[kernel] r20124 - in dists/squeeze-backports/linux: . debian debian/config debian/patches debian/patches/bugfix/all debian/patches/bugfix/x86

Ben Hutchings benh at alioth.debian.org
Thu May 16 17:02:17 UTC 2013


Author: benh
Date: Thu May 16 17:02:17 2013
New Revision: 20124

Log:
Merge changes from wheezy-security up to 3.2.41-2+deb7u2

Added:
   dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
      - copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
Modified:
   dists/squeeze-backports/linux/   (props changed)
   dists/squeeze-backports/linux/debian/changelog
   dists/squeeze-backports/linux/debian/config/defines
   dists/squeeze-backports/linux/debian/patches/series

Modified: dists/squeeze-backports/linux/debian/changelog
==============================================================================
--- dists/squeeze-backports/linux/debian/changelog	Thu May 16 04:53:15 2013	(r20123)
+++ dists/squeeze-backports/linux/debian/changelog	Thu May 16 17:02:17 2013	(r20124)
@@ -1,4 +1,4 @@
-linux (3.2.41-2~bpo60+1) squeeze-backports; urgency=low
+linux (3.2.41-2+deb7u2~bpo60+1) squeeze-backports; urgency=high
 
   * Rebuild for squeeze:
     - Use gcc-4.4 for all architectures
@@ -11,7 +11,45 @@
     - Make build target depend on build-arch only, so we don't redundantly
       build documentation on each architecture
 
- -- Ben Hutchings <ben at decadent.org.uk>  Mon, 08 Apr 2013 00:04:06 +0100
+ -- Ben Hutchings <ben at decadent.org.uk>  Thu, 16 May 2013 13:38:45 +0100
+
+linux (3.2.41-2+deb7u2) wheezy-security; urgency=high
+
+  * s390/kvm: Ignore ABI changes, it should not be used OOT
+
+ -- dann frazier <dannf at debian.org>  Wed, 15 May 2013 12:07:33 -0600
+
+linux (3.2.41-2+deb7u1) wheezy-security; urgency=high
+
+  [ dann frazier ]
+  * perf: Treat attr.config as u64 in perf_swevent_init() (CVE-2013-2094)
+  * TTY: fix timing leak with /dev/ptmx (CVE-2013-0160)
+  * ext4: avoid hang when mounting non-journal filesystems with orphan list
+    (CVE-2013-2015)
+  * crypto: algif - suppress sending source address information in recvmsg
+    (CVE-2013-3076)
+  * atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
+  * ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
+  * Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
+  * Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
+    (CVE-2013-3225)
+  * caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
+    (CVE-2013-3227)
+  * irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
+  * iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
+  * llc: Fix missing msg_namelen update in  llc_ui_recvmsg() (CVE-2013-3231)
+  * rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
+  * tipc: fix info leaks via msg_name in  recv_msg/recv_stream (CVE-2013-3235)
+  * tracing: Fix possible NULL pointer dereferences (CVE-2013-3301)
+  
+  [ Ben Hutchings ]
+  * [x86] KVM: Allow cross page reads and writes from cached translations.
+    (fixes regression in fix for CVE-2013-1796)
+  * net: fix incorrect credentials passing (CVE-2013-1979)
+  * tg3: fix length overflow in VPD firmware parsing (CVE-2013-1929)
+  * kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
+
+ -- dann frazier <dannf at debian.org>  Tue, 14 May 2013 22:17:43 -0600
 
 linux (3.2.41-2) unstable; urgency=low
 

Modified: dists/squeeze-backports/linux/debian/config/defines
==============================================================================
--- dists/squeeze-backports/linux/debian/config/defines	Thu May 16 04:53:15 2013	(r20123)
+++ dists/squeeze-backports/linux/debian/config/defines	Thu May 16 17:02:17 2013	(r20124)
@@ -47,6 +47,8 @@
 # Only used by Google firmware module
  register_efivars
  unregister_efivars
+# Should not be used from OOT
+ module:arch/s390/kvm/kvm
 
 [base]
 arches:
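Review bot: The new comment `# Should not be used from OOT` does not say which ABI change prompted the exception, so a later maintainer cannot tell when the `module:arch/s390/kvm/kvm` entry can be dropped. Per the changelog hunk, this entry makes the build ignore ABI changes for that module, so it is worth tying it to the release that introduced it, e.g. `# s390 KVM is not meant for out-of-tree users; ABI change ignored since 3.2.41-2+deb7u2`. The list this entry joins starts above the hunk.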

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch)
@@ -0,0 +1,40 @@
+From bbad6f725f1d1b92e5eb3a7c6a8875eeec955747 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:50 +0000
+Subject: [PATCH] Bluetooth: RFCOMM - Fix missing msg_namelen update in 
+ rfcomm_sock_recvmsg()
+
+[ Upstream commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691 ]
+
+If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
+early with 0 without updating the possibly set msg_namelen member. This,
+in turn, leads to a 128 byte kernel stack leak in net/socket.c.
+
+Fix this by updating msg_namelen in this case. For all other cases it
+will be handled in bt_sock_stream_recvmsg().
+
+Cc: Marcel Holtmann <marcel at holtmann.org>
+Cc: Gustavo Padovan <gustavo at padovan.org>
+Cc: Johan Hedberg <johan.hedberg at gmail.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/bluetooth/rfcomm/sock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 14c4864..82ce164 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -627,6 +627,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
+ 		rfcomm_dlc_accept(d);
++		msg->msg_namelen = 0;
+ 		return 0;
+ 	}
+ 
+-- 
+1.7.10.4
+
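Review bot: The added `msg->msg_namelen = 0;` on the RFCOMM_DEFER_SETUP return carries no comment, so nothing in the code says that it stops net/socket.c from copying its uninitialised sockaddr_storage back to the caller. A short comment such as `/* no address returned: clear msg_namelen so the caller copies nothing from its stack buffer */` would keep the line from being removed as dead code later. The same applies to the matching assignments this commit adds in bt_sock_recvmsg(), vcc_recvmsg(), caif_seqpkt_recvmsg(), hash_recvmsg() and skcipher_recvmsg(). Because each recvmsg handler has to remember this on its own, a handler not touched by this series would presumably still leak, so the fixed set is worth checking against every recvmsg implementation in the tree. rfcomm_sock_recvmsg() starts and ends outside the hunk.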

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch)
@@ -0,0 +1,50 @@
+From 95ee0fb7a014cdf80be37b329fa462ff3847f7c0 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:49 +0000
+Subject: [PATCH] Bluetooth: fix possible info leak in bt_sock_recvmsg()
+
+[ Upstream commit 4683f42fde3977bdb4e8a09622788cc8b5313778 ]
+
+In case the socket is already shutting down, bt_sock_recvmsg() returns
+with 0 without updating msg_namelen leading to net/socket.c leaking the
+local, uninitialized sockaddr_storage variable to userland -- 128 bytes
+of kernel stack memory.
+
+Fix this by moving the msg_namelen assignment in front of the shutdown
+test.
+
+Cc: Marcel Holtmann <marcel at holtmann.org>
+Cc: Gustavo Padovan <gustavo at padovan.org>
+Cc: Johan Hedberg <johan.hedberg at gmail.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/bluetooth/af_bluetooth.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index 062124c..838f113 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -245,6 +245,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (flags & (MSG_OOB))
+ 		return -EOPNOTSUPP;
+ 
++	msg->msg_namelen = 0;
++
+ 	skb = skb_recv_datagram(sk, flags, noblock, &err);
+ 	if (!skb) {
+ 		if (sk->sk_shutdown & RCV_SHUTDOWN)
+@@ -252,8 +254,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 		return err;
+ 	}
+ 
+-	msg->msg_namelen = 0;
+-
+ 	copied = skb->len;
+ 	if (len < copied) {
+ 		msg->msg_flags |= MSG_TRUNC;
+-- 
+1.7.10.4
+

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch)
@@ -0,0 +1,57 @@
+From c29ad805df8c54a9f5d74c66bf5d4a2d449bd99a Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby at suse.cz>
+Date: Fri, 15 Feb 2013 15:25:05 +0100
+Subject: [PATCH] TTY: do not update atime/mtime on read/write
+
+commit b0de59b5733d18b0d1974a060860a8b5c1b36a2e upstream.
+
+On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
+out length of a password using timestamps of /dev/ptmx. It is
+documented in "Timing Analysis of Keystrokes and Timing Attacks on
+SSH". To avoid that problem, do not update time when reading
+from/writing to a TTY.
+
+I am afraid of regressions as this is a behavior we have since 0.97
+and apps may expect the time to be current, e.g. for monitoring
+whether there was a change on the TTY. Now, there is no change. So
+this would better have a lot of testing before it goes upstream.
+
+References: CVE-2013-0160
+
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/tty/tty_io.c |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 05085be..f3ad3ec 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -976,8 +976,7 @@ static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
+ 	else
+ 		i = -EIO;
+ 	tty_ldisc_deref(ld);
+-	if (i > 0)
+-		inode->i_atime = current_fs_time(inode->i_sb);
++
+ 	return i;
+ }
+ 
+@@ -1078,11 +1077,8 @@ static inline ssize_t do_tty_write(
+ 			break;
+ 		cond_resched();
+ 	}
+-	if (written) {
+-		struct inode *inode = file->f_path.dentry->d_inode;
+-		inode->i_mtime = current_fs_time(inode->i_sb);
++	if (written)
+ 		ret = written;
+-	}
+ out:
+ 	tty_write_unlock(tty);
+ 	return ret;
+-- 
+1.7.10.4
+
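Review bot: Applied on its own, this patch stops all atime/mtime updates in tty_read() and do_tty_write(), which its own commit message expects to cause regressions for tools that watch TTY timestamps. It should therefore not be applied or cherry-picked without `TTY-fix-atime-mtime-regression.patch`, which this commit adds alongside it; a bracketed backport note in the patch header could say so. The `debian/patches/series` change that fixes the order is not visible here, so the ordering is worth confirming there.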

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch)
@@ -0,0 +1,71 @@
+From 0b28f5865ef23d2bcee122d75b4aea1e2f052624 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby at suse.cz>
+Date: Fri, 26 Apr 2013 13:48:53 +0200
+Subject: [PATCH] TTY: fix atime/mtime regression
+
+commit 37b7f3c76595e23257f61bd80b223de8658617ee upstream.
+
+In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
+we removed timestamps from tty inodes to fix a security issue and waited
+if something breaks.  Well, 'w', the utility to find out logged users
+and their inactivity time broke.  It shows that users are inactive since
+the time they logged in.
+
+To revert to the old behaviour while still preventing attackers to
+guess the password length, we update the timestamps in one-minute
+intervals by this patch.
+
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: For 3.2, use Greg's backported version]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/tty/tty_io.c |   16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index f3ad3ec..c7131a9 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -940,6 +940,14 @@ void start_tty(struct tty_struct *tty)
+ 
+ EXPORT_SYMBOL(start_tty);
+ 
++static void tty_update_time(struct timespec *time)
++{
++	unsigned long sec = get_seconds();
++	sec -= sec % 60;
++	if ((long)(sec - time->tv_sec) > 0)
++		time->tv_sec = sec;
++}
++
+ /**
+  *	tty_read	-	read method for tty device files
+  *	@file: pointer to tty file
+@@ -977,6 +985,9 @@ static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
+ 		i = -EIO;
+ 	tty_ldisc_deref(ld);
+ 
++	if (i > 0)
++		tty_update_time(&inode->i_atime);
++
+ 	return i;
+ }
+ 
+@@ -1077,8 +1088,11 @@ static inline ssize_t do_tty_write(
+ 			break;
+ 		cond_resched();
+ 	}
+-	if (written)
++	if (written) {
++               struct inode *inode = file->f_path.dentry->d_inode;
++		tty_update_time(&inode->i_mtime);
+ 		ret = written;
++	}
+ out:
+ 	tty_write_unlock(tty);
+ 	return ret;
+-- 
+1.7.10.4
+
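Review bot: `tty_update_time()` writes only `time->tv_sec`, so `tv_nsec` keeps whatever value it last held and the stored timestamp is not actually aligned to the minute the function rounds to. If that is not intentional, adding `time->tv_nsec = 0;` next to the `tv_sec` assignment would make the coarse granularity exact. The one-minute rounding is the only thing limiting the timing side channel, so the function deserves a comment saying so, e.g. `/* round to one minute so per-keystroke timing is not observable through the inode timestamps */`. In do_tty_write() the added `struct inode *inode` line is indented with spaces while its neighbours use tabs. The commit's file list also adds `tty-fix-up-atime-mtime-mess-take-three.patch`, which presumably revises this logic again.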

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch)
@@ -0,0 +1,38 @@
+From 2a8c07b253bac436358adb9eb96a37dd223ef120 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
+
+[ Upstream commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/atm/common.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 0ca06e8..43b6bfe 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -500,6 +500,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ 	struct sk_buff *skb;
+ 	int copied, error = -EINVAL;
+ 
++	msg->msg_namelen = 0;
++
+ 	if (sock->state != SS_CONNECTED)
+ 		return -ENOTCONN;
+ 	if (flags & ~MSG_DONTWAIT)		/* only handle MSG_DONTWAIT */
+-- 
+1.7.10.4
+

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch)
@@ -0,0 +1,41 @@
+From e72f86d5b6602c86efb08443c58086c40228b81b Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:48 +0000
+Subject: [PATCH] ax25: fix info leak via msg_name in ax25_recvmsg()
+
+[ Upstream commit ef3313e84acbf349caecae942ab3ab731471f1a1 ]
+
+When msg_namelen is non-zero the sockaddr info gets filled out, as
+requested, but the code fails to initialize the padding bytes of struct
+sockaddr_ax25 inserted by the compiler for alignment. Additionally the
+msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
+not always filled up to this size.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix both issues by initializing the memory with memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/ax25/af_ax25.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index b04a6ef..86ac37f 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1641,6 +1641,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 		ax25_address src;
+ 		const unsigned char *mac = skb_mac_header(skb);
+ 
++		memset(sax, 0, sizeof(struct full_sockaddr_ax25));
+ 		ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
+ 				&digi, NULL, NULL);
+ 		sax->sax25_family = AF_AX25;
+-- 
+1.7.10.4
+
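Review bot: The `memset(sax, 0, sizeof(struct full_sockaddr_ax25))` writes the full structure size through `sax` regardless of how large the buffer behind `msg->msg_name` is. That is safe only if every caller supplies at least that much; the related patches in this commit describe net/socket.c passing a 128-byte sockaddr_storage, but this hunk does not show it. A comment stating the assumption, e.g. `/* msg_name is at least sizeof(struct sockaddr_storage); clear padding and any part not filled in below */`, would document why the unconditional size is correct. The enclosing block in ax25_recvmsg() begins and ends outside the hunk.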

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch)
@@ -0,0 +1,38 @@
+From 2d6fbfe733f35c6b355c216644e08e149c61b271 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:52 +0000
+Subject: [PATCH] caif: Fix missing msg_namelen update in
+ caif_seqpkt_recvmsg()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about caif_seqpkt_recvmsg() not filling the msg_name in case it was
+set.
+
+Cc: Sjur Braendeland <sjur.brandeland at stericsson.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/caif/caif_socket.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 095259f..ff2ff3c 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -286,6 +286,8 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (m->msg_flags&MSG_OOB)
+ 		goto read_error;
+ 
++	m->msg_namelen = 0;
++
+ 	skb = skb_recv_datagram(sk, flags, 0 , &ret);
+ 	if (!skb)
+ 		goto read_error;
+-- 
+1.7.10.4
+
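Review bot: Unlike the other Mathias Krause patches in this commit, this patch header has no `[ Upstream commit … ]` line and no sign-off from whoever backported it, so its origin has to be inferred from the `From <hash>` line alone. The two ext4 patches added here (`ext4-avoid-hang-when-mounting-non-journal-filesystem.patch` and `ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch`) have the same gap. For security backports it helps auditing to record the mainline commit explicitly, e.g. `commit <UPSTREAM_COMMIT_ID> upstream.` as the first line of the message, plus the backporter's `Signed-off-by`.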

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch)
@@ -0,0 +1,48 @@
+From 419f4ba0f032c8d906153d24e017f4bee6df26f5 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 14:05:39 +0200
+Subject: [PATCH] crypto: algif - suppress sending source address information
+ in recvmsg
+
+commit 72a763d805a48ac8c0bf48fdb510e84c12de51fe upstream.
+
+The current code does not set the msg_namelen member to 0 and therefore
+makes net/socket.c leak the local sockaddr_storage variable to userland
+-- 128 bytes of kernel stack memory. Fix that.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ crypto/algif_hash.c     |    2 ++
+ crypto/algif_skcipher.c |    1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
+index ef5356c..0262210 100644
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
+ 	else if (len < ds)
+ 		msg->msg_flags |= MSG_TRUNC;
+ 
++	msg->msg_namelen = 0;
++
+ 	lock_sock(sk);
+ 	if (ctx->more) {
+ 		ctx->more = 0;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index 6a6dfc0..a1c4f0a 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
+ 	long copied = 0;
+ 
+ 	lock_sock(sk);
++	msg->msg_namelen = 0;
+ 	for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
+ 	     iovlen--, iov++) {
+ 		unsigned long seglen = iov->iov_len;
+-- 
+1.7.10.4
+

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch)
@@ -0,0 +1,46 @@
+From 0e9a9a1ad619e7e987815d20262d36a2f95717ca Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso at mit.edu>
+Date: Thu, 27 Dec 2012 01:42:50 -0500
+Subject: [PATCH] ext4: avoid hang when mounting non-journal filesystems with
+ orphan list
+
+When trying to mount a file system which does not contain a journal,
+but which does have a orphan list containing an inode which needs to
+be truncated, the mount call with hang forever in
+ext4_orphan_cleanup() because ext4_orphan_del() will return
+immediately without removing the inode from the orphan list, leading
+to an uninterruptible loop in kernel code which will busy out one of
+the CPU's on the system.
+
+This can be trivially reproduced by trying to mount the file system
+found in tests/f_orphan_extents_inode/image.gz from the e2fsprogs
+source tree.  If a malicious user were to put this on a USB stick, and
+mount it on a Linux desktop which has automatic mounts enabled, this
+could be considered a potential denial of service attack.  (Not a big
+deal in practice, but professional paranoids worry about such things,
+and have even been known to allocate CVE numbers for such problems.)
+
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Reviewed-by: Zheng Liu <wenqing.lz at taobao.com>
+Cc: stable at vger.kernel.org
+---
+ fs/ext4/namei.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index cac4482..8990165 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2648,7 +2648,8 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
+ 	struct ext4_iloc iloc;
+ 	int err = 0;
+ 
+-	if (!EXT4_SB(inode->i_sb)->s_journal)
++	if ((!EXT4_SB(inode->i_sb)->s_journal) &&
++	    !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS))
+ 		return 0;
+ 
+ 	mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
+-- 
+1.7.10.4
+
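Review bot: The context line this hunk replaces, `if (!EXT4_SB(inode->i_sb)->s_journal)`, is only introduced by `ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch`, so that patch must come first in `debian/patches/series`; the series change is not visible here. The new condition also deserves a comment, because the reason for the `EXT4_ORPHAN_FS` exception is only in the commit message. Something like `/* without a journal this is a no-op, except during orphan cleanup at mount (presumably what EXT4_ORPHAN_FS marks), where the inode must still come off the list or the cleanup loop never ends */` would do. ext4_orphan_del() continues outside the hunk.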

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch)
@@ -0,0 +1,50 @@
+From c9b92530a723ac5ef8e352885a1862b18f31b2f5 Mon Sep 17 00:00:00 2001
+From: Anatol Pomozov <anatol.pomozov at gmail.com>
+Date: Tue, 18 Sep 2012 13:38:59 -0400
+Subject: [PATCH] ext4: make orphan functions be no-op in no-journal mode
+
+Instead of checking whether the handle is valid, we check if journal
+is enabled. This avoids taking the s_orphan_lock mutex in all cases
+when there is no journal in use, including the error paths where
+ext4_orphan_del() is called with a handle set to NULL.
+
+Signed-off-by: Anatol Pomozov <anatol.pomozov at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+---
+ fs/ext4/namei.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 37c03b3..8f4bda7 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2369,7 +2369,7 @@ int ext4_orphan_add(handle_t *handle, struct inode *inode)
+ 	struct ext4_iloc iloc;
+ 	int err = 0, rc;
+ 
+-	if (!ext4_handle_valid(handle))
++	if (!EXT4_SB(sb)->s_journal)
+ 		return 0;
+ 
+ 	mutex_lock(&EXT4_SB(sb)->s_orphan_lock);
+@@ -2443,8 +2443,7 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
+ 	struct ext4_iloc iloc;
+ 	int err = 0;
+ 
+-	/* ext4_handle_valid() assumes a valid handle_t pointer */
+-	if (handle && !ext4_handle_valid(handle))
++	if (!EXT4_SB(inode->i_sb)->s_journal)
+ 		return 0;
+ 
+ 	mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
+@@ -2463,7 +2462,7 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
+ 	 * transaction handle with which to update the orphan list on
+ 	 * disk, but we still need to remove the inode from the linked
+ 	 * list in memory. */
+-	if (sbi->s_journal && !handle)
++	if (!handle)
+ 		goto out;
+ 
+ 	err = ext4_reserve_inode_write(handle, inode, &iloc);
+-- 
+1.7.10.4
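Review bot: The new `if (!EXT4_SB(inode->i_sb)->s_journal) return 0;` in the second hunk (ext4_orphan_del) returns before `s_orphan_lock` is taken, so it also skips the in-memory list removal that the comment in the third hunk says is still needed. Nothing at the check says why that is safe. It holds only while ext4_orphan_add() is the sole way onto the list, since the first hunk makes that function a no-op without a journal. I would state the invariant at the check, e.g. `/* no journal: ext4_orphan_add() never queued this inode, so there is nothing to unlink */`, so that a path filling the list by other means gets noticed in review. Both function bodies continue outside the hunks.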

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch)
@@ -0,0 +1,41 @@
+From 402fb9f974f158d747e6c6944336cd9af7f349b2 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:53 +0000
+Subject: [PATCH] irda: Fix missing msg_namelen update in 
+ irda_recvmsg_dgram()
+
+[ Upstream commit 5ae94c0d2f0bed41d6718be743985d61b7f5c47d ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about irda_recvmsg_dgram() not filling the msg_name in case it was
+set.
+
+Cc: Samuel Ortiz <samuel at sortiz.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/irda/af_irda.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index f4b49c5..91821e9 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
+ 
+ 	IRDA_DEBUG(4, "%s()\n", __func__);
+ 
++	msg->msg_namelen = 0;
++
+ 	skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ 				flags & MSG_DONTWAIT, &err);
+ 	if (!skb)
+-- 
+1.7.10.4
+
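Review bot: The added `msg->msg_namelen = 0;` in irda_recvmsg_dgram() has no comment, and the same bare assignment appears in the iucv_sock_recvmsg() and llc_ui_recvmsg() patches further down, whereas the tipc hunks annotate theirs. Without knowing that, per the commit message, net/socket.c otherwise leaks its local sockaddr_storage buffer to userland, the line looks like dead initialisation and is easy to lose in a later cleanup. For irda and iucv I would add `/* msg_name is not filled here; a zero length keeps the caller from copying its buffer out */` above it. For llc, which may fill msg_name later, a comment in the style of the tipc one (`/* will be updated ... if needed */`) fits better. All three function bodies continue outside their hunks.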

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch)
@@ -0,0 +1,39 @@
+From 40c157ba78681c45cc62dabde406b44ca3c76c2b Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:54 +0000
+Subject: [PATCH] iucv: Fix missing msg_namelen update in  iucv_sock_recvmsg()
+
+[ Upstream commit a5598bd9c087dc0efc250a5221e5d0e6f584ee88 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about iucv_sock_recvmsg() not filling the msg_name in case it was set.
+
+Cc: Ursula Braun <ursula.braun at de.ibm.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/iucv/af_iucv.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index cf98d62..e836140 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1356,6 +1356,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	int blen;
+ 	int err = 0;
+ 
++	msg->msg_namelen = 0;
++
+ 	if ((sk->sk_state == IUCV_DISCONN || sk->sk_state == IUCV_SEVERED) &&
+ 	    skb_queue_empty(&iucv->backlog_skb_q) &&
+ 	    skb_queue_empty(&sk->sk_receive_queue) &&
+-- 
+1.7.10.4
+

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch)
@@ -0,0 +1,53 @@
+From ffe1341edbe2878134f3083625d5c916670d0fca Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese at gmail.com>
+Date: Wed, 17 Apr 2013 15:58:36 -0700
+Subject: [PATCH] kernel/signal.c: stop info leak via the tkill and the tgkill
+ syscalls
+
+commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream.
+
+This fixes a kernel memory contents leak via the tkill and tgkill syscalls
+for compat processes.
+
+This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
+when handling signals delivered from tkill.
+
+The place of the infoleak:
+
+int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
+{
+        ...
+        put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
+        ...
+}
+
+Signed-off-by: Emese Revfy <re.emese at gmail.com>
+Reviewed-by: PaX Team <pageexec at freemail.hu>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Al Viro <viro at zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: "Eric W. Biederman" <ebiederm at xmission.com>
+Cc: Serge Hallyn <serge.hallyn at canonical.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ kernel/signal.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index ea76d30..3ecf574 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2790,7 +2790,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+ 
+ static int do_tkill(pid_t tgid, pid_t pid, int sig)
+ {
+-	struct siginfo info;
++	struct siginfo info = {};
+ 
+ 	info.si_signo = sig;
+ 	info.si_errno = 0;
+-- 
+1.7.10.4
+
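Review bot: `struct siginfo info = {};` in do_tkill() relies on the compiler clearing every byte of a structure that, going by the field path quoted in the commit message (`_sifields._rt.si_sigval.sival_ptr`), contains a union. As far as the language guarantees go, the empty-brace initialiser promises zeroed members, not padding or the bytes of union members other than the first. Since the point of the change is that no stale stack bytes reach copy_siginfo_to_user32(), an explicit clear is the safer form: keep `struct siginfo info;` and add `memset(&info, 0, sizeof(info));` before the field assignments. do_tkill()'s body continues past the end of the hunk.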

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch)
@@ -0,0 +1,40 @@
+From d0dd0a3d5d31807eea0d54bd561cf178c45a24ca Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:56 +0000
+Subject: [PATCH] llc: Fix missing msg_namelen update in  llc_ui_recvmsg()
+
+[ Upstream commit c77a4b9cffb6215a15196ec499490d116dfad181 ]
+
+For stream sockets the code misses to update the msg_namelen member
+to 0 and therefore makes net/socket.c leak the local, uninitialized
+sockaddr_storage variable to userland -- 128 bytes of kernel stack
+memory. The msg_namelen update is also missing for datagram sockets
+in case the socket is shutting down during receive.
+
+Fix both issues by setting msg_namelen to 0 early. It will be
+updated later if we're going to fill the msg_name member.
+
+Cc: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/llc/af_llc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index 99a60d5..e5565c7 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -720,6 +720,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	int target;	/* Read at least this many bytes */
+ 	long timeo;
+ 
++	msg->msg_namelen = 0;
++
+ 	lock_sock(sk);
+ 	copied = -ENOTCONN;
+ 	if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
+-- 
+1.7.10.4
+

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch)
@@ -0,0 +1,87 @@
+From 5428146ebea24b916eb9e3684449699cb6a5c8c0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri, 19 Apr 2013 15:32:32 +0000
+Subject: [PATCH] net: fix incorrect credentials passing
+
+commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494 upstream.
+
+Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+sender") changed the credentials passing code to pass in the effective
+uid/gid instead of the real uid/gid.
+
+Obviously this doesn't matter most of the time (since normally they are
+the same), but it results in differences for suid binaries when the wrong
+uid/gid ends up being used.
+
+This just undoes that (presumably unintentional) part of the commit.
+
+Reported-by: Andy Lutomirski <luto at amacapital.net>
+Cc: Eric W. Biederman <ebiederm at xmission.com>
+Cc: Serge E. Hallyn <serge at hallyn.com>
+Cc: David S. Miller <davem at davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: scm_set_cred() does user namespace conversion
+ of euid/egid using cred_to_ucred().  Add and use cred_real_to_ucred() to
+ do the same thing for real uid/gid.]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ include/linux/socket.h |    1 +
+ include/net/scm.h      |    2 +-
+ net/core/sock.c        |   14 ++++++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index ad919e0..2acd2e2 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -317,6 +317,7 @@ struct ucred {
+ #define IPX_TYPE	1
+ 
+ extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
++extern void cred_real_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
+ 
+ extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
+ extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
+diff --git a/include/net/scm.h b/include/net/scm.h
+index 0c0017c..5da0a7b 100644
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -50,7 +50,7 @@ static __inline__ void scm_set_cred(struct scm_cookie *scm,
+ {
+ 	scm->pid  = get_pid(pid);
+ 	scm->cred = cred ? get_cred(cred) : NULL;
+-	cred_to_ucred(pid, cred, &scm->creds);
++	cred_real_to_ucred(pid, cred, &scm->creds);
+ }
+ 
+ static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1e8a882..2c73adf 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -761,6 +761,20 @@ void cred_to_ucred(struct pid *pid, const struct cred *cred,
+ }
+ EXPORT_SYMBOL_GPL(cred_to_ucred);
+ 
++void cred_real_to_ucred(struct pid *pid, const struct cred *cred,
++			struct ucred *ucred)
++{
++	ucred->pid = pid_vnr(pid);
++	ucred->uid = ucred->gid = -1;
++	if (cred) {
++		struct user_namespace *current_ns = current_user_ns();
++
++		ucred->uid = user_ns_map_uid(current_ns, cred, cred->uid);
++		ucred->gid = user_ns_map_gid(current_ns, cred, cred->gid);
++	}
++}
++EXPORT_SYMBOL_GPL(cred_real_to_ucred);
++
+ int sock_getsockopt(struct socket *sock, int level, int optname,
+ 		    char __user *optval, int __user *optlen)
+ {
+-- 
+1.7.10.4
+
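Review bot: cred_real_to_ucred() in net/core/sock.c is added without any comment, and going by the commit message it differs from cred_to_ucred() only in reading `cred->uid`/`cred->gid` instead of the effective ids (cred_to_ucred()'s body is outside the hunk). Choosing the wrong helper is exactly the regression being fixed, so the distinction should be written down at the definition or at the new declaration in socket.h, e.g. `/* As cred_to_ucred(), but reports the real uid/gid; used for SCM credentials */`. A one-line note in scm_set_cred() saying that SCM credentials deliberately carry the real ids would also keep the call from being changed back during a cleanup.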

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch)
@@ -0,0 +1,39 @@
+From 3fc8fc1cc2d585c1f695f7de914063258aafe50e Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tt.rantala at gmail.com>
+Date: Sat, 13 Apr 2013 19:49:14 +0000
+Subject: perf: Treat attr.config as u64 in perf_swevent_init()
+
+commit 8176cced706b5e5d15887584150764894e94e02f upstream.
+
+Trinity discovered that we fail to check all 64 bits of
+attr.config passed by user space, resulting to out-of-bounds
+access of the perf_swevent_enabled array in
+sw_perf_event_destroy().
+
+Introduced in commit b0a873ebb ("perf: Register PMU
+implementations").
+
+Signed-off-by: Tommi Rantala <tt.rantala at gmail.com>
+Cc: Peter Zijlstra <a.p.zijlstra at chello.nl>
+Cc: davej at redhat.com
+Cc: Paul Mackerras <paulus at samba.org>
+Cc: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
+Link: http://lkml.kernel.org/r/1365882554-30259-1-git-send-email-tt.rantala@gmail.com
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index d23dfa7..9f21915 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5164,7 +5164,7 @@ static void sw_perf_event_destroy(struct perf_event *event)
+ 
+ static int perf_swevent_init(struct perf_event *event)
+ {
+-	int event_id = event->attr.config;
++	u64 event_id = event->attr.config;
+ 
+ 	if (event->attr.type != PERF_TYPE_SOFTWARE)
+ 		return -ENOENT;
+--
+cgit v0.9.1
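Review bot: The type change to `u64 event_id` in perf_swevent_init() carries no comment, and the range check it exists for is below the end of the hunk, so the declaration reads like one that could be narrowed again. I would add `/* must be u64: attr.config is 64 bits wide and the bounds check below has to see all of them */` above it. It is also worth confirming that every other place that uses attr.config as an index into perf_swevent_enabled holds it in a 64-bit variable. Only sw_perf_event_destroy() is named here and its body is not shown.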

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch)
@@ -0,0 +1,39 @@
+From f05503a9ef115c505b36fcd75f77b341811e9169 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:59 +0000
+Subject: [PATCH] rose: fix info leak via msg_name in rose_recvmsg()
+
+[ Upstream commit 4a184233f21645cf0b719366210ed445d1024d72 ]
+
+The code in rose_recvmsg() does not initialize all of the members of
+struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
+Nor does it initialize the padding bytes of the structure inserted by
+the compiler for alignment. This will lead to leaking uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the issue by initializing the memory used for sockaddr info with
+memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/rose/af_rose.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index f9ea925..1f96fb9 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1258,6 +1258,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+ 
+ 	if (srose != NULL) {
++		memset(srose, 0, msg->msg_namelen);
+ 		srose->srose_family = AF_ROSE;
+ 		srose->srose_addr   = rose->dest_addr;
+ 		srose->srose_call   = rose->dest_call;
+-- 
+1.7.10.4
+
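Review bot: `memset(srose, 0, msg->msg_namelen);` in rose_recvmsg() sizes the clear by a length field set by the caller rather than by the structure this block fills. If msg_namelen on entry is smaller than the sockaddr written below, part of it is left uncleared. If it is larger than the buffer behind msg_name, the memset runs past it. Its value at this point is established outside the hunk, so this is worth checking. Sizing by the largest structure the function can write, `memset(srose, 0, sizeof(struct full_sockaddr_rose));`, removes the dependency, provided the msg_name buffer is always at least that large. The enclosing function starts and ends outside the hunk.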

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch)
@@ -0,0 +1,49 @@
+From 2b79fa8fddde2d070ca28a2d94394c39bfd8d741 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Wed, 27 Mar 2013 06:40:50 +0000
+Subject: [PATCH] tg3: fix length overflow in VPD firmware parsing
+
+commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream.
+
+Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
+when present") introduced VPD parsing that contained a potential length
+overflow.
+
+Limit the hardware's reported firmware string length (max 255 bytes) to
+stay inside the driver's firmware string length (32 bytes). On overflow,
+truncate the formatted firmware string instead of potentially overwriting
+portions of the tg3 struct.
+
+http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Oded Horovitz <oded at privatecore.com>
+Reported-by: Brad Spengler <spender at grsecurity.net>
+Cc: Matt Carlson <mcarlson at broadcom.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/net/ethernet/broadcom/tg3.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index c86fa50..c6b9903 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -13433,8 +13433,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp)
+ 		if (j + len > block_end)
+ 			goto partno;
+ 
+-		memcpy(tp->fw_ver, &vpd_data[j], len);
+-		strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
++		if (len >= sizeof(tp->fw_ver))
++			len = sizeof(tp->fw_ver) - 1;
++		memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
++		snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
++			 &vpd_data[j]);
+ 	}
+ 
+ partno:
+-- 
+1.7.10.4
+
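Review bot: In the new `snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len, &vpd_data[j]);` the precision argument of `%.*s` must be an `int`, while `len` is compared against `sizeof` just above and may well be declared unsigned (its declaration is outside the hunk). After the clamp the value is small, so this is about type correctness rather than a reachable overflow; passing `(int)len` makes it explicit. A short comment that a full-length version string pushes the ` bc ` suffix out of the buffer would also help, since snprintf() truncates silently. tg3_read_vpd() starts and ends outside the hunk.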

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch)
@@ -0,0 +1,66 @@
+From 1ae38900523eaf11a77c73827c096d7e7eade3a4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:52:00 +0000
+Subject: [PATCH] tipc: fix info leaks via msg_name in  recv_msg/recv_stream
+
+[ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ]
+
+The code in set_orig_addr() does not initialize all of the members of
+struct sockaddr_tipc when filling the sockaddr info -- namely the union
+is only partly filled. This will make recv_msg() and recv_stream() --
+the only users of this function -- leak kernel stack memory as the
+msg_name member is a local variable in net/socket.c.
+
+Additionally to that both recv_msg() and recv_stream() fail to update
+the msg_namelen member to 0 while otherwise returning with 0, i.e.
+"success". This is the case for, e.g., non-blocking sockets. This will
+lead to a 128 byte kernel stack leak in net/socket.c.
+
+Fix the first issue by initializing the memory of the union with
+memset(0). Fix the second one by setting msg_namelen to 0 early as it
+will be updated later if we're going to fill the msg_name member.
+
+Cc: Jon Maloy <jon.maloy at ericsson.com>
+Cc: Allan Stephens <allan.stephens at windriver.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/tipc/socket.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 42b8324..fdf34af 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -829,6 +829,7 @@ static void set_orig_addr(struct msghdr *m, struct tipc_msg *msg)
+ 	if (addr) {
+ 		addr->family = AF_TIPC;
+ 		addr->addrtype = TIPC_ADDR_ID;
++		memset(&addr->addr, 0, sizeof(addr->addr));
+ 		addr->addr.id.ref = msg_origport(msg);
+ 		addr->addr.id.node = msg_orignode(msg);
+ 		addr->addr.name.domain = 0;	/* could leave uninitialized */
+@@ -948,6 +949,9 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
+ 		goto exit;
+ 	}
+ 
++	/* will be updated in set_orig_addr() if needed */
++	m->msg_namelen = 0;
++
+ 	timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+ 
+@@ -1074,6 +1078,9 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
+ 		goto exit;
+ 	}
+ 
++	/* will be updated in set_orig_addr() if needed */
++	m->msg_namelen = 0;
++
+ 	target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
+ 	timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+-- 
+1.7.10.4
+
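Review bot: In set_orig_addr() the added `memset(&addr->addr, 0, sizeof(addr->addr));` clears only the union, and the context line right after it still reads `addr->addr.name.domain = 0; /* could leave uninitialized */`, a comment that now contradicts the purpose of the fix. I would clear the whole structure before any field is set, with `memset(addr, 0, sizeof(*addr));` as the first statement inside `if (addr)`. That also covers any padding or members not assigned in the visible lines. The stale comment can then be dropped, since the assignment becomes redundant. The rest of set_orig_addr(), including where msg_namelen is set, is outside the hunk.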

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch)
@@ -0,0 +1,86 @@
+From ee3c9aabb636fcfc21d53c506362620b55fdd8c6 Mon Sep 17 00:00:00 2001
+From: Namhyung Kim <namhyung.kim at lge.com>
+Date: Thu, 11 Apr 2013 15:55:01 +0900
+Subject: [PATCH] tracing: Fix possible NULL pointer dereferences
+
+commit 6a76f8c0ab19f215af2a3442870eeb5f0e81998d upstream.
+
+Currently set_ftrace_pid and set_graph_function files use seq_lseek
+for their fops.  However seq_open() is called only for FMODE_READ in
+the fops->open() so that if an user tries to seek one of those file
+when she open it for writing, it sees NULL seq_file and then panic.
+
+It can be easily reproduced with following command:
+
+  $ cd /sys/kernel/debug/tracing
+  $ echo 1234 | sudo tee -a set_ftrace_pid
+
+In this example, GNU coreutils' tee opens the file with fopen(, "a")
+and then the fopen() internally calls lseek().
+
+Link: http://lkml.kernel.org/r/1365663302-2170-1-git-send-email-namhyung@kernel.org
+
+Cc: Frederic Weisbecker <fweisbec at gmail.com>
+Cc: Ingo Molnar <mingo at kernel.org>
+Cc: Namhyung Kim <namhyung.kim at lge.com>
+Signed-off-by: Namhyung Kim <namhyung at kernel.org>
+Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
+[bwh: Backported to 3.2: ftrace_regex_lseek() is static]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ kernel/trace/ftrace.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index bed7991..5527211 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -2316,7 +2316,7 @@ ftrace_notrace_open(struct inode *inode, struct file *file)
+ }
+ 
+ static loff_t
+-ftrace_regex_lseek(struct file *file, loff_t offset, int origin)
++ftrace_filter_lseek(struct file *file, loff_t offset, int origin)
+ {
+ 	loff_t ret;
+ 
+@@ -3134,7 +3134,7 @@ static const struct file_operations ftrace_filter_fops = {
+ 	.open = ftrace_filter_open,
+ 	.read = seq_read,
+ 	.write = ftrace_filter_write,
+-	.llseek = ftrace_regex_lseek,
++	.llseek = ftrace_filter_lseek,
+ 	.release = ftrace_regex_release,
+ };
+ 
+@@ -3142,7 +3142,7 @@ static const struct file_operations ftrace_notrace_fops = {
+ 	.open = ftrace_notrace_open,
+ 	.read = seq_read,
+ 	.write = ftrace_notrace_write,
+-	.llseek = ftrace_regex_lseek,
++	.llseek = ftrace_filter_lseek,
+ 	.release = ftrace_regex_release,
+ };
+ 
+@@ -3350,8 +3350,8 @@ static const struct file_operations ftrace_graph_fops = {
+ 	.open		= ftrace_graph_open,
+ 	.read		= seq_read,
+ 	.write		= ftrace_graph_write,
++	.llseek		= ftrace_filter_lseek,
+ 	.release	= ftrace_graph_release,
+-	.llseek		= seq_lseek,
+ };
+ #endif /* CONFIG_FUNCTION_GRAPH_TRACER */
+ 
+@@ -3843,7 +3843,7 @@ static const struct file_operations ftrace_pid_fops = {
+ 	.open		= ftrace_pid_open,
+ 	.write		= ftrace_pid_write,
+ 	.read		= seq_read,
+-	.llseek		= seq_lseek,
++	.llseek		= ftrace_filter_lseek,
+ 	.release	= ftrace_pid_release,
+ };
+ 
+-- 
+1.7.10.4
+
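Review bot: The rename to ftrace_filter_lseek() and its use in ftrace_graph_fops and ftrace_pid_fops leave the function undocumented, although the fix depends entirely on its body (outside the first hunk) not reaching seq_lseek() when the file was opened without FMODE_READ. I would put that contract above the definition, e.g. `/* seq_open() runs only for FMODE_READ opens; never call seq_lseek() on a write-only file */`. Any other file_operations in this file that pairs a write-capable open with `.llseek = seq_lseek` would have the same NULL seq_file problem. None is visible in these hunks, so that is a check to make against the full source.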

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch)
@@ -0,0 +1,68 @@
+From cd945654552d978b84c0825c7206b2d0667a1272 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed, 1 May 2013 07:32:21 -0700
+Subject: [PATCH] tty: fix up atime/mtime mess, take three
+
+commit b0b885657b6c8ef63a46bc9299b2a7715d19acde upstream.
+
+We first tried to avoid updating atime/mtime entirely (commit
+b0de59b5733d: "TTY: do not update atime/mtime on read/write"), and then
+limited it to only update it occasionally (commit 37b7f3c76595: "TTY:
+fix atime/mtime regression"), but it turns out that this was both
+insufficient and overkill.
+
+It was insufficient because we let people attach to the shared ptmx node
+to see activity without even reading atime/mtime, and it was overkill
+because the "only once a minute" means that you can't really tell an
+idle person from an active one with 'w'.
+
+So this tries to fix the problem properly.  It marks the shared ptmx
+node as un-notifiable, and it lowers the "only once a minute" to a few
+seconds instead - still long enough that you can't time individual
+keystrokes, but short enough that you can tell whether somebody is
+active or not.
+
+Reported-by: Simon Kirby <sim at hostway.ca>
+Acked-by: Jiri Slaby <jslaby at suse.cz>
+Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/tty/pty.c    |    3 +++
+ drivers/tty/tty_io.c |    4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index d19b879..4735928 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -669,6 +669,9 @@ static int ptmx_open(struct inode *inode, struct file *filp)
+ 
+ 	nonseekable_open(inode, filp);
+ 
++	/* We refuse fsnotify events on ptmx, since it's a shared resource */
++	filp->f_mode |= FMODE_NONOTIFY;
++
+ 	retval = tty_alloc_file(filp);
+ 	if (retval)
+ 		return retval;
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index c7131a9..3f35e42 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -940,10 +940,10 @@ void start_tty(struct tty_struct *tty)
+ 
+ EXPORT_SYMBOL(start_tty);
+ 
++/* We limit tty time update visibility to every 8 seconds or so. */
+ static void tty_update_time(struct timespec *time)
+ {
+-	unsigned long sec = get_seconds();
+-	sec -= sec % 60;
++	unsigned long sec = get_seconds() & ~7;
+ 	if ((long)(sec - time->tv_sec) > 0)
+ 		time->tv_sec = sec;
+ }
+-- 
+1.7.10.4
+
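Review bot: The comment added above tty_update_time(), `/* We limit tty time update visibility to every 8 seconds or so. */`, says what the rounding does but not why, and the bare `~7` gives no hint that the value is a security trade-off. The commit message has the reason: the granularity must stay coarse enough that atime/mtime cannot be used to time individual keystrokes. I would carry that into the code, e.g. `/* Round down to 8 s: coarse enough that timestamps cannot time keystrokes, fine enough for 'w' idle times */`.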

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch	Thu May 16 17:02:17 2013	(r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch)
@@ -0,0 +1,177 @@
+From c471da1e3f5c6e43397dccf47cefd8edc86aa9f0 Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig at google.com>
+Date: Fri, 29 Mar 2013 09:35:21 -0700
+Subject: [PATCH] KVM: Allow cross page reads and writes from cached
+ translations.
+
+commit 8f964525a121f2ff2df948dac908dcc65be21b5b upstream.
+
+This patch adds support for kvm_gfn_to_hva_cache_init functions for
+reads and writes that will cross a page.  If the range falls within
+the same memslot, then this will be a fast operation.  If the range
+is split between two memslots, then the slower kvm_read_guest and
+kvm_write_guest are used.
+
+Tested: Test against kvm_clock unit tests.
+
+Signed-off-by: Andrew Honig <ahonig at google.com>
+Signed-off-by: Gleb Natapov <gleb at redhat.com>
+[bwh: Backported to 3.2:
+ - Drop change in lapic.c
+ - Keep using __gfn_to_memslot() in kvm_gfn_to_hva_cache_init()]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kvm/x86.c        |   13 ++++++-------
+ include/linux/kvm_host.h  |    2 +-
+ include/linux/kvm_types.h |    1 +
+ virt/kvm/kvm_main.c       |   47 +++++++++++++++++++++++++++++++++++----------
+ 4 files changed, 45 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 2dd2e4e..e82a53a 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1480,7 +1480,8 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
+ 		return 0;
+ 	}
+ 
+-	if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.apf.data, gpa))
++	if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.apf.data, gpa,
++					sizeof(u32)))
+ 		return 1;
+ 
+ 	vcpu->arch.apf.send_user_only = !(data & KVM_ASYNC_PF_SEND_ALWAYS);
+@@ -1594,12 +1595,9 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+ 
+ 		gpa_offset = data & ~(PAGE_MASK | 1);
+ 
+-		/* Check that the address is 32-byte aligned. */
+-		if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1))
+-			break;
+-
+ 		if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
+-		     &vcpu->arch.pv_time, data & ~1ULL))
++		     &vcpu->arch.pv_time, data & ~1ULL,
++		     sizeof(struct pvclock_vcpu_time_info)))
+ 			vcpu->arch.pv_time_enabled = false;
+ 		else
+ 			vcpu->arch.pv_time_enabled = true;
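Review bot: With the alignment check removed, `gpa_offset = data & ~(PAGE_MASK | 1);` at the top of this hunk has no reader left in the visible lines. If nothing further down in this case of kvm_set_msr_common uses it, the assignment and the variable should be dropped in the same change. A one-line comment at the call, for example `/* range may cross a page; kvm_gfn_to_hva_cache_init() validates all of it */`, would also record that dropping the check is only safe because of the new `len` argument. The enclosing function starts and ends outside the hunk.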
+@@ -1618,7 +1616,8 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+ 			return 1;
+ 
+ 		if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.st.stime,
+-							data & KVM_STEAL_VALID_BITS))
++						data & KVM_STEAL_VALID_BITS,
++						sizeof(struct kvm_steal_time)))
+ 			return 1;
+ 
+ 		vcpu->arch.st.msr_val = data;
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index 6136821..e6796c1 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -396,7 +396,7 @@ int kvm_write_guest(struct kvm *kvm, gpa_t gpa, const void *data,
+ int kvm_write_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+ 			   void *data, unsigned long len);
+ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+-			      gpa_t gpa);
++			      gpa_t gpa, unsigned long len);
+ int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len);
+ int kvm_clear_guest(struct kvm *kvm, gpa_t gpa, unsigned long len);
+ struct kvm_memory_slot *gfn_to_memslot(struct kvm *kvm, gfn_t gfn);
+diff --git a/include/linux/kvm_types.h b/include/linux/kvm_types.h
+index fa7cc72..b0bcce0 100644
+--- a/include/linux/kvm_types.h
++++ b/include/linux/kvm_types.h
+@@ -71,6 +71,7 @@ struct gfn_to_hva_cache {
+ 	u64 generation;
+ 	gpa_t gpa;
+ 	unsigned long hva;
++	unsigned long len;
+ 	struct kvm_memory_slot *memslot;
+ };
+ 
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index ec747dc..8bf05f0 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1401,21 +1401,38 @@ int kvm_write_guest(struct kvm *kvm, gpa_t gpa, const void *data,
+ }
+ 
+ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+-			      gpa_t gpa)
++			      gpa_t gpa, unsigned long len)
+ {
+ 	struct kvm_memslots *slots = kvm_memslots(kvm);
+ 	int offset = offset_in_page(gpa);
+-	gfn_t gfn = gpa >> PAGE_SHIFT;
++	gfn_t start_gfn = gpa >> PAGE_SHIFT;
++	gfn_t end_gfn = (gpa + len - 1) >> PAGE_SHIFT;
++	gfn_t nr_pages_needed = end_gfn - start_gfn + 1;
++	gfn_t nr_pages_avail;
+ 
+ 	ghc->gpa = gpa;
+ 	ghc->generation = slots->generation;
+-	ghc->memslot = __gfn_to_memslot(slots, gfn);
+-	ghc->hva = gfn_to_hva_many(ghc->memslot, gfn, NULL);
+-	if (!kvm_is_error_hva(ghc->hva))
++	ghc->len = len;
++	ghc->memslot = __gfn_to_memslot(slots, start_gfn);
++	ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, &nr_pages_avail);
++	if (!kvm_is_error_hva(ghc->hva) && nr_pages_avail >= nr_pages_needed) {
+ 		ghc->hva += offset;
+-	else
+-		return -EFAULT;
+-
++	} else {
++		/*
++		 * If the requested region crosses two memslots, we still
++		 * verify that the entire region is valid here.
++		 */
++		while (start_gfn <= end_gfn) {
++			ghc->memslot = __gfn_to_memslot(slots, start_gfn);
++			ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn,
++						   &nr_pages_avail);
++			if (kvm_is_error_hva(ghc->hva))
++				return -EFAULT;
++			start_gfn += nr_pages_avail;
++		}
++		/* Use the slow path for cross page reads and writes. */
++		ghc->memslot = NULL;
++	}
+ 	return 0;
+ }
+ EXPORT_SYMBOL_GPL(kvm_gfn_to_hva_cache_init);
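Review bot: `end_gfn = (gpa + len - 1) >> PAGE_SHIFT` in kvm_gfn_to_hva_cache_init can land below `start_gfn` when `len` is 0 on a page-aligned `gpa`, or when `gpa + len` wraps. In the x86.c callers of this patch `gpa` is derived from guest-written MSR data. When that happens and the fast-path test fails, the `while (start_gfn <= end_gfn)` loop never runs, so the function returns 0 with `ghc->memslot = NULL` without having validated any page. The later kvm_read_guest/kvm_write_guest slow path presumably still rejects the access, but callers use this return value to set state such as `pv_time_enabled`. An early `if (start_gfn > end_gfn) return -EFAULT;` after `ghc->len = len;` would make the init result trustworthy.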
+@@ -1426,8 +1443,13 @@ int kvm_write_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+ 	struct kvm_memslots *slots = kvm_memslots(kvm);
+ 	int r;
+ 
++	BUG_ON(len > ghc->len);
++
+ 	if (slots->generation != ghc->generation)
+-		kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa);
++		kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
++
++	if (unlikely(!ghc->memslot))
++		return kvm_write_guest(kvm, ghc->gpa, data, len);
+ 
+ 	if (kvm_is_error_hva(ghc->hva))
+ 		return -EFAULT;
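Review bot: `BUG_ON(len > ghc->len)` in kvm_write_guest_cached stops the whole host on a length mismatch. The callers visible in this patch pass compile-time sizes, but for a helper that works on guest-registered addresses `if (WARN_ON_ONCE(len > ghc->len)) return -EINVAL;` would fail the single access instead. The identical check in kvm_read_guest_cached in the next hunk has the same issue. Separately, the return value of the re-init call `kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len)` is still discarded in both functions; the following `!ghc->memslot` and `kvm_is_error_hva()` tests appear to cover a failed re-init, and a short comment saying so would help. Both function bodies continue outside their hunks.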
+@@ -1447,8 +1469,13 @@ int kvm_read_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+ 	struct kvm_memslots *slots = kvm_memslots(kvm);
+ 	int r;
+ 
++	BUG_ON(len > ghc->len);
++
+ 	if (slots->generation != ghc->generation)
+-		kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa);
++		kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
++
++	if (unlikely(!ghc->memslot))
++		return kvm_read_guest(kvm, ghc->gpa, data, len);
+ 
+ 	if (kvm_is_error_hva(ghc->hva))
+ 		return -EFAULT;
+-- 
+1.7.10.4
+

Modified: dists/squeeze-backports/linux/debian/patches/series
==============================================================================
--- dists/squeeze-backports/linux/debian/patches/series	Thu May 16 04:53:15 2013	(r20123)
+++ dists/squeeze-backports/linux/debian/patches/series	Thu May 16 17:02:17 2013	(r20124)
@@ -639,3 +639,25 @@
 bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
 bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
 bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
+bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch
+bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch
+bugfix/all/TTY-fix-atime-mtime-regression.patch
+bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch
+bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
+bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
+bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
+bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
+bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
+bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
+bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch
+bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
+bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
+bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
+bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
+bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch
+bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
+bugfix/all/net-fix-incorrect-credentials-passing.patch
+bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
+bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch


