[kernel] r18010 - in dists/squeeze/linux-2.6: . debian debian/patches/bugfix/all debian/patches/debian debian/patches/features/all/openvz debian/patches/features/all/vserver debian/patches/series
Ben Hutchings
benh at alioth.debian.org
Fri Aug 26 03:51:42 UTC 2011
Author: benh
Date: Fri Aug 26 03:51:39 2011
New Revision: 18010
Log:
Merge changes from squeeze-security branch
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/comedi-fix-infoleak-to-userspace.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/comedi-fix-infoleak-to-userspace.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/net-fix-memory-leak+corruption-on-VLAN-GRO_DROP.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-memory-leak+corruption-on-VLAN-GRO_DROP.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/perf-remove-the-nmi-parameter-from-the-swevent-and-overflow-interface.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/perf-remove-the-nmi-parameter-from-the-swevent-and-overflow-interface.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-syscall-stack-personality-races.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-syscall-stack-personality-races.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
dists/squeeze/linux-2.6/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
dists/squeeze/linux-2.6/debian/patches/series/35squeeze1
- copied unchanged from r18009, dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
Modified:
dists/squeeze/linux-2.6/ (props changed)
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/squeeze/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.7.patch
dists/squeeze/linux-2.6/debian/patches/series/36
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Thu Aug 25 10:25:03 2011 (r18009)
+++ dists/squeeze/linux-2.6/debian/changelog Fri Aug 26 03:51:39 2011 (r18010)
@@ -15,7 +15,6 @@
(CVE-2011-2183)
- TTY: ldisc, do not close until there are readers
- uvcvideo: Remove buffers from the queues when freeing
- - taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
- inet_diag: fix inet_diag_bc_audit() (CVE-2011-2213)
- net: filter: Use WARN_RATELIMIT
- af_packet: prevent information leak
@@ -41,7 +40,6 @@
- brd: handle on-demand devices correctly
- xen mmu: fix a race window causing leave_mm BUG()
- SCSI: Fix oops caused by queue refcounting failure
- - nl80211: fix check for valid SSID size in scan operations
- fat: Fix corrupt inode flags when remove ATTR_SYS flag
- pata_cm64x: fix boot crash on parisc (Closes: #622745, #622997)
- Revert "iwlagn: Support new 5000 microcode." (Closes: #632778)
@@ -70,6 +68,36 @@
-- maximilian attems <maks at debian.org> Sat, 25 Jun 2011 10:22:27 +0200
+linux-2.6 (2.6.32-35squeeze1) UNRELEASED; urgency=high
+
+ [ dann frazier ]
+ * Fix regression in fix for CVE-2011-1768 (Closes: #633738)
+ * net: Fix memory leak/corruption on VLAN GRO_DROP (CVE-2011-1576)
+ * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
+ * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
+ * Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
+ * proc: restrict access to /proc/PID/io (CVE-2011-2495)
+ * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
+ * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
+ * nl80211: fix check for valid SSID size in scan operations
+ * net_sched: Fix qdisc_notify() (CVE-2011-2525)
+ * gro: Only reset frag0 when skb can be pulled (CVE-2011-2723)
+ * comedi: fix infoleak to userspace (CVE-2011-2909)
+ * restrict access to /proc/pid/* after setuid exec (CVE-2011-1020)
+ * cifs: fix possible memory corruption in CIFSFindNext (CVE-2011-3191)
+ * befs: Validate length of long symbolic links (CVE-2011-2928)
+ * perf overflow/perf_count_sw_cpu_clock crash (CVE-2011-2918)
+
+ [ Moritz Muehlenhoff ]
+ * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
+ * Switch to MD5 for sequence number generation (CVE-2011-3188)
+
+ [ Jonathan Nieder ]
+ * perf: do not look at ./config for configuration (Closes: #632923)
+ (CVE-2011-2905)
+
+ -- dann frazier <dannf at debian.org> Mon, 15 Aug 2011 00:04:12 -0600
+
linux-2.6 (2.6.32-35) stable; urgency=high
[ Ben Hutchings ]
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch)
@@ -0,0 +1,975 @@
+diff -u b/drivers/char/random.c b/drivers/char/random.c
+--- b/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1339,330 +1339,14 @@
+ };
+ #endif /* CONFIG_SYSCTL */
+
+-/********************************************************************
+- *
+- * Random funtions for networking
+- *
+- ********************************************************************/
++static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
+
+-/*
+- * TCP initial sequence number picking. This uses the random number
+- * generator to pick an initial secret value. This value is hashed
+- * along with the TCP endpoint information to provide a unique
+- * starting point for each pair of TCP endpoints. This defeats
+- * attacks which rely on guessing the initial TCP sequence number.
+- * This algorithm was suggested by Steve Bellovin.
+- *
+- * Using a very strong hash was taking an appreciable amount of the total
+- * TCP connection establishment time, so this is a weaker hash,
+- * compensated for by changing the secret periodically.
+- */
+-
+-/* F, G and H are basic MD4 functions: selection, majority, parity */
+-#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+-#define G(x, y, z) (((x) & (y)) + (((x) ^ (y)) & (z)))
+-#define H(x, y, z) ((x) ^ (y) ^ (z))
+-
+-/*
+- * The generic round function. The application is so specific that
+- * we don't bother protecting all the arguments with parens, as is generally
+- * good macro practice, in favor of extra legibility.
+- * Rotation is separate from addition to prevent recomputation
+- */
+-#define ROUND(f, a, b, c, d, x, s) \
+- (a += f(b, c, d) + x, a = (a << s) | (a >> (32 - s)))
+-#define K1 0
+-#define K2 013240474631UL
+-#define K3 015666365641UL
+-
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+-
+-static __u32 twothirdsMD4Transform(__u32 const buf[4], __u32 const in[12])
++static int __init random_int_secret_init(void)
+ {
+- __u32 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
+-
+- /* Round 1 */
+- ROUND(F, a, b, c, d, in[ 0] + K1, 3);
+- ROUND(F, d, a, b, c, in[ 1] + K1, 7);
+- ROUND(F, c, d, a, b, in[ 2] + K1, 11);
+- ROUND(F, b, c, d, a, in[ 3] + K1, 19);
+- ROUND(F, a, b, c, d, in[ 4] + K1, 3);
+- ROUND(F, d, a, b, c, in[ 5] + K1, 7);
+- ROUND(F, c, d, a, b, in[ 6] + K1, 11);
+- ROUND(F, b, c, d, a, in[ 7] + K1, 19);
+- ROUND(F, a, b, c, d, in[ 8] + K1, 3);
+- ROUND(F, d, a, b, c, in[ 9] + K1, 7);
+- ROUND(F, c, d, a, b, in[10] + K1, 11);
+- ROUND(F, b, c, d, a, in[11] + K1, 19);
+-
+- /* Round 2 */
+- ROUND(G, a, b, c, d, in[ 1] + K2, 3);
+- ROUND(G, d, a, b, c, in[ 3] + K2, 5);
+- ROUND(G, c, d, a, b, in[ 5] + K2, 9);
+- ROUND(G, b, c, d, a, in[ 7] + K2, 13);
+- ROUND(G, a, b, c, d, in[ 9] + K2, 3);
+- ROUND(G, d, a, b, c, in[11] + K2, 5);
+- ROUND(G, c, d, a, b, in[ 0] + K2, 9);
+- ROUND(G, b, c, d, a, in[ 2] + K2, 13);
+- ROUND(G, a, b, c, d, in[ 4] + K2, 3);
+- ROUND(G, d, a, b, c, in[ 6] + K2, 5);
+- ROUND(G, c, d, a, b, in[ 8] + K2, 9);
+- ROUND(G, b, c, d, a, in[10] + K2, 13);
+-
+- /* Round 3 */
+- ROUND(H, a, b, c, d, in[ 3] + K3, 3);
+- ROUND(H, d, a, b, c, in[ 7] + K3, 9);
+- ROUND(H, c, d, a, b, in[11] + K3, 11);
+- ROUND(H, b, c, d, a, in[ 2] + K3, 15);
+- ROUND(H, a, b, c, d, in[ 6] + K3, 3);
+- ROUND(H, d, a, b, c, in[10] + K3, 9);
+- ROUND(H, c, d, a, b, in[ 1] + K3, 11);
+- ROUND(H, b, c, d, a, in[ 5] + K3, 15);
+- ROUND(H, a, b, c, d, in[ 9] + K3, 3);
+- ROUND(H, d, a, b, c, in[ 0] + K3, 9);
+- ROUND(H, c, d, a, b, in[ 4] + K3, 11);
+- ROUND(H, b, c, d, a, in[ 8] + K3, 15);
+-
+- return buf[1] + b; /* "most hashed" word */
+- /* Alternative: return sum of all words? */
+-}
+-#endif
+-
+-#undef ROUND
+-#undef F
+-#undef G
+-#undef H
+-#undef K1
+-#undef K2
+-#undef K3
+-
+-/* This should not be decreased so low that ISNs wrap too fast. */
+-#define REKEY_INTERVAL (300 * HZ)
+-/*
+- * Bit layout of the tcp sequence numbers (before adding current time):
+- * bit 24-31: increased after every key exchange
+- * bit 0-23: hash(source,dest)
+- *
+- * The implementation is similar to the algorithm described
+- * in the Appendix of RFC 1185, except that
+- * - it uses a 1 MHz clock instead of a 250 kHz clock
+- * - it performs a rekey every 5 minutes, which is equivalent
+- * to a (source,dest) tulple dependent forward jump of the
+- * clock by 0..2^(HASH_BITS+1)
+- *
+- * Thus the average ISN wraparound time is 68 minutes instead of
+- * 4.55 hours.
+- *
+- * SMP cleanup and lock avoidance with poor man's RCU.
+- * Manfred Spraul <manfred at colorfullife.com>
+- *
+- */
+-#define COUNT_BITS 8
+-#define COUNT_MASK ((1 << COUNT_BITS) - 1)
+-#define HASH_BITS 24
+-#define HASH_MASK ((1 << HASH_BITS) - 1)
+-
+-static struct keydata {
+- __u32 count; /* already shifted to the final position */
+- __u32 secret[12];
+-} ____cacheline_aligned ip_keydata[2];
+-
+-static unsigned int ip_cnt;
+-
+-static void rekey_seq_generator(struct work_struct *work);
+-
+-static DECLARE_DELAYED_WORK(rekey_work, rekey_seq_generator);
+-
+-/*
+- * Lock avoidance:
+- * The ISN generation runs lockless - it's just a hash over random data.
+- * State changes happen every 5 minutes when the random key is replaced.
+- * Synchronization is performed by having two copies of the hash function
+- * state and rekey_seq_generator always updates the inactive copy.
+- * The copy is then activated by updating ip_cnt.
+- * The implementation breaks down if someone blocks the thread
+- * that processes SYN requests for more than 5 minutes. Should never
+- * happen, and even if that happens only a not perfectly compliant
+- * ISN is generated, nothing fatal.
+- */
+-static void rekey_seq_generator(struct work_struct *work)
+-{
+- struct keydata *keyptr = &ip_keydata[1 ^ (ip_cnt & 1)];
+-
+- get_random_bytes(keyptr->secret, sizeof(keyptr->secret));
+- keyptr->count = (ip_cnt & COUNT_MASK) << HASH_BITS;
+- smp_wmb();
+- ip_cnt++;
+- schedule_delayed_work(&rekey_work,
+- round_jiffies_relative(REKEY_INTERVAL));
+-}
+-
+-static inline struct keydata *get_keyptr(void)
+-{
+- struct keydata *keyptr = &ip_keydata[ip_cnt & 1];
+-
+- smp_rmb();
+-
+- return keyptr;
+-}
+-
+-static __init int seqgen_init(void)
+-{
+- rekey_seq_generator(NULL);
++ get_random_bytes(random_int_secret, sizeof(random_int_secret));
+ return 0;
+ }
+-late_initcall(seqgen_init);
+-
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+-__u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+- __be16 sport, __be16 dport)
+-{
+- __u32 seq;
+- __u32 hash[12];
+- struct keydata *keyptr = get_keyptr();
+-
+- /* The procedure is the same as for IPv4, but addresses are longer.
+- * Thus we must use twothirdsMD4Transform.
+- */
+-
+- memcpy(hash, saddr, 16);
+- hash[4] = ((__force u16)sport << 16) + (__force u16)dport;
+- memcpy(&hash[5], keyptr->secret, sizeof(__u32) * 7);
+-
+- seq = twothirdsMD4Transform((const __u32 *)daddr, hash) & HASH_MASK;
+- seq += keyptr->count;
+-
+- seq += ktime_to_ns(ktime_get_real());
+-
+- return seq;
+-}
+-EXPORT_SYMBOL(secure_tcpv6_sequence_number);
+-#endif
+-
+-/* The code below is shamelessly stolen from secure_tcp_sequence_number().
+- * All blames to Andrey V. Savochkin <saw at msu.ru>.
