Linux v3.12.2
This commit is contained in:
Josh Boyer
parent
d791273b5d
commit
2daa349ccc
|
|
@ -1,53 +0,0 @@
|
|||
Bugzilla: 967652
|
||||
Upstream-status: 3.13 (should hit stable)
|
||||
|
||||
From daf727225b8abfdfe424716abac3d15a3ac5626a Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Thu, 31 Oct 2013 23:05:24 +0100
|
||||
Subject: [PATCH] KVM: x86: fix emulation of "movzbl %bpl, %eax"
|
||||
|
||||
When I was looking at RHEL5.9's failure to start with
|
||||
unrestricted_guest=0/emulate_invalid_guest_state=1, I got it working with a
|
||||
slightly older tree than kvm.git. I now debugged the remaining failure,
|
||||
which was introduced by commit 660696d1 (KVM: X86 emulator: fix
|
||||
source operand decoding for 8bit mov[zs]x instructions, 2013-04-24)
|
||||
introduced a similar mis-emulation to the one in commit 8acb4207 (KVM:
|
||||
fix sil/dil/bpl/spl in the mod/rm fields, 2013-05-30). The incorrect
|
||||
decoding occurs in 8-bit movzx/movsx instructions whose 8-bit operand
|
||||
is sil/dil/bpl/spl.
|
||||
|
||||
Needless to say, "movzbl %bpl, %eax" does occur in RHEL5.9's decompression
|
||||
prolog, just a handful of instructions before finally giving control to
|
||||
the decompressed vmlinux and getting out of the invalid guest state.
|
||||
|
||||
Because OpMem8 bypasses decode_modrm, the same handling of the REX prefix
|
||||
must be applied to OpMem8.
|
||||
|
||||
Reported-by: Michele Baldessari <michele@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: Gleb Natapov <gleb@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Gleb Natapov <gleb@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/emulate.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
|
||||
index 16c037e..282d28c 100644
|
||||
--- a/arch/x86/kvm/emulate.c
|
||||
+++ b/arch/x86/kvm/emulate.c
|
||||
@@ -4117,7 +4117,10 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
|
||||
case OpMem8:
|
||||
ctxt->memop.bytes = 1;
|
||||
if (ctxt->memop.type == OP_REG) {
|
||||
- ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, 1);
|
||||
+ int highbyte_regs = ctxt->rex_prefix == 0;
|
||||
+
|
||||
+ ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm,
|
||||
+ highbyte_regs);
|
||||
fetch_register_operand(&ctxt->memop);
|
||||
}
|
||||
goto mem_common;
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
Bugzilla: 1033593
|
||||
Upstream-status: 3.13
|
||||
|
||||
From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
|
||||
From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
|
||||
Date: Thu, 31 Oct 2013 14:01:02 +0530
|
||||
Subject: [PATCH] aacraid: prevent invalid pointer dereference
|
||||
|
||||
It appears that driver runs into a problem here if fibsize is too small
|
||||
because we allocate user_srbcmd with fibsize size only but later we
|
||||
access it until user_srbcmd->sg.count to copy it over to srbcmd.
|
||||
|
||||
It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
|
||||
structure already includes one sg element and this is not needed for
|
||||
commands without data. So, we would recommend to add the following
|
||||
(instead of test for fibsize == 0).
|
||||
|
||||
Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
|
||||
Reported-by: Nico Golde <nico@ngolde.de>
|
||||
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
drivers/scsi/aacraid/commctrl.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
|
||||
index d85ac1a..fbcd48d 100644
|
||||
--- a/drivers/scsi/aacraid/commctrl.c
|
||||
+++ b/drivers/scsi/aacraid/commctrl.c
|
||||
@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
|
||||
+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
|
||||
+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
|
||||
rcode = -EINVAL;
|
||||
goto cleanup;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
Stephan Mueller reported to me recently a error in random number generation in
|
||||
the ansi cprng. If several small requests are made that are less than the
|
||||
instances block size, the remainder for loop code doesn't increment
|
||||
rand_data_valid in the last iteration, meaning that the last bytes in the
|
||||
rand_data buffer gets reused on the subsequent smaller-than-a-block request for
|
||||
random data.
