From: Greg Kroah-Hartman Date: Tue, 7 Dec 2010 20:08:43 +0000 (-0800) Subject: .32 patches X-Git-Tag: v2.6.27.57~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b1055b6d4b05f07b05f8322259bfe581ed4251f5;p=thirdparty%2Fkernel%2Fstable-queue.git .32 patches
---
diff --git a/queue-2.6.32/can-bcm-fix-minor-heap-overflow.patch b/queue-2.6.32/can-bcm-fix-minor-heap-overflow.patch
new file mode 100644
index 00000000000..87ec6cbdd65
--- /dev/null
+++ b/queue-2.6.32/can-bcm-fix-minor-heap-overflow.patch
@@ -0,0 +1,35 @@
+From 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Wed, 10 Nov 2010 12:10:30 +0000
+Subject: can-bcm: fix minor heap overflow
+
+From: Oliver Hartkopp
+
+commit 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream.
+
+On 64-bit platforms the ASCII representation of a pointer may be up to 17
+bytes long. This patch increases the length of the buffer accordingly.
+
+http://marc.info/?l=linux-netdev&m=128872251418192&w=2
+
+Reported-by: Dan Rosenberg
+Signed-off-by: Oliver Hartkopp
+CC: Linus Torvalds
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/can/bcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -124,7 +124,7 @@ struct bcm_sock {
+ struct list_head tx_ops;
+ unsigned long dropped_usr_msgs;
+ struct proc_dir_entry *bcm_proc_read;
+- char procname [9]; /* pointer printed in ASCII with \0 */
++ char procname [20]; /* pointer printed in ASCII with \0 */
+ };
+
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
diff --git a/queue-2.6.32/drivers-video-efifb.c-support-framebuffer-for-nvidia-9400m-in-macbook-pro-5-1.patch b/queue-2.6.32/drivers-video-efifb.c-support-framebuffer-for-nvidia-9400m-in-macbook-pro-5-1.patch
new file mode 100644
index 00000000000..6adc2de30ce
--- /dev/null
+++ b/queue-2.6.32/drivers-video-efifb.c-support-framebuffer-for-nvidia-9400m-in-macbook-pro-5-1.patch
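Review bot: `char procname [20]` in struct bcm_sock is still a bare magic number, and nothing in this hunk ties it to the width of the value that is printed into it. The commit message puts the worst case at 17 bytes on 64-bit, so deriving the size from the type, e.g. `char procname[2 * sizeof(void *) + 1];` (or larger), would keep the two in step. The code that formats the name is outside the hunk; it should use snprintf() bounded by `sizeof` of procname if it does not already, so a future format change truncates instead of overrunning the struct. Separately, the field comment says the name is a pointer printed in ASCII, which presumably exposes a kernel address as a procfs entry name; that is worth a follow-up of its own.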
@@ -0,0 +1,91 @@ +From 8a3bdfe6cd841880a5d849c40f90093b3817f6e0 Mon Sep 17 00:00:00 2001 +From: Thomas Gerlach +Date: Fri, 23 Apr 2010 13:17:50 -0400 +Subject: drivers/video/efifb.c: support framebuffer for NVIDIA 9400M in MacBook Pro 5,1 + +From: Thomas Gerlach + +commit 8a3bdfe6cd841880a5d849c40f90093b3817f6e0 upstream. + +Description of patch: +--------------------- + +This is a patch for the EFI framebuffer driver to enable the framebuffer +of the NVIDIA 9400M as found in MacBook Pro (MBP) 5,1 and up. The +framebuffer of the NVIDIA graphic cards are located at the following +addresses in memory: + +9400M: 0xC0010000 +9600M GT: 0xB0030000 + +The patch delivered right here only provides the memory location of the +framebuffer of the 9400M device. The 9600M GT is not covered. It is +assumed that the 9400M is used when powered up the MBP. + +The information which device is currently powered and in use is stored in +the 64 bytes large EFI variable "gpu-power-prefs". More specifically, +byte 0x3B indicates whether 9600M GT (0x00) or 9400M (0x01) is online. + +The PCI bus IDs are the following: +9400M: PCI 03:00:00 +9600M GT: PCI 02:00:00 + +The EFI variables can be easily read-out and manipulated with "rEFIt", an +MBP specific bootloader tool. For more information on how handle rEFIt +and EFI variables please consult "http://refit.sourceforge.net" and +"http://ubuntuforums.org/archive/index.php/t-1076879.html". + +IMPORTANT NOTE: The information on how to activate the 9400M device given +at "ubuntuforums.org" is not correct, since it states + +gpu-power-prefs[0x3B] = 0x00 -> 9400M (PCI 02:00:00) +gpu-power-prefs[0x3B] = 0x01 -> 9600M GT (PCI 03:00:00) + +Actually, the assignment of the values and the PCI bus IDs are swapped. + +Suggestions: +------------ + +To cover framebuffers of both 9400M and 9600M GT, I would suggest to +implement a conditional on "gpu-power-prefs". Depending on the value of +byte 0x3B, the according framebuffer is selected. 
However, this requires +kernel access to the EFI variables. + +[akpm@linux-foundation.org: rename optname, per Peter Jones] +Signed-off-by: Thomas Gerlach +Acked-by: Peter Jones +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Cc: maximilian attems +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/efifb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/efifb.c ++++ b/drivers/video/efifb.c +@@ -49,6 +49,7 @@ enum { + M_MBP_2, /* MacBook Pro 2nd gen */ + M_MBP_SR, /* MacBook Pro (Santa Rosa) */ + M_MBP_4, /* MacBook Pro, 4th gen */ ++ M_MBP_5_1, /* MacBook Pro, 5,1th gen */ + M_UNKNOWN /* placeholder */ + }; + +@@ -70,6 +71,7 @@ static struct efifb_dmi_info { + [M_MBP_2] = { "mbp2", 0, 0, 0, 0 }, /* placeholder */ + [M_MBP_SR] = { "mbp3", 0x80030000, 2048 * 4, 1440, 900 }, + [M_MBP_4] = { "mbp4", 0xc0060000, 2048 * 4, 1920, 1200 }, ++ [M_MBP_5_1] = { "mbp51", 0xc0010000, 2048 * 4, 1440, 900 }, + [M_UNKNOWN] = { NULL, 0, 0, 0, 0 } + }; + +@@ -106,6 +108,7 @@ static struct dmi_system_id __initdata d + EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro3,1", M_MBP_SR), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro3,1", M_MBP_SR), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro4,1", M_MBP_4), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro5,1", M_MBP_5_1), + {}, + }; + diff --git a/queue-2.6.32/efifb-support-the-efi-framebuffer-on-more-apple-hardware.patch b/queue-2.6.32/efifb-support-the-efi-framebuffer-on-more-apple-hardware.patch new file mode 100644 index 00000000000..5d44a01f924 --- /dev/null +++ b/queue-2.6.32/efifb-support-the-efi-framebuffer-on-more-apple-hardware.patch 
@@ -0,0 +1,131 @@ +From a5757c2a474a15f87e5baa9a4caacc31cde2bae6 Mon Sep 17 00:00:00 2001 +From: Luke Macken +Date: Wed, 22 Sep 2010 13:05:04 -0700 +Subject: efifb: support the EFI framebuffer on more Apple hardware + +From: Luke Macken + +commit a5757c2a474a15f87e5baa9a4caacc31cde2bae6 upstream. + +Enable the EFI framebuffer on 14 more Macs, including the iMac11,1 +iMac10,1 iMac8,1 Macmini3,1 Macmini4,1 MacBook5,1 MacBook6,1 MacBook7,1 +MacBookPro2,2 MacBookPro5,2 MacBookPro5,3 MacBookPro6,1 MacBookPro6,2 and +MacBookPro7,1 + +Information gathered from various user submissions. + + https://bugzilla.redhat.com/show_bug.cgi?id=528232 + http://ubuntuforums.org/showthread.php?t=1557326 + +[akpm@linux-foundation.org: coding-style fixes] +Signed-off-by: Luke Macken +Signed-off-by: Peter Jones +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Cc: maximilian attems +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/efifb.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +--- a/drivers/video/efifb.c ++++ b/drivers/video/efifb.c +@@ -39,17 +39,31 @@ enum { + M_I20, /* 20-Inch iMac */ + M_I20_SR, /* 20-Inch iMac (Santa Rosa) */ + M_I24, /* 24-Inch iMac */ ++ M_I24_8_1, /* 24-Inch iMac, 8,1th gen */ ++ M_I24_10_1, /* 24-Inch iMac, 10,1th gen */ ++ M_I27_11_1, /* 27-Inch iMac, 11,1th gen */ + M_MINI, /* Mac Mini */ ++ M_MINI_3_1, /* Mac Mini, 3,1th gen */ ++ M_MINI_4_1, /* Mac Mini, 4,1th gen */ + M_MB, /* MacBook */ + M_MB_2, /* MacBook, 2nd rev. */ + M_MB_3, /* MacBook, 3rd rev. */ ++ M_MB_5_1, /* MacBook, 5th rev. */ ++ M_MB_6_1, /* MacBook, 6th rev. */ ++ M_MB_7_1, /* MacBook, 7th rev. 
*/ + M_MB_SR, /* MacBook, 2nd gen, (Santa Rosa) */ + M_MBA, /* MacBook Air */ + M_MBP, /* MacBook Pro */ + M_MBP_2, /* MacBook Pro 2nd gen */ ++ M_MBP_2_2, /* MacBook Pro 2,2nd gen */ + M_MBP_SR, /* MacBook Pro (Santa Rosa) */ + M_MBP_4, /* MacBook Pro, 4th gen */ + M_MBP_5_1, /* MacBook Pro, 5,1th gen */ ++ M_MBP_5_2, /* MacBook Pro, 5,2th gen */ ++ M_MBP_5_3, /* MacBook Pro, 5,3rd gen */ ++ M_MBP_6_1, /* MacBook Pro, 6,1th gen */ ++ M_MBP_6_2, /* MacBook Pro, 6,2th gen */ ++ M_MBP_7_1, /* MacBook Pro, 7,1th gen */ + M_UNKNOWN /* placeholder */ + }; + +@@ -64,14 +78,28 @@ static struct efifb_dmi_info { + [M_I20] = { "i20", 0x80010000, 1728 * 4, 1680, 1050 }, /* guess */ + [M_I20_SR] = { "imac7", 0x40010000, 1728 * 4, 1680, 1050 }, + [M_I24] = { "i24", 0x80010000, 2048 * 4, 1920, 1200 }, /* guess */ ++ [M_I24_8_1] = { "imac8", 0xc0060000, 2048 * 4, 1920, 1200 }, ++ [M_I24_10_1] = { "imac10", 0xc0010000, 2048 * 4, 1920, 1080 }, ++ [M_I27_11_1] = { "imac11", 0xc0010000, 2560 * 4, 2560, 1440 }, + [M_MINI]= { "mini", 0x80000000, 2048 * 4, 1024, 768 }, ++ [M_MINI_3_1] = { "mini31", 0x40010000, 1024 * 4, 1024, 768 }, ++ [M_MINI_4_1] = { "mini41", 0xc0010000, 2048 * 4, 1920, 1200 }, + [M_MB] = { "macbook", 0x80000000, 2048 * 4, 1280, 800 }, ++ [M_MB_5_1] = { "macbook51", 0x80010000, 2048 * 4, 1280, 800 }, ++ [M_MB_6_1] = { "macbook61", 0x80010000, 2048 * 4, 1280, 800 }, ++ [M_MB_7_1] = { "macbook71", 0x80010000, 2048 * 4, 1280, 800 }, + [M_MBA] = { "mba", 0x80000000, 2048 * 4, 1280, 800 }, + [M_MBP] = { "mbp", 0x80010000, 1472 * 4, 1440, 900 }, + [M_MBP_2] = { "mbp2", 0, 0, 0, 0 }, /* placeholder */ ++ [M_MBP_2_2] = { "mbp22", 0x80010000, 1472 * 4, 1440, 900 }, + [M_MBP_SR] = { "mbp3", 0x80030000, 2048 * 4, 1440, 900 }, + [M_MBP_4] = { "mbp4", 0xc0060000, 2048 * 4, 1920, 1200 }, + [M_MBP_5_1] = { "mbp51", 0xc0010000, 2048 * 4, 1440, 900 }, ++ [M_MBP_5_2] = { "mbp52", 0xc0010000, 2048 * 4, 1920, 1200 }, ++ [M_MBP_5_3] = { "mbp53", 0xd0010000, 2048 * 4, 1440, 900 }, ++ 
[M_MBP_6_1] = { "mbp61", 0x90030000, 2048 * 4, 1920, 1200 }, ++ [M_MBP_6_2] = { "mbp62", 0x90030000, 2048 * 4, 1680, 1050 }, ++ [M_MBP_7_1] = { "mbp71", 0xc0010000, 2048 * 4, 1280, 800 }, + [M_UNKNOWN] = { NULL, 0, 0, 0, 0 } + }; + +@@ -92,7 +120,12 @@ static struct dmi_system_id __initdata d + EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "iMac6,1", M_I24), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac6,1", M_I24), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac7,1", M_I20_SR), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac8,1", M_I24_8_1), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac10,1", M_I24_10_1), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac11,1", M_I27_11_1), + EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "Macmini1,1", M_MINI), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "Macmini3,1", M_MINI_3_1), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "Macmini4,1", M_MINI_4_1), + EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBook1,1", M_MB), + /* At least one of these two will be right; maybe both? */ + EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBook2,1", M_MB), +@@ -101,14 +134,23 @@ static struct dmi_system_id __initdata d + EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBook3,1", M_MB), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook3,1", M_MB), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook4,1", M_MB), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook5,1", M_MB_5_1), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook6,1", M_MB_6_1), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook7,1", M_MB_7_1), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookAir1,1", M_MBA), + EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro1,1", M_MBP), + EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro2,1", M_MBP_2), ++ EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro2,2", M_MBP_2_2), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro2,1", M_MBP_2), + EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro3,1", M_MBP_SR), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro3,1", M_MBP_SR), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", 
"MacBookPro4,1", M_MBP_4), + EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro5,1", M_MBP_5_1), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro5,2", M_MBP_5_2), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro5,3", M_MBP_5_3), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro6,1", M_MBP_6_1), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro6,2", M_MBP_6_2), ++ EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro7,1", M_MBP_7_1), + {}, + }; + diff --git a/queue-2.6.32/gianfar-fix-crashes-on-rx-path-was-re-new-linux-2.6.36-rc5-crash-with-gianfar-ethernet-at-full-line-rate-traffic.patch b/queue-2.6.32/gianfar-fix-crashes-on-rx-path-was-re-new-linux-2.6.36-rc5-crash-with-gianfar-ethernet-at-full-line-rate-traffic.patch new file mode 100644 index 00000000000..0ec4b8f8e4a --- /dev/null +++ b/queue-2.6.32/gianfar-fix-crashes-on-rx-path-was-re-new-linux-2.6.36-rc5-crash-with-gianfar-ethernet-at-full-line-rate-traffic.patch 
@@ -0,0 +1,61 @@ +From 45d640b3ac6aedc166ec16f2581763fbf36ed6e7 Mon Sep 17 00:00:00 2001 +From: Jarek Poplawski +Date: Tue, 19 Oct 2010 00:06:36 +0000 +Subject: gianfar: Fix crashes on RX path (Was Re: [Bugme-new] [Bug 19692] New: linux-2.6.36-rc5 crash with gianfar ethernet at full line rate traffic) + + +From: Jarek Poplawski + +[ Upstream commit 0d1fe1111c667e9c713d7efc7ae468a605f236a4 ] + +The rx_recycle queue is global per device but can be accesed by many +napi handlers at the same time, so it needs full skb_queue primitives +(with locking). Otherwise, various crashes caused by broken skbs are +possible. + +This patch resolves, at least partly, bugzilla bug 19692. (Because of +some doubts that there could be still something around which is hard +to reproduce my proposal is to leave this bug opened for a month.) + +Fixes commit: 0fd56bb5be6455d0d42241e65aed057244665e5e ("gianfar: Add +support for skb recycling") + +Reported-by: emin ak +Tested-by: emin ak +Signed-off-by: Jarek Poplawski +CC: Andy Fleming +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gianfar.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/gianfar.c ++++ b/drivers/net/gianfar.c +@@ -1621,7 +1621,7 @@ static int gfar_clean_tx_ring(struct net + if (skb_queue_len(&priv->rx_recycle) < priv->rx_ring_size && + skb_recycle_check(skb, priv->rx_buffer_size + + RXBUF_ALIGNMENT)) +- __skb_queue_head(&priv->rx_recycle, skb); ++ skb_queue_head(&priv->rx_recycle, skb); + else + dev_kfree_skb_any(skb); + +@@ -1703,7 +1703,7 @@ struct sk_buff * gfar_new_skb(struct net + struct gfar_private *priv = netdev_priv(dev); + struct sk_buff *skb = NULL; + +- skb = __skb_dequeue(&priv->rx_recycle); ++ skb = skb_dequeue(&priv->rx_recycle); + if (!skb) + skb = netdev_alloc_skb(dev, + priv->rx_buffer_size + RXBUF_ALIGNMENT); +@@ -1862,7 +1862,7 @@ int gfar_clean_rx_ring(struct net_device + * recycle list. 
+ */ + skb->data = skb->head + NET_SKB_PAD; +- __skb_queue_head(&priv->rx_recycle, skb); ++ skb_queue_head(&priv->rx_recycle, skb); + } + } else { + /* Increment the number of packets */ diff --git a/queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_write.patch b/queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_write.patch new file mode 100644 index 00000000000..f15986ee621 --- /dev/null +++ b/queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_write.patch @@ -0,0 +1,45 @@ +From e42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6 Mon Sep 17 00:00:00 2001 +From: Antonio Ospite +Date: Tue, 5 Oct 2010 17:20:17 +0200 +Subject: HID: hidraw, fix a NULL pointer dereference in hidraw_write + +From: Antonio Ospite + +commit e42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6 upstream. + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 +IP: [] hidraw_write+0x3b/0x116 [hid] +[...] + +This is reproducible by disconnecting the device while userspace writes +to dev node in a loop and doesn't check return values in order to exit +the loop. + +Signed-off-by: Antonio Ospite +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hidraw.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -105,11 +105,15 @@ out: + static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) + { + unsigned int minor = iminor(file->f_path.dentry->d_inode); +- /* FIXME: What stops hidraw_table going NULL */ +- struct hid_device *dev = hidraw_table[minor]->hid; ++ struct hid_device *dev; + __u8 *buf; + int ret = 0; + ++ if (!hidraw_table[minor]) ++ return -ENODEV; ++ ++ dev = hidraw_table[minor]->hid; ++ + if (!dev->hid_output_raw_report) + return -ENODEV; + 
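Review bot: The bound check in gfar_clean_tx_ring, `skb_queue_len(&priv->rx_recycle) < priv->rx_ring_size`, is still evaluated outside the queue lock that `skb_queue_head()` now takes, so two contexts can both pass it and push the recycle list past rx_ring_size. That looks harmless as a soft cap, but it should be said at the check, e.g. `/* racy length check: rx_recycle may briefly exceed rx_ring_size */`. No length check at all is visible around the `skb_queue_head()` call in the gfar_clean_rx_ring hunk, so the cap may not hold on that path either; all three functions start and end outside their hunks, so this needs confirming against the full file.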
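Review bot: The new `if (!hidraw_table[minor])` test and the following `dev = hidraw_table[minor]->hid;` read the table slot twice with no lock visible in the hunk, so a disconnect that clears the slot between the two reads still reaches the NULL dereference this patch is closing. The removed FIXME asked what stops the entry going NULL, and the answer is still not in the code. Taking one snapshot, `struct hidraw *h = hidraw_table[minor]; if (!h) return -ENODEV;`, narrows the window, but the pointed-to object can still be released during the write unless the lock that guards hidraw_table is held across the check and the use. hidraw_write continues past the end of the hunk, so locking further down cannot be ruled out from here.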
diff --git a/queue-2.6.32/input-i8042-add-sony-vaio-vpcz122gx-to-nomux-list.patch b/queue-2.6.32/input-i8042-add-sony-vaio-vpcz122gx-to-nomux-list.patch
new file mode 100644
index 00000000000..7f5c3e8db0a
--- /dev/null
+++ b/queue-2.6.32/input-i8042-add-sony-vaio-vpcz122gx-to-nomux-list.patch
@@ -0,0 +1,42 @@
+From dmitry.torokhov@gmail.com Tue Dec 7 11:41:18 2010
+From: Dmitry Torokhov
+Date: Thu, 4 Nov 2010 09:12:44 -0700
+Subject: Input: i8042 - add Sony VAIO VPCZ122GX to nomux list
+To: stable@kernel.org
+Message-ID: <20101104161243.GA11168@core.coreip.homeip.net>
+Content-Disposition: inline
+
+From: Dmitry Torokhov
+
+[Note that the mainline will not have this particular fix but rather
+will blacklist entire VAIO line based off DMI board name. For stable
+I am being a bit more cautious and blacklist one particular product.]
+
+Trying to query/activate active multiplexing mode on this VAIO makes
+both keyboard and touchpad inoperable. Futher kernels will blacklist
+entire VAIO line, however here we blacklist just one particular model.
+
+Reported-by: Jesse Barnes
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -329,6 +329,13 @@ static const struct dmi_system_id __init
+ },
+ },
+ {
++ /* Sony Vaio VPCZ122GX */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "VPCZ122GX"),
++ },
++ },
++ {
+ /* Sony Vaio FS-115b */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
diff --git a/queue-2.6.32/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch b/queue-2.6.32/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch
new file mode 100644
index 00000000000..f6a5acdd620
--- /dev/null
+++ b/queue-2.6.32/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch 
@@ -0,0 +1,90 @@ +From a599d3751b0eb60592e8ee8e020c8239dcd25264 Mon Sep 17 00:00:00 2001 +From: Robin Holt +Date: Wed, 20 Oct 2010 02:03:37 +0000 +Subject: Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows. + + +From: Robin Holt + +[ Upstream fixed this in a different way. -DaveM ] + +On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and +sysctl_sctp_mem[2] can integer overflow. Set limit such that they are +maximized without overflowing. + +Signed-off-by: Robin Holt +To: "David S. Miller" +Cc: Willy Tarreau +Cc: linux-kernel@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: linux-sctp@vger.kernel.org +Cc: Alexey Kuznetsov +Cc: "Pekka Savola (ipv6)" +Cc: James Morris +Cc: Hideaki YOSHIFUJI +Cc: Patrick McHardy +Cc: Vlad Yasevich +Cc: Sridhar Samudrala +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 4 +++- + net/ipv4/udp.c | 4 +++- + net/sctp/protocol.c | 4 +++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2940,12 +2940,14 @@ void __init tcp_init(void) + + /* Set the pressure threshold to be a fraction of global memory that + * is up to 1/2 at 256 MB, decreasing toward zero with the amount of +- * memory, with a floor of 128 pages. ++ * memory, with a floor of 128 pages, and a ceiling that prevents an ++ * integer overflow. + */ + nr_pages = totalram_pages - totalhigh_pages; + limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT); + limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11); + limit = max(limit, 128UL); ++ limit = min(limit, INT_MAX * 4UL / 3 / 2); + sysctl_tcp_mem[0] = limit / 4 * 3; + sysctl_tcp_mem[1] = limit; + sysctl_tcp_mem[2] = sysctl_tcp_mem[0] * 2; +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1832,12 +1832,14 @@ void __init udp_init(void) + udp_table_init(&udp_table); + /* Set the pressure threshold up by the same strategy of TCP. 
It is a + * fraction of global memory that is up to 1/2 at 256 MB, decreasing +- * toward zero with the amount of memory, with a floor of 128 pages. ++ * toward zero with the amount of memory, with a floor of 128 pages, ++ * and a ceiling that prevents an integer overflow. + */ + nr_pages = totalram_pages - totalhigh_pages; + limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT); + limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11); + limit = max(limit, 128UL); ++ limit = min(limit, INT_MAX * 4UL / 3 / 2); + sysctl_udp_mem[0] = limit / 4 * 3; + sysctl_udp_mem[1] = limit; + sysctl_udp_mem[2] = sysctl_udp_mem[0] * 2; +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -1157,7 +1157,8 @@ SCTP_STATIC __init int sctp_init(void) + + /* Set the pressure threshold to be a fraction of global memory that + * is up to 1/2 at 256 MB, decreasing toward zero with the amount of +- * memory, with a floor of 128 pages. ++ * memory, with a floor of 128 pages, and a ceiling that prevents an ++ * integer overflow. + * Note this initalizes the data in sctpv6_prot too + * Unabashedly stolen from tcp_init + */ +@@ -1165,6 +1166,7 @@ SCTP_STATIC __init int sctp_init(void) + limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT); + limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11); + limit = max(limit, 128UL); ++ limit = min(limit, INT_MAX * 4UL / 3 / 2); + sysctl_sctp_mem[0] = limit / 4 * 3; + sysctl_sctp_mem[1] = limit; + sysctl_sctp_mem[2] = sysctl_sctp_mem[0] * 2; diff --git a/queue-2.6.32/memory-corruption-in-x.25-facilities-parsing.patch b/queue-2.6.32/memory-corruption-in-x.25-facilities-parsing.patch new file mode 100644 index 00000000000..02331972a13 --- /dev/null +++ b/queue-2.6.32/memory-corruption-in-x.25-facilities-parsing.patch 
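Review bot: The ceiling `INT_MAX * 4UL / 3 / 2` added in tcp_init wraps on builds where unsigned long is 32 bits, because `INT_MAX * 4UL` exceeds ULONG_MAX there. The result is a lower ceiling than the expression suggests rather than an overflow of the sysctl values, so it stays safe, but the intent is clearer and wrap-free as `limit = min(limit, INT_MAX / 3 * 2UL);`, which yields the same value on 64-bit. The same line is pasted into udp_init and sctp_init, and none of the three says where the constant comes from; a comment such as `/* keep mem[2] = limit / 4 * 3 * 2 within INT_MAX */` at each site, or one shared macro, would record it. All three functions start and end outside their hunks.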
@@ -0,0 +1,51 @@
+From a6331d6f9a4298173b413cf99a40cc86a9d92c37 Mon Sep 17 00:00:00 2001
+From: andrew hendry
+Date: Wed, 3 Nov 2010 12:54:53 +0000
+Subject: memory corruption in X.25 facilities parsing
+
+From: andrew hendry
+
+commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.
+
+Signed-of-by: Andrew Hendry
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/x25/x25_facilities.c | 8 ++++----
+ net/x25/x25_in.c | 2 ++
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff
+ case X25_FAC_CLASS_D:
+ switch (*p) {
+ case X25_FAC_CALLING_AE:
+- if (p[1] > X25_MAX_DTE_FACIL_LEN)
+- break;
++ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++ return 0;
+ dte_facs->calling_len = p[2];
+ memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
+ *vc_fac_mask |= X25_MASK_CALLING_AE;
+ break;
+ case X25_FAC_CALLED_AE:
+- if (p[1] > X25_MAX_DTE_FACIL_LEN)
+- break;
++ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++ return 0;
+ dte_facs->called_len = p[2];
+ memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
+ *vc_fac_mask |= X25_MASK_CALLED_AE;
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -118,6 +118,8 @@ static int x25_state1_machine(struct soc
+ &x25->vc_facil_mask);
+ if (len > 0)
+ skb_pull(skb, len);
++ else
++ return -1;
+ /*
+ * Copy any Call User Data.
+ */
diff --git a/queue-2.6.32/net-limit-socket-i-o-iovec-total-length-to-int_max.patch b/queue-2.6.32/net-limit-socket-i-o-iovec-total-length-to-int_max.patch
new file mode 100644
index 00000000000..75c230d543e
--- /dev/null
+++ b/queue-2.6.32/net-limit-socket-i-o-iovec-total-length-to-int_max.patch
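Review bot: In x25_parse_facilities the new test bounds only `p[1]`; `p[2]` is still copied straight into `dte_facs->calling_len` and `dte_facs->called_len` with no comparison against `p[1]` or the size of the address buffers, so a peer-chosen length is stored for later code to trust. If consumers of those fields use them to index or copy the calling_ae/called_ae arrays, that is a second route to the same corruption, and a check of `p[2]` next to the `p[1]` test would close it (the right bound depends on the unit of the length field, which the hunk does not show). The hunk also does not show that `p[1]`, `p[2]` and the `p[1] - 1` bytes copied lie inside the remaining facilities data; other x25 patches named in this queue's series file may cover that. In x25_in.c the new `return -1` leaves x25_state1_machine with no visible clearing of the call, so it is worth confirming what the caller does with that value.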
@@ -0,0 +1,104 @@ +From 8acfe468b0384e834a303f08ebc4953d72fb690a Mon Sep 17 00:00:00 2001 +From: David S. Miller +Date: Thu, 28 Oct 2010 11:41:55 -0700 +Subject: net: Limit socket I/O iovec total length to INT_MAX. + +From: David S. Miller + +commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream. + +This helps protect us from overflow issues down in the +individual protocol sendmsg/recvmsg handlers. Once +we hit INT_MAX we truncate out the rest of the iovec +by setting the iov_len members to zero. + +This works because: + +1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial + writes are allowed and the application will just continue + with another write to send the rest of the data. + +2) For datagram oriented sockets, where there must be a + one-to-one correspondance between write() calls and + packets on the wire, INT_MAX is going to be far larger + than the packet size limit the protocol is going to + check for and signal with -EMSGSIZE. + +Based upon a patch by Linus Torvalds. + +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/socket.h | 2 +- + net/compat.c | 10 ++++++---- + net/core/iovec.c | 20 +++++++++----------- + 3 files changed, 16 insertions(+), 16 deletions(-) + +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -304,7 +304,7 @@ extern int csum_partial_copy_fromiovecen + int offset, + unsigned int len, __wsum *csump); + +-extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode); ++extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode); + extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len); + extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata, + int offset, int len); +--- a/net/compat.c ++++ b/net/compat.c +@@ -40,10 +40,12 @@ static inline int iov_from_user_compat_t + compat_size_t len; + + if (get_user(len, &uiov32->iov_len) || +- get_user(buf, &uiov32->iov_base)) { +- tot_len = -EFAULT; +- break; +- } ++ get_user(buf, &uiov32->iov_base)) ++ return -EFAULT; ++ ++ if (len > INT_MAX - tot_len) ++ len = INT_MAX - tot_len; ++ + tot_len += len; + kiov->iov_base = compat_ptr(buf); + kiov->iov_len = (__kernel_size_t) len; +--- a/net/core/iovec.c ++++ b/net/core/iovec.c +@@ -36,10 +36,9 @@ + * in any case. + */ + +-long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode) ++int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode) + { +- int size, ct; +- long err; ++ int size, ct, err; + + if (m->msg_namelen) { + if (mode == VERIFY_READ) { +@@ -61,14 +60,13 @@ long verify_iovec(struct msghdr *m, stru + err = 0; + + for (ct = 0; ct < m->msg_iovlen; ct++) { +- err += iov[ct].iov_len; +- /* +- * Goal is not to verify user data, but to prevent returning +- * negative value, which is interpreted as errno. +- * Overflow is still possible, but it is harmless. 
+- */
+- if (err < 0)
+- return -EMSGSIZE;
++ size_t len = iov[ct].iov_len;
++
++ if (len > INT_MAX - err) {
++ len = INT_MAX - err;
++ iov[ct].iov_len = len;
++ }
++ err += len;
+ }
+
+ return err;
diff --git a/queue-2.6.32/net-truncate-recvfrom-and-sendto-length-to-int_max.patch b/queue-2.6.32/net-truncate-recvfrom-and-sendto-length-to-int_max.patch
new file mode 100644
index 00000000000..27fbbb8294e
--- /dev/null
+++ b/queue-2.6.32/net-truncate-recvfrom-and-sendto-length-to-int_max.patch
@@ -0,0 +1,37 @@
+From 253eacc070b114c2ec1f81b067d2fed7305467b0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Sat, 30 Oct 2010 16:43:10 -0700
+Subject: net: Truncate recvfrom and sendto length to INT_MAX.
+
+From: Linus Torvalds
+
+commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
+
+Signed-off-by: Linus Torvalds
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1673,6 +1673,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __
+ struct iovec iov;
+ int fput_needed;
+
++ if (len > INT_MAX)
++ len = INT_MAX;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
+@@ -1730,6 +1732,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
+ int err, err2;
+ int fput_needed;
+
++ if (size > INT_MAX)
++ size = INT_MAX;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index 7ce83a5f935..1fa30963a82 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
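Review bot: Inside the rewritten loop of verify_iovec the variable `err` is a running byte total (`len > INT_MAX - err`, `err += len`) and is also what the function returns on success, so the name invites a reader to treat a length as an errno. A separate accumulator named as in net/compat.c, e.g. `int size, ct, err, tot_len;` with `return tot_len;`, would make the clamp arithmetic easier to audit. The loop now also writes back into the caller's array with `iov[ct].iov_len = len;`, shortening every segment past INT_MAX to zero, and the header comment above the function (outside this hunk) should state that truncation contract and that the return value never exceeds INT_MAX.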
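Review bot: The two clamps in sendto and recvfrom, `if (len > INT_MAX) len = INT_MAX;` and `if (size > INT_MAX) size = INT_MAX;`, carry no comment and the commit message has no body, so the reason for silently shortening a caller's request is not recorded near the code. A short comment at each site would do, e.g. `/* lengths end up in int-sized fields further down; clamp so they cannot go negative */`. That rationale is inferred from the companion iovec patch in this queue, so the wording should be confirmed by someone who knows the protocol handlers. Both syscall bodies continue outside the hunks.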
@@ -93,3 +93,22 @@ staging-frontier-fix-up-some-sysfs-attribute-permissions.patch staging-rtl8187se-change-panic-to-warn-when-rf-switch-turned-off.patch net-sched-fix-kernel-leak-in-act_police.patch hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_ioctl.patch +hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_write.patch +gianfar-fix-crashes-on-rx-path-was-re-new-linux-2.6.36-rc5-crash-with-gianfar-ethernet-at-full-line-rate-traffic.patch +limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch +sparc64-fix-race-in-signal-instruction-flushing.patch +sparc-don-t-mask-signal-when-we-can-t-setup-signal-frame.patch +sparc-prevent-no-handler-signal-syscall-restart-recursion.patch +x86-uv-delete-unneeded-boot-messages.patch +x86-uv-fix-initialization-of-max_pnode.patch +drivers-video-efifb.c-support-framebuffer-for-nvidia-9400m-in-macbook-pro-5-1.patch +efifb-support-the-efi-framebuffer-on-more-apple-hardware.patch +v4l-dvb-13154-uvcvideo-handle-garbage-at-the-end-of-streaming-interface-descriptors.patch +input-i8042-add-sony-vaio-vpcz122gx-to-nomux-list.patch +x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch +memory-corruption-in-x.25-facilities-parsing.patch +can-bcm-fix-minor-heap-overflow.patch +v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch +x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch +net-truncate-recvfrom-and-sendto-length-to-int_max.patch +net-limit-socket-i-o-iovec-total-length-to-int_max.patch diff --git a/queue-2.6.32/sparc-don-t-mask-signal-when-we-can-t-setup-signal-frame.patch b/queue-2.6.32/sparc-don-t-mask-signal-when-we-can-t-setup-signal-frame.patch new file mode 100644 index 00000000000..1e8aed7ade1 --- /dev/null +++ b/queue-2.6.32/sparc-don-t-mask-signal-when-we-can-t-setup-signal-frame.patch 
@@ -0,0 +1,317 @@ +From c036c08cb4749a66ea4fbbfd665daa0f485207c4 Mon Sep 17 00:00:00 2001 +From: David S. Miller +Date: Tue, 21 Sep 2010 21:41:12 -0700 +Subject: sparc: Don't mask signal when we can't setup signal frame. + + +From: David S. Miller + +[ Upstream commit 392c21802ee3aa85cee0e703105f797a8a7b9416 ] + +Don't invoke the signal handler tracehook in that situation +either. + +Reported-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/signal32.c | 55 +++++++++++++++++++++++++----------------- + arch/sparc/kernel/signal_32.c | 53 +++++++++++++++++++++++++--------------- + arch/sparc/kernel/signal_64.c | 43 +++++++++++++++++++------------- + 3 files changed, 93 insertions(+), 58 deletions(-) + +--- a/arch/sparc/kernel/signal32.c ++++ b/arch/sparc/kernel/signal32.c +@@ -511,8 +511,8 @@ out_irqs_on: + + } + +-static void setup_frame32(struct k_sigaction *ka, struct pt_regs *regs, +- int signo, sigset_t *oldset) ++static int setup_frame32(struct k_sigaction *ka, struct pt_regs *regs, ++ int signo, sigset_t *oldset) + { + struct signal_frame32 __user *sf; + int sigframe_size; +@@ -620,13 +620,16 @@ static void setup_frame32(struct k_sigac + + sigill: + do_exit(SIGILL); ++ return -EINVAL; ++ + sigsegv: + force_sigsegv(signo, current); ++ return -EFAULT; + } + +-static void setup_rt_frame32(struct k_sigaction *ka, struct pt_regs *regs, +- unsigned long signr, sigset_t *oldset, +- siginfo_t *info) ++static int setup_rt_frame32(struct k_sigaction *ka, struct pt_regs *regs, ++ unsigned long signr, sigset_t *oldset, ++ siginfo_t *info) + { + struct rt_signal_frame32 __user *sf; + int sigframe_size; +@@ -738,22 +741,30 @@ static void setup_rt_frame32(struct k_si + + flush_signal_insns(address); + } +- return; ++ return 0; + + sigill: + do_exit(SIGILL); ++ return -EINVAL; ++ + sigsegv: + force_sigsegv(signr, current); ++ return -EFAULT; + } + +-static inline void handle_signal32(unsigned long signr, struct k_sigaction 
*ka, +- siginfo_t *info, +- sigset_t *oldset, struct pt_regs *regs) ++static inline int handle_signal32(unsigned long signr, struct k_sigaction *ka, ++ siginfo_t *info, ++ sigset_t *oldset, struct pt_regs *regs) + { ++ int err; ++ + if (ka->sa.sa_flags & SA_SIGINFO) +- setup_rt_frame32(ka, regs, signr, oldset, info); ++ err = setup_rt_frame32(ka, regs, signr, oldset, info); + else +- setup_frame32(ka, regs, signr, oldset); ++ err = setup_frame32(ka, regs, signr, oldset); ++ ++ if (err) ++ return err; + + spin_lock_irq(¤t->sighand->siglock); + sigorsets(¤t->blocked,¤t->blocked,&ka->sa.sa_mask); +@@ -761,6 +772,10 @@ static inline void handle_signal32(unsig + sigaddset(¤t->blocked,signr); + recalc_sigpending(); + spin_unlock_irq(¤t->sighand->siglock); ++ ++ tracehook_signal_handler(signr, info, ka, regs, 0); ++ ++ return 0; + } + + static inline void syscall_restart32(unsigned long orig_i0, struct pt_regs *regs, +@@ -807,16 +822,14 @@ void do_signal32(sigset_t *oldset, struc + if (signr > 0) { + if (restart_syscall) + syscall_restart32(orig_i0, regs, &ka.sa); +- handle_signal32(signr, &ka, &info, oldset, regs); +- +- /* A signal was successfully delivered; the saved +- * sigmask will have been stored in the signal frame, +- * and will be restored by sigreturn, so we can simply +- * clear the TS_RESTORE_SIGMASK flag. +- */ +- current_thread_info()->status &= ~TS_RESTORE_SIGMASK; +- +- tracehook_signal_handler(signr, &info, &ka, regs, 0); ++ if (handle_signal32(signr, &ka, &info, oldset, regs) == 0) { ++ /* A signal was successfully delivered; the saved ++ * sigmask will have been stored in the signal frame, ++ * and will be restored by sigreturn, so we can simply ++ * clear the TS_RESTORE_SIGMASK flag. 
++ */ ++ current_thread_info()->status &= ~TS_RESTORE_SIGMASK; ++ } + return; + } + if (restart_syscall && +--- a/arch/sparc/kernel/signal_32.c ++++ b/arch/sparc/kernel/signal_32.c +@@ -315,8 +315,8 @@ save_fpu_state(struct pt_regs *regs, __s + return err; + } + +-static void setup_frame(struct k_sigaction *ka, struct pt_regs *regs, +- int signo, sigset_t *oldset) ++static int setup_frame(struct k_sigaction *ka, struct pt_regs *regs, ++ int signo, sigset_t *oldset) + { + struct signal_frame __user *sf; + int sigframe_size, err; +@@ -384,16 +384,19 @@ static void setup_frame(struct k_sigacti + /* Flush instruction space. */ + flush_sig_insns(current->mm, (unsigned long) &(sf->insns[0])); + } +- return; ++ return 0; + + sigill_and_return: + do_exit(SIGILL); ++ return -EINVAL; ++ + sigsegv: + force_sigsegv(signo, current); ++ return -EFAULT; + } + +-static void setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs, +- int signo, sigset_t *oldset, siginfo_t *info) ++static int setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs, ++ int signo, sigset_t *oldset, siginfo_t *info) + { + struct rt_signal_frame __user *sf; + int sigframe_size; +@@ -466,22 +469,30 @@ static void setup_rt_frame(struct k_siga + /* Flush instruction space. 
*/ + flush_sig_insns(current->mm, (unsigned long) &(sf->insns[0])); + } +- return; ++ return 0; + + sigill: + do_exit(SIGILL); ++ return -EINVAL; ++ + sigsegv: + force_sigsegv(signo, current); ++ return -EFAULT; + } + +-static inline void ++static inline int + handle_signal(unsigned long signr, struct k_sigaction *ka, + siginfo_t *info, sigset_t *oldset, struct pt_regs *regs) + { ++ int err; ++ + if (ka->sa.sa_flags & SA_SIGINFO) +- setup_rt_frame(ka, regs, signr, oldset, info); ++ err = setup_rt_frame(ka, regs, signr, oldset, info); + else +- setup_frame(ka, regs, signr, oldset); ++ err = setup_frame(ka, regs, signr, oldset); ++ ++ if (err) ++ return err; + + spin_lock_irq(¤t->sighand->siglock); + sigorsets(¤t->blocked,¤t->blocked,&ka->sa.sa_mask); +@@ -489,6 +500,10 @@ handle_signal(unsigned long signr, struc + sigaddset(¤t->blocked, signr); + recalc_sigpending(); + spin_unlock_irq(¤t->sighand->siglock); ++ ++ tracehook_signal_handler(signr, info, ka, regs, 0); ++ ++ return 0; + } + + static inline void syscall_restart(unsigned long orig_i0, struct pt_regs *regs, +@@ -546,17 +561,15 @@ static void do_signal(struct pt_regs *re + if (signr > 0) { + if (restart_syscall) + syscall_restart(orig_i0, regs, &ka.sa); +- handle_signal(signr, &ka, &info, oldset, regs); +- +- /* a signal was successfully delivered; the saved +- * sigmask will have been stored in the signal frame, +- * and will be restored by sigreturn, so we can simply +- * clear the TIF_RESTORE_SIGMASK flag. +- */ +- if (test_thread_flag(TIF_RESTORE_SIGMASK)) +- clear_thread_flag(TIF_RESTORE_SIGMASK); +- +- tracehook_signal_handler(signr, &info, &ka, regs, 0); ++ if (handle_signal(signr, &ka, &info, oldset, regs) == 0) { ++ /* a signal was successfully delivered; the saved ++ * sigmask will have been stored in the signal frame, ++ * and will be restored by sigreturn, so we can simply ++ * clear the TIF_RESTORE_SIGMASK flag. 
++ */ ++ if (test_thread_flag(TIF_RESTORE_SIGMASK)) ++ clear_thread_flag(TIF_RESTORE_SIGMASK); ++ } + return; + } + if (restart_syscall && +--- a/arch/sparc/kernel/signal_64.c ++++ b/arch/sparc/kernel/signal_64.c +@@ -409,7 +409,7 @@ static inline void __user *get_sigframe( + return (void __user *) sp; + } + +-static inline void ++static inline int + setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs, + int signo, sigset_t *oldset, siginfo_t *info) + { +@@ -483,26 +483,37 @@ setup_rt_frame(struct k_sigaction *ka, s + } + /* 4. return to kernel instructions */ + regs->u_regs[UREG_I7] = (unsigned long)ka->ka_restorer; +- return; ++ return 0; + + sigill: + do_exit(SIGILL); ++ return -EINVAL; ++ + sigsegv: + force_sigsegv(signo, current); ++ return -EFAULT; + } + +-static inline void handle_signal(unsigned long signr, struct k_sigaction *ka, +- siginfo_t *info, +- sigset_t *oldset, struct pt_regs *regs) ++static inline int handle_signal(unsigned long signr, struct k_sigaction *ka, ++ siginfo_t *info, ++ sigset_t *oldset, struct pt_regs *regs) + { +- setup_rt_frame(ka, regs, signr, oldset, +- (ka->sa.sa_flags & SA_SIGINFO) ? info : NULL); ++ int err; ++ ++ err = setup_rt_frame(ka, regs, signr, oldset, ++ (ka->sa.sa_flags & SA_SIGINFO) ? 
info : NULL); ++ if (err) ++ return err; + spin_lock_irq(¤t->sighand->siglock); + sigorsets(¤t->blocked,¤t->blocked,&ka->sa.sa_mask); + if (!(ka->sa.sa_flags & SA_NOMASK)) + sigaddset(¤t->blocked,signr); + recalc_sigpending(); + spin_unlock_irq(¤t->sighand->siglock); ++ ++ tracehook_signal_handler(signr, info, ka, regs, 0); ++ ++ return 0; + } + + static inline void syscall_restart(unsigned long orig_i0, struct pt_regs *regs, +@@ -571,16 +582,14 @@ static void do_signal(struct pt_regs *re + if (signr > 0) { + if (restart_syscall) + syscall_restart(orig_i0, regs, &ka.sa); +- handle_signal(signr, &ka, &info, oldset, regs); +- +- /* A signal was successfully delivered; the saved +- * sigmask will have been stored in the signal frame, +- * and will be restored by sigreturn, so we can simply +- * clear the TS_RESTORE_SIGMASK flag. +- */ +- current_thread_info()->status &= ~TS_RESTORE_SIGMASK; +- +- tracehook_signal_handler(signr, &info, &ka, regs, 0); ++ if (handle_signal(signr, &ka, &info, oldset, regs) == 0) { ++ /* A signal was successfully delivered; the saved ++ * sigmask will have been stored in the signal frame, ++ * and will be restored by sigreturn, so we can simply ++ * clear the TS_RESTORE_SIGMASK flag. ++ */ ++ current_thread_info()->status &= ~TS_RESTORE_SIGMASK; ++ } + return; + } + if (restart_syscall && diff --git a/queue-2.6.32/sparc-prevent-no-handler-signal-syscall-restart-recursion.patch b/queue-2.6.32/sparc-prevent-no-handler-signal-syscall-restart-recursion.patch new file mode 100644 index 00000000000..f8caa4e8847 --- /dev/null +++ b/queue-2.6.32/sparc-prevent-no-handler-signal-syscall-restart-recursion.patch 
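Review bot: setup_frame32 becomes `static int` in this patch, but its success path is left alone: the -620 hunk adds return values only under the sigill and sigsegv labels, and the matching `return;` to `return 0;` change for that function appears only in the next queued patch (sparc-prevent-no-handler-signal-syscall-restart-recursion.patch, hunk -616). With this patch applied on its own, handle_signal32 tests `err` after a bare `return;` in an int function, which is an indeterminate value, so the blocked-mask update and the tracehook call may be skipped for a frame that was set up correctly. The `return 0;` belongs in this patch; failing that, the two patches must stay adjacent in the series and never be applied separately. The bodies of setup_frame32 and do_signal32 extend outside the hunks.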
@@ -0,0 +1,83 @@ +From e1c8548d96185aba30c84187758d0b68f73d70a4 Mon Sep 17 00:00:00 2001 +From: David S. Miller +Date: Tue, 21 Sep 2010 22:30:13 -0700 +Subject: sparc: Prevent no-handler signal syscall restart recursion. + + +From: David S. Miller + +[ Upstream commit c27852597829128a9c9d96d79ec454a83c6b0da5 ] + +Explicitly clear the "in-syscall" bit when we have no signal +handler and back up the program counters to back up the system +call. + +Reported-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/signal32.c | 4 +++- + arch/sparc/kernel/signal_32.c | 2 ++ + arch/sparc/kernel/signal_64.c | 2 ++ + 3 files changed, 7 insertions(+), 1 deletion(-) + +--- a/arch/sparc/kernel/signal32.c ++++ b/arch/sparc/kernel/signal32.c +@@ -616,7 +616,7 @@ static int setup_frame32(struct k_sigact + + flush_signal_insns(address); + } +- return; ++ return 0; + + sigill: + do_exit(SIGILL); +@@ -840,12 +840,14 @@ void do_signal32(sigset_t *oldset, struc + regs->u_regs[UREG_I0] = orig_i0; + regs->tpc -= 4; + regs->tnpc -= 4; ++ pt_regs_clear_syscall(regs); + } + if (restart_syscall && + regs->u_regs[UREG_I0] == ERESTART_RESTARTBLOCK) { + regs->u_regs[UREG_G1] = __NR_restart_syscall; + regs->tpc -= 4; + regs->tnpc -= 4; ++ pt_regs_clear_syscall(regs); + } + + /* If there's no signal to deliver, we just put the saved sigmask +--- a/arch/sparc/kernel/signal_32.c ++++ b/arch/sparc/kernel/signal_32.c +@@ -580,12 +580,14 @@ static void do_signal(struct pt_regs *re + regs->u_regs[UREG_I0] = orig_i0; + regs->pc -= 4; + regs->npc -= 4; ++ pt_regs_clear_syscall(regs); + } + if (restart_syscall && + regs->u_regs[UREG_I0] == ERESTART_RESTARTBLOCK) { + regs->u_regs[UREG_G1] = __NR_restart_syscall; + regs->pc -= 4; + regs->npc -= 4; ++ pt_regs_clear_syscall(regs); + } + + /* if there's no signal to deliver, we just put the saved sigmask +--- a/arch/sparc/kernel/signal_64.c ++++ b/arch/sparc/kernel/signal_64.c +@@ -600,12 +600,14 @@ static void 
do_signal(struct pt_regs *re + regs->u_regs[UREG_I0] = orig_i0; + regs->tpc -= 4; + regs->tnpc -= 4; ++ pt_regs_clear_syscall(regs); + } + if (restart_syscall && + regs->u_regs[UREG_I0] == ERESTART_RESTARTBLOCK) { + regs->u_regs[UREG_G1] = __NR_restart_syscall; + regs->tpc -= 4; + regs->tnpc -= 4; ++ pt_regs_clear_syscall(regs); + } + + /* If there's no signal to deliver, we just put the saved sigmask diff --git a/queue-2.6.32/sparc64-fix-race-in-signal-instruction-flushing.patch b/queue-2.6.32/sparc64-fix-race-in-signal-instruction-flushing.patch new file mode 100644 index 00000000000..823e138b546 --- /dev/null +++ b/queue-2.6.32/sparc64-fix-race-in-signal-instruction-flushing.patch 
@@ -0,0 +1,165 @@ +From e0832e5ad62316d6b64b73c69dd13abdf76e0ffa Mon Sep 17 00:00:00 2001 +From: David S. Miller +Date: Mon, 20 Sep 2010 23:24:52 -0700 +Subject: sparc64: Fix race in signal instruction flushing. + + +From: David S. Miller + +[ Upstream commit 05c5e7698bdc54b3079a3517d86077f49ebcc788 ] + +If another cpu does a very wide munmap() on the signal frame area, +it can tear down the page table hierarchy from underneath us. + +Borrow an idea from the 64-bit fault path's get_user_insn(), and +disable cross call interrupts during the page table traversal +to lock them in place while we operate. + +Reported-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/signal32.c | 102 +++++++++++++++++++++++++------------------ + 1 file changed, 60 insertions(+), 42 deletions(-) + +--- a/arch/sparc/kernel/signal32.c ++++ b/arch/sparc/kernel/signal32.c +@@ -453,6 +453,64 @@ static int save_fpu_state32(struct pt_re + return err; + } + ++/* The I-cache flush instruction only works in the primary ASI, which ++ * right now is the nucleus, aka. kernel space. ++ * ++ * Therefore we have to kick the instructions out using the kernel ++ * side linear mapping of the physical address backing the user ++ * instructions. ++ */ ++static void flush_signal_insns(unsigned long address) ++{ ++ unsigned long pstate, paddr; ++ pte_t *ptep, pte; ++ pgd_t *pgdp; ++ pud_t *pudp; ++ pmd_t *pmdp; ++ ++ /* Commit all stores of the instructions we are about to flush. */ ++ wmb(); ++ ++ /* Disable cross-call reception. In this way even a very wide ++ * munmap() on another cpu can't tear down the page table ++ * hierarchy from underneath us, since that can't complete ++ * until the IPI tlb flush returns. 
++ */ ++ ++ __asm__ __volatile__("rdpr %%pstate, %0" : "=r" (pstate)); ++ __asm__ __volatile__("wrpr %0, %1, %%pstate" ++ : : "r" (pstate), "i" (PSTATE_IE)); ++ ++ pgdp = pgd_offset(current->mm, address); ++ if (pgd_none(*pgdp)) ++ goto out_irqs_on; ++ pudp = pud_offset(pgdp, address); ++ if (pud_none(*pudp)) ++ goto out_irqs_on; ++ pmdp = pmd_offset(pudp, address); ++ if (pmd_none(*pmdp)) ++ goto out_irqs_on; ++ ++ ptep = pte_offset_map(pmdp, address); ++ pte = *ptep; ++ if (!pte_present(pte)) ++ goto out_unmap; ++ ++ paddr = (unsigned long) page_address(pte_page(pte)); ++ ++ __asm__ __volatile__("flush %0 + %1" ++ : /* no outputs */ ++ : "r" (paddr), ++ "r" (address & (PAGE_SIZE - 1)) ++ : "memory"); ++ ++out_unmap: ++ pte_unmap(ptep); ++out_irqs_on: ++ __asm__ __volatile__("wrpr %0, 0x0, %%pstate" : : "r" (pstate)); ++ ++} ++ + static void setup_frame32(struct k_sigaction *ka, struct pt_regs *regs, + int signo, sigset_t *oldset) + { +@@ -547,13 +605,7 @@ static void setup_frame32(struct k_sigac + if (ka->ka_restorer) { + regs->u_regs[UREG_I7] = (unsigned long)ka->ka_restorer; + } else { +- /* Flush instruction space. 
*/ + unsigned long address = ((unsigned long)&(sf->insns[0])); +- pgd_t *pgdp = pgd_offset(current->mm, address); +- pud_t *pudp = pud_offset(pgdp, address); +- pmd_t *pmdp = pmd_offset(pudp, address); +- pte_t *ptep; +- pte_t pte; + + regs->u_regs[UREG_I7] = (unsigned long) (&(sf->insns[0]) - 2); + +@@ -562,22 +614,7 @@ static void setup_frame32(struct k_sigac + if (err) + goto sigsegv; + +- preempt_disable(); +- ptep = pte_offset_map(pmdp, address); +- pte = *ptep; +- if (pte_present(pte)) { +- unsigned long page = (unsigned long) +- page_address(pte_page(pte)); +- +- wmb(); +- __asm__ __volatile__("flush %0 + %1" +- : /* no outputs */ +- : "r" (page), +- "r" (address & (PAGE_SIZE - 1)) +- : "memory"); +- } +- pte_unmap(ptep); +- preempt_enable(); ++ flush_signal_insns(address); + } + return; + +@@ -687,12 +724,7 @@ static void setup_rt_frame32(struct k_si + if (ka->ka_restorer) + regs->u_regs[UREG_I7] = (unsigned long)ka->ka_restorer; + else { +- /* Flush instruction space. */ + unsigned long address = ((unsigned long)&(sf->insns[0])); +- pgd_t *pgdp = pgd_offset(current->mm, address); +- pud_t *pudp = pud_offset(pgdp, address); +- pmd_t *pmdp = pmd_offset(pudp, address); +- pte_t *ptep; + + regs->u_regs[UREG_I7] = (unsigned long) (&(sf->insns[0]) - 2); + +@@ -704,21 +736,7 @@ static void setup_rt_frame32(struct k_si + if (err) + goto sigsegv; + +- preempt_disable(); +- ptep = pte_offset_map(pmdp, address); +- if (pte_present(*ptep)) { +- unsigned long page = (unsigned long) +- page_address(pte_page(*ptep)); +- +- wmb(); +- __asm__ __volatile__("flush %0 + %1" +- : /* no outputs */ +- : "r" (page), +- "r" (address & (PAGE_SIZE - 1)) +- : "memory"); +- } +- pte_unmap(ptep); +- preempt_enable(); ++ flush_signal_insns(address); + } + return; + 
diff --git a/queue-2.6.32/v4l-dvb-13154-uvcvideo-handle-garbage-at-the-end-of-streaming-interface-descriptors.patch b/queue-2.6.32/v4l-dvb-13154-uvcvideo-handle-garbage-at-the-end-of-streaming-interface-descriptors.patch new file mode 100644 index 00000000000..77802478d51 --- /dev/null +++ b/queue-2.6.32/v4l-dvb-13154-uvcvideo-handle-garbage-at-the-end-of-streaming-interface-descriptors.patch 
@@ -0,0 +1,64 @@ +From c4ed8c66d79d707d89fe732ff5b97739edf1ba62 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Thu, 8 Oct 2009 19:38:10 -0300 +Subject: V4L/DVB (13154): uvcvideo: Handle garbage at the end of streaming interface descriptors + +From: Laurent Pinchart + +commit c4ed8c66d79d707d89fe732ff5b97739edf1ba62 upstream. + +At least one 5986:0241 webcam model includes vendor-specific descriptors +at the end of its streaming interface descriptors. Print an information +UVC_TRACE_DESCR message and try to continue parsing the descriptors +rather than bailing out with an error. + +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Cc: maximilian attems +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/uvc/uvc_driver.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/media/video/uvc/uvc_driver.c ++++ b/drivers/media/video/uvc/uvc_driver.c +@@ -436,7 +436,8 @@ static int uvc_parse_format(struct uvc_d + /* Parse the frame descriptors. Only uncompressed, MJPEG and frame + * based formats have frame descriptors. + */ +- while (buflen > 2 && buffer[2] == ftype) { ++ while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && ++ buffer[2] == ftype) { + frame = &format->frame[format->nframes]; + if (ftype != UVC_VS_FRAME_FRAME_BASED) + n = buflen > 25 ? 
buffer[25] : 0; +@@ -513,12 +514,14 @@ static int uvc_parse_format(struct uvc_d + buffer += buffer[0]; + } + +- if (buflen > 2 && buffer[2] == UVC_VS_STILL_IMAGE_FRAME) { ++ if (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && ++ buffer[2] == UVC_VS_STILL_IMAGE_FRAME) { + buflen -= buffer[0]; + buffer += buffer[0]; + } + +- if (buflen > 2 && buffer[2] == UVC_VS_COLORFORMAT) { ++ if (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && ++ buffer[2] == UVC_VS_COLORFORMAT) { + if (buflen < 6) { + uvc_trace(UVC_TRACE_DESCR, "device %d videostreaming " + "interface %d COLORFORMAT error\n", +@@ -759,6 +762,11 @@ static int uvc_parse_streaming(struct uv + buffer += buffer[0]; + } + ++ if (buflen) ++ uvc_trace(UVC_TRACE_DESCR, "device %d videostreaming interface " ++ "%d has %u bytes of trailing descriptor garbage.\n", ++ dev->udev->devnum, alts->desc.bInterfaceNumber, buflen); ++ + /* Parse the alternate settings to find the maximum bandwidth. */ + for (i = 0; i < intf->num_altsetting; ++i) { + struct usb_host_endpoint *ep; diff --git a/queue-2.6.32/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch b/queue-2.6.32/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch new file mode 100644 index 00000000000..9d76120b26b --- /dev/null +++ b/queue-2.6.32/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch 
@@ -0,0 +1,34 @@
+From 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Wed, 15 Sep 2010 18:44:22 -0300
+Subject: V4L/DVB: ivtvfb: prevent reading uninitialized stack memory
+
+From: Dan Rosenberg
+
+commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 upstream.
+
+The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
+bytes of uninitialized stack memory, because the "reserved" member of
+the fb_vblank struct declared on the stack is not altered or zeroed
+before being copied back to the user. This patch takes care of it.
+
+Signed-off-by: Dan Rosenberg
+Signed-off-by: Andy Walls
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/video/ivtv/ivtvfb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/video/ivtv/ivtvfb.c
++++ b/drivers/media/video/ivtv/ivtvfb.c
+@@ -457,6 +457,8 @@ static int ivtvfb_ioctl(struct fb_info *
+ struct fb_vblank vblank;
+ u32 trace;
+
++ memset(&vblank, 0, sizeof(struct fb_vblank));
++
+ vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
+ FB_VBLANK_HAVE_VSYNC;
+ trace = read_reg(0x028c0) >> 16;
diff --git a/queue-2.6.32/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch b/queue-2.6.32/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch
new file mode 100644
index 00000000000..c3e90140744
--- /dev/null
+++ b/queue-2.6.32/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch
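Review bot: The added `memset(&vblank, 0, sizeof(struct fb_vblank));` names the type rather than the object; `memset(&vblank, 0, sizeof(vblank));` keeps the size tied to the variable if its declaration ever changes. A short comment such as `/* clear reserved[] and any padding before the struct is copied to user space */` would also stop a later cleanup from replacing the memset with per-field assignments and reopening the leak. ivtvfb_ioctl's body continues outside the hunk.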
@@ -0,0 +1,181 @@ +From f5eb917b861828da18dc28854308068c66d1449a Mon Sep 17 00:00:00 2001 +From: John Hughes +Date: Wed, 7 Apr 2010 21:29:25 -0700 +Subject: x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet. + +From: John Hughes + +commit f5eb917b861828da18dc28854308068c66d1449a upstream. + +Here is a patch to stop X.25 examining fields beyond the end of the packet. + +For example, when a simple CALL ACCEPTED was received: + + 10 10 0f + +x25_parse_facilities was attempting to decode the FACILITIES field, but this +packet contains no facilities field. + +Signed-off-by: John Hughes +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/x25.h | 4 ++++ + net/x25/af_x25.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++- + net/x25/x25_facilities.c | 12 +++++++++++- + net/x25/x25_in.c | 15 +++++++++++---- + 4 files changed, 72 insertions(+), 6 deletions(-) + +--- a/include/net/x25.h ++++ b/include/net/x25.h +@@ -182,6 +182,10 @@ extern int sysctl_x25_clear_request_tim + extern int sysctl_x25_ack_holdback_timeout; + extern int sysctl_x25_forward; + ++extern int x25_parse_address_block(struct sk_buff *skb, ++ struct x25_address *called_addr, ++ struct x25_address *calling_addr); ++ + extern int x25_addr_ntoa(unsigned char *, struct x25_address *, + struct x25_address *); + extern int x25_addr_aton(unsigned char *, struct x25_address *, +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -81,6 +81,41 @@ struct compat_x25_subscrip_struct { + }; + #endif + ++ ++int x25_parse_address_block(struct sk_buff *skb, ++ struct x25_address *called_addr, ++ struct x25_address *calling_addr) ++{ ++ unsigned char len; ++ int needed; ++ int rc; ++ ++ if (skb->len < 1) { ++ /* packet has no address block */ ++ rc = 0; ++ goto empty; ++ } ++ ++ len = *skb->data; ++ needed = 1 + (len >> 4) + (len & 0x0f); ++ ++ if (skb->len < needed) { ++ /* packet is too short to hold the addresses it claims ++ to hold */ ++ rc = -1; ++ goto empty; 
++ } ++ ++ return x25_addr_ntoa(skb->data, called_addr, calling_addr); ++ ++empty: ++ *called_addr->x25_addr = 0; ++ *calling_addr->x25_addr = 0; ++ ++ return rc; ++} ++ ++ + int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr, + struct x25_address *calling_addr) + { +@@ -871,16 +906,26 @@ int x25_rx_call_request(struct sk_buff * + /* + * Extract the X.25 addresses and convert them to ASCII strings, + * and remove them. ++ * ++ * Address block is mandatory in call request packets + */ +- addr_len = x25_addr_ntoa(skb->data, &source_addr, &dest_addr); ++ addr_len = x25_parse_address_block(skb, &source_addr, &dest_addr); ++ if (addr_len <= 0) ++ goto out_clear_request; + skb_pull(skb, addr_len); + + /* + * Get the length of the facilities, skip past them for the moment + * get the call user data because this is needed to determine + * the correct listener ++ * ++ * Facilities length is mandatory in call request packets + */ ++ if (skb->len < 1) ++ goto out_clear_request; + len = skb->data[0] + 1; ++ if (skb->len < len) ++ goto out_clear_request; + skb_pull(skb,len); + + /* +--- a/net/x25/x25_facilities.c ++++ b/net/x25/x25_facilities.c +@@ -35,7 +35,7 @@ int x25_parse_facilities(struct sk_buff + struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask) + { + unsigned char *p = skb->data; +- unsigned int len = *p++; ++ unsigned int len; + + *vc_fac_mask = 0; + +@@ -50,6 +50,14 @@ int x25_parse_facilities(struct sk_buff + memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae)); + memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae)); + ++ if (skb->len < 1) ++ return 0; ++ ++ len = *p++; ++ ++ if (len >= skb->len) ++ return -1; ++ + while (len > 0) { + switch (*p & X25_FAC_CLASS_MASK) { + case X25_FAC_CLASS_A: +@@ -247,6 +255,8 @@ int x25_negotiate_facilities(struct sk_b + memcpy(new, ours, sizeof(*new)); + + len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask); ++ if (len < 0) ++ return len; + + /* + * They want 
reverse charging, we won't accept it. +--- a/net/x25/x25_in.c ++++ b/net/x25/x25_in.c +@@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct soc + static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype) + { + struct x25_address source_addr, dest_addr; ++ int len; + + switch (frametype) { + case X25_CALL_ACCEPTED: { +@@ -106,11 +107,17 @@ static int x25_state1_machine(struct soc + * Parse the data in the frame. + */ + skb_pull(skb, X25_STD_MIN_LEN); +- skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr)); +- skb_pull(skb, +- x25_parse_facilities(skb, &x25->facilities, ++ ++ len = x25_parse_address_block(skb, &source_addr, ++ &dest_addr); ++ if (len > 0) ++ skb_pull(skb, len); ++ ++ len = x25_parse_facilities(skb, &x25->facilities, + &x25->dte_facilities, +- &x25->vc_facil_mask)); ++ &x25->vc_facil_mask); ++ if (len > 0) ++ skb_pull(skb, len); + /* + * Copy any Call User Data. + */ diff --git a/queue-2.6.32/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch b/queue-2.6.32/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch new file mode 100644 index 00000000000..c6a1aa54c7e --- /dev/null +++ b/queue-2.6.32/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch 
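Review bot: In x25_parse_address_block the length check `needed = 1 + (len >> 4) + (len & 0x0f);` counts every address digit as a whole byte. If the two nibbles of the first byte are digit counts and the digits are packed two per byte, as the X.25 address block is normally encoded (x25_addr_ntoa's body is outside this hunk, so confirm against it), the check asks for more bytes than the block occupies and a valid short packet is rejected with -1. The check would then read `needed = 1 + ((len >> 4) + (len & 0x0f) + 1) / 2;`. In x25_state1_machine a non-positive result only skips the skb_pull, so x25_parse_facilities starts at the unparsed address block and its own -1 is ignored as well; a negative return from either parser should probably be treated as a malformed CALL ACCEPTED rather than parsed past.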
@@ -0,0 +1,75 @@ +From 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Fri, 12 Nov 2010 12:44:42 -0800 +Subject: x25: Prevent crashing when parsing bad X.25 facilities + +From: Dan Rosenberg + +commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream. + +Now with improved comma support. + +On parsing malformed X.25 facilities, decrementing the remaining length +may cause it to underflow. Since the length is an unsigned integer, +this will result in the loop continuing until the kernel crashes. + +This patch adds checks to ensure decrementing the remaining length does +not cause it to wrap around. + +Signed-off-by: Dan Rosenberg +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/x25/x25_facilities.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/net/x25/x25_facilities.c ++++ b/net/x25/x25_facilities.c +@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff + while (len > 0) { + switch (*p & X25_FAC_CLASS_MASK) { + case X25_FAC_CLASS_A: ++ if (len < 2) ++ return 0; + switch (*p) { + case X25_FAC_REVERSE: + if((p[1] & 0x81) == 0x81) { +@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff + len -= 2; + break; + case X25_FAC_CLASS_B: ++ if (len < 3) ++ return 0; + switch (*p) { + case X25_FAC_PACKET_SIZE: + facilities->pacsize_in = p[1]; +@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff + len -= 3; + break; + case X25_FAC_CLASS_C: ++ if (len < 4) ++ return 0; + printk(KERN_DEBUG "X.25: unknown facility %02X, " + "values %02X, %02X, %02X\n", + p[0], p[1], p[2], p[3]); +@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff + len -= 4; + break; + case X25_FAC_CLASS_D: ++ if (len < p[1] + 2) ++ return 0; + switch (*p) { + case X25_FAC_CALLING_AE: + if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1) +@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff + break; + default: + printk(KERN_DEBUG "X.25: unknown facility %02X," +- "length %d, 
values %02X, %02X, " +- "%02X, %02X\n", +- p[0], p[1], p[2], p[3], p[4], p[5]); ++ "length %d\n", p[0], p[1]); + break; + } + len -= p[1] + 2; diff --git a/queue-2.6.32/x86-uv-delete-unneeded-boot-messages.patch b/queue-2.6.32/x86-uv-delete-unneeded-boot-messages.patch new file mode 100644 index 00000000000..ed074c37dd2 --- /dev/null +++ b/queue-2.6.32/x86-uv-delete-unneeded-boot-messages.patch @@ -0,0 +1,34 @@ +From 2acebe9ecb2b77876e87a1480729cfb2db4570dd Mon Sep 17 00:00:00 2001 +From: Jack Steiner +Date: Wed, 17 Mar 2010 10:40:38 -0500 +Subject: x86, UV: Delete unneeded boot messages + +From: Jack Steiner + +commit 2acebe9ecb2b77876e87a1480729cfb2db4570dd upstream. + +SGI:UV: Delete extra boot messages that describe the system +topology. These messages are no longer useful. + +Signed-off-by: Jack Steiner +LKML-Reference: <20100317154038.GA29346@sgi.com> +Signed-off-by: Ingo Molnar +Cc: maximilian attems +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/x2apic_uv_x.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/arch/x86/kernel/apic/x2apic_uv_x.c ++++ b/arch/x86/kernel/apic/x2apic_uv_x.c +@@ -636,9 +636,6 @@ void __init uv_system_init(void) + uv_node_to_blade[nid] = blade; + uv_cpu_to_blade[cpu] = blade; + max_pnode = max(pnode, max_pnode); +- +- printk(KERN_DEBUG "UV: cpu %d, apicid 0x%x, pnode %d, nid %d, lcpu %d, blade %d\n", +- cpu, apicid, pnode, nid, lcpu, blade); + } + + /* Add blade/pnode info for nodes without cpus */ diff --git a/queue-2.6.32/x86-uv-fix-initialization-of-max_pnode.patch b/queue-2.6.32/x86-uv-fix-initialization-of-max_pnode.patch new file mode 100644 index 00000000000..87269b5fbff --- /dev/null +++ b/queue-2.6.32/x86-uv-fix-initialization-of-max_pnode.patch 
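Review bot: The X25_FAC_CLASS_D guard `if (len < p[1] + 2)` reads p[1] before confirming that two bytes remain, so with a single byte left it takes its length from a byte past the facilities field. Testing the remaining length first closes that: `if (len < 2 || len < p[1] + 2) return 0;`. All four new guards return 0 on a truncated facility, the same value the earlier x25 patch returns for a packet with no facilities field, while the entries parsed so far stay applied. A negative return, as that patch already uses for `len >= skb->len`, would let x25_negotiate_facilities reject the packet. The switch body continues outside these hunks.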
@@ -0,0 +1,54 @@
+From 36ac4b987bea9a95217e1af552252f275ca7fc44 Mon Sep 17 00:00:00 2001
+From: Jack Steiner
+Date: Fri, 10 Sep 2010 10:08:08 -0500
+Subject: x86, UV: Fix initialization of max_pnode
+
+From: Jack Steiner
+
+commit 36ac4b987bea9a95217e1af552252f275ca7fc44 upstream.
+
+Fix calculation of "max_pnode" for systems where the the highest
+blade has neither cpus or memory. (And, yes, although rare this
+does occur).
+
+Signed-off-by: Jack Steiner
+LKML-Reference: <20100910150808.GA19802@sgi.com>
+Signed-off-by: Ingo Molnar
+Cc: maximilian attems
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/x2apic_uv_x.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/x2apic_uv_x.c
++++ b/arch/x86/kernel/apic/x2apic_uv_x.c
+@@ -595,9 +595,11 @@ void __init uv_system_init(void)
+ for (j = 0; j < 64; j++) {
+ if (!test_bit(j, &present))
+ continue;
+- uv_blade_info[blade].pnode = (i * 64 + j);
++ pnode = (i * 64 + j);
++ uv_blade_info[blade].pnode = pnode;
+ uv_blade_info[blade].nr_possible_cpus = 0;
+ uv_blade_info[blade].nr_online_cpus = 0;
++ max_pnode = max(pnode, max_pnode);
+ blade++;
+ }
+ }
+@@ -635,7 +637,6 @@ void __init uv_system_init(void)
+ uv_cpu_hub_info(cpu)->scir.offset = uv_scir_offset(apicid);
+ uv_node_to_blade[nid] = blade;
+ uv_cpu_to_blade[cpu] = blade;
+- max_pnode = max(pnode, max_pnode);
+ }
+
+ /* Add blade/pnode info for nodes without cpus */
+@@ -647,7 +648,6 @@ void __init uv_system_init(void)
+ pnode = (paddr >> m_val) & pnode_mask;
+ blade = boot_pnode_to_blade(pnode);
+ uv_node_to_blade[nid] = blade;
+- max_pnode = max(pnode, max_pnode);
+ }
+
+ map_gru_high(max_pnode);