commit 93dadb0cbc2244388c4efb9f429ce3c0303d31cb Author: Greg Kroah-Hartman Date: Sun Jul 19 20:39:19 2009 -0700 Linux 2.6.30.2 commit d7de59fb74b6e9b94af8b9fcbfdf39eeae3b27be Author: Linus Torvalds Date: Sun Jul 12 11:25:04 2009 -0700 Don't use '-fwrapv' compiler option: it's buggy in gcc-4.1.x commit a137802ee839ace40079bebde24cfb416f73208a upstream. This causes kernel images that don't run init to completion with certain broken gcc versions. This fixes kernel bugzilla entry: http://bugzilla.kernel.org/show_bug.cgi?id=13012 I suspect the gcc problem is this: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28230 Fix the problem by using the -fno-strict-overflow flag instead, which not only does not exist in the known-to-be-broken versions of gcc (it was introduced later than fwrapv), but seems to be much less disturbing to gcc too: the difference in the generated code by -fno-strict-overflow are smaller (compared to using neither flag) than when using -fwrapv. Reported-by: Barry K. Nathan Pushed-by: Frans Pop Cc: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0457e83ceec2a048a330713a3ae828c2fcd6c9f2 Author: Csaba Henk Date: Mon Jun 29 03:26:53 2009 +0200 fuse: fix return value of fuse_dev_write() commit b4c458b3a23d76936e76678f2074b1528f129f7a upstream. On 64 bit systems -- where sizeof(ssize_t) > sizeof(int) -- the following test exposes a bug due to a non-careful return of an int or unsigned value: implement a FUSE filesystem which sends an unsolicited notification to the kernel with invalid opcode. The respective write to /dev/fuse will return (1 << 32) - EINVAL with errno == 0 instead of -1 with errno == EINVAL. Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit f4d8cd6481fab1e7651e342b87c4828c548cbc52 Author: Miklos Szeredi Date: Tue Jun 30 20:06:24 2009 +0200 fuse: fix bad return value in fuse_file_poll() commit 201fa69a2849536ef2912e8e971ec0b01c04eff4 upstream. Fix fuse_file_poll() which returned a -errno value instead of a poll mask. Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit bfa4144ee21b9830a5c3d1e4b5d4e3d214275d3b Author: David Woodhouse Date: Wed Jul 1 18:49:06 2009 +0100 Fix iommu address space allocation commit a15a519ed6e5e644f5a33c213c00b0c1d3cfe683 upstream. This fixes kernel.org bug #13584. The IOVA code attempted to optimise the insertion of new ranges into the rbtree, with the unfortunate result that some ranges just didn't get inserted into the tree at all. Then those ranges would be handed out more than once, and things kind of go downhill from there. Introduced after 2.6.25 by ddf02886cbe665d67ca750750196ea5bf524b10b ("PCI: iova RB tree setup tweak"). Signed-off-by: David Woodhouse Cc: mark gross Cc: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e1a4576be6c865f3514da6c73bc68ed0bb3e8d16 Author: David Woodhouse Date: Wed Jul 1 18:34:52 2009 +0100 Fix pci_unmap_addr() et al on i386. commit 788d84bba47ea3eb377f7a3ae4fd1ee84b84877b upstream. We can run a 32-bit kernel on boxes with an IOMMU, so we need pci_unmap_addr() etc. to work -- without it, drivers will leak mappings. To be honest, this whole thing looks like it's more pain than it's worth; I'm half inclined to remove the no-op #else case altogether. But this is the minimal fix, which just does the right thing if CONFIG_DMAR is set. Signed-off-by: David Woodhouse Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit adb49b219d3199a39f5894431012b3c2e3bedee0 Author: Jiri Slaby Date: Tue Jun 30 11:41:44 2009 -0700 floppy: fix lock imbalance commit 8516a500029890a72622d245f8ed32c4e30969b7 upstream. A crappy macro prevents us unlocking on a fail path. Expand the macro and unlock appropriatelly. Signed-off-by: Jiri Slaby Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ded7afa853a7771eeae2067bc8253ccb427bffa9 Author: Eric W. Biederman Date: Tue Jun 30 16:27:17 2009 +0000 Revert "ipv4: arp announce, arp_proxy and windows ip conflict verification" commit f8a68e752bc4e39644843403168137663c984524 upstream. This reverts commit 73ce7b01b4496a5fbf9caf63033c874be692333f. After discovering that we don't listen to gratuitious arps in 2.6.30 I tracked the failure down to this commit. The patch makes absolutely no sense. RFC2131 RFC3927 and RFC5227. are all in agreement that an arp request with sip == 0 should be used for the probe (to prevent learning) and an arp request with sip == tip should be used for the gratitous announcement that people can learn from. It appears the author of the broken patch got those two cases confused and modified the code to drop all gratuitous arp traffic. Ouch! Signed-off-by: Eric W. Biederman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3c92900d9a4afb176d3de335dc0da0198660a244 Author: NeilBrown Date: Wed Jul 1 11:14:04 2009 +1000 md: avoid dereferencing NULL pointer when accessing suspend_* sysfs attributes. commit b8d966efd9a46a9a35beac50cbff6e30565125ef upstream. If we try to modify one of the md/ sysfs files suspend_lo or suspend_hi when the array is not active, we dereference a NULL. Protect against that. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 042128a85db99144c34a448c75d952cda8b6c19b Author: NeilBrown Date: Wed Jul 1 12:27:21 2009 +1000 md: fix error path when duplicate name is found on md device creation. commit 1ec22eb2b4a2e1a763106bce36b11c02eaa84e61 upstream. When an md device is created by name (rather than number) we need to check that the name is not already in use. If this check finds a duplicate, we return an error without dropping the lock or freeing the newly create mddev. This patch fixes that. Found-by: Jiri Slaby Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 5de149123be72b438c5651ac8ca53223ca05a714 Author: NeilBrown Date: Wed Jul 1 13:15:35 2009 +1000 md/raid5: suspend shouldn't affect read requests. commit a5c308d4d1659b1f4833b863394e3e24cdbdfc6e upstream. md allows write to regions on an array to be suspended temporarily. This allows user-space to participate is aspects of reshape. In particular, data can be copied with not risk of a race. We should not be blocking read requests though, so don't. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 6891897d22e3df3417f451f5fb921cb9562539e7 Author: NeilBrown Date: Tue Jun 30 09:35:44 2009 +0200 blocK: Restore barrier support for md and probably other virtual devices. commit db64f680ba4b5c56c4be59f0698000df89ff0281 upstream. The next_ordered flag is only meaningful for devices that use __make_request. So move the test against next_ordered out of generic code and in to __make_request Since this test was added, barriers have not worked on md or any devices that don't use __make_request and so don't bother to set next_ordered. (dm explicitly sets something other than QUEUE_ORDERED_NONE since commit 99360b4c18f7675b50d283301d46d755affe75fd but notes in the comments that it is otherwise meaningless). Cc: Ken Milmore Signed-off-by: NeilBrown Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 1d13d53f580ce84783fc7de8a25a978b47c53757 Author: Joerg Roedel Date: Tue Jun 16 12:23:58 2009 +0200 dma-debug: fix off-by-one error in overlap function commit c79ee4e466dd12347f112e2af306dca35198458f upstream. This patch fixes a bug in the overlap function which returned true if one region ends exactly before the second region begins. This is no overlap but the function returned true in that case. Reported-by: Andrew Randrianasulu Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 6006f5048e1a766e7a1ca012d7f17f061b2e8dfe Author: Tejun Heo Date: Tue Jun 30 11:41:18 2009 -0700 alpha: fix percpu build breakage commit b01e8dc34379f4ba2f454390e340a025edbaaa7e upstream. alpha percpu access requires custom SHIFT_PERCPU_PTR() definition for modules to work around addressing range limitation. This is done via generating inline assembly using C preprocessing which forces the assembler to generate external reference. This happens behind the compiler's back and makes the compiler think that static percpu variables in modules are unused. This used to be worked around by using __unused attribute for percpu variables which prevent the compiler from omitting the variable; however, recent declare/definition attribute unification change broke this as __used can't be used for declaration. Also, in the process, PER_CPU_ATTRIBUTES definition in alpha percpu.h got broken. This patch adds PER_CPU_DEF_ATTRIBUTES which is only used for definitions and make alpha use it to add __used for percpu variables in modules. This also fixes the PER_CPU_ATTRIBUTES double definition bug. Signed-off-by: Tejun Heo Tested-by: maximilian attems Acked-by: Ivan Kokshaysky Cc: Richard Henderson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d2573f681a0c1c1928ce3dc32c0c069818990990 Author: Zhang Rui Date: Tue Jun 30 11:41:31 2009 -0700 kernel/resource.c: fix sign extension in reserve_setup() commit 8bc1ad7dd301b7ca7454013519fa92e8c53655ff upstream. When the 32-bit signed quantities get assigned to the u64 resource_size_t, they are incorrectly sign-extended. Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13253 Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9905 Signed-off-by: Zhang Rui Reported-by: Leann Ogasawara Cc: Pierre Ossman Reported-by: Tested-by: Cc: Jesse Barnes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit eadc4345f93b857cbf8c63400ea0a7ed9b6431a2 Author: Sonny Rao Date: Fri Jul 10 18:13:13 2009 -0500 futexes: Fix infinite loop in get_futex_key() on huge page commit ce2ae53b750abfaa012ce408e93da131a5b5649b upstream. get_futex_key() can infinitely loop if it is called on a virtual address that is within a huge page but not aligned to the beginning of that page. The call to get_user_pages_fast will return the struct page for a sub-page within the huge page and the check for page->mapping will always fail. The fix is to call compound_head on the page before checking that it's mapped. Signed-off-by: Sonny Rao Acked-by: Thomas Gleixner Cc: anton@samba.org Cc: rajamony@us.ibm.com Cc: speight@us.ibm.com Cc: mstephen@us.ibm.com Cc: grimm@us.ibm.com Cc: mikey@ozlabs.au.ibm.com LKML-Reference: <20090710231313.GA23572@us.ibm.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 434f5f9696e76352c4e23b3fa99881e87149da66 Author: Thomas Gleixner Date: Thu Jul 2 18:59:39 2009 +0200 futex: Fix the write access fault problem for real commit d0725992c8a6fb63a16bc9e8b2a50094cc4db3cd and aa715284b4d28cabde6c25c568d769a6be712bc8 upstream commit 64d1304a64 (futex: setup writeable mapping for futex ops which modify user space data) did address only half of the problem of write access faults. The patch was made on two wrong assumptions: 1) access_ok(VERIFY_WRITE,...) would actually check write access. On x86 it does _NOT_. It's a pure address range check. 2) a RW mapped region can not go away under us. That's wrong as well. Nobody can prevent another thread to call mprotect(PROT_READ) on that region where the futex resides. If that call hits between the get_user_pages_fast() verification and the actual write access in the atomic region we are toast again. The solution is to not rely on access_ok and get_user() for any write access related fault on private and shared futexes. Instead we need to fault it in with verification of write access. There is no generic non destructive write mechanism which would fault the user page in trough a #PF, but as we already know that we will fault we can as well call get_user_pages() directly and avoid the #PF overhead. If get_user_pages() returns -EFAULT we know that we can not fix it anymore and need to bail out to user space. Remove a bunch of confusing comments on this issue as well. Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 934ad5062c7ae18dde894f828037cd04daae5a63 Author: Mike Frysinger Date: Tue May 26 21:48:38 2009 +0000 Blackfin: fix command line corruption with DEBUG_DOUBLEFAULT commit 37082511f06108129bd5f96d625a6fae2d5a4ab4 upstream. Commit 6b3087c6 (which introduced Blackfin SMP) broke command line passing when the DEBUG_DOUBLEFAULT config option was enabled. Switch the code to using a scratch register and not R7 which holds the command line. Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit 11b46bb25fb2cc85e7414845575a17a944f59b60 Author: Sonic Zhang Date: Wed Jun 10 08:42:41 2009 +0000 Blackfin: fix deadlock in SMP IPI handler commit 86f2008bf546af9a434f480710e8d33891616bf5 upstream. When a low priority interrupt (like ethernet) is triggered between 2 high priority IPI messages, a deadlock in disable_irq() is hit by the second IPI handler. This is because the second IPI message is queued within the first IPI handler, but the handler doesn't process all messages, and new ones are inserted rather than appended. So now we process all the pending messages, and append new ones to the pending list. URL: http://blackfin.uclinux.org/gf/tracker/5226 Signed-off-by: Sonic Zhang Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit e9b64c9ce791fb691fc3c1e68b94d92ae143eca7 Author: Mike Frysinger Date: Mon Jun 15 06:10:03 2009 -0400 Blackfin: redo handling of bad irqs commit 26579216f3cdf1ae05f0af8412b444870a167510 upstream. With the common IRQ code initializing much more of the irq_desc state, we can't blindly initialize it ourselves to the local bad_irq state. If we do, we end up wrongly clobbering many fields. So punt most of the bad irq code as the common layers will handle the default state, and simply call handle_bad_irq() directly when the IRQ we are processing is invalid. Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit 18cfced241c5482e94324301bb88ac6503aee6c8 Author: Sonic Zhang Date: Mon Jun 15 07:39:19 2009 +0000 Blackfin: fix accidental reset in some boot modes commit 0de4adfb8c9674fa1572b0ff1371acc94b0be901 upstream. We read the SWRST (Software Reset) register to get at the last reset state, and then we may configure the DOUBLE_FAULT bit to control behavior when a double fault occurs. But if the lower bits of the register is already set (like UART boot mode on a BF54x), we inadvertently make the system reset by writing to the SYSTEM_RESET field at the same time. So make sure the lower 4 bits are always cleared. Signed-off-by: Sonic Zhang Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit 310c34c21c0ff605ff130021c827eabd83cd0b3c Author: Julien Tinnes Date: Fri Jun 26 20:27:40 2009 +0200 personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895) commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 upstream. We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO. The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE. We believe it is important to add MMAP_PAGE_ZERO, because by using this personality it is possible to have the first page mapped inside a process running as setuid root. This could be used in those scenarios: - Exploiting a NULL pointer dereference issue in a setuid root binary - Bypassing the mmap_min_addr restrictions of the Linux kernel: by running a setuid binary that would drop privileges before giving us control back (for instance by loading a user-supplied library), we could get the first page mapped in a process we control. By further using mremap and mprotect on this mapping, we can then completely bypass the mmap_min_addr restrictions. Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added since on x86 32bits it will in practice disable most of the address space layout randomization (only the stack will remain randomized). Signed-off-by: Julien Tinnes Signed-off-by: Tavis Ormandy Acked-by: Christoph Hellwig Acked-by: Kees Cook Acked-by: Eugene Teo [ Shortened lines and fixed whitespace as per Christophs' suggestion ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3f8fd3f9f677ce452556aca82473b7fcac370830 Author: Mariusz Kozlowski Date: Sun Jul 5 19:48:35 2009 +0000 tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-2009-1897) commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 upstream. Fix NULL pointer dereference in tun_chr_pool() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued packets per device") and triggered by this code: int fd; struct pollfd pfd; fd = open("/dev/net/tun", O_RDWR); pfd.fd = fd; pfd.events = POLLIN | POLLOUT; poll(&pfd, 1, 0); Reported-by: Eugene Kapun Signed-off-by: Mariusz Kozlowski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2401fe3fbc5bd7db741867102fe355babce76506 Author: Christoph Lameter Date: Wed Jun 3 16:04:31 2009 -0400 security: use mmap_min_addr indepedently of security models commit e0a94c2a63f2644826069044649669b5e7ca75d3 upstream. This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY. It also sets a default mmap_min_addr of 4096. mmapping of addresses below 4096 will only be possible for processes with CAP_SYS_RAWIO. Signed-off-by: Christoph Lameter Acked-by: Eric Paris Looks-ok-by: Linus Torvalds Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 76f578b630347be522b6df7917013fd0712612e5 Author: Eugene Teo Date: Wed Jul 15 14:59:10 2009 +0800 Add '-fno-delete-null-pointer-checks' to gcc CFLAGS commit a3ca86aea507904148870946d599e07a340b39bf upstream. Turning on this flag could prevent the compiler from optimising away some "useless" checks for null pointers. Such bugs can sometimes become exploitable at compile time because of the -O2 optimisation. See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html An example that clearly shows this 'problem' is commit 6bf67672. static void __devexit agnx_pci_remove(struct pci_dev *pdev) { struct ieee80211_hw *dev = pci_get_drvdata(pdev); - struct agnx_priv *priv = dev->priv; + struct agnx_priv *priv; AGNX_TRACE; if (!dev) return; + priv = dev->priv; By reverting this patch, and compile it with and without -fno-delete-null-pointer-checks flag, we can see that the check for dev is compiled away. call printk # - testq %r12, %r12 # dev - je .L94 #, movq %r12, %rdi # dev, Clearly the 'fix' is to stop using dev before it is tested, but building with -fno-delete-null-pointer-checks flag at least makes it harder to abuse. Signed-off-by: Eugene Teo Acked-by: Eric Paris Acked-by: Wang Cong Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman