From ef6f115eb9f10b24854bdb836d243d0a62172406 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 11 Jul 2013 11:16:01 -0700 Subject: [PATCH] 3.10-stable patches added patches: block-do-not-pass-disk-names-as-format-strings.patch ceph-fix-sleeping-function-called-from-invalid-context.patch charger-manager-ensure-event-is-not-used-as-format-string.patch crypto-sanitize-argument-for-format-string.patch drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch futex-take-hugepages-into-account-when-generating-futex_key.patch hpfs-better-test-for-errors.patch libceph-fix-invalid-unsigned-signed-conversion-for-timespec-encoding.patch libceph-fix-null-pointer-dereference-in-auth-client-code.patch maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch module-do-percpu-allocation-after-uniqueness-check.-no-really.patch revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch tty-reset-itty-for-other-pty.patch --- ...ot-pass-disk-names-as-format-strings.patch | 62 ++++++++ ...function-called-from-invalid-context.patch | 75 +++++++++ ...e-event-is-not-used-as-format-string.patch | 34 ++++ ...-sanitize-argument-for-format-string.patch | 35 ++++ ...m.c-use-kzalloc-for-failing-hardware.patch | 51 ++++++ ...to-account-when-generating-futex_key.patch | 149 ++++++++++++++++++ queue-3.10/hpfs-better-test-for-errors.patch | 54 +++++++ ...ned-conversion-for-timespec-encoding.patch | 79 ++++++++++ ...nter-dereference-in-auth-client-code.patch | 49 ++++++ ...txt-to-stable-maintainer-information.patch | 30 ++++ ...on-after-uniqueness-check.-no-really.patch | 100 ++++++++++++ ...nology-pci-9835-multi-i-o-controller.patch | 35 ++++ queue-3.10/series | 13 ++ queue-3.10/tty-reset-itty-for-other-pty.patch | 34 ++++ 14 files changed, 800 insertions(+) create mode 100644 queue-3.10/block-do-not-pass-disk-names-as-format-strings.patch create mode 100644 queue-3.10/ceph-fix-sleeping-function-called-from-invalid-context.patch create mode 100644 
queue-3.10/charger-manager-ensure-event-is-not-used-as-format-string.patch
create mode 100644 queue-3.10/crypto-sanitize-argument-for-format-string.patch
create mode 100644 queue-3.10/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
create mode 100644 queue-3.10/futex-take-hugepages-into-account-when-generating-futex_key.patch
create mode 100644 queue-3.10/hpfs-better-test-for-errors.patch
create mode 100644 queue-3.10/libceph-fix-invalid-unsigned-signed-conversion-for-timespec-encoding.patch
create mode 100644 queue-3.10/libceph-fix-null-pointer-dereference-in-auth-client-code.patch
create mode 100644 queue-3.10/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
create mode 100644 queue-3.10/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch
create mode 100644 queue-3.10/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch
create mode 100644 queue-3.10/series
create mode 100644 queue-3.10/tty-reset-itty-for-other-pty.patch
diff --git a/queue-3.10/block-do-not-pass-disk-names-as-format-strings.patch b/queue-3.10/block-do-not-pass-disk-names-as-format-strings.patch
new file mode 100644
index 00000000000..fe9c5c52844
--- /dev/null
+++ b/queue-3.10/block-do-not-pass-disk-names-as-format-strings.patch
@@ -0,0 +1,62 @@ +From ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 3 Jul 2013 15:01:14 -0700 +Subject: block: do not pass disk names as format strings + +From: Kees Cook + +commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream. + +Disk names may contain arbitrary strings, so they must not be +interpreted as format strings. It seems that only md allows arbitrary +strings to be used for disk names, but this could allow for a local +memory corruption from uid 0 into ring 0. + +CVE-2013-2851 + +Signed-off-by: Kees Cook +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + block/genhd.c | 2 +- + drivers/block/nbd.c | 3 ++- + drivers/scsi/osd/osd_uld.c | 2 +- + 3 files changed, 4 insertions(+), 3 deletions(-) + +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -512,7 +512,7 @@ static void register_disk(struct gendisk + + ddev->parent = disk->driverfs_dev; + +- dev_set_name(ddev, disk->disk_name); ++ dev_set_name(ddev, "%s", disk->disk_name); + + /* delay uevents, until we scanned partition table */ + dev_set_uevent_suppress(ddev, 1); +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_devi + else + blk_queue_flush(nbd->disk->queue, 0); + +- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name); ++ thread = kthread_create(nbd_thread, nbd, "%s", ++ nbd->disk->disk_name); + if (IS_ERR(thread)) { + mutex_lock(&nbd->tx_lock); + return PTR_ERR(thread); +--- a/drivers/scsi/osd/osd_uld.c ++++ b/drivers/scsi/osd/osd_uld.c +@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev) + oud->class_dev.class = &osd_uld_class; + oud->class_dev.parent = dev; + oud->class_dev.release = __remove; +- error = dev_set_name(&oud->class_dev, disk->disk_name); ++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); + if (error) { + OSD_ERR("dev_set_name failed => %d\n", error); + goto err_put_cdev; 
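Review bot: The three call sites are fixed, but nothing in the hunk stops the same class of bug from recurring; `dev_set_name()` and `kthread_create()` are, as far as I recall, printf-annotated, so building with `-Wformat-security` (if it is not already on for this tree) would flag any remaining `disk_name`-as-format caller at compile time, which is worth checking before relying on the description's claim that only md produces arbitrary names. The fix itself is correct: `"%s"` makes the name inert even if it contains `%n`. The generic path in genhd.c deserves a comment so nobody "simplifies" it back: `/* disk_name can be driver/user supplied (md): never use it as a format string */`.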
diff --git a/queue-3.10/ceph-fix-sleeping-function-called-from-invalid-context.patch b/queue-3.10/ceph-fix-sleeping-function-called-from-invalid-context.patch
new file mode 100644
index 00000000000..864da9eff3c
--- /dev/null
+++ b/queue-3.10/ceph-fix-sleeping-function-called-from-invalid-context.patch
@@ -0,0 +1,75 @@ +From a1dc1937337a93e699eaa56968b7de6e1a9e77cf Mon Sep 17 00:00:00 2001 +From: majianpeng +Date: Wed, 19 Jun 2013 14:58:10 +0800 +Subject: ceph: fix sleeping function called from invalid context. + +From: majianpeng + +commit a1dc1937337a93e699eaa56968b7de6e1a9e77cf upstream. + +[ 1121.231883] BUG: sleeping function called from invalid context at kernel/rwsem.c:20 +[ 1121.231935] in_atomic(): 1, irqs_disabled(): 0, pid: 9831, name: mv +[ 1121.231971] 1 lock held by mv/9831: +[ 1121.231973] #0: (&(&ci->i_ceph_lock)->rlock){+.+...},at:[] ceph_getxattr+0x58/0x1d0 [ceph] +[ 1121.231998] CPU: 3 PID: 9831 Comm: mv Not tainted 3.10.0-rc6+ #215 +[ 1121.232000] Hardware name: To Be Filled By O.E.M. To Be Filled By +O.E.M./To be filled by O.E.M., BIOS 080015 11/09/2011 +[ 1121.232027] ffff88006d355a80 ffff880092f69ce0 ffffffff8168348c ffff880092f69cf8 +[ 1121.232045] ffffffff81070435 ffff88006d355a20 ffff880092f69d20 ffffffff816899ba +[ 1121.232052] 0000000300000004 ffff8800b76911d0 ffff88006d355a20 ffff880092f69d68 +[ 1121.232056] Call Trace: +[ 1121.232062] [] dump_stack+0x19/0x1b +[ 1121.232067] [] __might_sleep+0xe5/0x110 +[ 1121.232071] [] down_read+0x2a/0x98 +[ 1121.232080] [] ceph_vxattrcb_layout+0x60/0xf0 [ceph] +[ 1121.232088] [] ceph_getxattr+0x9f/0x1d0 [ceph] +[ 1121.232093] [] vfs_getxattr+0xa8/0xd0 +[ 1121.232097] [] getxattr+0xab/0x1c0 +[ 1121.232100] [] ? final_putname+0x22/0x50 +[ 1121.232104] [] ? kmem_cache_free+0xb0/0x260 +[ 1121.232107] [] ? final_putname+0x22/0x50 +[ 1121.232110] [] ? trace_hardirqs_on+0xd/0x10 +[ 1121.232114] [] ? 
sysret_check+0x1b/0x56 +[ 1121.232120] [] SyS_fgetxattr+0x6c/0xc0 +[ 1121.232125] [] system_call_fastpath+0x16/0x1b +[ 1121.232129] BUG: scheduling while atomic: mv/9831/0x10000002 +[ 1121.232154] 1 lock held by mv/9831: +[ 1121.232156] #0: (&(&ci->i_ceph_lock)->rlock){+.+...}, at: +[] ceph_getxattr+0x58/0x1d0 [ceph] + +I think move the ci->i_ceph_lock down is safe because we can't free +ceph_inode_info at there. + +Signed-off-by: Jianpeng Ma +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/xattr.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -675,17 +675,18 @@ ssize_t ceph_getxattr(struct dentry *den + if (!ceph_is_valid_xattr(name)) + return -ENODATA; + +- spin_lock(&ci->i_ceph_lock); +- dout("getxattr %p ver=%lld index_ver=%lld\n", inode, +- ci->i_xattrs.version, ci->i_xattrs.index_version); + + /* let's see if a virtual xattr was requested */ + vxattr = ceph_match_vxattr(inode, name); + if (vxattr && !(vxattr->exists_cb && !vxattr->exists_cb(ci))) { + err = vxattr->getxattr_cb(ci, value, size); +- goto out; ++ return err; + } + ++ spin_lock(&ci->i_ceph_lock); ++ dout("getxattr %p ver=%lld index_ver=%lld\n", inode, ++ ci->i_xattrs.version, ci->i_xattrs.index_version); ++ + if (__ceph_caps_issued_mask(ci, CEPH_CAP_XATTR_SHARED, 1) && + (ci->i_xattrs.index_version >= ci->i_xattrs.version)) { + goto get_xattr; diff --git a/queue-3.10/charger-manager-ensure-event-is-not-used-as-format-string.patch b/queue-3.10/charger-manager-ensure-event-is-not-used-as-format-string.patch new file mode 100644 index 00000000000..9658fc88741 --- /dev/null +++ b/queue-3.10/charger-manager-ensure-event-is-not-used-as-format-string.patch 
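Review bot: The virtual-xattr callbacks now run without `i_ceph_lock`, and the only justification is the changelog's "I think ... is safe"; that reasoning belongs in the code so the next person who touches the lock ordering sees it. Suggested comment above the `ceph_match_vxattr()` call: `/* vxattr callbacks may sleep (layout takes a rwsem), so serve them before taking i_ceph_lock; ci stays valid because the dentry pins the inode */`. The replacement of `goto out` with `return err;` also skips whatever the `out:` label does further down, which is outside the hunk; confirm it only dropped the lock and did nothing else the vxattr path needed. `ceph_getxattr()` starts and ends outside this hunk.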
@@ -0,0 +1,34 @@ +From 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 6 Jun 2013 13:52:21 -0700 +Subject: charger-manager: Ensure event is not used as format string + +From: Kees Cook + +commit 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 upstream. + +The exposed interface for cm_notify_event() could result in the event msg +string being parsed as a format string. Make sure it is only used as a +literal string. + +Signed-off-by: Kees Cook +Cc: Anton Vorontsov +Cc: David Woodhouse +Signed-off-by: Anton Vorontsov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/charger-manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/charger-manager.c ++++ b/drivers/power/charger-manager.c +@@ -450,7 +450,7 @@ static void uevent_notify(struct charger + strncpy(env_str, event, UEVENT_BUF_SIZE); + kobject_uevent(&cm->dev->kobj, KOBJ_CHANGE); + +- dev_info(cm->dev, event); ++ dev_info(cm->dev, "%s", event); + } + + /** diff --git a/queue-3.10/crypto-sanitize-argument-for-format-string.patch b/queue-3.10/crypto-sanitize-argument-for-format-string.patch new file mode 100644 index 00000000000..063f72fac0c --- /dev/null +++ b/queue-3.10/crypto-sanitize-argument-for-format-string.patch 
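Review bot: The format-string fix is right, but the context line just above it, `strncpy(env_str, event, UEVENT_BUF_SIZE);`, mishandles the same caller-supplied string in a different way: `strncpy` does not NUL-terminate when `event` is UEVENT_BUF_SIZE bytes or longer, and if `env_str` is then exported as a uevent variable it would be read past its end. Since this function already treats `event` as untrusted, `strlcpy(env_str, event, UEVENT_BUF_SIZE);` would close that too. The enclosing `uevent_notify()` starts outside the hunk, so I cannot see how `env_str` is declared or consumed; treat this as something to confirm rather than a proven overread.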
@@ -0,0 +1,35 @@ +From 1c8fca1d92e14859159a82b8a380d220139b7344 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 3 Jul 2013 15:01:15 -0700 +Subject: crypto: sanitize argument for format string + +From: Kees Cook + +commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream. + +The template lookup interface does not provide a way to use format +strings, so make sure that the interface cannot be abused accidentally. + +Signed-off-by: Kees Cook +Cc: Herbert Xu +Cc: "David S. Miller" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algapi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -495,7 +495,8 @@ static struct crypto_template *__crypto_ + + struct crypto_template *crypto_lookup_template(const char *name) + { +- return try_then_request_module(__crypto_lookup_template(name), name); ++ return try_then_request_module(__crypto_lookup_template(name), "%s", ++ name); + } + EXPORT_SYMBOL_GPL(crypto_lookup_template); + diff --git a/queue-3.10/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch b/queue-3.10/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch new file mode 100644 index 00000000000..41d2d9d6c52 --- /dev/null +++ b/queue-3.10/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch 
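Review bot: With the format-string hole closed, the remaining exposure in `crypto_lookup_template()` is that `name` still reaches `request_module()` verbatim, so whoever can drive a template lookup (the crypto user-space interfaces, if reachable without privilege) can ask modprobe for an arbitrary module name rather than only crypto templates. A namespaced request, `try_then_request_module(__crypto_lookup_template(name), "crypto-%s", name);` backed by matching module aliases on the templates, would confine autoloading to the crypto namespace; that is a larger change than this stable fix and is noted for follow-up, not as a blocker.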
@@ -0,0 +1,51 @@ +From 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 Mon Sep 17 00:00:00 2001 +From: Jonathan Salwan +Date: Wed, 3 Jul 2013 15:01:13 -0700 +Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware + +From: Jonathan Salwan + +commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream. + +In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory +area with kmalloc in line 2885. + + 2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL); + 2886 if (cgc->buffer == NULL) + 2887 return -ENOMEM; + +In line 2908 we can find the copy_to_user function: + + 2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize)) + +The cgc->buffer is never cleaned and initialized before this function. +If ret = 0 with the previous basic block, it's possible to display some +memory bytes in kernel space from userspace. + +When we read a block from the disk it normally fills the ->buffer but if +the drive is malfunctioning there is a chance that it would only be +partially filled. The result is an leak information to userspace. + +Signed-off-by: Dan Carpenter +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Cc: Jonathan Salwan +Cc: Luis Henriques +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read + if (lba < 0) + return -EINVAL; + +- cgc->buffer = kmalloc(blocksize, GFP_KERNEL); ++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); + if (cgc->buffer == NULL) + return -ENOMEM; + diff --git a/queue-3.10/futex-take-hugepages-into-account-when-generating-futex_key.patch b/queue-3.10/futex-take-hugepages-into-account-when-generating-futex_key.patch new file mode 100644 index 00000000000..7ec3b6cbfa4 --- /dev/null +++ b/queue-3.10/futex-take-hugepages-into-account-when-generating-futex_key.patch 
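Review bot: `kzalloc()` stops kernel memory from leaking, but the partial-fill case the changelog describes is still reported to user space as success: the `copy_to_user(arg, cgc->buffer, blocksize)` quoted in the description copies the full `blocksize` regardless of how much the drive returned, so the caller gets zero-padded data with `ret == 0`. If the command path records a residual length (it is outside this hunk, so I cannot confirm), returning an error on a short transfer would be better than silent zeros. At minimum the allocation deserves a comment: `/* zeroed: a failing drive may fill only part of the block, and the whole block is copied to user space below */`.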
@@ -0,0 +1,149 @@ +From 13d60f4b6ab5b702dc8d2ee20999f98a93728aec Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Tue, 25 Jun 2013 21:19:31 +0800 +Subject: futex: Take hugepages into account when generating futex_key + +From: Zhang Yi + +commit 13d60f4b6ab5b702dc8d2ee20999f98a93728aec upstream. + +The futex_keys of process shared futexes are generated from the page +offset, the mapping host and the mapping index of the futex user space +address. This should result in an unique identifier for each futex. + +Though this is not true when futexes are located in different subpages +of an hugepage. The reason is, that the mapping index for all those +futexes evaluates to the index of the base page of the hugetlbfs +mapping. So a futex at offset 0 of the hugepage mapping and another +one at offset PAGE_SIZE of the same hugepage mapping have identical +futex_keys. This happens because the futex code blindly uses +page->index. + +Steps to reproduce the bug: + +1. Map a file from hugetlbfs. Initialize pthread_mutex1 at offset 0 + and pthread_mutex2 at offset PAGE_SIZE of the hugetlbfs + mapping. + + The mutexes must be initialized as PTHREAD_PROCESS_SHARED because + PTHREAD_PROCESS_PRIVATE mutexes are not affected by this issue as + their keys solely depend on the user space address. + +2. Lock mutex1 and mutex2 + +3. Create thread1 and in the thread function lock mutex1, which + results in thread1 blocking on the locked mutex1. + +4. Create thread2 and in the thread function lock mutex2, which + results in thread2 blocking on the locked mutex2. + +5. Unlock mutex2. Despite the fact that mutex2 got unlocked, thread2 + still blocks on mutex2 because the futex_key points to mutex1. + +To solve this issue we need to take the normal page index of the page +which contains the futex into account, if the futex is in an hugetlbfs +mapping. In other words, we calculate the normal page mapping index of +the subpage in the hugetlbfs mapping. 
+ +Mappings which are not based on hugetlbfs are not affected and still +use page->index. + +Thanks to Mel Gorman who provided a patch for adding proper evaluation +functions to the hugetlbfs code to avoid exposing hugetlbfs specific +details to the futex code. + +[ tglx: Massaged changelog ] + +Signed-off-by: Zhang Yi +Reviewed-by: Jiang Biao +Tested-by: Ma Chenggong +Reviewed-by: 'Mel Gorman' +Acked-by: 'Darren Hart' +Cc: 'Peter Zijlstra' +Link: http://lkml.kernel.org/r/000101ce71a6%24a83c5880%24f8b50980%24@com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/hugetlb.h | 16 ++++++++++++++++ + kernel/futex.c | 3 ++- + mm/hugetlb.c | 17 +++++++++++++++++ + 3 files changed, 35 insertions(+), 1 deletion(-) + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -358,6 +358,17 @@ static inline int hstate_index(struct hs + return h - hstates; + } + ++pgoff_t __basepage_index(struct page *page); ++ ++/* Return page->index in PAGE_SIZE units */ ++static inline pgoff_t basepage_index(struct page *page) ++{ ++ if (!PageCompound(page)) ++ return page->index; ++ ++ return __basepage_index(page); ++} ++ + #else /* CONFIG_HUGETLB_PAGE */ + struct hstate {}; + #define alloc_huge_page_node(h, nid) NULL +@@ -378,6 +389,11 @@ static inline unsigned int pages_per_hug + } + #define hstate_index_to_shift(index) 0 + #define hstate_index(h) 0 ++ ++static inline pgoff_t basepage_index(struct page *page) ++{ ++ return page->index; ++} + #endif /* CONFIG_HUGETLB_PAGE */ + + #endif /* _LINUX_HUGETLB_H */ +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -61,6 +61,7 @@ + #include + #include + #include ++#include + + #include + +@@ -365,7 +366,7 @@ again: + } else { + key->both.offset |= FUT_OFF_INODE; /* inode-based key */ + key->shared.inode = page_head->mapping->host; +- key->shared.pgoff = page_head->index; ++ key->shared.pgoff = basepage_index(page); + } + + get_futex_key_refs(key); +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -690,6 
+690,23 @@ int PageHuge(struct page *page) + } + EXPORT_SYMBOL_GPL(PageHuge); + ++pgoff_t __basepage_index(struct page *page) ++{ ++ struct page *page_head = compound_head(page); ++ pgoff_t index = page_index(page_head); ++ unsigned long compound_idx; ++ ++ if (!PageHuge(page_head)) ++ return page_index(page); ++ ++ if (compound_order(page_head) >= MAX_ORDER) ++ compound_idx = page_to_pfn(page) - page_to_pfn(page_head); ++ else ++ compound_idx = page - page_head; ++ ++ return (index << compound_order(page_head)) + compound_idx; ++} ++ + static struct page *alloc_fresh_huge_page_node(struct hstate *h, int nid) + { + struct page *page; diff --git a/queue-3.10/hpfs-better-test-for-errors.patch b/queue-3.10/hpfs-better-test-for-errors.patch new file mode 100644 index 00000000000..e9566d12454 --- /dev/null +++ b/queue-3.10/hpfs-better-test-for-errors.patch 
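Review bot: `basepage_index()` must be called with the page that actually contains the futex, not its compound head, otherwise the sub-page offset is lost and the original bug comes back; the kernel/futex.c hunk gets this right by passing `page` while the surrounding code works on `page_head`, but neither the header comment nor the call site says so. Suggested header comment in place of `/* Return page->index in PAGE_SIZE units */`: `/* Return the PAGE_SIZE-unit index of @page. For a hugetlbfs page pass the tail page itself, not its compound head: the head's index is in hugepage units and @page's offset within it is added. */`, and at the call site `/* not page_head: the sub-page offset is what makes the key unique */`. The `>= MAX_ORDER` branch in `__basepage_index()` switches to pfn arithmetic, presumably because gigantic pages are not guaranteed contiguous in the mem_map; a one-line comment there would save the next reader the same guess.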
@@ -0,0 +1,54 @@ +From 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 4 Jul 2013 18:42:29 +0200 +Subject: hpfs: better test for errors + +From: Mikulas Patocka + +commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream. + +The test if bitmap access is out of bound could errorneously pass if the +device size is divisible by 16384 sectors and we are asking for one bitmap +after the end. + +Check for invalid size in the superblock. Invalid size could cause integer +overflows in the rest of the code. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hpfs/map.c | 3 ++- + fs/hpfs/super.c | 8 +++++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/hpfs/map.c ++++ b/fs/hpfs/map.c +@@ -17,7 +17,8 @@ __le32 *hpfs_map_bitmap(struct super_blo + struct quad_buffer_head *qbh, char *id) + { + secno sec; +- if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) { ++ unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14; ++ if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) { + hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id); + return NULL; + } +--- a/fs/hpfs/super.c ++++ b/fs/hpfs/super.c +@@ -558,7 +558,13 @@ static int hpfs_fill_super(struct super_ + sbi->sb_cp_table = NULL; + sbi->sb_c_bitmap = -1; + sbi->sb_max_fwd_alloc = 0xffffff; +- ++ ++ if (sbi->sb_fs_size >= 0x80000000) { ++ hpfs_error(s, "invalid size in superblock: %08x", ++ (unsigned)sbi->sb_fs_size); ++ goto bail4; ++ } ++ + /* Load bitmap directory */ + if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps)))) + goto bail4; diff --git a/queue-3.10/libceph-fix-invalid-unsigned-signed-conversion-for-timespec-encoding.patch b/queue-3.10/libceph-fix-invalid-unsigned-signed-conversion-for-timespec-encoding.patch new file mode 100644 index 00000000000..399e5af1216 --- /dev/null 
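Review bot: The corrected bound in `hpfs_map_bitmap()` only runs when `sb_chk` is set (`if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands)`), so a crafted image that yields a bad `bmp_block` is still unchecked whenever consistency checking has been turned off; the new superblock size check in `hpfs_fill_super()` is unconditional, and this one should be too, since both defend against on-disk data rather than a logic error. Suggested: `if (bmp_block >= n_bands) {` with the `sb_chk` gate dropped. I cannot see from the hunk whether `sb_fs_size` is consumed before the new `>= 0x80000000` check runs; if an earlier read in `hpfs_fill_super()` depends on it, the check should move up.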
+++ b/queue-3.10/libceph-fix-invalid-unsigned-signed-conversion-for-timespec-encoding.patch 
@@ -0,0 +1,79 @@ +From 8b8cf8917f9b5d74e04f281272d8719ce335a497 Mon Sep 17 00:00:00 2001 +From: Josh Durgin +Date: Fri, 28 Jun 2013 13:13:16 -0700 +Subject: libceph: fix invalid unsigned->signed conversion for timespec encoding + +From: Josh Durgin + +commit 8b8cf8917f9b5d74e04f281272d8719ce335a497 upstream. + +__kernel_time_t is a long, which cannot hold a U32_MAX on 32-bit +architectures. Just drop this check as it has limited value. + +This fixes a crash like: + +[ 957.905812] kernel BUG at /srv/autobuild-ceph/gitbuilder.git/build/include/linux/ceph/decode.h:164! +[ 957.914849] Internal error: Oops - BUG: 0 [#1] SMP ARM +[ 957.919978] Modules linked in: rbd libceph libcrc32c ipmi_devintf ipmi_si ipmi_msghandler nfsd nfs_acl auth_rpcgss nfs fscache lockd sunrpc +[ 957.932547] CPU: 1 Tainted: G W (3.9.0-ceph-19bb6a83-highbank #1) +[ 957.939881] PC is at ceph_osdc_build_request+0x8c/0x4f8 [libceph] +[ 957.945967] LR is at 0xec520904 +[ 957.949103] pc : [] lr : [] psr: 20000153 +[ 957.949103] sp : ec753df8 ip : 00000001 fp : ec53e100 +[ 957.960571] r10: ebef25c0 r9 : ec5fa400 r8 : ecbcc000 +[ 957.965788] r7 : 00000000 r6 : 00000000 r5 : ffffffff r4 : 00000020 +[ 957.972307] r3 : 51cc8143 r2 : ec520900 r1 : ec753e58 r0 : ec520908 +[ 957.978827] Flags: nzCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment user +[ 957.986039] Control: 10c5387d Table: 2c59c04a DAC: 00000015 +[ 957.991777] Process rbd (pid: 2138, stack limit = 0xec752238) +[ 957.997514] Stack: (0xec753df8 to 0xec754000) +[ 958.001864] 3de0: 00000001 00000001 +[ 958.010032] 3e00: 00000001 bf139744 ecbcc000 ec55a0a0 00000024 00000000 ebef25c0 fffffffe +[ 958.018204] 3e20: ffffffff 00000000 00000000 00000001 ec5fa400 ebef25c0 ec53e100 bf166b68 +[ 958.026377] 3e40: 00000000 0000220f fffffffe ffffffff ec753e58 bf13ff24 51cc8143 05b25ed2 +[ 958.034548] 3e60: 00000001 00000000 00000000 bf1688d4 00000001 00000000 00000000 00000000 +[ 958.042720] 3e80: 00000001 00000060 ec5fa400 ed53d200 ed439600 ed439300 00000001 
00000060 +[ 958.050888] 3ea0: ec5fa400 ed53d200 00000000 bf16a320 00000000 ec53e100 00000040 ec753eb8 +[ 958.059059] 3ec0: ec51df00 ed53d7c0 ed53d200 ed53d7c0 00000000 ed53d7c0 ec5fa400 bf16ed70 +[ 958.067230] 3ee0: 00000000 00000060 00000002 ed53d200 00000000 bf16acf4 ed53d7c0 ec752000 +[ 958.075402] 3f00: ed980e50 e954f5d8 00000000 00000060 ed53d240 ed53d258 ec753f80 c04f44a8 +[ 958.083574] 3f20: edb7910c ec664700 01ade920 c02e4c44 00000060 c016b3dc ec51de40 01adfb84 +[ 958.091745] 3f40: 00000060 ec752000 ec753f80 ec752000 00000060 c0108444 00000007 ec51de48 +[ 958.099914] 3f60: ed0eb8c0 00000000 00000000 ec51de40 01adfb84 00000001 00000060 c0108858 +[ 958.108085] 3f80: 00000000 00000000 51cc8143 00000060 01adfb84 00000007 00000004 c000dd68 +[ 958.116257] 3fa0: 00000000 c000dbc0 00000060 01adfb84 00000007 01adfb84 00000060 01adfb80 +[ 958.124429] 3fc0: 00000060 01adfb84 00000007 00000004 beded1a8 00000000 01adf2f0 01ade920 +[ 958.132599] 3fe0: 00000000 beded180 b6811324 b6811334 800f0010 00000007 2e7f5821 2e7f5c21 +[ 958.140815] [] (ceph_osdc_build_request+0x8c/0x4f8 [libceph]) from [] (rbd_osd_req_format_write+0x50/0x7c [rbd]) +[ 958.152739] [] (rbd_osd_req_format_write+0x50/0x7c [rbd]) from [] (rbd_dev_header_watch_sync+0xe0/0x204 [rbd]) +[ 958.164486] [] (rbd_dev_header_watch_sync+0xe0/0x204 [rbd]) from [] (rbd_dev_image_probe+0x23c/0x850 [rbd]) +[ 958.175967] [] (rbd_dev_image_probe+0x23c/0x850 [rbd]) from [] (rbd_add+0x3c0/0x918 [rbd]) +[ 958.185975] [] (rbd_add+0x3c0/0x918 [rbd]) from [] (bus_attr_store+0x20/0x2c) +[ 958.194850] [] (bus_attr_store+0x20/0x2c) from [] (sysfs_write_file+0x168/0x198) +[ 958.203984] [] (sysfs_write_file+0x168/0x198) from [] (vfs_write+0x9c/0x170) +[ 958.212768] [] (vfs_write+0x9c/0x170) from [] (sys_write+0x3c/0x70) +[ 958.220768] [] (sys_write+0x3c/0x70) from [] (ret_fast_syscall+0x0/0x30) +[ 958.229199] Code: e59d1058 e5913000 e3530000 ba000114 (e7f001f2) + +Signed-off-by: Josh Durgin +Reviewed-by: Sage Weil +Signed-off-by: 
Greg Kroah-Hartman + +--- + include/linux/ceph/decode.h | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/include/linux/ceph/decode.h ++++ b/include/linux/ceph/decode.h +@@ -160,11 +160,6 @@ static inline void ceph_decode_timespec( + static inline void ceph_encode_timespec(struct ceph_timespec *tv, + const struct timespec *ts) + { +- BUG_ON(ts->tv_sec < 0); +- BUG_ON(ts->tv_sec > (__kernel_time_t)U32_MAX); +- BUG_ON(ts->tv_nsec < 0); +- BUG_ON(ts->tv_nsec > (long)U32_MAX); +- + tv->tv_sec = cpu_to_le32((u32)ts->tv_sec); + tv->tv_nsec = cpu_to_le32((u32)ts->tv_nsec); + } diff --git a/queue-3.10/libceph-fix-null-pointer-dereference-in-auth-client-code.patch b/queue-3.10/libceph-fix-null-pointer-dereference-in-auth-client-code.patch new file mode 100644 index 00000000000..d445460c629 --- /dev/null +++ b/queue-3.10/libceph-fix-null-pointer-dereference-in-auth-client-code.patch 
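Review bot: Dropping the four `BUG_ON`s is the right call — a value supplied by a caller should not be able to halt the kernel — but the encoder now silently truncates rather than rejects, and nothing at the site says so. Suggested comment above the two assignments: `/* wire format is u32 seconds/nanoseconds; out-of-range values wrap rather than fail, the u32 casts are deliberate */`. If any caller relied on the old checks to catch a negative `tv_sec`, that is now the receiving side's problem; nothing in the hunk shows such a caller, so this is a note rather than a defect.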
@@ -0,0 +1,49 @@ +From 2cb33cac622afde897aa02d3dcd9fbba8bae839e Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 20 Jun 2013 13:13:59 -0700 +Subject: libceph: Fix NULL pointer dereference in auth client code + +From: Tyler Hicks + +commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream. + +A malicious monitor can craft an auth reply message that could cause a +NULL function pointer dereference in the client's kernel. + +To prevent this, the auth_none protocol handler needs an empty +ceph_auth_client_ops->build_request() function. + +CVE-2013-1059 + +Signed-off-by: Tyler Hicks +Reported-by: Chanam Park +Reviewed-by: Seth Arnold +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/auth_none.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ceph/auth_none.c ++++ b/net/ceph/auth_none.c +@@ -39,6 +39,11 @@ static int should_authenticate(struct ce + return xi->starting; + } + ++static int build_request(struct ceph_auth_client *ac, void *buf, void *end) ++{ ++ return 0; ++} ++ + /* + * the generic auth code decode the global_id, and we carry no actual + * authenticate state, so nothing happens here. +@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops + .destroy = destroy, + .is_authenticated = is_authenticated, + .should_authenticate = should_authenticate, ++ .build_request = build_request, + .handle_reply = handle_reply, + .create_authorizer = ceph_auth_none_create_authorizer, + .destroy_authorizer = ceph_auth_none_destroy_authorizer, diff --git a/queue-3.10/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch b/queue-3.10/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch new file mode 100644 index 00000000000..dbc385304c1 --- /dev/null +++ b/queue-3.10/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch 
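Review bot: The stub fixes the `auth_none` handler, but the root cause is that the generic auth client calls `ops->build_request` without checking the pointer, and that call site is not in this hunk; any other handler that leaves the callback unset stays exposed to the same crafted reply. A NULL check at the caller (`if (!ac->ops->build_request) return -EINVAL;` or equivalent) would make the ops table defensively complete in one place instead of relying on every handler filling every slot. The stub itself should say why it exists: `/* auth_none carries no state; a crafted monitor reply must not reach a NULL callback (CVE-2013-1059) */`.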
@@ -0,0 +1,30 @@ +From 7b175c46720f8e6b92801bb634c93d1016f80c62 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 18 Jun 2013 12:58:12 -0700 +Subject: MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information + +From: Greg Kroah-Hartman + +commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream. + +This hopefully will help point developers to the proper way that patches +should be submitted for inclusion in the stable kernel releases. + +Reported-by: David Howells +Acked-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + MAINTAINERS | 1 + + 1 file changed, 1 insertion(+) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -7667,6 +7667,7 @@ STABLE BRANCH + M: Greg Kroah-Hartman + L: stable@vger.kernel.org + S: Supported ++F: Documentation/stable_kernel_rules.txt + + STAGING SUBSYSTEM + M: Greg Kroah-Hartman diff --git a/queue-3.10/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch b/queue-3.10/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch new file mode 100644 index 00000000000..095c5a2096f --- /dev/null +++ b/queue-3.10/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch 
@@ -0,0 +1,100 @@ +From 8d8022e8aba85192e937f1f0f7450e256d66ae5c Mon Sep 17 00:00:00 2001 +From: Rusty Russell +Date: Wed, 3 Jul 2013 10:06:28 +0930 +Subject: module: do percpu allocation after uniqueness check. No, really! + +From: Rusty Russell + +commit 8d8022e8aba85192e937f1f0f7450e256d66ae5c upstream. + +v3.8-rc1-5-g1fb9341 was supposed to stop parallel kvm loads exhausting +percpu memory on large machines: + + Now we have a new state MODULE_STATE_UNFORMED, we can insert the + module into the list (and thus guarantee its uniqueness) before we + allocate the per-cpu region. + +In my defence, it didn't actually say the patch did this. Just that +we "can". + +This patch actually *does* it. + +Signed-off-by: Rusty Russell +Tested-by: Jim Hull +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/module.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2927,7 +2927,6 @@ static struct module *layout_and_allocat + { + /* Module within temporary copy. */ + struct module *mod; +- Elf_Shdr *pcpusec; + int err; + + mod = setup_load_info(info, flags); +@@ -2942,17 +2941,10 @@ static struct module *layout_and_allocat + err = module_frob_arch_sections(info->hdr, info->sechdrs, + info->secstrings, mod); + if (err < 0) +- goto out; ++ return ERR_PTR(err); + +- pcpusec = &info->sechdrs[info->index.pcpu]; +- if (pcpusec->sh_size) { +- /* We have a special allocation for this section. */ +- err = percpu_modalloc(mod, +- pcpusec->sh_size, pcpusec->sh_addralign); +- if (err) +- goto out; +- pcpusec->sh_flags &= ~(unsigned long)SHF_ALLOC; +- } ++ /* We will do a special allocation for per-cpu sections later. */ ++ info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; + + /* Determine total sizes, and put offsets in sh_entsize. 
For now + this is done generically; there doesn't appear to be any +@@ -2963,17 +2955,22 @@ static struct module *layout_and_allocat + /* Allocate and move to the final place */ + err = move_module(mod, info); + if (err) +- goto free_percpu; ++ return ERR_PTR(err); + + /* Module has been copied to its final place now: return it. */ + mod = (void *)info->sechdrs[info->index.mod].sh_addr; + kmemleak_load_module(mod, info); + return mod; ++} + +-free_percpu: +- percpu_modfree(mod); +-out: +- return ERR_PTR(err); ++static int alloc_module_percpu(struct module *mod, struct load_info *info) ++{ ++ Elf_Shdr *pcpusec = &info->sechdrs[info->index.pcpu]; ++ if (!pcpusec->sh_size) ++ return 0; ++ ++ /* We have a special allocation for this section. */ ++ return percpu_modalloc(mod, pcpusec->sh_size, pcpusec->sh_addralign); + } + + /* mod is no longer valid after this! */ +@@ -3237,6 +3234,11 @@ static int load_module(struct load_info + } + #endif + ++ /* To avoid stressing percpu allocator, do this once we're unique. */ ++ err = alloc_module_percpu(mod, info); ++ if (err) ++ goto unlink_mod; ++ + /* Now module is in final location, initialize linked lists, etc. */ + err = module_unload_init(mod); + if (err) diff --git a/queue-3.10/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch b/queue-3.10/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch new file mode 100644 index 00000000000..c08c7c95c63 --- /dev/null +++ b/queue-3.10/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch 
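Review bot: Moving `alloc_module_percpu()` after the uniqueness check removes the `free_percpu:` unwind from `layout_and_allocate()`, so the per-cpu region is now owned by `load_module()` once allocated; the `goto unlink_mod` on failure and every later failure path in `load_module()` must therefore call `percpu_modfree()`, and none of those paths is visible in the hunk. Worth confirming that the unwind labels (or `free_module()`) release it, otherwise a failed load leaks per-cpu memory, which is exactly what the change is trying to stop. A comment above the new call, `/* percpu region is freed by the unwind path below, not by layout_and_allocate() */`, would record the new ownership. `load_module()` starts and ends outside the hunk.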
@@ -0,0 +1,35 @@ +From 828c6a102b1f2b8583fadc0e779c46b31d448f0b Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sun, 30 Jun 2013 09:03:06 -0700 +Subject: Revert "serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller" + +From: Greg Kroah-Hartman + +commit 828c6a102b1f2b8583fadc0e779c46b31d448f0b upstream. + +This reverts commit 8d2f8cd424ca0b99001f3ff4f5db87c4e525f366. + +As reported by Stefan, this device already works with the parport_serial +driver, so the 8250_pci driver should not also try to grab it as well. + +Reported-by: Stefan Seyfried +Cc: Wang YanQing +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_pci.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -4797,10 +4797,6 @@ static struct pci_device_id serial_pci_t + PCI_VENDOR_ID_IBM, 0x0299, + 0, 0, pbn_b0_bt_2_115200 }, + +- { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835, +- 0x1000, 0x0012, +- 0, 0, pbn_b0_bt_2_115200 }, +- + { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9901, + 0xA000, 0x1000, + 0, 0, pbn_b0_1_115200 }, diff --git a/queue-3.10/series b/queue-3.10/series new file mode 100644 index 00000000000..30bb22d4632 --- /dev/null +++ b/queue-3.10/series 
@@ -0,0 +1,13 @@ +libceph-fix-null-pointer-dereference-in-auth-client-code.patch +ceph-fix-sleeping-function-called-from-invalid-context.patch +libceph-fix-invalid-unsigned-signed-conversion-for-timespec-encoding.patch +drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch +module-do-percpu-allocation-after-uniqueness-check.-no-really.patch +charger-manager-ensure-event-is-not-used-as-format-string.patch +hpfs-better-test-for-errors.patch +block-do-not-pass-disk-names-as-format-strings.patch +crypto-sanitize-argument-for-format-string.patch +maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch +futex-take-hugepages-into-account-when-generating-futex_key.patch +tty-reset-itty-for-other-pty.patch +revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch diff --git a/queue-3.10/tty-reset-itty-for-other-pty.patch b/queue-3.10/tty-reset-itty-for-other-pty.patch new file mode 100644 index 00000000000..6e06573e352 --- /dev/null +++ b/queue-3.10/tty-reset-itty-for-other-pty.patch 
@@ -0,0 +1,34 @@ +From 64e377dcd7d75c241d614458e9619d3445de44ef Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Sat, 15 Jun 2013 09:01:00 -0400 +Subject: tty: Reset itty for other pty + +From: Peter Hurley + +commit 64e377dcd7d75c241d614458e9619d3445de44ef upstream. + +Commit 19ffd68f816878aed456d5e87697f43bd9e3bd2b +('pty: Remove redundant itty reset') introduced a regression +whereby the other pty's linkage is not cleared on teardown. +This triggers a false positive diagnostic in testing. + +Properly reset the itty linkage. + +Signed-off-by: Peter Hurley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1618,6 +1618,8 @@ static void release_tty(struct tty_struc + tty_free_termios(tty); + tty_driver_remove_tty(tty->driver, tty); + tty->port->itty = NULL; ++ if (tty->link) ++ tty->link->port->itty = NULL; + cancel_work_sync(&tty->port->buf.work); + + if (tty->link) -- 2.47.3
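Review bot: The new line dereferences `tty->link->port` without a check, while the line it mirrors, `tty->port->itty = NULL;`, is for a tty whose `port` this function already relies on; if a pty side can have `link` set with `port` not yet attached, this is a NULL dereference on teardown. I cannot tell from the hunk whether that state is reachable, so at minimum a comment: `/* clear the peer's back-link too; for a pty pair the peer's port is always set */`. There is also a second `if (tty->link)` two lines below, after `cancel_work_sync()`; if the ordering does not matter, folding the new statement into that block avoids the duplicate test. `release_tty()` continues outside the hunk.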