From 5d5bcaf13e8823c83b0968c31e014fa7982b63bb Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 14 Jan 2010 14:53:36 -0800 Subject: [PATCH] start 2.6.31.12 review cycle --- ...r-into-separate-add-remove-functions.patch | 0 ...indamage-in-audit_tree.c-untag_chunk.patch | 0 ...more-leaks-in-audit_tree.c-tag_chunk.patch | 0 .../hwmon-adt7462-fix-pin-28-monitoring.patch | 0 ...kb_dst-can-be-null-in-ipv6_hop_jumbo.patch | 0 ...tion-leak-with-print-fatal-signals-1.patch | 0 review-2.6.31/mbox | 719 ++++++++++++++++++ ...ilter-ebtables-enforce-cap_net_admin.patch | 0 ...-out-of-bounds-read-in-update_nl_seq.patch | 0 ...-for-filesystems-different-from-ext4.patch | 0 {queue-2.6.31 => review-2.6.31}/series | 0 11 files changed, 719 insertions(+) rename {queue-2.6.31 => review-2.6.31}/fasync-split-fasync_helper-into-separate-add-remove-functions.patch (100%) rename {queue-2.6.31 => review-2.6.31}/fix-braindamage-in-audit_tree.c-untag_chunk.patch (100%) rename {queue-2.6.31 => review-2.6.31}/fix-more-leaks-in-audit_tree.c-tag_chunk.patch (100%) rename {queue-2.6.31 => review-2.6.31}/hwmon-adt7462-fix-pin-28-monitoring.patch (100%) rename {queue-2.6.31 => review-2.6.31}/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch (100%) rename {queue-2.6.31 => review-2.6.31}/kernel-signal.c-fix-kernel-information-leak-with-print-fatal-signals-1.patch (100%) create mode 100644 review-2.6.31/mbox rename {queue-2.6.31 => review-2.6.31}/netfilter-ebtables-enforce-cap_net_admin.patch (100%) rename {queue-2.6.31 => review-2.6.31}/netfilter-nf_ct_ftp-fix-out-of-bounds-read-in-update_nl_seq.patch (100%) rename {queue-2.6.31 => review-2.6.31}/quota-fix-dquot_transfer-for-filesystems-different-from-ext4.patch (100%) rename {queue-2.6.31 => review-2.6.31}/series (100%) diff --git a/queue-2.6.31/fasync-split-fasync_helper-into-separate-add-remove-functions.patch b/review-2.6.31/fasync-split-fasync_helper-into-separate-add-remove-functions.patch similarity index 100% rename from queue-2.6.31/fasync-split-fasync_helper-into-separate-add-remove-functions.patch rename to review-2.6.31/fasync-split-fasync_helper-into-separate-add-remove-functions.patch diff --git a/queue-2.6.31/fix-braindamage-in-audit_tree.c-untag_chunk.patch b/review-2.6.31/fix-braindamage-in-audit_tree.c-untag_chunk.patch similarity index 100% rename from queue-2.6.31/fix-braindamage-in-audit_tree.c-untag_chunk.patch rename to review-2.6.31/fix-braindamage-in-audit_tree.c-untag_chunk.patch diff --git a/queue-2.6.31/fix-more-leaks-in-audit_tree.c-tag_chunk.patch b/review-2.6.31/fix-more-leaks-in-audit_tree.c-tag_chunk.patch similarity index 100% rename from queue-2.6.31/fix-more-leaks-in-audit_tree.c-tag_chunk.patch rename to review-2.6.31/fix-more-leaks-in-audit_tree.c-tag_chunk.patch diff --git a/queue-2.6.31/hwmon-adt7462-fix-pin-28-monitoring.patch b/review-2.6.31/hwmon-adt7462-fix-pin-28-monitoring.patch similarity index 100% rename from queue-2.6.31/hwmon-adt7462-fix-pin-28-monitoring.patch rename to review-2.6.31/hwmon-adt7462-fix-pin-28-monitoring.patch diff --git a/queue-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch b/review-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch similarity index 100% rename from queue-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch rename to review-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch diff --git a/queue-2.6.31/kernel-signal.c-fix-kernel-information-leak-with-print-fatal-signals-1.patch b/review-2.6.31/kernel-signal.c-fix-kernel-information-leak-with-print-fatal-signals-1.patch similarity index 100% rename from queue-2.6.31/kernel-signal.c-fix-kernel-information-leak-with-print-fatal-signals-1.patch rename to review-2.6.31/kernel-signal.c-fix-kernel-information-leak-with-print-fatal-signals-1.patch diff --git a/review-2.6.31/mbox b/review-2.6.31/mbox new file mode 100644 index 00000000000..f89a09c6bb9 --- /dev/null +++ b/review-2.6.31/mbox @@ -0,0 +1,719 @@ +From gregkh@mini.kroah.org Thu Jan 14 14:48:06 