[00/09] -stable review

[00/09] -stable review

[Chris Wright]

This is the start of the stable review cycle for the 2.6.11.12 release.  There
are 9 patches in this series, all will be posted as a response to this one.
If anyone has any issues with these being applied, please let us know.  If
anyone is a maintainer of the proper subsystem, and wants to add a
signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the Cc: line.
If you wish to be a reviewer, please email stable@kernel.org to add your name tothe list.  If you want to be off the reviewer list, also email us.

Responses should be made by Fri, Jun 10, 23:00 UTC.  Anything received after
that time, might be too late.

thanks,

the -stable release team (i.e. the ones wearing the joker hat in the corner...)

[patch 01/09] try_to_unmap_cluster() passes out-of-bounds pte to pte_unmap()

[Chris Wright]

try_to_unmap_cluster() does:
        for (pte = pte_offset_map(pmd, address);
                        address < end; pte++, address += PAGE_SIZE) {
		...
	}

	pte_unmap(pte);

It may take a little staring to notice, but pte can actually fall off the
end of the pte page in this iteration, which makes life difficult for
kmap_atomic() and the users not expecting it to BUG().  Of course, we're
somewhat lucky in that arithmetic elsewhere in the function guarantees that
at least one iteration is made, lest this force larger rearrangements to be
made.  This issue and patch also apply to non-mm mainline and with trivial
adjustments, at least two related kernels.

Discovered during internal testing at Oracle.

Signed-off-by: William Irwin <wli@holomorphy.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

--- gregkh-2.6.11.10.orig/mm/rmap.c	2005-05-16 10:51:55.000000000 -0700
+++ gregkh-2.6.11.10/mm/rmap.c	2005-05-26 22:01:49.000000000 -0700
@@ -641,7 +641,7 @@
 	pgd_t *pgd;
 	pud_t *pud;
 	pmd_t *pmd;
-	pte_t *pte;
+	pte_t *pte, *original_pte;
 	pte_t pteval;
 	struct page *page;
 	unsigned long address;
@@ -673,7 +673,7 @@
 	if (!pmd_present(*pmd))
 		goto out_unlock;
 
-	for (pte = pte_offset_map(pmd, address);
+	for (original_pte = pte = pte_offset_map(pmd, address);
 			address < end; pte++, address += PAGE_SIZE) {
 
 		if (!pte_present(*pte))
@@ -710,7 +710,7 @@
 		(*mapcount)--;
 	}
 
-	pte_unmap(pte);
+	pte_unmap(original_pte);
 
 out_unlock:
 	spin_unlock(&mm->page_table_lock);

[patch 02/09] [NETFILTER]: Fix deadlock with ip_queue and tcp local input path

[Chris Wright]

When we have ip_queue being used from LOCAL_IN, then we end up with a
situation where the verdicts coming back from userspace traverse the TCP
input path from syscall context.  While this seems to work most of the
time, there's an ugly deadlock:

syscall context is interrupted by the timer interrupt.  When the timer
interrupt leaves, the timer softirq get's scheduled and calls
tcp_delack_timer() and alike.  They themselves do bh_lock_sock(sk),
which is already held from somewhere else -> boom.

I've now tested the suggested solution by Patrick McHardy and Herbert Xu to
simply use local_bh_{en,dis}able().

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>

--- 1/net/ipv4/netfilter/ip_queue.c	2005-05-27 09:44:32.000000000 +0200
+++ 2/net/ipv4/netfilter/ip_queue.c	2005-05-27 09:47:13.000000000 +0200
@@ -3,6 +3,7 @@
  * communicating with userspace via netlink.
  *
  * (C) 2000-2002 James Morris <jmorris@intercode.com.au>
+ * (C) 2003-2005 Netfilter Core Team <coreteam@netfilter.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -14,6 +15,7 @@
  *             Zander).
  * 2000-08-01: Added Nick Williams' MAC support.
  * 2002-06-25: Code cleanup.
+ * 2005-05-26: local_bh_{disable,enable} around nf_reinject (Harald Welte)
  *
  */
 #include <linux/module.h>
@@ -66,7 +68,15 @@
 static void
 ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
 {
+	/* TCP input path (and probably other bits) assume to be called
+	 * from softirq context, not from syscall, like ipq_issue_verdict is
+	 * called.  TCP input path deadlocks with locks taken from timer
+	 * softirq, e.g.  We therefore emulate this by local_bh_disable() */
+
+	local_bh_disable();
 	nf_reinject(entry->skb, entry->info, verdict);
+	local_bh_enable();
+
 	kfree(entry);
 }
 

[patch 03/09] fix hfsplus oops, hfs and hfsplus leak

[Chris Wright]

This patch fixes the leak of sb->s_fs_info in both the HFS and HFS+
modules. In addition to this, it fixes an oops happening when trying to
mount a non-hfsplus filesystem using hfsplus. This patch is from Roman
Zippel, based off patches sent by myself. It's been included in 2.6.12-
rc4. See
http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=945b092011c6af71a0107be96e119c8c08776f3f

(chrisw: backport to -stable)

Signed-off-by: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Colin Leroy <colin@colino.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>

 fs/hfs/mdb.c       |    5 +++++
 fs/hfs/super.c     |    8 +++-----
 fs/hfsplus/super.c |    6 +++++-
 3 files changed, 13 insertions(+), 6 deletions(-)

Index: release-2.6.11/fs/hfs/mdb.c
===================================================================
--- release-2.6.11.orig/fs/hfs/mdb.c
+++ release-2.6.11/fs/hfs/mdb.c
@@ -333,6 +333,8 @@ void hfs_mdb_close(struct super_block *s
  * Release the resources associated with the in-core MDB.  */
 void hfs_mdb_put(struct super_block *sb)
 {
+	if (!HFS_SB(sb))
+		return;
 	/* free the B-trees */
 	hfs_btree_close(HFS_SB(sb)->ext_tree);
 	hfs_btree_close(HFS_SB(sb)->cat_tree);
@@ -340,4 +342,7 @@ void hfs_mdb_put(struct super_block *sb)
 	/* free the buffers holding the primary and alternate MDBs */
 	brelse(HFS_SB(sb)->mdb_bh);
 	brelse(HFS_SB(sb)->alt_mdb_bh);
+
+	kfree(HFS_SB(sb));
+	sb->s_fs_info = NULL;
 }
Index: release-2.6.11/fs/hfs/super.c
===================================================================
--- release-2.6.11.orig/fs/hfs/super.c
+++ release-2.6.11/fs/hfs/super.c
@@ -263,7 +263,7 @@ static int hfs_fill_super(struct super_b
 	res = -EINVAL;
 	if (!parse_options((char *)data, sbi)) {
 		hfs_warn("hfs_fs: unable to parse mount options.\n");
-		goto bail3;
+		goto bail;
 	}
 
 	sb->s_op = &hfs_super_operations;
@@ -276,7 +276,7 @@ static int hfs_fill_super(struct super_b
 			hfs_warn("VFS: Can't find a HFS filesystem on dev %s.\n",
 				hfs_mdb_name(sb));
 		res = -EINVAL;
-		goto bail2;
+		goto bail;
 	}
 
 	/* try to get the root inode */
@@ -306,10 +306,8 @@ bail_iput:
 	iput(root_inode);
 bail_no_root:
 	hfs_warn("hfs_fs: get root inode failed.\n");
+bail:
 	hfs_mdb_put(sb);
-bail2:
-bail3:
-	kfree(sbi);
 	return res;
 }
 
