* [PATCH 1/7] [IPSEC] Restrict socket policy loading to CAP_NET_ADMIN - CAN-2005-2555
2005-08-26 19:17 [PATCH 0/7] -stable review Chris Wright
@ 2005-08-26 19:17 ` Chris Wright
2005-08-26 19:17 ` [PATCH 2/7] [PATCH] NPTL signal delivery deadlock fix Chris Wright
` (6 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Chris Wright @ 2005-08-26 19:17 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
Chuck Wolber, torvalds, akpm, alan, Herbert Xu, David S. Miller,
Chris Wright
[-- Attachment #1: ipsec-socket-policy-use-cap.patch --]
[-- Type: text/plain, Size: 1307 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
The interface needs much redesigning if we wish to allow
normal users to do this in some way.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
net/ipv4/ip_sockglue.c | 3 +++
net/ipv6/ipv6_sockglue.c | 3 +++
2 files changed, 6 insertions(+)
Index: linux-2.6.12.y/net/ipv4/ip_sockglue.c
===================================================================
--- linux-2.6.12.y.orig/net/ipv4/ip_sockglue.c
+++ linux-2.6.12.y/net/ipv4/ip_sockglue.c
@@ -848,6 +848,9 @@ mc_msf_out:
case IP_IPSEC_POLICY:
case IP_XFRM_POLICY:
+ err = -EPERM;
+ if (!capable(CAP_NET_ADMIN))
+ break;
err = xfrm_user_policy(sk, optname, optval, optlen);
break;
Index: linux-2.6.12.y/net/ipv6/ipv6_sockglue.c
===================================================================
--- linux-2.6.12.y.orig/net/ipv6/ipv6_sockglue.c
+++ linux-2.6.12.y/net/ipv6/ipv6_sockglue.c
@@ -503,6 +503,9 @@ done:
break;
case IPV6_IPSEC_POLICY:
case IPV6_XFRM_POLICY:
+ retv = -EPERM;
+ if (!capable(CAP_NET_ADMIN))
+ break;
retv = xfrm_user_policy(sk, optname, optval, optlen);
break;
--
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 2/7] [PATCH] NPTL signal delivery deadlock fix
2005-08-26 19:17 [PATCH 0/7] -stable review Chris Wright
2005-08-26 19:17 ` [PATCH 1/7] [IPSEC] Restrict socket policy loading to CAP_NET_ADMIN - CAN-2005-2555 Chris Wright
@ 2005-08-26 19:17 ` Chris Wright
2005-08-26 19:17 ` [PATCH 3/7] [PATCH] Revert unnecessary zlib_inflate/inftrees.c fix Chris Wright
` (5 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Chris Wright @ 2005-08-26 19:17 UTC (permalink / raw)
To: linux-kernel, stable, torvalds
Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
Chuck Wolber, akpm, alan, Kathleen Glass, James E Rhodes,
Roland McGrath, Chris Wright
[-- Attachment #1: nptl-signal-delivery-deadlock-fix.patch --]
[-- Type: text/plain, Size: 1241 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
This bug is quite subtle and only happens in a very interesting
situation where a real-time threaded process is in the middle of a
coredump when someone whacks it with a SIGKILL. However, this deadlock
leaves the system pretty hosed and you have to reboot to recover.
Not good for real-time priority-preemption applications like our
telephony application, with 90+ real-time (SCHED_FIFO and SCHED_RR)
processes, many of them multi-threaded, interacting with each other for
high volume call processing.
Acked-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
kernel/signal.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
Index: linux-2.6.12.y/kernel/signal.c
===================================================================
--- linux-2.6.12.y.orig/kernel/signal.c
+++ linux-2.6.12.y/kernel/signal.c
@@ -686,7 +686,7 @@ static void handle_stop_signal(int sig,
{
struct task_struct *t;
- if (p->flags & SIGNAL_GROUP_EXIT)
+ if (p->signal->flags & SIGNAL_GROUP_EXIT)
/*
* The process is in the middle of dying already.
*/
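Review bot: for the `if (p->signal->flags & SIGNAL_GROUP_EXIT)` test in handle_stop_signal(), the changelog describes the symptom (a deadlock when SIGKILL hits a real-time threaded process during a coredump) but not the defect. From the hunk, a SIGNAL_* bit was being tested against the task's p->flags instead of the shared p->signal->flags, so the check did not reflect whether the group was exiting. Please state that in the changelog.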
--
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 3/7] [PATCH] Revert unnecessary zlib_inflate/inftrees.c fix
2005-08-26 19:17 [PATCH 0/7] -stable review Chris Wright
2005-08-26 19:17 ` [PATCH 1/7] [IPSEC] Restrict socket policy loading to CAP_NET_ADMIN - CAN-2005-2555 Chris Wright
2005-08-26 19:17 ` [PATCH 2/7] [PATCH] NPTL signal delivery deadlock fix Chris Wright
@ 2005-08-26 19:17 ` Chris Wright
2005-08-26 19:17 ` [PATCH 4/7] [IPV4]: Fix DST leak in icmp_push_reply() Chris Wright
` (4 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Chris Wright @ 2005-08-26 19:17 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
Chuck Wolber, torvalds, akpm, alan, Sergey Vlasov, Tavis Ormandy,
Tim Yamin, Chris Wright
[-- Attachment #1: zlib-revert-broken-change.patch --]
[-- Type: text/plain, Size: 1107 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
It turns out that empty distance code tables are not an error, and that
a compressed block with only literals can validly have an empty table
and should not be flagged as a data error.
Some old versions of gzip had problems with this case, but it does not
affect the zlib code in the kernel.
Analysis and explanations thanks to Sergey Vlasov <vsu@altlinux.ru>
Cc: Sergey Vlasov <vsu@altlinux.ru>
Cc: Tavis Ormandy <taviso@gentoo.org>
Cc: Tim Yamin <plasmaroo@gentoo.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
lib/zlib_inflate/inftrees.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
Index: linux-2.6.12.y/lib/zlib_inflate/inftrees.c
===================================================================
--- linux-2.6.12.y.orig/lib/zlib_inflate/inftrees.c
+++ linux-2.6.12.y/lib/zlib_inflate/inftrees.c
@@ -141,7 +141,7 @@ static int huft_build(
{
*t = NULL;
*m = 0;
- return Z_DATA_ERROR;
+ return Z_OK;
}
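Review bot: this branch of huft_build() now returns Z_OK while still setting `*t = NULL` and `*m = 0`, so every caller has to cope with a NULL table on success, and the hunk does not show that they do. Please add a comment here saying that an empty distance code table is valid for a block containing only literals, and confirm in the changelog that no caller dereferences *t in that case.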
--
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 4/7] [IPV4]: Fix DST leak in icmp_push_reply()
2005-08-26 19:17 [PATCH 0/7] -stable review Chris Wright
` (2 preceding siblings ...)
2005-08-26 19:17 ` [PATCH 3/7] [PATCH] Revert unnecessary zlib_inflate/inftrees.c fix Chris Wright
@ 2005-08-26 19:17 ` Chris Wright
2005-08-26 19:17 ` Chris Wright
` (3 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Chris Wright @ 2005-08-26 19:17 UTC (permalink / raw)
To: linux-kernel, stable, Ollie Wild
Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
Chuck Wolber, torvalds, akpm, alan, Maillist netdev,
Patrick McHardy, David S. Miller, Chris Wright
[-- Attachment #1: fix-dst-leak-in-icmp_push_reply.patch --]
[-- Type: text/plain, Size: 1332 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
Based upon a bug report and initial patch by
Ollie Wild.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
net/ipv4/icmp.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
Index: linux-2.6.12.y/net/ipv4/icmp.c
===================================================================
--- linux-2.6.12.y.orig/net/ipv4/icmp.c
+++ linux-2.6.12.y/net/ipv4/icmp.c
@@ -349,12 +349,12 @@ static void icmp_push_reply(struct icmp_
{
struct sk_buff *skb;
- ip_append_data(icmp_socket->sk, icmp_glue_bits, icmp_param,
- icmp_param->data_len+icmp_param->head_len,
- icmp_param->head_len,
- ipc, rt, MSG_DONTWAIT);
-
- if ((skb = skb_peek(&icmp_socket->sk->sk_write_queue)) != NULL) {
+ if (ip_append_data(icmp_socket->sk, icmp_glue_bits, icmp_param,
+ icmp_param->data_len+icmp_param->head_len,
+ icmp_param->head_len,
+ ipc, rt, MSG_DONTWAIT) < 0)
+ ip_flush_pending_frames(icmp_socket->sk);
+ else if ((skb = skb_peek(&icmp_socket->sk->sk_write_queue)) != NULL) {
struct icmphdr *icmph = skb->h.icmph;
unsigned int csum = 0;
struct sk_buff *skb1;
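Review bot: the new `if (ip_append_data(...) < 0)` arm is a bare statement while the `else if` arm it is chained to carries a braced block, which makes the error path easy to misread; bracing both arms would be clearer. The changelog also gives no description of the leak: it should say that the return value of ip_append_data() was previously ignored, so on failure nothing called ip_flush_pending_frames() on icmp_socket->sk.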
--
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 5/7] [PATCH] fix gl_skb/skb type error in genelink driver in usbnet
2005-08-26 19:17 [PATCH 0/7] -stable review Chris Wright
` (4 preceding siblings ...)
2005-08-26 19:17 ` Chris Wright
@ 2005-08-26 19:18 ` Chris Wright
2005-08-26 19:18 ` [PATCH 6/7] [PATCH] sg.c: fix a memory leak in devices seq_file implementation (2nd) Chris Wright
2005-08-26 19:18 ` [PATCH 7/7] [IPV6]: Fix SKB leak in ip6_input_finish() Chris Wright
7 siblings, 0 replies; 11+ messages in thread
From: Chris Wright @ 2005-08-26 19:18 UTC (permalink / raw)
To: linux-kernel, stable, dbrownell
Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
Chuck Wolber, torvalds, akpm, alan, David Brownell, Chris Wright
[-- Attachment #1: genelink-usbnet-skb-typo.patch --]
[-- Type: text/plain, Size: 890 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
I think there is a type error when porting the genelink driver to 2.6.
With this error, a Linux host will panic when it links with a Windows
host.
Cc: David Brownell <david-b@pacbell.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
drivers/usb/net/usbnet.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
Index: linux-2.6.12.y/drivers/usb/net/usbnet.c
===================================================================
--- linux-2.6.12.y.orig/drivers/usb/net/usbnet.c
+++ linux-2.6.12.y/drivers/usb/net/usbnet.c
@@ -1922,7 +1922,7 @@ static int genelink_rx_fixup (struct usb
// copy the packet data to the new skb
memcpy(skb_put(gl_skb, size), packet->packet_data, size);
- skb_return (dev, skb);
+ skb_return (dev, gl_skb);
}
// advance to the next packet
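Review bot: the changelog for the one-line fix at `skb_return (dev, gl_skb);` is written in the first person ("I think there is a type error") but the patch carries no From: line or Signed-off-by from that author, only a Cc and the stable maintainer's sign-off. Please add the original author's attribution. It would also help to state the defect in terms of the code: the packet data is copied into gl_skb by the memcpy() just above, so passing skb handed the wrong buffer to skb_return().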
--
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 6/7] [PATCH] sg.c: fix a memory leak in devices seq_file implementation (2nd)
2005-08-26 19:17 [PATCH 0/7] -stable review Chris Wright
` (5 preceding siblings ...)
2005-08-26 19:18 ` [PATCH 5/7] [PATCH] fix gl_skb/skb type error in genelink driver in usbnet Chris Wright
@ 2005-08-26 19:18 ` Chris Wright
2005-08-27 2:19 ` James Bottomley
2005-08-26 19:18 ` [PATCH 7/7] [IPV6]: Fix SKB leak in ip6_input_finish() Chris Wright
7 siblings, 1 reply; 11+ messages in thread
From: Chris Wright @ 2005-08-26 19:18 UTC (permalink / raw)
To: linux-kernel, stable, Ingo Oeser
Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
Chuck Wolber, torvalds, akpm, alan, linux-scsi, Jan Blunck,
Chris Wright
[-- Attachment #1: fix-memory-leak-in-sg.c-seq_file.patch --]
[-- Type: text/plain, Size: 2004 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
I know that scsi procfs is legacy code but this is a fix for a memory leak.
While reading through sg.c I realized that the implementation of
/proc/scsi/sg/devices with seq_file is leaking memory due to freeing the
pointer returned by the next() iterator method. Since next() might
return NULL or an error this is wrong. This patch fixes it through using
the seq_file's private field for holding the reference to the iterator
object.
Here is a small bash script to trigger the leak. Use slabtop to watch
the size-32 usage grow and grow.
#!/bin/sh
while true; do
cat /proc/scsi/sg/devices > /dev/null
done
Signed-off-by: Jan Blunck <j.blunck@tu-harburg.de>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
drivers/scsi/sg.c | 15 ++++++++-------
1 files changed, 8 insertions(+), 7 deletions(-)
Index: linux-2.6.12.y/drivers/scsi/sg.c
===================================================================
--- linux-2.6.12.y.orig/drivers/scsi/sg.c
+++ linux-2.6.12.y/drivers/scsi/sg.c
@@ -2969,23 +2969,22 @@ static void * dev_seq_start(struct seq_f
{
struct sg_proc_deviter * it = kmalloc(sizeof(*it), GFP_KERNEL);
+ s->private = it;
if (! it)
return NULL;
+
if (NULL == sg_dev_arr)
- goto err1;
+ return NULL;
it->index = *pos;
it->max = sg_last_dev();
if (it->index >= it->max)
- goto err1;
+ return NULL;
return it;
-err1:
- kfree(it);
- return NULL;
}
static void * dev_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
+ struct sg_proc_deviter * it = s->private;
*pos = ++it->index;
return (it->index < it->max) ? it : NULL;
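Review bot: dev_seq_start() now returns NULL on the sg_dev_arr and `it->index >= it->max` paths without freeing `it`, which is only correct because dev_seq_stop() frees s->private and the seq_file core calls stop() even when start() returns NULL. That dependency deserves a comment next to `s->private = it;`, since the function read on its own now looks as if it leaks.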
@@ -2993,7 +2992,9 @@ static void * dev_seq_next(struct seq_fi
static void dev_seq_stop(struct seq_file *s, void *v)
{
- kfree (v);
+ struct sg_proc_deviter * it = s->private;
+
+ kfree (it);
}
static int sg_proc_open_dev(struct inode *inode, struct file *file)
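Review bot: dev_seq_stop() frees the iterator through s->private but leaves the pointer in place, so s->private is stale until the next dev_seq_start() overwrites it. Setting `s->private = NULL;` after `kfree (it);` would make a stray stop() or any later reader of s->private harmless. A short comment that the `v` argument is intentionally unused would also help.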
--
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 6/7] [PATCH] sg.c: fix a memory leak in devices seq_file implementation (2nd)
2005-08-26 19:18 ` [PATCH 6/7] [PATCH] sg.c: fix a memory leak in devices seq_file implementation (2nd) Chris Wright
@ 2005-08-27 2:19 ` James Bottomley
2005-09-25 3:50 ` Douglas Gilbert
0 siblings, 1 reply; 11+ messages in thread
From: James Bottomley @ 2005-08-27 2:19 UTC (permalink / raw)
To: Chris Wright
Cc: Linux Kernel, stable, Ingo Oeser, Justin Forbes, Zwane Mwaikambo,
Theodore Ts'o, Randy Dunlap, Chuck Wolber, Linus Torvalds,
Andrew Morton, Alan Cox, SCSI Mailing List, Jan Blunck
On Fri, 2005-08-26 at 12:18 -0700, Chris Wright wrote:
> plain text document attachment (fix-memory-leak-in-sg.c-
> seq_file.patch)
> -stable review patch. If anyone has any objections, please let us know.
Looks fine to me.
James
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 6/7] [PATCH] sg.c: fix a memory leak in devices seq_file implementation (2nd)
2005-08-27 2:19 ` James Bottomley
@ 2005-09-25 3:50 ` Douglas Gilbert
0 siblings, 0 replies; 11+ messages in thread
From: Douglas Gilbert @ 2005-09-25 3:50 UTC (permalink / raw)
To: James Bottomley
Cc: Chris Wright, Linux Kernel, stable, Ingo Oeser, Justin Forbes,
Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap, Chuck Wolber,
Linus Torvalds, Andrew Morton, Alan Cox, SCSI Mailing List,
Jan Blunck
James Bottomley wrote:
> On Fri, 2005-08-26 at 12:18 -0700, Chris Wright wrote:
>
>>plain text document attachment (fix-memory-leak-in-sg.c-
>>seq_file.patch)
>>-stable review patch. If anyone has any objections, please let us know.
>
>
> Looks fine to me.
James,
Please apply this patch, if you haven't already.
Signed-off-by: Douglas Gilbert <dougg@torque.net>
Doug Gilbert
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 7/7] [IPV6]: Fix SKB leak in ip6_input_finish()
2005-08-26 19:17 [PATCH 0/7] -stable review Chris Wright
` (6 preceding siblings ...)
2005-08-26 19:18 ` [PATCH 6/7] [PATCH] sg.c: fix a memory leak in devices seq_file implementation (2nd) Chris Wright
@ 2005-08-26 19:18 ` Chris Wright
7 siblings, 0 replies; 11+ messages in thread
From: Chris Wright @ 2005-08-26 19:18 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
Chuck Wolber, torvalds, akpm, alan, Patrick McHardy,
David S. Miller, Chris Wright
[-- Attachment #1: ipv6-skb-leak.patch --]
[-- Type: text/plain, Size: 1072 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
Changing it to how ip_input handles should fix it.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
net/ipv6/ip6_input.c | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
Index: linux-2.6.12.y/net/ipv6/ip6_input.c
===================================================================
--- linux-2.6.12.y.orig/net/ipv6/ip6_input.c
+++ linux-2.6.12.y/net/ipv6/ip6_input.c
@@ -198,12 +198,13 @@ resubmit:
if (!raw_sk) {
if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
IP6_INC_STATS_BH(IPSTATS_MIB_INUNKNOWNPROTOS);
- icmpv6_param_prob(skb, ICMPV6_UNK_NEXTHDR, nhoff);
+ icmpv6_send(skb, ICMPV6_PARAMPROB,
+ ICMPV6_UNK_NEXTHDR, nhoff,
+ skb->dev);
}
- } else {
+ } else
IP6_INC_STATS_BH(IPSTATS_MIB_INDELIVERS);
- kfree_skb(skb);
- }
+ kfree_skb(skb);
}
rcu_read_unlock();
return 0;
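Review bot: the changelog ("Changing it to how ip_input handles should fix it") does not say which path leaked. From the hunk, kfree_skb(skb) used to run only in the else arm, so in the !raw_sk case the skb was not freed here when xfrm6_policy_check() failed; please spell that out. The changelog should also explain the switch from icmpv6_param_prob() to icmpv6_send(), which matters now that kfree_skb(skb) is unconditional.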
--
^ permalink raw reply [flat|nested] 11+ messages in thread