2010 +Message-Id: <20100114224806.361798368@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 14 Jan 2010 14:46:37 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Al Viro , + Jeff Dike , + Matt Mackall +Subject: [1/9] fasync: split fasync_helper() into separate add/remove functions + +2.6.31-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Linus Torvalds + +commit 53281b6d34d44308372d16acb7fb5327609f68b6 upstream. + +Yes, the add and remove cases do share the same basic loop and the +locking, but the compiler can inline and then CSE some of the end result +anyway. And splitting it up makes the code way easier to follow, +and makes it clearer exactly what the semantics are. + +In particular, we must make sure that the FASYNC flag in file->f_flags +exactly matches the state of "is this file on any fasync list", since +not only is that flag visible to user space (F_GETFL), but we also use +that flag to check whether we need to remove any fasync entries on file +close. + +We got that wrong for the case of a mixed use of file locking (which +tries to remove any fasync entries for file leases) and fasync. + +Splitting the function up also makes it possible to do some future +optimizations without making the function even messier. In particular, +since the FASYNC flag has to match the state of "is this on a list", we +can do the following future optimizations: + + - on remove, we don't even need to get the locks and traverse the list + if FASYNC isn't set, since we can know a priori that there is no + point (this is effectively the same optimization that we already do + in __fput() wrt removing fasync on file close) + + - on add, we can use the FASYNC flag to decide whether we are changing + an existing entry or need to allocate a new one. + +but this is just the cleanup + fix for the FASYNC flag. + +Acked-by: Al Viro +Tested-by: Tavis Ormandy +Cc: Jeff Dike +Cc: Matt Mackall +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fcntl.c | 102 +++++++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 66 insertions(+), 36 deletions(-) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -526,60 +526,90 @@ static DEFINE_RWLOCK(fasync_lock); + static struct kmem_cache *fasync_cache __read_mostly; + + /* +- * fasync_helper() is used by almost all character device drivers +- * to set up the fasync queue. It returns negative on error, 0 if it did +- * no changes and positive if it added/deleted the entry. ++ * Remove a fasync entry. If successfully removed, return ++ * positive and clear the FASYNC flag. If no entry exists, ++ * do nothing and return 0. ++ * ++ * NOTE! It is very important that the FASYNC flag always ++ * match the state "is the filp on a fasync list". ++ * ++ * We always take the 'filp->f_lock', in since fasync_lock ++ * needs to be irq-safe. + */ +-int fasync_helper(int fd, struct file * filp, int on, struct fasync_struct **fapp) ++static int fasync_remove_entry(struct file *filp, struct fasync_struct **fapp) + { + struct fasync_struct *fa, **fp; +- struct fasync_struct *new = NULL; + int result = 0; + +- if (on) { +- new = kmem_cache_alloc(fasync_cache, GFP_KERNEL); +- if (!new) +- return -ENOMEM; ++ spin_lock(&filp->f_lock); ++ write_lock_irq(&fasync_lock); ++ for (fp = fapp; (fa = *fp) != NULL; fp = &fa->fa_next) { ++ if (fa->fa_file != filp) ++ continue; ++ *fp = fa->fa_next; ++ kmem_cache_free(fasync_cache, fa); ++ filp->f_flags &= ~FASYNC; ++ result = 1; ++ break; + } ++ write_unlock_irq(&fasync_lock); ++ spin_unlock(&filp->f_lock); ++ return result; ++} ++ ++/* ++ * Add a fasync entry. Return negative on error, positive if ++ * added, and zero if did nothing but change an existing one. ++ * ++ * NOTE! It is very important that the FASYNC flag always ++ * match the state "is the filp on a fasync list". ++ */ ++static int fasync_add_entry(int fd, struct file *filp, struct fasync_struct **fapp) ++{ ++ struct fasync_struct *new, *fa, **fp; ++ int result = 0; ++ ++ new = kmem_cache_alloc(fasync_cache, GFP_KERNEL); ++ if (!new) ++ return -ENOMEM; + +- /* +- * We need to take f_lock first since it's not an IRQ-safe +- * lock. +- */ + spin_lock(&filp->f_lock); + write_lock_irq(&fasync_lock); + for (fp = fapp; (fa = *fp) != NULL; fp = &fa->fa_next) { +- if (fa->fa_file == filp) { +- if(on) { +- fa->fa_fd = fd; +- kmem_cache_free(fasync_cache, new); +- } else { +- *fp = fa->fa_next; +- kmem_cache_free(fasync_cache, fa); +- result = 1; +- } +- goto out; +- } ++ if (fa->fa_file != filp) ++ continue; ++ fa->fa_fd = fd; ++ kmem_cache_free(fasync_cache, new); ++ goto out; + } + +- if (on) { +- new->magic = FASYNC_MAGIC; +- new->fa_file = filp; +- new->fa_fd = fd; +- new->fa_next = *fapp; +- *fapp = new; +- result = 1; +- } ++ new->magic = FASYNC_MAGIC; ++ new->fa_file = filp; ++ new->fa_fd = fd; ++ new->fa_next = *fapp; ++ *fapp = new; ++ result = 1; ++ filp->f_flags |= FASYNC; ++ + out: +- if (on) +- filp->f_flags |= FASYNC; +- else +- filp->f_flags &= ~FASYNC; + write_unlock_irq(&fasync_lock); + spin_unlock(&filp->f_lock); + return result; + } + ++/* ++ * fasync_helper() is used by almost all character device drivers ++ * to set up the fasync queue, and for regular files by the file ++ * lease code. It returns negative on error, 0 if it did no changes ++ * and positive if it added/deleted the entry. ++ */ ++int fasync_helper(int fd, struct file * filp, int on, struct fasync_struct **fapp) ++{ ++ if (!on) ++ return fasync_remove_entry(filp, fapp); ++ return fasync_add_entry(fd, filp, fapp); ++} ++ + EXPORT_SYMBOL(fasync_helper); + + void __kill_fasync(struct fasync_struct *fa, int sig, int band) + + +From gregkh@mini.kroah.org Thu Jan 14 14:48:06 2010 +Message-Id: <20100114224806.492063117@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 14 Jan 2010 14:46:38 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Roger Blofeld , + Jean Delvare +Subject: [2/9] hwmon: (adt7462) Fix pin 28 monitoring + +2.6.31-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Roger Blofeld + +commit bb595c923bc51dff9cdd112de18deb57ac7945d2 upstream. + +The ADT7462_PIN28_VOLT value is a 4-bit field, so the corresponding +shift must be 4. + +Signed-off-by: Roger Blofeld +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/adt7462.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/adt7462.c ++++ b/drivers/hwmon/adt7462.c +@@ -97,7 +97,7 @@ I2C_CLIENT_INSMOD_1(adt7462); + #define ADT7462_PIN24_SHIFT 6 + #define ADT7462_PIN26_VOLT_INPUT 0x08 + #define ADT7462_PIN25_VOLT_INPUT 0x20 +-#define ADT7462_PIN28_SHIFT 6 /* cfg3 */ ++#define ADT7462_PIN28_SHIFT 4 /* cfg3 */ + #define ADT7462_PIN28_VOLT 0x5 + + #define ADT7462_REG_ALARM1 0xB8 + + +From gregkh@mini.kroah.org Thu Jan 14 14:48:06 2010 +Message-Id: <20100114224806.617287984@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 14 Jan 2010 14:46:39 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Andi Kleen , + Ingo Molnar , + Oleg Nesterov +Subject: [3/9] kernel/signal.c: fix kernel information leak with print-fatal-signals=1 + +2.6.31-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Andi Kleen + +commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream. + +When print-fatal-signals is enabled it's possible to dump any memory +reachable by the kernel to the log by simply jumping to that address from +user space. + +Or crash the system if there's some hardware with read side effects. + +The fatal signals handler will dump 16 bytes at the execution address, +which is fully controlled by ring 3. + +In addition when something jumps to a unmapped address there will be up to +16 additional useless page faults, which might be potentially slow (and at +least is not very efficient) + +Fortunately this option is off by default and only there on i386. + +But fix it by checking for kernel addresses and also stopping when there's +a page fault. + +Signed-off-by: Andi Kleen +Cc: Ingo Molnar +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -939,7 +939,8 @@ static void