rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'f12/master' into f12/user/myoung/xendom0 

Conflicts:
	kernel.spec
This commit is contained in:
Michael Young 2010-10-06 21:55:06 +01:00
parent c52a0441d7 9d54ccf27d
commit 5bf54082f3
18 changed files with 42 additions and 893 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

198
01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
View File

@ -1,198 +0,0 @@
From f45716729488bd8263b06e7d672c8ff8f2ded8b7 Mon Sep 17 00:00:00 2001
From: H. Peter Anvin <hpa@linux.intel.com>
Date: Tue, 7 Sep 2010 16:16:18 -0700
Subject: [PATCH 1/4] compat: Make compat_alloc_user_space() incorporate the access_ok()
compat_alloc_user_space() expects the caller to independently call
access_ok() to verify the returned area. A missing call could
introduce problems on some architectures.
This patch incorporates the access_ok() check into
compat_alloc_user_space() and also adds a sanity check on the length.
The existing compat_alloc_user_space() implementations are renamed
arch_compat_alloc_user_space() and are used as part of the
implementation of the new global function.
This patch assumes NULL will cause __get_user()/__put_user() to either
fail or access userspace on all architectures. This should be
followed by checking the return value of compat_access_user_space()
for NULL in the callers, at which time the access_ok() in the callers
can also be removed.
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Chris Metcalf <cmetcalf@tilera.com>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Tony Luck <tony.luck@intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Helge Deller <deller@gmx.de>
Cc: James Bottomley <jejb@parisc-linux.org>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: <stable@kernel.org>
---
[ edited to fix build on 2.6.32 ]
arch/ia64/include/asm/compat.h | 2 +-
arch/mips/include/asm/compat.h | 2 +-
arch/parisc/include/asm/compat.h | 2 +-
arch/powerpc/include/asm/compat.h | 2 +-
arch/s390/include/asm/compat.h | 2 +-
arch/sparc/include/asm/compat.h | 2 +-
arch/x86/include/asm/compat.h | 2 +-
include/linux/compat.h | 2 ++
kernel/compat.c | 22 +++++++++++++++++++++
9 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h
index dfcf75b..c8662cd 100644
--- a/arch/ia64/include/asm/compat.h
+++ b/arch/ia64/include/asm/compat.h
@@ -198,7 +198,7 @@ ptr_to_compat(void __user *uptr)
}
static __inline__ void __user *
-compat_alloc_user_space (long len)
+arch_compat_alloc_user_space (long len)
{
struct pt_regs *regs = task_pt_regs(current);
return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h
index f58aed3..27505bd 100644
--- a/arch/mips/include/asm/compat.h
+++ b/arch/mips/include/asm/compat.h
@@ -144,7 +144,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
return (u32)(unsigned long)uptr;
}
-static inline void __user *compat_alloc_user_space(long len)
+static inline void __user *arch_compat_alloc_user_space(long len)
{
struct pt_regs *regs = (struct pt_regs *)
((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h
index 7f32611..7c77fa9 100644
--- a/arch/parisc/include/asm/compat.h
+++ b/arch/parisc/include/asm/compat.h
@@ -146,7 +146,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
return (u32)(unsigned long)uptr;
}
-static __inline__ void __user *compat_alloc_user_space(long len)
+static __inline__ void __user *arch_compat_alloc_user_space(long len)
{
struct pt_regs *regs = &current->thread.regs;
return (void __user *)regs->gr[30];
diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h
index 4774c2f..8d0fff3 100644
--- a/arch/powerpc/include/asm/compat.h
+++ b/arch/powerpc/include/asm/compat.h
@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
return (u32)(unsigned long)uptr;
}
-static inline void __user *compat_alloc_user_space(long len)
+static inline void __user *arch_compat_alloc_user_space(long len)
{
struct pt_regs *regs = current->thread.regs;
unsigned long usp = regs->gpr[1];
diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
index 01a0802..0c940d3 100644
--- a/arch/s390/include/asm/compat.h
+++ b/arch/s390/include/asm/compat.h
@@ -180,7 +180,7 @@ static inline int is_compat_task(void)
#endif
-static inline void __user *compat_alloc_user_space(long len)
+static inline void __user *arch_compat_alloc_user_space(long len)
{
unsigned long stack;
diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h
index 0e70625..612bb38 100644
--- a/arch/sparc/include/asm/compat.h
+++ b/arch/sparc/include/asm/compat.h
@@ -166,7 +166,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
return (u32)(unsigned long)uptr;
}
-static inline void __user *compat_alloc_user_space(long len)
+static inline void __user *arch_compat_alloc_user_space(long len)
{
struct pt_regs *regs = current_thread_info()->kregs;
unsigned long usp = regs->u_regs[UREG_I6];
diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
index 9a9c7bd..c8c9a74 100644
--- a/arch/x86/include/asm/compat.h
+++ b/arch/x86/include/asm/compat.h
@@ -204,7 +204,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
return (u32)(unsigned long)uptr;
}
-static inline void __user *compat_alloc_user_space(long len)
+static inline void __user *arch_compat_alloc_user_space(long len)
{
struct pt_regs *regs = task_pt_regs(current);
return (void __user *)regs->sp - len;
diff --git a/include/linux/compat.h b/include/linux/compat.h
index af931ee..cab23f2 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -309,5 +309,7 @@ asmlinkage long compat_sys_newfstatat(unsigned int dfd, char __user * filename,
asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename,
int flags, int mode);
+extern void __user *compat_alloc_user_space(unsigned long len);
+
#endif /* CONFIG_COMPAT */
#endif /* _LINUX_COMPAT_H */
diff a/kernel/compat.c b/kernel/compat.c
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -13,6 +13,7 @@
#include <linux/linkage.h>
#include <linux/compat.h>
+#include <linux/module.h>
#include <linux/errno.h>
#include <linux/time.h>
#include <linux/signal.h>
@@ -1137,3 +1137,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info)
return 0;
}
+
+/*
+ * Allocate user-space memory for the duration of a single system call,
+ * in order to marshall parameters inside a compat thunk.
+ */
+void __user *compat_alloc_user_space(unsigned long len)
+{
+ void __user *ptr;
+
+ /* If len would occupy more than half of the entire compat space... */
+ if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
+ return NULL;
+
+ ptr = arch_compat_alloc_user_space(len);
+
+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
+ return NULL;
+
+ return ptr;
+}
+EXPORT_SYMBOL_GPL(compat_alloc_user_space);
--
1.7.2.3

