From: Greg Kroah-Hartman Date: Fri, 22 Oct 2010 16:53:08 +0000 (-0700) Subject: .27 patches X-Git-Tag: v2.6.27.55~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45ee9c6a291adcbc86ec01e60de9dd54d43eb538;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches
---
diff --git a/queue-2.6.27/b44-fix-carrier-detection-on-bind.patch b/queue-2.6.27/b44-fix-carrier-detection-on-bind.patch
new file mode 100644
index 00000000000..68bcff84697
--- /dev/null
+++ b/queue-2.6.27/b44-fix-carrier-detection-on-bind.patch
@@ -0,0 +1,41 @@
+From bcf64aa379fcadd074449cbf0c049da70071b06f Mon Sep 17 00:00:00 2001
+From: Paul Fertser
+Date: Mon, 11 Oct 2010 15:45:35 -0700
+Subject: b44: fix carrier detection on bind
+
+From: Paul Fertser
+
+commit bcf64aa379fcadd074449cbf0c049da70071b06f upstream.
+
+For carrier detection to work properly when binding the driver with a cable
+unplugged, netif_carrier_off() should be called after register_netdev(),
+not before.
+
+Signed-off-by: Paul Fertser
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/b44.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/b44.c
++++ b/drivers/net/b44.c
+@@ -2164,8 +2164,6 @@ static int __devinit b44_init_one(struct
+ dev->irq = sdev->irq;
+ SET_ETHTOOL_OPS(dev, &b44_ethtool_ops);
+
+- netif_carrier_off(dev);
+-
+ err = ssb_bus_powerup(sdev->bus, 0);
+ if (err) {
+ dev_err(sdev->dev,
+@@ -2205,6 +2203,8 @@ static int __devinit b44_init_one(struct
+ goto err_out_powerdown;
+ }
+
++ netif_carrier_off(dev);
++
+ ssb_set_drvdata(sdev, dev);
+
+ /* Chip reset provides power to the b44 MAC & PCI cores, which
diff --git a/queue-2.6.27/execve-improve-interactivity-with-large-arguments.patch b/queue-2.6.27/execve-improve-interactivity-with-large-arguments.patch
new file mode 100644
index 00000000000..4c917d7bc11
--- /dev/null
+++ b/queue-2.6.27/execve-improve-interactivity-with-large-arguments.patch
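Review bot: In queue-2.6.27/b44-fix-carrier-detection-on-bind.patch, the relocated `netif_carrier_off(dev);` in the second inner hunk of b44_init_one() has no comment saying its position is deliberate, so a later tidy-up could move it back up among the other `dev` setup lines. The commit text says it has to run after register_netdev(), but that call lies outside the hunk context, so the ordering cannot be confirmed from this page. I would add `/* must stay after register_netdev(), or carrier detection fails when binding with the cable unplugged */` directly above the call.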
@@ -0,0 +1,40 @@
+From 7993bc1f4663c0db67bb8f0d98e6678145b387cd Mon Sep 17 00:00:00 2001
+From: Roland McGrath
+Date: Tue, 7 Sep 2010 19:36:28 -0700
+Subject: execve: improve interactivity with large arguments
+
+From: Roland McGrath
+
+commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd upstream.
+
+This adds a preemption point during the copying of the argument and
+environment strings for execve, in copy_strings(). There is already
+a preemption point in the count() loop, so this doesn't add any new
+points in the abstract sense.
+
+When the total argument+environment strings are very large, the time
+spent copying them can be much more than a normal user time slice.
+So this change improves the interactivity of the rest of the system
+when one process is doing an execve with very large arguments.
+
+Signed-off-by: Roland McGrath
+Reviewed-by: KOSAKI Motohiro
+Signed-off-by: Linus Torvalds
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/exec.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -436,6 +436,8 @@ static int copy_strings(int argc, char _
+ while (len > 0) {
+ int offset, bytes_to_copy;
+
++ cond_resched();
++
+ offset = pos % PAGE_SIZE;
+ if (offset == 0)
+ offset = PAGE_SIZE;
diff --git a/queue-2.6.27/execve-make-responsive-to-sigkill-with-large-arguments.patch b/queue-2.6.27/execve-make-responsive-to-sigkill-with-large-arguments.patch
new file mode 100644
index 00000000000..55fdd1f239b
--- /dev/null
+++ b/queue-2.6.27/execve-make-responsive-to-sigkill-with-large-arguments.patch
@@ -0,0 +1,54 @@
+From 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 Mon Sep 17 00:00:00 2001
+From: Roland McGrath
+Date: Tue, 7 Sep 2010 19:37:06 -0700
+Subject: execve: make responsive to SIGKILL with large arguments
+
+From: Roland McGrath
+
+commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 upstream.
+
+An execve with a very large total of argument/environment strings
+can take a really long time in the execve system call. It runs
+uninterruptibly to count and copy all the strings. This change
+makes it abort the exec quickly if sent a SIGKILL.
+
+Note that this is the conservative change, to interrupt only for
+SIGKILL, by using fatal_signal_pending(). It would be perfectly
+correct semantics to let any signal interrupt the string-copying in
+execve, i.e. use signal_pending() instead of fatal_signal_pending().
+We'll save that change for later, since it could have user-visible
+consequences, such as having a timer set too quickly make it so that
+an execve can never complete, though it always happened to work before.
+
+Signed-off-by: Roland McGrath
+Reviewed-by: KOSAKI Motohiro
+Cc: Chuck Ebbert
+Signed-off-by: Linus Torvalds
+
+---
+ fs/exec.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -393,6 +393,9 @@ static int count(char __user * __user *
+ argv++;
+ if(++i > max)
+ return -E2BIG;
++
++ if (fatal_signal_pending(current))
++ return -ERESTARTNOHAND;
+ cond_resched();
+ }
+ }
+@@ -436,6 +439,10 @@ static int copy_strings(int argc, char _
+ while (len > 0) {
+ int offset, bytes_to_copy;
+
++ if (fatal_signal_pending(current)) {
++ ret = -ERESTARTNOHAND;
++ goto out;
++ }
+ cond_resched();
+
+ offset = pos % PAGE_SIZE;
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index d154ff977f3..407c41680bd 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
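Review bot: In execve-make-responsive-to-sigkill-with-large-arguments.patch, both new checks hand back `-ERESTARTNOHAND`, a kernel-internal restart code, and nothing in count() or copy_strings() records why that value is acceptable here. It is presumably safe only because fatal_signal_pending() is true solely when the task is about to be killed and so never returns to user mode; a comment such as `/* fatal signal pending: the task dies before this value can reach user space */` above each check would keep that assumption visible if the test is later widened to signal_pending(), as the description anticipates. The copy_strings() path jumps to `out`, which is outside the hunk, so the cleanup performed there in the 2.6.27 tree should be confirmed before queuing. This is also the only one of the four queued patches without a `Signed-off-by: Greg Kroah-Hartman` trailer.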
@@ -11,3 +11,7 @@ r6040-fix-r6040_multicast_list.patch
 r6040-fix-multicast-list-iteration-when-hash-filter-is-used.patch
 powerpc-initialise-paca-kstack-before-early_setup_secondary.patch
 powerpc-don-t-use-kernel-stack-with-translation-off.patch
+b44-fix-carrier-detection-on-bind.patch
+setup_arg_pages-diagnose-excessive-argument-size.patch
+execve-improve-interactivity-with-large-arguments.patch
+execve-make-responsive-to-sigkill-with-large-arguments.patch
diff --git a/queue-2.6.27/setup_arg_pages-diagnose-excessive-argument-size.patch b/queue-2.6.27/setup_arg_pages-diagnose-excessive-argument-size.patch
new file mode 100644
index 00000000000..fd4f03c677d
--- /dev/null
+++ b/queue-2.6.27/setup_arg_pages-diagnose-excessive-argument-size.patch
@@ -0,0 +1,46 @@
+From 1b528181b2ffa14721fb28ad1bd539fe1732c583 Mon Sep 17 00:00:00 2001
+From: Roland McGrath
+Date: Tue, 7 Sep 2010 19:35:49 -0700
+Subject: setup_arg_pages: diagnose excessive argument size
+
+From: Roland McGrath
+
+commit 1b528181b2ffa14721fb28ad1bd539fe1732c583 upstream.
+
+The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
+check the size of the argument/environment area on the stack.
+When it is unworkably large, shift_arg_pages() hits its BUG_ON.
+This is exploitable with a very large RLIMIT_STACK limit, to
+create a crash pretty easily.
+
+Check that the initial stack is not too large to make it possible
+to map in any executable. We're not checking that the actual
+executable (or intepreter, for binfmt_elf) will fit. So those
+mappings might clobber part of the initial stack mapping. But
+that is just userland lossage that userland made happen, not a
+kernel problem.
+
+Signed-off-by: Roland McGrath
+Reviewed-by: KOSAKI Motohiro
+Signed-off-by: Linus Torvalds
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/exec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -608,6 +608,11 @@ int setup_arg_pages(struct linux_binprm
+ #else
+ stack_top = arch_align_stack(stack_top);
+ stack_top = PAGE_ALIGN(stack_top);
++
++ if (unlikely(stack_top < mmap_min_addr) ||
++ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
++ return -ENOMEM;
++
+ stack_shift = vma->vm_end - stack_top;
+
+ bprm->p -= stack_shift;
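Review bot: In setup_arg_pages-diagnose-excessive-argument-size.patch, the second operand `stack_top - mmap_min_addr` is only meaningful because the `stack_top < mmap_min_addr` test comes first and short-circuits. If the two tests were swapped or merged, the subtraction would wrap (assuming both values are unsigned long, which the hunk does not show) and the size comparison would stop rejecting oversized stacks. A one-line comment above the `if`, e.g. `/* order matters: the first test keeps stack_top - mmap_min_addr from wrapping */`, would protect the guard. The new `return -ENOMEM;` leaves the function directly and the rest of setup_arg_pages() is outside the hunk, so it should be confirmed for the 2.6.27 tree that no lock is held at this point and that mmap_min_addr is visible to fs/exec.c in every configuration.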