rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v3.13.9

This commit is contained in:
Justin M. Forbes 2014-04-03 19:28:52 -05:00
parent 0a005ac427
commit 89368f5bd2
5 changed files with 5 additions and 316 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

180
cgroup-fixes.patch
View File

@ -1,180 +0,0 @@
Bugzilla: 1045775
Upstream-status: queued for 3.14-rc3 and stable 3.12+
Path: news.gmane.org!not-for-mail
From: Michal Hocko <mhocko@suse.cz>
Newsgroups: gmane.linux.kernel,gmane.linux.kernel.cgroups
Subject: Re: [PATCH] cgroup: protect modifications to cgroup_idr with
cgroup_mutex
Date: Wed, 12 Feb 2014 10:12:38 +0100
Lines: 127
Approved: news@gmane.org
Message-ID: <20140212091238.GC28085@dhcp22.suse.cz>
References: <52F9D9DA.7040108@huawei.com>
<20140211102032.GA11946@dhcp22.suse.cz>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1392196376 529 80.91.229.3 (12 Feb 2014 09:12:56 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Wed, 12 Feb 2014 09:12:56 +0000 (UTC)
Cc: Tejun Heo <tj@kernel.org>, LKML <linux-kernel@vger.kernel.org>,
Cgroups <cgroups@vger.kernel.org>
To: Li Zefan <lizefan@huawei.com>
Original-X-From: linux-kernel-owner@vger.kernel.org Wed Feb 12 10:13:03 2014
Return-path: <linux-kernel-owner@vger.kernel.org>
Envelope-to: glk-linux-kernel-3@plane.gmane.org
Original-Received: from vger.kernel.org ([209.132.180.67])
by plane.gmane.org with esmtp (Exim 4.69)
(envelope-from <linux-kernel-owner@vger.kernel.org>)
id 1WDVsM-0003po-4o
for glk-linux-kernel-3@plane.gmane.org; Wed, 12 Feb 2014 10:13:02 +0100
Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1751758AbaBLJMs (ORCPT <rfc822;glk-linux-kernel-3@m.gmane.org>);
Wed, 12 Feb 2014 04:12:48 -0500
Original-Received: from cantor2.suse.de ([195.135.220.15]:34766 "EHLO mx2.suse.de"
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
id S1750890AbaBLJMk (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
Wed, 12 Feb 2014 04:12:40 -0500
Original-Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254])
by mx2.suse.de (Postfix) with ESMTP id 216F1ABB2;
Wed, 12 Feb 2014 09:12:39 +0000 (UTC)
Content-Disposition: inline
In-Reply-To: <20140211102032.GA11946@dhcp22.suse.cz>
User-Agent: Mutt/1.5.21 (2010-09-15)
Original-Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Xref: news.gmane.org gmane.linux.kernel:1646465 gmane.linux.kernel.cgroups:10357
Archived-At: <http://permalink.gmane.org/gmane.linux.kernel/1646465>
Li has pointed out that my previous backport was not correct because
err_unlock label releases a reference to supperblock which was not taken
before idr_alloc. I've also removed cgroup_mutex from free_css_id as per
Li.
Fixed in this version.
---
Date: Tue, 11 Feb 2014 16:05:46 +0800
From: Li Zefan <lizefan@huawei.com>
Subject: [PATCH - for 3.12] cgroup: protect modifications to cgroup_idr with cgroup_mutex
Setup cgroupfs like this:
# mount -t cgroup -o cpuacct xxx /cgroup
# mkdir /cgroup/sub1
# mkdir /cgroup/sub2
Then run these two commands:
# for ((; ;)) { mkdir /cgroup/sub1/tmp && rmdir /mnt/sub1/tmp; } &
# for ((; ;)) { mkdir /cgroup/sub2/tmp && rmdir /mnt/sub2/tmp; } &
After seconds you may see this warning:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 25243 at lib/idr.c:527 sub_remove+0x87/0x1b0()
