From: Chris Wright Date: Mon, 29 Aug 2005 17:36:10 +0000 (-0700) Subject: Add full 2.6.12.6 patch series X-Git-Tag: v2.6.12.6~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=57b019a59796b030a67f3d7feb59493f059ca862;p=thirdparty%2Fkernel%2Fstable-queue.git Add full 2.6.12.6 patch series ---
diff --git a/queue/fix-dst-leak-in-icmp_push_reply.patch b/queue/fix-dst-leak-in-icmp_push_reply.patch
new file mode 100644
index 00000000000..1cf41a8a8db
--- /dev/null
+++ b/queue/fix-dst-leak-in-icmp_push_reply.patch
@@ -0,0 +1,40 @@
+From linux-kernel-owner+chrisw=40osdl.org-S932397AbVHRS7i@vger.kernel.org Thu Aug 18 12:00:13 2005
+Date: Thu, 18 Aug 2005 20:59:37 +0200
+From: Patrick McHardy
+To: Ollie Wild
+CC: linux-kernel@vger.kernel.org, Maillist netdev
+Subject: [IPV4]: Fix DST leak in icmp_push_reply()
+
+Based upon a bug report and initial patch by
+Ollie Wild.
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: "David S. Miller"
+Signed-off-by: Chris Wright
+---
+ net/ipv4/icmp.c | 12 ++++++------
+ 1 files changed, 6 insertions(+), 6 deletions(-)
+
+Index: linux-2.6.12.y/net/ipv4/icmp.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv4/icmp.c
++++ linux-2.6.12.y/net/ipv4/icmp.c
+@@ -349,12 +349,12 @@ static void icmp_push_reply(struct icmp_
+ {
+ struct sk_buff *skb;
+
+- ip_append_data(icmp_socket->sk, icmp_glue_bits, icmp_param,
+- icmp_param->data_len+icmp_param->head_len,
+- icmp_param->head_len,
+- ipc, rt, MSG_DONTWAIT);
+-
+- if ((skb = skb_peek(&icmp_socket->sk->sk_write_queue)) != NULL) {
++ if (ip_append_data(icmp_socket->sk, icmp_glue_bits, icmp_param,
++ icmp_param->data_len+icmp_param->head_len,
++ icmp_param->head_len,
++ ipc, rt, MSG_DONTWAIT) < 0)
++ ip_flush_pending_frames(icmp_socket->sk);
++ else if ((skb = skb_peek(&icmp_socket->sk->sk_write_queue)) != NULL) {
+ struct icmphdr *icmph = skb->h.icmph;
+ unsigned int csum = 0;
+ struct sk_buff *skb1;
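Review bot: In the queued icmp.c change, the new `if (ip_append_data(...) < 0)` branch has an unbraced body while the `else if` that follows opens a braced block, and nothing in the new code says why a failed append needs a flush. Bracing both branches and adding a comment such as `/* append failed: drop whatever is left on the write queue so the references it holds are released */` would make the cleanup intent explicit; that wording is inferred from the patch subject (DST leak) and should be confirmed against ip_flush_pending_frames(). The failure is otherwise silent, so it may be worth deciding whether an error counter belongs on this path. icmp_push_reply() continues past the end of the hunk.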
diff --git a/queue/fix-memory-leak-in-sg.c-seq_file.patch b/queue/fix-memory-leak-in-sg.c-seq_file.patch
new file mode 100644
index 00000000000..74cbe696af3
--- /dev/null
+++ b/queue/fix-memory-leak-in-sg.c-seq_file.patch
@@ -0,0 +1,75 @@
+From linux-kernel-owner+chrisw=40osdl.org-S932372AbVHWUZ3@vger.kernel.org Tue Aug 23 13:25:47 2005
+Date: Tue, 23 Aug 2005 22:25:14 +0200
+From: Jan Blunck
+To: Ingo Oeser
+CC: linux-scsi@vger.kernel.org, Andrew Morton , linux-kernel@vger.kernel.org
+Subject: [PATCH] sg.c: fix a memory leak in devices seq_file implementation (2nd)
+
+I know that scsi procfs is legacy code but this is a fix for a memory leak.
+
+While reading through sg.c I realized that the implementation of
+/proc/scsi/sg/devices with seq_file is leaking memory due to freeing the
+pointer returned by the next() iterator method. Since next() might
+return NULL or an error this is wrong. This patch fixes it through using
+the seq_files private field for holding the reference to the iterator
+object.
+
+Here is a small bash script to trigger the leak. Use slabtop to watch
+the size-32 usage grow and grow.
+
+#!/bin/sh
+
+while true; do
+ cat /proc/scsi/sg/devices > /dev/null
+done
+
+Signed-off-by: Jan Blunck
+Signed-off-by: Chris Wright
+---
+ drivers/scsi/sg.c | 15 ++++++++-------
+ 1 files changed, 8 insertions(+), 7 deletions(-)
+
+Index: linux-2.6.12.y/drivers/scsi/sg.c
+===================================================================
+--- linux-2.6.12.y.orig/drivers/scsi/sg.c
++++ linux-2.6.12.y/drivers/scsi/sg.c
+@@ -2969,23 +2969,22 @@ static void * dev_seq_start(struct seq_f
+ {
+ struct sg_proc_deviter * it = kmalloc(sizeof(*it), GFP_KERNEL);
+
++ s->private = it;
+ if (! it)
+ return NULL;
++
+ if (NULL == sg_dev_arr)
+- goto err1;
++ return NULL;
+ it->index = *pos;
+ it->max = sg_last_dev();
+ if (it->index >= it->max)
+- goto err1;
++ return NULL;
+ return it;
+-err1:
+- kfree(it);
+- return NULL;
+ }
+
+ static void * dev_seq_next(struct seq_file *s, void *v, loff_t *pos)
+ {
+- struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
++ struct sg_proc_deviter * it = s->private;
+
+ *pos = ++it->index;
+ return (it->index < it->max) ? it : NULL;
+@@ -2993,7 +2992,9 @@ static void * dev_seq_next(struct seq_fi
+
+ static void dev_seq_stop(struct seq_file *s, void *v)
+ {
+- kfree (v);
++ struct sg_proc_deviter * it = s->private;
++
++ kfree (it);
+ }
+
+ static int sg_proc_open_dev(struct inode *inode, struct file *file)
diff --git a/queue/genelink-usbnet-skb-typo.patch b/queue/genelink-usbnet-skb-typo.patch
new file mode 100644
index 00000000000..c774c9a6168
--- /dev/null
+++ b/queue/genelink-usbnet-skb-typo.patch
@@ -0,0 +1,30 @@
+From linux-kernel-owner+chrisw=40osdl.org-S1751397AbVHVWiz@vger.kernel.org Mon Aug 22 15:40:19 2005
+Date: Mon, 22 Aug 2005 14:02:39 +0800
+From: lepton
+To: dbrownell@users.sourceforge.net
+Cc: linux-kernel@vger.kernel.org
+Subject: [PATCH] fix gl_skb/skb type error in genelink driver in usbnet
+
+I think there is a type error when port genelink driver to 2.6..
+With this error, a linux host will panic when it link with a windows
+host.
+
+Cc: David Brownell
+Signed-off-by: Chris Wright
+---
+ drivers/usb/net/usbnet.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.12.y/drivers/usb/net/usbnet.c
+===================================================================
+--- linux-2.6.12.y.orig/drivers/usb/net/usbnet.c
++++ linux-2.6.12.y/drivers/usb/net/usbnet.c
+@@ -1922,7 +1922,7 @@ static int genelink_rx_fixup (struct usb
+
+ // copy the packet data to the new skb
+ memcpy(skb_put(gl_skb, size), packet->packet_data, size);
+- skb_return (dev, skb);
++ skb_return (dev, gl_skb);
+ }
+
+ // advance to the next packet
diff --git a/queue/ipsec-socket-policy-use-cap.patch b/queue/ipsec-socket-policy-use-cap.patch
new file mode 100644
index 00000000000..929a1a4ec96
--- /dev/null
+++ b/queue/ipsec-socket-policy-use-cap.patch
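Review bot: In the queued sg.c change, dev_seq_start() now returns NULL on two paths while `it` stays allocated in `s->private`, so the fix depends on dev_seq_stop() running after every start(), including one that returned NULL, and the new code never states that contract. A comment above the assignment, e.g. `/* owned by s->private from here on; freed in dev_seq_stop() even when we return NULL */`, would keep a later edit from reintroducing the leak or a double free. dev_seq_stop() also leaves the freed pointer in `s->private`; adding `s->private = NULL;` after `kfree (it);` is a cheap guard against stale-pointer use if the call order ever changes. dev_seq_next() dereferences `s->private` unchecked, which is safe only while it is reached solely after a non-NULL start().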
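Review bot: In the queued usbnet.c change, the one-word fix in genelink_rx_fixup() is easy to regress because `skb` and `gl_skb` are both live sk_buff pointers at the `skb_return` call and nothing marks which one is handed upstream. A comment on that line, e.g. `// pass the copy up; skb is still being parsed by this loop`, would document the ownership; this reading is inferred from the two context comments, and the loop itself lies outside the hunk. The `memcpy` in the context line copies `size` bytes that appear to come from the received frame, so it is worth confirming that the bound check on `size`, which is not visible here, precedes it.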
@@ -0,0 +1,44 @@
+From foo@baz.com Thu Aug 18 12:00:13 2005
+From: Herbert Xu
+Date: Sat, 6 Aug 2005 13:33:15 +0000 (-0700)
+Subject: [IPSEC] Restrict socket policy loading to CAP_NET_ADMIN - CAN-2005-2555
+
+The interface needs much redesigning if we wish to allow
+normal users to do this in some way.
+
+Signed-off-by: Herbert Xu
+Signed-off-by: "David S. Miller"
+Signed-off-by: Chris Wright
+---
+ net/ipv4/ip_sockglue.c | 3 +++
+ net/ipv6/ipv6_sockglue.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+Index: linux-2.6.12.y/net/ipv4/ip_sockglue.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv4/ip_sockglue.c
++++ linux-2.6.12.y/net/ipv4/ip_sockglue.c
+@@ -848,6 +848,9 @@ mc_msf_out:
+
+ case IP_IPSEC_POLICY:
+ case IP_XFRM_POLICY:
++ err = -EPERM;
++ if (!capable(CAP_NET_ADMIN))
++ break;
+ err = xfrm_user_policy(sk, optname, optval, optlen);
+ break;
+
+Index: linux-2.6.12.y/net/ipv6/ipv6_sockglue.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv6/ipv6_sockglue.c
++++ linux-2.6.12.y/net/ipv6/ipv6_sockglue.c
+@@ -503,6 +503,9 @@ done:
+ break;
+ case IPV6_IPSEC_POLICY:
+ case IPV6_XFRM_POLICY:
++ retv = -EPERM;
++ if (!capable(CAP_NET_ADMIN))
++ break;
+ retv = xfrm_user_policy(sk, optname, optval, optlen);
+ break;
+
diff --git a/queue/ipv6-skb-leak.patch b/queue/ipv6-skb-leak.patch
new file mode 100644
index 00000000000..01e3aa130e8
--- /dev/null
+++ b/queue/ipv6-skb-leak.patch
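Review bot: The CAP_NET_ADMIN check is added in the two setsockopt callers (the IP_IPSEC_POLICY/IP_XFRM_POLICY case in ip_sockglue.c and the IPV6_IPSEC_POLICY/IPV6_XFRM_POLICY case in ipv6_sockglue.c) rather than in xfrm_user_policy() itself, so any other path that reaches that function is not covered by it. If no caller needs unprivileged access, placing `if (!capable(CAP_NET_ADMIN)) return -EPERM;` at the top of xfrm_user_policy() would enforce the rule once; whether other callers exist cannot be seen from these hunks. If the check stays in the callers, a comment such as `/* loading a per-socket policy is restricted to CAP_NET_ADMIN */` on each copy would tie the two together. Both switch statements start and end outside the hunks.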
@@ -0,0 +1,36 @@
+From foo@baz.com Thu Aug 18 12:00:13 2005
+From: Patrick McHardy
+Date: Wed Aug 17 12:04:22 2005 -0700
+Subject: [IPV6]: Fix SKB leak in ip6_input_finish()
+
+Changing it to how ip_input handles should fix it.
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: "David S. Miller"
+Signed-off-by: Chris Wright
+---
+ net/ipv6/ip6_input.c | 9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+Index: linux-2.6.12.y/net/ipv6/ip6_input.c
+===================================================================
+--- linux-2.6.12.y.orig/net/ipv6/ip6_input.c
++++ linux-2.6.12.y/net/ipv6/ip6_input.c
+@@ -198,12 +198,13 @@ resubmit:
+ if (!raw_sk) {
+ if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+ IP6_INC_STATS_BH(IPSTATS_MIB_INUNKNOWNPROTOS);
+- icmpv6_param_prob(skb, ICMPV6_UNK_NEXTHDR, nhoff);
++ icmpv6_send(skb, ICMPV6_PARAMPROB,
++ ICMPV6_UNK_NEXTHDR, nhoff,
++ skb->dev);
+ }
+- } else {
++ } else
+ IP6_INC_STATS_BH(IPSTATS_MIB_INDELIVERS);
+- kfree_skb(skb);
+- }
++ kfree_skb(skb);
+ }
+ rcu_read_unlock();
+ return 0;
diff --git a/queue/nptl-signal-delivery-deadlock-fix.patch b/queue/nptl-signal-delivery-deadlock-fix.patch
new file mode 100644
index 00000000000..f6cc7e101c4
--- /dev/null
+++ b/queue/nptl-signal-delivery-deadlock-fix.patch
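Review bot: In the queued ip6_input.c change, dropping the braces from `} else` leaves a single-statement else directly above the now-unconditional `kfree_skb(skb);`, which is easy to misread as part of the else branch and invites a later edit that frees the skb on only one path again. Keeping the braces (`} else {`, `IP6_INC_STATS_BH(IPSTATS_MIB_INDELIVERS);`, `}`) and adding a comment on the free such as `/* every path through this block consumes the skb */` would make the ownership rule visible. The fix also assumes icmpv6_send() does not itself free the skb, which the hunk implies but does not show. The enclosing function starts and ends outside the hunk.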
@@ -0,0 +1,36 @@
+From linux-kernel-owner+chrisw=40osdl.org-S1751189AbVHQS3c@vger.kernel.org Wed Aug 17 11:30:11 2005
+From: "Bhavesh P. Davda"
+To: linux-kernel@vger.kernel.org, torvalds@osdl.org
+Cc: "Kathleen Glass" , "James E Rhodes"
+Subject: [PATCH] NPTL signal delivery deadlock fix
+
+This bug is quite subtle and only happens in a very interesting
+situation where a real-time threaded process is in the middle of a
+coredump when someone whacks it with a SIGKILL. However, this deadlock
+leaves the system pretty hosed and you have to reboot to recover.
+
+Not good for real-time priority-preemption applications like our
+telephony application, with 90+ real-time (SCHED_FIFO and SCHED_RR)
+processes, many of them multi-threaded, interacting with each other for
+high volume call processing.
+
+Acked-by: Roland McGrath
+Signed-off-by: Linus Torvalds
+Signed-off-by: Chris Wright
+---
+ kernel/signal.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.12.y/kernel/signal.c
+===================================================================
+--- linux-2.6.12.y.orig/kernel/signal.c
++++ linux-2.6.12.y/kernel/signal.c
+@@ -686,7 +686,7 @@ static void handle_stop_signal(int sig,
+ {
+ struct task_struct *t;
+
+- if (p->flags & SIGNAL_GROUP_EXIT)
++ if (p->signal->flags & SIGNAL_GROUP_EXIT)
+ /*
+ * The process is in the middle of dying already.
+ */
diff --git a/queue/series b/queue/series
new file mode 100644
index 00000000000..af33636efde
--- /dev/null
+++ b/queue/series
@@ -0,0 +1,7 @@
+ipsec-socket-policy-use-cap.patch
+nptl-signal-delivery-deadlock-fix.patch
+zlib-revert-broken-change.patch
+fix-dst-leak-in-icmp_push_reply.patch
+genelink-usbnet-skb-typo.patch
+fix-memory-leak-in-sg.c-seq_file.patch
+ipv6-skb-leak.patch
diff --git a/queue/zlib-revert-broken-change.patch b/queue/zlib-revert-broken-change.patch
new file mode 100644
index 00000000000..5c7eb14921a
--- /dev/null
+++ b/queue/zlib-revert-broken-change.patch
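Review bot: In the queued signal.c change, the corrected test in handle_stop_signal() shows that SIGNAL_GROUP_EXIT could be checked against `p->flags` without any compiler complaint, and nothing near the new line records which flag word the constant belongs to. Extending the existing comment with a line such as `SIGNAL_GROUP_EXIT is a p->signal->flags bit, not a p->flags bit` would make the same slip harder to repeat. The new expression dereferences `p->signal`; whether that pointer is guaranteed valid at this point is not visible in the hunk and is worth confirming against the callers. The function body continues outside the hunk.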
@@ -0,0 +1,37 @@
+From plasmaroo@gentoo.org Wed Aug 17 13:19:31 2005
+Date: Wed, 17 Aug 2005 21:19:24 +0100
+Subject: [PATCH] Revert unnecessary zlib_inflate/inftrees.c fix
+
+From: Linus Torvalds
+
+It turns out that empty distance code tables are not an error, and that
+a compressed block with only literals can validly have an empty table
+and should not be flagged as a data error.
+
+Some old versions of gzip had problems with this case, but it does not
+affect the zlib code in the kernel.
+
+Analysis and explanations thanks to Sergey Vlasov
+
+Cc: Sergey Vlasov
+Cc: Tavis Ormandy
+Cc: Tim Yamin
+Signed-off-by: Linus Torvalds
+Signed-off-by: Chris Wright
+---
+ lib/zlib_inflate/inftrees.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.12.y/lib/zlib_inflate/inftrees.c
+===================================================================
+--- linux-2.6.12.y.orig/lib/zlib_inflate/inftrees.c
++++ linux-2.6.12.y/lib/zlib_inflate/inftrees.c
+@@ -141,7 +141,7 @@ static int huft_build(
+ {
+ *t = NULL;
+ *m = 0;
+- return Z_DATA_ERROR;
++ return Z_OK;
+ }
+
+
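Review bot: In the queued inftrees.c change, huft_build() now returns Z_OK with `*t = NULL` and `*m = 0`, so a caller that sees success must cope with a NULL table, and the hunk does not show what the decoder does if a stream with an empty distance table still contains a distance code. A comment at the return, e.g. `/* empty table is valid (literal-only block); caller gets a NULL table and must not index it */`, would document that contract. The inflate paths that consume the table should be confirmed to reject such input with a data error rather than dereference the NULL pointer. The condition guarding this block and the rest of huft_build() are outside the hunk.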