From: Greg Kroah-Hartman
Date: Thu, 1 May 2008 21:46:57 +0000 (-0700)
Subject: Linux 2.6.25.1
X-Git-Tag: v2.6.25.1^0
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b526939b3b751d80056922400adfade4eeed9ecb;p=thirdparty%2Fkernel%2Fstable-queue.git
Linux 2.6.25.1
---
diff --git a/review-2.6.25/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch b/releases/2.6.25.1/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch
similarity index 100%
rename from review-2.6.25/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch
rename to releases/2.6.25.1/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch
diff --git a/review-2.6.25/alpha-unbreak-osf-1-binaries.patch b/releases/2.6.25.1/alpha-unbreak-osf-1-binaries.patch
similarity index 100%
rename from review-2.6.25/alpha-unbreak-osf-1-binaries.patch
rename to releases/2.6.25.1/alpha-unbreak-osf-1-binaries.patch
diff --git a/review-2.6.25/b43-add-more-btcoexist-workarounds.patch b/releases/2.6.25.1/b43-add-more-btcoexist-workarounds.patch
similarity index 100%
rename from review-2.6.25/b43-add-more-btcoexist-workarounds.patch
rename to releases/2.6.25.1/b43-add-more-btcoexist-workarounds.patch
diff --git a/review-2.6.25/b43-workaround-dma-quirks.patch b/releases/2.6.25.1/b43-workaround-dma-quirks.patch
similarity index 100%
rename from review-2.6.25/b43-workaround-dma-quirks.patch
rename to releases/2.6.25.1/b43-workaround-dma-quirks.patch
diff --git a/review-2.6.25/b43-workaround-invalid-bluetooth-settings.patch b/releases/2.6.25.1/b43-workaround-invalid-bluetooth-settings.patch
similarity index 100%
rename from review-2.6.25/b43-workaround-invalid-bluetooth-settings.patch
rename to releases/2.6.25.1/b43-workaround-invalid-bluetooth-settings.patch
diff --git a/review-2.6.25/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch b/releases/2.6.25.1/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch
similarity index 100%
rename from review-2.6.25/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch
rename to releases/2.6.25.1/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch
diff --git a/review-2.6.25/dm-snapshot-fix-chunksize-sector-conversion.patch b/releases/2.6.25.1/dm-snapshot-fix-chunksize-sector-conversion.patch
similarity index 100%
rename from review-2.6.25/dm-snapshot-fix-chunksize-sector-conversion.patch
rename to releases/2.6.25.1/dm-snapshot-fix-chunksize-sector-conversion.patch
diff --git a/review-2.6.25/drivers-net-tehuti-use-proper-capability-check-for-raw-io-access.patch b/releases/2.6.25.1/drivers-net-tehuti-use-proper-capability-check-for-raw-io-access.patch
similarity index 100%
rename from review-2.6.25/drivers-net-tehuti-use-proper-capability-check-for-raw-io-access.patch
rename to releases/2.6.25.1/drivers-net-tehuti-use-proper-capability-check-for-raw-io-access.patch
diff --git a/review-2.6.25/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch b/releases/2.6.25.1/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch
similarity index 100%
rename from review-2.6.25/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch
rename to releases/2.6.25.1/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch
diff --git a/releases/2.6.25.1/fix-dnotify-close-race.patch b/releases/2.6.25.1/fix-dnotify-close-race.patch
new file mode 100644
index 00000000000..2f71ec98e2b
--- /dev/null
+++ b/releases/2.6.25.1/fix-dnotify-close-race.patch
@@ -0,0 +1,62 @@
+From 214b7049a7929f03bbd2786aaef04b8b79db34e2 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Thu, 1 May 2008 03:52:22 +0100
+Subject: Fix dnotify/close race (CVE-2008-1375)
+
+From: Al Viro
+
+commit 214b7049a7929f03bbd2786aaef04b8b79db34e2 upstream.
+
+We have a race between fcntl() and close() that can lead to
+dnotify_struct inserted into inode's list *after* the last descriptor
+had been gone from current->files.
+
+Since that's the only point where dnotify_struct gets evicted, we are
+screwed - it will stick around indefinitely. Even after struct file in
+question is gone and freed. Worse, we can trigger send_sigio() on it at
+any later point, which allows to send an arbitrary signal to arbitrary
+process if we manage to apply enough memory pressure to get the page
+that used to host that struct file and fill it with the right pattern...
+
+Signed-off-by: Al Viro
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/dnotify.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/dnotify.c
++++ b/fs/dnotify.c
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+
+ int dir_notify_enable __read_mostly = 1;
+
+@@ -66,6 +67,7 @@ int fcntl_dirnotify(int fd, struct file
+ struct dnotify_struct **prev;
+ struct inode *inode;
+ fl_owner_t id = current->files;
++ struct file *f;
+ int error = 0;
+
+ if ((arg & ~DN_MULTISHOT) == 0) {
+@@ -92,6 +94,15 @@ int fcntl_dirnotify(int fd, struct file
+ prev = &odn->dn_next;
+ }
+
++ rcu_read_lock();
++ f = fcheck(fd);
++ rcu_read_unlock();
++ /* we'd lost the race with close(), sod off silently */
++ /* note that inode->i_lock prevents reordering problems
++ * between accesses to descriptor table and ->i_dnotify */
++ if (f != filp)
++ goto out_free;
++
+ error = __f_setown(filp, task_pid(current), PIDTYPE_PID, 0);
+ if (error)
+ goto out_free;
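Review bot: The two comments added above `if (f != filp)` in the third fs/dnotify.c hunk explain why the check exists but not the rule that makes it safe: `f` is fetched under `rcu_read_lock()` and then used after `rcu_read_unlock()`, which is sound only because it is compared by identity and never dereferenced. I would fold them into a single kernel-style block comment that keeps the existing wording and adds `f is only compared against filp, never dereferenced, so using it after rcu_read_unlock() is fine`. The same comment could state that the lost-race path appears to report success, since `error` is initialised to 0 in the second hunk and nothing visible changes it before `goto out_free`; that looks intentional because the descriptor is already gone from the caller's table. The rest of fcntl_dirnotify(), including where inode->i_lock is taken and the out_free label, lies outside the hunks shown, so the locking claim in the comment cannot be checked from here.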
diff --git a/review-2.6.25/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch b/releases/2.6.25.1/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch
similarity index 100%
rename from review-2.6.25/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch
rename to releases/2.6.25.1/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch
diff --git a/review-2.6.25/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch b/releases/2.6.25.1/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch
similarity index 100%
rename from review-2.6.25/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch
rename to releases/2.6.25.1/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch
diff --git a/review-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch b/releases/2.6.25.1/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch
similarity index 100%
rename from review-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch
rename to releases/2.6.25.1/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch
diff --git a/review-2.6.25/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch b/releases/2.6.25.1/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch
similarity index 100%
rename from review-2.6.25/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch
rename to releases/2.6.25.1/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch
diff --git a/review-2.6.25/mbox b/releases/2.6.25.1/mbox
similarity index 100%
rename from review-2.6.25/mbox
rename to releases/2.6.25.1/mbox
diff --git a/review-2.6.25/mm-fix-possible-off-by-one-in-walk_pte_range.patch b/releases/2.6.25.1/mm-fix-possible-off-by-one-in-walk_pte_range.patch
similarity index 100%
rename from review-2.6.25/mm-fix-possible-off-by-one-in-walk_pte_range.patch
rename to releases/2.6.25.1/mm-fix-possible-off-by-one-in-walk_pte_range.patch
diff --git a/review-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch b/releases/2.6.25.1/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch
similarity index 100%
rename from review-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch
rename to releases/2.6.25.1/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch
diff --git a/review-2.6.25/rdma-nes-fix-adapter-reset-after-pxe-boot.patch b/releases/2.6.25.1/rdma-nes-fix-adapter-reset-after-pxe-boot.patch
similarity index 100%
rename from review-2.6.25/rdma-nes-fix-adapter-reset-after-pxe-boot.patch
rename to releases/2.6.25.1/rdma-nes-fix-adapter-reset-after-pxe-boot.patch
diff --git a/review-2.6.25/rdma-nes-free-irq-before-killing-tasklet.patch b/releases/2.6.25.1/rdma-nes-free-irq-before-killing-tasklet.patch
similarity index 100%
rename from review-2.6.25/rdma-nes-free-irq-before-killing-tasklet.patch
rename to releases/2.6.25.1/rdma-nes-free-irq-before-killing-tasklet.patch
diff --git a/review-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch b/releases/2.6.25.1/rose-socket-lock-was-not-released-before-returning-to-user-space.patch
similarity index 100%
rename from review-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch
rename to releases/2.6.25.1/rose-socket-lock-was-not-released-before-returning-to-user-space.patch
diff --git a/review-2.6.25/rtc-pcf8583-build-fix.patch b/releases/2.6.25.1/rtc-pcf8583-build-fix.patch
similarity index 100%
rename from review-2.6.25/rtc-pcf8583-build-fix.patch
rename to releases/2.6.25.1/rtc-pcf8583-build-fix.patch
diff --git a/review-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch b/releases/2.6.25.1/rtnetlink-fix-bogus-assert_rtnl-warning.patch
similarity index 100%
rename from review-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch
rename to releases/2.6.25.1/rtnetlink-fix-bogus-assert_rtnl-warning.patch
diff --git a/review-2.6.25/s2io-fix-memory-leak-during-free_tx_buffers.patch b/releases/2.6.25.1/s2io-fix-memory-leak-during-free_tx_buffers.patch
similarity index 100%
rename from review-2.6.25/s2io-fix-memory-leak-during-free_tx_buffers.patch
rename to releases/2.6.25.1/s2io-fix-memory-leak-during-free_tx_buffers.patch
diff --git a/review-2.6.25/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch b/releases/2.6.25.1/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch
similarity index 100%
rename from review-2.6.25/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch
rename to releases/2.6.25.1/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch
diff --git a/review-2.6.25/scsi-qla2xxx-correct-regression-in-relogin-code.patch b/releases/2.6.25.1/scsi-qla2xxx-correct-regression-in-relogin-code.patch
similarity index 100%
rename from review-2.6.25/scsi-qla2xxx-correct-regression-in-relogin-code.patch
rename to releases/2.6.25.1/scsi-qla2xxx-correct-regression-in-relogin-code.patch
diff --git a/review-2.6.25/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch b/releases/2.6.25.1/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch
similarity index 100%
rename from review-2.6.25/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch
rename to releases/2.6.25.1/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch
diff --git a/review-2.6.25/series b/releases/2.6.25.1/series
similarity index 98%
rename from review-2.6.25/series
rename to releases/2.6.25.1/series
index 9049abb77c4..011c70edee2 100644
--- a/review-2.6.25/series
+++ b/releases/2.6.25.1/series
@@ -36,3 +36,4 @@ alpha-unbreak-osf-1-binaries.patch
 x86-fix-32-bit-x86-msi-x-allocation-leakage.patch
 hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch
 drivers-net-tehuti-use-proper-capability-check-for-raw-io-access.patch
+fix-dnotify-close-race.patch
diff --git a/review-2.6.25/ssb-fix-all-ones-boardflags.patch b/releases/2.6.25.1/ssb-fix-all-ones-boardflags.patch
similarity index 100%
rename from review-2.6.25/ssb-fix-all-ones-boardflags.patch
rename to releases/2.6.25.1/ssb-fix-all-ones-boardflags.patch
diff --git a/review-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch b/releases/2.6.25.1/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch
similarity index 100%
rename from review-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch
rename to releases/2.6.25.1/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch
diff --git a/review-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch b/releases/2.6.25.1/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch
similarity index 100%
rename from review-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch
rename to releases/2.6.25.1/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch
diff --git a/review-2.6.25/tehuti-check-register-size.patch b/releases/2.6.25.1/tehuti-check-register-size.patch
similarity index 100%
rename from review-2.6.25/tehuti-check-register-size.patch
rename to releases/2.6.25.1/tehuti-check-register-size.patch
diff --git a/review-2.6.25/tehuti-move-ioctl-perm-check-closer-to-function-start.patch b/releases/2.6.25.1/tehuti-move-ioctl-perm-check-closer-to-function-start.patch
similarity index 100%
rename from review-2.6.25/tehuti-move-ioctl-perm-check-closer-to-function-start.patch
rename to releases/2.6.25.1/tehuti-move-ioctl-perm-check-closer-to-function-start.patch
diff --git a/review-2.6.25/tg3-5701-dma-corruption-fix.patch b/releases/2.6.25.1/tg3-5701-dma-corruption-fix.patch
similarity index 100%
rename from review-2.6.25/tg3-5701-dma-corruption-fix.patch
rename to releases/2.6.25.1/tg3-5701-dma-corruption-fix.patch
diff --git a/review-2.6.25/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch b/releases/2.6.25.1/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch
similarity index 100%
rename from review-2.6.25/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch
rename to releases/2.6.25.1/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch
diff --git a/review-2.6.25/usb-log-an-error-message-when-usb-enumeration-fails.patch b/releases/2.6.25.1/usb-log-an-error-message-when-usb-enumeration-fails.patch
similarity index 100%
rename from review-2.6.25/usb-log-an-error-message-when-usb-enumeration-fails.patch
rename to releases/2.6.25.1/usb-log-an-error-message-when-usb-enumeration-fails.patch
diff --git a/review-2.6.25/usb-ohci-fix-bug-in-controller-resume.patch b/releases/2.6.25.1/usb-ohci-fix-bug-in-controller-resume.patch
similarity index 100%
rename from review-2.6.25/usb-ohci-fix-bug-in-controller-resume.patch
rename to releases/2.6.25.1/usb-ohci-fix-bug-in-controller-resume.patch
diff --git a/review-2.6.25/v4l-cx88-enable-radio-gpio-correctly.patch b/releases/2.6.25.1/v4l-cx88-enable-radio-gpio-correctly.patch
similarity index 100%
rename from review-2.6.25/v4l-cx88-enable-radio-gpio-correctly.patch
rename to releases/2.6.25.1/v4l-cx88-enable-radio-gpio-correctly.patch
diff --git a/review-2.6.25/v4l-fix-vidiocgap-corruption-in-ivtv.patch b/releases/2.6.25.1/v4l-fix-vidiocgap-corruption-in-ivtv.patch
similarity index 100%
rename from review-2.6.25/v4l-fix-vidiocgap-corruption-in-ivtv.patch
rename to releases/2.6.25.1/v4l-fix-vidiocgap-corruption-in-ivtv.patch
diff --git a/review-2.6.25/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch b/releases/2.6.25.1/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch
similarity index 100%
rename from review-2.6.25/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch
rename to releases/2.6.25.1/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch
diff --git a/review-2.6.25/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch b/releases/2.6.25.1/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch
similarity index 100%
rename from review-2.6.25/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch
rename to releases/2.6.25.1/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch
diff --git a/review-2.6.25/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch b/releases/2.6.25.1/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch
similarity index 100%
rename from review-2.6.25/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch
rename to releases/2.6.25.1/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch