merge the changes from the etch-security branch as of r8377 - requested by vorlon, in case of potential update prior to 4.0r0
svn path=/dists/etch/linux-2.6/; revision=8378
This commit is contained in:
commit
fce1968d96
|
@ -23,7 +23,26 @@ linux-2.6 (2.6.18.dfsg.1-12) UNRELEASED; urgency=low
|
||||||
Thanks to Doug Nazar for the patch and to Daniel J. Priem for testing.
|
Thanks to Doug Nazar for the patch and to Daniel J. Priem for testing.
|
||||||
Closes: #409313.
|
Closes: #409313.
|
||||||
|
|
||||||
-- Steve Langasek <vorlon@debian.org> Mon, 5 Mar 2007 00:25:35 -0800
|
[ dann frazier ]
|
||||||
|
* bugfix/keys-serial-num-collision.patch
|
||||||
|
[SECURITY] Fix the key serial number collision avoidance code in
|
||||||
|
key_alloc_serial() that could lead to a local DoS (oops).
|
||||||
|
(closes: #398470)
|
||||||
|
See CVE-2007-0006
|
||||||
|
* bugfix/ipv6_getsockopt_sticky-null-opt.patch
|
||||||
|
[SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead
|
||||||
|
to a local DoS (oops).
|
||||||
|
See CVE-2007-1388
|
||||||
|
* bugfix/ipv6_getsockopt_sticky-null-opt.patch
|
||||||
|
[SECURITY] Fix kernel memory leak vulnerability in
|
||||||
|
ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
|
||||||
|
See CVE-2007-1000
|
||||||
|
* bugfix/listxattr-mem-corruption.patch
|
||||||
|
[SECURITY] Fix userspace corruption vulnerability caused by
|
||||||
|
incorrectly promoted return values in bad_inode_ops
|
||||||
|
See CVE-2006-5753
|
||||||
|
|
||||||
|
-- dann frazier <dannf@debian.org> Wed, 21 Mar 2007 18:03:28 -0600
|
||||||
|
|
||||||
linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low
|
linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,42 @@
|
||||||
|
From: David S. Miller <davem@sunset.davemloft.net>
|
||||||
|
Date: Wed, 7 Mar 2007 20:50:46 +0000 (-0800)
|
||||||
|
Subject: [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
|
||||||
|
X-Git-Tag: v2.6.21-rc4~99^2~7
|
||||||
|
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=286930797d74b2c9a5beae84836044f6a836235f
|
||||||
|
|
||||||
|
[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
|
||||||
|
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
|
||||||
|
index 286c867..4e0561a 100644
|
||||||
|
--- a/net/ipv6/ipv6_sockglue.c
|
||||||
|
+++ b/net/ipv6/ipv6_sockglue.c
|
||||||
|
@@ -795,11 +795,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
|
||||||
|
EXPORT_SYMBOL(compat_ipv6_setsockopt);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
|
||||||
|
+static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
|
||||||
|
char __user *optval, int len)
|
||||||
|
{
|
||||||
|
- if (!hdr)
|
||||||
|
+ struct ipv6_opt_hdr *hdr;
|
||||||
|
+
|
||||||
|
+ if (!opt || !opt->hopopt)
|
||||||
|
return 0;
|
||||||
|
+ hdr = opt->hopopt;
|
||||||
|
+
|
||||||
|
len = min_t(int, len, ipv6_optlen(hdr));
|
||||||
|
if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
|
||||||
|
return -EFAULT;
|
||||||
|
@@ -940,7 +944,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
|
||||||
|
{
|
||||||
|
|
||||||
|
lock_sock(sk);
|
||||||
|
- len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
|
||||||
|
+ len = ipv6_getsockopt_sticky(sk, np->opt,
|
||||||
|
optval, len);
|
||||||
|
release_sock(sk);
|
||||||
|
return put_user(len, optlen);
|
|
@ -0,0 +1,28 @@
|
||||||
|
From: Olaf Kirch <olaf.kirch@oracle.com>
|
||||||
|
Date: Fri, 9 Mar 2007 21:55:38 +0000 (-0800)