+- */
+-__u32 secure_ip_id(__be32 daddr)
+-{
+- struct keydata *keyptr;
+- __u32 hash[4];
+-
+- keyptr = get_keyptr();
+-
+- /*
+- * Pick a unique starting offset for each IP destination.
+- * The dest ip address is placed in the starting vector,
+- * which is then hashed with random data.
+- */
+- hash[0] = (__force __u32)daddr;
+- hash[1] = keyptr->secret[9];
+- hash[2] = keyptr->secret[10];
+- hash[3] = keyptr->secret[11];
+-
+- return half_md4_transform(hash, keyptr->secret);
+-}
+-
+-#ifdef CONFIG_INET
+-
+-__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
+- __be16 sport, __be16 dport)
+-{
+- __u32 seq;
+- __u32 hash[4];
+- struct keydata *keyptr = get_keyptr();
+-
+- /*
+- * Pick a unique starting offset for each TCP connection endpoints
+- * (saddr, daddr, sport, dport).
+- * Note that the words are placed into the starting vector, which is
+- * then mixed with a partial MD4 over random data.
+- */
+- hash[0] = (__force u32)saddr;
+- hash[1] = (__force u32)daddr;
+- hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
+- hash[3] = keyptr->secret[11];
+-
+- seq = half_md4_transform(hash, keyptr->secret) & HASH_MASK;
+- seq += keyptr->count;
+- /*
+- * As close as possible to RFC 793, which
+- * suggests using a 250 kHz clock.
+- * Further reading shows this assumes 2 Mb/s networks.
+- * For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
+- * For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
+- * we also need to limit the resolution so that the u32 seq
+- * overlaps less than one time per MSL (2 minutes).
+- * Choosing a clock of 64 ns period is OK. (period of 274 s)
+- */
+- seq += ktime_to_ns(ktime_get_real()) >> 6;
+-
+- return seq;
+-}
+-
+-/* Generate secure starting point for ephemeral IPV4 transport port search */
+-u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+-{
+- struct keydata *keyptr = get_keyptr();
+- u32 hash[4];
+-
+- /*
+- * Pick a unique starting offset for each ephemeral port search
+- * (saddr, daddr, dport) and 48bits of random data.
+- */
+- hash[0] = (__force u32)saddr;
+- hash[1] = (__force u32)daddr;
+- hash[2] = (__force u32)dport ^ keyptr->secret[10];
+- hash[3] = keyptr->secret[11];
+-
+- return half_md4_transform(hash, keyptr->secret);
+-}
+-EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
+-
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+-u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+- __be16 dport)
+-{
+- struct keydata *keyptr = get_keyptr();
+- u32 hash[12];
+-
+- memcpy(hash, saddr, 16);
+- hash[4] = (__force u32)dport;
+- memcpy(&hash[5], keyptr->secret, sizeof(__u32) * 7);
+-
+- return twothirdsMD4Transform((const __u32 *)daddr, hash);
+-}
+-#endif
+-
+-#if defined(CONFIG_IP_DCCP) || defined(CONFIG_IP_DCCP_MODULE)
+-/* Similar to secure_tcp_sequence_number but generate a 48 bit value
+- * bit's 32-47 increase every key exchange
+- * 0-31 hash(source, dest)
+- */
+-u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
+- __be16 sport, __be16 dport)
+-{
+- u64 seq;
+- __u32 hash[4];
+- struct keydata *keyptr = get_keyptr();
+-
+- hash[0] = (__force u32)saddr;
+- hash[1] = (__force u32)daddr;
+- hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
+- hash[3] = keyptr->secret[11];
+-
+- seq = half_md4_transform(hash, keyptr->secret);
+- seq |= ((u64)keyptr->count) << (32 - HASH_BITS);
+-
+- seq += ktime_to_ns(ktime_get_real());
+- seq &= (1ull << 48) - 1;
+-
+- return seq;
+-}
+-EXPORT_SYMBOL(secure_dccp_sequence_number);
+-#endif
+-
+-#endif /* CONFIG_INET */
+-
++late_initcall(random_int_secret_init);
+
+ /*
+ * Get a random word for internal kernel use only. Similar to urandom but
+@@ -1670,17 +1354,15 @@
+ * value is not cryptographically secure but for several uses the cost of
+ * depleting entropy is too high
+ */
+-DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
++DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash);
+ unsigned int get_random_int(void)
+ {
+- struct keydata *keyptr;
+ __u32 *hash = get_cpu_var(get_random_int_hash);
+- int ret;
++ unsigned int ret;
+
+- keyptr = get_keyptr();
+ hash[0] += current->pid + jiffies + get_cycles();
+-
+- ret = half_md4_transform(hash, keyptr->secret);
++ md5_transform(hash, random_int_secret);
++ ret = hash[0];
+ put_cpu_var(get_random_int_hash);
+
+ return ret;
+diff -u b/lib/Makefile b/lib/Makefile
+--- b/lib/Makefile
++++ b/lib/Makefile
+@@ -10,7 +10,7 @@
+ lib-y := ctype.o string.o vsprintf.o cmdline.o \
+ rbtree.o radix-tree.o dump_stack.o \
+ idr.o int_sqrt.o extable.o prio_tree.o \
+- sha1.o irq_regs.o reciprocal_div.o argv_split.o \
++ sha1.o md5.o irq_regs.o reciprocal_div.o argv_split.o \
+ proportions.o prio_heap.o ratelimit.o show_mem.o \
+ is_single_threaded.o plist.o decompress.o flex_array.o
+
+diff -u b/net/ipv4/route.c b/net/ipv4/route.c
+--- b/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -107,6 +107,7 @@
+ #ifdef CONFIG_SYSCTL
+ #include <linux/sysctl.h>
+ #endif
++#include <net/secure_seq.h>
+
+ #define RT_FL_TOS(oldflp) \
+ ((u32)(oldflp->fl4_tos & (IPTOS_RT_MASK | RTO_ONLINK)))
+only in patch2:
+unchanged:
+--- a/crypto/md5.c
++++ b/crypto/md5.c
+@@ -20,6 +20,7 @@
+ #include <linux/module.h>
+ #include <linux/string.h>
+ #include <linux/types.h>
++#include <linux/cryptohash.h>
+ #include <asm/byteorder.h>
+
+ #define MD5_DIGEST_SIZE 16
+@@ -27,103 +28,12 @@
+ #define MD5_BLOCK_WORDS 16
+ #define MD5_HASH_WORDS 4
+
+-#define F1(x, y, z) (z ^ (x & (y ^ z)))
+-#define F2(x, y, z) F1(z, x, y)
+-#define F3(x, y, z) (x ^ y ^ z)
+-#define F4(x, y, z) (y ^ (x | ~z))
+-
+-#define MD5STEP(f, w, x, y, z, in, s) \
+- (w += f(x, y, z) + in, w = (w<<s | w>>(32-s)) + x)
+-
+ struct md5_ctx {
+ u32 hash[MD5_HASH_WORDS];
+ u32 block[MD5_BLOCK_WORDS];
+ u64 byte_count;
+ };
+
+-static void md5_transform(u32 *hash, u32 const *in)
+-{
+- u32 a, b, c, d;
+-
+- a = hash[0];
+- b = hash[1];
+- c = hash[2];
+- d = hash[3];
+-
+- MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
+- MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
+- MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
+- MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
+- MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
+- MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
+- MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
+- MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
+- MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
+- MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
+- MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
+- MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
+- MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
+- MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
+- MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
+- MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
+-
+- MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
+- MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
+- MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
+- MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
+- MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
+- MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
+- MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
+- MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
+- MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
+- MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
+- MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
+- MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
+- MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
+- MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
+- MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
+- MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
+-
+- MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
+- MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
+- MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
+- MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
+- MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
+- MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
+- MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
+- MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
+- MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
+- MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
+- MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
+- MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
+- MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
+- MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
+- MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
+- MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
+-
+- MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
+- MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
+- MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
+- MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
+- MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
+- MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
+- MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
+- MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
+- MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
+- MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
+- MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
+- MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
+- MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
+- MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
+- MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
+- MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
+-
+- hash[0] += a;
+- hash[1] += b;
+- hash[2] += c;
+- hash[3] += d;
+-}
+-
+ /* XXX: this stuff can be optimized */
+ static inline void le32_to_cpu_array(u32 *buf, unsigned int words)
+ {
+only in patch2:
+unchanged:
+--- a/include/linux/cryptohash.h
++++ b/include/linux/cryptohash.h
+@@ -7,6 +7,11 @@
+ void sha_init(__u32 *buf);
+ void sha_transform(__u32 *digest, const char *data, __u32 *W);
+
++#define MD5_DIGEST_WORDS 4
++#define MD5_MESSAGE_BYTES 64
++
++void md5_transform(__u32 *hash, __u32 const *in);
++
+ __u32 half_md4_transform(__u32 buf[4], __u32 const in[8]);
+
+ #endif
+only in patch2:
+unchanged:
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -53,17 +53,6 @@ extern void add_interrupt_randomness(int irq);
+ extern void get_random_bytes(void *buf, int nbytes);
+ void generate_random_uuid(unsigned char uuid_out[16]);
+
+-extern __u32 secure_ip_id(__be32 daddr);
+-extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
+-extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+- __be16 dport);
+-extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
+- __be16 sport, __be16 dport);
+-extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+- __be16 sport, __be16 dport);
+-extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
+- __be16 sport, __be16 dport);
+-
+ #ifndef MODULE
+ extern const struct file_operations random_fops, urandom_fops;
+ #endif
+only in patch2:
+unchanged:
+--- /dev/null
++++ b/include/net/secure_seq.h
+@@ -0,0 +1,20 @@
++#ifndef _NET_SECURE_SEQ
++#define _NET_SECURE_SEQ
++
++#include <linux/types.h>
++
++extern __u32 secure_ip_id(__be32 daddr);
++extern __u32 secure_ipv6_id(const __be32 daddr[4]);
++extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
++extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++ __be16 dport);
++extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
++ __be16 sport, __be16 dport);
++extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++ __be16 sport, __be16 dport);
++extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
++ __be16 sport, __be16 dport);
++extern u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++ __be16 sport, __be16 dport);
++
++#endif /* _NET_SECURE_SEQ */
+only in patch2:
+unchanged:
+--- /dev/null
++++ b/lib/md5.c
+@@ -0,0 +1,95 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/cryptohash.h>
++
++#define F1(x, y, z) (z ^ (x & (y ^ z)))
++#define F2(x, y, z) F1(z, x, y)
++#define F3(x, y, z) (x ^ y ^ z)
++#define F4(x, y, z) (y ^ (x | ~z))
++
++#define MD5STEP(f, w, x, y, z, in, s) \
++ (w += f(x, y, z) + in, w = (w<<s | w>>(32-s)) + x)
++
++void md5_transform(__u32 *hash, __u32 const *in)
++{
++ u32 a, b, c, d;
++
++ a = hash[0];
++ b = hash[1];
++ c = hash[2];
++ d = hash[3];
++
++ MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
++ MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
++ MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
++ MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
++ MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
++ MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
++ MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
++ MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
++ MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
++ MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
++ MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
++ MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
++ MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
++ MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
++ MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
++ MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
++
++ MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
++ MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
++ MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
++ MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
++ MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
++ MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
++ MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
++ MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
++ MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
++ MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
++ MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
++ MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
++ MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
++ MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
++ MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
++ MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
++
++ MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
++ MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
++ MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
++ MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
++ MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
++ MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
++ MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
++ MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
++ MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
++ MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
++ MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
++ MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
++ MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
++ MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
++ MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
++ MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
++
++ MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
++ MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
++ MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
++ MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
++ MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
++ MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
++ MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
++ MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
++ MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
++ MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
++ MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
++ MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
++ MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
++ MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
++ MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
++ MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
++
++ hash[0] += a;
++ hash[1] += b;
++ hash[2] += c;
++ hash[3] += d;
++}
++EXPORT_SYMBOL(md5_transform);
+only in patch2:
+unchanged:
+--- a/net/core/Makefile
++++ b/net/core/Makefile
+@@ -3,7 +3,7 @@
+ #
+
+ obj-y := sock.o request_sock.o skbuff.o iovec.o datagram.o stream.o scm.o \
+- gen_stats.o gen_estimator.o net_namespace.o
++ gen_stats.o gen_estimator.o net_namespace.o secure_seq.o
+
+ obj-$(CONFIG_SYSCTL) += sysctl_net_core.o
+ obj-$(CONFIG_HAS_DMA) += skb_dma_map.o
+only in patch2:
+unchanged:
+--- /dev/null
++++ b/net/core/secure_seq.c
+@@ -0,0 +1,184 @@
++#include <linux/kernel.h>
++#include <linux/init.h>
++#include <linux/cryptohash.h>
++#include <linux/module.h>
++#include <linux/cache.h>
++#include <linux/random.h>
++#include <linux/hrtimer.h>
++#include <linux/ktime.h>
++#include <linux/string.h>
++
++#include <net/secure_seq.h>
++
++static u32 net_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
++
++static int __init net_secret_init(void)
++{
++ get_random_bytes(net_secret, sizeof(net_secret));
++ return 0;
++}
++late_initcall(net_secret_init);
++
++static u32 seq_scale(u32 seq)
++{
++ /*
++ * As close as possible to RFC 793, which
++ * suggests using a 250 kHz clock.
