[kernel] r22411 - in dists/squeeze-backports/linux: . debian debian/patches debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/debian
Ben Hutchings
benh at moszumanska.debian.org
Sun Feb 22 03:53:27 UTC 2015
Author: benh
Date: Sun Feb 22 03:53:27 2015
New Revision: 22411
Log:
Merge changes from wheezy-security up to 3.2.65-1+deb7u2
Added:
dists/squeeze-backports/linux/debian/patches/bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/aufs-move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/aufs-move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-add-missing-crypto-module-aliases.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-add-missing-crypto-module-aliases.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-include-crypto-module-prefix-in-template.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-include-crypto-module-prefix-in-template.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-prefix-module-autoloading-with-crypto.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-prefix-module-autoloading-with-crypto.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/dcache-fix-locking-bugs-in-backported-deal-with-deadlock-in-d_walk.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/dcache-fix-locking-bugs-in-backported-deal-with-deadlock-in-d_walk.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/deal-with-deadlock-in-d_walk.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/deal-with-deadlock-in-d_walk.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/move-d_rcu-from-overlapping-d_child-to-overlapping-d_alias.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/move-d_rcu-from-overlapping-d_child-to-overlapping-d_alias.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-init-collisions.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-init-collisions.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/vfs-fix-vfsmount_lock-imbalance-in-path_init.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/vfs-fix-vfsmount_lock-imbalance-in-path_init.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
dists/squeeze-backports/linux/debian/patches/bugfix/x86/kvm-x86-emulator-reject-sysenter-in-compatibility-mo.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/kvm-x86-emulator-reject-sysenter-in-compatibility-mo.patch
dists/squeeze-backports/linux/debian/patches/bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch
dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no-segment.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no-segment.patch
dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86-tls-ldt-stop-checking-lm-in-ldt_empty.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-tls-ldt-stop-checking-lm-in-ldt_empty.patch
dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-vdso-fix-the-vdso-address-randomization-algor.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-vdso-fix-the-vdso-address-randomization-algor.patch
dists/squeeze-backports/linux/debian/patches/debian/vfs-avoid-abi-change-for-dentry-union-changes.patch
- copied unchanged from r22408, dists/wheezy-security/linux/debian/patches/debian/vfs-avoid-abi-change-for-dentry-union-changes.patch
Modified:
dists/squeeze-backports/linux/ (props changed)
dists/squeeze-backports/linux/debian/changelog
dists/squeeze-backports/linux/debian/patches/series
Modified: dists/squeeze-backports/linux/debian/changelog
==============================================================================
--- dists/squeeze-backports/linux/debian/changelog Sun Feb 22 03:51:06 2015 (r22410)
+++ dists/squeeze-backports/linux/debian/changelog Sun Feb 22 03:53:27 2015 (r22411)
@@ -1,3 +1,49 @@
+linux (3.2.65-1+deb7u2~bpo60+1) UNRELEASED; urgency=medium
+
+ * Rebuild for squeeze:
+ - Use gcc-4.4 for all architectures
+ - Disable building of udebs
+ - Change ABI number to 0.bpo.4
+ - Monkey-patch Python collections module to add OrderedDict if necessary
+ - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to
+ reduce kernel size (as suggested by Arnaud Patard)
+ - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option
+ - Make build target depend on build-arch only, so we don't redundantly
+ build documentation on each architecture
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 22 Feb 2015 03:52:00 +0000
+
+linux (3.2.65-1+deb7u2) wheezy-security; urgency=medium
+
+ * splice: Apply generic position and size checks to each write
+ (CVE-2014-7822)
+ * crypto: Fix unprivileged arbitrary module loading (CVE-2013-7421,
+ CVE-2014-9644)
+ - prefix module autoloading with "crypto-"
+ - include crypto- module prefix in template
+ - add missing crypto module aliases
+ * netfilter: conntrack: disable generic tracking for known protocols
+ (CVE-2014-8160)
+ * [amd64] vdso: Fix the vdso address randomization algorithm (CVE-2014-9585)
+ * [x86] KVM: x86 emulator: reject SYSENTER in compatibility mode on AMD
+ guests
+ * [x86] KVM: SYSENTER emulation is broken (CVE-2015-0239)
+ * vfs: move d_rcu from overlapping d_child to overlapping d_alias
+ * aufs: move d_rcu from overlapping d_child to overlapping d_alias
+ * vfs: deal with deadlock in d_walk() (CVE-2014-8559)
+ * vfs: read file_handle only once in handle_to_path (CVE-2015-1420)
+ * ASLR: fix stack randomization on 64-bit systems (CVE-2015-1593)
+ * vfs: Fix vfsmount_lock imbalance in path_init() (regression in 3.2.64)
+ * net: sctp: fix slab corruption from use after free on INIT collisions
+ (CVE-2015-1421)
+ * Fix regressions caused by CVE-2014-8133 fix:
+ - [amd64] tls, ldt: Stop checking lm in LDT_empty
+ - [x86] tls: Interpret an all-zero struct user_desc as "no segment"
+ * eCryptfs: Remove buggy and unnecessary write in file name decode
+ routine (CVE-2014-9683)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Fri, 20 Feb 2015 02:39:08 +0000
+
linux (3.2.65-1+deb7u1~bpo60+1) squeeze-backports; urgency=medium
* Rebuild for squeeze:
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch)
@@ -0,0 +1,98 @@
+From: Hector Marco-Gisbert <hecmargi at upv.es>
+Date: Sat, 14 Feb 2015 09:33:50 -0800
+Subject: ASLR: fix stack randomization on 64-bit systems
+Origin: http://article.gmane.org/gmane.linux.kernel/1888210
+
+The issue is that the stack for processes is not properly randomized on 64 bit
+architectures due to an integer overflow.
+
+The affected function is randomize_stack_top() in file "fs/binfmt_elf.c":
+
+static unsigned long randomize_stack_top(unsigned long stack_top)
+{
+ unsigned int random_variable = 0;
+
+ if ((current->flags & PF_RANDOMIZE) &&
+ !(current->personality & ADDR_NO_RANDOMIZE)) {
+ random_variable = get_random_int() & STACK_RND_MASK;
+ random_variable <<= PAGE_SHIFT;
+ }
+ return PAGE_ALIGN(stack_top) + random_variable;
+ return PAGE_ALIGN(stack_top) - random_variable;
+}
+
+Note that, it declares the "random_variable" variable as "unsigned int". Since
+the result of the shifting operation between STACK_RND_MASK (which is
+0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
+
+random_variable <<= PAGE_SHIFT;
+
+then the two leftmost bits are dropped when storing the result in the
+"random_variable". This variable shall be at least 34 bits long to hold the
+(22+12) result.
+
+These two dropped bits have an impact on the entropy of process stack.
+Concretely, the total stack entropy is reduced by four: from 2^28 to 2^30 (One
+fourth of expected entropy).
+
+This patch restores back the entropy by correcting the types involved in the
+operations in the functions randomize_stack_top() and stack_maxrandom_size().
+
+The successful fix can be tested with:
+$ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
+7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
+7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
+7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
+7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
+...
+
+Once corrected, the leading bytes should be between 7ffc and 7fff, rather
+than always being 7fff.
+
+CVE-2015-1593
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi at upv.es>
+Signed-off-by: Ismael Ripoll <iripoll at upv.es>
+[kees: rebase, fix 80 char, clean up commit message, add test example, cve]
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org
+---
+ arch/x86/mm/mmap.c | 6 +++---
+ fs/binfmt_elf.c | 5 +++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -35,12 +35,12 @@ struct __read_mostly va_alignment va_ali
+ .flags = -1,
+ };
+
+-static unsigned int stack_maxrandom_size(void)
++static unsigned long stack_maxrandom_size(void)
+ {
+- unsigned int max = 0;
++ unsigned long max = 0;
+ if ((current->flags & PF_RANDOMIZE) &&
+ !(current->personality & ADDR_NO_RANDOMIZE)) {
+- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
++ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
+ }
+
+ return max;
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -542,11 +542,12 @@ out:
+
+ static unsigned long randomize_stack_top(unsigned long stack_top)
+ {
+- unsigned int random_variable = 0;
++ unsigned long random_variable = 0;
+
+ if ((current->flags & PF_RANDOMIZE) &&
+ !(current->personality & ADDR_NO_RANDOMIZE)) {
+- random_variable = get_random_int() & STACK_RND_MASK;
++ random_variable = (unsigned long) get_random_int();
++ random_variable &= STACK_RND_MASK;
+ random_variable <<= PAGE_SHIFT;
+ }
+ #ifdef CONFIG_STACK_GROWSUP
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/aufs-move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/aufs-move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/aufs-move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/aufs-move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch)
@@ -0,0 +1,71 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 12 Jan 2015 04:12:45 +0000
+Subject: aufs: move d_rcu from overlapping d_child to overlapping d_alias
+Forwarded: not-needed
+
+Apply the renaming from commit 946e51f2bf37f1656916eb75bd0742ba33983c28
+upstream to aufs.
+
+---
+--- a/fs/aufs/dcsub.c
++++ b/fs/aufs/dcsub.c
+@@ -134,7 +134,7 @@ resume:
+ while (next != &this_parent->d_subdirs) {
+ struct list_head *tmp = next;
+ struct dentry *dentry = list_entry(tmp, struct dentry,
+- d_u.d_child);
++ d_child);
+
+ next = tmp->next;
+ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
+@@ -170,7 +170,7 @@ resume:
+ this_parent = tmp;
+ spin_lock(&this_parent->d_lock);
+ rcu_read_unlock();
+- next = child->d_u.d_child.next;
++ next = child->d_child.next;
+ goto resume;
+ }
+
+--- a/fs/aufs/debug.c
++++ b/fs/aufs/debug.c
+@@ -140,7 +140,7 @@ void au_dpri_dalias(struct inode *inode)
+ struct dentry *d;
+
+ spin_lock(&inode->i_lock);
+- list_for_each_entry(d, &inode->i_dentry, d_alias)
++ list_for_each_entry(d, &inode->i_dentry, d_u.d_alias)
+ au_dpri_dentry(d);
+ spin_unlock(&inode->i_lock);
+ }
+--- a/fs/aufs/export.c
++++ b/fs/aufs/export.c
+@@ -228,7 +228,7 @@ static struct dentry *decode_by_ino(stru
+ dentry = d_find_alias(inode);
+ else {
+ spin_lock(&inode->i_lock);
+- list_for_each_entry(d, &inode->i_dentry, d_alias) {
++ list_for_each_entry(d, &inode->i_dentry, d_u.d_alias) {
+ spin_lock(&d->d_lock);
+ if (!au_test_anon(d)
+ && d->d_parent->d_inode->i_ino == dir_ino) {
+--- a/fs/aufs/hnotify.c
++++ b/fs/aufs/hnotify.c
+@@ -212,7 +212,7 @@ static int hn_gen_by_inode(char *name, u
+ AuDebugOn(!name);
+ au_iigen_dec(inode);
+ spin_lock(&inode->i_lock);
+- list_for_each_entry(d, &inode->i_dentry, d_alias) {
++ list_for_each_entry(d, &inode->i_dentry, d_u.d_alias) {
+ spin_lock(&d->d_lock);
+ dname = &d->d_name;
+ if (dname->len != nlen
+@@ -378,7 +378,7 @@ static struct dentry *lookup_wlock_by_na
+
+ dentry = NULL;
+ spin_lock(&parent->d_lock);
+- list_for_each_entry(d, &parent->d_subdirs, d_u.d_child) {
++ list_for_each_entry(d, &parent->d_subdirs, d_child) {
+ /* AuDbg("%.*s\n", AuDLNPair(d)); */
+ spin_lock_nested(&d->d_lock, DENTRY_D_LOCK_NESTED);
+ dname = &d->d_name;
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-add-missing-crypto-module-aliases.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-add-missing-crypto-module-aliases.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-add-missing-crypto-module-aliases.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-add-missing-crypto-module-aliases.patch)
@@ -0,0 +1,168 @@
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 11 Jan 2015 18:17:42 +0100
+Subject: crypto: add missing crypto module aliases
+Origin: https://git.kernel.org/linus/3e14dcf7cb80b34a1f38b55bc96f02d23fdaaaaf
+
+Commit 5d26a105b5a7 ("crypto: prefix module autoloading with "crypto-"")
+changed the automatic module loading when requesting crypto algorithms
+to prefix all module requests with "crypto-". This requires all crypto
+modules to have a crypto specific module alias even if their file name
+would otherwise match the requested crypto algorithm.
+
+Even though commit 5d26a105b5a7 added those aliases for a vast amount of
+modules, it was missing a few. Add the required MODULE_ALIAS_CRYPTO
+annotations to those files to make them get loaded automatically, again.
+This fixes, e.g., requesting 'ecb(blowfish-generic)', which used to work
+with kernels v3.18 and below.
+
+Also change MODULE_ALIAS() lines to MODULE_ALIAS_CRYPTO(). The former
+won't work for crypto modules any more.
