- Apr 14, 2011
-
-
Vasiliy Kulikov authored
commit 67d1da79 upstream. Don't allow everybody to change LED settings. Signed-off-by:
Vasiliy Kulikov <segoon@openwall.com> Cc: Richard Purdie <rpurdie@rpsys.net> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Vasiliy Kulikov authored
commit ccd7510f upstream. Don't allow everybody to change LED settings. Signed-off-by:
-
Vasiliy Kulikov authored
commit deb187e7 upstream. Don't allow everybody to change device settings. Signed-off-by:
Hartley Sweeten <hartleys@visionengravers.com> Cc: Matthieu Crapet <mcrapet@gmail.com> Signed-off-by:
-
Vasiliy Kulikov authored
commit 49d50fb1 upstream. Don't allow everybogy to write to NVRAM. Signed-off-by:
-
Vasiliy Kulikov authored
commit f8a06977 upstream. Don't allow everybody to change device hardware registers. Signed-off-by:
Linus Walleij <linus.walleij@stericsson.com> Signed-off-by:
Samuel Ortiz <sameo@linux.intel.com> Signed-off-by:
-
Vasiliy Kulikov authored
commit 90c861c2 upstream. Don't allow everybody to interact with hardware registers. Signed-off-by:
-
Vasiliy Kulikov authored
commit 44bdcb54 upstream. Don't allow everybody to interact with hardware registers. Signed-off-by:
-
Vasiliy Kulikov authored
commit 523f3c80 upstream. Signed-off-by:
Mike Christie <michaelc@cs.wisc.edu> Signed-off-by:
James Bottomley <James.Bottomley@suse.de> Signed-off-by:
-
Vasiliy Kulikov authored
commit 6a8ab060 upstream. Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first bug was introduced before the git epoch; the second was introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have CAP_NET_ADMIN. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
Vasiliy Kulikov authored
commit 961ed183 upstream. 'buffer' string is copied from userspace. It is not checked whether it is zero terminated. This may lead to overflow inside of simple_strtoul(). Changli Gao suggested to copy not more than user supplied 'size' bytes. It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are root writable only by default, however, on some setups permissions might be relaxed to e.g. network admin user. Signed-off-by:
Changli Gao <xiaosuo@gmail.com> Signed-off-by:
-
Vasiliy Kulikov authored
commit 42eab94f upstream. Structures ipt_replace, compat_ipt_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first bug was introduced before the git epoch; the second is introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have CAP_NET_ADMIN. Signed-off-by:
-
Eric Dumazet authored
commit db856674 upstream. commit f3c5c1bf (make ip_tables reentrant) introduced a race in handling the stackptr restore, at the end of ipt_do_table() We should do it before the call to xt_info_rdunlock_bh(), or we allow cpu preemption and another cpu overwrites stackptr of original one. A second fix is to change the underflow test to check the origptr value instead of 0 to detect underflow, or else we allow a jump from different hooks. Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Cc: Jan Engelhardt <jengelh@medozas.de> Signed-off-by:
-
Vasiliy Kulikov authored
commit 78b79876 upstream. Structures ipt_replace, compat_ipt_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first and the third bugs were introduced before the git epoch; the second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug one should have CAP_NET_ADMIN. Signed-off-by:
-
Peter Huewe authored
commit 1309d7af upstream. This patch fixes information leakage to the userspace by initializing the data buffer to zero. Reported-by:
Peter Huewe <huewe.external@infineon.com> Signed-off-by:
Marcel Selhorst <m.selhorst@sirrix.com> [ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way deeper problems than a simple multiplication can fix. - Linus ] Signed-off-by:
-
Goldwyn Rodrigues authored
commit 272b62c1 upstream. When a hole spans across page boundaries, the next write forces a read of the block. This could end up reading existing garbage data from the disk in ocfs2_map_page_blocks. This leads to non-zero holes. In order to avoid this, mark the writes as new when the holes span across page boundaries. Signed-off-by:
Goldwyn Rodrigues <rgoldwyn@suse.de> Signed-off-by:
jlbec <jlbec@evilplan.org> Signed-off-by:
-
Marc-Antoine Perennou authored
commit 63a8588d upstream. Just adding the vendor details makes it work fine. Signed-off-by:
Marc-Antoine Perennou <Marc-Antoine@Perennou.com> Signed-off-by:
Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by:
Grant Likely <grant.likely@secretlab.ca>
-
Vasiliy Kulikov authored
commit 43629f8f upstream. Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. Signed-off-by:
-
Vasiliy Kulikov authored
commit d846f711 upstream. Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by:
-
