commit dd156c8db2ba5e40718fa7adfd25b3e846e6e83b Author: Greg Kroah-Hartman Date: Sat Jul 13 11:03:57 2013 -0700 Linux 3.4.53 commit 6d96e9394365dfddf5d418d8178ce2a503448c29 Author: Greg Kroah-Hartman Date: Thu Jul 11 14:04:48 2013 -0700 Revert "sched: Add missing call to calc_load_exit_idle()" This reverts commit 48f0f14ffb6ff4852922994d11fbda418d40100e which was commit 749c8814f08f12baa4a9c2812a7c6ede7d69507d upstream. It seems to be misapplied, and not needed for 3.4-stable Reported-by: Paul Gortmaker Cc: Charles Wang Cc: Peter Zijlstra Cc: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 36c982c1c71b5bb35d06d46ffb82593bf8dbe8c7 Author: Ben Hutchings Date: Mon May 27 19:07:19 2013 +0100 SCSI: sd: Fix parsing of 'temporary ' cache mode prefix commit 2ee3e26c673e75c05ef8b914f54fadee3d7b9c88 upstream. Commit 39c60a0948cc '[SCSI] sd: fix array cache flushing bug causing performance problems' added temp as a pointer to "temporary " and used sizeof(temp) - 1 as its length. But sizeof(temp) is the size of the pointer, not the size of the string constant. Change temp to a static array so that sizeof() does what was intended. Signed-off-by: Ben Hutchings Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit ffdae5d98228dfbf7479cb777853ca031fbdfd3d Author: J. Bruce Fields Date: Fri Jun 21 11:48:11 2013 -0400 nfsd4: fix decoding of compounds across page boundaries commit 247500820ebd02ad87525db5d9b199e5b66f6636 upstream. A freebsd NFSv4.0 client was getting rare IO errors expanding a tarball. A network trace showed the server returning BAD_XDR on the final getattr of a getattr+write+getattr compound. The final getattr started on a page boundary. I believe the Linux client ignores errors on the post-write getattr, and that that's why we haven't seen this before. Reported-by: Rick Macklem Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 6d2698aa29a15559b89c54b86523632ea4110b6c Author: Greg Kroah-Hartman Date: Sun Jun 30 09:03:06 2013 -0700 Revert "serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller" commit 828c6a102b1f2b8583fadc0e779c46b31d448f0b upstream. This reverts commit 8d2f8cd424ca0b99001f3ff4f5db87c4e525f366. As reported by Stefan, this device already works with the parport_serial driver, so the 8250_pci driver should not also try to grab it as well. Reported-by: Stefan Seyfried Cc: Wang YanQing Signed-off-by: Greg Kroah-Hartman commit cf0d5b307e09f38ccaffa9790e712168d6397f79 Author: Greg Kroah-Hartman Date: Tue Jun 18 12:58:12 2013 -0700 MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream. This hopefully will help point developers to the proper way that patches should be submitted for inclusion in the stable kernel releases. Reported-by: David Howells Acked-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 5898d863f236b4850ff564cca8e128369655a3f5 Author: Kees Cook Date: Wed Jul 3 15:01:15 2013 -0700 crypto: sanitize argument for format string commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream. The template lookup interface does not provide a way to use format strings, so make sure that the interface cannot be abused accidentally. Signed-off-by: Kees Cook Cc: Herbert Xu Cc: "David S. Miller" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a8139b5b8b1355c4909d90afa58b055aabe1a272 Author: Kees Cook Date: Wed Jul 3 15:01:14 2013 -0700 block: do not pass disk names as format strings commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream. Disk names may contain arbitrary strings, so they must not be interpreted as format strings. It seems that only md allows arbitrary strings to be used for disk names, but this could allow for a local memory corruption from uid 0 into ring 0. CVE-2013-2851 Signed-off-by: Kees Cook Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5f855daf6487b64eae1f201483b5830f42b2e9bb Author: Mikulas Patocka Date: Thu Jul 4 18:42:29 2013 +0200 hpfs: better test for errors commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream. The test if bitmap access is out of bound could errorneously pass if the device size is divisible by 16384 sectors and we are asking for one bitmap after the end. Check for invalid size in the superblock. Invalid size could cause integer overflows in the rest of the code. Signed-off-by: Mikulas Patocka Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 46796ed300f4f9ffa297ff548f0e2f08b7614f3b Author: Kees Cook Date: Thu Jun 6 13:52:21 2013 -0700 charger-manager: Ensure event is not used as format string commit 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 upstream. The exposed interface for cm_notify_event() could result in the event msg string being parsed as a format string. Make sure it is only used as a literal string. Signed-off-by: Kees Cook Cc: Anton Vorontsov Cc: David Woodhouse Signed-off-by: Anton Vorontsov Signed-off-by: Greg Kroah-Hartman commit 3e6778af21da9f305f59da098b3e137b8ff72d46 Author: Jonathan Salwan Date: Wed Jul 3 15:01:13 2013 -0700 drivers/cdrom/cdrom.c: use kzalloc() for failing hardware commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream. In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory area with kmalloc in line 2885. 2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL); 2886 if (cgc->buffer == NULL) 2887 return -ENOMEM; In line 2908 we can find the copy_to_user function: 2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize)) The cgc->buffer is never cleaned and initialized before this function. If ret = 0 with the previous basic block, it's possible to display some memory bytes in kernel space from userspace. When we read a block from the disk it normally fills the ->buffer but if the drive is malfunctioning there is a chance that it would only be partially filled. The result is an leak information to userspace. Signed-off-by: Dan Carpenter Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Jonathan Salwan Cc: Luis Henriques Signed-off-by: Greg Kroah-Hartman commit a0d7384148e8e828f71f46ab10698daca41e64d8 Author: Tyler Hicks Date: Thu Jun 20 13:13:59 2013 -0700 libceph: Fix NULL pointer dereference in auth client code commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream. A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Signed-off-by: Greg Kroah-Hartman