From: Greg Kroah-Hartman Date: Mon, 11 Apr 2011 22:32:04 +0000 (-0700) Subject: .38 patches X-Git-Tag: v2.6.38.3~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fe06ddaad865402d334ab61c85418d031be2bc66;p=thirdparty%2Fkernel%2Fstable-queue.git .38 patches --- diff --git a/queue-2.6.38/char-tpm-fix-unitialized-usage-of-data-buffer.patch b/queue-2.6.38/char-tpm-fix-unitialized-usage-of-data-buffer.patch new file mode 100644 index 00000000000..591cf0e7ca0 --- /dev/null +++ b/queue-2.6.38/char-tpm-fix-unitialized-usage-of-data-buffer.patch @@ -0,0 +1,35 @@ +From 1309d7afbed112f0e8e90be9af975550caa0076b Mon Sep 17 00:00:00 2001 +From: Peter Huewe +Date: Tue, 29 Mar 2011 13:31:25 +0200 +Subject: char/tpm: Fix unitialized usage of data buffer + +From: Peter Huewe + +commit 1309d7afbed112f0e8e90be9af975550caa0076b upstream. + +This patch fixes information leakage to the userspace by initializing +the data buffer to zero. + +Reported-by: Peter Huewe +Signed-off-by: Peter Huewe +Signed-off-by: Marcel Selhorst +[ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way + deeper problems than a simple multiplication can fix. - Linus ] +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm.c ++++ b/drivers/char/tpm/tpm.c +@@ -980,7 +980,7 @@ int tpm_open(struct inode *inode, struct + return -EBUSY; + } + +- chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL); ++ chip->data_buffer = kzalloc(TPM_BUFSIZE, GFP_KERNEL); + if (chip->data_buffer == NULL) { + clear_bit(0, &chip->is_open); + put_device(chip->dev); diff --git a/queue-2.6.38/drivers-leds-leds-lp5521.c-world-writable-sysfs-engine-files.patch b/queue-2.6.38/drivers-leds-leds-lp5521.c-world-writable-sysfs-engine-files.patch new file mode 100644 index 00000000000..c34dcc4eda8 --- /dev/null 
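Review bot: The switch to kzalloc() leaves no trace at the call site of why zero-filling matters, so a later "optimisation" back to kmalloc() would silently reintroduce the leak; I would add `/* zeroed: this buffer is handed back to userspace, so it must not carry stale kernel memory */` above the allocation. The buffer is allocated once here in tpm_open(), which starts before the hunk and continues after it, and is then presumably reused for every command; whether a read after a short command can still expose bytes left over from an earlier, longer one is not visible here and is worth a look in the read path. Dropping `* sizeof(u8)` is fine, `kzalloc(TPM_BUFSIZE, GFP_KERNEL)` is the idiomatic byte count.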
+++ b/queue-2.6.38/drivers-leds-leds-lp5521.c-world-writable-sysfs-engine-files.patch 
@@ -0,0 +1,54 @@ +From 67d1da79b25c05d9a38b820bb5b5d89c91070ab2 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Tue, 22 Mar 2011 16:30:19 -0700 +Subject: drivers/leds/leds-lp5521.c: world-writable sysfs engine* files + +From: Vasiliy Kulikov + +commit 67d1da79b25c05d9a38b820bb5b5d89c91070ab2 upstream. + +Don't allow everybody to change LED settings. + +Signed-off-by: Vasiliy Kulikov +Cc: Richard Purdie +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-lp5521.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/leds/leds-lp5521.c ++++ b/drivers/leds/leds-lp5521.c +@@ -534,7 +534,7 @@ static ssize_t lp5521_selftest(struct de + } + + /* led class device attributes */ +-static DEVICE_ATTR(led_current, S_IRUGO | S_IWUGO, show_current, store_current); ++static DEVICE_ATTR(led_current, S_IRUGO | S_IWUSR, show_current, store_current); + static DEVICE_ATTR(max_current, S_IRUGO , show_max_current, NULL); + + static struct attribute *lp5521_led_attributes[] = { +@@ -548,15 +548,15 @@ static struct attribute_group lp5521_led + }; + + /* device attributes */ +-static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUGO, ++static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUSR, + show_engine1_mode, store_engine1_mode); +-static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUGO, ++static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUSR, + show_engine2_mode, store_engine2_mode); +-static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUGO, ++static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUSR, + show_engine3_mode, store_engine3_mode); +-static DEVICE_ATTR(engine1_load, S_IWUGO, NULL, store_engine1_load); +-static DEVICE_ATTR(engine2_load, S_IWUGO, NULL, store_engine2_load); +-static DEVICE_ATTR(engine3_load, S_IWUGO, NULL, store_engine3_load); ++static DEVICE_ATTR(engine1_load, S_IWUSR, NULL, store_engine1_load); ++static DEVICE_ATTR(engine2_load, S_IWUSR, NULL, store_engine2_load); ++static 
DEVICE_ATTR(engine3_load, S_IWUSR, NULL, store_engine3_load); + static DEVICE_ATTR(selftest, S_IRUGO, lp5521_selftest, NULL); + + static struct attribute *lp5521_attributes[] = { diff --git a/queue-2.6.38/drivers-leds-leds-lp5523.c-world-writable-engine-sysfs-files.patch b/queue-2.6.38/drivers-leds-leds-lp5523.c-world-writable-engine-sysfs-files.patch new file mode 100644 index 00000000000..250dbec1dd4 --- /dev/null +++ b/queue-2.6.38/drivers-leds-leds-lp5523.c-world-writable-engine-sysfs-files.patch 
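Review bot: The permission change is correct but nothing in the attribute block records the intent, so a future attribute added by copy-paste could again be S_IWUGO; I would put `/* writes are root-only (S_IWUSR): these attributes control the LED engines */` above the `/* device attributes */` group. The same S_IWUGO -> S_IWUSR change is made in the lp5523, ep93xx_pwm, rtc-ds1511, ab3100, ab3550, ab8500 and scsi_transport_iscsi patches later on this page; one tree-wide search for remaining `S_IWUGO`/`S_IWOTH` users in sysfs and debugfs attributes would confirm the queue is complete. ep93xx_pwm spells the mask as `S_IWUSR | S_IRUGO` while the others use `S_IRUGO | S_IWUSR`; harmless, but one order reads better across the series.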
@@ -0,0 +1,63 @@ +From ccd7510fd8dea5b4b2af87fb2aef2ebd6b23b76b Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Tue, 22 Mar 2011 16:30:20 -0700 +Subject: drivers/leds/leds-lp5523.c: world-writable engine* sysfs files + +From: Vasiliy Kulikov + +commit ccd7510fd8dea5b4b2af87fb2aef2ebd6b23b76b upstream. + +Don't allow everybody to change LED settings. + +Signed-off-by: Vasiliy Kulikov +Cc: Richard Purdie +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-lp5523.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/leds/leds-lp5523.c ++++ b/drivers/leds/leds-lp5523.c +@@ -713,7 +713,7 @@ static ssize_t store_current(struct devi + } + + /* led class device attributes */ +-static DEVICE_ATTR(led_current, S_IRUGO | S_IWUGO, show_current, store_current); ++static DEVICE_ATTR(led_current, S_IRUGO | S_IWUSR, show_current, store_current); + static DEVICE_ATTR(max_current, S_IRUGO , show_max_current, NULL); + + static struct attribute *lp5523_led_attributes[] = { +@@ -727,21 +727,21 @@ static struct attribute_group lp5523_led + }; + + /* device attributes */ +-static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUGO, ++static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUSR, + show_engine1_mode, store_engine1_mode); +-static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUGO, ++static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUSR, + show_engine2_mode, store_engine2_mode); +-static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUGO, ++static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUSR, + show_engine3_mode, store_engine3_mode); +-static DEVICE_ATTR(engine1_leds, S_IRUGO | S_IWUGO, ++static DEVICE_ATTR(engine1_leds, S_IRUGO | S_IWUSR, + show_engine1_leds, store_engine1_leds); +-static DEVICE_ATTR(engine2_leds, S_IRUGO | S_IWUGO, ++static DEVICE_ATTR(engine2_leds, S_IRUGO | S_IWUSR, + show_engine2_leds, store_engine2_leds); +-static DEVICE_ATTR(engine3_leds, S_IRUGO | S_IWUGO, ++static 
DEVICE_ATTR(engine3_leds, S_IRUGO | S_IWUSR, + show_engine3_leds, store_engine3_leds); +-static DEVICE_ATTR(engine1_load, S_IWUGO, NULL, store_engine1_load); +-static DEVICE_ATTR(engine2_load, S_IWUGO, NULL, store_engine2_load); +-static DEVICE_ATTR(engine3_load, S_IWUGO, NULL, store_engine3_load); ++static DEVICE_ATTR(engine1_load, S_IWUSR, NULL, store_engine1_load); ++static DEVICE_ATTR(engine2_load, S_IWUSR, NULL, store_engine2_load); ++static DEVICE_ATTR(engine3_load, S_IWUSR, NULL, store_engine3_load); + static DEVICE_ATTR(selftest, S_IRUGO, lp5523_selftest, NULL); + + static struct attribute *lp5523_attributes[] = { diff --git a/queue-2.6.38/drivers-media-video-tlg2300-pd-video.c-remove-second-mutex_unlock-in-pd_vidioc_s_fmt.patch b/queue-2.6.38/drivers-media-video-tlg2300-pd-video.c-remove-second-mutex_unlock-in-pd_vidioc_s_fmt.patch new file mode 100644 index 00000000000..81d274d7ad1 --- /dev/null +++ b/queue-2.6.38/drivers-media-video-tlg2300-pd-video.c-remove-second-mutex_unlock-in-pd_vidioc_s_fmt.patch 
@@ -0,0 +1,42 @@ +From a07500ef690fcbec76e879ee2093d7ca69883825 Mon Sep 17 00:00:00 2001 +From: Alexander Strakh +Date: Tue, 25 Jan 2011 18:00:13 -0300 +Subject: [media] drivers/media/video/tlg2300/pd-video.c: Remove second mutex_unlock in pd_vidioc_s_fmt + +From: Alexander Strakh + +commit a07500ef690fcbec76e879ee2093d7ca69883825 upstream. + +Error path in file drivers/media/video/tlg2300/pd-video.c: +1. First mutex_unlock on &pd->lock in line 767 (in function that + called from line 805) +2. Second in line 806 + + 805 pd_vidioc_s_fmt(pd, &f->fmt.pix); + 806 mutex_unlock(&pd->lock); + +Found by Linux Device Drivers Verification Project + +Signed-off-by: Alexander Strakh +Acked-by: Huang Shijie +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/tlg2300/pd-video.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/media/video/tlg2300/pd-video.c ++++ b/drivers/media/video/tlg2300/pd-video.c +@@ -764,10 +764,8 @@ static int pd_vidioc_s_fmt(struct poseid + } + ret |= send_set_req(pd, VIDEO_ROSOLU_SEL, + vid_resol, &cmd_status); +- if (ret || cmd_status) { +- mutex_unlock(&pd->lock); ++ if (ret || cmd_status) + return -EBUSY; +- } + + pix_def->pixelformat = pix->pixelformat; /* save it */ + pix->height = (context->tvnormid & V4L2_STD_525_60) ? 480 : 576; diff --git a/queue-2.6.38/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch b/queue-2.6.38/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch new file mode 100644 index 00000000000..5168f4be7d6 --- /dev/null +++ b/queue-2.6.38/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch 
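Review bot: After this change pd_vidioc_s_fmt() returns -EBUSY with pd->lock still held, relying on the caller (line 806 per the description) to unlock, but the function carries no hint of that contract; a line such as `/* called with pd->lock held; the caller releases it on every path */` at the top of the function would stop the next reader from re-adding the unlock. The function's head and its other return paths are outside the hunk, so whether every remaining early return now also leaves the lock held cannot be confirmed from here and should be checked once.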
@@ -0,0 +1,39 @@ +From deb187e72470b0382d4f0cb859e76e1ebc3a1082 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Tue, 22 Mar 2011 16:34:01 -0700 +Subject: drivers/misc/ep93xx_pwm.c: world-writable sysfs files + +From: Vasiliy Kulikov + +commit deb187e72470b0382d4f0cb859e76e1ebc3a1082 upstream. + +Don't allow everybody to change device settings. + +Signed-off-by: Vasiliy Kulikov +Acked-by: Hartley Sweeten +Cc: Matthieu Crapet +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/ep93xx_pwm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/misc/ep93xx_pwm.c ++++ b/drivers/misc/ep93xx_pwm.c +@@ -249,11 +249,11 @@ static ssize_t ep93xx_pwm_set_invert(str + + static DEVICE_ATTR(min_freq, S_IRUGO, ep93xx_pwm_get_min_freq, NULL); + static DEVICE_ATTR(max_freq, S_IRUGO, ep93xx_pwm_get_max_freq, NULL); +-static DEVICE_ATTR(freq, S_IWUGO | S_IRUGO, ++static DEVICE_ATTR(freq, S_IWUSR | S_IRUGO, + ep93xx_pwm_get_freq, ep93xx_pwm_set_freq); +-static DEVICE_ATTR(duty_percent, S_IWUGO | S_IRUGO, ++static DEVICE_ATTR(duty_percent, S_IWUSR | S_IRUGO, + ep93xx_pwm_get_duty_percent, ep93xx_pwm_set_duty_percent); +-static DEVICE_ATTR(invert, S_IWUGO | S_IRUGO, ++static DEVICE_ATTR(invert, S_IWUSR | S_IRUGO, + ep93xx_pwm_get_invert, ep93xx_pwm_set_invert); + + static struct attribute *ep93xx_pwm_attrs[] = { diff --git a/queue-2.6.38/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-file.patch b/queue-2.6.38/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-file.patch new file mode 100644 index 00000000000..12782efe925 --- /dev/null +++ b/queue-2.6.38/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-file.patch 
@@ -0,0 +1,33 @@ +From 49d50fb1c28738ef6bad0c2b87d5355a1653fed5 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Tue, 22 Mar 2011 16:34:53 -0700 +Subject: drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file + +From: Vasiliy Kulikov + +commit 49d50fb1c28738ef6bad0c2b87d5355a1653fed5 upstream. + +Don't allow everybogy to write to NVRAM. + +Signed-off-by: Vasiliy Kulikov +Cc: Andy Sharp +Cc: Alessandro Zummo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-ds1511.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-ds1511.c ++++ b/drivers/rtc/rtc-ds1511.c +@@ -485,7 +485,7 @@ ds1511_nvram_write(struct file *filp, st + static struct bin_attribute ds1511_nvram_attr = { + .attr = { + .name = "nvram", +- .mode = S_IRUGO | S_IWUGO, ++ .mode = S_IRUGO | S_IWUSR, + }, + .size = DS1511_RAM_MAX, + .read = ds1511_nvram_read, diff --git a/queue-2.6.38/econet-4-byte-infoleak-to-the-network.patch b/queue-2.6.38/econet-4-byte-infoleak-to-the-network.patch new file mode 100644 index 00000000000..42803170e64 --- /dev/null +++ b/queue-2.6.38/econet-4-byte-infoleak-to-the-network.patch 
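Review bot: The nvram attribute is now root-writable, but `.mode = S_IRUGO | S_IWUSR` still lets every local user read the whole DS1511 NVRAM (DS1511_RAM_MAX bytes) through sysfs; if that RAM can hold anything beyond the clock's own bookkeeping, `S_IRUSR | S_IWUSR` is the safer default and can be relaxed by udev where needed. Whether the NVRAM contents are sensitive on a given board is not visible here, so this is a question for the RTC maintainers rather than a blocker. A short comment on the mode, e.g. `/* 0644: NVRAM readable by all, writable by root only */`, would at least make the choice explicit.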
@@ -0,0 +1,39 @@ +From 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Thu, 17 Mar 2011 01:40:10 +0000 +Subject: econet: 4 byte infoleak to the network + +From: Vasiliy Kulikov + +commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream. + +struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on +x86_64. These bytes are not initialized in the variable 'ah' before +sending 'ah' to the network. This leads to 4 bytes kernel stack +infoleak. + +This bug was introduced before the git epoch. + +Signed-off-by: Vasiliy Kulikov +Acked-by: Phil Blundell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/econet/af_econet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/econet/af_econet.c ++++ b/net/econet/af_econet.c +@@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb * + udpdest.sin_addr.s_addr = htonl(network | addr.station); + } + ++ memset(&ah, 0, sizeof(ah)); + ah.port = port; + ah.cb = cb & 0x7f; + ah.code = 2; /* magic */ +- ah.pad = 0; + + /* tack our header on the front of the iovec */ + size = sizeof(struct aunhdr); diff --git a/queue-2.6.38/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch b/queue-2.6.38/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch new file mode 100644 index 00000000000..b262e737817 --- /dev/null +++ b/queue-2.6.38/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch 
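Review bot: `memset(&ah, 0, sizeof(ah))` is the right fix for the padding leak, but the reason is invisible at the call site; I would write it as `memset(&ah, 0, sizeof(ah)); /* also clears struct padding, which goes on the wire */` so the zeroing is not later replaced by member initialisers, which the C standard does not guarantee to zero padding bytes. The removed `ah.pad = 0` is subsumed by the memset, so the field-by-field assignments that follow are fine. econet_sendmsg() starts before the hunk and continues after it.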
@@ -0,0 +1,55 @@ +From 6a8ab060779779de8aea92ce3337ca348f973f54 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Tue, 15 Mar 2011 13:37:13 +0100 +Subject: ipv6: netfilter: ip6_tables: fix infoleak to userspace + +From: Vasiliy Kulikov + +commit 6a8ab060779779de8aea92ce3337ca348f973f54 upstream. + +Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are +copied from userspace. Fields of these structs that are +zero-terminated strings are not checked. When they are used as argument +to a format string containing "%s" in request_module(), some sensitive +information is leaked to userspace via argument of spawned modprobe +process. + +The first bug was introduced before the git epoch; the second was +introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by +6b7d31fc (v2.6.15-rc1). To trigger the bug one should have +CAP_NET_ADMIN. + +Signed-off-by: Vasiliy Kulikov +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/netfilter/ip6_tables.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1274,6 +1274,7 @@ do_replace(struct net *net, const void _ + /* overflow check */ + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); + if (!newinfo) +@@ -1820,6 +1821,7 @@ compat_do_replace(struct net *net, void + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); + if (!newinfo) +@@ -2049,6 +2051,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd + ret = -EFAULT; + break; + } ++ rev.name[sizeof(rev.name)-1] = 0; + + if (cmd == IP6T_SO_GET_REVISION_TARGET) + target = 1; 
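Review bot: `tmp.name[sizeof(tmp.name)-1] = 0` terminates the user-supplied name, which closes the `%s`/request_module() leak, but it does so by silently truncating an over-long name rather than rejecting it; a `strnlen(tmp.name, sizeof(tmp.name)) == sizeof(tmp.name)` check returning -EINVAL would be the stricter contract, and the same applies to `rev.name` in the third hunk. Whichever is chosen, a one-line comment such as `/* name is copied from userspace and reaches a "%s" format; force termination */` next to each assignment will keep the three sites from drifting. The identical three-site fix appears in the arp_tables and ip_tables patches further down this page (do_replace, compat_do_replace, do_*_get_ctl), so the same comment belongs there too. Each enclosing function starts before its hunk and continues after it.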
diff --git a/queue-2.6.38/mfd-ab3100-world-writable-debugfs-_priv-files.patch b/queue-2.6.38/mfd-ab3100-world-writable-debugfs-_priv-files.patch new file mode 100644 index 00000000000..9db14af5b36 --- /dev/null +++ b/queue-2.6.38/mfd-ab3100-world-writable-debugfs-_priv-files.patch @@ -0,0 +1,40 @@ +From f8a0697722d12a201588225999cfc8bfcbc82781 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Fri, 4 Feb 2011 15:23:36 +0300 +Subject: mfd: ab3100: world-writable debugfs *_priv files + +From: Vasiliy Kulikov + +commit f8a0697722d12a201588225999cfc8bfcbc82781 upstream. + +Don't allow everybody to change device hardware registers. + +Signed-off-by: Vasiliy Kulikov +Acked-by: Linus Walleij +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/ab3100-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mfd/ab3100-core.c ++++ b/drivers/mfd/ab3100-core.c +@@ -613,7 +613,7 @@ static void ab3100_setup_debugfs(struct + ab3100_get_priv.ab3100 = ab3100; + ab3100_get_priv.mode = false; + ab3100_get_reg_file = debugfs_create_file("get_reg", +- S_IWUGO, ab3100_dir, &ab3100_get_priv, ++ S_IWUSR, ab3100_dir, &ab3100_get_priv, + &ab3100_get_set_reg_fops); + if (!ab3100_get_reg_file) { + err = -ENOMEM; +@@ -623,7 +623,7 @@ static void ab3100_setup_debugfs(struct + ab3100_set_priv.ab3100 = ab3100; + ab3100_set_priv.mode = true; + ab3100_set_reg_file = debugfs_create_file("set_reg", +- S_IWUGO, ab3100_dir, &ab3100_set_priv, ++ S_IWUSR, ab3100_dir, &ab3100_set_priv, + &ab3100_get_set_reg_fops); + if (!ab3100_set_reg_file) { + err = -ENOMEM; diff --git a/queue-2.6.38/mfd-ab3500-world-writable-debugfs-register-files.patch b/queue-2.6.38/mfd-ab3500-world-writable-debugfs-register-files.patch new file mode 100644 index 00000000000..c6403e3ea74 --- /dev/null +++ b/queue-2.6.38/mfd-ab3500-world-writable-debugfs-register-files.patch 
@@ -0,0 +1,43 @@ +From 90c861c2a83d974684974441093ff8a50e6b430b Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Fri, 4 Feb 2011 15:23:39 +0300 +Subject: mfd: ab3500: world-writable debugfs register-* files + +From: Vasiliy Kulikov + +commit 90c861c2a83d974684974441093ff8a50e6b430b upstream. + +Don't allow everybody to interact with hardware registers. + +Signed-off-by: Vasiliy Kulikov +Acked-by: Linus Walleij +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/ab3550-core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mfd/ab3550-core.c ++++ b/drivers/mfd/ab3550-core.c +@@ -1053,17 +1053,17 @@ static inline void ab3550_setup_debugfs( + goto exit_destroy_dir; + + ab3550_bank_file = debugfs_create_file("register-bank", +- (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_bank_fops); ++ (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_bank_fops); + if (!ab3550_bank_file) + goto exit_destroy_reg; + + ab3550_address_file = debugfs_create_file("register-address", +- (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_address_fops); ++ (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_address_fops); + if (!ab3550_address_file) + goto exit_destroy_bank; + + ab3550_val_file = debugfs_create_file("register-value", +- (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_val_fops); ++ (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_val_fops); + if (!ab3550_val_file) + goto exit_destroy_address; + diff --git a/queue-2.6.38/mfd-ab8500-world-writable-debugfs-register-files.patch b/queue-2.6.38/mfd-ab8500-world-writable-debugfs-register-files.patch new file mode 100644 index 00000000000..78c4ca167a5 --- /dev/null +++ b/queue-2.6.38/mfd-ab8500-world-writable-debugfs-register-files.patch 
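Review bot: The three debugfs files keep `S_IRUGO`, so any user who can reach the debugfs mount can still read `register-value` output after root has presumably selected a bank and address; if raw register contents are not meant to be public on this chip, `(S_IRUSR | S_IWUSR)` would be the conservative mode. Whether debugfs is mounted world-accessible on the target systems is not visible here, so treat this as a question rather than a defect. The same pattern appears in the ab8500-debugfs patch that follows; the two should be decided together. The patch subject says ab3500 while the file is drivers/mfd/ab3550-core.c, worth a glance so the series entry matches the driver.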
@@ -0,0 +1,44 @@ +From 44bdcb54df2714da18c4a0c6f711a350ab4ed93c Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Fri, 4 Feb 2011 15:23:43 +0300 +Subject: mfd: ab8500: world-writable debugfs register-* files + +From: Vasiliy Kulikov + +commit 44bdcb54df2714da18c4a0c6f711a350ab4ed93c upstream. + +Don't allow everybody to interact with hardware registers. + +Signed-off-by: Vasiliy Kulikov +Acked-by: Linus Walleij +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/ab8500-debugfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mfd/ab8500-debugfs.c ++++ b/drivers/mfd/ab8500-debugfs.c +@@ -585,18 +585,18 @@ static int __devinit ab8500_debug_probe( + goto exit_destroy_dir; + + ab8500_bank_file = debugfs_create_file("register-bank", +- (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev, &ab8500_bank_fops); ++ (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev, &ab8500_bank_fops); + if (!ab8500_bank_file) + goto exit_destroy_reg; + + ab8500_address_file = debugfs_create_file("register-address", +- (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev, ++ (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev, + &ab8500_address_fops); + if (!ab8500_address_file) + goto exit_destroy_bank; + + ab8500_val_file = debugfs_create_file("register-value", +- (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev, &ab8500_val_fops); ++ (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev, &ab8500_val_fops); + if (!ab8500_val_file) + goto exit_destroy_address; + diff --git a/queue-2.6.38/netfilter-arp_tables-fix-infoleak-to-userspace.patch b/queue-2.6.38/netfilter-arp_tables-fix-infoleak-to-userspace.patch new file mode 100644 index 00000000000..13f15bb26df --- /dev/null +++ b/queue-2.6.38/netfilter-arp_tables-fix-infoleak-to-userspace.patch 
@@ -0,0 +1,55 @@ +From 42eab94fff18cb1091d3501cd284d6bd6cc9c143 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Tue, 15 Mar 2011 13:35:21 +0100 +Subject: netfilter: arp_tables: fix infoleak to userspace + +From: Vasiliy Kulikov + +commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream. + +Structures ipt_replace, compat_ipt_replace, and xt_get_revision are +copied from userspace. Fields of these structs that are +zero-terminated strings are not checked. When they are used as argument +to a format string containing "%s" in request_module(), some sensitive +information is leaked to userspace via argument of spawned modprobe +process. + +The first bug was introduced before the git epoch; the second is +introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by +6b7d31fc (v2.6.15-rc1). To trigger the bug one should have +CAP_NET_ADMIN. + +Signed-off-by: Vasiliy Kulikov +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/arp_tables.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1065,6 +1065,7 @@ static int do_replace(struct net *net, c + /* overflow check */ + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); + if (!newinfo) +@@ -1486,6 +1487,7 @@ static int compat_do_replace(struct net + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); + if (!newinfo) +@@ -1738,6 +1740,7 @@ static int do_arpt_get_ctl(struct sock * + ret = -EFAULT; + break; + } ++ rev.name[sizeof(rev.name)-1] = 0; + + try_then_request_module(xt_find_revision(NFPROTO_ARP, rev.name, + rev.revision, 1, &ret), 
diff --git a/queue-2.6.38/netfilter-h323-bug-in-parsing-of-asn1-seqof-field.patch b/queue-2.6.38/netfilter-h323-bug-in-parsing-of-asn1-seqof-field.patch new file mode 100644 index 00000000000..ff033aa7d2e --- /dev/null +++ b/queue-2.6.38/netfilter-h323-bug-in-parsing-of-asn1-seqof-field.patch @@ -0,0 +1,38 @@ +From b4232a22776aa5d063f890d21ca69870dbbe431b Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Mon, 4 Apr 2011 15:21:02 +0200 +Subject: netfilter: h323: bug in parsing of ASN1 SEQOF field + +From: David Sterba + +commit b4232a22776aa5d063f890d21ca69870dbbe431b upstream. + +Static analyzer of clang found a dead store which appears to be a bug in +reading count of items in SEQOF field, only the lower byte of word is +stored. This may lead to corrupted read and communication shutdown. + +The bug has been in the module since it's first inclusion into linux +kernel. + +[Patrick: the bug is real, but without practical consequence since the + largest amount of sequence-of members we parse is 30.] + +Signed-off-by: David Sterba +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -631,7 +631,7 @@ static int decode_seqof(bitstr_t *bs, co + CHECK_BOUND(bs, 2); + count = *bs->cur++; + count <<= 8; +- count = *bs->cur++; ++ count += *bs->cur++; + break; + case SEMI: + BYTE_ALIGN(bs); diff --git a/queue-2.6.38/netfilter-ip_tables-fix-infoleak-to-userspace.patch b/queue-2.6.38/netfilter-ip_tables-fix-infoleak-to-userspace.patch new file mode 100644 index 00000000000..22d065acf37 --- /dev/null +++ b/queue-2.6.38/netfilter-ip_tables-fix-infoleak-to-userspace.patch 
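Review bot: `count += *bs->cur++` now assembles the 16-bit big-endian length correctly, but the two-byte read deserves a comment, e.g. `/* 16-bit big-endian item count */`, so the shift/add pair is not "simplified" back into the dead store clang flagged. With the high byte now honoured, `count` can reach 65535 where before it was effectively capped at 255; the loop that consumes it is outside the hunk, so confirm it bounds each element read against the buffer (CHECK_BOUND) rather than trusting count, and that the 30-member figure Patrick mentions is enforced somewhere. decode_seqof() starts before the hunk and continues after it.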
@@ -0,0 +1,54 @@ +From 78b79876761b86653df89c48a7010b5cbd41a84a Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Tue, 15 Mar 2011 13:36:05 +0100 +Subject: netfilter: ip_tables: fix infoleak to userspace + +From: Vasiliy Kulikov + +commit 78b79876761b86653df89c48a7010b5cbd41a84a upstream. + +Structures ipt_replace, compat_ipt_replace, and xt_get_revision are +copied from userspace. Fields of these structs that are +zero-terminated strings are not checked. When they are used as argument +to a format string containing "%s" in request_module(), some sensitive +information is leaked to userspace via argument of spawned modprobe +process. + +The first and the third bugs were introduced before the git epoch; the +second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug +one should have CAP_NET_ADMIN. + +Signed-off-by: Vasiliy Kulikov +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/ip_tables.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1261,6 +1261,7 @@ do_replace(struct net *net, const void _ + /* overflow check */ + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); + if (!newinfo) +@@ -1805,6 +1806,7 @@ compat_do_replace(struct net *net, void + return -ENOMEM; + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) + return -ENOMEM; ++ tmp.name[sizeof(tmp.name)-1] = 0; + + newinfo = xt_alloc_table_info(tmp.size); + if (!newinfo) +@@ -2034,6 +2036,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, + ret = -EFAULT; + break; + } ++ rev.name[sizeof(rev.name)-1] = 0; + + if (cmd == IPT_SO_GET_REVISION_TARGET) + target = 1; diff --git a/queue-2.6.38/netfilter-ipt_clusterip-fix-buffer-overflow.patch b/queue-2.6.38/netfilter-ipt_clusterip-fix-buffer-overflow.patch new file mode 100644 index 00000000000..f340776be27 
--- /dev/null +++ b/queue-2.6.38/netfilter-ipt_clusterip-fix-buffer-overflow.patch @@ -0,0 +1,41 @@ +From 961ed183a9fd080cf306c659b8736007e44065a5 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Sun, 20 Mar 2011 15:42:52 +0100 +Subject: netfilter: ipt_CLUSTERIP: fix buffer overflow + +From: Vasiliy Kulikov + +commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream. + +'buffer' string is copied from userspace. It is not checked whether it is +zero terminated. This may lead to overflow inside of simple_strtoul(). +Changli Gao suggested to copy not more than user supplied 'size' bytes. + +It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are +root writable only by default, however, on some setups permissions might be +relaxed to e.g. network admin user. + +Signed-off-by: Vasiliy Kulikov +Acked-by: Changli Gao +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -669,8 +669,11 @@ static ssize_t clusterip_proc_write(stru + char buffer[PROC_WRITELEN+1]; + unsigned long nodenum; + +- if (copy_from_user(buffer, input, PROC_WRITELEN)) ++ if (size > PROC_WRITELEN) ++ return -EIO; ++ if (copy_from_user(buffer, input, size)) + return -EFAULT; ++ buffer[size] = 0; + + if (*buffer == '+') { + nodenum = simple_strtoul(buffer+1, NULL, 10); diff --git a/queue-2.6.38/netfilter-xtables-fix-reentrancy.patch b/queue-2.6.38/netfilter-xtables-fix-reentrancy.patch new file mode 100644 index 00000000000..b612af7bcb1 --- /dev/null +++ b/queue-2.6.38/netfilter-xtables-fix-reentrancy.patch 
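Review bot: `return -EIO` for an over-long write is an unusual errno, -EINVAL (or -E2BIG) is what callers expect for "input too large" while -EIO suggests a device fault; I would change the new line to `return -EINVAL;`. The bound itself is right: `size <= PROC_WRITELEN` keeps `buffer[size] = 0` inside `char buffer[PROC_WRITELEN+1]`. A zero-length write now yields an empty, terminated buffer; what clusterip_proc_write() does with it depends on the branches after the hunk, which are outside this view, so check that the fall-through path rejects it cleanly. The unchanged `simple_strtoul(buffer+1, NULL, 10)` still accepts trailing garbage; that predates the patch.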
@@ -0,0 +1,73 @@ +From db856674ac69e31946e56085239757cca3f7655f Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sun, 20 Mar 2011 15:40:06 +0100 +Subject: netfilter: xtables: fix reentrancy + +From: Eric Dumazet + +commit db856674ac69e31946e56085239757cca3f7655f upstream. + +commit f3c5c1bfd4308 (make ip_tables reentrant) introduced a race in +handling the stackptr restore, at the end of ipt_do_table() + +We should do it before the call to xt_info_rdunlock_bh(), or we allow +cpu preemption and another cpu overwrites stackptr of original one. + +A second fix is to change the underflow test to check the origptr value +instead of 0 to detect underflow, or else we allow a jump from different +hooks. + +Signed-off-by: Eric Dumazet +Cc: Jan Engelhardt +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/ip_tables.c | 4 ++-- + net/ipv6/netfilter/ip6_tables.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -387,7 +387,7 @@ ipt_do_table(struct sk_buff *skb, + verdict = (unsigned)(-v) - 1; + break; + } +- if (*stackptr == 0) { ++ if (*stackptr <= origptr) { + e = get_entry(table_base, + private->underflow[hook]); + pr_debug("Underflow (this is normal) " +@@ -427,10 +427,10 @@ ipt_do_table(struct sk_buff *skb, + /* Verdict */ + break; + } while (!acpar.hotdrop); +- xt_info_rdunlock_bh(); + pr_debug("Exiting %s; resetting sp from %u to %u\n", + __func__, *stackptr, origptr); + *stackptr = origptr; ++ xt_info_rdunlock_bh(); + #ifdef DEBUG_ALLOW_ALL + return NF_ACCEPT; + #else +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -410,7 +410,7 @@ ip6t_do_table(struct sk_buff *skb, + verdict = (unsigned)(-v) - 1; + break; + } +- if (*stackptr == 0) ++ if (*stackptr <= origptr) + e = get_entry(table_base, + private->underflow[hook]); + else +@@ -441,8 +441,8 @@ ip6t_do_table(struct sk_buff *skb, + break; + } while 
(!acpar.hotdrop); + +- xt_info_rdunlock_bh(); + *stackptr = origptr; ++ xt_info_rdunlock_bh(); + + #ifdef DEBUG_ALLOW_ALL + return NF_ACCEPT; diff --git a/queue-2.6.38/scsi_transport_iscsi-make-priv_sess-file-writeable-only-by-root.patch b/queue-2.6.38/scsi_transport_iscsi-make-priv_sess-file-writeable-only-by-root.patch new file mode 100644 index 00000000000..2a39683bbe8 --- /dev/null +++ b/queue-2.6.38/scsi_transport_iscsi-make-priv_sess-file-writeable-only-by-root.patch @@ -0,0 +1,29 @@ +From 523f3c80bc41d663d5b35c0cd6ce0fad7f3e7188 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Fri, 4 Feb 2011 15:24:14 +0300 +Subject: [SCSI] scsi_transport_iscsi: make priv_sess file writeable only by root + +From: Vasiliy Kulikov + +commit 523f3c80bc41d663d5b35c0cd6ce0fad7f3e7188 upstream. + +Signed-off-by: Vasiliy Kulikov +Acked-by: Mike Christie +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_transport_iscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -1847,7 +1847,7 @@ store_priv_session_##field(struct device + #define iscsi_priv_session_rw_attr(field, format) \ + iscsi_priv_session_attr_show(field, format) \ + iscsi_priv_session_attr_store(field) \ +-static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUGO, \ ++static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUSR, \ + show_priv_session_##field, \ + store_priv_session_##field) + iscsi_priv_session_rw_attr(recovery_tmo, "%d"); diff --git a/queue-2.6.38/series b/queue-2.6.38/series index 9d7b0d6364a..634599cf672 100644 --- a/queue-2.6.38/series +++ b/queue-2.6.38/series 
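Review bot: Moving `*stackptr = origptr` ahead of `xt_info_rdunlock_bh()` is the whole point of the fix, yet the ordering looks arbitrary to a reader and is exactly what a tidy-up would undo; I would add `/* restore the jump stack before dropping the lock: per the description, unlocking re-enables preemption and the per-cpu stackptr must not be written after we may have migrated */` above the restore in both ipt_do_table() and ip6t_do_table(). The new `*stackptr <= origptr` underflow test is consistent in both files; the IPv4 pr_debug still prints `*stackptr` and `origptr`, which is fine since it runs before the restore. Both functions start before and end after their hunks.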
@@ -74,3 +74,22 @@ bluetooth-sco-fix-information-leak-to-userspace.patch
 bridge-netfilter-fix-information-leak.patch
 bluetooth-bnep-fix-buffer-overflow.patch
 bluetooth-add-support-for-apple-macbook-pro-8-2.patch
+treat-writes-as-new-when-holes-span-across-page-boundaries.patch
+char-tpm-fix-unitialized-usage-of-data-buffer.patch
+netfilter-ip_tables-fix-infoleak-to-userspace.patch
+netfilter-xtables-fix-reentrancy.patch
+netfilter-arp_tables-fix-infoleak-to-userspace.patch
+netfilter-ipt_clusterip-fix-buffer-overflow.patch
+ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
+scsi_transport_iscsi-make-priv_sess-file-writeable-only-by-root.patch
+mfd-ab8500-world-writable-debugfs-register-files.patch
+mfd-ab3500-world-writable-debugfs-register-files.patch
+mfd-ab3100-world-writable-debugfs-_priv-files.patch
+drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-file.patch
+drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch
+drivers-leds-leds-lp5523.c-world-writable-engine-sysfs-files.patch
+drivers-leds-leds-lp5521.c-world-writable-sysfs-engine-files.patch
+econet-4-byte-infoleak-to-the-network.patch
+netfilter-h323-bug-in-parsing-of-asn1-seqof-field.patch
+sound-oss-remove-offset-from-load_patch-callbacks.patch
+drivers-media-video-tlg2300-pd-video.c-remove-second-mutex_unlock-in-pd_vidioc_s_fmt.patch
diff --git a/queue-2.6.38/sound-oss-remove-offset-from-load_patch-callbacks.patch b/queue-2.6.38/sound-oss-remove-offset-from-load_patch-callbacks.patch
new file mode 100644
index 00000000000..d4391c2e61a
--- /dev/null
+++ b/queue-2.6.38/sound-oss-remove-offset-from-load_patch-callbacks.patch
@@ -0,0 +1,152 @@ +From b769f49463711205d57286e64cf535ed4daf59e9 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Wed, 23 Mar 2011 10:53:41 -0400 +Subject: sound/oss: remove offset from load_patch callbacks + +From: Dan Rosenberg + +commit b769f49463711205d57286e64cf535ed4daf59e9 upstream. + +Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of +uninitialized value, and signedness issue + +The offset passed to midi_synth_load_patch() can be essentially +arbitrary. If it's greater than the header length, this will result in +a copy_from_user(dst, src, negative_val). While this will just return +-EFAULT on x86, on other architectures this may cause memory corruption. +Additionally, the length field of the sysex_info structure may not be +initialized prior to its use. Finally, a signed comparison may result +in an unintentionally large loop. + +On suggestion by Takashi Iwai, version two removes the offset argument +from the load_patch callbacks entirely, which also resolves similar +issues in opl3. Compile tested only. + +v3 adjusts comments and hopefully gets copy offsets right. 
+ +Signed-off-by: Dan Rosenberg +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/oss/dev_table.h | 2 +- + sound/oss/midi_synth.c | 30 +++++++++++++----------------- + sound/oss/midi_synth.h | 2 +- + sound/oss/opl3.c | 8 ++------ + sound/oss/sequencer.c | 2 +- + 5 files changed, 18 insertions(+), 26 deletions(-) + +--- a/sound/oss/dev_table.h ++++ b/sound/oss/dev_table.h +@@ -271,7 +271,7 @@ struct synth_operations + void (*reset) (int dev); + void (*hw_control) (int dev, unsigned char *event); + int (*load_patch) (int dev, int format, const char __user *addr, +- int offs, int count, int pmgr_flag); ++ int count, int pmgr_flag); + void (*aftertouch) (int dev, int voice, int pressure); + void (*controller) (int dev, int voice, int ctrl_num, int value); + void (*panning) (int dev, int voice, int value); +--- a/sound/oss/midi_synth.c ++++ b/sound/oss/midi_synth.c +@@ -476,7 +476,7 @@ EXPORT_SYMBOL(midi_synth_hw_control); + + int + midi_synth_load_patch(int dev, int format, const char __user *addr, +- int offs, int count, int pmgr_flag) ++ int count, int pmgr_flag) + { + int orig_dev = synth_devs[dev]->midi_dev; + +@@ -491,33 +491,29 @@ midi_synth_load_patch(int dev, int forma + if (!prefix_cmd(orig_dev, 0xf0)) + return 0; + ++ /* Invalid patch format */ + if (format != SYSEX_PATCH) +- { +-/* printk("MIDI Error: Invalid patch format (key) 0x%x\n", format);*/ + return -EINVAL; +- } ++ ++ /* Patch header too short */ + if (count < hdr_size) +- { +-/* printk("MIDI Error: Patch header too short\n");*/ + return -EINVAL; +- } ++ + count -= hdr_size; + + /* +- * Copy the header from user space but ignore the first bytes which have +- * been transferred already. 
++ * Copy the header from user space + */ + +- if(copy_from_user(&((char *) &sysex)[offs], &(addr)[offs], hdr_size - offs)) ++ if (copy_from_user(&sysex, addr, hdr_size)) + return -EFAULT; +- +- if (count < sysex.len) +- { +-/* printk(KERN_WARNING "MIDI Warning: Sysex record too short (%d<%d)\n", count, (int) sysex.len);*/ ++ ++ /* Sysex record too short */ ++ if ((unsigned)count < (unsigned)sysex.len) + sysex.len = count; +- } +- left = sysex.len; +- src_offs = 0; ++ ++ left = sysex.len; ++ src_offs = 0; + + for (i = 0; i < left && !signal_pending(current); i++) + { +--- a/sound/oss/midi_synth.h ++++ b/sound/oss/midi_synth.h +@@ -8,7 +8,7 @@ int midi_synth_open (int dev, int mode); + void midi_synth_close (int dev); + void midi_synth_hw_control (int dev, unsigned char *event); + int midi_synth_load_patch (int dev, int format, const char __user * addr, +- int offs, int count, int pmgr_flag); ++ int count, int pmgr_flag); + void midi_synth_panning (int dev, int channel, int pressure); + void midi_synth_aftertouch (int dev, int channel, int pressure); + void midi_synth_controller (int dev, int channel, int ctrl_num, int value); +--- a/sound/oss/opl3.c ++++ b/sound/oss/opl3.c +@@ -820,7 +820,7 @@ static void opl3_hw_control(int dev, uns + } + + static int opl3_load_patch(int dev, int format, const char __user *addr, +- int offs, int count, int pmgr_flag) ++ int count, int pmgr_flag) + { + struct sbi_instrument ins; + +@@ -830,11 +830,7 @@ static int opl3_load_patch(int dev, int + return -EINVAL; + } + +- /* +- * What the fuck is going on here? We leave junk in the beginning +- * of ins and then check the field pretty close to that beginning? 
+- */ +- if(copy_from_user(&((char *) &ins)[offs], addr + offs, sizeof(ins) - offs)) ++ if (copy_from_user(&ins, addr, sizeof(ins))) + return -EFAULT; + + if (ins.channel < 0 || ins.channel >= SBFM_MAXINSTR) +--- a/sound/oss/sequencer.c ++++ b/sound/oss/sequencer.c +@@ -241,7 +241,7 @@ int sequencer_write(int dev, struct file + return -ENXIO; + + fmt = (*(short *) &event_rec[0]) & 0xffff; +- err = synth_devs[dev]->load_patch(dev, fmt, buf, p + 4, c, 0); ++ err = synth_devs[dev]->load_patch(dev, fmt, buf + p, c, 0); + if (err < 0) + return err; + diff --git a/queue-2.6.38/treat-writes-as-new-when-holes-span-across-page-boundaries.patch b/queue-2.6.38/treat-writes-as-new-when-holes-span-across-page-boundaries.patch new file mode 100644 index 00000000000..f6e9097be87 --- /dev/null +++ b/queue-2.6.38/treat-writes-as-new-when-holes-span-across-page-boundaries.patch 
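Review bot: The dev_table.h hunk changes the `load_patch` member of `struct synth_operations`, and only midi_synth.c and opl3.c are updated in the diffstat; any other driver that assigns its own `load_patch` would now have a mismatched prototype, which for a function-pointer assignment is a warning rather than an error in C and would silently shift `count` and `pmgr_flag` at runtime — the patch says "Compile tested only", so a grep for `load_patch` across sound/oss before merging the backport is warranted (the in-tree callers that point at `midi_synth_load_patch` are fine since that definition is updated). In midi_synth.c the untrusted `sysex.len` is now clamped with unsigned casts, which is correct since `count` is already known to be non-negative after the `count < hdr_size` check, but the intent deserves a comment above the compare: `/* sysex.len comes from userspace; clamp it to the bytes actually supplied */`. In opl3.c the full-struct `copy_from_user(&ins, addr, sizeof(ins))` relies on a count check above the hunk that is not visible here. All touched functions continue outside the hunks shown.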
@@ -0,0 +1,38 @@ +From 272b62c1f0f6f742046e45b50b6fec98860208a0 Mon Sep 17 00:00:00 2001 +From: Goldwyn Rodrigues +Date: Thu, 17 Feb 2011 09:44:40 -0600 +Subject: Treat writes as new when holes span across page boundaries + +From: Goldwyn Rodrigues + +commit 272b62c1f0f6f742046e45b50b6fec98860208a0 upstream. + +When a hole spans across page boundaries, the next write forces +a read of the block. This could end up reading existing garbage +data from the disk in ocfs2_map_page_blocks. This leads to +non-zero holes. In order to avoid this, mark the writes as new +when the holes span across page boundaries. + +Signed-off-by: Goldwyn Rodrigues +Signed-off-by: jlbec +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/aops.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -1026,6 +1026,12 @@ static int ocfs2_prepare_page_for_write( + ocfs2_figure_cluster_boundaries(OCFS2_SB(inode->i_sb), cpos, + &cluster_start, &cluster_end); + ++ /* treat the write as new if the a hole/lseek spanned across ++ * the page boundary. ++ */ ++ new = new | ((i_size_read(inode) <= page_offset(page)) && ++ (page_offset(page) <= user_pos)); ++ + if (page == wc->w_target_page) { + map_from = user_pos & (PAGE_CACHE_SIZE - 1); + map_to = map_from + user_len;
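Review bot: The comment introduced above the new `new = new | (...)` assignment has a typo and does not explain why the condition identifies a hole — it reads `treat the write as new if the a hole/lseek spanned across the page boundary.`; suggest `/* Treat the write as new when the page starts at or beyond i_size and at or before the write position: it covers a hole, so the on-disk blocks hold stale data that must not be read back into the page. */`, since stale disk contents surfacing as file data is the defect the commit message describes as "non-zero holes". As a style point, `new |= (...)` or, if `new` is only ever 0/1, `new = new || (...)` reads more clearly than the bitwise `new | ...`; the declaration of `new` is outside the hunk, so its type cannot be confirmed here. ocfs2_prepare_page_for_write continues outside the hunk.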