++ * Further reading shows this assumes 2 Mb/s networks.
++ * For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
++ * For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
++ * we also need to limit the resolution so that the u32 seq
++ * overlaps less than one time per MSL (2 minutes).
++ * Choosing a clock of 64 ns period is OK. (period of 274 s)
++ */
++ return seq + (ktime_to_ns(ktime_get_real()) >> 6);
++}
++
++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++__u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++ __be16 sport, __be16 dport)
++{
++ u32 secret[MD5_MESSAGE_BYTES / 4];
++ u32 hash[MD5_DIGEST_WORDS];
++ u32 i;
++
++ memcpy(hash, saddr, 16);
++ for (i = 0; i < 4; i++)
++ secret[i] = net_secret[i] + daddr[i];
++ secret[4] = net_secret[4] +
++ (((__force u16)sport << 16) + (__force u16)dport);
++ for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++ secret[i] = net_secret[i];
++
++ md5_transform(hash, secret);
++
++ return seq_scale(hash[0]);
++}
++EXPORT_SYMBOL(secure_tcpv6_sequence_number);
++
++u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++ __be16 dport)
++{
++ u32 secret[MD5_MESSAGE_BYTES / 4];
++ u32 hash[MD5_DIGEST_WORDS];
++ u32 i;
++
++ memcpy(hash, saddr, 16);
++ for (i = 0; i < 4; i++)
++ secret[i] = net_secret[i] + (__force u32) daddr[i];
++ secret[4] = net_secret[4] + (__force u32)dport;
++ for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++ secret[i] = net_secret[i];
++
++ md5_transform(hash, secret);
++
++ return hash[0];
++}
++#endif
++
++#ifdef CONFIG_INET
++__u32 secure_ip_id(__be32 daddr)
++{
++ u32 hash[MD5_DIGEST_WORDS];
++
++ hash[0] = (__force __u32) daddr;
++ hash[1] = net_secret[13];
++ hash[2] = net_secret[14];
++ hash[3] = net_secret[15];
++
++ md5_transform(hash, net_secret);
++
++ return hash[0];
++}
++
++__u32 secure_ipv6_id(const __be32 daddr[4])
++{
++ __u32 hash[4];
++
++ memcpy(hash, daddr, 16);
++ md5_transform(hash, net_secret);
++
++ return hash[0];
++}
++
++__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
++ __be16 sport, __be16 dport)
++{
++ u32 hash[MD5_DIGEST_WORDS];
++
++ hash[0] = (__force u32)saddr;
++ hash[1] = (__force u32)daddr;
++ hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
++ hash[3] = net_secret[15];
++
++ md5_transform(hash, net_secret);
++
++ return seq_scale(hash[0]);
++}
++
++u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
++{
++ u32 hash[MD5_DIGEST_WORDS];
++
++ hash[0] = (__force u32)saddr;
++ hash[1] = (__force u32)daddr;
++ hash[2] = (__force u32)dport ^ net_secret[14];
++ hash[3] = net_secret[15];
++
++ md5_transform(hash, net_secret);
++
++ return hash[0];
++}
++EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
++#endif
++
++#if defined(CONFIG_IP_DCCP) || defined(CONFIG_IP_DCCP_MODULE)
++u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
++ __be16 sport, __be16 dport)
++{
++ u32 hash[MD5_DIGEST_WORDS];
++ u64 seq;
++
++ hash[0] = (__force u32)saddr;
++ hash[1] = (__force u32)daddr;
++ hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
++ hash[3] = net_secret[15];
++
++ md5_transform(hash, net_secret);
++
++ seq = hash[0] | (((u64)hash[1]) << 32);
++ seq += ktime_to_ns(ktime_get_real());
++ seq &= (1ull << 48) - 1;
++
++ return seq;
++}
++EXPORT_SYMBOL(secure_dccp_sequence_number);
++
++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++ __be16 sport, __be16 dport)
++{
++ u32 secret[MD5_MESSAGE_BYTES / 4];
++ u32 hash[MD5_DIGEST_WORDS];
++ u64 seq;
++ u32 i;
++
++ memcpy(hash, saddr, 16);
++ for (i = 0; i < 4; i++)
++ secret[i] = net_secret[i] + daddr[i];
++ secret[4] = net_secret[4] +
++ (((__force u16)sport << 16) + (__force u16)dport);
++ for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++ secret[i] = net_secret[i];
++
++ md5_transform(hash, secret);
++
++ seq = hash[0] | (((u64)hash[1]) << 32);
++ seq += ktime_to_ns(ktime_get_real());
++ seq &= (1ull << 48) - 1;
++
++ return seq;
++}
++EXPORT_SYMBOL(secure_dccpv6_sequence_number);
++#endif
++#endif
+only in patch2:
+unchanged:
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -25,6 +25,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/tcp_states.h>
+ #include <net/xfrm.h>
++#include <net/secure_seq.h>
+
+ #include "ackvec.h"
+ #include "ccid.h"
+only in patch2:
+unchanged:
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -28,6 +28,7 @@
+ #include <net/transp_v6.h>
+ #include <net/ip6_checksum.h>
+ #include <net/xfrm.h>
++#include <net/secure_seq.h>
+
+ #include "dccp.h"
+ #include "ipv6.h"
+@@ -69,13 +70,7 @@ static inline void dccp_v6_send_check(struct sock *sk, int unused_value,
+ dh->dccph_checksum = dccp_v6_csum_finish(skb, &np->saddr, &np->daddr);
+ }
+
+-static inline __u32 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+- __be16 sport, __be16 dport )
+-{
+- return secure_tcpv6_sequence_number(saddr, daddr, sport, dport);
+-}
+-
+-static inline __u32 dccp_v6_init_sequence(struct sk_buff *skb)
++static inline __u64 dccp_v6_init_sequence(struct sk_buff *skb)
+ {
+ return secure_dccpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
+ ipv6_hdr(skb)->saddr.s6_addr32,
+only in patch2:
+unchanged:
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -21,6 +21,7 @@
+
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
++#include <net/secure_seq.h>
+ #include <net/ip.h>
+
+ /*
+only in patch2:
+unchanged:
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -19,6 +19,7 @@
+ #include <linux/net.h>
+ #include <net/ip.h>
+ #include <net/inetpeer.h>
++#include <net/secure_seq.h>
+
+ /*
+ * Theory of operations.
+only in patch2:
+unchanged:
+--- a/net/ipv4/netfilter/nf_nat_proto_common.c
++++ b/net/ipv4/netfilter/nf_nat_proto_common.c
+@@ -12,6 +12,7 @@
+ #include <linux/ip.h>
+
+ #include <linux/netfilter.h>
++#include <net/secure_seq.h>
+ #include <net/netfilter/nf_nat.h>
+ #include <net/netfilter/nf_nat_core.h>
+ #include <net/netfilter/nf_nat_rule.h>
+only in patch2:
+unchanged:
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -71,6 +71,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/xfrm.h>
+ #include <net/netdma.h>
++#include <net/secure_seq.h>
+
+ #include <linux/inet.h>
+ #include <linux/ipv6.h>
+only in patch2:
+unchanged:
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -20,6 +20,7 @@
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
+ #include <net/inet6_hashtables.h>
++#include <net/secure_seq.h>
+ #include <net/ip.h>
+
+ void __inet6_hash(struct sock *sk)
+only in patch2:
+unchanged:
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -60,6 +60,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/netdma.h>
+ #include <net/inet_common.h>
++#include <net/secure_seq.h>
+
+ #include <asm/uaccess.h>
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch)
@@ -0,0 +1,28 @@
+commit 2fadaef41283aad7100fa73f01998cddaca25833
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date: Tue Feb 15 22:52:11 2011 -0500
+
+ auxv: require the target to be tracable (or yourself)
+
+ same as for environ, except that we didn't do any checks to
+ prevent access after suid execve
+
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index fc471b8..e94b58b 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -281,9 +281,9 @@ out:
+
+ static int proc_pid_auxv(struct task_struct *task, char *buffer)
+ {
+- int res = 0;
+- struct mm_struct *mm = get_task_mm(task);
+- if (mm) {
++ struct mm_struct *mm = mm_for_maps(task);
++ int res = PTR_ERR(mm);
++ if (mm && !IS_ERR(mm)) {
+ unsigned int nwords = 0;
+ do {
+ nwords += 2;
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch)
@@ -0,0 +1,45 @@
+commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Wed Aug 17 17:59:56 2011 +0200
+
+ befs: Validate length of long symbolic links.
+
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
+index 54b8c28..720d885 100644
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
+ befs_data_stream *data = &befs_ino->i_data.ds;
+ befs_off_t len = data->size;
+
+- befs_debug(sb, "Follow long symlink");
+-
+- link = kmalloc(len, GFP_NOFS);
+- if (!link) {
+- link = ERR_PTR(-ENOMEM);
+- } else if (befs_read_lsymlink(sb, data, link, len) != len) {
+- kfree(link);
+- befs_error(sb, "Failed to read entire long symlink");
++ if (len == 0) {
++ befs_error(sb, "Long symlink with illegal length");
+ link = ERR_PTR(-EIO);
+ } else {
+- link[len - 1] = '\0';
++ befs_debug(sb, "Follow long symlink");
++
++ link = kmalloc(len, GFP_NOFS);
++ if (!link) {
++ link = ERR_PTR(-ENOMEM);
++ } else if (befs_read_lsymlink(sb, data, link, len) != len) {
++ kfree(link);
++ befs_error(sb, "Failed to read entire long symlink");
++ link = ERR_PTR(-EIO);
++ } else {
++ link[len - 1] = '\0';
++ }
+ }
+ } else {
+ link = befs_ino->i_data.symlink;
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch)
@@ -0,0 +1,38 @@
+commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f
+Author: Filip Palian <s3810 at pjwstk.edu.pl>
+Date: Thu May 12 19:32:46 2011 +0200
+
+ Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
+
+ Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
+ byte each. This byte in "cinfo" is copied to userspace uninitialized.
+
+ Signed-off-by: Filip Palian <filip.palian at pjwstk.edu.pl>
+ Acked-by: Marcel Holtmann <marcel at holtmann.org>
+ Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 8d1c4a9..514aa8f 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -1886,6 +1886,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
+ break;
+ }
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 30a3649..1ae3f80 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
+
+ l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch)
@@ -0,0 +1,30 @@
+commit 7ac28817536797fd40e9646452183606f9e17f71
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri Jun 24 08:38:05 2011 -0400
+
+ Bluetooth: Prevent buffer overflow in l2cap config request
+
+ A remote user can provide a small value for the command size field in
+ the command header of an l2cap configuration request, resulting in an
+ integer underflow when subtracting the size of the configuration request
+ header. This results in copying a very large amount of data via
+ memcpy() and destroying the kernel heap. Check for underflow.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 514aa8f..71120ee 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2720,7 +2720,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch)
@@ -0,0 +1,41 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Tue, 23 Aug 2011 11:21:28 +0000 (-0400)
+Subject: cifs: fix possible memory corruption in CIFSFindNext
+X-Git-Url: https://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fsfrench%2Fcifs-2.6.git;a=commitdiff_plain;h=c32dfffaf59f73bbcf4472141b851a4dc5db2bf0
+
+cifs: fix possible memory corruption in CIFSFindNext
+
+The name_len variable in CIFSFindNext is a signed int that gets set to
+the resume_name_len in the cifs_search_info. The resume_name_len however
+is unsigned and for some infolevels is populated directly from a 32 bit
+value sent by the server.
+
+If the server sends a very large value for this, then that value could
+look negative when converted to a signed int. That would make that
+value pass the PATH_MAX check later in CIFSFindNext. The name_len would
+then be used as a length value for a memcpy. It would then be treated
+as unsigned again, and the memcpy scribbles over a ton of memory.
+
+Fix this by making the name_len an unsigned value in CIFSFindNext.
+
+Cc: <stable at kernel.org>
+Reported-by: Darren Lavender <dcl at hppine99.gbr.hp.com>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Signed-off-by: Steve French <sfrench at us.ibm.com>
+[dannf: backported to Debian's 2.6.32]
+---
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index 04b755a..665b128 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -3596,7 +3596,8 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon,
+ T2_FNEXT_RSP_PARMS *parms;
+ char *response_data;
+ int rc = 0;
+- int bytes_returned, name_len;
++ int bytes_returned;
++ unsigned int name_len;
+ __u16 params, byte_count;
+
+ cFYI(1, ("In FindNext"));
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch)
@@ -0,0 +1,40 @@
+commit d6f64b89d7ff22ce05896ab4a93a653e8d0b123d
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date: Tue Feb 15 22:26:01 2011 -0500
+
+ close race in /proc/*/environ
+
+ Switch to mm_for_maps(). Maybe we ought to make it r--r--r--,
+ since we do checks on IO anyway...
