commit 4f49db6996167fbd99829643f4fe76fef70a7c4c Author: Greg Kroah-Hartman Date: Mon Sep 20 13:16:27 2010 -0700 Linux 2.6.27.54 commit 1b159e074a425d80c9cff0f19404a9fbe83140a5 Author: Roland McGrath Date: Tue Sep 14 12:22:58 2010 -0700 x86-64, compat: Retruncate rax after ia32 syscall entry tracing commit eefdca043e8391dcd719711716492063030b55ac upstream. In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a 32-bit tracee in system call entry. A %rax value set via ptrace at the entry tracing stop gets used whole as a 32-bit syscall number, while we only check the low 32 bits for validity. Fix it by truncating %rax back to 32 bits after syscall_trace_enter, in addition to testing the full 64 bits as has already been added. Reported-by: Ben Hawkes Signed-off-by: Roland McGrath Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 7a0e4cc1437156ac650b52653f1cd244ecfe0598 Author: Anton Vorontsov Date: Wed Sep 8 00:10:26 2010 +0400 apm_power: Add missing break statement commit 1d220334d6a8a711149234dc5f98d34ae02226b8 upstream. The missing break statement causes wrong capacity calculation for batteries that report energy. Reported-by: d binderman Signed-off-by: Anton Vorontsov Signed-off-by: Greg Kroah-Hartman commit a804b54dcb96b45c38443c8128123a9b7a291346 Author: Guillem Jover Date: Fri Sep 17 17:24:12 2010 +0200 hwmon: (f75375s) Do not overwrite values read from registers commit c3b327d60bbba3f5ff8fd87d1efc0e95eb6c121b upstream. All bits in the values read from registers to be used for the next write were getting overwritten, avoid doing so to not mess with the current configuration. Signed-off-by: Guillem Jover Cc: Riku Voipio Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 14df2c15035622fbc6830509d18b4256c81bbbfa Author: Guillem Jover Date: Fri Sep 17 17:24:11 2010 +0200 hwmon: (f75375s) Shift control mode to the correct bit position commit 96f3640894012be7dd15a384566bfdc18297bc6c upstream. The spec notes that fan0 and fan1 control mode bits are located in bits 7-6 and 5-4 respectively, but the FAN_CTRL_MODE macro was making the bits shift by 5 instead of by 4. Signed-off-by: Guillem Jover Cc: Riku Voipio Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 1d3fb6bbb5c235568f80fd708e5ec6149b5d141c Author: H. Peter Anvin Date: Tue Sep 7 16:16:18 2010 -0700 compat: Make compat_alloc_user_space() incorporate the access_ok() commit c41d68a513c71e35a14f66d71782d27a79a81ea6 upstream. compat_alloc_user_space() expects the caller to independently call access_ok() to verify the returned area. A missing call could introduce problems on some architectures. This patch incorporates the access_ok() check into compat_alloc_user_space() and also adds a sanity check on the length. The existing compat_alloc_user_space() implementations are renamed arch_compat_alloc_user_space() and are used as part of the implementation of the new global function. This patch assumes NULL will cause __get_user()/__put_user() to either fail or access userspace on all architectures. This should be followed by checking the return value of compat_access_user_space() for NULL in the callers, at which time the access_ok() in the callers can also be removed. Reported-by: Ben Hawkes Signed-off-by: H. Peter Anvin Acked-by: Benjamin Herrenschmidt Acked-by: Chris Metcalf Acked-by: David S. Miller Acked-by: Ingo Molnar Acked-by: Thomas Gleixner Acked-by: Tony Luck Cc: Andrew Morton Cc: Arnd Bergmann Cc: Fenghua Yu Cc: H. Peter Anvin Cc: Heiko Carstens Cc: Helge Deller Cc: James Bottomley Cc: Kyle McMartin Cc: Martin Schwidefsky Cc: Paul Mackerras Cc: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 18023624ec38bc31b5d9f16ea4077eb8b85c42bd Author: H. Peter Anvin Date: Tue Sep 14 12:42:41 2010 -0700 x86-64, compat: Test %rax for the syscall number, not %eax commit 36d001c70d8a0144ac1d038f6876c484849a74de upstream. On 64 bits, we always, by necessity, jump through the system call table via %rax. For 32-bit system calls, in theory the system call number is stored in %eax, and the code was testing %eax for a valid system call number. At one point we loaded the stored value back from the stack to enforce zero-extension, but that was removed in checkin d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process will not be able to introduce a non-zero-extended