commit 666bc219c81eeaf90cb6171dcfee4ef322abcde3 Author: Greg Kroah-Hartman Date: Thu Dec 9 13:24:40 2010 -0800 Linux 2.6.27.57 commit 4cdc2eff54305fe4ac976f091ab2ad8952100f1a Author: Phil Blundell Date: Wed Nov 24 11:49:53 2010 -0800 econet: fix CVE-2010-3850 commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream. Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation. Signed-off-by: Phil Blundell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b13ca1096cc1e5563fbf551d4ffb27798e0d731e Author: Phil Blundell Date: Wed Nov 24 11:49:19 2010 -0800 econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849 commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream. Later parts of econet_sendmsg() rely on saddr != NULL, so return early with EINVAL if NULL was passed otherwise an oops may occur. Signed-off-by: Phil Blundell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1ee97ce543460d963911ca8d0b8461ba7b48846d Author: Dan Rosenberg Date: Fri Nov 12 12:44:42 2010 -0800 x25: Prevent crashing when parsing bad X.25 facilities commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream. Now with improved comma support. On parsing malformed X.25 facilities, decrementing the remaining length may cause it to underflow. Since the length is an unsigned integer, this will result in the loop continuing until the kernel crashes. This patch adds checks to ensure decrementing the remaining length does not cause it to wrap around. Signed-off-by: Dan Rosenberg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit be609a1fca672655bf831d296685f33ba330e007 Author: Dan Rosenberg Date: Wed Sep 15 18:44:22 2010 -0300 V4L/DVB: ivtvfb: prevent reading uninitialized stack memory commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 upstream. The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes of uninitialized stack memory, because the "reserved" member of the fb_vblank struct declared on the stack is not altered or zeroed before being copied back to the user. This patch takes care of it. Signed-off-by: Dan Rosenberg Signed-off-by: Andy Walls Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 9735bccca9d144ab223cab2cadcd7dfa96a958bf Author: Oliver Hartkopp Date: Wed Nov 10 12:10:30 2010 +0000 can-bcm: fix minor heap overflow commit 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream. On 64-bit platforms the ASCII representation of a pointer may be up to 17 bytes long. This patch increases the length of the buffer accordingly. http://marc.info/?l=linux-netdev&m=128872251418192&w=2 Reported-by: Dan Rosenberg Signed-off-by: Oliver Hartkopp CC: Linus Torvalds Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8ee234bf416ffcb2ca526ecaac90e1b7d3866825 Author: andrew hendry Date: Wed Nov 3 12:54:53 2010 +0000 memory corruption in X.25 facilities parsing commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream. Signed-of-by: Andrew Hendry Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c773a332d06e4ef459533d8299f47114b4014bdd Author: John Hughes Date: Wed Apr 7 21:29:25 2010 -0700 x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet. commit f5eb917b861828da18dc28854308068c66d1449a upstream. Here is a patch to stop X.25 examining fields beyond the end of the packet. For example, when a simple CALL ACCEPTED was received: 10 10 0f x25_parse_facilities was attempting to decode the FACILITIES field, but this packet contains no facilities field. Signed-off-by: John Hughes Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 89c5e8fb2127d908006ff47cda51708fb31151ec Author: Shan Wei Date: Tue Jan 26 02:40:38 2010 +0000 ipv6: conntrack: Add member of user to nf_ct_frag6_queue structure commit c92b544bd5d8e7ed7d81c77bbecab6df2a95aa53 upstream. The commit 0b5ccb2(title:ipv6: reassembly: use seperate reassembly queues for conntrack and local delivery) has broken the saddr&&daddr member of nf_ct_frag6_queue when creating new