Merge changes from sid up to 3.2.32

svn path=/dists/trunk/linux/; revision=19452
2012-10-22 13:47:03 +00:00 · 2012-10-22 13:47:03 +00:00 · b5aba14e0d
parent 61990055a7 78fdfb1558
commit b5aba14e0d
8 changed files with 273 additions and 1 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -176,6 +176,110 @@ linux-2.6 (3.3~rc6-1~experimental.1) experimental; urgency=low

 -- Ben Hutchings <ben@decadent.org.uk>  Sun, 04 Mar 2012 20:27:42 +0000

+linux (3.2.32-1) unstable; urgency=low
+
+  * New upstream stable update:
+    http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.31
+    - target: Fix ->data_length re-assignment bug with SCSI overflow
+    - hpsa: fix handling of protocol error
+    - cifs: fix return value in cifsConvertToUTF16
+    - asix: Support DLink DUB-E100 H/W Ver C1 (Closes: #687567)
+    - dj: memory scribble in logi_dj
+    - dm: handle requests beyond end of device instead of using BUG_ON
+    - md/raid10: fix "enough" function for detecting if array is failed.
+    - libata: Prevent interface errors with Seagate FreeAgent GoFlex
+    - vfs: dcache: fix deadlock in tree traversal
+    - Revert "drm/radeon: rework pll selection (v3)" (regression in 3.2.30)
+    - HID: hidraw: don't deallocate memory when it is in use
+    - xfrm: Workaround incompatibility of ESN and async crypto
+    - xfrm_user: fix various information leaks
+    - xfrm_user: ensure user supplied esn replay window is valid
+    - net: guard tcp_set_keepalive() to tcp sockets
+    - ipv4: raw: fix icmp_filter()
+    - ipv6: raw: fix icmpv6_filter()
+    - ipv6: mip6: fix mip6_mh_filter()
+    - netrom: copy_datagram_iovec can fail
+    http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.32
+    - mtd: nand: Use the mirror BBT descriptor when reading its version
+    - TTY: ttyprintk, don't touch behind tty->write_buf
+    - n_gsm: fix various serious bugs
+    - hpsa: Use LUN reset instead of target reset
+    - staging: comedi: don't dereference user memory for INSN_INTTRIG
+    - ext4: fix potential deadlock in ext4_nonda_switch()
+    - staging: comedi: fix memory leak for saved channel list
+    - scsi_remove_target: fix softlockup regression on hot remove
+      (Closes: #690990)
+    - usb: host: xhci: Fix Null pointer dereferencing with 71c731a for
+      non-x86 systems (regression in 3.2.30)
+    - ext4: online defrag is not supported for journaled files
+    - staging: comedi: s626: don't dereference insn->data
+    - serial: pl011: handle corruption at high clock speeds
+    - ext4: always set i_op in ext4_mknod()
+    - ext4: fix fdatasync() for files with only i_size changes
+    - [x86] drm/i915: use adjusted_mode instead of mode for checking the
+      6bpc force flag (regression in 3.2.29)
+    - staging: comedi: jr3_pci: fix iomem dereference
+    - JFFS2: don't fail on bitflips in OOB
+    - mtd: nandsim: bugfix: fail if overridesize is too big
+    - pnfsblock: fix partial page buffer wirte
+    - target/file: Re-enable optional fd_buffered_io=1 operation
+    - iscsit: remove incorrect unlock in iscsit_build_sendtargets_resp
+    - rapidio/rionet: fix multicast packet transmit logic
+    - ALSA: aloop - add locking to timer access
+    - [armhf/omap] counter: add locking to read_persistent_clock
+    - mm: fix invalidate_complete_page2() lock ordering
+    - mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP
+    - mm: hugetlb: fix pgoff computation when unmapping page from vma
+    - hugetlb: do not use vma_hugecache_offset() for vma_prio_tree_foreach
+    - [x86] firewire: cdev: fix user memory corruption (i386 userland on
+      amd64 kernel)
+    - udf: fix retun value on error path in udf_load_logicalvol
+    - eCryptfs: Unlink lower inode when ecryptfs_create() fails
+    - eCryptfs: Initialize empty lower files when opening them
+    - eCryptfs: Revert to a writethrough cache model
+    - eCryptfs: Write out all dirty pages just before releasing the lower file
+    - eCryptfs: Call lower ->flush() from ecryptfs_flush()
+    - mempolicy: remove mempolicy sharing
+    - mempolicy: fix a race in shared_policy_replace()
+    - mempolicy: fix refcount leak in mpol_set_shared_policy()
+    - mempolicy: fix a memory corruption by refcount imbalance in
+      alloc_pages_vma()
+    - hpsa: dial down lockup detection during firmware flash
+    - netfilter: nf_ct_ipv4: packets with wrong ihl are invalid
+    - netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP
+      expectation
+    - netfilter: nf_ct_expect: fix possible access to uninitialized timer
+    - ipvs: fix oops on NAT reply in br_nf context
+
+  [ Ben Hutchings ]
+  * codel: refine one condition to avoid a nul rec_inv_sqrt
+  * [mips,mipsel] Ignore NFS/SunRPC ABI changes in 3.2.30 (fixes FTBFS)
+  * tg3: Fix TSO CAP for 5704 devs w / ASF enabled
+  * SUNRPC: Set alloc_slot for backchannel tcp ops (regression in 3.2.30)
+  * iwlwifi: Do not request unreleased firmware for IWL6000 (Closes: #689416)
+  * aufs: Update to aufs3.2-20120827:
+    - Fix statfs() values when different block sizes are in use
+  * udeb: Add hid-logitech-dj to input-modules (Closes: #661379)
+  * connector: Make CONNECTOR built-in; enable PROC_EVENTS (Closes: #588200)
+  * e1000e: Change wthresh to 1 to avoid possible Tx stalls
+  * [x86] efi: Build EFI stub with EFI-appropriate options
+  * [rt] Update to 3.2.32-rt48:
+    - random: Make add_interrupt_randomness() work on rt
+    - softirq: Init softirq local lock after per cpu section is set up
+    - mm: slab: Fix potential deadlock
+    - mm: page_alloc: Use local_lock_on() instead of plain spinlock
+    - rt: rwsem/rwlock: lockdep annotations
+    - sched: Better debug output for might sleep
+    - stomp_machine: Use mutex_trylock when called from inactive cpu
+  * [x86] storvsc: Account for in-transit packets in the RESET path
+  * fs: handle failed audit_log_start properly
+  * fs: prevent use after free in auditing when symlink following was denied
+  * kernel/sys.c: fix stack memory content leak via UNAME26 (CVE-2012-0957)
+  * ALSA: hda: Fix oops caused by "Fix internal mic for Lenovo Ideapad U300s"
+    in 3.2.32
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Mon, 22 Oct 2012 06:25:37 +0100
+
 linux (3.2.30-1) unstable; urgency=low

