]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
projects / thirdparty / kernel / stable-queue.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8925deb)
Linux 2.6.25.1 v2.6.25.1
authorGreg Kroah-Hartman <gregkh@suse.de>
Thu, 1 May 2008 21:46:57 +0000 (14:46 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 1 May 2008 21:46:57 +0000 (14:46 -0700)
41 files changed:
releases/2.6.25.1/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch [moved from review-2.6.25/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/alpha-unbreak-osf-1-binaries.patch [moved from review-2.6.25/alpha-unbreak-osf-1-binaries.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/b43-add-more-btcoexist-workarounds.patch [moved from review-2.6.25/b43-add-more-btcoexist-workarounds.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/b43-workaround-dma-quirks.patch [moved from review-2.6.25/b43-workaround-dma-quirks.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/b43-workaround-invalid-bluetooth-settings.patch [moved from review-2.6.25/b43-workaround-invalid-bluetooth-settings.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch [moved from review-2.6.25/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/dm-snapshot-fix-chunksize-sector-conversion.patch [moved from review-2.6.25/dm-snapshot-fix-chunksize-sector-conversion.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/drivers-net-tehuti-use-proper-capability-check-for-raw-io-access.patch [moved from review-2.6.25/drivers-net-tehuti-use-proper-capability-check-for-raw-io-access.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch [moved from review-2.6.25/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/fix-dnotify-close-race.patch [new file with mode: 0644] patch | blob
releases/2.6.25.1/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch [moved from review-2.6.25/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch [moved from review-2.6.25/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch [moved from review-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch [moved from review-2.6.25/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/mbox [moved from review-2.6.25/mbox with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/mm-fix-possible-off-by-one-in-walk_pte_range.patch [moved from review-2.6.25/mm-fix-possible-off-by-one-in-walk_pte_range.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch [moved from review-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/rdma-nes-fix-adapter-reset-after-pxe-boot.patch [moved from review-2.6.25/rdma-nes-fix-adapter-reset-after-pxe-boot.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/rdma-nes-free-irq-before-killing-tasklet.patch [moved from review-2.6.25/rdma-nes-free-irq-before-killing-tasklet.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/rose-socket-lock-was-not-released-before-returning-to-user-space.patch [moved from review-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/rtc-pcf8583-build-fix.patch [moved from review-2.6.25/rtc-pcf8583-build-fix.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/rtnetlink-fix-bogus-assert_rtnl-warning.patch [moved from review-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/s2io-fix-memory-leak-during-free_tx_buffers.patch [moved from review-2.6.25/s2io-fix-memory-leak-during-free_tx_buffers.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch [moved from review-2.6.25/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/scsi-qla2xxx-correct-regression-in-relogin-code.patch [moved from review-2.6.25/scsi-qla2xxx-correct-regression-in-relogin-code.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch [moved from review-2.6.25/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/series [moved from review-2.6.25/series with 98% similarity] patch | blob | blame | history
releases/2.6.25.1/ssb-fix-all-ones-boardflags.patch [moved from review-2.6.25/ssb-fix-all-ones-boardflags.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch [moved from review-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch [moved from review-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/tehuti-check-register-size.patch [moved from review-2.6.25/tehuti-check-register-size.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/tehuti-move-ioctl-perm-check-closer-to-function-start.patch [moved from review-2.6.25/tehuti-move-ioctl-perm-check-closer-to-function-start.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/tg3-5701-dma-corruption-fix.patch [moved from review-2.6.25/tg3-5701-dma-corruption-fix.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch [moved from review-2.6.25/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/usb-log-an-error-message-when-usb-enumeration-fails.patch [moved from review-2.6.25/usb-log-an-error-message-when-usb-enumeration-fails.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/usb-ohci-fix-bug-in-controller-resume.patch [moved from review-2.6.25/usb-ohci-fix-bug-in-controller-resume.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/v4l-cx88-enable-radio-gpio-correctly.patch [moved from review-2.6.25/v4l-cx88-enable-radio-gpio-correctly.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/v4l-fix-vidiocgap-corruption-in-ivtv.patch [moved from review-2.6.25/v4l-fix-vidiocgap-corruption-in-ivtv.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch [moved from review-2.6.25/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch [moved from review-2.6.25/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch with 100% similarity] patch | blob | blame | history
releases/2.6.25.1/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch [moved from review-2.6.25/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch with 100% similarity] patch | blob | blame | history

diff --git a/releases/2.6.25.1/fix-dnotify-close-race.patch b/releases/2.6.25.1/fix-dnotify-close-race.patch
new file mode 100644 (file)
index 0000000..2f71ec9
--- /dev/null
+++ b/releases/2.6.25.1/fix-dnotify-close-race.patch
@@ -0,0 +1,62 @@
+From 214b7049a7929f03bbd2786aaef04b8b79db34e2 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu, 1 May 2008 03:52:22 +0100
+Subject: Fix dnotify/close race (CVE-2008-1375)
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 214b7049a7929f03bbd2786aaef04b8b79db34e2 upstream.
+
+We have a race between fcntl() and close() that can lead to
+dnotify_struct inserted into inode's list *after* the last descriptor
+had been gone from current->files.
+
+Since that's the only point where dnotify_struct gets evicted, we are
+screwed - it will stick around indefinitely.  Even after struct file in
+question is gone and freed.  Worse, we can trigger send_sigio() on it at
+any later point, which allows to send an arbitrary signal to arbitrary
+process if we manage to apply enough memory pressure to get the page
+that used to host that struct file and fill it with the right pattern...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/dnotify.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/dnotify.c
++++ b/fs/dnotify.c
+@@ -20,6 +20,7 @@
+ #include <linux/init.h>
+ #include <linux/spinlock.h>
+ #include <linux/slab.h>
++#include <linux/file.h>
+ int dir_notify_enable __read_mostly = 1;
+@@ -66,6 +67,7 @@ int fcntl_dirnotify(int fd, struct file 
+       struct dnotify_struct **prev;
+       struct inode *inode;
+       fl_owner_t id = current->files;
++      struct file *f;
+       int error = 0;
+       if ((arg & ~DN_MULTISHOT) == 0) {
+@@ -92,6 +94,15 @@ int fcntl_dirnotify(int fd, struct file 
+               prev = &odn->dn_next;
+       }
++      rcu_read_lock();
++      f = fcheck(fd);
++      rcu_read_unlock();
++      /* we'd lost the race with close(), sod off silently */
++      /* note that inode->i_lock prevents reordering problems
++       * between accesses to descriptor table and ->i_dnotify */
++      if (f != filp)
++              goto out_free;
++
+       error = __f_setown(filp, task_pid(current), PIDTYPE_PID, 0);
+       if (error)
+               goto out_free;
diff --git a/review-2.6.25/mbox b/releases/2.6.25.1/mbox
similarity index 100%
rename from review-2.6.25/mbox
rename to releases/2.6.25.1/mbox
diff --git a/review-2.6.25/series b/releases/2.6.25.1/series
similarity index 98%
rename from review-2.6.25/series
rename to releases/2.6.25.1/series
index 9049abb77c49b3d5d5fe8cb5afc3592b9bc12d10..011c70edee28f6ac1e501e4084bf22e8609cfa69 100644 (file)
--- a/review-2.6.25/series
+++ b/releases/2.6.25.1/series
@@ -36,3 +36,4 @@ alpha-unbreak-osf-1-binaries.patch
 x86-fix-32-bit-x86-msi-x-allocation-leakage.patch
 hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch
 drivers-net-tehuti-use-proper-capability-check-for-raw-io-access.patch
+fix-dnotify-close-race.patch
Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git