queue. And then hash value generated by nf_hashfn() was not equal with that generated by fq_find(). So, a new received fragment can't be inserted to right queue. The patch fixes the bug with adding member of user to nf_ct_frag6_queue structure. Signed-off-by: Shan Wei Acked-by: Patrick McHardy Signed-off-by: David S. Miller Cc: Pascal Hambourg Signed-off-by: Greg Kroah-Hartman commit 88e762503264d0d6bc0cf27d44be0f30cc8a8972 Author: Linus Torvalds Date: Sat Oct 30 16:43:10 2010 -0700 net: Truncate recvfrom and sendto length to INT_MAX. commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream. Signed-off-by: Linus Torvalds Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f55602fe53731957890c6af874c40f5b0c07a387 Author: Tom Marshall Date: Mon Sep 20 15:42:05 2010 -0700 tcp: Fix race in tcp_poll [ Upstream commit a4d258036ed9b2a1811c3670c6099203a0f284a0 ] If a RST comes in immediately after checking sk->sk_err, tcp_poll will return POLLIN but not POLLOUT. Fix this by checking sk->sk_err at the end of tcp_poll. Additionally, ensure the correct order of operations on SMP machines with memory barriers. Signed-off-by: Tom Marshall Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8fe45abc8d6f871411f8305d82bb999926629afb Author: Robin Holt Date: Wed Oct 20 02:03:37 2010 +0000 Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows. [ Upstream fixed this in a different way as parts of the commits: 8d987e5c7510 (net: avoid limits overflow) a9febbb4bd13 (sysctl: min/max bounds are optional) 27b3d80a7b6a (sysctl: fix min/max handling in __do_proc_doulongvec_minmax()) -DaveM ] On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and sysctl_sctp_mem[2] can integer overflow. Set limit such that they are maximized without overflowing. Signed-off-by: Robin Holt To: "David S. Miller" Cc: Willy Tarreau Cc: linux-kernel@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-sctp@vger.kernel.org Cc: Alexey Kuznetsov Cc: "Pekka Savola (ipv6)" Cc: James Morris Cc: Hideaki YOSHIFUJI Cc: Patrick McHardy Cc: Vlad Yasevich Cc: Sridhar Samudrala Signed-off-by: Greg Kroah-Hartman commit 9c972f1046dc4231175bc93f0bf41a3064471855 Author: Nagendra Tomar Date: Sat Oct 2 23:45:06 2010 +0000 net: Fix the condition passed to sk_wait_event() [ Upstream commit 482964e56e1320cb7952faa1932d8ecf59c4bf75 ] This patch fixes the condition (3rd arg) passed to sk_wait_event() in sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory() causes the following soft lockup in tcp_sendmsg() when the global tcp memory pool has exhausted. >>> snip <<< localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429] localhost kernel: CPU 3: localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200] [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200 localhost kernel: localhost kernel: Call Trace: localhost kernel: [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200 localhost kernel: [] autoremove_wake_function+0x0/0x40 localhost kernel: [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0 localhost kernel: [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140 localhost kernel: [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130 localhost kernel: [] autoremove_wake_function+0x0/0x40 localhost kernel: [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170 localhost kernel: [vfs_write+0x185/0x190] vfs_write+0x185/0x190 localhost kernel: [sys_write+0x50/0x90] sys_write+0x50/0x90 localhost kernel: [system_call+0x7e/0x83] system_call+0x7e/0x83 >>> snip <<< What is happening is, that the sk_wait_event() condition passed from sk_stream_wait_memory() evaluates to true for the case of tcp global memory exhaustion. This is because both sk_stream_memory_free() and vm_wait are true which causes sk_wait_event() to *not* call schedule_timeout(). Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping. This causes the caller to again try allocation, which again fails and again calls sk_stream_wait_memory(), and so on. [ Bug introduced by commit c1cbe4b7ad0bc4b1d98ea708a3fecb7362aa4088 ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ] Signed-off-by: Nagendra Singh Tomar Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8ccbc9f2b9e169412c9b92d1a3e1de1dac9a9783 Author: David S. Miller Date: Mon Sep 20 15:40:35 2010 -0700 rose: Fix signedness issues wrt. digi count. [ Upstream commit 9828e6e6e3f19efcb476c567b9999891d051f52f ] Just use explicit casts, since we really can't change the types of structures exported to userspace which have been around for 15 years or so. Reported-by: Dan Rosenberg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7c873a37d10ef7e9291b812421d7e6ef52f4793a Author: Maciej Żenczykowski Date: Sun Oct 3 14:49:00 2010 -0700 net: Fix IPv6 PMTU disc. w/ asymmetric routes [ Upstream commit ae878ae280bea286ff2b1e1cb6e609dd8cb4501d ] Signed-off-by: Maciej Żenczykowski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1d58c9a17dc76d4ae75e9f63417be0e6de48bb48 Author: Ulrich Weber Date: Mon Nov 1 08:23:04 2010 -0700 xfrm4: strip ECN and IP Precedence bits in policy lookup [ Upstream commit 94e2238969e89f5112297ad2a00103089dde7e8f ] dont compare ECN and IP Precedence bits in find_bundle and use ECN bit stripped TOS value in xfrm_lookup Signed-off-by: Ulrich Weber Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 62a6deb643c058b1ad01b0c65f694822f90d2bf5 Author: Kees Cook Date: Mon Nov 1 08:19:00 2010 -0700 net: clear heap allocations for privileged ethtool actions [ Upstream commit b00916b189d13a615ff05c9242201135992fcda3 ] Several other ethtool functions leave heap uncleared (potentially) by drivers. Some interfaces appear safe (eeprom, etc), in that the sizes are well controlled. In some situations (e.g. unchecked error conditions), the heap will remain unchanged in areas before copying back to userspace. Note that these are less of an issue since these all require CAP_NET_ADMIN. Cc: stable@kernel.org Signed-off-by: Kees Cook Acked-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f0097b8e359731d22c017805421dca8ab3bf691c Author: James Jones Date: Wed Nov 24 00:21:37 2010 +0100 ARM: 6482/2: Fix find_next_zero_bit and related assembly commit 0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream. The find_next_bit, find_first_bit, find_next_zero_bit and find_first_zero_bit functions were not properly clamping to the maxbit argument at the bit level. They were instead only checking maxbit at the byte level. To fix this, add a compare and a conditional move instruction to the end of the common bit-within-the- byte code used by all the functions and be sure not to clobber the maxbit argument before it is used. Reviewed-by: Nicolas Pitre Tested-by: Stephen Warren Signed-off-by: James Jones Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 7f8ad3074fee297abee71d801c93a2ee0d90e451 Author: Dan Rosenberg Date: Tue Nov 23 11:02:13 2010 +0000 DECnet: don't leak uninitialized stack byte commit 3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream. A single uninitialized padding byte is leaked to userspace. Signed-off-by: Dan Rosenberg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ec1793bd760a355fb69468f01705d3267651f8ca Author: Nelson Elhage Date: Thu Dec 2 14:31:21 2010 -0800 do_exit(): make sure that we run with get_fs() == USER_DS commit 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream. If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not otherwise reset before do_exit(). do_exit may later (via mm_release in fork.c) do a put_user to a user-controlled address, potentially allowing a user to leverage an oops into a controlled write into kernel memory. This is only triggerable in the presence of another bug, but this potentially turns a lot of DoS bugs into privilege escalations, so it's worth fixing. I have proof-of-concept code which uses this bug along with CVE-2010-3849 to write a zero to an arbitrary kernel address, so I've tested that this is not theoretical. A more logical place to put this fix might be when we know an oops has occurred, before we call do_exit(), but that would involve changing every architecture, in multiple places. Let's just stick it in do_exit instead. [akpm@linux-foundation.org: update code comment] Signed-off-by: Nelson Elhage Cc: KOSAKI Motohiro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8d41cfeeacabaaace31b13071a46b8e0e4afb592 Author: Zhang Rui Date: Tue Oct 12 09:09:37 2010 +0800 acpi-cpufreq: fix a memleak when unloading driver commit dab5fff14df2cd16eb1ad4c02e83915e1063fece upstream. We didn't free per_cpu(acfreq_data, cpu)->freq_table when acpi_freq driver is unloaded. Resulting in the following messages in /sys/kernel/debug/kmemleak: unreferenced object 0xf6450e80 (size 64): comm "modprobe", pid 1066, jiffies 4294677317 (age 19290.453s) hex dump (first 32 bytes): 00 00 00 00 e8 a2 24 00 01 00 00 00 00 9f 24 00 ......$.......$. 02 00 00 00 00 6a 18 00 03 00 00 00 00 35 0c 00 .....j.......5.. backtrace: [] kmemleak_alloc+0x27/0x50 [] __kmalloc+0xcf/0x110 [] acpi_cpufreq_cpu_init+0x1ee/0x4e4 [acpi_cpufreq] [] cpufreq_add_dev+0x142/0x3a0 [] sysdev_driver_register+0x97/0x110 [] cpufreq_register_driver+0x86/0x140 [] 0xf9dad080 [] do_one_initcall+0x30/0x160 [] sys_init_module+0x99/0x1e0 [] sysenter_do_call+0x12/0x26 [] 0xffffffff https://bugzilla.kernel.org/show_bug.cgi?id=15807#c21 Tested-by: Toralf Forster Signed-off-by: Zhang Rui Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 98a2e745dc5e83ed1979de40c9bc25f685933d96 Author: Greg Kroah-Hartman Date: Mon Nov 15 11:34:26 2010 -0800 USB: misc: trancevibrator: fix up a sysfs attribute permission commit d489a4b3926bad571d404ca6508f6744b9602776 upstream. It should not be writable by any user. Reported-by: Linus Torvalds Cc: Sam Hocevar Signed-off-by: Greg Kroah-Hartman commit 7a8cf409628a881397dee0ae7bc11085e61427ad Author: Greg Kroah-Hartman Date: Mon Nov 15 11:35:49 2010 -0800 USB: misc: usbled: fix up some sysfs attribute permissions commit 48f115470e68d443436b76b22dad63ffbffd6b97 upstream. They should not be writable by any user. Reported-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 76845882ec8ffa9f70a0ed215ad72b582e10e2ad Author: Greg Kroah-Hartman Date: Mon Nov 15 11:32:38 2010 -0800 USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions commit c990600d340641150f7270470a64bd99a5c0b225 upstream. They should not be writable by any user. Reported-by: Linus Torvalds Cc: Oliver Bock Signed-off-by: Greg Kroah-Hartman commit 466b01f62d894f05242e246838d94078c22d6c7e Author: Greg Kroah-Hartman Date: Mon Nov 15 11:11:45 2010 -0800 USB: atm: ueagle-atm: fix up some permissions on the sysfs files commit e502ac5e1eca99d7dc3f12b2a6780ccbca674858 upstream. Some of the sysfs files had the incorrect permissions. Some didn't make sense at all (writable for a file that you could not write to?) Reported-by: Linus Torvalds Cc: Matthieu Castet Cc: Stanislaw Gruszka Cc: Damien Bergamini Signed-off-by: Greg Kroah-Hartman commit d5f1f27112f1c969a6dc8ea9984fe6777b5344e3 Author: Greg Kroah-Hartman Date: Mon Nov 15 11:17:52 2010 -0800 USB: storage: sierra_ms: fix sysfs file attribute commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream. A non-writable sysfs file shouldn't have writable attributes. Reported-by: Linus Torvalds Cc: Kevin Lloyd Cc: Matthew Dharm Signed-off-by: Greg Kroah-Hartman commit acfaf795b87fa4f34022a2c127930848a93742d3 Author: Alan Stern Date: Tue Nov 16 10:57:37 2010 -0500 USB: EHCI: fix obscure race in ehci_endpoint_disable commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream. This patch (as1435) fixes an obscure and unlikely race in ehci-hcd. When an async URB is unlinked, the corresponding QH is removed from the async list. If the QH's