--- /dev/null
+From dab5fff14df2cd16eb1ad4c02e83915e1063fece Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Tue, 12 Oct 2010 09:09:37 +0800
+Subject: acpi-cpufreq: fix a memleak when unloading driver
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+commit dab5fff14df2cd16eb1ad4c02e83915e1063fece upstream.
+
+We didn't free per_cpu(acfreq_data, cpu)->freq_table
+when acpi_freq driver is unloaded.
+
+Resulting in the following messages in /sys/kernel/debug/kmemleak:
+
+unreferenced object 0xf6450e80 (size 64):
+ comm "modprobe", pid 1066, jiffies 4294677317 (age 19290.453s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 e8 a2 24 00 01 00 00 00 00 9f 24 00 ......$.......$.
+ 02 00 00 00 00 6a 18 00 03 00 00 00 00 35 0c 00 .....j.......5..
+ backtrace:
+ [<c123ba97>] kmemleak_alloc+0x27/0x50
+ [<c109f96f>] __kmalloc+0xcf/0x110
+ [<f9da97ee>] acpi_cpufreq_cpu_init+0x1ee/0x4e4 [acpi_cpufreq]
+ [<c11cd8d2>] cpufreq_add_dev+0x142/0x3a0
+ [<c11920b7>] sysdev_driver_register+0x97/0x110
+ [<c11cce56>] cpufreq_register_driver+0x86/0x140
+ [<f9dad080>] 0xf9dad080
+ [<c1001130>] do_one_initcall+0x30/0x160
+ [<c10626e9>] sys_init_module+0x99/0x1e0
+ [<c1002d97>] sysenter_do_call+0x12/0x26
+ [<ffffffff>] 0xffffffff
+
+https://bugzilla.kernel.org/show_bug.cgi?id=15807#c21
+
+Tested-by: Toralf Forster <toralf.foerster@gmx.de>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
++++ b/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
+@@ -742,6 +742,7 @@ static int acpi_cpufreq_cpu_exit(struct
+ per_cpu(drv_data, policy->cpu) = NULL;
+ acpi_processor_unregister_performance(data->acpi_data,
+ policy->cpu);
++ kfree(data->freq_table);
+ kfree(data);
+ }
+
--- /dev/null
+From 0e91ec0c06d2cd15071a6021c94840a50e6671aa Mon Sep 17 00:00:00 2001
+From: James Jones <jajones@nvidia.com>
+Date: Wed, 24 Nov 2010 00:21:37 +0100
+Subject: ARM: 6482/2: Fix find_next_zero_bit and related assembly
+
+From: James Jones <jajones@nvidia.com>
+
+commit 0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream.
+
+The find_next_bit, find_first_bit, find_next_zero_bit
+and find_first_zero_bit functions were not properly
+clamping to the maxbit argument at the bit level. They
+were instead only checking maxbit at the byte level.
+To fix this, add a compare and a conditional move
+instruction to the end of the common bit-within-the-
+byte code used by all the functions and be sure not to
+clobber the maxbit argument before it is used.
+
+Reviewed-by: Nicolas Pitre <nicolas.pitre@linaro.org>
+Tested-by: Stephen Warren <swarren@nvidia.com>
+Signed-off-by: James Jones <jajones@nvidia.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/arm/lib/findbit.S | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/lib/findbit.S
++++ b/arch/arm/lib/findbit.S
+@@ -148,8 +148,8 @@ ENTRY(_find_next_bit_be)
+ */
+ .L_found:
+ #if __LINUX_ARM_ARCH__ >= 5
+- rsb r1, r3, #0
+- and r3, r3, r1
++ rsb r0, r3, #0
++ and r3, r3, r0
+ clz r3, r3
+ rsb r3, r3, #31
+ add r0, r2, r3
+@@ -164,5 +164,7 @@ ENTRY(_find_next_bit_be)
+ addeq r2, r2, #1
+ mov r0, r2
+ #endif
++ cmp r1, r0 @ Clamp to maxbit
++ movlo r0, r1
+ mov pc, lr
+
--- /dev/null
+From 3c6f27bf33052ea6ba9d82369fb460726fb779c0 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Tue, 23 Nov 2010 11:02:13 +0000
+Subject: DECnet: don't leak uninitialized stack byte
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream.
