rpms/kernel/devel kernel.spec, 1.505, 1.506 linux-2.6-firewire-git-pending.patch, 1.18, 1.19
Jarod Wilson (jwilson)
fedora-extras-commits at redhat.com
Mon Mar 17 02:56:23 UTC 2008
Author: jwilson
Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15470
Modified Files:
kernel.spec linux-2.6-firewire-git-pending.patch
Log Message:
* Sun Mar 16 2008 Jarod Wilson <jwilson at redhat.com>
- firewire: fix remaining panic in handle_at_packet (bz.kernel.org #9617)
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.505
retrieving revision 1.506
diff -u -r1.505 -r1.506
--- kernel.spec 15 Mar 2008 00:00:19 -0000 1.505
+++ kernel.spec 17 Mar 2008 02:55:44 -0000 1.506
@@ -1756,6 +1756,9 @@
%kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL} -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.conf %{with_xen} xen
%changelog
+* Sun Mar 16 2008 Jarod Wilson <jwilson at redhat.com>
+- firewire: fix remaining panic in handle_at_packet (bz.kernel.org #9617)
+
* Fri Mar 14 2008 Dave Jones <davej at redhat.com>
- 2.6.25-rc5-git4
linux-2.6-firewire-git-pending.patch:
Index: linux-2.6-firewire-git-pending.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/linux-2.6-firewire-git-pending.patch,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- linux-2.6-firewire-git-pending.patch 14 Mar 2008 18:15:31 -0000 1.18
+++ linux-2.6-firewire-git-pending.patch 17 Mar 2008 02:55:44 -0000 1.19
@@ -630,3 +630,49 @@
+Date: Sun, 16 Mar 2008 00:56:41 +0100 (CET)
+From: Stefan Richter <stefanr at s5r6.in-berlin.de>
+Subject: [PATCH] firewire: fix panic in handle_at_packet
+To: linux1394-devel at lists.sourceforge.net
+cc: linux-kernel at vger.kernel.org,
+ Johannes Berg <johannes at sipsolutions.net>,
+ Jarod Wilson <jwilson at redhat.com>
+
+This fixes a use-after-free bug in the handling of split transactions.
+The AT DMA handler of the request was occasionally executed after the
+AR DMA handler of the response. The AT DMA handler then accessed an
+already freed packet.
+
+Reported by Johannes Berg <johannes at sipsolutions.net>.
+http://bugzilla.kernel.org/show_bug.cgi?id=9617
+
+Signed-off-by: Stefan Richter <stefanr at s5r6.in-berlin.de>
+Signed-off-by: Jarod Wilson <jwilson at redhat.com>
+---
+ drivers/firewire/fw-transaction.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: linux/drivers/firewire/fw-transaction.c
+===================================================================
+--- linux.orig/drivers/firewire/fw-transaction.c
++++ linux/drivers/firewire/fw-transaction.c
+@@ -737,6 +737,12 @@ fw_core_handle_response(struct fw_card *
+ break;
+ }
+
++ /*
++ * The response handler may be executed while the request handler
++ * is still pending. Cancel the request handler.
++ */
++ card->driver->cancel_packet(card, &t->packet);
++
+ t->callback(card, rcode, data, data_length, t->callback_data);
+ }
+ EXPORT_SYMBOL(fw_core_handle_response);
+
+--
+Stefan Richter
+-=====-==--- --== =----
+http://arcgraph.de/sr/
+
+
More information about the fedora-extras-commits
mailing list