From: Greg Kroah-Hartman Date: Thu, 23 Oct 2008 21:12:06 +0000 (-0700) Subject: .26 patches X-Git-Tag: v2.6.27.5~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cc0481cbd3760695dd90944c59fa2b67bd7c3556;p=thirdparty%2Fkernel%2Fstable-queue.git .26 patches
---
diff --git a/queue-2.6.26/edac-cell-fix-incorrect-edac_mode.patch b/queue-2.6.26/edac-cell-fix-incorrect-edac_mode.patch
new file mode 100644
index 00000000000..cf3eadc61c3
--- /dev/null
+++ b/queue-2.6.26/edac-cell-fix-incorrect-edac_mode.patch
@@ -0,0 +1,36 @@
+From jejb@kernel.org Thu Oct 23 12:58:23 2008
+From: Benjamin Herrenschmidt
+Date: Mon, 20 Oct 2008 16:50:07 GMT
+Subject: edac cell: fix incorrect edac_mode
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810201650.m9KGo7ld012751@hera.kernel.org>
+
+From: Benjamin Herrenschmidt
+
+commit 3b274f44d2ca05f719fe39947b6a5293a2dbd8fd upstream
+
+The cell_edac driver is setting the edac_mode field of the csrow's to an
+incorrect value, causing the sysfs show routine for that field to go out
+of an array bound and Oopsing the kernel when used.
+
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Doug Thompson
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/edac/cell_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/cell_edac.c
++++ b/drivers/edac/cell_edac.c
+@@ -141,7 +141,7 @@ static void __devinit cell_edac_init_csr
+ csrow->nr_pages = (r.end - r.start + 1) >> PAGE_SHIFT;
+ csrow->last_page = csrow->first_page + csrow->nr_pages - 1;
+ csrow->mtype = MEM_XDR;
+- csrow->edac_mode = EDAC_FLAG_EC | EDAC_FLAG_SECDED;
++ csrow->edac_mode = EDAC_SECDED;
+ dev_dbg(mci->dev,
+ "Initialized on node %d, chanmask=0x%x,"
+ " first_page=0x%lx, nr_pages=0x%x\n",
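Review bot: The out-of-bounds read described in the commit message is corrected only at this one writer of `csrow->edac_mode`. The sysfs show routine that indexes an array with the field is not part of the hunk; if it still has no range check, any other driver that stores an `EDAC_FLAG_*` bitmask here would trigger the same oops, so a bounds check in that routine would contain the whole class. At the assignment, a short comment such as `/* edac_mode is an EDAC_* enum value used as an index, not an EDAC_FLAG_* bitmask */` would keep the mistake from coming back. The enclosing function starts and ends outside the hunk.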
diff --git a/queue-2.6.26/ext-avoid-printk-floods-in-the-face-of-directory-corruption.patch b/queue-2.6.26/ext-avoid-printk-floods-in-the-face-of-directory-corruption.patch
new file mode 100644
index 00000000000..6678edabb23
--- /dev/null
+++ b/queue-2.6.26/ext-avoid-printk-floods-in-the-face-of-directory-corruption.patch
@@ -0,0 +1,247 @@ +From sandeen@redhat.com Thu Oct 23 13:13:44 2008 +From: Eric Sandeen +Date: Wed, 22 Oct 2008 10:11:52 -0500 +Subject: ext[234]: Avoid printk floods in the face of directory corruption (CVE-2008-3528) +To: stable@kernel.org +Cc: ext4 development +Message-ID: <48FF42B8.3030606@redhat.com> + +From: Eric Sandeen + +This is a trivial backport of the following upstream commits: + +- bd39597cbd42a784105a04010100e27267481c67 (ext2) +- cdbf6dba28e8e6268c8420857696309470009fd9 (ext3) +- 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4) + +This addresses CVE-2008-3528 + +ext[234]: Avoid printk floods in the face of directory corruption + +Note: some people thinks this represents a security bug, since it +might make the system go away while it is printing a large number of +console messages, especially if a serial console is involved. Hence, +it has been assigned CVE-2008-3528, but it requires that the attacker +either has physical access to your machine to insert a USB disk with a +corrupted filesystem image (at which point why not just hit the power +button), or is otherwise able to convince the system administrator to +mount an arbitrary filesystem image (at which point why not just +include a setuid shell or world-writable hard disk device file or some +such). Me, I think they're just being silly. 
--tytso + +Signed-off-by: Eric Sandeen +Signed-off-by: "Theodore Ts'o" +Cc: linux-ext4@vger.kernel.org +Cc: Eugene Teo +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext2/dir.c | 60 +++++++++++++++++++++++++++++++++------------------------- + fs/ext3/dir.c | 10 ++++++--- + fs/ext4/dir.c | 11 +++++++--- + 3 files changed, 50 insertions(+), 31 deletions(-) + +--- a/fs/ext2/dir.c ++++ b/fs/ext2/dir.c +@@ -103,7 +103,7 @@ static int ext2_commit_chunk(struct page + return err; + } + +-static void ext2_check_page(struct page *page) ++static void ext2_check_page(struct page *page, int quiet) + { + struct inode *dir = page->mapping->host; + struct super_block *sb = dir->i_sb; +@@ -146,10 +146,10 @@ out: + /* Too bad, we had an error */ + + Ebadsize: +- ext2_error(sb, "ext2_check_page", +- "size of directory #%lu is not a multiple of chunk size", +- dir->i_ino +- ); ++ if (!quiet) ++ ext2_error(sb, __func__, ++ "size of directory #%lu is not a multiple " ++ "of chunk size", dir->i_ino); + goto fail; + Eshort: + error = "rec_len is smaller than minimal"; +@@ -166,32 +166,36 @@ Espan: + Einumber: + error = "inode out of bounds"; + bad_entry: +- ext2_error (sb, "ext2_check_page", "bad entry in directory #%lu: %s - " +- "offset=%lu, inode=%lu, rec_len=%d, name_len=%d", +- dir->i_ino, error, (page->index<inode), +- rec_len, p->name_len); ++ if (!quiet) ++ ext2_error(sb, __func__, "bad entry in directory #%lu: : %s - " ++ "offset=%lu, inode=%lu, rec_len=%d, name_len=%d", ++ dir->i_ino, error, (page->index<inode), ++ rec_len, p->name_len); + goto fail; + Eend: +- p = (ext2_dirent *)(kaddr + offs); +- ext2_error (sb, "ext2_check_page", +- "entry in directory #%lu spans the page boundary" +- "offset=%lu, inode=%lu", +- dir->i_ino, (page->index<inode)); ++ if (!quiet) { ++ p = (ext2_dirent *)(kaddr + offs); ++ ext2_error(sb, "ext2_check_page", ++ "entry in directory #%lu spans the page boundary" ++ "offset=%lu, inode=%lu", ++ dir->i_ino, (page->index<inode)); ++ } + fail: + 
SetPageChecked(page); + SetPageError(page); + } + +-static struct page * ext2_get_page(struct inode *dir, unsigned long n) ++static struct page * ext2_get_page(struct inode *dir, unsigned long n, ++ int quiet) + { + struct address_space *mapping = dir->i_mapping; + struct page *page = read_mapping_page(mapping, n, NULL); + if (!IS_ERR(page)) { + kmap(page); + if (!PageChecked(page)) +- ext2_check_page(page); ++ ext2_check_page(page, quiet); + if (PageError(page)) + goto fail; + } +@@ -292,7 +296,7 @@ ext2_readdir (struct file * filp, void * + for ( ; n < npages; n++, offset = 0) { + char *kaddr, *limit; + ext2_dirent *de; +- struct page *page = ext2_get_page(inode, n); ++ struct page *page = ext2_get_page(inode, n, 0); + + if (IS_ERR(page)) { + ext2_error(sb, __func__, +@@ -361,6 +365,7 @@ struct ext2_dir_entry_2 * ext2_find_entr + struct page *page = NULL; + struct ext2_inode_info *ei = EXT2_I(dir); + ext2_dirent * de; ++ int dir_has_error = 0; + + if (npages == 0) + goto out; +@@ -374,7 +379,7 @@ struct ext2_dir_entry_2 * ext2_find_entr + n = start; + do { + char *kaddr; +- page = ext2_get_page(dir, n); ++ page = ext2_get_page(dir, n, dir_has_error); + if (!IS_ERR(page)) { + kaddr = page_address(page); + de = (ext2_dirent *) kaddr; +@@ -391,7 +396,9 @@ struct ext2_dir_entry_2 * ext2_find_entr + de = ext2_next_entry(de); + } + ext2_put_page(page); +- } ++ } else ++ dir_has_error = 1; ++ + if (++n >= npages) + n = 0; + /* next page is past the blocks we've got */ +@@ -414,7 +421,7 @@ found: + + struct ext2_dir_entry_2 * ext2_dotdot (struct inode *dir, struct page **p) + { +- struct page *page = ext2_get_page(dir, 0); ++ struct page *page = ext2_get_page(dir, 0, 0); + ext2_dirent *de = NULL; + + if (!IS_ERR(page)) { +@@ -487,7 +494,7 @@ int ext2_add_link (struct dentry *dentry + for (n = 0; n <= npages; n++) { + char *dir_end; + +- page = ext2_get_page(dir, n); ++ page = ext2_get_page(dir, n, 0); + err = PTR_ERR(page); + if (IS_ERR(page)) + goto out; +@@ -655,14 
+662,17 @@ int ext2_empty_dir (struct inode * inode + { + struct page *page = NULL; + unsigned long i, npages = dir_pages(inode); ++ int dir_has_error = 0; + + for (i = 0; i < npages; i++) { + char *kaddr; + ext2_dirent * de; +- page = ext2_get_page(inode, i); ++ page = ext2_get_page(inode, i, dir_has_error); + +- if (IS_ERR(page)) ++ if (IS_ERR(page)) { ++ dir_has_error = 1; + continue; ++ } + + kaddr = page_address(page); + de = (ext2_dirent *)kaddr; +--- a/fs/ext3/dir.c ++++ b/fs/ext3/dir.c +@@ -102,6 +102,7 @@ static int ext3_readdir(struct file * fi + int err; + struct inode *inode = filp->f_path.dentry->d_inode; + int ret = 0; ++ int dir_has_error = 0; + + sb = inode->i_sb; + +@@ -148,9 +149,12 @@ static int ext3_readdir(struct file * fi + * of recovering data when there's a bad sector + */ + if (!bh) { +- ext3_error (sb, "ext3_readdir", +- "directory #%lu contains a hole at offset %lu", +- inode->i_ino, (unsigned long)filp->f_pos); ++ if (!dir_has_error) { ++ ext3_error(sb, __func__, "directory #%lu " ++ "contains a hole at offset %lld", ++ inode->i_ino, filp->f_pos); ++ dir_has_error = 1; ++ } + /* corrupt size? Maybe no more blocks to read */ + if (filp->f_pos > inode->i_blocks << 9) + break; +--- a/fs/ext4/dir.c ++++ b/fs/ext4/dir.c +@@ -102,6 +102,7 @@ static int ext4_readdir(struct file * fi + int err; + struct inode *inode = filp->f_path.dentry->d_inode; + int ret = 0; ++ int dir_has_error = 0; + + sb = inode->i_sb; + +@@ -147,9 +148,13 @@ static int ext4_readdir(struct file * fi + * of recovering data when there's a bad sector + */ + if (!bh) { +- ext4_error (sb, "ext4_readdir", +- "directory #%lu contains a hole at offset %lu", +- inode->i_ino, (unsigned long)filp->f_pos); ++ if (!dir_has_error) { ++ ext4_error(sb, __func__, "directory #%lu " ++ "contains a hole at offset %Lu", ++ inode->i_ino, ++ (unsigned long long) filp->f_pos); ++ dir_has_error = 1; ++ } + /* corrupt size? 
Maybe no more blocks to read */ + if (filp->f_pos > inode->i_blocks << 9) + break; diff --git a/queue-2.6.26/gpiolib-fix-oops-in-gpio_get_value_cansleep.patch b/queue-2.6.26/gpiolib-fix-oops-in-gpio_get_value_cansleep.patch new file mode 100644 index 00000000000..8a70dd97a9c --- /dev/null +++ b/queue-2.6.26/gpiolib-fix-oops-in-gpio_get_value_cansleep.patch 
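Review bot: `dir_has_error` in ext3_readdir and ext4_readdir is a local initialised to 0, so the "contains a hole" message is suppressed only for the rest of that one call and is logged again on every later readdir of the same corrupted directory. If the goal is to bound console output for CVE-2008-3528, a rate limit on the message (or a per-inode flag) would cover repeated calls as well; this is offered as a suggestion, since the rest of both functions lies outside the hunks. In ext2_check_page the rewritten `bad_entry` format string reads `"bad entry in directory #%lu: : %s - "`; the doubled colon looks unintended and should be `#%lu: %s`. The `Eend` branch also still passes the literal `"ext2_check_page"` where the other two calls now use `__func__`.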
@@ -0,0 +1,58 @@ +From jejb@kernel.org Thu Oct 23 12:54:37 2008 +From: David Brownell +Date: Mon, 20 Oct 2008 16:50:10 GMT +Subject: gpiolib: fix oops in gpio_get_value_cansleep() +To: jejb@kernel.org, stable@kernel.org +Message-ID: <200810201650.m9KGoAvI012814@hera.kernel.org> + +From: David Brownell + +commit 978ccaa8ea5d8c7bf6b676209f2fc126eae6355b upstream + +We can get the following oops from gpio_get_value_cansleep() when a GPIO +controller doesn't provide a get() callback: + + Unable to handle kernel paging request for instruction fetch + Faulting instruction address: 0x00000000 + Oops: Kernel access of bad area, sig: 11 [#1] + [...] + NIP [00000000] 0x0 + LR [c0182fb0] gpio_get_value_cansleep+0x40/0x50 + Call Trace: + [c7b79e80] [c0183f28] gpio_value_show+0x5c/0x94 + [c7b79ea0] [c01a584c] dev_attr_show+0x30/0x7c + [c7b79eb0] [c00d6b48] fill_read_buffer+0x68/0xe0 + [c7b79ed0] [c00d6c54] sysfs_read_file+0x94/0xbc + [c7b79ef0] [c008f24c] vfs_read+0xb4/0x16c + [c7b79f10] [c008f580] sys_read+0x4c/0x90 + [c7b79f40] [c0013a14] ret_from_syscall+0x0/0x38 + +It's OK to request the value of *any* GPIO; most GPIOs are bidirectional, +so configuring them as outputs just enables an output driver and doesn't +disable the input logic. + +So the problem is that gpio_get_value_cansleep() isn't making the same +sanity check that gpio_get_value() does: making sure this GPIO isn't one +of the atypical "no input logic" cases. + +Reported-by: Anton Vorontsov +Signed-off-by: David Brownell +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -517,7 +517,7 @@ int gpio_get_value_cansleep(unsigned gpi + + might_sleep_if(extra_checks); + chip = gpio_to_chip(gpio); +- return chip->get(chip, gpio - chip->base); ++ return chip->get ? 
chip->get(chip, gpio - chip->base) : 0; + } + EXPORT_SYMBOL_GPL(gpio_get_value_cansleep); + diff --git a/queue-2.6.26/scsi-qla2xxx-skip-fdmi-registration-on-isp21xx-22xx-parts.patch b/queue-2.6.26/scsi-qla2xxx-skip-fdmi-registration-on-isp21xx-22xx-parts.patch new file mode 100644 index 00000000000..449aaa1086e --- /dev/null +++ b/queue-2.6.26/scsi-qla2xxx-skip-fdmi-registration-on-isp21xx-22xx-parts.patch @@ -0,0 +1,39 @@ +From wferi@niif.hu Thu Oct 23 14:10:17 2008 +From: Andrew Vasquez +Date: Tue, 21 Oct 2008 20:25:04 +0200 +Subject: SCSI: qla2xxx: Skip FDMI registration on ISP21xx/22xx parts. +To: stable@kernel.org +Message-ID: <87d4htn6v3.fsf@tac.ki.iif.hu> + + +From: Andrew Vasquez + +commit 031e134e5f95233d80fb1b62fdaf5e1be587597c upstream + +Firmware does not have the facilities to issue management server +IOCBs. + +Signed-off-by: Andrew Vasquez +Signed-off-by: James Bottomley +Cc: Ferenc Wagner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_gs.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_gs.c ++++ b/drivers/scsi/qla2xxx/qla_gs.c +@@ -1661,6 +1661,12 @@ qla2x00_fdmi_register(scsi_qla_host_t *h + { + int rval; + ++ if (IS_QLA2100(ha) || IS_QLA2200(ha)) { ++ DEBUG2(printk("scsi(%ld): FDMI unsupported on " ++ "ISP2100/ISP2200.\n", ha->host_no)); ++ return QLA_SUCCESS; ++ } ++ + rval = qla2x00_mgmt_svr_login(ha); + if (rval) + return rval; diff --git a/queue-2.6.26/series b/queue-2.6.26/series new file mode 100644 index 00000000000..284bd6c140c --- /dev/null +++ b/queue-2.6.26/series @@ -0,0 +1,4 @@ +gpiolib-fix-oops-in-gpio_get_value_cansleep.patch +ext-avoid-printk-floods-in-the-face-of-directory-corruption.patch +edac-cell-fix-incorrect-edac_mode.patch +scsi-qla2xxx-skip-fdmi-registration-on-isp21xx-22xx-parts.patch
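Review bot: `chip` is dereferenced for `chip->get` without a NULL check in gpio_get_value_cansleep(). gpio_to_chip() is not visible in this hunk, but if it can return NULL for a GPIO number that was never registered, the new ternary still faults on the pointer itself; `if (!chip || !chip->get) return 0;` before the call would cover both cases. Returning 0 is also indistinguishable from a real low reading, so a comment such as `/* no get() means no input logic; report 0, matching gpio_get_value() */` would record that this is deliberate. The start of the function is outside the hunk.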
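Review bot: The early return in qla2x00_fdmi_register() reports `QLA_SUCCESS` although no FDMI registration took place, and the only trace is a `DEBUG2` message, so a caller cannot tell a skipped registration from a completed one. If callers only test for failure this is harmless, but the choice deserves a comment above the check, for example `/* ISP2100/ISP2200 firmware cannot issue management-server IOCBs; FDMI is skipped and treated as success. */`. The remainder of the function is outside the hunk.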