print_fatal_signal(struct pt + for (i = 0; i < 16; i++) { + unsigned char insn; + +- __get_user(insn, (unsigned char *)(regs->ip + i)); ++ if (get_user(insn, (unsigned char *)(regs->ip + i))) ++ break; + printk("%02x ", insn); + } + } + + +From gregkh@mini.kroah.org Thu Jan 14 14:48:06 2010 +Message-Id: <20100114224806.743281302@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 14 Jan 2010 14:46:40 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Florian Westphal , + Patrick McHardy +Subject: [4/9] netfilter: ebtables: enforce CAP_NET_ADMIN + +2.6.31-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Florian Westphal + +commit dce766af541f6605fa9889892c0280bab31c66ab upstream. + +normal users are currently allowed to set/modify ebtables rules. +Restrict it to processes with CAP_NET_ADMIN. + +Note that this cannot be reproduced with unmodified ebtables binary +because it uses SOCK_RAW. + +Signed-off-by: Florian Westphal +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/netfilter/ebtables.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *s + { + int ret; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + switch(cmd) { + case EBT_SO_SET_ENTRIES: + ret = do_replace(sock_net(sk), user, len); +@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *s + struct ebt_replace tmp; + struct ebt_table *t; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (copy_from_user(&tmp, user, sizeof(tmp))) + return -EFAULT; + + + +From gregkh@mini.kroah.org Thu Jan 14 14:48:07 2010 +Message-Id: <20100114224806.913050712@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 14 Jan 2010 14:46:41 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Patrick McHardy +Subject: [5/9] netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq() + +2.6.31-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Patrick McHardy + +commit aaff23a95aea5f000895f50d90e91f1e2f727002 upstream. + +As noticed by Dan Carpenter , update_nl_seq() +currently contains an out of bounds read of the seq_aft_nl array +when looking for the oldest sequence number position. + +Fix it to only compare valid positions. + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_ftp.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/net/netfilter/nf_conntrack_ftp.c ++++ b/net/netfilter/nf_conntrack_ftp.c +@@ -323,24 +323,24 @@ static void update_nl_seq(struct nf_conn + struct nf_ct_ftp_master *info, int dir, + struct sk_buff *skb) + { +- unsigned int i, oldest = NUM_SEQ_TO_REMEMBER; ++ unsigned int i, oldest; + + /* Look for oldest: if we find exact match, we're done. */ + for (i = 0; i < info->seq_aft_nl_num[dir]; i++) { + if (info->seq_aft_nl[dir][i] == nl_seq) + return; +- +- if (oldest == info->seq_aft_nl_num[dir] || +- before(info->seq_aft_nl[dir][i], +- info->seq_aft_nl[dir][oldest])) +- oldest = i; + } + + if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) { + info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq; +- } else if (oldest != NUM_SEQ_TO_REMEMBER && +- after(nl_seq, info->seq_aft_nl[dir][oldest])) { +- info->seq_aft_nl[dir][oldest] = nl_seq; ++ } else { ++ if (before(info->seq_aft_nl[dir][0], info->seq_aft_nl[dir][1])) ++ oldest = 0; ++ else ++ oldest = 1; ++ ++ if (after(nl_seq, info->seq_aft_nl[dir][oldest])) ++ info->seq_aft_nl[dir][oldest] = nl_seq; + } + } + + + +From gregkh@mini.kroah.org Thu Jan 14 14:48:07 2010 +Message-Id: <20100114224807.086778669@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 14 Jan 2010 14:46:42 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Dmitry Monakhov , + Jan Kara +Subject: [6/9] quota: Fix dquot_transfer for filesystems different from ext4 + +2.6.31-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jan Kara + +commit 05b5d898235401c489c68e1f3bc5706a29ad5713 upstream. + +Commit fd8fbfc1 modified the way we find amount of reserved space +belonging to an inode. The amount of reserved space is checked +from dquot_transfer and thus inode_reserved_space gets called +even for filesystems that don't provide get_reserved_space callback +which results in a BUG. + +Fix the problem by checking get_reserved_space callback and return 0 if +the filesystem does not provide it. + +CC: Dmitry Monakhov +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/quota/dquot.