+
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index c282811..fc471b8 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -919,20 +919,18 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+ if (!task)
+ goto out_no_task;
+
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
+- goto out;
+-
+ ret = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+ goto out;
+
+- ret = 0;
+
+- mm = get_task_mm(task);
+- if (!mm)
++ mm = mm_for_maps(task);
++ ret = PTR_ERR(mm);
++ if (!mm || IS_ERR(mm))
+ goto out_free;
+
++ ret = 0;
+ while (count > 0) {
+ int this_len, retval, max_len;
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/comedi-fix-infoleak-to-userspace.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/comedi-fix-infoleak-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/comedi-fix-infoleak-to-userspace.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/comedi-fix-infoleak-to-userspace.patch)
@@ -0,0 +1,29 @@
+commit 819cbb120eaec7e014e5abd029260db1ca8c5735
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Sun Jun 26 12:56:22 2011 +0400
+
+ staging: comedi: fix infoleak to userspace
+
+ driver_name and board_name are pointers to strings, not buffers of size
+ COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing
+ less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
+index 15a209f..419976b 100644
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -383,8 +383,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev,
+ /* fill devinfo structure */
+ devinfo.version_code = COMEDI_VERSION_CODE;
+ devinfo.n_subdevs = dev->n_subdevices;
+- memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
+- memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
++ strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
++ strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
+
+ if (read_subdev)
+ devinfo.read_subdevice = read_subdev - dev->subdevices;
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch)
@@ -0,0 +1,34 @@
+commit 17dd759c67f21e34f2156abcf415e1f60605a188
+Author: Herbert Xu <herbert at gondor.apana.org.au>
+Date: Wed Jul 27 06:16:28 2011 -0700
+
+ gro: Only reset frag0 when skb can be pulled
+
+ Currently skb_gro_header_slow unconditionally resets frag0 and
+ frag0_len. However, when we can't pull on the skb this leaves
+ the GRO fields in an inconsistent state.
+
+ This patch fixes this by only resetting those fields after the
+ pskb_may_pull test.
+
+ Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 1d92acc0..661a077 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1649,9 +1649,12 @@ static inline int skb_gro_header_hard(struct sk_buff *skb, unsigned int hlen)
+ static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
+ unsigned int offset)
+ {
++ if (!pskb_may_pull(skb, hlen))
++ return NULL;
++
+ NAPI_GRO_CB(skb)->frag0 = NULL;
+ NAPI_GRO_CB(skb)->frag0_len = 0;
+- return pskb_may_pull(skb, hlen) ? skb->data + offset : NULL;
++ return skb->data + offset;
+ }
+
+ static inline void *skb_gro_mac_header(struct sk_buff *skb)
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/net-fix-memory-leak+corruption-on-VLAN-GRO_DROP.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-memory-leak+corruption-on-VLAN-GRO_DROP.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/net-fix-memory-leak+corruption-on-VLAN-GRO_DROP.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-memory-leak+corruption-on-VLAN-GRO_DROP.patch)
@@ -0,0 +1,30 @@
+This bug used to exist upstream as well, but was fixed when the
+VLAN code path was restructured in 2010.
+
+The approach here is different from upstream in order to minimise
+the effect on the code.
+
+net: Fix memory leak/corruption on VLAN GRO_DROP
+
+The function napi_reuse_skb is only meant to be used for packets
+merged by GRO. Using it on the VLAN path will lead to memory
+leaks/corruption. This patch is based on Jay Vosburgh's patch,
+and it fixes the problem by calling kfree_skb on the VLAN GRO_DROP
+path instead of napi_reuse_skb.
+
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+[dannf: backported to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/net/core/dev.c linux-source-2.6.32/net/core/dev.c
+--- linux-source-2.6.32.orig/net/core/dev.c 2011-06-11 13:10:41.000000000 -0600
++++ linux-source-2.6.32/net/core/dev.c 2011-08-03 22:42:37.774288259 -0600
+@@ -2650,6 +2650,9 @@ gro_result_t napi_frags_finish(struct na
+ break;
+
+ case GRO_DROP:
++ kfree_skb(skb);
++ break;
++
+ case GRO_MERGED_FREE:
+ napi_reuse_skb(napi, skb);
+ break;
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch)
@@ -0,0 +1,64 @@
+commit 53b0f08042f04813cd1a7473dacd3edfacb28eb3
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Sat May 22 20:37:44 2010 +0000
+
+ net_sched: Fix qdisc_notify()
+
+ Ben Pfaff reported a kernel oops and provided a test program to
+ reproduce it.
+
+ https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805
+
+ tc_fill_qdisc() should not be called for builtin qdisc, or it
+ dereference a NULL pointer to get device ifindex.
+
+ Fix is to always use tc_qdisc_dump_ignore() before calling
+ tc_fill_qdisc().
+
+ Reported-by: Ben Pfaff <blp at nicira.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 903e418..7c8c4b1 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1195,6 +1195,11 @@ nla_put_failure:
+ return -1;
+ }
+
++static bool tc_qdisc_dump_ignore(struct Qdisc *q)
++{
++ return (q->flags & TCQ_F_BUILTIN) ? true : false;
++}
++
+ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ u32 clid, struct Qdisc *old, struct Qdisc *new)
+ {
+@@ -1205,11 +1210,11 @@ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ if (!skb)
+ return -ENOBUFS;
+
+- if (old && old->handle) {
++ if (old && !tc_qdisc_dump_ignore(old)) {
+ if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0)
+ goto err_out;
+ }
+- if (new) {
++ if (new && !tc_qdisc_dump_ignore(new)) {
+ if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
+ goto err_out;
+ }
+@@ -1222,11 +1227,6 @@ err_out:
+ return -EINVAL;
+ }
+
+-static bool tc_qdisc_dump_ignore(struct Qdisc *q)
+-{
+- return (q->flags & TCQ_F_BUILTIN) ? true : false;
+-}
+-
+ static int tc_dump_qdisc_root(struct Qdisc *root, struct sk_buff *skb,
+ struct netlink_callback *cb,
+ int *q_idx_p, int s_q_idx)
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch)
@@ -0,0 +1,39 @@
+commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03
+Author: Luciano Coelho <coelho at ti.com>
+Date: Thu May 19 00:43:38 2011 +0300
+
+ nl80211: fix check for valid SSID size in scan operations
+
+ In both trigger_scan and sched_scan operations, we were checking for
+ the SSID length before assigning the value correctly. Since the
+ memory was just kzalloc'ed, the check was always failing and SSID with
+ over 32 characters were allowed to go through.
+
+ This was causing a buffer overflow when copying the actual SSID to the
+ proper place.
+
+ This bug has been there since 2.6.29-rc4.
+
+ Cc: stable at kernel.org
+ Signed-off-by: Luciano Coelho <coelho at ti.com>
+ Signed-off-by: John W. Linville <linville at tuxdriver.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index b75e718..f0341e4 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2995,12 +2995,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
+ i = 0;
+ if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
++ request->ssids[i].ssid_len = nla_len(attr);
+ if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out_free;
+ }
+ memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+- request->ssids[i].ssid_len = nla_len(attr);
+ i++;
+ }
+ }
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/nl80211-fix-overflow-in-ssid_len.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-overflow-in-ssid_len.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/nl80211-fix-overflow-in-ssid_len.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-overflow-in-ssid_len.patch)
@@ -0,0 +1,41 @@
+commit 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536
+Author: Luciano Coelho <coelho at ti.com>
+Date: Tue Jun 7 20:42:26 2011 +0300
+
+ nl80211: fix overflow in ssid_len
+
+ When one of the SSID's length passed in a scan or sched_scan request
+ is larger than 255, there will be an overflow in the u8 that is used
+ to store the length before checking. This causes the check to fail
+ and we overrun the buffer when copying the SSID.
+
+ Fix this by checking the nl80211 attribute length before copying it to
+ the struct.
+
+ This is a follow up for the previous commit
+ 208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
+ entirely.
+
+ Reported-by: Ido Yariv <ido at wizery.com>
+ Signed-off-by: Luciano Coelho <coelho at ti.com>
+ Signed-off-by: John W. Linville <linville at tuxdriver.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index f0341e4..f72387f 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2995,11 +2995,11 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
+ i = 0;
+ if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
+- request->ssids[i].ssid_len = nla_len(attr);
+- if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
++ if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out_free;
+ }
++ request->ssids[i].ssid_len = nla_len(attr);
+ memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+ i++;
+ }
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch)
@@ -0,0 +1,71 @@
+commit 0b760113a3a155269a3fba93a409c640031dd68f
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Tue May 31 15:15:34 2011 -0400
+
+ NLM: Don't hang forever on NLM unlock requests
+
+ If the NLM daemon is killed on the NFS server, we can currently end up
+ hanging forever on an 'unlock' request, instead of aborting. Basically,
+ if the rpcbind request fails, or the server keeps returning garbage, we
+ really want to quit instead of retrying.
+
+ Tested-by: Vasily Averin <vvs at sw.ru>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Cc: stable at kernel.org
+
+diff -urpN linux-source-2.6.32.orig/fs/lockd/clntproc.c linux-source-2.6.32/fs/lockd/clntproc.c
+--- linux-source-2.6.32.orig/fs/lockd/clntproc.c 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/fs/lockd/clntproc.c 2011-08-03 23:36:15.028741583 -0600
+@@ -709,7 +709,13 @@ static void nlmclnt_unlock_callback(stru
+
+ if (task->tk_status < 0) {
+ dprintk("lockd: unlock failed (err = %d)\n", -task->tk_status);
+- goto retry_rebind;
++ switch (task->tk_status) {
++ case -EACCES:
++ case -EIO:
++ goto die;
++ default:
++ goto retry_rebind;
++ }
+ }
+ if (status == NLM_LCK_DENIED_GRACE_PERIOD) {
+ rpc_delay(task, NLMCLNT_GRACE_WAIT);
+diff -urpN linux-source-2.6.32.orig/include/linux/sunrpc/sched.h linux-source-2.6.32/include/linux/sunrpc/sched.h
+--- linux-source-2.6.32.orig/include/linux/sunrpc/sched.h 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/include/linux/sunrpc/sched.h 2011-08-03 23:43:26.040758731 -0600
+@@ -84,8 +84,8 @@ struct rpc_task {
+ long tk_rtt; /* round-trip time (jiffies) */
+
+ pid_t tk_owner; /* Process id for batching tasks */
+- unsigned char tk_priority : 2;/* Task priority */
+-
++ unsigned char tk_priority : 2,/* Task priority */
++ tk_rebind_retry : 2;
+ #ifdef RPC_DEBUG
+ unsigned short tk_pid; /* debugging aid */
+ #endif
+diff -urpN linux-source-2.6.32.orig/net/sunrpc/clnt.c linux-source-2.6.32/net/sunrpc/clnt.c
+--- linux-source-2.6.32.orig/net/sunrpc/clnt.c 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/net/sunrpc/clnt.c 2011-08-03 23:36:15.036741657 -0600
+@@ -1052,6 +1052,9 @@ call_bind_status(struct rpc_task *task)
+ status = -EOPNOTSUPP;
+ break;
+ }
++ if (task->tk_rebind_retry == 0)
++ break;
++ task->tk_rebind_retry--;
+ rpc_delay(task, 3*HZ);
+ goto retry_timeout;
+ case -ETIMEDOUT:
+diff -urpN linux-source-2.6.32.orig/net/sunrpc/sched.c linux-source-2.6.32/net/sunrpc/sched.c
+--- linux-source-2.6.32.orig/net/sunrpc/sched.c 2011-06-11 13:10:38.000000000 -0600
++++ linux-source-2.6.32/net/sunrpc/sched.c 2011-08-03 23:36:15.044741731 -0600
+@@ -789,6 +789,7 @@ static void rpc_init_task(struct rpc_tas
+ /* Initialize retry counters */
+ task->tk_garb_retry = 2;
+ task->tk_cred_retry = 2;
++ task->tk_rebind_retry = 2;
+
+ task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW;
+ task->tk_owner = current->tgid;
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch)
@@ -0,0 +1,58 @@
+commit ca6b0bf0e086513b9ee5efc0aa5770ecb57778af
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date: Tue Feb 15 22:04:37 2011 -0500
+
+ pagemap: close races with suid execve
+
+ just use mm_for_maps()
+
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index ae485ab..aca5390 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2552,7 +2552,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+ #ifdef CONFIG_PROC_PAGE_MONITOR
+ REG("clear_refs", S_IWUSR, proc_clear_refs_operations),
+ REG("smaps", S_IRUGO, proc_smaps_operations),
+- REG("pagemap", S_IRUSR, proc_pagemap_operations),
++ REG("pagemap", S_IRUGO, proc_pagemap_operations),
+ #endif
+ #ifdef CONFIG_SECURITY
+ DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
+@@ -2890,7 +2890,7 @@ static const struct pid_entry tid_base_stuff[] = {
+ #ifdef CONFIG_PROC_PAGE_MONITOR
+ REG("clear_refs", S_IWUSR, proc_clear_refs_operations),
+ REG("smaps", S_IRUGO, proc_smaps_operations),
+- REG("pagemap", S_IRUSR, proc_pagemap_operations),
++ REG("pagemap", S_IRUGO, proc_pagemap_operations),
+ #endif
+ #ifdef CONFIG_SECURITY
+ DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 3b7b82a..6e7b065 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -682,7 +682,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ goto out;
+
+ ret = -EACCES;
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
++ mm = mm_for_maps(task);
++ if (!mm)
+ goto out_task;
+
+ ret = -EINVAL;
+@@ -695,10 +696,6 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ if (!count)
+ goto out_task;
+
+- mm = get_task_mm(task);
+- if (!mm)
+- goto out_task;
+-
+
+ uaddr = (unsigned long)buf & PAGE_MASK;
+ uend = (unsigned long)(buf + count);
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch)
@@ -0,0 +1,51 @@
+Date: Fri, 5 Aug 2011 18:58:38 +0200
+From: Jonathan Nieder <jrnieder at gmail.com>
+Subject: [PATCH] perf: do not look at ./config for configuration
+
+In addition to /etc/perfconfig and $HOME/.perfconfig, perf looks for
+configuration in the file ./config, imitating git which looks at
+$GIT_DIR/config. If ./config is not a perf configuration file, it
+fails, or worse, treats it as a configuration file and changes
+behavior in some unexpected way.
