rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v3.14 

- Disable debugging options.
This commit is contained in:
Josh Boyer 2014-03-31 08:32:46 -04:00
parent 700f6516bd
commit 58f19b149a
10 changed files with 73 additions and 442 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -6,3 +6,4 @@ clog
kernel-[23].*/
/perf-man.tar.gz
/perf-man-3.13.tar.gz
/perf-man-3.14.tar.gz

8
config-generic
View File

@ -1661,13 +1661,13 @@ CONFIG_B43_SDIO=y
CONFIG_B43_BCMA=y
# CONFIG_B43_BCMA_EXTRA is not set
CONFIG_B43_BCMA_PIO=y
CONFIG_B43_DEBUG=y
# CONFIG_B43_DEBUG is not set
CONFIG_B43_PHY_LP=y
CONFIG_B43_PHY_N=y
CONFIG_B43_PHY_HT=y
# CONFIG_B43_FORCE_PIO is not set
CONFIG_B43LEGACY=m
CONFIG_B43LEGACY_DEBUG=y
# CONFIG_B43LEGACY_DEBUG is not set
CONFIG_B43LEGACY_DMA=y
CONFIG_B43LEGACY_PIO=y
CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@ -3502,7 +3502,7 @@ CONFIG_USB_STORAGE_REALTEK=m
CONFIG_REALTEK_AUTOPM=y
CONFIG_USB_STORAGE_ENE_UB6250=m
# CONFIG_USB_LIBUSUAL is not set
CONFIG_USB_UAS=m
# CONFIG_USB_UAS is not set
#
@ -4570,7 +4570,7 @@ CONFIG_PM_DEBUG=y
# CONFIG_DPM_WATCHDOG is not set # revisit this in debug
CONFIG_PM_TRACE=y
CONFIG_PM_TRACE_RTC=y
CONFIG_PM_TEST_SUSPEND=y
# CONFIG_PM_TEST_SUSPEND is not set
CONFIG_PM_RUNTIME=y
# CONFIG_PM_OPP is not set
# CONFIG_PM_AUTOSLEEP is not set

