Linux 2.6.38-rc5-git5
This commit is contained in:
Chuck Ebbert
parent
1edc59625c
commit
3d2b80aa7e
@ -1,42 +0,0 @@
|
||||
bridge: Fix mglist corruption that leads to memory corruption
|
||||
|
||||
The list mp->mglist is used to indicate whether a multicast group
|
||||
is active on the bridge interface itself as opposed to one of the
|
||||
constituent interfaces in the bridge.
|
||||
|
||||
Unfortunately the operation that adds the mp->mglist node to the
|
||||
list neglected to check whether it has already been added. This
|
||||
leads to list corruption in the form of nodes pointing to itself.
|
||||
|
||||
Normally this would be quite obvious as it would cause an infinite
|
||||
loop when walking the list. However, as this list is never actually
|
||||
walked (which means that we don't really need it, I'll get rid of
|
||||
it in a subsequent patch), this instead is hidden until we perform
|
||||
a delete operation on the affected nodes.
|
||||
|
||||
As the same node may now be pointed to by more than one node, the
|
||||
delete operations can then cause modification of freed memory.
|
||||
|
||||
This was observed in practice to cause corruption in 512-byte slabs,
|
||||
most commonly leading to crashes in jbd2.
|
||||
|
||||
Thanks to Josef Bacik for pointing me in the right direction.
|
||||
|
||||
Reported-by: Ian Page Hands <ihands@redhat.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
|
||||
index f701a21..802d3f8 100644
|
||||
--- a/net/bridge/br_multicast.c
|
||||
+++ b/net/bridge/br_multicast.c
|
||||
@@ -719,7 +719,8 @@ static int br_multicast_add_group(struct net_bridge *br,
|
||||
goto err;
|
||||
|
||||
if (!port) {
|
||||
- hlist_add_head(&mp->mglist, &br->mglist);
|
||||
+ if (hlist_unhashed(&mp->mglist))
|
||||
+ hlist_add_head(&mp->mglist, &br->mglist);
|
||||
mod_timer(&mp->timer, now + br->multicast_membership_interval);
|
||||
goto out;
|
||||
}
|
||||
|
||||
15
kernel.spec
15
kernel.spec
@ -84,7 +84,7 @@ Summary: The Linux kernel
|
||||
# The rc snapshot level
|
||||
%define rcrev 5
|
||||
# The git snapshot level
|
||||
%define gitrev 1
|
||||
%define gitrev 5
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 2.6.%{upstream_sublevel}
|
||||
%endif
|
||||
@ -733,14 +733,9 @@ Patch12421: fs-call-security_d_instantiate-in-d_obtain_alias.patch
|
||||
|
||||
Patch12438: ath5k-fix-fast-channel-change.patch
|
||||
|
||||
Patch12440: bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
|
||||
|
||||
# rhbz#676860
|
||||
Patch12441: usb-sierra-add-airprime-direct-ip.patch
|
||||
|
||||
# rhbz#672265
|
||||
Patch12442: revert-block-check-bdev-readonly.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
@ -1356,14 +1351,9 @@ ApplyPatch fs-call-security_d_instantiate-in-d_obtain_alias.patch
|
||||
# rhbz#672778
|
||||
ApplyPatch ath5k-fix-fast-channel-change.patch
|
||||
|
||||
ApplyPatch bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch
|
||||
|
||||
# rhbz#676860
|
||||
ApplyPatch usb-sierra-add-airprime-direct-ip.patch
|
||||
|
||||
# rhbz#672265
|
||||
ApplyPatch revert-block-check-bdev-readonly.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
@ -1967,6 +1957,9 @@ fi
|
||||
# and build.
|
||||
|
||||
%changelog
|
||||
* Sat Feb 19 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.38-0.rc5.git5.1
|
||||
- Linux 2.6.38-rc5-git5
|
||||
|
||||
* Wed Feb 16 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.38-0.rc5.git1.1
|
||||
- Linux 2.6.38-rc5-git1
|
||||
- Add support for Airprime/Sierra USB IP modem (#676860)
|
||||
|
||||
@ -1,33 +0,0 @@
|
||||
This reverts commit 75f1dc0d076d1c1168f2115f1941ea627d38bd5a. The revert
|
||||
could not be done automatically because changes after that commit
|
||||
altered the code too much.
|
||||
|
||||
Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
|
||||
|
||||
--- a/fs/block_dev.c
|
||||
+++ b/fs/block_dev.c
|
||||
@@ -1215,12 +1215,6 @@ int blkdev_get(struct block_device *bdev
|
||||
|
||||
res = __blkdev_get(bdev, mode, 0);
|
||||
|
||||
- /* __blkdev_get() may alter read only status, check it afterwards */
|
||||
- if (!res && (mode & FMODE_WRITE) && bdev_read_only(bdev)) {
|
||||
- __blkdev_put(bdev, mode, 0);
|
||||
- res = -EACCES;
|
||||
- }
|
||||
-
|
||||
if (whole) {
|
||||
/* finish claiming */
|
||||
mutex_lock(&bdev->bd_mutex);
|
||||
@@ -1298,6 +1292,11 @@ struct block_device *blkdev_get_by_path(
|
||||
if (err)
|
||||
return ERR_PTR(err);
|
||||
|
||||
+ if ((mode & FMODE_WRITE) && bdev_read_only(bdev)) {
|
||||
+ blkdev_put(bdev, mode);
|
||||
+ return ERR_PTR(-EACCES);
|
||||
+ }
|
||||
+
|
||||
return bdev;
|
||||
}
|
||||
EXPORT_SYMBOL(blkdev_get_by_path);
|
||||
Loading…
Reference in New Issue
Block a user