97
02-compat-test-rax-for-the-system-call-number-not-eax.patch
View File

@ -1,97 +0,0 @@
From aaeacea2992c28f1d355ff7cd4c4754131bdd831 Mon Sep 17 00:00:00 2001
From: H. Peter Anvin <hpa@linux.intel.com>
Date: Tue, 14 Sep 2010 12:42:41 -0700
Subject: [PATCH 2/4] x86-64, compat: Test %rax for the syscall number, not %eax
On 64 bits, we always, by necessity, jump through the system call
table via %rax. For 32-bit system calls, in theory the system call
number is stored in %eax, and the code was testing %eax for a valid
system call number. At one point we loaded the stored value back from
the stack to enforce zero-extension, but that was removed in checkin
d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process
will not be able to introduce a non-zero-extended number, but it can
happen via ptrace.
Instead of re-introducing the zero-extension, test what we are
actually going to use, i.e. %rax. This only adds a handful of REX
prefixes to the code.
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: <stable@kernel.org>
Cc: Roland McGrath <roland@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
---
arch/x86/ia32/ia32entry.S | 14 +++++++-------
1 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 5294d84..7f9eb54 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
CFI_REMEMBER_STATE
jnz sysenter_tracesys
- cmpl $(IA32_NR_syscalls-1),%eax
+ cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
sysenter_do_call:
IA32_ARG_FIXUP
@@ -195,7 +195,7 @@ sysexit_from_sys_call:
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
call audit_syscall_entry
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
- cmpl $(IA32_NR_syscalls-1),%eax
+ cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
movl %ebx,%edi /* reload 1st syscall arg */
movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */
@@ -248,7 +248,7 @@ sysenter_tracesys:
call syscall_trace_enter
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
- cmpl $(IA32_NR_syscalls-1),%eax
+ cmpq $(IA32_NR_syscalls-1),%rax
ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
jmp sysenter_do_call
CFI_ENDPROC
@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
CFI_REMEMBER_STATE
jnz cstar_tracesys
- cmpl $IA32_NR_syscalls-1,%eax
+ cmpq $IA32_NR_syscalls-1,%rax
ja ia32_badsys
cstar_do_call:
IA32_ARG_FIXUP 1
@@ -367,7 +367,7 @@ cstar_tracesys:
LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
RESTORE_REST
xchgl %ebp,%r9d
- cmpl $(IA32_NR_syscalls-1),%eax
+ cmpq $(IA32_NR_syscalls-1),%rax
ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
jmp cstar_do_call
END(ia32_cstar_target)
@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
orl $TS_COMPAT,TI_status(%r10)
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
jnz ia32_tracesys
- cmpl $(IA32_NR_syscalls-1),%eax
+ cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
ia32_do_call:
IA32_ARG_FIXUP
@@ -444,7 +444,7 @@ ia32_tracesys:
call syscall_trace_enter
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
- cmpl $(IA32_NR_syscalls-1),%eax
+ cmpq $(IA32_NR_syscalls-1),%rax
ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
jmp ia32_do_call
END(ia32_syscall)
--
1.7.2.3

