From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Tue, 24 Aug 2010 18:16:16 +0000 (-0700)
Subject: .32 patches
X-Git-Tag: v2.6.32.21~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3e8e337b0f9047af6b66f5d59941d1e401fe6ae;p=thirdparty%2Fkernel%2Fstable-queue.git

.32 patches
---

diff --git a/queue-2.6.32/drm-radeon-kms-fix-typo-in-radeon_compute_pll_gain.patch b/queue-2.6.32/drm-radeon-kms-fix-typo-in-radeon_compute_pll_gain.patch
new file mode 100644
index 00000000000..82ff8bd9392
--- /dev/null
+++ b/queue-2.6.32/drm-radeon-kms-fix-typo-in-radeon_compute_pll_gain.patch
@@ -0,0 +1,31 @@
+From 0537398b211b4f040564beec458e23571042d335 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Tue, 17 Aug 2010 00:35:45 -0400
+Subject: drm/radeon/kms: fix typo in radeon_compute_pll_gain
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit 0537398b211b4f040564beec458e23571042d335 upstream.
+
+Looks like this got copied from the ddx wrong.
+
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/radeon_legacy_crtc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
++++ b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
+@@ -261,7 +261,7 @@ static uint8_t radeon_compute_pll_gain(u
+ 	if (!ref_div)
+ 		return 1;
+ 
+-	vcoFreq = ((unsigned)ref_freq & fb_div) / ref_div;
++	vcoFreq = ((unsigned)ref_freq * fb_div) / ref_div;
+ 
+ 	/*
+ 	 * This is horribly crude: the VCO frequency range is divided into
diff --git a/queue-2.6.32/drm-stop-information-leak-of-old-kernel-stack.patch b/queue-2.6.32/drm-stop-information-leak-of-old-kernel-stack.patch
new file mode 100644
index 00000000000..c3f8c1ada97
--- /dev/null
+++ b/queue-2.6.32/drm-stop-information-leak-of-old-kernel-stack.patch
@@ -0,0 +1,40 @@
+From b9f0aee83335db1f3915f4e42a5e21b351740afd Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Tue, 17 Aug 2010 14:46:00 +1000
+Subject: drm: stop information leak of old kernel stack.
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit b9f0aee83335db1f3915f4e42a5e21b351740afd upstream.
+
+non-critical issue, CVE-2010-2803
+
+Userspace controls the amount of memory to be allocate, so it can
+get the ioctl to allocate more memory than the kernel uses, and get
+access to kernel stack. This can only be done for processes authenticated
+to the X server for DRI access, and if the user has DRI access.
+
+Fix is to just memset the data to 0 if the user doesn't copy into
+it in the first place.
+
+Reported-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/drm_drv.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -470,7 +470,9 @@ int drm_ioctl(struct inode *inode, struc
+ 				retcode = -EFAULT;
+ 				goto err_i1;
+ 			}
+-		}
++		} else
++			memset(kdata, 0, _IOC_SIZE(cmd));
++
+ 		retcode = func(dev, kdata, file_priv);
+ 
+ 		if (cmd & IOC_OUT) {
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index 5f6a7932930..6777347a4ed 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
@@ -43,3 +43,5 @@ oprofile-add-support-for-intel-processor-model-30.patch
 fixes-for-using-make-3.82.patch
 alsa-intel8x0-mute-external-amplifier-by-default-for-thinkpad-x31.patch
 netlink-fix-compat-recvmsg.patch
+drm-radeon-kms-fix-typo-in-radeon_compute_pll_gain.patch
+drm-stop-information-leak-of-old-kernel-stack.patch