Index: release-2.6.11/fs/hfsplus/super.c
===================================================================
--- release-2.6.11.orig/fs/hfsplus/super.c
+++ release-2.6.11/fs/hfsplus/super.c
@@ -207,7 +207,9 @@ static void hfsplus_write_super(struct s
 static void hfsplus_put_super(struct super_block *sb)
 {
 	dprint(DBG_SUPER, "hfsplus_put_super\n");
-	if (!(sb->s_flags & MS_RDONLY)) {
+	if (!sb->s_fs_info)
+		return;
+	if (!(sb->s_flags & MS_RDONLY) && HFSPLUS_SB(sb).s_vhdr) {
 		struct hfsplus_vh *vhdr = HFSPLUS_SB(sb).s_vhdr;
 
 		vhdr->modify_date = hfsp_now2mt();
@@ -223,6 +225,8 @@ static void hfsplus_put_super(struct sup
 	iput(HFSPLUS_SB(sb).alloc_file);
 	iput(HFSPLUS_SB(sb).hidden_dir);
 	brelse(HFSPLUS_SB(sb).s_vhbh);
+	kfree(sb->s_fs_info);
+	sb->s_fs_info = NULL;
 }
 
 static int hfsplus_statfs(struct super_block *sb, struct kstatfs *buf)

[patch 04/09] x86_64: avoid SMP boot up race

[Chris Wright]

Keep interrupts disabled during smp bootup

This avoids a race that breaks SMP bootup on some machines.
The race is not fully plugged (that is only done with much
more changes in 2.6.12), but should be good enough
for most people.

Keeping the interrupts disabled here is ok because we
don't rely on the timer interrupt for local APIC
timer setup, but always read the timer registers
directly.

(originally from Rusty Russell iirc) 

Signed-off-by: ak@suse.de
Signed-off-by: Chris Wright <chrisw@osdl.org>

diff -u linux/arch/x86_64/kernel/apic.c-o linux/arch/x86_64/kernel/apic.c
--- linux/arch/x86_64/kernel/apic.c-o	2005-05-31 16:40:01.000000000 +0200
+++ linux/arch/x86_64/kernel/apic.c	2005-05-31 16:44:05.000000000 +0200
@@ -775,9 +775,7 @@
 
 void __init setup_secondary_APIC_clock(void)
 {
-	local_irq_disable(); /* FIXME: Do we need this? --RR */
 	setup_APIC_timer(calibration_result);
-	local_irq_enable();
 }
 
 void __init disable_APIC_timer(void)
diff -u linux/arch/x86_64/kernel/smpboot.c-o linux-2.6.11/arch/x86_64/kernel/smpboot.c
--- linux/arch/x86_64/kernel/smpboot.c-o	2005-03-21 14:04:11.000000000 +0100
+++ linux/arch/x86_64/kernel/smpboot.c	2005-05-31 16:44:07.000000000 +0200
@@ -309,8 +309,6 @@
 	Dprintk("CALLIN, before setup_local_APIC().\n");
 	setup_local_APIC();
 
-	local_irq_enable();
-
 	/*
 	 * Get our bogomips.
 	 */
@@ -324,8 +322,6 @@
 	 */
  	smp_store_cpu_info(cpuid);
 
-	local_irq_disable();
-
 	/*
 	 * Allow the master to continue.
 	 */

[patch 05/09] x86_64: Fix ptrace boundary check

[Chris Wright]

Don't allow accesses below register frame in ptrace

There was a "off by one quad word" error in there. 

Found and fixed by John Blackwood

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Chris Wright <chrisw@osdl.org>

 arch/x86_64/kernel/ptrace.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

Index: release-2.6.11/arch/x86_64/kernel/ptrace.c
===================================================================
--- release-2.6.11.orig/arch/x86_64/kernel/ptrace.c
+++ release-2.6.11/arch/x86_64/kernel/ptrace.c
@@ -252,7 +252,7 @@ asmlinkage long sys_ptrace(long request,
 			break;
 
 		switch (addr) { 
-		case 0 ... sizeof(struct user_regs_struct):
+		case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
 			tmp = getreg(child, addr);
 			break;
 		case offsetof(struct user, u_debugreg[0]):
@@ -297,7 +297,7 @@ asmlinkage long sys_ptrace(long request,
 			break;
 
 		switch (addr) { 
-		case 0 ... sizeof(struct user_regs_struct): 
+		case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
 			ret = putreg(child, addr, data);
 			break;
 		/* Disallows to set a breakpoint into the vsyscall */

[patch 06/09] Fix for bttv driver (v0.9.15) for Leadtek WinFast VC100 XP capture cards

[Chris Wright]

This is a tiny patch that fixes bttv-cards.c so that Leadtek WinFast
VC100 XP video capture cards work. I've been advised to post it here
after having already posted it to the v4l mailing list.

