From: chrisw@osdl.org Date: Mon, 21 Mar 2005 22:09:03 +0000 (-0800) Subject: [PATCH] Add ipsec-icmp-deadlock.patch and i2c-fix-oops-in-eeprom-driver.patch X-Git-Tag: v2.6.11.9~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=88ced67e36cd760fbbd6188e9de238be401daa4c;p=thirdparty%2Fkernel%2Fstable-queue.git [PATCH] Add ipsec-icmp-deadlock.patch and i2c-fix-oops-in-eeprom-driver.patch --- diff --git a/queue/i2c-fix-oops-in-eeprom-driver.patch b/queue/i2c-fix-oops-in-eeprom-driver.patch new file mode 100644 index 00000000000..fc0515e280c --- /dev/null +++ b/queue/i2c-fix-oops-in-eeprom-driver.patch @@ -0,0 +1,40 @@ +From stable-bounces@linux.kernel.org Sat Mar 19 01:23:27 2005 +Date: Sat, 19 Mar 2005 10:23:26 +0100 +From: Jean Delvare +To: stable@kernel.org +Cc: +Subject: [PATCH 2.6] I2C: Fix oops in eeprom driver + +This fixes an oops in the eeprom driver. It was first reported here: + http://bugzilla.kernel.org/show_bug.cgi?id=4347 + +It was additionally discussed here (while tracking a completely +different bug): + http://archives.andrew.net.au/lm-sensors/msg30021.html + +The patch is already in 2.6.12-rc1: + http://linux.bkbits.net:8080/linux-2.5/cset@1.2227 + +The oops happens when one reads data from the sysfs interface file such +that (off < 16) and (count < 16 - off). For example "sensors" from +lm_sensors 2.9.0 does this, and causes the oops. + +Signed-off-by: Jean Delvare +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright + +--- linux-2.6.11.4/drivers/i2c/chips/eeprom.c.orig 2005-03-13 10:00:01.000000000 +0100 ++++ linux-2.6.11.4/drivers/i2c/chips/eeprom.c 2005-03-17 19:54:07.000000000 +0100 +@@ -130,7 +130,8 @@ + + /* Hide Vaio security settings to regular users (16 first bytes) */ + if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) { +- int in_row1 = 16 - off; ++ size_t in_row1 = 16 - off; ++ in_row1 = min(in_row1, count); + memset(buf, 0, in_row1); + if (count - in_row1 > 0) + memcpy(buf + in_row1, &data->data[16], count - in_row1); + + diff --git a/queue/ipsec-icmp-deadlock.patch b/queue/ipsec-icmp-deadlock.patch new file mode 100644 index 00000000000..9046d1f1a09 --- /dev/null +++ b/queue/ipsec-icmp-deadlock.patch @@ -0,0 +1,73 @@ +From stable-bounces@linux.kernel.org Sun Mar 20 07:59:10 2005 +Date: Sun, 20 Mar 2005 16:58:50 +0100 +From: Patrick McHardy +To: stable@kernel.org +Cc: +Subject: [IPSEC]: Do not hold state lock while checking size + +This patch from Herbert Xu fixes a deadlock with IPsec. +When an ICMP frag. required is sent and the ICMP message +needs the same SA as the packet that caused it the state +will be locked twice. + +[IPSEC]: Do not hold state lock while checking size. + +This can elicit ICMP message output and thus result in a +deadlock. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +diff -Nru a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c +--- a/net/ipv4/xfrm4_output.c 2005-03-20 16:53:05 +01:00 ++++ b/net/ipv4/xfrm4_output.c 2005-03-20 16:53:05 +01:00 +@@ -103,16 +103,16 @@ + goto error_nolock; + } + +- spin_lock_bh(&x->lock); +- err = xfrm_state_check(x, skb); +- if (err) +- goto error; +- + if (x->props.mode) { + err = xfrm4_tunnel_check_size(skb); + if (err) +- goto error; ++ goto error_nolock; + } ++ ++ spin_lock_bh(&x->lock); ++ err = xfrm_state_check(x, skb); ++ if (err) ++ goto error; + + xfrm4_encap(skb); + +diff -Nru a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c +--- a/net/ipv6/xfrm6_output.c 2005-03-20 16:53:05 +01:00 ++++ b/net/ipv6/xfrm6_output.c 2005-03-20 16:53:05 +01:00 +@@ -103,16 +103,16 @@ + goto error_nolock; + } + +- spin_lock_bh(&x->lock); +- err = xfrm_state_check(x, skb); +- if (err) +- goto error; +- + if (x->props.mode) { + err = xfrm6_tunnel_check_size(skb); + if (err) +- goto error; ++ goto error_nolock; + } ++ ++ spin_lock_bh(&x->lock); ++ err = xfrm_state_check(x, skb); ++ if (err) ++ goto error; + + xfrm6_encap(skb); +