Vasiliy Kulikov authored
commit c4c896e1 upstream. struct sco_conninfo has one padding byte in the end. Local variable cinfo of type sco_conninfo is copied to userspace with this uninizialized one byte, leading to old stack contents leak. Signed-off-by:
-
John W. Linville authored
commit c85ce65e upstream. Otherwise, skb_put inside of dma_rx can fail... https://bugzilla.kernel.org/show_bug.cgi?id=32042 Signed-off-by:
John W. Linville <linville@tuxdriver.com> Acked-by:
Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by:
-
Randy Dunlap authored
commit 1b149bbe upstream. RADIO_WL1273 needs to make sure that the mfd core is built to avoid build errors: ERROR: "mfd_add_devices" [drivers/mfd/wl1273-core.ko] undefined! ERROR: "mfd_remove_devices" [drivers/mfd/wl1273-core.ko] undefined! Signed-off-by:
Randy Dunlap <randy.dunlap@oracle.com> Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com> Signed-off-by:
Mauro Carvalho Chehab <mchehab@redhat.com> Cc: Mike Frysinger <vapier.adi@gmail.com> Signed-off-by:
-
Luciano Coelho authored
commit 09b661b3 upstream. We were allocating the size of the NVS file struct and not checking whether the length of the buffer passed was correct before copying it into the allocated memory. This is a security hole because buffer overflows can occur if the userspace passes a bigger file than what is expected. With this patch, we check if the size of the data passed from userspace matches the size required. This bug was introduced in 2.6.36. Reported-by:
Ido Yariv <ido@wizery.com> Signed-off-by:
Luciano Coelho <coelho@ti.com> Signed-off-by:
-
Stanislaw Gruszka authored
commit 37f4ee0b upstream. {rx,tx}done_work's are only initialized for usb devices. Signed-off-by:
Stanislaw Gruszka <sgruszka@redhat.com> Acked-by:
Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by:
-
RA-Jay Hung authored
commit 7f6e144f upstream. PCI/PCIE radio off behavior is different from SOC/USB. They mainly use MCU command to disable DMA, TX/RX and enter power saving mode. Signed-off-by:
RA-Jay Hung <jay_hung@ralinktech.com> Signed-off-by:
-
Christian Lamparter authored
commit 22010761 upstream. Reported-by: Mark Davis [via p54/devices wiki] Signed-off-by:
Christian Lamparter <chunkeey@googlemail.com> Signed-off-by:
-
John W. Linville authored
commit 3d7dc7e8 upstream. A number of these devices have appeared "in the wild", and apparently the Windows driver is perfectly happy to support this EEPROM version. Signed-off-by:
Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by:
-
Trond Myklebust authored
commit 0867659f upstream. This reverts commit 411b5e05. Olga Kornievskaia reports: Problem: linux client mounting linux server using rc4-hmac-md5 enctype. gssd fails with create a context after receiving a reply from the server. Diagnose: putting printout statements in the server kernel and kerberos libraries revealed that client and server derived different integrity keys. Server kernel code was at fault due the the commit [aglo@skydive linux-pnfs]$ git show 411b5e05 Trond: The problem is that since it relies on virt_to_page(), you cannot call sg_set_buf() for data in the const section. Reported-by:
Olga Kornievskaia <aglo@citi.umich.edu> Signed-off-by:
Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by:
-
Linus Torvalds authored
commit 982134ba upstream. The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow. However, an expanding mremap() can take such a non-wrapping mapping and make it bigger and cause a wrapping condition. Noticed by Robert Swiecki when running a system call fuzzer, where it caused a BUG_ON() due to terminally confusing the vma_prio_tree code. A vma dumping patch by Hugh then pinpointed the crazy wrapped case. Reported-and-tested-by:
Robert Swiecki <robert@swiecki.net> Acked-by:
Hugh Dickins <hughd@google.com> Signed-off-by:
-
Jan Kara authored
commit b03f2456 upstream. There's no reason to write quota info in dquot_commit(). The writing is a relict from the old days when we didn't have dquot_acquire() and dquot_release() and thus dquot_commit() could have created / removed quota structures from the file. These days dquot_commit() only updates usage counters / limits in quota structure and thus there's no need to write quota info. This also fixes an issue with journaling filesystem which didn't reserve enough space in the transaction for write of quota info (it could have been dirty at the time of dquot_commit() because of a race with other operation changing it). Reported-and-tested-by:
Lukas Czerner <lczerner@redhat.com> Signed-off-by:
Jan Kara <jack@suse.cz> Signed-off-by:
-
Artem Bityutskiy authored