Acked-by: Gerd Knorr <kraxel@bytesex.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>

--- ./drivers/media/video/bttv-cards.c.orig	2005-04-24 23:39:41.000000000 +0100
+++ ./drivers/media/video/bttv-cards.c	2005-04-25 19:59:27.000000000 +0100
@@ -1939,7 +1939,6 @@
         .no_tda9875     = 1,
         .no_tda7432     = 1,
         .tuner_type     = TUNER_ABSENT,
-        .no_video       = 1,
 	.pll            = PLL_28,
 },{
 	.name           = "Teppro TEV-560/InterVision IV-560",

[patch 07/09] ext3: fix log_do_checkpoint() assertion failure

[Chris Wright]

Fix possible false assertion failure in log_do_checkpoint(). We might fail
to detect that we actually made a progress when cleaning up the checkpoint
lists if we don't retry after writing something to disk. The patch was
confirmed to fix observed assertion failures for several users.

When we flushed some buffers we need to retry scanning the list.
Otherwise we can fail to detect our progress.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>

diff -rupX /home/jack/.kerndiffexclude linux-2.6.12-rc5/fs/jbd/checkpoint.c linux-2.6.12-rc5-1-checkretry/fs/jbd/checkpoint.c
--- linux-2.6.12-rc5/fs/jbd/checkpoint.c	2005-03-03 18:58:29.000000000 +0100
+++ linux-2.6.12-rc5-1-checkretry/fs/jbd/checkpoint.c	2005-05-27 11:15:31.000000000 +0200
@@ -339,8 +339,10 @@ int log_do_checkpoint(journal_t *journal
 			}
 		} while (jh != last_jh && !retry);
 
-		if (batch_count)
+		if (batch_count) {
 			__flush_batch(journal, bhs, &batch_count);
+			retry = 1;
+		}
 
 		/*
 		 * If someone cleaned up this transaction while we slept, we're

[patch 08/09] [BRIDGE]: prevent bad forwarding table updates

[Chris Wright]

Avoid poisoning of the bridge forwarding table by frames that have been
dropped by filtering. This prevents spoofed source addresses on hostile
side of bridge from causing packet leakage, a small but possible security
risk.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>

Index: 2.6.11.11-net/net/bridge/br_input.c
===================================================================
--- 2.6.11.11-net.orig/net/bridge/br_input.c
+++ 2.6.11.11-net/net/bridge/br_input.c
@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buf
 	struct net_bridge_fdb_entry *dst;
 	int passedup = 0;
 
+	/* insert into forwarding database after filtering to avoid spoofing */
+	br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
+
 	if (br->dev->flags & IFF_PROMISC) {
 		struct sk_buff *skb2;
 
@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_po
 	if (eth_hdr(skb)->h_source[0] & 1)
 		goto err;
 
-	if (p->state == BR_STATE_LEARNING ||
-	    p->state == BR_STATE_FORWARDING)
+	if (p->state == BR_STATE_LEARNING)
 		br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
 
 	if (p->br->stp_enabled &&
Index: 2.6.11.11-net/net/bridge/br_stp_bpdu.c
===================================================================
--- 2.6.11.11-net.orig/net/bridge/br_stp_bpdu.c
+++ 2.6.11.11-net/net/bridge/br_stp_bpdu.c
@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *s
 	struct net_bridge *br = p->br;
 	unsigned char *buf;
 
+	/* insert into forwarding database after filtering to avoid spoofing */
+	br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
+
 	/* need at least the 802 and STP headers */
 	if (!pskb_may_pull(skb, sizeof(header)+1) ||
 	    memcmp(skb->data, header, sizeof(header)))

[patch 09/09] [PKT_SCHED]: netem: duplication fix

[Chris Wright]

