From: Greg Kroah-Hartman Date: Fri, 6 Nov 2009 00:18:28 +0000 (-0800) Subject: more .27 patches X-Git-Tag: v2.6.31.6~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ac4c2f809d58610c416b8c1852a07e9c3b33240f;p=thirdparty%2Fkernel%2Fstable-queue.git more .27 patches --- diff --git a/queue-2.6.27/af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch b/queue-2.6.27/af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch new file mode 100644 index 00000000000..e66f661e630 --- /dev/null +++ b/queue-2.6.27/af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch @@ -0,0 +1,89 @@ +From 77238f2b942b38ab4e7f3aced44084493e4a8675 Mon Sep 17 00:00:00 2001 +From: Tomoki Sekiyama +Date: Sun, 18 Oct 2009 23:17:37 -0700 +Subject: AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621) + +From: Tomoki Sekiyama + +commit 77238f2b942b38ab4e7f3aced44084493e4a8675 upstream. + +I found a deadlock bug in UNIX domain socket, which makes able to DoS +attack against the local machine by non-root users. + +How to reproduce: +1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct + namespace(*), and shutdown(2) it. + 2. Repeat connect(2)ing to the listening socket from the other sockets + until the connection backlog is full-filled. + 3. connect(2) takes the CPU forever. If every core is taken, the + system hangs. + +PoC code: (Run as many times as cores on SMP machines.) + +int main(void) +{ + int ret; + int csd; + int lsd; + struct sockaddr_un sun; + + /* make an abstruct name address (*) */ + memset(&sun, 0, sizeof(sun)); + sun.sun_family = PF_UNIX; + sprintf(&sun.sun_path[1], "%d", getpid()); + + /* create the listening socket and shutdown */ + lsd = socket(AF_UNIX, SOCK_STREAM, 0); + bind(lsd, (struct sockaddr *)&sun, sizeof(sun)); + listen(lsd, 1); + shutdown(lsd, SHUT_RDWR); + + /* connect loop */ + alarm(15); /* forcely exit the loop after 15 sec */ + for (;;) { + csd = socket(AF_UNIX, SOCK_STREAM, 0); + ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun)); + if (-1 == ret) { + perror("connect()"); + break; + } + puts("Connection OK"); + } + return 0; +} + +(*) Make sun_path[0] = 0 to use the abstruct namespace. + If a file-based socket is used, the system doesn't deadlock because + of context switches in the file system layer. + +Why this happens: + Error checks between unix_socket_connect() and unix_wait_for_peer() are + inconsistent. The former calls the latter to wait until the backlog is + processed. Despite the latter returns without doing anything when the + socket is shutdown, the former doesn't check the shutdown state and + just retries calling the latter forever. + +Patch: + The patch below adds shutdown check into unix_socket_connect(), so + connect(2) to the shutdown socket will return -ECONREFUSED. + +Signed-off-by: Tomoki Sekiyama +Signed-off-by: Masanori Yoshida +Cc: Chuck Ebbert +Signed-off-by: David S. Miller + +--- + net/unix/af_unix.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1061,6 +1061,8 @@ restart: + err = -ECONNREFUSED; + if (other->sk_state != TCP_LISTEN) + goto out_unlock; ++ if (other->sk_shutdown & RCV_SHUTDOWN) ++ goto out_unlock; + + if (unix_recvq_full(other)) { + err = -EAGAIN; diff --git a/queue-2.6.27/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch b/queue-2.6.27/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch new file mode 100644 index 00000000000..7acc524973c --- /dev/null +++ b/queue-2.6.27/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch @@ -0,0 +1,206 @@ +From cebbert@redhat.com Thu Nov 5 15:48:56 2009 +From: Arnaldo Carvalho de Melo +Date: Mon, 26 Oct 2009 14:36:45 -0400 +Subject: appletalk: Fix skb leak when ipddp interface is not loaded (CVE-2009-2903) +To: stable@kernel.org +Cc: David Miller +Message-ID: <20091026143645.7022001a@katamari.usersys.redhat.com> + + +From: Arnaldo Carvalho de Melo + +commit ffcfb8db540ff879c2a85bf7e404954281443414 upstream + +appletalk: Fix skb leak when ipddp interface is not loaded + +[ backport to 2.6.27 : Chuck Ebbert +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: David S. Miller +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/appletalk/ipddp.c | 3 -- + net/appletalk/aarp.c | 16 +++++++++----- + net/appletalk/ddp.c | 47 +++++++++++++++++++++--------------------- + 3 files changed, 36 insertions(+), 30 deletions(-) + +--- a/drivers/net/appletalk/ipddp.c ++++ b/drivers/net/appletalk/ipddp.c +@@ -173,8 +173,7 @@ static int ipddp_xmit(struct sk_buff *sk + ((struct net_device_stats *) dev->priv)->tx_packets++; + ((struct net_device_stats *) dev->priv)->tx_bytes+=skb->len; + +- if(aarp_send_ddp(rt->dev, skb, &rt->at, NULL) < 0) +- dev_kfree_skb(skb); ++ aarp_send_ddp(rt->dev, skb, &rt->at, NULL); + + return 0; + } +--- a/net/appletalk/aarp.c ++++ b/net/appletalk/aarp.c +@@ -598,7 +598,7 @@ int aarp_send_ddp(struct net_device *dev + + /* Non ELAP we cannot do. */ + if (dev->type != ARPHRD_ETHER) +- return -1; ++ goto free_it; + + skb->dev = dev; + skb->protocol = htons(ETH_P_ATALK); +@@ -633,7 +633,7 @@ int aarp_send_ddp(struct net_device *dev + if (!a) { + /* Whoops slipped... good job it's an unreliable protocol 8) */ + write_unlock_bh(&aarp_lock); +- return -1; ++ goto free_it; + } + + /* Set up the queue */ +@@ -662,15 +662,21 @@ out_unlock: + write_unlock_bh(&aarp_lock); + + /* Tell the ddp layer we have taken over for this frame. */ +- return 0; ++ goto sent; + + sendit: + if (skb->sk) + skb->priority = skb->sk->sk_priority; +- dev_queue_xmit(skb); ++ if (dev_queue_xmit(skb)) ++ goto drop; + sent: +- return 1; ++ return NET_XMIT_SUCCESS; ++free_it: ++ kfree_skb(skb); ++drop: ++ return NET_XMIT_DROP; + } ++EXPORT_SYMBOL(aarp_send_ddp); + + /* + * An entry in the aarp unresolved queue has become resolved. Send +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1277,8 +1277,10 @@ static int handle_ip_over_ddp(struct sk_ + struct net_device_stats *stats; + + /* This needs to be able to handle ipddp"N" devices */ +- if (!dev) +- return -ENODEV; ++ if (!dev) { ++ kfree_skb(skb); ++ return NET_RX_DROP; ++ } + + skb->protocol = htons(ETH_P_IP); + skb_pull(skb, 13); +@@ -1288,8 +1290,7 @@ static int handle_ip_over_ddp(struct sk_ + stats = dev->priv; + stats->rx_packets++; + stats->rx_bytes += skb->len + 13; +- netif_rx(skb); /* Send the SKB up to a higher place. */ +- return 0; ++ return netif_rx(skb); /* Send the SKB up to a higher place. */ + } + #else + /* make it easy for gcc to optimize this test out, i.e. kill the code */ +@@ -1297,9 +1298,8 @@ static int handle_ip_over_ddp(struct sk_ + #define handle_ip_over_ddp(skb) 0 + #endif + +-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev, +- struct ddpehdr *ddp, __u16 len_hops, +- int origlen) ++static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev, ++ struct ddpehdr *ddp, __u16 len_hops, int origlen) + { + struct atalk_route *rt; + struct atalk_addr ta; +@@ -1366,8 +1366,6 @@ static void atalk_route_packet(struct sk + /* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */ + struct sk_buff *nskb = skb_realloc_headroom(skb, 32); + kfree_skb(skb); +- if (!nskb) +- goto out; + skb = nskb; + } else + skb = skb_unshare(skb, GFP_ATOMIC); +@@ -1376,12 +1374,16 @@ static void atalk_route_packet(struct