authorGreg Kroah-Hartman <gregkh@suse.de>2011-11-02 14:46:28 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2011-11-02 14:46:28 -0700
commit8be978a522a2ce3b52d98d1596b31df32127abf4 (patch)
treeeeb1d38cce2be00396f727827fabbeb527e6f9de
parent216f88f35249dcce54d46f58938d2ccf24ff83d9 (diff)
downloadlongterm-queue-2.6.33-8be978a522a2ce3b52d98d1596b31df32127abf4.tar.gz
.33 patches
-rw-r--r--queue-2.6.33/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch42
-rw-r--r--queue-2.6.33/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch35
-rw-r--r--queue-2.6.33/net_sched-fix-qdisc_notify.patch69
-rw-r--r--queue-2.6.33/nl80211-fix-overflow-in-ssid_len.patch46
-rw-r--r--queue-2.6.33/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch78
-rw-r--r--queue-2.6.33/scm-lower-scm_max_fd.patch73
-rw-r--r--queue-2.6.33/series8
-rw-r--r--queue-2.6.33/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch50
-rw-r--r--queue-2.6.33/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch42
9 files changed, 443 insertions, 0 deletions
diff --git a/queue-2.6.33/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch b/queue-2.6.33/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
new file mode 100644
index 0000000..477b191
--- /dev/null
+++ b/queue-2.6.33/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
@@ -0,0 +1,42 @@
+From 8d03e971cf403305217b8e62db3a2e5ad2d6263f Mon Sep 17 00:00:00 2001
+From: Filip Palian <s3810@pjwstk.edu.pl>
+Date: Thu, 12 May 2011 19:32:46 +0200
+Subject: Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
+
+From: Filip Palian <s3810@pjwstk.edu.pl>
+
+commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f upstream.
+
+Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
+byte each. This byte in "cinfo" is copied to userspace uninitialized.
+
+Signed-off-by: Filip Palian <filip.palian@pjwstk.edu.pl>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bluetooth/l2cap.c | 1 +
+ net/bluetooth/rfcomm/sock.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -1892,6 +1892,7 @@ static int l2cap_sock_getsockopt_old(str
+ break;
+ }
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -879,6 +879,7 @@ static int rfcomm_sock_getsockopt_old(st
+
+ l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+
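Review bot: The added `memset(&cinfo, 0, sizeof(cinfo));` lines in both l2cap.c and rfcomm/sock.c carry no comment, and the reason they are there (a padding byte in the conninfo structs that would otherwise reach userspace uninitialized) lives only in the commit message. Suggest `/* zero the whole struct, padding included, before it is copied to userspace */` above each memset so the next person does not "optimize" it away as redundant given that every named field is assigned below. The enclosing getsockopt functions start and end outside the hunk, so the copy to userspace itself is not visible here.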
diff --git a/queue-2.6.33/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch b/queue-2.6.33/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
new file mode 100644
index 0000000..5b730d4
--- /dev/null
+++ b/queue-2.6.33/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
@@ -0,0 +1,35 @@
+From 7ac28817536797fd40e9646452183606f9e17f71 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 24 Jun 2011 08:38:05 -0400
+Subject: Bluetooth: Prevent buffer overflow in l2cap config request
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 7ac28817536797fd40e9646452183606f9e17f71 upstream.
+
+A remote user can provide a small value for the command size field in
+the command header of an l2cap configuration request, resulting in an
+integer underflow when subtracting the size of the configuration request
+header. This results in copying a very large amount of data via
+memcpy() and destroying the kernel heap. Check for underflow.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/bluetooth/l2cap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2741,7 +2741,7 @@ static inline int l2cap_config_req(struc
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
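Review bot: The new `len < 0` guard is only effective because `len` is a signed integer receiving `cmd_len - sizeof(*req)`, a subtraction that is performed unsigned (size_t) and wraps, so the negative value arrives through an implementation-defined narrowing conversion rather than from the arithmetic. The declarations of `len` and `cmd_len` are outside the hunk, so this is inferred from the surrounding code. A form that does not depend on the width or signedness of `len` tests before subtracting: `if (cmd_len < sizeof(*req) || l2cap_pi(sk)->conf_len + (cmd_len - sizeof(*req)) > sizeof(l2cap_pi(sk)->conf_req)) {`. Either way a one-line comment such as `/* cmd_len smaller than the request header would underflow len */` would make the intent of the check explicit. l2cap_config_req's body continues outside the hunk.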
diff --git a/queue-2.6.33/net_sched-fix-qdisc_notify.patch b/queue-2.6.33/net_sched-fix-qdisc_notify.patch
new file mode 100644
index 0000000..5903dd0
--- /dev/null
+++ b/queue-2.6.33/net_sched-fix-qdisc_notify.patch
@@ -0,0 +1,69 @@
+From 53b0f08042f04813cd1a7473dacd3edfacb28eb3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat, 22 May 2010 20:37:44 +0000
+Subject: net_sched: Fix qdisc_notify()
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 53b0f08042f04813cd1a7473dacd3edfacb28eb3 upstream.
+
+Ben Pfaff reported a kernel oops and provided a test program to
+reproduce it.
+
+https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805
+
+tc_fill_qdisc() should not be called for builtin qdisc, or it
+dereference a NULL pointer to get device ifindex.
+
+Fix is to always use tc_qdisc_dump_ignore() before calling
+tc_fill_qdisc().
+
+Reported-by: Ben Pfaff <blp@nicira.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/sch_api.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1195,6 +1195,11 @@ nla_put_failure:
+ return -1;
+ }
+
++static bool tc_qdisc_dump_ignore(struct Qdisc *q)
++{
++ return (q->flags & TCQ_F_BUILTIN) ? true : false;
++}
++
+ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ u32 clid, struct Qdisc *old, struct Qdisc *new)
+ {
+@@ -1205,11 +1210,11 @@ static int qdisc_notify(struct sk_buff *
+ if (!skb)
+ return -ENOBUFS;
+
+- if (old && old->handle) {
++ if (old && !tc_qdisc_dump_ignore(old)) {
+ if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0)
+ goto err_out;
+ }
+- if (new) {
++ if (new && !tc_qdisc_dump_ignore(new)) {
+ if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
+ goto err_out;
+ }
+@@ -1222,11 +1227,6 @@ err_out:
+ return -EINVAL;
+ }
+
+-static bool tc_qdisc_dump_ignore(struct Qdisc *q)
+-{
+- return (q->flags & TCQ_F_BUILTIN) ? true : false;
+-}
+-
+ static int tc_dump_qdisc_root(struct Qdisc *root, struct sk_buff *skb,
+ struct netlink_callback *cb,
+ int *q_idx_p, int s_q_idx)
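Review bot: The relocated `tc_qdisc_dump_ignore()` now gates both `tc_fill_qdisc()` calls in `qdisc_notify()`, but nothing at its definition says why builtin qdiscs must be skipped; the reason (tc_fill_qdisc() dereferences a NULL pointer when it tries to read the device ifindex for them) is only in the commit message. Suggest `/* builtin qdiscs have no device to report; tc_fill_qdisc() must not see them */` above the definition. The `? true : false` on its return is redundant in a `bool` function and `return q->flags & TCQ_F_BUILTIN;` reads the same, but since the body is only moved that is optional. qdisc_notify() and tc_dump_qdisc_root() both continue outside the hunk.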
diff --git a/queue-2.6.33/nl80211-fix-overflow-in-ssid_len.patch b/queue-2.6.33/nl80211-fix-overflow-in-ssid_len.patch
new file mode 100644
index 0000000..76ed840
--- /dev/null
+++ b/queue-2.6.33/nl80211-fix-overflow-in-ssid_len.patch
@@ -0,0 +1,46 @@
+From 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 Mon Sep 17 00:00:00 2001
+From: Luciano Coelho <coelho@ti.com>
+Date: Tue, 7 Jun 2011 20:42:26 +0300
+Subject: nl80211: fix overflow in ssid_len
+
+From: Luciano Coelho <coelho@ti.com>
+
+commit 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 upstream.
+
+When one of the SSID's length passed in a scan or sched_scan request
+is larger than 255, there will be an overflow in the u8 that is used
+to store the length before checking. This causes the check to fail
+and we overrun the buffer when copying the SSID.
+
+Fix this by checking the nl80211 attribute length before copying it to
+the struct.
+
+This is a follow up for the previous commit
+208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
+entirely.
+
+Reported-by: Ido Yariv <ido@wizery.com>
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/nl80211.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3078,11 +3078,11 @@ static int nl80211_trigger_scan(struct s
+ i = 0;
+ if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
+- request->ssids[i].ssid_len = nla_len(attr);
+- if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
++ if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out_free;
+ }
++ request->ssids[i].ssid_len = nla_len(attr);
+ memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+ i++;
+ }
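Review bot: `nla_len(attr)` is now evaluated three times per SSID in the loop (the check, the assignment, the memcpy), which hides the validate-then-store ordering that is the whole point of the change. Reading it once at the top of the loop body, `int ssid_len = nla_len(attr);`, then `if (ssid_len > IEEE80211_MAX_SSID_LEN)` and `memcpy(..., ssid_len)`, keeps the single value the check was made on in view and makes it harder for a later edit to reorder the check and the u8 store again. As far as the hunk shows the fix is right: the comparison is now done on the `int` returned by nla_len() before it is narrowed to the u8 `ssid_len`. The bound on `i` against the number of allocated ssids slots is outside the hunk.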
diff --git a/queue-2.6.33/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch b/queue-2.6.33/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch
new file mode 100644
index 0000000..8015c65
--- /dev/null
+++ b/queue-2.6.33/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch
@@ -0,0 +1,78 @@
+From 0b760113a3a155269a3fba93a409c640031dd68f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Tue, 31 May 2011 15:15:34 -0400
+Subject: NLM: Don't hang forever on NLM unlock requests
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 0b760113a3a155269a3fba93a409c640031dd68f upstream.
+
+If the NLM daemon is killed on the NFS server, we can currently end up
+hanging forever on an 'unlock' request, instead of aborting. Basically,
+if the rpcbind request fails, or the server keeps returning garbage, we
+really want to quit instead of retrying.
+
+Tested-by: Vasily Averin <vvs@sw.ru>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ fs/lockd/clntproc.c | 8 +++++++-
+ include/linux/sunrpc/sched.h | 4 ++--
+ net/sunrpc/clnt.c | 3 +++
+ net/sunrpc/sched.c | 1 +
+ 4 files changed, 13 insertions(+), 3 deletions(-)
+
+--- a/fs/lockd/clntproc.c
++++ b/fs/lockd/clntproc.c
+@@ -709,7 +709,13 @@ static void nlmclnt_unlock_callback(stru
+
+ if (task->tk_status < 0) {
+ dprintk("lockd: unlock failed (err = %d)\n", -task->tk_status);
+- goto retry_rebind;
++ switch (task->tk_status) {
++ case -EACCES:
++ case -EIO:
++ goto die;
++ default:
++ goto retry_rebind;
++ }
+ }
+ if (status == NLM_LCK_DENIED_GRACE_PERIOD) {
+ rpc_delay(task, NLMCLNT_GRACE_WAIT);
+--- a/include/linux/sunrpc/sched.h
++++ b/include/linux/sunrpc/sched.h
+@@ -84,8 +84,8 @@ struct rpc_task {
+ long tk_rtt; /* round-trip time (jiffies) */
+
+ pid_t tk_owner; /* Process id for batching tasks */
+- unsigned char tk_priority : 2;/* Task priority */
+-
++ unsigned char tk_priority : 2,/* Task priority */
++ tk_rebind_retry : 2;
+ #ifdef RPC_DEBUG
+ unsigned short tk_pid; /* debugging aid */
+ #endif
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -1052,6 +1052,9 @@ call_bind_status(struct rpc_task *task)
+ status = -EOPNOTSUPP;
+ break;
+ }
++ if (task->tk_rebind_retry == 0)
++ break;
++ task->tk_rebind_retry--;
+ rpc_delay(task, 3*HZ);
+ goto retry_timeout;
+ case -ETIMEDOUT:
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -799,6 +799,7 @@ static void rpc_init_task(struct rpc_tas
+ /* Initialize retry counters */
+ task->tk_garb_retry = 2;
+ task->tk_cred_retry = 2;
++ task->tk_rebind_retry = 2;
+
+ task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW;
+ task->tk_owner = current->tgid;
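Review bot: In the net/sunrpc/clnt.c hunk the new `if (task->tk_rebind_retry == 0) break;` has no comment, and the three pieces that make it work — the 2-bit `tk_rebind_retry` field added in sched.h, the initial value 2 set in sched.c, and the decrement here — can only be related by reading all four files. Suggest `/* bounded rebind retries (tk_rebind_retry): give up if rpcbind keeps failing */` above the check. Two things are worth stating in that comment as well: the field is a 2-bit field, so an initial value above 3 would silently truncate, and the `break` exits the switch into whatever follows it, which is outside the hunk, so the assumption that it reaches the task-exit path is inferred. call_bind_status() starts and ends outside the hunk.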
diff --git a/queue-2.6.33/scm-lower-scm_max_fd.patch b/queue-2.6.33/scm-lower-scm_max_fd.patch
new file mode 100644
index 0000000..b2c8f5b
--- /dev/null
+++ b/queue-2.6.33/scm-lower-scm_max_fd.patch
@@ -0,0 +1,73 @@
+From bba14de98753cb6599a2dae0e520714b2153522d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Tue, 23 Nov 2010 14:09:15 +0000
+Subject: scm: lower SCM_MAX_FD
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit bba14de98753cb6599a2dae0e520714b2153522d upstream.
+
+Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are
+halved. (commit f8d570a4 added two pointers in this structure)
+
+scm_fp_dup() should not copy whole structure (and trigger kmemcheck
+warnings), but only the used part. While we are at it, only allocate
+needed size.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/scm.h | 5 +++--
+ net/core/scm.c | 10 ++++++----
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -10,11 +10,12 @@
+ /* Well, we should have at least one descriptor open
+ * to accept passed FDs 8)
+ */
+-#define SCM_MAX_FD 255
++#define SCM_MAX_FD 253
+
+ struct scm_fp_list {
+ struct list_head list;
+- int count;
++ short count;
++ short max;
+ struct file *fp[SCM_MAX_FD];
+ };
+
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -78,10 +78,11 @@ static int scm_fp_copy(struct cmsghdr *c
+ return -ENOMEM;
+ *fplp = fpl;
+ fpl->count = 0;
++ fpl->max = SCM_MAX_FD;
+ }
+ fpp = &fpl->fp[fpl->count];
+
+- if (fpl->count + num > SCM_MAX_FD)
++ if (fpl->count + num > fpl->max)
+ return -EINVAL;
+
+ /*
+@@ -302,11 +303,12 @@ struct scm_fp_list *scm_fp_dup(struct sc
+ if (!fpl)
+ return NULL;
+
+- new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
++ new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
++ GFP_KERNEL);
+ if (new_fpl) {
+- for (i=fpl->count-1; i>=0; i--)
++ for (i = 0; i < fpl->count; i++)
+ get_file(fpl->fp[i]);
+- memcpy(new_fpl, fpl, sizeof(*fpl));
++ new_fpl->max = new_fpl->count;
+ }
+ return new_fpl;
+ }
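Review bot: In scm_fp_dup() the new `new_fpl->max = new_fpl->count;` line is what makes the shortened kmemdup() safe — the copy holds exactly `count` fp slots, and only scm_fp_copy()'s `fpl->count + num > fpl->max` test stops anyone from appending to it — but neither site says so. Suggest `/* duplicate is sized to count only; max keeps scm_fp_copy() from appending */` above the assignment. The kmemdup() still copies the `list` head from the source, as the old memcpy() did; whether callers re-initialize it is outside the hunk. scm_fp_copy() and scm_fp_dup() both start outside the hunk.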
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index ae66e17..495cad8 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -91,3 +91,11 @@ revert-usb-musb-restore-index-register-in-resume-path.patch
watchdog-mtx1-wdt-fix-build-failure.patch
kcore-fix-test-for-end-of-list.patch
thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch
+scm-lower-scm_max_fd.patch
+nlm-don-t-hang-forever-on-nlm-unlock-requests.patch
+bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
+vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
+bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
+nl80211-fix-overflow-in-ssid_len.patch
+net_sched-fix-qdisc_notify.patch
diff --git a/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch b/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
new file mode 100644
index 0000000..d41c76e
--- /dev/null
+++ b/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
@@ -0,0 +1,50 @@
+From a626ca6a656450e9f4df91d0dda238fff23285f4 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 13 Apr 2011 08:07:28 -0700
+Subject: vm: fix vm_pgoff wrap in stack expansion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a626ca6a656450e9f4df91d0dda238fff23285f4 upstream.
+
+Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+the case of a expanding mapping causing vm_pgoff wrapping when you used
+mremap. But there was another case where we expand mappings hiding in
+plain sight: the automatic stack expansion.
+
+This fixes that case too.
+
+This one also found by Robert Święcki, using his nasty system call
+fuzzer tool. Good job.
+
+Reported-and-tested-by: Robert Święcki <robert@swiecki.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mmap.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1721,10 +1721,13 @@ static int expand_downwards(struct vm_ar
+ size = vma->vm_end - address;
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error) {
+- vma->vm_start = address;
+- vma->vm_pgoff -= grow;
++ error = -ENOMEM;
++ if (grow <= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_start = address;
++ vma->vm_pgoff -= grow;
++ }
+ }
+ }
+ anon_vma_unlock(vma);
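Review bot: The new `if (grow <= vma->vm_pgoff)` guard in expand_downwards() has no comment, and the fact that it exists to stop the following `vma->vm_pgoff -= grow;` from wrapping below zero is only in the commit message. Suggest `/* refuse to grow if vm_pgoff would wrap below zero */` above the check. Presetting `error = -ENOMEM;` before the guard is fine, but a reader may wonder why a wrap is reported as out-of-memory rather than as an invalid address; one clause in the same comment would settle that. expand_downwards() starts outside the hunk.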
diff --git a/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch b/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
new file mode 100644
index 0000000..004278e
--- /dev/null
+++ b/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
@@ -0,0 +1,42 @@
+From 42c36f63ac1366ab0ecc2d5717821362c259f517 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Mon, 9 May 2011 17:44:42 -0700
+Subject: vm: fix vm_pgoff wrap in upward expansion
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 42c36f63ac1366ab0ecc2d5717821362c259f517 upstream.
+
+Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
+the case of an expanding mapping causing vm_pgoff wrapping when you had
+downward stack expansion. But there was another case where IA64 and
+PA-RISC expand mappings: upward expansion.
+
+This fixes that case too.
+
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mmap.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1677,9 +1677,12 @@ int expand_upwards(struct vm_area_struct
+ size = address - vma->vm_start;
+ grow = (address - vma->vm_end) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error)
+- vma->vm_end = address;
++ error = -ENOMEM;
++ if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error)
++ vma->vm_end = address;
++ }
+ }
+ anon_vma_unlock(vma);
+ return error;
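Review bot: The overflow test `vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff` in expand_upwards() only works because `vm_pgoff` is unsigned (the addition wraps instead of overflowing), and it reads as a tautology to anyone who does not have that in mind; a comment is warranted: `/* unsigned wrap check: vm_pgoff + the new size in pages must not overflow */`. It also tests with the whole new mapping size rather than with `grow`, whereas the companion downward-expansion patch compares `grow` against `vm_pgoff`; one sentence saying that the upward case must keep pgoff plus the entire mapping representable would spare the next reader that comparison. expand_upwards() starts outside the hunk.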