From 4bc38659bd61908021cc668b477bc298b3c8a38a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 9 Aug 2007 23:12:36 -0700
Subject: [PATCH] some 2.6.22 patches added to the queue
---
.../ata_piix-update-map-10b-for-ich8m.patch | 32 +++++++++++
.../fix-oops-in-__audit_signal_info.patch | 57 +++++++++++++++++++
.../random-fix-bound-check-ordering.patch | 44 ++++++++++++++
queue-2.6.22/series | 4 ++
...lock-of-wx_set_essid-with-assoc-work.patch | 55 ++++++++++++++++++
5 files changed, 192 insertions(+)
create mode 100644 queue-2.6.22/ata_piix-update-map-10b-for-ich8m.patch
create mode 100644 queue-2.6.22/fix-oops-in-__audit_signal_info.patch
create mode 100644 queue-2.6.22/random-fix-bound-check-ordering.patch
create mode 100644 queue-2.6.22/series
create mode 100644 queue-2.6.22/softmac-fix-deadlock-of-wx_set_essid-with-assoc-work.patch
diff --git a/queue-2.6.22/ata_piix-update-map-10b-for-ich8m.patch b/queue-2.6.22/ata_piix-update-map-10b-for-ich8m.patch
new file mode 100644
index 00000000000..1c99729ad38
--- /dev/null
+++ b/queue-2.6.22/ata_piix-update-map-10b-for-ich8m.patch
@@ -0,0 +1,32 @@
+From htejun@gmail.com Thu Aug 9 23:08:47 2007
+From: Tejun Heo
+Date: Tue, 7 Aug 2007 02:43:27 +0900
+Subject: ata_piix: update map 10b for ich8m
+To: Jeff Garzik , linux-ide@vger.kernel.org, kristen.c.accardi@intel.com, stable@kernel.org
+Message-ID: <20070806174327.GP13674@htj.dyndns.org>
+Content-Disposition: inline
+
+From: Tejun Heo
+
+Fix map entry 10b for ich8. It's [P0 P2 IDE IDE] like ich6 / ich6m.
+
+Signed-off-by: Tejun Heo
+Acked-by: kristen.c.accardi@intel.com
+Cc: Jeff Garzik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/ata_piix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ata_piix.c
++++ b/drivers/ata/ata_piix.c
+@@ -428,7 +428,7 @@ static const struct piix_map_db ich8_map
+ /* PM PS SM SS MAP */
+ { P0, P2, P1, P3 }, /* 00b (hardwired when in AHCI) */
+ { RV, RV, RV, RV },
+- { IDE, IDE, NA, NA }, /* 10b (IDE mode) */
++ { P0, P2, IDE, IDE }, /* 10b (IDE mode) */
+ { RV, RV, RV, RV },
+ },
+ };
diff --git a/queue-2.6.22/fix-oops-in-__audit_signal_info.patch b/queue-2.6.22/fix-oops-in-__audit_signal_info.patch
new file mode 100644
index 00000000000..a7c95a2b4d6
--- /dev/null
+++ b/queue-2.6.22/fix-oops-in-__audit_signal_info.patch
@@ -0,0 +1,57 @@
+From viro@ftp.linux.org.uk Thu Aug 9 22:58:53 2007
+From: Al Viro
+Date: Wed, 8 Aug 2007 00:01:46 +0100
+Subject: fix oops in __audit_signal_info()
+To: Linus Torvalds
+Cc: linux-kernel@vger.kernel.org, stable@kernel.org
+Message-ID: <20070807230146.GZ21089@ftp.linux.org.uk>
+Content-Disposition: inline
+
+From: Al Viro
+
+ Check for audit_signals is misplaced and check for
+audit_dummy_context() is missing; as the result, if we send
+signal to auditd from task with NULL ->audit_context while
+we have audit_signals != 0 we end up with an oops.
+
+Signed-off-by: Al Viro
+Acked-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/auditsc.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1998,19 +1998,19 @@ int __audit_signal_info(int sig, struct
+ extern uid_t audit_sig_uid;
+ extern u32 audit_sig_sid;
+
+- if (audit_pid && t->tgid == audit_pid &&
+- (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) {
+- audit_sig_pid = tsk->pid;
+- if (ctx)
+- audit_sig_uid = ctx->loginuid;
+- else
+- audit_sig_uid = tsk->uid;
+- selinux_get_task_sid(tsk, &audit_sig_sid);
++ if (audit_pid && t->tgid == audit_pid) {
++ if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
++ audit_sig_pid = tsk->pid;
++ if (ctx)
++ audit_sig_uid = ctx->loginuid;
++ else
++ audit_sig_uid = tsk->uid;
++ selinux_get_task_sid(tsk, &audit_sig_sid);
++ }
++ if (!audit_signals || audit_dummy_context())
++ return 0;
+ }
+
+- if (!audit_signals) /* audit_context checked in wrapper */
+- return 0;
+-
+ /* optimize the common case by putting first signal recipient directly
+ * in audit_context */
+ if (!ctx->target_pid) {
diff --git a/queue-2.6.22/random-fix-bound-check-ordering.patch b/queue-2.6.22/random-fix-bound-check-ordering.patch
new file mode 100644
index 00000000000..1e3b8664b02
--- /dev/null
+++ b/queue-2.6.22/random-fix-bound-check-ordering.patch
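Review bot: In the kernel/auditsc.c patch, the `if (!ctx->target_pid)` dereference that follows the rewritten block is only safe when `ctx` is non-NULL, and after this change nothing in the function says why that holds for signals not aimed at auditd. The new `!audit_signals || audit_dummy_context()` test runs only inside the `t->tgid == audit_pid` branch, so every other path presumably relies on a check made before `__audit_signal_info()` is entered; that caller is not visible here, and the removed `/* audit_context checked in wrapper */` remark was the only pointer to it. I would add a comment above the dereference such as `/* not auditd: caller guarantees audit_signals && !audit_dummy_context() */`, to be confirmed against the wrapper. The function body starts before the hunk and continues past it.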
@@ -0,0 +1,44 @@
+From w@1wt.eu Thu Aug 9 23:04:22 2007
+Date: Sun, 15 Jul 2007 17:10:14 -0700
+From: Chris Wright
+Subject: random: fix bound check ordering (CVE-2007-3105)
+To: torvalds@linux-foundation.org
+Cc: security@kernel.org, Theodore Tso , Willy Tarreau , Matt Mackall
+
+From: Matt Mackall
+
+If root raised the default wakeup threshold over the size of the
+output pool, the pool transfer function could overflow the stack with
+RNG bytes, causing a DoS or potential privilege escalation.
+
+(Bug reported by the PaX Team )
+
+Cc: Theodore Tso
+Cc: Willy Tarreau
+Signed-off-by: Matt Mackall
+Signed-off-by: Chris Wright
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/random.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -693,9 +693,14 @@ static void xfer_secondary_pool(struct e
+
+ if (r->pull && r->entropy_count < nbytes * 8 &&
+ r->entropy_count < r->poolinfo->POOLBITS) {
+- int bytes = max_t(int, random_read_wakeup_thresh / 8,
+- min_t(int, nbytes, sizeof(tmp)));
++ /* If we're limited, always leave two wakeup worth's BITS */
+ int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
++ int bytes = nbytes;
++
++ /* pull at least as many as BYTES as wakeup BITS */
++ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
++ /* but never more than the buffer size */
++ bytes = min_t(int, bytes, sizeof(tmp));
+
+ DEBUG_ENT("going to reseed %s with %d bits "
+ "(%d of %d requested)\n",
diff --git a/queue-2.6.22/series b/queue-2.6.22/series
new file mode 100644
index 00000000000..0a0ccc7f6c3
--- /dev/null
+++ b/queue-2.6.22/series
@@ -0,0 +1,4 @@
+fix-oops-in-__audit_signal_info.patch
+random-fix-bound-check-ordering.patch
+softmac-fix-deadlock-of-wx_set_essid-with-assoc-work.patch
+ata_piix-update-map-10b-for-ich8m.patch
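Review bot: In the drivers/char/random.c patch the new clamp is computed entirely in `int`, so `min_t(int, bytes, sizeof(tmp))` caps only non-negative values; a negative `bytes` would pass through the bound unchanged. Whether that can happen depends on the type of `nbytes` and on the limits enforced for `random_read_wakeup_thresh`, neither of which is visible in the hunk. Since this clamp is the stack-buffer bound the commit message describes, I would make the last step unsigned, `bytes = min_t(size_t, bytes, sizeof(tmp));`, or state the non-negativity assumption in the comment above it. The function starts before the hunk and continues past it.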
diff --git a/queue-2.6.22/softmac-fix-deadlock-of-wx_set_essid-with-assoc-work.patch b/queue-2.6.22/softmac-fix-deadlock-of-wx_set_essid-with-assoc-work.patch
new file mode 100644
index 00000000000..c747c1ea61b
--- /dev/null
+++ b/queue-2.6.22/softmac-fix-deadlock-of-wx_set_essid-with-assoc-work.patch
@@ -0,0 +1,55 @@
+From mb@bu3sch.de Thu Aug 9 23:05:43 2007
+From: Michael Buesch
+Date: Tue, 7 Aug 2007 12:20:40 +0200
+Subject: softmac: Fix deadlock of wx_set_essid with assoc work
+To: Greg KH
+Cc: linux-wireless@vger.kernel.org, Johannes Berg , David Woodhouse , stable@kernel.org, "John W. Linville"
+Message-ID: <200708071220.41123.mb@bu3sch.de>
+Content-Disposition: inline
+
+From: Michael Buesch
+
+The essid wireless extension does deadlock against the assoc mutex,
+as we don't unlock the assoc mutex when flushing the workqueue, which
+also holds the lock.
+
+Signed-off-by: Michael Buesch
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ieee80211/softmac/ieee80211softmac_wx.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/net/ieee80211/softmac/ieee80211softmac_wx.c
++++ b/net/ieee80211/softmac/ieee80211softmac_wx.c
+@@ -74,8 +74,8 @@ ieee80211softmac_wx_set_essid(struct net
+ struct ieee80211softmac_auth_queue_item *authptr;
+ int length = 0;
+
++check_assoc_again:
+ mutex_lock(&sm->associnfo.mutex);
+-
+ /* Check if we're already associating to this or another network
+ * If it's another network, cancel and start over with our new network
+ * If it's our network, ignore the change, we're already doing it!
+@@ -98,13 +98,18 @@ ieee80211softmac_wx_set_essid(struct net
+ cancel_delayed_work(&authptr->work);
+ sm->associnfo.bssvalid = 0;
+ sm->associnfo.bssfixed = 0;
+- flush_scheduled_work();
+ sm->associnfo.associating = 0;
+ sm->associnfo.associated = 0;
++ /* We must unlock to avoid deadlocks with the assoc workqueue
++ * on the associnfo.mutex */
++ mutex_unlock(&sm->associnfo.mutex);
++ flush_scheduled_work();
++ /* Avoid race! Check assoc status again. Maybe someone started an
++ * association while we flushed. */
++ goto check_assoc_again;
+ }
+ }
+
+-
+ sm->associnfo.static_essid = 0;
+ sm->associnfo.assoc_wait = 0;
+
--
2.47.3
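Review bot: In ieee80211softmac_wx_set_essid() the new `goto check_assoc_again` makes the function retry with no visible bound: each pass drops `associnfo.mutex`, waits in `flush_scheduled_work()`, and takes the mutex again. Termination seems to rest on `associating` and `associated` having been cleared before the unlock, so the branch is re-entered only if another path started an association during the flush; the condition guarding the branch lies between the two hunks and is not shown. I would say so in the comment, e.g. `/* flags were cleared above, so we loop only if a new association began during the flush */`, and a `for (;;)` around the check would read more clearly than a backward goto out of two nested blocks. It is also worth confirming that the caller holds no other lock at this point, since `flush_scheduled_work()` waits for every item on the shared workqueue.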