--- /dev/null
+From 3d392475c873c10c10d6d96b94d092a34ebd4791 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 02:27:43 +0000
+Subject: appletalk: fix atalk_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 3d392475c873c10c10d6d96b94d092a34ebd4791 upstream.
+
+atalk_getname() can leak 8 bytes of kernel memory to user
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/appletalk/ddp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1245,6 +1245,7 @@ static int atalk_getname(struct socket *
+ return -ENOBUFS;
+
+ *uaddr_len = sizeof(struct sockaddr_at);
++ memset(&sat.sat_zero, 0, sizeof(sat.sat_zero));
+
+ if (peer) {
+ if (sk->sk_state != TCP_ESTABLISHED)
--- /dev/null
+From e84b90ae5eb3c112d1f208964df1d8156a538289 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 20:27:04 +0000
+Subject: can: Fix raw_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit e84b90ae5eb3c112d1f208964df1d8156a538289 upstream.
+
+raw_getname() can leak 10 bytes of kernel memory to user
+
+(two bytes hole between can_family and can_ifindex,
+8 bytes at the end of sockaddr_can structure)
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Acked-by: Oliver Hartkopp <oliver@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/raw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -396,6 +396,7 @@ static int raw_getname(struct socket *so
+ if (peer)
+ return -EOPNOTSUPP;
+
++ memset(addr, 0, sizeof(*addr));
+ addr->can_family = AF_CAN;
+ addr->can_ifindex = ro->ifindex;
+
--- /dev/null
+From 0083fc2c50e6c5127c2802ad323adf8143ab7856 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 1 Aug 2009 10:34:56 -0700
+Subject: do_sigaltstack: avoid copying 'stack_t' as a structure to user space
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0083fc2c50e6c5127c2802ad323adf8143ab7856 upstream.
+
+Ulrich Drepper correctly points out that there is generally padding in
+the structure on 64-bit hosts, and that copying the structure from
+kernel to user space can leak information from the kernel stack in those
+padding bytes.
+
+Avoid the whole issue by just copying the three members one by one
+instead, which also means that the function also can avoid the need for
+a stack frame. This also happens to match how we copy the new structure
+from user space, so it all even makes sense.
+
+[ The obvious solution of adding a memset() generates horrid code, gcc
+ does really stupid things. ]
+
+Reported-by: Ulrich Drepper <drepper@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/signal.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2353,11 +2353,9 @@ do_sigaltstack (const stack_t __user *us
+ stack_t oss;
+ int error;
+
+- if (uoss) {
+- oss.ss_sp = (void __user *) current->sas_ss_sp;
+- oss.ss_size = current->sas_ss_size;
+- oss.ss_flags = sas_ss_flags(sp);
+- }
++ oss.ss_sp = (void __user *) current->sas_ss_sp;
++ oss.ss_size = current->sas_ss_size;
++ oss.ss_flags = sas_ss_flags(sp);
+
+ if (uss) {
+ void __user *ss_sp;
+@@ -2400,13 +2398,16 @@ do_sigaltstack (const stack_t __user *us
+ current->sas_ss_size = ss_size;
+ }
+
++ error = 0;
+ if (uoss) {
+ error = -EFAULT;
+- if (copy_to_user(uoss, &oss, sizeof(oss)))
++ if (!access_ok(VERIFY_WRITE, uoss, sizeof(*uoss)))
+ goto out;
++ error = __put_user(oss.ss_sp, &uoss->ss_sp) |
++ __put_user(oss.ss_size, &uoss->ss_size) |
++ __put_user(oss.ss_flags, &uoss->ss_flags);
+ }
+
+- error = 0;
+ out:
+ return error;
+ }
--- /dev/null
+From 80922bbb12a105f858a8f0abb879cb4302d0ecaa Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:48:36 +0000
+Subject: econet: Fix econet_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa upstream.
+
+econet_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -520,6 +520,7 @@ static int econet_getname(struct socket
+ if (peer)
+ return -EOPNOTSUPP;
+
++ memset(sec, 0, sizeof(*sec));
+ mutex_lock(&econet_mutex);
+
+ sk = sock->sk;
--- /dev/null
+From 09384dfc76e526c3993c09c42e016372dc9dd22c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:55:04 +0000
+Subject: irda: Fix irda_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 09384dfc76e526c3993c09c42e016372dc9dd22c upstream.