|
||||
|
||||
The fix is pretty easy, just re-code the for loop to make sure that
|
||||
rand_data_valid gets incremented appropriately
|
||||
|
||||
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
|
||||
Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
|
||||
CC: Stephan Mueller <stephan.mueller@atsec.com>
|
||||
CC: Petr Matousek <pmatouse@redhat.com>
|
||||
CC: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
CC: "David S. Miller" <davem@davemloft.net>
|
||||
---
|
||||
crypto/ansi_cprng.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
|
||||
index c0bb377..666f196 100644
|
||||
--- a/crypto/ansi_cprng.c
|
||||
+++ b/crypto/ansi_cprng.c
|
||||
@@ -230,11 +230,11 @@ remainder:
|
||||
*/
|
||||
if (byte_count < DEFAULT_BLK_SZ) {
|
||||
empty_rbuf:
|
||||
- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
|
||||
- ctx->rand_data_valid++) {
|
||||
+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
|
||||
*ptr = ctx->rand_data[ctx->rand_data_valid];
|
||||
ptr++;
|
||||
byte_count--;
|
||||
+ ctx->rand_data_valid++;
|
||||
if (byte_count == 0)
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -1,60 +0,0 @@
|
|||
A user reported a problem where they were getting csum errors when running a
|
||||
balance and running systemd's journal. This is because systemd is awesome and
|
||||
fallocate()'s its log space and writes into it. Unfortunately we assume that
|
||||
when we read in all the csums for an extent that they are sequential starting at
|
||||
the bytenr we care about. This obviously isn't the case for prealloc extents,
|
||||
where we could have written to the middle of the prealloc extent only, which
|
||||
means the csum would be for the bytenr in the middle of our range and not the
|
||||
front of our range. Fix this by offsetting the new bytenr we are logging to
|
||||
based on the original bytenr the csum was for. With this patch I no longer see
|
||||
the csum errors I was seeing. Thanks,
|
||||
|
||||
Cc: stable@xxxxxxxxxxxxxxx
|
||||
Reported-by: Chris Murphy <lists@xxxxxxxxxxxxxxxxx>
|
||||
Signed-off-by: Josef Bacik <jbacik@xxxxxxxxxxxx>
|
||||
---
|
||||
fs/btrfs/relocation.c | 18 +++++++++++++++---
|
||||
1 file changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
|
||||
index 5ca7ea9..b7afeaa 100644
|
||||
--- a/fs/btrfs/relocation.c
|
||||
+++ b/fs/btrfs/relocation.c
|
||||
@@ -4472,6 +4472,7 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
|
||||
struct btrfs_root *root = BTRFS_I(inode)->root;
|
||||
int ret;
|
||||
u64 disk_bytenr;
|
||||
+ u64 new_bytenr;
|
||||
LIST_HEAD(list);
|
||||
|
||||
ordered = btrfs_lookup_ordered_extent(inode, file_pos);
|
||||
@@ -4483,13 +4484,24 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
- disk_bytenr = ordered->start;
|
||||
while (!list_empty(&list)) {
|
||||
sums = list_entry(list.next, struct btrfs_ordered_sum, list);
|
||||
list_del_init(&sums->list);
|
||||
|
||||
- sums->bytenr = disk_bytenr;
|
||||
- disk_bytenr += sums->len;
|
||||
+ /*
|
||||
+ * We need to offset the new_bytenr based on where the csum is.
|
||||
+ * We need to do this because we will read in entire prealloc
|
||||
+ * extents but we may have written to say the middle of the
|
||||
+ * prealloc extent, so we need to make sure the csum goes with
|
||||
+ * the right disk offset.
|
||||
+ *
|
||||
+ * We can do this because the data reloc inode refers strictly
|
||||
+ * to the on disk bytes, so we don't have to worry about
|
||||
+ * disk_len vs real len like with real inodes since it's all
|
||||
+ * disk length.