49
03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
View File

@ -1,49 +0,0 @@
From 1fa16daaa76d1b132c8fee027c11bad5a5d25761 Mon Sep 17 00:00:00 2001
From: Roland McGrath <roland@redhat.com>
Date: Tue, 14 Sep 2010 12:22:58 -0700
Subject: [PATCH 3/4] x86-64, compat: Retruncate rax after ia32 syscall entry tracing
In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
32-bit tracee in system call entry. A %rax value set via ptrace at the
entry tracing stop gets used whole as a 32-bit syscall number, while we
only check the low 32 bits for validity.
Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
in addition to testing the full 64 bits as has already been added.
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
---
arch/x86/ia32/ia32entry.S | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 7f9eb54..4edd8eb 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -50,7 +50,12 @@
/*
* Reload arg registers from stack in case ptrace changed them.
* We don't reload %eax because syscall_trace_enter() returned
- * the value it wants us to use in the table lookup.
+ * the %rax value we should see. Instead, we just truncate that
+ * value to 32 bits again as we did on entry from user mode.
+ * If it's a new value set by user_regset during entry tracing,
+ * this matches the normal truncation of the user-mode value.
+ * If it's -1 to make us punt the syscall, then (u32)-1 is still
+ * an appropriately invalid value.
*/
.macro LOAD_ARGS32 offset, _r9=0
.if \_r9
@@ -60,6 +65,7 @@
movl \offset+48(%rsp),%edx
movl \offset+56(%rsp),%esi
movl \offset+64(%rsp),%edi
+ movl %eax,%eax /* zero extension */
.endm
.macro CFI_STARTPROC32 simple
--
1.7.2.3

47
aio-check-for-multiplication-overflow-in-do_io_submit.patch
View File

@ -1,47 +0,0 @@
From be18992d0630149403bfae5882601cf01a7d4eea Mon Sep 17 00:00:00 2001
From: Jeff Moyer <jmoyer@redhat.com>
Date: Fri, 10 Sep 2010 14:16:00 -0700
Subject: [PATCH 4/4] aio: check for multiplication overflow in do_io_submit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Tavis Ormandy pointed out that do_io_submit does not do proper bounds
checking on the passed-in iocb array:
       if (unlikely(nr < 0))
               return -EINVAL;
       if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
               return -EFAULT;                      ^^^^^^^^^^^^^^^^^^
The attached patch checks for overflow, and if it is detected, the
number of iocbs submitted is scaled down to a number that will fit in
the long.  This is an ok thing to do, as sys_io_submit is documented as
returning the number of iocbs submitted, so callers should handle a
return value of less than the 'nr' argument passed in.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
fs/aio.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/fs/aio.c b/fs/aio.c
index 02a2c93..b84a769 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1639,6 +1639,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
if (unlikely(nr < 0))
return -EINVAL;
+ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
+ nr = LONG_MAX/sizeof(*iocbpp);
+
if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
return -EFAULT;
--
1.7.2.3