endpoint is then disabled while the URB is being given back, ehci_endpoint_disable() won't find the QH on the async list, causing it to believe that the QH has been lost. This will lead to a memory leak at best and quite possibly to an oops. The solution is to trust usbcore not to lose track of endpoints. If the QH isn't on the async list then it doesn't need to be taken off the list, but the driver should still wait for the QH to become IDLE before disabling it. In theory this fixes Bugzilla #20182. In fact the race is so rare that it's not possible to tell whether the bug is still present. However, adding delays and making other changes to force the race seems to show that the patch works. Signed-off-by: Alan Stern Reported-by: Stefan Richter CC: David Brownell Signed-off-by: Greg Kroah-Hartman commit 3ddf4f97bee674e72412d9b0a3be2695d80dad3a Author: Vasiliy Kulikov Date: Sat Nov 6 17:41:28 2010 +0300 usb: core: fix information leak to userland commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream. Structure usbdevfs_connectinfo is copied to userland with padding byted after "slow" field uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Signed-off-by: Greg Kroah-Hartman commit 82d1639ec939d83169f0b556a29c711e43a0290e Author: Vasiliy Kulikov Date: Sat Nov 6 17:41:31 2010 +0300 usb: misc: iowarrior: fix information leak to userland commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream. Structure iowarrior_info is copied to userland with padding byted between "serial" and "revision" fields uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Acked-by: Kees Cook Signed-off-by: Greg Kroah-Hartman commit a4548d087ffaaecc406518cc3dfae2c92a28aea2 Author: Vasiliy Kulikov Date: Sat Nov 6 17:41:35 2010 +0300 usb: misc: sisusbvga: fix information leak to userland commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream. Structure sisusb_info is copied to userland with "sisusb_reserved" field uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Signed-off-by: Greg Kroah-Hartman commit 330b3db2ccf393581e2c06d2cb36e0689dd585e3 Author: Tejun Heo Date: Mon Nov 1 11:39:19 2010 +0100 libata: fix NULL sdev dereference race in atapi_qc_complete() commit 2a5f07b5ec098edc69e05fdd2f35d3fbb1235723 upstream. SCSI commands may be issued between __scsi_add_device() and dev->sdev assignment, so it's unsafe for ata_qc_complete() to dereference dev->sdev->locked without checking whether it's NULL or not. Fix it. Signed-off-by: Tejun Heo Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 99b6f6c69d47e4e61856884e96020bb4a57d6158 Author: Jens Axboe Date: Wed Nov 10 14:36:25 2010 +0100 bio: take care not overflow page count when mapping/copying user data commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream. If the iovec is being set up in a way that causes uaddr + PAGE_SIZE to overflow, we could end up attempting to map a huge number of pages. Check for this invalid input type. Reported-by: Dan Rosenberg Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit b2fcddfdd588f3a719fc50f3ef0934daa0d2cbe1 Author: Tyler Hicks Date: Thu Sep 23 02:35:04 2010 -0500 eCryptfs: Clear LOOKUP_OPEN flag when creating lower file commit 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 upstream. eCryptfs was passing the LOOKUP_OPEN flag through to the lower file system, even though ecryptfs_create() doesn't support the flag. A valid filp for the lower filesystem could be returned in the nameidata if the lower file system's create() function supported LOOKUP_OPEN, possibly resulting in unencrypted writes to the lower file. However, this is only a potential problem in filesystems (FUSE, NFS, CIFS, CEPH, 9p) that eCryptfs isn't known to support today. https://bugs.launchpad.net/ecryptfs/+bug/641703 Reported-by: Kevin Buhr Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit 1a9dd6359be697ed777a645d6ce8719b70cb9dba Author: Graham Gower Date: Wed Oct 27 15:33:00 2010 -0700 drivers/char/vt_ioctl.c: fix VT_OPENQRY error value commit 1e0ad2881d50becaeea70ec696a80afeadf944d2 upstream. When all VT's are in use, VT_OPENQRY casts -1 to unsigned char before returning it to userspace as an int. VT255 is not the next available console. Signed-off-by: Graham Gower Cc: Greg KH Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ff63490293484aa5f62268fc46e34645c07c483a Author: Dan Rosenberg Date: Thu Sep 30 15:15:31 2010 -0700 sys_semctl: fix kernel stack leakage commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 upstream. The semctl syscall has several code paths that lead to the leakage of uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO, IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete version of the semid_ds struct. The copy_semid_to_user() function declares a semid_ds struct on the stack and copies it back to the user without initializing or zeroing the "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers, allowing the leakage of 16 bytes of kernel stack memory. The code is still reachable on 32-bit systems - when calling semctl() newer glibc's automatically OR the IPC command with the IPC_64 flag, but invoking the syscall directly allows users to use the older versions of the struct. Signed-off-by: Dan Rosenberg Cc: Manfred Spraul Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 77f5c399311bd4a6d8836dbd788dd0e45a582d15 Author: Vasiliy Kulikov Date: Sat Oct 30 18:22:49 2010 +0400 ipc: shm: fix information leak to userland commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream. The shmid_ds structure is copied to userland with shm_unused{,2,3} fields unitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Acked-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f6d7c2efda237f01fedc31965d056226e0df6a1d Author: Dan Rosenberg Date: Wed Oct 27 15:34:17 2010 -0700 ipc: initialize structure memory to zero for compat functions commit 03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream. This takes care of leaking uninitialized kernel stack memory to userspace from non-zeroed fields in structs in compat ipc functions. Signed-off-by: Dan Rosenberg Cc: Manfred Spraul Cc: Arnd Bergmann Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6b5df7b78075c50f4918da9f4d7cdb99b145de23 Author: KAMEZAWA Hiroyuki Date: Tue Oct 26 14:22:08 2010 -0700 mm: fix is_mem_section_removable() page_order BUG_ON check commit 572438f9b52236bd8938b1647cc15e027d27ef55 upstream. page_order() is called by memory hotplug's user interface to check the section is removable or not. (is_mem_section_removable()) It calls page_order() withoug holding zone->lock. So, even if the caller does if (PageBuddy(page)) ret = page_order(page) ... The caller may hit BUG_ON(). For fixing this, there are 2 choices. 1. add zone->lock. 2. remove BUG_ON(). is_mem_section_removable() is used for some "advice" and doesn't need to be 100% accurate. This is_removable() can be called via user program.. We don't want to take this important lock for long by user's request. So, this patch removes BUG_ON(). Signed-off-by: KAMEZAWA Hiroyuki Acked-by: Wu Fengguang Acked-by: Michal Hocko Acked-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b9187a11bc39b9c499593a04d6a132ce784e0623 Author: KAMEZAWA Hiroyuki Date: Tue Oct 26 14:21:10 2010 -0700 mm: fix return value of scan_lru_pages in memory unplug commit f8f72ad5396987e05a42cf7eff826fb2a15ff148 upstream. scan_lru_pages returns pfn. So, it's type should be "unsigned long" not "int". Note: I guess this has been work until now because memory hotplug tester's machine has not very big memory.... physical address < 32bit << PAGE_SHIFT. Reported-by: KOSAKI Motohiro Signed-off-by: KAMEZAWA Hiroyuki Reviewed-by: KOSAKI Motohiro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 466321450a6e69af401c6cf9e146fa92cde6debb Author: Eric Dumazet Date: Wed