commit 7da6443a upstream. This patch fixes a debugging failure with which looks like this: UBIFS error (pid 32313): dbg_check_space_info: free space changed from 6019344 to 6022654 The reason for this failure is described in the comment this patch adds to the code. But in short - 'c->freeable_cnt' may be different before and after re-mounting, and this is normal. So the debugging code should make sure that free space calculations do not depend on 'c->freeable_cnt'. A similar issue has been reported here: http://lists.infradead.org/pipermail/linux-mtd/2011-April/034647.html This patch should fix it. For the -stable guys: this patch is only relevant for kernels 2.6.30 onwards. Signed-off-by:
Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by:
-
Artem Bityutskiy authored
commit 54acbaaa upstream. Thanks to coverity which spotted that UBIFS will oops if 'kmalloc()' in 'read_pnode()' fails and we dereference a NULL 'pnode' pointer when we 'goto out'. Signed-off-by:
-
Artem Bityutskiy authored
commit 8b229c76 upstream. This fix makes the 'dbg_check_old_index()' function return immediately if debugging is disabled, instead of executing incorrect 'goto out' which causes UBIFS to: 1. Allocate memory 2. Read the flash On every commit. OK, we do not commit that often, but it is still silly to do unneeded I/O anyway. Credits to coverity for spotting this silly issue. Signed-off-by:
-
Michael Hennerich authored
commit 0fea4d61 upstream. Signed-off-by:
Michael Hennerich <michael.hennerich@analog.com> Acked-by:
Jonathan Cameron <jic23@cam.ac.uk> Signed-off-by:
-
Michael Hennerich authored
commit b1811197 upstream. Signed-off-by:
-
Michael Hennerich authored
commit c59c95ce upstream. Add delay after self test to satisfy timing requirements. Increase start-up delay. Signed-off-by:
-
Michael Hennerich authored
commit fc5b85b0 upstream. cs_change must not be set in the last transfer of a spi message Signed-off-by:
-
Felix Fietkau authored
commit 4dc217df upstream. When a client connects in HT mode but does not provide any valid MCS rates, the function that finds the next sample rate gets stuck in an infinite loop. Fix this by falling back to legacy rates if no usable MCS rates are found. Signed-off-by:
Felix Fietkau <nbd@openwrt.org> Signed-off-by:
-
Felix Fietkau authored
commit f62d816f upstream. When the chip is still asleep when ath9k_start is called, ath9k_hw_configpcipowersave can trigger a data bus error. Signed-off-by:
-
Jan Beulich authored
commit 70874867 upstream. 'struct dmi_system_id' arrays must always have a terminator to keep dmi_check_system() from looking at data (and possibly crashing) it isn't supposed to look at. The issue went unnoticed until ef8313bb, but was introduced about a year earlier with 7705d548 (which also similarly changed lifebook.c, but the problem there got eliminated shortly afterwards). The first hunk therefore is a stable candidate back to 2.6.33, while the full change is needed only on 2.6.38. Signed-off-by:
Jan Beulich <jbeulich@novell.com> Signed-off-by:
Dmitry Torokhov <dtor@mail.ru> Signed-off-by:
-
Suresh Siddha authored
commit 84ac7cdb upstream. On laptops with core i5/i7, there were reports that after resume graphics workloads were performing poorly on a specific AP, while the other cpu's were ok. This was observed on a 32bit kernel specifically. Debug showed that the PAT init was not happening on that AP during resume and hence it contributing to the poor workload performance on that cpu. On this system, resume flow looked like this: 1. BP starts the resume sequence and we reinit BP's MTRR's/PAT early on using mtrr_bp_restore() 2. Resume sequence brings all AP's online 3. Resume sequence now kicks off the MTRR reinit on all the AP's. 4. For some reason, between point 2 and 3, we moved from BP to one of the AP's. My guess is that printk() during resume sequence is contributing to this. We don't see similar behavior with the 64bit kernel but there is no guarantee that at this point the remaining resume sequence (after AP's bringup) has to happen on BP. 5. set_mtrr() was assuming that we are still on BP and skipped the MTRR/PAT init on that cpu (because of 1 above) 6. But we were on an AP and this led to not reprogramming PAT on this cpu leading to bad performance. Fix this by doing unconditional mtrr_if->set_all() in set_mtrr() during MTRR/PAT init. This might be unnecessary if we are still running on BP. But it is of no harm and will guarantee that after resume, all the cpu's will be in sync with respect to the MTRR/PAT registers. Signed-off-by:
Suresh Siddha <suresh.b.siddha@intel.com> LKML-Reference: <1301438292-28370-1-git-send-email-eric@anholt.net> Signed-off-by:
Eric Anholt <eric@anholt.net> Tested-by:
Keith Packard <keithp@keithp.com> Signed-off-by:
H. Peter Anvin <hpa@linux.intel.com> Signed-off-by:
-
