rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v3.14.4

This commit is contained in:
Justin M. Forbes 2014-05-13 07:57:20 -05:00
parent 8eb39ff3b7
commit 2555d62ee3
11 changed files with 5 additions and 556 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
View File

@ -1,33 +0,0 @@
From d1b9785eda70e7638927d294139c6d4796cb7ea6 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Tue, 22 Apr 2014 11:08:16 +0200
Subject: [PATCH v3] synaptics: Add min/max quirk for ThinkPad Edge E431
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
drivers/input/mouse/synaptics.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
index 7c9f509..93cc8fd 100644
--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -1566,6 +1566,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
.driver_data = (int []){1232, 5710, 1156, 4696},
},
{
+ /* Lenovo ThinkPad Edge E431 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Edge E431"),
+ },
+ .driver_data = (int []){1024, 5022, 2508, 4832},
+ },
+ {
/* Lenovo ThinkPad T431s */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
--
1.9.0

100
0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
View File

@ -1,100 +0,0 @@
From 46a2986ebbe18757c2d8c352f8fb6e0f4f0754e3 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Sat, 19 Apr 2014 22:31:18 -0700
Subject: [PATCH] Input: synaptics - add min/max quirk for ThinkPad T431s,
L440, L540, S1 Yoga and X1
We expect that all the Haswell series will need such quirks, sigh.
The T431s seems to be T430 hardware in a T440s case, using the T440s touchpad,
with the same min/max issue.
The X1 Carbon 3rd generation name says 2nd while it is a 3rd generation.
The X1 and T431s share a PnPID with the T540p, but the reported ranges are
closer to those of the T440s.
HdG: Squashed 5 quirk patches into one. T431s + L440 + L540 are written by me,
S1 Yoga and X1 are written by Benjamin Tissoires.
Hdg: Standardized S1 Yoga and X1 values, Yoga uses the same touchpad as the
X240, X1 uses the same touchpad as the T440.
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
drivers/input/mouse/synaptics.c | 42 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
index 9d75410..ef9f491 100644
--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -1566,6 +1566,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
.driver_data = (int []){1232, 5710, 1156, 4696},
},
{
+ /* Lenovo ThinkPad T431s */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T431"),
+ },
+ .driver_data = (int []){1024, 5112, 2024, 4832},
+ },
+ {
/* Lenovo ThinkPad T440s */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
@@ -1574,6 +1582,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
.driver_data = (int []){1024, 5112, 2024, 4832},
},
{
+ /* Lenovo ThinkPad L440 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L440"),
+ },
+ .driver_data = (int []){1024, 5112, 2024, 4832},
+ },
+ {
/* Lenovo ThinkPad T540p */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
@@ -1581,6 +1597,32 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
},
.driver_data = (int []){1024, 5056, 2058, 4832},
},
+ {
+ /* Lenovo ThinkPad L540 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L540"),
+ },
+ .driver_data = (int []){1024, 5112, 2024, 4832},
+ },
+ {
+ /* Lenovo Yoga S1 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
+ "ThinkPad S1 Yoga"),
+ },
+ .driver_data = (int []){1232, 5710, 1156, 4696},
+ },
+ {
+ /* Lenovo ThinkPad X1 Carbon Haswell (3rd generation) */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION,
+ "ThinkPad X1 Carbon 2nd"),
+ },
+ .driver_data = (int []){1024, 5112, 2024, 4832},
+ },
#endif
{ }
};
--
1.9.0

38
KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
View File

@ -1,38 +0,0 @@
Bugzilla: 1085016
Upstream-status: Queued for 3.15
From 5678de3f15010b9022ee45673f33bcfc71d47b60 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri, 28 Mar 2014 20:41:50 +0100
Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi
(CVE-2014-0155)
QE reported that they got the BUG_ON in ioapic_service to trigger.
I cannot reproduce it, but there are two reasons why this could happen.
The less likely but also easiest one, is when kvm_irq_delivery_to_apic
does not deliver to any APIC and returns -1.
Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
function is never reached. However, you can target the similar loop in
kvm_irq_delivery_to_apic_fast; just program a zero logical destination
address into the IOAPIC, or an out-of-range physical destination address.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
index d4b6015..d98d107 100644
--- a/virt/kvm/ioapic.c
+++ b/virt/kvm/ioapic.c
@@ -356,7 +356,7 @@ static int ioapic_service(struct kvm_ioapic *ioapic, int irq, bool line_status)
BUG_ON(ioapic->rtc_status.pending_eoi != 0);
ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe,
ioapic->rtc_status.dest_map);
- ioapic->rtc_status.pending_eoi = ret;
+ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
} else
ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
--
cgit v0.10.1

