Linux 2.6.32.22
Drop merged patches: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch 02-compat-test-rax-for-the-system-call-number-not-eax.patch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch hid-01-usbhid-initialize-interface-pointers-early-enough.patch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
This commit is contained in:
parent
55a7c987aa
commit
7eb61976f8
|
@ -1,198 +0,0 @@
|
|||
From f45716729488bd8263b06e7d672c8ff8f2ded8b7 Mon Sep 17 00:00:00 2001
|
||||
From: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Date: Tue, 7 Sep 2010 16:16:18 -0700
|
||||
Subject: [PATCH 1/4] compat: Make compat_alloc_user_space() incorporate the access_ok()
|
||||
|
||||
compat_alloc_user_space() expects the caller to independently call
|
||||
access_ok() to verify the returned area. A missing call could
|
||||
introduce problems on some architectures.
|
||||
|
||||
This patch incorporates the access_ok() check into
|
||||
compat_alloc_user_space() and also adds a sanity check on the length.
|
||||
The existing compat_alloc_user_space() implementations are renamed
|
||||
arch_compat_alloc_user_space() and are used as part of the
|
||||
implementation of the new global function.
|
||||
|
||||
This patch assumes NULL will cause __get_user()/__put_user() to either
|
||||
fail or access userspace on all architectures. This should be
|
||||
followed by checking the return value of compat_access_user_space()
|
||||
for NULL in the callers, at which time the access_ok() in the callers
|
||||
can also be removed.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
|
||||
Acked-by: Chris Metcalf <cmetcalf@tilera.com>
|
||||
Acked-by: David S. Miller <davem@davemloft.net>
|
||||
Acked-by: Ingo Molnar <mingo@elte.hu>
|
||||
Acked-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Acked-by: Tony Luck <tony.luck@intel.com>
|
||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
||||
Cc: Arnd Bergmann <arnd@arndb.de>
|
||||
Cc: Fenghua Yu <fenghua.yu@intel.com>
|
||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
|
||||
Cc: Helge Deller <deller@gmx.de>
|
||||
Cc: James Bottomley <jejb@parisc-linux.org>
|
||||
Cc: Kyle McMartin <kyle@mcmartin.ca>
|
||||
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
||||
Cc: Paul Mackerras <paulus@samba.org>
|
||||
Cc: Ralf Baechle <ralf@linux-mips.org>
|
||||
Cc: <stable@kernel.org>
|
||||
---
|
||||
|
||||
[ edited to fix build on 2.6.32 ]
|
||||
|
||||
arch/ia64/include/asm/compat.h | 2 +-
|
||||
arch/mips/include/asm/compat.h | 2 +-
|
||||
arch/parisc/include/asm/compat.h | 2 +-
|
||||
arch/powerpc/include/asm/compat.h | 2 +-
|
||||
arch/s390/include/asm/compat.h | 2 +-
|
||||
arch/sparc/include/asm/compat.h | 2 +-
|
||||
arch/x86/include/asm/compat.h | 2 +-
|
||||
include/linux/compat.h | 2 ++
|
||||
kernel/compat.c | 22 +++++++++++++++++++++
|
||||
9 files changed, 30 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h
|
||||
index dfcf75b..c8662cd 100644
|
||||
--- a/arch/ia64/include/asm/compat.h
|
||||
+++ b/arch/ia64/include/asm/compat.h
|
||||
@@ -198,7 +198,7 @@ ptr_to_compat(void __user *uptr)
|
||||
}
|
||||
|
||||
static __inline__ void __user *
|
||||
-compat_alloc_user_space (long len)
|
||||
+arch_compat_alloc_user_space (long len)
|
||||
{
|
||||
struct pt_regs *regs = task_pt_regs(current);
|
||||
return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
|
||||
diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h
|
||||
index f58aed3..27505bd 100644
|
||||
--- a/arch/mips/include/asm/compat.h
|
||||
+++ b/arch/mips/include/asm/compat.h
|
||||
@@ -144,7 +144,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = (struct pt_regs *)
|
||||
((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
|
||||
diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h
|
||||
index 7f32611..7c77fa9 100644
|
||||
--- a/arch/parisc/include/asm/compat.h
|
||||
+++ b/arch/parisc/include/asm/compat.h
|
||||
@@ -146,7 +146,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static __inline__ void __user *compat_alloc_user_space(long len)
|