53
alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
View File

@ -1,53 +0,0 @@
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
The error handling in snd_seq_oss_open() has several bad codes that
do dereferecing released pointers and double-free of kmalloc'ed data.
The object dp is release in free_devinfo() that is called via
private_free callback. The rest shouldn't touch this object any more.
The patch changes delete_port() to call kfree() in any case, and gets
rid of unnecessary calls of destructors in snd_seq_oss_open().
Fixes CVE-2010-3080.
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
index 6857122..69cd7b3 100644
--- a/sound/core/seq/oss/seq_oss_init.c
+++ b/sound/core/seq/oss/seq_oss_init.c
@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
return 0;
_error:
- snd_seq_oss_writeq_delete(dp->writeq);
- snd_seq_oss_readq_delete(dp->readq);
snd_seq_oss_synth_cleanup(dp);
snd_seq_oss_midi_cleanup(dp);
- delete_port(dp);
delete_seq_queue(dp->queue);
- kfree(dp);
+ delete_port(dp);
return rc;
}
@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
static int
delete_port(struct seq_oss_devinfo *dp)
{
- if (dp->port < 0)
+ if (dp->port < 0) {
+ kfree(dp);
return 0;
+ }
debug_printk(("delete_port %i\n", dp->port));
return snd_seq_event_port_detach(dp->cseq, dp->port);

2
drm-upgrayedd.patch
View File

@ -10283,7 +10283,7 @@ index 601415d..b27202d 100644
+ dev_priv->pipe_to_crtc_mapping[intel_crtc->pipe] = &intel_crtc->base;
+
intel_crtc->cursor_addr = 0;
intel_crtc->dpms_mode = DRM_MODE_DPMS_OFF;
intel_crtc->dpms_mode = -1;
drm_crtc_helper_add(&intel_crtc->base, &intel_helper_funcs);
@@ -4036,7 +4382,7 @@ static void intel_setup_outputs(struct drm_device *dev)
if (IS_MOBILE(dev) && !IS_I830(dev))

40
hid-01-usbhid-initialize-interface-pointers-early-enough.patch
View File

@ -1,40 +0,0 @@
commit 57ab12e418ec4fe24c11788bb1bbdabb29d05679
Author: Jiri Kosina <jkosina at suse.cz>
Date: Wed Feb 17 14:25:01 2010 +0100
HID: usbhid: initialize interface pointers early enough
Move the initialization of USB interface pointers from _start()
over to _probe() callback, which is where it belongs.
This fixes case where interface is NULL when parsing of report
descriptor fails.
LKML-Reference: <20100213135720.603e5f64 at neptune.home>
Reported-by: Alan Stern <stern at rowland.harvard.edu>
Tested-by: Bruno Prémont <bonbons at linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 74bd3ca..ceaf4a1 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1005,9 +1005,6 @@ static int usbhid_start(struct hid_device *hid)
spin_lock_init(&usbhid->lock);
- usbhid->intf = intf;
- usbhid->ifnum = interface->desc.bInterfaceNumber;
-
usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL);
if (!usbhid->urbctrl) {
ret = -ENOMEM;
@@ -1178,6 +1175,8 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *
hid->driver_data = usbhid;
usbhid->hid = hid;
+ usbhid->intf = intf;
+ usbhid->ifnum = interface->desc.bInterfaceNumber;
ret = hid_add_device(hid);
if (ret) {

53
hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
View File

@ -1,53 +0,0 @@
commit fde4e2f73208b8f34f123791e39c0cb6bc74b32a
Author: Alan Stern <stern at rowland.harvard.edu>
Date: Fri May 7 10:41:10 2010 -0400
HID: fix suspend crash by moving initializations earlier
Although the usbhid driver allocates its usbhid structure in the probe
routine, several critical fields in that structure don't get
initialized until usbhid_start(). However if report descriptor
parsing fails then usbhid_start() is never called. This leads to
problems during system suspend -- the system will freeze.
This patch (as1378) fixes the bug by moving the initialization
statements up into usbhid_probe().
Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
Reported-by: Bruno Prémont <bonbons at linux-vserver.org>
Tested-By: Bruno Prémont <bonbons at linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 56d06cd..7b85b69 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -999,13 +999,6 @@ static int usbhid_start(struct hid_device *hid)
}
}
- init_waitqueue_head(&usbhid->wait);
- INIT_WORK(&usbhid->reset_work, hid_reset);
- INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues);
- setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid);
-
- spin_lock_init(&usbhid->lock);
-
usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL);
if (!usbhid->urbctrl) {
ret = -ENOMEM;
@@ -1179,6 +1172,12 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *
usbhid->intf = intf;
usbhid->ifnum = interface->desc.bInterfaceNumber;
+ init_waitqueue_head(&usbhid->wait);
+ INIT_WORK(&usbhid->reset_work, hid_reset);
+ INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues);
+ setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid);
+ spin_lock_init(&usbhid->lock);
+
ret = hid_add_device(hid);
if (ret) {
if (ret != -ENODEV)

