From 2daa349ccc9f18091ea134a2a589cb2f6fff14f9 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Fri, 29 Nov 2013 15:25:55 -0500
Subject: [PATCH] Linux v3.12.2
---
KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch | 53 ----------------
...-prevent-invalid-pointer-dereference.patch | 42 -------------
...-one-error-in-non-block-size-request.patch | 40 -------------
...ate-csums-properly-with-prealloc-ext.patch | 60 -------------------
kernel.spec | 39 +-----------
libertas-potential-oops-in-debugfs.patch | 50 ----------------
rt2800usb-slow-down-TX-status-polling.patch | 53 ----------------
sources | 2 +-
8 files changed, 3 insertions(+), 336 deletions(-)
delete mode 100644 KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
delete mode 100644 aacraid-prevent-invalid-pointer-dereference.patch
delete mode 100644 ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
delete mode 100644 btrfs-relocate-csums-properly-with-prealloc-ext.patch
delete mode 100644 libertas-potential-oops-in-debugfs.patch
delete mode 100644 rt2800usb-slow-down-TX-status-polling.patch
diff --git a/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch b/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
deleted file mode 100644
index 65a48c349..000000000
--- a/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
+++ /dev/null
@@ -1,53 +0,0 @@ -Bugzilla: 967652 -Upstream-status: 3.13 (should hit stable) - -From daf727225b8abfdfe424716abac3d15a3ac5626a Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Thu, 31 Oct 2013 23:05:24 +0100 -Subject: [PATCH] KVM: x86: fix emulation of "movzbl %bpl, %eax" - -When I was looking at RHEL5.9's failure to start with -unrestricted_guest=0/emulate_invalid_guest_state=1, I got it working with a -slightly older tree than kvm.git. I now debugged the remaining failure, -which was introduced by commit 660696d1 (KVM: X86 emulator: fix -source operand decoding for 8bit mov[zs]x instructions, 2013-04-24) -introduced a similar mis-emulation to the one in commit 8acb4207 (KVM: -fix sil/dil/bpl/spl in the mod/rm fields, 2013-05-30). The incorrect -decoding occurs in 8-bit movzx/movsx instructions whose 8-bit operand -is sil/dil/bpl/spl. - -Needless to say, "movzbl %bpl, %eax" does occur in RHEL5.9's decompression -prolog, just a handful of instructions before finally giving control to -the decompressed vmlinux and getting out of the invalid guest state. - -Because OpMem8 bypasses decode_modrm, the same handling of the REX prefix -must be applied to OpMem8. 
- -Reported-by: Michele Baldessari -Cc: stable@vger.kernel.org -Cc: Gleb Natapov -Signed-off-by: Paolo Bonzini -Signed-off-by: Gleb Natapov ---- - arch/x86/kvm/emulate.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 16c037e..282d28c 100644 ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -4117,7 +4117,10 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op, - case OpMem8: - ctxt->memop.bytes = 1; - if (ctxt->memop.type == OP_REG) { -- ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, 1); -+ int highbyte_regs = ctxt->rex_prefix == 0; -+ -+ ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, -+ highbyte_regs); - fetch_register_operand(&ctxt->memop); - } - goto mem_common; --- -1.8.3.1 - diff --git a/aacraid-prevent-invalid-pointer-dereference.patch b/aacraid-prevent-invalid-pointer-dereference.patch deleted file mode 100644 index f5517aba9..000000000 --- a/aacraid-prevent-invalid-pointer-dereference.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -Bugzilla: 1033593 -Upstream-status: 3.13 - -From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001 -From: Mahesh Rajashekhara -Date: Thu, 31 Oct 2013 14:01:02 +0530 -Subject: [PATCH] aacraid: prevent invalid pointer dereference - -It appears that driver runs into a problem here if fibsize is too small -because we allocate user_srbcmd with fibsize size only but later we -access it until user_srbcmd->sg.count to copy it over to srbcmd. - -It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this -structure already includes one sg element and this is not needed for -commands without data. So, we would recommend to add the following -(instead of test for fibsize == 0). - -Signed-off-by: Mahesh Rajashekhara -Reported-by: Nico Golde -Reported-by: Fabian Yamaguchi -Signed-off-by: Linus Torvalds ---- - drivers/scsi/aacraid/commctrl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c -index d85ac1a..fbcd48d 100644 ---- a/drivers/scsi/aacraid/commctrl.c -+++ b/drivers/scsi/aacraid/commctrl.c -@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) - goto cleanup; - } - -- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) { -+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) || -+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) { - rcode = -EINVAL; - goto cleanup; - } --- -1.8.3.1 - diff --git a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch deleted file mode 100644 index c8d015491..000000000 --- a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -Stephan Mueller reported to me recently a error in random number generation in -the ansi cprng. If several small requests are made that are less than the -instances block size, the remainder for loop code doesn't increment -rand_data_valid in the last iteration, meaning that the last bytes in the -rand_data buffer gets reused on the subsequent smaller-than-a-block request for -random data. - -The fix is pretty easy, just re-code the for loop to make sure that -rand_data_valid gets incremented appropriately - -Signed-off-by: Neil Horman -Reported-by: Stephan Mueller -CC: Stephan Mueller -CC: Petr Matousek -CC: Herbert Xu -CC: "David S. Miller" ---- - crypto/ansi_cprng.