+
+"config" is not an unusual name for a file to be lying around and perf
+does not have a private directory dedicated for its own use, so let's
+just stop looking for configuration in the cwd. Callers needing
+context-sensitive configuration can use the PERF_CONFIG environment
+variable.
+
+Requested-by: Christian Ohm <chr.ohm at gmx.net>
+Signed-off-by: Jonathan Nieder <jrnieder at gmail.com>
+---
+ tools/perf/util/config.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/util/config.c b/tools/perf/util/config.c
+index e02d78ca..6c86eca8 100644
+--- a/tools/perf/util/config.c
++++ b/tools/perf/util/config.c
+@@ -399,7 +399,6 @@ static int perf_config_global(void)
+ int perf_config(config_fn_t fn, void *data)
+ {
+ int ret = 0, found = 0;
+- char *repo_config = NULL;
+ const char *home = NULL;
+
+ /* Setting $PERF_CONFIG makes perf read _only_ the given config file. */
+@@ -421,12 +420,6 @@ int perf_config(config_fn_t fn, void *data)
+ free(user_config);
+ }
+
+- repo_config = perf_pathdup("config");
+- if (!access(repo_config, R_OK)) {
+- ret += perf_config_from_file(fn, repo_config, data);
+- found += 1;
+- }
+- free(repo_config);
+ if (found == 0)
+ return -1;
+ return ret;
+--
+1.7.6
+
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/perf-remove-the-nmi-parameter-from-the-swevent-and-overflow-interface.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/perf-remove-the-nmi-parameter-from-the-swevent-and-overflow-interface.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/perf-remove-the-nmi-parameter-from-the-swevent-and-overflow-interface.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/perf-remove-the-nmi-parameter-from-the-swevent-and-overflow-interface.patch)
@@ -0,0 +1,581 @@
+commit a8b0ca17b80e92faab46ee7179ba9e99ccb61233
+Author: Peter Zijlstra <a.p.zijlstra at chello.nl>
+Date: Mon Jun 27 14:41:57 2011 +0200
+
+ perf: Remove the nmi parameter from the swevent and overflow interface
+
+ The nmi parameter indicated if we could do wakeups from the current
+ context, if not, we would set some state and self-IPI and let the
+ resulting interrupt do the wakeup.
+
+ For the various event classes:
+
+ - hardware: nmi=0; PMI is in fact an NMI or we run irq_work_run from
+ the PMI-tail (ARM etc.)
+ - tracepoint: nmi=0; since tracepoint could be from NMI context.
+ - software: nmi=[0,1]; some, like the schedule thing cannot
+ perform wakeups, and hence need 0.
+
+ As one can see, there is very little nmi=1 usage, and the down-side of
+ not using it is that on some platforms some software events can have a
+ jiffy delay in wakeup (when arch_irq_work_raise isn't implemented).
+
+ The up-side however is that we can remove the nmi parameter and save a
+ bunch of conditionals in fast paths.
+
+ Signed-off-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
+ Cc: Michael Cree <mcree at orcon.net.nz>
+ Cc: Will Deacon <will.deacon at arm.com>
+ Cc: Deng-Cheng Zhu <dengcheng.zhu at gmail.com>
+ Cc: Anton Blanchard <anton at samba.org>
+ Cc: Eric B Munson <emunson at mgebm.net>
+ Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+ Cc: Paul Mundt <lethal at linux-sh.org>
+ Cc: David S. Miller <davem at davemloft.net>
+ Cc: Frederic Weisbecker <fweisbec at gmail.com>
+ Cc: Jason Wessel <jason.wessel at windriver.com>
+ Cc: Don Zickus <dzickus at redhat.com>
+ Link: http://lkml.kernel.org/n/tip-agjev8eu666tvknpb3iaj0fg@git.kernel.org
+ Signed-off-by: Ingo Molnar <mingo at elte.hu>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/arch/powerpc/kernel/perf_event.c b/arch/powerpc/kernel/perf_event.c
+index c3f7ac7..c03672e 100644
+--- a/arch/powerpc/kernel/perf_event.c
++++ b/arch/powerpc/kernel/perf_event.c
+@@ -1132,7 +1132,7 @@ const struct pmu *hw_perf_event_init(struct perf_event *event)
+ * here so there is no possibility of being interrupted.
+ */
+ static void record_and_restart(struct perf_event *event, unsigned long val,
+- struct pt_regs *regs, int nmi)
++ struct pt_regs *regs)
+ {
+ u64 period = event->hw.sample_period;
+ s64 prev, delta, left;
+@@ -1172,7 +1172,7 @@ static void record_and_restart(struct perf_event *event, unsigned long val,
+ if (event->attr.sample_type & PERF_SAMPLE_ADDR)
+ perf_get_data_addr(regs, &data.addr);
+
+- if (perf_event_overflow(event, nmi, &data, regs)) {
++ if (perf_event_overflow(event, &data, regs)) {
+ /*
+ * Interrupts are coming too fast - throttle them
+ * by setting the event to 0, so it will be
+@@ -1274,7 +1274,7 @@ static void perf_event_interrupt(struct pt_regs *regs)
+ if ((int)val < 0) {
+ /* event has overflowed */
+ found = 1;
+- record_and_restart(event, val, regs, nmi);
++ record_and_restart(event, val, regs);
+ }
+ }
+
+diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
+index e7dae82..fc2a628 100644
+--- a/arch/powerpc/mm/fault.c
++++ b/arch/powerpc/mm/fault.c
+@@ -171,7 +171,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address,
+ die("Weird page fault", regs, SIGSEGV);
+ }
+
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, 0, regs, address);
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
+
+ /* When running in the kernel we expect faults to occur only to
+ * addresses in user space. All other faults represent errors in the
+@@ -312,7 +312,7 @@ good_area:
+ }
+ if (ret & VM_FAULT_MAJOR) {
+ current->maj_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1,
+ regs, address);
+ #ifdef CONFIG_PPC_SMLPAR
+ if (firmware_has_feature(FW_FEATURE_CMO)) {
+@@ -323,7 +323,7 @@ good_area:
+ #endif
+ } else {
+ current->min_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1,
+ regs, address);
+ }
+ up_read(&mm->mmap_sem);
+diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
+index 6d50746..5d71b29 100644
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -306,7 +306,7 @@ do_exception(struct pt_regs *regs, unsigned long error_code, int write)
+ * interrupts again and then search the VMAs
+ */
+ local_irq_enable();
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, 0, regs, address);
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
+ down_read(&mm->mmap_sem);
+
+ si_code = SEGV_MAPERR;
+@@ -366,11 +366,11 @@ good_area:
+ }
+ if (fault & VM_FAULT_MAJOR) {
+ tsk->maj_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1,
+ regs, address);
+ } else {
+ tsk->min_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1,
+ regs, address);
+ }
+ up_read(&mm->mmap_sem);
+diff --git a/arch/sh/mm/fault_32.c b/arch/sh/mm/fault_32.c
+index 4753010..a281bb0 100644
+--- a/arch/sh/mm/fault_32.c
++++ b/arch/sh/mm/fault_32.c
+@@ -157,7 +157,7 @@ asmlinkage void __kprobes do_page_fault(struct pt_regs *regs,
+ if ((regs->sr & SR_IMASK) != SR_IMASK)
+ local_irq_enable();
+
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, 0, regs, address);
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
+
+ /*
+ * If we're in an interrupt, have no user context or are running
+@@ -208,11 +208,11 @@ survive:
+ }
+ if (fault & VM_FAULT_MAJOR) {
+ tsk->maj_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1,
+ regs, address);
+ } else {
+ tsk->min_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1,
+ regs, address);
+ }
+
+diff --git a/arch/sh/mm/tlbflush_64.c b/arch/sh/mm/tlbflush_64.c
+index de0b0e8..5a329f4 100644
+--- a/arch/sh/mm/tlbflush_64.c
++++ b/arch/sh/mm/tlbflush_64.c
+@@ -116,7 +116,7 @@ asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long writeaccess,
+ /* Not an IO address, so reenable interrupts */
+ local_irq_enable();
+
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, 0, regs, address);
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
+
+ /*
+ * If we're in an interrupt or have no user
+@@ -201,11 +201,11 @@ survive:
+
+ if (fault & VM_FAULT_MAJOR) {
+ tsk->maj_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1,
+ regs, address);
+ } else {
+ tsk->min_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1,
+ regs, address);
+ }
+
+diff --git a/arch/sparc/kernel/perf_event.c b/arch/sparc/kernel/perf_event.c
+index 198fb4e..1ae7abb 100644
+--- a/arch/sparc/kernel/perf_event.c
++++ b/arch/sparc/kernel/perf_event.c
+@@ -1013,7 +1013,7 @@ static int __kprobes perf_event_nmi_handler(struct notifier_block *self,
+ if (!sparc_perf_event_set_period(event, hwc, idx))
+ continue;
+
+- if (perf_event_overflow(event, 1, &data, regs))
++ if (perf_event_overflow(event, &data, regs))
+ sparc_pmu_disable_event(cpuc, hwc, idx);
+ }
+
+diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
+index 0ff02ca..b2b36b1 100644
+--- a/arch/x86/kernel/cpu/perf_event.c
++++ b/arch/x86/kernel/cpu/perf_event.c
+@@ -1624,7 +1624,7 @@ static void intel_pmu_drain_bts_buffer(struct cpu_hw_events *cpuc)
+ perf_prepare_sample(&header, &data, event, ®s);
+
+ if (perf_output_begin(&handle, event,
+- header.size * (top - at), 1, 1))
++ header.size * (top - at), 1))
+ return;
+
+ for (; at < top; at++) {
+@@ -1754,7 +1754,7 @@ static int p6_pmu_handle_irq(struct pt_regs *regs)
+ if (!x86_perf_event_set_period(event, hwc, idx))
+ continue;
+
+- if (perf_event_overflow(event, 1, &data, regs))
++ if (perf_event_overflow(event, &data, regs))
+ p6_pmu_disable_event(hwc, idx);
+ }
+
+@@ -1811,7 +1811,7 @@ again:
+
+ data.period = event->hw.last_period;
+
+- if (perf_event_overflow(event, 1, &data, regs))
++ if (perf_event_overflow(event, &data, regs))
+ intel_pmu_disable_event(&event->hw, bit);
+ }
+
+@@ -1862,7 +1862,7 @@ static int amd_pmu_handle_irq(struct pt_regs *regs)
+ if (!x86_perf_event_set_period(event, hwc, idx))
+ continue;
+
+- if (perf_event_overflow(event, 1, &data, regs))
++ if (perf_event_overflow(event, &data, regs))
+ amd_pmu_disable_event(hwc, idx);
+ }
+
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index 8ac0d76..9d0812f 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -1037,7 +1037,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
+ if (unlikely(error_code & PF_RSVD))
+ pgtable_bad(regs, error_code, address);
+
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, 0, regs, address);
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
+
+ /*
+ * If we're in an interrupt, have no user context or are running
+@@ -1134,11 +1134,11 @@ good_area:
+
+ if (fault & VM_FAULT_MAJOR) {
+ tsk->maj_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MAJ, 1,
+ regs, address);
+ } else {
+ tsk->min_flt++;
+- perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1, 0,
++ perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS_MIN, 1,
+ regs, address);
+ }
+
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index 81c9689..d4fa762 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -703,7 +703,6 @@ struct perf_output_handle {
+ struct perf_mmap_data *data;
+ unsigned long head;
