3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Mar 2013 20:28:06 +0000 (13:28 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Mar 2013 20:28:06 +0000 (13:28 -0700)
added patches:
exec-use-eloop-for-max-recursion-depth.patch
i915-initialize-cadl-in-opregion.patch
isofs-avoid-info-leak-on-export.patch
key-fix-resource-leak.patch
tools-hv-netlink-source-address-validation-allows-dos.patch
udf-avoid-info-leak-on-export.patch
usb-garmin_gps-fix-memory-leak-on-disconnect.patch
usb-io_ti-fix-get_icount-for-two-port-adapters.patch

queue-3.4/exec-use-eloop-for-max-recursion-depth.patch [new file with mode: 0644]
queue-3.4/i915-initialize-cadl-in-opregion.patch [new file with mode: 0644]
queue-3.4/isofs-avoid-info-leak-on-export.patch [new file with mode: 0644]
queue-3.4/key-fix-resource-leak.patch [new file with mode: 0644]
queue-3.4/series
queue-3.4/tools-hv-netlink-source-address-validation-allows-dos.patch [new file with mode: 0644]
queue-3.4/udf-avoid-info-leak-on-export.patch [new file with mode: 0644]
queue-3.4/usb-garmin_gps-fix-memory-leak-on-disconnect.patch [new file with mode: 0644]
queue-3.4/usb-io_ti-fix-get_icount-for-two-port-adapters.patch [new file with mode: 0644]

diff --git a/queue-3.4/exec-use-eloop-for-max-recursion-depth.patch b/queue-3.4/exec-use-eloop-for-max-recursion-depth.patch
new file mode 100644 (file)
index 0000000..5b528e8
--- /dev/null
@@ -0,0 +1,139 @@
+From d740269867021faf4ce38a449353d2b986c34a67 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 17 Dec 2012 16:03:20 -0800
+Subject: exec: use -ELOOP for max recursion depth
+
+From: Kees Cook <keescook@chromium.org>
+
+commit d740269867021faf4ce38a449353d2b986c34a67 upstream.
+
+To avoid an explosion of request_module calls on a chain of abusive
+scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
+as maximum recursion depth is hit, the error will fail all the way back
+up the chain, aborting immediately.
+
+This also has the side-effect of stopping the user's shell from attempting
+to reexecute the top-level file as a shell script. As seen in the
+dash source:
+
+        if (cmd != path_bshell && errno == ENOEXEC) {
+                *argv-- = cmd;
+                *argv = cmd = path_bshell;
+                goto repeat;
+        }
+
+The above logic was designed for running scripts automatically that lacked
+the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
+things continue to behave as the shell expects.
+
+Additionally, when tracking recursion, the binfmt handlers should not be
+involved. The recursion being tracked is the depth of calls through
+search_binary_handler(), so that function should be exclusively responsible
+for tracking the depth.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: halfdog <me@halfdog.net>
+Cc: P J P <ppandit@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_em86.c        |    1 -
+ fs/binfmt_misc.c        |    6 ------
+ fs/binfmt_script.c      |    4 +---
+ fs/exec.c               |   10 +++++-----
+ include/linux/binfmts.h |    2 --
+ 5 files changed, 6 insertions(+), 17 deletions(-)
+
+--- a/fs/binfmt_em86.c
++++ b/fs/binfmt_em86.c
+@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm
+                       return -ENOEXEC;
+       }
+-      bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
+       allow_write_access(bprm->file);
+       fput(bprm->file);
+       bprm->file = NULL;
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux
+       if (!enabled)
+               goto _ret;
+-      retval = -ENOEXEC;
+-      if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
+-              goto _ret;
+-
+       /* to keep locking time low, we copy the interpreter string */
+       read_lock(&entries_lock);
+       fmt = check_file(bprm);
+@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux
+       if (retval < 0)
+               goto _error;
+-      bprm->recursion_depth++;
+-
+       retval = search_binary_handler (bprm, regs);
+       if (retval < 0)
+               goto _error;
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -22,15 +22,13 @@ static int load_script(struct linux_binp
+       char interp[BINPRM_BUF_SIZE];
+       int retval;
+-      if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
+-          (bprm->recursion_depth > BINPRM_MAX_RECURSION))
++      if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
+               return -ENOEXEC;
+       /*
+        * This section does the #! interpretation.
+        * Sorta complicated, but hopefully it will work.  -TYT
+        */
+-      bprm->recursion_depth++;
+       allow_write_access(bprm->file);
+       fput(bprm->file);
+       bprm->file = NULL;
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1389,6 +1389,10 @@ int search_binary_handler(struct linux_b
+       struct linux_binfmt *fmt;
+       pid_t old_pid, old_vpid;
++      /* This allows 4 levels of binfmt rewrites before failing hard. */
++      if (depth > 5)
++              return -ELOOP;
++
+       retval = security_bprm_check(bprm);
+       if (retval)
+               return retval;
+@@ -1413,12 +1417,8 @@ int search_binary_handler(struct linux_b
+                       if (!try_module_get(fmt->module))
+                               continue;
+                       read_unlock(&binfmt_lock);
++                      bprm->recursion_depth = depth + 1;
+                       retval = fn(bprm, regs);
+-                      /*
+-                       * Restore the depth counter to its starting value
+-                       * in this call, so we don't have to rely on every
+-                       * load_binary function to restore it on return.
+-                       */
+                       bprm->recursion_depth = depth;
+                       if (retval >= 0) {
+                               if (depth == 0) {
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -68,8 +68,6 @@ struct linux_binprm {
+ #define BINPRM_FLAGS_EXECFD_BIT 1
+ #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
+-#define BINPRM_MAX_RECURSION 4
+-
+ /* Function parameter for binfmt->coredump */
+ struct coredump_params {
+       long signr;
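Review bot: The new guard `if (depth > 5) return -ELOOP;` in the fs/exec.c hunk admits depth values 0 through 5, which is five nested binfmt rewrites beneath the top-level (depth 0) call, while the comment directly above it promises four; either the comment or the bound is off by one and should be reconciled before this ships. The limit would be easier to audit as a named constant — the include/linux/binfmts.h hunk removes `BINPRM_MAX_RECURSION` rather than reusing it, and a file-local `enum { BINPRM_MAX_DEPTH = 5 }` in exec.c would keep the intent visible. `depth` is presumably captured from `bprm->recursion_depth` earlier in search_binary_handler, which starts outside this hunk; worth confirming it is read before the new early return so the check sees the caller's depth.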
diff --git a/queue-3.4/i915-initialize-cadl-in-opregion.patch b/queue-3.4/i915-initialize-cadl-in-opregion.patch
new file mode 100644 (file)
index 0000000..c16fd79
--- /dev/null
@@ -0,0 +1,70 @@
+From d627b62ff8d4d36761adbcd90ff143d79c94ab22 Mon Sep 17 00:00:00 2001
+From: Lekensteyn <lekensteyn@gmail.com>
+Date: Tue, 26 Jun 2012 00:36:24 +0200
+Subject: i915: initialize CADL in opregion
+
+From: Lekensteyn <lekensteyn@gmail.com>
+
+commit d627b62ff8d4d36761adbcd90ff143d79c94ab22 upstream.
+
+This is rather a hack to fix brightness hotkeys on a Clevo laptop. CADL is not
+used anywhere in the driver code at the moment, but it could be used in BIOS as
+is the case with the Clevo laptop.
+
+The Clevo B7130 requires the CADL field to contain at least the ID of
+the LCD device. If this field is empty, the ACPI methods that are called
+on pressing brightness / display switching hotkeys will not trigger a
+notification. As a result, it appears as no hotkey has been pressed.
+
+Reference: https://bugs.freedesktop.org/show_bug.cgi?id=45452
+Tested-by: Peter Wu <lekensteyn@gmail.com>
+Signed-off-by: Peter Wu <lekensteyn@gmail.com>
+Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_opregion.c |   23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_opregion.c
++++ b/drivers/gpu/drm/i915/intel_opregion.c
+@@ -419,6 +419,25 @@ blind_set:
+       goto end;
+ }
++static void intel_setup_cadls(struct drm_device *dev)
++{
++      struct drm_i915_private *dev_priv = dev->dev_private;
++      struct intel_opregion *opregion = &dev_priv->opregion;
++      int i = 0;
++      u32 disp_id;
++
++      /* Initialize the CADL field by duplicating the DIDL values.
++       * Technically, this is not always correct as display outputs may exist,
++       * but not active. This initialization is necessary for some Clevo
++       * laptops that check this field before processing the brightness and
++       * display switching hotkeys. Just like DIDL, CADL is NULL-terminated if
++       * there are less than eight devices. */
++      do {
++              disp_id = ioread32(&opregion->acpi->didl[i]);
++              iowrite32(disp_id, &opregion->acpi->cadl[i]);
++      } while (++i < 8 && disp_id != 0);
++}
++
+ void intel_opregion_init(struct drm_device *dev)
+ {
+       struct drm_i915_private *dev_priv = dev->dev_private;
+@@ -428,8 +447,10 @@ void intel_opregion_init(struct drm_devi
+               return;
+       if (opregion->acpi) {
+-              if (drm_core_check_feature(dev, DRIVER_MODESET))
++              if (drm_core_check_feature(dev, DRIVER_MODESET)) {
+                       intel_didl_outputs(dev);
++                      intel_setup_cadls(dev);
++              }
+               /* Notify BIOS we are ready to handle ACPI video ext notifs.
+                * Right now, all the events are handled by the ACPI video module.
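Review bot: The loop bound in `while (++i < 8 && disp_id != 0)` hard-codes the length of the `didl`/`cadl` arrays, which the preceding comment only restates in prose; `while (++i < ARRAY_SIZE(opregion->acpi->cadl) && disp_id != 0)` ties the bound to the actual field so the two cannot drift. The comment could also state the consequence already implied: when all eight entries are in use, CADL is not zero-terminated, exactly like DIDL, so consumers must bound on eight as well. intel_setup_cadls is fully inside the hunk; intel_opregion_init continues outside it.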
diff --git a/queue-3.4/isofs-avoid-info-leak-on-export.patch b/queue-3.4/isofs-avoid-info-leak-on-export.patch
new file mode 100644 (file)
index 0000000..1eb293b
--- /dev/null
@@ -0,0 +1,31 @@
+From fe685aabf7c8c9f138e5ea900954d295bf229175 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Thu, 12 Jul 2012 08:46:54 +0200
+Subject: isofs: avoid info leak on export
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit fe685aabf7c8c9f138e5ea900954d295bf229175 upstream.
+
+For type 1 the parent_offset member in struct isofs_fid gets copied
+uninitialized to userland. Fix this by initializing it to 0.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/export.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -135,6 +135,7 @@ isofs_export_encode_fh(struct dentry *de
+       len = 3;
+       fh32[0] = ei->i_iget5_block;
+       fh16[2] = (__u16)ei->i_iget5_offset;  /* fh16 [sic] */
++      fh16[3] = 0;  /* avoid leaking uninitialized data */
+       fh32[2] = inode->i_generation;
+       if (connectable && !S_ISDIR(inode->i_mode)) {
+               struct inode *parent;
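Review bot: The fix zeroes only the one half-word known to be uninitialized (`fh16[3] = 0;`), so any other padding in the 16-bit/32-bit views of the handle, or a field added later, would leak to userland the same way; clearing the encoded area once before the fields are filled, e.g. `memset(fh32, 0, len * sizeof(*fh32));` right after `len = 3;` (assuming `fh32` points at a caller buffer of at least `len` words, which the size check above the hunk presumably guarantees), makes the handle leak-free by construction. The udf hunk in fs/udf/namei.c (the `fid->udf.parent_partref = 0;` line) has the same shape and the same remedy. isofs_export_encode_fh starts before and ends after this hunk.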
diff --git a/queue-3.4/key-fix-resource-leak.patch b/queue-3.4/key-fix-resource-leak.patch
new file mode 100644 (file)
index 0000000..9e19207
--- /dev/null
@@ -0,0 +1,36 @@
+From a84a921978b7d56e0e4b87ffaca6367429b4d8ff Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Fri, 28 Sep 2012 12:20:02 +0100
+Subject: key: Fix resource leak
+
+From: Alan Cox <alan@linux.intel.com>
+
+commit a84a921978b7d56e0e4b87ffaca6367429b4d8ff upstream.
+
+On an error iov may still have been reallocated and need freeing
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/keyctl.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1081,12 +1081,12 @@ long keyctl_instantiate_key_iov(key_seri
+       ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
+                                   ARRAY_SIZE(iovstack), iovstack, &iov, 1);
+       if (ret < 0)
+-              return ret;
++              goto err;
+       if (ret == 0)
+               goto no_payload_free;
+       ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+-
++err:
+       if (iov != iovstack)
+               kfree(iov);
+       return ret;
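Review bot: The new `err:` label is also reached on the success path — the `keyctl_instantiate_key_common` call falls straight into it — so the name misdescribes the block; `out:` or `free_iov:` would read correctly for both paths. The fix further relies on `iov` already pointing at `iovstack` when `rw_copy_check_uvector` fails before it reallocates; that initialization sits above the hunk and is worth confirming, since otherwise the new `goto err` would hand an indeterminate pointer to `kfree`. keyctl_instantiate_key_iov starts outside this hunk.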
index bcd1b918ba8c649fa34ec5657175975551fb4056..c746dfcb35daf55ed397832c209a4358521c75ea 100644 (file)
@@ -60,3 +60,11 @@ usb-cdc-acm-fix-device-unregistration.patch
 usb-serial-fix-interface-refcounting.patch
 nohz-make-tick_nohz_irq_exit-irq-safe.patch
 udf-fix-bitmap-overflow-on-large-filesystems-with-small-block-size.patch
+usb-garmin_gps-fix-memory-leak-on-disconnect.patch
+usb-io_ti-fix-get_icount-for-two-port-adapters.patch
+key-fix-resource-leak.patch
+isofs-avoid-info-leak-on-export.patch
+udf-avoid-info-leak-on-export.patch
+tools-hv-netlink-source-address-validation-allows-dos.patch
+i915-initialize-cadl-in-opregion.patch
+exec-use-eloop-for-max-recursion-depth.patch
diff --git a/queue-3.4/tools-hv-netlink-source-address-validation-allows-dos.patch b/queue-3.4/tools-hv-netlink-source-address-validation-allows-dos.patch
new file mode 100644 (file)
index 0000000..37dca78
--- /dev/null
@@ -0,0 +1,46 @@
+From 95a69adab9acfc3981c504737a2b6578e4d846ef Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza@redhat.com>
+Date: Thu, 8 Nov 2012 10:53:29 +0100
+Subject: tools: hv: Netlink source address validation allows DoS
+
+From: Tomas Hozza <thozza@redhat.com>
+
+commit 95a69adab9acfc3981c504737a2b6578e4d846ef upstream.
+
+The source code without this patch caused hypervkvpd to exit when it processed
+a spoofed Netlink packet which has been sent from an untrusted local user.
+Now Netlink messages with a non-zero nl_pid source address are ignored
+and a warning is printed into the syslog.
+
+Signed-off-by: Tomas Hozza <thozza@redhat.com>
+Acked-by:  K. Y. Srinivasan <kys@microsoft.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/hv/hv_kvp_daemon.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/tools/hv/hv_kvp_daemon.c
++++ b/tools/hv/hv_kvp_daemon.c
+@@ -727,13 +727,19 @@ int main(void)
+               len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
+                               addr_p, &addr_l);
+-              if (len < 0 || addr.nl_pid) {
++              if (len < 0) {
+                       syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
+                                       addr.nl_pid, errno, strerror(errno));
+                       close(fd);
+                       return -1;
+               }
++              if (addr.nl_pid) {
++                      syslog(LOG_WARNING, "Received packet from untrusted pid:%u",
++                                      addr.nl_pid);
++                      continue;
++              }
++
+               incoming_msg = (struct nlmsghdr *)kvp_recv_buffer;
+               incoming_cn_msg = (struct cn_msg *)NLMSG_DATA(incoming_msg);
+               hv_msg = (struct hv_kvp_msg *)incoming_cn_msg->data;
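Review bot: The hunk validates the sender but still not the length: `len` is only checked for `< 0` before `kvp_recv_buffer` is cast to `struct nlmsghdr` and `NLMSG_DATA()` is dereferenced, so the parser depends on every accepted datagram being well-formed; `if (!NLMSG_OK(incoming_msg, (unsigned int)len)) continue;` after the cast would make it self-contained, with an analogous size check before the `struct cn_msg`/`struct hv_kvp_msg` payload is read. The new rejection path also calls `syslog()` once per ignored datagram, so a local sender can drive log volume at will; rate-limiting or counting the warning (log the first occurrence, then a periodic summary) keeps the audit trail without the amplification. main() starts outside this hunk.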
diff --git a/queue-3.4/udf-avoid-info-leak-on-export.patch b/queue-3.4/udf-avoid-info-leak-on-export.patch
new file mode 100644 (file)
index 0000000..1d9bbbe
--- /dev/null
@@ -0,0 +1,31 @@
+From 0143fc5e9f6f5aad4764801015bc8d4b4a278200 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Thu, 12 Jul 2012 08:46:55 +0200
+Subject: udf: avoid info leak on export
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 0143fc5e9f6f5aad4764801015bc8d4b4a278200 upstream.
+
+For type 0x51 the udf.parent_partref member in struct fid gets copied
+uninitialized to userland. Fix this by initializing it to 0.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/namei.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -1280,6 +1280,7 @@ static int udf_encode_fh(struct dentry *
+       *lenp = 3;
+       fid->udf.block = location.logicalBlockNum;
+       fid->udf.partref = location.partitionReferenceNum;
++      fid->udf.parent_partref = 0;
+       fid->udf.generation = inode->i_generation;
+       if (connectable && !S_ISDIR(inode->i_mode)) {
diff --git a/queue-3.4/usb-garmin_gps-fix-memory-leak-on-disconnect.patch b/queue-3.4/usb-garmin_gps-fix-memory-leak-on-disconnect.patch
new file mode 100644 (file)
index 0000000..3ac728e
--- /dev/null
@@ -0,0 +1,45 @@
+From 618aa1068df29c37a58045fe940f9106664153fd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 19 Mar 2013 09:21:07 +0100
+Subject: USB: garmin_gps: fix memory leak on disconnect
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 618aa1068df29c37a58045fe940f9106664153fd upstream.
+
+Remove bogus disconnect test introduced by 95bef012e ("USB: more serial
+drivers writing after disconnect") which prevented queued data from
+being freed on disconnect.
+
+The possible IO it was supposed to prevent is long gone.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/garmin_gps.c |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/garmin_gps.c
++++ b/drivers/usb/serial/garmin_gps.c
+@@ -971,10 +971,7 @@ static void garmin_close(struct usb_seri
+       if (!serial)
+               return;
+-      mutex_lock(&port->serial->disc_mutex);
+-
+-      if (!port->serial->disconnected)
+-              garmin_clear(garmin_data_p);
++      garmin_clear(garmin_data_p);
+       /* shutdown our urbs */
+       usb_kill_urb(port->read_urb);
+@@ -983,8 +980,6 @@ static void garmin_close(struct usb_seri
+       /* keep reset state so we know that we must start a new session */
+       if (garmin_data_p->state != STATE_RESET)
+               garmin_data_p->state = STATE_DISCONNECTED;
+-
+-      mutex_unlock(&port->serial->disc_mutex);
+ }
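Review bot: Removing the `disc_mutex` critical section also leaves the `garmin_data_p->state` update near the end of garmin_close outside any lock visible in this hunk; if the driver serializes state changes with its own spinlock elsewhere (not visible here), this write should take it too, otherwise a concurrent disconnect or URB completion can race the transition. The commit message's "possible IO is long gone" argument justifies dropping the disconnected test, but not by itself the unserialized state write, so a one-line comment at the assignment stating why no lock is needed would close the question. garmin_close starts before the first hunk.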
diff --git a/queue-3.4/usb-io_ti-fix-get_icount-for-two-port-adapters.patch b/queue-3.4/usb-io_ti-fix-get_icount-for-two-port-adapters.patch
new file mode 100644 (file)
index 0000000..f5d57b3
--- /dev/null
@@ -0,0 +1,32 @@
+From 5492bf3d5655b4954164f69c02955a7fca267611 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 19 Mar 2013 09:21:08 +0100
+Subject: USB: io_ti: fix get_icount for two port adapters
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 5492bf3d5655b4954164f69c02955a7fca267611 upstream.
+
+Add missing get_icount field to two-port driver.
+
+The two-port driver was not updated when switching to the new icount
+interface in commit 0bca1b913aff ("tty: Convert the USB drivers to the
+new icount interface").
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_ti.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -2770,6 +2770,7 @@ static struct usb_serial_driver edgeport
+       .set_termios            = edge_set_termios,
+       .tiocmget               = edge_tiocmget,
+       .tiocmset               = edge_tiocmset,
++      .get_icount             = edge_get_icount,
+       .write                  = edge_write,
+       .write_room             = edge_write_room,
+       .chars_in_buffer        = edge_chars_in_buffer,