25
inotify-fix-inotify-oneshot-support.patch
View File

@ -1,25 +0,0 @@
#607327
During the large inotify rewrite to fsnotify I completely dropped support
for IN_ONESHOT. Reimplement that support.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
fs/notify/inotify/inotify_fsnotify.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
index daa666a..388a150 100644
--- a/fs/notify/inotify/inotify_fsnotify.c
+++ b/fs/notify/inotify/inotify_fsnotify.c
@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
ret = 0;
}
+ if (entry->mask & IN_ONESHOT)
+ fsnotify_destroy_mark_by_entry(entry);
+
/*
* If we hold the entry until after the event is on the queue
* IN_IGNORED won't be able to pass this event in the queue

29
inotify-send-IN_UNMOUNT-events.patch
View File

@ -1,29 +0,0 @@
#607327 ?
Since the .31 or so notify rewrite inotify has not sent events about
inodes which are unmounted. This patch restores those events.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
fs/notify/inotify/inotify_user.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
index 44aeb0f..f381daf 100644
--- a/fs/notify/inotify/inotify_user.c
+++ b/fs/notify/inotify/inotify_user.c
@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
{
__u32 mask;
- /* everything should accept their own ignored and cares about children */
- mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
+ /*
+ * everything should accept their own ignored, cares about children,
+ * and should receive events when the inode is unmounted
+ */
+ mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
/* mask off the flags used to open the fd */
mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));

35
irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
View File

@ -1,35 +0,0 @@
From: David S. Miller <davem@davemloft.net>
Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
irda: Correctly clean up self->ias_obj on irda_bind() failure.
If irda_open_tsap() fails, the irda_bind() code tries to destroy
the ->ias_obj object by hand, but does so wrongly.
In particular, it fails to a) release the hashbin attached to the
object and b) reset the self->ias_obj pointer to NULL.
Fix both problems by using irias_delete_object() and explicitly
setting self->ias_obj to NULL, just as irda_release() does.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 79986a6..fd55b51 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
if (err < 0) {
- kfree(self->ias_obj->name);
- kfree(self->ias_obj);
+ irias_delete_object(self->ias_obj);
+ self->ias_obj = NULL;
return err;
}