sk + * If the buffer didn't vanish into the lack of space bitbucket we can + * send it. + */ +- if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1) +- goto free_it; +-out: +- return; ++ if (skb == NULL) ++ goto drop; ++ ++ if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP) ++ return NET_RX_DROP; ++ return NET_XMIT_SUCCESS; + free_it: + kfree_skb(skb); ++drop: ++ return NET_RX_DROP; + } + + /** +@@ -1455,8 +1457,7 @@ static int atalk_rcv(struct sk_buff *skb + /* Not ours, so we route the packet via the correct + * AppleTalk iface + */ +- atalk_route_packet(skb, dev, ddp, len_hops, origlen); +- goto out; ++ return atalk_route_packet(skb, dev, ddp, len_hops, origlen); + } + + /* if IP over DDP is not selected this code will be optimized out */ +@@ -1663,10 +1664,10 @@ static int atalk_sendmsg(struct kiocb *i + if (skb2) { + loopback = 1; + SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk); +- if (aarp_send_ddp(dev, skb2, +- &usat->sat_addr, NULL) == -1) +- kfree_skb(skb2); +- /* else queued/sent above in the aarp queue */ ++ /* ++ * If it fails it is queued/sent above in the aarp queue ++ */ ++ aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL); + } + } + +@@ -1696,9 +1697,10 @@ static int atalk_sendmsg(struct kiocb *i + usat = &gsat; + } + +- if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1) +- kfree_skb(skb); +- /* else queued/sent above in the aarp queue */ ++ /* ++ * If it fails it is queued/sent above in the aarp queue ++ */ ++ aarp_send_ddp(dev, skb, &usat->sat_addr, NULL); + } + SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len); + +@@ -1877,7 +1879,6 @@ static struct packet_type ppptalk_packet + static unsigned char ddp_snap_id[] = { 0x08, 0x00, 0x07, 0x80, 0x9B }; + + /* Export symbols for use by drivers when AppleTalk is a module */ +-EXPORT_SYMBOL(aarp_send_ddp); + EXPORT_SYMBOL(atrtr_get_dev); + EXPORT_SYMBOL(atalk_find_dev_addr); + diff --git a/queue-2.6.27/bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch b/queue-2.6.27/bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch new file mode 100644 index 00000000000..a4a7ab8cd78 --- /dev/null +++ b/queue-2.6.27/bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch @@ -0,0 +1,43 @@ +From d9d5283228d0c752f199c901fff6e1405dc91bcb Mon Sep 17 00:00:00 2001 +From: Jiri Bohac +Date: Wed, 28 Oct 2009 22:23:54 -0700 +Subject: bonding: fix a race condition in calls to slave MII ioctls + +From: Jiri Bohac + +commit d9d5283228d0c752f199c901fff6e1405dc91bcb upstream. + +In mii monitor mode, bond_check_dev_link() calls the the ioctl +handler of slave devices. It stores the ndo_do_ioctl function +pointer to a static (!) ioctl variable and later uses it to call the +handler with the IOCTL macro. + +If another thread executes bond_check_dev_link() at the same time +(even with a different bond, which none of the locks prevent), a +race condition occurs. If the two racing slaves have different +drivers, this may result in one driver's ioctl handler being +called with a pointer to a net_device controlled with a different +driver, resulting in unpredictable breakage. + +Unless I am overlooking something, the "static" must be a +copy'n'paste error (?). + +Signed-off-by: Jiri Bohac +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -686,7 +686,7 @@ static int bond_update_speed_duplex(stru + */ + static int bond_check_dev_link(struct bonding *bond, struct net_device *slave_dev, int reporting) + { +- static int (* ioctl)(struct net_device *, struct ifreq *, int); ++ int (* ioctl)(struct net_device *, struct ifreq *, int); + struct ifreq