linux-stable.git/drivers/char, branch linux-2.6.38.y Linux kernel stable tree i8k: Avoid lahf in 64-bit code 2011-06-03T01:34:41+00:00 Luca Tettamanti kronos.it@gmail.com 2011-05-25T18:43:31+00:00 f48e373ba0df22c98e0d8e9d8888d888b845e061 commit bc1f419c76a2d6450413ce4349f4e4a07be011d5 upstream. i8k uses lahf to read the flag register in 64-bit code; early x86-64 CPUs, however, lack this instruction and we get an invalid opcode exception at runtime. Use pushf to load the flag register into the stack instead. Signed-off-by: Luca Tettamanti <kronos.it@gmail.com> Reported-by: Jeff Rickman <jrickman@myamigos.us> Tested-by: Jeff Rickman <jrickman@myamigos.us> Tested-by: Harry G McGavran Jr <w5pny@arrl.net> Cc: Massimo Dal Zotto <dz@debian.org> Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit bc1f419c76a2d6450413ce4349f4e4a07be011d5 upstream.

i8k uses lahf to read the flag register in 64-bit code; early x86-64
CPUs, however, lack this instruction and we get an invalid opcode
exception at runtime.
Use pushf to load the flag register into the stack instead.

Signed-off-by: Luca Tettamanti <kronos.it@gmail.com>
Reported-by: Jeff Rickman <jrickman@myamigos.us>
Tested-by: Jeff Rickman <jrickman@myamigos.us>
Tested-by: Harry G McGavran Jr <w5pny@arrl.net>
Cc: Massimo Dal Zotto <dz@debian.org>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
agp: fix OOM and buffer overflow 2011-05-02T16:19:47+00:00 Vasiliy Kulikov segoon@openwall.com 2011-04-14T16:55:19+00:00 767a7e6906bd2b31c14bd57df8834da0cc81606e commit b522f02184b413955f3bc952e3776ce41edc6355 upstream. page_count is copied from userspace. agp_allocate_memory() tries to check whether this number is too big, but doesn't take into account the wrap case. Also agp_create_user_memory() doesn't check whether alloc_size is calculated from num_agp_pages variable without overflow. This may lead to allocation of too small buffer with following buffer overflow. Another problem in agp code is not addressed in the patch - kernel memory exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()). Each allocation is limited to 16KB, though, there is no per-process limit. This might lead to OOM situation, which is not even solved in case of the caller death by OOM killer - the memory is allocated for another (faked) process. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit b522f02184b413955f3bc952e3776ce41edc6355 upstream.

page_count is copied from userspace.  agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case.  Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.

Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls).  It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked) process.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
agp: fix arbitrary kernel memory writes 2011-05-02T16:19:47+00:00 Vasiliy Kulikov segoon@openwall.com 2011-04-14T16:55:16+00:00 0b7c6323a28f3fde67a26bc6b2a889d3f23b12c3 commit 194b3da873fd334ef183806db751473512af29ce upstream. pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, and it is not checked at all in case of AGPIOC_UNBIND. As a result, user with sufficient privileges (usually "video" group) may generate either local DoS or privilege escalation. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 194b3da873fd334ef183806db751473512af29ce upstream.

pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
cmds of agp_ioctl() and passed to agpioc_bind_wrap().  As said in the
comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
and it is not checked at all in case of AGPIOC_UNBIND.  As a result, user
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
virtio: console: Enable call to hvc_remove() on console port remove 2011-05-02T16:19:44+00:00 Amit Shah amit.shah@redhat.com 2011-03-14T12:15:48+00:00 960b9affa8645e9cfe669295f05a8cd9b8fe77a0 commit afa2689e19073cd2e762d0f2c1358fab1ab9f18c upstream. This call was disabled as hot-unplugging one virtconsole port led to another virtconsole port freezing. Upon testing it again, this now works, so enable it. In addition, a bug was found in qemu wherein removing a port of one type caused the guest output from another port to stop working. I doubt it was just this bug that caused it (since disabling the hvc_remove() call did allow other ports to continue working), but since it's all solved now, we're fine with hot-unplugging of virtconsole ports. Signed-off-by: Amit Shah <amit.shah@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit afa2689e19073cd2e762d0f2c1358fab1ab9f18c upstream.

