From f60cbe8cd65b318fe44f87a47cf46e0f1b702e8b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 6 Oct 2008 15:36:49 -0700
Subject: [PATCH] more .26 patches
---
 ...rmac-hp-detection-for-1st-imac-g3-sl.patch | 104 +++++++++++
 ...-powermac-mixers-for-powermac-g4-agp.patch | 95 ++++++++++
 ...ers-when-the-braille-console-is-used.patch | 57 ++++++
 ...x-monochrome-color-value-calculation.patch | 39 +++++
 ...er-fix-race-between-swapoff-and-exit.patch | 163 ++++++++++++++++++
 ...-on-second-use-of-sigio-nofitication.patch | 118 +++++++++++++
 ...dding-area-read-write-in-31-bit-mode.patch | 113 ++++++++++++
 queue-2.6.26/series | 7 +
 8 files changed, 696 insertions(+)
 create mode 100644 queue-2.6.26/alsa-snd-powermac-hp-detection-for-1st-imac-g3-sl.patch
 create mode 100644 queue-2.6.26/alsa-snd-powermac-mixers-for-powermac-g4-agp.patch
 create mode 100644 queue-2.6.26/braille_console-only-register-notifiers-when-the-braille-console-is-used.patch
 create mode 100644 queue-2.6.26/fbcon-fix-monochrome-color-value-calculation.patch
 create mode 100644 queue-2.6.26/mm-owner-fix-race-between-swapoff-and-exit.patch
 create mode 100644 queue-2.6.26/rtc-fix-kernel-panic-on-second-use-of-sigio-nofitication.patch
 create mode 100644 queue-2.6.26/s390-cve-2008-1514-prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch
diff --git a/queue-2.6.26/alsa-snd-powermac-hp-detection-for-1st-imac-g3-sl.patch b/queue-2.6.26/alsa-snd-powermac-hp-detection-for-1st-imac-g3-sl.patch
new file mode 100644
index 00000000000..4b31fe33470
--- /dev/null
+++ b/queue-2.6.26/alsa-snd-powermac-hp-detection-for-1st-imac-g3-sl.patch
@@ -0,0 +1,104 @@
+From jejb@kernel.org Mon Oct 6 15:30:17 2008
+From: Risto Suominen
+Date: Thu, 2 Oct 2008 22:55:15 GMT
+Subject: ALSA: snd-powermac: HP detection for 1st iMac G3 SL
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810022255.m92MtFC3022982@hera.kernel.org>
+
+From: Risto Suominen
+
+commit 030b655b062fe5190fc490e0091ea50307d7a86f upstream
+
+Correct headphone detection for 1st generation iMac G3 Slot-loading (Screamer).
+
+This patch fixes the regression in the recent snd-powermac which
+doesn't support some G3/G4 PowerMacs:
+ http://lkml.org/lkml/2008/10/1/220
+
+Signed-off-by: Risto Suominen
+Tested-by: Mariusz Kozlowski
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/ppc/awacs.c | 31 ++++++++++++++++++++++---------
+ 1 file changed, 22 insertions(+), 9 deletions(-)
+
+--- a/sound/ppc/awacs.c
++++ b/sound/ppc/awacs.c
+@@ -695,7 +695,10 @@ static struct snd_kcontrol_new snd_pmac_
+ static struct snd_kcontrol_new snd_pmac_awacs_speaker_sw __initdata =
+ AWACS_SWITCH("PC Speaker Playback Switch", 1, SHIFT_SPKMUTE, 1);
+
+-static struct snd_kcontrol_new snd_pmac_awacs_speaker_sw_imac __initdata =
++static struct snd_kcontrol_new snd_pmac_awacs_speaker_sw_imac1 __initdata =
++AWACS_SWITCH("PC Speaker Playback Switch", 1, SHIFT_PAROUT1, 1);
++
++static struct snd_kcontrol_new snd_pmac_awacs_speaker_sw_imac2 __initdata =
+ AWACS_SWITCH("PC Speaker Playback Switch", 1, SHIFT_PAROUT1, 0);
+
+
+@@ -772,12 +775,12 @@ static void snd_pmac_awacs_resume(struct
+
+ #define IS_PM7500 (machine_is_compatible("AAPL,7500"))
+ #define IS_BEIGE (machine_is_compatible("AAPL,Gossamer"))
+-#define IS_IMAC (machine_is_compatible("PowerMac2,1") \
+- || machine_is_compatible("PowerMac2,2") \
++#define IS_IMAC1 (machine_is_compatible("PowerMac2,1"))
++#define IS_IMAC2 (machine_is_compatible("PowerMac2,2") \
+ || machine_is_compatible("PowerMac4,1"))
+ #define IS_G4AGP (machine_is_compatible("PowerMac3,1"))
+
+-static int imac;
++static int imac1, imac2;
+
+ #ifdef PMAC_SUPPORT_AUTOMUTE
+ /*
+@@ -823,13 +826,18 @@ static void snd_pmac_awacs_update_automu
+ {
+ int reg = chip->awacs_reg[1]
+ | (MASK_HDMUTE | MASK_SPKMUTE);
+- if (imac) {
++ if (imac1) {
++ reg &= ~MASK_SPKMUTE;
++ reg |= MASK_PAROUT1;
++ } else if (imac2) {
+ reg &= ~MASK_SPKMUTE;
+ reg &= ~MASK_PAROUT1;
+ }
+ if (snd_pmac_awacs_detect_headphone(chip))
+ reg &= ~MASK_HDMUTE;
+- else if (imac)
++ else if (imac1)
++ reg &= ~MASK_PAROUT1;
++ else if (imac2)
+ reg |= MASK_PAROUT1;
+ else
+ reg &= ~MASK_SPKMUTE;
+@@ -859,9 +867,12 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+ int pm7500 = IS_PM7500;
+ int beige = IS_BEIGE;
+ int g4agp = IS_G4AGP;
++ int imac;
+ int err, vol;
+
+- imac = IS_IMAC;
++ imac1 = IS_IMAC1;
++ imac2 = IS_IMAC2;
++ imac = imac1 || imac2;
+ /* looks like MASK_GAINLINE triggers something, so we set here
+ * as start-up
+ */
+@@ -1017,8 +1028,10 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+ snd_pmac_awacs_speaker_vol);
+ if (err < 0)
+ return err;
+- chip->speaker_sw_ctl = snd_ctl_new1(imac
+- ? &snd_pmac_awacs_speaker_sw_imac
++ chip->speaker_sw_ctl = snd_ctl_new1(imac1
++ ? &snd_pmac_awacs_speaker_sw_imac1
++ : imac2
++ ? &snd_pmac_awacs_speaker_sw_imac2
+ : &snd_pmac_awacs_speaker_sw, chip);
+ err = snd_ctl_add(chip->card, chip->speaker_sw_ctl);
+ if (err < 0)
diff --git a/queue-2.6.26/alsa-snd-powermac-mixers-for-powermac-g4-agp.patch b/queue-2.6.26/alsa-snd-powermac-mixers-for-powermac-g4-agp.patch
new file mode 100644
index 00000000000..23a84e87380
--- /dev/null
+++ b/queue-2.6.26/alsa-snd-powermac-mixers-for-powermac-g4-agp.patch
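Review bot: The new file-scope `static int imac1, imac2;` carries no comment saying what separates the two models, although the only visible difference is the last AWACS_SWITCH argument (1 versus 0) on the two "PC Speaker Playback Switch" controls and the mirrored MASK_PAROUT1 handling in snd_pmac_awacs_update_automute, which presumably reflects opposite PAROUT1 wiring — that should be confirmed. A comment such as `/* imac1: PowerMac2,1 (1st-gen slot-loading iMac G3); imac2: PowerMac2,2 / PowerMac4,1 — the two drive PAROUT1 with opposite sense */` above that declaration would spare the next reader reconstructing it from four hunks. The nested conditional handed to snd_ctl_new1() in the last hunk is hard to read; picking the control into a local first, `const struct snd_kcontrol_new *sw = imac1 ? &snd_pmac_awacs_speaker_sw_imac1 : imac2 ? &snd_pmac_awacs_speaker_sw_imac2 : &snd_pmac_awacs_speaker_sw;` followed by `chip->speaker_sw_ctl = snd_ctl_new1(sw, chip);`, keeps the selection on one line and the call on another. snd_pmac_awacs_update_automute and snd_pmac_awacs_init both extend beyond the hunks shown.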
@@ -0,0 +1,95 @@
+From jejb@kernel.org Mon Oct 6 15:30:43 2008
+From: Risto Suominen
+Date: Thu, 2 Oct 2008 22:55:18 GMT
+Subject: ALSA: snd-powermac: mixers for PowerMac G4 AGP
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810022255.m92MtIJm022994@hera.kernel.org>
+
+From: Risto Suominen
+
+commit 4dbf95ba6c344186ec6d38ff514dc675da464bec upstream
+
+Add mixer controls for PowerMac G4 AGP (Screamer).
+
+This patch fixes the regression in the recent snd-powermac which
+doesn't support some G3/G4 PowerMacs:
+ http://lkml.org/lkml/2008/10/1/220
+
+Signed-off-by: Risto Suominen
+Tested-by: Mariusz Kozlowski
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/ppc/awacs.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/sound/ppc/awacs.c
++++ b/sound/ppc/awacs.c
+@@ -621,6 +621,13 @@ static struct snd_kcontrol_new snd_pmac_
+ AWACS_SWITCH("CD Capture Switch", 0, SHIFT_MUX_CD, 0),
+ };
+
++static struct snd_kcontrol_new snd_pmac_screamer_mixers_g4agp[] __initdata = {
++ AWACS_VOLUME("Line out Playback Volume", 2, 6, 1),
++ AWACS_VOLUME("Master Playback Volume", 5, 6, 1),
++ AWACS_SWITCH("CD Capture Switch", 0, SHIFT_MUX_CD, 0),
++ AWACS_SWITCH("Line Capture Switch", 0, SHIFT_MUX_MIC, 0),
++};
++
+ static struct snd_kcontrol_new snd_pmac_awacs_mixers_pmac7500[] __initdata = {
+ AWACS_VOLUME("Line out Playback Volume", 2, 6, 1),
+ AWACS_SWITCH("CD Capture Switch", 0, SHIFT_MUX_CD, 0),
+@@ -768,6 +775,7 @@ static void snd_pmac_awacs_resume(struct
+ #define IS_IMAC (machine_is_compatible("PowerMac2,1") \
+ || machine_is_compatible("PowerMac2,2") \
+ || machine_is_compatible("PowerMac4,1"))
++#define IS_G4AGP (machine_is_compatible("PowerMac3,1"))
+
+ static int imac;
+
+@@ -850,6 +858,7 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+ {
+ int pm7500 = IS_PM7500;
+ int beige = IS_BEIGE;
++ int g4agp = IS_G4AGP;
+ int err, vol;
+
+ imac = IS_IMAC;
+@@ -939,7 +948,7 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+ snd_pmac_awacs_mixers);
+ if (err < 0)
+ return err;
+- if (beige)
++ if (beige || g4agp)
+ ;
+ else if (chip->model == PMAC_SCREAMER)
+ err = build_mixers(chip, ARRAY_SIZE(snd_pmac_screamer_mixers2),
+@@ -961,13 +970,17 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+ err = build_mixers(chip,
+ ARRAY_SIZE(snd_pmac_screamer_mixers_imac),
+ snd_pmac_screamer_mixers_imac);
++ else if (g4agp)
++ err = build_mixers(chip,
++ ARRAY_SIZE(snd_pmac_screamer_mixers_g4agp),
++ snd_pmac_screamer_mixers_g4agp);
+ else
+ err = build_mixers(chip,
+ ARRAY_SIZE(snd_pmac_awacs_mixers_pmac),
+ snd_pmac_awacs_mixers_pmac);
+ if (err < 0)
+ return err;
+- chip->master_sw_ctl = snd_ctl_new1((pm7500 || imac)
++ chip->master_sw_ctl = snd_ctl_new1((pm7500 || imac || g4agp)
+ ? &snd_pmac_awacs_master_sw_imac
+ : &snd_pmac_awacs_master_sw, chip);
+ err = snd_ctl_add(chip->card, chip->master_sw_ctl);
+@@ -1012,7 +1025,7 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+ return err;
+ }
+
+- if (beige)
++ if (beige || g4agp)
+ err = build_mixers(chip,
+ ARRAY_SIZE(snd_pmac_screamer_mic_boost_beige),
+ snd_pmac_screamer_mic_boost_beige);
diff --git a/queue-2.6.26/braille_console-only-register-notifiers-when-the-braille-console-is-used.patch b/queue-2.6.26/braille_console-only-register-notifiers-when-the-braille-console-is-used.patch
new file mode 100644
index 00000000000..344b93bfa83
--- /dev/null
+++ b/queue-2.6.26/braille_console-only-register-notifiers-when-the-braille-console-is-used.patch
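Review bot: The last hunk makes the PowerMac3,1 path reuse `snd_pmac_screamer_mic_boost_beige` without saying why, so the `_beige` suffix now misleads on the G4 AGP branch; a comment on that `if (beige || g4agp)` line, `/* G4 AGP (PowerMac3,1) shares the beige G3 mic-boost layout */`, would record the intent. In the first hunk the widened `if (beige || g4agp) ;` keeps an empty-statement branch whose only visible purpose is to skip the `_mixers2` tables chosen by the following else-if chain; either `/* no mixers2 table for beige G3 and G4 AGP */` on that line, or inverting the test so the skipped models are named positively, would make that readable. The same `g4agp` flag is also folded into the master switch selection `(pm7500 || imac || g4agp)`, so a reader now has three separate places to learn what the G4 AGP differs in — a short comment next to `#define IS_G4AGP` listing them would help. snd_pmac_awacs_init starts and ends outside the hunks.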
@@ -0,0 +1,57 @@
+From jejb@kernel.org Mon Oct 6 15:29:19 2008
+From: Pascal Terjan
+Date: Fri, 3 Oct 2008 01:45:55 GMT
+Subject: braille_console: only register notifiers when the braille console is used
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810030145.m931jt1T007158@hera.kernel.org>
+
+From: Pascal Terjan
+
+commit c0c9209ddd96bc4f1d70a8b9958710671e076080 upstream
+
+Only register the braille driver VT and keyboard notifiers when the
+braille console is used. Avoids eating insert or backspace keys.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=11242
+
+Signed-off-by: Pascal Terjan
+Signed-off-by: Samuel Thibault
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Cc: Moritz Muehlenhoff
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/accessibility/braille/braille_console.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/accessibility/braille/braille_console.c
++++ b/drivers/accessibility/braille/braille_console.c
+@@ -376,6 +376,8 @@ int braille_register_console(struct cons
+ console->flags |= CON_ENABLED;
+ console->index = index;
+ braille_co = console;
++ register_keyboard_notifier(&keyboard_notifier_block);
++ register_vt_notifier(&vt_notifier_block);
+ return 0;
+ }
+
+@@ -383,15 +385,8 @@ int braille_unregister_console(struct co
+ {
+ if (braille_co != console)
+ return -EINVAL;
++ unregister_keyboard_notifier(&keyboard_notifier_block);
++ unregister_vt_notifier(&vt_notifier_block);
+ braille_co = NULL;
+ return 0;
+ }
+-
+-static int __init braille_init(void)
+-{
+- register_keyboard_notifier(&keyboard_notifier_block);
+- register_vt_notifier(&vt_notifier_block);
+- return 0;
+-}
+-
+-console_initcall(braille_init);
diff --git a/queue-2.6.26/fbcon-fix-monochrome-color-value-calculation.patch b/queue-2.6.26/fbcon-fix-monochrome-color-value-calculation.patch
new file mode 100644
index 00000000000..c4a80127eba
--- /dev/null
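Review bot: braille_register_console now registers `keyboard_notifier_block` and `vt_notifier_block` unconditionally once `braille_co` is set, so unless the part of the function above the hunk already refuses a second console while `braille_co` is non-NULL, a repeated registration would link the same notifier_block into each chain twice, which I believe the notifier code of this era does not detect. A guard near the top of the function, `if (braille_co) return -EBUSY;`, or a comment pointing at where that is already enforced, would settle it. The int results of both register calls are also discarded; if they can report failure, `braille_co` should be cleared on that path so braille_unregister_console does not later unregister blocks that were never added. braille_register_console begins before the hunk.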
+++ b/queue-2.6.26/fbcon-fix-monochrome-color-value-calculation.patch
@@ -0,0 +1,39 @@
+From jejb@kernel.org Mon Oct 6 15:31:35 2008
+From: David Winn
+Date: Fri, 3 Oct 2008 01:46:02 GMT
+Subject: fbcon: fix monochrome color value calculation
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810030146.m931k2hV007197@hera.kernel.org>
+
+From: David Winn
+
+commit 08650869e0ec581f8d88cfdb563d37f5383abfe2 upstream
+
+Commit 22af89aa0c0b4012a7431114a340efd3665a7617 ("fbcon: replace mono_col
+macro with static inline") changed the order of operations for computing
+monochrome color values. This generates 0xffff000f instead of 0x0000000f
+for a 4 bit monochrome color, leading to image corruption if it is passed
+to cfb_imageblit or other similar functions. Fix it up.
+
+Cc: Harvey Harrison
+Cc: "Antonino A. Daplas"
+Cc: Krzysztof Helt
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/console/fbcon.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/console/fbcon.h
++++ b/drivers/video/console/fbcon.h
+@@ -110,7 +110,7 @@ static inline int mono_col(const struct
+ __u32 max_len;
+ max_len = max(info->var.green.length, info->var.red.length);
+ max_len = max(info->var.blue.length, max_len);
+- return ~(0xfff << (max_len & 0xff));
++ return (~(0xfff << max_len)) & 0xff;
+ }
+
+ static inline int attr_col_ec(int shift, struct vc_data *vc,
diff --git a/queue-2.6.26/mm-owner-fix-race-between-swapoff-and-exit.patch b/queue-2.6.26/mm-owner-fix-race-between-swapoff-and-exit.patch
new file mode 100644
index 00000000000..7d19c7789d4
--- /dev/null
+++ b/queue-2.6.26/mm-owner-fix-race-between-swapoff-and-exit.patch
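Review bot: `return (~(0xfff << max_len)) & 0xff;` left-shifts a signed int by a `__u32` derived from `info->var.*.length`, so for max_len >= 20 the shift runs into the sign bit and for max_len >= 32 the shift amount itself is out of range, both undefined behaviour in C even though the result is masked to 8 bits afterwards. Since every value with max_len >= 8 already yields 0xff, clamping the shift keeps the result identical for all defined cases and removes the UB: `return max_len >= 8 ? 0xff : (~(0xffu << max_len)) & 0xff;`. The var.*.length fields can be proposed by userspace through FBIOPUT_VSCREENINFO, so unless every driver's fb_check_var normalizes them the bound should not be assumed. mono_col begins before the hunk.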
@@ -0,0 +1,163 @@
+From hugh@veritas.com Mon Oct 6 15:32:49 2008
+From: Balbir Singh
+Date: Sun, 5 Oct 2008 17:43:37 +0100 (BST)
+Subject: mm owner: fix race between swapoff and exit
+To: stable@kernel.org
+Cc: Jiri Slaby , Daisuke Nishimura , Andrew Morton , Linus Torvalds , Paul Menage , KAMEZAWA Hiroyuki , Balbir Singh
+Message-ID:
+
+From: Balbir Singh
+
+[Here's a backport of 2.6.27-rc8's 31a78f23bac0069004e69f98808b6988baccb6b6
+ to 2.6.26 or 2.6.26.5: I wouldn't trouble -stable for the (root only)
+ swapoff case which uncovered the bug, but the /proc// case
+ is open to all, so I think worth plugging in the next 2.6.26-stable.
+ - Hugh]
+
+
+There's a race between mm->owner assignment and swapoff, more easily
+seen when task slab poisoning is turned on. The condition occurs when
+try_to_unuse() runs in parallel with an exiting task. A similar race
+can occur with callers of get_task_mm(), such as /proc//
+or ptrace or page migration.
+
+CPU0 CPU1
+ try_to_unuse
+ looks at mm = task0->mm
+ increments mm->mm_users
+task 0 exits
+mm->owner needs to be updated, but no
+new owner is found (mm_users > 1, but
+no other task has task->mm = task0->mm)
+mm_update_next_owner() leaves
+ mmput(mm) decrements mm->mm_users
+task0 freed
+ dereferencing mm->owner fails
+
+The fix is to notify the subsystem via mm_owner_changed callback(),
+if no new owner is found, by specifying the new task as NULL.
+
+Jiri Slaby:
+mm->owner was set to NULL prior to calling cgroup_mm_owner_callbacks(), but
+must be set after that, so as not to pass NULL as old owner causing oops.
+
+Daisuke Nishimura:
+mm_update_next_owner() may set mm->owner to NULL, but mem_cgroup_from_task()
+and its callers need to take account of this situation to avoid oops.
+
+Hugh Dickins:
+Lockdep warning and hang below exec_mmap() when testing these patches.
+exit_mm() up_reads mmap_sem before calling mm_update_next_owner(),
+so exec_mmap() now needs to do the same. And with that repositioning,
+there's now no point in mm_need_new_owner() allowing for NULL mm.
+
+Reported-by: Hugh Dickins
+Signed-off-by: Balbir Singh
+Signed-off-by: Jiri Slaby
+Signed-off-by: Daisuke Nishimura
+Signed-off-by: Hugh Dickins
+Cc: KAMEZAWA Hiroyuki
+Cc: Paul Menage
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/exec.c | 2 +-
+ kernel/cgroup.c | 5 +++--
+ kernel/exit.c | 12 ++++++++++--
+ mm/memcontrol.c | 13 +++++++++++++
+ 4 files changed, 27 insertions(+), 5 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -740,11 +740,11 @@ static int exec_mmap(struct mm_struct *m
+ tsk->active_mm = mm;
+ activate_mm(active_mm, mm);
+ task_unlock(tsk);
+- mm_update_next_owner(old_mm);
+ arch_pick_mmap_layout(mm);
+ if (old_mm) {
+ up_read(&old_mm->mmap_sem);
+ BUG_ON(active_mm != old_mm);
++ mm_update_next_owner(old_mm);
+ mmput(old_mm);
+ return 0;
+ }
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -2761,14 +2761,15 @@ void cgroup_fork_callbacks(struct task_s
+ */
+ void cgroup_mm_owner_callbacks(struct task_struct *old, struct task_struct *new)
+ {
+- struct cgroup *oldcgrp, *newcgrp;
++ struct cgroup *oldcgrp, *newcgrp = NULL;
+
+ if (need_mm_owner_callback) {
+ int i;
+ for (i = 0; i < CGROUP_SUBSYS_COUNT; i++) {
+ struct cgroup_subsys *ss = subsys[i];
+ oldcgrp = task_cgroup(old, ss->subsys_id);
+- newcgrp = task_cgroup(new, ss->subsys_id);
++ if (new)
++ newcgrp = task_cgroup(new, ss->subsys_id);
+ if (oldcgrp == newcgrp)
+ continue;
+ if (ss->mm_owner_changed)
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -577,8 +577,6 @@ mm_need_new_owner(struct mm_struct *mm,
+ * If there are other users of the mm and the owner (us) is exiting
+ * we need to find a new owner to take on the responsibility.
+ */
+- if (!mm)
+- return 0;
+ if (atomic_read(&mm->mm_users) <= 1)
+ return 0;
+ if (mm->owner != p)
+@@ -621,6 +619,16 @@ retry:
+ } while_each_thread(g, c);
+
+ read_unlock(&tasklist_lock);
++ /*
++ * We found no owner yet mm_users > 1: this implies that we are
++ * most likely racing with swapoff (try_to_unuse()) or /proc or
++ * ptrace or page migration (get_task_mm()). Mark owner as NULL,
++ * so that subsystems can understand the callback and take action.
++ */
++ down_write(&mm->mmap_sem);
++ cgroup_mm_owner_callbacks(mm->owner, NULL);
++ mm->owner = NULL;
++ up_write(&mm->mmap_sem);
+ return;
+
+ assign_new_owner:
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -250,6 +250,14 @@ static struct mem_cgroup *mem_cgroup_fro
+
+ struct mem_cgroup *mem_cgroup_from_task(struct task_struct *p)
+ {
++ /*
++ * mm_update_next_owner() may clear mm->owner to NULL
++ * if it races with swapoff, page migration, etc.
++ * So this can be called with p == NULL.
++ */
++ if (unlikely(!p))
++ return NULL;
++
+ return container_of(task_subsys_state(p, mem_cgroup_subsys_id),
+ struct mem_cgroup, css);
+ }
+@@ -574,6 +582,11 @@ retry:
+
+ rcu_read_lock();
+ mem = mem_cgroup_from_task(rcu_dereference(mm->owner));
++ if (unlikely(!mem)) {
++ rcu_read_unlock();
++ kmem_cache_free(page_cgroup_cache, pc);
++ return 0;
++ }
+ /*
+ * For every charge from the cgroup, increment reference count
+ */
diff --git a/queue-2.6.26/rtc-fix-kernel-panic-on-second-use-of-sigio-nofitication.patch b/queue-2.6.26/rtc-fix-kernel-panic-on-second-use-of-sigio-nofitication.patch
new file mode 100644
index 00000000000..266df924e3c
--- /dev/null
+++ b/queue-2.6.26/rtc-fix-kernel-panic-on-second-use-of-sigio-nofitication.patch
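Review bot: `cgroup_mm_owner_callbacks()` now accepts `new == NULL` (the `if (new)` guard in the kernel/cgroup.c hunk) and every `ss->mm_owner_changed` implementation is thereby expected to cope with a NULL new owner, but the kernel-doc block above the function, of which only the closing `*/` is inside the hunk, is not updated; adding `@new: the new owner, or NULL when mm_update_next_owner() found no successor — every mm_owner_changed callback must accept NULL` there would put the new contract where subsystem authors look. The `mem_cgroup_from_task()` comment explains the NULL-p case, yet the charge path that now returns 0 on `!mem` silently accounts nothing for a page whose mm has lost its owner; a one-line comment on that branch, `/* mm has no owner (see mm_update_next_owner()): leave the page uncharged */`, would record that this is deliberate rather than a dropped error. The return in that branch also happens after `rcu_read_unlock()` but the label `retry:` suggests a loop whose other exits are outside the hunk, so whoever applies this should confirm no lock or reference taken before the hunk is left held. The functions touched in all four files begin or end outside their hunks.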
@@ -0,0 +1,118 @@
+From jejb@kernel.org Mon Oct 6 15:31:59 2008
+From: Marcin Slusarz
+Date: Sat, 4 Oct 2008 01:25:03 GMT
+Subject: rtc: fix kernel panic on second use of SIGIO nofitication
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810040125.m941P38o017682@hera.kernel.org>
+
+From: Marcin Slusarz
+
+commit 2e4a75cdcb89ff53bb182dda3a6dcdc14befe007 upstream
+
+When userspace uses SIGIO notification and forgets to disable it before
+closing file descriptor, rtc->async_queue contains stale pointer to struct
+file. When user space enables again SIGIO notification in different
+process, kernel dereferences this (poisoned) pointer and crashes.
+
+So disable SIGIO notification on close.
+
+Kernel panic:
+(second run of qemu (requires echo 1024 > /sys/class/rtc/rtc0/max_user_freq))
+
+general protection fault: 0000 [1] PREEMPT
+CPU 0
+Modules linked in: af_packet snd_pcm_oss snd_mixer_oss snd_seq_oss snd_seq_midi_event snd_seq usbhid tuner tea5767 tda8290 tuner_xc2028 xc5000 tda9887 tuner_simple tuner_types mt20xx tea5761 tda9875 uhci_hcd ehci_hcd usbcore bttv snd_via82xx snd_ac97_codec ac97_bus snd_pcm snd_timer ir_common compat_ioctl32 snd_page_alloc videodev v4l1_compat snd_mpu401_uart snd_rawmidi v4l2_common videobuf_dma_sg videobuf_core snd_seq_device snd btcx_risc soundcore tveeprom i2c_viapro
+Pid: 5781, comm: qemu-system-x86 Not tainted 2.6.27-rc6 #363
+RIP: 0010:[] [] __lock_acquire+0x3db/0x73f
+RSP: 0000:ffffffff80674cb8 EFLAGS: 00010002
+RAX: ffff8800224c62f0 RBX: 0000000000000046 RCX: 0000000000000002
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800224c62f0
+RBP: ffffffff80674d08 R08: 0000000000000002 R09: 0000000000000001
+R10: ffffffff80238941 R11: 0000000000000001 R12: 0000000000000000
+R13: 6b6b6b6b6b6b6b6b R14: ffff88003a450080 R15: 0000000000000000
+FS: 00007f98b69516f0(0000) GS:ffffffff80623200(0000) knlGS:00000000f7cc86d0
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 0000000000a87000 CR3: 0000000022598000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process qemu-system-x86 (pid: 5781, threadinfo ffff880028812000, task ffff88003a450080)
+Stack: ffffffff80674cf8 0000000180238440 0000000200000002 0000000000000000
+ ffff8800224c62f0 0000000000000046 0000000000000000 0000000000000002
+ 0000000000000002 0000000000000000 ffffffff80674d68 ffffffff8024fc7a
+Call Trace:
+ [] lock_acquire+0x85/0xa9
+ [] ? send_sigio+0x2a/0x184
+ [] _read_lock+0x3e/0x4a
+ [] ? send_sigio+0x2a/0x184
+ [] send_sigio+0x2a/0x184
+ [] ? __lock_acquire+0x6e1/0x73f
+ [] ? kill_fasync+0x2c/0x4e
+ [] __kill_fasync+0x54/0x65
+ [] kill_fasync+0x3a/0x4e
+ [] rtc_update_irq+0x9c/0xa5
+ [] cmos_interrupt+0xae/0xc0
+ [] handle_IRQ_event+0x25/0x5a
+ [] handle_edge_irq+0xdd/0x123
+ [] do_IRQ+0xe4/0x144
+ [] ret_from_intr+0x0/0xf
+ [] ? __alloc_pages_internal+0xe7/0x3ad
+ [] ? clear_page_c+0x7/0x10
+ [] ? get_page_from_freelist+0x385/0x450
+ [] ? __alloc_pages_internal+0xe7/0x3ad
+ [] ? anon_vma_prepare+0x2e/0xf6
+ [] ? handle_mm_fault+0x227/0x6a5
+ [] ? do_page_fault+0x494/0x83f
+ [] ? error_exit+0x0/0xa9
+
+Code: cc 41 39 45 28 74 24 e8 5e 1d 0f 00 85 c0 0f 84 6a 03 00 00 83 3d 8f a9 aa 00 00 be 47 03 00 00 0f 84 6a 02 00 00 e9 53 03 00 00 <41> ff 85 38 01 00 00 45 8b be 90 06 00 00 41 83 ff 2f 76 24 e8
+RIP [] __lock_acquire+0x3db/0x73f
+ RSP
+---[ end trace 431877d860448760 ]---
+Kernel panic - not syncing: Aiee, killing interrupt handler!
+
+Signed-off-by: Marcin Slusarz
+Acked-by: Alessandro Zummo
+Acked-by: David Brownell
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/rtc/rtc-dev.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/rtc/rtc-dev.c
++++ b/drivers/rtc/rtc-dev.c
+@@ -401,6 +401,12 @@ static int rtc_dev_ioctl(struct inode *i
+ return err;
+ }
+
++static int rtc_dev_fasync(int fd, struct file *file, int on)
++{
++ struct rtc_device *rtc = file->private_data;
++ return fasync_helper(fd, file, on, &rtc->async_queue);
++}
++
+ static int rtc_dev_release(struct inode *inode, struct file *file)
+ {
+ struct rtc_device *rtc = file->private_data;
+@@ -411,16 +417,13 @@ static int rtc_dev_release(struct inode
+ if (rtc->ops->release)
+ rtc->ops->release(rtc->dev.parent);
+
++ if (file->f_flags & FASYNC)
++ rtc_dev_fasync(-1, file, 0);
++
+ clear_bit_unlock(RTC_DEV_BUSY, &rtc->flags);
+ return 0;
+ }
+
+-static int rtc_dev_fasync(int fd, struct file *file, int on)
+-{
+- struct rtc_device *rtc = file->private_data;
+- return fasync_helper(fd, file, on, &rtc->async_queue);
+-}
+-
+ static const struct file_operations rtc_dev_fops = {
+ .owner = THIS_MODULE,
+ .llseek = no_llseek,
diff --git a/queue-2.6.26/s390-cve-2008-1514-prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch b/queue-2.6.26/s390-cve-2008-1514-prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch
new file mode 100644
index 00000000000..eda78d4eff6
--- /dev/null
+++ b/queue-2.6.26/s390-cve-2008-1514-prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch
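Review bot: The new `if (file->f_flags & FASYNC) rtc_dev_fasync(-1, file, 0);` in rtc_dev_release has no comment saying why a release path touches fasync, and the link to the stale `async_queue` entry described in the commit message is not visible from the code; `/* drop any SIGIO registration now, otherwise rtc->async_queue keeps a dangling struct file */` above that `if` would preserve the reason next to the fix. Moving rtc_dev_fasync above rtc_dev_release exists only to avoid a forward declaration; a prototype `static int rtc_dev_fasync(int fd, struct file *file, int on);` before rtc_dev_release would have kept the functions in their original order and the diff smaller, though either is acceptable. The return value of the fasync call is discarded, which is fine for the `on == 0` case since there is nothing release could do with it, but a short `(void)` cast or comment would show that is intentional. rtc_dev_release begins before the second hunk.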
@@ -0,0 +1,113 @@
+From 3d6e48f43340343d97839eadb1ab7b6a3ea98797 Mon Sep 17 00:00:00 2001
+From: Jarod Wilson
+Date: Tue, 9 Sep 2008 12:38:56 +0200
+Subject: S390: CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
+
+From: Jarod Wilson
+
+commit 3d6e48f43340343d97839eadb1ab7b6a3ea98797 upstream
+
+When running a 31-bit ptrace, on either an s390 or s390x kernel,
+reads and writes into a padding area in struct user_regs_struct32
+will result in a kernel panic.
+
+This is also known as CVE-2008-1514.
+
+Test case available here:
+http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap
+
+Steps to reproduce:
+1) wget the above
+2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
+3) ./user-area-padding-31bit
+
+
+Test status
+-----------
+Without patch, both s390 and s390x kernels panic. With patch, the test case,
+as well as the gdb testsuite, pass without incident, padding area reads
+returning zero, writes ignored.
+
+Nb: original version returned -EINVAL on write attempts, which broke the
+gdb test and made the test case slightly unhappy, Jan Kratochvil suggested
+the change to return 0 on write attempts.
+
+Signed-off-by: Jarod Wilson
+Tested-by: Jan Kratochvil
+Signed-off-by: Martin Schwidefsky
+Cc: Moritz Muehlenhoff
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kernel/compat_ptrace.h | 1 +
+ arch/s390/kernel/ptrace.c | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+--- a/arch/s390/kernel/compat_ptrace.h
++++ b/arch/s390/kernel/compat_ptrace.h
+@@ -42,6 +42,7 @@ struct user_regs_struct32
+ u32 gprs[NUM_GPRS];
+ u32 acrs[NUM_ACRS];
+ u32 orig_gpr2;
++ /* nb: there's a 4-byte hole here */
+ s390_fp_regs fp_regs;
+ /*
+ * These per registers are in here so that gdb can modify them
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -177,6 +177,13 @@ peek_user(struct task_struct *child, add
+ */
+ tmp = (addr_t) task_pt_regs(child)->orig_gpr2;
+
++ } else if (addr < (addr_t) &dummy->regs.fp_regs) {
++ /*
++ * prevent reads of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ tmp = 0;
++
+ } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
+@@ -268,6 +275,13 @@ poke_user(struct task_struct *child, add
+ */
+ task_pt_regs(child)->orig_gpr2 = data;
+
++ } else if (addr < (addr_t) &dummy->regs.fp_regs) {
++ /*
++ * prevent writes of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ return 0;
++
+ } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
+@@ -409,6 +423,13 @@ peek_user_emu31(struct task_struct *chil
+ */
+ tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4);
+
++ } else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++ /*
++ * prevent reads of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ tmp = 0;
++
+ } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
+@@ -488,6 +509,13 @@ poke_user_emu31(struct task_struct *chil
+ */
+ *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp;
+
++ } else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++ /*
++ * prevent writess of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ return 0;
++
+ } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
diff --git a/queue-2.6.26/series b/queue-2.6.26/series
index 05181b19a7c..f718a29d435 100644
--- a/queue-2.6.26/series
+++ b/queue-2.6.26/series
@@ -62,3 +62,10 @@ pcmcia-fix-broken-abuse-of-dev-driver_data.patch
 0003-sparc64-Fix-OOPS-in-psycho_pcierr_intr_other.patch
 0004-sparc64-Fix-disappearing-PCI-devices-on-e3500.patch
 0005-sparc64-Fix-missing-devices-due-to-PCI-bridge-test.patch
+braille_console-only-register-notifiers-when-the-braille-console-is-used.patch
+alsa-snd-powermac-mixers-for-powermac-g4-agp.patch
+alsa-snd-powermac-hp-detection-for-1st-imac-g3-sl.patch
+fbcon-fix-monochrome-color-value-calculation.patch
+rtc-fix-kernel-panic-on-second-use-of-sigio-nofitication.patch
+mm-owner-fix-race-between-swapoff-and-exit.patch
+s390-cve-2008-1514-prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch
--
2.47.3
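Review bot: The comment added in poke_user_emu31 (last ptrace.c hunk) reads `* prevent writess of padding hole between` — `writess` should be `writes`, matching the three sibling comments in peek_user, poke_user and peek_user_emu31. The same four-line hole check is now repeated in all four accessors, so the one place that could explain it, the header comment `/* nb: there's a 4-byte hole here */` in compat_ptrace.h, would be more useful if it named the cause and the consumers, e.g. `/* nb: there's a 4-byte hole here before fp_regs (presumably s390_fp_regs alignment); peek_user/poke_user treat it as read-as-zero, write-ignored */` — the alignment cause is my inference and should be confirmed. Each of the four ptrace.c functions begins and ends outside its hunk.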