|
||||||
|
Subject: [IPV6]: Fix for ipv6_setsockopt NULL dereference
|
||||||
|
X-Git-Tag: v2.6.21-rc4~50^2~1
|
||||||
|
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dfee0a725bb027b749ffdd318eb48b91d564b266
|
||||||
|
|
||||||
|
[IPV6]: Fix for ipv6_setsockopt NULL dereference
|
||||||
|
|
||||||
|
I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155
|
||||||
|
|
||||||
|
Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
|
||||||
|
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
|
||||||
|
index 4e0561a..b82333b 100644
|
||||||
|
--- a/net/ipv6/ipv6_sockglue.c
|
||||||
|
+++ b/net/ipv6/ipv6_sockglue.c
|
||||||
|
@@ -413,7 +413,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* routing header option needs extra check */
|
||||||
|
- if (optname == IPV6_RTHDR && opt->srcrt) {
|
||||||
|
+ if (optname == IPV6_RTHDR && opt && opt->srcrt) {
|
||||||
|
struct ipv6_rt_hdr *rthdr = opt->srcrt;
|
||||||
|
switch (rthdr->type) {
|
||||||
|
case IPV6_SRCRT_TYPE_0:
|
|
@ -0,0 +1,92 @@
|
||||||
|
From: David Howells <dhowells@redhat.com>
|
||||||
|
Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000)
|
||||||
|
Subject: [PATCH] Keys: Fix key serial number collision handling
|
||||||
|
X-Git-Tag: v2.6.21-rc2~42^2~22
|
||||||
|
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4
|
||||||
|
|
||||||
|
[PATCH] Keys: Fix key serial number collision handling
|
||||||
|
|
||||||
|
Fix the key serial number collision avoidance code in key_alloc_serial().
|
||||||
|
|
||||||
|
This didn't use to be so much of a problem as the key serial numbers were
|
||||||
|
allocated from a simple incremental counter, and it would have to go through
|
||||||
|
two billion keys before it could possibly encounter a collision. However, now
|
||||||
|
that random numbers are used instead, collisions are much more likely.
|
||||||
|
|
||||||
|
This is fixed by finding a hole in the rbtree where the next unused serial
|
||||||
|
number ought to be and using that by going almost back to the top of the
|
||||||
|
insertion routine and redoing the insertion with the new serial number rather
|
||||||
|
than trying to be clever and attempting to work out the insertion point
|
||||||
|
pointer directly.
|
||||||
|
|
||||||
|
This fixes kernel BZ #7727.
|
||||||
|
|
||||||
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/security/keys/key.c b/security/keys/key.c
|
||||||
|
index ac9326c..700400d 100644
|
||||||
|
--- a/security/keys/key.c
|
||||||
|
+++ b/security/keys/key.c
|
||||||
|
@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key)
|
||||||
|
|
||||||
|
spin_lock(&key_serial_lock);
|
||||||
|
|
||||||
|
+attempt_insertion:
|
||||||
|
parent = NULL;
|
||||||
|
p = &key_serial_tree.rb_node;
|
||||||
|
|
||||||
|
@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key)
|
||||||
|
else
|
||||||
|
goto serial_exists;
|
||||||
|
}
|
||||||
|
- goto insert_here;
|
||||||
|
+
|
||||||
|
+ /* we've found a suitable hole - arrange for this key to occupy it */
|
||||||
|
+ rb_link_node(&key->serial_node, parent, p);
|
||||||
|
+ rb_insert_color(&key->serial_node, &key_serial_tree);
|
||||||
|
+
|
||||||
|
+ spin_unlock(&key_serial_lock);
|
||||||
|
+ return;
|
||||||
|
|
||||||
|
/* we found a key with the proposed serial number - walk the tree from
|
||||||
|
* that point looking for the next unused serial number */
|
||||||
|
serial_exists:
|
||||||
