authorGreg Kroah-Hartman <gregkh@suse.de>2011-05-04 16:17:36 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2011-05-04 16:17:36 -0700
commit9ed9a893c0f2351f5681a04bc0ce1629110852d2 (patch)
treefc82bf4938e337236e52d538ca1eb574ca02e427
parentf12ac89af7329f321a4b38681b9b932a96457842 (diff)
downloadlongterm-queue-2.6.33-9ed9a893c0f2351f5681a04bc0ce1629110852d2.tar.gz
.33 patches
-rw-r--r--queue-2.6.33/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch85
-rw-r--r--queue-2.6.33/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch34
-rw-r--r--queue-2.6.33/can-add-missing-socket-check-in-can-bcm-release.patch38
-rw-r--r--queue-2.6.33/fix-gcc-4.5.1-miscompiling-drivers-char-i8k.c-again.patch72
-rw-r--r--queue-2.6.33/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch69
-rw-r--r--queue-2.6.33/i8k-tell-gcc-that-regs-gets-clobbered.patch50
-rw-r--r--queue-2.6.33/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch55
-rw-r--r--queue-2.6.33/series7
8 files changed, 410 insertions, 0 deletions
diff --git a/queue-2.6.33/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch b/queue-2.6.33/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
new file mode 100644
index 0000000..2428e94
--- /dev/null
+++ b/queue-2.6.33/af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
@@ -0,0 +1,85 @@
+From a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 Mon Sep 17 00:00:00 2001
+From: Eric W. Biederman <ebiederm@xmission.com>
+Date: Sun, 24 Apr 2011 01:54:57 +0000
+Subject: af_unix: Only allow recv on connected seqpacket sockets.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 upstream.
+
+This fixes the following oops discovered by Dan Aloni:
+> Anyway, the following is the output of the Oops that I got on the
+> Ubuntu kernel on which I first detected the problem
+> (2.6.37-12-generic). The Oops that followed will be more useful, I
+> guess.
+
+>[ 5594.669852] BUG: unable to handle kernel NULL pointer dereference
+> at           (null)
+> [ 5594.681606] IP: [<ffffffff81550b7b>] unix_dgram_recvmsg+0x1fb/0x420
+> [ 5594.687576] PGD 2a05d067 PUD 2b951067 PMD 0
+> [ 5594.693720] Oops: 0002 [#1] SMP
+> [ 5594.699888] last sysfs file:
+
+The bug was that unix domain sockets use a pseduo packet for
+connecting and accept uses that psudo packet to get the socket.
+In the buggy seqpacket case we were allowing unconnected
+sockets to call recvmsg and try to receive the pseudo packet.
+
+That is always wrong and as of commit 7361c36c5 the pseudo
+packet had become enough different from a normal packet
+that the kernel started oopsing.
+
+Do for seqpacket_recv what was done for seqpacket_send in 2.5
+and only allow it on connected seqpacket sockets.
+
+Tested-by: Dan Aloni <dan@aloni.org>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/unix/af_unix.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -503,6 +503,8 @@ static int unix_dgram_connect(struct soc
+ int, int);
+ static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *,
+ struct msghdr *, size_t);
++static int unix_seqpacket_recvmsg(struct kiocb *, struct socket *,
++ struct msghdr *, size_t, int);
+
+ static const struct proto_ops unix_stream_ops = {
+ .family = PF_UNIX,
+@@ -562,7 +564,7 @@ static const struct proto_ops unix_seqpa
+ .setsockopt = sock_no_setsockopt,
+ .getsockopt = sock_no_getsockopt,
+ .sendmsg = unix_seqpacket_sendmsg,
+- .recvmsg = unix_dgram_recvmsg,
++ .recvmsg = unix_seqpacket_recvmsg,
+ .mmap = sock_no_mmap,
+ .sendpage = sock_no_sendpage,
+ };
+@@ -1631,6 +1633,18 @@ static int unix_seqpacket_sendmsg(struct
+ return unix_dgram_sendmsg(kiocb, sock, msg, len);
+ }
+
++static int unix_seqpacket_recvmsg(struct kiocb *iocb, struct socket *sock,
++ struct msghdr *msg, size_t size,
++ int flags)
++{
++ struct sock *sk = sock->sk;
++
++ if (sk->sk_state != TCP_ESTABLISHED)
++ return -ENOTCONN;
++
++ return unix_dgram_recvmsg(iocb, sock, msg, size, flags);
++}
++
+ static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
+ {
+ struct unix_sock *u = unix_sk(sk);
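Review bot: The new `unix_seqpacket_recvmsg` reads `sk->sk_state` without taking `unix_state_lock`, and nothing in the hunk records why that is acceptable or why the check is needed at all. A comment above the test would save the next reader from re-deriving it from the commit message: `/* An unconnected seqpacket socket must not dequeue: its queue may hold the connect()/accept() pseudo-packet, which is not user data. */`. If the lockless read is justified because an established seqpacket socket never reverts to an unconnected state while the caller holds the fd, that assumption should be stated too, since nothing visible here establishes it. The sendmsg side apparently carries its own check inside `unix_seqpacket_sendmsg`, whose body starts outside the hunk.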
diff --git a/queue-2.6.33/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch b/queue-2.6.33/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
new file mode 100644
index 0000000..f8dd3f9
--- /dev/null
+++ b/queue-2.6.33/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
@@ -0,0 +1,34 @@
+From 0f22072ab50cac7983f9660d33974b45184da4f9 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 29 Apr 2011 15:48:07 +0100
+Subject: ARM: 6891/1: prevent heap corruption in OABI semtimedop
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream.
+
+When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
+bound the nsops argument. A sufficiently large value will cause an
+integer overflow in allocation size, followed by copying too much data
+into the allocated buffer. Fix this by restricting nsops to SEMOPM.
+Untested.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/arm/kernel/sys_oabi-compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int
+ long err;
+ int i;
+
+- if (nsops < 1)
++ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
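Review bot: The upper bound is the right fix, but the hunk leaves no trace of why it exists: `nsops` comes from userspace and is the multiplier in `sizeof(*sops) * nsops` on the very next line, while the function signature and the parameter's type are cut off at the `@@` header. A comment such as `/* nsops is user-controlled and multiplies the allocation size below: cap it at SEMOPM */` above the check would record that. The commit message explicitly marks the change as untested; as a backport into a stable queue it deserves at least a build with CONFIG_OABI_COMPAT and one semtimedop() call with nsops above SEMOPM that is expected to return -EINVAL. The remainder of `sys_oabi_semtimedop`, including the copy the message says overran the buffer, is outside the hunk.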
diff --git a/queue-2.6.33/can-add-missing-socket-check-in-can-bcm-release.patch b/queue-2.6.33/can-add-missing-socket-check-in-can-bcm-release.patch
new file mode 100644
index 0000000..212e3ad
--- /dev/null
+++ b/queue-2.6.33/can-add-missing-socket-check-in-can-bcm-release.patch
@@ -0,0 +1,38 @@
+From c6914a6f261aca0c9f715f883a353ae7ff51fe83 Mon Sep 17 00:00:00 2001
+From: Dave Jones <davej@redhat.com>
+Date: Tue, 19 Apr 2011 20:36:59 -0700
+Subject: can: Add missing socket check in can/bcm release.
+
+From: Dave Jones <davej@redhat.com>
+
+commit c6914a6f261aca0c9f715f883a353ae7ff51fe83 upstream.
+
+We can get here with a NULL socket argument passed from userspace,
+so we need to handle it accordingly.
+
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/bcm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1412,9 +1412,14 @@ static int bcm_init(struct sock *sk)
+ static int bcm_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+- struct bcm_sock *bo = bcm_sk(sk);
++ struct bcm_sock *bo;
+ struct bcm_op *op, *next;
+
++ if (sk == NULL)
++ return 0;
++
++ bo = bcm_sk(sk);
++
+ /* remove bcm_ops, timer, rx_unregister(), etc. */
+
+ unregister_netdevice_notifier(&bo->notifier);
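Review bot: The NULL guard is added without saying how `sock->sk` comes to be NULL in a release handler, and the commit message's "passed from userspace" does not pin it down; presumably the socket was never fully attached or has already been released, but that path is not visible here. A comment above `if (sk == NULL)` would help, worded as the assumption it is: `/* sock->sk can be NULL here (socket never attached or already released): nothing to tear down */`. Returning 0 rather than an error matches what other release handlers do for this case, as far as can be judged from the hunk. The rest of `bcm_release`, which dereferences `bo` for the notifier and op lists, is outside the hunk.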
diff --git a/queue-2.6.33/fix-gcc-4.5.1-miscompiling-drivers-char-i8k.c-again.patch b/queue-2.6.33/fix-gcc-4.5.1-miscompiling-drivers-char-i8k.c-again.patch
new file mode 100644
index 0000000..a2014ff
--- /dev/null
+++ b/queue-2.6.33/fix-gcc-4.5.1-miscompiling-drivers-char-i8k.c-again.patch
@@ -0,0 +1,72 @@
+From 22d3243de86bc92d874abb7c5b185d5c47aba323 Mon Sep 17 00:00:00 2001
+From: Jim Bos <jim876@xs4all.nl>
+Date: Mon, 15 Nov 2010 21:22:37 +0100
+Subject: Fix gcc 4.5.1 miscompiling drivers/char/i8k.c (again)
+
+From: Jim Bos <jim876@xs4all.nl>
+
+commit 22d3243de86bc92d874abb7c5b185d5c47aba323 upstream.
+
+The fix in commit 6b4e81db2552 ("i8k: Tell gcc that *regs gets
+clobbered") to work around the gcc miscompiling i8k.c to add "+m
+(*regs)" caused register pressure problems and a build failure.
+
+Changing the 'asm' statement to 'asm volatile' instead should prevent
+that and works around the gcc bug as well, so we can remove the "+m".
+
+[ Background on the gcc bug: a memory clobber fails to mark the function
+ the asm resides in as non-pure (aka "__attribute__((const))"), so if
+ the function does nothing else that triggers the non-pure logic, gcc
+ will think that that function has no side effects at all. As a result,
+ callers will be mis-compiled.
+
+ Adding the "+m" made gcc see that it's not a pure function, and so
+ does "asm volatile". The problem was never really the need to mark
+ "*regs" as changed, since the memory clobber did that part - the
+ problem was just a bug in the gcc "pure" function analysis - Linus ]
+
+Signed-off-by: Jim Bos <jim876@xs4all.nl>
+Acked-by: Jakub Jelinek <jakub@redhat.com>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/i8k.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/i8k.c
++++ b/drivers/char/i8k.c
+@@ -119,7 +119,7 @@ static int i8k_smm(struct smm_regs *regs
+ int eax = regs->eax;
+
+ #if defined(CONFIG_X86_64)
+- asm("pushq %%rax\n\t"
++ asm volatile("pushq %%rax\n\t"
+ "movl 0(%%rax),%%edx\n\t"
+ "pushq %%rdx\n\t"
+ "movl 4(%%rax),%%ebx\n\t"
+@@ -141,11 +141,11 @@ static int i8k_smm(struct smm_regs *regs
+ "lahf\n\t"
+ "shrl $8,%%eax\n\t"
+ "andl $1,%%eax\n"
+- :"=a"(rc), "+m" (*regs)
++ :"=a"(rc)
+ : "a"(regs)
+ : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
+ #else
+- asm("pushl %%eax\n\t"
++ asm volatile("pushl %%eax\n\t"
+ "movl 0(%%eax),%%edx\n\t"
+ "push %%edx\n\t"
+ "movl 4(%%eax),%%ebx\n\t"
+@@ -167,7 +167,7 @@ static int i8k_smm(struct smm_regs *regs
+ "lahf\n\t"
+ "shrl $8,%%eax\n\t"
+ "andl $1,%%eax\n"
+- :"=a"(rc), "+m" (*regs)
++ :"=a"(rc)
+ : "a"(regs)
+ : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
+ #endif
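Review bot: After this change `asm volatile` is the only thing stopping gcc from treating `i8k_smm` as a pure function and dropping the SMM call at call sites, yet nothing in the code says so; a later cleanup could remove the `volatile` as "redundant with the memory clobber" and reintroduce exactly the miscompile the message describes. A comment above the `#if defined(CONFIG_X86_64)` line would guard against that: `/* Keep 'volatile': the "memory" clobber alone does not stop gcc 4.5 from treating this function as pure and discarding the SMM call (see commit message). */`. Both asm blocks need it for the same reason, so one comment above the `#if` covers them. `i8k_smm` begins and ends outside the hunk.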
diff --git a/queue-2.6.33/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch b/queue-2.6.33/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch
new file mode 100644
index 0000000..f637b4d
--- /dev/null
+++ b/queue-2.6.33/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch
@@ -0,0 +1,69 @@
+From c340b1d640001c8c9ecff74f68fd90422ae2448a Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns@pre-sense.de>
+Date: Thu, 14 Apr 2011 15:21:56 -0700
+Subject: fs/partitions/ldm.c: fix oops caused by corrupted partition table
+
+From: Timo Warns <Warns@pre-sense.de>
+
+commit c340b1d640001c8c9ecff74f68fd90422ae2448a upstream.
+
+The kernel automatically evaluates partition tables of storage devices.
+The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
+a bug that causes a kernel oops on certain corrupted LDM partitions.
+A kernel subsystem seems to crash, because, after the oops, the kernel no
+longer recognizes newly connected storage devices.
+
+The patch validates the value of vblk_size.
+
+[akpm@linux-foundation.org: coding-style fixes]
+Signed-off-by: Timo Warns <warns@pre-sense.de>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Harvey Harrison <harvey.harrison@gmail.com>
+Cc: Richard Russon <rich@flatcap.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/partitions/ldm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/partitions/ldm.c
++++ b/fs/partitions/ldm.c
+@@ -1299,6 +1299,11 @@ static bool ldm_frag_add (const u8 *data
+
+ BUG_ON (!data || !frags);
+
++ if (size < 2 * VBLK_SIZE_HEAD) {
++ ldm_error("Value of size is to small.");
++ return false;
++ }
++
+ group = get_unaligned_be32(data + 0x08);
+ rec = get_unaligned_be16(data + 0x0C);
+ num = get_unaligned_be16(data + 0x0E);
+@@ -1306,6 +1311,10 @@ static bool ldm_frag_add (const u8 *data
+ ldm_error ("A VBLK claims to have %d parts.", num);
+ return false;
+ }
++ if (rec >= num) {
++ ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
++ return false;
++ }
+
+ list_for_each (item, frags) {
+ f = list_entry (item, struct frag, list);
+@@ -1334,10 +1343,9 @@ found:
+
+ f->map |= (1 << rec);
+
+- if (num > 0) {
+- data += VBLK_SIZE_HEAD;
+- size -= VBLK_SIZE_HEAD;
+- }
++ data += VBLK_SIZE_HEAD;
++ size -= VBLK_SIZE_HEAD;
++
+ memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
+
+ return true;
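Review bot: The new `rec >= num` guard compares against the fragment count read from the fragment currently being added, while the buffer that the `memcpy` at the end of the hunk writes into, `f->data`, belongs to the group found by the `list_for_each` lookup and was sized when that group's first fragment arrived (the allocation is outside the hunk). A later fragment that advertises a larger `num` than the first one therefore passes the check and can still write past the group's buffer, so the bound should be the group's own count, checked after the `found:` label: `if (rec >= f->num) { ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num); return false; }` — assuming `struct frag` stores that count as `f->num`, which is how the code reads but is not visible here. A repeated `rec` is likewise only OR-ed into `f->map` rather than rejected; it stays inside the buffer but silently overwrites an earlier slot, so rejecting duplicates with the same pattern would be worthwhile. The enclosing `ldm_frag_add` starts before the first hunk and its allocation path lies between the hunks.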
diff --git a/queue-2.6.33/i8k-tell-gcc-that-regs-gets-clobbered.patch b/queue-2.6.33/i8k-tell-gcc-that-regs-gets-clobbered.patch
new file mode 100644
index 0000000..005abc0
--- /dev/null
+++ b/queue-2.6.33/i8k-tell-gcc-that-regs-gets-clobbered.patch
@@ -0,0 +1,50 @@
+From 6b4e81db2552bad04100e7d5ddeed7e848f53b48 Mon Sep 17 00:00:00 2001
+From: Jim Bos <jim876@xs4all.nl>
+Date: Sat, 13 Nov 2010 12:13:53 +0100
+Subject: i8k: Tell gcc that *regs gets clobbered
+
+From: Jim Bos <jim876@xs4all.nl>
+
+commit 6b4e81db2552bad04100e7d5ddeed7e848f53b48 upstream.
+
+More recent GCC caused the i8k driver to stop working, on Slackware
+compiler was upgraded from gcc-4.4.4 to gcc-4.5.1 after which it didn't
+work anymore, meaning the driver didn't load or gave total nonsensical
+output.
+
+As it turned out the asm(..) statement forgot to mention it modifies the
+*regs variable.
+
+Credits to Andi Kleen and Andreas Schwab for providing the fix.
+
+Signed-off-by: Jim Bos <jim876@xs4all.nl>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/i8k.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/i8k.c
++++ b/drivers/char/i8k.c
+@@ -141,7 +141,7 @@ static int i8k_smm(struct smm_regs *regs
+ "lahf\n\t"
+ "shrl $8,%%eax\n\t"
+ "andl $1,%%eax\n"
+- :"=a"(rc)
++ :"=a"(rc), "+m" (*regs)
+ : "a"(regs)
+ : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
+ #else
+@@ -166,7 +166,8 @@ static int i8k_smm(struct smm_regs *regs
+ "movl %%edx,0(%%eax)\n\t"
+ "lahf\n\t"
+ "shrl $8,%%eax\n\t"
+- "andl $1,%%eax\n":"=a"(rc)
++ "andl $1,%%eax\n"
++ :"=a"(rc), "+m" (*regs)
+ : "a"(regs)
+ : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
+ #endif
diff --git a/queue-2.6.33/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch b/queue-2.6.33/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
new file mode 100644
index 0000000..42905d4
--- /dev/null
+++ b/queue-2.6.33/open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
@@ -0,0 +1,55 @@
+From 1574dff8996ab1ed92c09012f8038b5566fce313 Mon Sep 17 00:00:00 2001
+From: Sachin Prabhu <sprabhu@redhat.com>
+Date: Wed, 20 Apr 2011 13:09:35 +0100
+Subject: Open with O_CREAT flag set fails to open existing files on non writable directories
+
+From: Sachin Prabhu <sprabhu@redhat.com>
+
+commit 1574dff8996ab1ed92c09012f8038b5566fce313 upstream.
+
+An open on a NFS4 share using the O_CREAT flag on an existing file for
+which we have permissions to open but contained in a directory with no
+write permissions will fail with EACCES.
+
+A tcpdump shows that the client had set the open mode to UNCHECKED which
+indicates that the file should be created if it doesn't exist and
+encountering an existing flag is not an error. Since in this case the
+file exists and can be opened by the user, the NFS server is wrong in
+attempting to check create permissions on the parent directory.
+
+The patch adds a conditional statement to check for create permissions
+only if the file doesn't exist.
+
+Signed-off-by: Sachin S. Prabhu <sprabhu@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/vfs.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1387,7 +1387,7 @@ nfsd_create_v3(struct svc_rqst *rqstp, s
+ goto out;
+ if (!(iap->ia_valid & ATTR_MODE))
+ iap->ia_mode = 0;
+- err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
++ err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_EXEC);
+ if (err)
+ goto out;
+
+@@ -1409,6 +1409,13 @@ nfsd_create_v3(struct svc_rqst *rqstp, s
+ if (IS_ERR(dchild))
+ goto out_nfserr;
+
++ /* If file doesn't exist, check for permissions to create one */
++ if (!dchild->d_inode) {
++ err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
++ if (err)
++ goto out;
++ }
++
+ err = fh_compose(resfhp, fhp->fh_export, dchild, fhp);
+ if (err)
+ goto out;
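Review bot: The second `fh_verify(..., NFSD_MAY_CREATE)` now runs after `lookup_one_len` has handed back `dchild`, so its `goto out` on failure is correct only if the `out:` label, which is outside the hunk, already releases that dentry; that should be confirmed against the cleanup code rather than assumed. The reordering also deserves a comment above the first `fh_verify`, since the split permission check is easy to "fix" back: `/* Only search permission is needed to look the name up; create permission is checked below, once we know the file does not exist, so an UNCHECKED open of an existing file does not require write on the parent. */`. Note that an existing file is from now on protected solely by the later permission check on the file itself, which is outside this hunk. `nfsd_create_v3` starts and ends outside the hunk.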
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 0018bf3..8e71807 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -31,3 +31,10 @@ mmc-sdhci-check-mrq-cmd-in-sdhci_tasklet_finish.patch
mmc-sdhci-check-mrq-null-in-sdhci_tasklet_finish.patch
usb-fix-regression-in-usbip-by-setting-has_tt-flag.patch
x86-amd-fix-apic-timer-erratum-400-affecting-k8-rev.a-e-processors.patch
+af_unix-only-allow-recv-on-connected-seqpacket-sockets.patch
+arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
+i8k-tell-gcc-that-regs-gets-clobbered.patch
+fix-gcc-4.5.1-miscompiling-drivers-char-i8k.c-again.patch
+open-with-o_creat-flag-set-fails-to-open-existing-files-on-non-writable-directories.patch
+can-add-missing-socket-check-in-can-bcm-release.patch
+fs-partitions-ldm.c-fix-oops-caused-by-corrupted-partition-table.patch