+
+Fixes: 5d26a105b5a7 ("crypto: prefix module autoloading with "crypto-"")
+Cc: Kees Cook <keescook at chromium.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+[bwh: Backported to 3.2:
+ - Adjust filenames
+ - Drop changes to algorithms and drivers we don't have]
+---
+ crypto/aes_generic.c | 1 +
+ crypto/ansi_cprng.c | 1 +
+ crypto/blowfish_generic.c | 1 +
+ crypto/camellia_generic.c | 1 +
+ crypto/des_generic.c | 7 ++++---
+ crypto/ghash-generic.c | 1 +
+ crypto/krng.c | 1 +
+ crypto/salsa20_generic.c | 1 +
+ crypto/sha1_generic.c | 1 +
+ crypto/sha256_generic.c | 2 ++
+ crypto/sha512_generic.c | 2 ++
+ crypto/tea.c | 1 +
+ crypto/tgr192.c | 1 +
+ crypto/twofish_generic.c | 1 +
+ crypto/wp512.c | 1 +
+
+--- a/crypto/aes_generic.c
++++ b/crypto/aes_generic.c
+@@ -1476,3 +1476,4 @@ module_exit(aes_fini);
+ MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm");
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_ALIAS_CRYPTO("aes");
++MODULE_ALIAS_CRYPTO("aes-generic");
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -486,3 +486,4 @@ MODULE_PARM_DESC(dbg, "Boolean to enable
+ module_init(prng_mod_init);
+ module_exit(prng_mod_fini);
+ MODULE_ALIAS_CRYPTO("stdrng");
++MODULE_ALIAS_CRYPTO("ansi_cprng");
+--- a/crypto/blowfish_generic.c
++++ b/crypto/blowfish_generic.c
+@@ -140,3 +140,4 @@ module_exit(blowfish_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Blowfish Cipher Algorithm");
+ MODULE_ALIAS_CRYPTO("blowfish");
++MODULE_ALIAS_CRYPTO("blowfish-generic");
+--- a/crypto/des_generic.c
++++ b/crypto/des_generic.c
+@@ -975,8 +975,6 @@ static struct crypto_alg des3_ede_alg =
+ .cia_decrypt = des3_ede_decrypt } }
+ };
+
+-MODULE_ALIAS_CRYPTO("des3_ede");
+-
+ static int __init des_generic_mod_init(void)
+ {
+ int ret = 0;
+@@ -1004,4 +1002,7 @@ module_exit(des_generic_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms");
+ MODULE_AUTHOR("Dag Arne Osvik <da at osvik.no>");
+-MODULE_ALIAS("des");
++MODULE_ALIAS_CRYPTO("des");
++MODULE_ALIAS_CRYPTO("des-generic");
++MODULE_ALIAS_CRYPTO("des3_ede");
++MODULE_ALIAS_CRYPTO("des3_ede-generic");
+--- a/crypto/ghash-generic.c
++++ b/crypto/ghash-generic.c
+@@ -174,3 +174,4 @@ module_exit(ghash_mod_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("GHASH Message Digest Algorithm");
+ MODULE_ALIAS_CRYPTO("ghash");
++MODULE_ALIAS_CRYPTO("ghash-generic");
+--- a/crypto/krng.c
++++ b/crypto/krng.c
+@@ -64,3 +64,4 @@ module_exit(krng_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Kernel Random Number Generator");
+ MODULE_ALIAS_CRYPTO("stdrng");
++MODULE_ALIAS_CRYPTO("krng");
+--- a/crypto/salsa20_generic.c
++++ b/crypto/salsa20_generic.c
+@@ -250,3 +250,4 @@ module_exit(salsa20_generic_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
+ MODULE_ALIAS_CRYPTO("salsa20");
++MODULE_ALIAS_CRYPTO("salsa20-generic");
+--- a/crypto/sha1_generic.c
++++ b/crypto/sha1_generic.c
+@@ -154,3 +154,4 @@ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm");
+
+ MODULE_ALIAS_CRYPTO("sha1");
++MODULE_ALIAS_CRYPTO("sha1-generic");
+--- a/crypto/sha256_generic.c
++++ b/crypto/sha256_generic.c
+@@ -399,4 +399,6 @@ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA-224 and SHA-256 Secure Hash Algorithm");
+
+ MODULE_ALIAS_CRYPTO("sha224");
++MODULE_ALIAS_CRYPTO("sha224-generic");
+ MODULE_ALIAS_CRYPTO("sha256");
++MODULE_ALIAS_CRYPTO("sha256-generic");
+--- a/crypto/sha512_generic.c
++++ b/crypto/sha512_generic.c
+@@ -295,4 +295,6 @@ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA-512 and SHA-384 Secure Hash Algorithms");
+
+ MODULE_ALIAS_CRYPTO("sha384");
++MODULE_ALIAS_CRYPTO("sha384-generic");
+ MODULE_ALIAS_CRYPTO("sha512");
++MODULE_ALIAS_CRYPTO("sha512-generic");
+--- a/crypto/tea.c
++++ b/crypto/tea.c
+@@ -299,6 +299,7 @@ static void __exit tea_mod_fini(void)
+ crypto_unregister_alg(&xeta_alg);
+ }
+
++MODULE_ALIAS_CRYPTO("tea");
+ MODULE_ALIAS_CRYPTO("xtea");
+ MODULE_ALIAS_CRYPTO("xeta");
+
+--- a/crypto/tgr192.c
++++ b/crypto/tgr192.c
+@@ -702,6 +702,7 @@ static void __exit tgr192_mod_fini(void)
+ crypto_unregister_shash(&tgr128);
+ }
+
++MODULE_ALIAS_CRYPTO("tgr192");
+ MODULE_ALIAS_CRYPTO("tgr160");
+ MODULE_ALIAS_CRYPTO("tgr128");
+
+--- a/crypto/twofish_generic.c
++++ b/crypto/twofish_generic.c
+@@ -213,3 +213,4 @@ module_exit(twofish_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Twofish Cipher Algorithm");
+ MODULE_ALIAS_CRYPTO("twofish");
++MODULE_ALIAS_CRYPTO("twofish-generic");
+--- a/crypto/wp512.c
++++ b/crypto/wp512.c
+@@ -1194,6 +1194,7 @@ static void __exit wp512_mod_fini(void)
+ crypto_unregister_shash(&wp256);
+ }
+
++MODULE_ALIAS_CRYPTO("wp512");
+ MODULE_ALIAS_CRYPTO("wp384");
+ MODULE_ALIAS_CRYPTO("wp256");
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-include-crypto-module-prefix-in-template.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-include-crypto-module-prefix-in-template.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-include-crypto-module-prefix-in-template.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-include-crypto-module-prefix-in-template.patch)
@@ -0,0 +1,208 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Mon, 24 Nov 2014 16:32:38 -0800
+Subject: crypto: include crypto- module prefix in template
+Origin: https://git.kernel.org/linus/4943ba16bbc2db05115707b3ff7b4874e9e3c560
+
+This adds the module loading prefix "crypto-" to the template lookup
+as well.
+
+For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly
+includes the "crypto-" prefix at every level, correctly rejecting "vfat":
+
+ net-pf-38
+ algif-hash
+ crypto-vfat(blowfish)
+ crypto-vfat(blowfish)-all
+ crypto-vfat
+
+Reported-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Acked-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+[bwh: Backported to 3.2: drop changes to cmac and mcryptd which we don't have]
+---
+ arch/x86/crypto/fpu.c | 3 +++
+ crypto/algapi.c | 4 ++--
+ crypto/authenc.c | 1 +
+ crypto/authencesn.c | 1 +
+ crypto/cbc.c | 1 +
+ crypto/ccm.c | 1 +
+ crypto/chainiv.c | 1 +
+ crypto/cryptd.c | 1 +
+ crypto/ctr.c | 1 +
+ crypto/cts.c | 1 +
+ crypto/ecb.c | 1 +
+ crypto/eseqiv.c | 1 +
+ crypto/gcm.c | 1 +
+ crypto/hmac.c | 1 +
+ crypto/lrw.c | 1 +
+ crypto/pcbc.c | 1 +
+ crypto/pcrypt.c | 1 +
+ crypto/seqiv.c | 1 +
+ crypto/vmac.c | 1 +
+ crypto/xcbc.c | 1 +
+ crypto/xts.c | 1 +
+
+--- a/arch/x86/crypto/fpu.c
++++ b/arch/x86/crypto/fpu.c
+@@ -17,6 +17,7 @@
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
++#include <linux/crypto.h>
+ #include <asm/i387.h>
+
+ struct crypto_fpu_ctx {
+@@ -159,3 +160,5 @@ void __exit crypto_fpu_exit(void)
+ {
+ crypto_unregister_template(&crypto_fpu_tmpl);
+ }
++
++MODULE_ALIAS_CRYPTO("fpu");
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -477,8 +477,8 @@ static struct crypto_template *__crypto_
+
+ struct crypto_template *crypto_lookup_template(const char *name)
+ {
+- return try_then_request_module(__crypto_lookup_template(name), "%s",
+- name);
++ return try_then_request_module(__crypto_lookup_template(name),
++ "crypto-%s", name);
+ }
+ EXPORT_SYMBOL_GPL(crypto_lookup_template);
+
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -710,3 +710,4 @@ module_exit(crypto_authenc_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Simple AEAD wrapper for IPsec");
++MODULE_ALIAS_CRYPTO("authenc");
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -833,3 +833,4 @@ module_exit(crypto_authenc_esn_module_ex
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Steffen Klassert <steffen.klassert at secunet.com>");
+ MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
++MODULE_ALIAS_CRYPTO("authencesn");
+--- a/crypto/cbc.c
++++ b/crypto/cbc.c
+@@ -289,3 +289,4 @@ module_exit(crypto_cbc_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("CBC block cipher algorithm");
++MODULE_ALIAS_CRYPTO("cbc");
+--- a/crypto/ccm.c
++++ b/crypto/ccm.c
+@@ -890,3 +890,4 @@ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Counter with CBC MAC");
+ MODULE_ALIAS_CRYPTO("ccm_base");
+ MODULE_ALIAS_CRYPTO("rfc4309");
++MODULE_ALIAS_CRYPTO("ccm");
+--- a/crypto/chainiv.c
++++ b/crypto/chainiv.c
+@@ -360,3 +360,4 @@ module_exit(chainiv_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Chain IV Generator");
++MODULE_ALIAS_CRYPTO("chainiv");
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -955,3 +955,4 @@ module_exit(cryptd_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Software async crypto daemon");
++MODULE_ALIAS_CRYPTO("cryptd");
+--- a/crypto/ctr.c
++++ b/crypto/ctr.c
+@@ -422,3 +422,4 @@ module_exit(crypto_ctr_module_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("CTR Counter block mode");
+ MODULE_ALIAS_CRYPTO("rfc3686");
++MODULE_ALIAS_CRYPTO("ctr");
+--- a/crypto/cts.c
++++ b/crypto/cts.c
+@@ -351,3 +351,4 @@ module_exit(crypto_cts_module_exit);
+
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC");
++MODULE_ALIAS_CRYPTO("cts");
+--- a/crypto/ecb.c
++++ b/crypto/ecb.c
+@@ -185,3 +185,4 @@ module_exit(crypto_ecb_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("ECB block cipher algorithm");
++MODULE_ALIAS_CRYPTO("ecb");
+--- a/crypto/eseqiv.c
++++ b/crypto/eseqiv.c
+@@ -267,3 +267,4 @@ module_exit(eseqiv_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Encrypted Sequence Number IV Generator");
++MODULE_ALIAS_CRYPTO("eseqiv");
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -1377,3 +1377,4 @@ MODULE_AUTHOR("Mikko Herranen <mh1 at iki.f
+ MODULE_ALIAS_CRYPTO("gcm_base");
+ MODULE_ALIAS_CRYPTO("rfc4106");
+ MODULE_ALIAS_CRYPTO("rfc4543");
++MODULE_ALIAS_CRYPTO("gcm");
+--- a/crypto/hmac.c
++++ b/crypto/hmac.c
+@@ -271,3 +271,4 @@ module_exit(hmac_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("HMAC hash algorithm");
++MODULE_ALIAS_CRYPTO("hmac");
+--- a/crypto/lrw.c
++++ b/crypto/lrw.c
+@@ -312,3 +312,4 @@ module_exit(crypto_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("LRW block cipher mode");
++MODULE_ALIAS_CRYPTO("lrw");
+--- a/crypto/pcbc.c
++++ b/crypto/pcbc.c
+@@ -295,3 +295,4 @@ module_exit(crypto_pcbc_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("PCBC block cipher algorithm");
++MODULE_ALIAS_CRYPTO("pcbc");
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -565,3 +565,4 @@ module_exit(pcrypt_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Steffen Klassert <steffen.klassert at secunet.com>");
+ MODULE_DESCRIPTION("Parallel crypto wrapper");
++MODULE_ALIAS_CRYPTO("pcrypt");
+--- a/crypto/seqiv.c
++++ b/crypto/seqiv.c
+@@ -363,3 +363,4 @@ module_exit(seqiv_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Sequence Number IV Generator");
++MODULE_ALIAS_CRYPTO("seqiv");
+--- a/crypto/vmac.c
++++ b/crypto/vmac.c
+@@ -673,4 +673,5 @@ module_exit(vmac_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("VMAC hash algorithm");
++MODULE_ALIAS_CRYPTO("vmac");
+
+--- a/crypto/xcbc.c
++++ b/crypto/xcbc.c
+@@ -286,3 +286,4 @@ module_exit(crypto_xcbc_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("XCBC keyed hash algorithm");
++MODULE_ALIAS_CRYPTO("xcbc");
+--- a/crypto/xts.c
++++ b/crypto/xts.c
+@@ -289,3 +289,4 @@ module_exit(crypto_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("XTS block cipher mode");
++MODULE_ALIAS_CRYPTO("xts");
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-prefix-module-autoloading-with-crypto.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-prefix-module-autoloading-with-crypto.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-prefix-module-autoloading-with-crypto.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-prefix-module-autoloading-with-crypto.patch)
@@ -0,0 +1,622 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Thu, 20 Nov 2014 17:05:53 -0800
+Subject: crypto: prefix module autoloading with "crypto-"
+Origin: https://git.kernel.org/linus/5d26a105b5a73e5635eae0629b42fa0a90e07b7b
+
+This prefixes all crypto module loading with "crypto-" so we never run
+the risk of exposing module auto-loading to userspace via a crypto API,
+as demonstrated by Mathias Krause:
+
+https://lkml.org/lkml/2013/3/4/70
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+[bwh: Backported to 3.2:
+ - Adjust filenames
+ - Drop changes to algorithms and drivers we don't have
+ - Add aliases to generic C implementations that didn't need them before]
+---
+ arch/s390/crypto/aes_s390.c | 2 +-
+ arch/s390/crypto/des_s390.c | 4 ++--
+ arch/s390/crypto/ghash_s390.c | 2 +-
+ arch/s390/crypto/sha1_s390.c | 2 +-
+ arch/s390/crypto/sha256_s390.c | 4 ++--
+ arch/s390/crypto/sha512_s390.c | 4 ++--
+ arch/x86/crypto/aes_glue.c | 4 ++--
+ arch/x86/crypto/aesni-intel_glue.c | 2 +-
+ arch/x86/crypto/blowfish_glue.c | 4 ++--
+ arch/x86/crypto/crc32c-intel.c | 4 ++--
+ arch/x86/crypto/ghash-clmulni-intel_glue.c | 2 +-
+ arch/x86/crypto/salsa20_glue.c | 4 ++--
+ arch/x86/crypto/sha1_ssse3_glue.c | 2 +-
+ arch/x86/crypto/twofish_glue.c | 4 ++--
+ arch/x86/crypto/twofish_glue_3way.c | 4 ++--
+ crypto/aes_generic.c | 2 +-
+ crypto/ansi_cprng.c | 2 +-
+ crypto/anubis.c | 1 +
+ crypto/api.c | 4 ++--
+ crypto/arc4.c | 1 +
+ crypto/blowfish_generic.c | 2 +-
+ crypto/camellia.c | 2 +-
+ crypto/cast5.c | 2 +-
+ crypto/cast6.c | 2 +-
+ crypto/ccm.c | 4 ++--
+ crypto/crc32c.c | 2 +-
+ crypto/crypto_null.c | 6 +++---
+ crypto/ctr.c | 2 +-
+ crypto/deflate.c | 2 +-
+ crypto/des_generic.c | 2 +-
+ crypto/fcrypt.c | 1 +
+ crypto/gcm.c | 6 +++---
+ crypto/ghash-generic.c | 2 +-
+ crypto/khazad.c | 1 +
+ crypto/krng.c | 2 +-
+ crypto/lzo.c | 1 +
+ crypto/md4.c | 2 +-
+ crypto/md5.c | 1 +
+ crypto/michael_mic.c | 1 +
+ crypto/rmd128.c | 1 +
+ crypto/rmd160.c | 1 +
+ crypto/rmd256.c | 1 +
+ crypto/rmd320.c | 1 +
+ crypto/salsa20_generic.c | 2 +-
+ crypto/seed.c | 1 +
+ crypto/serpent.c | 4 ++--
+ crypto/sha1_generic.c | 2 +-
+ crypto/sha256_generic.c | 4 ++--
+ crypto/sha512_generic.c | 4 ++--
+ crypto/tea.c | 4 ++--
+ crypto/tgr192.c | 4 ++--
+ crypto/twofish_generic.c | 2 +-
+ crypto/wp512.c | 4 ++--
+ crypto/zlib.c | 1 +
+ drivers/crypto/padlock-aes.c | 2 +-
+ drivers/crypto/padlock-sha.c | 8 ++++----
+ drivers/s390/crypto/ap_bus.c | 3 ++-
+ include/linux/crypto.h | 13 +++++++++++++
+
+--- a/arch/s390/crypto/aes_s390.c
++++ b/arch/s390/crypto/aes_s390.c
+@@ -972,7 +972,7 @@ static void __exit aes_s390_fini(void)
+ module_init(aes_s390_init);
+ module_exit(aes_s390_fini);
+
+-MODULE_ALIAS("aes-all");
++MODULE_ALIAS_CRYPTO("aes-all");
+
+ MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm");
+ MODULE_LICENSE("GPL");
+--- a/arch/s390/crypto/des_s390.c
++++ b/arch/s390/crypto/des_s390.c
+@@ -626,8 +626,8 @@ static void __exit des_s390_exit(void)
+ module_init(des_s390_init);
+ module_exit(des_s390_exit);
+
+-MODULE_ALIAS("des");
+-MODULE_ALIAS("des3_ede");
++MODULE_ALIAS_CRYPTO("des");
++MODULE_ALIAS_CRYPTO("des3_ede");
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms");
+--- a/arch/s390/crypto/ghash_s390.c
++++ b/arch/s390/crypto/ghash_s390.c
+@@ -161,7 +161,7 @@ static void __exit ghash_mod_exit(void)
+ module_init(ghash_mod_init);
+ module_exit(ghash_mod_exit);
+
+-MODULE_ALIAS("ghash");
++MODULE_ALIAS_CRYPTO("ghash");
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("GHASH Message Digest Algorithm, s390 implementation");
+--- a/arch/s390/crypto/sha1_s390.c
++++ b/arch/s390/crypto/sha1_s390.c
+@@ -103,6 +103,6 @@ static void __exit sha1_s390_fini(void)
+ module_init(sha1_s390_init);
+ module_exit(sha1_s390_fini);
+
+-MODULE_ALIAS("sha1");
++MODULE_ALIAS_CRYPTO("sha1");
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm");
+--- a/arch/s390/crypto/sha256_s390.c
++++ b/arch/s390/crypto/sha256_s390.c
+@@ -143,7 +143,7 @@ static void __exit sha256_s390_fini(void
+ module_init(sha256_s390_init);
+ module_exit(sha256_s390_fini);
+
+-MODULE_ALIAS("sha256");
+-MODULE_ALIAS("sha224");
++MODULE_ALIAS_CRYPTO("sha256");
++MODULE_ALIAS_CRYPTO("sha224");
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA256 and SHA224 Secure Hash Algorithm");
+--- a/arch/s390/crypto/sha512_s390.c
++++ b/arch/s390/crypto/sha512_s390.c
+@@ -86,7 +86,7 @@ static struct shash_alg sha512_alg = {
+ }
+ };
+
+-MODULE_ALIAS("sha512");
++MODULE_ALIAS_CRYPTO("sha512");
+
+ static int sha384_init(struct shash_desc *desc)
+ {
+@@ -126,7 +126,7 @@ static struct shash_alg sha384_alg = {
+ }
+ };
+
+-MODULE_ALIAS("sha384");
++MODULE_ALIAS_CRYPTO("sha384");
+
+ static int __init init(void)
+ {
+--- a/arch/x86/crypto/aes_glue.c
++++ b/arch/x86/crypto/aes_glue.c
+@@ -67,5 +67,5 @@ module_exit(aes_fini);
+
+ MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm, asm optimized");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS("aes");
+-MODULE_ALIAS("aes-asm");
++MODULE_ALIAS_CRYPTO("aes");
++MODULE_ALIAS_CRYPTO("aes-asm");
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -1386,4 +1386,4 @@ module_exit(aesni_exit);
+
+ MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm, Intel AES-NI instructions optimized");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS("aes");
++MODULE_ALIAS_CRYPTO("aes");
+--- a/arch/x86/crypto/blowfish_glue.c
++++ b/arch/x86/crypto/blowfish_glue.c
+@@ -488,5 +488,5 @@ module_exit(fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Blowfish Cipher Algorithm, asm optimized");
+-MODULE_ALIAS("blowfish");
+-MODULE_ALIAS("blowfish-asm");
++MODULE_ALIAS_CRYPTO("blowfish");
++MODULE_ALIAS_CRYPTO("blowfish-asm");
+--- a/arch/x86/crypto/crc32c-intel.c
++++ b/arch/x86/crypto/crc32c-intel.c
+@@ -199,5 +199,5 @@ MODULE_AUTHOR("Austin Zhang <austin.zhan
+ MODULE_DESCRIPTION("CRC32c (Castagnoli) optimization using Intel Hardware.");
+ MODULE_LICENSE("GPL");
+
+-MODULE_ALIAS("crc32c");
+-MODULE_ALIAS("crc32c-intel");
++MODULE_ALIAS_CRYPTO("crc32c");
++MODULE_ALIAS_CRYPTO("crc32c-intel");
+--- a/arch/x86/crypto/ghash-clmulni-intel_glue.c
++++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c
+@@ -343,4 +343,4 @@ module_exit(ghash_pclmulqdqni_mod_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("GHASH Message Digest Algorithm, "
+ "acclerated by PCLMULQDQ-NI");
+-MODULE_ALIAS("ghash");
++MODULE_ALIAS_CRYPTO("ghash");
+--- a/arch/x86/crypto/salsa20_glue.c
++++ b/arch/x86/crypto/salsa20_glue.c
+@@ -125,5 +125,5 @@ module_exit(fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm (optimized assembly version)");
+-MODULE_ALIAS("salsa20");
+-MODULE_ALIAS("salsa20-asm");
++MODULE_ALIAS_CRYPTO("salsa20");
++MODULE_ALIAS_CRYPTO("salsa20-asm");
+--- a/arch/x86/crypto/sha1_ssse3_glue.c
++++ b/arch/x86/crypto/sha1_ssse3_glue.c
+@@ -237,4 +237,4 @@ module_exit(sha1_ssse3_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm, Supplemental SSE3 accelerated");
+
+-MODULE_ALIAS("sha1");
++MODULE_ALIAS_CRYPTO("sha1");
+--- a/arch/x86/crypto/twofish_glue.c
++++ b/arch/x86/crypto/twofish_glue.c
+@@ -97,5 +97,5 @@ module_exit(fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Twofish Cipher Algorithm, asm optimized");
+-MODULE_ALIAS("twofish");
+-MODULE_ALIAS("twofish-asm");
++MODULE_ALIAS_CRYPTO("twofish");
++MODULE_ALIAS_CRYPTO("twofish-asm");
+--- a/arch/x86/crypto/twofish_glue_3way.c
++++ b/arch/x86/crypto/twofish_glue_3way.c
+@@ -468,5 +468,5 @@ module_exit(fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Twofish Cipher Algorithm, 3-way parallel asm optimized");
+-MODULE_ALIAS("twofish");
+-MODULE_ALIAS("twofish-asm");
++MODULE_ALIAS_CRYPTO("twofish");
++MODULE_ALIAS_CRYPTO("twofish-asm");
+--- a/crypto/aes_generic.c
++++ b/crypto/aes_generic.c
+@@ -1475,4 +1475,4 @@ module_exit(aes_fini);
+
+ MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm");
+ MODULE_LICENSE("Dual BSD/GPL");
+-MODULE_ALIAS("aes");
++MODULE_ALIAS_CRYPTO("aes");
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -485,4 +485,4 @@ module_param(dbg, int, 0);
+ MODULE_PARM_DESC(dbg, "Boolean to enable debugging (0/1 == off/on)");
+ module_init(prng_mod_init);
+ module_exit(prng_mod_fini);
+-MODULE_ALIAS("stdrng");
++MODULE_ALIAS_CRYPTO("stdrng");
+--- a/crypto/anubis.c
++++ b/crypto/anubis.c
+@@ -705,3 +705,4 @@ module_exit(anubis_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Anubis Cryptographic Algorithm");
++MODULE_ALIAS_CRYPTO("anubis");
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -222,11 +222,11 @@ struct crypto_alg *crypto_larval_lookup(
+
+ alg = crypto_alg_lookup(name, type, mask);
+ if (!alg) {
+- request_module("%s", name);
++ request_module("crypto-%s", name);
+
+ if (!((type ^ CRYPTO_ALG_NEED_FALLBACK) & mask &
+ CRYPTO_ALG_NEED_FALLBACK))
+- request_module("%s-all", name);
++ request_module("crypto-%s-all", name);
+
+ alg = crypto_alg_lookup(name, type, mask);
+ }
+--- a/crypto/arc4.c
++++ b/crypto/arc4.c
+@@ -101,3 +101,4 @@ module_exit(arc4_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("ARC4 Cipher Algorithm");
+ MODULE_AUTHOR("Jon Oberheide <jon at oberheide.org>");
++MODULE_ALIAS_CRYPTO("arc4");
+--- a/crypto/blowfish_generic.c
++++ b/crypto/blowfish_generic.c
+@@ -139,4 +139,4 @@ module_exit(blowfish_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Blowfish Cipher Algorithm");
+-MODULE_ALIAS("blowfish");
++MODULE_ALIAS_CRYPTO("blowfish");
+--- a/crypto/camellia.c
++++ b/crypto/camellia.c
+@@ -1114,3 +1114,4 @@ module_exit(camellia_fini);
+
+ MODULE_DESCRIPTION("Camellia Cipher Algorithm");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_CRYPTO("camellia");
+--- a/crypto/cast5.c
++++ b/crypto/cast5.c
+@@ -806,4 +806,5 @@ module_exit(cast5_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Cast5 Cipher Algorithm");
++MODULE_ALIAS_CRYPTO("cast5");
+
+--- a/crypto/cast6.c
++++ b/crypto/cast6.c
+@@ -545,3 +545,4 @@ module_exit(cast6_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Cast6 Cipher Algorithm");
++MODULE_ALIAS_CRYPTO("cast6");
+--- a/crypto/ccm.c
++++ b/crypto/ccm.c
+@@ -888,5 +888,5 @@ module_exit(crypto_ccm_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Counter with CBC MAC");
+-MODULE_ALIAS("ccm_base");
+-MODULE_ALIAS("rfc4309");
++MODULE_ALIAS_CRYPTO("ccm_base");
++MODULE_ALIAS_CRYPTO("rfc4309");
+--- a/crypto/crc32c.c
++++ b/crypto/crc32c.c
+@@ -258,3 +258,4 @@ module_exit(crc32c_mod_fini);
+ MODULE_AUTHOR("Clay Haapala <chaapala at cisco.com>");
+ MODULE_DESCRIPTION("CRC32c (Castagnoli) calculations wrapper for lib/crc32c");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_CRYPTO("crc32c");
+--- a/crypto/crypto_null.c
++++ b/crypto/crypto_null.c
+@@ -156,9 +156,9 @@ static struct crypto_alg skcipher_null =
+ .decrypt = skcipher_null_crypt } }
+ };
+
+-MODULE_ALIAS("compress_null");
+-MODULE_ALIAS("digest_null");
+-MODULE_ALIAS("cipher_null");
++MODULE_ALIAS_CRYPTO("compress_null");
++MODULE_ALIAS_CRYPTO("digest_null");
++MODULE_ALIAS_CRYPTO("cipher_null");
+
+ static int __init crypto_null_mod_init(void)
+ {
+--- a/crypto/ctr.c
++++ b/crypto/ctr.c
+@@ -421,4 +421,4 @@ module_exit(crypto_ctr_module_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("CTR Counter block mode");
+-MODULE_ALIAS("rfc3686");
++MODULE_ALIAS_CRYPTO("rfc3686");
+--- a/crypto/deflate.c
++++ b/crypto/deflate.c
+@@ -223,4 +223,4 @@ module_exit(deflate_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Deflate Compression Algorithm for IPCOMP");
+ MODULE_AUTHOR("James Morris <jmorris at intercode.com.au>");
+-
++MODULE_ALIAS_CRYPTO("deflate");
+--- a/crypto/des_generic.c
++++ b/crypto/des_generic.c
+@@ -975,7 +975,7 @@ static struct crypto_alg des3_ede_alg =
+ .cia_decrypt = des3_ede_decrypt } }
+ };
+
+-MODULE_ALIAS("des3_ede");
++MODULE_ALIAS_CRYPTO("des3_ede");
+
+ static int __init des_generic_mod_init(void)
+ {
+--- a/crypto/fcrypt.c
++++ b/crypto/fcrypt.c
+@@ -421,3 +421,4 @@ module_exit(fcrypt_mod_fini);
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("FCrypt Cipher Algorithm");
+ MODULE_AUTHOR("David Howells <dhowells at redhat.com>");
++MODULE_ALIAS_CRYPTO("fcrypt");
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -1374,6 +1374,6 @@ module_exit(crypto_gcm_module_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Galois/Counter Mode");
+ MODULE_AUTHOR("Mikko Herranen <mh1 at iki.fi>");
+-MODULE_ALIAS("gcm_base");
+-MODULE_ALIAS("rfc4106");
+-MODULE_ALIAS("rfc4543");
++MODULE_ALIAS_CRYPTO("gcm_base");
++MODULE_ALIAS_CRYPTO("rfc4106");
++MODULE_ALIAS_CRYPTO("rfc4543");
+--- a/crypto/ghash-generic.c
++++ b/crypto/ghash-generic.c
+@@ -173,4 +173,4 @@ module_exit(ghash_mod_exit);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("GHASH Message Digest Algorithm");
+-MODULE_ALIAS("ghash");
++MODULE_ALIAS_CRYPTO("ghash");
+--- a/crypto/khazad.c
++++ b/crypto/khazad.c
+@@ -881,3 +881,4 @@ module_exit(khazad_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Khazad Cryptographic Algorithm");
++MODULE_ALIAS_CRYPTO("khazad");
+--- a/crypto/krng.c
++++ b/crypto/krng.c
+@@ -63,4 +63,4 @@ module_exit(krng_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Kernel Random Number Generator");
+-MODULE_ALIAS("stdrng");
++MODULE_ALIAS_CRYPTO("stdrng");
+--- a/crypto/lzo.c
++++ b/crypto/lzo.c
+@@ -104,3 +104,4 @@ module_exit(lzo_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("LZO Compression Algorithm");
++MODULE_ALIAS_CRYPTO("lzo");
+--- a/crypto/md4.c
++++ b/crypto/md4.c
+@@ -255,4 +255,4 @@ module_exit(md4_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("MD4 Message Digest Algorithm");
+-
++MODULE_ALIAS_CRYPTO("md4");
+--- a/crypto/md5.c
++++ b/crypto/md5.c
+@@ -168,3 +168,4 @@ module_exit(md5_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("MD5 Message Digest Algorithm");
++MODULE_ALIAS_CRYPTO("md5");
+--- a/crypto/michael_mic.c
++++ b/crypto/michael_mic.c
+@@ -184,3 +184,4 @@ module_exit(michael_mic_exit);
+ MODULE_LICENSE("GPL v2");
+ MODULE_DESCRIPTION("Michael MIC");
+ MODULE_AUTHOR("Jouni Malinen <j at w1.fi>");
++MODULE_ALIAS_CRYPTO("michael_mic");
+--- a/crypto/rmd128.c
++++ b/crypto/rmd128.c
+@@ -327,3 +327,4 @@ module_exit(rmd128_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Adrian-Ken Rueegsegger <ken at codelabs.ch>");
+ MODULE_DESCRIPTION("RIPEMD-128 Message Digest");
++MODULE_ALIAS_CRYPTO("rmd128");
+--- a/crypto/rmd160.c
++++ b/crypto/rmd160.c
+@@ -371,3 +371,4 @@ module_exit(rmd160_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Adrian-Ken Rueegsegger <ken at codelabs.ch>");
+ MODULE_DESCRIPTION("RIPEMD-160 Message Digest");
++MODULE_ALIAS_CRYPTO("rmd160");
+--- a/crypto/rmd256.c
++++ b/crypto/rmd256.c
+@@ -346,3 +346,4 @@ module_exit(rmd256_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Adrian-Ken Rueegsegger <ken at codelabs.ch>");
+ MODULE_DESCRIPTION("RIPEMD-256 Message Digest");
++MODULE_ALIAS_CRYPTO("rmd256");
+--- a/crypto/rmd320.c
++++ b/crypto/rmd320.c
+@@ -395,3 +395,4 @@ module_exit(rmd320_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Adrian-Ken Rueegsegger <ken at codelabs.ch>");
+ MODULE_DESCRIPTION("RIPEMD-320 Message Digest");
++MODULE_ALIAS_CRYPTO("rmd320");
+--- a/crypto/salsa20_generic.c
++++ b/crypto/salsa20_generic.c
+@@ -249,4 +249,4 @@ module_exit(salsa20_generic_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
+-MODULE_ALIAS("salsa20");
++MODULE_ALIAS_CRYPTO("salsa20");
+--- a/crypto/seed.c
++++ b/crypto/seed.c
+@@ -477,3 +477,4 @@ module_exit(seed_fini);
+ MODULE_DESCRIPTION("SEED Cipher Algorithm");
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Hye-Shik Chang <perky at FreeBSD.org>, Kim Hyun <hkim at kisa.or.kr>");
++MODULE_ALIAS_CRYPTO("seed");
+--- a/crypto/serpent.c
++++ b/crypto/serpent.c
+@@ -584,4 +584,5 @@ module_exit(serpent_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Serpent and tnepres (kerneli compatible serpent reversed) Cipher Algorithm");
+ MODULE_AUTHOR("Dag Arne Osvik <osvik at ii.uib.no>");
+-MODULE_ALIAS("tnepres");
++MODULE_ALIAS_CRYPTO("tnepres");
++MODULE_ALIAS_CRYPTO("serpent");
+--- a/crypto/sha1_generic.c
++++ b/crypto/sha1_generic.c
+@@ -153,4 +153,4 @@ module_exit(sha1_generic_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm");
+
+-MODULE_ALIAS("sha1");
++MODULE_ALIAS_CRYPTO("sha1");
+--- a/crypto/sha256_generic.c
++++ b/crypto/sha256_generic.c
+@@ -398,5 +398,5 @@ module_exit(sha256_generic_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA-224 and SHA-256 Secure Hash Algorithm");
+
+-MODULE_ALIAS("sha224");
+-MODULE_ALIAS("sha256");
++MODULE_ALIAS_CRYPTO("sha224");
++MODULE_ALIAS_CRYPTO("sha256");
+--- a/crypto/sha512_generic.c
++++ b/crypto/sha512_generic.c
+@@ -294,5 +294,5 @@ module_exit(sha512_generic_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("SHA-512 and SHA-384 Secure Hash Algorithms");
+
+-MODULE_ALIAS("sha384");
+-MODULE_ALIAS("sha512");
++MODULE_ALIAS_CRYPTO("sha384");
++MODULE_ALIAS_CRYPTO("sha512");
+--- a/crypto/tea.c
++++ b/crypto/tea.c
+@@ -299,8 +299,8 @@ static void __exit tea_mod_fini(void)
+ crypto_unregister_alg(&xeta_alg);
+ }
+
+-MODULE_ALIAS("xtea");
+-MODULE_ALIAS("xeta");
++MODULE_ALIAS_CRYPTO("xtea");
++MODULE_ALIAS_CRYPTO("xeta");
+
+ module_init(tea_mod_init);
+ module_exit(tea_mod_fini);
+--- a/crypto/tgr192.c
++++ b/crypto/tgr192.c
+@@ -702,8 +702,8 @@ static void __exit tgr192_mod_fini(void)
+ crypto_unregister_shash(&tgr128);
+ }
+
+-MODULE_ALIAS("tgr160");
+-MODULE_ALIAS("tgr128");
++MODULE_ALIAS_CRYPTO("tgr160");
++MODULE_ALIAS_CRYPTO("tgr128");
+
+ module_init(tgr192_mod_init);
+ module_exit(tgr192_mod_fini);
+--- a/crypto/twofish_generic.c
++++ b/crypto/twofish_generic.c
+@@ -212,4 +212,4 @@ module_exit(twofish_mod_fini);
+
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION ("Twofish Cipher Algorithm");
+-MODULE_ALIAS("twofish");
++MODULE_ALIAS_CRYPTO("twofish");
+--- a/crypto/wp512.c
++++ b/crypto/wp512.c
+@@ -1194,8 +1194,8 @@ static void __exit wp512_mod_fini(void)
+ crypto_unregister_shash(&wp256);
+ }
+
+-MODULE_ALIAS("wp384");
+-MODULE_ALIAS("wp256");
++MODULE_ALIAS_CRYPTO("wp384");
++MODULE_ALIAS_CRYPTO("wp256");
+
+ module_init(wp512_mod_init);
+ module_exit(wp512_mod_fini);
+--- a/crypto/zlib.c
++++ b/crypto/zlib.c
+@@ -378,3 +378,4 @@ module_exit(zlib_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Zlib Compression Algorithm");
+ MODULE_AUTHOR("Sony Corporation");
++MODULE_ALIAS_CRYPTO("zlib");
+--- a/drivers/crypto/padlock-aes.c
++++ b/drivers/crypto/padlock-aes.c
+@@ -566,4 +566,4 @@ MODULE_DESCRIPTION("VIA PadLock AES algo
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Michal Ludvig");
+
+-MODULE_ALIAS("aes");
++MODULE_ALIAS_CRYPTO("aes");
+--- a/drivers/crypto/padlock-sha.c
++++ b/drivers/crypto/padlock-sha.c
+@@ -593,7 +593,7 @@ MODULE_DESCRIPTION("VIA PadLock SHA1/SHA
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Michal Ludvig");
+
+-MODULE_ALIAS("sha1-all");
+-MODULE_ALIAS("sha256-all");
+-MODULE_ALIAS("sha1-padlock");
+-MODULE_ALIAS("sha256-padlock");
++MODULE_ALIAS_CRYPTO("sha1-all");
++MODULE_ALIAS_CRYPTO("sha256-all");
++MODULE_ALIAS_CRYPTO("sha1-padlock");
++MODULE_ALIAS_CRYPTO("sha256-padlock");
+--- a/include/linux/crypto.h
++++ b/include/linux/crypto.h
+@@ -25,6 +25,19 @@
+ #include <linux/uaccess.h>
+
+ /*
++ * Autoloaded crypto modules should only use a prefixed name to avoid allowing
++ * arbitrary modules to be loaded. Loading from userspace may still need the
++ * unprefixed names, so retains those aliases as well.
