From: Greg Kroah-Hartman
Date: Mon, 23 Aug 2010 22:01:38 +0000 (-0700)
Subject: .32 patches
X-Git-Tag: v2.6.32.21~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f777e3635a3a43203d440caa60f4e2a48e69271a;p=thirdparty%2Fkernel%2Fstable-queue.git
.32 patches
---
diff --git a/queue-2.6.32/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch b/queue-2.6.32/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
new file mode 100644
index 00000000000..37b8fb4c162
--- /dev/null
+++ b/queue-2.6.32/act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch
@@ -0,0 +1,32 @@
+From a8cd2f16f11cd3cb6fb8d38bf1928ef01413d861 Mon Sep 17 00:00:00 2001
+From: Changli Gao
+Date: Thu, 29 Jul 2010 14:04:18 +0000
+Subject: act_nat: the checksum of ICMP doesn't have pseudo header
+
+
+From: Changli Gao
+
+[ Upstream commit 3a3dfb062c2e086c202d34f09ce29634515ad256 ]
+
+after updating the value of the ICMP payload, inet_proto_csum_replace4() should
+be called with zero pseudohdr.
+
+Signed-off-by: Changli Gao
+Acked-by: Herbert Xu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_nat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -240,7 +240,7 @@ static int tcf_nat(struct sk_buff *skb,
+ iph->saddr = new_addr;
+
+ inet_proto_csum_replace4(&icmph->checksum, skb, addr, new_addr,
+- 1);
++ 0);
+ break;
+ }
+ default:
diff --git a/queue-2.6.32/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch b/queue-2.6.32/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
new file mode 100644
index 00000000000..d2f0b629e79
--- /dev/null
+++ b/queue-2.6.32/can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
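Review bot: The bare `0` passed as the last argument of inet_proto_csum_replace4() in the ICMP branch of tcf_nat() gives no hint of what the argument means, and an unexplained literal flag is how the earlier `1` went unnoticed. A comment directly above the call would pin the reason, e.g. `/* ICMP checksum does not cover a pseudo header */`. The rest of tcf_nat() lies outside the hunk, so the flag passed by the other protocol branches cannot be checked from here.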
@@ -0,0 +1,159 @@
+From 53efbdbb8de2b77bf00819ae2db48aa6e0443484 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Wed, 11 Aug 2010 16:12:35 -0700
+Subject: can: add limit for nframes and clean up signed/unsigned variables
+
+
+From: Oliver Hartkopp
+
+[ Upstream commit 5b75c4973ce779520b9d1e392483207d6f842cde ]
+
+This patch adds a limit for nframes as the number of frames in TX_SETUP and
+RX_SETUP are derived from a single byte multiplex value by default.
+Use-cases that would require to send/filter more than 256 CAN frames should
+be implemented in userspace for complexity reasons anyway.
+
+Additionally the assignments of unsigned values from userspace to signed
+values in kernelspace and vice versa are fixed by using unsigned values in
+kernelspace consistently.
+
+Signed-off-by: Oliver Hartkopp
+Reported-by: Ben Hawkes
+Acked-by: Urs Thuermann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/bcm.c | 41 +++++++++++++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 14 deletions(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -59,6 +59,13 @@
+ #include
+ #include
+
++/*
++ * To send multiple CAN frame content within TX_SETUP or to filter
++ * CAN messages with multiplex index within RX_SETUP, the number of
++ * different filters is limited to 256 due to the one byte index value.
++ */
++#define MAX_NFRAMES 256
++
+ /* use of last_frames[index].can_dlc */
+ #define RX_RECV 0x40 /* received data for this element */
+ #define RX_THR 0x80 /* element not been sent due to throttle feature */
+@@ -88,16 +95,16 @@ struct bcm_op {
+ struct list_head list;
+ int ifindex;
+ canid_t can_id;
+- int flags;
++ u32 flags;
+ unsigned long frames_abs, frames_filtered;
+ struct timeval ival1, ival2;
+ struct hrtimer timer, thrtimer;
+ struct tasklet_struct tsklet, thrtsklet;
+ ktime_t rx_stamp, kt_ival1, kt_ival2, kt_lastmsg;
+ int rx_ifindex;
+- int count;
+- int nframes;
+- int currframe;
++ u32 count;
++ u32 nframes;
++ u32 currframe;
+ struct can_frame *frames;
+ struct can_frame *last_frames;
+ struct can_frame sframe;
+@@ -174,7 +181,7 @@ static int bcm_proc_show(struct seq_file
+
+ seq_printf(m, "rx_op: %03X %-5s ",
+ op->can_id, bcm_proc_getifname(ifname, op->ifindex));
+- seq_printf(m, "[%d]%c ", op->nframes,
++ seq_printf(m, "[%u]%c ", op->nframes,
+ (op->flags & RX_CHECK_DLC)?'d':' ');
+ if (op->kt_ival1.tv64)
+ seq_printf(m, "timeo=%lld ",
+@@ -197,7 +204,7 @@ static int bcm_proc_show(struct seq_file
+
+ list_for_each_entry(op, &bo->tx_ops, list) {
+
+- seq_printf(m, "tx_op: %03X %s [%d] ",
++ seq_printf(m, "tx_op: %03X %s [%u] ",
+ op->can_id,
+ bcm_proc_getifname(ifname, op->ifindex),
+ op->nframes);
+@@ -282,7 +289,7 @@ static void bcm_send_to_user(struct bcm_
+ struct can_frame *firstframe;
+ struct sockaddr_can *addr;
+ struct sock *sk = op->sk;
+- int datalen = head->nframes * CFSIZ;
++ unsigned int datalen = head->nframes * CFSIZ;
+ int err;
+
+ skb = alloc_skb(sizeof(*head) + datalen, gfp_any());
+@@ -467,7 +474,7 @@ rx_changed_settime:
+ * bcm_rx_cmp_to_index - (bit)compares the currently received data to formerly
+ * received data stored in op->last_frames[]
+ */
+-static void bcm_rx_cmp_to_index(struct bcm_op *op, int index,
++static void bcm_rx_cmp_to_index(struct bcm_op *op, unsigned int index,
+ const struct can_frame *rxdata)
+ {
+ /*
+@@ -553,7 +560,8 @@ static enum hrtimer_restart bcm_rx_timeo
+ /*
+ * bcm_rx_do_flush - helper for bcm_rx_thr_flush
+ */
+-static inline int bcm_rx_do_flush(struct bcm_op *op, int update, int index)
++static inline int bcm_rx_do_flush(struct bcm_op *op, int update,
++ unsigned int index)
+ {
+ if ((op->last_frames) && (op->last_frames[index].can_dlc & RX_THR)) {
+ if (update)
+@@ -574,7 +582,7 @@ static int bcm_rx_thr_flush(struct bcm_o
+ int updated = 0;
+
+ if (op->nframes > 1) {
+- int i;
++ unsigned int i;
+
+ /* for MUX filter we start at index 1 */
+ for (i = 1; i < op->nframes; i++)
+@@ -623,7 +631,7 @@ static void bcm_rx_handler(struct sk_buf
+ {
+ struct bcm_op *op = (struct bcm_op *)data;
+ const struct can_frame *rxframe = (struct can_frame *)skb->data;
+- int i;
++ unsigned int i;
+
+ /* disable timeout */
+ hrtimer_cancel(&op->timer);
+@@ -823,14 +831,15 @@ static int bcm_tx_setup(struct bcm_msg_h
+ {
+ struct bcm_sock *bo = bcm_sk(sk);
+ struct bcm_op *op;
+- int i, err;
++ unsigned int i;
++ int err;
+
+ /* we need a real device to send frames */
+ if (!ifindex)
+ return -ENODEV;
+
+- /* we need at least one can_frame */
+- if (msg_head->nframes < 1)
++ /* check nframes boundaries - we need at least one can_frame */
++ if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ return -EINVAL;
+
+ /* check the given can_id */
+@@ -994,6 +1003,10 @@ static int bcm_rx_setup(struct bcm_msg_h
+ msg_head->nframes = 0;
+ }
+
++ /* the first element contains the mux-mask => MAX_NFRAMES + 1 */
++ if (msg_head->nframes > MAX_NFRAMES + 1)
++ return -EINVAL;
++
+ if ((msg_head->flags & RX_RTR_FRAME) &&
+ ((msg_head->nframes != 1) ||
+ (!(msg_head->can_id & CAN_RTR_FLAG))))
diff --git a/queue-2.6.32/isdn-fix-information-leak.patch b/queue-2.6.32/isdn-fix-information-leak.patch
new file mode 100644
index 00000000000..f31a499c123
--- /dev/null
+++ b/queue-2.6.32/isdn-fix-information-leak.patch
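Review bot: In bcm_send_to_user() the product `head->nframes * CFSIZ` is still computed with no local bound and then added to `sizeof(*head)` for alloc_skb(); it appears safe only because bcm_tx_setup() and bcm_rx_setup() now reject nframes above MAX_NFRAMES and MAX_NFRAMES + 1. That dependency deserves a comment at the multiplication, e.g. `/* nframes <= MAX_NFRAMES + 1, enforced in bcm_tx_setup()/bcm_rx_setup() */`, so a later caller that builds a head elsewhere does not reintroduce the wrap. The allocations sized from the userspace-supplied nframes inside the two setup functions are outside the hunks shown; they should be confirmed to sit after the new checks. The same comment would help at bcm_rx_do_flush(), which indexes `op->last_frames[index]` and relies on its caller's loop bound.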
@@ -0,0 +1,67 @@
+From d8be78ce534e6546d3c4d0d78e6b98c72d1bf470 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 4 Aug 2010 23:38:06 +0000
+Subject: isdn: fix information leak
+
+
+From: Dan Carpenter
+
+[ Upstream commit 4b030d4288a569d6bdeca884d7f102d951f097f2 ]
+
+The main motivation of this patch changing strcpy() to strlcpy().
+We strcpy() to copy a 48 byte buffers into a 49 byte buffers. So at
+best the last byte has leaked information, or maybe there is an
+overflow? Anyway, this patch closes the information leaks by zeroing
+the memory and the calls to strlcpy() prevent overflows.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/sc/ioctl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/isdn/sc/ioctl.c
++++ b/drivers/isdn/sc/ioctl.c
+@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+ pr_debug("%s: SCIOGETSPID: ioctl received\n",
+ sc_adapter[card]->devicename);
+
+- spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
++ spid = kzalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
+ if (!spid) {
+ kfree(rcvmsg);
+ return -ENOMEM;
+@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+ kfree(rcvmsg);
+ return status;
+ }
+- strcpy(spid, rcvmsg->msg_data.byte_array);
++ strlcpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE);
+
+ /*
+ * Package the switch type and send to user space
+@@ -272,12 +272,12 @@ int sc_ioctl(int card, scs_ioctl *data)
+ return status;
+ }
+
+- dn = kmalloc(SCIOC_DNSIZE, GFP_KERNEL);
++ dn = kzalloc(SCIOC_DNSIZE, GFP_KERNEL);
+ if (!dn) {
+ kfree(rcvmsg);
+ return -ENOMEM;
+ }
+- strcpy(dn, rcvmsg->msg_data.byte_array);
++ strlcpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE);
+ kfree(rcvmsg);
+
+ /*
+@@ -348,7 +348,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+ pr_debug("%s: SCIOSTAT: ioctl received\n",
+ sc_adapter[card]->devicename);
+
+- bi = kmalloc (sizeof(boardInfo), GFP_KERNEL);
++ bi = kzalloc(sizeof(boardInfo), GFP_KERNEL);
+ if (!bi) {
+ kfree(rcvmsg);
+ return -ENOMEM;
diff --git a/queue-2.6.32/net-fix-a-memmove-bug-in-dev_gro_receive.patch b/queue-2.6.32/net-fix-a-memmove-bug-in-dev_gro_receive.patch
new file mode 100644
index 00000000000..c9d7bbed5d4
--- /dev/null
+++ b/queue-2.6.32/net-fix-a-memmove-bug-in-dev_gro_receive.patch
@@ -0,0 +1,41 @@
+From a8d23973cdb1b7a67774a1a649e22d72a02b97e1 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski
+Date: Wed, 11 Aug 2010 02:02:10 +0000
+Subject: net: Fix a memmove bug in dev_gro_receive()
+
+
+From: Jarek Poplawski
+
+[ Upstream commit e5093aec2e6b60c3df2420057ffab9ed4a6d2792 ]
+
+>Xin Xiaohui wrote:
+> I looked into the code dev_gro_receive(), found the code here:
+> if the frags[0] is pulled to 0, then the page will be released,
+> and memmove() frags left.
+> Is that right? I'm not sure if memmove do right or not, but
+> frags[0].size is never set after memove at least. what I think
+> a simple way is not to do anything if we found frags[0].size == 0.
+> The patch is as followed.
+...
+
+This version of the patch fixes the bug directly in memmove.
+
+Reported-by: "Xin, Xiaohui"
+Signed-off-by: Jarek Poplawski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2519,7 +2519,7 @@ pull:
+ put_page(skb_shinfo(skb)->frags[0].page);
+ memmove(skb_shinfo(skb)->frags,
+ skb_shinfo(skb)->frags + 1,
+- --skb_shinfo(skb)->nr_frags);
++ --skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t));
+ }
+ }
+
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index c4adff55ff2..88e38eb714d 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
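Review bot: strlcpy() bounds the write but not the read, because it walks the source to its terminating NUL to compute its return value. If `rcvmsg->msg_data.byte_array` can arrive without a terminator (the commit message describes a 48-byte buffer copied into a 49-byte one), both new calls in sc_ioctl() can still read past the source. With the destinations now zeroed by kzalloc(), a copy limited on both sides is possible: `strncpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE - 1);` and likewise `strncpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE - 1);`, which stop at the first NUL and leave the last byte zero. This assumes byte_array holds at least that many bytes; its declaration is outside the hunks and should be checked.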
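Review bot: The length argument `--skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)` still buries the decrement of nr_frags inside the size expression, which is what made the missing element size easy to overlook in the first place. Splitting the side effect out reads more plainly: put `skb_shinfo(skb)->nr_frags--;` on its own line after put_page() and pass `skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)` to memmove(). The enclosing block under the `pull:` label starts outside the hunk, so the condition that guarantees nr_frags is at least 1 before the decrement is not visible here.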
@@ -31,3 +31,7 @@ sunxvr500-ignore-secondary-output-pci-devices.patch
 sparc64-add-missing-id-to-parport-probing-code.patch
 sparc64-fix-rwsem-constant-bug-leading-to-hangs.patch
 sparc64-fix-atomic64_t-routine-return-values.patch
+net-fix-a-memmove-bug-in-dev_gro_receive.patch
+can-add-limit-for-nframes-and-clean-up-signed-unsigned-variables.patch
+isdn-fix-information-leak.patch
+act_nat-the-checksum-of-icmp-doesn-t-have-pseudo-header.patch