38
floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
View File

@ -1,38 +0,0 @@
Bugzilla: 1096195
Upstream-status: 3.15 and queued for stable
From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
From: Matthew Daley <mattd@bugfuzz.com>
Date: Mon, 28 Apr 2014 19:05:21 +1200
Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
From: Matthew Daley <mattd@bugfuzz.com>
commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
Do not leak kernel-only floppy_raw_cmd structure members to userspace.
This includes the linked-list pointer and the pointer to the allocated
DMA space.
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/floppy.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void
int ret;
while (ptr) {
- ret = copy_to_user(param, ptr, sizeof(*ptr));
+ struct floppy_raw_cmd cmd = *ptr;
+ cmd.next = NULL;
+ cmd.kernel_data = NULL;
+ ret = copy_to_user(param, &cmd, sizeof(cmd));
if (ret)
return -EFAULT;
param += sizeof(struct floppy_raw_cmd);

48
floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
View File

@ -1,48 +0,0 @@
Bugzilla: 1096195
Upstream-status: 3.15 and queued for stable
From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
From: Matthew Daley <mattd@bugfuzz.com>
Date: Mon, 28 Apr 2014 19:05:20 +1200
Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
From: Matthew Daley <mattd@bugfuzz.com>
commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
Always clear out these floppy_raw_cmd struct members after copying the
entire structure from userspace so that the in-kernel version is always
valid and never left in an interdeterminate state.
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/floppy.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3107,10 +3107,11 @@ loop:
return -ENOMEM;
*rcmd = ptr;
ret = copy_from_user(ptr, param, sizeof(*ptr));
- if (ret)
- return -EFAULT;
ptr->next = NULL;
ptr->buffer_length = 0;
+ ptr->kernel_data = NULL;
+ if (ret)
+ return -EFAULT;
param += sizeof(struct floppy_raw_cmd);
if (ptr->cmd_count > 33)
/* the command may now also take up the space
@@ -3126,7 +3127,6 @@ loop:
for (i = 0; i < 16; i++)
ptr->reply[i] = 0;
ptr->resultcode = 0;
- ptr->kernel_data = NULL;
if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
if (ptr->length <= 0)

48
iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
View File

@ -1,48 +0,0 @@
Bugzilla: 1046495
Upstream-status: Sent for 3.14 http://marc.info/?l=linux-wireless&m=139453882510796&w=2
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
There is a flow in which we send the host command in SYNC
mode, but we don't take priv->mutex.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1046495
Cc: <stable@vger.kernel.org>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
---
drivers/net/wireless/iwlwifi/dvm/main.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c
index ba1b1ea..ea7e70c 100644
--- a/drivers/net/wireless/iwlwifi/dvm/main.c
+++ b/drivers/net/wireless/iwlwifi/dvm/main.c
@@ -252,13 +252,17 @@ static void iwl_bg_bt_runtime_config(struct work_struct *work)
struct iwl_priv *priv =
container_of(work, struct iwl_priv, bt_runtime_config);
+ mutex_lock(&priv->mutex);
if (test_bit(STATUS_EXIT_PENDING, &priv->status))
- return;
+ goto out;
/* dont send host command if rf-kill is on */
if (!iwl_is_ready_rf(priv))
- return;
+ goto out;
+
iwlagn_send_advance_bt_config(priv);
+out:
+ mutex_unlock(&priv->mutex);
}
static void iwl_bg_bt_full_concurrency(struct work_struct *work)
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