||||
+static __inline__ void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = ¤t->thread.regs;
|
||||
return (void __user *)regs->gr[30];
|
||||
diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h
|
||||
index 4774c2f..8d0fff3 100644
|
||||
--- a/arch/powerpc/include/asm/compat.h
|
||||
+++ b/arch/powerpc/include/asm/compat.h
|
||||
@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = current->thread.regs;
|
||||
unsigned long usp = regs->gpr[1];
|
||||
diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
|
||||
index 01a0802..0c940d3 100644
|
||||
--- a/arch/s390/include/asm/compat.h
|
||||
+++ b/arch/s390/include/asm/compat.h
|
||||
@@ -180,7 +180,7 @@ static inline int is_compat_task(void)
|
||||
|
||||
#endif
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
unsigned long stack;
|
||||
|
||||
diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h
|
||||
index 0e70625..612bb38 100644
|
||||
--- a/arch/sparc/include/asm/compat.h
|
||||
+++ b/arch/sparc/include/asm/compat.h
|
||||
@@ -166,7 +166,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = current_thread_info()->kregs;
|
||||
unsigned long usp = regs->u_regs[UREG_I6];
|
||||
diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
|
||||
index 9a9c7bd..c8c9a74 100644
|
||||
--- a/arch/x86/include/asm/compat.h
|
||||
+++ b/arch/x86/include/asm/compat.h
|
||||
@@ -204,7 +204,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = task_pt_regs(current);
|
||||
return (void __user *)regs->sp - len;
|
||||
diff --git a/include/linux/compat.h b/include/linux/compat.h
|
||||
index af931ee..cab23f2 100644
|
||||
--- a/include/linux/compat.h
|
||||
+++ b/include/linux/compat.h
|
||||
@@ -309,5 +309,7 @@ asmlinkage long compat_sys_newfstatat(unsigned int dfd, char __user * filename,
|
||||
asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename,
|
||||
int flags, int mode);
|
||||
|
||||
+extern void __user *compat_alloc_user_space(unsigned long len);
|
||||
+
|
||||
#endif /* CONFIG_COMPAT */
|
||||
#endif /* _LINUX_COMPAT_H */
|
||||
diff a/kernel/compat.c b/kernel/compat.c
|
||||
--- a/kernel/compat.c
|
||||
+++ b/kernel/compat.c
|
||||
@@ -13,6 +13,7 @@
|
||||
|
||||
#include <linux/linkage.h>
|
||||
#include <linux/compat.h>
|
||||
+#include <linux/module.h>
|
||||
#include <linux/errno.h>
|
||||
#include <linux/time.h>
|
||||
#include <linux/signal.h>
|
||||
@@ -1137,3 +1137,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info)
|
||||
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * Allocate user-space memory for the duration of a single system call,
|
||||
+ * in order to marshall parameters inside a compat thunk.
|
||||
+ */
|
||||
+void __user *compat_alloc_user_space(unsigned long len)
|
||||
+{
|
||||
+ void __user *ptr;
|
||||
+
|
||||
+ /* If len would occupy more than half of the entire compat space... */
|
||||
+ if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
|
||||
+ return NULL;
|
||||
+
|
||||
+ ptr = arch_compat_alloc_user_space(len);
|
||||
+
|
||||
+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
|
||||
+ return NULL;
|
||||
+
|
||||
+ return ptr;
|
||||
+}
|
||||
+EXPORT_SYMBOL_GPL(compat_alloc_user_space);
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
@ -1,97 +0,0 @@
|
|||
From aaeacea2992c28f1d355ff7cd4c4754131bdd831 Mon Sep 17 00:00:00 2001
|
||||
From: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Date: Tue, 14 Sep 2010 12:42:41 -0700
|
||||
Subject: [PATCH 2/4] x86-64, compat: Test %rax for the syscall number, not %eax
|
||||
|
||||
On 64 bits, we always, by necessity, jump through the system call
|
||||
table via %rax. For 32-bit system calls, in theory the system call
|
||||
number is stored in %eax, and the code was testing %eax for a valid
|
||||
system call number. At one point we loaded the stored value back from
|
||||
the stack to enforce zero-extension, but that was removed in checkin
|
||||
d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process
|
||||
will not be able to introduce a non-zero-extended number, but it can
|
||||
happen via ptrace.
