--- /dev/null
+From 434a964daa14b9db083ce20404a4a2add54d037a Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <plougher@redhat.com>
+Date: Wed, 2 Nov 2011 13:38:01 -0700
+Subject: hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops
+
+From: Phillip Lougher <plougher@redhat.com>
+
+commit 434a964daa14b9db083ce20404a4a2add54d037a upstream.
+
+Clement Lecigne reports a filesystem which causes a kernel oops in
+hfs_find_init() trying to dereference sb->ext_tree which is NULL.
+
+This proves to be because the filesystem has a corrupted MDB extent
+record, where the extents file does not fit into the first three extents
+in the file record (the first blocks).
+
+In hfs_get_block() when looking up the blocks for the extent file
+(HFS_EXT_CNID), it fails the first blocks special case, and falls
+through to the extent code (which ultimately calls hfs_find_init())
+which is in the process of being initialised.
+
+Hfs avoids this scenario by always having the extents b-tree fitting
+into the first blocks (the extents B-tree can't have overflow extents).
+
+The fix is to check at mount time that the B-tree fits into first
+blocks, i.e. fail if HFS_I(inode)->alloc_blocks >=
+HFS_I(inode)->first_blocks
+
+Note, the existing commit 47f365eb57573 ("hfs: fix oops on mount with
+corrupted btree extent records") becomes subsumed into this as a special
+case, but only for the extents B-tree (HFS_EXT_CNID), it is perfectly
+acceptable for the catalog B-Tree file to grow beyond three extents,
+with the remaining extent descriptors in the extents overfow.
+
+This fixes CVE-2011-2203
+
+Reported-by: Clement LECIGNE <clement.lecigne@netasq.com>
+Signed-off-by: Phillip Lougher <plougher@redhat.com>
+Cc: Jeff Mahoney <jeffm@suse.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Moritz Mühlenhoff <jmm@inutil.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/hfs/btree.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -46,11 +46,26 @@ struct hfs_btree *hfs_btree_open(struct
+ case HFS_EXT_CNID:
+ hfs_inode_read_fork(tree->inode, mdb->drXTExtRec, mdb->drXTFlSize,
+ mdb->drXTFlSize, be32_to_cpu(mdb->drXTClpSiz));
++ if (HFS_I(tree->inode)->alloc_blocks >
++ HFS_I(tree->inode)->first_blocks) {
++ printk(KERN_ERR "hfs: invalid btree extent records\n");
++ unlock_new_inode(tree->inode);
++ goto free_inode;
++ }
++
+ tree->inode->i_mapping->a_ops = &hfs_btree_aops;
+ break;
+ case HFS_CAT_CNID:
+ hfs_inode_read_fork(tree->inode, mdb->drCTExtRec, mdb->drCTFlSize,
+ mdb->drCTFlSize, be32_to_cpu(mdb->drCTClpSiz));
++
++ if (!HFS_I(tree->inode)->first_blocks) {
++ printk(KERN_ERR "hfs: invalid btree extent records "
++ "(0 size).\n");
++ unlock_new_inode(tree->inode);
++ goto free_inode;
++ }
++
+ tree->inode->i_mapping->a_ops = &hfs_btree_aops;
+ break;
+ default:
+@@ -59,11 +74,6 @@ struct hfs_btree *hfs_btree_open(struct
+ }
+ unlock_new_inode(tree->inode);
+
+- if (!HFS_I(tree->inode)->first_blocks) {
+- printk(KERN_ERR "hfs: invalid btree extent records (0 size).\n");
+- goto free_inode;
+- }
+-
+ mapping = tree->inode->i_mapping;
+ page = read_mapping_page(mapping, 0, NULL);
+ if (IS_ERR(page))
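Review bot: The new guard in the HFS_EXT_CNID case rejects `alloc_blocks > first_blocks`, while the commit message states the mount should fail for `alloc_blocks >= first_blocks`; the two should agree so the boundary case where the extents file exactly fills the in-MDB extent record is unambiguous, and `>` is the one that admits that case, which matches the stated rationale that the extents B-tree only has to fit in the first blocks. A comment above the new check, `/* the extents B-tree cannot have overflow extents (it would need itself to look them up), so it must fit in the MDB record */`, would record why this stricter test applies only to HFS_EXT_CNID while HFS_CAT_CNID keeps the weaker zero-size check. The error path repeats printk + unlock_new_inode + goto free_inode in both cases; that is consistent with the unlock-before-check ordering visible in the second hunk. hfs_btree_open begins before and continues after these hunks.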
--- /dev/null
+From 0b57d7602b68f7b2786b2f0e22da39cbd4139a95 Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@gmail.com>
+Date: Thu, 8 Dec 2011 08:04:12 -0500
+Subject: hwmon: (jz4740) fix signedness bug
+
+From: Axel Lin <axel.lin@gmail.com>
+
+commit 0b57d7602b68f7b2786b2f0e22da39cbd4139a95 upstream.
+
+wait_for_completion_interruptible_timeout() may return negative value.
+In this case, checking if (t > 0) will return true if t is unsigned.
+
+Signed-off-by: Axel Lin <axel.lin@gmail.com>
+Acked-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hwmon/jz4740-hwmon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/jz4740-hwmon.c
++++ b/drivers/hwmon/jz4740-hwmon.c
+@@ -59,7 +59,7 @@ static ssize_t jz4740_hwmon_read_adcin(s
+ {
+ struct jz4740_hwmon *hwmon = dev_get_drvdata(dev);
+ struct completion *completion = &hwmon->read_completion;
+- unsigned long t;
++ long t;
+ unsigned long val;
+ int ret;
+
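Review bot: Changing `t` to `long` only fixes the bug if the comparison and error mapping that follow (outside this hunk) treat a negative return as an interrupted wait rather than a timeout; it is worth confirming that a negative `t` is propagated into `ret` and that only `t == 0` maps to a timeout error. Since the signedness is the entire fix, a comment on the declaration, `long t; /* signed: wait_for_completion_interruptible_timeout() can return -ERESTARTSYS */`, would keep a later cleanup from reverting it to unsigned. jz4740_hwmon_read_adcin's body continues past the hunk.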
--- /dev/null
+From 8762202dd0d6e46854f786bdb6fb3780a1625efe Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu@gmail.com>
+Date: Tue, 1 Nov 2011 19:04:59 -0400
+Subject: jbd/jbd2: validate sb->s_first in journal_get_superblock()
+
+From: Eryu Guan <guaneryu@gmail.com>
+
+commit 8762202dd0d6e46854f786bdb6fb3780a1625efe upstream.
+
+I hit a J_ASSERT(blocknr != 0) failure in cleanup_journal_tail() when
+mounting a fsfuzzed ext3 image. It turns out that the corrupted ext3
+image has s_first = 0 in journal superblock, and the 0 is passed to
+journal->j_head in journal_reset(), then to blocknr in
+cleanup_journal_tail(), in the end the J_ASSERT failed.
+
+So validate s_first after reading journal superblock from disk in
+journal_get_superblock() to ensure s_first is valid.
+
+The following script could reproduce it:
+
+fstype=ext3
+blocksize=1024
+img=$fstype.img
+offset=0
+found=0
+magic="c0 3b 39 98"
+
+dd if=/dev/zero of=$img bs=1M count=8
+mkfs -t $fstype -b $blocksize -F $img
+filesize=`stat -c %s $img`
+while [ $offset -lt $filesize ]
+do
+ if od -j $offset -N 4 -t x1 $img | grep -i "$magic";then
+ echo "Found journal: $offset"
+ found=1
+ break
+ fi
+ offset=`echo "$offset+$blocksize" | bc`
+done
+
+if [ $found -ne 1 ];then
+ echo "Magic \"$magic\" not found"
+ exit 1
+fi
+
+dd if=/dev/zero of=$img seek=$(($offset+23)) conv=notrunc bs=1 count=1
+
+mkdir -p ./mnt
+mount -o loop $img ./mnt
+
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Cc: Moritz Mühlenhoff <jmm@inutil.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/jbd/journal.c | 8 ++++++++
+ fs/jbd2/journal.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/fs/jbd/journal.c
++++ b/fs/jbd/journal.c
+@@ -1131,6 +1131,14 @@ static int journal_get_superblock(journa
+ goto out;
+ }
+
++ if (be32_to_cpu(sb->s_first) == 0 ||
++ be32_to_cpu(sb->s_first) >= journal->j_maxlen) {
++ printk(KERN_WARNING
++ "JBD: Invalid start block of journal: %u\n",
++ be32_to_cpu(sb->s_first));
++ goto out;
++ }
++
+ return 0;
+
+ out:
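Review bot: `be32_to_cpu(sb->s_first)` is evaluated three times in the new check; a local `u32 first = be32_to_cpu(sb->s_first);` declared before the `if` and used in both the condition and the printk reads more clearly and makes the logged value certainly the one that was tested. The check also presumes that `journal->j_maxlen` has already been clamped against the on-disk and device sizes earlier in journal_get_superblock, and that `err` still holds the -EINVAL presumably set before the preceding checks when control reaches `goto out` — both are outside the hunk and worth confirming rather than assuming. The same applies to the identical hunk in fs/jbd2/journal.c below.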
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1251,6 +1251,14 @@ static int journal_get_superblock(journa
+ goto out;
+ }
+
++ if (be32_to_cpu(sb->s_first) == 0 ||
++ be32_to_cpu(sb->s_first) >= journal->j_maxlen) {
++ printk(KERN_WARNING
++ "JBD2: Invalid start block of journal: %u\n",
++ be32_to_cpu(sb->s_first));
++ goto out;
++ }
++
+ return 0;
+
+ out:
--- /dev/null
+From 13c07b0286d340275f2d97adf085cecda37ede37 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 12 Dec 2011 22:06:55 -0800
+Subject: linux/log2.h: Fix rounddown_pow_of_two(1)
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 13c07b0286d340275f2d97adf085cecda37ede37 upstream.
+
+Exactly like roundup_pow_of_two(1), the rounddown version was buggy for
+the case of a compile-time constant '1' argument. Probably because it
+originated from the same code, sharing history with the roundup version
+from before the bugfix (for that one, see commit 1a06a52ee1b0: "Fix
+roundup_pow_of_two(1)").
+
+However, unlike the roundup version, the fix for rounddown is to just
+remove the broken special case entirely. It's simply not needed - the
+generic code
+
+ 1UL << ilog2(n)
+
+does the right thing for the constant '1' argment too. The only reason
+roundup needed that special case was because rounding up does so by
+subtracting one from the argument (and then adding one to the result)
+causing the obvious problems with "ilog2(0)".
+
+But rounddown doesn't do any of that, since ilog2() naturally truncates
+(ie "rounds down") to the right rounded down value. And without the
+ilog2(0) case, there's no reason for the special case that had the wrong
+value.
+
+tl;dr: rounddown_pow_of_two(1) should be 1, not 0.
+
+Acked-by: Dmitry Torokhov <dtor@vmware.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/log2.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/include/linux/log2.h
++++ b/include/linux/log2.h
+@@ -185,7 +185,6 @@ unsigned long __rounddown_pow_of_two(uns
+ #define rounddown_pow_of_two(n) \
+ ( \
+ __builtin_constant_p(n) ? ( \
+- (n == 1) ? 0 : \
+ (1UL << ilog2(n))) : \
+ __rounddown_pow_of_two(n) \
+ )
--- /dev/null
+From 1a51410abe7d0ee4b1d112780f46df87d3621043 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 19 Sep 2011 17:04:37 -0700
+Subject: Make TASKSTATS require root access
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a51410abe7d0ee4b1d112780f46df87d3621043 upstream.
+
+Ok, this isn't optimal, since it means that 'iotop' needs admin
+capabilities, and we may have to work on this some more. But at the
+same time it is very much not acceptable to let anybody just read
+anybody elses IO statistics quite at this level.
+
+Use of the GENL_ADMIN_PERM suggested by Johannes Berg as an alternative
+to checking the capabilities by hand.
+
+Reported-by: Vasiliy Kulikov <segoon@openwall.com>
+Cc: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Moritz Mühlenhoff <jmm@inutil.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/taskstats.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -657,6 +657,7 @@ static struct genl_ops taskstats_ops = {
+ .cmd = TASKSTATS_CMD_GET,
+ .doit = taskstats_user_cmd,
+ .policy = taskstats_cmd_get_policy,
++ .flags = GENL_ADMIN_PERM,
+ };
+
+ static struct genl_ops cgroupstats_ops = {
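Review bot: Only taskstats_ops gains `.flags = GENL_ADMIN_PERM`; cgroupstats_ops, declared immediately below, is left without it. If that is deliberate (its command presumably operates on a cgroup file descriptor the caller must already have opened, so access is enforced there), a short comment at the new line, `/* per-task I/O stats of arbitrary processes: CAP_NET_ADMIN only */`, plus a matching one on cgroupstats_ops explaining why it is exempt, would save the next reader from asking. The cgroupstats_ops initializer runs past the end of the hunk.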
--- /dev/null
+From e58f516ff4730c4047c3f104b061f7a03e9a263c Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Fri, 11 Nov 2011 16:28:05 +0100
+Subject: mmc: mxcmmc: fix falling back to PIO
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit e58f516ff4730c4047c3f104b061f7a03e9a263c upstream.
+
+When we can't configure the dma channel we want to fall
+back to PIO. We do this by setting host->do_dma to zero.
+This does not work as do_dma is used to see whether dma
+can be used for the current transfer. Instead, we have
+to set host->dma to NULL.
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Chris Ball <cjb@laptop.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mmc/host/mxcmmc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mxcmmc.c
++++ b/drivers/mmc/host/mxcmmc.c
+@@ -731,6 +731,7 @@ static void mxcmci_set_ios(struct mmc_ho
+ "failed to config DMA channel. Falling back to PIO\n");
+ dma_release_channel(host->dma);
+ host->do_dma = 0;
++ host->dma = NULL;
+ }
+ }
+
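Review bot: With `host->dma = NULL` now being what disables DMA for the rest of the driver's life, the `host->do_dma = 0;` retained on the line above is, by the commit message's own account, per-transfer state and no longer the gate; keeping both without explanation invites a future reader to treat do_dma as the fallback flag again. Either drop that line or annotate the pair, `/* do_dma is per-request; host->dma == NULL is what disables DMA permanently */`. Whether the closing brace at the end of the hunk belongs to mxcmci_set_ios itself or to an enclosing block is not visible here.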
percpu-fix-chunk-range-calculation.patch
iwlwifi-do-not-re-configure-ht40-after-associated.patch
mac80211-fix-race-condition-caused-by-late-addba-response.patch
+linux-log2.h-fix-rounddown_pow_of_two-1.patch
+hwmon-jz4740-fix-signedness-bug.patch
+mmc-mxcmmc-fix-falling-back-to-pio.patch
+x86-hpet-immediately-disable-hpet-timer-1-if-rtc-irq-is-masked.patch
+jbd-jbd2-validate-sb-s_first-in-journal_get_superblock.patch
+make-taskstats-require-root-access.patch
+hfs-fix-hfs_find_init-sb-ext_tree-null-ptr-oops.patch
--- /dev/null
+From 2ded6e6a94c98ea453a156748cb7fabaf39a76b9 Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf <mark.langsdorf@amd.com>
+Date: Fri, 18 Nov 2011 16:33:06 +0100
+Subject: x86, hpet: Immediately disable HPET timer 1 if rtc irq is masked
+
+From: Mark Langsdorf <mark.langsdorf@amd.com>
+
+commit 2ded6e6a94c98ea453a156748cb7fabaf39a76b9 upstream.
+
+When HPET is operating in RTC mode, the TN_ENABLE bit on timer1
+controls whether the HPET or the RTC delivers interrupts to irq8. When
+the system goes into suspend, the RTC driver sends a signal to the
+HPET driver so that the HPET releases control of irq8, allowing the
+RTC to wake the system from suspend. The switchover is accomplished by
+a write to the HPET configuration registers which currently only
+occurs while servicing the HPET interrupt.
+
+On some systems, I have seen the system suspend before an HPET
+interrupt occurs, preventing the write to the HPET configuration
+register and leaving the HPET in control of the irq8. As the HPET is
+not active during suspend, it does not generate a wake signal and RTC
+alarms do not work.
+
+This patch forces the HPET driver to immediately transfer control of
+the irq8 channel to the RTC instead of waiting until the next
+interrupt event.
+
+Signed-off-by: Mark Langsdorf <mark.langsdorf@amd.com>
+Link: http://lkml.kernel.org/r/20111118153306.GB16319@alberich.amd.com
+Tested-by: Andreas Herrmann <andreas.herrmann3@amd.com>
+Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/hpet.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -1054,6 +1054,14 @@ int hpet_rtc_timer_init(void)
+ }
+ EXPORT_SYMBOL_GPL(hpet_rtc_timer_init);
+
++static void hpet_disable_rtc_channel(void)
++{
++ unsigned long cfg;
++ cfg = hpet_readl(HPET_T1_CFG);
++ cfg &= ~HPET_TN_ENABLE;
++ hpet_writel(cfg, HPET_T1_CFG);
++}
++
+ /*
+ * The functions below are called from rtc driver.
+ * Return 0 if HPET is not being used.
+@@ -1065,6 +1073,9 @@ int hpet_mask_rtc_irq_bit(unsigned long
+ return 0;
+
+ hpet_rtc_flags &= ~bit_mask;
++ if (unlikely(!hpet_rtc_flags))
++ hpet_disable_rtc_channel();
++
+ return 1;
+ }
+ EXPORT_SYMBOL_GPL(hpet_mask_rtc_irq_bit);
+@@ -1130,15 +1141,11 @@ EXPORT_SYMBOL_GPL(hpet_rtc_dropped_irq);
+
+ static void hpet_rtc_timer_reinit(void)
+ {
+- unsigned int cfg, delta;
++ unsigned int delta;
+ int lost_ints = -1;
+
+- if (unlikely(!hpet_rtc_flags)) {
+- cfg = hpet_readl(HPET_T1_CFG);
+- cfg &= ~HPET_TN_ENABLE;
+- hpet_writel(cfg, HPET_T1_CFG);
+- return;
+- }
++ if (unlikely(!hpet_rtc_flags))
++ hpet_disable_rtc_channel();
+
+ if (!(hpet_rtc_flags & RTC_PIE) || hpet_pie_limit)
+ delta = hpet_default_delta;
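Review bot: The rewritten branch in hpet_rtc_timer_reinit drops the `return;` that the removed block had: when hpet_rtc_flags is zero the function now disables the T1 channel through hpet_disable_rtc_channel() and then continues into the delta and comparator reprogramming below, whereas it previously stopped there. If that fall-through is intended, it deserves a comment; if not, restore the early exit, `if (unlikely(!hpet_rtc_flags)) { hpet_disable_rtc_channel(); return; }`. The new helper would also benefit from a one-line comment, `/* hand irq8 back to the RTC by clearing TN_ENABLE on timer 1 */`, since the reason for the write is only explained in the commit message. hpet_rtc_timer_reinit continues past the end of the hunk.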