+
+irda_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/af_irda.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -714,6 +714,7 @@ static int irda_getname(struct socket *s
+ struct sock *sk = sock->sk;
+ struct irda_sock *self = irda_sk(sk);
+
++ memset(&saddr, 0, sizeof(saddr));
+ if (peer) {
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -ENOTCONN;
--- /dev/null
+From oleg@redhat.com Thu Sep 3 15:22:09 2009
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Mon, 24 Aug 2009 12:45:29 +0200
+Subject: kthreads: fix kthread_create() vs kthread_stop() race
+To: Greg Kroah-Hartman <gregkh@suse.de>, Rusty Russell <rusty@rustcorp.com.au>
+Cc: Robert Peterson <rpeterso@redhat.com>, stable@kernel.org, linux-kernel@vger.kernel.org
+Message-ID: <20090824104529.GA6899@redhat.com>
+Content-Disposition: inline
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+The bug should be "accidently" fixed by recent changes in 2.6.31,
+all kernels <= 2.6.30 need the fix. The problem was never noticed before,
+it was found because it causes mysterious failures with GFS mount/umount.
+
+Credits to Robert Peterson. He blaimed kthread.c from the very beginning.
+But, despite my promise, I forgot to inspect the old implementation until
+he did a lot of testing and reminded me. This led to huge delay in fixing
+this bug.
+
+kthread_stop() does put_task_struct(k) before it clears kthread_stop_info.k.
+This means another kthread_create() can re-use this task_struct, but the
+new kthread can still see kthread_should_stop() == T and exit even without
+calling threadfn().
+
+Reported-by: Robert Peterson <rpeterso@redhat.com>
+Tested-by: Robert Peterson <rpeterso@redhat.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/kthread.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -213,12 +213,12 @@ int kthread_stop(struct task_struct *k)
+ /* Now set kthread_should_stop() to true, and wake it up. */
+ kthread_stop_info.k = k;
+ wake_up_process(k);
+- put_task_struct(k);
+
+ /* Once it dies, reset stop ptr, gather result and we're done. */
+ wait_for_completion(&kthread_stop_info.done);
+ kthread_stop_info.k = NULL;
+ ret = kthread_stop_info.err;
++ put_task_struct(k);
+ mutex_unlock(&kthread_stop_lock);
+
+ return ret;
--- /dev/null
+From 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Sun, 23 Aug 2009 22:55:51 -0700
+Subject: NET: llc, zero sockaddr_llc struct
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc upstream.
+
+sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
+before copying to the above layer's structure.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/llc/af_llc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -915,6 +915,7 @@ static int llc_ui_getname(struct socket
+ struct llc_sock *llc = llc_sk(sk);
+ int rc = 0;
+
++ memset(&sllc, 0, sizeof(sllc));
+ lock_sock(sk);
+ if (sock_flag(sk, SOCK_ZAPPED))
+ goto out;
--- /dev/null
+From f6b97b29513950bfbf621a83d85b6f86b39ec8db Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:31:07 +0000
+Subject: netrom: Fix nr_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit f6b97b29513950bfbf621a83d85b6f86b39ec8db upstream.
+
+nr_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -848,6 +848,7 @@ static int nr_getname(struct socket *soc
+ sax->fsa_ax25.sax25_family = AF_NETROM;
+ sax->fsa_ax25.sax25_ndigis = 1;
+ sax->fsa_ax25.sax25_call = nr->user_addr;
++ memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater));
+ sax->fsa_digipeater[0] = nr->dest_addr;
+ *uaddr_len = sizeof(struct full_sockaddr_ax25);
+ } else {
--- /dev/null
+From e7432675f8ca868a4af365759a8d4c3779a3d922 Mon Sep 17 00:00:00 2001
+From: Sunil Mushran <sunil.mushran@oracle.com>
+Date: Thu, 6 Aug 2009 16:12:58 -0700
+Subject: ocfs2: Initialize the cluster we're writing to in a non-sparse extend
+
+From: Sunil Mushran <sunil.mushran@oracle.com>
+
+commit e7432675f8ca868a4af365759a8d4c3779a3d922 upstream.
