Commits on Apr 14, 2011
  1. @gregkh

    Linux 2.6.38.3

    gregkh committed Apr 14, 2011
  2. @gregkh

    nfsd4: fix oops on lock failure

    commit 23fcf2e upstream.
    
    Lock stateid's can have access_bmap 0 if they were only partially
    initialized (due to a failed lock request); handle that case in
    free_generic_stateid.
    
    ------------[ cut here ]------------
    kernel BUG at fs/nfsd/nfs4state.c:380!
    invalid opcode: 0000 [#1] SMP
    last sysfs file: /sys/kernel/mm/ksm/run
    Modules linked in: nfs fscache md4 nls_utf8 cifs ip6table_filter ip6_tables ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat bridge stp llc nfsd lockd nfs_acl auth_rpcgss sunrpc ipv6 ppdev parport_pc parport pcnet32 mii pcspkr microcode i2c_piix4 BusLogic floppy [last unloaded: mperf]
    
    Pid: 1468, comm: nfsd Not tainted 2.6.38+ #120 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
    EIP: 0060:[<e24f180d>] EFLAGS: 00010297 CPU: 0
    EIP is at nfs4_access_to_omode+0x1c/0x29 [nfsd]
    EAX: ffffffff EBX: dd758120 ECX: 00000000 EDX: 00000004
    ESI: dd758120 EDI: ddfe657c EBP: dd54dde0 ESP: dd54dde0
     DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    Process nfsd (pid: 1468, ti=dd54c000 task=ddc92580 task.ti=dd54c000)
    Stack:
     dd54ddf0 e24f19ca 00000000 ddfe6560 dd54de08 e24f1a5d dd758130 deee3a20
     ddfe6560 31270000 dd54df1c e24f52fd 0000000f dd758090 e2505dd0 0be304cf
     dbb51d68 0000000e ddfe657c ddcd8020 dd758130 dd758128 dd7580d8 dd54de68
    Call Trace:
     [<e24f19ca>] free_generic_stateid+0x1c/0x3e [nfsd]
     [<e24f1a5d>] release_lockowner+0x71/0x8a [nfsd]
     [<e24f52fd>] nfsd4_lock+0x617/0x66c [nfsd]
     [<e24e57b6>] ? nfsd_setuser+0x199/0x1bb [nfsd]
     [<e24e056c>] ? nfsd_setuser_and_check_port+0x65/0x81 [nfsd]
     [<c07a0052>] ? _cond_resched+0x8/0x1c
     [<c04ca61f>] ? slab_pre_alloc_hook.clone.33+0x23/0x27
     [<c04cac01>] ? kmem_cache_alloc+0x1a/0xd2
     [<c04835a0>] ? __call_rcu+0xd7/0xdd
     [<e24e0dfb>] ? fh_verify+0x401/0x452 [nfsd]
     [<e24f0b61>] ? nfsd4_encode_operation+0x52/0x117 [nfsd]
     [<e24ea0d7>] ? nfsd4_putfh+0x33/0x3b [nfsd]
     [<e24f4ce6>] ? nfsd4_delegreturn+0xd4/0xd4 [nfsd]
     [<e24ea2c9>] nfsd4_proc_compound+0x1ea/0x33e [nfsd]
     [<e24de6ee>] nfsd_dispatch+0xd1/0x1a5 [nfsd]
     [<e1d6e1c7>] svc_process_common+0x282/0x46f [sunrpc]
     [<e1d6e578>] svc_process+0xdc/0xfa [sunrpc]
     [<e24de0fa>] nfsd+0xd6/0x115 [nfsd]
     [<e24de024>] ? nfsd_shutdown+0x24/0x24 [nfsd]
     [<c0454322>] kthread+0x62/0x67
     [<c04542c0>] ? kthread_worker_fn+0x114/0x114
     [<c07a6ebe>] kernel_thread_helper+0x6/0x10
    Code: eb 05 b8 00 00 27 4f 8d 65 f4 5b 5e 5f 5d c3 83 e0 03 55 83 f8 02 89 e5 74 17 83 f8 03 74 05 48 75 09 eb 09 b8 02 00 00 00 eb 0b <0f> 0b 31 c0 eb 05 b8 01 00 00 00 5d c3 55 89 e5 57 56 89 d6 8d
    EIP: [<e24f180d>] nfs4_access_to_omode+0x1c/0x29 [nfsd] SS:ESP 0068:dd54dde0
    ---[ end trace 2b0bf6c6557cb284 ]---
    
    The trace route is:
    
     -> nfsd4_lock()
       -> if (lock->lk_is_new) {
         -> alloc_init_lock_stateid()
    
            3739: stp->st_access_bmap = 0;
    
       ->if (status && lock->lk_is_new && lock_sop)
         -> release_lockowner()
          -> free_generic_stateid()
           -> nfs4_access_bmap_to_omode()
              -> nfs4_access_to_omode()
    
            380: BUG();   *****
    
    This problem was introduced by 0997b17.
    
    Reported-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
    Tested-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    J. Bruce Fields committed with gregkh Mar 28, 2011
  3. @gregkh

    nfsd: fix auth_domain reference leak on nlm operations

    commit 954032d upstream.
    
    This was noticed by users who performed more than 2^32 lock operations
    and hence made this counter overflow (eventually leading to
    use-after-frees).  Setting rq_client to NULL here means that it won't
    later get auth_domain_put() when it should.
    
    Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth
    domain lookup into svcauth" which moved most of the rq_client handling
    to common svcauth code, but left behind this one line.
    
    Cc: Neil Brown <neilb@suse.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    J. Bruce Fields committed with gregkh Mar 24, 2011
  4. @YANGYongqiang @gregkh

    ext4: fix credits computing for indirect mapped files

    commit 5b41395 upstream.
    
    When writing a contiguous set of blocks, two indirect blocks could be
    needed depending on how the blocks are aligned, so we need to increase
    the number of credits needed by one.
    
    [ Also fixed another bug which could further underestimate the
      number of journal credits needed by 1; the code was using integer
      division instead of DIV_ROUND_UP() -- tytso]
    
    Signed-off-by: Yongqiang Yang <xiaoqiangnk@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    YANGYongqiang committed with gregkh Apr 4, 2011
  5. @taoma-tm @gregkh

    ext4: fix a double free in ext4_register_li_request

    commit 46e4690 upstream.
    
    In ext4_register_li_request, we malloc an ext4_li_request and
    insert it into ext4_li_info->li_request_list. In case of any
    error later, we free it at the end.  But if we have some error
    in ext4_run_lazyinit_thread, the whole li_request_list will be
    dropped and freed in it. So we will double free this ext4_li_request.
    
    This patch just sets elr to NULL after it is inserted into the list
    so that the later kfree won't double free it.
    
    Signed-off-by: Tao Ma <boyu.mt@taobao.com>
    Reviewed-by: Lukas Czerner <lczerner@redhat.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    taoma-tm committed with gregkh Apr 4, 2011
  6. @pprindeville @gregkh

    atm/solos-pci: Don't flap VCs when carrier state changes

    commit c031235 upstream.
    
    Don't flap VCs when carrier state changes; higher-level protocols
    can detect loss of connectivity and act accordingly. This is more
    consistent with how other network interfaces work.
    
    We no longer use release_vccs() so we can delete it.
    
    release_vccs() was duplicated from net/atm/common.c; make the
    corresponding function exported, since other code duplicates it
    and could leverage it if it were public.
    
    Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    pprindeville committed with gregkh Mar 30, 2011
  7. @pprindeville @gregkh

    atm/solos-pci: Don't include frame pseudo-header on transmit hex-dump

    commit 18b429e upstream.
    
    Omit pkt_hdr preamble when dumping transmitted packet as hex-dump;
    we can pull this up because the frame has already been sent, and
    dumping it is the last thing we do with it before freeing it.
    
    Also include the size, vpi, and vci in the debug as is done on
    receive.
    
    Use "port" consistently instead of "device" intermittently.
    
    Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    pprindeville committed with gregkh Mar 30, 2011
  8. @plougher @gregkh

    Squashfs: handle corruption of directory structure

    commit 44cff8a upstream.
    
    Handle the rare case where a directory metadata block is uncompressed and
    corrupted, leading to a kernel oops in directory scanning (memcpy).
    Normally corruption is detected at the decompression stage and dealt with
    then, however, this will not happen if:
    
    - metadata isn't compressed (users can optionally request no metadata
      compression), or
    - the compressed metadata block was larger than the original, in which
      case the uncompressed version was used, or
    - the data was corrupt after decompression
    
    This patch fixes this by adding some sanity checks against known maximum
    values.
    
    Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    plougher committed with gregkh Mar 15, 2011
  9. @plougher @gregkh

    Squashfs: Use vmalloc rather than kmalloc for zlib workspace

    commit 117a91e upstream.
    
    Bugzilla bug 31422 reports occasional "page allocation failure. order:4"
    at Squashfs mount time.  Fix this by making zlib workspace allocation
    use vmalloc rather than kmalloc.
    
    Reported-by: Mehmet Giritli <mehmet@giritli.eu>
    Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    plougher committed with gregkh Mar 22, 2011
  10. @gregkh

    Revert "x86: Cleanup highmap after brk is concluded"

    This reverts upstream commit e5f15b4
    
    It caused problems in the stable tree and should not have been there.
    
    Cc: Yinghai Lu <yinghai@kernel.org>
    Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    gregkh committed Apr 11, 2011
  11. @gregkh

    acer-wmi: does not set persistence state by rfkill_init_sw_state

    commit 8215af0 upstream.
    
    Acer BIOS keeps device states across a system reboot, but resets them to
    the default device states (Wlan on, Bluetooth off, wwan on) on a system
    cold boot. That means the BIOS's initial state is not always the real
    persistent state.
    
    So, rfkill_init_sw_state was removed because it sets the initial state as
    persistent and then replicates it to other new killswitches when
    rfkill-input is enabled.
    After removing it, acer-wmi sets the initial soft-block state after rfkill
    registration, and doesn't allow set_block until rfkill initialization has
    finished.
    
    Reference: bko#31002
    	https://bugzilla.kernel.org/show_bug.cgi?id=31002
    
    Cc: Carlos Corbacho <carlos@strangeworlds.co.uk>
    Cc: Matthew Garrett <mjg@redhat.com>
    Cc: Dmitry Torokhov <dtor@mail.ru>
    Cc: Corentin Chary <corentincj@iksaif.net>
    Cc: Oldřich Jedlička <oldium.pro@seznam.cz>
    Cc: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: Chun-Yi Lee <jlee@novell.com>
    Signed-off-by: Matthew Garrett <mjg@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Chun-Yi Lee committed with gregkh Mar 28, 2011
  12. @cromlehg @gregkh

    drivers/media/video/tlg2300/pd-video.c: Remove second mutex_unlock in pd_vidioc_s_fmt

    commit a07500e upstream.
    
    Error path in file drivers/media/video/tlg2300/pd-video.c:
    1. First mutex_unlock on &pd->lock in line 767 (in the function
       called from line 805)
    2. Second in line 806
    
     805        pd_vidioc_s_fmt(pd, &f->fmt.pix);
     806        mutex_unlock(&pd->lock);
    
    Found by Linux Device Drivers Verification Project
    
    Signed-off-by: Alexander Strakh <strakh@ispras.ru>
    Acked-by: Huang Shijie <shijie8@gmail.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    cromlehg committed with gregkh Jan 25, 2011
  13. @gregkh

    sound/oss: remove offset from load_patch callbacks

    commit b769f49 upstream.
    
    Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
    uninitialized value, and signedness issue
    
    The offset passed to midi_synth_load_patch() can be essentially
    arbitrary.  If it's greater than the header length, this will result in
    a copy_from_user(dst, src, negative_val).  While this will just return
    -EFAULT on x86, on other architectures this may cause memory corruption.
    Additionally, the length field of the sysex_info structure may not be
    initialized prior to its use.  Finally, a signed comparison may result
    in an unintentionally large loop.
    
    On suggestion by Takashi Iwai, version two removes the offset argument
    from the load_patch callbacks entirely, which also resolves similar
    issues in opl3.  Compile tested only.
    
    v3 adjusts comments and hopefully gets copy offsets right.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Dan Rosenberg committed with gregkh Mar 23, 2011
  14. @kdave @gregkh

    netfilter: h323: bug in parsing of ASN1 SEQOF field

    commit b4232a2 upstream.
    
    The clang static analyzer found a dead store which appears to be a bug in
    reading the count of items in a SEQOF field: only the lower byte of the
    word is stored. This may lead to a corrupted read and communication shutdown.
    
    The bug has been in the module since its first inclusion into the linux
    kernel.
    
    [Patrick: the bug is real, but without practical consequence since the
     largest amount of sequence-of members we parse is 30.]
    
    Signed-off-by: David Sterba <dsterba@suse.cz>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    kdave committed with gregkh Apr 4, 2011
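As an added illustration of the defect this commit describes (example code, not the kernel's h323 parser or the commit's patch): a two-byte count decoder with the dead store beside the corrected accumulation, followed by a bounds check on the decoded count before a parser trusts it. The sample bytes, the `seqof_count` helper and its `item_size` parameter are this example's own constructions.

```c
/*
 * Added example, not kernel code: a big-endian two-byte element count
 * decoded the defective way (high byte computed, then overwritten) and
 * the corrected way, plus the sanity check a parser should apply to a
 * count taken from the wire. Sample bytes are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: a 2-byte count followed by two payload bytes. */
static const uint8_t SAMPLE_BIG[] = { 0x01, 0x02, 0xAA, 0xBB }; /* count 258, but only 2 bytes follow */
static const uint8_t SAMPLE_OK[]  = { 0x00, 0x02, 0xAA, 0xBB }; /* count 2, and 2 bytes follow */

/* Defective form: the first assignment is a dead store, the second
 * replaces it instead of adding to it, so 0x0102 decodes as 0x02. */
static unsigned decode_count_buggy(const uint8_t *p)
{
    unsigned count;

    count = *p++ << 8;  /* dead store, which is what the analyzer flagged */
    count = *p++;       /* should have been += */
    return count;
}

/* Corrected form: both bytes contribute to the count. */
static unsigned decode_count_fixed(const uint8_t *p)
{
    unsigned count;

    count = *p++ << 8;
    count += *p++;
    return count;
}

/* Decode the count at the start of buf and check it against the bytes
 * that actually remain, assuming each element occupies at least
 * item_size bytes (an assumption of this example). Returns the count,
 * or -1 if the stream is too short for the count field or the count
 * could not possibly fit in the remaining data. */
static int seqof_count(const uint8_t *buf, size_t len, size_t item_size)
{
    unsigned count;
    size_t remaining;

    if (len < 2)
        return -1;
    count = decode_count_fixed(buf);
    remaining = len - 2;
    if (item_size && count > remaining / item_size)
        return -1;   /* corrupted or hostile count: refuse rather than over-read */
    return (int)count;
}

int main(void)
{
    printf("buggy decode of 01 02: %u\n", decode_count_buggy(SAMPLE_BIG));
    printf("fixed decode of 01 02: %u\n", decode_count_fixed(SAMPLE_BIG));
    printf("seqof_count(SAMPLE_BIG): %d\n", seqof_count(SAMPLE_BIG, sizeof SAMPLE_BIG, 1));
    printf("seqof_count(SAMPLE_OK):  %d\n", seqof_count(SAMPLE_OK, sizeof SAMPLE_OK, 1));
    return 0;
}
```

The bounds check is the part the commit's own fix does not need (the kernel parser never sees more than 30 members, as Patrick's note says), but it is what keeps a correctly decoded count from turning into an over-read when the input is corrupt.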
  15. @gregkh

    econet: 4 byte infoleak to the network

    commit 67c5c6c upstream.
    
    struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
    x86_64.  These bytes are not initialized in the variable 'ah' before
    sending 'ah' to the network.  This leads to a 4-byte kernel stack
    infoleak.
    
    This bug was introduced before the git epoch.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 17, 2011
  16. @gregkh

    drivers/leds/leds-lp5521.c: world-writable sysfs engine* files

    commit 67d1da7 upstream.
    
    Don't allow everybody to change LED settings.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Richard Purdie <rpurdie@rpsys.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 22, 2011
  17. @gregkh

    drivers/leds/leds-lp5523.c: world-writable engine* sysfs files

    commit ccd7510 upstream.
    
    Don't allow everybody to change LED settings.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Richard Purdie <rpurdie@rpsys.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 22, 2011
  18. @gregkh

    drivers/misc/ep93xx_pwm.c: world-writable sysfs files

    commit deb187e upstream.
    
    Don't allow everybody to change device settings.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Hartley Sweeten <hartleys@visionengravers.com>
    Cc: Matthieu Crapet <mcrapet@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 22, 2011
  19. @gregkh

    drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file

    commit 49d50fb upstream.
    
    Don't allow everybody to write to NVRAM.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Andy Sharp <andy.sharp@onstor.com>
    Cc: Alessandro Zummo <a.zummo@towertech.it>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 22, 2011
  20. @gregkh

    mfd: ab3100: world-writable debugfs *_priv files

    commit f8a0697 upstream.
    
    Don't allow everybody to change device hardware registers.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Linus Walleij <linus.walleij@stericsson.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 4, 2011
  21. @gregkh

    mfd: ab3500: world-writable debugfs register-* files

    commit 90c861c upstream.
    
    Don't allow everybody to interact with hardware registers.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Linus Walleij <linus.walleij@stericsson.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 4, 2011
  22. @gregkh

    mfd: ab8500: world-writable debugfs register-* files

    commit 44bdcb5 upstream.
    
    Don't allow everybody to interact with hardware registers.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Linus Walleij <linus.walleij@stericsson.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 4, 2011
  23. @gregkh

    scsi_transport_iscsi: make priv_sess file writeable only by root

    commit 523f3c8 upstream.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Mike Christie <michaelc@cs.wisc.edu>
    Signed-off-by: James Bottomley <James.Bottomley@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 4, 2011
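The eight entries above all fix the same class of issue from the driver side, by removing the bits that let everyone write to a sysfs or debugfs file. As an added example (not code from the kernel or these commits), the matching check from the defender's side: a small C audit that walks a directory tree and reports regular files writable by everyone, exercised on a fixture it constructs under /tmp. All names, paths and fixture contents are this example's own; run it with `/sys` or `/sys/kernel/debug` as the argument to check a live system.

```c
/* Added example, not kernel code: audit a tree for world-writable regular
 * files, the misconfiguration the sysfs/debugfs commits fix driver by driver.
 * The fixture directory and file names below are constructed for the demo. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recursively count regular files under dir whose mode has S_IWOTH set.
 * lstat() means symlinks (plentiful in sysfs) are neither followed nor
 * reported. Returns the count, or -1 if dir itself cannot be read. */
static long audit_tree(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *ent;
    long found = 0;

    if (!d)
        return -1;
    while ((ent = readdir(d)) != NULL) {
        char path[PATH_MAX];
        struct stat st;

        if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, ".."))
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path)
            continue;                /* would truncate: skip rather than mis-report */
        if (lstat(path, &st) != 0)
            continue;                /* entry vanished or is unreadable */
        if (S_ISDIR(st.st_mode)) {
            long sub = audit_tree(path);
            if (sub > 0)
                found += sub;
        } else if (S_ISREG(st.st_mode) && (st.st_mode & S_IWOTH)) {
            printf("world-writable: %s (mode %04o)\n", path, (unsigned)(st.st_mode & 07777));
            found++;
        }
    }
    closedir(d);
    return found;
}

/* Constructed fixture, relative to a fresh temp dir: two of the three
 * files carry the kind of mode the lp5521/lp5523/ds1511 commits remove. */
struct fixture_file { const char *name; mode_t mode; };
static const struct fixture_file FIXTURE[] = {
    { "engine1_mode", 0666 },   /* S_IRUGO | S_IWUGO: the defect */
    { "engine1_load", 0644 },   /* S_IRUGO | S_IWUSR: the fix */
    { "sub/nvram",    0666 },   /* nested, to exercise the recursion */
};
#define NFIXTURE (sizeof FIXTURE / sizeof FIXTURE[0])

/* Create the fixture; dir receives the temp directory path. 0 on success. */
static int create_fixture(char *dir, size_t dirlen)
{
    char path[PATH_MAX];
    mode_t old = umask(0);      /* so the requested modes are applied exactly */
    size_t i;
    int fd, rc = -1;

    snprintf(dir, dirlen, "/tmp/ww-audit-XXXXXX");
    if (!mkdtemp(dir))
        goto out;
    snprintf(path, sizeof path, "%s/sub", dir);
    if (mkdir(path, 0755) != 0)
        goto out;
    for (i = 0; i < NFIXTURE; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, FIXTURE[i].name);
        if ((fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, FIXTURE[i].mode)) < 0)
            goto out;
        close(fd);
    }
    rc = 0;
out:
    umask(old);
    return rc;
}

/* Build, audit and remove the fixture. Returns the number of world-writable
 * files found (2 for the fixture above), or -1 if it could not be set up. */
static long audit_fixture(void)
{
    char dir[PATH_MAX], path[PATH_MAX];
    long n;
    size_t i;

    if (create_fixture(dir, sizeof dir) != 0)
        return -1;
    n = audit_tree(dir);
    for (i = 0; i < NFIXTURE; i++) {        /* clean up */
        snprintf(path, sizeof path, "%s/%s", dir, FIXTURE[i].name);
        unlink(path);
    }
    snprintf(path, sizeof path, "%s/sub", dir);
    rmdir(path);
    rmdir(dir);
    return n;
}

/* With a path argument, audit that tree (e.g. /sys); otherwise run the fixture. */
int main(int argc, char **argv)
{
    long n = argc > 1 ? audit_tree(argv[1]) : audit_fixture();

    printf("%ld world-writable regular file(s)\n", n);
    return n < 0;
}
```

On a real sysfs the interesting hits are attribute files owned by root under /sys/devices and /sys/class; a debugfs mount, when present, is worth the same walk since its files are created by drivers with whatever mode the author chose.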
  24. @gregkh

    ipv6: netfilter: ip6_tables: fix infoleak to userspace

    commit 6a8ab06 upstream.
    
    Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as an argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via the argument of the spawned modprobe
    process.
    
    The first bug was introduced before the git epoch;  the second was
    introduced in 3bc3fe5 (v2.6.25-rc1);  the third was introduced by
    6b7d31f (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 15, 2011
  25. @gregkh

    netfilter: ipt_CLUSTERIP: fix buffer overflow

    commit 961ed18 upstream.
    
    'buffer' string is copied from userspace.  It is not checked whether it is
    zero terminated.  This may lead to overflow inside of simple_strtoul().
    Changli Gao suggested copying no more than the user-supplied 'size' bytes.
    
    It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
    root writable only by default, however, on some setups permissions might be
    relaxed to e.g. network admin user.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Changli Gao <xiaosuo@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 20, 2011
  26. @gregkh

    netfilter: arp_tables: fix infoleak to userspace

    commit 42eab94 upstream.
    
    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as an argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via the argument of the spawned modprobe
    process.
    
    The first bug was introduced before the git epoch;  the second was
    introduced by 6b7d31f (v2.6.15-rc1);  the third was introduced by
    6b7d31f (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 15, 2011
  27. @gregkh

    netfilter: xtables: fix reentrancy

    commit db85667 upstream.
    
    commit f3c5c1b (make ip_tables reentrant) introduced a race in
    handling the stackptr restore, at the end of ipt_do_table()
    
    We should do it before the call to xt_info_rdunlock_bh(), or we allow
    cpu preemption and another cpu overwrites the stackptr of the original one.
    
    A second fix is to change the underflow test to check the origptr value
    instead of 0 to detect underflow, or else we allow a jump from different
    hooks.
    
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Eric Dumazet committed with gregkh Mar 20, 2011
  28. @gregkh

    netfilter: ip_tables: fix infoleak to userspace

    commit 78b7987 upstream.
    
    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as an argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via the argument of the spawned modprobe
    process.
    
    The first and the third bugs were introduced before the git epoch; the
    second was introduced in 2722971 (v2.6.17-rc1).  To trigger the bug
    one should have CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 15, 2011
  29. @gregkh

    char/tpm: Fix uninitialized usage of data buffer

    commit 1309d7a upstream.
    
    This patch fixes information leakage to the userspace by initializing
    the data buffer to zero.
    
    Reported-by: Peter Huewe <huewe.external@infineon.com>
    Signed-off-by: Peter Huewe <huewe.external@infineon.com>
    Signed-off-by: Marcel Selhorst <m.selhorst@sirrix.com>
    [ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
      deeper problems than a simple multiplication can fix.   - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Peter Huewe committed with gregkh Mar 29, 2011
  30. @goldwynr @gregkh

    Treat writes as new when holes span across page boundaries

    commit 272b62c upstream.
    
    When a hole spans across page boundaries, the next write forces
    a read of the block. This could end up reading existing garbage
    data from the disk in ocfs2_map_page_blocks. This leads to
    non-zero holes. In order to avoid this, mark the writes as new
    when the holes span across page boundaries.
    
    Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.de>
    Signed-off-by: jlbec <jlbec@evilplan.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    goldwynr committed with gregkh Feb 17, 2011
  31. @Keruspe @gregkh

    Bluetooth: add support for Apple MacBook Pro 8,2

    commit 63a8588 upstream.
    
    Just adding the vendor details makes it work fine.
    
    Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Tested-by: Grant Likely <grant.likely@secretlab.ca>
    Keruspe committed with gregkh Mar 24, 2011
  32. @gregkh

    Bluetooth: bnep: fix buffer overflow

    commit 43629f8 upstream.
    
    Struct ca is copied from userspace.  It is not checked whether the "device"
    field is NULL terminated.  This potentially leads to BUG() inside of
    alloc_netdev_mqs() and/or information leak by creating a device with a name
    made of contents of kernel stack.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 14, 2011
  33. @gregkh

    bridge: netfilter: fix information leak

    commit d846f71 upstream.
    
    Struct tmp is copied from userspace.  It is not checked whether the "name"
    field is NULL terminated.  This may lead to buffer overflow and passing
    contents of kernel stack as a module name to try_then_request_module() and,
    consequently, to modprobe commandline.  It would be seen by all userspace
    processes.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 14, 2011
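The ip_tables, ip6_tables, arp_tables, CLUSTERIP, bnep and ebtables (bridge netfilter) entries above share one root cause: a fixed-size char array arrives from userspace and is treated as a NUL-terminated string without anyone checking that a NUL is present, so the string "continues" into whatever sits next to the array on the kernel stack. As an added example (not code from the kernel or these commits), a userspace C model of that pattern: the unchecked "%s" formatting beside the terminator check the netfilter fixes add, and the bounded copy-and-terminate the CLUSTERIP fix applies to a procfs write. The struct layout, NAME_LEN, the `neighbour` field standing in for adjacent stack contents, and the use of snprintf/memcpy in place of request_module()/copy_from_user() are this example's assumptions.

```c
/*
 * Added example, not kernel code: a request struct whose name field may
 * lack a NUL, formatted with "%s" (vulnerable) and with a terminator check
 * (hardened), plus the bounded copy that fixes the procfs write case.
 * Struct names, sizes and the "neighbour" stand-in are constructed.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* Stand-in for a request struct copied in from userspace. */
struct user_request {
    unsigned int revision;
    char name[NAME_LEN];      /* meant to be NUL-terminated, but the caller controls it */
};

/* Stand-in for the kernel stack: what immediately follows the request. */
struct stack_frame {
    struct user_request req;
    char neighbour[32];       /* constructed: data an over-read picks up */
};

/* Build a frame whose name has no NUL at all (the hostile case). */
static void fill_hostile_frame(struct stack_frame *f)
{
    memset(f, 0, sizeof *f);
    memset(f->req.name, 'A', NAME_LEN);   /* 16 bytes, no terminator */
    strcpy(f->neighbour, "SECRET");       /* what ends up in the output */
}

/* Vulnerable form: "%s" with no check, like the request_module() calls
 * the commits fix. Returns the length the format produced. */
static int build_modname_unchecked(const struct stack_frame *f, char *out, size_t outlen)
{
    return snprintf(out, outlen, "xt_%s", f->req.name);
}

/* Hardened form, as the netfilter fixes do: refuse a name that is not
 * terminated inside the array. Returns -EINVAL or the length produced. */
static int build_modname_checked(const struct stack_frame *f, char *out, size_t outlen)
{
    if (memchr(f->req.name, '\0', NAME_LEN) == NULL)
        return -EINVAL;
    return snprintf(out, outlen, "xt_%s", f->req.name);
}

/* CLUSTERIP-style fix for a procfs write: copy at most `size` bytes, never
 * more than the local buffer holds, terminate, then parse. Returns the
 * parsed value, or -1 when the length is unusable. */
static long parse_proc_write(const char *user_buf, size_t size)
{
    char buffer[16];

    if (size == 0 || size >= sizeof buffer)
        return -1;
    memcpy(buffer, user_buf, size);   /* stands in for copy_from_user(buffer, input, size) */
    buffer[size] = '\0';              /* the terminator the caller's data may lack */
    return strtol(buffer, NULL, 10);
}

/* The vulnerable path on the hostile frame: the 16 'A's run straight into
 * the neighbour, so "SECRET" becomes part of the module name. */
static const char *leaked_modname(void)
{
    static char out[64];
    struct stack_frame f;

    fill_hostile_frame(&f);
    build_modname_unchecked(&f, out, sizeof out);
    return out;
}

/* The hardened path on the same frame. */
static int checked_modname_result(void)
{
    char out[64];
    struct stack_frame f;

    fill_hostile_frame(&f);
    return build_modname_checked(&f, out, sizeof out);
}

int main(void)
{
    const char proc_input[4] = { '1', '2', '3', '4' };   /* a 4-byte write, no NUL */

    printf("unchecked: %s\n", leaked_modname());
    printf("checked:   %d\n", checked_modname_result());
    printf("proc write: %ld\n", parse_proc_write(proc_input, sizeof proc_input));
    return 0;
}
```

In the kernel the leaked bytes travel further than a printf: they become the modprobe command line, which any process can read from /proc, which is why the commits rate an unterminated name as an information leak rather than a mere parsing bug.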
  34. @gregkh

    Bluetooth: sco: fix information leak to userspace

    commit c4c896e upstream.
    
    struct sco_conninfo has one padding byte in the end.  Local variable
    cinfo of type sco_conninfo is copied to userspace with this uninitialized
    one byte, leading to old stack contents leak.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 14, 2011
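The econet and sco entries above are the same bug seen twice: the compiler inserts padding into a struct, assigning every member leaves that padding untouched, and copying the whole object out (to userspace or onto the wire) carries stale stack bytes along. As an added example (not the kernel's code), two structs with the same shape as aunhdr and sco_conninfo, functions that report how many padding bytes each has, and a side-by-side run with and without the memset fix. The 0xAA "stale" pattern, the member values and the use of memcpy in place of copy_to_user() are constructed for this example; the 4-byte gap in the aunhdr-shaped struct appears where uint64_t is 8-byte aligned, as on x86_64.

```c
/*
 * Added example, not kernel code: structs shaped like sco_conninfo and
 * aunhdr, with the padding made visible by pre-filling the stack slot
 * with a constructed 0xAA pattern, then copied out with and without the
 * memset that the fixes add.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA   /* constructed: stands in for old stack contents */

/* Same shape as sco_conninfo: 5 bytes of members, padded to 6. */
struct sco_info_like {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

/* Same shape as aunhdr on x86_64: four one-byte members, then an 8-byte
 * handle that must be 8-aligned, so 4 padding bytes sit in the middle. */
struct aun_hdr_like {
    uint8_t  code, port, cb, pad;
    uint64_t handle;
};

/* Padding = object size minus the bytes the members account for. */
static size_t padding_sco(void)
{
    return sizeof(struct sco_info_like) - (sizeof(uint16_t) + 3 * sizeof(uint8_t));
}

static size_t padding_aun(void)
{
    return sizeof(struct aun_hdr_like) - (4 * sizeof(uint8_t) + sizeof(uint64_t));
}

/* How many bytes of the copied-out object still carry the STALE pattern. */
static size_t count_stale(const unsigned char *buf, size_t len)
{
    size_t i, n = 0;

    for (i = 0; i < len; i++)
        if (buf[i] == STALE)
            n++;
    return n;
}

/* Build a sco_info_like in a stack slot that previously held STALE bytes,
 * with (hardened=1) or without (hardened=0) zeroing the whole object, then
 * copy it out as the getsockopt path would. Returns the stale byte count. */
static size_t stale_bytes_sco(int hardened)
{
    union {
        struct sco_info_like ci;
        unsigned char raw[sizeof(struct sco_info_like)];
    } u;
    unsigned char wire[sizeof u.raw];

    memset(u.raw, STALE, sizeof u.raw);   /* what the previous call left behind */
    if (hardened)
        memset(&u.ci, 0, sizeof u.ci);    /* the fix: clears padding along with members */
    u.ci.hci_handle = 0x0042;
    u.ci.dev_class[0] = 1;
    u.ci.dev_class[1] = 2;
    u.ci.dev_class[2] = 3;                /* no member byte equals STALE */
    memcpy(wire, &u.ci, sizeof wire);     /* stands in for copy_to_user(optval, &cinfo, len) */
    return count_stale(wire, sizeof wire);
}

/* Same experiment for the aunhdr-shaped header sent to the network. */
static size_t stale_bytes_aun(int hardened)
{
    union {
        struct aun_hdr_like ah;
        unsigned char raw[sizeof(struct aun_hdr_like)];
    } u;
    unsigned char wire[sizeof u.raw];

    memset(u.raw, STALE, sizeof u.raw);
    if (hardened)
        memset(&u.ah, 0, sizeof u.ah);
    u.ah.code = 1; u.ah.port = 2; u.ah.cb = 3; u.ah.pad = 0;
    u.ah.handle = 0x1122334455667788ULL;  /* no 0xAA byte among the members */
    memcpy(wire, &u.ah, sizeof wire);     /* stands in for the send path */
    return count_stale(wire, sizeof wire);
}

int main(void)
{
    printf("sco: %zu padding byte(s), %zu leaked unhardened, %zu leaked hardened\n",
           padding_sco(), stale_bytes_sco(0), stale_bytes_sco(1));
    printf("aun: %zu padding byte(s), %zu leaked unhardened, %zu leaked hardened\n",
           padding_aun(), stale_bytes_aun(0), stale_bytes_aun(1));
    return 0;
}
```

The defender's takeaway is the one the fixes encode: any struct that leaves the kernel whole (copy_to_user, skb payload) is zeroed as an object first, since member-by-member assignment, however complete, says nothing about the padding.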
  35. @linvjw @gregkh

    b43: allocate receive buffers big enough for max frame len + offset

    commit c85ce65 upstream.
    
    Otherwise, skb_put inside of dma_rx can fail...
    
    	https://bugzilla.kernel.org/show_bug.cgi?id=32042
    
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    linvjw committed with gregkh Mar 30, 2011