From 1583c56666a20fe3960ff1087ac3187b7ccb590c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 2 Nov 2007 10:52:19 -0700
Subject: [PATCH] more 2.6.23 patches added
---
 ...ecking-of-userspace-object-ownership.patch | 45 ++++++++++
 ...ixfs-printks-on-corrupted-dir-i_size.patch | 76 ++++++++++++++++
 ...am_sysfs_builtin-memchr-argument-fix.patch | 89 +++++++++++++++++++
 queue-2.6.23/series | 4 +
 .../x86-fix-global_flush_tlb-bug.patch | 70 +++++++++++++++
 5 files changed, 284 insertions(+)
 create mode 100644 queue-2.6.23/ib-uverbs-fix-checking-of-userspace-object-ownership.patch
 create mode 100644 queue-2.6.23/minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch
 create mode 100644 queue-2.6.23/param_sysfs_builtin-memchr-argument-fix.patch
 create mode 100644 queue-2.6.23/x86-fix-global_flush_tlb-bug.patch
diff --git a/queue-2.6.23/ib-uverbs-fix-checking-of-userspace-object-ownership.patch b/queue-2.6.23/ib-uverbs-fix-checking-of-userspace-object-ownership.patch
new file mode 100644
index 00000000000..d437ecd52c0
--- /dev/null
+++ b/queue-2.6.23/ib-uverbs-fix-checking-of-userspace-object-ownership.patch
@@ -0,0 +1,45 @@
+From stable-bounces@linux.kernel.org Sun Oct 28 10:15:04 2007
+From: Roland Dreier
+Date: Sun, 28 Oct 2007 10:14:32 -0700
+Subject: IB/uverbs: Fix checking of userspace object ownership
+To: stable@kernel.org
+Message-ID:
+
+From: Roland Dreier
+
+Upstream as cbfb50e6e2e9c580848c0f51d37c24cdfb1cb704
+
+Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex")
+rewrote how userspace objects are looked up in the uverbs module's
+idrs, and introduced a severe bug in the process: there is no checking
+that an operation is being performed by the right process any more.
+Fix this by adding the missing check of uobj->context in __idr_get_uobj().
+
+Apparently everyone is being very careful to only touch their own
+objects, because this bug was introduced in June 2006 in 2.6.18, and
+has gone undetected until now.
+
+Signed-off-by: Roland Dreier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/uverbs_cmd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -147,8 +147,12 @@ static struct ib_uobject *__idr_get_uobj
+ 
+ spin_lock(&ib_uverbs_idr_lock);
+ uobj = idr_find(idr, id);
+- if (uobj)
+- kref_get(&uobj->ref);
++ if (uobj) {
++ if (uobj->context == context)
++ kref_get(&uobj->ref);
++ else
++ uobj = NULL;
++ }
+ spin_unlock(&ib_uverbs_idr_lock);
+ 
+ return uobj;
diff --git a/queue-2.6.23/minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch b/queue-2.6.23/minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch
new file mode 100644
index 00000000000..b973ea1b824
--- /dev/null
+++ b/queue-2.6.23/minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch
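Review bot: The added `uobj->context == context` test in __idr_get_uobj() is the boundary that stops one process from touching another process's uverbs objects, yet nothing in the code says so, and the two-branch shape invites a later "simplification" back to the unconditional kref_get(). I would put a comment above the new `if (uobj) {`, along the lines of `/* Only hand out objects owned by the caller's context; a lookup from another context is reported as not found. */`. The cross-context case deliberately collapses into NULL, so callers cannot distinguish a foreign object from a missing one; that is the conservative choice, but it is worth stating since it also means the event is not separately observable. The comparison is made under ib_uverbs_idr_lock together with idr_find() and kref_get(), which is what keeps the check atomic with respect to removal; the function's signature and the rest of its body lie outside the hunk.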
@@ -0,0 +1,76 @@
+From f44ec6f3f89889a469773b1fd894f8fcc07c29cf Mon Sep 17 00:00:00 2001
+From: Eric Sandeen
+Date: Tue, 16 Oct 2007 23:27:15 -0700
+Subject: minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
+Message-ID: <47276102.30608@redhat.com>
+
+From: Eric Sandeen
+
+patch f44ec6f3f89889a469773b1fd894f8fcc07c29cf upstream.
+
+This attempts to address CVE-2006-6058
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
+
+first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
+
+Essentially a corrupted minix dir inode reporting a very large
+i_size will loop for a very long time in minix_readdir, minix_find_entry,
+etc, because on EIO they just move on to try the next page. This is
+under the BKL, printk-storming as well. This can lock up the machine
+for a very long time. Simply ratelimiting the printks gets things back
+under control. Make the message a bit more informative while we're here.
+
+Signed-off-by: Eric Sandeen
+Cc: Bodo Eggert <7eggert@gmx.de>
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/minix/itree_v1.c | 9 +++++++--
+ fs/minix/itree_v2.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/fs/minix/itree_v1.c
++++ b/fs/minix/itree_v1.c
+@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ int n = 0;
++ char b[BDEVNAME_SIZE];
+ 
+ if (block < 0) {
+- printk("minix_bmap: block<0\n");
++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++ block, bdevname(inode->i_sb->s_bdev, b));
+ } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+- printk("minix_bmap: block>big\n");
++ if (printk_ratelimit())
++ printk("MINIX-fs: block_to_path: "
++ "block %ld too big on dev %s\n",
++ block, bdevname(inode->i_sb->s_bdev, b));
+ } else if (block < 7) {
+ offsets[n++] = block;
+ } else if ((block -= 7) < 512) {
+--- a/fs/minix/itree_v2.c
++++ b/fs/minix/itree_v2.c
+@@ -23,12 +23,17 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ int n = 0;
++ char b[BDEVNAME_SIZE];
+ struct super_block *sb = inode->i_sb;
+ 
+ if (block < 0) {
+- printk("minix_bmap: block<0\n");
++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++ block, bdevname(sb->s_bdev, b));
+ } else if (block >= (minix_sb(inode->i_sb)->s_max_size/sb->s_blocksize)) {
+- printk("minix_bmap: block>big\n");
++ if (printk_ratelimit())
++ printk("MINIX-fs: block_to_path: "
++ "block %ld too big on dev %s\n",
++ block, bdevname(sb->s_bdev, b));
+ } else if (block < 7) {
+ offsets[n++] = block;
+ } else if ((block -= 7) < 256) {
diff --git a/queue-2.6.23/param_sysfs_builtin-memchr-argument-fix.patch b/queue-2.6.23/param_sysfs_builtin-memchr-argument-fix.patch
new file mode 100644
index 00000000000..9e310cb4a7e
--- /dev/null
+++ b/queue-2.6.23/param_sysfs_builtin-memchr-argument-fix.patch
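Review bot: Only the "too big" branch of block_to_path() is ratelimited; the `block < 0` branch right above it still calls printk() unconditionally, in both the itree_v1.c hunk and the itree_v2.c hunk that follows it. If a corrupted directory can steer a caller to a negative block the way it can to an oversized one (the hunk does not show how block is derived, so I cannot tell), that path storms the log exactly as the patch sets out to prevent. Guarding it the same way, `if (printk_ratelimit())` in front of the first printk(), keeps the two branches consistent at no cost and makes the rate limit a property of the function rather than of one message. block_to_path() continues past the hunk in both files.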
@@ -0,0 +1,89 @@
+From faf8c714f4508207a9c81cc94dafc76ed6680b44 Mon Sep 17 00:00:00 2001
+From: Dave Young
+Date: Thu, 18 Oct 2007 03:05:07 -0700
+Subject: param_sysfs_builtin memchr argument fix
+Message-ID: <4720EBA6.60803@redhat.com>
+
+From: Dave Young
+
+patch faf8c714f4508207a9c81cc94dafc76ed6680b44 in mainline.
+
+If memchr argument is longer than strlen(kp->name), there will be some
+weird result.
+
+It will casuse duplicate filenames in sysfs for the "nousb". kernel
+warning messages are as bellow:
+
+sysfs: duplicate filename 'usbcore' can not be created
+WARNING: at fs/sysfs/dir.c:416 sysfs_add_one()
+ [] sysfs_add_one+0xa0/0xe0
+ [] create_dir+0x48/0xb0
+ [] sysfs_create_dir+0x29/0x50
+ [] create_dir+0x1b/0x50
+ [] kobject_add+0x46/0x150
+ [] kobject_init+0x3a/0x80
+ [] kernel_param_sysfs_setup+0x50/0xb0
+ [] param_sysfs_builtin+0xee/0x130
+ [] param_sysfs_init+0x23/0x60
+ [] __next_cpu+0x12/0x20
+ [] kernel_init+0x0/0xb0
+ [] kernel_init+0x0/0xb0
+ [] do_initcalls+0x46/0x1e0
+ [] create_proc_entry+0x52/0x90
+ [] register_irq_proc+0x9c/0xc0
+ [] proc_mkdir_mode+0x34/0x50
+ [] kernel_init+0x0/0xb0
+ [] kernel_init+0x62/0xb0
+ [] kernel_thread_helper+0x7/0x14
+ =======================
+kobject_add failed for usbcore with -EEXIST, don't try to register things with the same name in the same directory.
+ [] kobject_add+0xf6/0x150
+ [] kernel_param_sysfs_setup+0x50/0xb0
+ [] param_sysfs_builtin+0xee/0x130
+ [] param_sysfs_init+0x23/0x60
+ [] __next_cpu+0x12/0x20
+ [] kernel_init+0x0/0xb0
+ [] kernel_init+0x0/0xb0
+ [] do_initcalls+0x46/0x1e0
+ [] create_proc_entry+0x52/0x90
+ [] register_irq_proc+0x9c/0xc0
+ [] proc_mkdir_mode+0x34/0x50
+ [] kernel_init+0x0/0xb0
+ [] kernel_init+0x62/0xb0
+ [] kernel_thread_helper+0x7/0x14
+ =======================
+Module 'usbcore' failed to be added to sysfs, error number -17
+The system will be unstable now.
+
+Signed-off-by: Dave Young
+Cc: Greg KH
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/params.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/kernel/params.c
++++ b/kernel/params.c
+@@ -595,11 +595,17 @@ static void __init param_sysfs_builtin(v
+ 
+ for (i=0; i < __stop___param - __start___param; i++) {
+ char *dot;
++ size_t kplen;
+ 
+ kp = &__start___param[i];
++ kplen = strlen(kp->name);
+ 
+ /* We do not handle args without periods. */
+- dot = memchr(kp->name, '.', MAX_KBUILD_MODNAME);
++ if (kplen > MAX_KBUILD_MODNAME) {
++ DEBUGP("kernel parameter name is too long: %s\n", kp->name);
++ continue;
++ }
++ dot = memchr(kp->name, '.', kplen);
+ if (!dot) {
+ DEBUGP("couldn't find period in %s\n", kp->name);
+ continue;
diff --git a/queue-2.6.23/series b/queue-2.6.23/series
index 7501c7c1208..84ae4b35131 100644
--- a/queue-2.6.23/series
+++ b/queue-2.6.23/series
@@ -11,3 +11,7 @@ hwmon-lm87-disable-vid-when-it-should-be.patch
 add-get_unaligned-to-ieee80211_get_radiotap_len.patch
 mac80211-improve-sanity-checks-on-injected-packets.patch
 remove-broken-ptrace-special-case-code-from-file-mapping.patch
+x86-fix-global_flush_tlb-bug.patch
+param_sysfs_builtin-memchr-argument-fix.patch
+minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch
+ib-uverbs-fix-checking-of-userspace-object-ownership.patch
diff --git a/queue-2.6.23/x86-fix-global_flush_tlb-bug.patch b/queue-2.6.23/x86-fix-global_flush_tlb-bug.patch
new file mode 100644
index 00000000000..7c0c5695064
--- /dev/null
+++ b/queue-2.6.23/x86-fix-global_flush_tlb-bug.patch
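Review bot: The new guard in param_sysfs_builtin() changes which parameters are accepted, not only how far memchr() reads: the old call confined the search for the '.' to the first MAX_KBUILD_MODNAME bytes, whereas `if (kplen > MAX_KBUILD_MODNAME)` now skips any built-in parameter whose whole "module.param" name exceeds that length, and announces it only through DEBUGP(), which is silent in normal builds. Whether any real name is that long depends on the value of MAX_KBUILD_MODNAME, which is not in the hunk, but the bound is meant for the module part, not the full name. Bounding the search instead of rejecting the entry keeps the old semantics and still never reads past the terminator: `dot = memchr(kp->name, '.', min_t(size_t, kplen, MAX_KBUILD_MODNAME));`, with the three-line skip removed. The rest of param_sysfs_builtin(), including how the module name is copied out of kp->name, lies outside the hunk.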
@@ -0,0 +1,70 @@
+From 9a24d04a3c26c223f22493492c5c9085b8773d4a Mon Sep 17 00:00:00 2001
+From: Ingo Molnar
+Date: Fri, 19 Oct 2007 12:19:26 +0200
+Subject: [PATCH] x86: fix global_flush_tlb() bug
+
+From: Ingo Molnar
+
+patch 9a24d04a3c26c223f22493492c5c9085b8773d4a upstream
+
+While we were reviewing pageattr_32/64.c for unification,
+Thomas Gleixner noticed the following serious SMP bug in
+global_flush_tlb():
+
+ down_read(&init_mm.mmap_sem);
+ list_replace_init(&deferred_pages, &l);
+ up_read(&init_mm.mmap_sem);
+
+this is SMP-unsafe because list_replace_init() done on two CPUs in
+parallel can corrupt the list.
+
+This bug has been introduced about a year ago in the 64-bit tree:
+
+ commit ea7322decb974a4a3e804f96a0201e893ff88ce3
+ Author: Andi Kleen
+ Date: Thu Dec 7 02:14:05 2006 +0100
+
+ [PATCH] x86-64: Speed and clean up cache flushing in change_page_attr
+
+ down_read(&init_mm.mmap_sem);
+ - dpage = xchg(&deferred_pages, NULL);
+ + list_replace_init(&deferred_pages, &l);
+ up_read(&init_mm.mmap_sem);
+
+the xchg() based version was SMP-safe, but list_replace_init() is not.
+So this "cleanup" introduced a nasty bug.
+
+why this bug never become prominent is a mystery - it can probably be
+explained with the (still) relative obscurity of the x86_64 architecture.
+
+the safe fix for now is to write-lock init_mm.mmap_sem.
+
+Signed-off-by: Ingo Molnar
+Signed-off-by: Thomas Gleixner
+Cc: Andi Kleen
+Cc: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86_64/mm/pageattr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86_64/mm/pageattr.c
++++ b/arch/x86_64/mm/pageattr.c
+@@ -229,9 +229,14 @@ void global_flush_tlb(void)
+ struct page *pg, *next;
+ struct list_head l;
+ 
+- down_read(&init_mm.mmap_sem);
++ /*
++ * Write-protect the semaphore, to exclude two contexts
++ * doing a list_replace_init() call in parallel and to
++ * exclude new additions to the deferred_pages list:
++ */
++ down_write(&init_mm.mmap_sem);
+ list_replace_init(&deferred_pages, &l);
+- up_read(&init_mm.mmap_sem);
++ up_write(&init_mm.mmap_sem);
+ 
+ flush_map(&l);
+ 
-- 
2.47.3
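Review bot: The added comment in global_flush_tlb() opens with "Write-protect the semaphore", which describes something the code does not do; the code takes init_mm.mmap_sem for writing. I would reword it to `* Take mmap_sem for write so that two callers cannot run list_replace_init() concurrently, and so that no new entries are queued on deferred_pages while the list is detached.` The second half of that claim, excluding new additions, holds only if every writer of deferred_pages holds mmap_sem at least for read, which the hunk cannot show; the comment should state that precondition rather than assert the effect, so the next person who touches the enqueue side knows what they must preserve. global_flush_tlb() continues past the hunk.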