releases/2.6.27.44/mbox - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From gregkh@mini.kroah.org Thu Jan 14 15:06:20 2010
 Message-Id: <20100114230620.830938718@mini.kroah.org>
 User-Agent: quilt/0.48-1
 Date: Thu, 14 Jan 2010 15:04:49 -0800
 From: Greg KH <gregkh@suse.de>
 To: linux-kernel@vger.kernel.org,
  stable@kernel.org
 Cc: stable-review@kernel.org,
  torvalds@linux-foundation.org,
  akpm@linux-foundation.org,
  alan@lxorguk.ukuu.org.uk,
  Andi Kleen <ak@linux.intel.com>,
  Ingo Molnar <mingo@elte.hu>,
  Oleg Nesterov <oleg@redhat.com>
 Subject: [1/6] kernel/signal.c: fix kernel information leak with print-fatal-signals=1

 2.6.27-stable review patch.  If anyone has any objections, please let us know.

 ------------------

 From: Andi Kleen <andi@firstfloor.org>

 commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream.

 When print-fatal-signals is enabled it's possible to dump any memory
 reachable by the kernel to the log by simply jumping to that address from
 user space.

 Or crash the system if there's some hardware with read side effects.

 The fatal signals handler will dump 16 bytes at the execution address,
 which is fully controlled by ring 3.

 In addition when something jumps to a unmapped address there will be up to
 16 additional useless page faults, which might be potentially slow (and at
 least is not very efficient)

 Fortunately this option is off by default and only there on i386.

 But fix it by checking for kernel addresses and also stopping when there's
 a page fault.

 Signed-off-by: Andi Kleen <ak@linux.intel.com>
 Cc: Ingo Molnar <mingo@elte.hu>
 Cc: Oleg Nesterov <oleg@redhat.com>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  kernel/signal.c |    3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

 --- a/kernel/signal.c
 +++ b/kernel/signal.c
 @@ -884,7 +884,8 @@ static void print_fatal_signal(struct pt
  		for (i = 0; i < 16; i++) {
  			unsigned char insn;

 -			__get_user(insn, (unsigned char *)(regs->ip + i));
 +			if (get_user(insn, (unsigned char *)(regs->ip + i)))
 +				break;
  			printk("%02x ", insn);
  		}
  	}


 From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
 Message-Id: <20100114230620.960894210@mini.kroah.org>
 User-Agent: quilt/0.48-1
 Date: Thu, 14 Jan 2010 15:04:50 -0800
 From: Greg KH <gregkh@suse.de>
 To: linux-kernel@vger.kernel.org,
  stable@kernel.org
 Cc: stable-review@kernel.org,
  torvalds@linux-foundation.org,
  akpm@linux-foundation.org,
  alan@lxorguk.ukuu.org.uk,
  Florian Westphal <fwestphal@astaro.com>,
  Patrick McHardy <kaber@trash.net>
 Subject: [2/6] netfilter: ebtables: enforce CAP_NET_ADMIN

 2.6.27-stable review patch.  If anyone has any objections, please let us know.

 ------------------

 From: Florian Westphal <fwestphal@astaro.com>

 commit dce766af541f6605fa9889892c0280bab31c66ab upstream.

 normal users are currently allowed to set/modify ebtables rules.
 Restrict it to processes with CAP_NET_ADMIN.

 Note that this cannot be reproduced with unmodified ebtables binary
 because it uses SOCK_RAW.

 Signed-off-by: Florian Westphal <fwestphal@astaro.com>
 Signed-off-by: Patrick McHardy <kaber@trash.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  net/bridge/netfilter/ebtables.c |    6 ++++++
  1 file changed, 6 insertions(+)

 --- a/net/bridge/netfilter/ebtables.c
 +++ b/net/bridge/netfilter/ebtables.c
 @@ -1436,6 +1436,9 @@ static int do_ebt_set_ctl(struct sock *s
  {
  	int ret;

 +	if (!capable(CAP_NET_ADMIN))
 +		return -EPERM;
 +
  	switch(cmd) {
  	case EBT_SO_SET_ENTRIES:
  		ret = do_replace(user, len);
 @@ -1455,6 +1458,9 @@ static int do_ebt_get_ctl(struct sock *s
  	struct ebt_replace tmp;
  	struct ebt_table *t;

 +	if (!capable(CAP_NET_ADMIN))
 +		return -EPERM;
 +
  	if (copy_from_user(&tmp, user, sizeof(tmp)))
  		return -EFAULT;


 From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
 Message-Id: <20100114230621.084598004@mini.kroah.org>
 User-Agent: quilt/0.48-1
 Date: Thu, 14 Jan 2010 15:04:51 -0800
 From: Greg KH <gregkh@suse.de>
 To: linux-kernel@vger.kernel.org,
  stable@kernel.org
 Cc: stable-review@kernel.org,
  torvalds@linux-foundation.org,
  akpm@linux-foundation.org,
  alan@lxorguk.ukuu.org.uk,
  Al Viro <viro@zeniv.linux.org.uk>
 Subject: [3/6] fix braindamage in audit_tree.c untag_chunk()

 2.6.27-stable review patch.  If anyone has any objections, please let us know.

