Merge branch 'f12/master' into f12/user/myoung/xendom0
Conflicts: kernel.spec
5bf54082f3
@ -1,198 +0,0 @@
|
|||
From f45716729488bd8263b06e7d672c8ff8f2ded8b7 Mon Sep 17 00:00:00 2001
|
||||
From: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Date: Tue, 7 Sep 2010 16:16:18 -0700
|
||||
Subject: [PATCH 1/4] compat: Make compat_alloc_user_space() incorporate the access_ok()
|
||||
|
||||
compat_alloc_user_space() expects the caller to independently call
|
||||
access_ok() to verify the returned area. A missing call could
|
||||
introduce problems on some architectures.
|
||||
|
||||
This patch incorporates the access_ok() check into
|
||||
compat_alloc_user_space() and also adds a sanity check on the length.
|
||||
The existing compat_alloc_user_space() implementations are renamed
|
||||
arch_compat_alloc_user_space() and are used as part of the
|
||||
implementation of the new global function.
|
||||
|
||||
This patch assumes NULL will cause __get_user()/__put_user() to either
|
||||
fail or access userspace on all architectures. This should be
|
||||
followed by checking the return value of compat_access_user_space()
|
||||
for NULL in the callers, at which time the access_ok() in the callers
|
||||
can also be removed.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
|
||||
Acked-by: Chris Metcalf <cmetcalf@tilera.com>
|
||||
Acked-by: David S. Miller <davem@davemloft.net>
|
||||
Acked-by: Ingo Molnar <mingo@elte.hu>
|
||||
Acked-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Acked-by: Tony Luck <tony.luck@intel.com>
|
||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
||||
Cc: Arnd Bergmann <arnd@arndb.de>
|
||||
Cc: Fenghua Yu <fenghua.yu@intel.com>
|
||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
|
||||
Cc: Helge Deller <deller@gmx.de>
|
||||
Cc: James Bottomley <jejb@parisc-linux.org>
|
||||
Cc: Kyle McMartin <kyle@mcmartin.ca>
|
||||
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
||||
Cc: Paul Mackerras <paulus@samba.org>
|
||||
Cc: Ralf Baechle <ralf@linux-mips.org>
|
||||
Cc: <stable@kernel.org>
|
||||
---
|
||||
|
||||
[ edited to fix build on 2.6.32 ]
|
||||
|
||||
arch/ia64/include/asm/compat.h | 2 +-
|
||||
arch/mips/include/asm/compat.h | 2 +-
|
||||
arch/parisc/include/asm/compat.h | 2 +-
|
||||
arch/powerpc/include/asm/compat.h | 2 +-
|
||||
arch/s390/include/asm/compat.h | 2 +-
|
||||
arch/sparc/include/asm/compat.h | 2 +-
|
||||
arch/x86/include/asm/compat.h | 2 +-
|
||||
include/linux/compat.h | 2 ++
|
||||
kernel/compat.c | 22 +++++++++++++++++++++
|
||||
9 files changed, 30 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h
|
||||
index dfcf75b..c8662cd 100644
|
||||
--- a/arch/ia64/include/asm/compat.h
|
||||
+++ b/arch/ia64/include/asm/compat.h
|
||||
@@ -198,7 +198,7 @@ ptr_to_compat(void __user *uptr)
|
||||
}
|
||||
|
||||
static __inline__ void __user *
|
||||
-compat_alloc_user_space (long len)
|
||||
+arch_compat_alloc_user_space (long len)
|
||||
{
|
||||
struct pt_regs *regs = task_pt_regs(current);
|
||||
return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
|
||||
diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h
|
||||
index f58aed3..27505bd 100644
|
||||
--- a/arch/mips/include/asm/compat.h
|
||||
+++ b/arch/mips/include/asm/compat.h
|
||||
@@ -144,7 +144,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = (struct pt_regs *)
|
||||
((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
|
||||
diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h
|
||||
index 7f32611..7c77fa9 100644
|
||||
--- a/arch/parisc/include/asm/compat.h
|
||||
+++ b/arch/parisc/include/asm/compat.h
|
||||
@@ -146,7 +146,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static __inline__ void __user *compat_alloc_user_space(long len)
|
||||
+static __inline__ void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = ¤t->thread.regs;
|
||||
return (void __user *)regs->gr[30];
|
||||
diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h
|
||||
index 4774c2f..8d0fff3 100644
|
||||
--- a/arch/powerpc/include/asm/compat.h
|
||||
+++ b/arch/powerpc/include/asm/compat.h
|
||||
@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = current->thread.regs;
|
||||
unsigned long usp = regs->gpr[1];
|
||||
diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
|
||||
index 01a0802..0c940d3 100644
|
||||
--- a/arch/s390/include/asm/compat.h
|
||||
+++ b/arch/s390/include/asm/compat.h
|
||||
@@ -180,7 +180,7 @@ static inline int is_compat_task(void)
|
||||
|
||||
#endif
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
unsigned long stack;
|
||||
|
||||
diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h
|
||||
index 0e70625..612bb38 100644
|
||||
--- a/arch/sparc/include/asm/compat.h
|
||||
+++ b/arch/sparc/include/asm/compat.h
|
||||
@@ -166,7 +166,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = current_thread_info()->kregs;
|
||||
unsigned long usp = regs->u_regs[UREG_I6];
|
||||
diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
|
||||
index 9a9c7bd..c8c9a74 100644
|
||||
--- a/arch/x86/include/asm/compat.h
|
||||
+++ b/arch/x86/include/asm/compat.h
|
||||
@@ -204,7 +204,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = task_pt_regs(current);
|
||||
return (void __user *)regs->sp - len;
|
||||
diff --git a/include/linux/compat.h b/include/linux/compat.h
|
||||
index af931ee..cab23f2 100644
|
||||
--- a/include/linux/compat.h
|
||||
+++ b/include/linux/compat.h
|
||||
@@ -309,5 +309,7 @@ asmlinkage long compat_sys_newfstatat(unsigned int dfd, char __user * filename,
|
||||
asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename,
|
||||
int flags, int mode);
|
||||
|
||||
+extern void __user *compat_alloc_user_space(unsigned long len);
|
||||
+
|
||||
#endif /* CONFIG_COMPAT */
|
||||
#endif /* _LINUX_COMPAT_H */
|
||||
diff a/kernel/compat.c b/kernel/compat.c
|
||||
--- a/kernel/compat.c
|
||||
+++ b/kernel/compat.c
|
||||
@@ -13,6 +13,7 @@
|
||||
|
||||
#include <linux/linkage.h>
|
||||
#include <linux/compat.h>
|
||||
+#include <linux/module.h>
|
||||
#include <linux/errno.h>
|
||||
#include <linux/time.h>
|
||||
#include <linux/signal.h>
|
||||
@@ -1137,3 +1137,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info)
|
||||
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * Allocate user-space memory for the duration of a single system call,
|
||||
+ * in order to marshall parameters inside a compat thunk.
|
||||
+ */
|
||||
+void __user *compat_alloc_user_space(unsigned long len)
|
||||
+{
|
||||
+ void __user *ptr;
|
||||
+
|
||||
+ /* If len would occupy more than half of the entire compat space... */
|
||||
+ if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
|
||||
+ return NULL;
|
||||
+
|
||||
+ ptr = arch_compat_alloc_user_space(len);
|
||||
+
|
||||
+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
|
||||
+ return NULL;
|
||||
+
|
||||
+ return ptr;
|
||||
+}
|
||||
+EXPORT_SYMBOL_GPL(compat_alloc_user_space);
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
@ -1,97 +0,0 @@
|
|||
From aaeacea2992c28f1d355ff7cd4c4754131bdd831 Mon Sep 17 00:00:00 2001
|
||||
From: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Date: Tue, 14 Sep 2010 12:42:41 -0700
|
||||
Subject: [PATCH 2/4] x86-64, compat: Test %rax for the syscall number, not %eax
|
||||
|
||||
On 64 bits, we always, by necessity, jump through the system call
|
||||
table via %rax. For 32-bit system calls, in theory the system call
|
||||
number is stored in %eax, and the code was testing %eax for a valid
|
||||
system call number. At one point we loaded the stored value back from
|
||||
the stack to enforce zero-extension, but that was removed in checkin
|
||||
d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process
|
||||
will not be able to introduce a non-zero-extended number, but it can
|
||||
happen via ptrace.
|
||||
|
||||
Instead of re-introducing the zero-extension, test what we are
|
||||
actually going to use, i.e. %rax. This only adds a handful of REX
|
||||
prefixes to the code.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Cc: <stable@kernel.org>
|
||||
Cc: Roland McGrath <roland@redhat.com>
|
||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
arch/x86/ia32/ia32entry.S | 14 +++++++-------
|
||||
1 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
|
||||
index 5294d84..7f9eb54 100644
|
||||
--- a/arch/x86/ia32/ia32entry.S
|
||||
+++ b/arch/x86/ia32/ia32entry.S
|
||||
@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
|
||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
||||
CFI_REMEMBER_STATE
|
||||
jnz sysenter_tracesys
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja ia32_badsys
|
||||
sysenter_do_call:
|
||||
IA32_ARG_FIXUP
|
||||
@@ -195,7 +195,7 @@ sysexit_from_sys_call:
|
||||
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
|
||||
call audit_syscall_entry
|
||||
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja ia32_badsys
|
||||
movl %ebx,%edi /* reload 1st syscall arg */
|
||||
movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */
|
||||
@@ -248,7 +248,7 @@ sysenter_tracesys:
|
||||
call syscall_trace_enter
|
||||
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
|
||||
RESTORE_REST
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
|
||||
jmp sysenter_do_call
|
||||
CFI_ENDPROC
|
||||
@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
|
||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
||||
CFI_REMEMBER_STATE
|
||||
jnz cstar_tracesys
|
||||
- cmpl $IA32_NR_syscalls-1,%eax
|
||||
+ cmpq $IA32_NR_syscalls-1,%rax
|
||||
ja ia32_badsys
|
||||
cstar_do_call:
|
||||
IA32_ARG_FIXUP 1
|
||||
@@ -367,7 +367,7 @@ cstar_tracesys:
|
||||
LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
|
||||
RESTORE_REST
|
||||
xchgl %ebp,%r9d
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
|
||||
jmp cstar_do_call
|
||||
END(ia32_cstar_target)
|
||||
@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
|
||||
orl $TS_COMPAT,TI_status(%r10)
|
||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
||||
jnz ia32_tracesys
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja ia32_badsys
|
||||
ia32_do_call:
|
||||
IA32_ARG_FIXUP
|
||||
@@ -444,7 +444,7 @@ ia32_tracesys:
|
||||
call syscall_trace_enter
|
||||
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
|
||||
RESTORE_REST
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
|
||||
jmp ia32_do_call
|
||||
END(ia32_syscall)
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
From 1fa16daaa76d1b132c8fee027c11bad5a5d25761 Mon Sep 17 00:00:00 2001
|
||||
From: Roland McGrath <roland@redhat.com>
|
||||
Date: Tue, 14 Sep 2010 12:22:58 -0700
|
||||
Subject: [PATCH 3/4] x86-64, compat: Retruncate rax after ia32 syscall entry tracing
|
||||
|
||||
In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
|
||||
32-bit tracee in system call entry. A %rax value set via ptrace at the
|
||||
entry tracing stop gets used whole as a 32-bit syscall number, while we
|
||||
only check the low 32 bits for validity.
|
||||
|
||||
Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
|
||||
in addition to testing the full 64 bits as has already been added.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
---
|
||||
arch/x86/ia32/ia32entry.S | 8 +++++++-
|
||||
1 files changed, 7 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
|
||||
index 7f9eb54..4edd8eb 100644
|
||||
--- a/arch/x86/ia32/ia32entry.S
|
||||
+++ b/arch/x86/ia32/ia32entry.S
|
||||
@@ -50,7 +50,12 @@
|
||||
/*
|
||||
* Reload arg registers from stack in case ptrace changed them.
|
||||
* We don't reload %eax because syscall_trace_enter() returned
|
||||
- * the value it wants us to use in the table lookup.
|
||||
+ * the %rax value we should see. Instead, we just truncate that
|
||||
+ * value to 32 bits again as we did on entry from user mode.
|
||||
+ * If it's a new value set by user_regset during entry tracing,
|
||||
+ * this matches the normal truncation of the user-mode value.
|
||||
+ * If it's -1 to make us punt the syscall, then (u32)-1 is still
|
||||
+ * an appropriately invalid value.
|
||||
*/
|
||||
.macro LOAD_ARGS32 offset, _r9=0
|
||||
.if \_r9
|
||||
@@ -60,6 +65,7 @@
|
||||
movl \offset+48(%rsp),%edx
|
||||
movl \offset+56(%rsp),%esi
|
||||
movl \offset+64(%rsp),%edi
|
||||
+ movl %eax,%eax /* zero extension */
|
||||
.endm
|
||||
|
||||
.macro CFI_STARTPROC32 simple
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
From be18992d0630149403bfae5882601cf01a7d4eea Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Moyer <jmoyer@redhat.com>
|
||||
Date: Fri, 10 Sep 2010 14:16:00 -0700
|
||||
Subject: [PATCH 4/4] aio: check for multiplication overflow in do_io_submit
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Tavis Ormandy pointed out that do_io_submit does not do proper bounds
|
||||
checking on the passed-in iocb array:
|
||||
|
||||
if (unlikely(nr < 0))
|
||||
return -EINVAL;
|
||||
|
||||
if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
|
||||
return -EFAULT; ^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The attached patch checks for overflow, and if it is detected, the
|
||||
number of iocbs submitted is scaled down to a number that will fit in
|
||||
the long. This is an ok thing to do, as sys_io_submit is documented as
|
||||
returning the number of iocbs submitted, so callers should handle a
|
||||
return value of less than the 'nr' argument passed in.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/aio.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/fs/aio.c b/fs/aio.c
|
||||
index 02a2c93..b84a769 100644
|
||||
--- a/fs/aio.c
|
||||
+++ b/fs/aio.c
|
||||
@@ -1639,6 +1639,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
|
||||
if (unlikely(nr < 0))
|
||||
return -EINVAL;
|
||||
|
||||
+ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
|
||||
+ nr = LONG_MAX/sizeof(*iocbpp);
|
||||
+
|
||||
if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
|
||||
return -EFAULT;
|
||||
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
|
||||
Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
|
||||
|
||||
ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
||||
|
||||
The error handling in snd_seq_oss_open() has several bad codes that
|
||||
do dereferecing released pointers and double-free of kmalloc'ed data.
|
||||
The object dp is release in free_devinfo() that is called via
|
||||
private_free callback. The rest shouldn't touch this object any more.
|
||||
|
||||
The patch changes delete_port() to call kfree() in any case, and gets
|
||||
rid of unnecessary calls of destructors in snd_seq_oss_open().
|
||||
|
||||
Fixes CVE-2010-3080.
|
||||
|
||||
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Cc: <stable@kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
|
||||
diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
|
||||
index 6857122..69cd7b3 100644
|
||||
--- a/sound/core/seq/oss/seq_oss_init.c
|
||||
+++ b/sound/core/seq/oss/seq_oss_init.c
|
||||
@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
|
||||
return 0;
|
||||
|
||||
_error:
|
||||
- snd_seq_oss_writeq_delete(dp->writeq);
|
||||
- snd_seq_oss_readq_delete(dp->readq);
|
||||
snd_seq_oss_synth_cleanup(dp);
|
||||
snd_seq_oss_midi_cleanup(dp);
|
||||
- delete_port(dp);
|
||||
delete_seq_queue(dp->queue);
|
||||
- kfree(dp);
|
||||
+ delete_port(dp);
|
||||
|
||||
return rc;
|
||||
}
|
||||
@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
|
||||
static int
|
||||
delete_port(struct seq_oss_devinfo *dp)
|
||||
{
|
||||
- if (dp->port < 0)
|
||||
+ if (dp->port < 0) {
|
||||
+ kfree(dp);
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
debug_printk(("delete_port %i\n", dp->port));
|
||||
return snd_seq_event_port_detach(dp->cseq, dp->port);
|
|
@ -10283,7 +10283,7 @@ index 601415d..b27202d 100644
|
|||
+ dev_priv->pipe_to_crtc_mapping[intel_crtc->pipe] = &intel_crtc->base;
|
||||
+
|
||||
intel_crtc->cursor_addr = 0;
|
||||
intel_crtc->dpms_mode = DRM_MODE_DPMS_OFF;
|
||||
intel_crtc->dpms_mode = -1;
|
||||
drm_crtc_helper_add(&intel_crtc->base, &intel_helper_funcs);
|
||||
@@ -4036,7 +4382,7 @@ static void intel_setup_outputs(struct drm_device *dev)
|
||||
if (IS_MOBILE(dev) && !IS_I830(dev))
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
commit 57ab12e418ec4fe24c11788bb1bbdabb29d05679
|
||||
Author: Jiri Kosina <jkosina at suse.cz>
|
||||
Date: Wed Feb 17 14:25:01 2010 +0100
|
||||
|
||||
HID: usbhid: initialize interface pointers early enough
|
||||
|
||||
Move the initialization of USB interface pointers from _start()
|
||||
over to _probe() callback, which is where it belongs.
|
||||
|
||||
This fixes case where interface is NULL when parsing of report
|
||||
descriptor fails.
|
||||
|
||||
LKML-Reference: <20100213135720.603e5f64 at neptune.home>
|
||||
Reported-by: Alan Stern <stern at rowland.harvard.edu>
|
||||
Tested-by: Bruno Prémont <bonbons at linux-vserver.org>
|
||||
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
|
||||
|
||||
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
|
||||
index 74bd3ca..ceaf4a1 100644
|
||||
--- a/drivers/hid/usbhid/hid-core.c
|
||||
+++ b/drivers/hid/usbhid/hid-core.c
|
||||
@@ -1005,9 +1005,6 @@ static int usbhid_start(struct hid_device *hid)
|
||||
|
||||
spin_lock_init(&usbhid->lock);
|
||||
|
||||
- usbhid->intf = intf;
|
||||
- usbhid->ifnum = interface->desc.bInterfaceNumber;
|
||||
-
|
||||
usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL);
|
||||
if (!usbhid->urbctrl) {
|
||||
ret = -ENOMEM;
|
||||
@@ -1178,6 +1175,8 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *
|
||||
|
||||
hid->driver_data = usbhid;
|
||||
usbhid->hid = hid;
|
||||
+ usbhid->intf = intf;
|
||||
+ usbhid->ifnum = interface->desc.bInterfaceNumber;
|
||||
|
||||
ret = hid_add_device(hid);
|
||||
if (ret) {
|
|
@ -1,53 +0,0 @@
|
|||
commit fde4e2f73208b8f34f123791e39c0cb6bc74b32a
|
||||
Author: Alan Stern <stern at rowland.harvard.edu>
|
||||
Date: Fri May 7 10:41:10 2010 -0400
|
||||
|
||||
HID: fix suspend crash by moving initializations earlier
|
||||
|
||||
Although the usbhid driver allocates its usbhid structure in the probe
|
||||
routine, several critical fields in that structure don't get
|
||||
initialized until usbhid_start(). However if report descriptor
|
||||
parsing fails then usbhid_start() is never called. This leads to
|
||||
problems during system suspend -- the system will freeze.
|
||||
|
||||
This patch (as1378) fixes the bug by moving the initialization
|
||||
statements up into usbhid_probe().
|
||||
|
||||
Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
|
||||
Reported-by: Bruno Prémont <bonbons at linux-vserver.org>
|
||||
Tested-By: Bruno Prémont <bonbons at linux-vserver.org>
|
||||
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
|
||||
|
||||
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
|
||||
index 56d06cd..7b85b69 100644
|
||||
--- a/drivers/hid/usbhid/hid-core.c
|
||||
+++ b/drivers/hid/usbhid/hid-core.c
|
||||
@@ -999,13 +999,6 @@ static int usbhid_start(struct hid_device *hid)
|
||||
}
|
||||
}
|
||||
|
||||
- init_waitqueue_head(&usbhid->wait);
|
||||
- INIT_WORK(&usbhid->reset_work, hid_reset);
|
||||
- INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues);
|
||||
- setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid);
|
||||
-
|
||||
- spin_lock_init(&usbhid->lock);
|
||||
-
|
||||
usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL);
|
||||
if (!usbhid->urbctrl) {
|
||||
ret = -ENOMEM;
|
||||
@@ -1179,6 +1172,12 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *
|
||||
usbhid->intf = intf;
|
||||
usbhid->ifnum = interface->desc.bInterfaceNumber;
|
||||
|
||||
+ init_waitqueue_head(&usbhid->wait);
|
||||
+ INIT_WORK(&usbhid->reset_work, hid_reset);
|
||||
+ INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues);
|
||||
+ setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid);
|
||||
+ spin_lock_init(&usbhid->lock);
|
||||
+
|
||||
ret = hid_add_device(hid);
|
||||
if (ret) {
|
||||
if (ret != -ENODEV)
|
||||
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
#607327
|
||||
|
||||
During the large inotify rewrite to fsnotify I completely dropped support
|
||||
for IN_ONESHOT. Reimplement that support.
|
||||
|
||||
Signed-off-by: Eric Paris <eparis@redhat.com>
|
||||
---
|
||||
|
||||
fs/notify/inotify/inotify_fsnotify.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
|
||||
index daa666a..388a150 100644
|
||||
--- a/fs/notify/inotify/inotify_fsnotify.c
|
||||
+++ b/fs/notify/inotify/inotify_fsnotify.c
|
||||
@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
|
||||
ret = 0;
|
||||
}
|
||||
|
||||
+ if (entry->mask & IN_ONESHOT)
|
||||
+ fsnotify_destroy_mark_by_entry(entry);
|
||||
+
|
||||
/*
|
||||
* If we hold the entry until after the event is on the queue
|
||||
* IN_IGNORED won't be able to pass this event in the queue
|
|
@ -1,29 +0,0 @@
|
|||
#607327 ?
|
||||
|
||||
Since the .31 or so notify rewrite inotify has not sent events about
|
||||
inodes which are unmounted. This patch restores those events.
|
||||
|
||||
Signed-off-by: Eric Paris <eparis@redhat.com>
|
||||
---
|
||||
|
||||
fs/notify/inotify/inotify_user.c | 7 +++++--
|
||||
1 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
|
||||
index 44aeb0f..f381daf 100644
|
||||
--- a/fs/notify/inotify/inotify_user.c
|
||||
+++ b/fs/notify/inotify/inotify_user.c
|
||||
@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
|
||||
{
|
||||
__u32 mask;
|
||||
|
||||
- /* everything should accept their own ignored and cares about children */
|
||||
- mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
|
||||
+ /*
|
||||
+ * everything should accept their own ignored, cares about children,
|
||||
+ * and should receive events when the inode is unmounted
|
||||
+ */
|
||||
+ mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
|
||||
|
||||
/* mask off the flags used to open the fd */
|
||||
mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));
|
|
@ -1,35 +0,0 @@
|
|||
From: David S. Miller <davem@davemloft.net>
|
||||
Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
|
||||
Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
|
||||
|
||||
irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
||||
|
||||
If irda_open_tsap() fails, the irda_bind() code tries to destroy
|
||||
the ->ias_obj object by hand, but does so wrongly.
|
||||
|
||||
In particular, it fails to a) release the hashbin attached to the
|
||||
object and b) reset the self->ias_obj pointer to NULL.
|
||||
|
||||
Fix both problems by using irias_delete_object() and explicitly
|
||||
setting self->ias_obj to NULL, just as irda_release() does.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
|
||||
index 79986a6..fd55b51 100644
|
||||
--- a/net/irda/af_irda.c
|
||||
+++ b/net/irda/af_irda.c
|
||||
@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
|
||||
|
||||
err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
|
||||
if (err < 0) {
|
||||
- kfree(self->ias_obj->name);
|
||||
- kfree(self->ias_obj);
|
||||
+ irias_delete_object(self->ias_obj);
|
||||
+ self->ias_obj = NULL;
|
||||
return err;
|
||||
}
|
||||
|
77
kernel.spec
|
@ -48,7 +48,7 @@ Summary: The Linux kernel
|
|||
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
|
||||
# scripts/rebase.sh should be made to do that for you, actually.
|
||||
#
|
||||
%global baserelease 168
|
||||
%global baserelease 170
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -60,7 +60,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 21
|
||||
%define stable_update 23
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -640,11 +640,6 @@ Patch21: linux-2.6-tracehook.patch
|
|||
Patch22: linux-2.6-utrace.patch
|
||||
Patch23: linux-2.6-utrace-ptrace.patch
|
||||
|
||||
Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
|
||||
Patch141: linux-2.6-ps3-storage-alias.patch
|
||||
Patch143: linux-2.6-g5-therm-shutdown.patch
|
||||
Patch144: linux-2.6-vio-modalias.patch
|
||||
|
@ -783,7 +778,6 @@ Patch11010: via-hwmon-temp-sensor.patch
|
|||
|
||||
# patches headed upstream
|
||||
Patch12010: linux-2.6-dell-laptop-rfkill-fix.patch
|
||||
Patch12011: linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
|
||||
Patch12013: linux-2.6-rfkill-all.patch
|
||||
Patch12020: linux-2.6-cantiga-iommu-gfx.patch
|
||||
|
||||
|
@ -834,19 +828,11 @@ Patch12923: mac80211-explicitly-disable-enable-QoS.patch
|
|||
# l2tp: fix oops in pppol2tp_xmit (#607054)
|
||||
Patch13030: l2tp-fix-oops-in-pppol2tp_xmit.patch
|
||||
|
||||
Patch14020: inotify-fix-inotify-oneshot-support.patch
|
||||
Patch14030: inotify-send-IN_UNMOUNT-events.patch
|
||||
|
||||
Patch14050: crypto-add-async-hash-testing.patch
|
||||
|
||||
# Red Hat Bugzilla #610911
|
||||
Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||
|
||||
Patch14140: hid-01-usbhid-initialize-interface-pointers-early-enough.patch
|
||||
Patch14141: hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
|
||||
|
||||
Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
|
||||
Patch14200: net-do-not-check-capable-if-kernel.patch
|
||||
|
||||
# Mitigate DOS with large argument lists
|
||||
|
@ -854,13 +840,7 @@ Patch14210: execve-improve-interactivity-with-large-arguments.patch
|
|||
Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-3080
|
||||
Patch14220: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
# CVE-2010-2960
|
||||
Patch14230: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
Patch14231: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
# CVE-2010-3079
|
||||
Patch14240: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||
Patch14220: xen-fix-typo-in-xen-irq-fix.patch
|
||||
|
||||
Patch19997: xen.pvops.pre.patch
|
||||
Patch19998: xen.pvops.patch
|
||||
|
@ -1306,11 +1286,6 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
|
|||
ApplyPatch via-hwmon-temp-sensor.patch
|
||||
ApplyPatch linux-2.6-dell-laptop-rfkill-fix.patch
|
||||
|
||||
ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
|
||||
|
||||
#
|
||||
# Intel IOMMU
|
||||
#
|
||||
|
@ -1344,7 +1319,6 @@ ApplyPatch linux-2.6-execshield.patch
|
|||
#
|
||||
# bugfixes to drivers and filesystems
|
||||
#
|
||||
ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
|
||||
# ext4
|
||||
|
||||
|
@ -1475,9 +1449,6 @@ ApplyPatch crystalhd-2.6.34-staging.patch
|
|||
|
||||
# Assorted Virt Fixes
|
||||
|
||||
# Fix block I/O errors in KVM
|
||||
#ApplyPatch linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
|
||||
|
||||
ApplyPatch linux-2.6-e1000-ich9.patch
|
||||
|
||||
ApplyPatch linux-2.6-phylib-autoload.patch
|
||||
|
@ -1566,22 +1537,11 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch
|
|||
# l2tp: fix oops in pppol2tp_xmit (#607054)
|
||||
ApplyPatch l2tp-fix-oops-in-pppol2tp_xmit.patch
|
||||
|
||||
# fix broken oneshot support and missing umount events (F13#607327)
|
||||
ApplyPatch inotify-fix-inotify-oneshot-support.patch
|
||||
ApplyPatch inotify-send-IN_UNMOUNT-events.patch
|
||||
|
||||
# add tests for crypto async hashing (#571577)
|
||||
ApplyPatch crypto-add-async-hash-testing.patch
|
||||
|
||||
ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||
|
||||
# RHBZ #592785
|
||||
ApplyPatch hid-01-usbhid-initialize-interface-pointers-early-enough.patch
|
||||
ApplyPatch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
|
||||
|
||||
# CVE-2010-2954
|
||||
ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
|
||||
# rhbz #598796
|
||||
ApplyPatch net-do-not-check-capable-if-kernel.patch
|
||||
|
||||
|
@ -1590,13 +1550,8 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
|
|||
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-3080
|
||||
ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
# CVE-2010-2960
|
||||
ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
# CVE-2010-3079
|
||||
ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||
# Fix typo in Xen patch from 2.6.22 that causes hang on boot.
|
||||
ApplyPatch xen-fix-typo-in-xen-irq-fix.patch
|
||||
|
||||
ApplyPatch xen.pvops.pre.patch
|
||||
ApplyPatch xen.pvops.patch
|
||||
|
@ -2254,6 +2209,28 @@ fi
|
|||
%kernel_variant_files -k vmlinux %{with_kdump} kdump
|
||||
|
||||
%changelog
|
||||
* Mon Sep 27 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.23-170
|
||||
- Linux 2.6.32.23
|
||||
- Drop merged patches:
|
||||
aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
inotify-fix-inotify-oneshot-support.patch
|
||||
inotify-send-IN_UNMOUNT-events.patch
|
||||
irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
- Fix typo in Xen patch from 2.6.32.22.
|
||||
|
||||
* Mon Sep 20 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.22-169
|
||||
- Linux 2.6.32.22
|
||||
- Drop merged patches:
|
||||
01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
hid-01-usbhid-initialize-interface-pointers-early-enough.patch
|
||||
hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
|
||||
alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||
|
||||
* Mon Sep 20 2010 Michael Young <m.a.young@durham.ac.uk>
|
||||
- update pvops
|
||||
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
|
||||
Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
|
||||
|
||||
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
||||
|
||||
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
|
||||
of the parent process's session keyring whether or not the parent has a session
|
||||
keyring [CVE-2010-2960].
|
||||
|
||||
This results in the following oops:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
|
||||
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
|
||||
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
|
||||
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
if the parent process has no session keyring.
|
||||
|
||||
If the system is using pam_keyinit then it mostly protected against this as all
|
||||
processes derived from a login will have inherited the session keyring created
|
||||
by pam_keyinit during the log in procedure.
|
||||
|
||||
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
[ 2.6.32 backport ]
|
||||
|
||||
diff a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1291,7 +1291,8 @@ long keyctl_session_to_parent(void)
|
||||
goto not_permitted;
|
||||
|
||||
/* the keyrings must have the same UID */
|
||||
- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
|
||||
+ if ((pcred->tgcred->session_keyring &&
|
||||
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
|
||||
mycred->tgcred->session_keyring->uid != mycred->euid)
|
||||
goto not_permitted;
|
||||
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
|
||||
Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
|
||||
|
||||
KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
|
||||
|
||||
There's an protected access to the parent process's credentials in the middle
|
||||
of keyctl_session_to_parent(). This results in the following RCU warning:
|
||||
|
||||
===================================================
|
||||
[ INFO: suspicious rcu_dereference_check() usage. ]
|
||||
---------------------------------------------------
|
||||
security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
|
||||
|
||||
other info that might help us debug this:
|
||||
|
||||
rcu_scheduler_active = 1, debug_locks = 0
|
||||
1 lock held by keyctl-session-/2137:
|
||||
#0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
|
||||
|
||||
stack backtrace:
|
||||
Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
|
||||
Call Trace:
|
||||
[<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
|
||||
[<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
|
||||
[<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
The code should take the RCU read lock to make sure the parents credentials
|
||||
don't go away, even though it's holding a spinlock and has IRQ disabled.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
index b2b0998..3868c67 100644
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
|
||||
keyring_r = NULL;
|
||||
|
||||
me = current;
|
||||
+ rcu_read_lock();
|
||||
write_lock_irq(&tasklist_lock);
|
||||
|
||||
parent = me->real_parent;
|
||||
@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
|
||||
set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
|
||||
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
if (oldcred)
|
||||
put_cred(oldcred);
|
||||
return 0;
|
||||
@@ -1327,6 +1329,7 @@ already_same:
|
||||
ret = 0;
|
||||
not_permitted:
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
put_cred(cred);
|
||||
return ret;
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
From: Mark McLoughlin <markmc@redhat.com>
|
||||
Subject: [PATCH] block: silently error unsupported empty barriers too
|
||||
|
||||
With 2.6.31-rc5 in a KVM guest using dm and virtio_blk, we see the
|
||||
following errors:
|
||||
|
||||
end_request: I/O error, dev vda, sector 0
|
||||
end_request: I/O error, dev vda, sector 0
|
||||
|
||||
The errors go away if dm stops submitting empty barriers, by reverting:
|
||||
|
||||
commit 52b1fd5a27c625c78373e024bf570af3c9d44a79
|
||||
Author: Mikulas Patocka <mpatocka@redhat.com>
|
||||
dm: send empty barriers to targets in dm_flush
|
||||
|
||||
We should error all barriers, even empty barriers, on devices like
|
||||
virtio_blk which don't support them.
|
||||
|
||||
See also:
|
||||
|
||||
https://bugzilla.redhat.com/514901
|
||||
|
||||
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
|
||||
Cc: Rusty Russell <rusty@rustcorp.com.au>
|
||||
Cc: Mikulas Patocka <mpatocka@redhat.com>
|
||||
Cc: Alasdair G Kergon <agk@redhat.com>
|
||||
Cc: Neil Brown <neilb@suse.de>
|
||||
---
|
||||
block/blk-core.c | 3 +--
|
||||
1 files changed, 1 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/block/blk-core.c b/block/blk-core.c
|
||||
index e3299a7..35ad2bb 100644
|
||||
--- a/block/blk-core.c
|
||||
+++ b/block/blk-core.c
|
||||
@@ -1163,8 +1163,7 @@ static int __make_request(struct request_queue *q, struct bio *bio)
|
||||
const int unplug = bio_unplug(bio);
|
||||
int rw_flags;
|
||||
|
||||
- if (bio_barrier(bio) && bio_has_data(bio) &&
|
||||
- (q->next_ordered == QUEUE_ORDERED_NONE)) {
|
||||
+ if (bio_barrier(bio) && (q->next_ordered == QUEUE_ORDERED_NONE)) {
|
||||
bio_endio(bio, -EOPNOTSUPP);
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
1.6.4
|
||||
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2
|
||||
29aa10a231882a6e52908642b572326f patch-2.6.32.21.bz2
|
||||
6eac9aebbf9e74546b7c44c0fb9348a7 patch-2.6.32.23.bz2
|
||||
|
|
|
@ -1,51 +0,0 @@
|
|||
From: Steven Rostedt <srostedt@redhat.com>
|
||||
Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400)
|
||||
Subject: tracing: Do not allow llseek to set_ftrace_filter
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
|
||||
|
||||
tracing: Do not allow llseek to set_ftrace_filter
|
||||
|
||||
Reading the file set_ftrace_filter does three things.
|
||||
|
||||
1) shows whether or not filters are set for the function tracer
|
||||
2) shows what functions are set for the function tracer
|
||||
3) shows what triggers are set on any functions
|
||||
|
||||
3 is independent from 1 and 2.
|
||||
|
||||
The way this file currently works is that it is a state machine,
|
||||
and as you read it, it may change state. But this assumption breaks
|
||||
when you use lseek() on the file. The state machine gets out of sync
|
||||
and the t_show() may use the wrong pointer and cause a kernel oops.
|
||||
|
||||
Luckily, this will only kill the app that does the lseek, but the app
|
||||
dies while holding a mutex. This prevents anyone else from using the
|
||||
set_ftrace_filter file (or any other function tracing file for that matter).
|
||||
|
||||
A real fix for this is to rewrite the code, but that is too much for
|
||||
a -rc release or stable. This patch simply disables llseek on the
|
||||
set_ftrace_filter() file for now, and we can do the proper fix for the
|
||||
next major release.
|
||||
|
||||
Reported-by: Robert Swiecki <swiecki@google.com>
|
||||
Cc: Chris Wright <chrisw@sous-sol.org>
|
||||
Cc: Tavis Ormandy <taviso@google.com>
|
||||
Cc: Eugene Teo <eugene@redhat.com>
|
||||
Cc: vendor-sec@lst.de
|
||||
Cc: <stable@kernel.org>
|
||||
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
|
||||
---
|
||||
|
||||
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
|
||||
index 7cb1f45..83a16e9 100644
|
||||
--- a/kernel/trace/ftrace.c
|
||||
+++ b/kernel/trace/ftrace.c
|
||||
@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = {
|
||||
.open = ftrace_filter_open,
|
||||
.read = seq_read,
|
||||
.write = ftrace_filter_write,
|
||||
- .llseek = ftrace_regex_lseek,
|
||||
+ .llseek = no_llseek,
|
||||
.release = ftrace_filter_release,
|
||||
};
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
Fix typo in Xen patch from 2.6.35.5
|
||||
|
||||
--- linux-2.6.35.noarch.orig/drivers/xen/events.c
|
||||
+++ linux-2.6.35.noarch/drivers/xen/events.c
|
||||
@@ -935,7 +935,7 @@ static struct irq_chip xen_dynamic_chip
|
||||
.retrigger = retrigger_dynirq,
|
||||
};
|
||||
|
||||
-static struct irq_chip en_percpu_chip __read_mostly = {
|
||||
+static struct irq_chip xen_percpu_chip __read_mostly = {
|
||||
.name = "xen-percpu",
|
||||
|
||||
.disable = disable_dynirq,
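Review bot: The added patch file's own description says "Fix typo in Xen patch from 2.6.35.5" and its `---`/`+++` paths name a `linux-2.6.35.noarch` tree, which does not match the kernel this spec builds (the `sources` section lists `patch-2.6.32.23.bz2`, and the changelog entry in the kernel.spec section reads "Fix typo in Xen patch from 2.6.32.22"); the spec comment above the ApplyPatch line gives yet a third value, "2.6.22". Applying with a strip prefix presumably ignores the directory names, so the build may still succeed, but a reader cannot tell from the three conflicting version strings which stable update introduced the `en_percpu_chip` spelling that this rename corrects. Suggest making the header line agree with the changelog, e.g. `Fix typo in Xen patch from 2.6.32.22`, and fixing the spec comment to the same value; both of those other lines live in the kernel.spec section, whose start is outside this view.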
|