--- /dev/null
+From a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 Mon Sep 17 00:00:00 2001
+From: Eric W. Biederman <ebiederm@xmission.com>
+Date: Sun, 24 Apr 2011 01:54:57 +0000
+Subject: af_unix: Only allow recv on connected seqpacket sockets.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 upstream.
+
+This fixes the following oops discovered by Dan Aloni:
+> Anyway, the following is the output of the Oops that I got on the
+> Ubuntu kernel on which I first detected the problem
+> (2.6.37-12-generic). The Oops that followed will be more useful, I
+> guess.
+
+>[ 5594.669852] BUG: unable to handle kernel NULL pointer dereference
+> at (null)
+> [ 5594.681606] IP: [<ffffffff81550b7b>] unix_dgram_recvmsg+0x1fb/0x420
+> [ 5594.687576] PGD 2a05d067 PUD 2b951067 PMD 0
+> [ 5594.693720] Oops: 0002 [#1] SMP
+> [ 5594.699888] last sysfs file:
+
+The bug was that unix domain sockets use a pseudo packet for
+connecting and accept uses that pseudo packet to get the socket.
+In the buggy seqpacket case we were allowing unconnected
+sockets to call recvmsg and try to receive the pseudo packet.
+
+That is always wrong and as of commit 7361c36c5 the pseudo
+packet had become enough different from a normal packet
+that the kernel started oopsing.
+
+Do for seqpacket_recv what was done for seqpacket_send in 2.5
+and only allow it on connected seqpacket sockets.
+
+Tested-by: Dan Aloni <dan@aloni.org>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/unix/af_unix.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -524,6 +524,8 @@ static int unix_dgram_connect(struct soc
+ int, int);
+ static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *,
+ struct msghdr *, size_t);
++static int unix_seqpacket_recvmsg(struct kiocb *, struct socket *,
++ struct msghdr *, size_t, int);
+
+ static const struct proto_ops unix_stream_ops = {
+ .family = PF_UNIX,
+@@ -583,7 +585,7 @@ static const struct proto_ops unix_seqpa
+ .setsockopt = sock_no_setsockopt,
+ .getsockopt = sock_no_getsockopt,
+ .sendmsg = unix_seqpacket_sendmsg,
+- .recvmsg = unix_dgram_recvmsg,
++ .recvmsg = unix_seqpacket_recvmsg,
+ .mmap = sock_no_mmap,
+ .sendpage = sock_no_sendpage,
+ };
+@@ -1695,6 +1697,18 @@ static int unix_seqpacket_sendmsg(struct
+ return unix_dgram_sendmsg(kiocb, sock, msg, len);
+ }
+
++static int unix_seqpacket_recvmsg(struct kiocb *iocb, struct socket *sock,
++ struct msghdr *msg, size_t size,
++ int flags)
++{
++ struct sock *sk = sock->sk;
++
++ if (sk->sk_state != TCP_ESTABLISHED)
++ return -ENOTCONN;
++
++ return unix_dgram_recvmsg(iocb, sock, msg, size, flags);
++}
++
+ static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
+ {
+ struct unix_sock *u = unix_sk(sk);
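Review bot: The new unix_seqpacket_recvmsg reads sk->sk_state without the socket's state lock, so the ENOTCONN test is a gate rather than a guarantee that the socket is still connected when unix_dgram_recvmsg runs; I believe that is acceptable here because the case being excluded is a listening socket whose queue holds the connect pseudo-packet, and a listener does not become ESTABLISHED underneath the check, but nothing in the hunk says so. I would put `/* An unconnected (listening) seqpacket socket queues the connect pseudo-packet, not data; only a connected socket may receive. */` above the `if`. The check mirrors unix_seqpacket_sendmsg, whose body begins before this hunk, so the two should be kept in step if either is changed.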
--- /dev/null
+From 0f22072ab50cac7983f9660d33974b45184da4f9 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 29 Apr 2011 15:48:07 +0100
+Subject: ARM: 6891/1: prevent heap corruption in OABI semtimedop
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream.
+
+When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
+bound the nsops argument. A sufficiently large value will cause an
+integer overflow in allocation size, followed by copying too much data
+into the allocated buffer. Fix this by restricting nsops to SEMOPM.
+Untested.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/arm/kernel/sys_oabi-compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int
+ long err;
+ int i;
+
+- if (nsops < 1)
++ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
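Review bot: The new upper bound returns -EINVAL, whereas the native semtimedop, if I remember ipc/sem.c correctly, reports an oversized nsops as -E2BIG and uses the per-namespace limit rather than the compile-time SEMOPM, so the OABI and EABI entry points now disagree on errno for the same input. Since the wrapper presumably forwards to the native syscall, which re-applies its own limit, the cap here only has to keep `sizeof(*sops) * nsops` from overflowing (with nsops unsigned, as I expect, the `< 1` half catches zero); a one-line comment would make that intent clear: `/* Cap at SEMOPM so the kmalloc size cannot overflow; the real limit is enforced by sys_semtimedop. */`. The remainder of sys_oabi_semtimedop, including the copy into sops, lies outside this hunk.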
--- /dev/null
+From 2232d31bf18ba02f5cd632bbfc3466aeca394c75 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Fri, 15 Apr 2011 00:41:43 +0200
+Subject: ath9k: fix the return value of ath_stoprecv
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 2232d31bf18ba02f5cd632bbfc3466aeca394c75 upstream.
+
+The patch 'ath9k_hw: fix stopping rx DMA during resets' added code to detect
+a condition where rx DMA was stopped, but the MAC failed to enter the idle
+state. This condition requires a hardware reset, however the return value
+of ath_stoprecv was 'true' in that case, which allowed it to skip the reset
+when issuing a fast channel change.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Reported-by: Paul Stewart <pstew@google.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath9k/recv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/recv.c
++++ b/drivers/net/wireless/ath/ath9k/recv.c
+@@ -533,7 +533,7 @@ bool ath_stoprecv(struct ath_softc *sc)
+ "confusing the DMA engine when we start RX up\n");
+ ATH_DBG_WARN_ON_ONCE(!stopped);
+ }
+- return stopped || reset;
++ return stopped && !reset;
+ }
+
+ void ath_flushrecv(struct ath_softc *sc)
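Review bot: The boolean returned by ath_stoprecv now means "RX DMA stopped and no hardware reset is needed", which is easy to misread given the `reset` name in the old expression, and nothing in the hunk documents it; a comment at the return would stop the next reader from reinverting it: `/* true only if RX stopped cleanly; false means the caller must do a full hardware reset */`. The callers that gate the fast channel change on this value are not in the diff, so it is worth confirming every one of them treats false as "reset required" rather than as a plain failure. The computation of `stopped` and `reset` begins before this hunk, so the exact conditions are not visible here.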
--- /dev/null
+From c6914a6f261aca0c9f715f883a353ae7ff51fe83 Mon Sep 17 00:00:00 2001
+From: Dave Jones <davej@redhat.com>
+Date: Tue, 19 Apr 2011 20:36:59 -0700
+Subject: can: Add missing socket check in can/bcm release.
+
+From: Dave Jones <davej@redhat.com>
+
+commit c6914a6f261aca0c9f715f883a353ae7ff51fe83 upstream.
+
+We can get here with a NULL socket argument passed from userspace,
+so we need to handle it accordingly.
+
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/bcm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1427,9 +1427,14 @@ static int bcm_init(struct sock *sk)
+ static int bcm_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+- struct bcm_sock *bo = bcm_sk(sk);
++ struct bcm_sock *bo;
+ struct bcm_op *op, *next;
+
++ if (sk == NULL)
++ return 0;
++
++ bo = bcm_sk(sk);
++
+ /* remove bcm_ops, timer, rx_unregister(), etc. */
+
+ unregister_netdevice_notifier(&bo->notifier);
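Review bot: The `sk == NULL` guard should say when that happens, because the commit text ("passed from userspace") is not quite how it arises: userspace passes a descriptor, and it is sock->sk that can already be NULL by the time release runs, presumably for a socket whose protocol-level setup never completed or that was already torn down. A comment on the guard such as `/* sock->sk may already be NULL (e.g. failed init); nothing to release */` would record that. Returning 0 rather than an error looks consistent with how other release handlers treat this case, as far as I recall. The rest of bcm_release's teardown continues past the end of this hunk.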
--- /dev/null
+From c340b1d640001c8c9ecff74f68fd90422ae2448a Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns@pre-sense.de>
+Date: Thu, 14 Apr 2011 15:21:56 -0700
+Subject: fs/partitions/ldm.c: fix oops caused by corrupted partition table
+
+From: Timo Warns <Warns@pre-sense.de>
+
+commit c340b1d640001c8c9ecff74f68fd90422ae2448a upstream.
+
+The kernel automatically evaluates partition tables of storage devices.
+The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
+a bug that causes a kernel oops on certain corrupted LDM partitions.
+A kernel subsystem seems to crash, because, after the oops, the kernel no
+longer recognizes newly connected storage devices.
+
+The patch validates the value of vblk_size.
+
+[akpm@linux-foundation.org: coding-style fixes]
+Signed-off-by: Timo Warns <warns@pre-sense.de>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Harvey Harrison <harvey.harrison@gmail.com>
+Cc: Richard Russon <rich@flatcap.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/partitions/ldm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/partitions/ldm.c
++++ b/fs/partitions/ldm.c
+@@ -1299,6 +1299,11 @@ static bool ldm_frag_add (const u8 *data
+
+ BUG_ON (!data || !frags);
+
++ if (size < 2 * VBLK_SIZE_HEAD) {
++ ldm_error("Value of size is to small.");
++ return false;
++ }
++
+ group = get_unaligned_be32(data + 0x08);
+ rec = get_unaligned_be16(data + 0x0C);
+ num = get_unaligned_be16(data + 0x0E);
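Review bot: The new error string has a typo: `ldm_error("Value of size is to small.");` should read `ldm_error("Value of size is too small.");`. The bound itself is the right one, since the copy later in ldm_frag_add subtracts VBLK_SIZE_HEAD from size twice, so 2 * VBLK_SIZE_HEAD is the smallest value that keeps the offset arithmetic non-negative; a comment next to the check would preserve that reasoning: `/* the copy below takes VBLK_SIZE_HEAD off size twice; reject anything smaller */`. ldm_frag_add begins before this hunk, so the type of `size` is not visible here.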
+@@ -1306,6 +1311,10 @@ static bool ldm_frag_add (const u8 *data
+ ldm_error ("A VBLK claims to have %d parts.", num);
+ return false;
+ }
++ if (rec >= num) {
++ ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
++ return false;
++ }
+
+ list_for_each (item, frags) {
+ f = list_entry (item, struct frag, list);
+@@ -1334,10 +1343,9 @@ found:
+
+ f->map |= (1 << rec);
+
+- if (num > 0) {
+- data += VBLK_SIZE_HEAD;
+- size -= VBLK_SIZE_HEAD;
+- }
++ data += VBLK_SIZE_HEAD;
++ size -= VBLK_SIZE_HEAD;
++
+ memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
+
+ return true;
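Review bot: The destination offset `f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD` makes consecutive fragments overlap by VBLK_SIZE_HEAD bytes, and the only thing keeping the last fragment inside f->data is the allocation size chosen when the frag was created, which is outside this hunk. With the new `rec < num` and `size >= 2 * VBLK_SIZE_HEAD` guards the write for fragment rec ends at `rec*(orig_size - 2*VBLK_SIZE_HEAD) + orig_size` bytes, which is within `num * orig_size`, so it is safe if the frag was allocated with `num * size` using the pre-decrement size; that dependency deserves a comment on the memcpy, e.g. `/* fits: f->data holds num * size bytes (size before the header was stripped) */`, once confirmed against the allocation. Dropping the `if (num > 0)` guard is fine, since `rec < num` already implies num >= 1.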
--- /dev/null
+From 243e6df4ed919880d079d717641ad699c6530a03 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 19 Apr 2011 20:44:04 +0200
+Subject: mac80211: fix SMPS debugfs locking
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 243e6df4ed919880d079d717641ad699c6530a03 upstream.
+
+The locking with SMPS requests means that the
+debugs file should lock the mgd mutex, not the
+iflist mutex. Calls to __ieee80211_request_smps()
+need to hold that mutex, so add an assertion.
+
+This has always been wrong, but for some reason
+never been noticed, probably because the locking
+error only happens while unassociated.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/cfg.c | 2 ++
+ net/mac80211/debugfs_netdev.c | 4 ++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1471,6 +1471,8 @@ int __ieee80211_request_smps(struct ieee
+ enum ieee80211_smps_mode old_req;
+ int err;
+
++ lockdep_assert_held(&sdata->u.mgd.mtx);
++
+ old_req = sdata->u.mgd.req_smps;
+ sdata->u.mgd.req_smps = smps_mode;
+
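Review bot: The new lockdep_assert_held documents the locking contract only in builds with lockdep enabled; a plain comment on __ieee80211_request_smps saying the caller must hold sdata->u.mgd.mtx, which guards the req_smps written two lines later, would make it visible everywhere: `/* Caller must hold sdata->u.mgd.mtx; it protects req_smps and the SMPS state read below. */`. The function's other callers are not in the diff, so whether all of them already take the mgd mutex cannot be checked here; only the debugfs path is fixed in the next hunk. The function's signature and tail lie outside this hunk.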
+--- a/net/mac80211/debugfs_netdev.c
++++ b/net/mac80211/debugfs_netdev.c
+@@ -172,9 +172,9 @@ static int ieee80211_set_smps(struct iee
+ if (sdata->vif.type != NL80211_IFTYPE_STATION)
+ return -EOPNOTSUPP;
+
+- mutex_lock(&local->iflist_mtx);
++ mutex_lock(&sdata->u.mgd.mtx);
+ err = __ieee80211_request_smps(sdata, smps_mode);
+- mutex_unlock(&local->iflist_mtx);
++ mutex_unlock(&sdata->u.mgd.mtx);
+
+ return err;
+ }
--- /dev/null
+From 1574dff8996ab1ed92c09012f8038b5566fce313 Mon Sep 17 00:00:00 2001
+From: Sachin Prabhu <sprabhu@redhat.com>
+Date: Wed, 20 Apr 2011 13:09:35 +0100
+Subject: Open with O_CREAT flag set fails to open existing files on non writable directories
+
+From: Sachin Prabhu <sprabhu@redhat.com>
+
+commit 1574dff8996ab1ed92c09012f8038b5566fce313 upstream.
+
+An open on a NFS4 share using the O_CREAT flag on an existing file for
+which we have permissions to open but contained in a directory with no
+write permissions will fail with EACCES.
+
+A tcpdump shows that the client had set the open mode to UNCHECKED which
+indicates that the file should be created if it doesn't exist and
+encountering an existing file is not an error. Since in this case the
+file exists and can be opened by the user, the NFS server is wrong in
+attempting to check create permissions on the parent directory.
+
+The patch adds a conditional statement to check for create permissions
+only if the file doesn't exist.
+
+Signed-off-by: Sachin S. Prabhu <sprabhu@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/vfs.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1363,7 +1363,7 @@ nfsd_create_v3(struct svc_rqst *rqstp, s
+ goto out;
+ if (!(iap->ia_valid & ATTR_MODE))
+ iap->ia_mode = 0;
+- err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
++ err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_EXEC);
+ if (err)
+ goto out;
+
+@@ -1385,6 +1385,13 @@ nfsd_create_v3(struct svc_rqst *rqstp, s
+ if (IS_ERR(dchild))
+ goto out_nfserr;
+
++ /* If file doesn't exist, check for permissions to create one */
++ if (!dchild->d_inode) {
++ err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
++ if (err)
++ goto out;
++ }
++
+ err = fh_compose(resfhp, fhp->fh_export, dchild, fhp);
+ if (err)
+ goto out;
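Review bot: The existence test `!dchild->d_inode` and the create that follows are only safe as a pair if the parent directory stays locked across them; the lock is taken before the lookup, outside this hunk, so that should hold, but a comment on the guard stating that it relies on the parent already being locked would make the dependency explicit. Separately, fh_verify on the same fhp was run a few lines earlier with NFSD_MAY_EXEC, so the second call repeats the filehandle and export validation just to obtain one permission bit; if nfsd_permission(rqstp, fhp->fh_export, dentry, NFSD_MAY_CREATE) is usable at this point, as I believe it is in this file, it would express the intent more directly. For an existing file the request now depends entirely on the later per-file checks (setattr/open), which are outside this hunk, so those remain the security boundary.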
flex_array-flex_array_prealloc-takes-a-number-of-elements-not-an-end.patch
flex_arrays-allow-zero-length-flex-arrays.patch
x86-amd-fix-apic-timer-erratum-400-affecting-k8-rev.a-e-processors.patch
+ath9k-fix-the-return-value-of-ath_stoprecv.patch
+mac80211-fix-smps-debugfs-locking.patch
+af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
+arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
+xz-decompressor-fix-decoding-of-empty-lzma2-streams.patch
+open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
+can-add-missing-socket-check-in-can-bcm-release.patch
+fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch
--- /dev/null
+From 646032e3b05b32d3f20cb108a030593d9d792eb5 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Sun, 1 May 2011 19:38:42 +0300
+Subject: XZ decompressor: Fix decoding of empty LZMA2 streams
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+
+commit 646032e3b05b32d3f20cb108a030593d9d792eb5 upstream.
+
+The old code considered valid empty LZMA2 streams to be corrupt.
+Note that a typical empty .xz file has no LZMA2 data at all,
+and thus most .xz files having no uncompressed data are handled
+correctly even without this fix.
+
+Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/xz/xz_dec_lzma2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/xz/xz_dec_lzma2.c
++++ b/lib/xz/xz_dec_lzma2.c
+@@ -969,6 +969,9 @@ XZ_EXTERN enum xz_ret xz_dec_lzma2_run(s
+ */
+ tmp = b->in[b->in_pos++];
+
++ if (tmp == 0x00)
++ return XZ_STREAM_END;
++
+ if (tmp >= 0xE0 || tmp == 0x01) {
+ s->lzma2.need_props = true;
+ s->lzma2.need_dict_reset = false;
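Review bot: Moving the end-marker test ahead of the dictionary-reset check is what makes an empty stream decodable, but as written the reason looks like an accident of ordering; add `/* 0x00 is the LZMA2 end marker; it is valid even as the very first chunk, before any dictionary reset, which is exactly what an empty LZMA2 stream looks like. */` above the `if`. The byte was already consumed at `b->in[b->in_pos++]` before the test, so returning XZ_STREAM_END here leaves in_pos past the marker, the same as the old location did. The enclosing xz_dec_lzma2_run loop begins before this hunk.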
+@@ -1001,9 +1004,6 @@ XZ_EXTERN enum xz_ret xz_dec_lzma2_run(s
+ lzma_reset(s);
+ }
+ } else {
+- if (tmp == 0x00)
+- return XZ_STREAM_END;
+-
+ if (tmp > 0x02)
+ return XZ_DATA_ERROR;
+