 ------------------

 From: Al Viro <viro@ZenIV.linux.org.uk>

 commit 6f5d51148921c242680a7a1d9913384a30ab3cbe upstream.

 ... aka "Al had badly fscked up when writing that thing and nobody
 noticed until Eric had fixed leaks that used to mask the breakage".

 The function essentially creates a copy of old array sans one element
 and replaces the references to elements of original (they are on cyclic
 lists) with those to corresponding elements of new one.  After that the
 old one is fair game for freeing.

 First of all, there's a dumb braino: when we get to list_replace_init we
 use indices for wrong arrays - position in new one with the old array
 and vice versa.

 Another bug is more subtle - termination condition is wrong if the
 element to be excluded happens to be the last one.  We shouldn't go
 until we fill the new array, we should go until we'd finished the old
 one.  Otherwise the element we are trying to kill will remain on the
 cyclic lists...

 That crap used to be masked by several leaks, so it was not quite
 trivial to hit.  Eric had fixed some of those leaks a while ago and the
 shit had hit the fan...

 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  kernel/audit_tree.c |    4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

 --- a/kernel/audit_tree.c
 +++ b/kernel/audit_tree.c
 @@ -276,7 +276,7 @@ static void untag_chunk(struct node *p)
  		owner->root = NULL;
  	}

 -	for (i = j = 0; i < size; i++, j++) {
 +	for (i = j = 0; j <= size; i++, j++) {
  		struct audit_tree *s;
  		if (&chunk->owners[j] == p) {
  			list_del_init(&p->list);
 @@ -289,7 +289,7 @@ static void untag_chunk(struct node *p)
  		if (!s) /* result of earlier fallback */
  			continue;
  		get_tree(s);
 -		list_replace_init(&chunk->owners[i].list, &new->owners[j].list);
 +		list_replace_init(&chunk->owners[j].list, &new->owners[i].list);
  	}

  	list_replace_rcu(&chunk->hash, &new->hash);


 From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
 Message-Id: <20100114230621.214106296@mini.kroah.org>
 User-Agent: quilt/0.48-1
 Date: Thu, 14 Jan 2010 15:04:52 -0800
 From: Greg KH <gregkh@suse.de>
 To: linux-kernel@vger.kernel.org,
  stable@kernel.org
 Cc: stable-review@kernel.org,
  torvalds@linux-foundation.org,
  akpm@linux-foundation.org,
  alan@lxorguk.ukuu.org.uk,
  Al Viro <viro@zeniv.linux.org.uk>
 Subject: [4/6] fix more leaks in audit_tree.c tag_chunk()

 2.6.27-stable review patch.  If anyone has any objections, please let us know.

 ------------------

 From: Al Viro <viro@ZenIV.linux.org.uk>

 commit b4c30aad39805902cf5b855aa8a8b22d728ad057 upstream.

 Several leaks in audit_tree didn't get caught by commit
 318b6d3d7ddbcad3d6867e630711b8a705d873d7, including the leak on normal
 exit in case of multiple rules refering to the same chunk.

 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  kernel/audit_tree.c |    9 ++++++---
  1 file changed, 6 insertions(+), 3 deletions(-)

 --- a/kernel/audit_tree.c
 +++ b/kernel/audit_tree.c
 @@ -372,15 +372,17 @@ static int tag_chunk(struct inode *inode
  	for (n = 0; n < old->count; n++) {
  		if (old->owners[n].owner == tree) {
  			spin_unlock(&hash_lock);
 -			put_inotify_watch(watch);
 +			put_inotify_watch(&old->watch);
  			return 0;
  		}
  	}
  	spin_unlock(&hash_lock);

  	chunk = alloc_chunk(old->count + 1);
 -	if (!chunk)
 +	if (!chunk) {
 +		put_inotify_watch(&old->watch);
  		return -ENOMEM;
 +	}

  	mutex_lock(&inode->inotify_mutex);
  	if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) {
 @@ -422,7 +424,8 @@ static int tag_chunk(struct inode *inode
  	spin_unlock(&hash_lock);
  	inotify_evict_watch(&old->watch);
  	mutex_unlock(&inode->inotify_mutex);
 -	put_inotify_watch(&old->watch);
 +	put_inotify_watch(&old->watch); /* pair to inotify_find_watch */
 +	put_inotify_watch(&old->watch); /* and kill it */
  	return 0;
  }