|
||||
+ */
|
||||
+ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr);
|
||||
+ sums->bytenr = new_bytenr;
|
||||
|
||||
btrfs_add_ordered_sum(inode, ordered, sums);
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
39
kernel.spec
39
kernel.spec
|
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 1
|
||||
%define stable_update 2
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
|
@ -701,9 +701,6 @@ Patch22000: weird-root-dentry-name-debug.patch
|
|||
|
||||
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||
|
||||
#CVE-2013-4345 rhbz 1007690 1009136
|
||||
Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||
|
||||
#rhbz 985522
|
||||
Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch
|
||||
|
||||
|
|
@ -729,12 +726,6 @@ Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch
|
|||
#rhbz 1000439
|
||||
Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
|
||||
|
||||
#rhbz 1011714
|
||||
Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch
|
||||
|
||||
#rhbz 984696
|
||||
Patch25132: rt2800usb-slow-down-TX-status-polling.patch
|
||||
|
||||
Patch25140: drm-qxl-backport-fixes-for-Fedora.patch
|
||||
Patch25160: drm-qxl-fix-memory-leak-in-release-list-handling.patch
|
||||
|
||||
|
|
@ -753,20 +744,11 @@ Patch25148: alx-Reset-phy-speed-after-resume.patch
|
|||
#rhbz 1010679
|
||||
Patch25149: drm-radeon-24hz-audio-fixes.patch
|
||||
|
||||
#rhbz 967652
|
||||
Patch25151: KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
|
||||
|
||||
# Fix 15sec NFS mount delay
|
||||
Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
|
||||
Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch
|
||||
Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
|
||||
|
||||
#CVE-2013-6378 rhbz 1033578 1034183
|
||||
Patch25155: libertas-potential-oops-in-debugfs.patch
|
||||
|
||||
#CVE-2013-6380 rhbz 1033593 1034304
|
||||
Patch25156: aacraid-prevent-invalid-pointer-dereference.patch
|
||||
|
||||
#CVE-2013-6382 rhbz 1033603 1034670
|
||||
Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
|
||||
|
|
@ -1445,9 +1427,6 @@ ApplyPatch ath9k_rx_dma_stop_check.patch
|
|||
|
||||
ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||
|
||||
#CVE-2013-4345 rhbz 1007690 1009136
|
||||
ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||
|
||||
#rhbz 985522
|
||||
ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch
|
||||
|
||||
|
|
@ -1473,12 +1452,6 @@ ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch
|
|||
#rhbz 1000439
|
||||
ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
|
||||
|
||||
#rhbz 1011714
|
||||
ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch
|
||||
|
||||
#rhbz 984696
|
||||
ApplyPatch rt2800usb-slow-down-TX-status-polling.patch
|
||||
|
||||
ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch
|
||||
ApplyPatch drm-qxl-fix-memory-leak-in-release-list-handling.patch
|
||||
|
||||
|
|
@ -1497,20 +1470,11 @@ ApplyPatch alx-Reset-phy-speed-after-resume.patch
|
|||
#rhbz 1010679
|
||||
ApplyPatch drm-radeon-24hz-audio-fixes.patch
|
||||
|
||||
#rhbz 967652
|
||||
ApplyPatch KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
|
||||
|
||||
# Fix 15sec NFS mount delay
|
||||
ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
|
||||
ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch
|
||||
ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
|
||||
|
||||
#CVE-2013-6378 rhbz 1033578 1034183
|
||||
ApplyPatch libertas-potential-oops-in-debugfs.patch
|
||||
|
||||
#CVE-2013-6380 rhbz 1033593 1034304
|
||||
ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch
|
||||
|
||||
#CVE-2013-6382 rhbz 1033603 1034670
|
||||
ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
|
||||
|
|
@ -2324,6 +2288,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Fri Nov 29 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Linux v3.12.2
|
||||
- Fix memory leak in qxl (from Dave Airlie)
|
||||
|
||||
* Tue Nov 26 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
|
|
|
|||
|
|
@ -1,50 +0,0 @@
|
|||
Bugzilla: 1034183
|
||||
Upstream-status: 3.13
|
||||
|
||||
From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Wed, 30 Oct 2013 20:12:51 +0300
|
||||
Subject: [PATCH] libertas: potential oops in debugfs
|
||||
|
||||
If we do a zero size allocation then it will oops. Also we can't be
|
||||
sure the user passes us a NUL terminated string so I've added a
|
||||
terminator.