++ * This uses __MODULE_INFO directly instead of MODULE_ALIAS because pre-4.3
++ * gcc (e.g. avr32 toolchain) uses __LINE__ for uniqueness, and this macro
++ * expands twice on the same line. Instead, use a separate base name for the
++ * alias.
++ */
++#define MODULE_ALIAS_CRYPTO(name) \
++ __MODULE_INFO(alias, alias_userspace, name); \
++ __MODULE_INFO(alias, alias_crypto, "crypto-" name)
++
++/*
+ * Algorithm masks and types.
+ */
+ #define CRYPTO_ALG_TYPE_MASK 0x0000000f
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/dcache-fix-locking-bugs-in-backported-deal-with-deadlock-in-d_walk.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/dcache-fix-locking-bugs-in-backported-deal-with-deadlock-in-d_walk.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/dcache-fix-locking-bugs-in-backported-deal-with-deadlock-in-d_walk.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/dcache-fix-locking-bugs-in-backported-deal-with-deadlock-in-d_walk.patch)
@@ -0,0 +1,103 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 11 Feb 2015 03:16:35 +0000
+Subject: dcache: Fix locking bugs in backported "deal with deadlock in d_walk()"
+
+Steven Rostedt reported:
+> Porting -rt to the latest 3.2 stable tree I triggered this bug:
+>
+> =====================================
+> [ BUG: bad unlock balance detected! ]
+> -------------------------------------
+> rm/1638 is trying to release lock (rcu_read_lock) at:
+> [<c04fde6c>] rcu_read_unlock+0x0/0x23
+> but there are no more locks to release!
+>
+> other info that might help us debug this:
+> 2 locks held by rm/1638:
+> #0: (&sb->s_type->i_mutex_key#9/1){+.+.+.}, at: [<c04f93eb>] do_rmdir+0x5f/0xd2
+> #1: (&sb->s_type->i_mutex_key#9){+.+.+.}, at: [<c04f9329>] vfs_rmdir+0x49/0xac
+>
+> stack backtrace:
+> Pid: 1638, comm: rm Not tainted 3.2.66-test-rt96+ #2
+> Call Trace:
+> [<c083f390>] ? printk+0x1d/0x1f
+> [<c0463cdf>] print_unlock_inbalance_bug+0xc3/0xcd
+> [<c04653a8>] lock_release_non_nested+0x98/0x1ec
+> [<c046228d>] ? trace_hardirqs_off_caller+0x18/0x90
+> [<c0456f1c>] ? local_clock+0x2d/0x50
+> [<c04fde6c>] ? d_hash+0x2f/0x2f
+> [<c04fde6c>] ? d_hash+0x2f/0x2f
+> [<c046568e>] lock_release+0x192/0x1ad
+> [<c04fde83>] rcu_read_unlock+0x17/0x23
+> [<c04ff344>] shrink_dcache_parent+0x227/0x270
+> [<c04f9348>] vfs_rmdir+0x68/0xac
+> [<c04f9424>] do_rmdir+0x98/0xd2
+> [<c04f03ad>] ? fput+0x1a3/0x1ab
+> [<c084dd42>] ? sysenter_exit+0xf/0x1a
+> [<c0465b58>] ? trace_hardirqs_on_caller+0x118/0x149
+> [<c04fa3e0>] sys_unlinkat+0x2b/0x35
+> [<c084dd13>] sysenter_do_call+0x12/0x12
+>
+>
+>
+>
+> There's a path to calling rcu_read_unlock() without calling
+> rcu_read_lock() in have_submounts().
+>
+> goto positive;
+>
+> positive:
+> if (!locked && read_seqretry(&rename_lock, seq))
+> goto rename_retry;
+>
+> rename_retry:
+> rcu_read_unlock();
+>
+> in the above path, rcu_read_lock() is never done before calling
+> rcu_read_unlock();
+
+I reviewed locking contexts in all three functions that I changed when
+backporting "deal with deadlock in d_walk()". It's actually worse
+than this:
+
+- We don't hold this_parent->d_lock at the 'positive' label in
+ have_submounts(), but it is unlocked after 'rename_retry'.
+- There is an rcu_read_unlock() after the 'out' label in
+ select_parent(), but it's not held at the 'goto out'.
+
+Fix all three lock imbalances.
+
+Reported-by: Steven Rostedt <rostedt at goodmis.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Tested-by: Steven Rostedt <rostedt at goodmis.org>
+---
+ fs/dcache.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1035,7 +1035,7 @@ ascend:
+ return 0; /* No mount points found in tree */
+ positive:
+ if (!locked && read_seqretry(&rename_lock, seq))
+- goto rename_retry;
++ goto rename_retry_unlocked;
+ if (locked)
+ write_sequnlock(&rename_lock);
+ return 1;
+@@ -1045,6 +1045,7 @@ rename_retry:
+ rcu_read_unlock();
+ if (locked)
+ goto again;
++rename_retry_unlocked:
+ locked = 1;
+ write_seqlock(&rename_lock);
+ goto again;
+@@ -1109,6 +1110,7 @@ resume:
+ */
+ if (found && need_resched()) {
+ spin_unlock(&dentry->d_lock);
++ rcu_read_lock();
+ goto out;
+ }
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/deal-with-deadlock-in-d_walk.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/deal-with-deadlock-in-d_walk.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/deal-with-deadlock-in-d_walk.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/deal-with-deadlock-in-d_walk.patch)
@@ -0,0 +1,206 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Sun, 26 Oct 2014 19:31:10 -0400
+Subject: deal with deadlock in d_walk()
+
+commit ca5358ef75fc69fee5322a38a340f5739d997c10 upstream.
+
+... by not hitting rename_retry for reasons other than rename having
+happened. In other words, do _not_ restart when finding that
+between unlocking the child and locking the parent the former got
+into __dentry_kill(). Skip the killed siblings instead...
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: Backported to 3.2:
+ - As we only have try_to_ascend() and not d_walk(), apply this
+ change to all callers of try_to_ascend()
+ - Adjust context to make __dentry_kill() apply to d_kill()]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/dcache.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -306,9 +306,9 @@ static struct dentry *d_kill(struct dent
+ __releases(parent->d_lock)
+ __releases(dentry->d_inode->i_lock)
+ {
+- list_del(&dentry->d_child);
++ __list_del_entry(&dentry->d_child);
+ /*
+- * Inform try_to_ascend() that we are no longer attached to the
++ * Inform ascending readers that we are no longer attached to the
+ * dentry tree
+ */
+ dentry->d_flags |= DCACHE_DENTRY_KILLED;
+@@ -949,34 +949,6 @@ void shrink_dcache_for_umount(struct sup
+ }
+ }
+
+-/*
+- * This tries to ascend one level of parenthood, but
+- * we can race with renaming, so we need to re-check
+- * the parenthood after dropping the lock and check
+- * that the sequence number still matches.
+- */
+-static struct dentry *try_to_ascend(struct dentry *old, int locked, unsigned seq)
+-{
+- struct dentry *new = old->d_parent;
+-
+- rcu_read_lock();
+- spin_unlock(&old->d_lock);
+- spin_lock(&new->d_lock);
+-
+- /*
+- * might go back up the wrong parent if we have had a rename
+- * or deletion
+- */
+- if (new != old->d_parent ||
+- (old->d_flags & DCACHE_DENTRY_KILLED) ||
+- (!locked && read_seqretry(&rename_lock, seq))) {
+- spin_unlock(&new->d_lock);
+- new = NULL;
+- }
+- rcu_read_unlock();
+- return new;
+-}
+-
+
+ /*
+ * Search for at least 1 mount point in the dentry's subdirs.
+@@ -1032,17 +1004,32 @@ resume:
+ /*
+ * All done at this level ... ascend and resume the search.
+ */
++ rcu_read_lock();
++ascend:
+ if (this_parent != parent) {
+ struct dentry *child = this_parent;
+- this_parent = try_to_ascend(this_parent, locked, seq);
+- if (!this_parent)
++ this_parent = child->d_parent;
++
++ spin_unlock(&child->d_lock);
++ spin_lock(&this_parent->d_lock);
++
++ /* might go back up the wrong parent if we have had a rename */
++ if (!locked && read_seqretry(&rename_lock, seq))
+ goto rename_retry;
+ next = child->d_child.next;
++ while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)) {
++ if (next == &this_parent->d_subdirs)
++ goto ascend;
++ child = list_entry(next, struct dentry, d_child);
++ next = next->next;
++ }
++ rcu_read_unlock();
+ goto resume;
+ }
+- spin_unlock(&this_parent->d_lock);
+ if (!locked && read_seqretry(&rename_lock, seq))
+ goto rename_retry;
++ spin_unlock(&this_parent->d_lock);
++ rcu_read_unlock();
+ if (locked)
+ write_sequnlock(&rename_lock);
+ return 0; /* No mount points found in tree */
+@@ -1054,6 +1041,8 @@ positive:
+ return 1;
+
+ rename_retry:
++ spin_unlock(&this_parent->d_lock);
++ rcu_read_unlock();
+ if (locked)
+ goto again;
+ locked = 1;
+@@ -1139,23 +1128,40 @@ resume:
+ /*
+ * All done at this level ... ascend and resume the search.
+ */
++ rcu_read_lock();
++ascend:
+ if (this_parent != parent) {
+ struct dentry *child = this_parent;
+- this_parent = try_to_ascend(this_parent, locked, seq);
+- if (!this_parent)
++ this_parent = child->d_parent;
++
++ spin_unlock(&child->d_lock);
++ spin_lock(&this_parent->d_lock);
++
++ /* might go back up the wrong parent if we have had a rename */
++ if (!locked && read_seqretry(&rename_lock, seq))
+ goto rename_retry;
+ next = child->d_child.next;
++ while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)) {
++ if (next == &this_parent->d_subdirs)
++ goto ascend;
++ child = list_entry(next, struct dentry, d_child);
++ next = next->next;
++ }
++ rcu_read_unlock();
+ goto resume;
+ }
+ out:
+- spin_unlock(&this_parent->d_lock);
+ if (!locked && read_seqretry(&rename_lock, seq))
+ goto rename_retry;
++ spin_unlock(&this_parent->d_lock);
++ rcu_read_unlock();
+ if (locked)
+ write_sequnlock(&rename_lock);
+ return found;
+
+ rename_retry:
++ spin_unlock(&this_parent->d_lock);
++ rcu_read_unlock();
+ if (found)
+ return found;
+ if (locked)
+@@ -2914,26 +2920,43 @@ resume:
+ }
+ spin_unlock(&dentry->d_lock);
+ }
++ rcu_read_lock();
++ascend:
+ if (this_parent != root) {
+ struct dentry *child = this_parent;
+ if (!(this_parent->d_flags & DCACHE_GENOCIDE)) {
+ this_parent->d_flags |= DCACHE_GENOCIDE;
+ this_parent->d_count--;
+ }
+- this_parent = try_to_ascend(this_parent, locked, seq);
+- if (!this_parent)
++ this_parent = child->d_parent;
++
++ spin_unlock(&child->d_lock);
++ spin_lock(&this_parent->d_lock);
++
++ /* might go back up the wrong parent if we have had a rename */
++ if (!locked && read_seqretry(&rename_lock, seq))
+ goto rename_retry;
+ next = child->d_child.next;
++ while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)) {
++ if (next == &this_parent->d_subdirs)
++ goto ascend;
++ child = list_entry(next, struct dentry, d_child);
++ next = next->next;
++ }
++ rcu_read_unlock();
+ goto resume;
+ }
+- spin_unlock(&this_parent->d_lock);
+ if (!locked && read_seqretry(&rename_lock, seq))
+ goto rename_retry;
++ spin_unlock(&this_parent->d_lock);
++ rcu_read_unlock();
+ if (locked)
+ write_sequnlock(&rename_lock);
+ return;
+
+ rename_retry:
++ spin_unlock(&this_parent->d_lock);
++ rcu_read_unlock();
+ if (locked)
+ goto again;
+ locked = 1;
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch)
@@ -0,0 +1,31 @@
+From: Michael Halcrow <mhalcrow at google.com>
+Date: Wed, 26 Nov 2014 09:09:16 -0800
+Subject: eCryptfs: Remove buggy and unnecessary write in file name decode
+ routine
+
+commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
+
+Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
+end of the allocated buffer during encrypted filename decoding. This
+fix corrects the issue by getting rid of the unnecessary 0 write when
+the current bit offset is 2.