|
for (;;) {
|
||||||
|
key->serial++;
|
||||||
|
- if (key->serial < 2)
|
||||||
|
- key->serial = 2;
|
||||||
|
-
|
||||||
|
- if (!rb_parent(parent))
|
||||||
|
- p = &key_serial_tree.rb_node;
|
||||||
|
- else if (rb_parent(parent)->rb_left == parent)
|
||||||
|
- p = &(rb_parent(parent)->rb_left);
|
||||||
|
- else
|
||||||
|
- p = &(rb_parent(parent)->rb_right);
|
||||||
|
+ if (key->serial < 3) {
|
||||||
|
+ key->serial = 3;
|
||||||
|
+ goto attempt_insertion;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
parent = rb_next(parent);
|
||||||
|
if (!parent)
|
||||||
|
- break;
|
||||||
|
+ goto attempt_insertion;
|
||||||
|
|
||||||
|
xkey = rb_entry(parent, struct key, serial_node);
|
||||||
|
if (key->serial < xkey->serial)
|
||||||
|
- goto insert_here;
|
||||||
|
+ goto attempt_insertion;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* we've found a suitable hole - arrange for this key to occupy it */
|
||||||
|
-insert_here:
|
||||||
|
- rb_link_node(&key->serial_node, parent, p);
|
||||||
|
- rb_insert_color(&key->serial_node, &key_serial_tree);
|
||||||
|
-
|
||||||
|
- spin_unlock(&key_serial_lock);
|
||||||
|
-
|
||||||
|
} /* end key_alloc_serial() */
|
||||||
|
|
||||||
|
/*****************************************************************************/
|
|
@ -0,0 +1,441 @@
|
||||||
|
From: Eric Sandeen <sandeen@redhat.com>
|
||||||
|
Date: Sat, 6 Jan 2007 00:36:36 +0000 (-0800)
|
||||||
|
Subject: [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
|
||||||
|
X-Git-Tag: v2.6.20-rc4~60
|
||||||
|
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8;hp=2723f9603a8f8bb2cd8c7b581f7c94b8d75e3837
|
||||||
|
|
||||||
|
[PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
|
||||||
|
|
||||||
|
CVE-2006-5753 is for a case where an inode can be marked bad, switching
|
||||||
|
the ops to bad_inode_ops, which are all connected as:
|
||||||
|
|
||||||
|
static int return_EIO(void)
|
||||||
|
{
|
||||||
|
return -EIO;
|
||||||
|
}
|
||||||
|
|
||||||
|
#define EIO_ERROR ((void *) (return_EIO))
|
||||||
|
|
||||||
|
static struct inode_operations bad_inode_ops =
|
||||||
|
{
|
||||||
|
.create = bad_inode_create
|
||||||
|
...etc...
|
||||||
|
|
||||||
|
The problem here is that the void cast causes return types to not be
|
||||||
|
promoted, and for ops such as listxattr which expect more than 32 bits of
|
||||||
|
return value, the 32-bit -EIO is interpreted as a large positive 64-bit
|
||||||
|
number, i.e. 0x00000000fffffffa instead of 0xfffffffa.
|
||||||
|
|
||||||
|
This goes particularly badly when the return value is taken as a number of
|
||||||
|
bytes to copy into, say, a user's buffer for example...
|
||||||
|
|
||||||
|
I originally had coded up the fix by creating a return_EIO_<TYPE> macro
|
||||||
|
for each return type, like this:
|
||||||
|
|
||||||
|
static int return_EIO_int(void)
|
||||||
|
{
|
||||||
|
return -EIO;
|
||||||
|
}
|
||||||
|
#define EIO_ERROR_INT ((void *) (return_EIO_int))
|
||||||
|
|
||||||
|
static struct inode_operations bad_inode_ops =
|
||||||
|
{
|
||||||
|
.create = EIO_ERROR_INT,
|
||||||
|
...etc...
|
||||||
|
|
||||||
|
but Al felt that it was probably better to create an EIO-returner for each
|
||||||
|
actual op signature. Since so few ops share a signature, I just went ahead
|
||||||
|
& created an EIO function for each individual file & inode op that returns
|
||||||
|
a value.
