From: Chris Wright Date: Mon, 5 Feb 2007 22:07:01 +0000 (-0800) Subject: add some lingering patches into the old 2.6.18 queue in case it's useful X-Git-Tag: v2.6.18.7~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=386a2dbd97ad8e2798633201ac8b1c5fa39e2b46;p=thirdparty%2Fkernel%2Fstable-queue.git add some lingering patches into the old 2.6.18 queue in case it's useful to flush that queue. --- diff --git a/queue-2.6.18/grow_buffers-infinite-loop-fix.patch b/queue-2.6.18/grow_buffers-infinite-loop-fix.patch new file mode 100644 index 00000000000..eb1e09bac3e --- /dev/null +++ b/queue-2.6.18/grow_buffers-infinite-loop-fix.patch 
@@ -0,0 +1,75 @@ +From stable-bounces@linux.kernel.org Sat Dec 30 15:29:08 2006 +Message-ID: <4596F4F7.3010709@gentoo.org> +Date: Sat, 30 Dec 2006 18:23:35 -0500 +From: Daniel Drake +To: stable@kernel.org +Cc: sandeen@redhat.com +Subject: grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060) + +From: Andrew Morton + +If grow_buffers() is for some reason passed a block number which wants to lie +outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it +will accidentally truncate `index' and will then instnatiate a page at the +wrong pagecache offset. This causes __getblk_slow() to go into an infinite +loop. + +This can happen with corrupted disks, or with software errors elsewhere. + +Detect that, and handle it. + +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- +Date: Wed, 11 Oct 2006 08:21:46 +0000 (-0700) +Subject: [PATCH] grow_buffers() infinite loop fix +X-Git-Tag: v2.6.19-rc2 +X-Git-Url: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e5657933863f43cc6bb76a54d659303dafaa9e58 + + fs/buffer.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- linux-2.6.18.6.orig/fs/buffer.c ++++ linux-2.6.18.6/fs/buffer.c +@@ -1179,8 +1179,21 @@ grow_buffers(struct block_device *bdev, + } while ((size << sizebits) < PAGE_SIZE); + + index = block >> sizebits; +- block = index << sizebits; + ++ /* ++ * Check for a block which wants to lie outside our maximum possible ++ * pagecache index. (this comparison is done using sector_t types). ++ */ ++ if (unlikely(index != block >> sizebits)) { ++ char b[BDEVNAME_SIZE]; ++ ++ printk(KERN_ERR "%s: requested out-of-range block %llu for " ++ "device %s\n", ++ __FUNCTION__, (unsigned long long)block, ++ bdevname(bdev, b)); ++ return -EIO; ++ } ++ block = index << sizebits; + /* Create a page with the proper size buffers.. 
*/ + page = grow_dev_page(bdev, block, index, size); + if (!page) +@@ -1207,12 +1220,16 @@ __getblk_slow(struct block_device *bdev, + + for (;;) { + struct buffer_head * bh; ++ int ret; + + bh = __find_get_block(bdev, block, size); + if (bh) + return bh; + +- if (!grow_buffers(bdev, block, size)) ++ ret = grow_buffers(bdev, block, size); ++ if (ret < 0) ++ return NULL; ++ if (ret == 0) + free_more_memory(); + } + } diff --git a/queue-2.6.18/hfs_fill_super-returns-success-even-if-no-root-inode.patch b/queue-2.6.18/hfs_fill_super-returns-success-even-if-no-root-inode.patch new file mode 100644 index 00000000000..f8a95c10890 --- /dev/null +++ b/queue-2.6.18/hfs_fill_super-returns-success-even-if-no-root-inode.patch 
@@ -0,0 +1,71 @@ +From stable-bounces@linux.kernel.org Sat Dec 30 15:34:45 2006 +Message-ID: <4596F649.5020406@gentoo.org> +Date: Sat, 30 Dec 2006 18:29:13 -0500 +From: Daniel Drake +To: stable@kernel.org +Cc: sandeen@redhat.com +Subject: hfs_fill_super returns success even if no root inode (CVE-2006-6056) + +From: Eric Sandeen + +http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html + +mount that image... +fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended. mounting read-only. +hfs: get root inode failed. +BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018 + printing eip +... +EIP is at superblock_doinit+0x21/0x767 +... + [] selinux_sb_kern_mount+0xc/0x4b + [] vfs_kern_mount+0x99/0xf6 + [] do_kern_mount+0x2d/0x3e + [] do_mount+0x5fa/0x66d + [] sys_mount+0x77/0xae + [] syscall_call+0x7/0xb +DWARF2 unwinder stuck at syscall_call+0x7/0xb + +hfs_fill_super() returns success even if + root_inode = hfs_iget(sb, &fd.search_key->cat, &rec); +or + sb->s_root = d_alloc_root(root_inode); + +fails. This superblock finds its way to superblock_doinit() which does: + + struct dentry *root = sb->s_root; + struct inode *inode = root->d_inode; + +and boom. Need to make sure the error cases return an error, I think. 
+ +[akpm@osdl.org: return -ENOMEM on oom] +Signed-off-by: Eric Sandeen +Cc: Roman Zippel +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- +Date: Thu, 16 Nov 2006 09:19:22 +0000 (-0800) +Subject: [PATCH] hfs_fill_super returns success even if no root inode +X-Git-Tag: v2.6.19 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d6ddf55440833fd9404138026af246c51ebeef22 + + fs/hfs/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.18.6.orig/fs/hfs/super.c ++++ linux-2.6.18.6/fs/hfs/super.c +@@ -391,11 +391,13 @@ static int hfs_fill_super(struct super_b + hfs_find_exit(&fd); + goto bail_no_root; + } ++ res = -EINVAL; + root_inode = hfs_iget(sb, &fd.search_key->cat, &rec); + hfs_find_exit(&fd); + if (!root_inode) + goto bail_no_root; + ++ res = -ENOMEM; + sb->s_root = d_alloc_root(root_inode); + if (!sb->s_root) + goto bail_iput; diff --git a/queue-2.6.18/i2c-fix-broken-ds1337-initialization.patch b/queue-2.6.18/i2c-fix-broken-ds1337-initialization.patch new file mode 100644 index 00000000000..a0082b05120 --- /dev/null +++ b/queue-2.6.18/i2c-fix-broken-ds1337-initialization.patch 
@@ -0,0 +1,60 @@ +From stable-bounces@linux.kernel.org Tue Dec 19 23:40:57 2006 +Date: Wed, 20 Dec 2006 08:34:43 +0100 +From: Jean Delvare +To: stable@kernel.org +Message-Id: <20061220083443.45e488cb.khali@linux-fr.org> +Cc: Dirk Eibach , Adrian Bunk +Subject: i2c: fix broken ds1337 initialization + +From: Dirk Eibach + +On a custom board with ds1337 RTC I found that upgrade from 2.6.15 to +2.6.18 broke RTC support. + +The main problem are changes to ds1337_init_client(). +When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7 +in status register is set. This has to be reset by writing 0 to status +register. But since there are only 16 byte written to the chip and the +first byte is interpreted as an address, the status register (which is +the 16th) is never written. +The other problem is, that initializing all registers to zero is not +valid for day, date and month register. Funny enough this is checked by +ds1337_detect(), which depends on this values not being zero. So then +treated by ds1337_init_client() the ds1337 is not detected anymore, +whereas the failure bit in the status register is still set. + +Broken by commit f9e8957937ebf60d22732a5ca9130f48a7603f60 (2.6.16-rc1, +2006-01-06). This fix is in Linus' tree since 2.6.20-rc1 (commit +763d9c046a2e511ec090a8986d3f85edf7448e7e). 
+ +Signed-off-by: Dirk Stieler +Signed-off-by: Dirk Eibach +Signed-off-by: Jean Delvare +Signed-off-by: Chris Wright +--- + drivers/i2c/chips/ds1337.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- linux-2.6.18.6.orig/drivers/i2c/chips/ds1337.c ++++ linux-2.6.18.6/drivers/i2c/chips/ds1337.c +@@ -347,13 +347,19 @@ static void ds1337_init_client(struct i2 + + if ((status & 0x80) || (control & 0x80)) { + /* RTC not running */ +- u8 buf[16]; ++ u8 buf[1+16]; /* First byte is interpreted as address */ + struct i2c_msg msg[1]; + + dev_dbg(&client->dev, "%s: RTC not running!\n", __FUNCTION__); + + /* Initialize all, including STATUS and CONTROL to zero */ + memset(buf, 0, sizeof(buf)); ++ ++ /* Write valid values in the date/time registers */ ++ buf[1+DS1337_REG_DAY] = 1; ++ buf[1+DS1337_REG_DATE] = 1; ++ buf[1+DS1337_REG_MONTH] = 1; ++ + msg[0].addr = client->addr; + msg[0].flags = 0; + msg[0].len = sizeof(buf); diff --git a/queue-2.6.18/ib-mad-fix-race-between-cancel-and-receive-completion.patch b/queue-2.6.18/ib-mad-fix-race-between-cancel-and-receive-completion.patch new file mode 100644 index 00000000000..56987bdc9ab --- /dev/null +++ b/queue-2.6.18/ib-mad-fix-race-between-cancel-and-receive-completion.patch 
@@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Thu Jan 11 11:51:30 2007 +To: stable@kernel.org +From: Roland Dreier +Date: Thu, 11 Jan 2007 11:42:49 -0800 +Message-ID: +Cc: mst@mellanox.co.il, openib-general@openib.org +Subject: IB/mad: Fix race between cancel and receive completion + +When ib_cancel_mad() is called, it puts the canceled send on a list +and schedules a "flushed" callback from process context. However, +this leaves a window where a receive completion could be processed +before the send is fully flushed. + +This is fine, except that ib_find_send_mad() will find the MAD and +return it to the receive processing, which results in the sender +getting both a successful receive and a "flushed" send completion for +the same request. Understandably, this confuses the sender, which is +expecting only one of these two callbacks, and leads to grief such as +a use-after-free in IPoIB. + +Fix this by changing ib_find_send_mad() to return a send struct only +if the status is still successful (and not "flushed"). The search of +the send_list already had this check, so this patch just adds the same +check to the search of the wait_list. + +Signed-off-by: Roland Dreier +Signed-off-by: Chris Wright +--- +This fixes a crash seen in production when switching between IPoIB +interfaces in a HA setup. + + drivers/infiniband/core/mad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.18.6.orig/drivers/infiniband/core/mad.c ++++ linux-2.6.18.6/drivers/infiniband/core/mad.c +@@ -1750,7 +1750,7 @@ ib_find_send_mad(struct ib_mad_agent_pri + */ + (is_direct(wc->recv_buf.mad->mad_hdr.mgmt_class) || + rcv_has_same_gid(mad_agent_priv, wr, wc))) +- return wr; ++ return (wr->status == IB_WC_SUCCESS) ? wr : NULL; + } + + /* diff --git a/queue-2.6.18/series b/queue-2.6.18/series index ce0b7fae377..1151c59a010 100644 --- a/queue-2.6.18/series +++ b/queue-2.6.18/series 
@@ -1,3 +1,7 @@ don-t-leak-nt-bit-into-next-task.patch scsi-add-missing-cdb-clearing-in-scsi_execute.patch ib-srp-fix-fmr-mapping-for-32-bit-kernels-and-addresses-above-4g.patch +i2c-fix-broken-ds1337-initialization.patch +grow_buffers-infinite-loop-fix.patch +hfs_fill_super-returns-success-even-if-no-root-inode.patch +ib-mad-fix-race-between-cancel-and-receive-completion.patch
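Review bot: in the grow_buffers-infinite-loop-fix.patch hunk, grow_buffers() now has a three-way return (negative error, 0, positive) where it previously behaved as a boolean, and only the caller in __getblk_slow() is updated here (`ret = grow_buffers(bdev, block, size); if (ret < 0) return NULL;`); confirm it is the only caller in 2.6.18, because any other caller still written as `if (!grow_buffers(...))` would treat -EIO as success and keep looping, which is exactly the hang being fixed. The detection itself reads correctly: the narrower `index` is widened back and compared against the sector_t `block >> sizebits`, and moving `block = index << sizebits;` below the check means the KERN_ERR line reports the block actually requested rather than the rounded value. Since the description says this path is reachable from a corrupted disk, consider wrapping the printk in `if (printk_ratelimit())` so a bad image cannot flood the log. Minor: "instnatiate" in the description.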
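Review bot: in the hfs_fill_super hunk, the two `res = ...` assignments only remove the NULL dereference if the `bail_no_root` and `bail_iput` labels (outside the hunk) actually `return res;` rather than a constant; please check that, and that `bail_iput` does an iput() on `root_inode`, since -ENOMEM is now returned after a failed d_alloc_root() and the inode obtained from hfs_iget() must not leak on that path. A one-line comment next to `res = -EINVAL;` saying that a missing root record means a malformed image (the trace above shows the trigger is a crafted HFS filesystem) would make the choice of error code clear to the next reader.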
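Review bot: in the ds1337 hunk, buf[0] is the register address byte and is only zero by virtue of the memset() above; since the whole point of resizing to `u8 buf[1+16]` is that the first byte is interpreted as an address, set it explicitly (e.g. `buf[0] = 0;` with a comment, or a register-0 constant if the driver defines one) so the write target does not silently depend on memset(). The existing comment `/* Initialize all, including STATUS and CONTROL to zero */` is now slightly misleading because DAY, DATE and MONTH are set to 1 immediately afterwards; reword it. With sizeof(buf) now 17, `msg[0].len = sizeof(buf)` covers the address byte plus all 16 registers, so the status register at offset 16 is finally written, which matches the description.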
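Review bot: in the ib-mad hunk, `return (wr->status == IB_WC_SUCCESS) ? wr : NULL;` is easy to misread later, since returning NULL on a matched-but-flushed `wr` deliberately ends the search rather than moving on to the next list entry; add a short comment at the return saying that a send whose status is no longer IB_WC_SUCCESS has been cancelled and must not be handed to receive processing, otherwise the sender gets both a receive and a flushed send completion for one request (the use-after-free scenario in the description). The description says the send_list search already carries this check, so it is worth confirming the wait_list and send_list versions now read identically. Note that the "This fixes a crash seen in production" sentence sits below the `---` separator and so will not be kept by git am; move it above if that context should land in history.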
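Review bot: in the series hunk, the four new entries are appended in an order (i2c, grow_buffers, hfs, ib-mad) that differs from the order the patch files appear in this commit; that is harmless here because each patch touches a different file (drivers/i2c/chips/ds1337.c, fs/buffer.c, fs/hfs/super.c, drivers/infiniband/core/mad.c), so there is no application-order dependency, but the two CVE-referenced fixes (grow_buffers: CVE-2006-5757 / CVE-2006-6060; hfs: CVE-2006-6056) would be easier to pick out for a release note if they were listed adjacent to each other.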