 From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
 Message-Id: <20100114230621.341451387@mini.kroah.org>
 User-Agent: quilt/0.48-1
 Date: Thu, 14 Jan 2010 15:04:53 -0800
 From: Greg KH <gregkh@suse.de>
 To: linux-kernel@vger.kernel.org,
  stable@kernel.org
 Cc: stable-review@kernel.org,
  torvalds@linux-foundation.org,
  akpm@linux-foundation.org,
  alan@lxorguk.ukuu.org.uk,
  Michael Neuling <mikey@neuling.org>,
  Paul Mackerras <paulus@samba.org>
 Subject: [5/6] powerpc: Disable VSX or current process in giveup_fpu/altivec

 2.6.27-stable review patch.  If anyone has any objections, please let us know.

 ------------------

 From: Michael Neuling <mikey@neuling.org>

 commit 7e875e9dc8af70d126fa632446e967327ac3fdda upstream.

 When we call giveup_fpu, we need to need to turn off VSX for the
 current process.  If we don't, on return to userspace it may execute a
 VSX instruction before the next FP instruction, and not have its
 register state refreshed correctly from the thread_struct.  Ditto for
 altivec.

 This caused a bug where an unaligned lfs or stfs results in
 fix_alignment calling giveup_fpu so it can use the FPRs (in order to
 do a single <-> double conversion), and then returning to userspace
 with FP off but VSX on.  Then if a VSX instruction is executed, before
 another FP instruction, it will proceed without another exception and
 hence have the incorrect register state for VSX registers 0-31.

    lfs unaligned   <- alignment exception turns FP off but leaves VSX on

    VSX instruction <- no exception since VSX on, hence we get the
                       wrong VSX register values for VSX registers 0-31,
                       which overlap the FPRs.

 Signed-off-by: Michael Neuling <mikey@neuling.org>
 Signed-off-by: Paul Mackerras <paulus@samba.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  arch/powerpc/kernel/fpu.S     |    5 +++++
  arch/powerpc/kernel/misc_64.S |    8 ++++++++
  2 files changed, 13 insertions(+)

 --- a/arch/powerpc/kernel/fpu.S
 +++ b/arch/powerpc/kernel/fpu.S
 @@ -145,6 +145,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX)
  	beq	1f
  	PPC_LL	r4,_MSR-STACK_FRAME_OVERHEAD(r5)
  	li	r3,MSR_FP|MSR_FE0|MSR_FE1
 +#ifdef CONFIG_VSX
 +BEGIN_FTR_SECTION
 +	oris	r3,r3,MSR_VSX@h
 +END_FTR_SECTION_IFSET(CPU_FTR_VSX)
 +#endif
  	andc	r4,r4,r3		/* disable FP for previous task */
  	PPC_STL	r4,_MSR-STACK_FRAME_OVERHEAD(r5)
  1:
 --- a/arch/powerpc/kernel/misc_64.S
 +++ b/arch/powerpc/kernel/misc_64.S
 @@ -493,7 +493,15 @@ _GLOBAL(giveup_altivec)
  	stvx	vr0,r4,r3
  	beq	1f
  	ld	r4,_MSR-STACK_FRAME_OVERHEAD(r5)
 +#ifdef CONFIG_VSX
 +BEGIN_FTR_SECTION
 +	lis	r3,(MSR_VEC|MSR_VSX)@h
 +FTR_SECTION_ELSE
 +	lis	r3,MSR_VEC@h
 +ALT_FTR_SECTION_END_IFSET(CPU_FTR_VSX)
 +#else
  	lis	r3,MSR_VEC@h
 +#endif
  	andc	r4,r4,r3		/* disable FP for previous task */
  	std	r4,_MSR-STACK_FRAME_OVERHEAD(r5)
  1:


 From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
 Message-Id: <20100114230621.471041815@mini.kroah.org>
 User-Agent: quilt/0.48-1
 Date: Thu, 14 Jan 2010 15:04:54 -0800
 From: Greg KH <gregkh@suse.de>
 To: linux-kernel@vger.kernel.org,
  stable@kernel.org
 Cc: stable-review@kernel.org,
  torvalds@linux-foundation.org,
  akpm@linux-foundation.org,
  alan@lxorguk.ukuu.org.uk,
  Neil Campbell <neilc@linux.vnet.ibm.com>,
  Michael Neuling <mikey@neuling.org>,
  Benjamin Herrenschmidt <benh@kernel.crashing.org>
 Subject: [6/6] powerpc: Handle VSX alignment faults correctly in little-endian mode

 2.6.27-stable review patch.  If anyone has any objections, please let us know.

