Add NFS client O_DIRECT fix (CVE-2006-0555).

diff --git a/queue/normal-user-can-panic-nfs-client-with-direct-i-o.patch b/queue/normal-user-can-panic-nfs-client-with-direct-i-o.patch
new file mode 100644 (file)
index 0000000..f823459
--- /dev/null
+++ b/queue/normal-user-can-panic-nfs-client-with-direct-i-o.patch
@@ -0,0 +1,31 @@
+From vendor-sec-admin@lst.de  Tue Feb 14 21:47:34 2006
+Date: Wed, 15 Feb 2006 00:42:26 -0500 (EST)
+From: "Mike O'Connor" <mjo@dojo.mi.org>
+Cc: trond.myklebust@netapp.com, Greg Banks <gnb@melbourne.sgi.com>
+Subject: Normal user can panic NFS client with direct I/O
+
+From: Trond Myklebust <trond.myklebust@netapp.com>
+
+This is CVE-2006-0555 and SGI bug 946529.  A normal user can panic an
+NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
+
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ fs/nfs/direct.c |    5 +++++
+ 1 files changed, 5 insertions(+)
+
+--- linux-2.6.15.4.orig/fs/nfs/direct.c
++++ linux-2.6.15.4/fs/nfs/direct.c
+@@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
+               result = get_user_pages(current, current->mm, user_addr,
+                                       page_count, (rw == READ), 0,
+                                       *pages, NULL);
++              if (result >= 0 && result < page_count) {
++                      nfs_free_user_pages(*pages, result, 0);
++                      *pages = NULL;
++                      result = -EFAULT;
++              }
+               up_read(&current->mm->mmap_sem);
+       }
+       return result;

diff --git a/queue/series b/queue/series
index c2e04304b336de2e142708c469a047cd87f0eab7..06fcea1f3cbafd48cffca1a980f8dedbbed60241 100644 (file)
--- a/queue/series
+++ b/queue/series
@@ -35,3 +35,4 @@ fix-a-severe-bug.patch
 sd-fix-memory-corruption-with-broken-mode-page-headers.patch
 sbp2-fix-another-deadlock-after-disconnection.patch
 xfs-ftruncate-bug-could-expose-stale-data.patch
+normal-user-can-panic-nfs-client-with-direct-i-o.patch