ifr; + struct mii_ioctl_data *mii; + diff --git a/queue-2.6.27/irda-add-irda_skb_cb-qdisc-related-padding.patch b/queue-2.6.27/irda-add-irda_skb_cb-qdisc-related-padding.patch new file mode 100644 index 00000000000..25b02952e89 --- /dev/null +++ b/queue-2.6.27/irda-add-irda_skb_cb-qdisc-related-padding.patch @@ -0,0 +1,39 @@ +From 69c30e1e7492192f882a3fc11888b320fde5206a Mon Sep 17 00:00:00 2001 +From: Samuel Ortiz +Date: Wed, 17 Dec 2008 15:44:58 -0800 +Subject: irda: Add irda_skb_cb qdisc related padding + +From: Samuel Ortiz + +commit 69c30e1e7492192f882a3fc11888b320fde5206a upstream. + +We need to pad irda_skb_cb in order to keep it safe accross dev_queue_xmit() +calls. This is some ugly and temporary hack triggered by recent qisc code +changes. +Even though it fixes bugzilla.kernel.org bug #11795, it will be replaced by a +proper fix before 2.6.29 is released. + +Signed-off-by: Samuel Ortiz +Signed-off-by: David S. Miller +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/irda/irda_device.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/include/net/irda/irda_device.h ++++ b/include/net/irda/irda_device.h +@@ -135,9 +135,11 @@ struct dongle_reg { + + /* + * Per-packet information we need to hide inside sk_buff +- * (must not exceed 48 bytes, check with struct sk_buff) ++ * (must not exceed 48 bytes, check with struct sk_buff) ++ * The default_qdisc_pad field is a temporary hack. + */ + struct irda_skb_cb { ++ unsigned int default_qdisc_pad; + magic_t magic; /* Be sure that we can trust the information */ + __u32 next_speed; /* The Speed to be set *after* this frame */ + __u16 mtt; /* Minimum turn around time */ diff --git a/queue-2.6.27/kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch b/queue-2.6.27/kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch new file mode 100644 index 00000000000..460d26c4692 --- /dev/null +++ b/queue-2.6.27/kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch @@ -0,0 +1,28 @@ +From 6a54435560efdab1a08f429a954df4d6c740bddf Mon Sep 17 00:00:00 2001 +From: Avi Kivity +Date: Sun, 4 Oct 2009 16:45:13 +0200 +Subject: KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638) + +From: Avi Kivity + +commit 6a54435560efdab1a08f429a954df4d6c740bddf upstream. + +The number of entries is multiplied by the entry size, which can +overflow on 32-bit hosts. Bound the entry count instead. + +Reported-by: David Wagner +Signed-off-by: Avi Kivity +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1591,6 +1591,8 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid, + + if (cpuid->nent < 1) + goto out; ++ if (cpuid->nent > KVM_MAX_CPUID_ENTRIES) ++ cpuid->nent = KVM_MAX_CPUID_ENTRIES; + r = -ENOMEM; + cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent); + if (!cpuid_entries) diff --git a/queue-2.6.27/netlink-fix-typo-in-initialization-cve-2009-3612.patch b/queue-2.6.27/netlink-fix-typo-in-initialization-cve-2009-3612.patch new file mode 100644 index 00000000000..7971612efd9 --- /dev/null +++ b/queue-2.6.27/netlink-fix-typo-in-initialization-cve-2009-3612.patch @@ -0,0 +1,33 @@ +From ad61df918c44316940404891d5082c63e79c256a Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Thu, 8 Oct 2009 01:21:46 -0700 +Subject: netlink: fix typo in initialization (CVE-2009-3612) + +From: Jiri Pirko + +commit ad61df918c44316940404891d5082c63e79c256a upstream. + +Commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8 ("[NETLINK]: Missing +initializations in dumped data") introduced a typo in +initialization. This patch fixes this. + +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/cls_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -337,7 +337,7 @@ static int tcf_fill_node(struct sk_buff + tcm = NLMSG_DATA(nlh); + tcm->tcm_family = AF_UNSPEC; + tcm->tcm__pad1 = 0; +- tcm->tcm__pad1 = 0; ++ tcm->tcm__pad2 = 0; + tcm->tcm_ifindex = qdisc_dev(tp->q)->ifindex; + tcm->tcm_parent = tp->classid; + tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol); diff --git a/queue-2.6.27/nfs-avoid-overrun-when-copying-client-ip-address-string.patch b/queue-2.6.27/nfs-avoid-overrun-when-copying-client-ip-address-string.patch new file mode 100644 index 00000000000..0b95dda411f --- /dev/null +++ b/queue-2.6.27/nfs-avoid-overrun-when-copying-client-ip-address-string.patch @@ -0,0 +1,34 @@ +From f4373bf9e67e4a653c8854acd7b02dac9714c98a Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Tue, 6 Oct 2009 15:42:18 -0400 +Subject: nfs: Avoid overrun when copying client IP address string + +From: Ben Hutchings + +commit f4373bf9e67e4a653c8854acd7b02dac9714c98a upstream. + +As seen in , nfs4_init_client() can +overrun the source string when copying the client IP address from +nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since +these are both treated as null-terminated strings elsewhere, the copy +should be done with strlcpy() not memcpy(). + +Signed-off-by: Ben Hutchings +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -983,7 +983,7 @@ static int nfs4_init_client(struct nfs_c + RPC_CLNT_CREATE_DISCRTRY); + if (error < 0) + goto error; +- memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr)); ++ strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr)); + + error = nfs_idmap_new(clp); + if (error < 0) { diff --git a/queue-2.6.27/nfs-panic-when-commit-fails.patch b/queue-2.6.27/nfs-panic-when-commit-fails.patch new file mode 100644 index 00000000000..0eb4d081d43 --- /dev/null +++ b/queue-2.6.27/nfs-panic-when-commit-fails.patch @@ -0,0 +1,38 @@ +From a8b40bc7e635831b61c43acc71a86d3a68b2dff0 Mon Sep 17 00:00:00 2001 +From: Terry Loftin +Date: Thu, 22 Oct 2009 21:36:01 -0400 +Subject: nfs: Panic when commit fails + +From: Terry Loftin + +commit a8b40bc7e635831b61c43acc71a86d3a68b2dff0 upstream. + +Actually pass the NFS_FILE_SYNC option to the server to avoid a +Panic in nfs_direct_write_complete() when a commit fails. + +At the end of an nfs write, if the nfs commit fails, all the writes +will be rescheduled. They are supposed to be rescheduled as NFS_FILE_SYNC +writes, but the rpc_task structure is not completely intialized and so +the option is not passed. When the rescheduled writes complete, the +return indicates that they are NFS_UNSTABLE and we try to do another +commit. This leads to a Panic because the commit data structure pointer +was set to null in the initial (failed) commit attempt. + +Signed-off-by: Terry Loftin +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/direct.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -454,6 +454,7 @@ static void nfs_direct_write_reschedule( + }; + struct rpc_task_setup task_setup_data = { + .rpc_client = NFS_CLIENT(inode), ++ .rpc_message = &msg, + .callback_ops = &nfs_write_direct_ops, + .workqueue = nfsiod_workqueue, + .flags = RPC_TASK_ASYNC, diff --git a/queue-2.6.27/nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch b/queue-2.6.27/nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch new file mode 100644 index 00000000000..85a4991ca02 --- /dev/null +++ b/queue-2.6.27/nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch @@ -0,0 +1,59 @@ +From 52567b03ca38b6e556ced450d64dba8d66e23b0e Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 23 Oct 2009 14:46:42 -0400 +Subject: NFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE + +From: Trond Myklebust + +commit 52567b03ca38b6e556ced450d64dba8d66e23b0e upstream. + +RFC 3530 states that when we recieve the error NFS4ERR_RESOURCE, we are not +supposed to bump the sequence number on OPEN, LOCK, LOCKU, CLOSE, etc +operations. The problem is that we map that error into EREMOTEIO in the XDR +layer, and so the NFSv4 middle-layer routines like seqid_mutating_err(), +and nfs_increment_seqid() don't recognise it. + +The fix is to defer the mapping until after the middle layers have +processed the error. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 11 ++++++++--- + fs/nfs/nfs4xdr.c | 1 - + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -71,12 +71,17 @@ static int _nfs4_proc_getattr(struct nfs + /* Prevent leaks of NFSv4 errors into userland */ + int nfs4_map_errors(int err) + { +- if (err < -1000) { ++ if (err >= -1000) ++ return err; ++ switch (err) { ++ case -NFS4ERR_RESOURCE: ++ return -EREMOTEIO; ++ default: + dprintk("%s could not handle NFSv4 error %d\n", + __func__, -err); +- return -EIO; ++ break; + } +- return err; ++ return -EIO; + } + + /* +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -4671,7 +4671,6 @@ static struct { + { NFS4ERR_SERVERFAULT, -ESERVERFAULT }, + { NFS4ERR_BADTYPE, -EBADTYPE }, + { NFS4ERR_LOCKED, -EAGAIN }, +- { NFS4ERR_RESOURCE, -EREMOTEIO }, + { NFS4ERR_SYMLINK, -ELOOP }, + { NFS4ERR_OP_ILLEGAL, -EOPNOTSUPP }, + { NFS4ERR_DEADLOCK, -EDEADLK }, diff --git a/queue-2.6.27/nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch b/queue-2.6.27/nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch new file mode 100644 index 00000000000..e2ecfabbe18 --- /dev/null +++ b/queue-2.6.27/nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch @@ -0,0 +1,74 @@ +From d953126a28f97ec965d23c69fd5795854c048f30 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 21 Jul 2009 19:22:38 -0400 +Subject: NFSv4: Fix a problem whereby a buggy server can oops the kernel + +From: Trond Myklebust + +commit d953126a28f97ec965d23c69fd5795854c048f30 upstream. + +We just had a case in which a buggy server occasionally returns the wrong +attributes during an OPEN call. While the client does catch this sort of +condition in nfs4_open_done(), and causes the nfs4_atomic_open() to return +-EISDIR, the logic in nfs_atomic_lookup() is broken, since it causes a +fallback to an ordinary lookup instead of just returning the error. + +When the buggy server then returns a regular file for the fallback lookup, +the VFS allows the open, and bad things start to happen, since the open +file doesn't have any associated NFSv4 state. + +The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and +secondly to ensure that we are always careful when dereferencing the +nfs_open_context state pointer. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1025,12 +1025,12 @@ static struct dentry *nfs_atomic_lookup(struct inode *dir, struct dentry *dentry + res = NULL; + goto out; + /* This turned out not to be a regular file */ +- case -EISDIR: + case -ENOTDIR: + goto no_open; + case -ELOOP: + if (!(nd->intent.open.flags & O_NOFOLLOW)) + goto no_open; ++ /* case -EISDIR: */ + /* case -EINVAL: */ + default: + goto out; +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index df24f67..6917311 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4093,15 +4093,23 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request) + if (request->fl_start < 0 || request->fl_end < 0) + return -EINVAL; + +- if (IS_GETLK(cmd)) +- return nfs4_proc_getlk(state, F_GETLK, request); ++ if (IS_GETLK(cmd)) { ++ if (state != NULL) ++ return nfs4_proc_getlk(state, F_GETLK, request); ++ return 0; ++ } + + if (!