77
kernel.spec
View File

@ -48,7 +48,7 @@ Summary: The Linux kernel
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
# scripts/rebase.sh should be made to do that for you, actually.
#
%global baserelease 168
%global baserelease 170
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -60,7 +60,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 21
%define stable_update 23
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@ -640,11 +640,6 @@ Patch21: linux-2.6-tracehook.patch
Patch22: linux-2.6-utrace.patch
Patch23: linux-2.6-utrace-ptrace.patch
Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
Patch141: linux-2.6-ps3-storage-alias.patch
Patch143: linux-2.6-g5-therm-shutdown.patch
Patch144: linux-2.6-vio-modalias.patch
@ -783,7 +778,6 @@ Patch11010: via-hwmon-temp-sensor.patch
# patches headed upstream
Patch12010: linux-2.6-dell-laptop-rfkill-fix.patch
Patch12011: linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
Patch12013: linux-2.6-rfkill-all.patch
Patch12020: linux-2.6-cantiga-iommu-gfx.patch
@ -834,19 +828,11 @@ Patch12923: mac80211-explicitly-disable-enable-QoS.patch
# l2tp: fix oops in pppol2tp_xmit (#607054)
Patch13030: l2tp-fix-oops-in-pppol2tp_xmit.patch
Patch14020: inotify-fix-inotify-oneshot-support.patch
Patch14030: inotify-send-IN_UNMOUNT-events.patch
Patch14050: crypto-add-async-hash-testing.patch
# Red Hat Bugzilla #610911
Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
Patch14140: hid-01-usbhid-initialize-interface-pointers-early-enough.patch
Patch14141: hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
Patch14200: net-do-not-check-capable-if-kernel.patch
# Mitigate DOS with large argument lists
@ -854,13 +840,7 @@ Patch14210: execve-improve-interactivity-with-large-arguments.patch
Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch
Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch
# CVE-2010-3080
Patch14220: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
# CVE-2010-2960
Patch14230: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
Patch14231: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
# CVE-2010-3079
Patch14240: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
Patch14220: xen-fix-typo-in-xen-irq-fix.patch
Patch19997: xen.pvops.pre.patch
Patch19998: xen.pvops.patch
@ -1306,11 +1286,6 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
ApplyPatch via-hwmon-temp-sensor.patch
ApplyPatch linux-2.6-dell-laptop-rfkill-fix.patch
ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
#
# Intel IOMMU
#
@ -1344,7 +1319,6 @@ ApplyPatch linux-2.6-execshield.patch
#
# bugfixes to drivers and filesystems
#
ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
# ext4
@ -1475,9 +1449,6 @@ ApplyPatch crystalhd-2.6.34-staging.patch
# Assorted Virt Fixes
# Fix block I/O errors in KVM
#ApplyPatch linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
ApplyPatch linux-2.6-e1000-ich9.patch
ApplyPatch linux-2.6-phylib-autoload.patch
@ -1566,22 +1537,11 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch
# l2tp: fix oops in pppol2tp_xmit (#607054)
ApplyPatch l2tp-fix-oops-in-pppol2tp_xmit.patch
# fix broken oneshot support and missing umount events (F13#607327)
ApplyPatch inotify-fix-inotify-oneshot-support.patch
ApplyPatch inotify-send-IN_UNMOUNT-events.patch
# add tests for crypto async hashing (#571577)
ApplyPatch crypto-add-async-hash-testing.patch
ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
# RHBZ #592785
ApplyPatch hid-01-usbhid-initialize-interface-pointers-early-enough.patch
ApplyPatch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
# CVE-2010-2954
ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
# rhbz #598796
ApplyPatch net-do-not-check-capable-if-kernel.patch
@ -1590,13 +1550,8 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
# CVE-2010-3080
ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
# CVE-2010-2960
ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
# CVE-2010-3079
ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
# Fix typo in Xen patch from 2.6.22 that causes hang on boot.
ApplyPatch xen-fix-typo-in-xen-irq-fix.patch
ApplyPatch xen.pvops.pre.patch
ApplyPatch xen.pvops.patch
@ -2254,6 +2209,28 @@ fi
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
* Mon Sep 27 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.23-170
- Linux 2.6.32.23
- Drop merged patches:
aio-check-for-multiplication-overflow-in-do_io_submit.patch
inotify-fix-inotify-oneshot-support.patch
inotify-send-IN_UNMOUNT-events.patch
irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
- Fix typo in Xen patch from 2.6.32.22.
* Mon Sep 20 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.22-169
- Linux 2.6.32.22
- Drop merged patches:
01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
02-compat-test-rax-for-the-system-call-number-not-eax.patch
03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
hid-01-usbhid-initialize-interface-pointers-early-enough.patch
hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
* Mon Sep 20 2010 Michael Young <m.a.young@durham.ac.uk>
- update pvops

52
keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
View File

@ -1,52 +0,0 @@
From: David Howells <dhowells@redhat.com>
Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
of the parent process's session keyring whether or not the parent has a session
keyring [CVE-2010-2960].
This results in the following oops:
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
...
Call Trace:
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
if the parent process has no session keyring.
If the system is using pam_keyinit then it mostly protected against this as all
processes derived from a login will have inherited the session keyring created
by pam_keyinit during the log in procedure.
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
[ 2.6.32 backport ]
diff a/security/keys/keyctl.c b/security/keys/keyctl.c
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1291,7 +1291,8 @@ long keyctl_session_to_parent(void)
goto not_permitted;
/* the keyrings must have the same UID */
- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
+ if ((pcred->tgcred->session_keyring &&
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
mycred->tgcred->session_keyring->uid != mycred->euid)
goto not_permitted;

64
keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
View File

@ -1,64 +0,0 @@
From: David Howells <dhowells@redhat.com>
Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
There's an protected access to the parent process's credentials in the middle
of keyctl_session_to_parent(). This results in the following RCU warning:
===================================================
[ INFO: suspicious rcu_dereference_check() usage. ]
---------------------------------------------------
security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 0
1 lock held by keyctl-session-/2137:
#0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
stack backtrace:
Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
Call Trace:
[<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
[<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
[<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
The code should take the RCU read lock to make sure the parents credentials
don't go away, even though it's holding a spinlock and has IRQ disabled.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index b2b0998..3868c67 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
keyring_r = NULL;
me = current;
+ rcu_read_lock();
write_lock_irq(&tasklist_lock);
parent = me->real_parent;
@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
write_unlock_irq(&tasklist_lock);
+ rcu_read_unlock();
if (oldcred)
put_cred(oldcred);
return 0;
@@ -1327,6 +1329,7 @@ already_same:
ret = 0;
not_permitted:
write_unlock_irq(&tasklist_lock);
+ rcu_read_unlock();
put_cred(cred);
return ret;