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1425,6 +1425,9 @@ static void inode_sub_rsv_space(struct i + static qsize_t inode_get_rsv_space(struct inode *inode) + { + qsize_t ret; ++ ++ if (!inode->i_sb->dq_op->get_reserved_space) ++ return 0; + spin_lock(&inode->i_lock); + ret = *inode_reserved_space(inode); + spin_unlock(&inode->i_lock); + + +From gregkh@mini.kroah.org Thu Jan 14 14:48:07 2010 +Message-Id: <20100114224807.227254692@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 14 Jan 2010 14:46:43 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Al Viro +Subject: [7/9] fix braindamage in audit_tree.c untag_chunk() + +2.6.31-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Al Viro + +commit 6f5d51148921c242680a7a1d9913384a30ab3cbe upstream. + +... aka "Al had badly fscked up when writing that thing and nobody +noticed until Eric had fixed leaks that used to mask the breakage". + +The function essentially creates a copy of old array sans one element +and replaces the references to elements of original (they are on cyclic +lists) with those to corresponding elements of new one. After that the +old one is fair game for freeing. + +First of all, there's a dumb braino: when we get to list_replace_init we +use indices for wrong arrays - position in new one with the old array +and vice versa. + +Another bug is more subtle - termination condition is wrong if the +element to be excluded happens to be the last one. We shouldn't go +until we fill the new array, we should go until we'd finished the old +one. Otherwise the element we are trying to kill will remain on the +cyclic lists... + +That crap used to be masked by several leaks, so it was not quite +trivial to hit. Eric had fixed some of those leaks a while ago and the +shit had hit the fan... + +Signed-off-by: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit_tree.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/audit_tree.c ++++ b/kernel/audit_tree.c +@@ -277,7 +277,7 @@ static void untag_chunk(struct node *p) + owner->root = NULL; + } + +- for (i = j = 0; i < size; i++, j++) { ++ for (i = j = 0; j <= size; i++, j++) { + struct audit_tree *s; + if (&chunk->owners[j] == p) { + list_del_init(&p->list); +@@ -290,7 +290,7 @@ static void untag_chunk(struct node *p) + if (!s) /* result of earlier fallback */ + continue; + get_tree(s); +- list_replace_init(&chunk->owners[i].list, &new->owners[j].list); ++ list_replace_init(&chunk->owners[j].list, &new->owners[i].list); + } + + list_replace_rcu(&chunk->hash, &new->hash); + + +From gregkh@mini.kroah.org Thu Jan 14 14:48:07 2010 +Message-Id: <20100114224807.352150724@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 14 Jan 2010 14:46:44 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Al Viro +Subject: [8/9] fix more leaks in audit_tree.c tag_chunk() + +2.6.31-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Al Viro + +commit b4c30aad39805902cf5b855aa8a8b22d728ad057 upstream. + +Several leaks in audit_tree didn't get caught by commit +318b6d3d7ddbcad3d6867e630711b8a705d873d7, including the leak on normal +exit in case of multiple rules refering to the same chunk. + +Signed-off-by: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit_tree.