+ unsigned long offset;
+- int nmi;
+ int sample;
+ int locked;
+ unsigned long flags;
+@@ -769,7 +768,7 @@ extern void perf_prepare_sample(struct perf_event_header *header,
+ struct perf_event *event,
+ struct pt_regs *regs);
+
+-extern int perf_event_overflow(struct perf_event *event, int nmi,
++extern int perf_event_overflow(struct perf_event *event,
+ struct perf_sample_data *data,
+ struct pt_regs *regs);
+
+@@ -785,13 +784,13 @@ static inline int is_software_event(struct perf_event *event)
+
+ extern atomic_t perf_swevent_enabled[PERF_COUNT_SW_MAX];
+
+-extern void __perf_sw_event(u32, u64, int, struct pt_regs *, u64);
++extern void __perf_sw_event(u32, u64, struct pt_regs *, u64);
+
+ static inline void
+-perf_sw_event(u32 event_id, u64 nr, int nmi, struct pt_regs *regs, u64 addr)
++perf_sw_event(u32 event_id, u64 nr, struct pt_regs *regs, u64 addr)
+ {
+ if (atomic_read(&perf_swevent_enabled[event_id]))
+- __perf_sw_event(event_id, nr, nmi, regs, addr);
++ __perf_sw_event(event_id, nr, regs, addr);
+ }
+
+ extern void __perf_event_mmap(struct vm_area_struct *vma);
+@@ -823,7 +822,7 @@ extern void perf_tp_event(int event_id, u64 addr, u64 count,
+
+ extern int perf_output_begin(struct perf_output_handle *handle,
+ struct perf_event *event, unsigned int size,
+- int nmi, int sample);
++ int sample);
+ extern void perf_output_end(struct perf_output_handle *handle);
+ extern void perf_output_copy(struct perf_output_handle *handle,
+ const void *buf, unsigned int len);
+@@ -846,7 +845,7 @@ static inline int perf_event_task_disable(void) { return -EINVAL; }
+ static inline int perf_event_task_enable(void) { return -EINVAL; }
+
+ static inline void
+-perf_sw_event(u32 event_id, u64 nr, int nmi,
++perf_sw_event(u32 event_id, u64 nr,
+ struct pt_regs *regs, u64 addr) { }
+
+ static inline void perf_event_mmap(struct vm_area_struct *vma) { }
+diff --git a/kernel/perf_event.c b/kernel/perf_event.c
+index fc5ab8e..62450ac 100644
+--- a/kernel/perf_event.c
++++ b/kernel/perf_event.c
+@@ -1157,7 +1157,7 @@ void perf_event_task_sched_out(struct task_struct *task,
+ int do_switch = 1;
+
+ regs = task_pt_regs(task);
+- perf_sw_event(PERF_COUNT_SW_CONTEXT_SWITCHES, 1, 1, regs, 0);
++ perf_sw_event(PERF_COUNT_SW_CONTEXT_SWITCHES, 1, regs, 0);
+
+ if (likely(!ctx || !cpuctx->task_ctx))
+ return;
+@@ -2773,7 +2773,7 @@ void perf_output_copy(struct perf_output_handle *handle,
+
+ int perf_output_begin(struct perf_output_handle *handle,
+ struct perf_event *event, unsigned int size,
+- int nmi, int sample)
++ int sample)
+ {
+ struct perf_event *output_event;
+ struct perf_mmap_data *data;
+@@ -2802,7 +2802,6 @@ int perf_output_begin(struct perf_output_handle *handle,
+
+ handle->data = data;
+ handle->event = event;
+- handle->nmi = nmi;
+ handle->sample = sample;
+
+ if (!data->nr_pages)
+@@ -3126,7 +3125,7 @@ void perf_prepare_sample(struct perf_event_header *header,
+ }
+ }
+
+-static void perf_event_output(struct perf_event *event, int nmi,
++static void perf_event_output(struct perf_event *event,
+ struct perf_sample_data *data,
+ struct pt_regs *regs)
+ {
+@@ -3135,7 +3134,7 @@ static void perf_event_output(struct perf_event *event, int nmi,
+
+ perf_prepare_sample(&header, data, event, regs);
+
+- if (perf_output_begin(&handle, event, header.size, nmi, 1))
++ if (perf_output_begin(&handle, event, header.size, 1))
+ return;
+
+ perf_output_sample(&handle, &header, data, event);
+@@ -3170,7 +3169,7 @@ perf_event_read_event(struct perf_event *event,
+ };
+ int ret;
+
+- ret = perf_output_begin(&handle, event, read_event.header.size, 0, 0);
++ ret = perf_output_begin(&handle, event, read_event.header.size, 0);
+ if (ret)
+ return;
+
+@@ -3210,7 +3209,7 @@ static void perf_event_task_output(struct perf_event *event,
+ int ret;
+
+ size = task_event->event_id.header.size;
+- ret = perf_output_begin(&handle, event, size, 0, 0);
++ ret = perf_output_begin(&handle, event, size, 0);
+
+ if (ret)
+ return;
+@@ -3332,7 +3331,7 @@ static void perf_event_comm_output(struct perf_event *event,
+ {
+ struct perf_output_handle handle;
+ int size = comm_event->event_id.header.size;
+- int ret = perf_output_begin(&handle, event, size, 0, 0);
++ int ret = perf_output_begin(&handle, event, size, 0);
+
+ if (ret)
+ return;
+@@ -3461,7 +3460,7 @@ static void perf_event_mmap_output(struct perf_event *event,
+ {
+ struct perf_output_handle handle;
+ int size = mmap_event->event_id.header.size;
+- int ret = perf_output_begin(&handle, event, size, 0, 0);
++ int ret = perf_output_begin(&handle, event, size, 0);
+
+ if (ret)
+ return;
+@@ -3632,7 +3631,7 @@ static void perf_log_throttle(struct perf_event *event, int enable)
+ if (enable)
+ throttle_event.header.type = PERF_RECORD_UNTHROTTLE;
+
+- ret = perf_output_begin(&handle, event, sizeof(throttle_event), 1, 0);
++ ret = perf_output_begin(&handle, event, sizeof(throttle_event), 0);
+ if (ret)
+ return;
+
+@@ -3644,7 +3643,7 @@ static void perf_log_throttle(struct perf_event *event, int enable)
+ * Generic event overflow handling, sampling.
+ */
+
+-static int __perf_event_overflow(struct perf_event *event, int nmi,
++static int __perf_event_overflow(struct perf_event *event,
+ int throttle, struct perf_sample_data *data,
+ struct pt_regs *regs)
+ {
+@@ -3694,23 +3693,20 @@ static int __perf_event_overflow(struct perf_event *event, int nmi,
+ if (events && atomic_dec_and_test(&event->event_limit)) {
+ ret = 1;
+ event->pending_kill = POLL_HUP;
+- if (nmi) {
+- event->pending_disable = 1;
+- perf_pending_queue(&event->pending,
+- perf_pending_event);
+- } else
+- perf_event_disable(event);
++ event->pending_disable = 1;
++ perf_pending_queue(&event->pending,
++ perf_pending_event);
+ }
+
+- perf_event_output(event, nmi, data, regs);
++ perf_event_output(event, data, regs);
+ return ret;
+ }
+
+-int perf_event_overflow(struct perf_event *event, int nmi,
++int perf_event_overflow(struct perf_event *event,
+ struct perf_sample_data *data,
+ struct pt_regs *regs)
+ {
+- return __perf_event_overflow(event, nmi, 1, data, regs);
++ return __perf_event_overflow(event, 1, data, regs);
+ }
+
+ /*
+@@ -3748,7 +3744,7 @@ again:
+ }
+
+ static void perf_swevent_overflow(struct perf_event *event,
+- int nmi, struct perf_sample_data *data,
++ struct perf_sample_data *data,
+ struct pt_regs *regs)
+ {
+ struct hw_perf_event *hwc = &event->hw;
+@@ -3762,7 +3758,7 @@ static void perf_swevent_overflow(struct perf_event *event,
+ return;
+
+ for (; overflow; overflow--) {
+- if (__perf_event_overflow(event, nmi, throttle,
++ if (__perf_event_overflow(event, throttle,
+ data, regs)) {
+ /*
+ * We inhibit the overflow from happening when
+@@ -3782,7 +3778,7 @@ static void perf_swevent_unthrottle(struct perf_event *event)
+ }
+
+ static void perf_swevent_add(struct perf_event *event, u64 nr,
+- int nmi, struct perf_sample_data *data,
++ struct perf_sample_data *data,
+ struct pt_regs *regs)
+ {
+ struct hw_perf_event *hwc = &event->hw;
+@@ -3796,7 +3792,7 @@ static void perf_swevent_add(struct perf_event *event, u64 nr,
+ return;
+
+ if (!atomic64_add_negative(nr, &hwc->period_left))
+- perf_swevent_overflow(event, nmi, data, regs);
++ perf_swevent_overflow(event, data, regs);
+ }
+
+ static int perf_swevent_is_counting(struct perf_event *event)
+@@ -3857,7 +3853,7 @@ static int perf_swevent_match(struct perf_event *event,
+
+ static void perf_swevent_ctx_event(struct perf_event_context *ctx,
+ enum perf_type_id type,
+- u32 event_id, u64 nr, int nmi,
++ u32 event_id, u64 nr,
+ struct perf_sample_data *data,
+ struct pt_regs *regs)
+ {
+@@ -3869,7 +3865,7 @@ static void perf_swevent_ctx_event(struct perf_event_context *ctx,
+ rcu_read_lock();
+ list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
+ if (perf_swevent_match(event, type, event_id, regs))
+- perf_swevent_add(event, nr, nmi, data, regs);
++ perf_swevent_add(event, nr, data, regs);
+ }
+ rcu_read_unlock();
+ }
+@@ -3889,7 +3885,7 @@ static int *perf_swevent_recursion_context(struct perf_cpu_context *cpuctx)
+ }
+
+ static void do_perf_sw_event(enum perf_type_id type, u32 event_id,
+- u64 nr, int nmi,
++ u64 nr,
+ struct perf_sample_data *data,
+ struct pt_regs *regs)
+ {
+@@ -3904,7 +3900,7 @@ static void do_perf_sw_event(enum perf_type_id type, u32 event_id,
+ barrier();
+
+ perf_swevent_ctx_event(&cpuctx->ctx, type, event_id,
+- nr, nmi, data, regs);
++ nr, data, regs);
+ rcu_read_lock();
+ /*
+ * doesn't really matter which of the child contexts the
+@@ -3912,7 +3908,7 @@ static void do_perf_sw_event(enum perf_type_id type, u32 event_id,
+ */
+ ctx = rcu_dereference(current->perf_event_ctxp);
+ if (ctx)
+- perf_swevent_ctx_event(ctx, type, event_id, nr, nmi, data, regs);
++ perf_swevent_ctx_event(ctx, type, event_id, nr, data, regs);
+ rcu_read_unlock();
+
+ barrier();
+@@ -3922,14 +3918,14 @@ out:
+ put_cpu_var(perf_cpu_context);
+ }
+
+-void __perf_sw_event(u32 event_id, u64 nr, int nmi,
++void __perf_sw_event(u32 event_id, u64 nr,
+ struct pt_regs *regs, u64 addr)
+ {
+ struct perf_sample_data data = {
+ .addr = addr,
+ };
+
+- do_perf_sw_event(PERF_TYPE_SOFTWARE, event_id, nr, nmi,
++ do_perf_sw_event(PERF_TYPE_SOFTWARE, event_id, nr,
+ &data, regs);
+ }
+
+@@ -3987,7 +3983,7 @@ static enum hrtimer_restart perf_swevent_hrtimer(struct hrtimer *hrtimer)
+
+ if (regs) {
+ if (!(event->attr.exclude_idle && current->pid == 0))
+- if (perf_event_overflow(event, 0, &data, regs))
++ if (perf_event_overflow(event, &data, regs))
+ ret = HRTIMER_NORESTART;
+ }
+
+@@ -4153,7 +4149,7 @@ void perf_tp_event(int event_id, u64 addr, u64 count, void *record,
+ if (!regs)
+ regs = task_pt_regs(current);
+
+- do_perf_sw_event(PERF_TYPE_TRACEPOINT, event_id, count, 1,
++ do_perf_sw_event(PERF_TYPE_TRACEPOINT, event_id, count,
+ &data, regs);
+ }
+ EXPORT_SYMBOL_GPL(perf_tp_event);
+diff --git a/kernel/sched.c b/kernel/sched.c
+index 2829d09..4a32d5d 100644
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -2148,7 +2148,7 @@ void set_task_cpu(struct task_struct *p, unsigned int new_cpu)
+ if (old_cpu != new_cpu) {
+ p->se.nr_migrations++;
+ perf_sw_event(PERF_COUNT_SW_CPU_MIGRATIONS,
+- 1, 1, NULL, 0);
++ 1, NULL, 0);
+ }
+
+ __set_task_cpu(p, new_cpu);
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch)
@@ -0,0 +1,72 @@
+commit 293eb1e7772b25a93647c798c7b89bf26c2da2e0
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Tue Jul 26 16:08:38 2011 -0700
+
+ proc: fix a race in do_io_accounting()
+
+ If an inode's mode permits opening /proc/PID/io and the resulting file
+ descriptor is kept across execve() of a setuid or similar binary, the
+ ptrace_may_access() check tries to prevent using this fd against the
+ task with escalated privileges.
