From: Greg Kroah-Hartman
Date: Sat, 23 Nov 2013 02:10:29 +0000 (-0800)
Subject: 3.10-stable patches
X-Git-Tag: v3.11.10~57
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4404ccdfd8461ed6e98425aad004780f0843de55;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
aacraid-prevent-invalid-pointer-dereference.patch
acpica-derefof-operator-update-to-fully-resolve-fieldunit-and-bufferfield-refs.patch
libertas-potential-oops-in-debugfs.patch
---

diff --git a/queue-3.10/aacraid-prevent-invalid-pointer-dereference.patch b/queue-3.10/aacraid-prevent-invalid-pointer-dereference.patch
new file mode 100644
index 00000000000..27a9efd7049
--- /dev/null
+++ b/queue-3.10/aacraid-prevent-invalid-pointer-dereference.patch
@@ -0,0 +1,41 @@
+From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
+From: Mahesh Rajashekhara
+Date: Thu, 31 Oct 2013 14:01:02 +0530
+Subject: aacraid: prevent invalid pointer dereference
+
+From: Mahesh Rajashekhara
+
+commit b4789b8e6be3151a955ade74872822f30e8cd914 upstream.
+
+It appears that driver runs into a problem here if fibsize is too small
+because we allocate user_srbcmd with fibsize size only but later we
+access it until user_srbcmd->sg.count to copy it over to srbcmd.
+
+It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
+structure already includes one sg element and this is not needed for
+commands without data. So, we would recommend to add the following
+(instead of test for fibsize == 0).
+
+Signed-off-by: Mahesh Rajashekhara
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Linus Torvalds
+Cc: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/aacraid/commctrl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -510,7 +510,8 @@ static int aac_send_raw_srb(struct aac_d
+ goto cleanup;
+ }
+
+- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ rcode = -EINVAL;
+ goto cleanup;
+ }
diff --git a/queue-3.10/acpica-derefof-operator-update-to-fully-resolve-fieldunit-and-bufferfield-refs.patch b/queue-3.10/acpica-derefof-operator-update-to-fully-resolve-fieldunit-and-bufferfield-refs.patch
new file mode 100644
index 00000000000..ed380fd958b
--- /dev/null
+++ b/queue-3.10/acpica-derefof-operator-update-to-fully-resolve-fieldunit-and-bufferfield-refs.patch
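Review bot: The new lower bound `fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))` encodes a fact that only the commit message explains, so the condition deserves a comment at the point of use, e.g. `/* user_aac_srb embeds one sg entry; data-less commands need only the header */`. The bound makes the fixed header safe to read from a fibsize-sized allocation, but whether `sg.count` is then checked against `fibsize` before the sg entries are copied is outside the hunk and should be confirmed rather than assumed. aac_send_raw_srb begins and ends outside the hunk.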
@@ -0,0 +1,75 @@
+From 63660e05ec719613b518547b40a1c501c10f0bc4 Mon Sep 17 00:00:00 2001
+From: Bob Moore
+Date: Thu, 8 Aug 2013 15:29:32 +0800
+Subject: ACPICA: DeRefOf operator: Update to fully resolve FieldUnit and BufferField refs.
+
+From: Bob Moore
+
+commit 63660e05ec719613b518547b40a1c501c10f0bc4 upstream.
+
+Previously, references to these objects were resolved only to the actual
+FieldUnit or BufferField object. The correct behavior is to resolve these
+references to an actual value.
+The problem is that DerefOf did not resolve these objects to actual
+values. An "Integer" object is simple, return the value. But a field in
+an operation region will require a read operation. For a BufferField, the
+appropriate data must be extracted from the parent buffer.
+
+NOTE: It appears that this issues is present in Windows7 but not
+Windows8.
+
+Signed-off-by: Bob Moore
+Signed-off-by: Lv Zheng
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/acpica/exoparg1.c | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/acpica/exoparg1.c
++++ b/drivers/acpi/acpica/exoparg1.c
+@@ -991,11 +991,40 @@ acpi_status acpi_ex_opcode_1A_0T_1R(stru
+ acpi_namespace_node
+ *)
+ return_desc);
+- }
++ if (!return_desc) {
++ break;
++ }
++
++ /*
++ * June 2013:
++ * buffer_fields/field_units require additional resolution
++ */
++ switch (return_desc->common.type) {
++ case ACPI_TYPE_BUFFER_FIELD:
++ case ACPI_TYPE_LOCAL_REGION_FIELD:
++ case ACPI_TYPE_LOCAL_BANK_FIELD:
++ case ACPI_TYPE_LOCAL_INDEX_FIELD:
++
++ status =
++ acpi_ex_read_data_from_field
++ (walk_state, return_desc,
++ &temp_desc);
++ if (ACPI_FAILURE(status)) {
++ goto cleanup;
++ }
+
+- /* Add another reference to the object! */
++ return_desc = temp_desc;
++ break;
+
+- acpi_ut_add_reference(return_desc);
++ default:
++
++ /* Add another reference to the object */
++
++ acpi_ut_add_reference
++ (return_desc);
++ break;
++ }
++ }
+ break;
+
+ default:
diff --git a/queue-3.10/libertas-potential-oops-in-debugfs.patch b/queue-3.10/libertas-potential-oops-in-debugfs.patch
new file mode 100644
index 00000000000..2421925ab15
--- /dev/null
+++ b/queue-3.10/libertas-potential-oops-in-debugfs.patch
@@ -0,0 +1,49 @@
+From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 30 Oct 2013 20:12:51 +0300
+Subject: libertas: potential oops in debugfs
+
+From: Dan Carpenter
+
+commit a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 upstream.
+
+If we do a zero size allocation then it will oops. Also we can't be
+sure the user passes us a NUL terminated string so I've added a
+terminator.
+
+This code can only be triggered by root.
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+Acked-by: Dan Williams
+Signed-off-by: John W. Linville
+Cc: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/libertas/debugfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/libertas/debugfs.c
++++ b/drivers/net/wireless/libertas/debugfs.c
+@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct
+ char *p2;
+ struct debug_data *d = f->private_data;
+
+- pdata = kmalloc(cnt, GFP_KERNEL);
++ if (cnt == 0)
++ return 0;
++
++ pdata = kmalloc(cnt + 1, GFP_KERNEL);
+ if (pdata == NULL)
+ return 0;
+
+@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct
+ kfree(pdata);
+ return 0;
+ }
++ pdata[cnt] = '\0';
+
+ p0 = pdata;
+ for (i = 0; i < num_of_items; i++) {
diff --git a/queue-3.10/series b/queue-3.10/series
new file mode 100644
index 00000000000..6b947c169b5
--- /dev/null
+++ b/queue-3.10/series
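Review bot: In the field-type arm of the new `switch` (ending at `case ACPI_TYPE_LOCAL_INDEX_FIELD:`), the `ACPI_FAILURE(status)` path jumps to `cleanup` with `return_desc` still pointing at the field object, for which this path has taken no reference — `acpi_ut_add_reference` now runs only in the `default` arm. If the `cleanup` label drops a reference on `return_desc` when `status` is a failure (the label is not visible in this hunk), that would release a reference this path never took; returning the status directly, or clearing `return_desc` before the jump, would avoid the question. The dated comment `/* June 2013: ... */` records when rather than why; `/* Field objects resolve to their current value: read the field instead of returning the field object itself */` would state the intent. acpi_ex_opcode_1A_0T_1R begins and ends outside the hunk.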
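Review bot: `cnt` is still unbounded above in lbs_debugfs_write: after the new `if (cnt == 0) return 0;` the handler calls `kmalloc(cnt + 1, GFP_KERNEL)` with a caller-chosen size, so a very large write either allocates that much or fails and reports 0 bytes consumed, and at `SIZE_MAX` the `cnt + 1` wraps to the zero-size allocation the new check was meant to rule out. A cap before the allocation, e.g. `if (cnt > PAGE_SIZE) return -EINVAL;` with the limit matched to the largest input the item parser below can use, closes both. The commit message notes the file is root-only, which limits the impact but not the defect. lbs_debugfs_write begins and ends outside the hunk.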
@@ -0,0 +1,3 @@
+acpica-derefof-operator-update-to-fully-resolve-fieldunit-and-bufferfield-refs.patch
+libertas-potential-oops-in-debugfs.patch
+aacraid-prevent-invalid-pointer-dereference.patch