author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-04-14 16:11:54 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-04-14 16:11:54 -0700 |
commit | 38582e201138679c3f25e9dbd1eb9601d2b3d16b (patch) | |
tree | 24459bfbc2f1ceb7164136e49d3bf962436c87fc | |
parent | 4692dd5806bd27b56f66e43714452dfdce895b6c (diff) | |
xfs patch added to queue
-rw-r--r-- | review-2.6.33/series | 1 | ||||
-rw-r--r-- | review-2.6.33/xfs-zero-proper-structure-size-for-geometry-calls.patch | 70 |
2 files changed, 71 insertions, 0 deletions
diff --git a/review-2.6.33/series b/review-2.6.33/series
index c6e77bc..c083af0 100644
--- a/review-2.6.33/series
+++ b/review-2.6.33/series
@@ -69,3 +69,4 @@ can-use-inode-instead-of-kernel-address-for-proc-file.patch
 exec-make-argv-envp-memory-visible-to-oom-killer.patch
 exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch
 net-fix-rds_iovec-page-count-overflow.patch
+xfs-zero-proper-structure-size-for-geometry-calls.patch
diff --git a/review-2.6.33/xfs-zero-proper-structure-size-for-geometry-calls.patch b/review-2.6.33/xfs-zero-proper-structure-size-for-geometry-calls.patch
new file mode 100644
index 0000000..6340a5a
--- /dev/null
+++ b/review-2.6.33/xfs-zero-proper-structure-size-for-geometry-calls.patch
@@ -0,0 +1,70 @@
+From af24ee9ea8d532e16883251a6684dfa1be8eec29 Mon Sep 17 00:00:00 2001
+From: Alex Elder <aelder@sgi.com>
+Date: Tue, 1 Mar 2011 17:50:00 +0000
+Subject: xfs: zero proper structure size for geometry calls
+
+From: Alex Elder <aelder@sgi.com>
+
+commit af24ee9ea8d532e16883251a6684dfa1be8eec29 upstream.
+
+Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
+xfs_fs_geometry() in order to avoid passing kernel stack data back
+to user space:
+
++ memset(geo, 0, sizeof(*geo));
+
+Unfortunately, one of the callers of that function passes the
+address of a smaller data type, cast to fit the type that
+xfs_fs_geometry() requires. As a result, this can happen:
+
+Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
+in: f87aca93
+
+Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
+Call Trace:
+
+[<c12991ac>] ? panic+0x50/0x150
+[<c102ed71>] ? __stack_chk_fail+0x10/0x18
+[<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
+
+Fix this by fixing that one caller to pass the right type and then
+copy out the subset it is interested in.
+
+Note: This patch is an alternative to one originally proposed by
+Eric Sandeen.
+
+Reported-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
+Signed-off-by: Alex Elder <aelder@sgi.com>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Tested-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/xfs/linux-2.6/xfs_ioctl.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/xfs/linux-2.6/xfs_ioctl.c
++++ b/fs/xfs/linux-2.6/xfs_ioctl.c
+@@ -699,14 +699,19 @@ xfs_ioc_fsgeometry_v1(
+ xfs_mount_t *mp,
+ void __user *arg)
+ {
+- xfs_fsop_geom_v1_t fsgeo;
++ xfs_fsop_geom_t fsgeo;
+ int error;
+
+- error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
++ error = xfs_fs_geometry(mp, &fsgeo, 3);
+ if (error)
+ return -error;
+
+- if (copy_to_user(arg, &fsgeo, sizeof(fsgeo)))
++ /*
++ * Caller should have passed an argument of type
++ * xfs_fsop_geom_v1_t. This is a proper subset of the
++ * xfs_fsop_geom_t that xfs_fs_geometry() fills in.
++ */
++ if (copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t)))
+ return -XFS_ERROR(EFAULT);
+ return 0;
+ } |
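Review bot: The new `copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t))` in xfs_ioc_fsgeometry_v1() is only correct while xfs_fsop_geom_v1_t remains a layout-compatible prefix of xfs_fsop_geom_t, and only the added comment states that assumption. A compile-time guard beside the copy, for example `BUILD_BUG_ON(sizeof(xfs_fsop_geom_v1_t) > sizeof(xfs_fsop_geom_t));`, would at least stop the copy from reading past the stack object if the two structures ever diverge. The stack overwrite being fixed comes from the memset() added by 493f3358cb2, so it is worth confirming that commit is already in the 2.6.33 tree or queued earlier in this series; this page does not show it. The first lines of the function's definition sit above the quoted hunk.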