Linux 3.3.7
parent
af7453a806
commit
763835f054
|
@ -1,120 +0,0 @@
|
|||
From 1bb57e940e1958e40d51f2078f50c3a96a9b2d75 Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Date: Wed, 25 Apr 2012 14:32:09 +0000
|
||||
Subject: [PATCH] dl2k: Clean up rio_ioctl
|
||||
|
||||
The dl2k driver's rio_ioctl call has a few issues:
|
||||
- No permissions checking
|
||||
- Implements SIOCGMIIREG and SIOCGMIIREG using the SIOCDEVPRIVATE numbers
|
||||
- Has a few ioctls that may have been used for debugging at one point
|
||||
but have no place in the kernel proper.
|
||||
|
||||
This patch removes all but the MII ioctls, renumbers them to use the
|
||||
standard ones, and adds the proper permission check for SIOCSMIIREG.
|
||||
|
||||
We can also get rid of the dl2k-specific struct mii_data in favor of
|
||||
the generic struct mii_ioctl_data.
|
||||
|
||||
Since we have the phyid on hand, we can add the SIOCGMIIPHY ioctl too.
|
||||
|
||||
Most of the MII code for the driver could probably be converted to use
|
||||
the generic MII library but I don't have a device to test the results.
|
||||
|
||||
Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/ethernet/dlink/dl2k.c | 52 ++++++------------------------------
|
||||
drivers/net/ethernet/dlink/dl2k.h | 7 -----
|
||||
2 files changed, 9 insertions(+), 50 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c
|
||||
index b2dc2c8..2e09edb 100644
|
||||
--- a/drivers/net/ethernet/dlink/dl2k.c
|
||||
+++ b/drivers/net/ethernet/dlink/dl2k.c
|
||||
@@ -1259,55 +1259,21 @@ rio_ioctl (struct net_device *dev, struct ifreq *rq, int cmd)
|
||||
{
|
||||
int phy_addr;
|
||||
struct netdev_private *np = netdev_priv(dev);
|
||||
- struct mii_data *miidata = (struct mii_data *) &rq->ifr_ifru;
|
||||
-
|
||||
- struct netdev_desc *desc;
|
||||
- int i;
|
||||
+ struct mii_ioctl_data *miidata = if_mii(rq);
|
||||
|
||||
phy_addr = np->phy_addr;
|
||||
switch (cmd) {
|
||||
- case SIOCDEVPRIVATE:
|
||||
- break;
|
||||
-
|
||||
- case SIOCDEVPRIVATE + 1:
|
||||
- miidata->out_value = mii_read (dev, phy_addr, miidata->reg_num);
|
||||
+ case SIOCGMIIPHY:
|
||||
+ miidata->phy_id = phy_addr;
|
||||
break;
|
||||
- case SIOCDEVPRIVATE + 2:
|
||||
- mii_write (dev, phy_addr, miidata->reg_num, miidata->in_value);
|
||||
+ case SIOCGMIIREG:
|
||||
+ miidata->val_out = mii_read (dev, phy_addr, miidata->reg_num);
|
||||
break;
|
||||
- case SIOCDEVPRIVATE + 3:
|
||||
- break;
|
||||
- case SIOCDEVPRIVATE + 4:
|
||||
- break;
|
||||
- case SIOCDEVPRIVATE + 5:
|
||||
- netif_stop_queue (dev);
|
||||
+ case SIOCSMIIREG:
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ return -EPERM;
|
||||
+ mii_write (dev, phy_addr, miidata->reg_num, miidata->val_in);
|
||||
break;
|
||||
- case SIOCDEVPRIVATE + 6:
|
||||
- netif_wake_queue (dev);
|
||||
- break;
|
||||
- case SIOCDEVPRIVATE + 7:
|
||||
- printk
|
||||
- ("tx_full=%x cur_tx=%lx old_tx=%lx cur_rx=%lx old_rx=%lx\n",
|
||||
- netif_queue_stopped(dev), np->cur_tx, np->old_tx, np->cur_rx,
|
||||
- np->old_rx);
|
||||
- break;
|
||||
- case SIOCDEVPRIVATE + 8:
|
||||
- printk("TX ring:\n");
|
||||
- for (i = 0; i < TX_RING_SIZE; i++) {
|
||||
- desc = &np->tx_ring[i];
|
||||
- printk
|
||||
- ("%02x:cur:%08x next:%08x status:%08x frag1:%08x frag0:%08x",
|
||||
- i,
|
||||
- (u32) (np->tx_ring_dma + i * sizeof (*desc)),
|
||||
- (u32)le64_to_cpu(desc->next_desc),
|
||||
- (u32)le64_to_cpu(desc->status),
|
||||
- (u32)(le64_to_cpu(desc->fraginfo) >> 32),
|
||||
- (u32)le64_to_cpu(desc->fraginfo));
|
||||
- printk ("\n");
|
||||
- }
|
||||
- printk ("\n");
|
||||
- break;
|
||||
-
|
||||
default:
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
diff --git a/drivers/net/ethernet/dlink/dl2k.h b/drivers/net/ethernet/dlink/dl2k.h
|
||||
index ba0adca..30c2da3 100644
|
||||
--- a/drivers/net/ethernet/dlink/dl2k.h
|
||||
+++ b/drivers/net/ethernet/dlink/dl2k.h
|
||||
@@ -365,13 +365,6 @@ struct ioctl_data {
|
||||
char *data;
|
||||
};
|
||||
|
||||
-struct mii_data {
|
||||
- __u16 reserved;
|
||||
- __u16 reg_num;
|
||||
- __u16 in_value;
|
||||
- __u16 out_value;
|
||||
-};
|
||||
-
|
||||
/* The Rx and Tx buffer descriptors. */
|
||||
struct netdev_desc {
|
||||
__le64 next_desc;
|
||||
--
|
||||
1.7.7.6
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c
|
||||
index 39696c6..de7dc29 100644
|
||||
--- a/drivers/media/dvb/dvb-core/dvb_frontend.c
|
||||
+++ b/drivers/media/dvb/dvb-core/dvb_frontend.c
|
||||
@@ -1898,6 +1898,10 @@ static int dtv_set_frontend(struct dvb_frontend *fe)
|
||||
} else {
|
||||
/* default values */
|
||||
switch (c->delivery_system) {
|
||||
+ case SYS_DVBS:
|
||||
+ case SYS_DVBS2:
|
||||
+ case SYS_ISDBS:
|
||||
+ case SYS_TURBO:
|
||||
case SYS_DVBC_ANNEX_A:
|
||||
case SYS_DVBC_ANNEX_C:
|
||||
fepriv->min_delay = HZ / 20;
|
22
kernel.spec
22
kernel.spec
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# When changing real_sublevel below, reset this by hand to 1
|
||||
# (or to 0 and then use rpmdev-bumpspec).
|
||||
#
|
||||
%global baserelease 5
|
||||
%global baserelease 1
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# real_sublevel is the 3.x kernel version we're starting with
|
||||
|
@ -51,7 +51,7 @@ Summary: The Linux kernel
|
|||
%define fake_sublevel %(echo $((40 + %{real_sublevel})))
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 6
|
||||
%define stable_update 7
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -630,7 +630,6 @@ Patch2802: linux-2.6-silence-acpi-blacklist.patch
|
|||
# media patches
|
||||
Patch2900: add-poll-requested-events.patch
|
||||
Patch2901: drivers-media-update.patch
|
||||
Patch2902: dvbs-fix-zigzag.patch
|
||||
|
||||
# fs fixes
|
||||
|
||||
|
@ -643,10 +642,6 @@ Patch4001: NFSv4-Further-reduce-the-footprint-of-the-idmapper.patch
|
|||
Patch4107: NFSv4-Minor-cleanups-for-nfs4_handle_exception-and-n.patch
|
||||
Patch4115: NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
|
||||
|
||||
#rhbz 822874
|
||||
Patch4116: nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch
|
||||
Patch4117: nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch
|
||||
|
||||
# patches headed upstream
|
||||
|
||||
Patch12016: disable-i8042-check-on-apple-mac.patch
|
||||
|
@ -702,9 +697,6 @@ Patch22007: macvtap-zerocopy-validate-vector-length.patch
|
|||
#rhbz 817298
|
||||
Patch22013: ipw2x00-add-supported-cipher-suites-to-wiphy-initialization.patch
|
||||
|
||||
#rhbz 818820
|
||||
Patch22016: dl2k-Clean-up-rio_ioctl.patch
|
||||
|
||||
#rhbz 749276
|
||||
Patch22018: atl1c_net_next_update-3.3.patch
|
||||
|
||||
|
@ -1170,9 +1162,6 @@ ApplyPatch NFSv4-Further-reduce-the-footprint-of-the-idmapper.patch
|
|||
ApplyPatch NFSv4-Minor-cleanups-for-nfs4_handle_exception-and-n.patch
|
||||
ApplyPatch NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
|
||||
|
||||
ApplyPatch nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch
|
||||
ApplyPatch nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch
|
||||
|
||||
# USB
|
||||
|
||||
# WMI
|
||||
|
@ -1257,7 +1246,6 @@ ApplyPatch quite-apm.patch
|
|||
# Media (V4L/DVB/IR) updates/fixes/experimental drivers
|
||||
# apply if non-empty
|
||||
ApplyPatch add-poll-requested-events.patch
|
||||
ApplyPatch dvbs-fix-zigzag.patch
|
||||
ApplyOptionalPatch drivers-media-update.patch
|
||||
|
||||
# Patches headed upstream
|
||||
|
@ -1306,9 +1294,6 @@ ApplyPatch macvtap-zerocopy-validate-vector-length.patch
|
|||
#rhbz 817298
|
||||
ApplyPatch ipw2x00-add-supported-cipher-suites-to-wiphy-initialization.patch
|
||||
|
||||
#rhbz 818820
|
||||
ApplyPatch dl2k-Clean-up-rio_ioctl.patch
|
||||
|
||||
#rhbz 749276
|
||||
ApplyPatch atl1c_net_next_update-3.3.patch
|
||||
|
||||
|
@ -1970,6 +1955,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon May 21 2012 Justin M. Forbes <jforbes@redhat.com> 3.3.7-1
|
||||
- Linux 3.3.7
|
||||
|
||||
* Fri May 18 2012 Josh Boyer <jwboyer@redhat.com>
|
||||
- Additional fixes for CVE-2011-4131 (rhbz 822874 822869)
|
||||
|
||||
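Review bot: The new changelog entry at the end of this section records only `- Linux 3.3.7`, yet judging by the hunk line counts the same section stops applying four patches. They are nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch and nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch (rhbz 822874, which the previous entry ties to CVE-2011-4131), dl2k-Clean-up-rio_ioctl.patch (rhbz 818820, the change that adds the CAP_NET_ADMIN check before SIOCSMIIREG), and dvbs-fix-zigzag.patch. Presumably all four are carried by the 3.3.7 stable update, but nothing on this page confirms it, and anyone auditing the package history would see the fixes disappear without explanation. After checking each against the upstream 3.3.7 changelog, I would add lines such as `- Drop NFSv4 GETACL fixes (rhbz 822874), included in 3.3.7` and `- Drop dl2k rio_ioctl cleanup (rhbz 818820), included in 3.3.7`.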
|
|
|
@ -1,85 +0,0 @@
|
|||
From 5794d21ef4639f0e33440927bb903f9598c21e92 Mon Sep 17 00:00:00 2001
|
||||
From: Sachin Prabhu <sprabhu@redhat.com>
|
||||
Date: Tue, 17 Apr 2012 14:36:40 +0100
|
||||
Subject: [PATCH] Avoid beyond bounds copy while caching ACL
|
||||
|
||||
When attempting to cache ACLs returned from the server, if the bitmap
|
||||
size + the ACL size is greater than a PAGE_SIZE but the ACL size itself
|
||||
is smaller than a PAGE_SIZE, we can read past the buffer page boundary.
|
||||
|
||||
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
|
||||
Reported-by: Jian Li <jiali@redhat.com>
|
||||
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
|
||||
---
|
||||
fs/nfs/nfs4proc.c | 12 +++++-------
|
||||
fs/nfs/nfs4xdr.c | 2 +-
|
||||
2 files changed, 6 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
|
||||
index f5f125f..2ce0698 100644
|
||||
--- a/fs/nfs/nfs4proc.c
|
||||
+++ b/fs/nfs/nfs4proc.c
|
||||
@@ -3628,16 +3628,16 @@ out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static void nfs4_write_cached_acl(struct inode *inode, const char *buf, size_t acl_len)
|
||||
+static void nfs4_write_cached_acl(struct inode *inode, struct page **pages, size_t pgbase, size_t acl_len)
|
||||
{
|
||||
struct nfs4_cached_acl *acl;
|
||||
|
||||
- if (buf && acl_len <= PAGE_SIZE) {
|
||||
+ if (pages && acl_len <= PAGE_SIZE) {
|
||||
acl = kmalloc(sizeof(*acl) + acl_len, GFP_KERNEL);
|
||||
if (acl == NULL)
|
||||
goto out;
|
||||
acl->cached = 1;
|
||||
- memcpy(acl->data, buf, acl_len);
|
||||
+ _copy_from_pages(acl->data, pages, pgbase, acl_len);
|
||||
} else {
|
||||
acl = kmalloc(sizeof(*acl), GFP_KERNEL);
|
||||
if (acl == NULL)
|
||||
@@ -3670,7 +3670,6 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
|
||||
struct nfs_getaclres res = {
|
||||
.acl_len = buflen,
|
||||
};
|
||||
- void *resp_buf;
|
||||
struct rpc_message msg = {
|
||||
.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_GETACL],
|
||||
.rpc_argp = &args,
|
||||
@@ -3705,7 +3704,6 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
|
||||
* the page we send as a guess */
|
||||
if (buf == NULL)
|
||||
res.acl_flags |= NFS4_ACL_LEN_REQUEST;
|
||||
- resp_buf = page_address(pages[0]);
|
||||
|
||||
dprintk("%s buf %p buflen %zu npages %d args.acl_len %zu\n",
|
||||
__func__, buf, buflen, npages, args.acl_len);
|
||||
@@ -3716,9 +3714,9 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
|
||||
|
||||
acl_len = res.acl_len - res.acl_data_offset;
|
||||
if (acl_len > args.acl_len)
|
||||
- nfs4_write_cached_acl(inode, NULL, acl_len);
|
||||
+ nfs4_write_cached_acl(inode, NULL, 0, acl_len);
|
||||
else
|
||||
- nfs4_write_cached_acl(inode, resp_buf + res.acl_data_offset,
|
||||
+ nfs4_write_cached_acl(inode, pages, res.acl_data_offset,
|
||||
acl_len);
|
||||
if (buf) {
|
||||
ret = -ERANGE;
|
||||
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
|
||||
index 9312dd7..203c096 100644
|
||||
--- a/fs/nfs/nfs4xdr.c
|
||||
+++ b/fs/nfs/nfs4xdr.c
|
||||
@@ -4940,7 +4940,7 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
|
||||
res->acl_len = attrlen;
|
||||
goto out;
|
||||
}
|
||||
- dprintk("NFS: acl reply: attrlen %zu > page_len %u\n",
|
||||
+ dprintk("NFS: acl reply: attrlen %u > page_len %zu\n",
|
||||
attrlen, page_len);
|
||||
return -EINVAL;
|
||||
}
|
||||
--
|
||||
1.7.7.6
|
||||
|
|
@ -1,120 +0,0 @@
|
|||
From 5a00689930ab975fdd1b37b034475017e460cf2a Mon Sep 17 00:00:00 2001
|
||||
From: Sachin Prabhu <sprabhu@redhat.com>
|
||||
Date: Tue, 17 Apr 2012 14:35:39 +0100
|
||||
Subject: [PATCH] Avoid reading past buffer when calling GETACL
|
||||
|
||||
Bug noticed in commit
|
||||
bf118a342f10dafe44b14451a1392c3254629a1f
|
||||
|
||||
When calling GETACL, if the size of the bitmap array, the length
|
||||
attribute and the acl returned by the server is greater than the
|
||||
allocated buffer(args.acl_len), we can Oops with a General Protection
|
||||
fault at _copy_from_pages() when we attempt to read past the pages
|
||||
allocated.
|
||||
|
||||
This patch allocates an extra PAGE for the bitmap and checks to see that
|
||||
the bitmap + attribute_length + ACLs don't exceed the buffer space
|
||||
allocated to it.
|
||||
|
||||
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
|
||||
Reported-by: Jian Li <jiali@redhat.com>
|
||||
[Trond: Fixed a size_t vs unsigned int printk() warning]
|
||||
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
|
||||
---
|
||||
fs/nfs/nfs4proc.c | 16 ++++++++++------
|
||||
fs/nfs/nfs4xdr.c | 18 +++++++++++-------
|
||||
2 files changed, 21 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
|
||||
index 60d5f4c..f5f125f 100644
|
||||
--- a/fs/nfs/nfs4proc.c
|
||||
+++ b/fs/nfs/nfs4proc.c
|
||||
@@ -3684,19 +3684,23 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
|
||||
if (npages == 0)
|
||||
npages = 1;
|
||||
|
||||
+ /* Add an extra page to handle the bitmap returned */
|
||||
+ npages++;
|
||||
+
|
||||
for (i = 0; i < npages; i++) {
|
||||
pages[i] = alloc_page(GFP_KERNEL);
|
||||
if (!pages[i])
|
||||
goto out_free;
|
||||
}
|
||||
- if (npages > 1) {
|
||||
- /* for decoding across pages */
|
||||
- res.acl_scratch = alloc_page(GFP_KERNEL);
|
||||
- if (!res.acl_scratch)
|
||||
- goto out_free;
|
||||
- }
|
||||
+
|
||||
+ /* for decoding across pages */
|
||||
+ res.acl_scratch = alloc_page(GFP_KERNEL);
|
||||
+ if (!res.acl_scratch)
|
||||
+ goto out_free;
|
||||
+
|
||||
args.acl_len = npages * PAGE_SIZE;
|
||||
args.acl_pgbase = 0;
|
||||
+
|
||||
/* Let decode_getfacl know not to fail if the ACL data is larger than
|
||||
* the page we send as a guess */
|
||||
if (buf == NULL)
|
||||
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
|
||||
index 77fc5f9..9312dd7 100644
|
||||
--- a/fs/nfs/nfs4xdr.c
|
||||
+++ b/fs/nfs/nfs4xdr.c
|
||||
@@ -4902,11 +4902,19 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
|
||||
bitmap[3] = {0};
|
||||
struct kvec *iov = req->rq_rcv_buf.head;
|
||||
int status;
|
||||
+ size_t page_len = xdr->buf->page_len;
|
||||
|
||||
res->acl_len = 0;
|
||||
if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)
|
||||
goto out;
|
||||
+
|
||||
bm_p = xdr->p;
|
||||
+ res->acl_data_offset = be32_to_cpup(bm_p) + 2;
|
||||
+ res->acl_data_offset <<= 2;
|
||||
+ /* Check if the acl data starts beyond the allocated buffer */
|
||||
+ if (res->acl_data_offset > page_len)
|
||||
+ return -ERANGE;
|
||||
+
|
||||
if ((status = decode_attr_bitmap(xdr, bitmap)) != 0)
|
||||
goto out;
|
||||
if ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)
|
||||
@@ -4916,28 +4924,24 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
|
||||
return -EIO;
|
||||
if (likely(bitmap[0] & FATTR4_WORD0_ACL)) {
|
||||
size_t hdrlen;
|
||||
- u32 recvd;
|
||||
|
||||
/* The bitmap (xdr len + bitmaps) and the attr xdr len words
|
||||
* are stored with the acl data to handle the problem of
|
||||
* variable length bitmaps.*/
|
||||
xdr->p = bm_p;
|
||||
- res->acl_data_offset = be32_to_cpup(bm_p) + 2;
|
||||
- res->acl_data_offset <<= 2;
|
||||
|
||||
/* We ignore &savep and don't do consistency checks on
|
||||
* the attr length. Let userspace figure it out.... */
|
||||
hdrlen = (u8 *)xdr->p - (u8 *)iov->iov_base;
|
||||
attrlen += res->acl_data_offset;
|
||||
- recvd = req->rq_rcv_buf.len - hdrlen;
|
||||
- if (attrlen > recvd) {
|
||||
+ if (attrlen > page_len) {
|
||||
if (res->acl_flags & NFS4_ACL_LEN_REQUEST) {
|
||||
/* getxattr interface called with a NULL buf */
|
||||
res->acl_len = attrlen;
|
||||
goto out;
|
||||
}
|
||||
- dprintk("NFS: acl reply: attrlen %u > recvd %u\n",
|
||||
- attrlen, recvd);
|
||||
+ dprintk("NFS: acl reply: attrlen %zu > page_len %u\n",
|
||||
+ attrlen, page_len);
|
||||
return -EINVAL;
|
||||
}
|
||||
xdr_read_pages(xdr, attrlen);
|
||||
--
|
||||
1.7.7.6
|
||||
|