This call was disabled as hot-unplugging one virtconsole port led to
another virtconsole port freezing.

Upon testing it again, this now works, so enable it.

In addition, a bug was found in qemu wherein removing a port of one type
caused the guest output from another port to stop working.  I doubt it
was just this bug that caused it (since disabling the hvc_remove() call
did allow other ports to continue working), but since it's all solved
now, we're fine with hot-unplugging of virtconsole ports.

Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
char/tpm: Fix unitialized usage of data buffer 2011-04-14T20:02:30+00:00 Peter Huewe huewe.external.infineon@googlemail.com 2011-03-29T11:31:25+00:00 fc50df845604fa6802b693fda447f598e23e12c2 commit 1309d7afbed112f0e8e90be9af975550caa0076b upstream. This patch fixes information leakage to the userspace by initializing the data buffer to zero. Reported-by: Peter Huewe <huewe.external@infineon.com> Signed-off-by: Peter Huewe <huewe.external@infineon.com> Signed-off-by: Marcel Selhorst <m.selhorst@sirrix.com> [ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way deeper problems than a simple multiplication can fix. - Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 1309d7afbed112f0e8e90be9af975550caa0076b upstream.

This patch fixes information leakage to the userspace by initializing
the data buffer to zero.

Reported-by: Peter Huewe <huewe.external@infineon.com>
Signed-off-by: Peter Huewe <huewe.external@infineon.com>
Signed-off-by: Marcel Selhorst <m.selhorst@sirrix.com>
[ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
  deeper problems than a simple multiplication can fix.   - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
ipmi: Fix IPMI errors due to timing problems 2011-03-10T21:21:16+00:00 Doe, YiCheng yicheng.doe@hp.com 2011-03-10T20:00:21+00:00 4c418ba9695a24917a1fcfa48f7db3fd76337eb7 This patch fixes an issue in OpenIPMI module where sometimes an ABORT command is sent after sending an IPMI request to BMC causing the IPMI request to fail. Signed-off-by: YiCheng Doe <yicheng.doe@hp.com> Signed-off-by: Corey Minyard <cminyard@mvista.com> Acked-by: Tom Mingarelli <thomas.mingarelli@hp.com> Tested-by: Andy Cress <andy.cress@us.kontron.com> Tested-by: Mika Lansirine <Mika.Lansirinne@stonesoft.com> Tested-by: Brian De Wolf <bldewolf@csupomona.edu> Cc: Jean Michel Audet <Jean-Michel.Audet@ca.Kontron.com> Cc: Jozef Sudelsky <jozef.sudolsky@elbiahosting.sk> Acked-by: Matthew Garrett <mjg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
This patch fixes an issue in OpenIPMI module where sometimes an ABORT command
is sent after sending an IPMI request to BMC causing the IPMI request to fail.

Signed-off-by: YiCheng Doe <yicheng.doe@hp.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Acked-by: Tom Mingarelli <thomas.mingarelli@hp.com>
Tested-by: Andy Cress <andy.cress@us.kontron.com>
Tested-by: Mika Lansirine <Mika.Lansirinne@stonesoft.com>
Tested-by: Brian De Wolf <bldewolf@csupomona.edu>
Cc: Jean Michel Audet <Jean-Michel.Audet@ca.Kontron.com>
Cc: Jozef Sudelsky <jozef.sudolsky@elbiahosting.sk>
Acked-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
virtio: console: Don't access vqs if device was unplugged 2011-03-06T18:44:13+00:00 Amit Shah amit.shah@redhat.com 2011-03-04T03:34:33+00:00 d7a62cd0332115d4c7c4689abea0d889a30d8349 If a virtio-console device gets unplugged while a port is open, a subsequent close() call on the port accesses vqs to free up buffers. This can lead to a crash. The buffers are already freed up as a result of the call to unplug_ports() from virtcons_remove(). The fix is to simply not access vq information if port->portdev is NULL. Reported-by: juzhang <juzhang@redhat.com> CC: stable@kernel.org Signed-off-by: Amit Shah <amit.shah@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
If a virtio-console device gets unplugged while a port is open, a
subsequent close() call on the port accesses vqs to free up buffers.
This can lead to a crash.