+
+In a non-sparse extend, we correctly allocate (and zero) the clusters between
+the old_i_size and pos, but we don't zero the portions of the cluster we're
+writing to outside of pos<->len.
+
+It handles clustersize > pagesize and blocksize < pagesize.
+
+[Cleaned up by Joel Becker.]
+
+Signed-off-by: Sunil Mushran <sunil.mushran@oracle.com>
+Signed-off-by: Joel Becker <joel.becker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ocfs2/aops.c | 64 ++++++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 46 insertions(+), 18 deletions(-)
+
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -908,18 +908,17 @@ struct ocfs2_write_cluster_desc {
+ */
+ unsigned c_new;
+ unsigned c_unwritten;
++ unsigned c_needs_zero;
+ };
+
+-static inline int ocfs2_should_zero_cluster(struct ocfs2_write_cluster_desc *d)
+-{
+- return d->c_new || d->c_unwritten;
+-}
+-
+ struct ocfs2_write_ctxt {
+ /* Logical cluster position / len of write */
+ u32 w_cpos;
+ u32 w_clen;
+
++ /* First cluster allocated in a nonsparse extend */
++ u32 w_first_new_cpos;
++
+ struct ocfs2_write_cluster_desc w_desc[OCFS2_MAX_CLUSTERS_PER_PAGE];
+
+ /*
+@@ -997,6 +996,7 @@ static int ocfs2_alloc_write_ctxt(struct
+ return -ENOMEM;
+
+ wc->w_cpos = pos >> osb->s_clustersize_bits;
++ wc->w_first_new_cpos = UINT_MAX;
+ cend = (pos + len - 1) >> osb->s_clustersize_bits;
+ wc->w_clen = cend - wc->w_cpos + 1;
+ get_bh(di_bh);
+@@ -1239,13 +1239,11 @@ static int ocfs2_write_cluster(struct ad
+ struct ocfs2_write_ctxt *wc, u32 cpos,
+ loff_t user_pos, unsigned user_len)
+ {
+- int ret, i, new, should_zero = 0;
++ int ret, i, new;
+ u64 v_blkno, p_blkno;
+ struct inode *inode = mapping->host;
+
+ new = phys == 0 ? 1 : 0;
+- if (new || unwritten)
+- should_zero = 1;
+
+ if (new) {
+ u32 tmp_pos;
+@@ -1356,7 +1354,9 @@ static int ocfs2_write_cluster_by_desc(s
+ local_len = osb->s_clustersize - cluster_off;
+
+ ret = ocfs2_write_cluster(mapping, desc->c_phys,
+- desc->c_unwritten, data_ac, meta_ac,
++ desc->c_unwritten,
++ desc->c_needs_zero,
++ data_ac, meta_ac,
+ wc, desc->c_cpos, pos, local_len);
+ if (ret) {
+ mlog_errno(ret);
+@@ -1406,14 +1406,14 @@ static void ocfs2_set_target_boundaries(
+ * newly allocated cluster.
+ */
+ desc = &wc->w_desc[0];
+- if (ocfs2_should_zero_cluster(desc))
++ if (desc->c_needs_zero)
+ ocfs2_figure_cluster_boundaries(osb,
+ desc->c_cpos,
+ &wc->w_target_from,
+ NULL);
+
+ desc = &wc->w_desc[wc->w_clen - 1];
+- if (ocfs2_should_zero_cluster(desc))
++ if (desc->c_needs_zero)
+ ocfs2_figure_cluster_boundaries(osb,
+ desc->c_cpos,
+ NULL,
+@@ -1481,13 +1481,28 @@ static int ocfs2_populate_write_desc(str
+ phys++;
+ }
+
++ /*
++ * If w_first_new_cpos is < UINT_MAX, we have a non-sparse
++ * file that got extended. w_first_new_cpos tells us
++ * where the newly allocated clusters are so we can
++ * zero them.