|
||||
|
||||
Instead of re-introducing the zero-extension, test what we are
|
||||
actually going to use, i.e. %rax. This only adds a handful of REX
|
||||
prefixes to the code.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Cc: <stable@kernel.org>
|
||||
Cc: Roland McGrath <roland@redhat.com>
|
||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
arch/x86/ia32/ia32entry.S | 14 +++++++-------
|
||||
1 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
|
||||
index 5294d84..7f9eb54 100644
|
||||
--- a/arch/x86/ia32/ia32entry.S
|
||||
+++ b/arch/x86/ia32/ia32entry.S
|
||||
@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
|
||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
||||
CFI_REMEMBER_STATE
|
||||
jnz sysenter_tracesys
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja ia32_badsys
|
||||
sysenter_do_call:
|
||||
IA32_ARG_FIXUP
|
||||
@@ -195,7 +195,7 @@ sysexit_from_sys_call:
|
||||
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
|
||||
call audit_syscall_entry
|
||||
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja ia32_badsys
|
||||
movl %ebx,%edi /* reload 1st syscall arg */
|
||||
movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */
|
||||
@@ -248,7 +248,7 @@ sysenter_tracesys:
|
||||
call syscall_trace_enter
|
||||
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
|
||||
RESTORE_REST
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
|
||||
jmp sysenter_do_call
|
||||
CFI_ENDPROC
|
||||
@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
|
||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
||||
CFI_REMEMBER_STATE
|
||||
jnz cstar_tracesys
|
||||
- cmpl $IA32_NR_syscalls-1,%eax
|
||||
+ cmpq $IA32_NR_syscalls-1,%rax
|
||||
ja ia32_badsys
|
||||
cstar_do_call:
|
||||
IA32_ARG_FIXUP 1
|
||||
@@ -367,7 +367,7 @@ cstar_tracesys:
|
||||
LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
|
||||
RESTORE_REST
|
||||
xchgl %ebp,%r9d
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
|
||||
jmp cstar_do_call
|
||||
END(ia32_cstar_target)
|
||||
@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
|
||||
orl $TS_COMPAT,TI_status(%r10)
|
||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
||||
jnz ia32_tracesys
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja ia32_badsys
|
||||
ia32_do_call:
|
||||
IA32_ARG_FIXUP
|
||||
@@ -444,7 +444,7 @@ ia32_tracesys:
|
||||
call syscall_trace_enter
|
||||
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
|
||||
RESTORE_REST
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
|
||||
jmp ia32_do_call
|
||||
END(ia32_syscall)
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
From 1fa16daaa76d1b132c8fee027c11bad5a5d25761 Mon Sep 17 00:00:00 2001
|
||||
From: Roland McGrath <roland@redhat.com>
|
||||
Date: Tue, 14 Sep 2010 12:22:58 -0700
|
||||
Subject: [PATCH 3/4] x86-64, compat: Retruncate rax after ia32 syscall entry tracing
|
||||
|
||||
In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
|
||||
32-bit tracee in system call entry. A %rax value set via ptrace at the
|
||||
entry tracing stop gets used whole as a 32-bit syscall number, while we
|
||||
only check the low 32 bits for validity.
|
||||
|
||||
Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
|
||||
in addition to testing the full 64 bits as has already been added.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
---
|
||||
arch/x86/ia32/ia32entry.S | 8 +++++++-
|
||||
1 files changed, 7 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
|
||||
index 7f9eb54..4edd8eb 100644
|
||||
--- a/arch/x86/ia32/ia32entry.S
|
||||
+++ b/arch/x86/ia32/ia32entry.S
|
||||
@@ -50,7 +50,12 @@
|
||||
/*
|
||||
* Reload arg registers from stack in case ptrace changed them.
|
||||
* We don't reload %eax because syscall_trace_enter() returned
|
||||
- * the value it wants us to use in the table lookup.
|
||||
+ * the %rax value we should see. Instead, we just truncate that
|
||||
+ * value to 32 bits again as we did on entry from user mode.
|
||||
+ * If it's a new value set by user_regset during entry tracing,
|
||||
+ * this matches the normal truncation of the user-mode value.
|
||||
+ * If it's -1 to make us punt the syscall, then (u32)-1 is still
|
||||
+ * an appropriately invalid value.