55
kernel.spec
View File

@ -74,7 +74,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 3
%define stable_update 4
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@ -709,21 +709,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
#rhbz 1051748
Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch
#rhbz 1046495
Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
#CVE-2014-0155 rhbz 1081589 1085016
Patch25036: KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
#rhbz 1074235
Patch25055: lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
#CVE-2014-2851 rhbz 1086730 1087420
Patch25059: net-ipv4-current-group_info-should-be-put-after-using.patch
#rhbz 1085582 1085697 1088588
Patch25060: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
#rhbz 1074710
Patch25061: mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
@ -742,9 +730,6 @@ Patch25072: HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch
#rhbz 1013466
Patch25065: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
#rhbz 1089689
Patch25066: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
#rhbz 1090746
Patch25067: ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch
@ -763,12 +748,6 @@ Patch25073: net-Start-with-correct-mac_len-in-skb_network_protoc.patch
#rhbz 1089545
Patch25074: 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
#rhbz 1082586
Patch25075: locks-allow-__break_lease-to-sleep-even-when-break_t.patch
#CVE-2014-0196 rhbz 1094232 1094240
Patch25076: n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
#misc input fixes
Patch25077: 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
Patch25078: 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
@ -790,10 +769,6 @@ Patch25086: 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-m
#rhbz 1082266
Patch25087: jme-fix-dma-unmap-error.patch
#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195
Patch25088: floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
Patch25089: floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
Patch25090: filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
@ -1461,12 +1436,6 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
#rhbz 1051748
ApplyPatch Bluetooth-allocate-static-minor-for-vhci.patch
#rhbz 1046495
ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
#CVE-2014-0155 rhbz 1081589 1085016
ApplyPatch KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
#rhbz 1048314
ApplyPatch 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch
#rhbz 1089583
@ -1474,15 +1443,9 @@ ApplyPatch 0001-HID-rmi-do-not-handle-touchscreens-through-hid-rmi.patch
#rhbz 1090161
ApplyPatch HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch
#rhbz 1074235
ApplyPatch lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
#CVE-2014-2851 rhbz 1086730 1087420
ApplyPatch net-ipv4-current-group_info-should-be-put-after-using.patch
#rhbz 1085582 1085697
ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
#rhbz 1074710
ApplyPatch mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
@ -1492,9 +1455,6 @@ ApplyPatch USB-serial-ftdi_sio-add-id-for-Brainboxes-serial-car.patch
#rhbz 1013466
ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
#rhbz 1089689
ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
#rhbz 1090746
ApplyPatch ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch
@ -1513,12 +1473,6 @@ ApplyPatch net-Start-with-correct-mac_len-in-skb_network_protoc.patch
#rhbz 1089545
ApplyPatch 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
#rhbz 1082586
ApplyPatch locks-allow-__break_lease-to-sleep-even-when-break_t.patch
#CVE-2014-0196 rhbz 1094232 1094240
ApplyPatch n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
#misc input fixes
ApplyPatch 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
ApplyPatch 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
@ -1540,10 +1494,6 @@ ApplyPatch 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-me
#rhbz 1082266
ApplyPatch jme-fix-dma-unmap-error.patch
#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195
ApplyPatch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
ApplyPatch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
ApplyPatch filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
@ -2358,6 +2308,9 @@ fi
# ||----w |
# || ||
%changelog
* Tue May 13 2014 Justin M. Forbes <jforbes@fedoraproject.org>
- Linux v3.14.4
* Mon May 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)

63
lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
View File

@ -1,63 +0,0 @@
Bugzilla: 1074235
Upstream-status: 3.15 and CC'd to stable
From e39435ce68bb4685288f78b1a7e24311f7ef939f Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@fb.com>
Date: Tue, 8 Apr 2014 16:04:12 -0700
Subject: [PATCH] lib/percpu_counter.c: fix bad percpu counter state during
suspend
I got a bug report yesterday from Laszlo Ersek in which he states that
his kvm instance fails to suspend. Laszlo bisected it down to this
commit 1cf7e9c68fe8 ("virtio_blk: blk-mq support") where virtio-blk is
converted to use the blk-mq infrastructure.
After digging a bit, it became clear that the issue was with the queue
drain. blk-mq tracks queue usage in a percpu counter, which is
incremented on request alloc and decremented when the request is freed.
The initial hunt was for an inconsistency in blk-mq, but everything
seemed fine. In fact, the counter only returned crazy values when
suspend was in progress.
When a CPU is unplugged, the percpu counters merges that CPU state with
the general state. blk-mq takes care to register a hotcpu notifier with
the appropriate priority, so we know it runs after the percpu counter
notifier. However, the percpu counter notifier only merges the state
when the CPU is fully gone. This leaves a state transition where the
CPU going away is no longer in the online mask, yet it still holds
private values. This means that in this state, percpu_counter_sum()
returns invalid results, and the suspend then hangs waiting for
abs(dead-cpu-value) requests to complete which of course will never
happen.
Fix this by clearing the state earlier, so we never have a case where
the CPU isn't in online mask but still holds private state. This bug
has been there since forever, I guess we don't have a lot of users where
percpu counters needs to be reliable during the suspend cycle.
Signed-off-by: Jens Axboe <axboe@fb.com>
Reported-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
lib/percpu_counter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/percpu_counter.c b/lib/percpu_counter.c
index 8280a5dd1727..7dd33577b905 100644
--- a/lib/percpu_counter.c
+++ b/lib/percpu_counter.c
@@ -169,7 +169,7 @@ static int percpu_counter_hotcpu_callback(struct notifier_block *nb,
struct percpu_counter *fbc;
compute_batch_value();
- if (action != CPU_DEAD)
+ if (action != CPU_DEAD && action != CPU_DEAD_FROZEN)
return NOTIFY_OK;
cpu = (unsigned long)hcpu;
--
1.8.5.3

