clean up patches merged in -stable

Chuck Ebbert 2010-09-27 13:44:47 -04:00
parent 05f615c82e
commit 4141bfc9b1
10 changed files with 0 additions and 436 deletions

.gitignore

@ -3,4 +3,3 @@ patch-*.bz2
clog
*.rpm
kernel-2.6.*/
/patch-2.6.35.6.bz2


@ -1,47 +0,0 @@
From 75e1c70fc31490ef8a373ea2a4bea2524099b478 Mon Sep 17 00:00:00 2001
From: Jeff Moyer <jmoyer@redhat.com>
Date: Fri, 10 Sep 2010 14:16:00 -0700
Subject: [PATCH] aio: check for multiplication overflow in do_io_submit
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Tavis Ormandy pointed out that do_io_submit does not do proper bounds
checking on the passed-in iocb array:
       if (unlikely(nr < 0))
               return -EINVAL;
       if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
               return -EFAULT;                      ^^^^^^^^^^^^^^^^^^
The attached patch checks for overflow, and if it is detected, the
number of iocbs submitted is scaled down to a number that will fit in
the long.  This is an ok thing to do, as sys_io_submit is documented as
returning the number of iocbs submitted, so callers should handle a
return value of less than the 'nr' argument passed in.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
fs/aio.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/fs/aio.c b/fs/aio.c
index 3006b5b..1320b2a 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1659,6 +1659,9 @@ long do_io_submit(aio_context_t ctx_id, long nr,
if (unlikely(nr < 0))
return -EINVAL;
+ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
+ nr = LONG_MAX/sizeof(*iocbpp);
+
if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
return -EFAULT;
--
1.7.2.3
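
Review bot: The clamp added ahead of the access_ok() call in do_io_submit() makes the syscall return a short count for oversized requests, and that rationale lives only in the commit message, not in the code. A one-line comment above `if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))` saying that the request is deliberately scaled down and that callers must handle a return value below `nr` would keep a later reader from treating the truncation as a bug. The snippet quoted in the message also shows `nr*sizeof(iocbpp)` while the hunk context has `nr*sizeof(*iocbpp)`; the message should quote the code as it stands.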


@ -1,29 +0,0 @@
From: Islam Amer <pharon@gmail.com>
Date: Thu, 24 Jun 2010 17:39:47 +0000 (-0400)
Subject: dell-wmi: Add support for eject key on Dell Studio 1555
X-Git-Tag: v2.6.36-rc1~579^2~64
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d5164dbf1f651d1e955b158fb70a9c844cc91cd1
dell-wmi: Add support for eject key on Dell Studio 1555
Fixes pressing the eject key on Dell Studio 1555 does not work and produces
message :
dell-wmi: Unknown key 0 pressed
Signed-off-by: Islam Amer <pharon@gmail.com>
---
diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
index 66f53c3..12a8e6f 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -221,7 +221,7 @@ static void dell_wmi_notify(u32 value, void *context)
return;
}
- if (dell_new_hk_type)
+ if (dell_new_hk_type || buffer_entry[1] == 0x0)
reported_key = (int)buffer_entry[2];
else
reported_key = (int)buffer_entry[1] & 0xffff;
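
Review bot: The new `buffer_entry[1] == 0x0` test in dell_wmi_notify() is an unexplained magic value, and it sends machines that do not set dell_new_hk_type down the `buffer_entry[2]` path. Add a comment tying the zero to the Studio 1555 eject-key report described in the message (`dell-wmi: Unknown key 0 pressed`), and confirm that the buffer is known to hold a third entry before `buffer_entry[2]` is read on that path; the visible context does not show such a check.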


@ -1,98 +0,0 @@
From 2779f26ab085071a8a55d3cf31f31a7d3c3bfcd1 Mon Sep 17 00:00:00 2001
From: Daniel J Blueman <daniel.blueman@gmail.com>
Date: Tue, 17 Aug 2010 23:56:55 +0100
Subject: Fix unprotected access to task credentials in waitid()
Using a program like the following:
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
int main() {
id_t id;
siginfo_t infop;
pid_t res;
id = fork();
if (id == 0) { sleep(1); exit(0); }
kill(id, SIGSTOP);
alarm(1);
waitid(P_PID, id, &infop, WCONTINUED);
return 0;
}
to call waitid() on a stopped process results in access to the child task's
credentials without the RCU read lock being held - which may be replaced in the
meantime - eliciting the following warning:
===================================================
[ INFO: suspicious rcu_dereference_check() usage. ]
---------------------------------------------------
kernel/exit.c:1460 invoked rcu_dereference_check() without protection!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 1
2 locks held by waitid02/22252:
#0: (tasklist_lock){.?.?..}, at: [<ffffffff81061ce5>] do_wait+0xc5/0x310
#1: (&(&sighand->siglock)->rlock){-.-...}, at: [<ffffffff810611da>]
wait_consider_task+0x19a/0xbe0
stack backtrace:
Pid: 22252, comm: waitid02 Not tainted 2.6.35-323cd+ #3
Call Trace:
[<ffffffff81095da4>] lockdep_rcu_dereference+0xa4/0xc0
[<ffffffff81061b31>] wait_consider_task+0xaf1/0xbe0
[<ffffffff81061d15>] do_wait+0xf5/0x310
[<ffffffff810620b6>] sys_waitid+0x86/0x1f0
[<ffffffff8105fce0>] ? child_wait_callback+0x0/0x70
[<ffffffff81003282>] system_call_fastpath+0x16/0x1b
This is fixed by holding the RCU read lock in wait_task_continued() to ensure
that the task's current credentials aren't destroyed between us reading the
cred pointer and us reading the UID from those credentials.
Furthermore, protect wait_task_stopped() in the same way.
We don't need to keep holding the RCU read lock once we've read the UID from
the credentials as holding the RCU read lock doesn't stop the target task from
changing its creds under us - so the credentials may be outdated immediately
after we've read the pointer, lock or no lock.
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
kernel/exit.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/exit.c b/kernel/exit.c
index ceffc67..ac90425 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1383,8 +1383,7 @@ static int wait_task_stopped(struct wait_opts *wo,
if (!unlikely(wo->wo_flags & WNOWAIT))
*p_code = 0;
- /* don't need the RCU readlock here as we're holding a spinlock */
- uid = __task_cred(p)->uid;
+ uid = task_uid(p);
unlock_sig:
spin_unlock_irq(&p->sighand->siglock);
if (!exit_code)
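
Review bot: In wait_task_stopped() the hunk deletes the comment that justified the lockless read (`don't need the RCU readlock here as we're holding a spinlock`) and puts nothing in its place, so the code no longer says why task_uid() is needed while siglock is held. A short replacement comment stating that the spinlock does not protect the cred pointer, and that the UID must be read under the RCU read lock, would stop a later cleanup from reverting to `__task_cred(p)->uid`.
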
@@ -1457,7 +1456,7 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p)
}
if (!unlikely(wo->wo_flags & WNOWAIT))
p->signal->flags &= ~SIGNAL_STOP_CONTINUED;
- uid = __task_cred(p)->uid;
+ uid = task_uid(p);
spin_unlock_irq(&p->sighand->siglock);
pid = task_pid_vnr(p);
--
1.7.3


@ -1,35 +0,0 @@
From: David S. Miller <davem@davemloft.net>
Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
irda: Correctly clean up self->ias_obj on irda_bind() failure.
If irda_open_tsap() fails, the irda_bind() code tries to destroy
the ->ias_obj object by hand, but does so wrongly.
In particular, it fails to a) release the hashbin attached to the
object and b) reset the self->ias_obj pointer to NULL.
Fix both problems by using irias_delete_object() and explicitly
setting self->ias_obj to NULL, just as irda_release() does.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 79986a6..fd55b51 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
if (err < 0) {
- kfree(self->ias_obj->name);
- kfree(self->ias_obj);
+ irias_delete_object(self->ias_obj);
+ self->ias_obj = NULL;
goto out;
}
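
Review bot: The `self->ias_obj = NULL;` line in the irda_open_tsap() failure path of irda_bind() is what keeps the socket from holding a pointer to an object that has just been freed, but the code does not say so. A comment noting that the pointer is cleared to match irda_release() would make the intent explicit. It is also worth checking whether any other failure path in irda_bind() that runs after ias_obj is created needs the same cleanup; only this one is visible in the hunk.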


@ -611,8 +611,6 @@ Patch150: linux-2.6.29-sparc-IOC_TYPECHECK.patch
Patch160: linux-2.6-32bit-mmap-exec-randomization.patch
Patch161: linux-2.6-i386-nx-emulation.patch
Patch180: aio-check-for-multiplication-overflow-in-do_io_submit.patch
Patch200: linux-2.6-debug-sizeof-structs.patch
Patch201: linux-2.6-debug-nmi-timeout.patch
Patch202: linux-2.6-debug-taint-vm.patch
@ -654,7 +652,6 @@ Patch800: linux-2.6-crash-driver.patch
# virt + ksm patches
Patch1555: fix_xen_guest_on_old_EC2.patch
Patch1556: linux-2.6.35.4-virtio_console-fix-poll.patch
# DRM
Patch1801: drm-revert-drm-fbdev-rework-output-polling-to-be-back-in-core.patch
@ -724,10 +721,6 @@ Patch12080: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
# rhbz #622149
Patch12085: fix-rcu_deref_check-warning.patch
Patch12086: linux-2.6-cgroups-rcu.patch
Patch12087: fix-unprotected-access-to-task-credentials-in-whatid.patch
# rhbz #513530
Patch12090: dell-wmi-add-support-for-eject-key-studio-1555.patch
Patch12517: flexcop-fix-xlate_proc_name-warning.patch
@ -736,13 +729,6 @@ Patch12520: execve-improve-interactivity-with-large-arguments.patch
Patch12521: execve-make-responsive-to-sigkill-with-large-arguments.patch
Patch12522: setup_arg_pages-diagnose-excessive-argument-size.patch
# CVE-2010-2954
Patch12540: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
# CVE-2010-2960
Patch12550: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
Patch12551: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
Patch12560: sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch
Patch12565: sched-05-avoid-side-effect-of-tickless-idle-on-update_cpu_load.patch
Patch12570: sched-10-change-nohz-idle-load-balancing-logic-to-push-model.patch
Patch12575: sched-15-update-rq-clock-for-nohz-balanced-cpus.patch
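
Review bot: The `# CVE-2010-2954` and `# CVE-2010-2960` markers in this hunk are the only place the spec ties those CVEs to a fix, and the commit shows 0 additions, so nothing records that the fixes now arrive through the stable update instead. The irda patch description itself names no CVE, so once the marker goes with the Patch12540 entry that mapping is lost to anyone auditing the package. Add a changelog line listing the dropped patches and the CVEs they covered.
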
@ -1208,8 +1194,6 @@ ApplyPatch linux-2.6-32bit-mmap-exec-randomization.patch
# bugfixes to drivers and filesystems
#
#ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
# ext4
# xfs
@ -1300,7 +1284,6 @@ ApplyPatch linux-2.6-crash-driver.patch
# Assorted Virt Fixes
ApplyPatch fix_xen_guest_on_old_EC2.patch
#ApplyPatch linux-2.6.35.4-virtio_console-fix-poll.patch
#ApplyPatch drm-revert-drm-fbdev-rework-output-polling-to-be-back-in-core.patch
#ApplyPatch revert-drm-kms-toggle-poll-around-switcheroo.patch
@ -1367,10 +1350,6 @@ ApplyPatch kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
# bz 622149
ApplyPatch fix-rcu_deref_check-warning.patch
ApplyPatch linux-2.6-cgroups-rcu.patch
#ApplyPatch fix-unprotected-access-to-task-credentials-in-whatid.patch
# bz 513530
#ApplyPatch dell-wmi-add-support-for-eject-key-studio-1555.patch
# bz #575873
ApplyPatch flexcop-fix-xlate_proc_name-warning.patch
@ -1380,14 +1359,7 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
# CVE-2010-2954
#ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
# CVE-2010-2960
#ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
#ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
# Scheduler fixes (#635813 and #633037)
#ApplyPatch sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch
ApplyPatch sched-05-avoid-side-effect-of-tickless-idle-on-update_cpu_load.patch
ApplyPatch sched-10-change-nohz-idle-load-balancing-logic-to-push-model.patch
ApplyPatch sched-15-update-rq-clock-for-nohz-balanced-cpus.patch
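
Review bot: The `# Scheduler fixes (#635813 and #633037)` comment in this hunk names bug 633037, which is the bug cited in the sched-00 patch that this commit deletes. If the comment is kept above the remaining sched-05, sched-10 and sched-15 lines it will point at a bug whose fix is no longer applied from here; trim the reference or note that 633037 is fixed in the stable base. Several of the lines in this hunk were already disabled as `#ApplyPatch`, so it is also worth confirming that the Patch entries and ApplyPatch entries being dropped match one for one.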


@ -1,50 +0,0 @@
From: David Howells <dhowells@redhat.com>
Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
of the parent process's session keyring whether or not the parent has a session
keyring [CVE-2010-2960].
This results in the following oops:
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
...
Call Trace:
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
if the parent process has no session keyring.
If the system is using pam_keyinit then it mostly protected against this as all
processes derived from a login will have inherited the session keyring created
by pam_keyinit during the log in procedure.
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 3868c67..60924f6 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1305,7 +1305,8 @@ long keyctl_session_to_parent(void)
goto not_permitted;
/* the keyrings must have the same UID */
- if (pcred->tgcred->session_keyring->uid != mycred->euid ||
+ if ((pcred->tgcred->session_keyring &&
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
mycred->tgcred->session_keyring->uid != mycred->euid)
goto not_permitted;
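
Review bot: The added NULL test guards only `pcred->tgcred->session_keyring`; the next operand, `mycred->tgcred->session_keyring->uid`, is still dereferenced with no equivalent check. If the caller's own session keyring can be absent at this point the same oops is reachable from that side, so either add the check or add a comment stating why it cannot be NULL here. Note too that when the parent has no session keyring the UID comparison for the parent is now skipped entirely; the comment `the keyrings must have the same UID` should say that this case is allowed on purpose.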


@ -1,64 +0,0 @@
From: David Howells <dhowells@redhat.com>
Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
There's an protected access to the parent process's credentials in the middle
of keyctl_session_to_parent(). This results in the following RCU warning:
===================================================
[ INFO: suspicious rcu_dereference_check() usage. ]
---------------------------------------------------
security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 0
1 lock held by keyctl-session-/2137:
#0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
stack backtrace:
Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
Call Trace:
[<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
[<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
[<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
The code should take the RCU read lock to make sure the parents credentials
don't go away, even though it's holding a spinlock and has IRQ disabled.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index b2b0998..3868c67 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
keyring_r = NULL;
me = current;
+ rcu_read_lock();
write_lock_irq(&tasklist_lock);
parent = me->real_parent;
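
Review bot: The `rcu_read_lock()` added before `write_lock_irq(&tasklist_lock)` in keyctl_session_to_parent() will look redundant to anyone reading the code, since a spinlock is held with IRQs disabled, and the reason is given only in the commit message. Add a comment at the lock site saying it keeps the parent's credentials from going away. The two later hunks release it after `write_unlock_irq()` on the success path and at `not_permitted:`; confirm that no return between the lock and those two sites bypasses both, since that would leave the read-side critical section open.
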
@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
write_unlock_irq(&tasklist_lock);
+ rcu_read_unlock();
if (oldcred)
put_cred(oldcred);
return 0;
@@ -1327,6 +1329,7 @@ already_same:
ret = 0;
not_permitted:
write_unlock_irq(&tasklist_lock);
+ rcu_read_unlock();
put_cred(cred);
return ret;


@ -1,29 +0,0 @@
Subject: virtio_console: Fix poll blocking even though there is data to read
From: Hans de Goede <hdegoede@redhat.com>
I found this while working on a Linux agent for spice, the symptom I was
seeing was select blocking on the spice vdagent virtio serial port even
though there were messages queued up there.
virtio_console's port_fops_poll checks port->inbuf != NULL to determine if
read won't block. However if an application reads enough bytes from inbuf
through port_fops_read, to empty the current port->inbuf, port->inbuf
will be NULL even though there may be buffers left in the virtqueue.
This causes poll() to block even though there is data to be read, this patch
fixes this by using the alredy defined will_read_block utility function
instead of the port->inbuf != NULL check.
Signed-off-By: Hans de Goede <hdegoede@redhat.com>
diff -up linux-2.6.35.x86_64/drivers/char/virtio_console.c~ linux-2.6.35.x86_64/drivers/char/virtio_console.c
--- linux-2.6.35.x86_64/drivers/char/virtio_console.c~ 2010-08-02 00:11:14.000000000 +0200
+++ linux-2.6.35.x86_64/drivers/char/virtio_console.c 2010-09-15 13:39:29.043505000 +0200
@@ -642,7 +642,7 @@ static unsigned int port_fops_poll(struc
poll_wait(filp, &port->waitqueue, wait);
ret = 0;
- if (port->inbuf)
+ if (!will_read_block(port))
ret |= POLLIN | POLLRDNORM;
if (!will_write_block(port))
ret |= POLLOUT;
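
Review bot: Unlike the other patches removed here, this one carries no Date, no upstream commit reference and no X-Git-Url, and it is a `diff -up` against a local `linux-2.6.35.x86_64` tree, so the file itself gives no way to confirm that the port_fops_poll() change was merged in -stable as the commit title says. Cite the stable commit or release that contains the `!will_read_block(port)` change in the commit message before dropping the local copy.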


@ -1,55 +0,0 @@
From: Stanislaw Gruszka <sgruszka@redhat.com>
Date: Tue, 14 Sep 2010 14:35:14 +0000 (+0200)
Subject: sched: Fix user time incorrectly accounted as system time on 32-bit
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fx86%2Flinux-2.6-tip.git;a=commitdiff_plain;h=e75e863dd5c7d96b91ebbd241da5328fc38a78cc
sched: Fix user time incorrectly accounted as system time on 32-bit
We have 32-bit variable overflow possibility when multiply in
task_times() and thread_group_times() functions. When the
overflow happens then the scaled utime value becomes erroneously
small and the scaled stime becomes i erroneously big.
Reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=633037
https://bugzilla.kernel.org/show_bug.cgi?id=16559
Reported-by: Michael Chapman <redhat-bugzilla@very.puzzling.org>
Reported-by: Ciriaco Garcia de Celis <sysman@etherpilot.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Cc: <stable@kernel.org> # 2.6.32.19+ (partially) and 2.6.33+
LKML-Reference: <20100914143513.GB8415@redhat.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
diff --git a/kernel/sched.c b/kernel/sched.c
index ed09d4f..dc85ceb 100644
--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -3513,9 +3513,9 @@ void task_times(struct task_struct *p, cputime_t *ut, cputime_t *st)
rtime = nsecs_to_cputime(p->se.sum_exec_runtime);
if (total) {
- u64 temp;
+ u64 temp = rtime;
- temp = (u64)(rtime * utime);
+ temp *= utime;
do_div(temp, total);
utime = (cputime_t)temp;
} else
@@ -3546,9 +3546,9 @@ void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *st)
rtime = nsecs_to_cputime(cputime.sum_exec_runtime);
if (total) {
- u64 temp;
+ u64 temp = rtime;
- temp = (u64)(rtime * cputime.utime);
+ temp *= cputime.utime;
do_div(temp, total);
utime = (cputime_t)temp;
} else
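
Review bot: thread_group_times() repeats the exact widening sequence introduced in task_times() (`u64 temp = rtime;` followed by `temp *= ...`), and neither copy carries a comment explaining that the assignment must come first so the multiply is done in 64 bits. Without that, the two lines invite being folded back into the one-line `(u64)(rtime * utime)` form that overflowed on 32-bit. Add the comment, or move the scale-and-divide step into one small helper used by both functions.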