.32 patches

diff --git a/queue-2.6.32/drm-radeon-kms-fix-typo-in-radeon_compute_pll_gain.patch b/queue-2.6.32/drm-radeon-kms-fix-typo-in-radeon_compute_pll_gain.patch
new file mode 100644 (file)
index 0000000..82ff8bd
--- /dev/null
+++ b/queue-2.6.32/drm-radeon-kms-fix-typo-in-radeon_compute_pll_gain.patch
@@ -0,0 +1,31 @@
+From 0537398b211b4f040564beec458e23571042d335 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Tue, 17 Aug 2010 00:35:45 -0400
+Subject: drm/radeon/kms: fix typo in radeon_compute_pll_gain
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit 0537398b211b4f040564beec458e23571042d335 upstream.
+
+Looks like this got copied from the ddx wrong.
+
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/radeon_legacy_crtc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
++++ b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
+@@ -261,7 +261,7 @@ static uint8_t radeon_compute_pll_gain(u
+       if (!ref_div)
+               return 1;
+ 
+-      vcoFreq = ((unsigned)ref_freq & fb_div) / ref_div;
++      vcoFreq = ((unsigned)ref_freq * fb_div) / ref_div;
+ 
+       /*
+        * This is horribly crude: the VCO frequency range is divided into

diff --git a/queue-2.6.32/drm-stop-information-leak-of-old-kernel-stack.patch b/queue-2.6.32/drm-stop-information-leak-of-old-kernel-stack.patch
new file mode 100644 (file)
index 0000000..c3f8c1a
--- /dev/null
+++ b/queue-2.6.32/drm-stop-information-leak-of-old-kernel-stack.patch
@@ -0,0 +1,40 @@
+From b9f0aee83335db1f3915f4e42a5e21b351740afd Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Tue, 17 Aug 2010 14:46:00 +1000
+Subject: drm: stop information leak of old kernel stack.
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit b9f0aee83335db1f3915f4e42a5e21b351740afd upstream.
+
+non-critical issue, CVE-2010-2803
+
+Userspace controls the amount of memory to be allocate, so it can
+get the ioctl to allocate more memory than the kernel uses, and get
+access to kernel stack. This can only be done for processes authenticated
+to the X server for DRI access, and if the user has DRI access.
+
+Fix is to just memset the data to 0 if the user doesn't copy into
+it in the first place.
+
+Reported-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/drm_drv.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -470,7 +470,9 @@ int drm_ioctl(struct inode *inode, struc
+                               retcode = -EFAULT;
+                               goto err_i1;
+                       }
+-              }
++              } else
++                      memset(kdata, 0, _IOC_SIZE(cmd));
++
+               retcode = func(dev, kdata, file_priv);
+ 
+               if (cmd & IOC_OUT) {

diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index 5f6a79329308ed1d2e41a0fabc55c53f11e0282c..6777347a4edc420af197c590a9f34427d0059373 100644 (file)
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
@@ -43,3 +43,5 @@ oprofile-add-support-for-intel-processor-model-30.patch
 fixes-for-using-make-3.82.patch
 alsa-intel8x0-mute-external-amplifier-by-default-for-thinkpad-x31.patch
 netlink-fix-compat-recvmsg.patch
+drm-radeon-kms-fix-typo-in-radeon_compute_pll_gain.patch
+drm-stop-information-leak-of-old-kernel-stack.patch