The buffers are already freed up as a result of the call to
unplug_ports() from virtcons_remove().  The fix is to simply not access
vq information if port->portdev is NULL.

Reported-by: juzhang <juzhang@redhat.com>
CC: stable@kernel.org
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Revert "TPM: Long default timeout fix" 2011-03-01T21:23:27+00:00 Linus Torvalds torvalds@linux-foundation.org 2011-03-01T21:23:27+00:00 8d1dc20e8d689c7e6a0a4d2c94e36a99d5793ecb This reverts commit c4ff4b829ef9e6353c0b133b7adb564a68054979. Ted Ts'o reports: "TPM is working for me so I can log into employer's network in 2.6.37. It broke when I tried 2.6.38-rc6, with the following relevant lines from my dmesg: [ 11.081627] tpm_tis 00:0b: 1.2 TPM (device-id 0x0, rev-id 78) [ 25.734114] tpm_tis 00:0b: Operation Timed out [ 78.040949] tpm_tis 00:0b: Operation Timed out This caused me to get suspicious, especially since the _other_ TPM commit in 2.6.38 had already been reverted, so I tried reverting commit c4ff4b829e: "TPM: Long default timeout fix". With this commit reverted, my TPM on my Lenovo T410 is once again working." Requested-and-tested-by: Theodore Ts'o <tytso@mit.edu> Acked-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
This reverts commit c4ff4b829ef9e6353c0b133b7adb564a68054979.

Ted Ts'o reports:

 "TPM is working for me so I can log into employer's network in 2.6.37.
  It broke when I tried 2.6.38-rc6, with the following relevant lines
  from my dmesg:

  [   11.081627] tpm_tis 00:0b: 1.2 TPM (device-id 0x0, rev-id 78)
  [   25.734114] tpm_tis 00:0b: Operation Timed out
  [   78.040949] tpm_tis 00:0b: Operation Timed out

  This caused me to get suspicious, especially since the _other_ TPM
  commit in 2.6.38 had already been reverted, so I tried reverting
  commit c4ff4b829e: "TPM: Long default timeout fix".  With this commit
  reverted, my TPM on my Lenovo T410 is once again working."

Requested-and-tested-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge branch 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel into drm-fixes 2011-02-24T02:19:43+00:00 Dave Airlie airlied@redhat.com 2011-02-24T02:19:43+00:00 fbf92bea68830c12da9099d7c8a60812194efc4e * 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel: drm/i915: fix corruptions on i8xx due to relaxed fencing drm/i915: skip FDI & PCH enabling for DP_A agp/intel: Experiment with a 855GM GWB bit drm/i915: don't enable FDI & transcoder interrupts after all drm/i915: Ignore a hung GPU when flushing the framebuffer prior to a switch 
* 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel:
  drm/i915: fix corruptions on i8xx due to relaxed fencing
  drm/i915: skip FDI & PCH enabling for DP_A
  agp/intel: Experiment with a 855GM GWB bit
  drm/i915: don't enable FDI & transcoder interrupts after all
  drm/i915: Ignore a hung GPU when flushing the framebuffer prior to a switch
amd64-agp: fix crash at second module load 2011-02-23T08:29:17+00:00 Florian Mickler florian@mickler.org 2011-02-07T22:29:31+00:00 49495d44dfa4ba76cf7d1ed8fe84746dd9552255 The module forgot to sometimes unregister some resources. This fixes Bug #22882. [Patch updated to 2.6.38-rc3 by Randy Dunlap.] Tested-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Florian Mickler <florian@mickler.org> Signed-off-by: Dave Airlie <airlied@redhat.com> 
The module forgot to sometimes unregister some resources.

This fixes Bug #22882.

[Patch updated to 2.6.38-rc3 by Randy Dunlap.]
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Florian Mickler <florian@mickler.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>