 ------------------

 From: Neil Campbell <neilc@linux.vnet.ibm.com>

 commit bb7f20b1c639606def3b91f4e4aca6daeee5d80a upstream.

 This patch fixes the handling of VSX alignment faults in little-endian
 mode (the current code assumes the processor is in big-endian mode).

 The patch also makes the handlers clear the top 8 bytes of the register
 when handling an 8 byte VSX load.

 This is based on 2.6.32.

 Signed-off-by: Neil Campbell <neilc@linux.vnet.ibm.com>
 Acked-by: Michael Neuling <mikey@neuling.org>
 Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  arch/powerpc/kernel/align.c |   63 ++++++++++++++++++++++++++++++++------------
  1 file changed, 46 insertions(+), 17 deletions(-)

 --- a/arch/powerpc/kernel/align.c
 +++ b/arch/powerpc/kernel/align.c
 @@ -641,10 +641,14 @@ static int emulate_spe(struct pt_regs *r
   */
  static int emulate_vsx(unsigned char __user *addr, unsigned int reg,
  		       unsigned int areg, struct pt_regs *regs,
 -		       unsigned int flags, unsigned int length)
 +		       unsigned int flags, unsigned int length,
 +		       unsigned int elsize)
  {
  	char *ptr;
 +	unsigned long *lptr;
  	int ret = 0;
 +	int sw = 0;
 +	int i, j;

  	flush_vsx_to_thread(current);

 @@ -653,19 +657,35 @@ static int emulate_vsx(unsigned char __u
  	else
  		ptr = (char *) &current->thread.vr[reg - 32];

 -	if (flags & ST)
 -		ret = __copy_to_user(addr, ptr, length);
 -        else {
 -		if (flags & SPLT){
 -			ret = __copy_from_user(ptr, addr, length);
 -			ptr += length;
 +	lptr = (unsigned long *) ptr;
 +
 +	if (flags & SW)
 +		sw = elsize-1;
 +
 +	for (j = 0; j < length; j += elsize) {
 +		for (i = 0; i < elsize; ++i) {
 +			if (flags & ST)
 +				ret |= __put_user(ptr[i^sw], addr + i);
 +			else
 +				ret |= __get_user(ptr[i^sw], addr + i);
  		}
 -		ret |= __copy_from_user(ptr, addr, length);
 +		ptr  += elsize;
 +		addr += elsize;
  	}
 -	if (flags & U)
 -		regs->gpr[areg] = regs->dar;
 -	if (ret)
 +
 +	if (!ret) {
 +		if (flags & U)
 +			regs->gpr[areg] = regs->dar;
 +
 +		/* Splat load copies the same data to top and bottom 8 bytes */
 +		if (flags & SPLT)
 +			lptr[1] = lptr[0];
 +		/* For 8 byte loads, zero the top 8 bytes */
 +		else if (!(flags & ST) && (8 == length))
 +			lptr[1] = 0;
 +	} else
  		return -EFAULT;
 +
  	return 1;
  }
  #endif
 @@ -764,16 +784,25 @@ int fix_alignment(struct pt_regs *regs)

  #ifdef CONFIG_VSX
  	if ((instruction & 0xfc00003e) == 0x7c000018) {
 -		/* Additional register addressing bit (64 VSX vs 32 FPR/GPR */
 +		unsigned int elsize;
 +
 +		/* Additional register addressing bit (64 VSX vs 32 FPR/GPR) */
  		reg |= (instruction & 0x1) << 5;
  		/* Simple inline decoder instead of a table */
 +		/* VSX has only 8 and 16 byte memory accesses */
 +		nb = 8;
  		if (instruction & 0x200)
  			nb = 16;
 -		else if (instruction & 0x080)
 -			nb = 8;
 -		else
 -			nb = 4;
 +
 +		/* Vector stores in little-endian mode swap individual
 +		   elements, so process them separately */
 +		elsize = 4;
 +		if (instruction & 0x80)
 +			elsize = 8;
 +
  		flags = 0;
 +		if (regs->msr & MSR_LE)
 +			flags |= SW;
  		if (instruction & 0x100)
  			flags |= ST;
  		if (instruction & 0x040)
 @@ -783,7 +812,7 @@ int fix_alignment(struct pt_regs *regs)
  			flags |= SPLT;
  			nb = 8;
  		}
 -		return emulate_vsx(addr, reg, areg, regs, flags, nb);
 +		return emulate_vsx(addr, reg, areg, regs, flags, nb, elsize);
  	}
  #endif
  	/* A size of 0 indicates an instruction we don't support, with
	From gregkh@mini.kroah.org Thu Jan 14 15:06:20 2010
	Message-Id: <20100114230620.830938718@mini.kroah.org>
	User-Agent: quilt/0.48-1
	Date: Thu, 14 Jan 2010 15:04:49 -0800
	From: Greg KH <gregkh@suse.de>
	To: linux-kernel@vger.kernel.org,
	stable@kernel.org
	Cc: stable-review@kernel.org,
	torvalds@linux-foundation.org,
	akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Andi Kleen <ak@linux.intel.com>,
	Ingo Molnar <mingo@elte.hu>,
	Oleg Nesterov <oleg@redhat.com>
	Subject: [1/6] kernel/signal.c: fix kernel information leak with print-fatal-signals=1

