Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.4.53 2013-07-13T18:03:57Z 2013-07-13T18:03:57Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-07-13T18:03:57Z urn:sha1:dd156c8db2ba5e40718fa7adfd25b3e846e6e83b 2013-07-13T18:03:41Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-07-11T21:04:48Z urn:sha1:6d96e9394365dfddf5d418d8178ce2a503448c29 This reverts commit 48f0f14ffb6ff4852922994d11fbda418d40100e which was commit 749c8814f08f12baa4a9c2812a7c6ede7d69507d upstream. It seems to be misapplied, and not needed for 3.4-stable Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com> Cc: Charles Wang <muming.wq@taobao.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Ingo Molnar <mingo@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-07-13T18:03:41Z Ben Hutchings ben@decadent.org.uk 2013-05-27T18:07:19Z urn:sha1:36c982c1c71b5bb35d06d46ffb82593bf8dbe8c7 commit 2ee3e26c673e75c05ef8b914f54fadee3d7b9c88 upstream. Commit 39c60a0948cc '[SCSI] sd: fix array cache flushing bug causing performance problems' added temp as a pointer to "temporary " and used sizeof(temp) - 1 as its length. But sizeof(temp) is the size of the pointer, not the size of the string constant. Change temp to a static array so that sizeof() does what was intended. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: James Bottomley <JBottomley@Parallels.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-07-13T18:03:41Z J. Bruce Fields bfields@redhat.com 2013-06-21T15:48:11Z urn:sha1:ffdae5d98228dfbf7479cb777853ca031fbdfd3d commit 247500820ebd02ad87525db5d9b199e5b66f6636 upstream. A freebsd NFSv4.0 client was getting rare IO errors expanding a tarball. A network trace showed the server returning BAD_XDR on the final getattr of a getattr+write+getattr compound. The final getattr started on a page boundary. I believe the Linux client ignores errors on the post-write getattr, and that that's why we haven't seen this before. Reported-by: Rick Macklem <rmacklem@uoguelph.ca> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-07-13T18:03:41Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-06-30T16:03:06Z urn:sha1:6d2698aa29a15559b89c54b86523632ea4110b6c commit 828c6a102b1f2b8583fadc0e779c46b31d448f0b upstream. This reverts commit 8d2f8cd424ca0b99001f3ff4f5db87c4e525f366. As reported by Stefan, this device already works with the parport_serial driver, so the 8250_pci driver should not also try to grab it as well. Reported-by: Stefan Seyfried <stefan.seyfried@googlemail.com> Cc: Wang YanQing <udknight@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-07-13T18:03:41Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-06-18T19:58:12Z urn:sha1:cf0d5b307e09f38ccaffa9790e712168d6397f79 commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream. This hopefully will help point developers to the proper way that patches should be submitted for inclusion in the stable kernel releases. Reported-by: David Howells <dhowells@redhat.com> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-07-13T18:03:41Z Kees Cook keescook@chromium.org 2013-07-03T22:01:15Z urn:sha1:5898d863f236b4850ff564cca8e128369655a3f5 commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream. The template lookup interface does not provide a way to use format strings, so make sure that the interface cannot be abused accidentally. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-07-13T18:03:41Z Kees Cook keescook@chromium.org 2013-07-03T22:01:14Z urn:sha1:a8139b5b8b1355c4909d90afa58b055aabe1a272 commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream. Disk names may contain arbitrary strings, so they must not be interpreted as format strings. It seems that only md allows arbitrary strings to be used for disk names, but this could allow for a local memory corruption from uid 0 into ring 0. CVE-2013-2851 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Jens Axboe <axboe@kernel.dk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-07-13T18:03:40Z Mikulas Patocka mikulas@artax.karlin.mff.cuni.cz 2013-07-04T16:42:29Z urn:sha1:5f855daf6487b64eae1f201483b5830f42b2e9bb commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream. The test if bitmap access is out of bound could errorneously pass if the device size is divisible by 16384 sectors and we are asking for one bitmap after the end. Check for invalid size in the superblock. Invalid size could cause integer overflows in the rest of the code. Signed-off-by: Mikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-07-13T18:03:40Z Kees Cook keescook@chromium.org 2013-06-06T20:52:21Z urn:sha1:46796ed300f4f9ffa297ff548f0e2f08b7614f3b commit 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 upstream. The exposed interface for cm_notify_event() could result in the event msg string being parsed as a format string. Make sure it is only used as a literal string. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Anton Vorontsov <cbou@mail.ru> Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Anton Vorontsov <anton@enomsg.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>