Commits on Sep 20, 2010
  1. Linux

    gregkh committed Sep 20, 2010
  2. x86-64, compat: Retruncate rax after ia32 syscall entry tracing

    Roland McGrath committed with gregkh Sep 14, 2010
    commit eefdca0 upstream.
    In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
    32-bit tracee in system call entry.  A %rax value set via ptrace at the
    entry tracing stop gets used whole as a 32-bit syscall number, while we
    only check the low 32 bits for validity.
    Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
    in addition to testing the full 64 bits as has already been added.
    Reported-by: Ben Hawkes <>
    Signed-off-by: Roland McGrath <>
    Signed-off-by: H. Peter Anvin <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. apm_power: Add missing break statement

    enomsg committed with gregkh Sep 7, 2010
    commit 1d22033 upstream.
    The missing break statement causes wrong capacity calculation for
    batteries that report energy.
    Reported-by: d binderman <>
    Signed-off-by: Anton Vorontsov <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. hwmon: (f75375s) Do not overwrite values read from registers

    guillemj committed with gregkh Sep 17, 2010
    commit c3b327d upstream.
    All bits in the values read from registers to be used for the next
    write were getting overwritten, avoid doing so to not mess with the
    current configuration.
    Signed-off-by: Guillem Jover <>
    Cc: Riku Voipio <>
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. hwmon: (f75375s) Shift control mode to the correct bit position

    guillemj committed with gregkh Sep 17, 2010
    commit 96f3640 upstream.
    The spec notes that fan0 and fan1 control mode bits are located in bits
    7-6 and 5-4 respectively, but the FAN_CTRL_MODE macro was making the
    bits shift by 5 instead of by 4.
    Signed-off-by: Guillem Jover <>
    Cc: Riku Voipio <>
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. compat: Make compat_alloc_user_space() incorporate the access_ok()

    H. Peter Anvin committed with gregkh Sep 7, 2010
    commit c41d68a upstream.
    compat_alloc_user_space() expects the caller to independently call
    access_ok() to verify the returned area.  A missing call could
    introduce problems on some architectures.
    This patch incorporates the access_ok() check into
    compat_alloc_user_space() and also adds a sanity check on the length.
    The existing compat_alloc_user_space() implementations are renamed
    arch_compat_alloc_user_space() and are used as part of the
    implementation of the new global function.
    This patch assumes NULL will cause __get_user()/__put_user() to either
    fail or access userspace on all architectures.  This should be
    followed by checking the return value of compat_access_user_space()
    for NULL in the callers, at which time the access_ok() in the callers
    can also be removed.
    Reported-by: Ben Hawkes <>
    Signed-off-by: H. Peter Anvin <>
    Acked-by: Benjamin Herrenschmidt <>
    Acked-by: Chris Metcalf <>
    Acked-by: David S. Miller <>
    Acked-by: Ingo Molnar <>
    Acked-by: Thomas Gleixner <>
    Acked-by: Tony Luck <>
    Cc: Andrew Morton <>
    Cc: Arnd Bergmann <>
    Cc: Fenghua Yu <>
    Cc: H. Peter Anvin <>
    Cc: Heiko Carstens <>
    Cc: Helge Deller <>
    Cc: James Bottomley <>
    Cc: Kyle McMartin <>
    Cc: Martin Schwidefsky <>
    Cc: Paul Mackerras <>
    Cc: Ralf Baechle <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. x86-64, compat: Test %rax for the syscall number, not %eax

    H. Peter Anvin committed with gregkh Sep 14, 2010
    commit 36d001c upstream.
    On 64 bits, we always, by necessity, jump through the system call
    table via %rax.  For 32-bit system calls, in theory the system call
    number is stored in %eax, and the code was testing %eax for a valid
    system call number.  At one point we loaded the stored value back from
    the stack to enforce zero-extension, but that was removed in checkin
    d4d6715.  An actual 32-bit process
    will not be able to introduce a non-zero-extended number, but it can
    happen via ptrace.
    Instead of re-introducing the zero-extension, test what we are
    actually going to use, i.e. %rax.  This only adds a handful of REX
    prefixes to the code.
    Reported-by: Ben Hawkes <>
    Signed-off-by: H. Peter Anvin <>
    Cc: Roland McGrath <>
    Cc: Andrew Morton <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. bounce: call flush_dcache_page() after bounce_copy_vec()

    Gary King committed with gregkh Sep 9, 2010
    commit ac8456d upstream.
    I have been seeing problems on Tegra 2 (ARMv7 SMP) systems with HIGHMEM
    enabled on 2.6.35 (plus some patches targeted at 2.6.36 to perform cache
    maintenance lazily), and the root cause appears to be that the mm bouncing
    code is calling flush_dcache_page before it copies the bounce buffer into
    the bio.
    The bounced page needs to be flushed after data is copied into it, to
    ensure that architecture implementations can synchronize instruction and
    data caches if necessary.
    Signed-off-by: Gary King <>
    Cc: Tejun Heo <>
    Cc: Russell King <>
    Acked-by: Jens Axboe <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. irda: off by one

    error27 committed with gregkh Sep 4, 2010
    commit cf9b94f upstream.
    This is an off by one.  We would go past the end when we NUL terminate
    the "value" string at end of the function.  The "value" buffer is
    allocated in irlan_client_parse_response() or
    Signed-off-by: Dan Carpenter <>
    Signed-off-by: David S. Miller <>
  10. tracing: Do not allow llseek to set_ftrace_filter

    Steven Rostedt committed with gregkh Sep 8, 2010
    commit 9c55cb1 upstream.
    Reading the file set_ftrace_filter does three things.
    1) shows whether or not filters are set for the function tracer
    2) shows what functions are set for the function tracer
    3) shows what triggers are set on any functions
    3 is independent from 1 and 2.
    The way this file currently works is that it is a state machine,
    and as you read it, it may change state. But this assumption breaks
    when you use lseek() on the file. The state machine gets out of sync
    and the t_show() may use the wrong pointer and cause a kernel oops.
    Luckily, this will only kill the app that does the lseek, but the app
    dies while holding a mutex. This prevents anyone else from using the
    set_ftrace_filter file (or any other function tracing file for that matter).
    A real fix for this is to rewrite the code, but that is too much for
    a -rc release or stable. This patch simply disables llseek on the
    set_ftrace_filter() file for now, and we can do the proper fix for the
    next major release.
    Reported-by: Robert Swiecki <>
    Cc: Chris Wright <>
    Cc: Tavis Ormandy <>
    Cc: Eugene Teo <>
    Signed-off-by: Steven Rostedt <>
    Signed-off-by: Greg Kroah-Hartman <>
  11. ath9k_hw: fix parsing of HT40 5 GHz CTLs

    Luis R. Rodriguez committed with gregkh Aug 30, 2010
    commit 9048797 upstream.
    The 5 GHz CTL indexes were not being read for all hardware
    devices due to the masking out through the CTL_MODE_M mask
    being one bit too short. Without this the calibrated regulatory
    maximum values were not being picked up when devices operate
    on 5 GHz in HT40 mode. The final output power used for Atheros
    devices is the minimum between the calibrated CTL values and
    what CRDA provides.
    Signed-off-by: Luis R. Rodriguez <>
    Signed-off-by: John W. Linville <>
    Signed-off-by: Greg Kroah-Hartman <>
  12. ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()

    tiwai committed with gregkh Sep 6, 2010
    commit 27f7ad5 upstream.
    The error handling in snd_seq_oss_open() has several bad codes that
    do dereferencing of released pointers and double-free of kmalloc'ed data.
    The object dp is released in free_devinfo() that is called via
    private_free callback.  The rest shouldn't touch this object any more.
    The patch changes delete_port() to call kfree() in any case, and gets
    rid of unnecessary calls of destructors in snd_seq_oss_open().
    Fixes CVE-2010-3080.
    Reported-and-tested-by: Tavis Ormandy <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
Commits on Aug 26, 2010
  1. Linux

    gregkh committed Aug 26, 2010
  2. USB: io_ti: check firmware version before updating

    gregkh committed Aug 17, 2010
    commit 0827a9f upstream.
    If we can't read the firmware for a device from the disk, and yet the
    device already has a valid firmware image in it, we don't want to
    replace the firmware with something invalid.  So check the version
    number to be less than the current one to verify this is the correct
    thing to do.
    Reported-by: Chris Beauchamp <>
    Tested-by: Chris Beauchamp <>
    Cc: Alan Stern <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. USB: add device IDs for igotu to navman

    rossburton committed with gregkh Aug 6, 2010
    commit 0eee6a2 upstream.
    I recently bought an i-gotU USB GPS, and whilst hunting around for linux
    support discovered this post by you back in 2009:
    >Try the navman driver instead.  You can either add the device id to the
    > driver and rebuild it, or do this before you plug the device in:
    > 	modprobe navman
    > 	echo -n "0x0df7 0x0900" > /sys/bus/usb-serial/drivers/navman/new_id
    > and then plug your device in and see if that works.
    I can confirm that the navman driver works with the right device IDs on
    my i-gotU GT-600, which has the same device IDs.  Attached is a patch
    adding the IDs.
    From: Ross Burton <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. drm: stop information leak of old kernel stack.

    Dave Airlie committed with gregkh Aug 17, 2010
    commit b9f0aee upstream.
    non-critical issue, CVE-2010-2803
    Userspace controls the amount of memory to be allocated, so it can
    get the ioctl to allocate more memory than the kernel uses, and get
    access to kernel stack. This can only be done for processes authenticated
    to the X server for DRI access, and if the user has DRI access.
    Fix is to just memset the data to 0 if the user doesn't copy into
    it in the first place.
    Reported-by: Kees Cook <>
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
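An added userspace model (not the drm code from this commit) of the pattern the message describes: the reply buffer is sized by the caller, the handler writes only part of it, and the whole buffer is copied back. A pre-poisoned scratch buffer stands in for memory still holding old contents; the function names, the 0xAA poison value and the 8-byte payload size are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STALE_BYTE 0xAA  /* stands in for whatever was left in the allocation */
#define REPLY_USED 8     /* bytes the handler actually writes */

/* The handler only ever fills REPLY_USED bytes, while the copy back to the
 * caller covers the whole user-chosen size. Without zeroing, the remainder
 * is whatever the memory held before; the fix clears the buffer first. */
static void handle_ioctl(uint8_t *kdata, size_t usize, int zero_first)
{
    size_t i;

    if (zero_first)
        memset(kdata, 0, usize);          /* the fix: clear before use */
    for (i = 0; i < REPLY_USED && i < usize; i++)
        kdata[i] = (uint8_t)(0x10 + i);   /* the real reply payload */
}

/* Model one ioctl round trip: poison the scratch buffer to stand in for stale
 * contents, run the handler, then count how many stale bytes sit in the range
 * that would be copied to userspace beyond the handler's own data. */
size_t stale_bytes_returned(uint8_t *scratch, size_t usize, int zero_first)
{
    size_t i, stale = 0;

    memset(scratch, STALE_BYTE, usize);   /* constructed: pre-existing contents */
    handle_ioctl(scratch, usize, zero_first);
    for (i = REPLY_USED; i < usize; i++)
        if (scratch[i] == STALE_BYTE)
            stale++;
    return stale;
}
```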
  5. fixes for using make 3.82

    Jan Beulich committed with gregkh Aug 16, 2010
    commit 3c955b4 upstream.
    It doesn't like pattern and explicit rules to be on the same line,
    and it seems to be more picky when matching file (or really directory)
    names with different numbers of trailing slashes.
    Signed-off-by: Jan Beulich <>
    Acked-by: Sam Ravnborg <>
    Andrew Benton <>
    Signed-off-by: Michal Marek <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. can: add limit for nframes and clean up signed/unsigned variables

    hartkopp committed with gregkh Aug 11, 2010
    commit 5b75c49 upstream.
    This patch adds a limit for nframes as the number of frames in TX_SETUP and
    RX_SETUP are derived from a single byte multiplex value by default.
    Use-cases that would require sending/filtering more than 256 CAN frames should
    be implemented in userspace for complexity reasons anyway.
    Additionally the assignments of unsigned values from userspace to signed
    values in kernelspace and vice versa are fixed by using unsigned values in
    kernelspace consistently.
    Signed-off-by: Oliver Hartkopp <>
    Reported-by: Ben Hawkes <>
    Acked-by: Urs Thuermann <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. selinux: use default proc sid on symlinks

    stephensmalley committed with gregkh Sep 22, 2008
    commit ea6b184 upstream.
    As we are not concerned with fine-grained control over reading of
    symlinks in proc, always use the default proc SID for all proc symlinks.
    This should help avoid permission issues upon changes to the proc tree
    as in the /proc/net -> /proc/self/net example.
    This does not alter labeling of symlinks within /proc/pid directories.
    ls -Zd /proc/net output before and after the patch should show the difference.
    Signed-off-by:  Stephen D. Smalley <>
    Signed-off-by: James Morris <>
    Cc: Florian Mickler <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. kbuild: fix make incompatibility

    Sam Ravnborg committed with gregkh Dec 13, 2008
    commit 31110eb upstream.
    "Paul Smith" <> reported that we would fail
    to build with a new check that may be enabled in an
    upcoming version of make.
    The error was:
          Makefile:442: *** mixed implicit and normal rules.  Stop.
    The problem is that we did stuff like this:
    config %config: ...
    The solution was simple - the above was split into two with identical
    prerequisites and commands.
    With only three lines it was not worth trying to avoid the duplication.
    Cc: "Paul Smith" <>
    Signed-off-by: Sam Ravnborg <>
    Cc: Thomas Backlund <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. ARM: Tighten check for allowable CPSR values

    Russell King committed with gregkh Aug 13, 2010
    commit 41e2e8f upstream.
    Reviewed-by: Arve Hjønnevåg <>
    Acked-by: Dima Zavin <>
    Signed-off-by: Russell King <>
    Signed-off-by: Greg Kroah-Hartman <>
Commits on Aug 20, 2010
  1. Linux

    gregkh committed Aug 20, 2010
  2. mm: fix up some user-visible effects of the stack guard page

    torvalds committed with gregkh Aug 15, 2010
    commit d782437 upstream.
    This commit makes the stack guard page somewhat less visible to user
    space. It does this by:
     - not showing the guard page in /proc/<pid>/maps
       It looks like lvm-tools will actually read /proc/self/maps to figure
       out where all its mappings are, and effectively do a specialized
       "mlockall()" in user space.  By not showing the guard page as part of
       the mapping (by just adding PAGE_SIZE to the start for grows-up
       pages), lvm-tools ends up not being aware of it.
     - by also teaching the _real_ mlock() functionality not to try to lock
       the guard page.
       That would just expand the mapping down to create a new guard page,
       so there really is no point in trying to lock it in place.
    It would perhaps be nice to show the guard page specially in
    /proc/<pid>/maps (or at least mark grow-down segments some way), but
    let's not open ourselves up to more breakage by user space from programs
    that depend on the exact details of the 'maps' file.
    Special thanks to Henrique de Moraes Holschuh for diving into lvm-tools
    source code to see what was going on with the whole new warning.
    [Note, for .27, only the /proc change is done, mlock is not modified
    here. - gregkh]
    Reported-and-tested-by: François Valenduc <>
    Reported-by: Henrique de Moraes Holschuh <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. mm: fix page table unmap for stack guard page properly

    torvalds committed with gregkh Aug 14, 2010
    commit 11ac552 upstream.
    We do in fact need to unmap the page table _before_ doing the whole
    stack guard page logic, because if it is needed (mainly 32-bit x86 with
    PAE and CONFIG_HIGHPTE, but other architectures may use it too) then it
    will do a kmap_atomic/kunmap_atomic.
    And those kmaps will create an atomic region that we cannot do
    allocations in.  However, the whole stack expand code will need to do
    anon_vma_prepare() and vma_lock_anon_vma() and they cannot do that in an
    atomic region.
    Now, a better model might actually be to do the anon_vma_prepare() when
    _creating_ a VM_GROWSDOWN segment, and not have to worry about any of
    this at page fault time.  But in the meantime, this is the
    straightforward fix for the issue.
    See for details.
    Reported-by: Wylda <>
    Reported-by: Sedat Dilek <>
    Reported-by: Mike Pagano <>
    Reported-by: François Valenduc <>
    Tested-by: Ed Tomlinson <>
    Cc: Pekka Enberg <>
    Cc: Greg KH <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. mm: pass correct mm when growing stack

    Hugh Dickins committed with gregkh Apr 16, 2009
    commit 05fa199 upstream.
    Tetsuo Handa reports seeing the WARN_ON(current->mm == NULL) in
    security_vm_enough_memory(), when do_execve() is touching the
    target mm's stack, to set up its args and environment.
    Yes, a UMH_NO_WAIT or UMH_WAIT_PROC call_usermodehelper() spawns
    an mm-less kernel thread to do the exec.  And in any case, that
    vm_enough_memory check when growing stack ought to be done on the
    target mm, not on the execer's mm (though apart from the warning,
    it only makes a slight tweak to OVERCOMMIT_NEVER behaviour).
    Reported-by: Tetsuo Handa <>
    Signed-off-by: Hugh Dickins <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. x86: don't send SIGBUS for kernel page faults

    gregkh committed Aug 13, 2010
    Based on commit 9605456 upstream,
    authored by Linus Torvalds.
    This is my backport to the .27 kernel tree, hopefully preserving
    the same functionality.
    Original commit message:
    	It's wrong for several reasons, but the most direct one is that the
    	fault may be for the stack accesses to set up a previous SIGBUS.  When
    	we have a kernel exception, the kernel exception handler does all the
    	fixups, not some user-level signal handler.
    	Even apart from the nested SIGBUS issue, it's also wrong to give out
    	kernel fault addresses in the signal handler info block, or to send a
    	SIGBUS when a system call already returns EFAULT.
    Cc: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. mm: fix missing page table unmap for stack guard page failure case

    torvalds committed with gregkh Aug 13, 2010
    commit 5528f91 upstream.
    .. which didn't show up in my tests because it's a no-op on x86-64 and
    most other architectures.  But we enter the function with the last-level
    page table mapped, and should unmap it at exit.
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. mm: keep a guard page below a grow-down stack segment

    torvalds committed with gregkh Aug 13, 2010
    commit 320b2b8 upstream.
    This is a rather minimally invasive patch to solve the problem of the
    user stack growing into a memory mapped area below it.  Whenever we fill
    the first page of the stack segment, expand the segment down by one
    Now, admittedly some odd application might _want_ the stack to grow down
    into the preceding memory mapping, and so we may at some point need to
    make this a process tunable (some people might also want to have more
    than a single page of guarding), but let's try the minimal approach
    Tested with trivial application that maps a single page just below the
    stack, and then starts recursing.  Without this, we will get a SIGSEGV
    _after_ the stack has smashed the mapping.  With this patch, we'll get a
    nice SIGBUS just as the stack touches the page just above the mapping.
    Requested-by: Keith Packard <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
Commits on Aug 13, 2010
  1. Linux

    gregkh committed Aug 13, 2010
  2. mm/backing-dev.c: remove recently-added WARN_ON()

    akpm00 committed with gregkh Dec 9, 2008
    commit 69fc208 upstream.
    On second thoughts, this is just going to disturb people while telling us
    things which we already knew.
    Cc: Peter Korsgaard <>
    Cc: Peter Zijlstra <>
    Cc: Kay Sievers <>
    Cc: David Woodhouse <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Cc: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. bdi: register sysfs bdi device only once per queue

    kaysievers committed with gregkh Dec 2, 2008
    commit f1d0b06 upstream.
    Devices which share the same queue, like floppies and mtd devices, get
    registered multiple times in the bdi interface, but bdi accounts only the
    last registered device of the devices sharing one queue.
    On remove, all earlier registered devices leak, stay around in sysfs, and
    cause "duplicate filename" errors if the devices are re-created.
    This prevents the creation of multiple bdi interfaces per queue, and the
    bdi device will carry the dev_t name of the block device which is the
    first one registered, of the pool of devices using the same queue.
    [ add a WARN_ON so we know which drivers are misbehaving]
    Tested-by: Peter Korsgaard <>
    Acked-by: Peter Zijlstra <>
    Signed-off-by: Kay Sievers <>
    Cc: David Woodhouse <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Cc: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. xen: drop xen_sched_clock in favour of using plain wallclock time

    Jeremy Fitzhardinge committed with gregkh Jul 12, 2010
    commit 8a22b99 upstream.
    xen_sched_clock only counts unstolen time.  In principle this should
    be useful to the Linux scheduler so that it knows how much time a process
    actually consumed.  But in practice this doesn't work very well as the
    scheduler expects the sched_clock time to be synchronized between
    cpus.  It also uses sched_clock to measure the time a task spends
    sleeping, in which case "unstolen time" isn't meaningful.
    So just use plain xen_clocksource_read to return wallclock nanoseconds
    for sched_clock.
    Signed-off-by: Jeremy Fitzhardinge <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. jfs: don't allow os2 xattr namespace overlap with others

    Dave Kleikamp committed with gregkh Aug 9, 2010
    commit aca0fa3 upstream.
    It's currently possible to bypass xattr namespace access rules by
    prefixing valid xattr names with "os2.", since the os2 namespace stores
    extended attributes in a legacy format with no prefix.
    This patch adds checking to deny access to any valid namespace prefix
    following "os2.".
    Signed-off-by: Dave Kleikamp <>
    Reported-by: Sergey Vlasov <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
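An added example, not the jfs code from this commit, modelling the check described above in C: a name in the legacy "os2." namespace is refused when the part after "os2." begins with a namespace prefix that carries its own access rules, and otherwise maps to the bare legacy name. The four prefix strings are the standard VFS xattr namespaces; the function and enum names are assumptions, as is rejecting an empty remainder.

```c
#include <stddef.h>
#include <string.h>

#define XATTR_OS2_PREFIX "os2."

/* Namespaces whose names carry their own VFS access rules. These four
 * prefix strings are the standard Linux xattr namespaces. */
static const char *const known_prefixes[] = {
    "system.", "user.", "security.", "trusted.",
};

enum os2_verdict { OS2_NOT_OS2 = -1, OS2_DENY = 0, OS2_ALLOW = 1 };

/* Nonzero if name begins with one of the guarded namespace prefixes. */
static int is_known_namespace(const char *name)
{
    size_t i;

    for (i = 0; i < sizeof(known_prefixes) / sizeof(known_prefixes[0]); i++)
        if (strncmp(name, known_prefixes[i], strlen(known_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Decide whether an "os2." xattr name may be used and, if so, which legacy
 * (unprefixed) name it maps to on disk. With the prefix simply stripped,
 * "os2.user.foo" would reach the legacy store as "user.foo" without the
 * user-namespace rules being applied; such names are denied here. An empty
 * remainder is also denied (an assumption of this example, not from the commit). */
enum os2_verdict check_os2_xattr(const char *name, const char **legacy_name)
{
    size_t plen = strlen(XATTR_OS2_PREFIX);

    if (legacy_name)
        *legacy_name = NULL;
    if (strncmp(name, XATTR_OS2_PREFIX, plen) != 0)
        return OS2_NOT_OS2;      /* handled by the normal namespace rules */
    name += plen;
    if (*name == '\0' || is_known_namespace(name))
        return OS2_DENY;
    if (legacy_name)
        *legacy_name = name;
    return OS2_ALLOW;
}
```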
  6. signalfd: fill in ssi_int for posix timers and message queues

    nathanlynch committed with gregkh Aug 11, 2010
    commit a2a20c4 upstream.
    If signalfd is used to consume a signal generated by a POSIX interval
    timer or POSIX message queue, the ssi_int field does not reflect the data
    (sigevent->sigev_value) supplied to timer_create(2) or mq_notify(3).  (The
    ssi_ptr field, however, is filled in.)
    This behavior differs from signalfd's treatment of sigqueue-generated
    signals -- see the default case in signalfd_copyinfo.  It also gives
    results that differ from the case when a signal is handled conventionally
    via a sigaction-registered handler.
    So, set signalfd_siginfo->ssi_int in the remaining cases (__SI_TIMER,
    __SI_MESGQ) where ssi_ptr is set.
    akpm: a non-back-compatible change.  Merge into -stable to minimise the
    number of kernels which are in the field and which miss this feature.
    Signed-off-by: Nathan Lynch <>
    Acked-by: Davide Libenzi <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. fs/ecryptfs/file.c: introduce missing free

    JuliaLawall committed with gregkh Aug 6, 2010
    commit ceeab92 upstream.
    The comments in the code indicate that file_info should be released if the
    function fails.  This releasing is done at the label out_free, not out.
    The semantic match that finds this problem is as follows:
    // <smpl>
    @r exists@
    local idexpression x;
    statement S;
    expression E;
    identifier f,f1,l;
    position p1,p2;
    expression *ptr != NULL;
    @@

    x@p1 = kmem_cache_zalloc(...);
    ...
    if (x == NULL) S
    <... when != x
         when != if (...) { <+...x...+> }
    (
    x->f1 = E
    |
     (x->f1 == NULL || ...)
    |
     f(...,x->f1,...)
    )
    ...>
    (
     return \(0\|<+...x...+>\|ptr\);
    |
     return@p2 ...;
    )

    @script:python@
    p1 << r.p1;
    p2 << r.p2;
    @@

    print "* file: %s kmem_cache_zalloc %s" % (p1[0].file,p1[0].line)
    // </smpl>
    Signed-off-by: Julia Lawall <>
    Signed-off-by: Tyler Hicks <>
    Signed-off-by: Greg Kroah-Hartman <>