+
+Signed-off-by: Michael Halcrow <mhalcrow at google.com>
+Reported-by: Dmitry Chernenkov <dmitryc at google.com>
+Suggested-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/ecryptfs/crypto.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -2038,7 +2038,6 @@ ecryptfs_decode_from_filename(unsigned c
+ break;
+ case 2:
+ dst[dst_byte_offset++] |= (src_byte);
+- dst[dst_byte_offset] = 0;
+ current_bit_offset = 0;
+ break;
+ }
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/move-d_rcu-from-overlapping-d_child-to-overlapping-d_alias.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/move-d_rcu-from-overlapping-d_child-to-overlapping-d_alias.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/move-d_rcu-from-overlapping-d_child-to-overlapping-d_alias.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/move-d_rcu-from-overlapping-d_child-to-overlapping-d_alias.patch)
@@ -0,0 +1,754 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Sun, 26 Oct 2014 19:19:16 -0400
+Subject: move d_rcu from overlapping d_child to overlapping d_alias
+
+commit 946e51f2bf37f1656916eb75bd0742ba33983c28 upstream.
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: Backported to 3.2:
+ - Apply name changes in all the different places we use d_alias and d_child
+ - Move the WARN_ON() in __d_free() to d_free() as we don't have dentry_free()]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/arch/powerpc/platforms/cell/spufs/inode.c
++++ b/arch/powerpc/platforms/cell/spufs/inode.c
+@@ -165,7 +165,7 @@ static void spufs_prune_dir(struct dentr
+ struct dentry *dentry, *tmp;
+
+ mutex_lock(&dir->d_inode->i_mutex);
+- list_for_each_entry_safe(dentry, tmp, &dir->d_subdirs, d_u.d_child) {
++ list_for_each_entry_safe(dentry, tmp, &dir->d_subdirs, d_child) {
+ spin_lock(&dentry->d_lock);
+ if (!(d_unhashed(dentry)) && dentry->d_inode) {
+ dget_dlock(dentry);
+@@ -223,7 +223,7 @@ out:
+ * - free child's inode if possible
+ * - free child
+ */
+- list_for_each_entry_safe(dentry, tmp, &dir->d_subdirs, d_u.d_child) {
++ list_for_each_entry_safe(dentry, tmp, &dir->d_subdirs, d_child) {
+ dput(dentry);
+ }
+
+--- a/drivers/usb/core/inode.c
++++ b/drivers/usb/core/inode.c
+@@ -212,7 +212,7 @@ static void update_bus(struct dentry *bu
+
+ mutex_lock(&bus->d_inode->i_mutex);
+
+- list_for_each_entry(dev, &bus->d_subdirs, d_u.d_child)
++ list_for_each_entry(dev, &bus->d_subdirs, d_child)
+ if (dev->d_inode)
+ update_dev(dev);
+
+@@ -229,7 +229,7 @@ static void update_sb(struct super_block
+
+ mutex_lock_nested(&root->d_inode->i_mutex, I_MUTEX_PARENT);
+
+- list_for_each_entry(bus, &root->d_subdirs, d_u.d_child) {
++ list_for_each_entry(bus, &root->d_subdirs, d_child) {
+ if (bus->d_inode) {
+ switch (S_IFMT & bus->d_inode->i_mode) {
+ case S_IFDIR:
+@@ -345,7 +345,7 @@ static int usbfs_empty (struct dentry *d
+
+ spin_lock(&dentry->d_lock);
+ list_for_each(list, &dentry->d_subdirs) {
+- struct dentry *de = list_entry(list, struct dentry, d_u.d_child);
++ struct dentry *de = list_entry(list, struct dentry, d_child);
+
+ spin_lock_nested(&de->d_lock, DENTRY_D_LOCK_NESTED);
+ if (usbfs_positive(de)) {
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -81,7 +81,7 @@ static struct dentry *v9fs_dentry_from_d
+ spin_lock(&inode->i_lock);
+ /* Directory should have only one entry. */
+ BUG_ON(S_ISDIR(inode->i_mode) && !list_is_singular(&inode->i_dentry));
+- dentry = list_entry(inode->i_dentry.next, struct dentry, d_alias);
++ dentry = list_entry(inode->i_dentry.next, struct dentry, d_u.d_alias);
+ spin_unlock(&inode->i_lock);
+ return dentry;
+ }
+--- a/fs/affs/amigaffs.c
++++ b/fs/affs/amigaffs.c
+@@ -132,7 +132,7 @@ affs_fix_dcache(struct dentry *dentry, u
+ head = &inode->i_dentry;
+ next = head->next;
+ while (next != head) {
+- dentry = list_entry(next, struct dentry, d_alias);
++ dentry = list_entry(next, struct dentry, d_u.d_alias);
+ if (entry_ino == (u32)(long)dentry->d_fsdata) {
+ dentry->d_fsdata = data;
+ break;
+--- a/fs/autofs4/expire.c
++++ b/fs/autofs4/expire.c
+@@ -100,7 +100,7 @@ static struct dentry *get_next_positive_
+ p = prev;
+ spin_lock(&p->d_lock);
+ again:
+- next = p->d_u.d_child.next;
++ next = p->d_child.next;
+ start:
+ if (next == &root->d_subdirs) {
+ spin_unlock(&p->d_lock);
+@@ -109,7 +109,7 @@ start:
+ return NULL;
+ }
+
+- q = list_entry(next, struct dentry, d_u.d_child);
++ q = list_entry(next, struct dentry, d_child);
+
+ spin_lock_nested(&q->d_lock, DENTRY_D_LOCK_NESTED);
+ /* Negative dentry - try next */
+@@ -165,13 +165,13 @@ again:
+ goto relock;
+ }
+ spin_unlock(&p->d_lock);
+- next = p->d_u.d_child.next;
++ next = p->d_child.next;
+ p = parent;
+ if (next != &parent->d_subdirs)
+ break;
+ }
+ }
+- ret = list_entry(next, struct dentry, d_u.d_child);
++ ret = list_entry(next, struct dentry, d_child);
+
+ spin_lock_nested(&ret->d_lock, DENTRY_D_LOCK_NESTED);
+ /* Negative dentry - try next */
+@@ -455,7 +455,7 @@ found:
+ spin_lock(&sbi->lookup_lock);
+ spin_lock(&expired->d_parent->d_lock);
+ spin_lock_nested(&expired->d_lock, DENTRY_D_LOCK_NESTED);
+- list_move(&expired->d_parent->d_subdirs, &expired->d_u.d_child);
++ list_move(&expired->d_parent->d_subdirs, &expired->d_child);
+ spin_unlock(&expired->d_lock);
+ spin_unlock(&expired->d_parent->d_lock);
+ spin_unlock(&sbi->lookup_lock);
+--- a/fs/autofs4/root.c
++++ b/fs/autofs4/root.c
+@@ -651,7 +651,7 @@ static void autofs_clear_leaf_automount_
+ /* only consider parents below dentrys in the root */
+ if (IS_ROOT(parent->d_parent))
+ return;
+- d_child = &dentry->d_u.d_child;
++ d_child = &dentry->d_child;
+ /* Set parent managed if it's becoming empty */
+ if (d_child->next == &parent->d_subdirs &&
+ d_child->prev == &parent->d_subdirs)
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -104,7 +104,7 @@ static unsigned fpos_off(loff_t p)
+ /*
+ * When possible, we try to satisfy a readdir by peeking at the
+ * dcache. We make this work by carefully ordering dentries on
+- * d_u.d_child when we initially get results back from the MDS, and
++ * d_child when we initially get results back from the MDS, and
+ * falling back to a "normal" sync readdir if any dentries in the dir
+ * are dropped.
+ *
+@@ -140,11 +140,11 @@ static int __dcache_readdir(struct file
+ p = parent->d_subdirs.prev;
+ dout(" initial p %p/%p\n", p->prev, p->next);
+ } else {
+- p = last->d_u.d_child.prev;
++ p = last->d_child.prev;
+ }
+
+ more:
+- dentry = list_entry(p, struct dentry, d_u.d_child);
++ dentry = list_entry(p, struct dentry, d_child);
+ di = ceph_dentry(dentry);
+ while (1) {
+ dout(" p %p/%p %s d_subdirs %p/%p\n", p->prev, p->next,
+@@ -166,7 +166,7 @@ more:
+ !dentry->d_inode ? " null" : "");
+ spin_unlock(&dentry->d_lock);
+ p = p->prev;
+- dentry = list_entry(p, struct dentry, d_u.d_child);
++ dentry = list_entry(p, struct dentry, d_child);
+ di = ceph_dentry(dentry);
+ }
+
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -868,9 +868,9 @@ static void ceph_set_dentry_offset(struc
+
+ spin_lock(&dir->d_lock);
+ spin_lock_nested(&dn->d_lock, DENTRY_D_LOCK_NESTED);
+- list_move(&dn->d_u.d_child, &dir->d_subdirs);
++ list_move(&dn->d_child, &dir->d_subdirs);
+ dout("set_dentry_offset %p %lld (%p %p)\n", dn, di->offset,
+- dn->d_u.d_child.prev, dn->d_u.d_child.next);
++ dn->d_child.prev, dn->d_child.next);
+ spin_unlock(&dn->d_lock);
+ spin_unlock(&dir->d_lock);
+ }
+@@ -1256,7 +1256,7 @@ retry_lookup:
+ /* reorder parent's d_subdirs */
+ spin_lock(&parent->d_lock);
+ spin_lock_nested(&dn->d_lock, DENTRY_D_LOCK_NESTED);
+- list_move(&dn->d_u.d_child, &parent->d_subdirs);
++ list_move(&dn->d_child, &parent->d_subdirs);
+ spin_unlock(&dn->d_lock);
+ spin_unlock(&parent->d_lock);
+ }
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -823,7 +823,7 @@ inode_has_hashed_dentries(struct inode *
+ struct dentry *dentry;
+
+ spin_lock(&inode->i_lock);
+- list_for_each_entry(dentry, &inode->i_dentry, d_alias) {
++ list_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
+ if (!d_unhashed(dentry) || IS_ROOT(dentry)) {
+ spin_unlock(&inode->i_lock);
+ return true;
+--- a/fs/coda/cache.c
++++ b/fs/coda/cache.c
+@@ -95,7 +95,7 @@ static void coda_flag_children(struct de
+ spin_lock(&parent->d_lock);
+ list_for_each(child, &parent->d_subdirs)
+ {
+- de = list_entry(child, struct dentry, d_u.d_child);
++ de = list_entry(child, struct dentry, d_child);
+ /* don't know what to do with negative dentries */
+ if ( ! de->d_inode )
+ continue;
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -42,7 +42,7 @@
+ /*
+ * Usage:
+ * dcache->d_inode->i_lock protects:
+- * - i_dentry, d_alias, d_inode of aliases
++ * - i_dentry, d_u.d_alias, d_inode of aliases
+ * dcache_hash_bucket lock protects:
+ * - the dcache hash table
+ * s_anon bl list spinlock protects:
+@@ -57,7 +57,7 @@
+ * - d_unhashed()
+ * - d_parent and d_subdirs
+ * - childrens' d_child and d_parent
+- * - d_alias, d_inode
++ * - d_u.d_alias, d_inode
+ *
+ * Ordering:
+ * dentry->d_inode->i_lock
+@@ -140,7 +140,6 @@ static void __d_free(struct rcu_head *he
+ {
+ struct dentry *dentry = container_of(head, struct dentry, d_u.d_rcu);
+
+- WARN_ON(!list_empty(&dentry->d_alias));
+ if (dname_external(dentry))
+ kfree(dentry->d_name.name);
+ kmem_cache_free(dentry_cache, dentry);
+@@ -151,6 +150,7 @@ static void __d_free(struct rcu_head *he
+ */
+ static void d_free(struct dentry *dentry)
+ {
++ WARN_ON(!list_empty(&dentry->d_u.d_alias));
+ BUG_ON(dentry->d_count);
+ this_cpu_dec(nr_dentry);
+ if (dentry->d_op && dentry->d_op->d_release)
+@@ -189,7 +189,7 @@ static void dentry_iput(struct dentry *
+ struct inode *inode = dentry->d_inode;
+ if (inode) {
+ dentry->d_inode = NULL;
+- list_del_init(&dentry->d_alias);
++ list_del_init(&dentry->d_u.d_alias);
+ spin_unlock(&dentry->d_lock);
+ spin_unlock(&inode->i_lock);
+ if (!inode->i_nlink)
+@@ -213,7 +213,7 @@ static void dentry_unlink_inode(struct d
+ {
+ struct inode *inode = dentry->d_inode;
+ dentry->d_inode = NULL;
+- list_del_init(&dentry->d_alias);
++ list_del_init(&dentry->d_u.d_alias);
+ dentry_rcuwalk_barrier(dentry);
+ spin_unlock(&dentry->d_lock);
+ spin_unlock(&inode->i_lock);
+@@ -306,7 +306,7 @@ static struct dentry *d_kill(struct dent
+ __releases(parent->d_lock)
+ __releases(dentry->d_inode->i_lock)
+ {
+- list_del(&dentry->d_u.d_child);
++ list_del(&dentry->d_child);
+ /*
+ * Inform try_to_ascend() that we are no longer attached to the
+ * dentry tree
+@@ -624,7 +624,7 @@ static struct dentry *__d_find_alias(str
+
+ again:
+ discon_alias = NULL;
+- list_for_each_entry(alias, &inode->i_dentry, d_alias) {
++ list_for_each_entry(alias, &inode->i_dentry, d_u.d_alias) {
+ spin_lock(&alias->d_lock);
+ if (S_ISDIR(inode->i_mode) || !d_unhashed(alias)) {
+ if (IS_ROOT(alias) &&
+@@ -677,7 +677,7 @@ void d_prune_aliases(struct inode *inode
+ struct dentry *dentry;
+ restart:
+ spin_lock(&inode->i_lock);
+- list_for_each_entry(dentry, &inode->i_dentry, d_alias) {
++ list_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
+ spin_lock(&dentry->d_lock);
+ if (!dentry->d_count) {
+ __dget_dlock(dentry);
+@@ -857,7 +857,7 @@ static void shrink_dcache_for_umount_sub
+ /* descend to the first leaf in the current subtree */
+ while (!list_empty(&dentry->d_subdirs))
+ dentry = list_entry(dentry->d_subdirs.next,
+- struct dentry, d_u.d_child);
++ struct dentry, d_child);
+
+ /* consume the dentries from this leaf up through its parents
+ * until we find one with children or run out altogether */
+@@ -889,17 +889,17 @@ static void shrink_dcache_for_umount_sub
+
+ if (IS_ROOT(dentry)) {
+ parent = NULL;
+- list_del(&dentry->d_u.d_child);
++ list_del(&dentry->d_child);
+ } else {
+ parent = dentry->d_parent;
+ parent->d_count--;
+- list_del(&dentry->d_u.d_child);
++ list_del(&dentry->d_child);
+ }
+
+ inode = dentry->d_inode;
+ if (inode) {
+ dentry->d_inode = NULL;
+- list_del_init(&dentry->d_alias);
++ list_del_init(&dentry->d_u.d_alias);
+ if (dentry->d_op && dentry->d_op->d_iput)
+ dentry->d_op->d_iput(dentry, inode);
+ else
+@@ -917,7 +917,7 @@ static void shrink_dcache_for_umount_sub
+ } while (list_empty(&dentry->d_subdirs));
+
+ dentry = list_entry(dentry->d_subdirs.next,
+- struct dentry, d_u.d_child);
++ struct dentry, d_child);
+ }
+ }
+
+@@ -1010,7 +1010,7 @@ repeat:
+ resume:
+ while (next != &this_parent->d_subdirs) {
+ struct list_head *tmp = next;
+- struct dentry *dentry = list_entry(tmp, struct dentry, d_u.d_child);
++ struct dentry *dentry = list_entry(tmp, struct dentry, d_child);
+ next = tmp->next;
+
+ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
+@@ -1037,7 +1037,7 @@ resume:
+ this_parent = try_to_ascend(this_parent, locked, seq);
+ if (!this_parent)
+ goto rename_retry;
+- next = child->d_u.d_child.next;
++ next = child->d_child.next;
+ goto resume;
+ }
+ spin_unlock(&this_parent->d_lock);
+@@ -1093,7 +1093,7 @@ repeat:
+ resume:
+ while (next != &this_parent->d_subdirs) {
+ struct list_head *tmp = next;
+- struct dentry *dentry = list_entry(tmp, struct dentry, d_u.d_child);
++ struct dentry *dentry = list_entry(tmp, struct dentry, d_child);
+ next = tmp->next;
+
+ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
+@@ -1144,7 +1144,7 @@ resume:
+ this_parent = try_to_ascend(this_parent, locked, seq);
+ if (!this_parent)
+ goto rename_retry;
+- next = child->d_u.d_child.next;
++ next = child->d_child.next;
+ goto resume;
+ }
+ out:
+@@ -1230,8 +1230,8 @@ struct dentry *__d_alloc(struct super_bl
+ INIT_HLIST_BL_NODE(&dentry->d_hash);
+ INIT_LIST_HEAD(&dentry->d_lru);
+ INIT_LIST_HEAD(&dentry->d_subdirs);
+- INIT_LIST_HEAD(&dentry->d_alias);
+- INIT_LIST_HEAD(&dentry->d_u.d_child);
++ INIT_LIST_HEAD(&dentry->d_u.d_alias);
++ INIT_LIST_HEAD(&dentry->d_child);
