Linux v3.14.4
parent
8eb39ff3b7
commit
2555d62ee3
|
@ -1,33 +0,0 @@
|
|||
From d1b9785eda70e7638927d294139c6d4796cb7ea6 Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Tue, 22 Apr 2014 11:08:16 +0200
|
||||
Subject: [PATCH v3] synaptics: Add min/max quirk for ThinkPad Edge E431
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
---
|
||||
drivers/input/mouse/synaptics.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
|
||||
index 7c9f509..93cc8fd 100644
|
||||
--- a/drivers/input/mouse/synaptics.c
|
||||
+++ b/drivers/input/mouse/synaptics.c
|
||||
@@ -1566,6 +1566,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
|
||||
.driver_data = (int []){1232, 5710, 1156, 4696},
|
||||
},
|
||||
{
|
||||
+ /* Lenovo ThinkPad Edge E431 */
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Edge E431"),
|
||||
+ },
|
||||
+ .driver_data = (int []){1024, 5022, 2508, 4832},
|
||||
+ },
|
||||
+ {
|
||||
/* Lenovo ThinkPad T431s */
|
||||
.matches = {
|
||||
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
--
|
||||
1.9.0
|
||||
|
|
@ -1,100 +0,0 @@
|
|||
From 46a2986ebbe18757c2d8c352f8fb6e0f4f0754e3 Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Sat, 19 Apr 2014 22:31:18 -0700
|
||||
Subject: [PATCH] Input: synaptics - add min/max quirk for ThinkPad T431s,
|
||||
L440, L540, S1 Yoga and X1
|
||||
|
||||
We expect that all the Haswell series will need such quirks, sigh.
|
||||
|
||||
The T431s seems to be T430 hardware in a T440s case, using the T440s touchpad,
|
||||
with the same min/max issue.
|
||||
|
||||
The X1 Carbon 3rd generation name says 2nd while it is a 3rd generation.
|
||||
|
||||
The X1 and T431s share a PnPID with the T540p, but the reported ranges are
|
||||
closer to those of the T440s.
|
||||
|
||||
HdG: Squashed 5 quirk patches into one. T431s + L440 + L540 are written by me,
|
||||
S1 Yoga and X1 are written by Benjamin Tissoires.
|
||||
|
||||
Hdg: Standardized S1 Yoga and X1 values, Yoga uses the same touchpad as the
|
||||
X240, X1 uses the same touchpad as the T440.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
||||
---
|
||||
drivers/input/mouse/synaptics.c | 42 +++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 42 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
|
||||
index 9d75410..ef9f491 100644
|
||||
--- a/drivers/input/mouse/synaptics.c
|
||||
+++ b/drivers/input/mouse/synaptics.c
|
||||
@@ -1566,6 +1566,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
|
||||
.driver_data = (int []){1232, 5710, 1156, 4696},
|
||||
},
|
||||
{
|
||||
+ /* Lenovo ThinkPad T431s */
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T431"),
|
||||
+ },
|
||||
+ .driver_data = (int []){1024, 5112, 2024, 4832},
|
||||
+ },
|
||||
+ {
|
||||
/* Lenovo ThinkPad T440s */
|
||||
.matches = {
|
||||
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
@@ -1574,6 +1582,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
|
||||
.driver_data = (int []){1024, 5112, 2024, 4832},
|
||||
},
|
||||
{
|
||||
+ /* Lenovo ThinkPad L440 */
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L440"),
|
||||
+ },
|
||||
+ .driver_data = (int []){1024, 5112, 2024, 4832},
|
||||
+ },
|
||||
+ {
|
||||
/* Lenovo ThinkPad T540p */
|
||||
.matches = {
|
||||
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
@@ -1581,6 +1597,32 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
|
||||
},
|
||||
.driver_data = (int []){1024, 5056, 2058, 4832},
|
||||
},
|
||||
+ {
|
||||
+ /* Lenovo ThinkPad L540 */
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L540"),
|
||||
+ },
|
||||
+ .driver_data = (int []){1024, 5112, 2024, 4832},
|
||||
+ },
|
||||
+ {
|
||||
+ /* Lenovo Yoga S1 */
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
|
||||
+ "ThinkPad S1 Yoga"),
|
||||
+ },
|
||||
+ .driver_data = (int []){1232, 5710, 1156, 4696},
|
||||
+ },
|
||||
+ {
|
||||
+ /* Lenovo ThinkPad X1 Carbon Haswell (3rd generation) */
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
+ DMI_MATCH(DMI_PRODUCT_VERSION,
|
||||
+ "ThinkPad X1 Carbon 2nd"),
|
||||
+ },
|
||||
+ .driver_data = (int []){1024, 5112, 2024, 4832},
|
||||
+ },
|
||||
#endif
|
||||
{ }
|
||||
};
|
||||
--
|
||||
1.9.0
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
Bugzilla: 1085016
|
||||
Upstream-status: Queued for 3.15
|
||||
|
||||
From 5678de3f15010b9022ee45673f33bcfc71d47b60 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Fri, 28 Mar 2014 20:41:50 +0100
|
||||
Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi
|
||||
(CVE-2014-0155)
|
||||
|
||||
QE reported that they got the BUG_ON in ioapic_service to trigger.
|
||||
I cannot reproduce it, but there are two reasons why this could happen.
|
||||
|
||||
The less likely but also easiest one, is when kvm_irq_delivery_to_apic
|
||||
does not deliver to any APIC and returns -1.
|
||||
|
||||
Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
|
||||
function is never reached. However, you can target the similar loop in
|
||||
kvm_irq_delivery_to_apic_fast; just program a zero logical destination
|
||||
address into the IOAPIC, or an out-of-range physical destination address.
|
||||
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
|
||||
diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
|
||||
index d4b6015..d98d107 100644
|
||||
--- a/virt/kvm/ioapic.c
|
||||
+++ b/virt/kvm/ioapic.c
|
||||
@@ -356,7 +356,7 @@ static int ioapic_service(struct kvm_ioapic *ioapic, int irq, bool line_status)
|
||||
BUG_ON(ioapic->rtc_status.pending_eoi != 0);
|
||||
ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe,
|
||||
ioapic->rtc_status.dest_map);
|
||||
- ioapic->rtc_status.pending_eoi = ret;
|
||||
+ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
|
||||
} else
|
||||
ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
|
||||
|
||||
--
|
||||
cgit v0.10.1
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
Bugzilla: 1096195
|
||||
Upstream-status: 3.15 and queued for stable
|
||||
|
||||
From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Daley <mattd@bugfuzz.com>
|
||||
Date: Mon, 28 Apr 2014 19:05:21 +1200
|
||||
Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
|
||||
|
||||
From: Matthew Daley <mattd@bugfuzz.com>
|
||||
|
||||
commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
|
||||
|
||||
Do not leak kernel-only floppy_raw_cmd structure members to userspace.
|
||||
This includes the linked-list pointer and the pointer to the allocated
|
||||
DMA space.
|
||||
|
||||
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
drivers/block/floppy.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/block/floppy.c
|
||||
+++ b/drivers/block/floppy.c
|
||||
@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void
|
||||
int ret;
|
||||
|
||||
while (ptr) {
|
||||
- ret = copy_to_user(param, ptr, sizeof(*ptr));
|
||||
+ struct floppy_raw_cmd cmd = *ptr;
|
||||
+ cmd.next = NULL;
|
||||
+ cmd.kernel_data = NULL;
|
||||
+ ret = copy_to_user(param, &cmd, sizeof(cmd));
|
||||
if (ret)
|
||||
return -EFAULT;
|
||||
param += sizeof(struct floppy_raw_cmd);
|
|
@ -1,48 +0,0 @@
|
|||
Bugzilla: 1096195
|
||||
Upstream-status: 3.15 and queued for stable
|
||||
|
||||
From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Daley <mattd@bugfuzz.com>
|
||||
Date: Mon, 28 Apr 2014 19:05:20 +1200
|
||||
Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
|
||||
|
||||
From: Matthew Daley <mattd@bugfuzz.com>
|
||||
|
||||
commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
|
||||
|
||||
Always clear out these floppy_raw_cmd struct members after copying the
|
||||
entire structure from userspace so that the in-kernel version is always
|
||||
valid and never left in an interdeterminate state.
|
||||
|
||||
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
drivers/block/floppy.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/drivers/block/floppy.c
|
||||
+++ b/drivers/block/floppy.c
|
||||
@@ -3107,10 +3107,11 @@ loop:
|
||||
return -ENOMEM;
|
||||
*rcmd = ptr;
|
||||
ret = copy_from_user(ptr, param, sizeof(*ptr));
|
||||
- if (ret)
|
||||
- return -EFAULT;
|
||||
ptr->next = NULL;
|
||||
ptr->buffer_length = 0;
|
||||
+ ptr->kernel_data = NULL;
|
||||
+ if (ret)
|
||||
+ return -EFAULT;
|
||||
param += sizeof(struct floppy_raw_cmd);
|
||||
if (ptr->cmd_count > 33)
|
||||
/* the command may now also take up the space
|
||||
@@ -3126,7 +3127,6 @@ loop:
|
||||
for (i = 0; i < 16; i++)
|
||||
ptr->reply[i] = 0;
|
||||
ptr->resultcode = 0;
|
||||
- ptr->kernel_data = NULL;
|
||||
|
||||
if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
|
||||
if (ptr->length <= 0)
|
|
@ -1,48 +0,0 @@
|
|||
Bugzilla: 1046495
|
||||
Upstream-status: Sent for 3.14 http://marc.info/?l=linux-wireless&m=139453882510796&w=2
|
||||
|
||||
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
|
||||
|
||||
There is a flow in which we send the host command in SYNC
|
||||
mode, but we don't take priv->mutex.
|
||||
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1046495
|
||||
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
|
||||
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
|
||||
---
|
||||
drivers/net/wireless/iwlwifi/dvm/main.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c
|
||||
index ba1b1ea..ea7e70c 100644
|
||||
--- a/drivers/net/wireless/iwlwifi/dvm/main.c
|
||||
+++ b/drivers/net/wireless/iwlwifi/dvm/main.c
|
||||
@@ -252,13 +252,17 @@ static void iwl_bg_bt_runtime_config(struct work_struct *work)
|
||||
struct iwl_priv *priv =
|
||||
container_of(work, struct iwl_priv, bt_runtime_config);
|
||||
|
||||
+ mutex_lock(&priv->mutex);
|
||||
if (test_bit(STATUS_EXIT_PENDING, &priv->status))
|
||||
- return;
|
||||
+ goto out;
|
||||
|
||||
/* dont send host command if rf-kill is on */
|
||||
if (!iwl_is_ready_rf(priv))
|
||||
- return;
|
||||
+ goto out;
|
||||
+
|
||||
iwlagn_send_advance_bt_config(priv);
|
||||
+out:
|
||||
+ mutex_unlock(&priv->mutex);
|
||||
}
|
||||
|
||||
static void iwl_bg_bt_full_concurrency(struct work_struct *work)
|
||||
--
|
||||
1.8.3.2
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
55
kernel.spec
55
kernel.spec
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 3
|
||||
%define stable_update 4
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -709,21 +709,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
|||
#rhbz 1051748
|
||||
Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch
|
||||
|
||||
#rhbz 1046495
|
||||
Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
|
||||
|
||||
#CVE-2014-0155 rhbz 1081589 1085016
|
||||
Patch25036: KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
|
||||
|
||||
#rhbz 1074235
|
||||
Patch25055: lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
|
||||
|
||||
#CVE-2014-2851 rhbz 1086730 1087420
|
||||
Patch25059: net-ipv4-current-group_info-should-be-put-after-using.patch
|
||||
|
||||
#rhbz 1085582 1085697 1088588
|
||||
Patch25060: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
|
||||
|
||||
#rhbz 1074710
|
||||
Patch25061: mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
|
||||
|
||||
|
@ -742,9 +730,6 @@ Patch25072: HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch
|
|||
#rhbz 1013466
|
||||
Patch25065: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
|
||||
|
||||
#rhbz 1089689
|
||||
Patch25066: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
|
||||
|
||||
#rhbz 1090746
|
||||
Patch25067: ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch
|
||||
|
||||
|
@ -763,12 +748,6 @@ Patch25073: net-Start-with-correct-mac_len-in-skb_network_protoc.patch
|
|||
#rhbz 1089545
|
||||
Patch25074: 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
|
||||
|
||||
#rhbz 1082586
|
||||
Patch25075: locks-allow-__break_lease-to-sleep-even-when-break_t.patch
|
||||
|
||||
#CVE-2014-0196 rhbz 1094232 1094240
|
||||
Patch25076: n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
|
||||
|
||||
#misc input fixes
|
||||
Patch25077: 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
|
||||
Patch25078: 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
|
||||
|
@ -790,10 +769,6 @@ Patch25086: 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-m
|
|||
#rhbz 1082266
|
||||
Patch25087: jme-fix-dma-unmap-error.patch
|
||||
|
||||
#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195
|
||||
Patch25088: floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
|
||||
Patch25089: floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
|
||||
|
||||
# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
|
||||
Patch25090: filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
|
||||
|
||||
|
@ -1461,12 +1436,6 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
|||
#rhbz 1051748
|
||||
ApplyPatch Bluetooth-allocate-static-minor-for-vhci.patch
|
||||
|
||||
#rhbz 1046495
|
||||
ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
|
||||
|
||||
#CVE-2014-0155 rhbz 1081589 1085016
|
||||
ApplyPatch KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
|
||||
|
||||
#rhbz 1048314
|
||||
ApplyPatch 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch
|
||||
#rhbz 1089583
|
||||
|
@ -1474,15 +1443,9 @@ ApplyPatch 0001-HID-rmi-do-not-handle-touchscreens-through-hid-rmi.patch
|
|||
#rhbz 1090161
|
||||
ApplyPatch HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch
|
||||
|
||||
#rhbz 1074235
|
||||
ApplyPatch lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
|
||||
|
||||
#CVE-2014-2851 rhbz 1086730 1087420
|
||||
ApplyPatch net-ipv4-current-group_info-should-be-put-after-using.patch
|
||||
|
||||
#rhbz 1085582 1085697
|
||||
ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
|
||||
|
||||
#rhbz 1074710
|
||||
ApplyPatch mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
|
||||
|
||||
|
@ -1492,9 +1455,6 @@ ApplyPatch USB-serial-ftdi_sio-add-id-for-Brainboxes-serial-car.patch
|
|||
#rhbz 1013466
|
||||
ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
|
||||
|
||||
#rhbz 1089689
|
||||
ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
|
||||
|
||||
#rhbz 1090746
|
||||
ApplyPatch ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch
|
||||
|
||||
|
@ -1513,12 +1473,6 @@ ApplyPatch net-Start-with-correct-mac_len-in-skb_network_protoc.patch
|
|||
#rhbz 1089545
|
||||
ApplyPatch 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
|
||||
|
||||
#rhbz 1082586
|
||||
ApplyPatch locks-allow-__break_lease-to-sleep-even-when-break_t.patch
|
||||
|
||||
#CVE-2014-0196 rhbz 1094232 1094240
|
||||
ApplyPatch n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
|
||||
|
||||
#misc input fixes
|
||||
ApplyPatch 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
|
||||
ApplyPatch 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
|
||||
|
@ -1540,10 +1494,6 @@ ApplyPatch 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-me
|
|||
#rhbz 1082266
|
||||
ApplyPatch jme-fix-dma-unmap-error.patch
|
||||
|
||||
#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195
|
||||
ApplyPatch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
|
||||
ApplyPatch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
|
||||
|
||||
# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
|
||||
ApplyPatch filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
|
||||
|
||||
|
@ -2358,6 +2308,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Tue May 13 2014 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Linux v3.14.4
|
||||
|
||||
* Mon May 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)
|
||||
|
||||
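Review bot: The `%changelog` entry added in the last kernel.spec hunk records only `- Linux v3.14.4`, yet the same commit deletes the carried patch files for CVE-2014-0155 (KVM ioapic), CVE-2014-0196 (n_tty) and CVE-2014-1737/CVE-2014-1738 (floppy FDRAWCMD). Going by the hunk line counts, it also appears to drop their `Patch`/`ApplyPatch` lines. Presumably these fixes now come from the 3.14.4 stable update, but nothing on the page shows that, so each dropped fix should be confirmed present in the new source before its patch is removed. A changelog line such as `- Drop CVE-2014-0155, CVE-2014-0196, CVE-2014-1737, CVE-2014-1738 patches, now in 3.14.4` would keep the fixes traceable for anyone auditing the package by CVE id.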
|
|
|
@ -1,63 +0,0 @@
|
|||
Bugzilla: 1074235
|
||||
Upstream-status: 3.15 and CC'd to stable
|
||||
|
||||
From e39435ce68bb4685288f78b1a7e24311f7ef939f Mon Sep 17 00:00:00 2001
|
||||
From: Jens Axboe <axboe@fb.com>
|
||||
Date: Tue, 8 Apr 2014 16:04:12 -0700
|
||||
Subject: [PATCH] lib/percpu_counter.c: fix bad percpu counter state during
|
||||
suspend
|
||||
|
||||
I got a bug report yesterday from Laszlo Ersek in which he states that
|
||||
his kvm instance fails to suspend. Laszlo bisected it down to this
|
||||
commit 1cf7e9c68fe8 ("virtio_blk: blk-mq support") where virtio-blk is
|
||||
converted to use the blk-mq infrastructure.
|
||||
|
||||
After digging a bit, it became clear that the issue was with the queue
|
||||
drain. blk-mq tracks queue usage in a percpu counter, which is
|
||||
incremented on request alloc and decremented when the request is freed.
|
||||
The initial hunt was for an inconsistency in blk-mq, but everything
|
||||
seemed fine. In fact, the counter only returned crazy values when
|
||||
suspend was in progress.
|
||||
|
||||
When a CPU is unplugged, the percpu counters merges that CPU state with
|
||||
the general state. blk-mq takes care to register a hotcpu notifier with
|
||||
the appropriate priority, so we know it runs after the percpu counter
|
||||
notifier. However, the percpu counter notifier only merges the state
|
||||
when the CPU is fully gone. This leaves a state transition where the
|
||||
CPU going away is no longer in the online mask, yet it still holds
|
||||
private values. This means that in this state, percpu_counter_sum()
|
||||
returns invalid results, and the suspend then hangs waiting for
|
||||
abs(dead-cpu-value) requests to complete which of course will never
|
||||
happen.
|
||||
|
||||
Fix this by clearing the state earlier, so we never have a case where
|
||||
the CPU isn't in online mask but still holds private state. This bug
|
||||
has been there since forever, I guess we don't have a lot of users where
|
||||
percpu counters needs to be reliable during the suspend cycle.
|
||||
|
||||
Signed-off-by: Jens Axboe <axboe@fb.com>
|
||||
Reported-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Tested-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
lib/percpu_counter.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/percpu_counter.c b/lib/percpu_counter.c
|
||||
index 8280a5dd1727..7dd33577b905 100644
|
||||
--- a/lib/percpu_counter.c
|
||||
+++ b/lib/percpu_counter.c
|
||||
@@ -169,7 +169,7 @@ static int percpu_counter_hotcpu_callback(struct notifier_block *nb,
|
||||
struct percpu_counter *fbc;
|
||||
|
||||
compute_batch_value();
|
||||
- if (action != CPU_DEAD)
|
||||
+ if (action != CPU_DEAD && action != CPU_DEAD_FROZEN)
|
||||
return NOTIFY_OK;
|
||||
|
||||
cpu = (unsigned long)hcpu;
|
||||
--
|
||||
1.8.5.3
|
||||
|
|
@ -1,50 +0,0 @@
|
|||
Bugzilla: 1082586
|
||||
Upstream-status: 3.15 and sent for stable
|
||||
|
||||
From f1c6bb2cb8b81013e8979806f8e15e3d53efb96d Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Layton <jlayton@redhat.com>
|
||||
Date: Tue, 15 Apr 2014 06:17:49 -0400
|
||||
Subject: [PATCH] locks: allow __break_lease to sleep even when break_time is 0
|
||||
|
||||
A fl->fl_break_time of 0 has a special meaning to the lease break code
|
||||
that basically means "never break the lease". knfsd uses this to ensure
|
||||
that leases don't disappear out from under it.
|
||||
|
||||
Unfortunately, the code in __break_lease can end up passing this value
|
||||
to wait_event_interruptible as a timeout, which prevents it from going
|
||||
to sleep at all. This makes __break_lease to spin in a tight loop and
|
||||
causes soft lockups.
|
||||
|
||||
Fix this by ensuring that we pass a minimum value of 1 as a timeout
|
||||
instead.
|
||||
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Cc: J. Bruce Fields <bfields@fieldses.org>
|
||||
Reported-by: Terry Barnaby <terry1@beam.ltd.uk>
|
||||
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
||||
---
|
||||
fs/locks.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/fs/locks.c b/fs/locks.c
|
||||
index 13fc7a6d380a..b380f5543614 100644
|
||||
--- a/fs/locks.c
|
||||
+++ b/fs/locks.c
|
||||
@@ -1391,11 +1391,10 @@ int __break_lease(struct inode *inode, unsigned int mode, unsigned int type)
|
||||
|
||||
restart:
|
||||
break_time = flock->fl_break_time;
|
||||
- if (break_time != 0) {
|
||||
+ if (break_time != 0)
|
||||
break_time -= jiffies;
|
||||
- if (break_time == 0)
|
||||
- break_time++;
|
||||
- }
|
||||
+ if (break_time == 0)
|
||||
+ break_time++;
|
||||
locks_insert_block(flock, new_fl);
|
||||
spin_unlock(&inode->i_lock);
|
||||
error = wait_event_interruptible_timeout(new_fl->fl_wait,
|
||||
--
|
||||
1.9.0
|
||||
|
|
@ -1,86 +0,0 @@
|
|||
Bugzilla: 1094240
|
||||
Upstream-status: 3.15 and CC'd to stable
|
||||
|
||||
From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hurley <peter@hurleysoftware.com>
|
||||
Date: Sat, 3 May 2014 14:04:59 +0200
|
||||
Subject: [PATCH] n_tty: Fix n_tty_write crash when echoing in raw mode
|
||||
|
||||
The tty atomic_write_lock does not provide an exclusion guarantee for
|
||||
the tty driver if the termios settings are LECHO & !OPOST. And since
|
||||
it is unexpected and not allowed to call TTY buffer helpers like
|
||||
tty_insert_flip_string concurrently, this may lead to crashes when
|
||||
concurrect writers call pty_write. In that case the following two
|
||||
writers:
|
||||
* the ECHOing from a workqueue and
|
||||
* pty_write from the process
|
||||
race and can overflow the corresponding TTY buffer like follows.
|
||||
|
||||
If we look into tty_insert_flip_string_fixed_flag, there is:
|
||||
int space = __tty_buffer_request_room(port, goal, flags);
|
||||
struct tty_buffer *tb = port->buf.tail;
|
||||
...
|
||||
memcpy(char_buf_ptr(tb, tb->used), chars, space);
|
||||
...
|
||||
tb->used += space;
|
||||
|
||||
so the race of the two can result in something like this:
|
||||
A B
|
||||
__tty_buffer_request_room
|
||||
__tty_buffer_request_room
|
||||
memcpy(buf(tb->used), ...)
|
||||
tb->used += space;
|
||||
memcpy(buf(tb->used), ...) ->BOOM
|
||||
|
||||
B's memcpy is past the tty_buffer due to the previous A's tb->used
|
||||
increment.
|
||||
|
||||
Since the N_TTY line discipline input processing can output
|
||||
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
|
||||
serialize echo output with normal tty writes. This ensures the tty
|
||||
buffer helper tty_insert_flip_string is not called concurrently and
|
||||
everything is fine.
|
||||
|
||||
Note that this is nicely reproducible by an ordinary user using
|
||||
forkpty and some setup around that (raw termios + ECHO). And it is
|
||||
present in kernels at least after commit
|
||||
d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
|
||||
use the normal buffering logic) in 2.6.31-rc3.
|
||||
|
||||
js: add more info to the commit log
|
||||
js: switch to bool
|
||||
js: lock unconditionally
|
||||
js: lock only the tty->ops->write call
|
||||
|
||||
References: CVE-2014-0196
|
||||
Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
|
||||
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
|
||||
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/tty/n_tty.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
|
||||
index 41fe8a047d37..fe9d129c8735 100644
|
||||
--- a/drivers/tty/n_tty.c
|
||||
+++ b/drivers/tty/n_tty.c
|
||||
@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
|
||||
if (tty->ops->flush_chars)
|
||||
tty->ops->flush_chars(tty);
|
||||
} else {
|
||||
+ struct n_tty_data *ldata = tty->disc_data;
|
||||
+
|
||||
while (nr > 0) {
|
||||
+ mutex_lock(&ldata->output_lock);
|
||||
c = tty->ops->write(tty, b, nr);
|
||||
+ mutex_unlock(&ldata->output_lock);
|
||||
if (c < 0) {
|
||||
retval = c;
|
||||
goto break_out;
|
||||
--
|
||||
1.9.0
|
||||
|