|
||||||
|
|
||||||
|
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
|
||||||
|
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||||
|
Signed-off-by: Andrew Morton <akpm@osdl.org>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
||||||
|
---
|
||||||
|
|
||||||
|
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
|
||||||
|
|
||||||
|
--- linux-source-2.6.18/fs/bad_inode.c.orig 2006-09-19 21:42:06.000000000 -0600
|
||||||
|
+++ linux-source-2.6.18/fs/bad_inode.c 2007-03-19 20:56:08.000000000 -0600
|
||||||
|
@@ -14,61 +14,321 @@
|
||||||
|
#include <linux/time.h>
|
||||||
|
#include <linux/smp_lock.h>
|
||||||
|
#include <linux/namei.h>
|
||||||
|
+#include <linux/poll.h>
|
||||||
|
|
||||||
|
-static int return_EIO(void)
|
||||||
|
+
|
||||||
|
+static loff_t bad_file_llseek(struct file *file, loff_t offset, int origin)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_read(struct file *filp, char __user *buf,
|
||||||
|
+ size_t size, loff_t *ppos)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_write(struct file *filp, const char __user *buf,
|
||||||
|
+ size_t siz, loff_t *ppos)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_aio_read(struct kiocb *iocb, char __user *buf,
|
||||||
|
+ size_t siz, loff_t pos)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_aio_write(struct kiocb *iocb, const char __user *buf,
|
||||||
|
+ size_t siz, loff_t pos)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_readdir(struct file *filp, void *dirent, filldir_t filldir)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static unsigned int bad_file_poll(struct file *filp, poll_table *wait)
|
||||||
|
+{
|
||||||
|
+ return POLLERR;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_ioctl (struct inode *inode, struct file *filp,
|
||||||
|
+ unsigned int cmd, unsigned long arg)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static long bad_file_unlocked_ioctl(struct file *file, unsigned cmd,
|
||||||
|
+ unsigned long arg)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static long bad_file_compat_ioctl(struct file *file, unsigned int cmd,
|
||||||
|
+ unsigned long arg)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_mmap(struct file *file, struct vm_area_struct *vma)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_open(struct inode *inode, struct file *filp)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_flush(struct file *file, fl_owner_t id)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_release(struct inode *inode, struct file *filp)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_fsync(struct file *file, struct dentry *dentry,
|
||||||
|
+ int datasync)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_aio_fsync(struct kiocb *iocb, int datasync)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_fasync(int fd, struct file *filp, int on)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_lock(struct file *file, int cmd, struct file_lock *fl)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_readv(struct file *filp, const struct iovec *iov,
|
||||||
|
+ unsigned long nr_segs, loff_t *ppos)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_writev(struct file *filp, const struct iovec *iov,
|
||||||
|
+ unsigned long nr_segs, loff_t *ppos)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_sendfile(struct file *in_file, loff_t *ppos,
|
||||||
|
+ size_t count, read_actor_t actor, void *target)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_sendpage(struct file *file, struct page *page,
|
||||||
|
+ int off, size_t len, loff_t *pos, int more)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static unsigned long bad_file_get_unmapped_area(struct file *file,
|
||||||
|
+ unsigned long addr, unsigned long len,
|
||||||
|
+ unsigned long pgoff, unsigned long flags)
|
||||||
|
{
|
||||||
|
return -EIO;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#define EIO_ERROR ((void *) (return_EIO))
|
||||||
|