+
+A single uninitialized padding byte is leaked to userspace.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/decnet/af_decnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -1558,6 +1558,8 @@ static int __dn_getsockopt(struct socket
+ if (r_len > sizeof(struct linkinfo_dn))
+ r_len = sizeof(struct linkinfo_dn);
+
++ memset(&link, 0, sizeof(link));
++
+ switch(sock->state) {
+ case SS_CONNECTING:
+ link.idn_linkstate = LL_CONNECTING;
--- /dev/null
+From 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 Mon Sep 17 00:00:00 2001
+From: Nelson Elhage <nelhage@ksplice.com>
+Date: Thu, 2 Dec 2010 14:31:21 -0800
+Subject: do_exit(): make sure that we run with get_fs() == USER_DS
+
+From: Nelson Elhage <nelhage@ksplice.com>
+
+commit 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream.
+
+If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
+otherwise reset before do_exit(). do_exit may later (via mm_release in
+fork.c) do a put_user to a user-controlled address, potentially allowing
+a user to leverage an oops into a controlled write into kernel memory.
+
+This is only triggerable in the presence of another bug, but this
+potentially turns a lot of DoS bugs into privilege escalations, so it's
+worth fixing. I have proof-of-concept code which uses this bug along
+with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
+I've tested that this is not theoretical.
+
+A more logical place to put this fix might be when we know an oops has
+occurred, before we call do_exit(), but that would involve changing
+every architecture, in multiple places.
+
+Let's just stick it in do_exit instead.
+
+[akpm@linux-foundation.org: update code comment]
+Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
+Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/exit.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1004,6 +1004,15 @@ NORET_TYPE void do_exit(long code)
+ if (unlikely(!tsk->pid))
+ panic("Attempted to kill the idle task!");
+
++ /*
++ * If do_exit is called because this processes oopsed, it's possible
++ * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
++ * continuing. Amongst other possible reasons, this is to prevent
++ * mm_release()->clear_child_tid() from writing to a user-controlled
++ * kernel address.
++ */
++ set_fs(USER_DS);
++
+ tracehook_report_exit(&code);
+
+ /*
usb-core-fix-information-leak-to-userland.patch
usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
+usb-atm-ueagle-atm-fix-up-some-permissions-on-the-sysfs-files.patch
+usb-misc-cypress_cy7c63-fix-up-some-sysfs-attribute-permissions.patch
+usb-misc-usbled-fix-up-some-sysfs-attribute-permissions.patch
+usb-misc-trancevibrator-fix-up-a-sysfs-attribute-permission.patch
+acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch
+do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
+decnet-don-t-leak-uninitialized-stack-byte.patch
+arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch
--- /dev/null
+From e502ac5e1eca99d7dc3f12b2a6780ccbca674858 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Mon, 15 Nov 2010 11:11:45 -0800
+Subject: USB: atm: ueagle-atm: fix up some permissions on the sysfs files
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit e502ac5e1eca99d7dc3f12b2a6780ccbca674858 upstream.
+
+Some of the sysfs files had the incorrect permissions. Some didn't make
+sense at all (writable for a file that you could not write to?)
