From: Greg Kroah-Hartman
Date: Mon, 6 Dec 2010 22:47:12 +0000 (-0800)
Subject: .27 patches
X-Git-Tag: v2.6.27.57~33
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=272182a6d744b780be3f174ad7a26ae3e0f33c95;p=thirdparty%2Fkernel%2Fstable-queue.git
.27 patches
---
diff --git a/queue-2.6.27/acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch b/queue-2.6.27/acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch
new file mode 100644
index 00000000000..988b918c951
--- /dev/null
+++ b/queue-2.6.27/acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch
@@ -0,0 +1,53 @@
+From dab5fff14df2cd16eb1ad4c02e83915e1063fece Mon Sep 17 00:00:00 2001
+From: Zhang Rui
+Date: Tue, 12 Oct 2010 09:09:37 +0800
+Subject: acpi-cpufreq: fix a memleak when unloading driver
+
+From: Zhang Rui
+
+commit dab5fff14df2cd16eb1ad4c02e83915e1063fece upstream.
+
+We didn't free per_cpu(acfreq_data, cpu)->freq_table
+when acpi_freq driver is unloaded.
+
+Resulting in the following messages in /sys/kernel/debug/kmemleak:
+
+unreferenced object 0xf6450e80 (size 64):
+ comm "modprobe", pid 1066, jiffies 4294677317 (age 19290.453s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 e8 a2 24 00 01 00 00 00 00 9f 24 00 ......$.......$.
+ 02 00 00 00 00 6a 18 00 03 00 00 00 00 35 0c 00 .....j.......5..
+ backtrace:
+ [] kmemleak_alloc+0x27/0x50
+ [] __kmalloc+0xcf/0x110
+ [] acpi_cpufreq_cpu_init+0x1ee/0x4e4 [acpi_cpufreq]
+ [] cpufreq_add_dev+0x142/0x3a0
+ [] sysdev_driver_register+0x97/0x110
+ [] cpufreq_register_driver+0x86/0x140
+ [] 0xf9dad080
+ [] do_one_initcall+0x30/0x160
+ [] sys_init_module+0x99/0x1e0
+ [] sysenter_do_call+0x12/0x26
+ [] 0xffffffff
+
+https://bugzilla.kernel.org/show_bug.cgi?id=15807#c21
+
+Tested-by: Toralf Forster
+Signed-off-by: Zhang Rui
+Signed-off-by: Len Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
++++ b/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
+@@ -742,6 +742,7 @@ static int acpi_cpufreq_cpu_exit(struct
+ per_cpu(drv_data, policy->cpu) = NULL;
+ acpi_processor_unregister_performance(data->acpi_data,
+ policy->cpu);
++ kfree(data->freq_table);
+ kfree(data);
+ }
+
diff --git a/queue-2.6.27/arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch b/queue-2.6.27/arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch
new file mode 100644
index 00000000000..a416b2d3da0
--- /dev/null
+++ b/queue-2.6.27/arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch
@@ -0,0 +1,49 @@
+From 0e91ec0c06d2cd15071a6021c94840a50e6671aa Mon Sep 17 00:00:00 2001
+From: James Jones
+Date: Wed, 24 Nov 2010 00:21:37 +0100
+Subject: ARM: 6482/2: Fix find_next_zero_bit and related assembly
+
+From: James Jones
+
+commit 0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream.
+
+The find_next_bit, find_first_bit, find_next_zero_bit
+and find_first_zero_bit functions were not properly
+clamping to the maxbit argument at the bit level. They
+were instead only checking maxbit at the byte level.
+To fix this, add a compare and a conditional move
+instruction to the end of the common bit-within-the-
+byte code used by all the functions and be sure not to
+clobber the maxbit argument before it is used.
+
+Reviewed-by: Nicolas Pitre
+Tested-by: Stephen Warren
+Signed-off-by: James Jones
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/lib/findbit.S | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/lib/findbit.S
++++ b/arch/arm/lib/findbit.S
+@@ -148,8 +148,8 @@ ENTRY(_find_next_bit_be)
+ */
+ .L_found:
+ #if __LINUX_ARM_ARCH__ >= 5
+- rsb r1, r3, #0
+- and r3, r3, r1
++ rsb r0, r3, #0
++ and r3, r3, r0
+ clz r3, r3
+ rsb r3, r3, #31
+ add r0, r2, r3
+@@ -164,5 +164,7 @@ ENTRY(_find_next_bit_be)
+ addeq r2, r2, #1
+ mov r0, r2
+ #endif
++ cmp r1, r0 @ Clamp to maxbit
++ movlo r0, r1
+ mov pc, lr
+
diff --git a/queue-2.6.27/decnet-don-t-leak-uninitialized-stack-byte.patch b/queue-2.6.27/decnet-don-t-leak-uninitialized-stack-byte.patch
new file mode 100644
index 00000000000..159def53efa
--- /dev/null
+++ b/queue-2.6.27/decnet-don-t-leak-uninitialized-stack-byte.patch
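Review bot: The clamp added at the end of `.L_found` in arch/arm/lib/findbit.S (`cmp r1, r0` / `movlo r0, r1`) depends on r1 still holding maxbit when it runs, and nothing in the visible code states that. The ARMv5+ path was switched to r0 as its scratch register for exactly this reason. The comment block that closes just above `.L_found` starts outside the hunk; it should record the register contract, for example `r1 = maxbit, must stay intact until the final cmp`, so a later edit does not reuse r1 and bring back out-of-range results. The pre-ARMv5 branch is only partly visible here, so it is worth confirming that it leaves r1 untouched as well.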
@@ -0,0 +1,30 @@
+From 3c6f27bf33052ea6ba9d82369fb460726fb779c0 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Tue, 23 Nov 2010 11:02:13 +0000
+Subject: DECnet: don't leak uninitialized stack byte
+
+From: Dan Rosenberg
+
+commit 3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream.
+
+A single uninitialized padding byte is leaked to userspace.
+
+Signed-off-by: Dan Rosenberg
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/decnet/af_decnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -1558,6 +1558,8 @@ static int __dn_getsockopt(struct socket
+ if (r_len > sizeof(struct linkinfo_dn))
+ r_len = sizeof(struct linkinfo_dn);
+
++ memset(&link, 0, sizeof(link));
++
+ switch(sock->state) {
+ case SS_CONNECTING:
+ link.idn_linkstate = LL_CONNECTING;
diff --git a/queue-2.6.27/do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch b/queue-2.6.27/do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
new file mode 100644
index 00000000000..58698909efc
--- /dev/null
+++ b/queue-2.6.27/do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
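Review bot: The `memset(&link, 0, sizeof(link));` added before the `switch` in `__dn_getsockopt` (net/decnet/af_decnet.c) carries no comment saying why it is needed, and because the visible case goes on to assign a field of `link` it can look redundant. Per the commit message the struct has a padding byte that reaches userspace, so a one-line comment such as `/* clear padding: link is copied out to userspace */` would keep a later cleanup from dropping the call. The copy-out itself and the rest of the function are outside this hunk.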
@@ -0,0 +1,55 @@
+From 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 Mon Sep 17 00:00:00 2001
+From: Nelson Elhage
+Date: Thu, 2 Dec 2010 14:31:21 -0800
+Subject: do_exit(): make sure that we run with get_fs() == USER_DS
+
+From: Nelson Elhage
+
+commit 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream.
+
+If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
+otherwise reset before do_exit(). do_exit may later (via mm_release in
+fork.c) do a put_user to a user-controlled address, potentially allowing
+a user to leverage an oops into a controlled write into kernel memory.
+
+This is only triggerable in the presence of another bug, but this
+potentially turns a lot of DoS bugs into privilege escalations, so it's
+worth fixing. I have proof-of-concept code which uses this bug along
+with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
+I've tested that this is not theoretical.
+
+A more logical place to put this fix might be when we know an oops has
+occurred, before we call do_exit(), but that would involve changing
+every architecture, in multiple places.
+
+Let's just stick it in do_exit instead.
+
+[akpm@linux-foundation.org: update code comment]
+Signed-off-by: Nelson Elhage
+Cc: KOSAKI Motohiro
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/exit.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1004,6 +1004,15 @@ NORET_TYPE void do_exit(long code)
+ if (unlikely(!tsk->pid))
+ panic("Attempted to kill the idle task!");
+
++ /*
++ * If do_exit is called because this processes oopsed, it's possible
++ * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
++ * continuing. Amongst other possible reasons, this is to prevent
++ * mm_release()->clear_child_tid() from writing to a user-controlled
++ * kernel address.
++ */
++ set_fs(USER_DS);
++
+ tracehook_report_exit(&code);
+
+ /*
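Review bot: The comment added above `set_fs(USER_DS);` in `do_exit` (kernel/exit.c) reads "this processes oopsed"; it should be `this process oopsed`. The comment also speaks of "writing to a user-controlled kernel address" without naming the access that the address limit governs, while the commit message identifies it as a put_user. Wording such as `from doing a put_user() to a user-controlled kernel address` would make it clear why resetting the limit closes the hole. The body of do_exit starts and ends outside the hunk.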
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index dc465c9107c..ddb1538f439 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -18,3 +18,11 @@ usb-misc-iowarrior-fix-information-leak-to-userland.patch
 usb-core-fix-information-leak-to-userland.patch
 usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
 usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
+usb-atm-ueagle-atm-fix-up-some-permissions-on-the-sysfs-files.patch
+usb-misc-cypress_cy7c63-fix-up-some-sysfs-attribute-permissions.patch
+usb-misc-usbled-fix-up-some-sysfs-attribute-permissions.patch
+usb-misc-trancevibrator-fix-up-a-sysfs-attribute-permission.patch
+acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch
+do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
+decnet-don-t-leak-uninitialized-stack-byte.patch
+arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch
diff --git a/queue-2.6.27/usb-atm-ueagle-atm-fix-up-some-permissions-on-the-sysfs-files.patch b/queue-2.6.27/usb-atm-ueagle-atm-fix-up-some-permissions-on-the-sysfs-files.patch
new file mode 100644
index 00000000000..ce7176fecdb
--- /dev/null
+++ b/queue-2.6.27/usb-atm-ueagle-atm-fix-up-some-permissions-on-the-sysfs-files.patch
@@ -0,0 +1,51 @@
+From e502ac5e1eca99d7dc3f12b2a6780ccbca674858 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 15 Nov 2010 11:11:45 -0800
+Subject: USB: atm: ueagle-atm: fix up some permissions on the sysfs files
+
+From: Greg Kroah-Hartman
+
+commit e502ac5e1eca99d7dc3f12b2a6780ccbca674858 upstream.
+
+Some of the sysfs files had the incorrect permissions. Some didn't make
+sense at all (writable for a file that you could not write to?)
+
+Reported-by: Linus Torvalds
+Cc: Matthieu Castet
+Cc: Stanislaw Gruszka
+Cc: Damien Bergamini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/atm/ueagle-atm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/atm/ueagle-atm.c
++++ b/drivers/usb/atm/ueagle-atm.c
+@@ -2258,7 +2258,7 @@ out:
+ return ret;
+ }
+
+-static DEVICE_ATTR(stat_status, S_IWUGO | S_IRUGO, read_status, reboot);
++static DEVICE_ATTR(stat_status, S_IWUSR | S_IRUGO, read_status, reboot);
+
+ static ssize_t read_human_status(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -2321,7 +2321,7 @@ out:
+ return ret;
+ }
+
+-static DEVICE_ATTR(stat_human_status, S_IWUGO | S_IRUGO, read_human_status, NULL);
++static DEVICE_ATTR(stat_human_status, S_IRUGO, read_human_status, NULL);
+
+ static ssize_t read_delin(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -2353,7 +2353,7 @@ out:
+ return ret;
+ }
+
+-static DEVICE_ATTR(stat_delin, S_IWUGO | S_IRUGO, read_delin, NULL);
++static DEVICE_ATTR(stat_delin, S_IRUGO, read_delin, NULL);
+
+ #define UEA_ATTR(name, reset) \
+ \
diff --git a/queue-2.6.27/usb-misc-cypress_cy7c63-fix-up-some-sysfs-attribute-permissions.patch b/queue-2.6.27/usb-misc-cypress_cy7c63-fix-up-some-sysfs-attribute-permissions.patch
new file mode 100644
index 00000000000..ffd0e72d75e
--- /dev/null
+++ b/queue-2.6.27/usb-misc-cypress_cy7c63-fix-up-some-sysfs-attribute-permissions.patch
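Review bot: Only the three hand-written `DEVICE_ATTR` lines in drivers/usb/atm/ueagle-atm.c are tightened, and the last hunk stops at the opening of `#define UEA_ATTR(name, reset)`, whose body is not shown. If that macro also expands to a `DEVICE_ATTR` carrying `S_IWUGO`, the attributes it generates would presumably stay world-writable, so the mode inside it should be checked against the same rule. `stat_status` keeps its store handler (`reboot`) and is now writable by the owner only, while the two attributes with a `NULL` store handler correctly lose the write bits altogether.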
@@ -0,0 +1,35 @@
+From c990600d340641150f7270470a64bd99a5c0b225 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 15 Nov 2010 11:32:38 -0800
+Subject: USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions
+
+From: Greg Kroah-Hartman
+
+commit c990600d340641150f7270470a64bd99a5c0b225 upstream.
+
+They should not be writable by any user.
+
+Reported-by: Linus Torvalds
+Cc: Oliver Bock
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/cypress_cy7c63.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/cypress_cy7c63.c
++++ b/drivers/usb/misc/cypress_cy7c63.c
+@@ -195,11 +195,9 @@ static ssize_t get_port1_handler(struct
+ return read_port(dev, attr, buf, 1, CYPRESS_READ_PORT_ID1);
+ }
+
+-static DEVICE_ATTR(port0, S_IWUGO | S_IRUGO,
+- get_port0_handler, set_port0_handler);
++static DEVICE_ATTR(port0, S_IRUGO | S_IWUSR, get_port0_handler, set_port0_handler);
+
+-static DEVICE_ATTR(port1, S_IWUGO | S_IRUGO,
+- get_port1_handler, set_port1_handler);
++static DEVICE_ATTR(port1, S_IRUGO | S_IWUSR, get_port1_handler, set_port1_handler);
+
+
+ static int cypress_probe(struct usb_interface *interface,
diff --git a/queue-2.6.27/usb-misc-trancevibrator-fix-up-a-sysfs-attribute-permission.patch b/queue-2.6.27/usb-misc-trancevibrator-fix-up-a-sysfs-attribute-permission.patch
new file mode 100644
index 00000000000..cb71604b774
--- /dev/null
+++ b/queue-2.6.27/usb-misc-trancevibrator-fix-up-a-sysfs-attribute-permission.patch
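Review bot: The rewritten `DEVICE_ATTR(port0, ...)` and `DEVICE_ATTR(port1, ...)` lines in drivers/usb/misc/cypress_cy7c63.c were each joined onto a single line and now run past 80 columns, where the removed lines were wrapped after the mode argument. Keeping the wrap, `static DEVICE_ATTR(port0, S_IRUGO | S_IWUSR,` with the two handlers on the following line, would confine the change to the mode flags. For a permission fix that makes the security-relevant edit the only thing a reader has to verify.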
@@ -0,0 +1,30 @@
+From d489a4b3926bad571d404ca6508f6744b9602776 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 15 Nov 2010 11:34:26 -0800
+Subject: USB: misc: trancevibrator: fix up a sysfs attribute permission
+
+From: Greg Kroah-Hartman
+
+commit d489a4b3926bad571d404ca6508f6744b9602776 upstream.
+
+It should not be writable by any user.
+
+Reported-by: Linus Torvalds
+Cc: Sam Hocevar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/trancevibrator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/trancevibrator.c
++++ b/drivers/usb/misc/trancevibrator.c
+@@ -85,7 +85,7 @@ static ssize_t set_speed(struct device *
+ return count;
+ }
+
+-static DEVICE_ATTR(speed, S_IWUGO | S_IRUGO, show_speed, set_speed);
++static DEVICE_ATTR(speed, S_IRUGO | S_IWUSR, show_speed, set_speed);
+
+ static int tv_probe(struct usb_interface *interface,
+ const struct usb_device_id *id)
diff --git a/queue-2.6.27/usb-misc-usbled-fix-up-some-sysfs-attribute-permissions.patch b/queue-2.6.27/usb-misc-usbled-fix-up-some-sysfs-attribute-permissions.patch
new file mode 100644
index 00000000000..71be6253b1a
--- /dev/null
+++ b/queue-2.6.27/usb-misc-usbled-fix-up-some-sysfs-attribute-permissions.patch
@@ -0,0 +1,29 @@
+From 48f115470e68d443436b76b22dad63ffbffd6b97 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 15 Nov 2010 11:35:49 -0800
+Subject: USB: misc: usbled: fix up some sysfs attribute permissions
+
+From: Greg Kroah-Hartman
+
+commit 48f115470e68d443436b76b22dad63ffbffd6b97 upstream.
+
+They should not be writable by any user.
+
+Reported-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/usbled.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/usbled.c
++++ b/drivers/usb/misc/usbled.c
+@@ -94,7 +94,7 @@ static ssize_t set_##value(struct device
+ change_color(led); \
+ return count; \
+ } \
+-static DEVICE_ATTR(value, S_IWUGO | S_IRUGO, show_##value, set_##value);
++static DEVICE_ATTR(value, S_IRUGO | S_IWUSR, show_##value, set_##value);
+ show_set(blue);
+ show_set(red);
+ show_set(green);