Linux v3.11.10
parent
2ca6c5e549
commit
7a153f806f
|
@ -1,42 +0,0 @@
|
|||
Bugzilla: 1033593
|
||||
Upstream-status: 3.13
|
||||
|
||||
From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
|
||||
From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
|
||||
Date: Thu, 31 Oct 2013 14:01:02 +0530
|
||||
Subject: [PATCH] aacraid: prevent invalid pointer dereference
|
||||
|
||||
It appears that driver runs into a problem here if fibsize is too small
|
||||
because we allocate user_srbcmd with fibsize size only but later we
|
||||
access it until user_srbcmd->sg.count to copy it over to srbcmd.
|
||||
|
||||
It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
|
||||
structure already includes one sg element and this is not needed for
|
||||
commands without data. So, we would recommend to add the following
|
||||
(instead of test for fibsize == 0).
|
||||
|
||||
Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
|
||||
Reported-by: Nico Golde <nico@ngolde.de>
|
||||
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
drivers/scsi/aacraid/commctrl.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
|
||||
index d85ac1a..fbcd48d 100644
|
||||
--- a/drivers/scsi/aacraid/commctrl.c
|
||||
+++ b/drivers/scsi/aacraid/commctrl.c
|
||||
@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
|
||||
+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
|
||||
+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
|
||||
rcode = -EINVAL;
|
||||
goto cleanup;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
Stephan Mueller reported to me recently a error in random number generation in
|
||||
the ansi cprng. If several small requests are made that are less than the
|
||||
instances block size, the remainder for loop code doesn't increment
|
||||
rand_data_valid in the last iteration, meaning that the last bytes in the
|
||||
rand_data buffer gets reused on the subsequent smaller-than-a-block request for
|
||||
random data.
|
||||
|
||||
The fix is pretty easy, just re-code the for loop to make sure that
|
||||
rand_data_valid gets incremented appropriately
|
||||
|
||||
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
|
||||
Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
|
||||
CC: Stephan Mueller <stephan.mueller@atsec.com>
|
||||
CC: Petr Matousek <pmatouse@redhat.com>
|
||||
CC: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
CC: "David S. Miller" <davem@davemloft.net>
|
||||
---
|
||||
crypto/ansi_cprng.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
|
||||
index c0bb377..666f196 100644
|
||||
--- a/crypto/ansi_cprng.c
|
||||
+++ b/crypto/ansi_cprng.c
|
||||
@@ -230,11 +230,11 @@ remainder:
|
||||
*/
|
||||
if (byte_count < DEFAULT_BLK_SZ) {
|
||||
empty_rbuf:
|
||||
- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
|
||||
- ctx->rand_data_valid++) {
|
||||
+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
|
||||
*ptr = ctx->rand_data[ctx->rand_data_valid];
|
||||
ptr++;
|
||||
byte_count--;
|
||||
+ ctx->rand_data_valid++;
|
||||
if (byte_count == 0)
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
|
@ -1,60 +0,0 @@
|
|||
A user reported a problem where they were getting csum errors when running a
|
||||
balance and running systemd's journal. This is because systemd is awesome and
|
||||
fallocate()'s its log space and writes into it. Unfortunately we assume that
|
||||
when we read in all the csums for an extent that they are sequential starting at
|
||||
the bytenr we care about. This obviously isn't the case for prealloc extents,
|
||||
where we could have written to the middle of the prealloc extent only, which
|
||||
means the csum would be for the bytenr in the middle of our range and not the
|
||||
front of our range. Fix this by offsetting the new bytenr we are logging to
|
||||
based on the original bytenr the csum was for. With this patch I no longer see
|
||||
the csum errors I was seeing. Thanks,
|
||||
|
||||
Cc: stable@xxxxxxxxxxxxxxx
|
||||
Reported-by: Chris Murphy <lists@xxxxxxxxxxxxxxxxx>
|
||||
Signed-off-by: Josef Bacik <jbacik@xxxxxxxxxxxx>
|
||||
---
|
||||
fs/btrfs/relocation.c | 18 +++++++++++++++---
|
||||
1 file changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
|
||||
index 5ca7ea9..b7afeaa 100644
|
||||
--- a/fs/btrfs/relocation.c
|
||||
+++ b/fs/btrfs/relocation.c
|
||||
@@ -4472,6 +4472,7 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
|
||||
struct btrfs_root *root = BTRFS_I(inode)->root;
|
||||
int ret;
|
||||
u64 disk_bytenr;
|
||||
+ u64 new_bytenr;
|
||||
LIST_HEAD(list);
|
||||
|
||||
ordered = btrfs_lookup_ordered_extent(inode, file_pos);
|
||||
@@ -4483,13 +4484,24 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
- disk_bytenr = ordered->start;
|
||||
while (!list_empty(&list)) {
|
||||
sums = list_entry(list.next, struct btrfs_ordered_sum, list);
|
||||
list_del_init(&sums->list);
|
||||
|
||||
- sums->bytenr = disk_bytenr;
|
||||
- disk_bytenr += sums->len;
|
||||
+ /*
|
||||
+ * We need to offset the new_bytenr based on where the csum is.
|
||||
+ * We need to do this because we will read in entire prealloc
|
||||
+ * extents but we may have written to say the middle of the
|
||||
+ * prealloc extent, so we need to make sure the csum goes with
|
||||
+ * the right disk offset.
|
||||
+ *
|
||||
+ * We can do this because the data reloc inode refers strictly
|
||||
+ * to the on disk bytes, so we don't have to worry about
|
||||
+ * disk_len vs real len like with real inodes since it's all
|
||||
+ * disk length.
|
||||
+ */
|
||||
+ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr);
|
||||
+ sums->bytenr = new_bytenr;
|
||||
|
||||
btrfs_add_ordered_sum(inode, ordered, sums);
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
29
kernel.spec
29
kernel.spec
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 9
|
||||
%define stable_update 10
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -726,9 +726,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch
|
|||
#rhbz 963715
|
||||
Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||
|
||||
#CVE-2013-4345 rhbz 1007690 1009136
|
||||
Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||
|
||||
#rhbz 985522
|
||||
Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch
|
||||
|
||||
|
@ -765,9 +762,6 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
|
|||
Patch25130: fix-radeon-sound.patch
|
||||
Patch25149: drm-radeon-24hz-audio-fixes.patch
|
||||
|
||||
#rhbz 1011714
|
||||
Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch
|
||||
|
||||
#rhbz 984696
|
||||
Patch25132: rt2800usb-slow-down-TX-status-polling.patch
|
||||
|
||||
|
@ -806,12 +800,6 @@ Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
|
|||
Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch
|
||||
Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
|
||||
|
||||
#CVE-2013-6378 rhbz 1033578 1034183
|
||||
Patch25155: libertas-potential-oops-in-debugfs.patch
|
||||
|
||||
#CVE-2013-6380 rhbz 1033593 1034304
|
||||
Patch25156: aacraid-prevent-invalid-pointer-dereference.patch
|
||||
|
||||
#CVE-2013-6382 rhbz 1033603 1034670
|
||||
Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
|
||||
|
@ -1495,9 +1483,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
|
|||
#rhbz 963715
|
||||
ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||
|
||||
#CVE-2013-4345 rhbz 1007690 1009136
|
||||
ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||
|
||||
#rhbz 985522
|
||||
ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch
|
||||
|
||||
|
@ -1534,9 +1519,6 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
|
|||
ApplyPatch fix-radeon-sound.patch
|
||||
ApplyPatch drm-radeon-24hz-audio-fixes.patch
|
||||
|
||||
#rhbz 1011714
|
||||
ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch
|
||||
|
||||
#rhbz 984696
|
||||
ApplyPatch rt2800usb-slow-down-TX-status-polling.patch
|
||||
|
||||
|
@ -1575,12 +1557,6 @@ ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
|
|||
ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch
|
||||
ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
|
||||
|
||||
#CVE-2013-6378 rhbz 1033578 1034183
|
||||
ApplyPatch libertas-potential-oops-in-debugfs.patch
|
||||
|
||||
#CVE-2013-6380 rhbz 1033593 1034304
|
||||
ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch
|
||||
|
||||
#CVE-2013-6382 rhbz 1033603 1034670
|
||||
ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
|
||||
|
@ -2402,7 +2378,8 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Fri Nov 29 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
* Fri Nov 29 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.10-200
|
||||
- Linux v3.11.10
|
||||
- Fix memory leak in qxl (from Dave Airlie)
|
||||
|
||||
* Tue Nov 26 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
|
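Review bot: The new %changelog entry for 3.11.10-200 says only `- Linux v3.11.10`, yet this section appears to drop the Patch/ApplyPatch lines for three CVE-tagged fixes (CVE-2013-4345, CVE-2013-6378, CVE-2013-6380) and the btrfs csum fix (rhbz 1011714). Presumably they are part of the 3.11.10 stable update, but nothing visible here confirms it. The aacraid and libertas patch files deleted in this commit are marked `Upstream-status: 3.13`, so each is worth checking against the stable tree before the carried copy goes away. A changelog line such as `- Drop CVE-2013-4345, CVE-2013-6378, CVE-2013-6380 and rhbz 1011714 patches, included in 3.11.10` would keep the fixes traceable in the rpm changelog.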
|
|
@ -1,50 +0,0 @@
|
|||
Bugzilla: 1034183
|
||||
Upstream-status: 3.13
|
||||
|
||||
From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Wed, 30 Oct 2013 20:12:51 +0300
|
||||
Subject: [PATCH] libertas: potential oops in debugfs
|
||||
|
||||
If we do a zero size allocation then it will oops. Also we can't be
|
||||
sure the user passes us a NUL terminated string so I've added a
|
||||
terminator.
|
||||
|
||||
This code can only be triggered by root.
|
||||
|
||||
Reported-by: Nico Golde <nico@ngolde.de>
|
||||
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Acked-by: Dan Williams <dcbw@redhat.com>
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
drivers/net/wireless/libertas/debugfs.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
|
||||
index 668dd27..cc6a0a5 100644
|
||||
--- a/drivers/net/wireless/libertas/debugfs.c
|
||||
+++ b/drivers/net/wireless/libertas/debugfs.c
|
||||
@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
|
||||
char *p2;
|
||||
struct debug_data *d = f->private_data;
|
||||
|
||||
- pdata = kmalloc(cnt, GFP_KERNEL);
|
||||
+ if (cnt == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ pdata = kmalloc(cnt + 1, GFP_KERNEL);
|
||||
if (pdata == NULL)
|
||||
return 0;
|
||||
|
||||
@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
|
||||
kfree(pdata);
|
||||
return 0;
|
||||
}
|
||||
+ pdata[cnt] = '\0';
|
||||
|
||||
p0 = pdata;
|
||||
for (i = 0; i < num_of_items; i++) {
|
||||
--
|
||||
1.8.3.1
|
||||
|