Linux 2.6.35.14

Chuck Ebbert 2011-08-03 17:54:26 -04:00
parent 398aba2d45
commit 7760c97dcd
17 changed files with 27 additions and 653 deletions

1
.gitignore vendored

@ -3,3 +3,4 @@ patch-*.bz2
clog
*.rpm
kernel-2.6.*/
kernel-3.*/


@ -1,55 +0,0 @@
From: Vasiliy Kulikov <segoon@openwall.com>
Date: Thu, 14 Apr 2011 16:55:16 +0000 (+0400)
Subject: agp: fix arbitrary kernel memory writes
X-Git-Tag: v2.6.39-rc5~29^2
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=194b3da873fd334ef183806db751473512af29ce
agp: fix arbitrary kernel memory writes
pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
and it is not checked at all in case of AGPIOC_UNBIND. As a result, user
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
index 850a643..b072648 100644
--- a/drivers/char/agp/generic.c
+++ b/drivers/char/agp/generic.c
@@ -1095,8 +1095,8 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type)
return -EINVAL;
}
- /* AK: could wrap */
- if ((pg_start + mem->page_count) > num_entries)
+ if (((pg_start + mem->page_count) > num_entries) ||
+ ((pg_start + mem->page_count) < pg_start))
return -EINVAL;
j = pg_start;
@@ -1130,7 +1130,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
{
size_t i;
struct agp_bridge_data *bridge;
- int mask_type;
+ int mask_type, num_entries;
bridge = mem->bridge;
if (!bridge)
@@ -1142,6 +1142,11 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
if (type != mem->type)
return -EINVAL;
+ num_entries = agp_num_entries();
+ if (((pg_start + mem->page_count) > num_entries) ||
+ ((pg_start + mem->page_count) < pg_start))
+ return -EINVAL;
+
mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
if (mask_type != 0) {
/* The generic routines know nothing of memory types */


@ -1,56 +0,0 @@
From: Vasiliy Kulikov <segoon@openwall.com>
Date: Thu, 14 Apr 2011 16:55:19 +0000 (+0400)
Subject: agp: fix OOM and buffer overflow
X-Git-Tag: v2.6.39-rc5~29^2~1
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=b522f02184b413955f3bc952e3776ce41edc6355
agp: fix OOM and buffer overflow
page_count is copied from userspace. agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case. Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.
Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked) process.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
index 012cba0..850a643 100644
--- a/drivers/char/agp/generic.c
+++ b/drivers/char/agp/generic.c
@@ -115,6 +115,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
struct agp_memory *new;
unsigned long alloc_size = num_agp_pages*sizeof(struct page *);
+ if (INT_MAX/sizeof(struct page *) < num_agp_pages)
+ return NULL;
+
new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
if (new == NULL)
return NULL;
@@ -234,11 +237,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
int scratch_pages;
struct agp_memory *new;
size_t i;
+ int cur_memory;
if (!bridge)
return NULL;
- if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp)
+ cur_memory = atomic_read(&bridge->current_memory_agp);
+ if ((cur_memory + page_count > bridge->max_memory_agp) ||
+ (cur_memory + page_count < page_count))
return NULL;
if (type >= AGP_USER_TYPES) {


@ -1,41 +0,0 @@
From kernel-bounces@lists.fedoraproject.org Fri Sep 17 17:09:15 2010
From: Will Woods <wwoods@redhat.com>
To: Marcel Holtmann <marcel@holtmann.org>
Subject: [PATCH 2/2] bluetooth: add support for controller in MacBookPro6,2
Date: Fri, 17 Sep 2010 17:09:21 -0400
Once again the device class is ff(vend.) instead of e0(wlcon).
output from 'usb-devices':
T: Bus=01 Lev=03 Prnt=03 Port=02 Cnt=03 Dev#= 8 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=05ac ProdID=8218 Rev=00.22
S: Manufacturer=Apple Inc.
S: Product=Bluetooth USB Host Controller
C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
Signed-off-by: Will Woods <wwoods@redhat.com>
---
drivers/bluetooth/btusb.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index eac44e4..320e798 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -65,6 +65,9 @@ static struct usb_device_id btusb_table[] = {
/* Apple iMac11,1 */
{ USB_DEVICE(0x05ac, 0x8215) },
+ /* Apple MacBookPro6,2 */
+ { USB_DEVICE(0x05ac, 0x8218) },
+
/* Apple MacBookPro8,2 */
{ USB_DEVICE(0x05ac, 0x821a) },
--
1.7.2.3


@ -1,42 +0,0 @@
From kernel-bounces@lists.fedoraproject.org Fri Sep 17 17:09:18 2010
From: Will Woods <wwoods@redhat.com>
To: Marcel Holtmann <marcel@holtmann.org>
Subject: [PATCH 1/2] bluetooth: add support for controller in MacBookPro7,1
Date: Fri, 17 Sep 2010 17:09:20 -0400
As with iMac11,1 the device class is ff(vend.) instead of e0(wlcon).
output from 'usb-devices':
T: Bus=04 Lev=02 Prnt=04 Port=00 Cnt=01 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=05ac ProdID=8213 Rev=01.86
S: Manufacturer=Apple Inc.
S: Product=Bluetooth USB Host Controller
S: SerialNumber=58B0359C28ED
C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=00 Driver=(none)
Signed-off-by: Will Woods <wwoods@redhat.com>
---
drivers/bluetooth/btusb.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index d22ce3c..eac44e4 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -59,6 +59,9 @@ static struct usb_device_id btusb_table[] = {
/* Generic Bluetooth USB device */
{ USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
+ /* Apple MacBookPro7,1 */
+ { USB_DEVICE(0x05ac, 0x8213) },
+
/* Apple iMac11,1 */
{ USB_DEVICE(0x05ac, 0x8215) },
--
1.7.2.3


@ -1,33 +0,0 @@
From: Jeff Layton <jlayton@redhat.com>
Date: Tue, 17 May 2011 10:40:30 +0000 (-0400)
Subject: cifs: add fallback in is_path_accessible for old servers
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=221d1d797202984cb874e3ed9f1388593d34ee22
cifs: add fallback in is_path_accessible for old servers
The is_path_accessible check uses a QPathInfo call, which isn't
supported by ancient win9x era servers. Fall back to an older
SMBQueryInfo call if it fails with the magic error codes.
Cc: stable@kernel.org
Reported-and-Tested-by: Sandro Bonazzola <sandro.bonazzola@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
---
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 05f1dcf..277262a 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2673,6 +2673,11 @@ is_path_accessible(int xid, struct cifsTconInfo *tcon,
0 /* not legacy */, cifs_sb->local_nls,
cifs_sb->mnt_cifs_flags &
CIFS_MOUNT_MAP_SPECIAL_CHR);
+
+ if (rc == -EOPNOTSUPP || rc == -EINVAL)
+ rc = SMBQueryInformation(xid, tcon, full_path, pfile_info,
+ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
kfree(pfile_info);
return rc;
}


@ -1,35 +0,0 @@
From a294865978b701e4d0d90135672749531b9a900d Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Fri, 6 May 2011 03:27:18 +0000
Subject: dccp: handle invalid feature options length
From: Dan Rosenberg <drosenberg@vsecurity.com>
commit a294865978b701e4d0d90135672749531b9a900d upstream.
A length of zero (after subtracting two for the type and len fields) for
the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
the subtraction. The subsequent code may read past the end of the
options value buffer when parsing. I'm unsure of what the consequences
of this might be, but it's probably not good.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/dccp/options.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk,
case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */
break;
+ if (len == 0)
+ goto out_invalid_option;
rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
*value, value + 1, len - 1);
if (rc)


@ -1,84 +0,0 @@
commit 22d3243de86bc92d874abb7c5b185d5c47aba323
Author: Jim Bos <jim876@xs4all.nl>
Date: Mon Nov 15 21:22:37 2010 +0100
Fix gcc 4.5.1 miscompiling drivers/char/i8k.c (again)
The fix in commit 6b4e81db2552 ("i8k: Tell gcc that *regs gets
clobbered") to work around the gcc miscompiling i8k.c to add "+m
(*regs)" caused register pressure problems and a build failure.
Changing the 'asm' statement to 'asm volatile' instead should prevent
that and works around the gcc bug as well, so we can remove the "+m".
[ Background on the gcc bug: a memory clobber fails to mark the function
the asm resides in as non-pure (aka "__attribute__((const))"), so if
the function does nothing else that triggers the non-pure logic, gcc
will think that that function has no side effects at all. As a result,
callers will be mis-compiled.
Adding the "+m" made gcc see that it's not a pure function, and so
does "asm volatile". The problem was never really the need to mark
"*regs" as changed, since the memory clobber did that part - the
problem was just a bug in the gcc "pure" function analysis - Linus ]
Signed-off-by: Jim Bos <jim876@xs4all.nl>
Acked-by: Jakub Jelinek <jakub@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
commit 6b4e81db2552bad04100e7d5ddeed7e848f53b48
Author: Jim Bos <jim876@xs4all.nl>
Date: Sat Nov 13 12:13:53 2010 +0100
i8k: Tell gcc that *regs gets clobbered
More recent GCC caused the i8k driver to stop working, on Slackware
compiler was upgraded from gcc-4.4.4 to gcc-4.5.1 after which it didn't
work anymore, meaning the driver didn't load or gave total nonsensical
output.
As it turned out the asm(..) statement forgot to mention it modifies the
*regs variable.
Credits to Andi Kleen and Andreas Schwab for providing the fix.
Signed-off-by: Jim Bos <jim876@xs4all.nl>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c
index 3bc0eef..d72433f 100644
--- a/drivers/char/i8k.c
+++ b/drivers/char/i8k.c
@@ -120,7 +120,7 @@ static int i8k_smm(struct smm_regs *regs)
int eax = regs->eax;
#if defined(CONFIG_X86_64)
- asm("pushq %%rax\n\t"
+ asm volatile("pushq %%rax\n\t"
"movl 0(%%rax),%%edx\n\t"
"pushq %%rdx\n\t"
"movl 4(%%rax),%%ebx\n\t"
@@ -146,7 +146,7 @@ static int i8k_smm(struct smm_regs *regs)
: "a"(regs)
: "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
#else
- asm("pushl %%eax\n\t"
+ asm volatile("pushl %%eax\n\t"
"movl 0(%%eax),%%edx\n\t"
"push %%edx\n\t"
"movl 4(%%eax),%%ebx\n\t"
@@ -167,7 +167,8 @@ static int i8k_smm(struct smm_regs *regs)
"movl %%edx,0(%%eax)\n\t"
"lahf\n\t"
"shrl $8,%%eax\n\t"
- "andl $1,%%eax\n":"=a"(rc)
+ "andl $1,%%eax\n"
+ :"=a"(rc)
: "a"(regs)
: "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory");
#endif


@ -1,30 +0,0 @@
diff --git a/drivers/media/dvb/b2c2/flexcop-pci.c b/drivers/media/dvb/b2c2/flexcop-pci.c
index 227c020..7465308 100644
--- a/drivers/media/dvb/b2c2/flexcop-pci.c
+++ b/drivers/media/dvb/b2c2/flexcop-pci.c
@@ -39,6 +39,7 @@ MODULE_PARM_DESC(debug,
#define DRIVER_VERSION "0.1"
#define DRIVER_NAME "Technisat/B2C2 FlexCop II/IIb/III Digital TV PCI Driver"
+#define FLEXCOP_MODULE_NAME "b2c2-flexcop"
#define DRIVER_AUTHOR "Patrick Boettcher <patrick.boettcher@desy.de>"
struct flexcop_pci {
@@ -299,7 +300,7 @@ static int flexcop_pci_init(struct flexcop_pci *fc_pci)
return ret;
pci_set_master(fc_pci->pdev);
- if ((ret = pci_request_regions(fc_pci->pdev, DRIVER_NAME)) != 0)
+ if ((ret = pci_request_regions(fc_pci->pdev, FLEXCOP_MODULE_NAME)) != 0)
goto err_pci_disable_device;
fc_pci->io_mem = pci_iomap(fc_pci->pdev, 0, 0x800);
@@ -313,7 +314,7 @@ static int flexcop_pci_init(struct flexcop_pci *fc_pci)
pci_set_drvdata(fc_pci->pdev, fc_pci);
spin_lock_init(&fc_pci->irq_lock);
if ((ret = request_irq(fc_pci->pdev->irq, flexcop_pci_isr,
- IRQF_SHARED, DRIVER_NAME, fc_pci)) != 0)
+ IRQF_SHARED, FLEXCOP_MODULE_NAME, fc_pci)) != 0)
goto err_pci_iounmap;
fc_pci->init_state |= FC_PCI_INIT;


@ -48,7 +48,7 @@ Summary: The Linux kernel
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
# scripts/rebase.sh should be made to do that for you, actually.
#
%global baserelease 93
%global baserelease 94
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -60,7 +60,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 13
%define stable_update 14
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@ -757,17 +757,12 @@ Patch12080: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
Patch12085: fix-rcu_deref_check-warning.patch
Patch12086: linux-2.6-cgroups-rcu.patch
Patch12517: flexcop-fix-xlate_proc_name-warning.patch
Patch12565: sched-05-avoid-side-effect-of-tickless-idle-on-update_cpu_load.patch
Patch12570: sched-10-change-nohz-idle-load-balancing-logic-to-push-model.patch
Patch12575: sched-15-update-rq-clock-for-nohz-balanced-cpus.patch
Patch12580: sched-20-fix-rq-clock-synchronization-when-migrating-tasks.patch
Patch12590: sched-30-sched-fix-nohz-balance-kick.patch
Patch13600: btusb-macbookpro-6-2.patch
Patch13601: btusb-macbookpro-7-1.patch
Patch13610: libata-it821x-dump-stack-on-cache-flush.patch
Patch13630: dm-allow-setting-of-uuid-via-rename-if-not-already-set.patch
@ -782,8 +777,6 @@ Patch13642: mmc-add-ricoh-e822-pci-id.patch
Patch13645: tpm-autodetect-itpm-devices.patch
Patch13652: fix-i8k-inline-asm.patch
Patch13660: rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
Patch13661: rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
@ -830,31 +823,12 @@ Patch13710: linux-2.6-bonding-sysfs-warning.patch
# rhbz#680791
Patch13711: md-fix-regression-resulting-in-delays-in-clearing-bits-in-a-bitmap.patch
Patch13713: virtio_net-add-schedule-check-to-napi_enable-call.patch
# cve-2011-1745
Patch13957: agp-fix-arbitrary-kernel-memory-writes.patch
# cve-2011-1746
Patch13958: agp-fix-oom-and-buffer-overflow.patch
# CVE-2011-1494, CVE-2011-1495
Patch13960: scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
# fix credentials leakage regression (#700637)
Patch13961: revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
Patch13962: af_netlink-add-needed-scm_destroy-after-scm_send.patch
# fix regression causing stalls on AMD processors in 2.6.35.13
Patch13963: x86-amd-fix-arat-feature-setting-again.patch
Patch13964: x86-amd-arat-bug-on-sempron-workaround.patch
Patch13969: scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
# fix bug in 2.6.35.13 with old windows servers
Patch13970: cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
# cve-2011-1770
Patch13980: dccp-handle-invalid-feature-options-length.patch
# the rest of the pgoff wrap fix
Patch13990: vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
@ -1493,9 +1467,6 @@ ApplyPatch linux-2.6-v4l-dvb-build-lirc.patch
# own patch
ApplyPatch linux-2.6-v4l-dvb-backport-reverts.patch
# bz #575873
ApplyPatch flexcop-fix-xlate_proc_name-warning.patch
# Fix DMA bug on via-velocity
ApplyPatch linux-2.6-via-velocity-dma-fix.patch
@ -1528,9 +1499,6 @@ ApplyPatch sched-15-update-rq-clock-for-nohz-balanced-cpus.patch
ApplyPatch sched-20-fix-rq-clock-synchronization-when-migrating-tasks.patch
ApplyPatch sched-30-sched-fix-nohz-balance-kick.patch
ApplyPatch btusb-macbookpro-7-1.patch
ApplyPatch btusb-macbookpro-6-2.patch
# temporary patch, dump stack on failed it821x commands
ApplyPatch libata-it821x-dump-stack-on-cache-flush.patch
@ -1549,8 +1517,6 @@ ApplyPatch mmc-add-ricoh-e822-pci-id.patch
ApplyPatch tpm-autodetect-itpm-devices.patch
ApplyPatch fix-i8k-inline-asm.patch
ApplyPatch rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
ApplyPatch rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
@ -1592,31 +1558,12 @@ ApplyPatch linux-2.6-bonding-sysfs-warning.patch
# rhbz#680791
ApplyPatch md-fix-regression-resulting-in-delays-in-clearing-bits-in-a-bitmap.patch
ApplyPatch virtio_net-add-schedule-check-to-napi_enable-call.patch
# cve-2011-1745
ApplyPatch agp-fix-arbitrary-kernel-memory-writes.patch
# cve-2011-1746
ApplyPatch agp-fix-oom-and-buffer-overflow.patch
# CVE-2011-1494, CVE-2011-1495
ApplyPatch scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
# fix credentials leakage regression (#700637)
ApplyPatch revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
ApplyPatch af_netlink-add-needed-scm_destroy-after-scm_send.patch
# fix regression causing stalls on AMD processors in 2.6.35.13
ApplyPatch x86-amd-fix-arat-feature-setting-again.patch
ApplyPatch x86-amd-arat-bug-on-sempron-workaround.patch
ApplyPatch scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
# fix bug in 2.6.35.13 with old windows servers
ApplyPatch cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
# cve-2011-1770
ApplyPatch dccp-handle-invalid-feature-options-length.patch
# the rest of the pgoff wrap fix
ApplyPatch vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
@ -2211,6 +2158,22 @@ fi
# and build.
%changelog
* Wed Aug 03 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.35.14-94
- Linux 2.6.35.14
- Drop merged patches:
flexcop-fix-xlate_proc_name-warning.patch
btusb-macbookpro-6-2.patch
btusb-macbookpro-7-1.patch
fix-i8k-inline-asm.patch
virtio_net-add-schedule-check-to-napi_enable-call.patch
agp-fix-arbitrary-kernel-memory-writes.patch
agp-fix-oom-and-buffer-overflow.patch
scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
x86-amd-arat-bug-on-sempron-workaround.patch
x86-amd-fix-arat-feature-setting-again.patch
cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
dccp-handle-invalid-feature-options-length.patch
* Mon Jun 20 2011 Kyle McMartin <kmcmartin@redhat.com> 2.6.35.13-93
- [sgruszka@] iwlwifi: fix general 11n instability (#648732,#666646)
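Review bot: The changelog hunk at the end of this section lists x86-amd-arat-bug-on-sempron-workaround.patch under "Drop merged patches", but the file deleted further down in this commit is a local temporary workaround that special-cases `cpu->x86 == 0x10 && cpu->x86_model == 6 && cpu->x86_mask == 2` in cpu_has_amd_erratum(), not an upstream commit. The upstream change dropped beside it (the `c->x86 >= 0xf` → `c->x86 > 0xf` edit in init_amd) only stops ARAT from being set on family 0xf, so it does not by itself cover the family 0x10 Sempron that the workaround's comment describes as hanging in C3 because the BIOS clears the OSVW bit. Unless 2.6.35.14 carries a separate fix for that CPU, removing the Patch13964/ApplyPatch lines reintroduces that hang; either keep them or name the superseding stable commit. A changelog line such as `- x86-amd-arat-bug-on-sempron-workaround.patch: superseded by <STABLE-COMMIT-ID>` would make the decision auditable.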


@ -141,8 +141,8 @@
set_user_gs(regs, 0);
+
regs->fs = 0;
set_fs(USER_DS);
regs->ds = __USER_DS;
regs->es = __USER_DS;
@@ -252,6 +255,11 @@ start_thread(struct pt_regs *regs, unsigned long new_ip, unsigned long new_sp)
regs->cs = __USER_CS;
regs->ip = new_ip;


@ -187072,7 +187072,7 @@ diff -Naurp linux-2.6.35/drivers/media/video/uvc/uvc_queue.c linux-2.6.35.media/
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -78,16 +78,51 @@
@@ -78,16 +78,53 @@
*
*/
@ -187103,6 +187103,8 @@ diff -Naurp linux-2.6.35/drivers/media/video/uvc/uvc_queue.c linux-2.6.35.media/
+ }
+
+ if (queue->count) {
+ uvc_queue_cancel(queue, 0);
+ INIT_LIST_HEAD(&queue->mainqueue);
+ vfree(queue->mem);
+ queue->count = 0;
+ }
@ -187142,7 +187144,7 @@ diff -Naurp linux-2.6.35/drivers/media/video/uvc/uvc_queue.c linux-2.6.35.media/
queue->buffer[i].buf.field = V4L2_FIELD_NONE;
queue->buffer[i].buf.memory = V4L2_MEMORY_MMAP;
queue->buffer[i].buf.flags = 0;
@@ -151,28 +185,6 @@ done:
@@ -151,30 +185,6 @@ done:
}
/*
@ -187160,6 +187162,8 @@ diff -Naurp linux-2.6.35/drivers/media/video/uvc/uvc_queue.c linux-2.6.35.media/
- }
-
- if (queue->count) {
- uvc_queue_cancel(queue, 0);
- INIT_LIST_HEAD(&queue->mainqueue);
- vfree(queue->mem);
- queue->count = 0;
- }


@ -1,85 +0,0 @@
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Tue, 5 Apr 2011 16:45:59 +0000 (-0400)
Subject: [SCSI] mpt2sas: prevent heap overflows and unchecked reads
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a1f74ae82d133ebb2aabb19d181944b4e83e9960
[trivial backport to 2.6.34]
[SCSI] mpt2sas: prevent heap overflows and unchecked reads
At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.
Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Eric Moore <eric.moore@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
---
diff --git a/drivers/scsi/mpt2sas/mpt2sas_ctl.c b/drivers/scsi/mpt2sas/mpt2sas_ctl.c
index 1c6d2b4..d72f1f2 100644
--- a/drivers/scsi/mpt2sas/mpt2sas_ctl.c
+++ b/drivers/scsi/mpt2sas/mpt2sas_ctl.c
@@ -688,6 +688,13 @@ _ctl_do_mpt_command(struct MPT2SAS_ADAPTER *ioc,
data_out_sz = karg.data_out_size;
data_in_sz = karg.data_in_size;
+ /* Check for overflow and wraparound */
+ if (karg.data_sge_offset * 4 > ioc->request_sz ||
+ karg.data_sge_offset > (UINT_MAX / 4)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
/* copy in request message frame from user */
if (copy_from_user(mpi_request, mf, karg.data_sge_offset*4)) {
printk(KERN_ERR "failure at %s:%d/%s()!\n", __FILE__, __LINE__,
@@ -1963,7 +1970,7 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state)
Mpi2DiagBufferPostReply_t *mpi_reply;
int rc, i;
u8 buffer_type;
- unsigned long timeleft;
+ unsigned long timeleft, request_size, copy_size;
u16 smid;
u16 ioc_status;
u8 issue_reset = 0;
@@ -1999,6 +2006,8 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state)
return -ENOMEM;
}
+ request_size = ioc->diag_buffer_sz[buffer_type];
+
if ((karg.starting_offset % 4) || (karg.bytes_to_read % 4)) {
printk(MPT2SAS_ERR_FMT "%s: either the starting_offset "
"or bytes_to_read are not 4 byte aligned\n", ioc->name,
@@ -2006,13 +2015,23 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state)
return -EINVAL;
}
+ if (karg.starting_offset > request_size)
+ return -EINVAL;
+
diag_data = (void *)(request_data + karg.starting_offset);
dctlprintk(ioc, printk(MPT2SAS_DEBUG_FMT "%s: diag_buffer(%p), "
"offset(%d), sz(%d)\n", ioc->name, __func__,
diag_data, karg.starting_offset, karg.bytes_to_read));
+ /* Truncate data on requests that are too large */
+ if ((diag_data + karg.bytes_to_read < diag_data) ||
+ (diag_data + karg.bytes_to_read > request_data + request_size))
+ copy_size = request_size - karg.starting_offset;
+ else
+ copy_size = karg.bytes_to_read;
+
if (copy_to_user((void __user *)uarg->diagnostic_data,
- diag_data, karg.bytes_to_read)) {
+ diag_data, copy_size)) {
printk(MPT2SAS_ERR_FMT "%s: Unable to write "
"mpt_diag_read_buffer_t data @ %p\n", ioc->name,
__func__, diag_data);


@ -1,2 +1,2 @@
091abeb4684ce03d1d936851618687b6 linux-2.6.35.tar.bz2
017e8564c850d950b91bb4ce94974c07 patch-2.6.35.13.bz2
1f540c6bb638e1fff9de25648d063e4c patch-2.6.35.14.bz2


@ -1,76 +0,0 @@
From b5740f0377e4fb924517b68f9a7ad7f5647fe8ac Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@novell.com>
Date: Thu, 10 Feb 2011 11:03:31 -0800
Subject: [PATCH] virtio_net: Add schedule check to napi_enable call
Under harsh testing conditions, including low memory, the guest would
stop receiving packets. With this patch applied we no longer see any
problems in the driver while performing these tests for extended periods
of time.
Make sure napi is scheduled subsequent to each napi_enable.
Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Olaf Kirch <okir@suse.de>
Cc: stable@kernel.org
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/net/virtio_net.c | 27 ++++++++++++++++-----------
1 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index bb6b67f..1cf8da8 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -446,6 +446,20 @@ static void skb_recv_done(struct virtqueue *rvq)
}
}
+static void virtnet_napi_enable(struct virtnet_info *vi)
+{
+ napi_enable(&vi->napi);
+
+ /* If all buffers were filled by other side before we napi_enabled, we
+ * won't get another interrupt, so process any outstanding packets
+ * now. virtnet_poll wants re-enable the queue, so we disable here.
+ * We synchronize against interrupts via NAPI_STATE_SCHED */
+ if (napi_schedule_prep(&vi->napi)) {
+ virtqueue_disable_cb(vi->rvq);
+ __napi_schedule(&vi->napi);
+ }
+}
+
static void refill_work(struct work_struct *work)
{
struct virtnet_info *vi;
@@ -454,7 +468,7 @@ static void refill_work(struct work_struct *work)
vi = container_of(work, struct virtnet_info, refill.work);
napi_disable(&vi->napi);
still_empty = !try_fill_recv(vi, GFP_KERNEL);
- napi_enable(&vi->napi);
+ virtnet_napi_enable(vi);
/* In theory, this can happen: if we don't get any buffers in
* we will *never* try to fill again. */
@@ -638,16 +652,7 @@ static int virtnet_open(struct net_device *dev)
{
struct virtnet_info *vi = netdev_priv(dev);
- napi_enable(&vi->napi);
-
- /* If all buffers were filled by other side before we napi_enabled, we
- * won't get another interrupt, so process any outstanding packets
- * now. virtnet_poll wants re-enable the queue, so we disable here.
- * We synchronize against interrupts via NAPI_STATE_SCHED */
- if (napi_schedule_prep(&vi->napi)) {
- virtqueue_disable_cb(vi->rvq);
- __napi_schedule(&vi->napi);
- }
+ virtnet_napi_enable(vi);
return 0;
}
--
1.7.4.1


@ -1,18 +0,0 @@
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -724,6 +724,15 @@ bool cpu_has_amd_erratum(const int *erra
if (cpu->x86_vendor != X86_VENDOR_AMD)
return false;
+ /*
+ * Temporary workaround for ARAT bug on Sempron.
+ * The BIOS clears the bit in OSVW, so the check
+ * fails, then ARAT gets set and when the processor
+ * uses C3 it hangs. Always return true for that CPU.
+ */
+ if (cpu->x86 == 0x10 && cpu->x86_model == 6 && cpu->x86_mask == 2)
+ return true;
+
if (osvw_id >= 0 && osvw_id < 65536 &&
cpu_has(cpu, X86_FEATURE_OSVW)) {
u64 osvw_len;


@ -1,39 +0,0 @@
From: Borislav Petkov <borislav.petkov@amd.com>
Date: Tue, 17 May 2011 12:55:19 +0000 (+0200)
Subject: x86, AMD: Fix ARAT feature setting again
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=14fb57dccb6e1defe9f89a66f548fcb24c374c1d
x86, AMD: Fix ARAT feature setting again
Trying to enable the local APIC timer on early K8 revisions
uncovers a number of other issues with it, in conjunction with
the C1E enter path on AMD. Fixing those causes much more churn
and troubles than the benefit of using that timer brings so
don't enable it on K8 at all, falling back to the original
functionality the kernel had wrt to that.
Reported-and-bisected-by: Nick Bowler <nbowler@elliptictech.com>
Cc: Boris Ostrovsky <Boris.Ostrovsky@amd.com>
Cc: Andreas Herrmann <andreas.herrmann3@amd.com>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Cc: Hans Rosenfeld <hans.rosenfeld@amd.com>
Cc: Nick Bowler <nbowler@elliptictech.com>
Cc: Joerg-Volker-Peetz <jvpeetz@web.de>
Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
Link: http://lkml.kernel.org/r/1305636919-31165-3-git-send-email-bp@amd64.org
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 3532d3b..6f9d1f6 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -613,7 +613,7 @@ static void __cpuinit init_amd(struct cpuinfo_x86 *c)
#endif
/* As a rule processors have APIC timer running in deep C states */
- if (c->x86 >= 0xf && !cpu_has_amd_erratum(amd_erratum_400))
+ if (c->x86 > 0xf && !cpu_has_amd_erratum(amd_erratum_400))
set_cpu_cap(c, X86_FEATURE_ARAT);
/*