50
locks-allow-__break_lease-to-sleep-even-when-break_t.patch
View File

@ -1,50 +0,0 @@
Bugzilla: 1082586
Upstream-status: 3.15 and sent for stable
From f1c6bb2cb8b81013e8979806f8e15e3d53efb96d Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@redhat.com>
Date: Tue, 15 Apr 2014 06:17:49 -0400
Subject: [PATCH] locks: allow __break_lease to sleep even when break_time is 0
A fl->fl_break_time of 0 has a special meaning to the lease break code
that basically means "never break the lease". knfsd uses this to ensure
that leases don't disappear out from under it.
Unfortunately, the code in __break_lease can end up passing this value
to wait_event_interruptible as a timeout, which prevents it from going
to sleep at all. This makes __break_lease to spin in a tight loop and
causes soft lockups.
Fix this by ensuring that we pass a minimum value of 1 as a timeout
instead.
Cc: <stable@vger.kernel.org>
Cc: J. Bruce Fields <bfields@fieldses.org>
Reported-by: Terry Barnaby <terry1@beam.ltd.uk>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
---
fs/locks.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/locks.c b/fs/locks.c
index 13fc7a6d380a..b380f5543614 100644
--- a/fs/locks.c
+++ b/fs/locks.c
@@ -1391,11 +1391,10 @@ int __break_lease(struct inode *inode, unsigned int mode, unsigned int type)
restart:
break_time = flock->fl_break_time;
- if (break_time != 0) {
+ if (break_time != 0)
break_time -= jiffies;
- if (break_time == 0)
- break_time++;
- }
+ if (break_time == 0)
+ break_time++;
locks_insert_block(flock, new_fl);
spin_unlock(&inode->i_lock);
error = wait_event_interruptible_timeout(new_fl->fl_wait,
--
1.9.0

86
n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
View File

@ -1,86 +0,0 @@
Bugzilla: 1094240
Upstream-status: 3.15 and CC'd to stable
From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001
From: Peter Hurley <peter@hurleysoftware.com>
Date: Sat, 3 May 2014 14:04:59 +0200
Subject: [PATCH] n_tty: Fix n_tty_write crash when echoing in raw mode
The tty atomic_write_lock does not provide an exclusion guarantee for
the tty driver if the termios settings are LECHO & !OPOST. And since
it is unexpected and not allowed to call TTY buffer helpers like
tty_insert_flip_string concurrently, this may lead to crashes when
concurrect writers call pty_write. In that case the following two
writers:
* the ECHOing from a workqueue and
* pty_write from the process
race and can overflow the corresponding TTY buffer like follows.
If we look into tty_insert_flip_string_fixed_flag, there is:
int space = __tty_buffer_request_room(port, goal, flags);
struct tty_buffer *tb = port->buf.tail;
...
memcpy(char_buf_ptr(tb, tb->used), chars, space);
...
tb->used += space;
so the race of the two can result in something like this:
A B
__tty_buffer_request_room
__tty_buffer_request_room
memcpy(buf(tb->used), ...)
tb->used += space;
memcpy(buf(tb->used), ...) ->BOOM
B's memcpy is past the tty_buffer due to the previous A's tb->used
increment.
Since the N_TTY line discipline input processing can output
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
serialize echo output with normal tty writes. This ensures the tty
buffer helper tty_insert_flip_string is not called concurrently and
everything is fine.
Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.
js: add more info to the commit log
js: switch to bool
js: lock unconditionally
js: lock only the tty->ops->write call
References: CVE-2014-0196
Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/n_tty.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 41fe8a047d37..fe9d129c8735 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
if (tty->ops->flush_chars)
tty->ops->flush_chars(tty);
} else {
+ struct n_tty_data *ldata = tty->disc_data;
+
while (nr > 0) {
+ mutex_lock(&ldata->output_lock);
c = tty->ops->write(tty, b, nr);
+ mutex_unlock(&ldata->output_lock);
if (c < 0) {
retval = c;
goto break_out;
--
1.9.0

2
sources
View File

@ -1,2 +1,2 @@
b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz
92a784cdb150c798e122ac080dc0f455 patch-3.14.3.xz
116f27cf17c3522716b6678b17516067 patch-3.14.4.xz