|
||||
*/
|
||||
.macro LOAD_ARGS32 offset, _r9=0
|
||||
.if \_r9
|
||||
@@ -60,6 +65,7 @@
|
||||
movl \offset+48(%rsp),%edx
|
||||
movl \offset+56(%rsp),%esi
|
||||
movl \offset+64(%rsp),%edi
|
||||
+ movl %eax,%eax /* zero extension */
|
||||
.endm
|
||||
|
||||
.macro CFI_STARTPROC32 simple
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
|
||||
Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
|
||||
|
||||
ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
||||
|
||||
The error handling in snd_seq_oss_open() has several bad codes that
|
||||
do dereferecing released pointers and double-free of kmalloc'ed data.
|
||||
The object dp is release in free_devinfo() that is called via
|
||||
private_free callback. The rest shouldn't touch this object any more.
|
||||
|
||||
The patch changes delete_port() to call kfree() in any case, and gets
|
||||
rid of unnecessary calls of destructors in snd_seq_oss_open().
|
||||
|
||||
Fixes CVE-2010-3080.
|
||||
|
||||
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Cc: <stable@kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
|
||||
diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
|
||||
index 6857122..69cd7b3 100644
|
||||
--- a/sound/core/seq/oss/seq_oss_init.c
|
||||
+++ b/sound/core/seq/oss/seq_oss_init.c
|
||||
@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
|
||||
return 0;
|
||||
|
||||
_error:
|
||||
- snd_seq_oss_writeq_delete(dp->writeq);
|
||||
- snd_seq_oss_readq_delete(dp->readq);
|
||||
snd_seq_oss_synth_cleanup(dp);
|
||||
snd_seq_oss_midi_cleanup(dp);
|
||||
- delete_port(dp);
|
||||
delete_seq_queue(dp->queue);
|
||||
- kfree(dp);
|
||||
+ delete_port(dp);
|
||||
|
||||
return rc;
|
||||
}
|
||||
@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
|
||||
static int
|
||||
delete_port(struct seq_oss_devinfo *dp)
|
||||
{
|
||||
- if (dp->port < 0)
|
||||
+ if (dp->port < 0) {
|
||||
+ kfree(dp);
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
debug_printk(("delete_port %i\n", dp->port));
|
||||
return snd_seq_event_port_detach(dp->cseq, dp->port);
|
|
@ -10283,7 +10283,7 @@ index 601415d..b27202d 100644
|
|||
+ dev_priv->pipe_to_crtc_mapping[intel_crtc->pipe] = &intel_crtc->base;
|
||||
+
|
||||
intel_crtc->cursor_addr = 0;
|
||||
intel_crtc->dpms_mode = DRM_MODE_DPMS_OFF;
|
||||
intel_crtc->dpms_mode = -1;
|
||||
drm_crtc_helper_add(&intel_crtc->base, &intel_helper_funcs);
|
||||
@@ -4036,7 +4382,7 @@ static void intel_setup_outputs(struct drm_device *dev)
|
||||
if (IS_MOBILE(dev) && !IS_I830(dev))
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
commit 57ab12e418ec4fe24c11788bb1bbdabb29d05679
|
||||
Author: Jiri Kosina <jkosina at suse.cz>
|
||||
Date: Wed Feb 17 14:25:01 2010 +0100
|
||||
|
||||
HID: usbhid: initialize interface pointers early enough
|
||||
|
||||
Move the initialization of USB interface pointers from _start()
|
||||
over to _probe() callback, which is where it belongs.
|
||||
|
||||
This fixes case where interface is NULL when parsing of report
|
||||
descriptor fails.
|
||||
|
||||
LKML-Reference: <20100213135720.603e5f64 at neptune.home>
|
||||
Reported-by: Alan Stern <stern at rowland.harvard.edu>
|
||||
Tested-by: Bruno Prémont <bonbons at linux-vserver.org>
|
||||
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
|
||||
|
||||
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
|
||||
index 74bd3ca..ceaf4a1 100644
|
||||
--- a/drivers/hid/usbhid/hid-core.c
|
||||
+++ b/drivers/hid/usbhid/hid-core.c
|
||||
@@ -1005,9 +1005,6 @@ static int usbhid_start(struct hid_device *hid)
|
||||
|
||||
spin_lock_init(&usbhid->lock);
|
||||
|
||||
- usbhid->intf = intf;
|
||||
- usbhid->ifnum = interface->desc.bInterfaceNumber;
|
||||
-
|
||||
usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL);
|
||||
if (!usbhid->urbctrl) {
|
||||
ret = -ENOMEM;
|
||||
@@ -1178,6 +1175,8 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *
|
||||
|
||||
hid->driver_data = usbhid;
|
||||
usbhid->hid = hid;
|
||||
+ usbhid->intf = intf;
|
||||
+ usbhid->ifnum = interface->desc.bInterfaceNumber;
|
||||
|
||||
ret = hid_add_device(hid);
|
||||
if (ret) {
|
|
@ -1,53 +0,0 @@
|
|||
commit fde4e2f73208b8f34f123791e39c0cb6bc74b32a
|
||||
Author: Alan Stern <stern at rowland.harvard.edu>
|
||||
Date: Fri May 7 10:41:10 2010 -0400
|
||||
|
||||
HID: fix suspend crash by moving initializations earlier
|
||||
|
||||
Although the usbhid driver allocates its usbhid structure in the probe
|
||||
routine, several critical fields in that structure don't get
|
||||
initialized until usbhid_start(). However if report descriptor
|
||||
parsing fails then usbhid_start() is never called. This leads to
|
||||
problems during system suspend -- the system will freeze.