112
config-nodebug
View File

@ -2,98 +2,98 @@ CONFIG_SND_VERBOSE_PRINTK=y
CONFIG_SND_DEBUG=y
CONFIG_SND_PCM_XRUN_DEBUG=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
# CONFIG_DEBUG_ATOMIC_SLEEP is not set
CONFIG_DEBUG_MUTEXES=y
CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_LOCK_ALLOC=y
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_PROVE_RCU=y
# CONFIG_DEBUG_MUTEXES is not set
# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
# CONFIG_DEBUG_RT_MUTEXES is not set
# CONFIG_DEBUG_LOCK_ALLOC is not set
# CONFIG_PROVE_LOCKING is not set
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_PROVE_RCU is not set
# CONFIG_PROVE_RCU_REPEATEDLY is not set
CONFIG_DEBUG_PER_CPU_MAPS=y
# CONFIG_DEBUG_PER_CPU_MAPS is not set
CONFIG_CPUMASK_OFFSTACK=y
CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
CONFIG_FAULT_INJECTION=y
CONFIG_FAILSLAB=y
CONFIG_FAIL_PAGE_ALLOC=y
CONFIG_FAIL_MAKE_REQUEST=y
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
CONFIG_FAIL_IO_TIMEOUT=y
CONFIG_FAIL_MMC_REQUEST=y
# CONFIG_FAULT_INJECTION is not set
# CONFIG_FAILSLAB is not set
# CONFIG_FAIL_PAGE_ALLOC is not set
# CONFIG_FAIL_MAKE_REQUEST is not set
# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
# CONFIG_FAIL_IO_TIMEOUT is not set
# CONFIG_FAIL_MMC_REQUEST is not set
CONFIG_LOCK_STAT=y
# CONFIG_LOCK_STAT is not set
CONFIG_DEBUG_STACK_USAGE=y
# CONFIG_DEBUG_STACK_USAGE is not set
CONFIG_ACPI_DEBUG=y
# CONFIG_ACPI_DEBUG is not set
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
CONFIG_DEBUG_SG=y
# CONFIG_DEBUG_SG is not set
# CONFIG_DEBUG_PAGEALLOC is not set
CONFIG_DEBUG_WRITECOUNT=y
CONFIG_DEBUG_OBJECTS=y
# CONFIG_DEBUG_WRITECOUNT is not set
# CONFIG_DEBUG_OBJECTS is not set
# CONFIG_DEBUG_OBJECTS_SELFTEST is not set
CONFIG_DEBUG_OBJECTS_FREE=y
CONFIG_DEBUG_OBJECTS_TIMERS=y
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
# CONFIG_DEBUG_OBJECTS_FREE is not set
# CONFIG_DEBUG_OBJECTS_TIMERS is not set
# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
CONFIG_X86_PTDUMP=y
# CONFIG_X86_PTDUMP is not set
CONFIG_CAN_DEBUG_DEVICES=y
# CONFIG_CAN_DEBUG_DEVICES is not set
CONFIG_MODULE_FORCE_UNLOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
CONFIG_SYSCTL_SYSCALL_CHECK=y
# CONFIG_SYSCTL_SYSCALL_CHECK is not set
CONFIG_DEBUG_NOTIFIERS=y
# CONFIG_DEBUG_NOTIFIERS is not set
CONFIG_DMA_API_DEBUG=y
# CONFIG_DMA_API_DEBUG is not set
CONFIG_MMIOTRACE=y
# CONFIG_MMIOTRACE is not set
CONFIG_DEBUG_CREDENTIALS=y
# CONFIG_DEBUG_CREDENTIALS is not set
# off in both production debug and nodebug builds,
# on in rawhide nodebug builds
CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
CONFIG_EXT4_DEBUG=y
# CONFIG_EXT4_DEBUG is not set
# CONFIG_XFS_WARN is not set
CONFIG_DEBUG_PERF_USE_VMALLOC=y
# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
CONFIG_JBD2_DEBUG=y
# CONFIG_JBD2_DEBUG is not set
CONFIG_NFSD_FAULT_INJECTION=y
# CONFIG_NFSD_FAULT_INJECTION is not set
CONFIG_DEBUG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_DRBD_FAULT_INJECTION=y
# CONFIG_DRBD_FAULT_INJECTION is not set
CONFIG_ATH_DEBUG=y
CONFIG_CARL9170_DEBUGFS=y
CONFIG_IWLWIFI_DEVICE_TRACING=y
# CONFIG_ATH_DEBUG is not set
# CONFIG_CARL9170_DEBUGFS is not set
# CONFIG_IWLWIFI_DEVICE_TRACING is not set
# CONFIG_RTLWIFI_DEBUG is not set
CONFIG_DEBUG_OBJECTS_WORK=y
# CONFIG_DEBUG_OBJECTS_WORK is not set
CONFIG_DMADEVICES_DEBUG=y
CONFIG_DMADEVICES_VDEBUG=y
# CONFIG_DMADEVICES_DEBUG is not set
# CONFIG_DMADEVICES_VDEBUG is not set
CONFIG_PM_ADVANCED_DEBUG=y
CONFIG_CEPH_LIB_PRETTYDEBUG=y
CONFIG_QUOTA_DEBUG=y
# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
# CONFIG_QUOTA_DEBUG is not set
CONFIG_PCI_DEFAULT_USE_CRS=y
@ -101,18 +101,18 @@ CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
CONFIG_KDB_CONTINUE_CATASTROPHIC=0
CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
# CONFIG_PERCPU_TEST is not set
CONFIG_TEST_LIST_SORT=y
# CONFIG_TEST_LIST_SORT is not set
# CONFIG_TEST_STRING_HELPERS is not set
CONFIG_DETECT_HUNG_TASK=y
# CONFIG_DETECT_HUNG_TASK is not set
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
CONFIG_DEBUG_KMEMLEAK=y
# CONFIG_DEBUG_KMEMLEAK is not set
CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
# CONFIG_DEBUG_KMEMLEAK_TEST is not set
CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
@ -123,7 +123,7 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
# CONFIG_SPI_DEBUG is not set
CONFIG_X86_DEBUG_STATIC_CPU_HAS=y
# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
# CONFIG_SCHEDSTATS is not set
# CONFIG_LATENCYTOP is not set

