[kernel] r18868 - in dists/squeeze/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/series

Dann Frazier dannf at alioth.debian.org
Tue Mar 20 07:39:04 UTC 2012


Author: dannf
Date: Tue Mar 20 07:39:02 2012
New Revision: 18868

Log:
merge 41squeeze1

Added:
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch
   dists/squeeze/linux-2.6/debian/patches/series/41squeeze1
      - copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/series/41squeeze1
Modified:
   dists/squeeze/linux-2.6/   (props changed)
   dists/squeeze/linux-2.6/debian/changelog
   dists/squeeze/linux-2.6/debian/patches/series/42

Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog	Tue Mar 20 06:51:05 2012	(r18867)
+++ dists/squeeze/linux-2.6/debian/changelog	Tue Mar 20 07:39:02 2012	(r18868)
@@ -6,7 +6,6 @@
 
   [ Ben Hutchings ]
   * Add longterm release 2.6.32.55, including:
-    - ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)
     - x86: Fix mmap random address range
     - V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
     For the complete list of changes, see:
@@ -39,8 +38,6 @@
     - crypto: sha512 - Avoid stack bloat on i386
     - crypto: sha512 - use standard ror64()
     - Ban ecryptfs over ecryptfs
-    - ecryptfs: Add mount option to check uid of device being mounted =
-      expect uid (CVE-2011-1833)
     - cdrom: use copy_to_user() without the underscores
     - autofs: work around unhappy compat problem on x86-64 (Closes: #633423)
     For the complete list of changes, see:
@@ -60,6 +57,34 @@
 
  -- Uwe Kleine-König <u.kleine-koenig at pengutronix.de>  Mon, 16 Jan 2012 16:47:21 +0100
 
+linux-2.6 (2.6.32-41squeeze1) stable-security; urgency=high
+
+  [ dann frazier ]
+  * ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)
+  * ecryptfs: Add mount option to check uid of device being mounted =
+    expect uid (CVE-2011-1833)
+  * KVM: Remove ability to assign devices without IOMMU support
+  * KVM: Check permissions before permitting device assignment (CVE-2011-4347)
+  * Fix CVE-2012-0045, with backport work from Ben Hutchings:
+    - KVM: extend "struct x86_emulate_ops" with "get_cpuid"
+    - KVM: syscall instruction induced guest panic
+
+  [ Ben Hutchings ]
+  * V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
+  * drm: Fix authentication kernel crash
+  * relay: prevent integer overflow in relay_open()
+  * Further refine the fix for CVE-2011-4127:
+    - sd_compat_ioctl: Replace ENOTTY error with ENOIOCTLCMD
+    - kernel.h: fix wrong usage of __ratelimit()
+    - printk_ratelimited(): fix uninitialized spinlock
+  * cifs: fix dentry refcount leak when opening a FIFO on lookup (CVE-2012-1090)
+  * regset: Prevent null pointer reference on readonly regsets (CVE-2012-1097)
+  * eCryptfs: Make truncate path killable
+  * eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+  * cdrom: use copy_to_user() without the underscores
+
+ -- dann frazier <dannf at debian.org>  Thu, 15 Mar 2012 01:46:43 -0600
+
 linux-2.6 (2.6.32-41) stable; urgency=low
 
   [ Ben Hutchings ]

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch)
@@ -0,0 +1,136 @@
+commit 3d27e23b17010c668db311140b17bbbb70c78fb9
+Author: Alex Williamson <alex.williamson at redhat.com>
+Date:   Tue Dec 20 21:59:09 2011 -0700
+
+    KVM: Device assignment permission checks
+    
+    Only allow KVM device assignment to attach to devices which:
+    
+     - Are not bridges
+     - Have BAR resources (assume others are special devices)
+     - The user has permissions to use
+    
+    Assigning a bridge is a configuration error, it's not supported, and
+    typically doesn't result in the behavior the user is expecting anyway.
+    Devices without BAR resources are typically chipset components that
+    also don't have host drivers.  We don't want users to hold such devices
+    captive or cause system problems by fencing them off into an iommu
+    domain.  We determine "permission to use" by testing whether the user
+    has access to the PCI sysfs resource files.  By default a normal user
+    will not have access to these files, so it provides a good indication
+    that an administration agent has granted the user access to the device.
+    
+    [Yang Bai: add missing #include]
+    [avi: fix comment style]
+    
+    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
+    Signed-off-by: Yang Bai <hamo.by at gmail.com>
+    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 77288e2..311ec18 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -43,6 +43,8 @@
+ #include <linux/swap.h>
+ #include <linux/bitops.h>
+ #include <linux/spinlock.h>
++#include <linux/namei.h>
++#include <linux/fs.h>
+ 
+ #include <asm/processor.h>
+ #include <asm/io.h>
+@@ -575,12 +577,73 @@ out:
+ 	return r;
+ }
+ 
++/*
++ * We want to test whether the caller has been granted permissions to
++ * use this device.  To be able to configure and control the device,
++ * the user needs access to PCI configuration space and BAR resources.
++ * These are accessed through PCI sysfs.  PCI config space is often
++ * passed to the process calling this ioctl via file descriptor, so we
++ * can't rely on access to that file.  We can check for permissions
++ * on each of the BAR resource files, which is a pretty clear
++ * indicator that the user has been granted access to the device.
++ */
++static int probe_sysfs_permissions(struct pci_dev *dev)
++{
++#ifdef CONFIG_SYSFS
++	int i;
++	bool bar_found = false;
++
++	for (i = PCI_STD_RESOURCES; i <= PCI_STD_RESOURCE_END; i++) {
++		char *kpath, *syspath;
++		struct path path;
++		struct inode *inode;
++		int r;
++
++		if (!pci_resource_len(dev, i))
++			continue;
++
++		kpath = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
++		if (!kpath)
++			return -ENOMEM;
++
++		/* Per sysfs-rules, sysfs is always at /sys */
++		syspath = kasprintf(GFP_KERNEL, "/sys%s/resource%d", kpath, i);
++		kfree(kpath);
++		if (!syspath)
++			return -ENOMEM;
++
++		r = kern_path(syspath, LOOKUP_FOLLOW, &path);
++		kfree(syspath);
++		if (r)
++			return r;
++
++		inode = path.dentry->d_inode;
++
++		r = inode_permission(inode, MAY_READ | MAY_WRITE | MAY_ACCESS);
++		path_put(&path);
++		if (r)
++			return r;
++
++		bar_found = true;
++	}
++
++	/* If no resources, probably something special */
++	if (!bar_found)
++		return -EPERM;
++
++	return 0;
++#else
++	return -EINVAL; /* No way to control the device without sysfs */
++#endif
++}
++
+ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ 				      struct kvm_assigned_pci_dev *assigned_dev)
+ {
+ 	int r = 0;
+ 	struct kvm_assigned_dev_kernel *match;
+ 	struct pci_dev *dev;
++	u8 header_type;
+ 
+ 	if (!(assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU))
+ 		return -EINVAL;
+@@ -610,6 +673,18 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ 		r = -EINVAL;
+ 		goto out_free;
+ 	}
++
++	/* Don't allow bridges to be assigned */
++	pci_read_config_byte(dev, PCI_HEADER_TYPE, &header_type);
++	if ((header_type & PCI_HEADER_TYPE) != PCI_HEADER_TYPE_NORMAL) {
++		r = -EPERM;
++		goto out_put;
++	}
++
++	r = probe_sysfs_permissions(dev);
++	if (r)
++		goto out_put;
++
+ 	if (pci_enable_device(dev)) {
+ 		printk(KERN_INFO "%s: Could not enable PCI device\n", __func__);
+ 		r = -EBUSY;
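Review bot: The return value of `pci_read_config_byte(dev, PCI_HEADER_TYPE, &header_type)` in the new bridge check of kvm_vm_ioctl_assign_device is ignored, and `header_type` is declared without an initializer, so a failed config-space read leaves the comparison operating on whatever the accessor stored rather than failing closed. Treat a read error as a refusal: `if (pci_read_config_byte(dev, PCI_HEADER_TYPE, &header_type) ||` / `    (header_type & PCI_HEADER_TYPE) != PCI_HEADER_TYPE_NORMAL) {`. Separately, probe_sysfs_permissions resolves `/sys%s/resource%d` with `kern_path()` against the caller's root and then only runs `inode_permission()` on whatever is found there; the comment "sysfs is always at /sys" is an assumption about the caller's mount setup that the code does not verify, and a one-line check that `path.dentry->d_sb->s_magic == SYSFS_MAGIC` before the permission test would make the probe independent of it. kvm_vm_ioctl_assign_device continues past the end of the hunk, so the `out_put` and `out_free` labels are not visible here.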

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch)
@@ -0,0 +1,58 @@
+commit 423873736b78f549fbfa2f715f2e4de7e6c5e1e9
+Author: Alex Williamson <alex.williamson at redhat.com>
+Date:   Tue Dec 20 21:59:03 2011 -0700
+
+    KVM: Remove ability to assign a device without iommu support
+    
+    This option has no users and it exposes a security hole that we
+    can allow devices to be assigned without iommu protection.  Make
+    KVM_DEV_ASSIGN_ENABLE_IOMMU a mandatory option.
+    
+    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
+    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+    [dannf: backported to Debian's 2.6.32]
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -582,6 +582,9 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ 	struct kvm_assigned_dev_kernel *match;
+ 	struct pci_dev *dev;
+ 
++	if (!(assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU))
++		return -EINVAL;
++
+ 	down_read(&kvm->slots_lock);
+ 	mutex_lock(&kvm->lock);
+ 
+@@ -635,16 +638,14 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ 
+ 	list_add(&match->list, &kvm->arch.assigned_dev_head);
+ 
+-	if (assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU) {
+-		if (!kvm->arch.iommu_domain) {
+-			r = kvm_iommu_map_guest(kvm);
+-			if (r)
+-				goto out_list_del;
+-		}
+-		r = kvm_assign_device(kvm, match);
++	if (!kvm->arch.iommu_domain) {
++		r = kvm_iommu_map_guest(kvm);
+ 		if (r)
+ 			goto out_list_del;
+ 	}
++	r = kvm_assign_device(kvm, match);
++	if (r)
++		goto out_list_del;
+ 
+ out:
+ 	mutex_unlock(&kvm->lock);
+@@ -683,8 +684,7 @@ static int kvm_vm_ioctl_deassign_device(struct kvm *kvm,
+ 		goto out;
+ 	}
+ 
+-	if (match->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU)
+-		kvm_deassign_device(kvm, match);
++	kvm_deassign_device(kvm, match);
+ 
+ 	kvm_free_assigned_device(kvm, match);
+ 

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch)
@@ -0,0 +1,62 @@
+From 537400450bd43daf3f99efe35efd0ccaf16f38b1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Thu, 5 Jan 2012 02:27:57 -0300
+Subject: [PATCH] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
+
+commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.
+
+If ctrls->count is too high the multiplication could overflow and
+array_size would be lower than expected.  Mauro and Hans Verkuil
+suggested that we cap it at 1024.  That comes from the maximum
+number of controls with lots of room for expantion.
+
+$ grep V4L2_CID include/linux/videodev2.h | wc -l
+211
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/media/video/v4l2-ioctl.c |    6 ++++++
+ include/linux/videodev2.h        |    1 +
+ 2 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
+index 265bfb5..d7332c7 100644
+--- a/drivers/media/video/v4l2-ioctl.c
++++ b/drivers/media/video/v4l2-ioctl.c
+@@ -414,6 +414,9 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
+ 		p->error_idx = p->count;
+ 		user_ptr = (void __user *)p->controls;
+ 		if (p->count) {
++			err = -EINVAL;
++			if (p->count > V4L2_CID_MAX_CTRLS)
++				goto out_ext_ctrl;
+ 			ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
+ 			/* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
+ 			mbuf = kmalloc(ctrls_size, GFP_KERNEL);
+@@ -1912,6 +1915,9 @@ long video_ioctl2(struct file *file,
+ 		p->error_idx = p->count;
+ 		user_ptr = (void __user *)p->controls;
+ 		if (p->count) {
++			err = -EINVAL;
++			if (p->count > V4L2_CID_MAX_CTRLS)
++				goto out_ext_ctrl;
+ 			ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
+ 			/* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
+ 			mbuf = kmalloc(ctrls_size, GFP_KERNEL);
+diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
+index b59e78c..9e2088c 100644
+--- a/include/linux/videodev2.h
++++ b/include/linux/videodev2.h
+@@ -858,6 +858,7 @@ struct v4l2_querymenu {
+ #define V4L2_CTRL_FLAG_NEXT_CTRL	0x80000000
+ 
+ /*  User-class control IDs defined by V4L2 */
++#define V4L2_CID_MAX_CTRLS		1024
+ #define V4L2_CID_BASE			(V4L2_CTRL_CLASS_USER | 0x900)
+ #define V4L2_CID_USER_BASE 		V4L2_CID_BASE
+ /*  IDs reserved for driver specific controls */
+-- 
+1.7.9.1
+
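Review bot: `V4L2_CID_MAX_CTRLS` is inserted directly under the comment `/*  User-class control IDs defined by V4L2 */` in videodev2.h, so it reads as a control ID when it is actually the upper bound on `v4l2_ext_controls.count` that guards the `ctrls_size` multiplication; it has no comment of its own. Give it one: `/* Upper bound on v4l2_ext_controls.count; bounds the ctrls_size multiplication */`. The same three-line guard is added verbatim in both video_usercopy and video_ioctl2, a duplication inherited from upstream; folding it into one helper would be a follow-up rather than a reason to diverge from upstream in a stable backport.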

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch)
@@ -0,0 +1,134 @@
+From tim.gardner at canonical.com  Wed Feb 15 14:06:11 2012
+From: Tim Gardner <tim.gardner at canonical.com>
+Date: Wed, 15 Feb 2012 14:14:06 -0700
+Subject: Add mount option to check uid of device being mounted = expect uid, CVE-2011-1833
+To: stable at vger.kernel.org, gregkh at linuxfoundation.org
+Cc: Tim Gardner <tim.gardner at canonical.com>, John Johansen <john.johansen at canonical.com>, <stable at kernel.org>, Tyler Hicks <tyler.hicks at canonical.com>
+Message-ID: <1329340446-126150-1-git-send-email-tim.gardner at canonical.com>
+
+From: John Johansen <john.johansen at canonical.com>
+
+(backported from commit 764355487ea220fdc2faf128d577d7f679b91f97)
+
+Close a TOCTOU race for mounts done via ecryptfs-mount-private.  The mount
+source (device) can be raced when the ownership test is done in userspace.
+Provide Ecryptfs a means to force the uid check at mount time.
+
+BugLink: http://bugs.launchpad.net/bugs/732628
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Signed-off-by: Tyler Hicks <tyler.hicks at canonical.com>
+Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+[dannf: apply to Debian's 2.6.32]
+---
+ fs/ecryptfs/main.c |   30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
+index c6ac85d..f6cd392 100644
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -212,7 +212,8 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig,
+        ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata,
+        ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
+        ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
+-       ecryptfs_opt_unlink_sigs, ecryptfs_opt_err };
++       ecryptfs_opt_unlink_sigs, ecryptfs_opt_check_dev_ruid,
++       ecryptfs_opt_err };
+ 
+ static const match_table_t tokens = {
+ 	{ecryptfs_opt_sig, "sig=%s"},
+@@ -227,6 +228,7 @@ static const match_table_t tokens = {
+ 	{ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"},
+ 	{ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
+ 	{ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
++	{ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
+ 	{ecryptfs_opt_err, NULL}
+ };
+ 
+@@ -270,6 +272,7 @@ static void ecryptfs_init_mount_crypt_stat(
+  * ecryptfs_parse_options
+  * @sb: The ecryptfs super block
+  * @options: The options pased to the kernel
++ * @check_ruid: set to 1 if device uid should be checked against the ruid
+  *
+  * Parse mount options:
+  * debug=N 	   - ecryptfs_verbosity level for debug output
+@@ -285,7 +288,8 @@ static void ecryptfs_init_mount_crypt_stat(
+  *
+  * Returns zero on success; non-zero on error
+  */
+-static int ecryptfs_parse_options(struct super_block *sb, char *options)
++static int ecryptfs_parse_options(struct super_block *sb, char *options,
++					uid_t *check_ruid)
+ {
+ 	char *p;
+ 	int rc = 0;
+@@ -310,6 +314,8 @@ static int ecryptfs_parse_options(struct super_block *sb, char *options)
+ 	char *cipher_key_bytes_src;
+ 	char *fn_cipher_key_bytes_src;
+ 
++	*check_ruid = 0;
++
+ 	if (!options) {
+ 		rc = -EINVAL;
+ 		goto out;
+@@ -410,6 +416,9 @@ static int ecryptfs_parse_options(struct super_block *sb, char *options)
+ 		case ecryptfs_opt_unlink_sigs:
+ 			mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS;
+ 			break;
++		case ecryptfs_opt_check_dev_ruid:
++			*check_ruid = 1;
++			break;
+ 		case ecryptfs_opt_err:
+ 		default:
+ 			printk(KERN_WARNING
+@@ -551,7 +560,8 @@ out:
+  * ecryptfs_interpose to create our initial inode and super block
+  * struct.
+  */
+-static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
++static int ecryptfs_read_super(struct super_block *sb, const char *dev_name,
++				uid_t check_ruid)
+ {
+ 	struct path path;
+ 	int rc;
+@@ -561,6 +571,15 @@ static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
+ 		ecryptfs_printk(KERN_WARNING, "path_lookup() failed\n");
+ 		goto out;
+ 	}
++
++	if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
++		rc = -EPERM;
++		printk(KERN_ERR "Mount of device (uid: %d) not owned by "
++		       "requested user (uid: %d)\n",
++		       path.dentry->d_inode->i_uid, current_uid());
++		goto out_free;
++	}
++
+ 	ecryptfs_set_superblock_lower(sb, path.dentry->d_sb);
+ 	sb->s_maxbytes = path.dentry->d_sb->s_maxbytes;
+ 	sb->s_blocksize = path.dentry->d_sb->s_blocksize;
+@@ -599,6 +618,7 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
+ {
+ 	int rc;
+ 	struct super_block *sb;
++	uid_t check_ruid;
+ 
+ 	rc = get_sb_nodev(fs_type, flags, raw_data, ecryptfs_fill_super, mnt);
+ 	if (rc < 0) {
+@@ -606,12 +626,12 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
+ 		goto out;
+ 	}
+ 	sb = mnt->mnt_sb;
+-	rc = ecryptfs_parse_options(sb, raw_data);
++	rc = ecryptfs_parse_options(sb, raw_data, &check_ruid);
+ 	if (rc) {
+ 		printk(KERN_ERR "Error parsing options; rc = [%d]\n", rc);
+ 		goto out_abort;
+ 	}
+-	rc = ecryptfs_read_super(sb, dev_name);
++	rc = ecryptfs_read_super(sb, dev_name, check_ruid);
+ 	if (rc) {
+ 		printk(KERN_ERR "Reading sb failed; rc = [%d]\n", rc);
+ 		goto out_abort;
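Review bot: `check_ruid` is a 0/1 flag in ecryptfs_parse_options and ecryptfs_read_super but is typed `uid_t`, and the `printk(KERN_ERR ...)` added to ecryptfs_read_super formats two `uid_t` (unsigned) values with `%d`. The type choice is misleading rather than harmful, but the format should be unsigned: `printk(KERN_ERR "Mount of device (uid: %u) not owned by "` / `       "requested user (uid: %u)\n",`. The comparison uses `current_uid()`, the task's real uid, which is what the option name `ecryptfs_check_dev_ruid` promises; a one-line comment saying so would save the next reader the lookup. The `out_free` label and the remainder of ecryptfs_read_super are outside the hunk.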

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch)
@@ -0,0 +1,56 @@
+From 3e9d6c33830beee43dc1b94bdbff41109455fa58 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Mon, 6 Feb 2012 10:20:45 +0100
+Subject: [PATCH] cdrom: use copy_to_user() without the underscores
+
+commit 822bfa51ce44f2c63c300fdb76dc99c4d5a5ca9f upstream.
+
+"nframes" comes from the user and "nframes * CD_FRAMESIZE_RAW" can wrap
+on 32 bit systems.  That would have been ok if we used the same wrapped
+value for the copy, but we use a shifted value.  We should just use the
+checked version of copy_to_user() because it's not going to make a
+difference to the speed.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/cdrom/cdrom.c |    8 +-------
+ 1 files changed, 1 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 59cccc9..a4592ec 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2057,11 +2057,6 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
+ 	if (!nr)
+ 		return -ENOMEM;
+ 
+-	if (!access_ok(VERIFY_WRITE, ubuf, nframes * CD_FRAMESIZE_RAW)) {
+-		ret = -EFAULT;
+-		goto out;
+-	}
+-
+ 	cgc.data_direction = CGC_DATA_READ;
+ 	while (nframes > 0) {
+ 		if (nr > nframes)
+@@ -2070,7 +2065,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
+ 		ret = cdrom_read_block(cdi, &cgc, lba, nr, 1, CD_FRAMESIZE_RAW);
+ 		if (ret)
+ 			break;
+-		if (__copy_to_user(ubuf, cgc.buffer, CD_FRAMESIZE_RAW * nr)) {
++		if (copy_to_user(ubuf, cgc.buffer, CD_FRAMESIZE_RAW * nr)) {
+ 			ret = -EFAULT;
+ 			break;
+ 		}
+@@ -2078,7 +2073,6 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
+ 		nframes -= nr;
+ 		lba += nr;
+ 	}
+-out:
+ 	kfree(cgc.buffer);
+ 	return ret;
+ }
+-- 
+1.7.9.1
+
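Review bot: The switch to the checking `copy_to_user()` in cdrom_read_cdda_old is the whole fix, but nothing left in the code says why the single `access_ok()` was dropped, so a later cleanup could reintroduce an up-front check on the unchecked product. Add a comment above the copy: `/* nframes is user-supplied and nframes * CD_FRAMESIZE_RAW can wrap on 32-bit; check each copy instead of access_ok() on the whole range */`. With the `out:` label gone, `ret` is only assigned inside the loop, so its value when `nframes` is 0 comes from the declaration at the top of the function, which lies outside the hunk.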

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch)
@@ -0,0 +1,62 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Thu, 23 Feb 2012 09:37:45 -0500
+Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
+
+commit 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream.
+
+The cifs code will attempt to open files on lookup under certain
+circumstances. What happens though if we find that the file we opened
+was actually a FIFO or other special file?
+
+Currently, the open filehandle just ends up being leaked leading to
+a dentry refcount mismatch and oops on umount. Fix this by having the
+code close the filehandle on the server if it turns out not to be a
+regular file. While we're at it, change this spaghetti if statement
+into a switch too.
+
+Cc: stable at vger.kernel.org
+Reported-by: CAI Qian <caiqian at redhat.com>
+Tested-by: CAI Qian <caiqian at redhat.com>
+Reviewed-by: Shirish Pargaonkar <shirishpargaonkar at gmail.com>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Signed-off-by: Steve French <smfrench at gmail.com>
+---
+ fs/cifs/dir.c |   20 ++++++++++++++++++--
+ 1 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index 63a196b..bc7e2442 100644
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -584,10 +584,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
+ 			 * If either that or op not supported returned, follow
+ 			 * the normal lookup.
+ 			 */
+-			if ((rc == 0) || (rc == -ENOENT))
++			switch (rc) {
++			case 0:
++				/*
++				 * The server may allow us to open things like
++				 * FIFOs, but the client isn't set up to deal
++				 * with that. If it's not a regular file, just
++				 * close it and proceed as if it were a normal
++				 * lookup.
++				 */
++				if (newInode && !S_ISREG(newInode->i_mode)) {
++					CIFSSMBClose(xid, pTcon, fileHandle);
++					break;
++				}
++			case -ENOENT:
+ 				posix_open = true;
+-			else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
++			case -EOPNOTSUPP:
++				break;
++			default:
+ 				pTcon->broken_posix_open = true;
++			}
+ 		}
+ 		if (!posix_open)
+ 			rc = cifs_get_inode_info_unix(&newInode, full_path,
+-- 
+1.7.9.1
+
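Review bot: The new `switch (rc)` in cifs_lookup relies on two unmarked fall-throughs, from `case 0:` into `case -ENOENT:` when the opened inode is a regular file and from `case -ENOENT:` into `case -EOPNOTSUPP:` after `posix_open = true;`, and the `break` inside the `if (newInode && !S_ISREG(newInode->i_mode))` block leaves the switch rather than the if, which is easy to misread. Mark both explicitly with `/* fall through */` after the `if` block and after `posix_open = true;`. The server handle is closed with `CIFSSMBClose()` for non-regular files, but whether `newInode` itself is released on that path is decided by code outside the hunk. cifs_lookup starts and ends outside the lines shown.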

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch)
@@ -0,0 +1,91 @@
+From 26487be3d861e50dcfd4b19199e3c206d3700678 Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom at vmware.com>
+Date: Tue, 24 Jan 2012 18:54:21 +0100
+Subject: [PATCH] drm: Fix authentication kernel crash
+
+commit 598781d71119827b454fd75d46f84755bca6f0c6 upstream.
+
+If the master tries to authenticate a client using drm_authmagic and
+that client has already closed its drm file descriptor,
+either wilfully or because it was terminated, the
+call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory
+and corrupt it.
+
+Typically this results in a hard system hang.
+
+This patch fixes that problem by removing any authentication tokens
+(struct drm_magic_entry) open for a file descriptor when that file
+descriptor is closed.
+
+Signed-off-by: Thomas Hellstrom <thellstrom at vmware.com>
+Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_auth.c |    6 +++++-
+ drivers/gpu/drm/drm_fops.c |    5 +++++
+ include/drm/drmP.h         |    1 +
+ 3 files changed, 11 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
+index 932b5aa..d676d49 100644
+--- a/drivers/gpu/drm/drm_auth.c
++++ b/drivers/gpu/drm/drm_auth.c
+@@ -102,7 +102,7 @@ static int drm_add_magic(struct drm_master *master, struct drm_file *priv,
+  * Searches and unlinks the entry in drm_device::magiclist with the magic
+  * number hash key, while holding the drm_device::struct_mutex lock.
+  */
+-static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
++int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
+ {
+ 	struct drm_magic_entry *pt;
+ 	struct drm_hash_item *hash;
+@@ -137,6 +137,8 @@ static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
+  * If there is a magic number in drm_file::magic then use it, otherwise
+  * searches an unique non-zero magic number and add it associating it with \p
+  * file_priv.
++ * This ioctl needs protection by the drm_global_mutex, which protects
++ * struct drm_file::magic and struct drm_magic_entry::priv.
+  */
+ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
+ {
+@@ -174,6 +176,8 @@ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
+  * \return zero if authentication successed, or a negative number otherwise.
+  *
+  * Checks if \p file_priv is associated with the magic number passed in \arg.
++ * This ioctl needs protection by the drm_global_mutex, which protects
++ * struct drm_file::magic and struct drm_magic_entry::priv.
+  */
+ int drm_authmagic(struct drm_device *dev, void *data,
+ 		  struct drm_file *file_priv)
+diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
+index ba14553..519161e 100644
+--- a/drivers/gpu/drm/drm_fops.c
++++ b/drivers/gpu/drm/drm_fops.c
+@@ -449,6 +449,11 @@ int drm_release(struct inode *inode, struct file *filp)
+ 		  (long)old_encode_dev(file_priv->minor->device),
+ 		  dev->open_count);
+ 
++	/* Release any auth tokens that might point to this file_priv,
++	   (do that under the drm_global_mutex) */
++	if (file_priv->magic)
++		(void) drm_remove_magic(file_priv->master, file_priv->magic);
++
+ 	/* if the master has gone away we can't do anything with the lock */
+ 	if (file_priv->minor->master)
+ 		drm_master_release(dev, filp);
+diff --git a/include/drm/drmP.h b/include/drm/drmP.h
+index 66713c6..ebab6a6 100644
+--- a/include/drm/drmP.h
++++ b/include/drm/drmP.h
+@@ -1221,6 +1221,7 @@ extern int drm_getmagic(struct drm_device *dev, void *data,
+ 			struct drm_file *file_priv);
+ extern int drm_authmagic(struct drm_device *dev, void *data,
+ 			 struct drm_file *file_priv);
++extern int drm_remove_magic(struct drm_master *master, drm_magic_t magic);
+ 
+ /* Cache management (drm_cache.c) */
+ void drm_clflush_pages(struct page *pages[], unsigned long num_pages);
+-- 
+1.7.9.1
+
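Review bot: The comment added to drm_release, `/* Release any auth tokens that might point to this file_priv, (do that under the drm_global_mutex) */`, names a lock that is not taken anywhere in this hunk, and as far as I recall drm_global_mutex did not exist in 2.6.32 (the drm paths were still BKL-serialised), so the backport should confirm what drm_release actually holds at that point (its start is outside the hunk) and that drm_authmagic's lookup is serialised by the same thing; otherwise the window between a client's close and the master's authmagic is narrowed rather than closed. If the tree really serialises these with the BKL, the comment should say that instead, e.g. `/* ... (caller serialises this against drm_authmagic) */`. Note also that `file_priv->master` is handed to drm_remove_magic unchecked while the very next line guards `file_priv->minor->master`; presumably every open file holds a master reference, but that invariant is not visible here.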

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch)
@@ -0,0 +1,50 @@
+From e065d6f4f4453db007d4fb22ebb937e38922cb4b Mon Sep 17 00:00:00 2001
+From: Li Wang <liwang at nudt.edu.cn>
+Date: Thu, 19 Jan 2012 09:44:36 +0800
+Subject: [PATCH] eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34 upstream.
+
+ecryptfs_write() can enter an infinite loop when truncating a file to a
+size larger than 4G. This only happens on architectures where size_t is
+represented by 32 bits.
+
+This was caused by a size_t overflow due to it incorrectly being used to
+store the result of a calculation which uses potentially large values of
+type loff_t.
+
+[tyhicks at canonical.com: rewrite subject and commit message]
+Signed-off-by: Li Wang <liwang at nudt.edu.cn>
+Signed-off-by: Yunchuan Wen <wenyunchuan at kylinos.com.cn>
+Reviewed-by: Cong Wang <xiyou.wangcong at gmail.com>
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ fs/ecryptfs/read_write.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
+index 6b78546..0404659 100644
+--- a/fs/ecryptfs/read_write.c
++++ b/fs/ecryptfs/read_write.c
+@@ -134,7 +134,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ 		pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT);
+ 		size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK);
+ 		size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
+-		size_t total_remaining_bytes = ((offset + size) - pos);
++		loff_t total_remaining_bytes = ((offset + size) - pos);
+ 
+ 		if (fatal_signal_pending(current)) {
+ 			rc = -EINTR;
+@@ -145,7 +145,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ 			num_bytes = total_remaining_bytes;
+ 		if (pos < offset) {
+ 			/* remaining zeros to write, up to destination offset */
+-			size_t total_remaining_zeros = (offset - pos);
++			loff_t total_remaining_zeros = (offset - pos);
+ 
+ 			if (num_bytes > total_remaining_zeros)
+ 				num_bytes = total_remaining_zeros;
+-- 
+1.7.9.1
+
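Review bot: After the type change in the first hunk, `num_bytes = total_remaining_bytes;` narrows a loff_t back into size_t, and the only thing that makes that safe is the preceding `if (num_bytes > total_remaining_bytes)` guard together with num_bytes being bounded by PAGE_CACHE_SIZE; a one-line comment such as `/* num_bytes <= PAGE_CACHE_SIZE, so narrowing back to size_t cannot truncate */` would stop the next reader from "fixing" the types again. The comparison is now between an unsigned size_t and a signed loff_t, which only behaves as intended while total_remaining_bytes is non-negative, and that depends on the loop condition that lies outside the hunk. The same reasoning applies to `total_remaining_zeros` in the second hunk.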

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch)
@@ -0,0 +1,71 @@
+From bd8f0a46a1d92470b88ae53e8282dc4edf4f0ba9 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks at canonical.com>
+Date: Wed, 18 Jan 2012 18:30:04 -0600
+Subject: [PATCH] eCryptfs: Make truncate path killable
+
+commit 5e6f0d769017cc49207ef56996e42363ec26c1f0 upstream.
+
+ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+page, zeroes out the appropriate portions, and then encrypts the page
+before writing it to the lower filesystem. It was unkillable and due to
+the lack of sparse file support could result in tying up a large portion
+of system resources, while encrypting pages of zeros, with no way for
+the truncate operation to be stopped from userspace.
+
+This patch adds the ability for ecryptfs_write() to detect a pending
+fatal signal and return as gracefully as possible. The intent is to
+leave the lower file in a useable state, while still allowing a user to
+break out of the encryption loop. If a pending fatal signal is detected,
+the eCryptfs inode size is updated to reflect the modified inode size
+and then -EINTR is returned.
+
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ fs/ecryptfs/read_write.c |   19 ++++++++++++++-----
+ 1 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
+index 0cc4faf..6b78546 100644
+--- a/fs/ecryptfs/read_write.c
++++ b/fs/ecryptfs/read_write.c
+@@ -136,6 +136,11 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ 		size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
+ 		size_t total_remaining_bytes = ((offset + size) - pos);
+ 
++		if (fatal_signal_pending(current)) {
++			rc = -EINTR;
++			break;
++		}
++
+ 		if (num_bytes > total_remaining_bytes)
+ 			num_bytes = total_remaining_bytes;
+ 		if (pos < offset) {
+@@ -197,15 +202,19 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ 		}
+ 		pos += num_bytes;
+ 	}
+-	if ((offset + size) > ecryptfs_file_size) {
+-		i_size_write(ecryptfs_inode, (offset + size));
++	if (pos > ecryptfs_file_size) {
++		i_size_write(ecryptfs_inode, pos);
+ 		if (crypt_stat->flags & ECRYPTFS_ENCRYPTED) {
+-			rc = ecryptfs_write_inode_size_to_metadata(
++			int rc2;
++
++			rc2 = ecryptfs_write_inode_size_to_metadata(
+ 								ecryptfs_inode);
+-			if (rc) {
++			if (rc2) {
+ 				printk(KERN_ERR	"Problem with "
+ 				       "ecryptfs_write_inode_size_to_metadata; "
+-				       "rc = [%d]\n", rc);
++				       "rc = [%d]\n", rc2);
++				if (!rc)
++					rc = rc2;
+ 				goto out;
+ 			}
+ 		}
+-- 
+1.7.9.1
+
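Review bot: In the second hunk, `if (!rc) rc = rc2;` lets a pending -EINTR from the loop mask a failure of ecryptfs_write_inode_size_to_metadata(), so an interrupted caller cannot tell that the size recorded in the file header is now stale even though i_size was already updated in memory. That is a defensible choice, since the error is printk'd, but it should be stated, e.g. `/* keep -EINTR so the caller sees the truncate was cut short; rc2 is already logged */`. Switching i_size_write from `offset + size` to `pos` is what keeps the in-memory size consistent with the pages actually written after a break, and deserves a similar one-line note. The `out:` label and the remainder of the function are outside the hunk.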

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch)
@@ -0,0 +1,71 @@
+From d50f2ab6f050311dbf7b8f5501b25f0bf64a439b Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang at gmail.com>
+Date: Tue, 10 Jan 2012 11:51:10 -0500
+Subject: ext4: fix undefined behavior in ext4_fill_flex_info()
+
+From: Xi Wang <xi.wang at gmail.com>
+
+commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b upstream.
+
+Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
+zero when trying to mount a corrupted file system") fixes CVE-2009-4307
+by performing a sanity check on s_log_groups_per_flex, since it can be
+set to a bogus value by an attacker.
+
+	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+
+	if (groups_per_flex < 2) { ... }
+
+This patch fixes two potential issues in the previous commit.
+
+1) The sanity check might only work on architectures like PowerPC.
+On x86, 5 bits are used for the shifting amount.  That means, given a
+large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
+is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
+leaving s_log_groups_per_flex and groups_per_flex inconsistent.
+
+2) The sanity check relies on undefined behavior, i.e., oversized shift.
+A standard-confirming C compiler could rewrite the check in unexpected
+ways.  Consider the following equivalent form, assuming groups_per_flex
+is unsigned for simplicity.
+
+	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+	if (groups_per_flex == 0 || groups_per_flex == 1) {
+
+We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
+completely optimize away the check groups_per_flex == 0, leaving the
+patched code as vulnerable as the original.  GCC keeps the check, but
+there is no guarantee that future versions will do the same.
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/ext4/super.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1705,17 +1705,16 @@ static int ext4_fill_flex_info(struct su
+ 	struct ext4_group_desc *gdp = NULL;
+ 	ext4_group_t flex_group_count;
+ 	ext4_group_t flex_group;
+-	int groups_per_flex = 0;
++	unsigned int groups_per_flex = 0;
+ 	size_t size;
+ 	int i;
+ 
+ 	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+-	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+-
+-	if (groups_per_flex < 2) {
++	if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) {
+ 		sbi->s_log_groups_per_flex = 0;
+ 		return 1;
+ 	}
++	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+ 
+ 	/* We allocate both existing and potentially added groups */
+ 	flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
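Review bot: `groups_per_flex = 1 << sbi->s_log_groups_per_flex;` still shifts an int literal, and with the new upper bound of 31 the value `1 << 31` is not representable in int, so one undefined shift has been traded for another even though the destination is now unsigned int; `groups_per_flex = 1U << sbi->s_log_groups_per_flex;` avoids it. The range check itself is the right shape for a value read straight from the on-disk superblock, because it no longer depends on the shifted result. The function continues past the hunk with flex_group_count arithmetic that also uses groups_per_flex.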

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch)
@@ -0,0 +1,35 @@
+From 3aee4081eee4987bbf2dd00c7267a8b2ea7386a0 Mon Sep 17 00:00:00 2001
+From: Yong Zhang <yong.zhang at windriver.com>
+Date: Tue, 6 Apr 2010 14:35:02 -0700
+Subject: [PATCH] kernel.h: fix wrong usage of __ratelimit()
+
+commit bb1dc0bacb8ddd7ba6a5906c678a5a5a110cf695 upstream.
+
+When __ratelimit() returns 1 this means that we can go ahead.
+
+Signed-off-by: Yong Zhang <yong.zhang at windriver.com>
+Cc: Ingo Molnar <mingo at elte.hu>
+Cc: Joe Perches <joe at perches.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ include/linux/kernel.h |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 1221fe4..f963c1b 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -417,7 +417,7 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
+ 		.burst = DEFAULT_RATELIMIT_BURST,       \
+ 	};                                              \
+ 							\
+-	if (!__ratelimit(&_rs))                         \
++	if (__ratelimit(&_rs))                          \
+ 		printk(fmt, ##__VA_ARGS__);		\
+ })
+ #else
+-- 
+1.7.9.1
+

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch)
@@ -0,0 +1,168 @@
+From ddd80d112479aaa16e3b82c5729451dcbeafe00c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Tue, 17 Jan 2012 04:07:02 +0000
+Subject: [PATCH] block: fail SCSI passthrough ioctls on partition devices
+
+commit 0bfc96cb77224736dfa35c3c555d37b3646ef35e upstream.
+
+[ Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
+  and -ENOIOCTLCMD from sd_compat_ioctl. ]
+
+Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+will pass the command to the underlying block device.  This is
+well-known, but it is also a large security problem when (via Unix
+permissions, ACLs, SELinux or a combination thereof) a program or user
+needs to be granted access only to part of the disk.
+
+This patch lets partitions forward a small set of harmless ioctls;
+others are logged with printk so that we can see which ioctls are
+actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
+Of course it was being sent to a (partition on a) hard disk, so it would
+have failed with ENOTTY and the patch isn't changing anything in
+practice.  Still, I'm treating it specially to avoid spamming the logs.
+
+In principle, this restriction should include programs running with
+CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
+/dev/sdb, it still should not be able to read/write outside the
+boundaries of /dev/sda2 independent of the capabilities.  However, for
+now programs with CAP_SYS_RAWIO will still be allowed to send the
+ioctls.  Their actions will still be logged.
+
+This patch does not affect the non-libata IDE driver.  That driver
+however already tests for bd != bd->bd_contains before issuing some
+ioctl; it could be restricted further to forbid these ioctls even for
+programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+Cc: linux-scsi at vger.kernel.org
+Cc: Jens Axboe <axboe at kernel.dk>
+Cc: James Bottomley <JBottomley at parallels.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[ Make it also print the command name when warning - Linus ]
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backport to 2.6.32 - ENOIOCTLCMD does not get converted to
+ ENOTTY, so we must return ENOTTY directly]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ block/scsi_ioctl.c     |   45 +++++++++++++++++++++++++++++++++++++++++++++
+ drivers/scsi/sd.c      |   11 +++++++++--
+ include/linux/blkdev.h |    1 +
+ 3 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 114ee29..2be0a97 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -24,6 +24,7 @@
+ #include <linux/capability.h>
+ #include <linux/completion.h>
+ #include <linux/cdrom.h>
++#include <linux/ratelimit.h>
+ #include <linux/slab.h>
+ #include <linux/times.h>
+ #include <asm/uaccess.h>
+@@ -689,9 +690,53 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
+ }
+ EXPORT_SYMBOL(scsi_cmd_ioctl);
+ 
++int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
++{
++	if (bd && bd == bd->bd_contains)
++		return 0;
++
++	/* Actually none of these is particularly useful on a partition,
++	 * but they are safe.
++	 */
++	switch (cmd) {
++	case SCSI_IOCTL_GET_IDLUN:
++	case SCSI_IOCTL_GET_BUS_NUMBER:
++	case SCSI_IOCTL_GET_PCI:
++	case SCSI_IOCTL_PROBE_HOST:
++	case SG_GET_VERSION_NUM:
++	case SG_SET_TIMEOUT:
++	case SG_GET_TIMEOUT:
++	case SG_GET_RESERVED_SIZE:
++	case SG_SET_RESERVED_SIZE:
++	case SG_EMULATED_HOST:
++		return 0;
++	case CDROM_GET_CAPABILITY:
++		/* Keep this until we remove the printk below.  udev sends it
++		 * and we do not want to spam dmesg about it.   CD-ROMs do
++		 * not have partitions, so we get here only for disks.
++		 */
++		return -ENOTTY;
++	default:
++		break;
++	}
++
++	/* In particular, rule out all resets and host-specific ioctls.  */
++	printk_ratelimited(KERN_WARNING
++			   "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
++
++	return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
++}
++EXPORT_SYMBOL(scsi_verify_blk_ioctl);
++
+ int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
+ 		       unsigned int cmd, void __user *arg)
+ {
++	int ret;
++
++	ret = scsi_verify_blk_ioctl(bd, cmd);
++	if (ret < 0)
++		return ret;
++
+ 	return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
+ }
+ EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 2dd1b73..a5b55fe 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -817,6 +817,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
+ 	SCSI_LOG_IOCTL(1, printk("sd_ioctl: disk=%s, cmd=0x%x\n",
+ 						disk->disk_name, cmd));
+ 
++	error = scsi_verify_blk_ioctl(bdev, cmd);
++	if (error < 0)
++		return error;
++
+ 	/*
+ 	 * If we are in the middle of error recovery, don't let anyone
+ 	 * else try and use this device.  Also, if error recovery fails, it
+@@ -996,6 +1000,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ 			   unsigned int cmd, unsigned long arg)
+ {
+ 	struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
++	int ret;
++
++	ret = scsi_verify_blk_ioctl(bdev, cmd);
++	if (ret < 0)
++		return -ENOIOCTLCMD;
+ 
+ 	/*
+ 	 * If we are in the middle of error recovery, don't let anyone
+@@ -1007,8 +1016,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ 		return -ENODEV;
+ 	       
+ 	if (sdev->host->hostt->compat_ioctl) {
+-		int ret;
+-
+ 		ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
+ 
+ 		return ret;
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 63070ad..5eb6cb0 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -777,6 +777,7 @@ extern void blk_plug_device(struct request_queue *);
+ extern void blk_plug_device_unlocked(struct request_queue *);
+ extern int blk_remove_plug(struct request_queue *);
+ extern void blk_recount_segments(struct request_queue *, struct bio *);
++extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
+ extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
+ 			      unsigned int, void __user *);
+ extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
+-- 
+1.7.9.1
+
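Review bot: scsi_verify_blk_ioctl() is only reached through scsi_cmd_blk_ioctl() and the two sd.c entry points patched here, so any in-tree driver that calls scsi_cmd_ioctl() directly with its own gendisk bypasses the partition check entirely; that caller set is outside this hunk and should be audited as part of the backport. In sd_compat_ioctl the check's result is replaced by -ENOIOCTLCMD, which presumably makes the compat layer fall back to the native path, and that is only safe because sd_ioctl (patched in the preceding hunk) repeats the check, so a comment such as `/* -ENOIOCTLCMD falls back to sd_ioctl(), which repeats this check */` would document the dependency. The `capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY` exemption is acknowledged in the commit message, and the unconditional printk_ratelimited() before it gives a useful audit trail even for privileged callers. That printk_ratelimited() is usable here only because of the two kernel.h fixes elsewhere in this revision.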

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch)
@@ -0,0 +1,50 @@
+From 3a86cda406c00df3a1c207ba26406847d8e53bba Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi at mail.parknet.co.jp>
+Date: Mon, 24 May 2010 14:33:11 -0700
+Subject: [PATCH] printk_ratelimited(): fix uninitialized spinlock
+
+commit d8521fcc5e0ad3e79bbc4231bb20a6cdc2b50164 upstream.
+
+ratelimit_state initialization of printk_ratelimited() seems broken.  This
+fixes it by using DEFINE_RATELIMIT_STATE() to initialize spinlock
+properly.
+
+Signed-off-by: OGAWA Hirofumi <hirofumi at mail.parknet.co.jp>
+Cc: Joe Perches <joe at perches.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Sven-Haegar Koch <haegar at sdinet.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ include/linux/kernel.h |   15 +++++++--------
+ 1 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index f963c1b..9acb92d 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -411,14 +411,13 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
+  * no local ratelimit_state used in the !PRINTK case
+  */
+ #ifdef CONFIG_PRINTK
+-#define printk_ratelimited(fmt, ...)  ({		\
+-	static struct ratelimit_state _rs = {		\
+-		.interval = DEFAULT_RATELIMIT_INTERVAL, \
+-		.burst = DEFAULT_RATELIMIT_BURST,       \
+-	};                                              \
+-							\
+-	if (__ratelimit(&_rs))                          \
+-		printk(fmt, ##__VA_ARGS__);		\
++#define printk_ratelimited(fmt, ...)  ({				\
++	static DEFINE_RATELIMIT_STATE(_rs,				\
++				      DEFAULT_RATELIMIT_INTERVAL,	\
++				      DEFAULT_RATELIMIT_BURST);		\
++									\
++	if (__ratelimit(&_rs))						\
++		printk(fmt, ##__VA_ARGS__);				\
+ })
+ #else
+ /* No effect, but we still get type checking even in the !PRINTK case: */
+-- 
+1.7.9.1
+

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch)
@@ -0,0 +1,63 @@
+From: "H. Peter Anvin" <hpa at zytor.com>
+Date: Fri, 2 Mar 2012 10:43:48 -0800
+Subject: [PATCH] regset: Prevent null pointer reference on readonly regsets
+
+commit c8e252586f8d5de906385d8cf6385fee289a825e upstream.
+
+The regset common infrastructure assumed that regsets would always
+have .get and .set methods, but not necessarily .active methods.
+Unfortunately people have since written regsets without .set methods.
+
+Rather than putting in stub functions everywhere, handle regsets with
+null .get or .set methods explicitly.
+
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+Reviewed-by: Oleg Nesterov <oleg at redhat.com>
+Acked-by: Roland McGrath <roland at hack.frob.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/binfmt_elf.c        |    2 +-
+ include/linux/regset.h |    6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index bcb884e..07d096c 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1421,7 +1421,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
+ 	for (i = 1; i < view->n; ++i) {
+ 		const struct user_regset *regset = &view->regsets[i];
+ 		do_thread_regset_writeback(t->task, regset);
+-		if (regset->core_note_type &&
++		if (regset->core_note_type && regset->get &&
+ 		    (!regset->active || regset->active(t->task, regset))) {
+ 			int ret;
+ 			size_t size = regset->n * regset->size;
+diff --git a/include/linux/regset.h b/include/linux/regset.h
+index 8abee65..5150fd1 100644
+--- a/include/linux/regset.h
++++ b/include/linux/regset.h
+@@ -335,6 +335,9 @@ static inline int copy_regset_to_user(struct task_struct *target,
+ {
+ 	const struct user_regset *regset = &view->regsets[setno];
+ 
++	if (!regset->get)
++		return -EOPNOTSUPP;
++
+ 	if (!access_ok(VERIFY_WRITE, data, size))
+ 		return -EIO;
+ 
+@@ -358,6 +361,9 @@ static inline int copy_regset_from_user(struct task_struct *target,
+ {
+ 	const struct user_regset *regset = &view->regsets[setno];
+ 
++	if (!regset->set)
++		return -EOPNOTSUPP;
++
+ 	if (!access_ok(VERIFY_READ, data, size))
+ 		return -EIO;
+ 
+-- 
+1.7.9.1
+
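Review bot: The new `regset->get &&` condition in fill_thread_core_info silently omits a regset from the core dump rather than failing, which is intended but reads like an accident next to the .active test; a short comment would help, e.g. `/* a regset without .get cannot be read, so it cannot be dumped */`. The two copy_regset_*_user guards return -EOPNOTSUPP before access_ok(), which is the right order since no user memory has been touched yet. If this 2.6.32 tree has other generic callers that invoke regset->get or regset->set directly, outside these two inline helpers, they would need the same null check; none are visible here.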

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch)
@@ -0,0 +1,50 @@
+From e871c96c42ff9c08d856a757c0176f9381ac67cd Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Fri, 10 Feb 2012 09:03:58 +0100
+Subject: [PATCH] relay: prevent integer overflow in relay_open()
+
+commit f6302f1bcd75a042df69866d98b8d775a668f8f1 upstream.
+
+"subbuf_size" and "n_subbufs" come from the user and they need to be
+capped to prevent an integer overflow.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ kernel/relay.c |   10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/relay.c b/kernel/relay.c
+index 760c262..bf343f5 100644
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -171,10 +171,14 @@ depopulate:
+  */
+ static struct rchan_buf *relay_create_buf(struct rchan *chan)
+ {
+-	struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
+-	if (!buf)
++	struct rchan_buf *buf;
++
++	if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
+ 		return NULL;
+ 
++	buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
++	if (!buf)
++		return NULL;
+ 	buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL);
+ 	if (!buf->padding)
+ 		goto free_buf;
+@@ -581,6 +585,8 @@ struct rchan *relay_open(const char *base_filename,
+ 
+ 	if (!(subbuf_size && n_subbufs))
+ 		return NULL;
++	if (subbuf_size > UINT_MAX / n_subbufs)
++		return NULL;
+ 
+ 	chan = kzalloc(sizeof(struct rchan), GFP_KERNEL);
+ 	if (!chan)
+-- 
+1.7.9.1
+
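Review bot: The new guard in relay_open, `if (subbuf_size > UINT_MAX / n_subbufs)`, divides by a user-supplied value and is only safe because the `!(subbuf_size && n_subbufs)` check immediately above rejects zero; that dependency deserves a comment, e.g. `/* n_subbufs != 0 here (checked above), so the division is safe */`. The UINT_MAX bound in relay_create_buf is stricter than the `chan->n_subbufs * sizeof(size_t *)` product strictly needs on 64-bit if n_subbufs is a size_t as in relay.h; that is conservative rather than wrong, but worth noting so nobody relaxes it without re-checking the total-size product in relay_open.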

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch)
@@ -0,0 +1,82 @@
+From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf at tu-ilmenau.de>
+Date: Thu, 12 Jan 2012 16:43:03 +0100
+Subject: [PATCH 1/2] KVM: x86: extend "struct x86_emulate_ops" with
+ "get_cpuid"
+
+commit 0769c5de24621141c953fbe1f943582d37cb4244 upstream.
+
+In order to be able to proceed checks on CPU-specific properties
+within the emulator, function "get_cpuid" is introduced.
+With "get_cpuid" it is possible to virtually call the guests
+"cpuid"-opcode without changing the VM's context.
+
+[mtosatti: cleanup/beautify code]
+
+[bwh: Backport to 2.6.32:
+ - Don't use emul_to_vcpu
+ - Adjust context]
+
+Signed-off-by: Stephan Baerwolf <stephan.baerwolf at tu-ilmenau.de>
+Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/include/asm/kvm_emulate.h |    2 ++
+ arch/x86/kvm/x86.c                 |   23 +++++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 0 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
+index 5ed59ec..61bf2eb 100644
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -109,6 +109,8 @@ struct x86_emulate_ops {
+ 				unsigned int bytes,
+ 				struct kvm_vcpu *vcpu);
+ 
++	bool (*get_cpuid)(struct x86_emulate_ctxt *ctxt,
++			 u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
+ };
+ 
+ /* Type, address-of, and value of an instruction's operand. */
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 7cb2a58..5fab056 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2998,12 +2998,35 @@ void kvm_report_emulation_failure(struct kvm_vcpu *vcpu, const char *context)
+ }
+ EXPORT_SYMBOL_GPL(kvm_report_emulation_failure);
+ 
++static bool emulator_get_cpuid(struct x86_emulate_ctxt *ctxt,
++			       u32 *eax, u32 *ebx, u32 *ecx, u32 *edx)
++{
++	struct kvm_cpuid_entry2 *cpuid = NULL;
++
++	if (eax && ecx)
++		cpuid = kvm_find_cpuid_entry(ctxt->vcpu,
++					    *eax, *ecx);
++
++	if (cpuid) {
++		*eax = cpuid->eax;
++		*ecx = cpuid->ecx;
++		if (ebx)
++			*ebx = cpuid->ebx;
++		if (edx)
++			*edx = cpuid->edx;
++		return true;
++	}
++
++	return false;
++}
++
+ static struct x86_emulate_ops emulate_ops = {
+ 	.read_std            = kvm_read_guest_virt_system,
+ 	.fetch               = kvm_fetch_guest_virt,
+ 	.read_emulated       = emulator_read_emulated,
+ 	.write_emulated      = emulator_write_emulated,
+ 	.cmpxchg_emulated    = emulator_cmpxchg_emulated,
++	.get_cpuid           = emulator_get_cpuid,
+ };
+ 
+ static void cache_all_regs(struct kvm_vcpu *vcpu)
+-- 
+1.7.9.1
+
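Review bot: The new `get_cpuid` member of `struct x86_emulate_ops` is declared without a comment, yet `emulator_get_cpuid` imposes a specific contract on it: `eax` and `ecx` must be non-NULL and carry the leaf/subleaf on entry (otherwise the lookup is skipped and false is returned), `ebx` and `edx` are optional, and on a miss none of the outputs are written. Suggest a comment above the declaration in kvm_emulate.h such as `/* Look up guest CPUID leaf *eax/subleaf *ecx; eax and ecx are required in/out, ebx and edx optional out. Returns false, leaving all outputs untouched, when no entry exists. */`. Callers that leave the output registers uninitialised must therefore test the return value before reading them, which is worth stating where future ops implementations are written.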

Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch)
@@ -0,0 +1,166 @@
+From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf at tu-ilmenau.de>
+Date: Thu, 12 Jan 2012 16:43:04 +0100
+Subject: [PATCH 2/2] KVM: x86: fix missing checks in syscall emulation
+
+commit bdb42f5afebe208eae90406959383856ae2caf2b upstream.
+
+On hosts without this patch, 32bit guests will crash (and 64bit guests
+may behave in a wrong way) for example by simply executing following
+nasm-demo-application:
+
+    [bits 32]
+    global _start
+    SECTION .text
+    _start: syscall
+
+(I tested it with winxp and linux - both always crashed)
+
+    Disassembly of section .text:
+
+    00000000 <_start>:
+       0:   0f 05                   syscall
+
+The reason seems a missing "invalid opcode"-trap (int6) for the
+syscall opcode "0f05", which is not available on Intel CPUs
+within non-longmodes, as also on some AMD CPUs within legacy-mode.
+(depending on CPU vendor, MSR_EFER and cpuid)
+
+Because previous mentioned OSs may not engage corresponding
+syscall target-registers (STAR, LSTAR, CSTAR), they remain
+NULL and (non trapping) syscalls are leading to multiple
+faults and finally crashs.
+
+Depending on the architecture (AMD or Intel) pretended by
+guests, various checks according to vendor's documentation
+are implemented to overcome the current issue and behave
+like the CPUs physical counterparts.
+
+[mtosatti: cleanup/beautify code]
+
+[bwh: Backport to 2.6.32:
+ - Add the prerequisite read of EFER
+ - Return -1 in the error cases rather than invoking emulate_ud()
+   directly
+ - Adjust context]
+[dannf: fix build by passing x86_emulate_ops through each call]
+
+Signed-off-by: Stephan Baerwolf <stephan.baerwolf at tu-ilmenau.de>
+Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/include/asm/kvm_emulate.h |   13 +++++++++
+ arch/x86/kvm/emulate.c             |   53 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 66 insertions(+), 0 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
+index 61bf2eb..cc44e3d 100644
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -192,6 +192,19 @@ struct x86_emulate_ctxt {
+ #define X86EMUL_MODE_HOST X86EMUL_MODE_PROT64
+ #endif
+ 
++/* CPUID vendors */
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
++
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
++
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
++
+ int x86_decode_insn(struct x86_emulate_ctxt *ctxt,
+ 		    struct x86_emulate_ops *ops);
+ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt,
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 1350e43..aa2d905 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1495,20 +1495,73 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
+ 	ss->present = 1;
+ }
+ 
++static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt,
++				  struct x86_emulate_ops *ops)
++{
++	u32 eax, ebx, ecx, edx;
++
++	/*
++	 * syscall should always be enabled in longmode - so only become
++	 * vendor specific (cpuid) if other modes are active...
++	 */
++	if (ctxt->mode == X86EMUL_MODE_PROT64)
++		return true;
++
++	eax = 0x00000000;
++	ecx = 0x00000000;
++	if (ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)) {
++		/*
++		 * Intel ("GenuineIntel")
++		 * remark: Intel CPUs only support "syscall" in 64bit
++		 * longmode. Also an 64bit guest with a
++		 * 32bit compat-app running will #UD !! While this
++		 * behaviour can be fixed (by emulating) into AMD
++		 * response - CPUs of AMD can't behave like Intel.
++		 */
++		if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
++		    ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
++		    edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
++			return false;
++
++		/* AMD ("AuthenticAMD") */
++		if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
++		    ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
++		    edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
++			return true;
++
++		/* AMD ("AMDisbetter!") */
++		if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
++		    ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
++		    edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
++			return true;
++	}
++
++	/* default: (not Intel, not AMD), apply Intel's stricter rules... */
++	return false;
++}
++
+ static int
+-emulate_syscall(struct x86_emulate_ctxt *ctxt)
++emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
+ {
+ 	struct decode_cache *c = &ctxt->decode;
+ 	struct kvm_segment cs, ss;
+ 	u64 msr_data;
++	u64 efer = 0;
+ 
+ 	/* syscall is not available in real mode */
+ 	if (c->lock_prefix || ctxt->mode == X86EMUL_MODE_REAL
+ 	    || ctxt->mode == X86EMUL_MODE_VM86)
+ 		return -1;
+ 
++	if (!(em_syscall_is_enabled(ctxt, ops)))
++		return -1;
++
++	kvm_x86_ops->get_msr(ctxt->vcpu, MSR_EFER, &efer);
+ 	setup_syscalls_segments(ctxt, &cs, &ss);
+ 
++	if (!(efer & EFER_SCE))
++		return -1;
++
+ 	kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
+ 	msr_data >>= 32;
+ 	cs.selector = (u16)(msr_data & 0xfffc);
+@@ -2342,7 +2395,7 @@ twobyte_insn:
+ 		}
+ 		break;
+ 	case 0x05: 		/* syscall */
+-		if (emulate_syscall(ctxt) == -1)
++		if (emulate_syscall(ctxt, ops) == -1)
+ 			goto cannot_emulate;
+ 		else
+ 			goto writeback;
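Review bot: The `EFER_SCE` check is placed after `setup_syscalls_segments(ctxt, &cs, &ss)`, so the segment descriptors are fully built before the emulation is rejected; moving `if (!(efer & EFER_SCE)) return -1;` directly under the `get_msr(..., MSR_EFER, &efer)` call avoids the wasted work and keeps all the "is syscall allowed" rejections together ahead of the state setup. `em_syscall_is_enabled` also dereferences `ops->get_cpuid` unconditionally; that is presumably safe because the only `x86_emulate_ops` instance visible in the companion patch sets the field, but a one-line comment `/* get_cpuid is mandatory for every x86_emulate_ops */` at the call site would make the dependency on the companion patch explicit. The body of `emulate_syscall` continues beyond the hunk.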

Copied: dists/squeeze/linux-2.6/debian/patches/series/41squeeze1 (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/series/41squeeze1)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/series/41squeeze1	Tue Mar 20 07:39:02 2012	(r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/series/41squeeze1)
@@ -0,0 +1,18 @@
++ bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
++ bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch
++ bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
++ bugfix/all/drm-Fix-authentication-kernel-crash.patch
++ bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
+- bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-2.patch
++ bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
++ bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
++ bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
++ bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
++ bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
++ bugfix/all/eCryptfs-Make-truncate-path-killable.patch
++ bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
++ bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch
++ bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch
++ bugfix/all/KVM-Device-assignment-permission-checks.patch
++ bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch
++ bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch

Modified: dists/squeeze/linux-2.6/debian/patches/series/42
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/42	Tue Mar 20 06:51:05 2012	(r18867)
+++ dists/squeeze/linux-2.6/debian/patches/series/42	Tue Mar 20 07:39:02 2012	(r18868)
@@ -1,15 +1,26 @@
 + features/all/Input-synaptics-relax-capability-ID-checks-on-newer-hardware.patch
 
+- bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
+- bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
+- bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
 - bugfix/all/treat-lvs-on-one-pv-like-a-partition-2.patch
-- bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-2.patch
 - bugfix/all/add-scsi_cmd_blk_ioctl-wrapper-2.patch
 - features/all/kernel.h-add-printk_ratelimited-and-pr_-level-_rl.patch
+- bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
+- bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
 + bugfix/all/stable/2.6.32.55.patch
+- bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
+- bugfix/all/eCryptfs-Make-truncate-path-killable.patch
 + bugfix/all/stable/2.6.32.56.patch
 + bugfix/all/stable/2.6.32.57.patch
 + bugfix/all/appletalk-da.s_net-not-copied-but-assigned-to-itself.patch
+- bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch
+- bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch
+- bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
 + bugfix/all/stable/2.6.32.58.patch
 + debian/ia64-Define-is_compat_task.patch
 + bugfix/all/e1000e-workaround-for-packet-drop-on-82579-at-100Mbp.patch
+- bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
+- bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
 + bugfix/all/stable/2.6.32.59.patch
 + debian/revert-IA64-Remove-COMPAT_IA32-support.patch


