         attrstat,       fhandle,  RC_NOCACHE, ST+AT),
+-  PROC(getattr, fhandle,      attrstat,       fhandle,  RC_NOCACHE, ST+AT),
+-  PROC(access,        access,         access,         fhandle,  RC_NOCACHE, ST+AT+1),
++  PROC(setacl,        setacl,         attrstat,       attrstat, RC_NOCACHE, ST+AT),
++  PROC(getattr, fhandle,      attrstat,       attrstat, RC_NOCACHE, ST+AT),
++  PROC(access,        access,         access,         access,   RC_NOCACHE, ST+AT+1),
+ };
+ 
+ struct svc_version    nfsd_acl_version2 = {