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c -index c0bb377..666f196 100644 ---- a/crypto/ansi_cprng.c -+++ b/crypto/ansi_cprng.c -@@ -230,11 +230,11 @@ remainder: - */ - if (byte_count < DEFAULT_BLK_SZ) { - empty_rbuf: -- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ; -- ctx->rand_data_valid++) { -+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) { - *ptr = ctx->rand_data[ctx->rand_data_valid]; - ptr++; - byte_count--; -+ ctx->rand_data_valid++; - if (byte_count == 0) - goto done; - } --- -1.8.3.1 diff --git a/btrfs-relocate-csums-properly-with-prealloc-ext.patch b/btrfs-relocate-csums-properly-with-prealloc-ext.patch deleted file mode 100644 index e103f703a..000000000 --- a/btrfs-relocate-csums-properly-with-prealloc-ext.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -A user reported a problem where they were getting csum errors when running a -balance and running systemd's journal. This is because systemd is awesome and -fallocate()'s its log space and writes into it. Unfortunately we assume that -when we read in all the csums for an extent that they are sequential starting at -the bytenr we care about. This obviously isn't the case for prealloc extents, -where we could have written to the middle of the prealloc extent only, which -means the csum would be for the bytenr in the middle of our range and not the -front of our range. Fix this by offsetting the new bytenr we are logging to -based on the original bytenr the csum was for. With this patch I no longer see -the csum errors I was seeing. Thanks, - -Cc: stable@xxxxxxxxxxxxxxx -Reported-by: Chris Murphy -Signed-off-by: Josef Bacik ---- - fs/btrfs/relocation.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c -index 5ca7ea9..b7afeaa 100644 ---- a/fs/btrfs/relocation.c -+++ b/fs/btrfs/relocation.c -@@ -4472,6 +4472,7 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len) - struct btrfs_root *root = BTRFS_I(inode)->root; - int ret; - u64 disk_bytenr; -+ u64 new_bytenr; - LIST_HEAD(list); - - ordered = btrfs_lookup_ordered_extent(inode, file_pos); -@@ -4483,13 +4484,24 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len) - if (ret) - goto out; - -- disk_bytenr = ordered->start; - while (!list_empty(&list)) { - sums = list_entry(list.next, struct btrfs_ordered_sum, list); - list_del_init(&sums->list); - -- sums->bytenr = disk_bytenr; -- disk_bytenr += sums->len; -+ /* -+ * We need to offset the new_bytenr based on where the csum is. 
-+ * We need to do this because we will read in entire prealloc -+ * extents but we may have written to say the middle of the -+ * prealloc extent, so we need to make sure the csum goes with -+ * the right disk offset. -+ * -+ * We can do this because the data reloc inode refers strictly -+ * to the on disk bytes, so we don't have to worry about -+ * disk_len vs real len like with real inodes since it's all -+ * disk length. -+ */ -+ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr); -+ sums->bytenr = new_bytenr; - - btrfs_add_ordered_sum(inode, ordered, sums); - } --- -1.8.3.1 diff --git a/kernel.spec b/kernel.spec index 36d2d3b9e..80cbe67bf 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 1 +%define stable_update 2 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -701,9 +701,6 @@ Patch22000: weird-root-dentry-name-debug.patch Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch -#CVE-2013-4345 rhbz 1007690 1009136 -Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch - #rhbz 985522 Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch @@ -729,12 +726,6 @@ Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch #rhbz 1000439 Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch -#rhbz 1011714 -Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch - -#rhbz 984696 -Patch25132: rt2800usb-slow-down-TX-status-polling.patch - Patch25140: drm-qxl-backport-fixes-for-Fedora.patch Patch25160: drm-qxl-fix-memory-leak-in-release-list-handling.patch 
@@ -753,20 +744,11 @@ Patch25148: alx-Reset-phy-speed-after-resume.patch #rhbz 1010679 Patch25149: drm-radeon-24hz-audio-fixes.patch -#rhbz 967652 -Patch25151: KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch - # Fix 15sec NFS mount delay Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch -#CVE-2013-6378 rhbz 1033578 1034183 -Patch25155: libertas-potential-oops-in-debugfs.patch - -#CVE-2013-6380 rhbz 1033593 1034304 -Patch25156: aacraid-prevent-invalid-pointer-dereference.patch - #CVE-2013-6382 rhbz 1033603 1034670 Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch @@ -1445,9 +1427,6 @@ ApplyPatch ath9k_rx_dma_stop_check.patch ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch -#CVE-2013-4345 rhbz 1007690 1009136 -ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch - #rhbz 985522 ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch @@ -1473,12 +1452,6 @@ ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch #rhbz 1000439 ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch -#rhbz 1011714 -ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch - -#rhbz 984696 -ApplyPatch rt2800usb-slow-down-TX-status-polling.patch - ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch ApplyPatch drm-qxl-fix-memory-leak-in-release-list-handling.patch 