+static int bad_file_check_flags(int flags)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_dir_notify(struct file *file, unsigned long arg)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_file_flock(struct file *filp, int cmd, struct file_lock *fl)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_splice_write(struct pipe_inode_info *pipe,
|
||||||
|
+ struct file *out, loff_t *ppos, size_t len,
|
||||||
|
+ unsigned int flags)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_file_splice_read(struct file *in, loff_t *ppos,
|
||||||
|
+ struct pipe_inode_info *pipe, size_t len,
|
||||||
|
+ unsigned int flags)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
|
||||||
|
static const struct file_operations bad_file_ops =
|
||||||
|
{
|
||||||
|
- .llseek = EIO_ERROR,
|
||||||
|
- .aio_read = EIO_ERROR,
|
||||||
|
- .read = EIO_ERROR,
|
||||||
|
- .write = EIO_ERROR,
|
||||||
|
- .aio_write = EIO_ERROR,
|
||||||
|
- .readdir = EIO_ERROR,
|
||||||
|
- .poll = EIO_ERROR,
|
||||||
|
- .ioctl = EIO_ERROR,
|
||||||
|
- .mmap = EIO_ERROR,
|
||||||
|
- .open = EIO_ERROR,
|
||||||
|
- .flush = EIO_ERROR,
|
||||||
|
- .release = EIO_ERROR,
|
||||||
|
- .fsync = EIO_ERROR,
|
||||||
|
- .aio_fsync = EIO_ERROR,
|
||||||
|
- .fasync = EIO_ERROR,
|
||||||
|
- .lock = EIO_ERROR,
|
||||||
|
- .readv = EIO_ERROR,
|
||||||
|
- .writev = EIO_ERROR,
|
||||||
|
- .sendfile = EIO_ERROR,
|
||||||
|
- .sendpage = EIO_ERROR,
|
||||||
|
- .get_unmapped_area = EIO_ERROR,
|
||||||
|
+ .llseek = bad_file_llseek,
|
||||||
|
+ .read = bad_file_read,
|
||||||
|
+ .write = bad_file_write,
|
||||||
|
+ .aio_read = bad_file_aio_read,
|
||||||
|
+ .aio_write = bad_file_aio_write,
|
||||||
|
+ .readdir = bad_file_readdir,
|
||||||
|
+ .poll = bad_file_poll,
|
||||||
|
+ .ioctl = bad_file_ioctl,
|
||||||
|
+ .unlocked_ioctl = bad_file_unlocked_ioctl,
|
||||||
|
+ .compat_ioctl = bad_file_compat_ioctl,
|
||||||
|
+ .mmap = bad_file_mmap,
|
||||||
|
+ .open = bad_file_open,
|
||||||
|
+ .flush = bad_file_flush,
|
||||||
|
+ .release = bad_file_release,
|
||||||
|
+ .fsync = bad_file_fsync,
|
||||||
|
+ .aio_fsync = bad_file_aio_fsync,
|
||||||
|
+ .fasync = bad_file_fasync,
|
||||||
|
+ .lock = bad_file_lock,
|
||||||
|
+ .readv = bad_file_readv,
|
||||||
|
+ .writev = bad_file_writev,
|
||||||
|
+ .sendfile = bad_file_sendfile,
|
||||||
|
+ .sendpage = bad_file_sendpage,
|
||||||
|
+ .get_unmapped_area = bad_file_get_unmapped_area,
|
||||||
|
+ .check_flags = bad_file_check_flags,
|
||||||
|
+ .dir_notify = bad_file_dir_notify,
|
||||||
|
+ .flock = bad_file_flock,
|
||||||
|
+ .splice_write = bad_file_splice_write,
|
||||||
|
+ .splice_read = bad_file_splice_read,
|
||||||
|
};
|
||||||
|
|
||||||
|
+static int bad_inode_create (struct inode *dir, struct dentry *dentry,
|
||||||
|
+ int mode, struct nameidata *nd)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static struct dentry *bad_inode_lookup(struct inode *dir,
|
||||||
|
+ struct dentry *dentry, struct nameidata *nd)
|
||||||
|
+{
|
||||||
|
+ return ERR_PTR(-EIO);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_link (struct dentry *old_dentry, struct inode *dir,
|
||||||
|
+ struct dentry *dentry)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_unlink(struct inode *dir, struct dentry *dentry)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_symlink (struct inode *dir, struct dentry *dentry,
|
||||||
|
+ const char *symname)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_mkdir(struct inode *dir, struct dentry *dentry,
|
||||||
|
+ int mode)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_rmdir (struct inode *dir, struct dentry *dentry)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_mknod (struct inode *dir, struct dentry *dentry,
|
||||||
|
+ int mode, dev_t rdev)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_rename (struct inode *old_dir, struct dentry *old_dentry,
|
||||||
|
+ struct inode *new_dir, struct dentry *new_dentry)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_readlink(struct dentry *dentry, char __user *buffer,