Oct 27 19:33:43 2010 +0200 numa: fix slab_node(MPOL_BIND) commit 800416f799e0723635ac2d720ad4449917a1481c upstream. When a node contains only HighMem memory, slab_node(MPOL_BIND) dereferences a NULL pointer. [ This code seems to go back all the way to commit 19770b32609b: "mm: filter based on a nodemask as well as a gfp_mask". Which was back in April 2008, and it got merged into 2.6.26. - Linus ] Signed-off-by: Eric Dumazet Cc: Mel Gorman Cc: Christoph Lameter Cc: Lee Schermerhorn Cc: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 94b2a12ba99c20eb0bb79e3a9513176334c23dad Author: Richard Weinberger Date: Tue Oct 26 14:21:13 2010 -0700 um: fix global timer issue when using CONFIG_NO_HZ commit 482db6df1746c4fa7d64a2441d4cb2610249c679 upstream. This fixes a issue which was introduced by fe2cc53e ("uml: track and make up lost ticks"). timeval_to_ns() returns long long and not int. Due to that UML's timer did not work properlt and caused timer freezes. Signed-off-by: Richard Weinberger Acked-by: Pekka Enberg Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8123c0be8dd7204cbbe7080b3049169d86c10a01 Author: Masanori ITOH Date: Tue Oct 26 14:21:20 2010 -0700 percpu: fix list_head init bug in __percpu_counter_init() commit 8474b591faf3bb0a1e08a60d21d6baac498f15e4 upstream. WARNING: at lib/list_debug.c:26 __list_add+0x3f/0x81() Hardware name: Express5800/B120a [N8400-085] list_add corruption. next->prev should be prev (ffffffff81a7ea00), but was dead000000200200. (next=ffff88080b872d58). Modules linked in: aoe ipt_MASQUERADE iptable_nat nf_nat autofs4 sunrpc bridge 8021q garp stp llc ipv6 cpufreq_ondemand acpi_cpufreq freq_table dm_round_robin dm_multipath kvm_intel kvm uinput lpfc scsi_transport_fc igb ioatdma scsi_tgt i2c_i801 i2c_core dca iTCO_wdt iTCO_vendor_support pcspkr shpchp megaraid_sas [last unloaded: aoe] Pid: 54, comm: events/3 Tainted: G W 2.6.34-vanilla1 #1 Call Trace: [] warn_slowpath_common+0x7c/0x94 [] warn_slowpath_fmt+0x41/0x43 [] __list_add+0x3f/0x81 [] __percpu_counter_init+0x59/0x6b [] bdi_init+0x118/0x17e [] blk_alloc_queue_node+0x79/0x143 [] blk_alloc_queue+0x11/0x13 [] aoeblk_gdalloc+0x8e/0x1c9 [aoe] [] aoecmd_sleepwork+0x25/0xa8 [aoe] [] worker_thread+0x1a9/0x237 [] ? aoecmd_sleepwork+0x0/0xa8 [aoe] [] ? autoremove_wake_function+0x0/0x39 [] ? worker_thread+0x0/0x237 [] kthread+0x7f/0x87 [] kernel_thread_helper+0x4/0x10 [] ? kthread+0x0/0x87 [] ? kernel_thread_helper+0x0/0x10 It's because there is no initialization code for a list_head contained in the struct backing_dev_info under CONFIG_HOTPLUG_CPU, and the bug comes up when block device drivers calling blk_alloc_queue() are used. In case of me, I got them by using aoe. Signed-off-by: Masanori Itoh Cc: Tejun Heo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7d4ffa17797e86b7a17cc3fb26ab37cef6d00205 Author: Samuel Ortiz Date: Wed Oct 6 01:03:12 2010 +0200 irda: Fix heap memory corruption in iriap.c commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream. While parsing the GetValuebyClass command frame, we could potentially write passed the skb->data pointer. Reported-by: Ilja Van Sprundel Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit a1b9505e4a663cdb5bc522b9dfa5ac1d1528bae2 Author: Samuel Ortiz Date: Mon Oct 11 01:17:56 2010 +0200 irda: Fix parameter extraction stack overflow commit efc463eb508798da4243625b08c7396462cabf9f upstream. Reported-by: Ilja Van Sprundel Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 9a8fd43f43c06d372c6c3f3ae592683cc8603277 Author: Jens Axboe Date: Fri Oct 29 08:10:18 2010 -0600 block: check for proper length of iov entries in blk_rq_map_user_iov() commit 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 upstream. Ensure that we pass down properly validated iov segments before calling into the mapping or copy functions. Reported-by: Dan Rosenberg Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman