From beb2bc1aaaa9cebd5eea44a095cfd76d06e9c076 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 29 Jun 2009 16:52:28 -0700
Subject: [PATCH] .29 patches
---
 ...lockdep-select-frame-pointers-on-x86.patch | 34 +++++++++
 ...nstrel-single-rate-memory-corruption.patch | 53 +++++++++++++
 ...sk-sanitize-the-usage-of-fown-signum.patch | 68 +++++++++++++++++
 queue-2.6.29/series | 4 +
 ...ent_cred-from-__f_setown-to-f_modown.patch | 76 +++++++++++++++++++
 5 files changed, 235 insertions(+)
 create mode 100644 queue-2.6.29/lockdep-select-frame-pointers-on-x86.patch
 create mode 100644 queue-2.6.29/mac80211-fix-minstrel-single-rate-memory-corruption.patch
 create mode 100644 queue-2.6.29/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch
 create mode 100644 queue-2.6.29/shift-current_cred-from-__f_setown-to-f_modown.patch
diff --git a/queue-2.6.29/lockdep-select-frame-pointers-on-x86.patch b/queue-2.6.29/lockdep-select-frame-pointers-on-x86.patch
new file mode 100644
index 00000000000..e593372f207
--- /dev/null
+++ b/queue-2.6.29/lockdep-select-frame-pointers-on-x86.patch
@@ -0,0 +1,34 @@
+From 00540e5d54be972a94a3b2ce6da8621bebe731a2 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Fri, 12 Jun 2009 10:04:01 +0200
+Subject: lockdep: Select frame pointers on x86
+
+From: Peter Zijlstra
+
+commit 00540e5d54be972a94a3b2ce6da8621bebe731a2 upstream.
+
+x86 stack traces are a piece of crap without frame pointers, and its not
+like the 'performance gain' of not having stack pointers matters when you
+selected lockdep.
+
+Reported-by: Andrew Morton
+LKML-Reference:
+Signed-off-by: Peter Zijlstra
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -402,7 +402,7 @@ config LOCKDEP
+ bool
+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
+ select STACKTRACE
+- select FRAME_POINTER if !X86 && !MIPS && !PPC
++ select FRAME_POINTER if !MIPS && !PPC
+ select KALLSYMS
+ select KALLSYMS_ALL
+
diff --git a/queue-2.6.29/mac80211-fix-minstrel-single-rate-memory-corruption.patch b/queue-2.6.29/mac80211-fix-minstrel-single-rate-memory-corruption.patch
new file mode 100644
index 00000000000..692d9b62086
--- /dev/null
+++ b/queue-2.6.29/mac80211-fix-minstrel-single-rate-memory-corruption.patch
@@ -0,0 +1,53 @@
+From 5ee58d7e6ad019675b4090582aec4fa1180d8703 Mon Sep 17 00:00:00 2001
+From: Bob Copeland
+Date: Fri, 5 Jun 2009 08:21:50 -0400
+Subject: mac80211: fix minstrel single-rate memory corruption
+
+From: Bob Copeland
+
+commit 5ee58d7e6ad019675b4090582aec4fa1180d8703 upstream.
+
+The minstrel rate controller periodically looks up rate indexes in
+a sampling table. When accessing a specific row and column, minstrel
+correctly does a bounds check which, on the surface, appears to handle
+the case where mi->n_rates < 2. However, mi->sample_idx is actually
+defined as an unsigned, so the right hand side is taken to be a huge
+positive number when negative, and the check will always fail.
+
+Consequently, the RC will overrun the array and cause random memory
+corruption when communicating with a peer that has only a single rate.
+The max value of mi->sample_idx is around 25 so casting to int should
+have no ill effects.
+
+Without the change, uptime is a few minutes under load with an AP
+that has a single hard-coded rate, and both the AP and STA could
+potentially crash. With the change, both lasted 12 hours with a
+steady load.
+
+Thanks to Ognjen Maric for providing the single-rate clue so I could
+reproduce this.
+
+This fixes http://bugzilla.kernel.org/show_bug.cgi?id=12490 on the
+regression list (also http://bugzilla.kernel.org/show_bug.cgi?id=13000).
+
+Reported-by: Sergey S. Kostyliov
+Reported-by: Ognjen Maric
+Signed-off-by: Bob Copeland
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rc80211_minstrel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rc80211_minstrel.c
++++ b/net/mac80211/rc80211_minstrel.c
+@@ -216,7 +216,7 @@ minstrel_get_next_sample(struct minstrel
+ unsigned int sample_ndx;
+ sample_ndx = SAMPLE_TBL(mi, mi->sample_idx, mi->sample_column);
+ mi->sample_idx++;
+- if (mi->sample_idx > (mi->n_rates - 2)) {
++ if ((int) mi->sample_idx > (mi->n_rates - 2)) {
+ mi->sample_idx = 0;
+ mi->sample_column++;
+ if (mi->sample_column >= SAMPLE_COLUMNS)
diff --git a/queue-2.6.29/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch b/queue-2.6.29/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch
new file mode 100644
index 00000000000..08caee16a0c
--- /dev/null
+++ b/queue-2.6.29/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch
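Review bot: The comparison at `++ if ((int) mi->sample_idx > (mi->n_rates - 2)) {` is only correct while sample_idx stays below INT_MAX, which the description argues from the size of the sampling table rather than from anything the code enforces; a form that never compares against a possibly negative right-hand side, `if (mi->sample_idx + 1 >= mi->n_rates) {`, does not depend on that magnitude argument (assuming n_rates is non-negative, its declaration is outside the hunk). Because the index is consumed by SAMPLE_TBL on the line above and only bounded afterwards, this check is what keeps a single-rate peer from driving the index past the array, so the invariant deserves a comment, e.g. `/* n_rates may be 1: the signed compare must see n_rates - 2 < 0 and reset the index */`. minstrel_get_next_sample continues outside the hunk.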
@@ -0,0 +1,68 @@
+From 8eeee4e2f04fc551f50c9d9847da2d73d7d33728 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov
+Date: Wed, 17 Jun 2009 00:27:10 +0200
+Subject: send_sigio_to_task: sanitize the usage of fown->signum
+
+From: Oleg Nesterov
+
+commit 8eeee4e2f04fc551f50c9d9847da2d73d7d33728 upstream.
+
+send_sigio_to_task() reads fown->signum several times, we can race with
+F_SETSIG which changes ->signum lockless. In theory, this can fool
+security checks or we can call group_send_sig_info() with the wrong
+->si_signo which does not match "int sig".
+
+Change the code to cache ->signum.
+
+Signed-off-by: Oleg Nesterov
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fcntl.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -428,14 +428,20 @@ static inline int sigio_perm(struct task
+ }
+
+ static void send_sigio_to_task(struct task_struct *p,
+- struct fown_struct *fown,
++ struct fown_struct *fown,
+ int fd,
+ int reason)
+ {
+- if (!sigio_perm(p, fown, fown->signum))
++ /*
++ * F_SETSIG can change ->signum lockless in parallel, make
++ * sure we read it once and use the same value throughout.
++ */
++ int signum = ACCESS_ONCE(fown->signum);
++
++ if (!sigio_perm(p, fown, signum))
+ return;
+
+- switch (fown->signum) {
++ switch (signum) {
+ siginfo_t si;
+ default:
+ /* Queue a rt signal with the appropriate fd as its
+@@ -444,7 +450,7 @@ static void send_sigio_to_task(struct ta
+ delivered even if we can't queue. Failure to
+ queue in this case _should_ be reported; we fall
+ back to SIGIO in that case. --sct */
+- si.si_signo = fown->signum;
++ si.si_signo = signum;
+ si.si_errno = 0;
+ si.si_code = reason;
+ /* Make sure we are called with one of the POLL_*
+@@ -456,7 +462,7 @@ static void send_sigio_to_task(struct ta
+ else
+ si.si_band = band_table[reason - POLL_IN];
+ si.si_fd = fd;
+- if (!group_send_sig_info(fown->signum, &si, p))
++ if (!group_send_sig_info(signum, &si, p))
+ break;
+ /* fall-through: fall back on the old plain SIGIO signal */
+ case 0:
diff --git a/queue-2.6.29/series b/queue-2.6.29/series
index 57ac975d608..f39857591f4 100644
--- a/queue-2.6.29/series
+++ b/queue-2.6.29/series
@@ -17,3 +17,7 @@ alsa-ca0106-add-missing-registrations-of-vmaster-controls.patch
 floppy-provide-a-pnp-device-table-in-the-module.patch
 ib-mlx4-add-strong-ordering-to-local-inval-and-fast-reg-work-requests.patch
 x86-handle-initrd-that-extends-into-unusable-memory.patch
+lockdep-select-frame-pointers-on-x86.patch
+mac80211-fix-minstrel-single-rate-memory-corruption.patch
+shift-current_cred-from-__f_setown-to-f_modown.patch
+send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch
diff --git a/queue-2.6.29/shift-current_cred-from-__f_setown-to-f_modown.patch b/queue-2.6.29/shift-current_cred-from-__f_setown-to-f_modown.patch
new file mode 100644
index 00000000000..a86ba87fe7d
--- /dev/null
+++ b/queue-2.6.29/shift-current_cred-from-__f_setown-to-f_modown.patch
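Review bot: The snapshot taken at `++ int signum = ACCESS_ONCE(fown->signum);` only closes the race if no `fown->signum` read survives later in the function; the `case 0:` plain-SIGIO path and the rest of the switch are outside the hunk, so that should be confirmed before the patch is queued, since a single leftover read would reintroduce the mismatch between the value sigio_perm checked and the value delivered. The hunk also rewrites the `struct fown_struct *fown,` parameter line in whitespace only, which is churn unrelated to the fix and could be dropped from a stable backport. A one-line comment at `switch (signum) {`, e.g. `/* use the sampled value below; never re-read fown->signum in this function */`, would make the intent survive future edits. send_sigio_to_task's tail is outside the hunk.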
@@ -0,0 +1,76 @@
+From 2f38d70fb4e97e7d00e12eaac45790cf6ebd7b22 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov
+Date: Tue, 16 Jun 2009 22:07:46 +0200
+Subject: shift current_cred() from __f_setown() to f_modown()
+
+From: Oleg Nesterov
+
+commit 2f38d70fb4e97e7d00e12eaac45790cf6ebd7b22 upstream.
+
+Shift current_cred() from __f_setown() to f_modown(). This reduces
+the number of arguments and saves 48 bytes from fs/fcntl.o.
+
+[ Note: this doesn't clear euid/uid when pid is set to NULL. But if
+ f_owner.pid == NULL we never use f_owner.uid/euid. Otherwise we'd
+ have a bug anyway: we must not send signals if pid was reset to NULL. ]
+
+Signed-off-by: Oleg Nesterov
+Acked-by: David Howells
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fcntl.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -198,15 +198,19 @@ static int setfl(int fd, struct file * f
+ }
+
+ static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
+- uid_t uid, uid_t euid, int force)
++ int force)
+ {
+ write_lock_irq(&filp->f_owner.lock);
+ if (force || !filp->f_owner.pid) {
+ put_pid(filp->f_owner.pid);
+ filp->f_owner.pid = get_pid(pid);
+ filp->f_owner.pid_type = type;
+- filp->f_owner.uid = uid;
+- filp->f_owner.euid = euid;
++
++ if (pid) {
++ const struct cred *cred = current_cred();
++ filp->f_owner.uid = cred->uid;
++ filp->f_owner.euid = cred->euid;
++ }
+ }
+ write_unlock_irq(&filp->f_owner.lock);
+ }
+@@ -214,14 +218,13 @@ static void f_modown(struct file *filp,
+ int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
+ int force)
+ {
+- const struct cred *cred = current_cred();
+ int err;
+-
++
+ err = security_file_set_fowner(filp);
+ if (err)
+ return err;
+
+- f_modown(filp, pid, type, cred->uid, cred->euid, force);
++ f_modown(filp, pid, type, force);
+ return 0;
+ }
+ EXPORT_SYMBOL(__f_setown);
+@@ -247,7 +250,7 @@ EXPORT_SYMBOL(f_setown);
+
+ void f_delown(struct file *filp)
+ {
+- f_modown(filp, NULL, PIDTYPE_PID, 0, 0, 1);
++ f_modown(filp, NULL, PIDTYPE_PID, 1);
+ }
+
+ pid_t f_getown(struct file *filp)
--
2.47.2
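Review bot: After this change f_delown leaves the previous owner's uid/euid in f_owner while resetting pid to NULL, an invariant the commit message defends but the code never states; a comment on the new `++ if (pid) {` block, e.g. `/* uid/euid are only consulted while ->pid is set; they are deliberately left stale when the owner is cleared */`, would stop a later change to the consumer from quietly relying on them. The consumer, sigio_perm, is outside this hunk, so whether it checks pid before comparing credentials cannot be confirmed from the patch alone and should be verified on the 2.6.29 tree. The credentials recorded are now those of the task calling f_modown rather than the ones captured at __f_setown entry; the two callers in the hunk make that the same task, but any other caller outside the hunk would see the changed semantics, which is worth a sentence in the f_modown comment.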