(IS_SETLK(cmd) || IS_SETLKW(cmd))) + return -EINVAL; + +- if (request->fl_type == F_UNLCK) +- return nfs4_proc_unlck(state, cmd, request); ++ if (request->fl_type == F_UNLCK) { ++ if (state != NULL) ++ return nfs4_proc_unlck(state, cmd, request); ++ return 0; ++ } + ++ if (state == NULL) ++ return -ENOLCK; + do { + status = nfs4_proc_setlk(state, cmd, request); + if ((status != -EAGAIN) || IS_SETLK(cmd)) diff --git a/queue-2.6.27/nfsv4-kill-nfs4_renewd_prepare_shutdown.patch b/queue-2.6.27/nfsv4-kill-nfs4_renewd_prepare_shutdown.patch new file mode 100644 index 00000000000..a035571287b --- /dev/null +++ b/queue-2.6.27/nfsv4-kill-nfs4_renewd_prepare_shutdown.patch @@ -0,0 +1,50 @@ +From 3050141bae57984dd660e6861632ccf9b8bca77e Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 8 Oct 2009 11:50:55 -0400 +Subject: NFSv4: Kill nfs4_renewd_prepare_shutdown() + +From: Trond Myklebust + +commit 3050141bae57984dd660e6861632ccf9b8bca77e upstream. + +The NFSv4 renew daemon is shared between all active super blocks that refer +to a particular NFS server, so it is wrong to be shutting it down in +nfs4_kill_super every time a super block is destroyed. + +This patch therefore kills nfs4_renewd_prepare_shutdown altogether, and +leaves it up to nfs4_shutdown_client() to also shut down the renew daemon +by means of the existing call to nfs4_kill_renewd(). + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4renewd.c | 6 ------ + fs/nfs/super.c | 1 - + 2 files changed, 7 deletions(-) + +--- a/fs/nfs/nfs4renewd.c ++++ b/fs/nfs/nfs4renewd.c +@@ -125,12 +125,6 @@ nfs4_schedule_state_renewal(struct nfs_c + } + + void +-nfs4_renewd_prepare_shutdown(struct nfs_server *server) +-{ +- cancel_delayed_work(&server->nfs_client->cl_renewd); +-} +- +-void + nfs4_kill_renewd(struct nfs_client *clp) + { + cancel_delayed_work_sync(&clp->cl_renewd); +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2398,7 +2398,6 @@ static void nfs4_kill_super(struct super + nfs_return_all_delegations(sb); + kill_anon_super(sb); + +- nfs4_renewd_prepare_shutdown(server); + nfs_free_server(server); + } + diff --git a/queue-2.6.27/nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch b/queue-2.6.27/nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch new file mode 100644 index 00000000000..2ac0002edba --- /dev/null +++ b/queue-2.6.27/nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch @@ -0,0 +1,29 @@ +From 9a3936aac133037f65124fcb2d676a6c201a90a4 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 26 Oct 2009 08:09:46 -0400 +Subject: NFSv4: The link() operation should return any delegation on the file + +From: Trond Myklebust + +commit 9a3936aac133037f65124fcb2d676a6c201a90a4 upstream. + +Otherwise, we have to wait for the server to recall it. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1526,6 +1526,8 @@ nfs_link(struct dentry *old_dentry, stru + old_dentry->d_parent->d_name.name, old_dentry->d_name.name, + dentry->d_parent->d_name.name, dentry->d_name.name); + ++ nfs_inode_return_delegation(inode); ++ + d_drop(dentry); + error = NFS_PROTO(dir)->link(inode, dir, &dentry->d_name); + if (error == 0) { diff --git a/queue-2.6.27/printk-robustify-printk.patch b/queue-2.6.27/printk-robustify-printk.patch new file mode 100644 index 00000000000..707521bed0c --- /dev/null +++ b/queue-2.6.27/printk-robustify-printk.patch @@ -0,0 +1,94 @@ +From b845b517b5e3706a3729f6ea83b88ab85f0725b0 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Fri, 8 