+
+ Unfortunately, there is a race in the check against execve(). If
+ execve() is processed after the ptrace check, but before the actual io
+ information gathering, io statistics will be gathered from the
+ privileged process. At least in theory this might lead to gathering
+ sensible information (like ssh/ftp password length) that wouldn't be
+ available otherwise.
+
+ Holding task->signal->cred_guard_mutex while gathering the io
+ information should protect against the race.
+
+ The order of locking is similar to the one inside of ptrace_attach():
+ first goes cred_guard_mutex, then lock_task_sighand().
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Cc: Al Viro <viro at zeniv.linux.org.uk>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index c9e3f65..08e3ecc 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2706,9 +2706,16 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ {
+ struct task_io_accounting acct = task->ioac;
+ unsigned long flags;
++ int result;
+
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
+- return -EACCES;
++ result = mutex_lock_killable(&task->cred_guard_mutex);
++ if (result)
++ return result;
++
++ if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
++ result = -EACCES;
++ goto out_unlock;
++ }
+
+ if (whole && lock_task_sighand(task, &flags)) {
+ struct task_struct *t = task;
+@@ -2719,7 +2726,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+
+ unlock_task_sighand(task, &flags);
+ }
+- return sprintf(buffer,
++ result = sprintf(buffer,
+ "rchar: %llu\n"
+ "wchar: %llu\n"
+ "syscr: %llu\n"
+@@ -2734,6 +2741,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ (unsigned long long)acct.read_bytes,
+ (unsigned long long)acct.write_bytes,
+ (unsigned long long)acct.cancelled_write_bytes);
++out_unlock:
++ mutex_unlock(&task->cred_guard_mutex);
++ return result;
+ }
+
+ static int proc_tid_io_accounting(struct task_struct *task, char *buffer)
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch)
@@ -0,0 +1,86 @@
+commit ec6fd8a4355cda81cd9f06bebc048e83eb514ac7
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date: Tue Feb 15 22:22:54 2011 -0500
+
+ report errors in /proc/*/*map* sanely
+
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index aca5390..b7567b2 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -235,15 +235,17 @@ static int check_mem_permission(struct task_struct *task)
+ struct mm_struct *mm_for_maps(struct task_struct *task)
+ {
+ struct mm_struct *mm;
++ int err;
+
+- if (mutex_lock_killable(&task->cred_guard_mutex))
+- return NULL;
++ err = mutex_lock_killable(&task->cred_guard_mutex);
++ if (err)
++ return ERR_PTR(err);
+
+ mm = get_task_mm(task);
+ if (mm && mm != current->mm &&
+ !ptrace_may_access(task, PTRACE_MODE_READ)) {
+ mmput(mm);
+- mm = NULL;
++ mm = ERR_PTR(-EACCES);
+ }
+ mutex_unlock(&task->cred_guard_mutex);
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 6e7b065..e62af9b 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -114,11 +114,11 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+
+ priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
+ if (!priv->task)
+- return NULL;
++ return ERR_PTR(-ESRCH);
+
+ mm = mm_for_maps(priv->task);
+- if (!mm)
+- return NULL;
++ if (!mm || IS_ERR(mm))
++ return mm;
+ down_read(&mm->mmap_sem);
+
+ tail_vma = get_gate_vma(priv->task);
+@@ -681,9 +681,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ if (!task)
+ goto out;
+
+- ret = -EACCES;
+ mm = mm_for_maps(task);
+- if (!mm)
++ ret = PTR_ERR(mm);
++ if (!mm || IS_ERR(mm))
+ goto out_task;
+
+ ret = -EINVAL;
+diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
+index 8f5c05d..522c1e1 100644
+--- a/fs/proc/task_nommu.c
++++ b/fs/proc/task_nommu.c
+@@ -181,13 +181,13 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ /* pin the task and mm whilst we play with them */
+ priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
+ if (!priv->task)
+- return NULL;
++ return ERR_PTR(-ESRCH);
+
+ mm = mm_for_maps(priv->task);
+- if (!mm) {
++ if (!mm || IS_ERR(mm)) {
+ put_task_struct(priv->task);
+ priv->task = NULL;
+- return NULL;
++ return mm;
+ }
+ down_read(&mm->mmap_sem);
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch)
@@ -0,0 +1,51 @@
+commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Fri Jun 24 16:08:38 2011 +0400
+
+ proc: restrict access to /proc/PID/io
+
+ /proc/PID/io may be used for gathering private information. E.g. for
+ openssh and vsftpd daemons wchars/rchars may be used to learn the
+ precise password length. Restrict it to processes being able to ptrace
+ the target process.
+
+ ptrace_may_access() is needed to prevent keeping open file descriptor of
+ "io" file, executing setuid binary and gathering io information of the
+ setuid'ed process.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 3d09a10..7b5819c 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2454,6 +2454,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ struct task_io_accounting acct = task->ioac;
+ unsigned long flags;
+
++ if (!ptrace_may_access(task, PTRACE_MODE_READ))
++ return -EACCES;
++
+ if (whole && lock_task_sighand(task, &flags)) {
+ struct task_struct *t = task;
+
+@@ -2575,7 +2578,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+ REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+- INF("io", S_IRUGO, proc_tgid_io_accounting),
++ INF("io", S_IRUSR, proc_tgid_io_accounting),
+ #endif
+ };
+
+@@ -2910,7 +2913,7 @@ static const struct pid_entry tid_base_stuff[] = {
+ REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+- INF("io", S_IRUGO, proc_tid_io_accounting),
++ INF("io", S_IRUSR, proc_tid_io_accounting),
+ #endif
+ };
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-syscall-stack-personality-races.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-syscall-stack-personality-races.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/proc-syscall-stack-personality-races.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-syscall-stack-personality-races.patch)
@@ -0,0 +1,172 @@
+commit a9712bc12c40c172e393f85a9b2ba8db4bf59509
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date: Wed Mar 23 15:52:50 2011 -0400
+
+ deal with races in /proc/*/{syscall,stack,personality}
+
+ All of those are rw-r--r-- and all are broken for suid - if you open
+ a file before the target does suid-root exec, you'll be still able
+ to access it. For personality it's not a big deal, but for syscall
+ and stack it's a real problem.
+
+ Fix: check that task is tracable for you at the time of read().
+
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 1be8cb2..8dad8fd 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -330,6 +330,23 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer)
+ }
+ #endif /* CONFIG_KALLSYMS */
+
++static int lock_trace(struct task_struct *task)
++{
++ int err = mutex_lock_killable(&task->cred_guard_mutex);
++ if (err)
++ return err;
++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) {
++ mutex_unlock(&task->cred_guard_mutex);
++ return -EPERM;
++ }
++ return 0;
++}
++
++static void unlock_trace(struct task_struct *task)
++{
++ mutex_unlock(&task->cred_guard_mutex);
++}
++
+ #ifdef CONFIG_STACKTRACE
+
+ #define MAX_STACK_TRACE_DEPTH 64
+@@ -339,6 +356,7 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
+ {
+ struct stack_trace trace;
+ unsigned long *entries;
++ int err;
+ int i;
+
+ entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
+@@ -349,15 +367,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
+ trace.max_entries = MAX_STACK_TRACE_DEPTH;
+ trace.entries = entries;
+ trace.skip = 0;
+- save_stack_trace_tsk(task, &trace);
+
+- for (i = 0; i < trace.nr_entries; i++) {
+- seq_printf(m, "[<%p>] %pS\n",
+- (void *)entries[i], (void *)entries[i]);
++ err = lock_trace(task);
++ if (!err) {
++ save_stack_trace_tsk(task, &trace);
++
++ for (i = 0; i < trace.nr_entries; i++) {
++ seq_printf(m, "[<%p>] %pS\n",
++ (void *)entries[i], (void *)entries[i]);
++ }
++ unlock_trace(task);
+ }
+ kfree(entries);
+
+- return 0;
++ return err;
+ }
+ #endif
+
+@@ -529,18 +552,22 @@ static int proc_pid_syscall(struct task_struct *task, char *buffer)
+ {
+ long nr;
+ unsigned long args[6], sp, pc;
++ int res = lock_trace(task);
++ if (res)
++ return res;
+
+ if (task_current_syscall(task, &nr, args, 6, &sp, &pc))
+- return sprintf(buffer, "running\n");
+-
+- if (nr < 0)
+- return sprintf(buffer, "%ld 0x%lx 0x%lx\n", nr, sp, pc);
+-
+- return sprintf(buffer,
++ res = sprintf(buffer, "running\n");
++ else if (nr < 0)
++ res = sprintf(buffer, "%ld 0x%lx 0x%lx\n", nr, sp, pc);
++ else
++ res = sprintf(buffer,
+ "%ld 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx\n",
+ nr,
+ args[0], args[1], args[2], args[3], args[4], args[5],
+ sp, pc);
++ unlock_trace(task);
++ return res;
+ }
+ #endif /* CONFIG_HAVE_ARCH_TRACEHOOK */
+
+@@ -2507,8 +2534,12 @@ static int proc_tgid_io_accounting(struct task_struct *task, char *buffer)
+ static int proc_pid_personality(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task)
+ {
+- seq_printf(m, "%08x\n", task->personality);
+- return 0;
++ int err = lock_trace(task);
++ if (!err) {
++ seq_printf(m, "%08x\n", task->personality);
++ unlock_trace(task);
++ }
++ return err;
+ }
+
+ /*
+@@ -2527,13 +2558,13 @@ static const struct pid_entry tgid_base_stuff[] = {
+ REG("environ", S_IRUSR, proc_environ_operations),
+ INF("auxv", S_IRUSR, proc_pid_auxv),
+ ONE("status", S_IRUGO, proc_pid_status),
+- ONE("personality", S_IRUSR, proc_pid_personality),
++ ONE("personality", S_IRUGO, proc_pid_personality),
+ INF("limits", S_IRUSR, proc_pid_limits),
+ #ifdef CONFIG_SCHED_DEBUG
+ REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
+ #endif
+ #ifdef CONFIG_HAVE_ARCH_TRACEHOOK
+- INF("syscall", S_IRUSR, proc_pid_syscall),
++ INF("syscall", S_IRUGO, proc_pid_syscall),
+ #endif
+ INF("cmdline", S_IRUGO, proc_pid_cmdline),
+ ONE("stat", S_IRUGO, proc_tgid_stat),
+@@ -2561,7 +2592,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+ INF("wchan", S_IRUGO, proc_pid_wchan),
+ #endif
+ #ifdef CONFIG_STACKTRACE
+- ONE("stack", S_IRUSR, proc_pid_stack),
++ ONE("stack", S_IRUGO, proc_pid_stack),
+ #endif
+ #ifdef CONFIG_SCHEDSTATS
+ INF("schedstat", S_IRUGO, proc_pid_schedstat),
+@@ -2866,13 +2897,13 @@ static const struct pid_entry tid_base_stuff[] = {
+ REG("environ", S_IRUSR, proc_environ_operations),
+ INF("auxv", S_IRUSR, proc_pid_auxv),
+ ONE("status", S_IRUGO, proc_pid_status),
+- ONE("personality", S_IRUSR, proc_pid_personality),
++ ONE("personality", S_IRUGO, proc_pid_personality),
+ INF("limits", S_IRUSR, proc_pid_limits),
+ #ifdef CONFIG_SCHED_DEBUG
+ REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
+ #endif
+ #ifdef CONFIG_HAVE_ARCH_TRACEHOOK
+- INF("syscall", S_IRUSR, proc_pid_syscall),
++ INF("syscall", S_IRUGO, proc_pid_syscall),
+ #endif
+ INF("cmdline", S_IRUGO, proc_pid_cmdline),
+ ONE("stat", S_IRUGO, proc_tid_stat),
+@@ -2899,7 +2930,7 @@ static const struct pid_entry tid_base_stuff[] = {
+ INF("wchan", S_IRUGO, proc_pid_wchan),
+ #endif
+ #ifdef CONFIG_STACKTRACE
+- ONE("stack", S_IRUSR, proc_pid_stack),
++ ONE("stack", S_IRUGO, proc_pid_stack),
+ #endif
+ #ifdef CONFIG_SCHEDSTATS
+ INF("schedstat", S_IRUGO, proc_pid_schedstat),
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch)
@@ -0,0 +1,43 @@
+From: Mauro Carvalho Chehab <mchehab at redhat.com>
+Date: Sun, 17 Jul 2011 03:24:37 +0000 (-0300)
+Subject: si4713-i2c: avoid potential buffer overflow on si4713
+X-Git-Tag: v3.0~16
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6
+
+si4713-i2c: avoid potential buffer overflow on si4713
+
+While compiling it with Fedora 15, I noticed this issue:
+
+ inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24:
+ arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct
+
+Cc: stable at kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+Acked-by: Sakari Ailus <sakari.ailus at maxwell.research.nokia.com>
+Acked-by: Eduardo Valentin <edubezval at gmail.com>
+Reviewed-by: Eugene Teo <eugeneteo at kernel.sg>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/drivers/media/radio/si4713-i2c.c b/drivers/media/radio/si4713-i2c.c
+index deca2e0..c9f4a8e 100644
+--- a/drivers/media/radio/si4713-i2c.c
++++ b/drivers/media/radio/si4713-i2c.c
+@@ -1033,7 +1033,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
+ char ps_name[MAX_RDS_PS_NAME + 1];
+
+ len = control->size - 1;
+- if (len > MAX_RDS_PS_NAME) {
++ if (len < 0 || len > MAX_RDS_PS_NAME) {
+ rval = -ERANGE;
+ goto exit;
+ }
+@@ -1057,7 +1057,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
+ char radio_text[MAX_RDS_RADIO_TEXT + 1];
+
+ len = control->size - 1;
+- if (len > MAX_RDS_RADIO_TEXT) {
++ if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
+ rval = -ERANGE;
+ goto exit;
+ }
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch)
@@ -0,0 +1,80 @@
+From 26c4caea9d697043cc5a458b96411b86d7f6babd Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon, 27 Jun 2011 16:18:11 -0700
+Subject: taskstats: don't allow duplicate entries in listener mode
+
+From: Vasiliy Kulikov <segoon at openwall.com>
+
+commit 26c4caea9d697043cc5a458b96411b86d7f6babd upstream.