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/kernel/audit_tree.c ++++ b/kernel/audit_tree.c +@@ -373,15 +373,17 @@ static int tag_chunk(struct inode *inode + for (n = 0; n < old->count; n++) { + if (old->owners[n].owner == tree) { + spin_unlock(&hash_lock); +- put_inotify_watch(watch); ++ put_inotify_watch(&old->watch); + return 0; + } + } + spin_unlock(&hash_lock); + + chunk = alloc_chunk(old->count + 1); +- if (!chunk) ++ if (!chunk) { ++ put_inotify_watch(&old->watch); + return -ENOMEM; ++ } + + mutex_lock(&inode->inotify_mutex); + if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) { +@@ -425,7 +427,8 @@ static int tag_chunk(struct inode *inode + spin_unlock(&hash_lock); + inotify_evict_watch(&old->watch); + mutex_unlock(&inode->inotify_mutex); +- put_inotify_watch(&old->watch); ++ put_inotify_watch(&old->watch); /* pair to inotify_find_watch */ ++ put_inotify_watch(&old->watch); /* and kill it */ + return 0; + } + + + +From gregkh@mini.kroah.org Thu Jan 14 14:48:07 2010 +Message-Id: <20100114224807.515390123@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 14 Jan 2010 14:46:45 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "David S. Miller" +Subject: [9/9] ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). + +2.6.31-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David S. Miller + +commit 2570a4f5428bcdb1077622342181755741e7fa60 upstream. + +This fixes CERT-FI FICORA #341748 + +Discovered by Olli Jarva and Tuomo Untinen from the CROSS +project at Codenomicon Ltd. + +Just like in CVE-2007-4567, we can't rely upon skb_dst() being +non-NULL at this point. We fixed that in commit +e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on +skb->dst before it is assigned.") + +However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added +net argument to IP6_INC_STATS_BH") put a new version of the same bug +into this function. + +Complicating analysis further, this bug can only trigger when network +namespaces are enabled in the build. When namespaces are turned off, +the dev_net() does not evaluate it's argument, so the dereference +would not occur. + +So, for a long time, namespaces couldn't be turned on unless SYSFS was +disabled. Therefore, this code has largely been disabled except by +people turning it on explicitly for namespace development. + +With help from Eugene Teo + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/exthdrs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -559,6 +559,11 @@ static inline struct inet6_dev *ipv6_skb + return skb_dst(skb) ? ip6_dst_idev(skb_dst(skb)) : __in6_dev_get(skb->dev); + } + ++static inline struct net *ipv6_skb_net(struct sk_buff *skb) ++{ ++ return skb_dst(skb) ? dev_net(skb_dst(skb)->dev) : dev_net(skb->dev); ++} ++ + /* Router Alert as of RFC 2711 */ + + static int ipv6_hop_ra(struct sk_buff *skb, int optoff) +@@ -580,8 +585,8 @@ static int ipv6_hop_ra(struct sk_buff *s + static int ipv6_hop_jumbo(struct sk_buff *skb, int optoff) + { + const unsigned char *nh = skb_network_header(skb); ++ struct net *net = ipv6_skb_net(skb); + u32 pkt_len; +- struct net *net = dev_net(skb_dst(skb)->dev); + + if (nh[optoff + 1] != 4 || (optoff & 3) != 2) { + LIMIT_NETDEBUG(KERN_DEBUG "ipv6_hop_jumbo: wrong jumbo opt length/alignment %d\n", + + diff --git a/queue-2.6.31/netfilter-ebtables-enforce-cap_net_admin.patch b/review-2.6.31/netfilter-ebtables-enforce-cap_net_admin.patch similarity index 100% rename from queue-2.6.31/netfilter-ebtables-enforce-cap_net_admin.patch rename to review-2.6.31/netfilter-ebtables-enforce-cap_net_admin.patch diff --git a/queue-2.6.31/netfilter-nf_ct_ftp-fix-out-of-bounds-read-in-update_nl_seq.patch b/review-2.6.31/netfilter-nf_ct_ftp-fix-out-of-bounds-read-in-update_nl_seq.patch similarity index 100% rename from queue-2.6.31/netfilter-nf_ct_ftp-fix-out-of-bounds-read-in-update_nl_seq.patch rename to review-2.6.31/netfilter-nf_ct_ftp-fix-out-of-bounds-read-in-update_nl_seq.patch diff --git a/queue-2.6.31/quota-fix-dquot_transfer-for-filesystems-different-from-ext4.patch b/review-2.6.31/quota-fix-dquot_transfer-for-filesystems-different-from-ext4.patch similarity index 100% rename from queue-2.6.31/quota-fix-dquot_transfer-for-filesystems-different-from-ext4.patch rename to review-2.6.31/quota-fix-dquot_transfer-for-filesystems-different-from-ext4.patch diff --git a/queue-2.6.31/series b/review-2.6.31/series similarity index 100% rename from queue-2.6.31/series rename to review-2.6.31/series -- 2.47.3