|
||||
|
||||
This patch (as1378) fixes the bug by moving the initialization
|
||||
statements up into usbhid_probe().
|
||||
|
||||
Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
|
||||
Reported-by: Bruno Prémont <bonbons at linux-vserver.org>
|
||||
Tested-By: Bruno Prémont <bonbons at linux-vserver.org>
|
||||
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
|
||||
|
||||
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
|
||||
index 56d06cd..7b85b69 100644
|
||||
--- a/drivers/hid/usbhid/hid-core.c
|
||||
+++ b/drivers/hid/usbhid/hid-core.c
|
||||
@@ -999,13 +999,6 @@ static int usbhid_start(struct hid_device *hid)
|
||||
}
|
||||
}
|
||||
|
||||
- init_waitqueue_head(&usbhid->wait);
|
||||
- INIT_WORK(&usbhid->reset_work, hid_reset);
|
||||
- INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues);
|
||||
- setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid);
|
||||
-
|
||||
- spin_lock_init(&usbhid->lock);
|
||||
-
|
||||
usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL);
|
||||
if (!usbhid->urbctrl) {
|
||||
ret = -ENOMEM;
|
||||
@@ -1179,6 +1172,12 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *
|
||||
usbhid->intf = intf;
|
||||
usbhid->ifnum = interface->desc.bInterfaceNumber;
|
||||
|
||||
+ init_waitqueue_head(&usbhid->wait);
|
||||
+ INIT_WORK(&usbhid->reset_work, hid_reset);
|
||||
+ INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues);
|
||||
+ setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid);
|
||||
+ spin_lock_init(&usbhid->lock);
|
||||
+
|
||||
ret = hid_add_device(hid);
|
||||
if (ret) {
|
||||
if (ret != -ENODEV)
|
||||
|
||||
|
39
kernel.spec
39
kernel.spec
|
@ -47,7 +47,7 @@ Summary: The Linux kernel
|
|||
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
|
||||
# scripts/rebase.sh should be made to do that for you, actually.
|
||||
#
|
||||
%global baserelease 168
|
||||
%global baserelease 169
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -59,7 +59,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 21
|
||||
%define stable_update 22
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -638,9 +638,6 @@ Patch21: linux-2.6-tracehook.patch
|
|||
Patch22: linux-2.6-utrace.patch
|
||||
Patch23: linux-2.6-utrace-ptrace.patch
|
||||
|
||||
Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
|
||||
Patch141: linux-2.6-ps3-storage-alias.patch
|
||||
|
@ -840,9 +837,6 @@ Patch14050: crypto-add-async-hash-testing.patch
|
|||
# Red Hat Bugzilla #610911
|
||||
Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||
|
||||
Patch14140: hid-01-usbhid-initialize-interface-pointers-early-enough.patch
|
||||
Patch14141: hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
|
||||
|
||||
Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
|
||||
Patch14200: net-do-not-check-capable-if-kernel.patch
|
||||
|
@ -852,13 +846,9 @@ Patch14210: execve-improve-interactivity-with-large-arguments.patch
|
|||
Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-3080
|
||||
Patch14220: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
# CVE-2010-2960
|
||||
Patch14230: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
Patch14231: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
# CVE-2010-3079
|
||||
Patch14240: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||
|
||||
# ==============================================================================
|
||||
%endif
|
||||
|
@ -1300,11 +1290,6 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
|
|||
ApplyPatch via-hwmon-temp-sensor.patch
|
||||
ApplyPatch linux-2.6-dell-laptop-rfkill-fix.patch
|
||||
|
||||
ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
|
||||
|
||||
#
|
||||
# Intel IOMMU
|
||||
#
|
||||
|
@ -1338,6 +1323,7 @@ ApplyPatch linux-2.6-execshield.patch
|
|||
#
|
||||
# bugfixes to drivers and filesystems
|
||||
#
|
||||
# CVE-2010-3067
|
||||
ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
|
||||
# ext4
|
||||
|
