From a70ea994a0d83fd0151a070be72b87d014ef0a7e Mon Sep 17 00:00:00 2001
From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Date: Thu, 9 Feb 2006 16:40:11 -0800
Subject: [NETLINK]: Fix a severe bug

netlink overrun was broken while improvement of netlink.
Destination socket is used in the place where it was meant to be source socket,
so that now overrun is never sent to user netlink sockets, when it should be,
and it even can be set on kernel socket, which results in complete deadlock
of rtnetlink.

Suggested fix is to restore status quo passing source socket as additional
argument to netlink_attachskb().

A little explanation: overrun is set on a socket, when it failed
to receive some message and sender of this messages does not or even
have no way to handle this error. This happens in two cases:
1. when kernel sends something. Kernel never retransmits and cannot
   wait for buffer space.
2. when user sends a broadcast and the message was not delivered
   to some recipients.

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 ipc/mqueue.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'ipc')

diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 59302fc3643b..fd2e26b6f966 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -1018,7 +1018,8 @@ retry:
 				goto out;
 			}
 
-			ret = netlink_attachskb(sock, nc, 0, MAX_SCHEDULE_TIMEOUT);
+			ret = netlink_attachskb(sock, nc, 0,
+					MAX_SCHEDULE_TIMEOUT, NULL);
 			if (ret == 1)
 		       		goto retry;
 			if (ret) {
-- 
cgit v1.2.2


From 8e36709d8cea48a4d341294ce2b46678a2e77159 Mon Sep 17 00:00:00 2001
From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Date: Fri, 10 Feb 2006 01:51:12 -0800
Subject: [PATCH] shmdt cannot detach not-alined shm segment cleanly.

sys_shmdt() can manage shm segments which are covered by multiple vmas.  (This
can happen when a user uses mprotect() after shmat().)

This works well if shm is aligned to PAGE_SIZE, but if not, the last
segment cannot be detached.  It is because a comparison in sys_shmdt()

	(vma->vm_end - addr) < size
		addr == return address of shmat()
		size == shmsize, argments to shmget()

size should be aligned to PAGE_SIZE before being compared with vma->vm_end,
which is aligned.

Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Acked-by: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 ipc/shm.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'ipc')

diff --git a/ipc/shm.c b/ipc/shm.c
index 4c28d2d8e305..9162123a7b23 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -870,6 +870,7 @@ asmlinkage long sys_shmdt(char __user *shmaddr)
 	 * could possibly have landed at. Also cast things to loff_t to
 	 * prevent overflows and make comparisions vs. equal-width types.
 	 */
+	size = PAGE_ALIGN(size);
 	while (vma && (loff_t)(vma->vm_end - addr) <= size) {
 		next = vma->vm_next;
 
-- 
cgit v1.2.2