number, but it can happen via ptrace. Instead of re-introducing the zero-extension, test what we are actually going to use, i.e. %rax. This only adds a handful of REX prefixes to the code. Reported-by: Ben Hawkes Signed-off-by: H. Peter Anvin Cc: Roland McGrath Cc: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit c0a328941a72e32e194c3dcc9802b5970f55d9e9 Author: Gary King Date: Thu Sep 9 16:38:05 2010 -0700 bounce: call flush_dcache_page() after bounce_copy_vec() commit ac8456d6f9a3011c824176bd6084d39e5f70a382 upstream. I have been seeing problems on Tegra 2 (ARMv7 SMP) systems with HIGHMEM enabled on 2.6.35 (plus some patches targetted at 2.6.36 to perform cache maintenance lazily), and the root cause appears to be that the mm bouncing code is calling flush_dcache_page before it copies the bounce buffer into the bio. The bounced page needs to be flushed after data is copied into it, to ensure that architecture implementations can synchronize instruction and data caches if necessary. Signed-off-by: Gary King Cc: Tejun Heo Cc: Russell King Acked-by: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a80e26256afc836ea0b0e09444b1087cea46fd0a Author: Dan Carpenter Date: Sat Sep 4 03:14:35 2010 +0000 irda: off by one commit cf9b94f88bdbe8a02015fc30d7c232b2d262d4ad upstream. This is an off by one. We would go past the end when we NUL terminate the "value" string at end of the function. The "value" buffer is allocated in irlan_client_parse_response() or irlan_provider_parse_command(). CC: stable@kernel.org Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller commit 9af1d24a2b18b890a9f73aa6e3efdc70a16c54aa Author: Steven Rostedt Date: Wed Sep 8 11:20:37 2010 -0400 tracing: Do not allow llseek to set_ftrace_filter commit 9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7 upstream. Reading the file set_ftrace_filter does three things. 1) shows whether or not filters are set for the function tracer 2) shows what functions are set for the function tracer 3) shows what triggers are set on any functions 3 is independent from 1 and 2. The way this file currently works is that it is a state machine, and as you read it, it may change state. But this assumption breaks when you use lseek() on the file. The state machine gets out of sync and the t_show() may use the wrong pointer and cause a kernel oops. Luckily, this will only kill the app that does the lseek, but the app dies while holding a mutex. This prevents anyone else from using the set_ftrace_filter file (or any other function tracing file for that matter). A real fix for this is to rewrite the code, but that is too much for a -rc release or stable. This patch simply disables llseek on the set_ftrace_filter() file for now, and we can do the proper fix for the next major release. Reported-by: Robert Swiecki Cc: Chris Wright Cc: Tavis Ormandy Cc: Eugene Teo Cc: vendor-sec@lst.de Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit d14a2c2005c205bcd6742cac79dacd69436603b6 Author: Luis R. Rodriguez Date: Mon Aug 30 19:26:33 2010 -0400 ath9k_hw: fix parsing of HT40 5 GHz CTLs commit 904879748d7439a6dabdc6be9aad983e216b027d upstream. The 5 GHz CTL indexes were not being read for all hardware devices due to the masking out through the CTL_MODE_M mask being one bit too short. Without this the calibrated regulatory maximum values were not being picked up when devices operate on 5 GHz in HT40 mode. The final output power used for Atheros devices is the minimum between the calibrated CTL values and what CRDA provides. Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d0d3c686c7cb5a1b4d75df7fd76cae0d80f657a4 Author: Takashi Iwai Date: Mon Sep 6 09:13:45 2010 +0200 ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() commit 27f7ad53829f79e799a253285318bff79ece15bd upstream. The error handling in snd_seq_oss_open() has several bad codes that do dereferecing released pointers and double-free of kmalloc'ed data. The object dp is release in free_devinfo() that is called via private_free callback. The rest shouldn't touch this object any more. The patch changes delete_port() to call kfree() in any case, and gets rid of unnecessary calls of destructors in snd_seq_oss_open(). Fixes CVE-2010-3080. Reported-and-tested-by: Tavis Ormandy Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman