[kernel] r18868 - in dists/squeeze/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Mar 20 07:39:04 UTC 2012
Author: dannf
Date: Tue Mar 20 07:39:02 2012
New Revision: 18868
Log:
merge 41squeeze1
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch
dists/squeeze/linux-2.6/debian/patches/series/41squeeze1
- copied unchanged from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/series/41squeeze1
Modified:
dists/squeeze/linux-2.6/ (props changed)
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/42
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Tue Mar 20 06:51:05 2012 (r18867)
+++ dists/squeeze/linux-2.6/debian/changelog Tue Mar 20 07:39:02 2012 (r18868)
@@ -6,7 +6,6 @@
[ Ben Hutchings ]
* Add longterm release 2.6.32.55, including:
- - ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)
- x86: Fix mmap random address range
- V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
For the complete list of changes, see:
@@ -39,8 +38,6 @@
- crypto: sha512 - Avoid stack bloat on i386
- crypto: sha512 - use standard ror64()
- Ban ecryptfs over ecryptfs
- - ecryptfs: Add mount option to check uid of device being mounted =
- expect uid (CVE-2011-1833)
- cdrom: use copy_to_user() without the underscores
- autofs: work around unhappy compat problem on x86-64 (Closes: #633423)
For the complete list of changes, see:
@@ -60,6 +57,34 @@
-- Uwe Kleine-König <u.kleine-koenig at pengutronix.de> Mon, 16 Jan 2012 16:47:21 +0100
+linux-2.6 (2.6.32-41squeeze1) stable-security; urgency=high
+
+ [ dann frazier ]
+ * ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)
+ * ecryptfs: Add mount option to check uid of device being mounted =
+ expect uid (CVE-2011-1833)
+ * KVM: Remove ability to assign devices without IOMMU support
+ * KVM: Check permissions before permitting device assignment (CVE-2011-4347)
+ * Fix CVE-2012-0045, with backport work from Ben Hutchings:
+ - KVM: extend "struct x86_emulate_ops" with "get_cpuid"
+ - KVM: syscall instruction induced guest panic
+
+ [ Ben Hutchings ]
+ * V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
+ * drm: Fix authentication kernel crash
+ * relay: prevent integer overflow in relay_open()
+ * Further refine the fix for CVE-2011-4127:
+ - sd_compat_ioctl: Replace ENOTTY error with ENOIOCTLCMD
+ - kernel.h: fix wrong usage of __ratelimit()
+ - printk_ratelimited(): fix uninitialized spinlock
+ * cifs: fix dentry refcount leak when opening a FIFO on lookup (CVE-2012-1090)
+ * regset: Prevent null pointer reference on readonly regsets (CVE-2012-1097)
+ * eCryptfs: Make truncate path killable
+ * eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+ * cdrom: use copy_to_user() without the underscores
+
+ -- dann frazier <dannf at debian.org> Thu, 15 Mar 2012 01:46:43 -0600
+
linux-2.6 (2.6.32-41) stable; urgency=low
[ Ben Hutchings ]
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Device-assignment-permission-checks.patch)
@@ -0,0 +1,136 @@
+commit 3d27e23b17010c668db311140b17bbbb70c78fb9
+Author: Alex Williamson <alex.williamson at redhat.com>
+Date: Tue Dec 20 21:59:09 2011 -0700
+
+ KVM: Device assignment permission checks
+
+ Only allow KVM device assignment to attach to devices which:
+
+ - Are not bridges
+ - Have BAR resources (assume others are special devices)
+ - The user has permissions to use
+
+ Assigning a bridge is a configuration error, it's not supported, and
+ typically doesn't result in the behavior the user is expecting anyway.
+ Devices without BAR resources are typically chipset components that
+ also don't have host drivers. We don't want users to hold such devices
+ captive or cause system problems by fencing them off into an iommu
+ domain. We determine "permission to use" by testing whether the user
+ has access to the PCI sysfs resource files. By default a normal user
+ will not have access to these files, so it provides a good indication
+ that an administration agent has granted the user access to the device.
+
+ [Yang Bai: add missing #include]
+ [avi: fix comment style]
+
+ Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
+ Signed-off-by: Yang Bai <hamo.by at gmail.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 77288e2..311ec18 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -43,6 +43,8 @@
+ #include <linux/swap.h>
+ #include <linux/bitops.h>
+ #include <linux/spinlock.h>
++#include <linux/namei.h>
++#include <linux/fs.h>
+
+ #include <asm/processor.h>
+ #include <asm/io.h>
+@@ -575,12 +577,73 @@ out:
+ return r;
+ }
+
++/*
++ * We want to test whether the caller has been granted permissions to
++ * use this device. To be able to configure and control the device,
++ * the user needs access to PCI configuration space and BAR resources.
++ * These are accessed through PCI sysfs. PCI config space is often
++ * passed to the process calling this ioctl via file descriptor, so we
++ * can't rely on access to that file. We can check for permissions
++ * on each of the BAR resource files, which is a pretty clear
++ * indicator that the user has been granted access to the device.
++ */
++static int probe_sysfs_permissions(struct pci_dev *dev)
++{
++#ifdef CONFIG_SYSFS
++ int i;
++ bool bar_found = false;
++
++ for (i = PCI_STD_RESOURCES; i <= PCI_STD_RESOURCE_END; i++) {
++ char *kpath, *syspath;
++ struct path path;
++ struct inode *inode;
++ int r;
++
++ if (!pci_resource_len(dev, i))
++ continue;
++
++ kpath = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
++ if (!kpath)
++ return -ENOMEM;
++
++ /* Per sysfs-rules, sysfs is always at /sys */
++ syspath = kasprintf(GFP_KERNEL, "/sys%s/resource%d", kpath, i);
++ kfree(kpath);
++ if (!syspath)
++ return -ENOMEM;
++
++ r = kern_path(syspath, LOOKUP_FOLLOW, &path);
++ kfree(syspath);
++ if (r)
++ return r;
++
++ inode = path.dentry->d_inode;
++
++ r = inode_permission(inode, MAY_READ | MAY_WRITE | MAY_ACCESS);
++ path_put(&path);
++ if (r)
++ return r;
++
++ bar_found = true;
++ }
++
++ /* If no resources, probably something special */
++ if (!bar_found)
++ return -EPERM;
++
++ return 0;
++#else
++ return -EINVAL; /* No way to control the device without sysfs */
++#endif
++}
++
+ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ struct kvm_assigned_pci_dev *assigned_dev)
+ {
+ int r = 0;
+ struct kvm_assigned_dev_kernel *match;
+ struct pci_dev *dev;
++ u8 header_type;
+
+ if (!(assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU))
+ return -EINVAL;
+@@ -610,6 +673,18 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ r = -EINVAL;
+ goto out_free;
+ }
++
++ /* Don't allow bridges to be assigned */
++ pci_read_config_byte(dev, PCI_HEADER_TYPE, &header_type);
++ if ((header_type & PCI_HEADER_TYPE) != PCI_HEADER_TYPE_NORMAL) {
++ r = -EPERM;
++ goto out_put;
++ }
++
++ r = probe_sysfs_permissions(dev);
++ if (r)
++ goto out_put;
++
+ if (pci_enable_device(dev)) {
+ printk(KERN_INFO "%s: Could not enable PCI device\n", __func__);
+ r = -EBUSY;
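Review bot: The bridge check added to kvm_vm_ioctl_assign_device masks header_type with PCI_HEADER_TYPE, which is the config-space register offset (0x0e), not a mask over the header-layout field; a type-1 (PCI-to-PCI bridge) header has only bit 0 set, which that mask clears, so `(header_type & PCI_HEADER_TYPE) != PCI_HEADER_TYPE_NORMAL` is false and a bridge passes the check the comment says it must fail. The PCI core already stores the layout with the multifunction bit masked out, so `if (dev->hdr_type != PCI_HEADER_TYPE_NORMAL) {` can replace both the pci_read_config_byte call (whose return value is ignored here) and the masked compare, and the header_type local can go. As far as I recall upstream later corrected this same test, so the backport may want that follow-up too. kvm_vm_ioctl_assign_device's body and its out_put label continue outside the hunk.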
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch)
@@ -0,0 +1,58 @@
+commit 423873736b78f549fbfa2f715f2e4de7e6c5e1e9
+Author: Alex Williamson <alex.williamson at redhat.com>
+Date: Tue Dec 20 21:59:03 2011 -0700
+
+ KVM: Remove ability to assign a device without iommu support
+
+ This option has no users and it exposes a security hole that we
+ can allow devices to be assigned without iommu protection. Make
+ KVM_DEV_ASSIGN_ENABLE_IOMMU a mandatory option.
+
+ Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+ [dannf: backported to Debian's 2.6.32]
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -582,6 +582,9 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ struct kvm_assigned_dev_kernel *match;
+ struct pci_dev *dev;
+
++ if (!(assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU))
++ return -EINVAL;
++
+ down_read(&kvm->slots_lock);
+ mutex_lock(&kvm->lock);
+
+@@ -635,16 +638,14 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+
+ list_add(&match->list, &kvm->arch.assigned_dev_head);
+
+- if (assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU) {
+- if (!kvm->arch.iommu_domain) {
+- r = kvm_iommu_map_guest(kvm);
+- if (r)
+- goto out_list_del;
+- }
+- r = kvm_assign_device(kvm, match);
++ if (!kvm->arch.iommu_domain) {
++ r = kvm_iommu_map_guest(kvm);
+ if (r)
+ goto out_list_del;
+ }
++ r = kvm_assign_device(kvm, match);
++ if (r)
++ goto out_list_del;
+
+ out:
+ mutex_unlock(&kvm->lock);
+@@ -683,8 +684,7 @@ static int kvm_vm_ioctl_deassign_device(struct kvm *kvm,
+ goto out;
+ }
+
+- if (match->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU)
+- kvm_deassign_device(kvm, match);
++ kvm_deassign_device(kvm, match);
+
+ kvm_free_assigned_device(kvm, match);
+
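Review bot: The early return added at the top of kvm_vm_ioctl_assign_device rejects a flag combination the ioctl previously accepted, but nothing at the rejection site says why, so a reader will take the bare -EINVAL for a validation slip. Suggest `/* Assignment without IOMMU isolation is unsupported: the flag is mandatory */` directly above the check, and the KVM API document for this ioctl, if this tree carries one, should state the same. Dropping the flag test in the deassign hunk is consistent once every assigned device has an IOMMU mapping; the rest of kvm_vm_ioctl_deassign_device lies outside the hunk.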
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch)
@@ -0,0 +1,62 @@
+From 537400450bd43daf3f99efe35efd0ccaf16f38b1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Thu, 5 Jan 2012 02:27:57 -0300
+Subject: [PATCH] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
+
+commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.
+
+If ctrls->count is too high the multiplication could overflow and
+array_size would be lower than expected. Mauro and Hans Verkuil
+suggested that we cap it at 1024. That comes from the maximum
+number of controls with lots of room for expantion.
+
+$ grep V4L2_CID include/linux/videodev2.h | wc -l
+211
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/media/video/v4l2-ioctl.c | 6 ++++++
+ include/linux/videodev2.h | 1 +
+ 2 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
+index 265bfb5..d7332c7 100644
+--- a/drivers/media/video/v4l2-ioctl.c
++++ b/drivers/media/video/v4l2-ioctl.c
+@@ -414,6 +414,9 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
+ p->error_idx = p->count;
+ user_ptr = (void __user *)p->controls;
+ if (p->count) {
++ err = -EINVAL;
++ if (p->count > V4L2_CID_MAX_CTRLS)
++ goto out_ext_ctrl;
+ ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
+ /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
+ mbuf = kmalloc(ctrls_size, GFP_KERNEL);
+@@ -1912,6 +1915,9 @@ long video_ioctl2(struct file *file,
+ p->error_idx = p->count;
+ user_ptr = (void __user *)p->controls;
+ if (p->count) {
++ err = -EINVAL;
++ if (p->count > V4L2_CID_MAX_CTRLS)
++ goto out_ext_ctrl;
+ ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
+ /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
+ mbuf = kmalloc(ctrls_size, GFP_KERNEL);
+diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
+index b59e78c..9e2088c 100644
+--- a/include/linux/videodev2.h
++++ b/include/linux/videodev2.h
+@@ -858,6 +858,7 @@ struct v4l2_querymenu {
+ #define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
+
+ /* User-class control IDs defined by V4L2 */
++#define V4L2_CID_MAX_CTRLS 1024
+ #define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900)
+ #define V4L2_CID_USER_BASE V4L2_CID_BASE
+ /* IDs reserved for driver specific controls */
+--
+1.7.9.1
+
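Review bot: V4L2_CID_MAX_CTRLS is defined in videodev2.h inside the block of user-class control IDs and carries the V4L2_CID_ prefix, yet it is an upper bound on v4l2_ext_controls.count rather than a control ID, so someone scanning the CID table may mistake it for one. A one-line comment at the define, `/* upper bound on v4l2_ext_controls.count; not a control ID */`, would prevent that, and placing it beside the v4l2_ext_controls definition would fit better than the CID block. The two bound checks in video_usercopy and video_ioctl2 are byte-identical copies, and both jump to an out_ext_ctrl label that is outside the hunk.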
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch)
@@ -0,0 +1,134 @@
+From tim.gardner at canonical.com Wed Feb 15 14:06:11 2012
+From: Tim Gardner <tim.gardner at canonical.com>
+Date: Wed, 15 Feb 2012 14:14:06 -0700
+Subject: Add mount option to check uid of device being mounted = expect uid, CVE-2011-1833
+To: stable at vger.kernel.org, gregkh at linuxfoundation.org
+Cc: Tim Gardner <tim.gardner at canonical.com>, John Johansen <john.johansen at canonical.com>, <stable at kernel.org>, Tyler Hicks <tyler.hicks at canonical.com>
+Message-ID: <1329340446-126150-1-git-send-email-tim.gardner at canonical.com>
+
+From: John Johansen <john.johansen at canonical.com>
+
+(backported from commit 764355487ea220fdc2faf128d577d7f679b91f97)
+
+Close a TOCTOU race for mounts done via ecryptfs-mount-private. The mount
+source (device) can be raced when the ownership test is done in userspace.
+Provide Ecryptfs a means to force the uid check at mount time.
+
+BugLink: http://bugs.launchpad.net/bugs/732628
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Signed-off-by: Tyler Hicks <tyler.hicks at canonical.com>
+Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+[dannf: apply to Debian's 2.6.32]
+---
+ fs/ecryptfs/main.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
+index c6ac85d..f6cd392 100644
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -212,7 +212,8 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig,
+ ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata,
+ ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
+ ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
+- ecryptfs_opt_unlink_sigs, ecryptfs_opt_err };
++ ecryptfs_opt_unlink_sigs, ecryptfs_opt_check_dev_ruid,
++ ecryptfs_opt_err };
+
+ static const match_table_t tokens = {
+ {ecryptfs_opt_sig, "sig=%s"},
+@@ -227,6 +228,7 @@ static const match_table_t tokens = {
+ {ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"},
+ {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
+ {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
++ {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
+ {ecryptfs_opt_err, NULL}
+ };
+
+@@ -270,6 +272,7 @@ static void ecryptfs_init_mount_crypt_stat(
+ * ecryptfs_parse_options
+ * @sb: The ecryptfs super block
+ * @options: The options pased to the kernel
++ * @check_ruid: set to 1 if device uid should be checked against the ruid
+ *
+ * Parse mount options:
+ * debug=N - ecryptfs_verbosity level for debug output
+@@ -285,7 +288,8 @@ static void ecryptfs_init_mount_crypt_stat(
+ *
+ * Returns zero on success; non-zero on error
+ */
+-static int ecryptfs_parse_options(struct super_block *sb, char *options)
++static int ecryptfs_parse_options(struct super_block *sb, char *options,
++ uid_t *check_ruid)
+ {
+ char *p;
+ int rc = 0;
+@@ -310,6 +314,8 @@ static int ecryptfs_parse_options(struct super_block *sb, char *options)
+ char *cipher_key_bytes_src;
+ char *fn_cipher_key_bytes_src;
+
++ *check_ruid = 0;
++
+ if (!options) {
+ rc = -EINVAL;
+ goto out;
+@@ -410,6 +416,9 @@ static int ecryptfs_parse_options(struct super_block *sb, char *options)
+ case ecryptfs_opt_unlink_sigs:
+ mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS;
+ break;
++ case ecryptfs_opt_check_dev_ruid:
++ *check_ruid = 1;
++ break;
+ case ecryptfs_opt_err:
+ default:
+ printk(KERN_WARNING
+@@ -551,7 +560,8 @@ out:
+ * ecryptfs_interpose to create our initial inode and super block
+ * struct.
+ */
+-static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
++static int ecryptfs_read_super(struct super_block *sb, const char *dev_name,
++ uid_t check_ruid)
+ {
+ struct path path;
+ int rc;
+@@ -561,6 +571,15 @@ static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
+ ecryptfs_printk(KERN_WARNING, "path_lookup() failed\n");
+ goto out;
+ }
++
++ if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
++ rc = -EPERM;
++ printk(KERN_ERR "Mount of device (uid: %d) not owned by "
++ "requested user (uid: %d)\n",
++ path.dentry->d_inode->i_uid, current_uid());
++ goto out_free;
++ }
++
+ ecryptfs_set_superblock_lower(sb, path.dentry->d_sb);
+ sb->s_maxbytes = path.dentry->d_sb->s_maxbytes;
+ sb->s_blocksize = path.dentry->d_sb->s_blocksize;
+@@ -599,6 +618,7 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
+ {
+ int rc;
+ struct super_block *sb;
++ uid_t check_ruid;
+
+ rc = get_sb_nodev(fs_type, flags, raw_data, ecryptfs_fill_super, mnt);
+ if (rc < 0) {
+@@ -606,12 +626,12 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
+ goto out;
+ }
+ sb = mnt->mnt_sb;
+- rc = ecryptfs_parse_options(sb, raw_data);
++ rc = ecryptfs_parse_options(sb, raw_data, &check_ruid);
+ if (rc) {
+ printk(KERN_ERR "Error parsing options; rc = [%d]\n", rc);
+ goto out_abort;
+ }
+- rc = ecryptfs_read_super(sb, dev_name);
++ rc = ecryptfs_read_super(sb, dev_name, check_ruid);
+ if (rc) {
+ printk(KERN_ERR "Reading sb failed; rc = [%d]\n", rc);
+ goto out_abort;
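Review bot: ecryptfs_read_super gains a check_ruid parameter, but the kernel-doc block that ends just above its new signature is not updated, whereas the same patch does add @check_ruid to ecryptfs_parse_options' comment. Suggest adding `* @check_ruid: if non-zero, fail with -EPERM unless the lower device's i_uid equals current_uid()` to that block. check_ruid is also declared as uid_t although, in the code shown, it only ever holds 0 or 1; an int or bool would say what it is. The printk in the new branch prints uid_t values with %d, whereas %u matches the unsigned type.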
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch)
@@ -0,0 +1,56 @@
+From 3e9d6c33830beee43dc1b94bdbff41109455fa58 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Mon, 6 Feb 2012 10:20:45 +0100
+Subject: [PATCH] cdrom: use copy_to_user() without the underscores
+
+commit 822bfa51ce44f2c63c300fdb76dc99c4d5a5ca9f upstream.
+
+"nframes" comes from the user and "nframes * CD_FRAMESIZE_RAW" can wrap
+on 32 bit systems. That would have been ok if we used the same wrapped
+value for the copy, but we use a shifted value. We should just use the
+checked version of copy_to_user() because it's not going to make a
+difference to the speed.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/cdrom/cdrom.c | 8 +-------
+ 1 files changed, 1 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 59cccc9..a4592ec 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2057,11 +2057,6 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
+ if (!nr)
+ return -ENOMEM;
+
+- if (!access_ok(VERIFY_WRITE, ubuf, nframes * CD_FRAMESIZE_RAW)) {
+- ret = -EFAULT;
+- goto out;
+- }
+-
+ cgc.data_direction = CGC_DATA_READ;
+ while (nframes > 0) {
+ if (nr > nframes)
+@@ -2070,7 +2065,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
+ ret = cdrom_read_block(cdi, &cgc, lba, nr, 1, CD_FRAMESIZE_RAW);
+ if (ret)
+ break;
+- if (__copy_to_user(ubuf, cgc.buffer, CD_FRAMESIZE_RAW * nr)) {
++ if (copy_to_user(ubuf, cgc.buffer, CD_FRAMESIZE_RAW * nr)) {
+ ret = -EFAULT;
+ break;
+ }
+@@ -2078,7 +2073,6 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
+ nframes -= nr;
+ lba += nr;
+ }
+-out:
+ kfree(cgc.buffer);
+ return ret;
+ }
+--
+1.7.9.1
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch)
@@ -0,0 +1,62 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Thu, 23 Feb 2012 09:37:45 -0500
+Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
+
+commit 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream.
+
+The cifs code will attempt to open files on lookup under certain
+circumstances. What happens though if we find that the file we opened
+was actually a FIFO or other special file?
+
+Currently, the open filehandle just ends up being leaked leading to
+a dentry refcount mismatch and oops on umount. Fix this by having the
+code close the filehandle on the server if it turns out not to be a
+regular file. While we're at it, change this spaghetti if statement
+into a switch too.
+
+Cc: stable at vger.kernel.org
+Reported-by: CAI Qian <caiqian at redhat.com>
+Tested-by: CAI Qian <caiqian at redhat.com>
+Reviewed-by: Shirish Pargaonkar <shirishpargaonkar at gmail.com>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Signed-off-by: Steve French <smfrench at gmail.com>
+---
+ fs/cifs/dir.c | 20 ++++++++++++++++++--
+ 1 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index 63a196b..bc7e2442 100644
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -584,10 +584,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
+ * If either that or op not supported returned, follow
+ * the normal lookup.
+ */
+- if ((rc == 0) || (rc == -ENOENT))
++ switch (rc) {
++ case 0:
++ /*
++ * The server may allow us to open things like
++ * FIFOs, but the client isn't set up to deal
++ * with that. If it's not a regular file, just
++ * close it and proceed as if it were a normal
++ * lookup.
++ */
++ if (newInode && !S_ISREG(newInode->i_mode)) {
++ CIFSSMBClose(xid, pTcon, fileHandle);
++ break;
++ }
++ case -ENOENT:
+ posix_open = true;
+- else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
++ case -EOPNOTSUPP:
++ break;
++ default:
+ pTcon->broken_posix_open = true;
++ }
+ }
+ if (!posix_open)
+ rc = cifs_get_inode_info_unix(&newInode, full_path,
+--
+1.7.9.1
+
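Review bot: The fall-through from `case 0:` into `case -ENOENT:` in cifs_lookup's new switch is intentional (a successfully opened regular file must set posix_open) but is unmarked, and the `break` inside the S_ISREG test makes the intent easy to misread. Add `/* fall through */` as the last line of case 0, after the closing brace of the if, so that both readers and compilers with fall-through warnings see it. The same applies to `case -ENOENT:` falling into `case -EOPNOTSUPP:`, whose `break` serves both. cifs_lookup's body continues outside the hunk.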
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch)
@@ -0,0 +1,91 @@
+From 26487be3d861e50dcfd4b19199e3c206d3700678 Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom at vmware.com>
+Date: Tue, 24 Jan 2012 18:54:21 +0100
+Subject: [PATCH] drm: Fix authentication kernel crash
+
+commit 598781d71119827b454fd75d46f84755bca6f0c6 upstream.
+
+If the master tries to authenticate a client using drm_authmagic and
+that client has already closed its drm file descriptor,
+either wilfully or because it was terminated, the
+call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory
+and corrupt it.
+
+Typically this results in a hard system hang.
+
+This patch fixes that problem by removing any authentication tokens
+(struct drm_magic_entry) open for a file descriptor when that file
+descriptor is closed.
+
+Signed-off-by: Thomas Hellstrom <thellstrom at vmware.com>
+Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_auth.c | 6 +++++-
+ drivers/gpu/drm/drm_fops.c | 5 +++++
+ include/drm/drmP.h | 1 +
+ 3 files changed, 11 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
+index 932b5aa..d676d49 100644
+--- a/drivers/gpu/drm/drm_auth.c
++++ b/drivers/gpu/drm/drm_auth.c
+@@ -102,7 +102,7 @@ static int drm_add_magic(struct drm_master *master, struct drm_file *priv,
+ * Searches and unlinks the entry in drm_device::magiclist with the magic
+ * number hash key, while holding the drm_device::struct_mutex lock.
+ */
+-static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
++int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
+ {
+ struct drm_magic_entry *pt;
+ struct drm_hash_item *hash;
+@@ -137,6 +137,8 @@ static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
+ * If there is a magic number in drm_file::magic then use it, otherwise
+ * searches an unique non-zero magic number and add it associating it with \p
+ * file_priv.
++ * This ioctl needs protection by the drm_global_mutex, which protects
++ * struct drm_file::magic and struct drm_magic_entry::priv.
+ */
+ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
+ {
+@@ -174,6 +176,8 @@ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
+ * \return zero if authentication successed, or a negative number otherwise.
+ *
+ * Checks if \p file_priv is associated with the magic number passed in \arg.
++ * This ioctl needs protection by the drm_global_mutex, which protects
++ * struct drm_file::magic and struct drm_magic_entry::priv.
+ */
+ int drm_authmagic(struct drm_device *dev, void *data,
+ struct drm_file *file_priv)
+diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
+index ba14553..519161e 100644
+--- a/drivers/gpu/drm/drm_fops.c
++++ b/drivers/gpu/drm/drm_fops.c
+@@ -449,6 +449,11 @@ int drm_release(struct inode *inode, struct file *filp)
+ (long)old_encode_dev(file_priv->minor->device),
+ dev->open_count);
+
++ /* Release any auth tokens that might point to this file_priv,
++ (do that under the drm_global_mutex) */
++ if (file_priv->magic)
++ (void) drm_remove_magic(file_priv->master, file_priv->magic);
++
+ /* if the master has gone away we can't do anything with the lock */
+ if (file_priv->minor->master)
+ drm_master_release(dev, filp);
+diff --git a/include/drm/drmP.h b/include/drm/drmP.h
+index 66713c6..ebab6a6 100644
+--- a/include/drm/drmP.h
++++ b/include/drm/drmP.h
+@@ -1221,6 +1221,7 @@ extern int drm_getmagic(struct drm_device *dev, void *data,
+ struct drm_file *file_priv);
+ extern int drm_authmagic(struct drm_device *dev, void *data,
+ struct drm_file *file_priv);
++extern int drm_remove_magic(struct drm_master *master, drm_magic_t magic);
+
+ /* Cache management (drm_cache.c) */
+ void drm_clflush_pages(struct page *pages[], unsigned long num_pages);
+--
+1.7.9.1
+
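Review bot: The new comment in drm_release says the token removal happens under drm_global_mutex, and the two kernel-doc additions in drm_auth.c name the same mutex, but whether this 2.6.32 tree has that mutex at all is not visible here; if drm_release in this tree still serializes on an older lock, these comments describe locking the backport does not have, and the wording should name the lock actually held or carry a `[dannf: ...]` note explaining the difference. The call `drm_remove_magic(file_priv->master, file_priv->magic)` passes file_priv->master with no NULL check; if master can be cleared before release in this tree, the guard should be `if (file_priv->magic && file_priv->master)`. drm_release's body and drm_remove_magic's body continue outside the hunk.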
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch)
@@ -0,0 +1,50 @@
+From e065d6f4f4453db007d4fb22ebb937e38922cb4b Mon Sep 17 00:00:00 2001
+From: Li Wang <liwang at nudt.edu.cn>
+Date: Thu, 19 Jan 2012 09:44:36 +0800
+Subject: [PATCH] eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34 upstream.
+
+ecryptfs_write() can enter an infinite loop when truncating a file to a
+size larger than 4G. This only happens on architectures where size_t is
+represented by 32 bits.
+
+This was caused by a size_t overflow due to it incorrectly being used to
+store the result of a calculation which uses potentially large values of
+type loff_t.
+
+[tyhicks at canonical.com: rewrite subject and commit message]
+Signed-off-by: Li Wang <liwang at nudt.edu.cn>
+Signed-off-by: Yunchuan Wen <wenyunchuan at kylinos.com.cn>
+Reviewed-by: Cong Wang <xiyou.wangcong at gmail.com>
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ fs/ecryptfs/read_write.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
+index 6b78546..0404659 100644
+--- a/fs/ecryptfs/read_write.c
++++ b/fs/ecryptfs/read_write.c
+@@ -134,7 +134,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT);
+ size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK);
+ size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
+- size_t total_remaining_bytes = ((offset + size) - pos);
++ loff_t total_remaining_bytes = ((offset + size) - pos);
+
+ if (fatal_signal_pending(current)) {
+ rc = -EINTR;
+@@ -145,7 +145,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ num_bytes = total_remaining_bytes;
+ if (pos < offset) {
+ /* remaining zeros to write, up to destination offset */
+- size_t total_remaining_zeros = (offset - pos);
++ loff_t total_remaining_zeros = (offset - pos);
+
+ if (num_bytes > total_remaining_zeros)
+ num_bytes = total_remaining_zeros;
+--
+1.7.9.1
+
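Review bot: The clamp `if (num_bytes > total_remaining_bytes)` now compares a size_t against a loff_t, and on 64-bit targets that comparison is performed unsigned, so it is only correct because `total_remaining_bytes` can never be negative; the loop condition that keeps `pos` below `offset + size` lies outside the hunk. A one-line comment on the new declaration would stop a later cleanup from reintroducing the narrowing: `/* loff_t, not size_t: (offset + size) - pos can exceed 4G on 32-bit */`. The same reasoning applies to `total_remaining_zeros`, which is bounded by the `pos < offset` test directly above it.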
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch)
@@ -0,0 +1,71 @@
+From bd8f0a46a1d92470b88ae53e8282dc4edf4f0ba9 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks at canonical.com>
+Date: Wed, 18 Jan 2012 18:30:04 -0600
+Subject: [PATCH] eCryptfs: Make truncate path killable
+
+commit 5e6f0d769017cc49207ef56996e42363ec26c1f0 upstream.
+
+ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+page, zeroes out the appropriate portions, and then encrypts the page
+before writing it to the lower filesystem. It was unkillable and due to
+the lack of sparse file support could result in tying up a large portion
+of system resources, while encrypting pages of zeros, with no way for
+the truncate operation to be stopped from userspace.
+
+This patch adds the ability for ecryptfs_write() to detect a pending
+fatal signal and return as gracefully as possible. The intent is to
+leave the lower file in a useable state, while still allowing a user to
+break out of the encryption loop. If a pending fatal signal is detected,
+the eCryptfs inode size is updated to reflect the modified inode size
+and then -EINTR is returned.
+
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ fs/ecryptfs/read_write.c | 19 ++++++++++++++-----
+ 1 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
+index 0cc4faf..6b78546 100644
+--- a/fs/ecryptfs/read_write.c
++++ b/fs/ecryptfs/read_write.c
+@@ -136,6 +136,11 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
+ size_t total_remaining_bytes = ((offset + size) - pos);
+
++ if (fatal_signal_pending(current)) {
++ rc = -EINTR;
++ break;
++ }
++
+ if (num_bytes > total_remaining_bytes)
+ num_bytes = total_remaining_bytes;
+ if (pos < offset) {
+@@ -197,15 +202,19 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ }
+ pos += num_bytes;
+ }
+- if ((offset + size) > ecryptfs_file_size) {
+- i_size_write(ecryptfs_inode, (offset + size));
++ if (pos > ecryptfs_file_size) {
++ i_size_write(ecryptfs_inode, pos);
+ if (crypt_stat->flags & ECRYPTFS_ENCRYPTED) {
+- rc = ecryptfs_write_inode_size_to_metadata(
++ int rc2;
++
++ rc2 = ecryptfs_write_inode_size_to_metadata(
+ ecryptfs_inode);
+- if (rc) {
++ if (rc2) {
+ printk(KERN_ERR "Problem with "
+ "ecryptfs_write_inode_size_to_metadata; "
+- "rc = [%d]\n", rc);
++ "rc = [%d]\n", rc2);
++ if (!rc)
++ rc = rc2;
+ goto out;
+ }
+ }
+--
+1.7.9.1
+
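Review bot: The post-loop size update now uses `pos` instead of `offset + size`, which is what makes an -EINTR exit leave i_size consistent with what was actually written, but nothing in the code says so; a comment at `if (pos > ecryptfs_file_size) {` such as `/* pos, not offset + size: after -EINTR only the pages already written count */` would preserve the intent. The new fatal_signal_pending() check runs before the iteration does any work, so an interrupted call still finishes the page in flight, which appears consistent with the stated goal of leaving the lower file usable. The loop header and the declaration of `rc` are outside the hunk, so whether every caller of ecryptfs_write() tolerates -EINTR cannot be confirmed from here.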
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch)
@@ -0,0 +1,71 @@
+From d50f2ab6f050311dbf7b8f5501b25f0bf64a439b Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang at gmail.com>
+Date: Tue, 10 Jan 2012 11:51:10 -0500
+Subject: ext4: fix undefined behavior in ext4_fill_flex_info()
+
+From: Xi Wang <xi.wang at gmail.com>
+
+commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b upstream.
+
+Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
+zero when trying to mount a corrupted file system") fixes CVE-2009-4307
+by performing a sanity check on s_log_groups_per_flex, since it can be
+set to a bogus value by an attacker.
+
+ sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+ groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+
+ if (groups_per_flex < 2) { ... }
+
+This patch fixes two potential issues in the previous commit.
+
+1) The sanity check might only work on architectures like PowerPC.
+On x86, 5 bits are used for the shifting amount. That means, given a
+large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
+is essentially 1 << 4 = 16, rather than 0. This will bypass the check,
+leaving s_log_groups_per_flex and groups_per_flex inconsistent.
+
+2) The sanity check relies on undefined behavior, i.e., oversized shift.
+A standard-confirming C compiler could rewrite the check in unexpected
+ways. Consider the following equivalent form, assuming groups_per_flex
+is unsigned for simplicity.
+
+ groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+ if (groups_per_flex == 0 || groups_per_flex == 1) {
+
+We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will
+completely optimize away the check groups_per_flex == 0, leaving the
+patched code as vulnerable as the original. GCC keeps the check, but
+there is no guarantee that future versions will do the same.
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/ext4/super.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1705,17 +1705,16 @@ static int ext4_fill_flex_info(struct su
+ struct ext4_group_desc *gdp = NULL;
+ ext4_group_t flex_group_count;
+ ext4_group_t flex_group;
+- int groups_per_flex = 0;
++ unsigned int groups_per_flex = 0;
+ size_t size;
+ int i;
+
+ sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+- groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+-
+- if (groups_per_flex < 2) {
++ if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) {
+ sbi->s_log_groups_per_flex = 0;
+ return 1;
+ }
++ groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+
+ /* We allocate both existing and potentially added groups */
+ flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
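Review bot: `groups_per_flex = 1 << sbi->s_log_groups_per_flex;` still shifts a signed int, so the newly permitted maximum of 31 yields `1 << 31`, which is signed overflow in standard C even though the result lands in the now-unsigned `groups_per_flex`; since this patch exists specifically to stop relying on undefined shifts, `groups_per_flex = 1U << sbi->s_log_groups_per_flex;` would close that remaining gap. A value of 31 also makes `sbi->s_groups_count + groups_per_flex - 1` on the last visible line reach 2^31 plus the group count, and whether that fits ext4_group_t cannot be confirmed here because the expression continues outside the hunk.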
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch)
@@ -0,0 +1,35 @@
+From 3aee4081eee4987bbf2dd00c7267a8b2ea7386a0 Mon Sep 17 00:00:00 2001
+From: Yong Zhang <yong.zhang at windriver.com>
+Date: Tue, 6 Apr 2010 14:35:02 -0700
+Subject: [PATCH] kernel.h: fix wrong usage of __ratelimit()
+
+commit bb1dc0bacb8ddd7ba6a5906c678a5a5a110cf695 upstream.
+
+When __ratelimit() returns 1 this means that we can go ahead.
+
+Signed-off-by: Yong Zhang <yong.zhang at windriver.com>
+Cc: Ingo Molnar <mingo at elte.hu>
+Cc: Joe Perches <joe at perches.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ include/linux/kernel.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 1221fe4..f963c1b 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -417,7 +417,7 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
+ .burst = DEFAULT_RATELIMIT_BURST, \
+ }; \
+ \
+- if (!__ratelimit(&_rs)) \
++ if (__ratelimit(&_rs)) \
+ printk(fmt, ##__VA_ARGS__); \
+ })
+ #else
+--
+1.7.9.1
+
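Review bot: The static `_rs` initializer ending at `.burst = DEFAULT_RATELIMIT_BURST,` still leaves the ratelimit_state spinlock uninitialized, which this commit fixes separately in printk_ratelimited-fix-uninitialized-spinlock.patch; that patch's `index f963c1b..9acb92d` chains onto this one's `index 1221fe4..f963c1b`, so the series must keep this patch first. Both patches are also prerequisites for the printk_ratelimited() call added in limit-ioctls-forwarded-to-non-scsi-devices-3.patch, so none of the three should be reordered or dropped independently. The series file itself is not in this chunk, so the actual ordering cannot be verified here.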
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch)
@@ -0,0 +1,168 @@
+From ddd80d112479aaa16e3b82c5729451dcbeafe00c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Tue, 17 Jan 2012 04:07:02 +0000
+Subject: [PATCH] block: fail SCSI passthrough ioctls on partition devices
+
+commit 0bfc96cb77224736dfa35c3c555d37b3646ef35e upstream.
+
+[ Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
+ and -ENOIOCTLCMD from sd_compat_ioctl. ]
+
+Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+will pass the command to the underlying block device. This is
+well-known, but it is also a large security problem when (via Unix
+permissions, ACLs, SELinux or a combination thereof) a program or user
+needs to be granted access only to part of the disk.
+
+This patch lets partitions forward a small set of harmless ioctls;
+others are logged with printk so that we can see which ioctls are
+actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+Of course it was being sent to a (partition on a) hard disk, so it would
+have failed with ENOTTY and the patch isn't changing anything in
+practice. Still, I'm treating it specially to avoid spamming the logs.
+
+In principle, this restriction should include programs running with
+CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+/dev/sdb, it still should not be able to read/write outside the
+boundaries of /dev/sda2 independent of the capabilities. However, for
+now programs with CAP_SYS_RAWIO will still be allowed to send the
+ioctls. Their actions will still be logged.
+
+This patch does not affect the non-libata IDE driver. That driver
+however already tests for bd != bd->bd_contains before issuing some
+ioctl; it could be restricted further to forbid these ioctls even for
+programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+Cc: linux-scsi at vger.kernel.org
+Cc: Jens Axboe <axboe at kernel.dk>
+Cc: James Bottomley <JBottomley at parallels.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[ Make it also print the command name when warning - Linus ]
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backport to 2.6.32 - ENOIOCTLCMD does not get converted to
+ ENOTTY, so we must return ENOTTY directly]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ block/scsi_ioctl.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ drivers/scsi/sd.c | 11 +++++++++--
+ include/linux/blkdev.h | 1 +
+ 3 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 114ee29..2be0a97 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -24,6 +24,7 @@
+ #include <linux/capability.h>
+ #include <linux/completion.h>
+ #include <linux/cdrom.h>
++#include <linux/ratelimit.h>
+ #include <linux/slab.h>
+ #include <linux/times.h>
+ #include <asm/uaccess.h>
+@@ -689,9 +690,53 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
+ }
+ EXPORT_SYMBOL(scsi_cmd_ioctl);
+
++int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
++{
++ if (bd && bd == bd->bd_contains)
++ return 0;
++
++ /* Actually none of these is particularly useful on a partition,
++ * but they are safe.
++ */
++ switch (cmd) {
++ case SCSI_IOCTL_GET_IDLUN:
++ case SCSI_IOCTL_GET_BUS_NUMBER:
++ case SCSI_IOCTL_GET_PCI:
++ case SCSI_IOCTL_PROBE_HOST:
++ case SG_GET_VERSION_NUM:
++ case SG_SET_TIMEOUT:
++ case SG_GET_TIMEOUT:
++ case SG_GET_RESERVED_SIZE:
++ case SG_SET_RESERVED_SIZE:
++ case SG_EMULATED_HOST:
++ return 0;
++ case CDROM_GET_CAPABILITY:
++ /* Keep this until we remove the printk below. udev sends it
++ * and we do not want to spam dmesg about it. CD-ROMs do
++ * not have partitions, so we get here only for disks.
++ */
++ return -ENOTTY;
++ default:
++ break;
++ }
++
++ /* In particular, rule out all resets and host-specific ioctls. */
++ printk_ratelimited(KERN_WARNING
++ "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
++
++ return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
++}
++EXPORT_SYMBOL(scsi_verify_blk_ioctl);
++
+ int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
+ unsigned int cmd, void __user *arg)
+ {
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bd, cmd);
++ if (ret < 0)
++ return ret;
++
+ return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
+ }
+ EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 2dd1b73..a5b55fe 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -817,6 +817,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
+ SCSI_LOG_IOCTL(1, printk("sd_ioctl: disk=%s, cmd=0x%x\n",
+ disk->disk_name, cmd));
+
++ error = scsi_verify_blk_ioctl(bdev, cmd);
++ if (error < 0)
++ return error;
++
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+ * else try and use this device. Also, if error recovery fails, it
+@@ -996,6 +1000,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ unsigned int cmd, unsigned long arg)
+ {
+ struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bdev, cmd);
++ if (ret < 0)
++ return -ENOIOCTLCMD;
+
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+@@ -1007,8 +1016,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ return -ENODEV;
+
+ if (sdev->host->hostt->compat_ioctl) {
+- int ret;
+-
+ ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
+
+ return ret;
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 63070ad..5eb6cb0 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -777,6 +777,7 @@ extern void blk_plug_device(struct request_queue *);
+ extern void blk_plug_device_unlocked(struct request_queue *);
+ extern int blk_remove_plug(struct request_queue *);
+ extern void blk_recount_segments(struct request_queue *, struct bio *);
++extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
+ extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
+ unsigned int, void __user *);
+ extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
+--
+1.7.9.1
+
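Review bot: `scsi_verify_blk_ioctl` treats a NULL `bd` like a partition — the guard `if (bd && bd == bd->bd_contains)` falls through to the allowlist, the warning and the CAP_SYS_RAWIO test — while `scsi_cmd_blk_ioctl` dereferences `bd->bd_disk` immediately after a successful verify, so the NULL tolerance buys nothing and a comment above the function stating the contract for `bd` would settle whether it is a supported input. The CAP_SYS_RAWIO escape at `return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;` is the deliberate gap the commit message describes, and a comment such as `/* CAP_SYS_RAWIO still reaches the whole disk; see commit message */` would keep it from being read as an oversight. Because the warning is ratelimited, dmesg is not a complete record of ioctls forwarded to partitions, which matters if that log is relied on for detection. The `-ENOIOCTLCMD` return in sd_compat_ioctl differs from the `-ENOTTY` used elsewhere; the backport note says this is intentional, but the compat caller is outside the hunk so its handling of that value cannot be checked here.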
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch)
@@ -0,0 +1,50 @@
+From 3a86cda406c00df3a1c207ba26406847d8e53bba Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi at mail.parknet.co.jp>
+Date: Mon, 24 May 2010 14:33:11 -0700
+Subject: [PATCH] printk_ratelimited(): fix uninitialized spinlock
+
+commit d8521fcc5e0ad3e79bbc4231bb20a6cdc2b50164 upstream.
+
+ratelimit_state initialization of printk_ratelimited() seems broken. This
+fixes it by using DEFINE_RATELIMIT_STATE() to initialize spinlock
+properly.
+
+Signed-off-by: OGAWA Hirofumi <hirofumi at mail.parknet.co.jp>
+Cc: Joe Perches <joe at perches.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Sven-Haegar Koch <haegar at sdinet.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ include/linux/kernel.h | 15 +++++++--------
+ 1 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index f963c1b..9acb92d 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -411,14 +411,13 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
+ * no local ratelimit_state used in the !PRINTK case
+ */
+ #ifdef CONFIG_PRINTK
+-#define printk_ratelimited(fmt, ...) ({ \
+- static struct ratelimit_state _rs = { \
+- .interval = DEFAULT_RATELIMIT_INTERVAL, \
+- .burst = DEFAULT_RATELIMIT_BURST, \
+- }; \
+- \
+- if (__ratelimit(&_rs)) \
+- printk(fmt, ##__VA_ARGS__); \
++#define printk_ratelimited(fmt, ...) ({ \
++ static DEFINE_RATELIMIT_STATE(_rs, \
++ DEFAULT_RATELIMIT_INTERVAL, \
++ DEFAULT_RATELIMIT_BURST); \
++ \
++ if (__ratelimit(&_rs)) \
++ printk(fmt, ##__VA_ARGS__); \
+ })
+ #else
+ /* No effect, but we still get type checking even in the !PRINTK case: */
+--
+1.7.9.1
+
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch)
@@ -0,0 +1,63 @@
+From: "H. Peter Anvin" <hpa at zytor.com>
+Date: Fri, 2 Mar 2012 10:43:48 -0800
+Subject: [PATCH] regset: Prevent null pointer reference on readonly regsets
+
+commit c8e252586f8d5de906385d8cf6385fee289a825e upstream.
+
+The regset common infrastructure assumed that regsets would always
+have .get and .set methods, but not necessarily .active methods.
+Unfortunately people have since written regsets without .set methods.
+
+Rather than putting in stub functions everywhere, handle regsets with
+null .get or .set methods explicitly.
+
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+Reviewed-by: Oleg Nesterov <oleg at redhat.com>
+Acked-by: Roland McGrath <roland at hack.frob.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/binfmt_elf.c | 2 +-
+ include/linux/regset.h | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index bcb884e..07d096c 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1421,7 +1421,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
+ for (i = 1; i < view->n; ++i) {
+ const struct user_regset *regset = &view->regsets[i];
+ do_thread_regset_writeback(t->task, regset);
+- if (regset->core_note_type &&
++ if (regset->core_note_type && regset->get &&
+ (!regset->active || regset->active(t->task, regset))) {
+ int ret;
+ size_t size = regset->n * regset->size;
+diff --git a/include/linux/regset.h b/include/linux/regset.h
+index 8abee65..5150fd1 100644
+--- a/include/linux/regset.h
++++ b/include/linux/regset.h
+@@ -335,6 +335,9 @@ static inline int copy_regset_to_user(struct task_struct *target,
+ {
+ const struct user_regset *regset = &view->regsets[setno];
+
++ if (!regset->get)
++ return -EOPNOTSUPP;
++
+ if (!access_ok(VERIFY_WRITE, data, size))
+ return -EIO;
+
+@@ -358,6 +361,9 @@ static inline int copy_regset_from_user(struct task_struct *target,
+ {
+ const struct user_regset *regset = &view->regsets[setno];
+
++ if (!regset->set)
++ return -EOPNOTSUPP;
++
+ if (!access_ok(VERIFY_READ, data, size))
+ return -EIO;
+
+--
+1.7.9.1
+
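Review bot: The new NULL checks make `.get` and `.set` optional members of struct user_regset, but the structure's own documentation (not in this hunk) is where that contract belongs; a note there along the lines of "get/set may be NULL; copy_regset_to_user/from_user then return -EOPNOTSUPP and fill_thread_core_info skips the regset" would tell future regset authors what to expect. Any other code that calls `regset->get` or `regset->set` directly rather than through these helpers is not covered by this patch and cannot be seen from here.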
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch)
@@ -0,0 +1,50 @@
+From e871c96c42ff9c08d856a757c0176f9381ac67cd Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Fri, 10 Feb 2012 09:03:58 +0100
+Subject: [PATCH] relay: prevent integer overflow in relay_open()
+
+commit f6302f1bcd75a042df69866d98b8d775a668f8f1 upstream.
+
+"subbuf_size" and "n_subbufs" come from the user and they need to be
+capped to prevent an integer overflow.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ kernel/relay.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/relay.c b/kernel/relay.c
+index 760c262..bf343f5 100644
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -171,10 +171,14 @@ depopulate:
+ */
+ static struct rchan_buf *relay_create_buf(struct rchan *chan)
+ {
+- struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
+- if (!buf)
++ struct rchan_buf *buf;
++
++ if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
+ return NULL;
+
++ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
++ if (!buf)
++ return NULL;
+ buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL);
+ if (!buf->padding)
+ goto free_buf;
+@@ -581,6 +585,8 @@ struct rchan *relay_open(const char *base_filename,
+
+ if (!(subbuf_size && n_subbufs))
+ return NULL;
++ if (subbuf_size > UINT_MAX / n_subbufs)
++ return NULL;
+
+ chan = kzalloc(sizeof(struct rchan), GFP_KERNEL);
+ if (!chan)
+--
+1.7.9.1
+
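Review bot: Each new cap guards a specific multiplication, but neither says which: `if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))` protects the `buf->padding` kmalloc three lines below it, and `if (subbuf_size > UINT_MAX / n_subbufs)` presumably protects a `subbuf_size * n_subbufs` total computed later in relay_open(), outside the hunk; a short comment on each, e.g. `/* n_subbufs * sizeof(size_t *) must not overflow */`, would keep them from being "simplified" away. The division in the second check is safe only because the preceding `if (!(subbuf_size && n_subbufs))` has already rejected a zero n_subbufs, which is worth stating in the same comment. The types of subbuf_size and n_subbufs are declared outside the hunk, so whether UINT_MAX is the right bound for them cannot be confirmed from here.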
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch)
@@ -0,0 +1,82 @@
+From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf at tu-ilmenau.de>
+Date: Thu, 12 Jan 2012 16:43:03 +0100
+Subject: [PATCH 1/2] KVM: x86: extend "struct x86_emulate_ops" with
+ "get_cpuid"
+
+commit 0769c5de24621141c953fbe1f943582d37cb4244 upstream.
+
+In order to be able to proceed checks on CPU-specific properties
+within the emulator, function "get_cpuid" is introduced.
+With "get_cpuid" it is possible to virtually call the guests
+"cpuid"-opcode without changing the VM's context.
+
+[mtosatti: cleanup/beautify code]
+
+[bwh: Backport to 2.6.32:
+ - Don't use emul_to_vcpu
+ - Adjust context]
+
+Signed-off-by: Stephan Baerwolf <stephan.baerwolf at tu-ilmenau.de>
+Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/include/asm/kvm_emulate.h | 2 ++
+ arch/x86/kvm/x86.c | 23 +++++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 0 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
+index 5ed59ec..61bf2eb 100644
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -109,6 +109,8 @@ struct x86_emulate_ops {
+ unsigned int bytes,
+ struct kvm_vcpu *vcpu);
+
++ bool (*get_cpuid)(struct x86_emulate_ctxt *ctxt,
++ u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
+ };
+
+ /* Type, address-of, and value of an instruction's operand. */
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 7cb2a58..5fab056 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2998,12 +2998,35 @@ void kvm_report_emulation_failure(struct kvm_vcpu *vcpu, const char *context)
+ }
+ EXPORT_SYMBOL_GPL(kvm_report_emulation_failure);
+
++static bool emulator_get_cpuid(struct x86_emulate_ctxt *ctxt,
++ u32 *eax, u32 *ebx, u32 *ecx, u32 *edx)
++{
++ struct kvm_cpuid_entry2 *cpuid = NULL;
++
++ if (eax && ecx)
++ cpuid = kvm_find_cpuid_entry(ctxt->vcpu,
++ *eax, *ecx);
++
++ if (cpuid) {
++ *eax = cpuid->eax;
++ *ecx = cpuid->ecx;
++ if (ebx)
++ *ebx = cpuid->ebx;
++ if (edx)
++ *edx = cpuid->edx;
++ return true;
++ }
++
++ return false;
++}
++
+ static struct x86_emulate_ops emulate_ops = {
+ .read_std = kvm_read_guest_virt_system,
+ .fetch = kvm_fetch_guest_virt,
+ .read_emulated = emulator_read_emulated,
+ .write_emulated = emulator_write_emulated,
+ .cmpxchg_emulated = emulator_cmpxchg_emulated,
++ .get_cpuid = emulator_get_cpuid,
+ };
+
+ static void cache_all_regs(struct kvm_vcpu *vcpu)
+--
+1.7.9.1
+
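Review bot: `emulator_get_cpuid` has an in/out-parameter contract that nothing documents: `eax` and `ecx` are required inputs (a NULL in either skips the lookup) and are overwritten on success, `ebx`/`edx` are optional outputs, and on `false` no output is touched, so a caller that ignores the return value reads back its own inputs. A kernel-doc block above the function stating those three points would make the new ops hook safe to use from the emulator. Whether `ctxt->vcpu` is always valid when the hook is invoked depends on the emulator's context setup, which is outside this patch.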
Copied: dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch)
@@ -0,0 +1,166 @@
+From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf at tu-ilmenau.de>
+Date: Thu, 12 Jan 2012 16:43:04 +0100
+Subject: [PATCH 2/2] KVM: x86: fix missing checks in syscall emulation
+
+commit bdb42f5afebe208eae90406959383856ae2caf2b upstream.
+
+On hosts without this patch, 32bit guests will crash (and 64bit guests
+may behave in a wrong way) for example by simply executing following
+nasm-demo-application:
+
+ [bits 32]
+ global _start
+ SECTION .text
+ _start: syscall
+
+(I tested it with winxp and linux - both always crashed)
+
+ Disassembly of section .text:
+
+ 00000000 <_start>:
+ 0: 0f 05 syscall
+
+The reason seems a missing "invalid opcode"-trap (int6) for the
+syscall opcode "0f05", which is not available on Intel CPUs
+within non-longmodes, as also on some AMD CPUs within legacy-mode.
+(depending on CPU vendor, MSR_EFER and cpuid)
+
+Because previous mentioned OSs may not engage corresponding
+syscall target-registers (STAR, LSTAR, CSTAR), they remain
+NULL and (non trapping) syscalls are leading to multiple
+faults and finally crashs.
+
+Depending on the architecture (AMD or Intel) pretended by
+guests, various checks according to vendor's documentation
+are implemented to overcome the current issue and behave
+like the CPUs physical counterparts.
+
+[mtosatti: cleanup/beautify code]
+
+[bwh: Backport to 2.6.32:
+ - Add the prerequisite read of EFER
+ - Return -1 in the error cases rather than invoking emulate_ud()
+ directly
+ - Adjust context]
+[dannf: fix build by passing x86_emulate_ops through each call]
+
+Signed-off-by: Stephan Baerwolf <stephan.baerwolf at tu-ilmenau.de>
+Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/include/asm/kvm_emulate.h | 13 +++++++++
+ arch/x86/kvm/emulate.c | 53 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 66 insertions(+), 0 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
+index 61bf2eb..cc44e3d 100644
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -192,6 +192,19 @@ struct x86_emulate_ctxt {
+ #define X86EMUL_MODE_HOST X86EMUL_MODE_PROT64
+ #endif
+
++/* CPUID vendors */
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
++
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
++
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
++
+ int x86_decode_insn(struct x86_emulate_ctxt *ctxt,
+ struct x86_emulate_ops *ops);
+ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt,
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 1350e43..aa2d905 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1495,20 +1495,73 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
+ ss->present = 1;
+ }
+
++static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt,
++ struct x86_emulate_ops *ops)
++{
++ u32 eax, ebx, ecx, edx;
++
++ /*
++ * syscall should always be enabled in longmode - so only become
++ * vendor specific (cpuid) if other modes are active...
++ */
++ if (ctxt->mode == X86EMUL_MODE_PROT64)
++ return true;
++
++ eax = 0x00000000;
++ ecx = 0x00000000;
++ if (ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)) {
++ /*
++ * Intel ("GenuineIntel")
++ * remark: Intel CPUs only support "syscall" in 64bit
++ * longmode. Also an 64bit guest with a
++ * 32bit compat-app running will #UD !! While this
++ * behaviour can be fixed (by emulating) into AMD
++ * response - CPUs of AMD can't behave like Intel.
++ */
++ if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
++ ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
++ edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
++ return false;
++
++ /* AMD ("AuthenticAMD") */
++ if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
++ ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
++ edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
++ return true;
++
++ /* AMD ("AMDisbetter!") */
++ if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
++ ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
++ edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
++ return true;
++ }
++
++ /* default: (not Intel, not AMD), apply Intel's stricter rules... */
++ return false;
++}
++
+ static int
+-emulate_syscall(struct x86_emulate_ctxt *ctxt)
++emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
+ {
+ struct decode_cache *c = &ctxt->decode;
+ struct kvm_segment cs, ss;
+ u64 msr_data;
++ u64 efer = 0;
+
+ /* syscall is not available in real mode */
+ if (c->lock_prefix || ctxt->mode == X86EMUL_MODE_REAL
+ || ctxt->mode == X86EMUL_MODE_VM86)
+ return -1;
+
++ if (!(em_syscall_is_enabled(ctxt, ops)))
++ return -1;
++
++ kvm_x86_ops->get_msr(ctxt->vcpu, MSR_EFER, &efer);
+ setup_syscalls_segments(ctxt, &cs, &ss);
+
++ if (!(efer & EFER_SCE))
++ return -1;
++
+ kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
+ msr_data >>= 32;
+ cs.selector = (u16)(msr_data & 0xfffc);
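Review bot: The two new `return -1` paths in emulate_syscall end in `goto cannot_emulate` at the 0x05 call site rather than injecting #UD the way upstream's emulate_ud() does; the backport note says this is deliberate, but the code itself does not record that the guest-visible #UD is expected to come from the caller's emulation-failure handling, which is outside this patch. I would put `/* -1 reaches cannot_emulate; the caller is relied on to turn that into #UD (upstream calls emulate_ud() here) */` above the vendor check. The `u64 efer = 0` initialiser is load-bearing: if get_msr fails, efer stays 0 and `!(efer & EFER_SCE)` rejects the instruction, so a comment such as `/* stays 0 if the MSR read fails, which fails the SCE check below */` would stop a later cleanup from dropping it. In em_syscall_is_enabled a missing leaf-0 entry (get_cpuid returning false) also falls through to the Intel rule; that agrees with the default-case comment but could be named there explicitly. emulate_syscall's body continues past the end of this hunk.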
+@@ -2342,7 +2395,7 @@ twobyte_insn:
+ }
+ break;
+ case 0x05: /* syscall */
+- if (emulate_syscall(ctxt) == -1)
++ if (emulate_syscall(ctxt, ops) == -1)
+ goto cannot_emulate;
+ else
+ goto writeback;
Copied: dists/squeeze/linux-2.6/debian/patches/series/41squeeze1 (from r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/series/41squeeze1)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/series/41squeeze1 Tue Mar 20 07:39:02 2012 (r18868, copy of r18867, releases/linux-2.6/2.6.32-41squeeze1/debian/patches/series/41squeeze1)
@@ -0,0 +1,18 @@
++ bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
++ bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch
++ bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
++ bugfix/all/drm-Fix-authentication-kernel-crash.patch
++ bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
+- bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-2.patch
++ bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
++ bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
++ bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
++ bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
++ bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
++ bugfix/all/eCryptfs-Make-truncate-path-killable.patch
++ bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
++ bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch
++ bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch
++ bugfix/all/KVM-Device-assignment-permission-checks.patch
++ bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch
++ bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch
Modified: dists/squeeze/linux-2.6/debian/patches/series/42
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/42 Tue Mar 20 06:51:05 2012 (r18867)
+++ dists/squeeze/linux-2.6/debian/patches/series/42 Tue Mar 20 07:39:02 2012 (r18868)
@@ -1,15 +1,26 @@
+ features/all/Input-synaptics-relax-capability-ID-checks-on-newer-hardware.patch
+- bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
+- bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
+- bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
- bugfix/all/treat-lvs-on-one-pv-like-a-partition-2.patch
-- bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-2.patch
- bugfix/all/add-scsi_cmd_blk_ioctl-wrapper-2.patch
- features/all/kernel.h-add-printk_ratelimited-and-pr_-level-_rl.patch
+- bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
+- bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
+ bugfix/all/stable/2.6.32.55.patch
+- bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
+- bugfix/all/eCryptfs-Make-truncate-path-killable.patch
+ bugfix/all/stable/2.6.32.56.patch
+ bugfix/all/stable/2.6.32.57.patch
+ bugfix/all/appletalk-da.s_net-not-copied-but-assigned-to-itself.patch
+- bugfix/all/cdrom-use-copy_to_user-without-the-underscores.patch
+- bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch
+- bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
+ bugfix/all/stable/2.6.32.58.patch
+ debian/ia64-Define-is_compat_task.patch
+ bugfix/all/e1000e-workaround-for-packet-drop-on-82579-at-100Mbp.patch
+- bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
+- bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
+ bugfix/all/stable/2.6.32.59.patch
+ debian/revert-IA64-Remove-COMPAT_IA32-support.patch