	2.6.27-stable review patch. If anyone has any objections, please let us know.

	------------------

	From: Andi Kleen <andi@firstfloor.org>

	commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream.

	When print-fatal-signals is enabled it's possible to dump any memory
	reachable by the kernel to the log by simply jumping to that address from
	user space.

	Or crash the system if there's some hardware with read side effects.

	The fatal signals handler will dump 16 bytes at the execution address,
	which is fully controlled by ring 3.

	In addition when something jumps to a unmapped address there will be up to
	16 additional useless page faults, which might be potentially slow (and at
	least is not very efficient)

	Fortunately this option is off by default and only there on i386.

	But fix it by checking for kernel addresses and also stopping when there's
	a page fault.

	Signed-off-by: Andi Kleen <ak@linux.intel.com>
	Cc: Ingo Molnar <mingo@elte.hu>
	Cc: Oleg Nesterov <oleg@redhat.com>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	kernel/signal.c \| 3 ++-
	1 file changed, 2 insertions(+), 1 deletion(-)

	--- a/kernel/signal.c
	+++ b/kernel/signal.c
	@@ -884,7 +884,8 @@ static void print_fatal_signal(struct pt
	for (i = 0; i < 16; i++) {
	unsigned char insn;

	- __get_user(insn, (unsigned char *)(regs->ip + i));
	+ if (get_user(insn, (unsigned char *)(regs->ip + i)))
	+ break;
	printk("%02x ", insn);
	}
	}


	From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
	Message-Id: <20100114230620.960894210@mini.kroah.org>
	User-Agent: quilt/0.48-1
	Date: Thu, 14 Jan 2010 15:04:50 -0800
	From: Greg KH <gregkh@suse.de>
	To: linux-kernel@vger.kernel.org,
	stable@kernel.org
	Cc: stable-review@kernel.org,
	torvalds@linux-foundation.org,
	akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Florian Westphal <fwestphal@astaro.com>,
	Patrick McHardy <kaber@trash.net>
	Subject: [2/6] netfilter: ebtables: enforce CAP_NET_ADMIN

	2.6.27-stable review patch. If anyone has any objections, please let us know.

	------------------

	From: Florian Westphal <fwestphal@astaro.com>

	commit dce766af541f6605fa9889892c0280bab31c66ab upstream.

	normal users are currently allowed to set/modify ebtables rules.
	Restrict it to processes with CAP_NET_ADMIN.

	Note that this cannot be reproduced with unmodified ebtables binary
	because it uses SOCK_RAW.

	Signed-off-by: Florian Westphal <fwestphal@astaro.com>
	Signed-off-by: Patrick McHardy <kaber@trash.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	net/bridge/netfilter/ebtables.c \| 6 ++++++
	1 file changed, 6 insertions(+)

	--- a/net/bridge/netfilter/ebtables.c
	+++ b/net/bridge/netfilter/ebtables.c
	@@ -1436,6 +1436,9 @@ static int do_ebt_set_ctl(struct sock *s
	{
	int ret;

	+ if (!capable(CAP_NET_ADMIN))
	+ return -EPERM;
	+
	switch(cmd) {
	case EBT_SO_SET_ENTRIES:
	ret = do_replace(user, len);
	@@ -1455,6 +1458,9 @@ static int do_ebt_get_ctl(struct sock *s
	struct ebt_replace tmp;
	struct ebt_table *t;

	+ if (!capable(CAP_NET_ADMIN))
	+ return -EPERM;
	+
	if (copy_from_user(&tmp, user, sizeof(tmp)))
	return -EFAULT;



	From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
	Message-Id: <20100114230621.084598004@mini.kroah.org>
	User-Agent: quilt/0.48-1
	Date: Thu, 14 Jan 2010 15:04:51 -0800
	From: Greg KH <gregkh@suse.de>
	To: linux-kernel@vger.kernel.org,
	stable@kernel.org
	Cc: stable-review@kernel.org,
	torvalds@linux-foundation.org,
	akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Al Viro <viro@zeniv.linux.org.uk>
	Subject: [3/6] fix braindamage in audit_tree.c untag_chunk()

	2.6.27-stable review patch. If anyone has any objections, please let us know.