@ -1569,10 +1555,6 @@ ApplyPatch crypto-add-async-hash-testing.patch
|
|||
|
||||
ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||
|
||||
# RHBZ #592785
|
||||
ApplyPatch hid-01-usbhid-initialize-interface-pointers-early-enough.patch
|
||||
ApplyPatch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
|
||||
|
||||
# CVE-2010-2954
|
||||
ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
|
||||
|
@ -1584,13 +1566,9 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
|
|||
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-3080
|
||||
ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
# CVE-2010-2960
|
||||
ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
# CVE-2010-3079
|
||||
ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS ====================================================
|
||||
%endif
|
||||
|
@ -2244,6 +2222,17 @@ fi
|
|||
%kernel_variant_files -k vmlinux %{with_kdump} kdump
|
||||
|
||||
%changelog
|
||||
* Mon Sep 20 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.21-169
|
||||
- Linux 2.6.32.22
|
||||
- Drop merged patches:
|
||||
01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
hid-01-usbhid-initialize-interface-pointers-early-enough.patch
|
||||
hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
|
||||
alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||
|
||||
* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.21-168
|
||||
- Fix three CVEs:
|
||||
CVE-2010-3080: /dev/sequencer open failure is not handled correctly
|
||||
|
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2
|
||||
29aa10a231882a6e52908642b572326f patch-2.6.32.21.bz2
|
||||
da1431a1d659298c6bd11714416c840f patch-2.6.32.22.bz2
|
||||
|
|
|
@ -1,51 +0,0 @@
|
|||
From: Steven Rostedt <srostedt@redhat.com>
|
||||
Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400)
|
||||
Subject: tracing: Do not allow llseek to set_ftrace_filter
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
|
||||
|
||||
tracing: Do not allow llseek to set_ftrace_filter
|
||||
|
||||
Reading the file set_ftrace_filter does three things.
|
||||
|
||||
1) shows whether or not filters are set for the function tracer
|
||||
2) shows what functions are set for the function tracer
|
||||
3) shows what triggers are set on any functions
|
||||
|
||||
3 is independent from 1 and 2.
|
||||
|
||||
The way this file currently works is that it is a state machine,
|
||||
and as you read it, it may change state. But this assumption breaks
|
||||
when you use lseek() on the file. The state machine gets out of sync
|
||||
and the t_show() may use the wrong pointer and cause a kernel oops.
|
||||
|
||||
Luckily, this will only kill the app that does the lseek, but the app
|
||||
dies while holding a mutex. This prevents anyone else from using the
|
||||
set_ftrace_filter file (or any other function tracing file for that matter).
|
||||
|
||||
A real fix for this is to rewrite the code, but that is too much for
|
||||
a -rc release or stable. This patch simply disables llseek on the
|
||||
set_ftrace_filter() file for now, and we can do the proper fix for the
|
||||
next major release.
|
||||
|
||||
Reported-by: Robert Swiecki <swiecki@google.com>
|
||||
Cc: Chris Wright <chrisw@sous-sol.org>
|
||||
Cc: Tavis Ormandy <taviso@google.com>
|
||||
Cc: Eugene Teo <eugene@redhat.com>
|
||||
Cc: vendor-sec@lst.de
|
||||
Cc: <stable@kernel.org>
|
||||
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
|
||||
---
|
||||
|
||||
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
|
||||
index 7cb1f45..83a16e9 100644
|
||||
--- a/kernel/trace/ftrace.c
|
||||
+++ b/kernel/trace/ftrace.c
|
||||
@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = {
|
||||
.open = ftrace_filter_open,
|
||||
.read = seq_read,
|
||||
.write = ftrace_filter_write,
|
||||
- .llseek = ftrace_regex_lseek,
|
||||
+ .llseek = no_llseek,
|
||||
.release = ftrace_filter_release,
|
||||
};
|
||||
|
Loading…
Reference in New Issue