From: Greg Kroah-Hartman Date: Wed, 15 Sep 2010 20:45:53 +0000 (-0700) Subject: .27 patches X-Git-Tag: v2.6.27.54~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=992a0162e36fa7681ef7d930f476dd69e9facc46;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches --- diff --git a/queue-2.6.27/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch b/queue-2.6.27/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch new file mode 100644 index 00000000000..6716f8656ec --- /dev/null +++ b/queue-2.6.27/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch 
@@ -0,0 +1,56 @@ +From 27f7ad53829f79e799a253285318bff79ece15bd Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 6 Sep 2010 09:13:45 +0200 +Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() + +From: Takashi Iwai + +commit 27f7ad53829f79e799a253285318bff79ece15bd upstream. + +The error handling in snd_seq_oss_open() has several bad codes that +do dereferecing released pointers and double-free of kmalloc'ed data. +The object dp is release in free_devinfo() that is called via +private_free callback. The rest shouldn't touch this object any more. + +The patch changes delete_port() to call kfree() in any case, and gets +rid of unnecessary calls of destructors in snd_seq_oss_open(). + +Fixes CVE-2010-3080. + +Reported-and-tested-by: Tavis Ormandy +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/oss/seq_oss_init.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/sound/core/seq/oss/seq_oss_init.c ++++ b/sound/core/seq/oss/seq_oss_init.c +@@ -280,13 +280,10 @@ snd_seq_oss_open(struct file *file, int + return 0; + + _error: +- snd_seq_oss_writeq_delete(dp->writeq); +- snd_seq_oss_readq_delete(dp->readq); + snd_seq_oss_synth_cleanup(dp); + snd_seq_oss_midi_cleanup(dp); +- delete_port(dp); + delete_seq_queue(dp->queue); +- kfree(dp); ++ delete_port(dp); + + return rc; + } +@@ -349,8 +346,10 @@ create_port(struct seq_oss_devinfo *dp) + static int + delete_port(struct seq_oss_devinfo *dp) + { +- if (dp->port < 0) ++ if (dp->port < 0) { ++ kfree(dp); + return 0; ++ } + + debug_printk(("delete_port %i\n", dp->port)); + return snd_seq_event_port_detach(dp->cseq, dp->port); diff --git a/queue-2.6.27/ath9k_hw-fix-parsing-of-ht40-5-ghz-ctls.patch b/queue-2.6.27/ath9k_hw-fix-parsing-of-ht40-5-ghz-ctls.patch new file mode 100644 index 00000000000..568c0f2b7fa --- /dev/null +++ b/queue-2.6.27/ath9k_hw-fix-parsing-of-ht40-5-ghz-ctls.patch 
@@ -0,0 +1,36 @@ +From 904879748d7439a6dabdc6be9aad983e216b027d Mon Sep 17 00:00:00 2001 +From: Luis R. Rodriguez +Date: Mon, 30 Aug 2010 19:26:33 -0400 +Subject: ath9k_hw: fix parsing of HT40 5 GHz CTLs + +From: Luis R. Rodriguez + +commit 904879748d7439a6dabdc6be9aad983e216b027d upstream. + +The 5 GHz CTL indexes were not being read for all hardware +devices due to the masking out through the CTL_MODE_M mask +being one bit too short. Without this the calibrated regulatory +maximum values were not being picked up when devices operate +on 5 GHz in HT40 mode. The final output power used for Atheros +devices is the minimum between the calibrated CTL values and +what CRDA provides. + +Signed-off-by: Luis R. Rodriguez +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath9k/ath9k.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath9k/ath9k.h ++++ b/drivers/net/wireless/ath9k/ath9k.h +@@ -554,7 +554,7 @@ enum ath9k_cipher { + + #define SD_NO_CTL 0xE0 + #define NO_CTL 0xff +-#define CTL_MODE_M 7 ++#define CTL_MODE_M 0xf + #define CTL_11A 0 + #define CTL_11B 1 + #define CTL_11G 2
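Review bot: In the _error path of snd_seq_oss_open() in the queued ALSA patch, delete_port(dp) now has to be the last statement that touches dp, but nothing in the code says so. Per the commit message, dp is released in free_devinfo() via the private_free callback, and the second hunk adds a direct kfree(dp) for the other case, so dp is invalid once the call returns. The ordering after delete_seq_queue(dp->queue) is correct as written; a one-line comment above the call stating that dp must not be used afterwards would keep a later cleanup call from being appended below it and reintroducing the use-after-free this patch removes.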
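Review bot: In delete_port() in the same ALSA patch, the new dp->port < 0 branch releases dp with a bare kfree(dp), while the _error hunk drops the explicit snd_seq_oss_writeq_delete(dp->writeq) and snd_seq_oss_readq_delete(dp->readq) calls. Please confirm, in the commit message or a comment, that neither queue can already be allocated while dp->port is still negative; otherwise this branch leaks them. The function now consumes dp on both paths, which its name does not suggest, so a comment at the top of delete_port() stating that it takes ownership of dp would help callers.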
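Review bot: In the ath9k.h hunk, CTL_MODE_M is widened from 7 to 0xf without a comment saying which mode values need bit 3. The CTL_11A, CTL_11B and CTL_11G values visible in the context all fit in the old 3-bit mask, so the define that motivated the change is out of view here. A short comment next to the mask naming the HT40 5 GHz CTL modes from the commit message would make the width self-explanatory. It is also worth checking that every field masked with CTL_MODE_M reserves the four low bits for the mode, given that the adjacent SD_NO_CTL is 0xE0.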