	------------------

	From: Al Viro <viro@ZenIV.linux.org.uk>

	commit 6f5d51148921c242680a7a1d9913384a30ab3cbe upstream.

	... aka "Al had badly fscked up when writing that thing and nobody
	noticed until Eric had fixed leaks that used to mask the breakage".

	The function essentially creates a copy of old array sans one element
	and replaces the references to elements of original (they are on cyclic
	lists) with those to corresponding elements of new one. After that the
	old one is fair game for freeing.

	First of all, there's a dumb braino: when we get to list_replace_init we
	use indices for wrong arrays - position in new one with the old array
	and vice versa.

	Another bug is more subtle - termination condition is wrong if the
	element to be excluded happens to be the last one. We shouldn't go
	until we fill the new array, we should go until we'd finished the old
	one. Otherwise the element we are trying to kill will remain on the
	cyclic lists...

	That crap used to be masked by several leaks, so it was not quite
	trivial to hit. Eric had fixed some of those leaks a while ago and the
	shit had hit the fan...

	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	kernel/audit_tree.c \| 4 ++--
	1 file changed, 2 insertions(+), 2 deletions(-)

	--- a/kernel/audit_tree.c
	+++ b/kernel/audit_tree.c
	@@ -276,7 +276,7 @@ static void untag_chunk(struct node *p)
	owner->root = NULL;
	}

	- for (i = j = 0; i < size; i++, j++) {
	+ for (i = j = 0; j <= size; i++, j++) {
	struct audit_tree *s;
	if (&chunk->owners[j] == p) {
	list_del_init(&p->list);
	@@ -289,7 +289,7 @@ static void untag_chunk(struct node *p)
	if (!s) /* result of earlier fallback */
	continue;
	get_tree(s);
	- list_replace_init(&chunk->owners[i].list, &new->owners[j].list);
	+ list_replace_init(&chunk->owners[j].list, &new->owners[i].list);
	}

	list_replace_rcu(&chunk->hash, &new->hash);


	From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
	Message-Id: <20100114230621.214106296@mini.kroah.org>
	User-Agent: quilt/0.48-1
	Date: Thu, 14 Jan 2010 15:04:52 -0800
	From: Greg KH <gregkh@suse.de>
	To: linux-kernel@vger.kernel.org,
	stable@kernel.org
	Cc: stable-review@kernel.org,
	torvalds@linux-foundation.org,
	akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Al Viro <viro@zeniv.linux.org.uk>
	Subject: [4/6] fix more leaks in audit_tree.c tag_chunk()

	2.6.27-stable review patch. If anyone has any objections, please let us know.

	------------------

	From: Al Viro <viro@ZenIV.linux.org.uk>

	commit b4c30aad39805902cf5b855aa8a8b22d728ad057 upstream.

	Several leaks in audit_tree didn't get caught by commit
	318b6d3d7ddbcad3d6867e630711b8a705d873d7, including the leak on normal
	exit in case of multiple rules refering to the same chunk.

	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	kernel/audit_tree.c \| 9 ++++++---
	1 file changed, 6 insertions(+), 3 deletions(-)

	--- a/kernel/audit_tree.c
	+++ b/kernel/audit_tree.c
	@@ -372,15 +372,17 @@ static int tag_chunk(struct inode *inode
	for (n = 0; n < old->count; n++) {
	if (old->owners[n].owner == tree) {
	spin_unlock(&hash_lock);
	- put_inotify_watch(watch);
	+ put_inotify_watch(&old->watch);
	return 0;
	}
	}
	spin_unlock(&hash_lock);

	chunk = alloc_chunk(old->count + 1);
	- if (!chunk)
	+ if (!chunk) {
	+ put_inotify_watch(&old->watch);
	return -ENOMEM;
	+ }

	mutex_lock(&inode->inotify_mutex);
	if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) {
	@@ -422,7 +424,8 @@ static int tag_chunk(struct inode *inode
	spin_unlock(&hash_lock);
	inotify_evict_watch(&old->watch);
	mutex_unlock(&inode->inotify_mutex);
	- put_inotify_watch(&old->watch);
	+ put_inotify_watch(&old->watch); /* pair to inotify_find_watch */
	+ put_inotify_watch(&old->watch); /* and kill it */
	return 0;
	}



