author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-11-02 14:46:28 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-11-02 14:46:28 -0700 |
commit | 8be978a522a2ce3b52d98d1596b31df32127abf4 (patch) | |
tree | eeb1d38cce2be00396f727827fabbeb527e6f9de | |
parent | 216f88f35249dcce54d46f58938d2ccf24ff83d9 (diff) | |
download | longterm-queue-2.6.33-8be978a522a2ce3b52d98d1596b31df32127abf4.tar.gz |
.33 patches
9 files changed, 443 insertions, 0 deletions
diff --git a/queue-2.6.33/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch b/queue-2.6.33/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
new file mode 100644
index 0000000..477b191
--- /dev/null
+++ b/queue-2.6.33/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
@@ -0,0 +1,42 @@
+From 8d03e971cf403305217b8e62db3a2e5ad2d6263f Mon Sep 17 00:00:00 2001
+From: Filip Palian <s3810@pjwstk.edu.pl>
+Date: Thu, 12 May 2011 19:32:46 +0200
+Subject: Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
+
+From: Filip Palian <s3810@pjwstk.edu.pl>
+
+commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f upstream.
+
+Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
+byte each. This byte in "cinfo" is copied to userspace uninitialized.
+
+Signed-off-by: Filip Palian <filip.palian@pjwstk.edu.pl>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bluetooth/l2cap.c | 1 +
+ net/bluetooth/rfcomm/sock.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -1892,6 +1892,7 @@ static int l2cap_sock_getsockopt_old(str
+ break;
+ }
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -879,6 +879,7 @@ static int rfcomm_sock_getsockopt_old(st
+
+ l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+ 
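Review bot: The memset() closes the leak for the two conninfo structs, but as far as I can tell the other getsockopt cases in these same functions (outside this hunk) also build a reply struct field by field and copy it out the same way, so any of them with internal or trailing padding leaks stack bytes exactly as `cinfo` did and deserves the same audit. memset() is the right tool here rather than a `= {0}` initializer, because C does not require an initializer to zero padding bytes; a one-line comment saying so would stop a later cleanup from "simplifying" it away, e.g. `/* zero the padding too: this struct is copied to userspace */`. The copy_to_user() and its length clamp follow outside the hunk.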
diff --git a/queue-2.6.33/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch b/queue-2.6.33/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
new file mode 100644
index 0000000..5b730d4
--- /dev/null
+++ b/queue-2.6.33/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
@@ -0,0 +1,35 @@
+From 7ac28817536797fd40e9646452183606f9e17f71 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 24 Jun 2011 08:38:05 -0400
+Subject: Bluetooth: Prevent buffer overflow in l2cap config request
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 7ac28817536797fd40e9646452183606f9e17f71 upstream.
+
+A remote user can provide a small value for the command size field in
+the command header of an l2cap configuration request, resulting in an
+integer underflow when subtracting the size of the configuration request
+header. This results in copying a very large amount of data via
+memcpy() and destroying the kernel heap. Check for underflow.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/bluetooth/l2cap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2741,7 +2741,7 @@ static inline int l2cap_config_req(struc
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
diff --git a/queue-2.6.33/net_sched-fix-qdisc_notify.patch b/queue-2.6.33/net_sched-fix-qdisc_notify.patch
new file mode 100644
index 0000000..5903dd0
--- /dev/null
+++ b/queue-2.6.33/net_sched-fix-qdisc_notify.patch
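Review bot: The added `len < 0` test is only effective because `len` is a signed int (its declaration is outside the hunk): `cmd_len - sizeof(*req)` is evaluated in size_t, wraps to a huge unsigned value, and becomes negative only on the implicit conversion back to int, so a later change of `len` to an unsigned type would silently disable the check on this remote-input path. A test that does not depend on that conversion is `if (cmd_len < sizeof(*req) || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {`, with `cmd_len` apparently being the 16-bit length field from the command header. A short comment would also help readers, e.g. `/* cmd_len covers the config request header too; a shorter command is malformed */`. l2cap_config_req() continues outside the hunk on both sides.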
@@ -0,0 +1,69 @@ +From 53b0f08042f04813cd1a7473dacd3edfacb28eb3 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <eric.dumazet@gmail.com> +Date: Sat, 22 May 2010 20:37:44 +0000 +Subject: net_sched: Fix qdisc_notify() + +From: Eric Dumazet <eric.dumazet@gmail.com> + +commit 53b0f08042f04813cd1a7473dacd3edfacb28eb3 upstream. + +Ben Pfaff reported a kernel oops and provided a test program to +reproduce it. + +https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805 + +tc_fill_qdisc() should not be called for builtin qdisc, or it +dereference a NULL pointer to get device ifindex. + +Fix is to always use tc_qdisc_dump_ignore() before calling +tc_fill_qdisc(). + +Reported-by: Ben Pfaff <blp@nicira.com> +Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/sched/sch_api.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1195,6 +1195,11 @@ nla_put_failure: + return -1; + } + ++static bool tc_qdisc_dump_ignore(struct Qdisc *q) ++{ ++ return (q->flags & TCQ_F_BUILTIN) ? true : false; ++} ++ + static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n, + u32 clid, struct Qdisc *old, struct Qdisc *new) + { +@@ -1205,11 +1210,11 @@ static int qdisc_notify(struct sk_buff * + if (!skb) + return -ENOBUFS; + +- if (old && old->handle) { ++ if (old && !tc_qdisc_dump_ignore(old)) { + if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0) + goto err_out; + } +- if (new) { ++ if (new && !tc_qdisc_dump_ignore(new)) { + if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0) + goto err_out; + } +@@ -1222,11 +1227,6 @@ err_out: + return -EINVAL; + } + +-static bool tc_qdisc_dump_ignore(struct Qdisc *q) +-{ +- return (q->flags & TCQ_F_BUILTIN) ? 
true : false; +-} +- + static int tc_dump_qdisc_root(struct Qdisc *root, struct sk_buff *skb, + struct netlink_callback *cb, + int *q_idx_p, int s_q_idx) diff --git a/queue-2.6.33/nl80211-fix-overflow-in-ssid_len.patch b/queue-2.6.33/nl80211-fix-overflow-in-ssid_len.patch new file mode 100644 index 0000000..76ed840 --- /dev/null +++ b/queue-2.6.33/nl80211-fix-overflow-in-ssid_len.patch 
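Review bot: Switching the guard in qdisc_notify() from `old->handle` to `!tc_qdisc_dump_ignore(old)` changes the condition from "has a handle" to "is not TCQ_F_BUILTIN", and `new` is now guarded as well, but nothing in the hunk records why the builtin flag is the right criterion; a comment above the first call would help, e.g. `/* builtin qdiscs have no device to report; tc_fill_qdisc() would dereference NULL */`. The moved helper could also drop the redundant conditional, `return q->flags & TCQ_F_BUILTIN;`, since it already returns bool. If any non-builtin qdisc can reach here with a zero handle (I cannot tell from the hunk), it would now be dumped where it was previously skipped, which is worth confirming against the callers. qdisc_notify() and tc_dump_qdisc_root() continue outside the hunk, and the hunk text is broken across two page lines at `? true : false`.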
@@ -0,0 +1,46 @@
+From 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 Mon Sep 17 00:00:00 2001
+From: Luciano Coelho <coelho@ti.com>
+Date: Tue, 7 Jun 2011 20:42:26 +0300
+Subject: nl80211: fix overflow in ssid_len
+
+From: Luciano Coelho <coelho@ti.com>
+
+commit 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 upstream.
+
+When one of the SSID's length passed in a scan or sched_scan request
+is larger than 255, there will be an overflow in the u8 that is used
+to store the length before checking. This causes the check to fail
+and we overrun the buffer when copying the SSID.
+
+Fix this by checking the nl80211 attribute length before copying it to
+the struct.
+
+This is a follow up for the previous commit
+208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
+entirely.
+
+Reported-by: Ido Yariv <ido@wizery.com>
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/nl80211.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3078,11 +3078,11 @@ static int nl80211_trigger_scan(struct s
+ i = 0;
+ if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
+- request->ssids[i].ssid_len = nla_len(attr);
+- if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
++ if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out_free;
+ }
++ request->ssids[i].ssid_len = nla_len(attr);
+ memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+ i++;
+ }
diff --git a/queue-2.6.33/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch b/queue-2.6.33/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch
new file mode 100644
index 0000000..8015c65
--- /dev/null
+++ b/queue-2.6.33/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch
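Review bot: `nla_len(attr)` is evaluated three times per SSID (bound check, `ssid_len` store, memcpy length); a local makes it visible that the checked value and the copied length are the same, `int len = nla_len(attr);` then `if (len > IEEE80211_MAX_SSID_LEN) {` and `memcpy(request->ssids[i].ssid, nla_data(attr), len);`. The check also relies on nla_for_each_nested()/nla_ok() having already rejected attributes shorter than the header, since nla_len() returns a signed int and a negative value would pass a `>` test; a one-line comment recording that assumption would help. The upstream text mentions sched_scan, but the backport touches only nl80211_trigger_scan(); if 2.6.33 has no sched_scan path that is correct, and the backport header should say so. The bound on `i` comes from a count computed outside the hunk.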
@@ -0,0 +1,78 @@ +From 0b760113a3a155269a3fba93a409c640031dd68f Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <Trond.Myklebust@netapp.com> +Date: Tue, 31 May 2011 15:15:34 -0400 +Subject: NLM: Don't hang forever on NLM unlock requests + +From: Trond Myklebust <Trond.Myklebust@netapp.com> + +commit 0b760113a3a155269a3fba93a409c640031dd68f upstream. + +If the NLM daemon is killed on the NFS server, we can currently end up +hanging forever on an 'unlock' request, instead of aborting. Basically, +if the rpcbind request fails, or the server keeps returning garbage, we +really want to quit instead of retrying. + +Tested-by: Vasily Averin <vvs@sw.ru> +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + + +--- + fs/lockd/clntproc.c | 8 +++++++- + include/linux/sunrpc/sched.h | 4 ++-- + net/sunrpc/clnt.c | 3 +++ + net/sunrpc/sched.c | 1 + + 4 files changed, 13 insertions(+), 3 deletions(-) + +--- a/fs/lockd/clntproc.c ++++ b/fs/lockd/clntproc.c +@@ -709,7 +709,13 @@ static void nlmclnt_unlock_callback(stru + + if (task->tk_status < 0) { + dprintk("lockd: unlock failed (err = %d)\n", -task->tk_status); +- goto retry_rebind; ++ switch (task->tk_status) { ++ case -EACCES: ++ case -EIO: ++ goto die; ++ default: ++ goto retry_rebind; ++ } + } + if (status == NLM_LCK_DENIED_GRACE_PERIOD) { + rpc_delay(task, NLMCLNT_GRACE_WAIT); +--- a/include/linux/sunrpc/sched.h ++++ b/include/linux/sunrpc/sched.h +@@ -84,8 +84,8 @@ struct rpc_task { + long tk_rtt; /* round-trip time (jiffies) */ + + pid_t tk_owner; /* Process id for batching tasks */ +- unsigned char tk_priority : 2;/* Task priority */ +- ++ unsigned char tk_priority : 2,/* Task priority */ ++ tk_rebind_retry : 2; + #ifdef RPC_DEBUG + unsigned short tk_pid; /* debugging aid */ + #endif +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1052,6 +1052,9 @@ call_bind_status(struct rpc_task *task) + status = -EOPNOTSUPP; + break; + } ++ if (task->tk_rebind_retry == 
0) ++ break; ++ task->tk_rebind_retry--; + rpc_delay(task, 3*HZ); + goto retry_timeout; + case -ETIMEDOUT: +--- a/net/sunrpc/sched.c ++++ b/net/sunrpc/sched.c +@@ -799,6 +799,7 @@ static void rpc_init_task(struct rpc_tas + /* Initialize retry counters */ + task->tk_garb_retry = 2; + task->tk_cred_retry = 2; ++ task->tk_rebind_retry = 2; + + task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW; + task->tk_owner = current->tgid; diff --git a/queue-2.6.33/scm-lower-scm_max_fd.patch b/queue-2.6.33/scm-lower-scm_max_fd.patch new file mode 100644 index 0000000..b2c8f5b --- /dev/null +++ b/queue-2.6.33/scm-lower-scm_max_fd.patch 
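Review bot: `tk_rebind_retry : 2` is a two-bit field and the `task->tk_rebind_retry = 2;` in rpc_init_task() is coupled to that width with nothing recording it, so a later bump to 4 would truncate to 0 (possibly with only a warning) and disable rebind retries altogether; suggest `tk_rebind_retry : 2; /* rpcbind retries left; 2 bits, so at most 3 */` and a named constant beside tk_garb_retry/tk_cred_retry. In nlmclnt_unlock_callback() the new switch gives up only on -EACCES and -EIO while every other negative tk_status still loops via `retry_rebind`; a comment on the two cases, e.g. `/* -EACCES: rpcbind retries exhausted; -EIO: server keeps returning garbage */`, would tie them to the call_bind_status() change. Both functions continue outside the hunk, and the hunk text is split across two page lines at `tk_rebind_retry ==`.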
@@ -0,0 +1,73 @@
+From bba14de98753cb6599a2dae0e520714b2153522d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Tue, 23 Nov 2010 14:09:15 +0000
+Subject: scm: lower SCM_MAX_FD
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit bba14de98753cb6599a2dae0e520714b2153522d upstream.
+
+Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are
+halved. (commit f8d570a4 added two pointers in this structure)
+
+scm_fp_dup() should not copy whole structure (and trigger kmemcheck
+warnings), but only the used part. While we are at it, only allocate
+needed size.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/scm.h | 5 +++--
+ net/core/scm.c | 10 ++++++----
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -10,11 +10,12 @@
+ /* Well, we should have at least one descriptor open
+ * to accept passed FDs 8)
+ */
+-#define SCM_MAX_FD 255
++#define SCM_MAX_FD 253
+
+ struct scm_fp_list {
+ struct list_head list;
+- int count;
++ short count;
++ short max;
+ struct file *fp[SCM_MAX_FD];
+ };
+
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -78,10 +78,11 @@ static int scm_fp_copy(struct cmsghdr *c
+ return -ENOMEM;
+ *fplp = fpl;
+ fpl->count = 0;
++ fpl->max = SCM_MAX_FD;
+ }
+ fpp = &fpl->fp[fpl->count];
+
+- if (fpl->count + num > SCM_MAX_FD)
++ if (fpl->count + num > fpl->max)
+ return -EINVAL;
+
+ /*
+@@ -302,11 +303,12 @@ struct scm_fp_list *scm_fp_dup(struct sc
+ if (!fpl)
+ return NULL;
+
+- new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
++ new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
++ GFP_KERNEL);
+ if (new_fpl) {
+- for (i=fpl->count-1; i>=0; i--)
++ for (i = 0; i < fpl->count; i++)
+ get_file(fpl->fp[i]);
+- memcpy(new_fpl, fpl, sizeof(*fpl));
++ new_fpl->max = new_fpl->count;
+ }
+ return new_fpl;
+ }
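Review bot: Lowering SCM_MAX_FD from 255 to 253 is a user-visible change — a sendmsg() carrying 254 or 255 descriptors in one SCM_RIGHTS message now fails with -EINVAL from scm_fp_copy() where it used to succeed — and neither the patch header nor the comment above the define says so; suggest extending that comment: `/* 253 rather than 255 keeps struct scm_fp_list in a smaller allocation size class; passing more FDs in one message returns -EINVAL. */`. In scm_fp_dup() the kmemdup() still copies `fpl->list`, so `new_fpl->list` carries the source list's prev/next pointers; the old memcpy did the same, but now that the copy is deliberately partial this is the place to either `INIT_LIST_HEAD(&new_fpl->list);` or comment why the stale pointers are harmless for the consumer that links it. `count` and `max` became `short`; with the 253 bound that is safe, and `fpl->count + num` still compares as int after promotion. scm_fp_copy() and scm_fp_dup() both begin outside the hunk.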
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index ae66e17..495cad8 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -91,3 +91,11 @@ revert-usb-musb-restore-index-register-in-resume-path.patch
 watchdog-mtx1-wdt-fix-build-failure.patch
 kcore-fix-test-for-end-of-list.patch
 thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch
+scm-lower-scm_max_fd.patch
+nlm-don-t-hang-forever-on-nlm-unlock-requests.patch
+bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
+vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
+bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
+nl80211-fix-overflow-in-ssid_len.patch
+net_sched-fix-qdisc_notify.patch
diff --git a/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch b/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
new file mode 100644
index 0000000..d41c76e
--- /dev/null
+++ b/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
@@ -0,0 +1,50 @@
+From a626ca6a656450e9f4df91d0dda238fff23285f4 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 13 Apr 2011 08:07:28 -0700
+Subject: vm: fix vm_pgoff wrap in stack expansion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a626ca6a656450e9f4df91d0dda238fff23285f4 upstream.
+
+Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+the case of a expanding mapping causing vm_pgoff wrapping when you used
+mremap. But there was another case where we expand mappings hiding in
+plain sight: the automatic stack expansion.
+
+This fixes that case too.
+
+This one also found by Robert Święcki, using his nasty system call
+fuzzer tool. Good job.
+
+Reported-and-tested-by: Robert Święcki <robert@swiecki.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mmap.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1721,10 +1721,13 @@ static int expand_downwards(struct vm_ar
+ size = vma->vm_end - address;
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error) {
+- vma->vm_start = address;
+- vma->vm_pgoff -= grow;
++ error = -ENOMEM;
++ if (grow <= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_start = address;
++ vma->vm_pgoff -= grow;
++ }
+ }
+ }
+ anon_vma_unlock(vma);
diff --git a/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch b/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
new file mode 100644
index 0000000..004278e
--- /dev/null
+++ b/queue-2.6.33/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
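Review bot: The new `if (grow <= vma->vm_pgoff)` guard carries no comment saying what it prevents, and at a glance it reads like an accounting check rather than the overflow fix it is; suggest `/* refuse if vm_pgoff -= grow would wrap below zero (found by syscall fuzzing) */` above it. Reporting the refusal as -ENOMEM reuses the errno acct_stack_growth() already returns, which keeps callers uniform but hides the distinct cause; fine for a stable backport, but the comment should mention it. `grow` and `vm_pgoff` appear to be unsigned long (their declarations are outside the hunk), so the comparison itself is well-defined. expand_downwards() begins and ends outside the hunk.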
@@ -0,0 +1,42 @@
+From 42c36f63ac1366ab0ecc2d5717821362c259f517 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Mon, 9 May 2011 17:44:42 -0700
+Subject: vm: fix vm_pgoff wrap in upward expansion
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 42c36f63ac1366ab0ecc2d5717821362c259f517 upstream.
+
+Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
+the case of an expanding mapping causing vm_pgoff wrapping when you had
+downward stack expansion. But there was another case where IA64 and
+PA-RISC expand mappings: upward expansion.
+
+This fixes that case too.
+
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mmap.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1677,9 +1677,12 @@ int expand_upwards(struct vm_area_struct
+ size = address - vma->vm_start;
+ grow = (address - vma->vm_end) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error)
+- vma->vm_end = address;
++ error = -ENOMEM;
++ if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error)
++ vma->vm_end = address;
++ }
+ }
+ anon_vma_unlock(vma);
+ return error; |
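Review bot: `vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff` is an unsigned-wrap test written without explanation, and it is shaped differently from the downward-growth fix (`grow <= vma->vm_pgoff`) in the sibling patch, so a reader has to work out why the sum uses the full new `size` rather than `grow`; suggest `/* the end offset, vm_pgoff + new length in pages, must not wrap around */` above the condition. Because vm_pgoff and size appear to be unsigned long (declarations are outside the hunk), the wrap is defined behaviour and `>=` catches it; if either were signed this would be undefined and a compiler could drop the test, which the comment should also record. expand_upwards() ends with the `return error;` shown but starts outside the hunk.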