Update to Linux 3.1.10
parent
cd4ffd10e8
commit
7655e85b74
|
@ -1,206 +0,0 @@
|
|||
From 423873736b78f549fbfa2f715f2e4de7e6c5e1e9 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Williamson <alex.williamson@redhat.com>
|
||||
Date: Tue, 20 Dec 2011 21:59:03 -0700
|
||||
Subject: [PATCH 1/2] KVM: Remove ability to assign a device without iommu
|
||||
support
|
||||
|
||||
This option has no users and it exposes a security hole that we
|
||||
can allow devices to be assigned without iommu protection. Make
|
||||
KVM_DEV_ASSIGN_ENABLE_IOMMU a mandatory option.
|
||||
|
||||
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
|
||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
||||
---
|
||||
virt/kvm/assigned-dev.c | 18 +++++++++---------
|
||||
1 files changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/virt/kvm/assigned-dev.c b/virt/kvm/assigned-dev.c
|
||||
index 3ad0925..a251a28 100644
|
||||
--- a/virt/kvm/assigned-dev.c
|
||||
+++ b/virt/kvm/assigned-dev.c
|
||||
@@ -487,6 +487,9 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
|
||||
struct kvm_assigned_dev_kernel *match;
|
||||
struct pci_dev *dev;
|
||||
|
||||
+ if (!(assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
mutex_lock(&kvm->lock);
|
||||
idx = srcu_read_lock(&kvm->srcu);
|
||||
|
||||
@@ -544,16 +547,14 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
|
||||
|
||||
list_add(&match->list, &kvm->arch.assigned_dev_head);
|
||||
|
||||
- if (assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU) {
|
||||
- if (!kvm->arch.iommu_domain) {
|
||||
- r = kvm_iommu_map_guest(kvm);
|
||||
- if (r)
|
||||
- goto out_list_del;
|
||||
- }
|
||||
- r = kvm_assign_device(kvm, match);
|
||||
+ if (!kvm->arch.iommu_domain) {
|
||||
+ r = kvm_iommu_map_guest(kvm);
|
||||
if (r)
|
||||
goto out_list_del;
|
||||
}
|
||||
+ r = kvm_assign_device(kvm, match);
|
||||
+ if (r)
|
||||
+ goto out_list_del;
|
||||
|
||||
out:
|
||||
srcu_read_unlock(&kvm->srcu, idx);
|
||||
@@ -593,8 +594,7 @@ static int kvm_vm_ioctl_deassign_device(struct kvm *kvm,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if (match->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU)
|
||||
- kvm_deassign_device(kvm, match);
|
||||
+ kvm_deassign_device(kvm, match);
|
||||
|
||||
kvm_free_assigned_device(kvm, match);
|
||||
|
||||
--
|
||||
1.7.7.5
|
||||
|
||||
|
||||
From 3d27e23b17010c668db311140b17bbbb70c78fb9 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Williamson <alex.williamson@redhat.com>
|
||||
Date: Tue, 20 Dec 2011 21:59:09 -0700
|
||||
Subject: [PATCH 2/2] KVM: Device assignment permission checks
|
||||
|
||||
Only allow KVM device assignment to attach to devices which:
|
||||
|
||||
- Are not bridges
|
||||
- Have BAR resources (assume others are special devices)
|
||||
- The user has permissions to use
|
||||
|
||||
Assigning a bridge is a configuration error, it's not supported, and
|
||||
typically doesn't result in the behavior the user is expecting anyway.
|
||||
Devices without BAR resources are typically chipset components that
|
||||
also don't have host drivers. We don't want users to hold such devices
|
||||
captive or cause system problems by fencing them off into an iommu
|
||||
domain. We determine "permission to use" by testing whether the user
|
||||
has access to the PCI sysfs resource files. By default a normal user
|
||||
will not have access to these files, so it provides a good indication
|
||||
that an administration agent has granted the user access to the device.
|
||||
|
||||
[Yang Bai: add missing #include]
|
||||
[avi: fix comment style]
|
||||
|
||||
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
|
||||
Signed-off-by: Yang Bai <hamo.by@gmail.com>
|
||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
||||
---
|
||||
virt/kvm/assigned-dev.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 files changed, 75 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/virt/kvm/assigned-dev.c b/virt/kvm/assigned-dev.c
|
||||
index a251a28..758e3b3 100644
|
||||
--- a/virt/kvm/assigned-dev.c
|
||||
+++ b/virt/kvm/assigned-dev.c
|
||||
@@ -17,6 +17,8 @@
|
||||
#include <linux/pci.h>
|
||||
#include <linux/interrupt.h>
|
||||
#include <linux/slab.h>
|
||||
+#include <linux/namei.h>
|
||||
+#include <linux/fs.h>
|
||||
#include "irq.h"
|
||||
|
||||
static struct kvm_assigned_dev_kernel *kvm_find_assigned_dev(struct list_head *head,
|
||||
@@ -480,12 +482,73 @@ out:
|
||||
return r;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * We want to test whether the caller has been granted permissions to
|
||||
+ * use this device. To be able to configure and control the device,
|
||||
+ * the user needs access to PCI configuration space and BAR resources.
|
||||
+ * These are accessed through PCI sysfs. PCI config space is often
|
||||
+ * passed to the process calling this ioctl via file descriptor, so we
|
||||
+ * can't rely on access to that file. We can check for permissions
|
||||
+ * on each of the BAR resource files, which is a pretty clear
|
||||
+ * indicator that the user has been granted access to the device.
|
||||
+ */
|
||||
+static int probe_sysfs_permissions(struct pci_dev *dev)
|
||||
+{
|
||||
+#ifdef CONFIG_SYSFS
|
||||
+ int i;
|
||||
+ bool bar_found = false;
|
||||
+
|
||||
+ for (i = PCI_STD_RESOURCES; i <= PCI_STD_RESOURCE_END; i++) {
|
||||
+ char *kpath, *syspath;
|
||||
+ struct path path;
|
||||
+ struct inode *inode;
|
||||
+ int r;
|
||||
+
|
||||
+ if (!pci_resource_len(dev, i))
|
||||
+ continue;
|
||||
+
|
||||
+ kpath = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
|
||||
+ if (!kpath)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
+ /* Per sysfs-rules, sysfs is always at /sys */
|
||||
+ syspath = kasprintf(GFP_KERNEL, "/sys%s/resource%d", kpath, i);
|
||||
+ kfree(kpath);
|
||||
+ if (!syspath)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
+ r = kern_path(syspath, LOOKUP_FOLLOW, &path);
|
||||
+ kfree(syspath);
|
||||
+ if (r)
|
||||
+ return r;
|
||||
+
|
||||
+ inode = path.dentry->d_inode;
|
||||
+
|
||||
+ r = inode_permission(inode, MAY_READ | MAY_WRITE | MAY_ACCESS);
|
||||
+ path_put(&path);
|
||||
+ if (r)
|
||||
+ return r;
|
||||
+
|
||||
+ bar_found = true;
|
||||
+ }
|
||||
+
|
||||
+ /* If no resources, probably something special */
|
||||
+ if (!bar_found)
|
||||
+ return -EPERM;
|
||||
+
|
||||
+ return 0;
|
||||
+#else
|
||||
+ return -EINVAL; /* No way to control the device without sysfs */
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
|
||||
struct kvm_assigned_pci_dev *assigned_dev)
|
||||
{
|
||||
int r = 0, idx;
|
||||
struct kvm_assigned_dev_kernel *match;
|
||||
struct pci_dev *dev;
|
||||
+ u8 header_type;
|
||||
|
||||
if (!(assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU))
|
||||
return -EINVAL;
|
||||
@@ -516,6 +579,18 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
|
||||
r = -EINVAL;
|
||||
goto out_free;
|
||||
}
|
||||
+
|
||||
+ /* Don't allow bridges to be assigned */
|
||||
+ pci_read_config_byte(dev, PCI_HEADER_TYPE, &header_type);
|
||||
+ if ((header_type & PCI_HEADER_TYPE) != PCI_HEADER_TYPE_NORMAL) {
|
||||
+ r = -EPERM;
|
||||
+ goto out_put;
|
||||
+ }
|
||||
+
|
||||
+ r = probe_sysfs_permissions(dev);
|
||||
+ if (r)
|
||||
+ goto out_put;
|
||||
+
|
||||
if (pci_enable_device(dev)) {
|
||||
printk(KERN_INFO "%s: Could not enable PCI device\n", __func__);
|
||||
r = -EBUSY;
|
||||
--
|
||||
1.7.7.5
|
||||
|
|
@ -1,69 +0,0 @@
|
|||
From 0924ab2cfa98b1ece26c033d696651fd62896c69 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kiszka <jan.kiszka@siemens.com>
|
||||
Date: Wed, 14 Dec 2011 19:25:13 +0100
|
||||
Subject: [PATCH] KVM: x86: Prevent starting PIT timers in the absence of
|
||||
irqchip support
|
||||
|
||||
User space may create the PIT and forgets about setting up the irqchips.
|
||||
In that case, firing PIT IRQs will crash the host:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000128
|
||||
IP: [<ffffffffa10f6280>] kvm_set_irq+0x30/0x170 [kvm]
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffffa11228c1>] pit_do_work+0x51/0xd0 [kvm]
|
||||
[<ffffffff81071431>] process_one_work+0x111/0x4d0
|
||||
[<ffffffff81071bb2>] worker_thread+0x152/0x340
|
||||
[<ffffffff81075c8e>] kthread+0x7e/0x90
|
||||
[<ffffffff815a4474>] kernel_thread_helper+0x4/0x10
|
||||
|
||||
Prevent this by checking the irqchip mode before starting a timer. We
|
||||
can't deny creating the PIT if the irqchips aren't set up yet as
|
||||
current user land expects this order to work.
|
||||
|
||||
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
|
||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/i8254.c | 10 +++++++---
|
||||
1 files changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
|
||||
index 76e3f1c..405f262 100644
|
||||
--- a/arch/x86/kvm/i8254.c
|
||||
+++ b/arch/x86/kvm/i8254.c
|
||||
@@ -338,11 +338,15 @@ static enum hrtimer_restart pit_timer_fn(struct hrtimer *data)
|
||||
return HRTIMER_NORESTART;
|
||||
}
|
||||
|
||||
-static void create_pit_timer(struct kvm_kpit_state *ps, u32 val, int is_period)
|
||||
+static void create_pit_timer(struct kvm *kvm, u32 val, int is_period)
|
||||
{
|
||||
+ struct kvm_kpit_state *ps = &kvm->arch.vpit->pit_state;
|
||||
struct kvm_timer *pt = &ps->pit_timer;
|
||||
s64 interval;
|
||||
|
||||
+ if (!irqchip_in_kernel(kvm))
|
||||
+ return;
|
||||
+
|
||||
interval = muldiv64(val, NSEC_PER_SEC, KVM_PIT_FREQ);
|
||||
|
||||
pr_debug("create pit timer, interval is %llu nsec\n", interval);
|
||||
@@ -394,13 +398,13 @@ static void pit_load_count(struct kvm *kvm, int channel, u32 val)
|
||||
/* FIXME: enhance mode 4 precision */
|
||||
case 4:
|
||||
if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)) {
|
||||
- create_pit_timer(ps, val, 0);
|
||||
+ create_pit_timer(kvm, val, 0);
|
||||
}
|
||||
break;
|
||||
case 2:
|
||||
case 3:
|
||||
if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)){
|
||||
- create_pit_timer(ps, val, 1);
|
||||
+ create_pit_timer(kvm, val, 1);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
--
|
||||
1.7.6.2
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
From d4afc7754a60b885b63ef23fd194984e2d53a4e6 Mon Sep 17 00:00:00 2001
|
||||
From: Rene Bollford <xsecute@googlemail.com>
|
||||
Date: Sun, 23 Oct 2011 09:56:42 +0200
|
||||
Subject: [PATCH] [PATCH] ideapad: Check if acpi already handle backlight
|
||||
power to avoid a page fault
|
||||
|
||||
This patch avoid a page fault in the ideapad-laptop extras when
|
||||
turning the backlight power on or off.
|
||||
|
||||
Signed-off-by: Rene Bolldorf <xsecute@googlemail.com>
|
||||
Signed-off-by: Matthew Garrett <mjg@redhat.com>
|
||||
---
|
||||
drivers/platform/x86/ideapad-laptop.c | 2 ++
|
||||
1 files changed, 2 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
|
||||
index 0c59541..0d94eec 100644
|
||||
--- a/drivers/platform/x86/ideapad-laptop.c
|
||||
+++ b/drivers/platform/x86/ideapad-laptop.c
|
||||
@@ -493,6 +493,8 @@ static void ideapad_backlight_notify_power(struct ideapad_private *priv)
|
||||
unsigned long power;
|
||||
struct backlight_device *blightdev = priv->blightdev;
|
||||
|
||||
+ if (!blightdev)
|
||||
+ return;
|
||||
if (read_ec_data(ideapad_handle, 0x18, &power))
|
||||
return;
|
||||
blightdev->props.power = power ? FB_BLANK_UNBLANK : FB_BLANK_POWERDOWN;
|
||||
--
|
||||
1.7.6.4
|
||||
|
31
kernel.spec
31
kernel.spec
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# When changing real_sublevel below, reset this by hand to 1
|
||||
# (or to 0 and then use rpmdev-bumpspec).
|
||||
#
|
||||
%global baserelease 4
|
||||
%global baserelease 1
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# real_sublevel is the 3.x kernel version we're starting with
|
||||
|
@ -51,7 +51,7 @@ Summary: The Linux kernel
|
|||
%define fake_sublevel %(echo $((40 + %{real_sublevel})))
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 9
|
||||
%define stable_update 10
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -651,9 +651,6 @@ Patch3500: jbd-jbd2-validate-sb-s_first-in-journal_get_superblo.patch
|
|||
|
||||
# NFSv4
|
||||
|
||||
#rhbz 753236
|
||||
Patch4000: nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
|
||||
|
||||
# patches headed upstream
|
||||
Patch12010: add-appleir-usb-driver.patch
|
||||
|
||||
|
@ -694,9 +691,6 @@ Patch21040: x86-code-dump-fix-truncation.patch
|
|||
#rhbz 728607
|
||||
Patch21060: elantech.patch
|
||||
|
||||
#rhbz 748210
|
||||
Patch21061: ideapad-Check-if-acpi-already-handle-backlight.patch
|
||||
|
||||
#backport brcm80211 from 3.2-rc1
|
||||
Patch21090: brcm80211.patch
|
||||
Patch21091: bcma-brcmsmac-compat.patch
|
||||
|
@ -725,12 +719,6 @@ Patch21048: b44-Use-dev_kfree_skb_irq-in-b44_tx.patch
|
|||
#rhbz 771006
|
||||
Patch21050: thp-reduce-khugepaged-freezing-latency.patch
|
||||
|
||||
#rhbz 770102
|
||||
Patch21055: KVM-x86-Prevent-starting-PIT-timers-in-the-absence-of.patch
|
||||
|
||||
#rhbz 770096
|
||||
Patch21056: KVM-fix-device-assignment-permissions.patch
|
||||
|
||||
#rhbz 770233
|
||||
Patch21065: Bluetooth-Add-support-for-BCM20702A0.patch
|
||||
|
||||
|
@ -1204,7 +1192,6 @@ ApplyPatch jbd-jbd2-validate-sb-s_first-in-journal_get_superblo.patch
|
|||
# eCryptfs
|
||||
|
||||
# NFSv4
|
||||
ApplyPatch nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
|
||||
|
||||
# USB
|
||||
|
||||
|
@ -1341,9 +1328,6 @@ ApplyPatch x86-code-dump-fix-truncation.patch
|
|||
#rhbz 728607
|
||||
ApplyPatch elantech.patch
|
||||
|
||||
#rhbz 748210
|
||||
ApplyPatch ideapad-Check-if-acpi-already-handle-backlight.patch
|
||||
|
||||
#backport brcm80211 from 3.2-rc1
|
||||
ApplyPatch brcm80211.patch
|
||||
# Remove overlap between bcma/b43 and brcmsmac and reenable bcm4331
|
||||
|
@ -1373,20 +1357,12 @@ ApplyPatch b44-Use-dev_kfree_skb_irq-in-b44_tx.patch
|
|||
#rhbz 771006
|
||||
ApplyPatch thp-reduce-khugepaged-freezing-latency.patch
|
||||
|
||||
#rhbz 770102
|
||||
ApplyPatch KVM-x86-Prevent-starting-PIT-timers-in-the-absence-of.patch
|
||||
|
||||
#rhbz 770233
|
||||
ApplyPatch Bluetooth-Add-support-for-BCM20702A0.patch
|
||||
|
||||
#rhbz 770096
|
||||
ApplyPatch KVM-fix-device-assignment-permissions.patch
|
||||
|
||||
ApplyPatch ext4-Fix-error-handling-on-inode-bitmap-corruption.patch
|
||||
ApplyPatch ext3-Fix-error-handling-on-inode-bitmap-corruption.patch
|
||||
|
||||
ApplyPatch mac80211-fix-rx-key-NULL-ptr-deref-in-promiscuous-mode.patch
|
||||
|
||||
#rhbz 773392
|
||||
ApplyPatch KVM-x86-extend-struct-x86_emulate_ops-with-get_cpuid.patch
|
||||
ApplyPatch KVM-x86-fix-missing-checks-in-syscall-emulation.patch
|
||||
|
@ -2052,6 +2028,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Wed Jan 18 2012 Josh Boyer <jwboyer@redhat.com> 2.6.41.10-1
|
||||
- Linux 3.1.10
|
||||
|
||||
* Wed Jan 18 2012 Dennis Gilmore <dennis@ausil.us>
|
||||
- build perf on armv7hl
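Review bot: The new `%changelog` entry says only `- Linux 3.1.10` and does not record that carried fixes are being dropped. The hunk counts in this section show the Patch/ApplyPatch lists shrinking around rhbz 753236, 748210, 770102 and 770096, and the matching patch files are deleted elsewhere in this commit. Two of them are security-relevant (the KVM device-assignment IOMMU and permission checks, and the PIT-timer guard against a host NULL dereference). Presumably 3.1.10 already contains them, but nothing on this page confirms it. After checking each against the stable changelog, I would add one line per dropped patch, for example `- Drop KVM-fix-device-assignment-permissions.patch, included in 3.1.10 (rhbz 770096)`, so a later audit can tell the fixes were superseded rather than lost.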
|
||||
|
||||
|
|
|
@ -1,118 +0,0 @@
|
|||
From: Andy Adamson <andros@xxxxxxxxxx>
|
||||
|
||||
The NFSv4 bitmap size is unbounded: a server can return an arbitrary
|
||||
sized bitmap in an FATTR4_WORD0_ACL request. Replace using the
|
||||
nfs4_fattr_bitmap_maxsz as a guess to the maximum bitmask returned by a server
|
||||
with the inclusion of the bitmap (xdr length plus bitmasks) and the acl data
|
||||
xdr length to the (cached) acl page data.
|
||||
|
||||
This is a general solution to commit e5012d1f "NFSv4.1: update
|
||||
nfs4_fattr_bitmap_maxsz" and fixes hitting a BUG_ON in xdr_shrink_bufhead
|
||||
when getting ACLs.
|
||||
|
||||
Cc:stable@xxxxxxxxxx
|
||||
Signed-off-by: Andy Adamson <andros@xxxxxxxxxx>
|
||||
---
|
||||
fs/nfs/nfs4proc.c | 20 ++++++++++++++++++--
|
||||
fs/nfs/nfs4xdr.c | 15 ++++++++++++---
|
||||
2 files changed, 30 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
|
||||
index deb88d9..97014dd 100644
|
||||
--- a/fs/nfs/nfs4proc.c
|
||||
+++ b/fs/nfs/nfs4proc.c
|
||||
@@ -3671,6 +3671,22 @@ static void nfs4_zap_acl_attr(struct inode *inode)
|
||||
nfs4_set_cached_acl(inode, NULL);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * The bitmap xdr length, bitmasks, and the attr xdr length are stored in
|
||||
+ * the acl cache to handle variable length bitmasks. Just copy the acl data.
|
||||
+ */
|
||||
+static void nfs4_copy_acl(char *buf, char *acl_data, size_t acl_len)
|
||||
+{
|
||||
+ __be32 *q, *p = (__be32 *)acl_data;
|
||||
+ int32_t len;
|
||||
+
|
||||
+ len = be32_to_cpup(p); /* number of bitmasks */
|
||||
+ len += 2; /* add words for bitmap and attr xdr len */
|
||||
+ q = p + len;
|
||||
+ len = len << 2; /* convert to bytes for acl_len math */
|
||||
+ memcpy(buf, (char *)q, acl_len - len);
|
||||
+}
|
||||
+
|
||||
static inline ssize_t nfs4_read_cached_acl(struct inode *inode, char *buf, size_t buflen)
|
||||
{
|
||||
struct nfs_inode *nfsi = NFS_I(inode);
|
||||
@@ -3688,7 +3704,7 @@ static inline ssize_t nfs4_read_cached_acl(struct inode *inode, char *buf, size_
|
||||
ret = -ERANGE; /* see getxattr(2) man page */
|
||||
if (acl->len > buflen)
|
||||
goto out;
|
||||
- memcpy(buf, acl->data, acl->len);
|
||||
+ nfs4_copy_acl(buf, acl->data, acl->len);
|
||||
out_len:
|
||||
ret = acl->len;
|
||||
out:
|
||||
@@ -3763,7 +3779,7 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
|
||||
if (res.acl_len > buflen)
|
||||
goto out_free;
|
||||
if (localpage)
|
||||
- memcpy(buf, resp_buf, res.acl_len);
|
||||
+ nfs4_copy_acl(buf, resp_buf, res.acl_len);
|
||||
}
|
||||
ret = res.acl_len;
|
||||
out_free:
|
||||
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
|
||||
index f9fd96d..9c07380 100644
|
||||
--- a/fs/nfs/nfs4xdr.c
|
||||
+++ b/fs/nfs/nfs4xdr.c
|
||||
@@ -2513,7 +2513,7 @@ static void nfs4_xdr_enc_getacl(struct rpc_rqst *req, struct xdr_stream *xdr,
|
||||
encode_compound_hdr(xdr, req, &hdr);
|
||||
encode_sequence(xdr, &args->seq_args, &hdr);
|
||||
encode_putfh(xdr, args->fh, &hdr);
|
||||
- replen = hdr.replen + op_decode_hdr_maxsz + nfs4_fattr_bitmap_maxsz + 1;
|
||||
+ replen = hdr.replen + op_decode_hdr_maxsz + 1;
|
||||
encode_getattr_two(xdr, FATTR4_WORD0_ACL, 0, &hdr);
|
||||
|
||||
xdr_inline_pages(&req->rq_rcv_buf, replen << 2,
|
||||
@@ -4955,7 +4955,7 @@ decode_restorefh(struct xdr_stream *xdr)
|
||||
static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
|
||||
size_t *acl_len)
|
||||
{
|
||||
- __be32 *savep;
|
||||
+ __be32 *savep, *bm_p;
|
||||
uint32_t attrlen,
|
||||
bitmap[3] = {0};
|
||||
struct kvec *iov = req->rq_rcv_buf.head;
|
||||
@@ -4964,6 +4964,7 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
|
||||
*acl_len = 0;
|
||||
if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)
|
||||
goto out;
|
||||
+ bm_p = xdr->p;
|
||||
if ((status = decode_attr_bitmap(xdr, bitmap)) != 0)
|
||||
goto out;
|
||||
if ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)
|
||||
@@ -4972,12 +4973,20 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
|
||||
if (unlikely(bitmap[0] & (FATTR4_WORD0_ACL - 1U)))
|
||||
return -EIO;
|
||||
if (likely(bitmap[0] & FATTR4_WORD0_ACL)) {
|
||||
- size_t hdrlen;
|
||||
+ size_t hdrlen, len;
|
||||
u32 recvd;
|
||||
|
||||
+ /*The bitmap (xdr len + bitmasks) and the attr xdr len words
|
||||
+ * are stored with the acl data to handle the problem of
|
||||
+ * variable length bitmasks.*/
|
||||
+ xdr->p = bm_p;
|
||||
+ len = be32_to_cpup(bm_p);
|
||||
+ len += 2; /* add bitmap and attr xdr len words */
|
||||
+
|
||||
/* We ignore &savep and don't do consistency checks on
|
||||
* the attr length. Let userspace figure it out.... */
|
||||
hdrlen = (u8 *)xdr->p - (u8 *)iov->iov_base;
|
||||
+ attrlen += len << 2; /* attrlen is in bytes */
|
||||
recvd = req->rq_rcv_buf.len - hdrlen;
|
||||
if (attrlen > recvd) {
|
||||
dprintk("NFS: server cheating in getattr"
|
||||
--
|
||||
1.7.6.4
|