Author: mpagano |
Date: 2008-10-06 11:16:31 +0000 (Mon, 06 Oct 2008) |
New Revision: 1345 |
|
Added: |
genpatches-2.6/trunk/2.6.25/1016_linux-2.6.25.17.patch |
genpatches-2.6/trunk/2.6.25/1500_thinkpad_acpi-null-ptr-deref-fix.patch |
genpatches-2.6/trunk/2.6.25/1501_nfs-validate_mount_data-null-ptr-deref-fixes.patch |
genpatches-2.6/trunk/2.6.25/1502_wan-sbni_ioctl-add-missing-capability-checks.patch |
Modified: |
genpatches-2.6/trunk/2.6.25/0000_README |
Log: |
Adding 2.6.25.17 and three security patches: fixes for a NULL pointer dereference in thinkpad_acpi and another in NFS, plus missing capability checks. |
|
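--- a/genpatches-2.6/trunk/2.6.25/0000_README
+++ b/genpatches-2.6/trunk/2.6.25/0000_README
@@ -103,6 +103,22 @@
 From: http://www.kernel.org
 Desc: Linux 2.6.25.16

+Patch: 1016_linux-2.6.25.17.patch
+From: http://www.kernel.org
+Desc: Linux 2.6.25.17
+
+Patch: 1500_thinkpad_acpi-null-ptr-deref-fix.patch
+From: http://bugs.gentoo.org/222331
+Desc: Fixes potential NULL pointer deref in Thinkpad ACPI
+
+Patch: 1501_nfs-validate_mount_data-null-ptr-deref-fixes.patch
+From: http://bugs.gentoo.org/222249
+Desc: Fixes potential NULL pointer derefs in NFSv{3,4}
+
+Patch: 1502_wan-sbni_ioctl-add-missing-capability-checks.patch
+From: http://www.kernel.org
+Desc: Adds missing capability checks in drivers/net/wan/sbni.c -> sbni_ioctl()
+
 Patch: 2500_fix-missing-scsi-inlines.patch
 From: http://bugs.gentoo.org/232747
 Desc: Fix missing inlines in header file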
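--- a/genpatches-2.6/trunk/2.6.25/1016_linux-2.6.25.17.patch
+++ b/genpatches-2.6/trunk/2.6.25/1016_linux-2.6.25.17.patch
@@ -0,0 +1,706 @@
+diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
+index 3e18db4..f49c970 100644
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
++++ b/arch/x86/kernel/cpu/mtrr/generic.c
+@@ -229,6 +229,7 @@ static void generic_get_mtrr(unsigned int reg, unsigned long *base,
+ unsigned long *size, mtrr_type *type)
+ {
+ unsigned int mask_lo, mask_hi, base_lo, base_hi;
++ unsigned int tmp, hi;
+
+ rdmsr(MTRRphysMask_MSR(reg), mask_lo, mask_hi);
+ if ((mask_lo & 0x800) == 0) {
+@@ -242,8 +243,18 @@ static void generic_get_mtrr(unsigned int reg, unsigned long *base,
+ rdmsr(MTRRphysBase_MSR(reg), base_lo, base_hi);
+
+ /* Work out the shifted address mask. */
+- mask_lo = size_or_mask | mask_hi << (32 - PAGE_SHIFT)
+- | mask_lo >> PAGE_SHIFT;
++ tmp = mask_hi << (32 - PAGE_SHIFT) | mask_lo >> PAGE_SHIFT;
++ mask_lo = size_or_mask | tmp;
++ /* Expand tmp with high bits to all 1s*/
++ hi = fls(tmp);
++ if (hi > 0) {
++ tmp |= ~((1<<(hi - 1)) - 1);
++
++ if (tmp != mask_lo) {
++ WARN_ON("mtrr: your BIOS has set up an incorrect mask, fixing it up.\n");
++ mask_lo = tmp;
++ }
++ }
+
+ /* This works correctly if size is a power of two, i.e. a
+ contiguous range. */
+diff --git a/crypto/authenc.c b/crypto/authenc.c
+index 4b22676..fd9f06c 100644
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -174,8 +174,9 @@ static int crypto_authenc_genicv(struct aead_request *req, u8 *iv,
+ static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
+ int err)
+ {
++ struct aead_request *areq = req->data;
++
+ if (!err) {
+- struct aead_request *areq = req->data;
+ struct crypto_aead *authenc = crypto_aead_reqtfm(areq);
+ struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
+ struct ablkcipher_request *abreq = aead_request_ctx(areq);
+@@ -185,7 +186,7 @@ static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
+ err = crypto_authenc_genicv(areq, iv, 0);
+ }
+
+- aead_request_complete(req->data, err);
++ aead_request_complete(areq, err);
+ }
+
+ static int crypto_authenc_encrypt(struct aead_request *req)
+@@ -216,14 +217,15 @@ static int crypto_authenc_encrypt(struct aead_request *req)
+ static void crypto_authenc_givencrypt_done(struct crypto_async_request *req,
+ int err)
+ {
++ struct aead_request *areq = req->data;
++
+ if (!err) {
+- struct aead_request *areq = req->data;
+ struct skcipher_givcrypt_request *greq = aead_request_ctx(areq);
+
+ err = crypto_authenc_genicv(areq, greq->giv, 0);
+ }
+
+- aead_request_complete(req->data, err);
++ aead_request_complete(areq, err);
+ }
+
+ static int crypto_authenc_givencrypt(struct aead_givcrypt_request *req)
+diff --git a/drivers/net/forcedeth.c b/drivers/net/forcedeth.c
+index 8e877e7..5435970 100644
+--- a/drivers/net/forcedeth.c
++++ b/drivers/net/forcedeth.c
+@@ -5249,7 +5249,7 @@ static int __devinit nv_probe(struct pci_dev *pci_dev, const struct pci_device_i
+ if (id->driver_data & DEV_HAS_CHECKSUM) {
+ np->rx_csum = 1;
+ np->txrxctl_bits |= NVREG_TXRXCTL_RXCHECK;
+- dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
++ dev->features |= NETIF_F_IP_CSUM | NETIF_F_SG;
+ dev->features |= NETIF_F_TSO;
+ }
+
+@@ -5548,7 +5548,7 @@ static int __devinit nv_probe(struct pci_dev *pci_dev, const struct pci_device_i
+
+ dev_printk(KERN_INFO, &pci_dev->dev, "%s%s%s%s%s%s%s%s%s%sdesc-v%u\n",
+ dev->features & NETIF_F_HIGHDMA ? "highdma " : "",
+- dev->features & (NETIF_F_HW_CSUM | NETIF_F_SG) ?
++ dev->features & (NETIF_F_IP_CSUM | NETIF_F_SG) ?
+ "csum " : "",
+ dev->features & (NETIF_F_HW_VLAN_RX | NETIF_F_HW_VLAN_TX) ?
+ "vlan " : "",
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
+index 42d7c0a..0e4eb15 100644
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -2822,7 +2822,7 @@ static int rtl8169_rx_interrupt(struct net_device *dev,
+ pkt_size, PCI_DMA_FROMDEVICE);
+ rtl8169_mark_to_asic(desc, tp->rx_buf_sz);
+ } else {
+- pci_unmap_single(pdev, addr, pkt_size,
++ pci_unmap_single(pdev, addr, tp->rx_buf_sz,
+ PCI_DMA_FROMDEVICE);
+ tp->Rx_skbuff[entry] = NULL;
+ }
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index d8160fa..9c2b7b4 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -531,8 +531,8 @@ static int acm_tty_open(struct tty_struct *tty, struct file *filp)
+ tasklet_schedule(&acm->urb_task);
+
+ done:
+-err_out:
+ mutex_unlock(&acm->mutex);
++err_out:
+ mutex_unlock(&open_mutex);
+ return rv;
+
+diff --git a/drivers/video/fb_defio.c b/drivers/video/fb_defio.c
+index 59df132..4835bdc 100644
+--- a/drivers/video/fb_defio.c
++++ b/drivers/video/fb_defio.c
+@@ -114,6 +114,17 @@ static struct vm_operations_struct fb_deferred_io_vm_ops = {
+ .page_mkwrite = fb_deferred_io_mkwrite,
+ };
+
++static int fb_deferred_io_set_page_dirty(struct page *page)
++{
++ if (!PageDirty(page))
++ SetPageDirty(page);
++ return 0;
++}
++
++static const struct address_space_operations fb_deferred_io_aops = {
++ .set_page_dirty = fb_deferred_io_set_page_dirty,
++};
++
+ static int fb_deferred_io_mmap(struct fb_info *info, struct vm_area_struct *vma)
+ {
+ vma->vm_ops = &fb_deferred_io_vm_ops;
+@@ -163,6 +174,14 @@ void fb_deferred_io_init(struct fb_info *info)
+ }
+ EXPORT_SYMBOL_GPL(fb_deferred_io_init);
+
++void fb_deferred_io_open(struct fb_info *info,
++ struct inode *inode,
++ struct file *file)
++{
++ file->f_mapping->a_ops = &fb_deferred_io_aops;
++}
++EXPORT_SYMBOL_GPL(fb_deferred_io_open);
++
+ void fb_deferred_io_cleanup(struct fb_info *info)
+ {
+ void *screen_base = (void __force *) info->screen_base;
+diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c
+index 01072f4..79b410c 100644
+--- a/drivers/video/fbmem.c
++++ b/drivers/video/fbmem.c
+@@ -1315,6 +1315,10 @@ fb_open(struct inode *inode, struct file *file)
+ if (res)
+ module_put(info->fbops->owner);
+ }
++#ifdef CONFIG_FB_DEFERRED_IO
++ if (info->fbdefio)
++ fb_deferred_io_open(info, inode, file);
++#endif
+ return res;
+ }
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 40b6900..a80a917 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -835,6 +835,10 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
+ return -EBADF;
+ open_file = (struct cifsFileInfo *) file->private_data;
+
++ rc = generic_write_checks(file, poffset, &write_size, 0);
++ if (rc)
++ return rc;
++
+ xid = GetXid();
+
+ if (*poffset > file->f_path.dentry->d_inode->i_size)
+diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
+index 350680f..b392002 100644
+--- a/fs/cramfs/inode.c
++++ b/fs/cramfs/inode.c
+@@ -44,58 +44,13 @@ static DEFINE_MUTEX(read_mutex);
+ static int cramfs_iget5_test(struct inode *inode, void *opaque)
+ {
+ struct cramfs_inode *cramfs_inode = opaque;
+-
+- if (inode->i_ino != CRAMINO(cramfs_inode))
+- return 0; /* does not match */
+-
+- if (inode->i_ino != 1)
+- return 1;
+-
+- /* all empty directories, char, block, pipe, and sock, share inode #1 */
+-
+- if ((inode->i_mode != cramfs_inode->mode) ||
+- (inode->i_gid != cramfs_inode->gid) ||
+- (inode->i_uid != cramfs_inode->uid))
+- return 0; /* does not match */
+-
+- if ((S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) &&
+- (inode->i_rdev != old_decode_dev(cramfs_inode->size)))
+- return 0; /* does not match */
+-
+- return 1; /* matches */
++ return inode->i_ino == CRAMINO(cramfs_inode) && inode->i_ino != 1;
+ }
+
+ static int cramfs_iget5_set(struct inode *inode, void *opaque)
+ {
+- static struct timespec zerotime;
+ struct cramfs_inode *cramfs_inode = opaque;
+- inode->i_mode = cramfs_inode->mode;
+- inode->i_uid = cramfs_inode->uid;
+- inode->i_size = cramfs_inode->size;
+- inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
+- inode->i_gid = cramfs_inode->gid;
+- /* Struct copy intentional */
+- inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
+ inode->i_ino = CRAMINO(cramfs_inode);
+- /* inode->i_nlink is left 1 - arguably wrong for directories,
+- but it's the best we can do without reading the directory
+- contents. 1 yields the right result in GNU find, even
+- without -noleaf option. */
+- if (S_ISREG(inode->i_mode)) {
+- inode->i_fop = &generic_ro_fops;
+- inode->i_data.a_ops = &cramfs_aops;
+- } else if (S_ISDIR(inode->i_mode)) {
+- inode->i_op = &cramfs_dir_inode_operations;
+- inode->i_fop = &cramfs_directory_operations;
+- } else if (S_ISLNK(inode->i_mode)) {
+- inode->i_op = &page_symlink_inode_operations;
+- inode->i_data.a_ops = &cramfs_aops;
+- } else {
+- inode->i_size = 0;
+- inode->i_blocks = 0;
+- init_special_inode(inode, inode->i_mode,
+- old_decode_dev(cramfs_inode->size));
+- }
+ return 0;
+ }
+
+@@ -105,12 +60,48 @@ static struct inode *get_cramfs_inode(struct super_block *sb,
+ struct inode *inode = iget5_locked(sb, CRAMINO(cramfs_inode),
+ cramfs_iget5_test, cramfs_iget5_set,
+ cramfs_inode);
++ static struct timespec zerotime;
++
+ if (inode && (inode->i_state & I_NEW)) {
++ inode->i_mode = cramfs_inode->mode;
++ inode->i_uid = cramfs_inode->uid;
++ inode->i_size = cramfs_inode->size;
++ inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
++ inode->i_gid = cramfs_inode->gid;
++ /* Struct copy intentional */
++ inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
++ /* inode->i_nlink is left 1 - arguably wrong for directories,
++ but it's the best we can do without reading the directory
++ contents. 1 yields the right result in GNU find, even
++ without -noleaf option. */
++ if (S_ISREG(inode->i_mode)) {
++ inode->i_fop = &generic_ro_fops;
++ inode->i_data.a_ops = &cramfs_aops;
++ } else if (S_ISDIR(inode->i_mode)) {
++ inode->i_op = &cramfs_dir_inode_operations;
++ inode->i_fop = &cramfs_directory_operations;
++ } else if (S_ISLNK(inode->i_mode)) {
++ inode->i_op = &page_symlink_inode_operations;
++ inode->i_data.a_ops = &cramfs_aops;
++ } else {
++ inode->i_size = 0;
++ inode->i_blocks = 0;
++ init_special_inode(inode, inode->i_mode,
++ old_decode_dev(cramfs_inode->size));
++ }
+ unlock_new_inode(inode);
+ }
+ return inode;
+ }
+
++static void cramfs_drop_inode(struct inode *inode)
++{
++ if (inode->i_ino == 1)
++ generic_delete_inode(inode);
++ else
++ generic_drop_inode(inode);
++}
++
+ /*
+ * We have our own block cache: don't fill up the buffer cache
+ * with the rom-image, because the way the filesystem is set
+@@ -535,6 +526,7 @@ static const struct super_operations cramfs_ops = {
+ .put_super = cramfs_put_super,
+ .remount_fs = cramfs_remount,
+ .statfs = cramfs_statfs,
++ .drop_inode = cramfs_drop_inode,
+ };
+
+ static int cramfs_get_sb(struct file_system_type *fs_type,
+diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c
+index b6ed383..54b8b41 100644
+--- a/fs/nfsd/nfs4acl.c
++++ b/fs/nfsd/nfs4acl.c
+@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt)
+ * enough space for either:
+ */
+ alloc = sizeof(struct posix_ace_state_array)
+- + cnt*sizeof(struct posix_ace_state);
++ + cnt*sizeof(struct posix_user_ace_state);
+ state->users = kzalloc(alloc, GFP_KERNEL);
+ if (!state->users)
+ return -ENOMEM;
+diff --git a/include/linux/fb.h b/include/linux/fb.h
+index 58c57a3..e1ee345 100644
+--- a/include/linux/fb.h
++++ b/include/linux/fb.h
+@@ -966,6 +966,9 @@ static inline void __fb_pad_aligned_buffer(u8 *dst, u32 d_pitch,
+
+ /* drivers/video/fb_defio.c */
+ extern void fb_deferred_io_init(struct fb_info *info);
++extern void fb_deferred_io_open(struct fb_info *info,
++ struct inode *inode,
++ struct file *file);
+ extern void fb_deferred_io_cleanup(struct fb_info *info);
+ extern int fb_deferred_io_fsync(struct file *file, struct dentry *dentry,
+ int datasync);
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index f7082af..15ff806 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -717,6 +717,9 @@ int move_freepages(struct zone *zone,
+ #endif
+
+ for (page = start_page; page <= end_page;) {
++ /* Make sure we are not inadvertently changing nodes */
++ VM_BUG_ON(page_to_nid(page) != zone_to_nid(zone));
++
+ if (!pfn_valid_within(page_to_pfn(page))) {
+ page++;
+ continue;
+@@ -2476,6 +2479,10 @@ static void setup_zone_migrate_reserve(struct zone *zone)
+ continue;
+ page = pfn_to_page(pfn);
+
++ /* Watch out for overlapping nodes */
++ if (page_to_nid(page) != zone_to_nid(zone))
++ continue;
++
+ /* Blocks with reserved pages will never free, skip them. */
+ if (PageReserved(page))
+ continue;
+diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
+index 4aa2b45..d11f8d6 100644
+--- a/net/sched/sch_prio.c
++++ b/net/sched/sch_prio.c
+@@ -228,14 +228,20 @@ static int prio_tune(struct Qdisc *sch, struct nlattr *opt)
+ {
+ struct prio_sched_data *q = qdisc_priv(sch);
+ struct tc_prio_qopt *qopt;
+- struct nlattr *tb[TCA_PRIO_MAX + 1];
++ struct nlattr *tb[TCA_PRIO_MAX + 1] = {0};
+ int err;
+ int i;
+
+- err = nla_parse_nested_compat(tb, TCA_PRIO_MAX, opt, NULL, qopt,
+- sizeof(*qopt));
+- if (err < 0)
+- return err;
++ qopt = nla_data(opt);
++ if (nla_len(opt) < sizeof(*qopt))
++ return -1;
++
++ if (nla_len(opt) >= sizeof(*qopt) + sizeof(struct nlattr)) {
++ err = nla_parse_nested(tb, TCA_PRIO_MAX,
++ (struct nlattr *) (qopt + 1), NULL);
++ if (err < 0)
++ return err;
++ }
+
+ q->bands = qopt->bands;
+ /* If we're multiqueue, make sure the number of incoming bands
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 675a5c3..52db5f6 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp)
+ {
+ struct sctp_auth_bytes *key;
+
++ /* Verify that we are not going to overflow INT_MAX */
++ if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))
++ return NULL;
++
+ /* Allocate the shared key */
+ key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp);
+ if (!key)
+@@ -782,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
+ for (i = 0; i < hmacs->shmac_num_idents; i++) {
+ id = hmacs->shmac_idents[i];
+
++ if (id > SCTP_AUTH_HMAC_ID_MAX)
++ return -EOPNOTSUPP;
++
+ if (SCTP_AUTH_HMAC_ID_SHA1 == id)
+ has_sha1 = 1;
+
+diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
+index e39a0cd..4c8d9f4 100644
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -103,6 +103,7 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
+
+ /* Initialize the CHUNKS parameter */
+ auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;
++ auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t));
+
+ /* If the Add-IP functionality is enabled, we must
+ * authenticate, ASCONF and ASCONF-ACK chunks
+@@ -110,8 +111,7 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
+ if (sctp_addip_enable) {
+ auth_chunks->chunks[0] = SCTP_CID_ASCONF;
+ auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
+- auth_chunks->param_hdr.length =
+- htons(sizeof(sctp_paramhdr_t) + 2);
++ auth_chunks->param_hdr.length += htons(2);
+ }
+ }
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 2d42260..f8c66d6 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -2983,6 +2983,9 @@ static int sctp_setsockopt_auth_chunk(struct sock *sk,
+ {
+ struct sctp_authchunk val;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen != sizeof(struct sctp_authchunk))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, optlen))
+@@ -3011,8 +3014,12 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
+ int optlen)
+ {
+ struct sctp_hmacalgo *hmacs;
++ u32 idents;
+ int err;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen < sizeof(struct sctp_hmacalgo))
+ return -EINVAL;
+
+@@ -3025,8 +3032,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
+ goto out;
+ }
+
+- if (hmacs->shmac_num_idents == 0 ||
+- hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
++ idents = hmacs->shmac_num_idents;
++ if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
++ (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
+ err = -EINVAL;
+ goto out;
+ }
+@@ -3051,6 +3059,9 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
+ struct sctp_association *asoc;
+ int ret;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen <= sizeof(struct sctp_authkey))
+ return -EINVAL;
+
+@@ -3063,6 +3074,11 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
+ goto out;
+ }
+
++ if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ asoc = sctp_id2assoc(sk, authkey->sca_assoc_id);
+ if (!asoc && authkey->sca_assoc_id && sctp_style(sk, UDP)) {
+ ret = -EINVAL;
+@@ -3088,6 +3104,9 @@ static int sctp_setsockopt_active_key(struct sock *sk,
+ struct sctp_authkeyid val;
+ struct sctp_association *asoc;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen != sizeof(struct sctp_authkeyid))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, optlen))
+@@ -3113,6 +3132,9 @@ static int sctp_setsockopt_del_key(struct sock *sk,
+ struct sctp_authkeyid val;
+ struct sctp_association *asoc;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen != sizeof(struct sctp_authkeyid))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, optlen))
+@@ -5073,19 +5095,29 @@ static int sctp_getsockopt_maxburst(struct sock *sk, int len,
+ static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
+ char __user *optval, int __user *optlen)
+ {
++ struct sctp_hmacalgo __user *p = (void __user *)optval;
+ struct sctp_hmac_algo_param *hmacs;
+- __u16 param_len;
++ __u16 data_len = 0;
++ u32 num_idents;
++
++ if (!sctp_auth_enable)
++ return -EACCES;
+
+ hmacs = sctp_sk(sk)->ep->auth_hmacs_list;
+- param_len = ntohs(hmacs->param_hdr.length);
++ data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t);
+
+- if (len < param_len)
++ if (len < sizeof(struct sctp_hmacalgo) + data_len)
+ return -EINVAL;
++
++ len = sizeof(struct sctp_hmacalgo) + data_len;
++ num_idents = data_len / sizeof(u16);
++
+ if (put_user(len, optlen))
+ return -EFAULT;
+- if (copy_to_user(optval, hmacs->hmac_ids, len))
++ if (put_user(num_idents, &p->shmac_num_idents))
++ return -EFAULT;
++ if (copy_to_user(p->shmac_idents, hmacs->hmac_ids, data_len))
+ return -EFAULT;
+-
+ return 0;
+ }
+
+@@ -5095,6 +5127,9 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
+ struct sctp_authkeyid val;
+ struct sctp_association *asoc;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (len < sizeof(struct sctp_authkeyid))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
+@@ -5109,6 +5144,12 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
+ else
+ val.scact_keynumber = sctp_sk(sk)->ep->active_key_id;
+
++ len = sizeof(struct sctp_authkeyid);
++ if (put_user(len, optlen))
++ return -EFAULT;
++ if (copy_to_user(optval, &val, len))
++ return -EFAULT;
++
+ return 0;
+ }
+
+@@ -5119,13 +5160,16 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
+ struct sctp_authchunks val;
+ struct sctp_association *asoc;
+ struct sctp_chunks_param *ch;
+- u32 num_chunks;
++ u32 num_chunks = 0;
+ char __user *to;
+
+- if (len <= sizeof(struct sctp_authchunks))
++ if (!sctp_auth_enable)
++ return -EACCES;
++
++ if (len < sizeof(struct sctp_authchunks))
+ return -EINVAL;
+
+- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
++ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+ return -EFAULT;
+
+ to = p->gauth_chunks;
+@@ -5134,20 +5178,21 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
+ return -EINVAL;
+
+ ch = asoc->peer.peer_chunks;
++ if (!ch)
++ goto num;
+
+ /* See if the user provided enough room for all the data */
+ num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+ if (len < num_chunks)
+ return -EINVAL;
+
+- len = num_chunks;
+- if (put_user(len, optlen))
++ if (copy_to_user(to, ch->chunks, num_chunks))
+ return -EFAULT;
++num:
++ len = sizeof(struct sctp_authchunks) + num_chunks;
++ if (put_user(len, optlen)) return -EFAULT;
+ if (put_user(num_chunks, &p->gauth_number_of_chunks))
+ return -EFAULT;
+- if (copy_to_user(to, ch->chunks, len))
+- return -EFAULT;
+-
+ return 0;
+ }
+
+@@ -5158,13 +5203,16 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
+ struct sctp_authchunks val;
+ struct sctp_association *asoc;
+ struct sctp_chunks_param *ch;
+- u32 num_chunks;
++ u32 num_chunks = 0;
+ char __user *to;
+
+- if (len <= sizeof(struct sctp_authchunks))
++ if (!sctp_auth_enable)
++ return -EACCES;
++
++ if (len < sizeof(struct sctp_authchunks))
+ return -EINVAL;
+
+- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
++ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+ return -EFAULT;
+
+ to = p->gauth_chunks;
+@@ -5177,17 +5225,21 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
+ else
+ ch = sctp_sk(sk)->ep->auth_chunk_list;
+
++ if (!ch)
++ goto num;
++
+ num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+- if (len < num_chunks)
++ if (len < sizeof(struct sctp_authchunks) + num_chunks)
+ return -EINVAL;
+
+- len = num_chunks;
++ if (copy_to_user(to, ch->chunks, num_chunks))
++ return -EFAULT;
++num:
++ len = sizeof(struct sctp_authchunks) + num_chunks;
+ if (put_user(len, optlen))
+ return -EFAULT;
+ if (put_user(num_chunks, &p->gauth_number_of_chunks))
+ return -EFAULT;
+- if (copy_to_user(to, ch->chunks, len))
+- return -EFAULT;
+
+ return 0;
+ }
+diff --git a/net/sunrpc/sysctl.c b/net/sunrpc/sysctl.c
+index 0f8c439..5231f7a 100644
+--- a/net/sunrpc/sysctl.c
++++ b/net/sunrpc/sysctl.c
+@@ -60,24 +60,14 @@ static int proc_do_xprt(ctl_table *table, int write, struct file *file,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+ char tmpbuf[256];
+- int len;
++ size_t len;
++
+ if ((*ppos && !write) || !*lenp) {
+ *lenp = 0;
+ return 0;
+ }
+- if (write)
+- return -EINVAL;
+- else {
+- len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
+- if (!access_ok(VERIFY_WRITE, buffer, len))
+- return -EFAULT;
+-
+- if (__copy_to_user(buffer, tmpbuf, len))
+- return -EFAULT;
+- }
+- *lenp -= len;
+- *ppos += len;
+- return 0;
++ len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
++ return simple_read_from_buffer(buffer, *lenp, ppos, tmpbuf, len);
+ }
+
+ static int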
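Review bot: In the net/sctp/auth.c hunk the new guard in sctp_auth_create_key(), `if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))`, does not reject the large values it is meant to catch: key_len is `__u32`, so the subtraction is done in unsigned arithmetic and wraps for any key_len above INT_MAX, leaving the test false. On a 32-bit build the following `kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp)` can then still wrap to a small size. Comparing from the other side avoids the wrap: `if (key_len > INT_MAX - sizeof(struct sctp_auth_bytes)) return NULL;`. Whether a caller can actually pass such a length is not visible here, since the function body and its callers continue outside the hunk. In net/sctp/socket.c the same patch widens the room check in sctp_getsockopt_local_auth_chunks() to `len < sizeof(struct sctp_authchunks) + num_chunks` but leaves `if (len < num_chunks)` in sctp_getsockopt_peer_auth_chunks(), which copies to the same `p->gauth_chunks` offset, so the two checks should agree.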
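--- a/genpatches-2.6/trunk/2.6.25/1500_thinkpad_acpi-null-ptr-deref-fix.patch
+++ b/genpatches-2.6/trunk/2.6.25/1500_thinkpad_acpi-null-ptr-deref-fix.patch
@@ -0,0 +1,27 @@
+From: Cyrill Gorcunov <gorcunov@×××××.com>
+Date: Fri, 18 Apr 2008 20:27:29 +0000 (-0700)
+Subject: thinkpad_acpi: fix possible NULL pointer dereference if kstrdup failed
+X-Git-Tag: v2.6.26-rc1~101^2~1^8~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=90fe17f4df2f830601ffd422b11d1f7f9a9d0355
+
+thinkpad_acpi: fix possible NULL pointer dereference if kstrdup failed
+
+Signed-off-by: Cyrill Gorcunov <gorcunov@×××××.com>
+Acked-by: Henrique de Moraes Holschuh <hmh@×××××××.br>
+Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org>
+Signed-off-by: Len Brown <len.brown@×××××.com>
+---
+
+diff --git a/drivers/misc/thinkpad_acpi.c b/drivers/misc/thinkpad_acpi.c
+index 6cb7812..31115c9 100644
+--- a/drivers/misc/thinkpad_acpi.c
++++ b/drivers/misc/thinkpad_acpi.c
+@@ -5826,7 +5826,7 @@ static void __init get_thinkpad_model_data(struct thinkpad_id_data *tp)
+
+ tp->model_str = kstrdup(dmi_get_system_info(DMI_PRODUCT_VERSION),
+ GFP_KERNEL);
+- if (strnicmp(tp->model_str, "ThinkPad", 8) != 0) {
++ if (tp->model_str && strnicmp(tp->model_str, "ThinkPad", 8) != 0) {
+ kfree(tp->model_str);
+ tp->model_str = NULL;
+ }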
788 |
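--- a/genpatches-2.6/trunk/2.6.25/1501_nfs-validate_mount_data-null-ptr-deref-fixes.patch
+++ b/genpatches-2.6/trunk/2.6.25/1501_nfs-validate_mount_data-null-ptr-deref-fixes.patch
@@ -0,0 +1,77 @@
+From: Cyrill Gorcunov <gorcunov@×××××.com>
+Date: Thu, 17 Apr 2008 16:42:09 +0000 (+0400)
+Subject: NFS - fix potential NULL pointer dereference v2
+X-Git-Tag: v2.6.26-rc1~1082^2^2~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=63649bd7080a6a50fabcb1935f4b7c4e64155066
+
+NFS - fix potential NULL pointer dereference v2
+
+There is possible NULL pointer dereference if kstr[n]dup failed.
+So fix them for safety.
+
+Signed-off-by: Cyrill Gorcunov <gorcunov@×××××.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@××××××.com>
+---
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index c99ca1f..2215bcd 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1297,6 +1297,8 @@ static int nfs_validate_mount_data(void *options,
+ args->namlen = data->namlen;
+ args->bsize = data->bsize;
+ args->auth_flavors[0] = data->pseudoflavor;
++ if (!args->nfs_server.hostname)
++ goto out_nomem;
+
+ /*
+ * The legacy version 6 binary mount data from userspace has a
+@@ -1343,6 +1345,8 @@ static int nfs_validate_mount_data(void *options,
+ len = c - dev_name;
+ /* N.B. caller will free nfs_server.hostname in all cases */
+ args->nfs_server.hostname = kstrndup(dev_name, len, GFP_KERNEL);
++ if (!args->nfs_server.hostname)
++ goto out_nomem;
+
+ c++;
+ if (strlen(c) > NFS_MAXPATHLEN)
+@@ -1386,6 +1390,10 @@ out_v3_not_compiled:
+ return -EPROTONOSUPPORT;
+ #endif /* !CONFIG_NFS_V3 */
+
++out_nomem:
++ dfprintk(MOUNT, "NFS: not enough memory to handle mount options\n");
++ return -ENOMEM;
++
+ out_no_address:
+ dfprintk(MOUNT, "NFS: mount program didn't pass remote address\n");
+ return -EINVAL;
+@@ -1892,12 +1900,16 @@ static int nfs4_validate_mount_data(void *options,
+ return -ENAMETOOLONG;
+ /* N.B. caller will free nfs_server.hostname in all cases */
+ args->nfs_server.hostname = kstrndup(dev_name, len, GFP_KERNEL);
++ if (!args->nfs_server.hostname)
++ goto out_nomem;
+
+ c++; /* step over the ':' */
+ len = strlen(c);
+ if (len > NFS4_MAXPATHLEN)
+ return -ENAMETOOLONG;
+ args->nfs_server.export_path = kstrndup(c, len, GFP_KERNEL);
++ if (!args->nfs_server.export_path)
++ goto out_nomem;
+
+ dprintk("NFS: MNTPATH: '%s'\n", args->nfs_server.export_path);
+
+@@ -1919,6 +1931,10 @@ out_inval_auth:
+ data->auth_flavourlen);
+ return -EINVAL;
+
++out_nomem:
++ dfprintk(MOUNT, "NFS4: not enough memory to handle mount options\n");
++ return -ENOMEM;
++
+ out_no_address:
+ dfprintk(MOUNT, "NFS4: mount program didn't pass remote address\n");
+ return -EINVAL;
+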
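Review bot: In the first `nfs_validate_mount_data` hunk (`@@ -1297,6 +1297,8 @@`) the new `if (!args->nfs_server.hostname) goto out_nomem;` sits after three unrelated field assignments, and the allocation it guards is outside the hunk, so a reader cannot tell from here what makes the pointer NULL. The other three added checks directly follow their `kstrndup()` call, which is the easier pattern to audit. I would move this check to the line right after the allocation, or add `/* hostname was duplicated above; NULL means the allocation failed */` above it. The new `out_nomem` paths return without freeing anything, which presumably relies on the existing note `caller will free nfs_server.hostname in all cases`; both functions start and end outside these hunks, so that should be confirmed against the caller.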
Added: genpatches-2.6/trunk/2.6.25/1502_wan-sbni_ioctl-add-missing-capability-checks.patch |
872 |
=================================================================== |
873 |
--- genpatches-2.6/trunk/2.6.25/1502_wan-sbni_ioctl-add-missing-capability-checks.patch (rev 0) |
874 |
+++ genpatches-2.6/trunk/2.6.25/1502_wan-sbni_ioctl-add-missing-capability-checks.patch 2008-10-06 11:16:31 UTC (rev 1345) |
875 |
@@ -0,0 +1,79 @@ |
876 |
+From: Eugene Teo <eugeneteo@××××××.sg> |
877 |
+Date: Wed, 27 Aug 2008 11:50:30 +0000 (-0700) |
878 |
+Subject: wan: Missing capability checks in sbni_ioctl() |
879 |
+X-Git-Tag: v2.6.27-rc5~8^2~2 |
880 |
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f2455eb176ac87081bbfc9a44b21c7cd2bc1967e |
881 |
+ |
882 |
+wan: Missing capability checks in sbni_ioctl() |
883 |
+ |
884 |
+There are missing capability checks in the following code: |
885 |
+ |
886 |
+1300 static int |
887 |
+1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd) |
888 |
+1302 { |
889 |
+[...] |
890 |
+1319 case SIOCDEVRESINSTATS : |
891 |
+1320 if( current->euid != 0 ) /* root only */ |
892 |
+1321 return -EPERM; |
893 |
+[...] |
894 |
+1336 case SIOCDEVSHWSTATE : |
895 |
+1337 if( current->euid != 0 ) /* root only */ |
896 |
+1338 return -EPERM; |
897 |
+[...] |
898 |
+1357 case SIOCDEVENSLAVE : |
899 |
+1358 if( current->euid != 0 ) /* root only */ |
900 |
+1359 return -EPERM; |
901 |
+[...] |
902 |
+1372 case SIOCDEVEMANSIPATE : |
903 |
+1373 if( current->euid != 0 ) /* root only */ |
904 |
+1374 return -EPERM; |
905 |
+ |
906 |
+Here's my proposed fix: |
907 |
+ |
908 |
+Missing capability checks. |
909 |
+ |
910 |
+Signed-off-by: Eugene Teo <eugeneteo@××××××.sg> |
911 |
+Signed-off-by: David S. Miller <davem@×××××××××.net> |
912 |
+--- |
913 |
+ |
914 |
+diff --git a/drivers/net/wan/sbni.c b/drivers/net/wan/sbni.c |
915 |
+index e59255a..6596cd0 100644 |
916 |
+--- a/drivers/net/wan/sbni.c |
917 |
++++ b/drivers/net/wan/sbni.c |
918 |
+@@ -1317,7 +1317,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd ) |
919 |
+ break; |
920 |
+ |
921 |
+ case SIOCDEVRESINSTATS : |
922 |
+- if( current->euid != 0 ) /* root only */ |
923 |
++ if (!capable(CAP_NET_ADMIN)) |
924 |
+ return -EPERM; |
925 |
+ memset( &nl->in_stats, 0, sizeof(struct sbni_in_stats) ); |
926 |
+ break; |
927 |
+@@ -1334,7 +1334,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd ) |
928 |
+ break; |
929 |
+ |
930 |
+ case SIOCDEVSHWSTATE : |
931 |
+- if( current->euid != 0 ) /* root only */ |
932 |
++ if (!capable(CAP_NET_ADMIN)) |
933 |
+ return -EPERM; |
934 |
+ |
935 |
+ spin_lock( &nl->lock ); |
936 |
+@@ -1355,7 +1355,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd ) |
937 |
+ #ifdef CONFIG_SBNI_MULTILINE |
938 |
+ |
939 |
+ case SIOCDEVENSLAVE : |
940 |
+- if( current->euid != 0 ) /* root only */ |
941 |
++ if (!capable(CAP_NET_ADMIN)) |
942 |
+ return -EPERM; |
943 |
+ |
944 |
+ if (copy_from_user( slave_name, ifr->ifr_data, sizeof slave_name )) |
945 |
+@@ -1370,7 +1370,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd ) |
946 |
+ return enslave( dev, slave_dev ); |
947 |
+ |
948 |
+ case SIOCDEVEMANSIPATE : |
949 |
+- if( current->euid != 0 ) /* root only */ |
950 |
++ if (!capable(CAP_NET_ADMIN)) |
951 |
+ return -EPERM; |
952 |
+ |
953 |
+ return emancipate( dev ); |
954 |
+ |