  * New upstream stable update:
--- a/debian/config/config
+++ b/debian/config/config
@ -288,7 +288,8 @@ CONFIG_IPWIRELESS=m
 ##
 ## file: drivers/connector/Kconfig
 ##
-CONFIG_CONNECTOR=m
+CONFIG_CONNECTOR=y
+CONFIG_PROC_EVENTS=y

 ##
 ## file: drivers/cpufreq/Kconfig
--- a/debian/installer/modules/input-modules
+++ b/debian/installer/modules/input-modules
@ -4,6 +4,7 @@ hid-apple ?
 hid-belkin ?
 hid-microsoft ?
 hid-logitech ?
+hid-logitech-dj
 hid-monterey ?
 hid-sunplus ?
 hid-cherry ?
--- a/debian/patches/bugfix/all/SUNRPC-Set-alloc_slot-for-backchannel-tcp-ops.patch
+++ b/debian/patches/bugfix/all/SUNRPC-Set-alloc_slot-for-backchannel-tcp-ops.patch
@ -0,0 +1,45 @@
+From: Bryan Schumaker <bjschuma@netapp.com>
+Date: Mon, 24 Sep 2012 13:39:01 -0400
+Subject: SUNRPC: Set alloc_slot for backchannel tcp ops
+
+commit 84e28a307e376f271505af65a7b7e212dd6f61f4 upstream.
+
+f39c1bfb5a03e2d255451bff05be0d7255298fa4 (SUNRPC: Fix a UDP transport
+regression) introduced the "alloc_slot" function for xprt operations,
+but never created one for the backchannel operations.  This patch fixes
+a null pointer dereference when mounting NFS over v4.1.
+
+Call Trace:
+ [<ffffffffa0207957>] ? xprt_reserve+0x47/0x50 [sunrpc]
+ [<ffffffffa02023a4>] call_reserve+0x34/0x60 [sunrpc]
+ [<ffffffffa020e280>] __rpc_execute+0x90/0x400 [sunrpc]
+ [<ffffffffa020e61a>] rpc_async_schedule+0x2a/0x40 [sunrpc]
+ [<ffffffff81073589>] process_one_work+0x139/0x500
+ [<ffffffff81070e70>] ? alloc_worker+0x70/0x70
+ [<ffffffffa020e5f0>] ? __rpc_execute+0x400/0x400 [sunrpc]
+ [<ffffffff81073d1e>] worker_thread+0x15e/0x460
+ [<ffffffff8145c839>] ? preempt_schedule+0x49/0x70
+ [<ffffffff81073bc0>] ? rescuer_thread+0x230/0x230
+ [<ffffffff81079603>] kthread+0x93/0xa0
+ [<ffffffff81465d04>] kernel_thread_helper+0x4/0x10
+ [<ffffffff81079570>] ? kthread_freezable_should_stop+0x70/0x70
+ [<ffffffff81465d00>] ? gs_change+0x13/0x13
+
+Signed-off-by: Bryan Schumaker <bjschuma@netapp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+---
+ net/sunrpc/xprtsock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
+index d1988cf..97f8918 100644
+--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
+@@ -2539,6 +2539,7 @@ static struct rpc_xprt_ops xs_tcp_ops = {
+ static struct rpc_xprt_ops bc_tcp_ops = {
+ 	.reserve_xprt		= xprt_reserve_xprt,
+ 	.release_xprt		= xprt_release_xprt,
+	.alloc_slot		= xprt_alloc_slot,
+ 	.rpcbind		= xs_local_rpcbind,
+ 	.buf_alloc		= bc_malloc,
+ 	.buf_free		= bc_free,
--- a/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch
+++ b/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch
@ -0,0 +1,60 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 19 Oct 2012 13:56:51 -0700
+Subject: [1/2] kernel/sys.c: fix stack memory content leak via UNAME26
+
+commit 2702b1526c7278c4d65d78de209a465d4de2885e upstream.
+
+Calling uname() with the UNAME26 personality set allows a leak of kernel
+stack contents.  This fixes it by defensively calculating the length of
+copy_to_user() call, making the len argument unsigned, and initializing
+the stack buffer to zero (now technically unneeded, but hey, overkill).
+
+CVE-2012-0957
+
+Reported-by: PaX Team <pageexec@freemail.hu>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: PaX Team <pageexec@freemail.hu>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ kernel/sys.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index c5cb5b9..01865c6 100644
+--- a/kernel/sys.c
+++ b/kernel/sys.c
+@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem);
+  * Work around broken programs that cannot handle "Linux 3.0".
+  * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
+  */
+-static int override_release(char __user *release, int len)
+static int override_release(char __user *release, size_t len)
+ {
+ 	int ret = 0;
+-	char buf[65];
+ 
+ 	if (current->personality & UNAME26) {
+-		char *rest = UTS_RELEASE;
+		const char *rest = UTS_RELEASE;
+		char buf[65] = { 0 };
+ 		int ndots = 0;
+ 		unsigned v;
+		size_t copy;
+ 
+ 		while (*rest) {
+ 			if (*rest == '.' && ++ndots >= 3)
+@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len)
+ 			rest++;
+ 		}
+ 		v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+-		snprintf(buf, len, "2.6.%u%s", v, rest);
+-		ret = copy_to_user(release, buf, len);
+		copy = min(sizeof(buf), max_t(size_t, 1, len));
+		copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+		ret = copy_to_user(release, buf, copy + 1);
+ 	}
+ 	return ret;
+ }
--- a/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
+++ b/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
@ -0,0 +1,32 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 19 Oct 2012 18:45:53 -0700
+Subject: [2/2] use clamp_t in UNAME26 fix
+
+commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream.
+
+The min/max call needed to have explicit types on some architectures
+(e.g. mn10300). Use clamp_t instead to avoid the warning:
+
+  kernel/sys.c: In function 'override_release':
+  kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
+
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ kernel/sys.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 01865c6..e6e0ece 100644
+--- a/kernel/sys.c
+++ b/kernel/sys.c
+@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len)
+ 			rest++;
+ 		}
+ 		v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+-		copy = min(sizeof(buf), max_t(size_t, 1, len));
+		copy = clamp_t(size_t, len, 1, sizeof(buf));
+ 		copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+ 		ret = copy_to_user(release, buf, copy + 1);
+ 	}
--- a/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch
+++ b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch
@ -0,0 +1,25 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: iwlwifi: Do not request unreleased firmware for IWL6000
+Bug-Debian: http://bugs.debian.org/689416
+
+The iwlwifi driver currently supports firmware API versions 4-6 for
+these devices.  It will request the file for the latest supported
+version and then fall back to earlier versions.  However, the latest
+version that has actually been released is 4, so we expect the
+requests for versions 6 and then 5 to fail.
+
+The installer appears to report any failed request, and it is probably
+not easy to detect that this particular failure is harmless.  So stop
+requesting the unreleased firmware.
+
+--- a/drivers/net/wireless/iwlwifi/pcie/6000.c
+++ b/drivers/net/wireless/iwlwifi/pcie/6000.c
+@@ -32,7 +32,7 @@
+ #include "dvm/commands.h" /* needed for BT for now */
+ 
+ /* Highest firmware API version supported */
+-#define IWL6000_UCODE_API_MAX 6
+#define IWL6000_UCODE_API_MAX 4 /* v5-6 are supported but not released */
+ #define IWL6050_UCODE_API_MAX 5
+ #define IWL6000G2_UCODE_API_MAX 6
+ #define IWL6035_UCODE_API_MAX 6
--- a/debian/patches/series
+++ b/debian/patches/series
@ -45,3 +45,7 @@ debian/debugfs-set-default-mode-to-700.patch

 bugfix/alpha/alpha-use-large-data-model.diff
 bugfix/all/speakup-lower-default-software-speech-rate.patch
+bugfix/all/SUNRPC-Set-alloc_slot-for-backchannel-tcp-ops.patch
+debian/iwlwifi-do-not-request-unreleased-firmware.patch
+bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch
+bugfix/all/use-clamp_t-in-UNAME26-fix.patch