3.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Mar 2013 20:36:11 +0000 (13:36 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Mar 2013 20:36:11 +0000 (13:36 -0700)
added patches:
exec-use-eloop-for-max-recursion-depth.patch
fix-compat_rw_copy_check_uvector-misuse-in-aio-readv-writev-and-security-keys.patch
i915-initialize-cadl-in-opregion.patch
isofs-avoid-info-leak-on-export.patch
key-fix-resource-leak.patch
udf-avoid-info-leak-on-export.patch
usb-garmin_gps-fix-memory-leak-on-disconnect.patch
usb-io_ti-fix-get_icount-for-two-port-adapters.patch

queue-3.0/exec-use-eloop-for-max-recursion-depth.patch [new file with mode: 0644]
queue-3.0/fix-compat_rw_copy_check_uvector-misuse-in-aio-readv-writev-and-security-keys.patch [new file with mode: 0644]
queue-3.0/i915-initialize-cadl-in-opregion.patch [new file with mode: 0644]
queue-3.0/isofs-avoid-info-leak-on-export.patch [new file with mode: 0644]
queue-3.0/key-fix-resource-leak.patch [new file with mode: 0644]
queue-3.0/series
queue-3.0/udf-avoid-info-leak-on-export.patch [new file with mode: 0644]
queue-3.0/usb-garmin_gps-fix-memory-leak-on-disconnect.patch [new file with mode: 0644]
queue-3.0/usb-io_ti-fix-get_icount-for-two-port-adapters.patch [new file with mode: 0644]

diff --git a/queue-3.0/exec-use-eloop-for-max-recursion-depth.patch b/queue-3.0/exec-use-eloop-for-max-recursion-depth.patch
new file mode 100644 (file)
index 0000000..f29f1c4
--- /dev/null
@@ -0,0 +1,139 @@
+From d740269867021faf4ce38a449353d2b986c34a67 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 17 Dec 2012 16:03:20 -0800
+Subject: exec: use -ELOOP for max recursion depth
+
+From: Kees Cook <keescook@chromium.org>
+
+commit d740269867021faf4ce38a449353d2b986c34a67 upstream.
+
+To avoid an explosion of request_module calls on a chain of abusive
+scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
+as maximum recursion depth is hit, the error will fail all the way back
+up the chain, aborting immediately.
+
+This also has the side-effect of stopping the user's shell from attempting
+to reexecute the top-level file as a shell script. As seen in the
+dash source:
+
+        if (cmd != path_bshell && errno == ENOEXEC) {
+                *argv-- = cmd;
+                *argv = cmd = path_bshell;
+                goto repeat;
+        }
+
+The above logic was designed for running scripts automatically that lacked
+the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
+things continue to behave as the shell expects.
+
+Additionally, when tracking recursion, the binfmt handlers should not be
+involved. The recursion being tracked is the depth of calls through
+search_binary_handler(), so that function should be exclusively responsible
+for tracking the depth.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: halfdog <me@halfdog.net>
+Cc: P J P <ppandit@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_em86.c        |    1 -
+ fs/binfmt_misc.c        |    6 ------
+ fs/binfmt_script.c      |    4 +---
+ fs/exec.c               |   10 +++++-----
+ include/linux/binfmts.h |    2 --
+ 5 files changed, 6 insertions(+), 17 deletions(-)
+
+--- a/fs/binfmt_em86.c
++++ b/fs/binfmt_em86.c
+@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm
+                       return -ENOEXEC;
+       }
+-      bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
+       allow_write_access(bprm->file);
+       fput(bprm->file);
+       bprm->file = NULL;
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -116,10 +116,6 @@ static int load_misc_binary(struct linux
+       if (!enabled)
+               goto _ret;
+-      retval = -ENOEXEC;
+-      if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
+-              goto _ret;
+-
+       /* to keep locking time low, we copy the interpreter string */
+       read_lock(&entries_lock);
+       fmt = check_file(bprm);
+@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux
+       if (retval < 0)
+               goto _error;
+-      bprm->recursion_depth++;
+-
+       retval = search_binary_handler (bprm, regs);
+       if (retval < 0)
+               goto _error;
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -22,15 +22,13 @@ static int load_script(struct linux_binp
+       char interp[BINPRM_BUF_SIZE];
+       int retval;
+-      if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
+-          (bprm->recursion_depth > BINPRM_MAX_RECURSION))
++      if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
+               return -ENOEXEC;
+       /*
+        * This section does the #! interpretation.
+        * Sorta complicated, but hopefully it will work.  -TYT
+        */
+-      bprm->recursion_depth++;
+       allow_write_access(bprm->file);
+       fput(bprm->file);
+       bprm->file = NULL;
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1369,6 +1369,10 @@ int search_binary_handler(struct linux_b
+       int try,retval;
+       struct linux_binfmt *fmt;
++      /* This allows 4 levels of binfmt rewrites before failing hard. */
++      if (depth > 5)
++              return -ELOOP;
++
+       retval = security_bprm_check(bprm);
+       if (retval)
+               return retval;
+@@ -1387,12 +1391,8 @@ int search_binary_handler(struct linux_b
+                       if (!try_module_get(fmt->module))
+                               continue;
+                       read_unlock(&binfmt_lock);
++                      bprm->recursion_depth = depth + 1;
+                       retval = fn(bprm, regs);
+-                      /*
+-                       * Restore the depth counter to its starting value
+-                       * in this call, so we don't have to rely on every
+-                       * load_binary function to restore it on return.
+-                       */
+                       bprm->recursion_depth = depth;
+                       if (retval >= 0) {
+                               if (depth == 0)
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -67,8 +67,6 @@ struct linux_binprm {
+ #define BINPRM_FLAGS_EXECFD_BIT 1
+ #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
+-#define BINPRM_MAX_RECURSION 4
+-
+ /* Function parameter for binfmt->coredump */
+ struct coredump_params {
+       long signr;
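Review bot: In the fs/exec.c hunk the new guard `if (depth > 5)` uses a bare literal whose relation to the comment's "4 levels of binfmt rewrites" is not evident from the code. The same patch deletes `BINPRM_MAX_RECURSION` from include/linux/binfmts.h, so the limit no longer has a name. Because the binfmt handlers no longer check or bump the counter, this one comparison is the only bound on re-entry into search_binary_handler(), and it should be easy to audit. I would keep a named constant beside the check, for example `if (depth > BINPRM_MAX_DEPTH) return -ELOOP;` (the name is only a suggestion), and extend the comment to say whether depth 0 counts the initial exec. The declaration of `depth` is outside the hunk, so how it is derived from `bprm->recursion_depth` cannot be checked here.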
diff --git a/queue-3.0/fix-compat_rw_copy_check_uvector-misuse-in-aio-readv-writev-and-security-keys.patch b/queue-3.0/fix-compat_rw_copy_check_uvector-misuse-in-aio-readv-writev-and-security-keys.patch
new file mode 100644 (file)
index 0000000..d144d0b
--- /dev/null
@@ -0,0 +1,102 @@
+From 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Mon, 25 Feb 2013 10:20:36 -0500
+Subject: Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 upstream.
+
+Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
+compat_process_vm_rw() shows that the compatibility code requires an
+explicit "access_ok()" check before calling
+compat_rw_copy_check_uvector(). The same difference seems to appear when
+we compare fs/read_write.c:do_readv_writev() to
+fs/compat.c:compat_do_readv_writev().
+
+This subtle difference between the compat and non-compat requirements
+should probably be debated, as it seems to be error-prone. In fact,
+there are two others sites that use this function in the Linux kernel,
+and they both seem to get it wrong:
+
+Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
+also ends up calling compat_rw_copy_check_uvector() through
+aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
+be missing. Same situation for
+security/keys/compat.c:compat_keyctl_instantiate_key_iov().
+
+I propose that we add the access_ok() check directly into
+compat_rw_copy_check_uvector(), so callers don't have to worry about it,
+and it therefore makes the compat call code similar to its non-compat
+counterpart. Place the access_ok() check in the same location where
+copy_from_user() can trigger a -EFAULT error in the non-compat code, so
+the ABI behaviors are alike on both compat and non-compat.
+
+While we are here, fix compat_do_readv_writev() so it checks for
+compat_rw_copy_check_uvector() negative return values.
+
+And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
+handling.
+
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/compat.c            |   15 +++++++--------
+ security/keys/compat.c |    4 ++--
+ 2 files changed, 9 insertions(+), 10 deletions(-)
+
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -576,6 +576,10 @@ ssize_t compat_rw_copy_check_uvector(int
+       }
+       *ret_pointer = iov;
++      ret = -EFAULT;
++      if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
++              goto out;
++
+       /*
+        * Single unix specification:
+        * We should -EINVAL if an element length is not >= 0 and fitting an
+@@ -1106,17 +1110,12 @@ static ssize_t compat_do_readv_writev(in
+       if (!file->f_op)
+               goto out;
+-      ret = -EFAULT;
+-      if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
+-              goto out;
+-
+-      tot_len = compat_rw_copy_check_uvector(type, uvector, nr_segs,
++      ret = compat_rw_copy_check_uvector(type, uvector, nr_segs,
+                                              UIO_FASTIOV, iovstack, &iov);
+-      if (tot_len == 0) {
+-              ret = 0;
++      if (ret <= 0)
+               goto out;
+-      }
++      tot_len = ret;
+       ret = rw_verify_area(type, file, pos, tot_len);
+       if (ret < 0)
+               goto out;
+--- a/security/keys/compat.c
++++ b/security/keys/compat.c
+@@ -40,12 +40,12 @@ long compat_keyctl_instantiate_key_iov(
+                                          ARRAY_SIZE(iovstack),
+                                          iovstack, &iov);
+       if (ret < 0)
+-              return ret;
++              goto err;
+       if (ret == 0)
+               goto no_payload_free;
+       ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+-
++err:
+       if (iov != iovstack)
+               kfree(iov);
+       return ret;
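Review bot: The new `err:` label in the security/keys/compat.c hunk makes the failure path evaluate `iov != iovstack`, which is only sound if `iov` already holds a defined value when compat_rw_copy_check_uvector() fails before it stores to `*ret_pointer`. The declaration of `iov` and the callee's early-exit paths are outside the hunk, so this cannot be confirmed from here. If `iov` is not initialised to `iovstack` at its declaration, `kfree()` could be handed an indeterminate pointer on that path. A comment at the label would record the invariant: `/* iov starts out as iovstack, so this test is valid even if the callee failed before setting it */`. The same applies to the identical `goto err` change to keyctl_instantiate_key_iov() in key-fix-resource-leak.patch.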
diff --git a/queue-3.0/i915-initialize-cadl-in-opregion.patch b/queue-3.0/i915-initialize-cadl-in-opregion.patch
new file mode 100644 (file)
index 0000000..b8e1029
--- /dev/null
@@ -0,0 +1,70 @@
+From d627b62ff8d4d36761adbcd90ff143d79c94ab22 Mon Sep 17 00:00:00 2001
+From: Lekensteyn <lekensteyn@gmail.com>
+Date: Tue, 26 Jun 2012 00:36:24 +0200
+Subject: i915: initialize CADL in opregion
+
+From: Lekensteyn <lekensteyn@gmail.com>
+
+commit d627b62ff8d4d36761adbcd90ff143d79c94ab22 upstream.
+
+This is rather a hack to fix brightness hotkeys on a Clevo laptop. CADL is not
+used anywhere in the driver code at the moment, but it could be used in BIOS as
+is the case with the Clevo laptop.
+
+The Clevo B7130 requires the CADL field to contain at least the ID of
+the LCD device. If this field is empty, the ACPI methods that are called
+on pressing brightness / display switching hotkeys will not trigger a
+notification. As a result, it appears as no hotkey has been pressed.
+
+Reference: https://bugs.freedesktop.org/show_bug.cgi?id=45452
+Tested-by: Peter Wu <lekensteyn@gmail.com>
+Signed-off-by: Peter Wu <lekensteyn@gmail.com>
+Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_opregion.c |   23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_opregion.c
++++ b/drivers/gpu/drm/i915/intel_opregion.c
+@@ -413,6 +413,25 @@ blind_set:
+       goto end;
+ }
++static void intel_setup_cadls(struct drm_device *dev)
++{
++      struct drm_i915_private *dev_priv = dev->dev_private;
++      struct intel_opregion *opregion = &dev_priv->opregion;
++      int i = 0;
++      u32 disp_id;
++
++      /* Initialize the CADL field by duplicating the DIDL values.
++       * Technically, this is not always correct as display outputs may exist,
++       * but not active. This initialization is necessary for some Clevo
++       * laptops that check this field before processing the brightness and
++       * display switching hotkeys. Just like DIDL, CADL is NULL-terminated if
++       * there are less than eight devices. */
++      do {
++              disp_id = ioread32(&opregion->acpi->didl[i]);
++              iowrite32(disp_id, &opregion->acpi->cadl[i]);
++      } while (++i < 8 && disp_id != 0);
++}
++
+ void intel_opregion_init(struct drm_device *dev)
+ {
+       struct drm_i915_private *dev_priv = dev->dev_private;
+@@ -422,8 +441,10 @@ void intel_opregion_init(struct drm_devi
+               return;
+       if (opregion->acpi) {
+-              if (drm_core_check_feature(dev, DRIVER_MODESET))
++              if (drm_core_check_feature(dev, DRIVER_MODESET)) {
+                       intel_didl_outputs(dev);
++                      intel_setup_cadls(dev);
++              }
+               /* Notify BIOS we are ready to handle ACPI video ext notifs.
+                * Right now, all the events are handled by the ACPI video module.
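Review bot: The loop bound in intel_setup_cadls() is the bare literal `8` in `while (++i < 8 && disp_id != 0)`, and nothing in the hunk ties it to the sizes of `didl[]` and `cadl[]`, whose declarations are outside the patch. Deriving the bound from the arrays would keep the ioread32()/iowrite32() indices in range if either field is ever resized, e.g. `} while (++i < ARRAY_SIZE(opregion->acpi->cadl) && disp_id != 0);`. That assumes both arrays have the same length, which should be confirmed against the struct definition. The function also relies on its caller having checked `opregion->acpi`, which is worth stating in a one-line comment above it.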
diff --git a/queue-3.0/isofs-avoid-info-leak-on-export.patch b/queue-3.0/isofs-avoid-info-leak-on-export.patch
new file mode 100644 (file)
index 0000000..1eb293b
--- /dev/null
@@ -0,0 +1,31 @@
+From fe685aabf7c8c9f138e5ea900954d295bf229175 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Thu, 12 Jul 2012 08:46:54 +0200
+Subject: isofs: avoid info leak on export
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit fe685aabf7c8c9f138e5ea900954d295bf229175 upstream.
+
+For type 1 the parent_offset member in struct isofs_fid gets copied
+uninitialized to userland. Fix this by initializing it to 0.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/export.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -135,6 +135,7 @@ isofs_export_encode_fh(struct dentry *de
+       len = 3;
+       fh32[0] = ei->i_iget5_block;
+       fh16[2] = (__u16)ei->i_iget5_offset;  /* fh16 [sic] */
++      fh16[3] = 0;  /* avoid leaking uninitialized data */
+       fh32[2] = inode->i_generation;
+       if (connectable && !S_ISDIR(inode->i_mode)) {
+               struct inode *parent;
diff --git a/queue-3.0/key-fix-resource-leak.patch b/queue-3.0/key-fix-resource-leak.patch
new file mode 100644 (file)
index 0000000..18f0452
--- /dev/null
@@ -0,0 +1,36 @@
+From a84a921978b7d56e0e4b87ffaca6367429b4d8ff Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Fri, 28 Sep 2012 12:20:02 +0100
+Subject: key: Fix resource leak
+
+From: Alan Cox <alan@linux.intel.com>
+
+commit a84a921978b7d56e0e4b87ffaca6367429b4d8ff upstream.
+
+On an error iov may still have been reallocated and need freeing
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/keyctl.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1067,12 +1067,12 @@ long keyctl_instantiate_key_iov(key_seri
+       ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
+                                   ARRAY_SIZE(iovstack), iovstack, &iov);
+       if (ret < 0)
+-              return ret;
++              goto err;
+       if (ret == 0)
+               goto no_payload_free;
+       ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+-
++err:
+       if (iov != iovstack)
+               kfree(iov);
+       return ret;
index 72e19f431777fa5a32d177f9a9e3ed55a69761c0..1099ffbffa6ffb77a9860e28782159ffa5a9380b 100644 (file)
@@ -37,3 +37,11 @@ x86-64-fix-the-failure-case-in-copy_user_handle_tail.patch
 usb-xhci-fix-bit-definitions-for-iman-register.patch
 usb-serial-fix-interface-refcounting.patch
 udf-fix-bitmap-overflow-on-large-filesystems-with-small-block-size.patch
+usb-garmin_gps-fix-memory-leak-on-disconnect.patch
+usb-io_ti-fix-get_icount-for-two-port-adapters.patch
+key-fix-resource-leak.patch
+fix-compat_rw_copy_check_uvector-misuse-in-aio-readv-writev-and-security-keys.patch
+isofs-avoid-info-leak-on-export.patch
+udf-avoid-info-leak-on-export.patch
+i915-initialize-cadl-in-opregion.patch
+exec-use-eloop-for-max-recursion-depth.patch
diff --git a/queue-3.0/udf-avoid-info-leak-on-export.patch b/queue-3.0/udf-avoid-info-leak-on-export.patch
new file mode 100644 (file)
index 0000000..af4bf79
--- /dev/null
@@ -0,0 +1,31 @@
+From 0143fc5e9f6f5aad4764801015bc8d4b4a278200 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Thu, 12 Jul 2012 08:46:55 +0200
+Subject: udf: avoid info leak on export
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 0143fc5e9f6f5aad4764801015bc8d4b4a278200 upstream.
+
+For type 0x51 the udf.parent_partref member in struct fid gets copied
+uninitialized to userland. Fix this by initializing it to 0.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/namei.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -1297,6 +1297,7 @@ static int udf_encode_fh(struct dentry *
+       *lenp = 3;
+       fid->udf.block = location.logicalBlockNum;
+       fid->udf.partref = location.partitionReferenceNum;
++      fid->udf.parent_partref = 0;
+       fid->udf.generation = inode->i_generation;
+       if (connectable && !S_ISDIR(inode->i_mode)) {
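Review bot: The added `fid->udf.parent_partref = 0;` carries no comment, so the reason for writing a field this handle type does not otherwise use is visible only in the commit message. The matching isofs fix in isofs-avoid-info-leak-on-export.patch does annotate its line. I would add `/* unused for this fid type; zeroed so no uninitialized bytes are exported */` on that line. The connectable branch that follows continues outside the hunk, so whether every remaining field of the longer handle is written there cannot be checked from here.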
diff --git a/queue-3.0/usb-garmin_gps-fix-memory-leak-on-disconnect.patch b/queue-3.0/usb-garmin_gps-fix-memory-leak-on-disconnect.patch
new file mode 100644 (file)
index 0000000..b7c12d1
--- /dev/null
@@ -0,0 +1,45 @@
+From 618aa1068df29c37a58045fe940f9106664153fd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 19 Mar 2013 09:21:07 +0100
+Subject: USB: garmin_gps: fix memory leak on disconnect
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 618aa1068df29c37a58045fe940f9106664153fd upstream.
+
+Remove bogus disconnect test introduced by 95bef012e ("USB: more serial
+drivers writing after disconnect") which prevented queued data from
+being freed on disconnect.
+
+The possible IO it was supposed to prevent is long gone.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/garmin_gps.c |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/garmin_gps.c
++++ b/drivers/usb/serial/garmin_gps.c
+@@ -973,10 +973,7 @@ static void garmin_close(struct usb_seri
+       if (!serial)
+               return;
+-      mutex_lock(&port->serial->disc_mutex);
+-
+-      if (!port->serial->disconnected)
+-              garmin_clear(garmin_data_p);
++      garmin_clear(garmin_data_p);
+       /* shutdown our urbs */
+       usb_kill_urb(port->read_urb);
+@@ -985,8 +982,6 @@ static void garmin_close(struct usb_seri
+       /* keep reset state so we know that we must start a new session */
+       if (garmin_data_p->state != STATE_RESET)
+               garmin_data_p->state = STATE_DISCONNECTED;
+-
+-      mutex_unlock(&port->serial->disc_mutex);
+ }
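Review bot: With the `disconnected` test removed, garmin_close() calls `garmin_clear(garmin_data_p)` unconditionally and without holding `disc_mutex`, so the change is safe only if garmin_clear() in this 3.0 tree no longer issues I/O to the device. The commit message says that I/O is long gone, but garmin_clear() is not part of the hunk. For a stable backport this should be confirmed against the 3.0 source rather than upstream. A short comment at the call would record the assumption: `/* garmin_clear() only drops queued data; it performs no device I/O, so it is safe after disconnect */`.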
diff --git a/queue-3.0/usb-io_ti-fix-get_icount-for-two-port-adapters.patch b/queue-3.0/usb-io_ti-fix-get_icount-for-two-port-adapters.patch
new file mode 100644 (file)
index 0000000..d33d47c
--- /dev/null
@@ -0,0 +1,32 @@
+From 5492bf3d5655b4954164f69c02955a7fca267611 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 19 Mar 2013 09:21:08 +0100
+Subject: USB: io_ti: fix get_icount for two port adapters
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 5492bf3d5655b4954164f69c02955a7fca267611 upstream.
+
+Add missing get_icount field to two-port driver.
+
+The two-port driver was not updated when switching to the new icount
+interface in commit 0bca1b913aff ("tty: Convert the USB drivers to the
+new icount interface").
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_ti.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -2793,6 +2793,7 @@ static struct usb_serial_driver edgeport
+       .set_termios            = edge_set_termios,
+       .tiocmget               = edge_tiocmget,
+       .tiocmset               = edge_tiocmset,
++      .get_icount             = edge_get_icount,
+       .write                  = edge_write,
+       .write_room             = edge_write_room,
+       .chars_in_buffer        = edge_chars_in_buffer,