From: Greg Kroah-Hartman
Date: Wed, 4 May 2011 23:18:39 +0000 (-0700)
Subject: .38 patches
X-Git-Tag: v2.6.38.6~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=096f11d2241e1c6a50c6b2ec411c329395f18561;p=thirdparty%2Fkernel%2Fstable-queue.git
.38 patches
---
diff --git a/queue-2.6.38/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch b/queue-2.6.38/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
new file mode 100644
index 00000000000..11b75d9bda7
--- /dev/null
+++ b/queue-2.6.38/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
@@ -0,0 +1,85 @@
+From a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 Mon Sep 17 00:00:00 2001
+From: Eric W. Biederman
+Date: Sun, 24 Apr 2011 01:54:57 +0000
+Subject: af_unix: Only allow recv on connected seqpacket sockets.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric W. Biederman
+
+commit a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 upstream.
+
+This fixes the following oops discovered by Dan Aloni:
+> Anyway, the following is the output of the Oops that I got on the
+> Ubuntu kernel on which I first detected the problem
+> (2.6.37-12-generic). The Oops that followed will be more useful, I
+> guess.
+
+>[ 5594.669852] BUG: unable to handle kernel NULL pointer dereference
+> at           (null)
+> [ 5594.681606] IP: [] unix_dgram_recvmsg+0x1fb/0x420
+> [ 5594.687576] PGD 2a05d067 PUD 2b951067 PMD 0
+> [ 5594.693720] Oops: 0002 [#1] SMP
+> [ 5594.699888] last sysfs file:
+
+The bug was that unix domain sockets use a pseduo packet for
+connecting and accept uses that psudo packet to get the socket.
+In the buggy seqpacket case we were allowing unconnected
+sockets to call recvmsg and try to receive the pseudo packet.
+
+That is always wrong and as of commit 7361c36c5 the pseudo
+packet had become enough different from a normal packet
+that the kernel started oopsing.
+
+Do for seqpacket_recv what was done for seqpacket_send in 2.5
+and only allow it on connected seqpacket sockets.
+
+Tested-by: Dan Aloni
+Signed-off-by: Eric W. Biederman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/unix/af_unix.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -524,6 +524,8 @@ static int unix_dgram_connect(struct soc
+ int, int);
+ static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *,
+ struct msghdr *, size_t);
++static int unix_seqpacket_recvmsg(struct kiocb *, struct socket *,
++ struct msghdr *, size_t, int);
+ 
+ static const struct proto_ops unix_stream_ops = {
+ .family = PF_UNIX,
+@@ -583,7 +585,7 @@ static const struct proto_ops unix_seqpa
+ .setsockopt = sock_no_setsockopt,
+ .getsockopt = sock_no_getsockopt,
+ .sendmsg = unix_seqpacket_sendmsg,
+- .recvmsg = unix_dgram_recvmsg,
++ .recvmsg = unix_seqpacket_recvmsg,
+ .mmap = sock_no_mmap,
+ .sendpage = sock_no_sendpage,
+ };
+@@ -1695,6 +1697,18 @@ static int unix_seqpacket_sendmsg(struct
+ return unix_dgram_sendmsg(kiocb, sock, msg, len);
+ }
+ 
++static int unix_seqpacket_recvmsg(struct kiocb *iocb, struct socket *sock,
++ struct msghdr *msg, size_t size,
++ int flags)
++{
++ struct sock *sk = sock->sk;
++
++ if (sk->sk_state != TCP_ESTABLISHED)
++ return -ENOTCONN;
++
++ return unix_dgram_recvmsg(iocb, sock, msg, size, flags);
++}
++
+ static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
+ {
+ struct unix_sock *u = unix_sk(sk);
diff --git a/queue-2.6.38/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch b/queue-2.6.38/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
new file mode 100644
index 00000000000..f8dd3f97005
--- /dev/null
+++ b/queue-2.6.38/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
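Review bot: unix_seqpacket_recvmsg tests sk->sk_state without holding the socket lock, so a disconnect that lands between the check and the call can still let a no-longer-connected socket reach unix_dgram_recvmsg; whether that is harmless depends on the locking inside unix_dgram_recvmsg, which is outside the hunk and worth confirming. The reason the check exists — per the commit message, the queue of an unconnected SEQPACKET socket holds the connect pseudo packet that accept() consumes — lives only in the message; a comment above the test keeps it with the code: `/* Unconnected SEQPACKET sockets queue the connect pseudo packet that accept() consumes; recvmsg must never read it. */`. The message says this mirrors what unix_seqpacket_sendmsg already does, but that function's body lies outside the hunk, so the two checks could not be compared here.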
@@ -0,0 +1,34 @@
+From 0f22072ab50cac7983f9660d33974b45184da4f9 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Fri, 29 Apr 2011 15:48:07 +0100
+Subject: ARM: 6891/1: prevent heap corruption in OABI semtimedop
+
+From: Dan Rosenberg
+
+commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream.
+
+When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
+bound the nsops argument. A sufficiently large value will cause an
+integer overflow in allocation size, followed by copying too much data
+into the allocated buffer. Fix this by restricting nsops to SEMOPM.
+Untested.
+
+Signed-off-by: Dan Rosenberg
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/sys_oabi-compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int
+ long err;
+ int i;
+ 
+- if (nsops < 1)
++ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
diff --git a/queue-2.6.38/ath9k-fix-the-return-value-of-ath_stoprecv.patch b/queue-2.6.38/ath9k-fix-the-return-value-of-ath_stoprecv.patch
new file mode 100644
index 00000000000..4590ea8d89b
--- /dev/null
+++ b/queue-2.6.38/ath9k-fix-the-return-value-of-ath_stoprecv.patch
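Review bot: The allocation two lines below the new check still computes `sizeof(*sops) * nsops` with no overflow check of its own; the `nsops > SEMOPM` bound is what now prevents the overflow the commit message describes, but that dependency is implicit and a later relaxation of the bound would silently reopen it. Either state it next to the allocation, `/* nsops <= SEMOPM above keeps sizeof(*sops) * nsops from overflowing */`, or, if zero-filling the buffer is acceptable, use `sops = kcalloc(nsops, sizeof(*sops), GFP_KERNEL);`, whose multiplication is overflow-checked. sys_oabi_semtimedop starts and ends outside the hunk, so the declared type of nsops and the copy into sops that the message mentions could not be examined here.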
@@ -0,0 +1,35 @@
+From 2232d31bf18ba02f5cd632bbfc3466aeca394c75 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Fri, 15 Apr 2011 00:41:43 +0200
+Subject: ath9k: fix the return value of ath_stoprecv
+
+From: Felix Fietkau
+
+commit 2232d31bf18ba02f5cd632bbfc3466aeca394c75 upstream.
+
+The patch 'ath9k_hw: fix stopping rx DMA during resets' added code to detect
+a condition where rx DMA was stopped, but the MAC failed to enter the idle
+state. This condition requires a hardware reset, however the return value
+of ath_stoprecv was 'true' in that case, which allowed it to skip the reset
+when issuing a fast channel change.
+
+Signed-off-by: Felix Fietkau
+Reported-by: Paul Stewart
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath9k/recv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/recv.c
++++ b/drivers/net/wireless/ath/ath9k/recv.c
+@@ -533,7 +533,7 @@ bool ath_stoprecv(struct ath_softc *sc)
+ "confusing the DMA engine when we start RX up\n");
+ ATH_DBG_WARN_ON_ONCE(!stopped);
+ }
+- return stopped || reset;
++ return stopped && !reset;
+ }
+ 
+ void ath_flushrecv(struct ath_softc *sc)
diff --git a/queue-2.6.38/can-add-missing-socket-check-in-can-bcm-release.patch b/queue-2.6.38/can-add-missing-socket-check-in-can-bcm-release.patch
new file mode 100644
index 00000000000..f0a7c0860b3
--- /dev/null
+++ b/queue-2.6.38/can-add-missing-socket-check-in-can-bcm-release.patch
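Review bot: `return stopped && !reset;` inverts what the removed line returned for the `reset` case, yet nothing in the code states what a caller may conclude from the bool; the commit message is the only place saying that a true result lets a fast channel change skip the hardware reset. A comment above the return would pin the contract to the code: `/* true only when RX DMA stopped and the MAC went idle; false tells the caller a full reset is required */`. ath_stoprecv begins outside the hunk, so where `reset` and `stopped` are computed could not be checked against this reading.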
@@ -0,0 +1,38 @@
+From c6914a6f261aca0c9f715f883a353ae7ff51fe83 Mon Sep 17 00:00:00 2001
+From: Dave Jones
+Date: Tue, 19 Apr 2011 20:36:59 -0700
+Subject: can: Add missing socket check in can/bcm release.
+
+From: Dave Jones
+
+commit c6914a6f261aca0c9f715f883a353ae7ff51fe83 upstream.
+
+We can get here with a NULL socket argument passed from userspace,
+so we need to handle it accordingly.
+
+Signed-off-by: Dave Jones
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/can/bcm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1427,9 +1427,14 @@ static int bcm_init(struct sock *sk)
+ static int bcm_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+- struct bcm_sock *bo = bcm_sk(sk);
++ struct bcm_sock *bo;
+ struct bcm_op *op, *next;
+ 
++ if (sk == NULL)
++ return 0;
++
++ bo = bcm_sk(sk);
++
+ /* remove bcm_ops, timer, rx_unregister(), etc. */
+ 
+ unregister_netdevice_notifier(&bo->notifier);
diff --git a/queue-2.6.38/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch b/queue-2.6.38/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch
new file mode 100644
index 00000000000..f637b4d3311
--- /dev/null
+++ b/queue-2.6.38/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch
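Review bot: `if (sk == NULL)` on the added line is the form kernel style discourages; the pointer tests elsewhere in this series (`if (!sops)` in the ARM patch) use the idiomatic `if (!sk)`. The commit message is also the only place recording why sock->sk can be NULL at release time; a short comment at the check keeps that with the code, e.g. `/* sock->sk can be NULL here (see commit c6914a6f261a); nothing to tear down */`. bcm_release's body continues past the hunk, so the rest of the teardown was not reviewed here.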
@@ -0,0 +1,69 @@
+From c340b1d640001c8c9ecff74f68fd90422ae2448a Mon Sep 17 00:00:00 2001
+From: Timo Warns
+Date: Thu, 14 Apr 2011 15:21:56 -0700
+Subject: fs/partitions/ldm.c: fix oops caused by corrupted partition table
+
+From: Timo Warns
+
+commit c340b1d640001c8c9ecff74f68fd90422ae2448a upstream.
+
+The kernel automatically evaluates partition tables of storage devices.
+The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
+a bug that causes a kernel oops on certain corrupted LDM partitions.
+A kernel subsystem seems to crash, because, after the oops, the kernel no
+longer recognizes newly connected storage devices.
+
+The patch validates the value of vblk_size.
+
+[akpm@linux-foundation.org: coding-style fixes]
+Signed-off-by: Timo Warns
+Cc: Eugene Teo
+Cc: Harvey Harrison
+Cc: Richard Russon
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/partitions/ldm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/partitions/ldm.c
++++ b/fs/partitions/ldm.c
+@@ -1299,6 +1299,11 @@ static bool ldm_frag_add (const u8 *data
+ 
+ BUG_ON (!data || !frags);
+ 
++ if (size < 2 * VBLK_SIZE_HEAD) {
++ ldm_error("Value of size is to small.");
++ return false;
++ }
++
+ group = get_unaligned_be32(data + 0x08);
+ rec = get_unaligned_be16(data + 0x0C);
+ num = get_unaligned_be16(data + 0x0E);
+@@ -1306,6 +1311,10 @@ static bool ldm_frag_add (const u8 *data
+ ldm_error ("A VBLK claims to have %d parts.", num);
+ return false;
+ }
++ if (rec >= num) {
++ ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
++ return false;
++ }
+ 
+ list_for_each (item, frags) {
+ f = list_entry (item, struct frag, list);
+@@ -1334,10 +1343,9 @@ found:
+ 
+ f->map |= (1 << rec);
+ 
+- if (num > 0) {
+- data += VBLK_SIZE_HEAD;
+- size -= VBLK_SIZE_HEAD;
+- }
++ data += VBLK_SIZE_HEAD;
++ size -= VBLK_SIZE_HEAD;
++
+ memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
+ 
+ return true;
diff --git a/queue-2.6.38/mac80211-fix-smps-debugfs-locking.patch b/queue-2.6.38/mac80211-fix-smps-debugfs-locking.patch
new file mode 100644
index 00000000000..c4760ebef58
--- /dev/null
+++ b/queue-2.6.38/mac80211-fix-smps-debugfs-locking.patch
@@ -0,0 +1,52 @@
+From 243e6df4ed919880d079d717641ad699c6530a03 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 19 Apr 2011 20:44:04 +0200
+Subject: mac80211: fix SMPS debugfs locking
+
+From: Johannes Berg
+
+commit 243e6df4ed919880d079d717641ad699c6530a03 upstream.
+
+The locking with SMPS requests means that the
+debugs file should lock the mgd mutex, not the
+iflist mutex. Calls to __ieee80211_request_smps()
+need to hold that mutex, so add an assertion.
+
+This has always been wrong, but for some reason
+never been noticed, probably because the locking
+error only happens while unassociated.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/cfg.c | 2 ++
+ net/mac80211/debugfs_netdev.c | 4 ++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1471,6 +1471,8 @@ int __ieee80211_request_smps(struct ieee
+ enum ieee80211_smps_mode old_req;
+ int err;
+ 
++ lockdep_assert_held(&sdata->u.mgd.mtx);
++
+ old_req = sdata->u.mgd.req_smps;
+ sdata->u.mgd.req_smps = smps_mode;
+ 
+--- a/net/mac80211/debugfs_netdev.c
++++ b/net/mac80211/debugfs_netdev.c
+@@ -172,9 +172,9 @@ static int ieee80211_set_smps(struct iee
+ if (sdata->vif.type != NL80211_IFTYPE_STATION)
+ return -EOPNOTSUPP;
+ 
+- mutex_lock(&local->iflist_mtx);
++ mutex_lock(&sdata->u.mgd.mtx);
+ err = __ieee80211_request_smps(sdata, smps_mode);
+- mutex_unlock(&local->iflist_mtx);
++ mutex_unlock(&sdata->u.mgd.mtx);
+ 
+ return err;
+ }
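Review bot: After `size -= VBLK_SIZE_HEAD;` the memcpy still derives the per-fragment stride from this VBLK's own size, `rec*(size-VBLK_SIZE_HEAD)`, and the new `size < 2 * VBLK_SIZE_HEAD` guard only keeps that stride non-negative; nothing in the hunk checks that `rec*(size-VBLK_SIZE_HEAD)+size` stays within the buffer f->data was allocated with, and the allocation (and the `found:` path that reuses an existing frag) sits outside the hunk. That relationship should either be checked where the frag is created or stated at the copy, `/* assumes every fragment of this VBLK carries the same size as the first — TODO confirm against the allocation */`, since the data here comes straight from an on-disk partition table. The new message `"Value of size is to small."` should read "too small". ldm_frag_add starts and ends outside the hunk.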
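Review bot: The two replaced lines in ieee80211_set_smps were the only visible uses of `local`; if it is declared earlier in the function (outside the hunk) solely for the iflist mutex, it is now an unused variable and will draw a compiler warning, so the declaration should be dropped with it. `lockdep_assert_held(&sdata->u.mgd.mtx)` in __ieee80211_request_smps only checks anything on lockdep-enabled builds, so the precondition should also be written at the function, `/* Caller must hold sdata->u.mgd.mtx. */`, for readers of production configs. Both functions begin outside the hunk.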
diff --git a/queue-2.6.38/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch b/queue-2.6.38/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
new file mode 100644
index 00000000000..f7b05e209e8
--- /dev/null
+++ b/queue-2.6.38/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
@@ -0,0 +1,55 @@
+From 1574dff8996ab1ed92c09012f8038b5566fce313 Mon Sep 17 00:00:00 2001
+From: Sachin Prabhu
+Date: Wed, 20 Apr 2011 13:09:35 +0100
+Subject: Open with O_CREAT flag set fails to open existing files on non writable directories
+
+From: Sachin Prabhu
+
+commit 1574dff8996ab1ed92c09012f8038b5566fce313 upstream.
+
+An open on a NFS4 share using the O_CREAT flag on an existing file for
+which we have permissions to open but contained in a directory with no
+write permissions will fail with EACCES.
+
+A tcpdump shows that the client had set the open mode to UNCHECKED which
+indicates that the file should be created if it doesn't exist and
+encountering an existing flag is not an error. Since in this case the
+file exists and can be opened by the user, the NFS server is wrong in
+attempting to check create permissions on the parent directory.
+
+The patch adds a conditional statement to check for create permissions
+only if the file doesn't exist.
+
+Signed-off-by: Sachin S. Prabhu
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/vfs.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1363,7 +1363,7 @@ nfsd_create_v3(struct svc_rqst *rqstp, s
+ goto out;
+ if (!(iap->ia_valid & ATTR_MODE))
+ iap->ia_mode = 0;
+- err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
++ err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_EXEC);
+ if (err)
+ goto out;
+ 
+@@ -1385,6 +1385,13 @@ nfsd_create_v3(struct svc_rqst *rqstp, s
+ if (IS_ERR(dchild))
+ goto out_nfserr;
+ 
++ /* If file doesn't exist, check for permissions to create one */
++ if (!dchild->d_inode) {
++ err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
++ if (err)
++ goto out;
++ }
++
+ err = fh_compose(resfhp, fhp->fh_export, dchild, fhp);
+ if (err)
+ goto out;
diff --git a/queue-2.6.38/series b/queue-2.6.38/series
index 5fb2fb0c9d2..a9e0c9731ca 100644
--- a/queue-2.6.38/series
+++ b/queue-2.6.38/series
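Review bot: The new `goto out` inside the `!dchild->d_inode` block leaves with the dentry returned by the lookup still held, on a path that previously did not exist; the neighbouring `IS_ERR(dchild)` case goes to out_nfserr and the fh_compose failure goes to out, so this is only correct if the `out:` label (outside the hunk) releases dchild on every arrival — worth confirming rather than assuming. The added comment says what the block does but not why it moved: `/* Existing file: the caller needs only search permission on the parent (checked above as NFSD_MAY_EXEC); create permission is required only when the child is absent. */` would explain the NFSD_MAY_CREATE → NFSD_MAY_EXEC change in the first hunk as well. If the NFSv2 create path in the same file performs the same MAY_CREATE check before lookup, it likely wants the same treatment; it is not visible here. nfsd_create_v3 starts and ends outside the hunk.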
@@ -25,3 +25,11 @@ imon-add-conditional-locking-in-change_protocol.patch
 flex_array-flex_array_prealloc-takes-a-number-of-elements-not-an-end.patch
 flex_arrays-allow-zero-length-flex-arrays.patch
 x86-amd-fix-apic-timer-erratum-400-affecting-k8-rev.a-e-processors.patch
+ath9k-fix-the-return-value-of-ath_stoprecv.patch
+mac80211-fix-smps-debugfs-locking.patch
+af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
+arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
+xz-decompressor-fix-decoding-of-empty-lzma2-streams.patch
+open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
+can-add-missing-socket-check-in-can-bcm-release.patch
+fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch
diff --git a/queue-2.6.38/xz-decompressor-fix-decoding-of-empty-lzma2-streams.patch b/queue-2.6.38/xz-decompressor-fix-decoding-of-empty-lzma2-streams.patch
new file mode 100644
index 00000000000..70c4c1b453e
--- /dev/null
+++ b/queue-2.6.38/xz-decompressor-fix-decoding-of-empty-lzma2-streams.patch
@@ -0,0 +1,44 @@
+From 646032e3b05b32d3f20cb108a030593d9d792eb5 Mon Sep 17 00:00:00 2001
+From: Lasse Collin
+Date: Sun, 1 May 2011 19:38:42 +0300
+Subject: XZ decompressor: Fix decoding of empty LZMA2 streams
+
+From: Lasse Collin
+
+commit 646032e3b05b32d3f20cb108a030593d9d792eb5 upstream.
+
+The old code considered valid empty LZMA2 streams to be corrupt.
+Note that a typical empty .xz file has no LZMA2 data at all,
+and thus most .xz files having no uncompressed data are handled
+correctly even without this fix.
+
+Signed-off-by: Lasse Collin
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/xz/xz_dec_lzma2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/xz/xz_dec_lzma2.c
++++ b/lib/xz/xz_dec_lzma2.c
+@@ -969,6 +969,9 @@ XZ_EXTERN enum xz_ret xz_dec_lzma2_run(s
+ */
+ tmp = b->in[b->in_pos++];
+ 
++ if (tmp == 0x00)
++ return XZ_STREAM_END;
++
+ if (tmp >= 0xE0 || tmp == 0x01) {
+ s->lzma2.need_props = true;
+ s->lzma2.need_dict_reset = false;
+@@ -1001,9 +1004,6 @@ XZ_EXTERN enum xz_ret xz_dec_lzma2_run(s
+ lzma_reset(s);
+ }
+ } else {
+- if (tmp == 0x00)
+- return XZ_STREAM_END;
+-
+ if (tmp > 0x02)
+ return XZ_DATA_ERROR;
+ 
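Review bot: Hoisting `tmp == 0x00` above the control-byte classification means the end marker is accepted before any of the state checks in the branches below run; if those branches are where `need_dict_reset` or `need_props` is enforced (the code between the two inner hunks is not visible), an empty stream now legitimately bypasses them, which is the intent per the commit message but is not stated in the code. A comment on the new check would make that invariant explicit: `/* 0x00 is the LZMA2 end marker. It is valid even as the very first chunk (an empty stream), so check it before the need_props/need_dict_reset handling. */`. The control byte comes straight from untrusted input, so keeping the accepted-value set documented next to the check helps future audits. xz_dec_lzma2_run starts and ends outside the hunk.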