Netem duplication can cause infinite loop in qdisc_run
because the qlen of the parent qdisc is not affected by the duplication.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>

Index: 2.6.11.11-net/net/sched/sch_netem.c
===================================================================
--- 2.6.11.11-net.orig/net/sched/sch_netem.c
+++ 2.6.11.11-net/net/sched/sch_netem.c
@@ -184,10 +184,15 @@ static int netem_enqueue(struct sk_buff 
 	/* Random duplication */
 	if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor)) {
 		struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
-
-		pr_debug("netem_enqueue: dup %p\n", skb2);
-		if (skb2)
-			delay_skb(sch, skb2);
+		if (skb2) {
+			struct Qdisc *rootq = sch->dev->qdisc;
+			u32 dupsave = q->duplicate; 
+
+			/* prevent duplicating a dup... */
+			q->duplicate = 0;
+			rootq->enqueue(skb2, rootq);
+			q->duplicate = dupsave;
+		}
 	}
 
 	/* If doing simple delay then gap == 0 so all packets

Re: [patch 04/09] x86_64: avoid SMP boot up race

[Horms]

Hi,

I'm wondering if anyone could comment on if this could
be conceived as a security bug. My initial instinct was
yes, but on further considertation I can't conceive
a way it could be exploited, well not by anyone
who couldn't DoS the box in any number of other ways,
including shutting it down.

On Wed, Jun 08, 2005 at 05:04:08PM -0700, Chris Wright wrote:
> Keep interrupts disabled during smp bootup
> 
> This avoids a race that breaks SMP bootup on some machines.
> The race is not fully plugged (that is only done with much
> more changes in 2.6.12), but should be good enough
> for most people.
> 
> Keeping the interrupts disabled here is ok because we
> don't rely on the timer interrupt for local APIC
> timer setup, but always read the timer registers
> directly.
> 
> (originally from Rusty Russell iirc) 
> 
> Signed-off-by: ak@suse.de
> Signed-off-by: Chris Wright <chrisw@osdl.org>
> 
> diff -u linux/arch/x86_64/kernel/apic.c-o linux/arch/x86_64/kernel/apic.c
> --- linux/arch/x86_64/kernel/apic.c-o	2005-05-31 16:40:01.000000000 +0200
> +++ linux/arch/x86_64/kernel/apic.c	2005-05-31 16:44:05.000000000 +0200
> @@ -775,9 +775,7 @@
>  
>  void __init setup_secondary_APIC_clock(void)
>  {
> -	local_irq_disable(); /* FIXME: Do we need this? --RR */
>  	setup_APIC_timer(calibration_result);
> -	local_irq_enable();
>  }
>  
>  void __init disable_APIC_timer(void)
> diff -u linux/arch/x86_64/kernel/smpboot.c-o linux-2.6.11/arch/x86_64/kernel/smpboot.c
> --- linux/arch/x86_64/kernel/smpboot.c-o	2005-03-21 14:04:11.000000000 +0100
> +++ linux/arch/x86_64/kernel/smpboot.c	2005-05-31 16:44:07.000000000 +0200
> @@ -309,8 +309,6 @@
>  	Dprintk("CALLIN, before setup_local_APIC().\n");
>  	setup_local_APIC();
>  
> -	local_irq_enable();
> -
>  	/*
>  	 * Get our bogomips.
>  	 */
> @@ -324,8 +322,6 @@
>  	 */
>   	smp_store_cpu_info(cpuid);
>  
> -	local_irq_disable();
> -
>  	/*
>  	 * Allow the master to continue.
>  	 */
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

-- 
Horms

Re: [patch 04/09] x86_64: avoid SMP boot up race

[Chris Wright]

* Horms (horms@verge.net.au) wrote:
> I'm wondering if anyone could comment on if this could
> be conceived as a security bug. My initial instinct was
> yes, but on further considertation I can't conceive
> a way it could be exploited, well not by anyone
> who couldn't DoS the box in any number of other ways,
> including shutting it down.

That code is run early during boot up when bringing online a cpu.
If you can control this, you own the box.