|
||||||
|
+ int buflen)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_permission(struct inode *inode, int mask,
|
||||||
|
+ struct nameidata *nd)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_getattr(struct vfsmount *mnt, struct dentry *dentry,
|
||||||
|
+ struct kstat *stat)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_setattr(struct dentry *direntry, struct iattr *attrs)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_setxattr(struct dentry *dentry, const char *name,
|
||||||
|
+ const void *value, size_t size, int flags)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_inode_getxattr(struct dentry *dentry, const char *name,
|
||||||
|
+ void *buffer, size_t size)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t bad_inode_listxattr(struct dentry *dentry, char *buffer,
|
||||||
|
+ size_t buffer_size)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int bad_inode_removexattr(struct dentry *dentry, const char *name)
|
||||||
|
+{
|
||||||
|
+ return -EIO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static struct inode_operations bad_inode_ops =
|
||||||
|
{
|
||||||
|
- .create = EIO_ERROR,
|
||||||
|
- .lookup = EIO_ERROR,
|
||||||
|
- .link = EIO_ERROR,
|
||||||
|
- .unlink = EIO_ERROR,
|
||||||
|
- .symlink = EIO_ERROR,
|
||||||
|
- .mkdir = EIO_ERROR,
|
||||||
|
- .rmdir = EIO_ERROR,
|
||||||
|
- .mknod = EIO_ERROR,
|
||||||
|
- .rename = EIO_ERROR,
|
||||||
|
- .readlink = EIO_ERROR,
|
||||||
|
+ .create = bad_inode_create,
|
||||||
|
+ .lookup = bad_inode_lookup,
|
||||||
|
+ .link = bad_inode_link,
|
||||||
|
+ .unlink = bad_inode_unlink,
|
||||||
|
+ .symlink = bad_inode_symlink,
|
||||||
|
+ .mkdir = bad_inode_mkdir,
|
||||||
|
+ .rmdir = bad_inode_rmdir,
|
||||||
|
+ .mknod = bad_inode_mknod,
|
||||||
|
+ .rename = bad_inode_rename,
|
||||||
|
+ .readlink = bad_inode_readlink,
|
||||||
|
/* follow_link must be no-op, otherwise unmounting this inode
|
||||||
|
won't work */
|
||||||
|
- .truncate = EIO_ERROR,
|
||||||
|
- .permission = EIO_ERROR,
|
||||||
|
- .getattr = EIO_ERROR,
|
||||||
|
- .setattr = EIO_ERROR,
|
||||||
|
- .setxattr = EIO_ERROR,
|
||||||
|
- .getxattr = EIO_ERROR,
|
||||||
|
- .listxattr = EIO_ERROR,
|
||||||
|
- .removexattr = EIO_ERROR,
|
||||||
|
+ /* put_link returns void */
|
||||||
|
+ /* truncate returns void */
|
||||||
|
+ .permission = bad_inode_permission,
|
||||||
|
+ .getattr = bad_inode_getattr,
|
||||||
|
+ .setattr = bad_inode_setattr,
|
||||||
|
+ .setxattr = bad_inode_setxattr,
|
||||||
|
+ .getxattr = bad_inode_getxattr,
|
||||||
|
+ .listxattr = bad_inode_listxattr,
|
||||||
|
+ .removexattr = bad_inode_removexattr,
|
||||||
|
+ /* truncate_range returns void */
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@@ -90,7 +350,7 @@
|
||||||
|
* on it to fail from this point on.
|
||||||
|
*/
|
||||||
|
|
||||||
|
-void make_bad_inode(struct inode * inode)
|
||||||
|
+void make_bad_inode(struct inode *inode)
|
||||||
|
{
|
||||||
|
remove_inode_hash(inode);
|
||||||
|
|
||||||
|
@@ -115,7 +375,7 @@
|
||||||
|
* Returns true if the inode in question has been marked as bad.
|
||||||
|
*/
|
||||||
|
|
||||||
|
-int is_bad_inode(struct inode * inode)
|
||||||
|
+int is_bad_inode(struct inode *inode)
|
||||||
|
{
|
||||||
|
return (inode->i_op == &bad_inode_ops);
|
||||||
|
}
|
|
@ -2,3 +2,7 @@
|
||||||
+ bugfix/sparc/eth1394-unaligned-access.patch
|
+ bugfix/sparc/eth1394-unaligned-access.patch
|
||||||
+ bugfix/sparc/kenvctrld-cpu-consumption.patch
|
+ bugfix/sparc/kenvctrld-cpu-consumption.patch
|
||||||
+ bugfix/sparc/ip_rcv-unaligned-access.patch
|
+ bugfix/sparc/ip_rcv-unaligned-access.patch
|
||||||
|
+ bugfix/keys-serial-num-collision.patch
|
||||||
|
+ bugfix/ipv6_setsockopt-NULL-deref.patch
|
||||||
|
+ bugfix/ipv6_getsockopt_sticky-null-opt.patch
|
||||||
|
+ bugfix/listxattr-mem-corruption.patch
|
||||||
|
|
Loading…
Reference in New Issue