48
linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
View File

@ -1,48 +0,0 @@
From: Mark McLoughlin <markmc@redhat.com>
Subject: [PATCH] block: silently error unsupported empty barriers too
With 2.6.31-rc5 in a KVM guest using dm and virtio_blk, we see the
following errors:
end_request: I/O error, dev vda, sector 0
end_request: I/O error, dev vda, sector 0
The errors go away if dm stops submitting empty barriers, by reverting:
commit 52b1fd5a27c625c78373e024bf570af3c9d44a79
Author: Mikulas Patocka <mpatocka@redhat.com>
dm: send empty barriers to targets in dm_flush
We should error all barriers, even empty barriers, on devices like
virtio_blk which don't support them.
See also:
https://bugzilla.redhat.com/514901
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Alasdair G Kergon <agk@redhat.com>
Cc: Neil Brown <neilb@suse.de>
---
block/blk-core.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/block/blk-core.c b/block/blk-core.c
index e3299a7..35ad2bb 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -1163,8 +1163,7 @@ static int __make_request(struct request_queue *q, struct bio *bio)
const int unplug = bio_unplug(bio);
int rw_flags;
- if (bio_barrier(bio) && bio_has_data(bio) &&
- (q->next_ordered == QUEUE_ORDERED_NONE)) {
+ if (bio_barrier(bio) && (q->next_ordered == QUEUE_ORDERED_NONE)) {
bio_endio(bio, -EOPNOTSUPP);
return 0;
}
--
1.6.4

2
sources
View File

@ -1,2 +1,2 @@
260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2
29aa10a231882a6e52908642b572326f patch-2.6.32.21.bz2
6eac9aebbf9e74546b7c44c0fb9348a7 patch-2.6.32.23.bz2

51
tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
View File

@ -1,51 +0,0 @@
From: Steven Rostedt <srostedt@redhat.com>
Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400)
Subject: tracing: Do not allow llseek to set_ftrace_filter
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
tracing: Do not allow llseek to set_ftrace_filter
Reading the file set_ftrace_filter does three things.
1) shows whether or not filters are set for the function tracer
2) shows what functions are set for the function tracer
3) shows what triggers are set on any functions
3 is independent from 1 and 2.
The way this file currently works is that it is a state machine,
and as you read it, it may change state. But this assumption breaks
when you use lseek() on the file. The state machine gets out of sync
and the t_show() may use the wrong pointer and cause a kernel oops.
Luckily, this will only kill the app that does the lseek, but the app
dies while holding a mutex. This prevents anyone else from using the
set_ftrace_filter file (or any other function tracing file for that matter).
A real fix for this is to rewrite the code, but that is too much for
a -rc release or stable. This patch simply disables llseek on the
set_ftrace_filter() file for now, and we can do the proper fix for the
next major release.
Reported-by: Robert Swiecki <swiecki@google.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Tavis Ormandy <taviso@google.com>
Cc: Eugene Teo <eugene@redhat.com>
Cc: vendor-sec@lst.de
Cc: <stable@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 7cb1f45..83a16e9 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = {
.open = ftrace_filter_open,
.read = seq_read,
.write = ftrace_filter_write,
- .llseek = ftrace_regex_lseek,
+ .llseek = no_llseek,
.release = ftrace_filter_release,
};

13
xen-fix-typo-in-xen-irq-fix.patch Normal file
View File

@ -0,0 +1,13 @@
Fix typo in Xen patch from 2.6.35.5
--- linux-2.6.35.noarch.orig/drivers/xen/events.c
+++ linux-2.6.35.noarch/drivers/xen/events.c
@@ -935,7 +935,7 @@ static struct irq_chip xen_dynamic_chip
.retrigger = retrigger_dynirq,
};
-static struct irq_chip en_percpu_chip __read_mostly = {
+static struct irq_chip xen_percpu_chip __read_mostly = {
.name = "xen-percpu",
.disable = disable_dynirq,