++ */
++ if (desc->c_cpos >= wc->w_first_new_cpos) {
++ BUG_ON(phys == 0);
++ desc->c_needs_zero = 1;
++ }
++
+ desc->c_phys = phys;
+ if (phys == 0) {
+ desc->c_new = 1;
++ desc->c_needs_zero = 1;
+ *clusters_to_alloc = *clusters_to_alloc + 1;
+ }
+- if (ext_flags & OCFS2_EXT_UNWRITTEN)
++
++ if (ext_flags & OCFS2_EXT_UNWRITTEN) {
+ desc->c_unwritten = 1;
++ desc->c_needs_zero = 1;
++ }
+
+ num_clusters--;
+ }
+@@ -1644,10 +1659,13 @@ static int ocfs2_expand_nonsparse_inode(
+ if (newsize <= i_size_read(inode))
+ return 0;
+
+- ret = ocfs2_extend_no_holes(inode, newsize, newsize - len);
++ ret = ocfs2_extend_no_holes(inode, newsize, pos);
+ if (ret)
+ mlog_errno(ret);
+
++ wc->w_first_new_cpos =
++ ocfs2_clusters_for_bytes(inode->i_sb, i_size_read(inode));
++
+ return ret;
+ }
+
+@@ -1656,7 +1674,7 @@ int ocfs2_write_begin_nolock(struct addr
+ struct page **pagep, void **fsdata,
+ struct buffer_head *di_bh, struct page *mmap_page)
+ {
+- int ret, credits = OCFS2_INODE_UPDATE_CREDITS;
++ int ret, cluster_of_pages, credits = OCFS2_INODE_UPDATE_CREDITS;
+ unsigned int clusters_to_alloc, extents_to_split;
+ struct ocfs2_write_ctxt *wc;
+ struct inode *inode = mapping->host;
+@@ -1724,8 +1742,19 @@ int ocfs2_write_begin_nolock(struct addr
+
+ }
+
+- ocfs2_set_target_boundaries(osb, wc, pos, len,
+- clusters_to_alloc + extents_to_split);
++ /*
++ * We have to zero sparse allocated clusters, unwritten extent clusters,
++ * and non-sparse clusters we just extended. For non-sparse writes,
++ * we know zeros will only be needed in the first and/or last cluster.
++ */
++ if (clusters_to_alloc || extents_to_split ||
++ wc->w_desc[0].c_needs_zero ||
++ wc->w_desc[wc->w_clen - 1].c_needs_zero)
++ cluster_of_pages = 1;
++ else
++ cluster_of_pages = 0;
++
++ ocfs2_set_target_boundaries(osb, wc, pos, len, cluster_of_pages);
+
+ handle = ocfs2_start_trans(osb, credits);
+ if (IS_ERR(handle)) {
+@@ -1753,8 +1782,7 @@ int ocfs2_write_begin_nolock(struct addr
+ * extent.
+ */
+ ret = ocfs2_grab_pages_for_write(mapping, wc, wc->w_cpos, pos,
+- clusters_to_alloc + extents_to_split,
+- mmap_page);
++ cluster_of_pages, mmap_page);
+ if (ret) {
+ mlog_errno(ret);
+ goto out_commit;
--- /dev/null
+From 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:34:06 +0000
+Subject: rose: Fix rose_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 upstream.
+
+rose_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rose/af_rose.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -957,6 +957,7 @@ static int rose_getname(struct socket *s
+ struct rose_sock *rose = rose_sk(sk);
+ int n;
+
++ memset(srose, 0, sizeof(*srose));
+ if (peer != 0) {
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -ENOTCONN;
kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch
kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch
kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch
+appletalk-fix-atalk_getname-leak.patch
+can-fix-raw_getname-leak.patch
+do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch
+econet-fix-econet_getname-leak.patch
+irda-fix-irda_getname-leak.patch
+kthreads-fix-kthread_create-vs-kthread_stop-race.patch
+net-llc-zero-sockaddr_llc-struct.patch
+netrom-fix-nr_getname-leak.patch
+ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch
+rose-fix-rose_getname-leak.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
