commit 70d6a219673f4e7c48e0487e8f83dfb2811a1ad8
Author: Greg Kroah-Hartman
Date:   Mon Jan 18 10:34:45 2010 -0800

    Linux 2.6.27.44

commit ac32beada1873026a419939687df7fbf060e7840
Author: Neil Campbell
Date:   Mon Dec 14 04:08:57 2009 +0000

    powerpc: Handle VSX alignment faults correctly in little-endian mode

    commit bb7f20b1c639606def3b91f4e4aca6daeee5d80a upstream.

    This patch fixes the handling of VSX alignment faults in little-endian
    mode (the current code assumes the processor is in big-endian mode).

    The patch also makes the handlers clear the top 8 bytes of the register
    when handling an 8 byte VSX load.

    This is based on 2.6.32.

    Signed-off-by: Neil Campbell
    Acked-by: Michael Neuling
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 816972c12bfc3a1a92a64bf0fba633501004e4c6
Author: Michael Neuling
Date:   Wed Apr 1 18:02:42 2009 +0000

    powerpc: Disable VSX or current process in giveup_fpu/altivec

    commit 7e875e9dc8af70d126fa632446e967327ac3fdda upstream.

    When we call giveup_fpu, we need to turn off VSX for the current
    process. If we don't, on return to userspace it may execute a VSX
    instruction before the next FP instruction, and not have its register
    state refreshed correctly from the thread_struct. Ditto for altivec.

    This caused a bug where an unaligned lfs or stfs results in
    fix_alignment calling giveup_fpu so it can use the FPRs (in order to
    do a single <-> double conversion), and then returning to userspace
    with FP off but VSX on. Then if a VSX instruction is executed, before
    another FP instruction, it will proceed without another exception and
    hence have the incorrect register state for VSX registers 0-31.

       lfs unaligned   <- alignment exception turns FP off but leaves VSX on

       VSX instruction <- no exception since VSX on, hence we get the
                          wrong VSX register values for VSX registers 0-31,
                          which overlap the FPRs.

    Signed-off-by: Michael Neuling
    Signed-off-by: Paul Mackerras
    Signed-off-by: Greg Kroah-Hartman

commit 6f5195525e548d474a77ce00baa927e5c7ed6976
Author: Al Viro
Date:   Sat Dec 19 16:03:30 2009 +0000

    fix more leaks in audit_tree.c tag_chunk()

    commit b4c30aad39805902cf5b855aa8a8b22d728ad057 upstream.

    Several leaks in audit_tree didn't get caught by commit
    318b6d3d7ddbcad3d6867e630711b8a705d873d7, including the leak on normal
    exit in case of multiple rules referring to the same chunk.

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 0ad8dbec4622c3eef0abe019b9f036ff6a12f277
Author: Al Viro
Date:   Sat Dec 19 15:59:45 2009 +0000

    fix braindamage in audit_tree.c untag_chunk()

    commit 6f5d51148921c242680a7a1d9913384a30ab3cbe upstream.

    ... aka "Al had badly fscked up when writing that thing and nobody
    noticed until Eric had fixed leaks that used to mask the breakage".

    The function essentially creates a copy of old array sans one element
    and replaces the references to elements of original (they are on cyclic
    lists) with those to corresponding elements of new one. After that the
    old one is fair game for freeing.

    First of all, there's a dumb braino: when we get to list_replace_init we
    use indices for wrong arrays - position in new one with the old array
    and vice versa.

    Another bug is more subtle - termination condition is wrong if the
    element to be excluded happens to be the last one. We shouldn't go
    until we fill the new array, we should go until we'd finished the old
    one. Otherwise the element we are trying to kill will remain on the
    cyclic lists...

    That crap used to be masked by several leaks, so it was not quite
    trivial to hit. Eric had fixed some of those leaks a while ago and the
    shit had hit the fan...

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f21c582a940198ef810e7744c9f91cdafd1a6ed5
Author: Florian Westphal
Date:   Fri Jan 8 17:31:24 2010 +0100

    netfilter: ebtables: enforce CAP_NET_ADMIN

    commit dce766af541f6605fa9889892c0280bab31c66ab upstream.

    normal users are currently allowed to set/modify ebtables rules.
    Restrict it to processes with CAP_NET_ADMIN.

    Note that this cannot be reproduced with unmodified ebtables binary
    because it uses SOCK_RAW.

    Signed-off-by: Florian Westphal
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit e3f94f64a91768da5b136b22dc5faa2447ec2ac8
Author: Andi Kleen
Date:   Fri Jan 8 14:42:52 2010 -0800

    kernel/signal.c: fix kernel information leak with print-fatal-signals=1

    commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream.

    When print-fatal-signals is enabled it's possible to dump any memory
    reachable by the kernel to the log by simply jumping to that address
    from user space.

    Or crash the system if there's some hardware with read side effects.

    The fatal signals handler will dump 16 bytes at the execution address,
    which is fully controlled by ring 3.

    In addition when something jumps to an unmapped address there will be up
    to 16 additional useless page faults, which might be potentially slow
    (and at least is not very efficient).

    Fortunately this option is off by default and only there on i386.

    But fix it by checking for kernel addresses and also stopping when
    there's a page fault.

    Signed-off-by: Andi Kleen
    Cc: Ingo Molnar
    Cc: Oleg Nesterov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
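
The termination bug described in the audit_tree.c untag_chunk() commit above, shown as a user-space model. This is an example added here, not the kernel's code and not taken from the patch; the node type, the list helpers, drop_one() and the array size N are hypothetical names and constructed values.

```c
#include <stdio.h>

/* Minimal cyclic doubly linked list, modelled on the kernel's list_head. */
struct node { struct node *next, *prev; int from_old; };

static void init(struct node *n) { n->next = n->prev = n; }

static void add_tail(struct node *n, struct node *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

static void del_init(struct node *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    init(n);
}

/* Put nw in the list position held by old, then detach old. */
static void replace_init(struct node *old, struct node *nw) {
    nw->next = old->next; nw->next->prev = nw;
    nw->prev = old->prev; nw->prev->next = nw;
    init(old);
}

#define N 4  /* constructed size of the old array */

/* Copy old[] minus old[victim] into nw[], moving list membership across.
 * stop_when_new_full=1 models the wrong termination condition.
 * Returns how many list entries still point into old[] afterwards. */
int drop_one(int victim, int stop_when_new_full) {
    struct node head, old[N], nw[N - 1], *p;
    int i, j, stale = 0;

    init(&head);
    for (j = 0; j < N; j++) { old[j].from_old = 1; add_tail(&old[j], &head); }
    for (i = j = 0; stop_when_new_full ? i < N - 1 : j < N; i++, j++) {
        if (j == victim) { del_init(&old[j]); i--; continue; }
        nw[i].from_old = 0;
        replace_init(&old[j], &nw[i]);  /* old index j pairs with new index i */
    }
    for (p = head.next; p != &head; p = p->next)
        stale += p->from_old;
    return stale;
}

int main(void) {
    printf("victim last, stop on new full: %d stale\n", drop_one(N - 1, 1));
    printf("victim last, stop on old done: %d stale\n", drop_one(N - 1, 0));
    return 0;
}
```

A non-zero result means the list still references the array that is about to be freed, which in the kernel would be a dangling pointer on a live list.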