2
config-x86-generic
View File

@ -334,7 +334,7 @@ CONFIG_SP5100_TCO=m
# CONFIG_MEMTEST is not set
# CONFIG_DEBUG_TLBFLUSH is not set
CONFIG_MAXSMP=y
# CONFIG_MAXSMP is not set
CONFIG_HP_ILO=m

163
core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
View File

@ -1,163 +0,0 @@
Bugzilla: 1079013
Upstream-status: Queued in netdev tree
From 36d5fe6a000790f56039afe26834265db0a3ad4c Mon Sep 17 00:00:00 2001
From: Zoltan Kiss <zoltan.kiss@citrix.com>
Date: Wed, 26 Mar 2014 22:37:45 +0000
Subject: core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle
errors
skb_zerocopy can copy elements of the frags array between skbs, but it doesn't
orphan them. Also, it doesn't handle errors, so this patch takes care of that
as well, and modify the callers accordingly. skb_tx_error() is also added to
the callers so they will signal the failed delivery towards the creator of the
skb.
Signed-off-by: Zoltan Kiss <zoltan.kiss@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 5e1e6f2..15ede6a 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2451,8 +2451,8 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
unsigned int flags);
void skb_copy_and_csum_dev(const struct sk_buff *skb, u8 *to);
unsigned int skb_zerocopy_headlen(const struct sk_buff *from);
-void skb_zerocopy(struct sk_buff *to, const struct sk_buff *from,
- int len, int hlen);
+int skb_zerocopy(struct sk_buff *to, struct sk_buff *from,
+ int len, int hlen);
void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len);
int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen);
void skb_scrub_packet(struct sk_buff *skb, bool xnet);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 869c7af..97e5a2c 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2127,25 +2127,31 @@ EXPORT_SYMBOL_GPL(skb_zerocopy_headlen);
*
* The `hlen` as calculated by skb_zerocopy_headlen() specifies the
* headroom in the `to` buffer.
+ *
+ * Return value:
+ * 0: everything is OK
+ * -ENOMEM: couldn't orphan frags of @from due to lack of memory
+ * -EFAULT: skb_copy_bits() found some problem with skb geometry
*/
-void
-skb_zerocopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen)
+int
+skb_zerocopy(struct sk_buff *to, struct sk_buff *from, int len, int hlen)
{
int i, j = 0;
int plen = 0; /* length of skb->head fragment */
+ int ret;
struct page *page;
unsigned int offset;
BUG_ON(!from->head_frag && !hlen);
/* dont bother with small payloads */
- if (len <= skb_tailroom(to)) {
- skb_copy_bits(from, 0, skb_put(to, len), len);
- return;
- }
+ if (len <= skb_tailroom(to))
+ return skb_copy_bits(from, 0, skb_put(to, len), len);
if (hlen) {
- skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
+ ret = skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
+ if (unlikely(ret))
+ return ret;
len -= hlen;
} else {
plen = min_t(int, skb_headlen(from), len);
@@ -2163,6 +2169,11 @@ skb_zerocopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen)
to->len += len + plen;
to->data_len += len + plen;
+ if (unlikely(skb_orphan_frags(from, GFP_ATOMIC))) {
+ skb_tx_error(from);
+ return -ENOMEM;
+ }
+
for (i = 0; i < skb_shinfo(from)->nr_frags; i++) {
if (!len)
break;
@@ -2173,6 +2184,8 @@ skb_zerocopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen)
j++;
}
skb_shinfo(to)->nr_frags = j;
+
+ return 0;
}
EXPORT_SYMBOL_GPL(skb_zerocopy);
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index f072fe8..108120f 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -354,13 +354,16 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
skb = nfnetlink_alloc_skb(net, size, queue->peer_portid,
GFP_ATOMIC);
- if (!skb)
+ if (!skb) {
+ skb_tx_error(entskb);
return NULL;
+ }
nlh = nlmsg_put(skb, 0, 0,
NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET,
sizeof(struct nfgenmsg), 0);
if (!nlh) {
+ skb_tx_error(entskb);
kfree_skb(skb);
return NULL;
}
@@ -488,13 +491,15 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
nla->nla_type = NFQA_PAYLOAD;
nla->nla_len = nla_attr_size(data_len);
- skb_zerocopy(skb, entskb, data_len, hlen);
+ if (skb_zerocopy(skb, entskb, data_len, hlen))
+ goto nla_put_failure;
}
nlh->nlmsg_len = skb->len;
return skb;
nla_put_failure:
+ skb_tx_error(entskb);
kfree_skb(skb);
net_err_ratelimited("nf_queue: error creating packet message\n");
return NULL;
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 8601b32..270b77d 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -464,7 +464,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
}
nla->nla_len = nla_attr_size(skb->len);
- skb_zerocopy(user_skb, skb, skb->len, hlen);
+ err = skb_zerocopy(user_skb, skb, skb->len, hlen);
+ if (err)
+ goto out;
/* Pad OVS_PACKET_ATTR_PACKET if linear copy was performed */
if (!(dp->user_features & OVS_DP_F_UNALIGNED)) {
@@ -478,6 +480,8 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
err = genlmsg_unicast(ovs_dp_get_net(dp), user_skb, upcall_info->portid);
out:
+ if (err)
+ skb_tx_error(skb);
kfree_skb(nskb);
return err;
}
--
cgit v0.10.1