+ d_set_d_op(dentry, dentry->d_sb->s_d_op);
+
+ this_cpu_inc(nr_dentry);
+@@ -1261,7 +1261,7 @@ struct dentry *d_alloc(struct dentry * p
+ */
+ __dget_dlock(parent);
+ dentry->d_parent = parent;
+- list_add(&dentry->d_u.d_child, &parent->d_subdirs);
++ list_add(&dentry->d_child, &parent->d_subdirs);
+ spin_unlock(&parent->d_lock);
+
+ return dentry;
+@@ -1318,7 +1318,7 @@ static void __d_instantiate(struct dentr
+ if (inode) {
+ if (unlikely(IS_AUTOMOUNT(inode)))
+ dentry->d_flags |= DCACHE_NEED_AUTOMOUNT;
+- list_add(&dentry->d_alias, &inode->i_dentry);
++ list_add(&dentry->d_u.d_alias, &inode->i_dentry);
+ }
+ dentry->d_inode = inode;
+ dentry_rcuwalk_barrier(dentry);
+@@ -1343,7 +1343,7 @@ static void __d_instantiate(struct dentr
+
+ void d_instantiate(struct dentry *entry, struct inode * inode)
+ {
+- BUG_ON(!list_empty(&entry->d_alias));
++ BUG_ON(!list_empty(&entry->d_u.d_alias));
+ if (inode)
+ spin_lock(&inode->i_lock);
+ __d_instantiate(entry, inode);
+@@ -1382,7 +1382,7 @@ static struct dentry *__d_instantiate_un
+ return NULL;
+ }
+
+- list_for_each_entry(alias, &inode->i_dentry, d_alias) {
++ list_for_each_entry(alias, &inode->i_dentry, d_u.d_alias) {
+ struct qstr *qstr = &alias->d_name;
+
+ /*
+@@ -1408,7 +1408,7 @@ struct dentry *d_instantiate_unique(stru
+ {
+ struct dentry *result;
+
+- BUG_ON(!list_empty(&entry->d_alias));
++ BUG_ON(!list_empty(&entry->d_u.d_alias));
+
+ if (inode)
+ spin_lock(&inode->i_lock);
+@@ -1458,7 +1458,7 @@ static struct dentry * __d_find_any_alia
+
+ if (list_empty(&inode->i_dentry))
+ return NULL;
+- alias = list_first_entry(&inode->i_dentry, struct dentry, d_alias);
++ alias = list_first_entry(&inode->i_dentry, struct dentry, d_u.d_alias);
+ __dget(alias);
+ return alias;
+ }
+@@ -1525,7 +1525,7 @@ struct dentry *d_obtain_alias(struct ino
+ spin_lock(&tmp->d_lock);
+ tmp->d_inode = inode;
+ tmp->d_flags |= DCACHE_DISCONNECTED;
+- list_add(&tmp->d_alias, &inode->i_dentry);
++ list_add(&tmp->d_u.d_alias, &inode->i_dentry);
+ hlist_bl_lock(&tmp->d_sb->s_anon);
+ hlist_bl_add_head(&tmp->d_hash, &tmp->d_sb->s_anon);
+ hlist_bl_unlock(&tmp->d_sb->s_anon);
+@@ -1931,7 +1931,7 @@ int d_validate(struct dentry *dentry, st
+ struct dentry *child;
+
+ spin_lock(&dparent->d_lock);
+- list_for_each_entry(child, &dparent->d_subdirs, d_u.d_child) {
++ list_for_each_entry(child, &dparent->d_subdirs, d_child) {
+ if (dentry == child) {
+ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
+ __dget_dlock(dentry);
+@@ -2178,8 +2178,8 @@ static void __d_move(struct dentry * den
+ /* Unhash the target: dput() will then get rid of it */
+ __d_drop(target);
+
+- list_del(&dentry->d_u.d_child);
+- list_del(&target->d_u.d_child);
++ list_del(&dentry->d_child);
++ list_del(&target->d_child);
+
+ /* Switch the names.. */
+ switch_names(dentry, target);
+@@ -2189,15 +2189,15 @@ static void __d_move(struct dentry * den
+ if (IS_ROOT(dentry)) {
+ dentry->d_parent = target->d_parent;
+ target->d_parent = target;
+- INIT_LIST_HEAD(&target->d_u.d_child);
++ INIT_LIST_HEAD(&target->d_child);
+ } else {
+ swap(dentry->d_parent, target->d_parent);
+
+ /* And add them back to the (new) parent lists */
+- list_add(&target->d_u.d_child, &target->d_parent->d_subdirs);
++ list_add(&target->d_child, &target->d_parent->d_subdirs);
+ }
+
+- list_add(&dentry->d_u.d_child, &dentry->d_parent->d_subdirs);
++ list_add(&dentry->d_child, &dentry->d_parent->d_subdirs);
+
+ write_seqcount_end(&target->d_seq);
+ write_seqcount_end(&dentry->d_seq);
+@@ -2304,18 +2304,18 @@ static void __d_materialise_dentry(struc
+ swap(dentry->d_name.hash, anon->d_name.hash);
+
+ dentry->d_parent = (aparent == anon) ? dentry : aparent;
+- list_del(&dentry->d_u.d_child);
++ list_del(&dentry->d_child);
+ if (!IS_ROOT(dentry))
+- list_add(&dentry->d_u.d_child, &dentry->d_parent->d_subdirs);
++ list_add(&dentry->d_child, &dentry->d_parent->d_subdirs);
+ else
+- INIT_LIST_HEAD(&dentry->d_u.d_child);
++ INIT_LIST_HEAD(&dentry->d_child);
+
+ anon->d_parent = (dparent == dentry) ? anon : dparent;
+- list_del(&anon->d_u.d_child);
++ list_del(&anon->d_child);
+ if (!IS_ROOT(anon))
+- list_add(&anon->d_u.d_child, &anon->d_parent->d_subdirs);
++ list_add(&anon->d_child, &anon->d_parent->d_subdirs);
+ else
+- INIT_LIST_HEAD(&anon->d_u.d_child);
++ INIT_LIST_HEAD(&anon->d_child);
+
+ write_seqcount_end(&dentry->d_seq);
+ write_seqcount_end(&anon->d_seq);
+@@ -2893,7 +2893,7 @@ repeat:
+ resume:
+ while (next != &this_parent->d_subdirs) {
+ struct list_head *tmp = next;
+- struct dentry *dentry = list_entry(tmp, struct dentry, d_u.d_child);
++ struct dentry *dentry = list_entry(tmp, struct dentry, d_child);
+ next = tmp->next;
+
+ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
+@@ -2923,7 +2923,7 @@ resume:
+ this_parent = try_to_ascend(this_parent, locked, seq);
+ if (!this_parent)
+ goto rename_retry;
+- next = child->d_u.d_child.next;
++ next = child->d_child.next;
+ goto resume;
+ }
+ spin_unlock(&this_parent->d_lock);
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -546,7 +546,7 @@ void debugfs_remove_recursive(struct den
+ * use the d_u.d_child as the rcu head and corrupt this list.
+ */
+ spin_lock(&parent->d_lock);
+- list_for_each_entry(child, &parent->d_subdirs, d_u.d_child) {
++ list_for_each_entry(child, &parent->d_subdirs, d_child) {
+ if (!debugfs_positive(child))
+ continue;
+
+--- a/fs/exportfs/expfs.c
++++ b/fs/exportfs/expfs.c
+@@ -50,7 +50,7 @@ find_acceptable_alias(struct dentry *res
+
+ inode = result->d_inode;
+ spin_lock(&inode->i_lock);
+- list_for_each_entry(dentry, &inode->i_dentry, d_alias) {
++ list_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
+ dget(dentry);
+ spin_unlock(&inode->i_lock);
+ if (toput)
+--- a/fs/ext4/fsync.c
++++ b/fs/ext4/fsync.c
+@@ -139,7 +139,7 @@ static int ext4_sync_parent(struct inode
+ spin_lock(&inode->i_lock);
+ if (!list_empty(&inode->i_dentry)) {
+ dentry = list_first_entry(&inode->i_dentry,
+- struct dentry, d_alias);
++ struct dentry, d_u.d_alias);
+ dget(dentry);
+ }
+ spin_unlock(&inode->i_lock);
+--- a/fs/libfs.c
++++ b/fs/libfs.c
+@@ -104,18 +104,18 @@ loff_t dcache_dir_lseek(struct file *fil
+
+ spin_lock(&dentry->d_lock);
+ /* d_lock not required for cursor */
+- list_del(&cursor->d_u.d_child);
++ list_del(&cursor->d_child);
+ p = dentry->d_subdirs.next;
+ while (n && p != &dentry->d_subdirs) {
+ struct dentry *next;
+- next = list_entry(p, struct dentry, d_u.d_child);
++ next = list_entry(p, struct dentry, d_child);
+ spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
+ if (simple_positive(next))
+ n--;
+ spin_unlock(&next->d_lock);
+ p = p->next;
+ }
+- list_add_tail(&cursor->d_u.d_child, p);
++ list_add_tail(&cursor->d_child, p);
+ spin_unlock(&dentry->d_lock);
+ }
+ }
+@@ -139,7 +139,7 @@ int dcache_readdir(struct file * filp, v
+ {
+ struct dentry *dentry = filp->f_path.dentry;
+ struct dentry *cursor = filp->private_data;
+- struct list_head *p, *q = &cursor->d_u.d_child;
++ struct list_head *p, *q = &cursor->d_child;
+ ino_t ino;
+ int i = filp->f_pos;
+
+@@ -165,7 +165,7 @@ int dcache_readdir(struct file * filp, v
+
+ for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
+ struct dentry *next;
+- next = list_entry(p, struct dentry, d_u.d_child);
++ next = list_entry(p, struct dentry, d_child);
+ spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
+ if (!simple_positive(next)) {
+ spin_unlock(&next->d_lock);
+@@ -282,7 +282,7 @@ int simple_empty(struct dentry *dentry)
+ int ret = 0;
+
+ spin_lock(&dentry->d_lock);
+- list_for_each_entry(child, &dentry->d_subdirs, d_u.d_child) {
++ list_for_each_entry(child, &dentry->d_subdirs, d_child) {
+ spin_lock_nested(&child->d_lock, DENTRY_D_LOCK_NESTED);
+ if (simple_positive(child)) {
+ spin_unlock(&child->d_lock);
+--- a/fs/ncpfs/dir.c
++++ b/fs/ncpfs/dir.c
+@@ -391,7 +391,7 @@ ncp_dget_fpos(struct dentry *dentry, str
+ spin_lock(&parent->d_lock);
+ next = parent->d_subdirs.next;
+ while (next != &parent->d_subdirs) {
+- dent = list_entry(next, struct dentry, d_u.d_child);
++ dent = list_entry(next, struct dentry, d_child);
+ if ((unsigned long)dent->d_fsdata == fpos) {
+ if (dent->d_inode)
+ dget(dent);
+--- a/fs/ncpfs/ncplib_kernel.h
++++ b/fs/ncpfs/ncplib_kernel.h
+@@ -194,7 +194,7 @@ ncp_renew_dentries(struct dentry *parent
+ spin_lock(&parent->d_lock);
+ next = parent->d_subdirs.next;
+ while (next != &parent->d_subdirs) {
+- dentry = list_entry(next, struct dentry, d_u.d_child);
++ dentry = list_entry(next, struct dentry, d_child);
+
+ if (dentry->d_fsdata == NULL)
+ ncp_age_dentry(server, dentry);
+@@ -216,7 +216,7 @@ ncp_invalidate_dircache_entries(struct d
+ spin_lock(&parent->d_lock);
+ next = parent->d_subdirs.next;
+ while (next != &parent->d_subdirs) {
+- dentry = list_entry(next, struct dentry, d_u.d_child);
++ dentry = list_entry(next, struct dentry, d_child);
+ dentry->d_fsdata = NULL;
+ ncp_age_dentry(server, dentry);
+ next = next->next;
+--- a/fs/nfs/getroot.c
++++ b/fs/nfs/getroot.c
+@@ -65,7 +65,7 @@ static int nfs_superblock_set_dummy_root
+ */
+ spin_lock(&sb->s_root->d_inode->i_lock);
+ spin_lock(&sb->s_root->d_lock);
+- list_del_init(&sb->s_root->d_alias);
++ list_del_init(&sb->s_root->d_u.d_alias);
+ spin_unlock(&sb->s_root->d_lock);
+ spin_unlock(&sb->s_root->d_inode->i_lock);
+ }
+--- a/fs/notify/fsnotify.c
++++ b/fs/notify/fsnotify.c
+@@ -62,14 +62,14 @@ void __fsnotify_update_child_dentry_flag
+ spin_lock(&inode->i_lock);
+ /* run all of the dentries associated with this inode. Since this is a
+ * directory, there damn well better only be one item on this list */
+- list_for_each_entry(alias, &inode->i_dentry, d_alias) {
++ list_for_each_entry(alias, &inode->i_dentry, d_u.d_alias) {
+ struct dentry *child;
+
+ /* run all of the children of the original inode and fix their
+ * d_flags to indicate parental interest (their parent is the
+ * original inode) */
+ spin_lock(&alias->d_lock);
+- list_for_each_entry(child, &alias->d_subdirs, d_u.d_child) {
++ list_for_each_entry(child, &alias->d_subdirs, d_child) {
+ if (!child->d_inode)
+ continue;
+
+--- a/fs/ocfs2/dcache.c
++++ b/fs/ocfs2/dcache.c
+@@ -175,7 +175,7 @@ struct dentry *ocfs2_find_local_alias(st
+
+ spin_lock(&inode->i_lock);
+ list_for_each(p, &inode->i_dentry) {
+- dentry = list_entry(p, struct dentry, d_alias);
++ dentry = list_entry(p, struct dentry, d_u.d_alias);
+
+ spin_lock(&dentry->d_lock);
+ if (ocfs2_match_dentry(dentry, parent_blkno, skip_unhashed)) {
+--- a/include/linux/dcache.h
++++ b/include/linux/dcache.h
+@@ -133,15 +133,15 @@ struct dentry {
+ void *d_fsdata; /* fs-specific data */
+
+ struct list_head d_lru; /* LRU list */
++ struct list_head d_child; /* child of parent list */
++ struct list_head d_subdirs; /* our children */
+ /*
+- * d_child and d_rcu can share memory
++ * d_alias and d_rcu can share memory
+ */
+ union {
+- struct list_head d_child; /* child of parent list */
++ struct list_head d_alias; /* inode alias list */
+ struct rcu_head d_rcu;
+ } d_u;
+- struct list_head d_subdirs; /* our children */
+- struct list_head d_alias; /* inode alias list */
+ };
+
+ /*
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -881,7 +881,7 @@ static void cgroup_clear_directory(struc
+ spin_lock(&dentry->d_lock);
+ node = dentry->d_subdirs.next;
+ while (node != &dentry->d_subdirs) {
+- struct dentry *d = list_entry(node, struct dentry, d_u.d_child);
++ struct dentry *d = list_entry(node, struct dentry, d_child);
+
+ spin_lock_nested(&d->d_lock, DENTRY_D_LOCK_NESTED);
+ list_del_init(node);
+@@ -915,7 +915,7 @@ static void cgroup_d_remove_dir(struct d
+ parent = dentry->d_parent;
+ spin_lock(&parent->d_lock);
+ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
+- list_del_init(&dentry->d_u.d_child);
++ list_del_init(&dentry->d_child);
+ spin_unlock(&dentry->d_lock);
+ spin_unlock(&parent->d_lock);
+ remove_dir(dentry);
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -1197,7 +1197,7 @@ static void sel_remove_entries(struct de
+ spin_lock(&de->d_lock);
+ node = de->d_subdirs.next;
+ while (node != &de->d_subdirs) {
+- struct dentry *d = list_entry(node, struct dentry, d_u.d_child);
++ struct dentry *d = list_entry(node, struct dentry, d_child);
+
+ spin_lock_nested(&d->d_lock, DENTRY_D_LOCK_NESTED);
+ list_del_init(node);
+@@ -1704,12 +1704,12 @@ static void sel_remove_classes(void)
+
+ list_for_each(class_node, &class_dir->d_subdirs) {
+ struct dentry *class_subdir = list_entry(class_node,
+- struct dentry, d_u.d_child);
++ struct dentry, d_child);
+ struct list_head *class_subdir_node;
+
+ list_for_each(class_subdir_node, &class_subdir->d_subdirs) {
+ struct dentry *d = list_entry(class_subdir_node,
+- struct dentry, d_u.d_child);
++ struct dentry, d_child);
+
+ if (d->d_inode)
+ if (d->d_inode->i_mode & S_IFDIR)
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-init-collisions.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-init-collisions.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-init-collisions.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-init-collisions.patch)
@@ -0,0 +1,127 @@
+From: Daniel Borkmann <dborkman at redhat.com>
+Date: Thu, 22 Jan 2015 18:26:54 +0100
+Subject: net: sctp: fix slab corruption from use after free on INIT collisions
+Origin: https://git.kernel.org/linus/600ddd6825543962fb807884169e57b580dba208
+
+When hitting an INIT collision case during the 4WHS with AUTH enabled, as
+already described in detail in commit 1be9a950c646 ("net: sctp: inherit
+auth_capable on INIT collisions"), it can happen that we occasionally
+still remotely trigger the following panic on server side which seems to
+have been uncovered after the fix from commit 1be9a950c646 ...
+
+[ 533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
+[ 533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
+[ 533.940559] PGD 5030f2067 PUD 0
+[ 533.957104] Oops: 0000 [#1] SMP
+[ 533.974283] Modules linked in: sctp mlx4_en [...]
+[ 534.939704] Call Trace:
+[ 534.951833] [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
+[ 534.984213] [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
+[ 535.015025] [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
+[ 535.045661] [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
+[ 535.074593] [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
+[ 535.105239] [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
+[ 535.138606] [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
+[ 535.166848] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
+
+... or depending on the the application, for example this one:
+
+[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
+[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
+[ 1370.054568] PGD 633c94067 PUD 0
+[ 1370.070446] Oops: 0000 [#1] SMP
+[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
+[ 1370.963431] Call Trace:
+[ 1370.974632] [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
+[ 1371.000863] [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
+[ 1371.027154] [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
+[ 1371.054679] [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
+[ 1371.080183] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
+
+With slab debugging enabled, we can see that the poison has been overwritten:
+
+[ 669.826368] BUG kmalloc-128 (Tainted: G W ): Poison overwritten
+[ 669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
+[ 669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
+[ 669.826424] __slab_alloc+0x4bf/0x566
+[ 669.826433] __kmalloc+0x280/0x310
+[ 669.826453] sctp_auth_create_key+0x23/0x50 [sctp]
+[ 669.826471] sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
+[ 669.826488] sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
+[ 669.826505] sctp_do_sm+0x29d/0x17c0 [sctp] [...]
+[ 669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
+[ 669.826635] __slab_free+0x39/0x2a8
+[ 669.826643] kfree+0x1d6/0x230
+[ 669.826650] kzfree+0x31/0x40
+[ 669.826666] sctp_auth_key_put+0x19/0x20 [sctp]
+[ 669.826681] sctp_assoc_update+0x1ee/0x2d0 [sctp]
+[ 669.826695] sctp_do_sm+0x674/0x17c0 [sctp]
+
+Since this only triggers in some collision-cases with AUTH, the problem at
+heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
+when having refcnt 1, once directly in sctp_assoc_update() and yet again
+from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
+the already kzfree'd memory, which is also consistent with the observation
+of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
+at a later point in time when poison is checked on new allocation).
+
+Reference counting of auth keys revisited:
+
+Shared keys for AUTH chunks are being stored in endpoints and associations
+in endpoint_shared_keys list. On endpoint creation, a null key is being
+added; on association creation, all endpoint shared keys are being cached
+and thus cloned over to the association. struct sctp_shared_key only holds
+a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
+keeps track of users internally through refcounting. Naturally, on assoc
+or enpoint destruction, sctp_shared_key are being destroyed directly and
+the reference on sctp_auth_bytes dropped.
+
+User space can add keys to either list via setsockopt(2) through struct
+sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
+adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
+with refcount 1 and in case of replacement drops the reference on the old
+sctp_auth_bytes. A key can be set active from user space through setsockopt()
+on the id via sctp_auth_set_active_key(), which iterates through either
+endpoint_shared_keys and in case of an assoc, invokes (one of various places)
+sctp_auth_asoc_init_active_key().
+
+sctp_auth_asoc_init_active_key() computes the actual secret from local's
+and peer's random, hmac and shared key parameters and returns a new key
+directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
+the reference if there was a previous one. The secret, which where we
+eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
+intitial refcount of 1, which also stays unchanged eventually in
+sctp_assoc_update(). This key is later being used for crypto layer to
+set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
+
+To close the loop: asoc->asoc_shared_key is freshly allocated secret
+material and independant of the sctp_shared_key management keeping track
+of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
+("net: sctp: fix memory leak in auth key management") is independant of
+this bug here since it concerns a different layer (though same structures
+being used eventually). asoc->asoc_shared_key is reference dropped correctly
+on assoc destruction in sctp_association_free() and when active keys are
+being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
+of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
+to remove that sctp_auth_key_put() from there which fixes these panics.
+
+Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
+Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
+Acked-by: Vlad Yasevich <vyasevich at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/sctp/associola.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -1272,7 +1272,6 @@ void sctp_assoc_update(struct sctp_assoc
+ asoc->peer.peer_hmacs = new->peer.peer_hmacs;
+ new->peer.peer_hmacs = NULL;
+
+- sctp_auth_key_put(asoc->asoc_shared_key);
+ sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC);
+ }
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch)
@@ -0,0 +1,88 @@
+From: Florian Westphal <fw at strlen.de>
+Date: Fri, 26 Sep 2014 11:35:42 +0200
+Subject: netfilter: conntrack: disable generic tracking for known protocols
+Origin: https://git.kernel.org/linus/db29a9508a9246e77087c5531e45b2c88ec6988b
+
+Given following iptables ruleset:
+
+-P FORWARD DROP
+-A FORWARD -m sctp --dport 9 -j ACCEPT
+-A FORWARD -p tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
+
+One would assume that this allows SCTP on port 9 and TCP on port 80.
+Unfortunately, if the SCTP conntrack module is not loaded, this allows
+*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
+which we think is a security issue.
+
+This is because on the first SCTP packet on port 9, we create a dummy
+"generic l4" conntrack entry without any port information (since
+conntrack doesn't know how to extract this information).
+
+All subsequent packets that are unknown will then be in established
+state since they will fallback to proto_generic and will match the
+'generic' entry.
+
+Our originally proposed version [1] completely disabled generic protocol
+tracking, but Jozsef suggests to not track protocols for which a more
+suitable helper is available, hence we now mitigate the issue for in
+tree known ct protocol helpers only, so that at least NAT and direction
+information will still be preserved for others.
+
+ [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
+
+Joint work with Daniel Borkmann.
+
+Signed-off-by: Florian Westphal <fw at strlen.de>
+Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
+Acked-by: Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+[bwh: Backported to 2.6.32: adjust context]
+---
+ net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
+index d25f293..957c1db 100644
+--- a/net/netfilter/nf_conntrack_proto_generic.c
++++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+
+ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+
++static bool nf_generic_should_process(u8 proto)
++{
++ switch (proto) {
++#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
++ case IPPROTO_SCTP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
++ case IPPROTO_DCCP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
++ case IPPROTO_GRE:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
++ case IPPROTO_UDPLITE:
++ return false;
++#endif
++ default:
++ return true;
++ }
++}
++
+ static bool generic_pkt_to_tuple(const struct sk_buff *skb,
+ unsigned int dataoff,
+ struct nf_conntrack_tuple *tuple)
+@@ -56,7 +80,7 @@ static int generic_packet(struct nf_conn *ct,
+ static bool new(struct nf_conn *ct, const struct sk_buff *skb,
+ unsigned int dataoff)
+ {
+- return true;
++ return nf_generic_should_process(nf_ct_protonum(ct));
+ }
+
+ #ifdef CONFIG_SYSCTL
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch)
@@ -0,0 +1,64 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check(). This was not being done for
+the splice write path. It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/ocfs2/file.c | 8 ++++++--
+ fs/splice.c | 8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2468,9 +2468,7 @@ static ssize_t ocfs2_file_splice_write(s
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+
+@@ -2480,6 +2478,12 @@ static ssize_t ocfs2_file_splice_write(s
+ out->f_path.dentry->d_name.len,
+ out->f_path.dentry->d_name.name, len);
+
++ ret = generic_write_checks(out, ppos, &len, 0);
++ if (ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
++
+ if (pipe->inode)
+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_PARENT);
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1013,13 +1013,17 @@ generic_file_splice_write(struct pipe_in
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+ ssize_t ret;
+
++ ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++ if (ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
++
+ pipe_lock(pipe);
+
+ splice_from_pipe_begin(&sd);
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/vfs-fix-vfsmount_lock-imbalance-in-path_init.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/vfs-fix-vfsmount_lock-imbalance-in-path_init.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/vfs-fix-vfsmount_lock-imbalance-in-path_init.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/vfs-fix-vfsmount_lock-imbalance-in-path_init.patch)
@@ -0,0 +1,25 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 16 Feb 2015 03:21:17 +0000
+Subject: vfs: Fix vfsmount_lock imbalance in path_init()
+
+When backporting commit 4023bfc9f351 ("be careful with nd->inode in
+path_init() and follow_dotdot_rcu()"), I failed to account for the
+vfsmount_lock that is used in 3.2 but not upstream. path_init() takes
+the lock if performing RCU lookup, but must drop it if (and only if)
+it subsequently fails.
+
+Reported-by: nuxi at vault24.org
+References: https://bugzilla.kernel.org/show_bug.cgi?id=92531
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Tested-by: nuxi at vault24.org
+---
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1682,6 +1682,7 @@ static int path_init(int dfd, const char
+ if (!(nd->flags & LOOKUP_ROOT))
+ nd->root.mnt = NULL;
+ rcu_read_unlock();
++ br_read_unlock(vfsmount_lock);
+ return -ECHILD;
+
+ fput_fail:
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch)
@@ -0,0 +1,37 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Subject: vfs: read file_handle only once in handle_to_path
+Date: Wed, 28 Jan 2015 15:30:43 -0500
+Origin: http://article.gmane.org/gmane.linux.file-systems/92438
+
+We used to read file_handle twice. Once to get the amount of extra bytes, and
+once to fetch the entire structure.
+
+This may be problematic since we do size verifications only after the first
+read, so if the number of extra bytes changes in userspace between the first
+and second calls, we'll have an incoherent view of file_handle.
+
+Instead, read the constant size once, and copy that over to the final
+structure without having to re-read it again.
+
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+---
+Change in v2:
+ - Use the f_handle pointer rather than size of struct
+
+ fs/fhandle.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/fhandle.c
++++ b/fs/fhandle.c
+@@ -196,8 +196,9 @@ static int handle_to_path(int mountdirfd
+ goto out_err;
+ }
+ /* copy the full handle */
+- if (copy_from_user(handle, ufh,
+- sizeof(struct file_handle) +
++ *handle = f_handle;
++ if (copy_from_user(&handle->f_handle,
++ &ufh->f_handle,
+ f_handle.handle_bytes)) {
+ retval = -EFAULT;
+ goto out_handle;
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/kvm-x86-emulator-reject-sysenter-in-compatibility-mo.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/kvm-x86-emulator-reject-sysenter-in-compatibility-mo.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/kvm-x86-emulator-reject-sysenter-in-compatibility-mo.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/kvm-x86-emulator-reject-sysenter-in-compatibility-mo.patch)
@@ -0,0 +1,51 @@
+From: Avi Kivity <avi at redhat.com>
+Date: Wed, 1 Feb 2012 12:23:21 +0200
+Subject: KVM: x86 emulator: reject SYSENTER in compatibility mode on AMD
+ guests
+Origin: https://git.kernel.org/linus/1a18a69b762374c423305772500f36eb8984ca52
+
+If the guest thinks it's an AMD, it will not have prepared the SYSENTER MSRs,
+and if the guest executes SYSENTER in compatibility mode, it will fails.
+
+Detect this condition and #UD instead, like the spec says.
+
+Signed-off-by: Avi Kivity <avi at redhat.com>
+---
+ arch/x86/kvm/emulate.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1952,6 +1952,17 @@ setup_syscalls_segments(struct x86_emula
+ ss->p = 1;
+ }
+
++static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
++{
++ u32 eax, ebx, ecx, edx;
++
++ eax = ecx = 0;
++ return ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)
++ && ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
++ && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
++ && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
++}
++
+ static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
+ {
+ struct x86_emulate_ops *ops = ctxt->ops;
+@@ -2068,6 +2079,14 @@ static int em_sysenter(struct x86_emulat
+ if (ctxt->mode == X86EMUL_MODE_REAL)
+ return emulate_gp(ctxt, 0);
+
++ /*
++ * Not recognized on AMD in compat mode (but is recognized in legacy
++ * mode).
++ */
++ if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
++ && !vendor_intel(ctxt))
++ return emulate_ud(ctxt);
++
+ /* XXX sysenter/sysexit have not been tested in 64bit mode.
+ * Therefore, we inject an #UD.
+ */
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch)
@@ -0,0 +1,76 @@
+From: Nadav Amit <namit at cs.technion.ac.il>
+Date: Thu, 1 Jan 2015 23:11:11 +0200
+Subject: KVM: x86: SYSENTER emulation is broken
+Origin: https://git.kernel.org/linus/f3747379accba8e95d70cec0eae0582c8c182050
+
+SYSENTER emulation is broken in several ways:
+1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
+2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
+ still be set without causing #GP).
+3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
+ legacy-mode.
+4. There is some unneeded code.
+
+Fix it.
+
+Cc: stable at vger.linux.org
+Signed-off-by: Nadav Amit <namit at cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Backported to 3.2: adjust context]
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2083,7 +2083,7 @@ static int em_sysenter(struct x86_emulat
+ * Not recognized on AMD in compat mode (but is recognized in legacy
+ * mode).