Aug 2008 21:47:09 +0200 +Subject: printk: robustify printk + +From: Peter Zijlstra + +commit b845b517b5e3706a3729f6ea83b88ab85f0725b0 upstream. + +Avoid deadlocks against rq->lock and xtime_lock by deferring the klogd +wakeup by polling from the timer tick. + +Signed-off-by: Peter Zijlstra +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/kernel.h | 4 ++++ + kernel/printk.c | 19 +++++++++++++++++-- + kernel/time/tick-sched.c | 2 +- + kernel/timer.c | 1 + + 4 files changed, 23 insertions(+), 3 deletions(-) + +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -200,6 +200,8 @@ extern struct ratelimit_state printk_rat + extern int printk_ratelimit(void); + extern bool printk_timed_ratelimit(unsigned long *caller_jiffies, + unsigned int interval_msec); ++extern void printk_tick(void); ++extern int printk_needs_cpu(int); + #else + static inline int vprintk(const char *s, va_list args) + __attribute__ ((format (printf, 1, 0))); +@@ -211,6 +213,8 @@ static inline int printk_ratelimit(void) + static inline bool printk_timed_ratelimit(unsigned long *caller_jiffies, \ + unsigned int interval_msec) \ + { return false; } ++static inline void printk_tick(void) { } ++static inline int printk_needs_cpu(int) { return 0; } + #endif + + extern void asmlinkage __attribute__((format(printf, 1, 2))) +--- a/kernel/printk.c ++++ b/kernel/printk.c +@@ -977,10 +977,25 @@ int is_console_locked(void) + return console_locked; + } + +-void wake_up_klogd(void) ++static DEFINE_PER_CPU(int, printk_pending); ++ ++void printk_tick(void) + { +- if (!oops_in_progress && waitqueue_active(&log_wait)) ++ if (__get_cpu_var(printk_pending)) { ++ __get_cpu_var(printk_pending) = 0; + wake_up_interruptible(&log_wait); ++ } ++} ++ ++int printk_needs_cpu(int cpu) ++{ ++ return per_cpu(printk_pending, cpu); ++} ++ ++void wake_up_klogd(void) ++{ ++ if (waitqueue_active(&log_wait)) ++ __get_cpu_var(printk_pending) = 1; + } + + /** +--- a/kernel/timer.c ++++ b/kernel/timer.c +@@ -978,6 +978,7 @@ void update_process_times(int user_tick) + run_local_timers(); + if (rcu_pending(cpu)) + rcu_check_callbacks(cpu, user_tick); ++ printk_tick(); + scheduler_tick(); + run_posix_cpu_timers(p); + } +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -261,7 +261,7 @@ void tick_nohz_stop_sched_tick(int inidl + next_jiffies = get_next_timer_interrupt(last_jiffies); + delta_jiffies = next_jiffies - last_jiffies; + +- if (rcu_needs_cpu(cpu)) ++ if (rcu_needs_cpu(cpu) || printk_needs_cpu(cpu)) + delta_jiffies = 1; + /* + * Do not stop the tick, if we are only one off diff --git a/queue-2.6.27/series b/queue-2.6.27/series index 8754b3d1eef..0fb8d9940b8 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -13,3 +13,16 @@ ray_cs-fix-copy_from_user-handling.patch revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch tty-mark-generic_serial-users-as-broken.patch x86-64-fix-register-leak-in-32-bit-syscall-audting.patch +af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch +appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch +netlink-fix-typo-in-initialization-cve-2009-3612.patch +kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch +irda-add-irda_skb_cb-qdisc-related-padding.patch +nfs-panic-when-commit-fails.patch +nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch +nfs-avoid-overrun-when-copying-client-ip-address-string.patch +nfsv4-kill-nfs4_renewd_prepare_shutdown.patch +nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch +nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch +printk-robustify-printk.patch +bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch