Commits on Apr 15, 2011
  1. @gregkh

    Linux 2.6.32.38

    gregkh authored
  2. @gregkh

    Revert "net: fix rds_iovec page count overflow"

    gregkh authored
    This reverts commit bd378dd (originally
    commit 1b1f693 upstream).
    
    I messed it up in backporting it to the .32-stable kernel, so revert it
    for now and try it again the next review cycle.
    
    Cc: Thomas Pollet <thomas.pollet@gmail.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Andy Grover <andy.grover@oracle.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Apr 14, 2011
  1. @gregkh

    Linux 2.6.32.37

    gregkh authored
  2. @gregkh

    xfs: zero proper structure size for geometry calls

    Alex Elder authored gregkh committed
    commit af24ee9 upstream.
    
    Commit 493f335 added this call to
    xfs_fs_geometry() in order to avoid passing kernel stack data back
    to user space:
    
    +       memset(geo, 0, sizeof(*geo));
    
    Unfortunately, one of the callers of that function passes the
    address of a smaller data type, cast to fit the type that
    xfs_fs_geometry() requires.  As a result, this can happen:
    
    Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
    in: f87aca93
    
    Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
    Call Trace:
    
    [<c12991ac>] ? panic+0x50/0x150
    [<c102ed71>] ? __stack_chk_fail+0x10/0x18
    [<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
    
    Fix this by fixing that one caller to pass the right type and then
    copy out the subset it is interested in.
    
    Note: This patch is an alternative to one originally proposed by
    Eric Sandeen.
    
    Reported-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
    Signed-off-by: Alex Elder <aelder@sgi.com>
    Reviewed-by: Eric Sandeen <sandeen@redhat.com>
    Tested-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @torvalds @gregkh

    net: fix rds_iovec page count overflow

    torvalds authored gregkh committed
    commit 1b1f693 upstream.
    
    As reported by Thomas Pollet, the rdma page counting can overflow.  We
    get the rdma sizes in 64-bit unsigned entities, but then limit it to
    UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
    an unaligned address).
    
    So each individual page count fits comfortably in an 'unsigned int' (not
    even close to overflowing into signed), but as they are added up, they
    might end up resulting in a signed return value. Which would be wrong.
    
    Catch the case of tot_pages turning negative, and return the appropriate
    error code.
    
    Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Andy Grover <andy.grover@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
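The arithmetic this commit guards is easy to reproduce outside the kernel. The block below is an added userspace model, not the rds code itself: it assumes 4 KiB pages and a stand-in for struct rds_iovec, caps a single vector at UINT_MAX bytes exactly as the commit describes, and then sums the per-vector page counts into an int. The kernel fix tests tot_pages for negativity after the add, which is valid under the kernel's -fno-strict-overflow build; plain userspace C treats signed overflow as undefined, so this model checks the bound before adding instead. 2047 maximal vectors (2^20 pages each) fit in an int, the 2048th does not.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed 4 KiB pages, as on x86; the kernel uses PAGE_SHIFT/PAGE_SIZE. */
#define MODEL_PAGE_SHIFT 12
#define MODEL_PAGE_SIZE  ((uint64_t)1 << MODEL_PAGE_SHIFT)

/* Userspace stand-in for struct rds_iovec: a 64-bit address and byte count. */
struct rds_iovec_model {
    uint64_t addr;
    uint64_t bytes;
};

/*
 * Pages spanned by one vector. Returns 0 (meaning "reject") when addr+bytes
 * wraps or bytes exceeds UINT_MAX, so one entry yields at most
 * (UINT_MAX >> PAGE_SHIFT) + 1 pages and always fits an unsigned int.
 */
unsigned int pages_in_vec(const struct rds_iovec_model *vec)
{
    if (vec->addr + vec->bytes <= vec->addr || vec->bytes > (uint64_t)UINT_MAX)
        return 0;
    return (unsigned int)(((vec->addr + vec->bytes + MODEL_PAGE_SIZE - 1) >> MODEL_PAGE_SHIFT)
                          - (vec->addr >> MODEL_PAGE_SHIFT));
}

/* Convenience wrapper: page count for an (addr, bytes) pair. */
unsigned int pages_for(uint64_t addr, uint64_t bytes)
{
    struct rds_iovec_model v = { addr, bytes };
    return pages_in_vec(&v);
}

/*
 * Sum the per-vector page counts into the int the caller expects. Each
 * addend fits an unsigned int, but enough maximal vectors push the sum past
 * INT_MAX. Checking the headroom before the add keeps the model free of
 * signed-overflow UB while rejecting exactly the cases the kernel rejects.
 */
int rds_rdma_pages_checked(const struct rds_iovec_model *iov, size_t nr_iovecs)
{
    int tot_pages = 0;

    for (size_t i = 0; i < nr_iovecs; i++) {
        unsigned int nr_pages = pages_in_vec(&iov[i]);
        if (nr_pages == 0)
            return -EINVAL;
        if (nr_pages > (unsigned int)(INT_MAX - tot_pages))
            return -EINVAL;          /* total would turn negative: reject */
        tot_pages += (int)nr_pages;
    }
    return tot_pages;
}

/*
 * Experiment helper: n identical maximal vectors (addr 0, UINT_MAX bytes,
 * 2^20 pages each). 2047 of them total 2146435072 pages; 2048 exceed INT_MAX.
 */
int total_for_max_vectors(size_t n)
{
    struct rds_iovec_model *iov = malloc(n * sizeof *iov);
    int res;

    if (!iov)
        return -ENOMEM;
    for (size_t i = 0; i < n; i++) {
        iov[i].addr = 0;
        iov[i].bytes = UINT_MAX;
    }
    res = rds_rdma_pages_checked(iov, n);
    free(iov);
    return res;
}
```

The unaligned "+1" the commit mentions shows up in pages_for(0xFFF, 2), which spans two pages for a two-byte transfer; a wrapping addr+bytes is rejected outright rather than producing a bogus small count.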
  4. @utrace @gregkh

    exec: copy-and-paste the fixes into compat_do_execve() paths

    utrace authored gregkh committed
    commit 114279b upstream.
    
    Note: this patch targets 2.6.37 and tries to be as simple as possible.
    That is why it adds more copy-and-paste horror into fs/compat.c and
    uglifies fs/exec.c, this will be cleaned up later.
    
    compat_copy_strings() plays with bprm->vma/mm directly and thus has
    two problems: it lacks the RLIMIT_STACK check and argv/envp memory
    is not visible to oom killer.
    
    Export acct_arg_size() and get_arg_page(), change compat_copy_strings()
    to use get_arg_page(), change compat_do_execve() to do acct_arg_size(0)
    as do_execve() does.
    
    Add the fatal_signal_pending/cond_resched checks into compat_count() and
    compat_copy_strings(), this matches the code in fs/exec.c and certainly
    makes sense.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @utrace @gregkh

    exec: make argv/envp memory visible to oom-killer

    utrace authored gregkh committed
    commit 3c77f84 upstream.
    
    Brad Spengler published a local memory-allocation DoS that
    evades the OOM-killer (though not the virtual memory RLIMIT):
    http://www.grsecurity.net/~spender/64bit_dos.c
    
    execve()->copy_strings() can allocate a lot of memory, but
    this is not visible to oom-killer, nobody can see the nascent
    bprm->mm and take it into account.
    
    With this patch get_arg_page() increments current's MM_ANONPAGES
    counter every time we allocate the new page for argv/envp. When
    do_execve() succeeds or fails, we change this counter back.
    
    Technically this is not 100% correct, we can't know if the new
    page is swapped out and turn MM_ANONPAGES into MM_SWAPENTS, but
    I don't think this really matters and everything becomes correct
    once exec changes ->mm or fails.
    
    Reported-by: Brad Spengler <spender@grsecurity.net>
    Reviewed-and-discussed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @gregkh

    CAN: Use inode instead of kernel address for /proc file

    Dan Rosenberg authored gregkh committed
    commit 9f260e0 upstream.
    
    Since the socket address is just being used as a unique identifier, its
    inode number is an alternative that does not leak potentially sensitive
    information.
    
    CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. @gregkh

    irda: prevent integer underflow in IRLMP_ENUMDEVICES

    Dan Rosenberg authored gregkh committed
    commit fdac1e0 upstream.
    
    If the user-provided len is less than the expected offset, the
    IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
    size value.  While this isn't a security issue on x86 because it will
    get caught by the access_ok() check, it may leak large amounts of kernel
    heap on other architectures.  In any event, this patch fixes it.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @davem330 @gregkh

    econet: Fix crash in aun_incoming().

    davem330 authored gregkh committed
    commit 4e085e7 upstream.
    
    Unconditional use of skb->dev won't work here,
    try to fetch the econet device via skb_dst()->dev
    instead.
    
    Suggested by Eric Dumazet.
    
    Reported-by: Nelson Elhage <nelhage@ksplice.com>
    Tested-by: Nelson Elhage <nelhage@ksplice.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    [jmm: Slightly adapted for 2.6.32]
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  9. @nelhage @gregkh

    inet_diag: Make sure we actually run the same bytecode we audited.

    nelhage authored gregkh committed
    commit 22e76c8 upstream.
    
    We were using nlmsg_find_attr() to look up the bytecode by attribute when
    auditing, but then just using the first attribute when actually running
    bytecode. So, if we received a message with two attribute elements, where only
    the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
    bytecode strings.
    
    Fix this by consistently using nlmsg_find_attr everywhere.
    
    Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
    Signed-off-by: Thomas Graf <tgraf@infradead.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [jmm: Slightly adapted to apply against 2.6.32]
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
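The bug class here is a validate/use mismatch: the object that was audited is not the object that was executed. The block below is an added model written for this page, not the inet_diag code: it uses a netlink-like attribute stream (16-bit length covering header and payload, 16-bit type, 4-byte alignment), hypothetical type numbers and a one-opcode toy "bytecode" whose audit accepts only OP_ACCEPT. The pre-fix dispatch audits the attribute found by type but runs the first attribute; the fixed dispatch uses one lookup for both.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Netlink-style attribute header; len covers header plus payload. */
struct attr_hdr { uint16_t len; uint16_t type; };
#define ATTR_HDRLEN   ((size_t)sizeof(struct attr_hdr))
#define ATTR_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)

enum { ATTR_OTHER = 1, ATTR_REQ_BYTECODE = 2 };   /* hypothetical type numbers */
enum { OP_ACCEPT = 0x01 };                         /* the only opcode the toy audit allows */

/* Offset of the first attribute (what the pre-fix run path used), or -1. */
long first_attr(const uint8_t *buf, size_t len)
{
    struct attr_hdr h;
    if (len < ATTR_HDRLEN) return -1;
    memcpy(&h, buf, ATTR_HDRLEN);
    if (h.len < ATTR_HDRLEN || h.len > len) return -1;
    return 0;
}

/* Offset of the first attribute of the requested type (nlmsg_find_attr analogue), or -1. */
long find_attr(const uint8_t *buf, size_t len, uint16_t type)
{
    size_t off = 0;
    while (off + ATTR_HDRLEN <= len) {
        struct attr_hdr h;
        memcpy(&h, buf + off, ATTR_HDRLEN);
        if (h.len < ATTR_HDRLEN || h.len > len - off) return -1;
        if (h.type == type) return (long)off;
        off += ATTR_ALIGN(h.len);
    }
    return -1;
}

static size_t payload_len(const uint8_t *buf, long off)
{
    struct attr_hdr h;
    memcpy(&h, buf + off, ATTR_HDRLEN);
    return h.len - ATTR_HDRLEN;
}

/* Toy audit: a program is valid only if it is the single opcode OP_ACCEPT. */
int audit_bytecode(const uint8_t *code, size_t n)
{
    return n == 1 && code[0] == OP_ACCEPT;
}

/* Pre-fix shape: audit the attribute found by type, run the first attribute.
   Returns the opcode actually executed, or -1 if the audit rejected. */
int dispatch_prefix(const uint8_t *msg, size_t len)
{
    long a = find_attr(msg, len, ATTR_REQ_BYTECODE);
    long r;
    if (a < 0 || !audit_bytecode(msg + a + ATTR_HDRLEN, payload_len(msg, a))) return -1;
    r = first_attr(msg, len);
    if (r < 0) return -1;
    return msg[r + ATTR_HDRLEN];   /* runs whatever sits in the first attribute */
}

/* Fixed shape: the same lookup feeds both audit and run. */
int dispatch_fixed(const uint8_t *msg, size_t len)
{
    long a = find_attr(msg, len, ATTR_REQ_BYTECODE);
    if (a < 0 || !audit_bytecode(msg + a + ATTR_HDRLEN, payload_len(msg, a))) return -1;
    return msg[a + ATTR_HDRLEN];
}

/* Constructed message: attribute 1 is ATTR_OTHER carrying opcode 0xFF,
   attribute 2 is ATTR_REQ_BYTECODE carrying OP_ACCEPT. Needs 16 bytes. */
size_t build_two_attr_msg(uint8_t *out)
{
    struct attr_hdr h1 = { (uint16_t)(ATTR_HDRLEN + 1), ATTR_OTHER };
    struct attr_hdr h2 = { (uint16_t)(ATTR_HDRLEN + 1), ATTR_REQ_BYTECODE };
    memset(out, 0, 16);
    memcpy(out, &h1, ATTR_HDRLEN);     out[4]  = 0xFF;
    memcpy(out + 8, &h2, ATTR_HDRLEN); out[12] = OP_ACCEPT;
    return 16;
}

int run_prefix_demo(void) { uint8_t m[16]; size_t n = build_two_attr_msg(m); return dispatch_prefix(m, n); }
int run_fixed_demo(void)  { uint8_t m[16]; size_t n = build_two_attr_msg(m); return dispatch_fixed(m, n); }
```

With the two-attribute message the pre-fix path passes audit on OP_ACCEPT and then executes 0xFF, which was never audited; the fixed path executes exactly what it audited.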
  10. @segoon @gregkh

    net: tipc: fix information leak to userland

    segoon authored gregkh committed
    commit 88f8a5e upstream.
    
    Structure sockaddr_tipc is copied to userland with padding bytes after
    "id" field in union field "name" uninitialized.  It leads to leaking of
    contents of kernel stack memory.  We have to initialize them to zero.
    
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  11. @gregkh

    nfsd: fix auth_domain reference leak on nlm operations

    J. Bruce Fields authored gregkh committed
    commit 954032d upstream.
    
    This was noticed by users who performed more than 2^32 lock operations
    and hence made this counter overflow (eventually leading to
    use-after-free's).  Setting rq_client to NULL here means that it won't
    later get auth_domain_put() when it should be.
    
    Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth
    domain lookup into svcauth" which moved most of the rq_client handling
    to common svcauth code, but left behind this one line.
    
    Cc: Neil Brown <neilb@suse.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  12. @YANGYongqiang @gregkh

    ext4: fix credits computing for indirect mapped files

    YANGYongqiang authored gregkh committed
    commit 5b41395 upstream.
    
    When writing a contiguous set of blocks, two indirect blocks could be
    needed depending on how the blocks are aligned, so we need to increase
    the number of credits needed by one.
    
    [ Also fixed another bug which could further underestimate the
      number of journal credits needed by 1; the code was using integer
      division instead of DIV_ROUND_UP() -- tytso]
    
    Signed-off-by: Yongqiang Yang <xiaoqiangnk@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  13. @segoon @gregkh

    net: packet: fix information leak to userland

    segoon authored gregkh committed
    commit 6728664 upstream.
    
    packet_getname_spkt() doesn't initialize all members of sa_data field of
    sockaddr struct if strlen(dev->name) < 13.  This structure is then copied
    to userland.  It leads to leaking of contents of kernel stack memory.
    We have to fully fill sa_data with strncpy() instead of strlcpy().
    
    The same with packet_getname(): it doesn't initialize sll_pkttype field of
    sockaddr_ll.  Set it to zero.
    
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    [jmm: Backported to 2.6.32]
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
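The tipc, packet and ax25 commits above are the same defect in three places: a fixed-size address structure is built on the stack, only some of its bytes are written, and the whole thing is copied to userland. The block below is an added userspace illustration, not the kernel's code. It pre-fills the destination with a sentinel byte standing in for stale stack contents, then contrasts strlcpy (writes only up to the NUL, which is what packet_getname_spkt() did) with strncpy (pads the rest of the 14-byte sa_data with NULs, the fix), and shows the memset-first pattern for a hypothetical struct whose member-wise initialization skips its padding. strlcpy is defined locally because glibc only added it in 2.38.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SA_DATA_LEN 14     /* size of sa_data in struct sockaddr */
#define STALE 0xAA         /* sentinel standing in for leftover kernel stack contents */

/* Minimal strlcpy with kernel/BSD semantics: at most size-1 bytes, always
   NUL-terminated, nothing written past the terminator. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Bytes of buf still holding the sentinel: these would leave the kernel uninitialized. */
size_t stale_bytes(const unsigned char *buf, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE)
            c++;
    return c;
}

/* 'Before': fill sa_data with strlcpy. For a short interface name everything
   after the NUL is whatever the stack held. Returns the number of leaked bytes. */
size_t sa_data_leaky(const char *ifname)
{
    unsigned char out[SA_DATA_LEN];
    memset(out, STALE, sizeof out);              /* simulate stale stack */
    my_strlcpy((char *)out, ifname, sizeof out);
    return stale_bytes(out, sizeof out);
}

/* 'After': strncpy pads the remainder of the fixed-size field with NULs.
   sa_data is a 14-byte field, not a C string: a 14+ character name is
   not NUL-terminated, and the receiver must treat it as fixed-size. */
size_t sa_data_fixed(const char *ifname)
{
    unsigned char out[SA_DATA_LEN];
    memset(out, STALE, sizeof out);
    strncpy((char *)out, ifname, sizeof out);
    return stale_bytes(out, sizeof out);
}

/* Hypothetical address struct modelled on the tipc/ax25 cases: a 1-byte member
   followed by a 4-byte one leaves 3 padding bytes that member-wise stores never touch. */
struct padded_addr {
    uint8_t  family;
    uint32_t id;
};

/* Member-wise init only. The C standard leaves padding unspecified, so the
   result is not asserted, but in practice GCC/Clang leave the sentinel in place. */
size_t padded_leaky(void)
{
    struct padded_addr a;
    unsigned char raw[sizeof a];
    memset(&a, STALE, sizeof a);
    a.family = 1;
    a.id = 42;
    memcpy(raw, &a, sizeof a);
    return stale_bytes(raw, sizeof a);
}

/* Fixed: zero the whole object before assigning members, then copy it out. */
size_t padded_fixed(void)
{
    struct padded_addr a;
    unsigned char raw[sizeof a];
    memset(&a, STALE, sizeof a);   /* stale stack, as above */
    memset(&a, 0, sizeof a);       /* the fix */
    a.family = 1;
    a.id = 42;
    memcpy(raw, &a, sizeof a);
    return stale_bytes(raw, sizeof a);
}
```

For "eth0" the strlcpy version writes five bytes and leaves nine of the fourteen untouched; strncpy leaves none. Either memset on the whole object or a full-width copy is needed, because field-by-field assignment never reaches padding.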
  14. @segoon @gregkh

    net: ax25: fix information leak to userland

    segoon authored gregkh committed
    commit fe10ae5 upstream.
    
    Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
    field of fsa struct, also the struct has padding bytes between
    sax25_call and sax25_ndigis fields.  This structure is then copied to
    userland.  It leads to leaking of contents of kernel stack memory.
    
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  15. @pprindeville @gregkh

    atm/solos-pci: Don't include frame pseudo-header on transmit hex-dump

    pprindeville authored gregkh committed
    commit 18b429e upstream.
    
    Omit pkt_hdr preamble when dumping transmitted packet as hex-dump;
    we can pull this up because the frame has already been sent, and
    dumping it is the last thing we do with it before freeing it.
    
    Also include the size, vpi, and vci in the debug as is done on
    receive.
    
    Use "port" consistently instead of "device" intermittently.
    
    Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  16. @gregkh

    sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set

    Wei Yongjun authored gregkh committed
    commit a8170c3 upstream.
    
    When calculating the INIT/INIT-ACK chunk length, we should not
    only account the length of parameters, but also the parameters
    zero padding length, such as AUTH HMACS parameter and CHUNKS
    parameter. Without the parameters zero padding length we may get
    following oops.
    
    skb_over_panic: text:ce2068d2 len:130 put:6 head:cac3fe00 data:cac3fe00 tail:0xcac3fe82 end:0xcac3fe80 dev:<NULL>
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:127!
    invalid opcode: 0000 [#2] SMP
    last sysfs file: /sys/module/aes_generic/initstate
    Modules linked in: authenc ......
    
    Pid: 4102, comm: sctp_darn Tainted: G      D    2.6.34-rc2 #6
    EIP: 0060:[<c0607630>] EFLAGS: 00010282 CPU: 0
    EIP is at skb_over_panic+0x37/0x3e
    EAX: 00000078 EBX: c07c024b ECX: c07c02b9 EDX: cb607b78
    ESI: 00000000 EDI: cac3fe7a EBP: 00000002 ESP: cb607b74
     DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
    Process sctp_darn (pid: 4102, ti=cb607000 task=cabdc990 task.ti=cb607000)
    Stack:
     c07c02b9 ce2068d2 00000082 00000006 cac3fe00 cac3fe00 cac3fe82 cac3fe80
    <0> c07c024b cac3fe7c cac3fe7a c0608dec ca986e80 ce2068d2 00000006 0000007a
    <0> cb8120ca ca986e80 cb812000 00000003 cb8120c4 ce208a25 cb8120ca cadd9400
    Call Trace:
     [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
     [<c0608dec>] ? skb_put+0x2e/0x32
     [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
     [<ce208a25>] ? sctp_make_init+0x279/0x28c [sctp]
     [<c0686a92>] ? apic_timer_interrupt+0x2a/0x30
     [<ce1fdc0b>] ? sctp_sf_do_prm_asoc+0x2b/0x7b [sctp]
     [<ce202823>] ? sctp_do_sm+0xa0/0x14a [sctp]
     [<ce2133b9>] ? sctp_pname+0x0/0x14 [sctp]
     [<ce211d72>] ? sctp_primitive_ASSOCIATE+0x2b/0x31 [sctp]
     [<ce20f3cf>] ? sctp_sendmsg+0x7a0/0x9eb [sctp]
     [<c064eb1e>] ? inet_sendmsg+0x3b/0x43
     [<c04244b7>] ? task_tick_fair+0x2d/0xd9
     [<c06031e1>] ? sock_sendmsg+0xa7/0xc1
     [<c0416afe>] ? smp_apic_timer_interrupt+0x6b/0x75
     [<c0425123>] ? dequeue_task_fair+0x34/0x19b
     [<c0446abb>] ? sched_clock_local+0x17/0x11e
     [<c052ea87>] ? _copy_from_user+0x2b/0x10c
     [<c060ab3a>] ? verify_iovec+0x3c/0x6a
     [<c06035ca>] ? sys_sendmsg+0x186/0x1e2
     [<c042176b>] ? __wake_up_common+0x34/0x5b
     [<c04240c2>] ? __wake_up+0x2c/0x3b
     [<c057e35c>] ? tty_wakeup+0x43/0x47
     [<c04430f2>] ? remove_wait_queue+0x16/0x24
     [<c0580c94>] ? n_tty_read+0x5b8/0x65e
     [<c042be02>] ? default_wake_function+0x0/0x8
     [<c0604e0e>] ? sys_socketcall+0x17f/0x1cd
     [<c040264c>] ? sysenter_do_call+0x12/0x22
    Code: 0f 45 de 53 ff b0 98 00 00 00 ff b0 94 ......
    EIP: [<c0607630>] skb_over_panic+0x37/0x3e SS:ESP 0068:cb607b74
    
    To reproduce:
    
    # modprobe sctp
    # echo 1 > /proc/sys/net/sctp/addip_enable
    # echo 1 > /proc/sys/net/sctp/auth_enable
    # sctp_test -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 800 -l
    # sctp_darn -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 900 -h 192.168.0.21 -p 800 -I -s -t
    sctp_darn ready to send...
    3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.0.21
    3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.1.21
    3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> snd=10
    
    ------------------------------------------------------------------
    eth0 has addresses: 3ffe:501:ffff:100:20c:29ff:fe4d:f37e and 192.168.0.21
    eth1 has addresses: 192.168.1.21
    ------------------------------------------------------------------
    
    Reported-by: George Cheimonidis <gchimon@gmail.com>
    Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  17. @plougher @gregkh

    Squashfs: handle corruption of directory structure

    plougher authored gregkh committed
    commit 44cff8a upstream.
    
    Handle the rare case where a directory metadata block is uncompressed and
    corrupted, leading to a kernel oops in directory scanning (memcpy).
    Normally corruption is detected at the decompression stage and dealt with
    then, however, this will not happen if:
    
    - metadata isn't compressed (users can optionally request no metadata
      compression), or
    - the compressed metadata block was larger than the original, in which
      case the uncompressed version was used, or
    - the data was corrupt after decompression
    
    This patch fixes this by adding some sanity checks against known maximum
    values.
    
    Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  18. @gregkh

    Revert "x86: Cleanup highmap after brk is concluded"

    gregkh authored
    This reverts upstream commit e5f15b4
    
    It caused problems in the stable tree and should not have been there.
    
    Cc: Yinghai Lu <yinghai@kernel.org>
    Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  19. @kamalesh-babulal @gregkh

    powerpc: Fix default_machine_crash_shutdown #ifdef botch

    kamalesh-babulal authored gregkh committed
    powerpc: Fix default_machine_crash_shutdown #ifdef botch
    
    Commit: c2be054 upstream
    
    crash_kexec_wait_realmode() is defined only if CONFIG_PPC_STD_MMU_64
    and CONFIG_SMP, but is called if CONFIG_PPC_STD_MMU_64 even if !CONFIG_SMP.
    Fix the conditional compilation around the invocation.
    
    Reported-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Acked-by: Michael Neuling <mikey@neuling.org>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
    cc: Anton Blanchard <anton@samba.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  20. @kamalesh-babulal @gregkh

    powerpc/kexec: Add ifdef CONFIG_PPC_STD_MMU_64 to PPC64 code

    kamalesh-babulal authored gregkh committed
    powerpc/kexec: Add ifdef CONFIG_PPC_STD_MMU_64 to PPC64 code
    
    This patch introduces PPC64 specific #ifdef bits from the upstream
    commit: b3df895.
    
    Reported-and-tested-by: dann frazier <dannf@dannf.org>
    Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
    Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
    cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    cc: Anton Blanchard <anton@samba.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  21. @gregkh

    x86, microcode, AMD: Extend ucode size verification

    Borislav Petkov authored gregkh committed
    Upstream commit: 44d60c0
    
    The different families have a different max size for the ucode patch,
    adjust size checking to the family we're running on. Also, do not
    vzalloc the max size of the ucode but only the actual size that is
    passed on from the firmware loader.
    
    Cc: <stable@kernel.org>
    Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  22. @reasand @gregkh

    x86, amd-ucode: Remove needless log messages

    reasand authored gregkh committed
    Upstream commit: 6e18da7
    
    Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
    Cc: Borislav Petkov <borislav.petkov@amd.com>
    LKML-Reference: <20091029134742.GD30802@alberich.amd.com>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  23. @gregkh

    gro: reset skb_iif on reuse

    Andy Gospodarek authored gregkh committed
    commit 6d152e2 upstream.
    
    Like Herbert's change from a few days ago:
    
    66c46d7 gro: Reset dev pointer on reuse
    
    this may not be necessary at this point, but we should still clean up
    the skb->skb_iif.  If not we may end up with an invalid value for
    skb->skb_iif when the skb is reused and the check is done in
    __netif_receive_skb.
    
    Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brandon Philips <bphilips@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  24. @herbertx @gregkh

    gro: Reset dev pointer on reuse

    herbertx authored gregkh committed
    commit 66c46d7 upstream.
    
    On older kernels the VLAN code may zero skb->dev before dropping
    it and causing it to be reused by GRO.
    
    Unfortunately we didn't reset skb->dev in that case which causes
    the next GRO user to get a bogus skb->dev pointer.
    
    This particular problem no longer happens with the current upstream
    kernel due to changes in VLAN processing.
    
    However, for correctness we should still reset the skb->dev pointer
    in the GRO reuse function in case a future user does the same thing.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brandon Philips <bphilips@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  25. @jwessel @gregkh

    repair gdbstub to match the gdbserial protocol specification

    jwessel authored gregkh committed
    commit fb82c0f upstream.
    
    The gdbserial protocol handler should return an empty packet instead
    of an error string when ever it responds to a command it does not
    implement.
    
    The problem cases come from a debugger client sending
    qTBuffer, qTStatus, qSearch, qSupported.
    
    The incorrect response from the gdbstub leads the debugger clients to
    not function correctly.  Recent versions of gdb will not detach correctly as a result of this behavior.
    
    Backport-request-by: Frank Pan <frankpzh@gmail.com>
    Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
    Signed-off-by: Dongdong Deng <dongdong.deng@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  26. @segoon @gregkh

    sound: oss: midi_synth: check get_user() return value

    segoon authored gregkh committed
    commit b3390ce upstream.
    
    get_user() may fail, if so return -EFAULT.
    
    Signed-off-by: Kulikov Vasiliy <segooon@gmail.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  27. @gregkh

    sound/oss: remove offset from load_patch callbacks

    Dan Rosenberg authored gregkh committed
    commit b769f49 upstream.
    
    Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
    uninitialized value, and signedness issue
    
    The offset passed to midi_synth_load_patch() can be essentially
    arbitrary.  If it's greater than the header length, this will result in
    a copy_from_user(dst, src, negative_val).  While this will just return
    -EFAULT on x86, on other architectures this may cause memory corruption.
    Additionally, the length field of the sysex_info structure may not be
    initialized prior to its use.  Finally, a signed comparison may result
    in an unintentionally large loop.
    
    On suggestion by Takashi Iwai, version two removes the offset argument
    from the load_patch callbacks entirely, which also resolves similar
    issues in opl3.  Compile tested only.
    
    v3 adjusts comments and hopefully gets copy offsets right.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
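This commit and the irda IRLMP_ENUMDEVICES fix earlier on the page share one shape: a user-controlled length is subtracted from, or has subtracted from it, a fixed header size, and when the ordering assumption fails the unsigned result wraps to an enormous copy size. The block below is an added userspace model, not either driver's code. The header and entry sizes are hypothetical; only their relationship matters. The unchecked function reproduces the pre-fix irda arithmetic (clamp total to len, then subtract the header), the checked one rejects len smaller than the header before any subtraction and keeps the entry cap so the multiply cannot wrap either, and header_tail_len shows the mirror-image midi_synth case of an offset larger than the header.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout for a header-plus-entries reply like IRLMP_ENUMDEVICES. */
#define LIST_HDR_LEN 8      /* bytes before the first entry (the irda code's 'offset') */
#define ENTRY_LEN    16     /* one device entry */
#define MAX_ENTRIES  2048   /* cap on the entry count, as the irda code already had */

/*
 * Pre-fix arithmetic: total is clamped to the user-supplied len, then the
 * header length is subtracted to get the entry bytes. When len < LIST_HDR_LEN
 * the clamp makes total smaller than the header and total - LIST_HDR_LEN wraps
 * to a huge size_t, which is the value that reached copy_to_user().
 */
size_t entry_bytes_unchecked(size_t len, size_t n_entries)
{
    size_t total = LIST_HDR_LEN + n_entries * ENTRY_LEN;
    if (total > len)
        total = len;
    return total - LIST_HDR_LEN;
}

/*
 * Fixed: refuse a length that cannot even hold the header before subtracting,
 * and bound n_entries so the multiplication cannot wrap. Returns 0 or -EINVAL.
 */
int entry_bytes_checked(size_t len, size_t n_entries, size_t *out)
{
    size_t total;
    if (n_entries > MAX_ENTRIES)
        return -EINVAL;
    if (len < LIST_HDR_LEN)
        return -EINVAL;
    total = LIST_HDR_LEN + n_entries * ENTRY_LEN;
    if (total > len)
        total = len;
    *out = total - LIST_HDR_LEN;
    return 0;
}

/* Test helper: entry byte count on success, -EINVAL otherwise. */
long checked_demo(size_t len, size_t n_entries)
{
    size_t out;
    int err = entry_bytes_checked(len, n_entries, &out);
    return err ? err : (long)out;
}

/*
 * midi_synth shape: a user-chosen offset into a fixed-size header, followed by
 * copy_from_user(dst, src, hdr_len - offset). Same rule: compare before you
 * subtract. Returns the bytes to copy, or -EINVAL.
 */
long header_tail_len(size_t hdr_len, size_t offset)
{
    if (offset > hdr_len)
        return -EINVAL;
    return (long)(hdr_len - offset);
}
```

The check belongs on the inputs, not the result: once the subtraction has wrapped there is no reliable way to tell a huge legitimate size from a wrapped one, and on architectures without the x86 access_ok() backstop the copy proceeds.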
  28. @gregkh

    econet: 4 byte infoleak to the network

    Vasiliy Kulikov authored gregkh committed
    commit 67c5c6c upstream.
    
    struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
    x86_64.  These bytes are not initialized in the variable 'ah' before
    sending 'ah' to the network.  This leads to 4 bytes kernel stack
    infoleak.
    
    This bug was introduced before the git epoch.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  29. @gregkh

    drivers/misc/ep93xx_pwm.c: world-writable sysfs files

    Vasiliy Kulikov authored gregkh committed
    commit deb187e upstream.
    
    Don't allow everybody to change device settings.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Hartley Sweeten <hartleys@visionengravers.com>
    Cc: Matthieu Crapet <mcrapet@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  30. @gregkh

    drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file

    Vasiliy Kulikov authored gregkh committed
    commit 49d50fb upstream.
    
    Don't allow everybody to write to NVRAM.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Andy Sharp <andy.sharp@onstor.com>
    Cc: Alessandro Zummo <a.zummo@towertech.it>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  31. @gregkh

    mfd: ab3100: world-writable debugfs *_priv files

    Vasiliy Kulikov authored gregkh committed
    commit f8a0697 upstream.
    
    Don't allow everybody to change device hardware registers.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Linus Walleij <linus.walleij@stericsson.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  32. @gregkh

    ipv6: netfilter: ip6_tables: fix infoleak to userspace

    Vasiliy Kulikov authored gregkh committed
    commit 6a8ab06 upstream.
    
    Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.
    
    The first bug was introduced before the git epoch;  the second was
    introduced in 3bc3fe5 (v2.6.25-rc1);  the third was introduced by
    6b7d31f (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  33. @gregkh

    netfilter: ipt_CLUSTERIP: fix buffer overflow

    Vasiliy Kulikov authored gregkh committed
    commit 961ed18 upstream.
    
    'buffer' string is copied from userspace.  It is not checked whether it is
    zero terminated.  This may lead to overflow inside of simple_strtoul().
    Changli Gao suggested to copy not more than user supplied 'size' bytes.
    
    It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
    root writable only by default, however, on some setups permissions might be
    relaxed to e.g. network admin user.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Changli Gao <xiaosuo@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
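The ip6_tables and ipt_CLUSTERIP commits above both come down to treating user-supplied bytes as a C string without ensuring a terminator exists: %s in request_module() and simple_strtoul() each read until they find a NUL, wherever that happens to be. The block below is an added userspace model of both fixes, not the netfilter code. PROC_WRITELEN and NAME_LEN are hypothetical sizes, memcpy stands in for copy_from_user, and the "stale" bytes following the buffer in the pre-fix model are constructed. The fixed proc-write parser copies no more than min(size, PROC_WRITELEN) bytes and terminates at size, as the CLUSTERIP fix does; the name helper forces a terminator into the last byte of a fixed-size field before anything formats it with %s.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define PROC_WRITELEN 10    /* hypothetical fixed proc write buffer size */
#define NAME_LEN      16    /* hypothetical fixed-size name field passed to request_module("%s") */

/*
 * Fixed CLUSTERIP-style proc write: copy at most min(size, PROC_WRITELEN)
 * bytes and NUL-terminate at size, so strtoul can never run off the buffer.
 * Accepts "+N" (add node) or "-N" (remove node), N >= 1, optional trailing
 * newline. Returns 0 with *add/*node set, or -EINVAL.
 */
int clusterip_parse_write(const unsigned char *user, size_t size, int *add, unsigned long *node)
{
    char buffer[PROC_WRITELEN + 1];
    char *end;
    unsigned long n;

    if (size > PROC_WRITELEN)
        size = PROC_WRITELEN;
    memcpy(buffer, user, size);        /* copy_from_user stand-in */
    buffer[size] = '\0';               /* the fix: guaranteed terminator */

    if (size < 2 || (buffer[0] != '+' && buffer[0] != '-'))
        return -EINVAL;
    n = strtoul(buffer + 1, &end, 10);
    if (end == buffer + 1 || n == 0 || (*end != '\0' && *end != '\n'))
        return -EINVAL;
    *add = buffer[0] == '+';
    *node = n;
    return 0;
}

/* Test helper: node number parsed, or 0 if rejected. */
unsigned long demo_node(const unsigned char *user, size_t size)
{
    int add;
    unsigned long node;
    return clusterip_parse_write(user, size, &add, &node) == 0 ? node : 0;
}

/*
 * Pre-fix model: PROC_WRITELEN bytes copied regardless of size and no
 * terminator written. The bytes after the buffer (constructed here as "42",
 * standing in for uninitialized stack) are parsed as part of the number.
 * The caller must supply at least PROC_WRITELEN bytes.
 */
unsigned long clusterip_parse_prefix_model(const unsigned char *user)
{
    char frame[PROC_WRITELEN + 3];     /* buffer plus adjacent 'stack' bytes */
    memcpy(frame, user, PROC_WRITELEN);
    frame[PROC_WRITELEN]     = '4';    /* constructed stale byte */
    frame[PROC_WRITELEN + 1] = '2';    /* constructed stale byte */
    frame[PROC_WRITELEN + 2] = '\0';   /* first NUL the parser finds */
    return strtoul(frame + 1, NULL, 10);
}

/*
 * ip6_tables-style fix for a fixed-size name copied from userspace: force a
 * terminator into the last byte before the field is ever used with "%s".
 * Returns the resulting string length, at most NAME_LEN - 1.
 */
size_t safe_name_len(const unsigned char src[NAME_LEN])
{
    char name[NAME_LEN];
    memcpy(name, src, NAME_LEN);       /* copy_from_user stand-in */
    name[NAME_LEN - 1] = '\0';         /* the fix */
    return strlen(name);
}
```

With the fixed parser "+000000001" yields node 1; the pre-fix model reads straight through into the constructed "42" and yields 142, which is the simple_strtoul() overrun the commit describes. A sixteen-byte name with no terminator comes back as fifteen characters rather than running on into whatever follows the field.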