|
||||
|
||||
This code can only be triggered by root.
|
||||
|
||||
Reported-by: Nico Golde <nico@ngolde.de>
|
||||
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Acked-by: Dan Williams <dcbw@redhat.com>
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
drivers/net/wireless/libertas/debugfs.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
|
||||
index 668dd27..cc6a0a5 100644
|
||||
--- a/drivers/net/wireless/libertas/debugfs.c
|
||||
+++ b/drivers/net/wireless/libertas/debugfs.c
|
||||
@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
|
||||
char *p2;
|
||||
struct debug_data *d = f->private_data;
|
||||
|
||||
- pdata = kmalloc(cnt, GFP_KERNEL);
|
||||
+ if (cnt == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ pdata = kmalloc(cnt + 1, GFP_KERNEL);
|
||||
if (pdata == NULL)
|
||||
return 0;
|
||||
|
||||
@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
|
||||
kfree(pdata);
|
||||
return 0;
|
||||
}
|
||||
+ pdata[cnt] = '\0';
|
||||
|
||||
p0 = pdata;
|
||||
for (i = 0; i < num_of_items; i++) {
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
Polling TX statuses too frequently has two negative effects. First is
|
||||
randomly peek CPU usage, causing overall system functioning delays.
|
||||
Second bad effect is that device is not able to fill TX statuses in
|
||||
H/W register on some workloads and we get lot of timeouts like below:
|
||||
|
||||
ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2
|
||||
ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2
|
||||
ieee80211 phy4: rt2800usb_txdone: Warning - Got TX status for an empty queue 2, dropping
|
||||
|
||||
This not only cause flood of messages in dmesg, but also bad throughput,
|
||||
since rate scaling algorithm can not work optimally.
|
||||
|
||||
In the future, we should probably make polling interval be adjusted
|
||||
automatically, but for now just increase values, this make mentioned
|
||||
problems gone.
|
||||
|
||||
Resolve:
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=62781
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
---
|
||||
drivers/net/wireless/rt2x00/rt2800usb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
|
||||
index 96677ce5..e095e61 100644
|
||||
--- a/drivers/net/wireless/rt2x00/rt2800usb.c
|
||||
+++ b/drivers/net/wireless/rt2x00/rt2800usb.c
|
||||
@@ -176,8 +176,8 @@ static bool rt2800usb_tx_sta_fifo_read_completed(struct rt2x00_dev *rt2x00dev,
|
||||
queue_work(rt2x00dev->workqueue, &rt2x00dev->txdone_work);
|
||||
|
||||
if (rt2800usb_txstatus_pending(rt2x00dev)) {
|
||||
- /* Read register after 250 us */
|
||||
- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 250000),
|
||||
+ /* Read register after 1 ms */
|
||||
+ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 1000000),
|
||||
HRTIMER_MODE_REL);
|
||||
return false;
|
||||
}
|
||||
@@ -202,8 +202,8 @@ static void rt2800usb_async_read_tx_status(struct rt2x00_dev *rt2x00dev)
|
||||
if (test_and_set_bit(TX_STATUS_READING, &rt2x00dev->flags))
|
||||
return;
|
||||
|
||||
- /* Read TX_STA_FIFO register after 500 us */
|
||||
- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 500000),
|
||||
+ /* Read TX_STA_FIFO register after 2 ms */
|
||||
+ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 2000000),
|
||||
HRTIMER_MODE_REL);
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
Loading…
Reference in New Issue