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matthieu Castet <castet.matthieu@free.fr>
+Cc: Stanislaw Gruszka <stf_xl@wp.pl>
+Cc: Damien Bergamini <damien.bergamini@free.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/atm/ueagle-atm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/atm/ueagle-atm.c
++++ b/drivers/usb/atm/ueagle-atm.c
+@@ -2258,7 +2258,7 @@ out:
+ return ret;
+ }
+
+-static DEVICE_ATTR(stat_status, S_IWUGO | S_IRUGO, read_status, reboot);
++static DEVICE_ATTR(stat_status, S_IWUSR | S_IRUGO, read_status, reboot);
+
+ static ssize_t read_human_status(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -2321,7 +2321,7 @@ out:
+ return ret;
+ }
+
+-static DEVICE_ATTR(stat_human_status, S_IWUGO | S_IRUGO, read_human_status, NULL);
++static DEVICE_ATTR(stat_human_status, S_IRUGO, read_human_status, NULL);
+
+ static ssize_t read_delin(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -2353,7 +2353,7 @@ out:
+ return ret;
+ }
+
+-static DEVICE_ATTR(stat_delin, S_IWUGO | S_IRUGO, read_delin, NULL);
++static DEVICE_ATTR(stat_delin, S_IRUGO, read_delin, NULL);
+
+ #define UEA_ATTR(name, reset) \
+ \
--- /dev/null
+From c990600d340641150f7270470a64bd99a5c0b225 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Mon, 15 Nov 2010 11:32:38 -0800
+Subject: USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit c990600d340641150f7270470a64bd99a5c0b225 upstream.
+
+They should not be writable by any user.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Oliver Bock <bock@tfh-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/cypress_cy7c63.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/cypress_cy7c63.c
++++ b/drivers/usb/misc/cypress_cy7c63.c
+@@ -195,11 +195,9 @@ static ssize_t get_port1_handler(struct
+ return read_port(dev, attr, buf, 1, CYPRESS_READ_PORT_ID1);
+ }
+
+-static DEVICE_ATTR(port0, S_IWUGO | S_IRUGO,
+- get_port0_handler, set_port0_handler);
++static DEVICE_ATTR(port0, S_IRUGO | S_IWUSR, get_port0_handler, set_port0_handler);
+
+-static DEVICE_ATTR(port1, S_IWUGO | S_IRUGO,
+- get_port1_handler, set_port1_handler);
++static DEVICE_ATTR(port1, S_IRUGO | S_IWUSR, get_port1_handler, set_port1_handler);
+
+
+ static int cypress_probe(struct usb_interface *interface,
--- /dev/null
+From d489a4b3926bad571d404ca6508f6744b9602776 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Mon, 15 Nov 2010 11:34:26 -0800
+Subject: USB: misc: trancevibrator: fix up a sysfs attribute permission
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit d489a4b3926bad571d404ca6508f6744b9602776 upstream.
+
+It should not be writable by any user.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Sam Hocevar <sam@zoy.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/trancevibrator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/trancevibrator.c
++++ b/drivers/usb/misc/trancevibrator.c
+@@ -85,7 +85,7 @@ static ssize_t set_speed(struct device *
+ return count;
+ }
+
+-static DEVICE_ATTR(speed, S_IWUGO | S_IRUGO, show_speed, set_speed);
++static DEVICE_ATTR(speed, S_IRUGO | S_IWUSR, show_speed, set_speed);
+
+ static int tv_probe(struct usb_interface *interface,
+ const struct usb_device_id *id)
--- /dev/null
+From 48f115470e68d443436b76b22dad63ffbffd6b97 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Mon, 15 Nov 2010 11:35:49 -0800
+Subject: USB: misc: usbled: fix up some sysfs attribute permissions
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit 48f115470e68d443436b76b22dad63ffbffd6b97 upstream.
+
+They should not be writable by any user.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/usbled.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/usbled.c
++++ b/drivers/usb/misc/usbled.c
+@@ -94,7 +94,7 @@ static ssize_t set_##value(struct device
+ change_color(led); \
+ return count; \
+ } \
+-static DEVICE_ATTR(value, S_IWUGO | S_IRUGO, show_##value, set_##value);
++static DEVICE_ATTR(value, S_IRUGO | S_IWUSR, show_##value, set_##value);
+ show_set(blue);
+ show_set(red);
+ show_set(green);
projects / thirdparty / kernel / stable-queue.git / commitdiff