+
+Currently a single process may register exit handlers unlimited times.
+It may lead to a bloated listeners chain and very slow process
+terminations.
+
+Eg after 10KK sent TASKSTATS_CMD_ATTR_REGISTER_CPUMASKs ~300 Mb of
+kernel memory is stolen for the handlers chain and "time id" shows 2-7
+seconds instead of normal 0.003. It makes it possible to exhaust all
+kernel memory and to eat much of CPU time by triggerring numerous exits
+on a single CPU.
+
+The patch limits the number of times a single process may register
+itself on a single CPU to one.
+
+One little issue is kept unfixed - as taskstats_exit() is called before
+exit_files() in do_exit(), the orphaned listener entry (if it was not
+explicitly deregistered) is kept until the next someone's exit() and
+implicit deregistration in send_cpu_listeners(). So, if a process
+registered itself as a listener exits and the next spawned process gets
+the same pid, it would inherit taskstats attributes.
+
+Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+Cc: Balbir Singh <bsingharora at gmail.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ kernel/taskstats.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -293,16 +293,18 @@ ret:
+ static int add_del_listener(pid_t pid, const struct cpumask *mask, int isadd)
+ {
+ struct listener_list *listeners;
+- struct listener *s, *tmp;
++ struct listener *s, *tmp, *s2;
+ unsigned int cpu;
+
+ if (!cpumask_subset(mask, cpu_possible_mask))
+ return -EINVAL;
+
++ s = NULL;
+ if (isadd == REGISTER) {
+ for_each_cpu(cpu, mask) {
+- s = kmalloc_node(sizeof(struct listener), GFP_KERNEL,
+- cpu_to_node(cpu));
++ if (!s)
++ s = kmalloc_node(sizeof(struct listener),
++ GFP_KERNEL, cpu_to_node(cpu));
+ if (!s)
+ goto cleanup;
+ s->pid = pid;
+@@ -311,9 +313,16 @@ static int add_del_listener(pid_t pid, c
+
+ listeners = &per_cpu(listener_array, cpu);
+ down_write(&listeners->sem);
++ list_for_each_entry_safe(s2, tmp, &listeners->list, list) {
++ if (s2->pid == pid)
++ goto next_cpu;
++ }
+ list_add(&s->list, &listeners->list);
++ s = NULL;
++next_cpu:
+ up_write(&listeners->sem);
+ }
++ kfree(s);
+ return 0;
+ }
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch)
@@ -0,0 +1,12 @@
+diff -urpN linux-source-2.6.32.orig/net/ipv6/ip6_tunnel.c linux-source-2.6.32/net/ipv6/ip6_tunnel.c
+--- linux-source-2.6.32.orig/net/ipv6/ip6_tunnel.c 2011-06-11 13:10:52.000000000 -0600
++++ linux-source-2.6.32/net/ipv6/ip6_tunnel.c 2011-07-21 00:23:41.002857909 -0600
+@@ -1465,7 +1465,7 @@ static int __init ip6_tunnel_init(void)
+ {
+ int err;
+
+- err = register_pernet_device(&ip6_tnl_net_ops);
++ err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
+ if (err < 0)
+ goto out_pernet;
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch)
@@ -0,0 +1,43 @@
+commit a626ca6a656450e9f4df91d0dda238fff23285f4
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed Apr 13 08:07:28 2011 -0700
+
+ vm: fix vm_pgoff wrap in stack expansion
+
+ Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+ the case of a expanding mapping causing vm_pgoff wrapping when you used
+ mremap. But there was another case where we expand mappings hiding in
+ plain sight: the automatic stack expansion.
+
+ This fixes that case too.
+
+ This one also found by Robert Święcki, using his nasty system call
+ fuzzer tool. Good job.
+
+ Reported-and-tested-by: Robert Święcki <robert at swiecki.net>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 292afec..537b365 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1680,10 +1680,13 @@ static int expand_downwards(struct vm_area_struct *vma,
+ size = vma->vm_end - address;
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error) {
+- vma->vm_start = address;
+- vma->vm_pgoff -= grow;
++ error = -ENOMEM;
++ if (grow <= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_start = address;
++ vma->vm_pgoff -= grow;
++ }
+ }
+ }
+ anon_vma_unlock(vma);
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch)
@@ -0,0 +1,37 @@
+commit 42c36f63ac1366ab0ecc2d5717821362c259f517
+Author: Hugh Dickins <hughd at google.com>
+Date: Mon May 9 17:44:42 2011 -0700
+
+ vm: fix vm_pgoff wrap in upward expansion
+
+ Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
+ the case of an expanding mapping causing vm_pgoff wrapping when you had
+ downward stack expansion. But there was another case where IA64 and
+ PA-RISC expand mappings: upward expansion.
+
+ This fixes that case too.
+
+ Signed-off-by: Hugh Dickins <hughd at google.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff -urpN a/mm/mmap.c b/mm/mmap.c
+--- a/mm/mmap.c 2011-08-24 22:41:35.414475071 -0600
++++ b/mm/mmap.c 2011-08-24 22:43:55.639860464 -0600
+@@ -1636,9 +1636,12 @@ int expand_upwards(struct vm_area_struct
+ size = address - vma->vm_start;
+ grow = (address - vma->vm_end) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error)
+- vma->vm_end = address;
++ error = -ENOMEM;
++ if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error)
++ vma->vm_end = address;
++ }
+ }
+ anon_vma_unlock(vma);
+ return error;
Copied: dists/squeeze/linux-2.6/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch (from r18009, dists/squeeze-security/linux-2.6/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch)
@@ -0,0 +1,23 @@
+commit 613006cb46d1931bf7331fd3951efd7a0a0bb118
+Author: dann frazier <dannf at debian.org>
+Date: Mon Aug 8 21:43:14 2011 -0600
+
+ Avoid ABI change in fix for CVE-2011-2491
+
+diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h
+index 67f63dd..b5e54f3 100644
+--- a/include/linux/sunrpc/sched.h
++++ b/include/linux/sunrpc/sched.h
+@@ -84,8 +84,10 @@ struct rpc_task {
+ long tk_rtt; /* round-trip time (jiffies) */
+
+ pid_t tk_owner; /* Process id for batching tasks */
+- unsigned char tk_priority : 2,/* Task priority */
+- tk_rebind_retry : 2;
++ unsigned char tk_priority : 2;/* Task priority */
++#ifndef __GENKSYMS__
++ unsigned char tk_rebind_retry : 2;
++#endif
+ #ifdef RPC_DEBUG
+ unsigned short tk_pid; /* debugging aid */
+ #endif
Modified: dists/squeeze/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/features/all/openvz/openvz.patch Thu Aug 25 10:25:03 2011 (r18009)
+++ dists/squeeze/linux-2.6/debian/patches/features/all/openvz/openvz.patch Fri Aug 26 03:51:39 2011 (r18010)
@@ -85813,9 +85813,9 @@
index 7cda24b..e360965 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
-@@ -72,6 +72,8 @@
- #include <net/xfrm.h>
+@@ -73,6 +73,8 @@
#include <net/netdma.h>
+ #include <net/secure_seq.h>
+#include <bc/tcp.h>
+
@@ -87812,9 +87812,9 @@
index 21d100b..1c534b7 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
-@@ -61,6 +61,8 @@
- #include <net/netdma.h>
+@@ -62,6 +62,8 @@
#include <net/inet_common.h>
+ #include <net/secure_seq.h>
+#include <bc/tcp.h>
+
Modified: dists/squeeze/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.7.patch
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.7.patch Thu Aug 25 10:25:03 2011 (r18009)
+++ dists/squeeze/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.7.patch Fri Aug 26 03:51:39 2011 (r18010)
@@ -6695,7 +6695,7 @@
#ifdef CONFIG_AUDITSYSCALL
@@ -2577,6 +2598,7 @@ static const struct pid_entry tgid_base_
#ifdef CONFIG_TASK_IO_ACCOUNTING
- INF("io", S_IRUGO, proc_tgid_io_accounting),
+ INF("io", S_IRUSR, proc_tgid_io_accounting),
#endif
+ ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
};
@@ -27036,10 +27036,10 @@
if (r->id.idiag_sport != tw->tw_sport &&
--- a/net/ipv4/inet_hashtables.c 2009-06-11 17:13:29.000000000 +0200
+++ a/net/ipv4/inet_hashtables.c 2011-06-10 13:03:02.000000000 +0200
-@@ -21,6 +21,7 @@
-
+@@ -22,6 +22,7 @@
#include <net/inet_connection_sock.h>
#include <net/inet_hashtables.h>
+ #include <net/secure_seq.h>
+#include <net/route.h>
#include <net/ip.h>
Copied: dists/squeeze/linux-2.6/debian/patches/series/35squeeze1 (from r18009, dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/series/35squeeze1 Fri Aug 26 03:51:39 2011 (r18010, copy of r18009, dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1)
@@ -0,0 +1,27 @@
++ bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch
++ bugfix/all/net-fix-memory-leak+corruption-on-VLAN-GRO_DROP.patch
++ bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
++ bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
++ debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
++ bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
++ bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
++ bugfix/all/proc-restrict-access-to-proc-pid-io.patch
++ bugfix/all/proc-fix-a-race-in-do_io_accounting.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
++ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
++ bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
++ bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
++ bugfix/all/net_sched-Fix-qdisc_notify.patch
++ bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch
++ bugfix/all/comedi-fix-infoleak-to-userspace.patch
++ bugfix/all/CVE-2011-3188.patch
++ bugfix/all/pagemap-close-races-with-suid-execve.patch
++ bugfix/all/proc-map-report-errors-sanely.patch
++ bugfix/all/close-race-in-proc-pid-environ.patch
++ bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
++ bugfix/all/proc-syscall-stack-personality-races.patch
++ bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
++ bugfix/all/befs-validate-length-of-long-symbolic-links.patch
++ bugfix/all/perf-remove-the-nmi-parameter-from-the-swevent-and-overflow-interface.patch
++ bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
Modified: dists/squeeze/linux-2.6/debian/patches/series/36
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/36 Thu Aug 25 10:25:03 2011 (r18009)
+++ dists/squeeze/linux-2.6/debian/patches/series/36 Fri Aug 26 03:51:39 2011 (r18010)
@@ -1,8 +1,11 @@
+ bugfix/all/drm-radeon-kms-fix-bad-shift-atom-iio-parser.patch
+- bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
+- bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
- bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch
- bugfix/x86/x86-amd-do-not-enable-arat-feature-on-amd-processors-below.patch
+ bugfix/all/stable/2.6.32.42.patch
++ bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
+ bugfix/all/drm_mm-extract-check_free_mm_node.patch
+ bugfix/all/drm-implement-helper-functions-for-scanning-lru-list.patch
@@ -14,6 +17,7 @@
+ bugfix/all/drm-i915-Periodically-flush-the-active-lists-and-req.patch
+ bugfix/all/drm-i915-Add-a-no-lvds-quirk-for-the-Asus-EeeBox-PC-.patch
+ bugfix/all/drm-radeon-kms-fix-for-radeon-on-systems-4GB-without.patch
+- bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
+ bugfix/all/stable/2.6.32.43.patch
# Networking
More information about the Kernel-svn-changes
mailing list