@@ -1497,20 +1470,11 @@ ApplyPatch alx-Reset-phy-speed-after-resume.patch #rhbz 1010679 ApplyPatch drm-radeon-24hz-audio-fixes.patch -#rhbz 967652 -ApplyPatch KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch - # Fix 15sec NFS mount delay ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch -#CVE-2013-6378 rhbz 1033578 1034183 -ApplyPatch libertas-potential-oops-in-debugfs.patch - -#CVE-2013-6380 rhbz 1033593 1034304 -ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch - #CVE-2013-6382 rhbz 1033603 1034670 ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch @@ -2324,6 +2288,7 @@ fi # || || %changelog * Fri Nov 29 2013 Josh Boyer +- Linux v3.12.2 - Fix memory leak in qxl (from Dave Airlie) * Tue Nov 26 2013 Josh Boyer diff --git a/libertas-potential-oops-in-debugfs.patch b/libertas-potential-oops-in-debugfs.patch deleted file mode 100644 index 02e72d8f9..000000000 --- a/libertas-potential-oops-in-debugfs.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -Bugzilla: 1034183 -Upstream-status: 3.13 - -From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Wed, 30 Oct 2013 20:12:51 +0300 -Subject: [PATCH] libertas: potential oops in debugfs - -If we do a zero size allocation then it will oops. Also we can't be -sure the user passes us a NUL terminated string so I've added a -terminator. - -This code can only be triggered by root. - -Reported-by: Nico Golde -Reported-by: Fabian Yamaguchi -Signed-off-by: Dan Carpenter -Acked-by: Dan Williams -Signed-off-by: John W. Linville ---- - drivers/net/wireless/libertas/debugfs.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c -index 668dd27..cc6a0a5 100644 ---- a/drivers/net/wireless/libertas/debugfs.c -+++ b/drivers/net/wireless/libertas/debugfs.c -@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, - char *p2; - struct debug_data *d = f->private_data; - -- pdata = kmalloc(cnt, GFP_KERNEL); -+ if (cnt == 0) -+ return 0; -+ -+ pdata = kmalloc(cnt + 1, GFP_KERNEL); - if (pdata == NULL) - return 0; - -@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, - kfree(pdata); - return 0; - } -+ pdata[cnt] = '\0'; - - p0 = pdata; - for (i = 0; i < num_of_items; i++) { --- -1.8.3.1 - diff --git a/rt2800usb-slow-down-TX-status-polling.patch b/rt2800usb-slow-down-TX-status-polling.patch deleted file mode 100644 index a76f9b847..000000000 --- a/rt2800usb-slow-down-TX-status-polling.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -Polling TX statuses too frequently has two negative effects. First is -randomly peek CPU usage, causing overall system functioning delays. -Second bad effect is that device is not able to fill TX statuses in -H/W register on some workloads and we get lot of timeouts like below: - -ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2 -ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2 -ieee80211 phy4: rt2800usb_txdone: Warning - Got TX status for an empty queue 2, dropping - -This not only cause flood of messages in dmesg, but also bad throughput, -since rate scaling algorithm can not work optimally. - -In the future, we should probably make polling interval be adjusted -automatically, but for now just increase values, this make mentioned -problems gone. - -Resolve: -https://bugzilla.kernel.org/show_bug.cgi?id=62781 - -Cc: stable@vger.kernel.org -Signed-off-by: Stanislaw Gruszka ---- - drivers/net/wireless/rt2x00/rt2800usb.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c -index 96677ce5..e095e61 100644 ---- a/drivers/net/wireless/rt2x00/rt2800usb.c -+++ b/drivers/net/wireless/rt2x00/rt2800usb.c -@@ -176,8 +176,8 @@ static bool rt2800usb_tx_sta_fifo_read_completed(struct rt2x00_dev *rt2x00dev, - queue_work(rt2x00dev->workqueue, &rt2x00dev->txdone_work); - - if (rt2800usb_txstatus_pending(rt2x00dev)) { -- /* Read register after 250 us */ -- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 250000), -+ /* Read register after 1 ms */ -+ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 1000000), - HRTIMER_MODE_REL); - return false; - } -@@ -202,8 +202,8 @@ static void rt2800usb_async_read_tx_status(struct rt2x00_dev *rt2x00dev) - if (test_and_set_bit(TX_STATUS_READING, &rt2x00dev->flags)) - return; - -- /* Read TX_STA_FIFO register 
after 500 us */ -- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 500000), -+ /* Read TX_STA_FIFO register after 2 ms */ -+ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 2000000), - HRTIMER_MODE_REL); - } - --- -1.8.3.1 diff --git a/sources b/sources index effa65788..89882616a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ cc6ee608854e0da4b64f6c1ff8b6398c linux-3.12.tar.xz -5a8cb5a659baeeb6df3fe22de8d32df6 patch-3.12.1.xz +97453b56d6a999b5a4b0899b4e28fabe patch-3.12.2.xz