public inbox for linux-kernel@vger.kernel.org
* [00/13] -stable review
From: Chris Wright @ 2005-08-03  6:44 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan

This is the start of the stable review cycle for the 2.6.12.4 release.
There are 13 patches in this series, all of which will be posted as
responses to this one.  If anyone has any issues with these being applied,
please let us know.  If anyone is a maintainer of the proper subsystem and
wants to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the Cc:
line.  If you wish to be a reviewer, please email stable@kernel.org to
add your name to the list.  If you want to be off the reviewer list,
also email us.

Responses should be made by Friday, Aug 5 07:00:00 UTC 2005.  Anything
received after that time might be too late.

thanks,

the -stable release team


* [01/13] kbuild: build TAGS problem with O=
From: Chris Wright @ 2005-08-03  6:47 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, trini, george, sam

-stable review patch.  If anyone has any objections, please let us know.

------------------

For inclusion into 2.6.12.stable, extracted from current Linus git:

[PATCH] kbuild: build TAGS problem with O=

  make O=/dir TAGS

  fails with:

    MAKE   TAGS
  find: security/selinux/include: No such file or directory
  find: include: No such file or directory
  find: include/asm-i386: No such file or directory
  find: include/asm-generic: No such file or directory

  The problem is in this line:
  ifeq ($(KBUILD_OUTPUT),)

KBUILD_OUTPUT is not defined (ever) after make reruns itself.  This line is
used in the TAGS, tags, and cscope makes.

Signed-off-by: George Anzinger <george@mvista.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>


---
 Makefile |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.12.3.orig/Makefile	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/Makefile	2005-07-28 11:17:04.000000000 -0700
@@ -1149,7 +1149,7 @@
 #(which is the most common case IMHO) to avoid unneeded clutter in the big tags file.
 #Adding $(srctree) adds about 20M on i386 to the size of the output file!
 
-ifeq ($(KBUILD_OUTPUT),)
+ifeq ($(src),$(obj))
 __srctree =
 else
 __srctree = $(srctree)/
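Review bot: the comment block kept as context above `+ifeq ($(src),$(obj))` still explains only the size cost of adding $(srctree) and says nothing about what the new condition tests, so the next reader has to reconstruct from the commit message that KBUILD_OUTPUT is unset once make has re-executed itself and that comparing $(src) with $(obj) is the in-tree/out-of-tree test that survives the re-exec. Add a one-line comment saying exactly that, and state in the message that this single `__srctree` definition is what the TAGS, tags and cscope targets all consume, since the text lists three users while the diff touches one line.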


* [02/13] qla2xxx: Correct handling of fc_remote_port_add() failure case.
From: Chris Wright @ 2005-08-03  6:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm,
	alan@lxorguk.ukuu.org.uk, Andrew Vasquez, Michael Reed

-stable review patch.  If anyone has any objections, please let us know.

------------------

Correct handling of fc_remote_port_add() failure case.

Immediately return if fc_remote_port_add() fails to allocate
resources for the rport.  Original code would result in NULL
pointer dereference upon failure.

Reported-by: Michael Reed <mdr@sgi.com>

Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 drivers/scsi/qla2xxx/qla_init.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletion(-)

--- linux-2.6.12.3.orig/drivers/scsi/qla2xxx/qla_init.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/drivers/scsi/qla2xxx/qla_init.c	2005-07-28 11:17:08.000000000 -0700
@@ -1914,9 +1914,11 @@
 		rport_ids.roles |= FC_RPORT_ROLE_FCP_TARGET;
 
 	fcport->rport = rport = fc_remote_port_add(ha->host, 0, &rport_ids);
-	if (!rport)
+	if (!rport) {
 		qla_printk(KERN_WARNING, ha,
 		    "Unable to allocate fc remote port!\n");
+		return;
+	}
 
 	if (rport->scsi_target_id != -1 && rport->scsi_target_id < MAX_TARGETS)
 		fcport->os_target_id = rport->scsi_target_id;
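Review bot: the early `return;` leaves `fcport->rport` holding the NULL assigned on the line above the check, and because the function returns void the caller learns of the failure only through the KERN_WARNING line. That is the right minimal fix for the NULL dereference, but a short comment at the return should say that `fcport` is deliberately left without an rport, so that later consumers of `fcport->rport` keep their own NULL checks instead of assuming the port was registered.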


* [03/13] rocket.c: Fix ldisc ref count handling
From: Chris Wright @ 2005-08-03  6:50 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, mostrows

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Michal Ostrowski <mostrows@watson.ibm.com>

If bailing out because there is nothing to receive in rp_do_receive(),
tty_ldisc_deref is not called.  Failure to do so increases the ref count
and causes release_dev() to hang since it can't get the ref count to 0.

Signed-off-by: Michal Ostrowski <mostrows@watson.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 drivers/char/rocket.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletion(-)

--- linux-2.6.12.3.orig/drivers/char/rocket.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/drivers/char/rocket.c	2005-07-28 11:17:09.000000000 -0700
@@ -277,7 +277,7 @@
 		ToRecv = space;
 
 	if (ToRecv <= 0)
-		return;
+		goto done;
 
 	/*
 	 * if status indicates there are errored characters in the
@@ -359,6 +359,7 @@
 	}
 	/*  Push the data up to the tty layer */
 	ld->receive_buf(tty, tty->flip.char_buf, tty->flip.flag_buf, count);
+done:
 	tty_ldisc_deref(ld);
 }
 
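Review bot: the new `done:` label makes the `ToRecv <= 0` path fall through to `tty_ldisc_deref(ld)`, which is only correct if `ld` was already obtained with the matching tty_ldisc_ref before the check at line 277; that acquisition is outside the visible context of both hunks, so the commit message should state it explicitly, otherwise a future reordering of the ref could turn this into a deref without a ref. A comment next to the label, e.g. `/* drop the ldisc ref taken at the top of rp_do_receive() */`, would document the pairing.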


* [04/13] x86_64 memleak from malicious 32bit elf program
From: Chris Wright @ 2005-08-03  6:52 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm,
	alan@lxorguk.ukuu.org.uk, Siddha, Suresh B, Andi Kleen

-stable review patch.  If anyone has any objections, please let us know.

------------------

A malicious 32bit app can have an elf section at 0xffffe000.  During
exec of this app, we will have a memory leak as insert_vm_struct() is
not checking for return value in syscall32_setup_pages() and thus not
freeing the vma allocated for the vsyscall page.

Check the return value and free the vma in case of failure.

Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 arch/x86_64/ia32/syscall32.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletion(-)

--- linux-2.6.12.3.orig/arch/x86_64/ia32/syscall32.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/arch/x86_64/ia32/syscall32.c	2005-07-28 11:17:11.000000000 -0700
@@ -57,6 +57,7 @@
 	int npages = (VSYSCALL32_END - VSYSCALL32_BASE) >> PAGE_SHIFT;
 	struct vm_area_struct *vma;
 	struct mm_struct *mm = current->mm;
+	int ret;
 
 	vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
 	if (!vma)
@@ -78,7 +79,11 @@
 	vma->vm_mm = mm;
 
 	down_write(&mm->mmap_sem);
-	insert_vm_struct(mm, vma);
+	if ((ret = insert_vm_struct(mm, vma))) {
+		up_write(&mm->mmap_sem);
+		kmem_cache_free(vm_area_cachep, vma);
+		return ret;
+	}
 	mm->total_vm += npages;
 	up_write(&mm->mmap_sem);
 	return 0;
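Review bot: the assignment inside the condition, `if ((ret = insert_vm_struct(mm, vma)))`, is the kind of construct checkpatch flags; `ret = insert_vm_struct(mm, vma);` followed by `if (ret)` reads more clearly. On substance the unlock-before-free order is right, and the only field set between allocation and insertion in the visible context is `vma->vm_mm = mm`, so a plain kmem_cache_free() releases everything this path took; if a later version attaches a file or anon_vma to this vma, the error path will need the matching release. Since the message says any malicious 32-bit binary triggers the leak on exec, it should also say whether exec of such a binary now fails with `ret` or proceeds without the vsyscall page.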


* [05/13] [NET]: Fix signedness issues in net/core/filter.c
From: Chris Wright @ 2005-08-03  6:53 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, Patrick McHardy

-stable review patch.  If anyone has any objections, please let us know.

------------------

This is the code to load packet data into a register:

                        k = fentry->k;
                        if (k < 0) {
...
                        } else {
                                u32 _tmp, *p;
                                p = skb_header_pointer(skb, k, 4, &_tmp);
                                if (p != NULL) {
                                        A = ntohl(*p);
                                        continue;
                                }
                        }

skb_header_pointer checks if the requested data is within the
linear area:

        int hlen = skb_headlen(skb);

        if (offset + len <= hlen)
                return skb->data + offset;

When offset is within [INT_MAX-len+1..INT_MAX] the addition will
result in a negative number which is <= hlen.

I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
coworker tried on his x86 machine and it crashed immediately.

This patch fixes the check in skb_header_pointer to handle large
positive offsets similar to skb_copy_bits. Invalid data can still
be accessed using negative offsets (also similar to skb_copy_bits),
anyone using negative offsets needs to verify them himself.

Thanks to Thomas Vögtle <thomas.voegtle@coreworks.de> for verifying the
problem by crashing his machine and providing me with an Oops.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 include/linux/skbuff.h |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.12.3.orig/include/linux/skbuff.h	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/include/linux/skbuff.h	2005-07-28 11:17:12.000000000 -0700
@@ -1192,7 +1192,7 @@
 {
 	int hlen = skb_headlen(skb);
 
-	if (offset + len <= hlen)
+	if (hlen - offset >= len)
 		return skb->data + offset;
 
 	if (skb_copy_bits(skb, offset, buffer, len) < 0)
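Review bot: the rewritten test `hlen - offset >= len` is only overflow-free if `offset` and `len` are both signed ints, and the function signature is not in the hunk; if either were unsigned the subtraction would be promoted and a large negative result would wrap to a large positive one, reintroducing the bug. Please confirm the types and add a comment above the `if` recording why the expression must not be refactored back into `offset + len <= hlen`, since the two look algebraically equal. The message's caveat that negative offsets remain the caller's responsibility belongs in that comment too: for a negative `offset` near INT_MIN the subtraction itself overflows.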

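An added example, not code from the patch or the kernel, that models the two forms of the skb_header_pointer() bounds test from the hunk above in plain C and exercises the [INT_MAX-len+1 .. INT_MAX] window the message describes; `fake_skb`, `linear_access_allowed`, `header_pointer` and the 40-byte sample are constructed names and values, and the overflow probing assumes the GCC/Clang `__builtin_*_overflow` builtins.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the linear area of an sk_buff. */
struct fake_skb {
    unsigned char data[64];
    int headlen;            /* what skb_headlen() would report */
};

/* Pre-patch test, offset + len <= hlen, as the kernel's int arithmetic
 * evaluates it.  The addition is probed with __builtin_add_overflow()
 * (GCC/Clang) instead of being executed, so the model stays defined. */
static bool old_check_accepts(int hlen, int offset, int len)
{
    int sum;

    if (__builtin_add_overflow(offset, len, &sum))
        /* The wrapped sum is negative, and a negative number is always
         * <= hlen: this is how [INT_MAX-len+1 .. INT_MAX] slips through. */
        return true;
    return sum <= hlen;
}

/* Post-patch test, hlen - offset >= len.  With 0 <= offset and
 * 0 <= hlen the subtraction cannot wrap; it can only overflow for a
 * hugely negative offset, which the commit message leaves to callers. */
static bool new_check_accepts(int hlen, int offset, int len)
{
    int diff;

    if (__builtin_sub_overflow(hlen, offset, &diff))
        return false;
    return diff >= len;
}

/* Decision only: no pointer is formed, so the buggy branch can be
 * exercised without out-of-bounds pointer arithmetic.  'fixed' selects
 * the post-patch test. */
bool linear_access_allowed(int hlen, int offset, int len, bool fixed)
{
    return fixed ? new_check_accepts(hlen, offset, len)
                 : old_check_accepts(hlen, offset, len);
}

/* Hardened model of the linear-area case of skb_header_pointer(): the
 * post-patch test plus the caller-side rejection of negative offsets
 * that the commit message says is the caller's job.  NULL on rejection. */
const unsigned char *header_pointer(const struct fake_skb *skb,
                                    int offset, int len)
{
    if (offset < 0 || len < 0 ||
        !new_check_accepts(skb->headlen, offset, len))
        return NULL;
    return skb->data + offset;
}

/* Constructed sample: 40 bytes of linear data in a 64-byte buffer. */
struct fake_skb make_sample_skb(void)
{
    struct fake_skb skb;

    memset(skb.data, 0, sizeof skb.data);
    skb.headlen = 40;
    return skb;
}
```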

* [06/13] [NETFILTER]: Fix deadlock in ip6_queue
From: Chris Wright @ 2005-08-03  6:55 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, Patrick McHardy,
	David S. Miller

-stable review patch.  If anyone has any objections, please let us know.

------------------

[NETFILTER]: Fix deadlock in ip6_queue

Already fixed in ip_queue, ip6_queue was missed.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 net/ipv6/netfilter/ip6_queue.c |    2 ++
 1 files changed, 2 insertions(+)

--- linux-2.6.12.3.orig/net/ipv6/netfilter/ip6_queue.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv6/netfilter/ip6_queue.c	2005-07-28 11:17:13.000000000 -0700
@@ -76,7 +76,9 @@
 static void
 ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
 {
+	local_bh_disable();
 	nf_reinject(entry->skb, entry->info, verdict);
+	local_bh_enable();
 	kfree(entry);
 }
 
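Review bot: the `local_bh_disable()`/`local_bh_enable()` pair around nf_reinject() carries no comment, and the message only says ip_queue was fixed the same way, so the hunk does not record which lock the softirq path contends for; add a one-line comment naming the deadlock so the pair is not removed as redundant later. Keeping `kfree(entry)` outside the BH-disabled region is right, and entry->skb and entry->info are consumed before the free, so there is no use-after-free here.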


* [07/13] [NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
From: Chris Wright @ 2005-08-03  6:57 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, Patrick McHardy,
	David S. Miller

-stable review patch.  If anyone has any objections, please let us know.

------------------

[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)

The portptr pointing to the port in the conntrack tuple is declared static,
which could result in memory corruption when two packets of the same
protocol are NATed at the same time and one conntrack goes away.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 net/ipv4/netfilter/ip_nat_proto_tcp.c |    3 ++-
 net/ipv4/netfilter/ip_nat_proto_udp.c |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_tcp.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_tcp.c	2005-07-28 11:17:15.000000000 -0700
@@ -40,7 +40,8 @@
 		 enum ip_nat_manip_type maniptype,
 		 const struct ip_conntrack *conntrack)
 {
-	static u_int16_t port, *portptr;
+	static u_int16_t port;
+	u_int16_t *portptr;
 	unsigned int range_size, min, i;
 
 	if (maniptype == IP_NAT_MANIP_SRC)
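Review bot: `port` stays `static` while only `portptr` becomes a local, so the 16-bit counter is still shared between all callers of this function; that is fine if the NAT core serialises calls, but the message should name the lock that makes the static safe, since the same scenario that made the static pointer dangerous (two packets of one protocol NATed at the same time) also applies to the static counter's read-modify-write.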
--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_udp.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_udp.c	2005-07-28 11:17:15.000000000 -0700
@@ -41,7 +41,8 @@
 		 enum ip_nat_manip_type maniptype,
 		 const struct ip_conntrack *conntrack)
 {
-	static u_int16_t port, *portptr;
+	static u_int16_t port;
+	u_int16_t *portptr;
 	unsigned int range_size, min, i;
 
 	if (maniptype == IP_NAT_MANIP_SRC)
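Review bot: this is the same two-line change as in ip_nat_proto_tcp.c applied to an otherwise identical function preamble; consider a shared helper for the port-selection logic so that the next fix of this kind does not have to be applied twice and cannot be missed in one of the two files.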


* [08/13] [NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
From: Chris Wright @ 2005-08-03  6:59 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, Patrick McHardy,
	David S. Miller

-stable review patch.  If anyone has any objections, please let us know.

------------------

[NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload

Fixes a crash when unloading ip_conntrack.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 net/ipv4/netfilter/ip_conntrack_core.c |    3 +++
 1 files changed, 3 insertions(+)

--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_conntrack_core.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv4/netfilter/ip_conntrack_core.c	2005-07-28 11:17:16.000000000 -0700
@@ -1124,6 +1124,9 @@
 		schedule();
 		goto i_see_dead_people;
 	}
+	/* wait until all references to ip_conntrack_untracked are dropped */
+	while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
+		schedule();
 
 	kmem_cache_destroy(ip_conntrack_cachep);
 	kmem_cache_destroy(ip_conntrack_expect_cachep);
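Review bot: the `while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1) schedule();` loop has no timeout and no diagnostic, so a reference that is never dropped turns module unload into an unkillable hang; that mirrors the `goto i_see_dead_people` loop above it, but the `> 1` threshold deserves a comment saying that the object's own initial reference is the one expected to remain. Please also mention in the message which code paths hold references to ip_conntrack_untracked, since "fixes a crash when unloading" does not say what was racing with the unload.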


* [09/13] [XFRM]: Fix possible overflow of sock->sk_policy
From: Chris Wright @ 2005-08-03  7:01 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, David S. Miller, Herbert Xu

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

[XFRM]: Fix possible overflow of sock->sk_policy

Spotted by, and original patch by, Balazs Scheidler.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 net/xfrm/xfrm_user.c |    3 +++
 1 files changed, 3 insertions(+)

--- linux-2.6.12.3.orig/net/xfrm/xfrm_user.c	2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/xfrm/xfrm_user.c	2005-07-28 11:17:18.000000000 -0700
@@ -1180,6 +1180,9 @@
 	if (nr > XFRM_MAX_DEPTH)
 		return NULL;
 
+	if (p->dir > XFRM_POLICY_OUT)
+		return NULL;
+
 	xp = xfrm_policy_alloc(GFP_KERNEL);
 	if (xp == NULL) {
 		*dir = -ENOBUFS;
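Review bot: `if (p->dir > XFRM_POLICY_OUT) return NULL;` bounds a value that arrives from user space, so the type of `p->dir` matters and is not visible in the hunk: if it is a signed type, negative values pass this check and still reach the sk_policy index. Confirm it is unsigned or test both ends of the range, and expand the one-line message, which names neither the array bound nor the fact that the unchecked value indexes sock->sk_policy, since that is what makes this a memory-safety fix rather than a validation nicety.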


* [10/13] [PATCH] bio_clone fix
From: Chris Wright @ 2005-08-03  7:03 UTC (permalink / raw)
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Chuck Wolber, torvalds, akpm,
	alan, axboe

-stable review patch.  If anyone has any objections, please let us know.

------------------

[PATCH] bio_clone fix

Fix bug introduced in 2.6.11-rc2: when we clone a BIO we need to copy over the
current index into it as well.

It corrupts data with some MD setups.

See http://bugzilla.kernel.org/show_bug.cgi?id=4946

Huuuuuuuuge thanks to Matthew Stapleton <matthew4196@gmail.com> for doggedly
chasing this one down.

Acked-by: Jens Axboe <axboe@suse.de>
Cc: <linux-raid@vger.kernel.org>
Cc: <dm-devel@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---

 fs/bio.c |    1 +
 1 files changed, 1 insertion(+)

diff --git a/fs/bio.c b/fs/bio.c
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -261,6 +261,7 @@ inline void __bio_clone(struct bio *bio,
 	 */
 	bio->bi_vcnt = bio_src->bi_vcnt;
 	bio->bi_size = bio_src->bi_size;
+	bio->bi_idx = bio_src->bi_idx;
 	bio_phys_segments(q, bio);
 	bio_hw_segments(q, bio);
 }
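Review bot: the single added line `bio->bi_idx = bio_src->bi_idx;` makes the clone start at the same vector as its source, but the message explains the corruption only by reference to bugzilla 4946; a sentence stating what a clone with bi_idx left at zero does to a partially completed source bio (presumably resubmitting segments that were already done) would make the change reviewable without the bug tracker. The copies of bi_vcnt and bi_size already sit together in the context, so a comment noting that all three fields must be cloned as a unit would stop the next field from being forgotten the same way.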
-


* [11/13] sys_get_thread_area does not clear the returned argument
From: Chris Wright @ 2005-08-03  7:04 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, blaisorblade

-stable review patch.  If anyone has any objections, please let us know.

------------------

sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space...  since sizeof(struct user_desc) is 16 while the
actual data that is filled in is only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.

This was already committed to Linus' repository.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---

 vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c |    2 ++
 1 files changed, 2 insertions(+)

diff -puN arch/i386/kernel/process.c~sec-micro-info-leak arch/i386/kernel/process.c
--- vanilla-linux-2.6.12/arch/i386/kernel/process.c~sec-micro-info-leak	2005-07-28 21:19:26.000000000 +0200
+++ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c	2005-07-28 21:19:26.000000000 +0200
@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struc
 	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
 		return -EINVAL;
 
+	memset(&info, 0, sizeof(info));
+
 	desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
 
 	info.entry_number = idx;
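Review bot: `memset(&info, 0, sizeof(info));` sits after the idx range check and before any field assignment, which is the correct position, and memset rather than a `= { 0 }` initialiser is the right tool because an initialiser is not required to clear padding bytes or unused bit-field bits, which are exactly what leaks here. A comment on the memset saying it exists to keep uninitialised stack bytes out of the copy to user space would keep a later cleanup from removing it as redundant.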

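An added example, not code from the patch or the kernel, that reproduces the leak mechanism the message describes with a constructed `struct tls_desc` modelled on the i386 user_desc layout (three 32-bit words plus a sparsely used bit-field word, with a simplified set of bit-fields); it fills the fields one by one as the syscall does and counts how many bytes of the previous stack contents would still be copied out, with and without the memset from the hunk. The field names, the 0xAA stale pattern and the filled values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 16-byte descriptor: three 32-bit words and a 32-bit
 * storage unit of which only 7 bits are named.  The unnamed 25 bits
 * are never written by a field-by-field fill. */
struct tls_desc {
    uint32_t entry_number;
    uint32_t base_addr;
    uint32_t limit;
    unsigned int seg_32bit:1;
    unsigned int contents:2;
    unsigned int read_exec_only:1;
    unsigned int limit_in_pages:1;
    unsigned int seg_not_present:1;
    unsigned int useable:1;
};

/* Stand-in for whatever an earlier call left in the stack slot. */
#define STALE_BYTE 0xAA

/* Field-by-field fill, the way the syscall populates info
 * (constructed values; none of the written bytes equals STALE_BYTE). */
static void fill_desc(struct tls_desc *d)
{
    d->entry_number = 6;
    d->base_addr = 0x12345678u;
    d->limit = 0xfffffu;
    d->seg_32bit = 1;
    d->contents = 0;
    d->read_exec_only = 0;
    d->limit_in_pages = 1;
    d->seg_not_present = 0;
    d->useable = 1;
}

/* Count the bytes of the object representation that still carry the
 * stale pattern after the fill: these are the bytes copy_to_user()
 * would hand to the caller without anyone having written them. */
int stale_bytes_after_fill(int zero_first)
{
    struct tls_desc d;
    const unsigned char *p = (const unsigned char *)&d;
    size_t i;
    int stale = 0;

    /* Pretend the stack slot held leftover data from an earlier call. */
    memset(&d, STALE_BYTE, sizeof d);
    if (zero_first)
        memset(&d, 0, sizeof d);    /* the one-line fix from the hunk */
    fill_desc(&d);

    for (i = 0; i < sizeof d; i++)
        if (p[i] == STALE_BYTE)
            stale++;
    return stale;
}

/* Size of the constructed descriptor; matches the 16 bytes the commit
 * message gives for struct user_desc. */
size_t desc_size(void)
{
    return sizeof(struct tls_desc);
}
```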

* [12/13] [VLAN]: Fix early vlan adding leads to not functional device
From: Chris Wright @ 2005-08-03  7:06 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, tommy.christensen, dsd, davem

-stable review patch.  If anyone has any objections, please let us know.

------------------

[VLAN]: Fix early vlan adding leads to not functional device

OK, I can see what's happening here. eth0 doesn't detect link-up until
after a few seconds, so when the vlan interface is opened immediately
after eth0 has been opened, it inherits the link-down state. Subsequently
the vlan interface is never properly activated and is thus unable to
transmit any packets.

dev->state bits are not supposed to be manipulated directly. Something
similar is probably needed for the netif_device_present() bit, although
I don't know how this is meant to work for a virtual device.
  
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---

--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -578,6 +578,14 @@ static int vlan_device_event(struct noti
 			if (!vlandev)
 				continue;
 
+			if (netif_carrier_ok(dev)) {
+				if (!netif_carrier_ok(vlandev))
+					netif_carrier_on(vlandev);
+			} else {
+				if (netif_carrier_ok(vlandev))
+					netif_carrier_off(vlandev);
+			}
+
 			if ((vlandev->state & VLAN_LINK_STATE_MASK) != flgs) {
 				vlandev->state = (vlandev->state &~ VLAN_LINK_STATE_MASK) 
 					| flgs;
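Review bot: the new block mirrors the carrier state of `dev` onto `vlandev` through netif_carrier_on()/netif_carrier_off(), but the unchanged context right below still writes `vlandev->state` directly, which the message itself says is not supposed to be done; the patch should say whether that direct manipulation is meant to stay alongside the new calls. If netif_carrier_on() and netif_carrier_off() already test the bit before changing it in this tree, the inner `if (!netif_carrier_ok(vlandev))` and `if (netif_carrier_ok(vlandev))` guards are redundant and can go. The patch also lacks a diffstat after the `---` separator.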



* [13/13] Fix powernow oops on dual-core athlon
From: Chris Wright @ 2005-08-03  7:07 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Chuck Wolber, torvalds, akpm, alan, Daniel Drake, davej,
	Mark Langsdorf

-stable review patch.  If anyone has any objections, please let us know.

------------------

powernow-k8 requires that a data structure for
each core be created in the _cpu_init function
call.  The cpufreq infrastructure doesn't call
_cpu_init for the second core in each processor.
Some systems crashed when _get was called with
an odd-numbered core because it tried to
dereference a NULL pointer since the data
structure had not been created.

The attached patch solves the problem by
initializing data structures for all shared
cores in the _cpu_init function.  It should
apply to 2.6.12-rc6 and has been tested by
AMD and Sun.

Signed-off-by: Mark Langsdorf <mark.langsdorf@amd.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---

--- a/arch/i386/kernel/cpu/cpufreq/powernow-k8.c
+++ b/arch/i386/kernel/cpu/cpufreq/powernow-k8.c
@@ -44,7 +44,7 @@
 
 #define PFX "powernow-k8: "
 #define BFX PFX "BIOS error: "
-#define VERSION "version 1.40.2"
+#define VERSION "version 1.40.4"
 #include "powernow-k8.h"
 
 /* serialize freq changes  */
@@ -978,7 +978,7 @@ static int __init powernowk8_cpu_init(st
 {
 	struct powernow_k8_data *data;
 	cpumask_t oldmask = CPU_MASK_ALL;
-	int rc;
+	int rc, i;
 
 	if (!check_supported_cpu(pol->cpu))
 		return -ENODEV;
@@ -1064,7 +1064,9 @@ static int __init powernowk8_cpu_init(st
 	printk("cpu_init done, current fid 0x%x, vid 0x%x\n",
 	       data->currfid, data->currvid);
 
-	powernow_data[pol->cpu] = data;
+	for_each_cpu_mask(i, cpu_core_map[pol->cpu]) {
+		powernow_data[i] = data;
+	}
 
 	return 0;
 
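Review bot: `for_each_cpu_mask(i, cpu_core_map[pol->cpu])` stores the same `data` pointer for every core in the package, so the structure is now shared between sibling cores; the matching exit path is not in the diff, and if it frees `data` when the first core is torn down, the sibling's entry in powernow_data becomes a dangling pointer, turning the NULL dereference this patch fixes into a use-after-free. The message should state how the cpu_exit side handles the shared structure (free it once and clear every sibling's slot).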


* Re: [10/13] [PATCH] bio_clone fix
From: Jens Axboe @ 2005-08-03  7:13 UTC (permalink / raw)
  To: Chris Wright
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Chuck Wolber, torvalds, akpm,
	alan

On Wed, Aug 03 2005, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.

Full ack.

> 
> ------------------
> 
> [PATCH] bio_clone fix
> 
> Fix bug introduced in 2.6.11-rc2: when we clone a BIO we need to copy over the
> current index into it as well.
> 
> It corrupts data with some MD setups.
> 
> See http://bugzilla.kernel.org/show_bug.cgi?id=4946
> 
> Huuuuuuuuge thanks to Matthew Stapleton <matthew4196@gmail.com> for doggedly
> chasing this one down.
> 
> Acked-by: Jens Axboe <axboe@suse.de>
> Cc: <linux-raid@vger.kernel.org>
> Cc: <dm-devel@redhat.com>
> Signed-off-by: Andrew Morton <akpm@osdl.org>
> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
> Signed-off-by: Chris Wright <chrisw@osdl.org>
> ---
> 
>  fs/bio.c |    1 +
>  1 files changed, 1 insertion(+)
> 
> diff --git a/fs/bio.c b/fs/bio.c
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -261,6 +261,7 @@ inline void __bio_clone(struct bio *bio,
>  	 */
>  	bio->bi_vcnt = bio_src->bi_vcnt;
>  	bio->bi_size = bio_src->bi_size;
> +	bio->bi_idx = bio_src->bi_idx;
>  	bio_phys_segments(q, bio);
>  	bio_hw_segments(q, bio);
>  }
> -
> 

-- 
Jens Axboe



* Re: [04/13] x86_64 memleak from malicious 32bit elf program
From: Andi Kleen @ 2005-08-03  8:46 UTC (permalink / raw)
  To: Chris Wright
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Chuck Wolber, torvalds, akpm,
	alan@lxorguk.ukuu.org.uk, Siddha, Suresh B, Andi Kleen

Ok for me. Thanks Suresh.

-Andi


On Tue, Aug 02, 2005 at 11:52:20PM -0700, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> 
> ------------------
> 
> malicious 32bit app can have an elf section at 0xffffe000.  During
> exec of this app, we will have a memory leak as insert_vm_struct() is
> not checking for return value in syscall32_setup_pages() and thus not
> freeing the vma allocated for the vsyscall page.
> 


* Re: [01/13] kbuild: build TAGS problem with O=
From: Sam Ravnborg @ 2005-08-03 17:37 UTC (permalink / raw)
  To: Chris Wright
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Chuck Wolber, torvalds, akpm,
	alan, trini, george

On Tue, Aug 02, 2005 at 11:47:17PM -0700, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> 
> ------------------
> 
> For inclusion into 2.6.12.stable, extracted from current Linus git:
> 
> [PATCH] kbuild: build TAGS problem with O=

Ack.

	Sam