50
input-cypress_ps2-Don-t-report-the-cypress-PS-2-trac.patch
View File

@ -1,50 +0,0 @@
From c4aa64b54ecc029579b0c62e976d747a0e567dfc Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Fri, 21 Mar 2014 10:55:11 +0100
Subject: [PATCH] input: cypress_ps2: Don't report the cypress PS/2 trackpads
as a button pad
The cypress PS/2 trackpad models supported by the cypress_ps2 driver emulate
BTN_RIGHT events in firmware based on the finger position, as part of this
no motion events are sent when the finger is in the button area.
The INPUT_PROP_BUTTONPAD property is there to indicate to userspace that
BTN_RIGHT events should be emulated in userspace, which is not necessary
in this case.
When INPUT_PROP_BUTTONPAD is advertised userspace will wait for a motion event
before propagating the button event higher up the stack, as it needs current
abs x + y data for its BTN_RIGHT emulation. Since in the cypress_ps2 pads
don't report motion events in the button area, this means that clicks in the
button area end up being ignored, so INPUT_PROP_BUTTONPAD actually causes
problems for these touchpads, and removing it fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=76341
Reported-by: Adam Williamson <awilliam@redhat.com>
Tested-by: Adam Williamson <awilliam@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Cc: Adam Williamson <awilliam@redhat.com>
Cc: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: stable@vger.kernel.org
---
drivers/input/mouse/cypress_ps2.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/input/mouse/cypress_ps2.c b/drivers/input/mouse/cypress_ps2.c
index 87095e2..8af34ff 100644
--- a/drivers/input/mouse/cypress_ps2.c
+++ b/drivers/input/mouse/cypress_ps2.c
@@ -409,7 +409,6 @@ static int cypress_set_input_params(struct input_dev *input,
__clear_bit(REL_X, input->relbit);
__clear_bit(REL_Y, input->relbit);
- __set_bit(INPUT_PROP_BUTTONPAD, input->propbit);
__set_bit(EV_KEY, input->evbit);
__set_bit(BTN_LEFT, input->keybit);
__set_bit(BTN_RIGHT, input->keybit);
--
1.9.0

38
kernel.spec
View File

@ -6,7 +6,7 @@ Summary: The Linux kernel
# For a stable, released kernel, released_kernel should be 1. For rawhide
# and/or a kernel built from an rc or git snapshot, released_kernel should
# be 0.
%global released_kernel 0
%global released_kernel 1
# Sign modules on x86. Make sure the config files match this setting if more
# architectures are added.
@ -40,7 +40,7 @@ Summary: The Linux kernel
# base_sublevel is the kernel version we're starting with and patching
# on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base,
# which yields a base_sublevel of 0.
%define base_sublevel 13
%define base_sublevel 14
## If this is a released kernel ##
%if 0%{?released_kernel}
@ -59,9 +59,9 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level
%define rcrev 8
%define rcrev 0
# The git snapshot level
%define gitrev 1
%define gitrev 0
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@ -122,7 +122,7 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
# and 0 for rawhide (all kernels are debug kernels).
# See also 'make debug' and 'make release'.
%define debugbuildsenabled 0
%define debugbuildsenabled 1
# Want to build a vanilla kernel build without any non-upstream patches?
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
@ -642,21 +642,9 @@ Patch25036: ppc64le_module_fix.patch
#rhbz 1046495
Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
#CVE-2014-2568 rhbz 1079012 1079013
Patch25049: core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
#CVE-2014-0055 rhbz 1062577 1081503
Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch
#CVE-2014-0077 rhbz 1064440 1081504
Patch25051: net-vhost-fix-total-length-when-packets-are-too-short.patch
#CVE-2014-2580 rhbz 1080084 1080086
Patch25052: net-xen-netback-disable-rogue-vif-in-kthread-context.patch
#https://bugs.freedesktop.org/show_bug.cgi?id=76341
#included in the input tree for-linux branch, will go upstream for 3.15
Patch25053: input-cypress_ps2-Don-t-report-the-cypress-PS-2-trac.patch
# END OF PATCH DEFINITIONS
%endif
@ -1304,21 +1292,9 @@ ApplyPatch ppc64le_module_fix.patch
#rhbz 1046495
ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
#CVE-2014-2568 rhbz 1079012 1079013
ApplyPatch core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
#CVE-2014-0055 rhbz 1062577 1081503
ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch
#CVE-2014-0077 rhbz 1064440 1081504
ApplyPatch net-vhost-fix-total-length-when-packets-are-too-short.patch
#CVE-2014-2580 rhbz 1080084 1080086
ApplyPatch net-xen-netback-disable-rogue-vif-in-kthread-context.patch
#https://bugs.freedesktop.org/show_bug.cgi?id=76341
ApplyPatch input-cypress_ps2-Don-t-report-the-cypress-PS-2-trac.patch
# END OF PATCH APPLICATIONS
%endif
@ -2098,6 +2074,10 @@ fi
# ||----w |
# || ||
%changelog
* Mon Mar 31 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.14.0-1
- Linux v3.14
- Disable debugging options.
* Mon Mar 31 2014 Hans de Goede <hdegoede@redhat.com>
- Fix clicks getting lost with cypress_ps2 touchpads with recent
xorg-x11-drv-synaptics versions (bfdo#76341)

80
net-vhost-fix-total-length-when-packets-are-too-short.patch
View File

@ -1,80 +0,0 @@
Bugzilla: 1081504
Upstream-status: Sent to netdev list
From patchwork Thu Mar 27 10:00:26 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [PATCHv2,net] vhost: fix total length when packets are too short
From: "Michael S. Tsirkin" <mst@redhat.com>
X-Patchwork-Id: 334283
Message-Id: <20140327100026.GA30715@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: kvm@vger.kernel.org, virtio-dev@lists.oasis-open.org,
virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
Jason Wang <jasowang@redhat.com>, David Miller <davem@davemloft.net>
Date: Thu, 27 Mar 2014 12:00:26 +0200
When mergeable buffers are disabled, and the
incoming packet is too large for the rx buffer,
get_rx_bufs returns success.
This was intentional in order for make recvmsg
truncate the packet and then handle_rx would
detect err != sock_len and drop it.
Unfortunately we pass the original sock_len to
recvmsg - which means we use parts of iov not fully
validated.
Fix this up by detecting this overrun and doing packet drop
immediately.
CVE-2014-0077
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
Changes from v1:
Fix CVE# in the commit log.
Patch is unchanged.
Note: this is needed for -stable.
I wonder if this can still make the release.
drivers/vhost/net.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index a0fa5de..026be58 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
*iovcount = seg;
if (unlikely(log))
*log_num = nlogs;
+
+ /* Detect overrun */
+ if (unlikely(datalen > 0)) {
+ r = UIO_MAXIOV + 1;
+ goto err;
+ }
return headcount;
err:
vhost_discard_vq_desc(vq, headcount);
@@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net)
/* On error, stop handling until the next kick. */
if (unlikely(headcount < 0))
break;
+ /* On overrun, truncate and discard */
+ if (unlikely(headcount > UIO_MAXIOV)) {
+ msg.msg_iovlen = 1;
+ err = sock->ops->recvmsg(NULL, sock, &msg,
+ 1, MSG_DONTWAIT | MSG_TRUNC);
+ pr_debug("Discarded rx packet: len %zd\n", sock_len);
+ continue;
+ }
/* OK, now we need to know about added descriptors. */
if (!headcount) {
if (unlikely(vhost_enable_notify(&net->dev, vq))) {

55
net-vhost-validate-vhost_get_vq_desc-return-value.patch
View File

@ -1,55 +0,0 @@
Bugzilla: 1081503
Upstream-status: Sent to netdev
From patchwork Thu Mar 27 10:53:37 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [net] vhost: validate vhost_get_vq_desc return value
From: "Michael S. Tsirkin" <mst@redhat.com>
X-Patchwork-Id: 334291
Message-Id: <1395917517-30937-1-git-send-email-mst@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: kvm@vger.kernel.org, virtio-dev@lists.oasis-open.org,
virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
David Miller <davem@davemloft.net>, Jason Wang <jasowang@redhat.com>
Date: Thu, 27 Mar 2014 12:53:37 +0200
vhost fails to validate negative error code
from vhost_get_vq_desc causing
a crash: we are using -EFAULT which is 0xfffffff2
as vector size, which exceeds the allocated size.
The code in question was introduced in commit
8dd014adfea6f173c1ef6378f7e5e7924866c923
vhost-net: mergeable buffers support
CVE-2014-0055
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
This is needed in -stable.
drivers/vhost/net.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 026be58..e1e22e0 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -505,9 +505,13 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
r = -ENOBUFS;
goto err;
}
- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
+ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
ARRAY_SIZE(vq->iov) - seg, &out,
&in, log, log_num);
+ if (unlikely(r < 0))
+ goto err;
+
+ d = r;
if (d == vq->num) {
r = 0;
goto err;

6
sources
View File

@ -1,4 +1,2 @@
0ecbaf65c00374eb4a826c2f9f37606f linux-3.13.tar.xz
732d1952898b28d5ccc264cad77b0619 perf-man-3.13.tar.gz
625e757abc795d92e4bf23247df3fb31 patch-3.14-rc8.xz
59b9c6c53a6ef15c591ea47b723385eb patch-3.14-rc8-git1.xz
b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz
d36baf2d62de5aa61f10a976d00d2d2a perf-man-3.14.tar.gz