Linux v3.6-rc2-400-g23dcfa6

- CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
Josh Boyer 2012-08-22 07:34:59 -04:00
parent 7051aa7c8d
commit 14f0cc6e63
4 changed files with 7 additions and 138 deletions


@ -1,89 +0,0 @@
Delivered-To: jwboyer@gmail.com
Received: by 10.229.184.7 with SMTP id ci7csp32184qcb;
Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
Received: by 10.236.195.97 with SMTP id o61mr24210886yhn.17.1345531220620;
Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
Return-Path: <airlied@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28])
by mx.google.com with ESMTP id c5si239413anp.5.2012.08.20.23.40.20;
Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) smtp.mail=airlied@redhat.com
Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q7L6eJ4K014799
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
Tue, 21 Aug 2012 02:40:19 -0400
Received: from prime.bne.redhat.com (dhcp-41-76.bne.redhat.com [10.64.41.76])
by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q7L6eFfB029177;
Tue, 21 Aug 2012 02:40:16 -0400
From: Dave Airlie <airlied@redhat.com>
To: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.sf.net, linux-kernel@vger.kernel.org,
Linus <torvalds@linux-foundation.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Randy Dunlap <rdunlap@xenotime.net>, Josh Boyer <jwboyer@gmail.com>,
Dave Airlie <airlied@redhat.com>
Subject: [PATCH] fbcon: fix race condition between console lock and cursor timer
Date: Tue, 21 Aug 2012 16:40:07 +1000
Message-Id: <1345531207-24926-1-git-send-email-airlied@redhat.com>
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
So we've had a fair few reports of fbcon handover breakage between
efi/vesafb and i915 surface recently, so I dedicated a couple of
days to finding the problem.
Essentially the last thing we saw was the conflicting framebuffer
message and that was all.
So after much tracing with direct netconsole writes (printks
under console_lock not so useful), I think I found the race.
Thread A (driver load) Thread B (timer thread)
unbind_con_driver -> |
bind_con_driver -> |
vc->vc_sw->con_deinit -> |
fbcon_deinit -> |
console_lock() |
| |
| fbcon_flashcursor timer fires
| console_lock() <- blocked for A
|
|
fbcon_del_cursor_timer ->
del_timer_sync
(BOOM)
Of course because all of this is under the console lock,
we never see anything, also since we also just unbound the active
console guess what we never see anything.
Hopefully this fixes the problem for anyone seeing vesafb->kms
driver handoff.
Signed-off-by: David Airlie <airlied@redhat.com>
---
drivers/video/console/fbcon.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
index 2e471c2..f8a79fc 100644
--- a/drivers/video/console/fbcon.c
+++ b/drivers/video/console/fbcon.c
@@ -372,8 +372,12 @@ static void fb_flashcursor(struct work_struct *work)
struct vc_data *vc = NULL;
int c;
int mode;
+ int ret;
+
+ ret = console_trylock();
+ if (ret == 0)
+ return;
- console_lock();
if (ops && ops->currcon != -1)
vc = vc_cons[ops->currcon].d;
--
1.7.10.2
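Review bot: deleting this patch file is only correct if the v3.6-rc2-400-g23dcfa6 snapshot really contains Dave Airlie's fbcon fix, and neither the commit message nor the %changelog says so. The file is a mailing-list submission (Message-Id <1345531207-24926-1-git-send-email-airlied@redhat.com>) rather than a cherry-pick carrying an upstream commit id, so there is nothing in the diff to cross-check against. Suggest a changelog line such as "- Drop fbcon console_lock/cursor timer patch, merged upstream" together with the upstream commit hash, since the patch closes the del_timer_sync-under-console_lock deadlock described in its own body and a silent regression there would reproduce exactly the "conflicting framebuffer and nothing more" symptom the patch was written for.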


@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 2
%global baserelease 1
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 2
# The git snapshot level
%define gitrev 1
%define gitrev 2
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@ -744,11 +744,6 @@ Patch22000: weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
#rhbz 836742
Patch22059: uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
Patch22065: fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
#rhbz 847548
Patch22066: virtio-scsi-Initialize-scatterlist-structure.patch
@ -1442,11 +1437,6 @@ ApplyPatch weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
#rhbz 836742
ApplyPatch uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
ApplyPatch fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
#rhbz 847548
ApplyPatch virtio-scsi-Initialize-scatterlist-structure.patch
@ -2315,6 +2305,10 @@ fi
# ||----w |
# || ||
%changelog
* Wed Aug 22 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.0-0.rc2.git2.1
- Linux v3.6-rc2-400-g23dcfa6
- CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
* Tue Aug 21 2012 Josh Boyer <jwboyer@redhat.com>
- Add patch from Dave Jones to fix suspicious RCU usage in SELinux (rhbz 846037)
- Add patch from Richard W.M. Jones to fix virtio scsi oops (rhbz 847548)
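Review bot: the "CVE-2012-3520" line in the new changelog entry has no matching Patch/ApplyPatch addition anywhere in this diff (the commit is 7 additions against 138 deletions), so the fix must be arriving with the upstream snapshot itself. Make that explicit, e.g. "- CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing (fixed in upstream snapshot)", and add the rhbz reference as the Aug 21 entries do; otherwise anyone auditing which build first closed the CVE has to diff kernel trees to confirm it.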


@ -1,3 +1,3 @@
24153eaaa81dedc9481ada8cd9c3b83d linux-3.5.tar.xz
5f0ec612b5364c18386c1b8155c271ac patch-3.6-rc2.xz
12edd20554fd9469c5d7fad9935ce0af patch-3.6-rc2-git1.xz
35f27ef57826c644eb014ecda8f22870 patch-3.6-rc2-git2.xz
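Review bot: the replacement entry for patch-3.6-rc2-git2.xz keeps the sources file's 32-hex-digit MD5 format. MD5 catches a corrupted download but is not collision-resistant, so this line records integrity, not authenticity; the step that verifies the snapshot against kernel.org before the sum is written down is what actually protects the build, and it would be worth stating in the commit message that it was done.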


@ -1,36 +0,0 @@
From 3771973542a4807b251352253ed22c50e688e573 Mon Sep 17 00:00:00 2001
From: Jayakrishnan Memana <jayakrishnan.memana@maxim-ic.com>
Date: Sun, 15 Jul 2012 15:54:03 +0200
Subject: [PATCH] uvcvideo: Reset the bytesused field when recycling an erroneous buffer
Buffers marked as erroneous are recycled immediately by the driver if
the nodrop module parameter isn't set. The buffer payload size is reset
to 0, but the buffer bytesused field isn't. This results in the buffer
being immediately considered as complete, leading to an infinite loop in
interrupt context.
Fix the problem by resetting the bytesused field when recycling the
buffer.
Cc: <stable@vger.kernel.org>
Signed-off-by: Jayakrishnan Memana <jayakrishnan.memana@maxim-ic.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
drivers/media/video/uvc/uvc_queue.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/drivers/media/video/uvc/uvc_queue.c b/drivers/media/video/uvc/uvc_queue.c
index 9288fbd..5577381 100644
--- a/drivers/media/video/uvc/uvc_queue.c
+++ b/drivers/media/video/uvc/uvc_queue.c
@@ -338,6 +338,7 @@ struct uvc_buffer *uvc_queue_next_buffer(struct uvc_video_queue *queue,
if ((queue->flags & UVC_QUEUE_DROP_CORRUPTED) && buf->error) {
buf->error = 0;
buf->state = UVC_BUF_STATE_QUEUED;
+ buf->bytesused = 0;
vb2_set_plane_payload(&buf->buf, 0, 0);
return buf;
}
--
1.7.2.5
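Review bot: this deleted patch carries "Cc: <stable@vger.kernel.org>" and fixes an infinite loop in interrupt context, so dropping it depends on the upstream commit named in the file's first line (3771973542a4807b251352253ed22c50e688e573) being present in the new snapshot, and the commit message records no such check. Suggest a %changelog line stating that the uvcvideo bytesused patch (rhbz 836742) is dropped because it is now upstream, keeping the rhbz number so the bug can be closed against the right build.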