+ */
+- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
+ && !vendor_intel(ctxt))
+ return emulate_ud(ctxt);
+
+@@ -2096,23 +2096,13 @@ static int em_sysenter(struct x86_emulat
+ setup_syscalls_segments(ctxt, &cs, &ss);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+- switch (ctxt->mode) {
+- case X86EMUL_MODE_PROT32:
+- if ((msr_data & 0xfffc) == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- case X86EMUL_MODE_PROT64:
+- if (msr_data == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- }
++ if ((msr_data & 0xfffc) == 0x0)
++ return emulate_gp(ctxt, 0);
+
+ ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+- cs_sel = (u16)msr_data;
+- cs_sel &= ~SELECTOR_RPL_MASK;
++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
+ ss_sel = cs_sel + 8;
+- ss_sel &= ~SELECTOR_RPL_MASK;
+- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
++ if (efer & EFER_LMA) {
+ cs.d = 0;
+ cs.l = 1;
+ }
+@@ -2121,10 +2111,11 @@ static int em_sysenter(struct x86_emulat
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
+- ctxt->_eip = msr_data;
++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
+- ctxt->regs[VCPU_REGS_RSP] = msr_data;
++ ctxt->regs[VCPU_REGS_RSP] = (efer & EFER_LMA) ? msr_data :
++ (u32)msr_data;
+
+ return X86EMUL_CONTINUE;
+ }
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no-segment.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no-segment.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no-segment.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no-segment.patch)
@@ -0,0 +1,108 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Thu, 22 Jan 2015 11:27:59 -0800
+Subject: x86, tls: Interpret an all-zero struct user_desc as "no segment"
+Origin: https://git.kernel.org/linus/3669ef9fa7d35f573ec9c0e0341b29251c2734a7
+
+The Witcher 2 did something like this to allocate a TLS segment index:
+
+ struct user_desc u_info;
+ bzero(&u_info, sizeof(u_info));
+ u_info.entry_number = (uint32_t)-1;
+
+ syscall(SYS_set_thread_area, &u_info);
+
+Strictly speaking, this code was never correct. It should have set
+read_exec_only and seg_not_present to 1 to indicate that it wanted
+to find a free slot without putting anything there, or it should
+have put something sensible in the TLS slot if it wanted to allocate
+a TLS entry for real. The actual effect of this code was to
+allocate a bogus segment that could be used to exploit espfix.
+
+The set_thread_area hardening patches changed the behavior, causing
+set_thread_area to return -EINVAL and crashing the game.
+
+This changes set_thread_area to interpret this as a request to find
+a free slot and to leave it empty, which isn't *quite* what the game
+expects but should be close enough to keep it working. In
+particular, using the code above to allocate two segments will
+allocate the same segment both times.
+
+According to FrostbittenKing on Github, this fixes The Witcher 2.
+
+If this somehow still causes problems, we could instead allocate
+a limit==0 32-bit data segment, but that seems rather ugly to me.
+
+Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Cc: torvalds at linux-foundation.org
+Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.net
+Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/include/asm/desc.h | 13 +++++++++++++
+ arch/x86/kernel/tls.c | 25 +++++++++++++++++++++++--
+ 2 files changed, 36 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/desc.h
++++ b/arch/x86/include/asm/desc.h
+@@ -259,6 +259,19 @@ static inline void native_load_tls(struc
+ (info)->seg_not_present == 1 && \
+ (info)->useable == 0)
+
++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */
++static inline bool LDT_zero(const struct user_desc *info)
++{
++ return (info->base_addr == 0 &&
++ info->limit == 0 &&
++ info->contents == 0 &&
++ info->read_exec_only == 0 &&
++ info->seg_32bit == 0 &&
++ info->limit_in_pages == 0 &&
++ info->seg_not_present == 0 &&
++ info->useable == 0);
++}
++
+ static inline void clear_LDT(void)
+ {
+ set_ldt(NULL, 0);
+--- a/arch/x86/kernel/tls.c
++++ b/arch/x86/kernel/tls.c
+@@ -30,7 +30,28 @@ static int get_free_idx(void)
+
+ static bool tls_desc_okay(const struct user_desc *info)
+ {
+- if (LDT_empty(info))
++ /*
++ * For historical reasons (i.e. no one ever documented how any
++ * of the segmentation APIs work), user programs can and do
++ * assume that a struct user_desc that's all zeros except for
++ * entry_number means "no segment at all". This never actually
++ * worked. In fact, up to Linux 3.19, a struct user_desc like
++ * this would create a 16-bit read-write segment with base and
++ * limit both equal to zero.
++ *
++ * That was close enough to "no segment at all" until we
++ * hardened this function to disallow 16-bit TLS segments. Fix
++ * it up by interpreting these zeroed segments the way that they
++ * were almost certainly intended to be interpreted.
++ *
++ * The correct way to ask for "no segment at all" is to specify
++ * a user_desc that satisfies LDT_empty. To keep everything
++ * working, we accept both.
++ *
++ * Note that there's a similar kludge in modify_ldt -- look at
++ * the distinction between modes 1 and 0x11.
++ */
++ if (LDT_empty(info) || LDT_zero(info))
+ return true;
+
+ /*
+@@ -56,7 +77,7 @@ static void set_tls_desc(struct task_str
+ cpu = get_cpu();
+
+ while (n-- > 0) {
+- if (LDT_empty(info))
++ if (LDT_empty(info) || LDT_zero(info))
+ desc->a = desc->b = 0;
+ else
+ fill_ldt(desc, info);
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86-tls-ldt-stop-checking-lm-in-ldt_empty.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-tls-ldt-stop-checking-lm-in-ldt_empty.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86-tls-ldt-stop-checking-lm-in-ldt_empty.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-tls-ldt-stop-checking-lm-in-ldt_empty.patch)
@@ -0,0 +1,47 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Thu, 22 Jan 2015 11:27:58 -0800
+Subject: x86, tls, ldt: Stop checking lm in LDT_empty
+Origin: https://git.kernel.org/linus/e30ab185c490e9a9381385529e0fd32f0a399495
+
+32-bit programs don't have an lm bit in their ABI, so they can't
+reliably cause LDT_empty to return true without resorting to memset.
+They shouldn't need to do this.
+
+This should fix a longstanding, if minor, issue in all 64-bit kernels
+as well as a potential regression in the TLS hardening code.
+
+Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Cc: torvalds at linux-foundation.org
+Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.net
+Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/include/asm/desc.h | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/include/asm/desc.h
++++ b/arch/x86/include/asm/desc.h
+@@ -248,7 +248,8 @@ static inline void native_load_tls(struc
+ gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
+ }
+
+-#define _LDT_empty(info) \
++/* This intentionally ignores lm, since 32-bit apps don't have that field. */
++#define LDT_empty(info) \
+ ((info)->base_addr == 0 && \
+ (info)->limit == 0 && \
+ (info)->contents == 0 && \
+@@ -258,12 +259,6 @@ static inline void native_load_tls(struc
+ (info)->seg_not_present == 1 && \
+ (info)->useable == 0)
+
+-#ifdef CONFIG_X86_64
+-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0))
+-#else
+-#define LDT_empty(info) (_LDT_empty(info))
+-#endif
+-
+ static inline void clear_LDT(void)
+ {
+ set_ldt(NULL, 0);
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-vdso-fix-the-vdso-address-randomization-algor.patch (from r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-vdso-fix-the-vdso-address-randomization-algor.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-vdso-fix-the-vdso-address-randomization-algor.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-vdso-fix-the-vdso-address-randomization-algor.patch)
@@ -0,0 +1,117 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Fri, 19 Dec 2014 16:04:11 -0800
+Subject: x86_64, vdso: Fix the vdso address randomization algorithm
+Origin: https://git.kernel.org/linus/394f56fe480140877304d342dec46d50dc823d46
+
+The theory behind vdso randomization is that it's mapped at a random
+offset above the top of the stack. To avoid wasting a page of
+memory for an extra page table, the vdso isn't supposed to extend
+past the lowest PMD into which it can fit. Other than that, the
+address should be a uniformly distributed address that meets all of
+the alignment requirements.
+
+The current algorithm is buggy: the vdso has about a 50% probability
+of being at the very end of a PMD. The current algorithm also has a
+decent chance of failing outright due to incorrect handling of the
+case where the top of the stack is near the top of its PMD.
+
+This fixes the implementation. The paxtest estimate of vdso
+"randomisation" improves from 11 bits to 18 bits. (Disclaimer: I
+don't know what the paxtest code is actually calculating.)
+
+It's worth noting that this algorithm is inherently biased: the vdso
+is more likely to end up near the end of its PMD than near the
+beginning. Ideally we would either nix the PMD sharing requirement
+or jointly randomize the vdso and the stack to reduce the bias.
+
+In the mean time, this is a considerable improvement with basically
+no risk of compatibility issues, since the allowed outputs of the
+algorithm are unchanged.
+
+As an easy test, doing this:
+
+for i in `seq 10000`
+ do grep -P vdso /proc/self/maps |cut -d- -f1
+done |sort |uniq -d
+
+used to produce lots of output (1445 lines on my most recent run).
+A tiny subset looks like this:
+
+7fffdfffe000
+7fffe01fe000
+7fffe05fe000
+7fffe07fe000
+7fffe09fe000
+7fffe0bfe000
+7fffe0dfe000
+
+Note the suspicious fe000 endings. With the fix, I get a much more
+palatable 76 repeated addresses.
+
+Reviewed-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+[bwh: Backported to 2.6.32:
+ - Adjust context
+ - The whole file is only built for x86_64; adjust comment for this]
+---
+--- a/arch/x86/vdso/vma.c
++++ b/arch/x86/vdso/vma.c
+@@ -72,30 +72,43 @@ subsys_initcall(init_vdso);
+
+ struct linux_binprm;
+
+-/* Put the vdso above the (randomized) stack with another randomized offset.
+- This way there is no hole in the middle of address space.
+- To save memory make sure it is still in the same PTE as the stack top.
+- This doesn't give that many random bits */
++/*
++ * Put the vdso above the (randomized) stack with another randomized
++ * offset. This way there is no hole in the middle of address space.
++ * To save memory make sure it is still in the same PTE as the stack
++ * top. This doesn't give that many random bits.
++ *
++ * Note that this algorithm is imperfect: the distribution of the vdso
++ * start address within a PMD is biased toward the end.
++ */
+ static unsigned long vdso_addr(unsigned long start, unsigned len)
+ {
+ unsigned long addr, end;
+ unsigned offset;
+- end = (start + PMD_SIZE - 1) & PMD_MASK;
++
++ /*
++ * Round up the start address. It can start out unaligned as a result
++ * of stack start randomization.
++ */
++ start = PAGE_ALIGN(start);
++
++ /* Round the lowest possible end address up to a PMD boundary. */
++ end = (start + len + PMD_SIZE - 1) & PMD_MASK;
+ if (end >= TASK_SIZE_MAX)
+ end = TASK_SIZE_MAX;
+ end -= len;
+- /* This loses some more bits than a modulo, but is cheaper */
+- offset = get_random_int() & (PTRS_PER_PTE - 1);
+- addr = start + (offset << PAGE_SHIFT);
+- if (addr >= end)
+- addr = end;
++
++ if (end > start) {
++ offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
++ addr = start + (offset << PAGE_SHIFT);
++ } else {
++ addr = start;
++ }
+
+ /*
+- * page-align it here so that get_unmapped_area doesn't
+- * align it wrongfully again to the next page. addr can come in 4K
+- * unaligned here as a result of stack start randomization.
++ * Forcibly align the final address in case we have a hardware
++ * issue that requires alignment for performance reasons.
+ */
+- addr = PAGE_ALIGN(addr);
+ addr = align_addr(addr, NULL, ALIGN_VDSO);
+
+ return addr;
Copied: dists/squeeze-backports/linux/debian/patches/debian/vfs-avoid-abi-change-for-dentry-union-changes.patch (from r22408, dists/wheezy-security/linux/debian/patches/debian/vfs-avoid-abi-change-for-dentry-union-changes.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/debian/vfs-avoid-abi-change-for-dentry-union-changes.patch Sun Feb 22 03:53:27 2015 (r22411, copy of r22408, dists/wheezy-security/linux/debian/patches/debian/vfs-avoid-abi-change-for-dentry-union-changes.patch)
@@ -0,0 +1,76 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 12 Jan 2015 04:54:59 +0000
+Subject: vfs: Avoid ABI change for dentry union changes
+Forwarded: not-needed
+
+Commit 946e51f2bf37f1656916eb75bd0742ba33983c28 ("move d_rcu from
+overlapping d_child to overlapping d_alias") looks disruptive and
+it is an API change since the union is named. However, it doesn't
+actually move anything that modules need, so it is not an ABI
+change and we can safely hide it from genksysms.
+
+Verify this by adding an unused function with some BUILD_BUG_ONs
+to assert the size and alignment of fields remain the same.
+
+---
+--- a/include/linux/dcache.h
++++ b/include/linux/dcache.h
+@@ -133,15 +133,31 @@ struct dentry {
+ void *d_fsdata; /* fs-specific data */
+
+ struct list_head d_lru; /* LRU list */
++#ifdef __GENKSYMS__
++ /*
++ * bwh: The union changes here don't move anything other than
++ * d_rcu (which modules definitely should not touch). This is
++ * checked by dcache_abi_check().
++ */
++ union {
++#endif
+ struct list_head d_child; /* child of parent list */
++#ifdef __GENKSYMS__
++ struct rcu_head d_rcu;
++ } d_u;
++#endif
+ struct list_head d_subdirs; /* our children */
+ /*
+ * d_alias and d_rcu can share memory
+ */
++#ifndef __GENKSYMS__
+ union {
++#endif
+ struct list_head d_alias; /* inode alias list */
++#ifndef __GENKSYMS__
+ struct rcu_head d_rcu;
+ } d_u;
++#endif
+ };
+
+ /*
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -163,6 +163,24 @@ static void d_free(struct dentry *dentry
+ call_rcu(&dentry->d_u.d_rcu, __d_free);
+ }
+
++/*
++ * bwh: Assert that dentry union changes didn't change the structure
++ * layout other than to move d_rcu.
++ */
++static void __always_unused dcache_abi_check(void)
++{
++ struct dentry dentry;
++ union {
++ struct list_head d_child;
++ struct rcu_head d_rcu;
++ } old_d_u;
++ BUILD_BUG_ON(sizeof(dentry.d_child) != sizeof(old_d_u) ||
++ __alignof__(dentry.d_child) != __alignof__(old_d_u));
++ BUILD_BUG_ON(sizeof(dentry.d_u.d_alias) != sizeof(dentry.d_u) ||
++ __alignof__(dentry.d_u.d_alias) !=
++ __alignof__(dentry.d_u));
++}
++
+ /**
+ * dentry_rcuwalk_barrier - invalidate in-progress rcu-walk lookups
+ * @dentry: the target dentry
Modified: dists/squeeze-backports/linux/debian/patches/series
==============================================================================
--- dists/squeeze-backports/linux/debian/patches/series Sun Feb 22 03:51:06 2015 (r22410)
+++ dists/squeeze-backports/linux/debian/patches/series Sun Feb 22 03:53:27 2015 (r22411)
@@ -1153,3 +1153,23 @@
bugfix/x86/x86_64-switch_to-load-tls-descriptors-before-switchi.patch
bugfix/all/keys-close-race-between-key-lookup-and-freeing.patch
bugfix/all/isofs-fix-unchecked-printing-of-er-records.patch
+bugfix/all/splice-apply-generic-position-and-size-checks-to-eac.patch
+bugfix/all/crypto-prefix-module-autoloading-with-crypto.patch
+bugfix/all/crypto-include-crypto-module-prefix-in-template.patch
+bugfix/all/crypto-add-missing-crypto-module-aliases.patch
+bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch
+bugfix/x86/x86_64-vdso-fix-the-vdso-address-randomization-algor.patch
+bugfix/x86/kvm-x86-emulator-reject-sysenter-in-compatibility-mo.patch
+bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch
+bugfix/all/move-d_rcu-from-overlapping-d_child-to-overlapping-d_alias.patch
+bugfix/all/aufs-move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch
+bugfix/all/deal-with-deadlock-in-d_walk.patch
+bugfix/all/dcache-fix-locking-bugs-in-backported-deal-with-deadlock-in-d_walk.patch
+debian/vfs-avoid-abi-change-for-dentry-union-changes.patch
+bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
+bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch
+bugfix/all/vfs-fix-vfsmount_lock-imbalance-in-path_init.patch
+bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-init-collisions.patch
+bugfix/x86/x86-tls-ldt-stop-checking-lm-in-ldt_empty.patch
+bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no-segment.patch
+bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch
More information about the Kernel-svn-changes
mailing list