	From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
	Message-Id: <20100114230621.341451387@mini.kroah.org>
	User-Agent: quilt/0.48-1
	Date: Thu, 14 Jan 2010 15:04:53 -0800
	From: Greg KH <gregkh@suse.de>
	To: linux-kernel@vger.kernel.org,
	stable@kernel.org
	Cc: stable-review@kernel.org,
	torvalds@linux-foundation.org,
	akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Michael Neuling <mikey@neuling.org>,
	Paul Mackerras <paulus@samba.org>
	Subject: [5/6] powerpc: Disable VSX or current process in giveup_fpu/altivec

	2.6.27-stable review patch. If anyone has any objections, please let us know.

	------------------

	From: Michael Neuling <mikey@neuling.org>

	commit 7e875e9dc8af70d126fa632446e967327ac3fdda upstream.

	When we call giveup_fpu, we need to need to turn off VSX for the
	current process. If we don't, on return to userspace it may execute a
	VSX instruction before the next FP instruction, and not have its
	register state refreshed correctly from the thread_struct. Ditto for
	altivec.

	This caused a bug where an unaligned lfs or stfs results in
	fix_alignment calling giveup_fpu so it can use the FPRs (in order to
	do a single <-> double conversion), and then returning to userspace
	with FP off but VSX on. Then if a VSX instruction is executed, before
	another FP instruction, it will proceed without another exception and
	hence have the incorrect register state for VSX registers 0-31.

	lfs unaligned <- alignment exception turns FP off but leaves VSX on

	VSX instruction <- no exception since VSX on, hence we get the
	wrong VSX register values for VSX registers 0-31,
	which overlap the FPRs.

	Signed-off-by: Michael Neuling <mikey@neuling.org>
	Signed-off-by: Paul Mackerras <paulus@samba.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	arch/powerpc/kernel/fpu.S \| 5 +++++
	arch/powerpc/kernel/misc_64.S \| 8 ++++++++
	2 files changed, 13 insertions(+)

	--- a/arch/powerpc/kernel/fpu.S
	+++ b/arch/powerpc/kernel/fpu.S
	@@ -145,6 +145,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX)
	beq 1f
	PPC_LL r4,_MSR-STACK_FRAME_OVERHEAD(r5)
	li r3,MSR_FP\|MSR_FE0\|MSR_FE1
	+#ifdef CONFIG_VSX
	+BEGIN_FTR_SECTION
	+ oris r3,r3,MSR_VSX@h
	+END_FTR_SECTION_IFSET(CPU_FTR_VSX)
	+#endif
	andc r4,r4,r3 /* disable FP for previous task */
	PPC_STL r4,_MSR-STACK_FRAME_OVERHEAD(r5)
	1:
	--- a/arch/powerpc/kernel/misc_64.S
	+++ b/arch/powerpc/kernel/misc_64.S
	@@ -493,7 +493,15 @@ _GLOBAL(giveup_altivec)
	stvx vr0,r4,r3
	beq 1f
	ld r4,_MSR-STACK_FRAME_OVERHEAD(r5)
	+#ifdef CONFIG_VSX
	+BEGIN_FTR_SECTION
	+ lis r3,(MSR_VEC\|MSR_VSX)@h
	+FTR_SECTION_ELSE
	+ lis r3,MSR_VEC@h
	+ALT_FTR_SECTION_END_IFSET(CPU_FTR_VSX)
	+#else
	lis r3,MSR_VEC@h
	+#endif
	andc r4,r4,r3 /* disable FP for previous task */
	std r4,_MSR-STACK_FRAME_OVERHEAD(r5)
	1:


	From gregkh@mini.kroah.org Thu Jan 14 15:06:21 2010
	Message-Id: <20100114230621.471041815@mini.kroah.org>
	User-Agent: quilt/0.48-1
	Date: Thu, 14 Jan 2010 15:04:54 -0800
	From: Greg KH <gregkh@suse.de>
	To: linux-kernel@vger.kernel.org,
	stable@kernel.org
	Cc: stable-review@kernel.org,
	torvalds@linux-foundation.org,
	akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Neil Campbell <neilc@linux.vnet.ibm.com>,
	Michael Neuling <mikey@neuling.org>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>
	Subject: [6/6] powerpc: Handle VSX alignment faults correctly in little-endian mode

	2.6.27-stable review patch. If anyone has any objections, please let us know.

	------------------

	From: Neil Campbell <neilc@linux.vnet.ibm.com>

	commit bb7f20b1c639606def3b91f4e4aca6daeee5d80a upstream.

	This patch fixes the handling of VSX alignment faults in little-endian
	mode (the current code assumes the processor is in big-endian mode).

	The patch also makes the handlers clear the top 8 bytes of the register
	when handling an 8 byte VSX load.

	This is based on 2.6.32.

	Signed-off-by: Neil Campbell <neilc@linux.vnet.ibm.com>
	Acked-by: Michael Neuling <mikey@neuling.org>
	Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	arch/powerpc/kernel/align.c \| 63 ++++++++++++++++++++++++++++++++------------
	1 file changed, 46 insertions(+), 17 deletions(-)

	--- a/arch/powerpc/kernel/align.c
	+++ b/arch/powerpc/kernel/align.c
	@@ -641,10 +641,14 @@ static int emulate_spe(struct pt_regs *r
	*/
	static int emulate_vsx(unsigned char __user *addr, unsigned int reg,
	unsigned int areg, struct pt_regs *regs,
	- unsigned int flags, unsigned int length)
	+ unsigned int flags, unsigned int length,
	+ unsigned int elsize)
	{
	char *ptr;
	+ unsigned long *lptr;
	int ret = 0;
	+ int sw = 0;
	+ int i, j;

	flush_vsx_to_thread(current);

	@@ -653,19 +657,35 @@ static int emulate_vsx(unsigned char __u
	else
	ptr = (char *) &current->thread.vr[reg - 32];

	- if (flags & ST)
	- ret = __copy_to_user(addr, ptr, length);
	- else {
	- if (flags & SPLT){
	- ret = __copy_from_user(ptr, addr, length);
	- ptr += length;
	+ lptr = (unsigned long *) ptr;
	+
	+ if (flags & SW)
	+ sw = elsize-1;
	+
	+ for (j = 0; j < length; j += elsize) {
	+ for (i = 0; i < elsize; ++i) {
	+ if (flags & ST)
	+ ret \|= __put_user(ptr[i^sw], addr + i);
	+ else
	+ ret \|= __get_user(ptr[i^sw], addr + i);
	}
	- ret \|= __copy_from_user(ptr, addr, length);
	+ ptr += elsize;
	+ addr += elsize;
	}
	- if (flags & U)
	- regs->gpr[areg] = regs->dar;
	- if (ret)
	+
	+ if (!ret) {
	+ if (flags & U)
	+ regs->gpr[areg] = regs->dar;
	+
	+ /* Splat load copies the same data to top and bottom 8 bytes */
	+ if (flags & SPLT)
	+ lptr[1] = lptr[0];
	+ /* For 8 byte loads, zero the top 8 bytes */
	+ else if (!(flags & ST) && (8 == length))
	+ lptr[1] = 0;
	+ } else
	return -EFAULT;
	+
	return 1;
	}
	#endif
	@@ -764,16 +784,25 @@ int fix_alignment(struct pt_regs *regs)

	#ifdef CONFIG_VSX
	if ((instruction & 0xfc00003e) == 0x7c000018) {
	- /* Additional register addressing bit (64 VSX vs 32 FPR/GPR */
	+ unsigned int elsize;
	+
	+ /* Additional register addressing bit (64 VSX vs 32 FPR/GPR) */
	reg \|= (instruction & 0x1) << 5;
	/* Simple inline decoder instead of a table */
	+ /* VSX has only 8 and 16 byte memory accesses */
	+ nb = 8;
	if (instruction & 0x200)
	nb = 16;
	- else if (instruction & 0x080)
	- nb = 8;
	- else
	- nb = 4;
	+
	+ /* Vector stores in little-endian mode swap individual
	+ elements, so process them separately */
	+ elsize = 4;
	+ if (instruction & 0x80)
	+ elsize = 8;
	+
	flags = 0;
	+ if (regs->msr & MSR_LE)
	+ flags \|= SW;
	if (instruction & 0x100)
	flags \|= ST;
	if (instruction & 0x040)
	@@ -783,7 +812,7 @@ int fix_alignment(struct pt_regs *regs)
	flags \|= SPLT;
	nb = 8;
	}
	- return emulate_vsx(addr, reg, areg, regs, flags, nb);
	+ return emulate_vsx(addr, reg, areg, regs, flags, nb, elsize);
	}
	#endif
	/* A size of 0 indicates an instruction we don't support, with