idr_remove called for id=6 which is not allocated.
...
Call Trace:
[<ffffffff8156063c>] dump_stack+0x7a/0x96
[<ffffffff810591ac>] warn_slowpath_common+0x8c/0xc0
[<ffffffff81059296>] warn_slowpath_fmt+0x46/0x50
[<ffffffff81300aa7>] sub_remove+0x87/0x1b0
[<ffffffff810f3f02>] ? css_killed_work_fn+0x32/0x1b0
[<ffffffff81300bf5>] idr_remove+0x25/0xd0
[<ffffffff810f2bab>] cgroup_destroy_css_killed+0x5b/0xc0
[<ffffffff810f4000>] css_killed_work_fn+0x130/0x1b0
[<ffffffff8107cdbc>] process_one_work+0x26c/0x550
[<ffffffff8107eefe>] worker_thread+0x12e/0x3b0
[<ffffffff81085f96>] kthread+0xe6/0xf0
[<ffffffff81570bac>] ret_from_fork+0x7c/0xb0
---[ end trace 2d1577ec10cf80d0 ]---
It's because allocating/removing cgroup ID is not properly synchronized.
The bug was introduced when we converted cgroup_ida to cgroup_idr.
While synchronization is already done inside ida_simple_{get,remove}(),
users are responsible for concurrent calls to idr_{alloc,remove}().
[mhocko@suse.cz: ported to 3.12]
Fixes: 4e96ee8e981b ("cgroup: convert cgroup_ida to cgroup_idr")
Cc: <stable@vger.kernel.org> #3.12+
Reported-by: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Michal Hocko <mhocko@suse.cz>
---
include/linux/cgroup.h | 2 ++
kernel/cgroup.c | 23 ++++++++++++-----------
2 files changed, 14 insertions(+), 11 deletions(-)
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -169,6 +169,8 @@ struct cgroup {
*
* The ID of the root cgroup is always 0, and a new cgroup
* will be assigned with a smallest available ID.
+ *
+ * Allocating/Removing ID must be protected by cgroup_mutex.
*/
int id;
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -4410,16 +4410,6 @@ static long cgroup_create(struct cgroup
rcu_assign_pointer(cgrp->name, name);
/*
- * Temporarily set the pointer to NULL, so idr_find() won't return
- * a half-baked cgroup.
- */
- cgrp->id = idr_alloc(&root->cgroup_idr, NULL, 1, 0, GFP_KERNEL);
- if (cgrp->id < 0) {
- err = -ENOMEM;
- goto err_free_name;
- }
-
- /*
* Only live parents can have children. Note that the liveliness
* check isn't strictly necessary because cgroup_mkdir() and
* cgroup_rmdir() are fully synchronized by i_mutex; however, do it
@@ -4426,7 +4418,7 @@ static long cgroup_create(struct cgroup
*/
if (!cgroup_lock_live_group(parent)) {
err = -ENODEV;
- goto err_free_id;
+ goto err_free_name;
}
/* Grab a reference on the superblock so the hierarchy doesn't
@@ -4436,6 +4428,14 @@ static long cgroup_create(struct cgroup
* fs */
atomic_inc(&sb->s_active);
+ /*
+ * Temporarily set the pointer to NULL, so idr_find() won't return
+ * a half-baked cgroup.
+ */
+ cgrp->id = idr_alloc(&root->cgroup_idr, NULL, 1, 0, GFP_KERNEL);
+ if (cgrp->id < 0)
+ goto err_unlock;
+
init_cgroup_housekeeping(cgrp);
dentry->d_fsdata = cgrp;
@@ -4542,11 +4542,11 @@ err_free_all:
ss->css_free(css);
}
}
+ idr_remove(&root->cgroup_idr, cgrp->id);
+err_unlock:
mutex_unlock(&cgroup_mutex);
/* Release the reference count that we took on the superblock */
deactivate_super(sb);
-err_free_id:
- idr_remove(&root->cgroup_idr, cgrp->id);
err_free_name:
kfree(rcu_dereference_raw(cgrp->name));
err_free_cgrp:
--
Michal Hocko
SUSE Labs

50
input-cypress_ps2-Don-t-report-the-cypress-PS-2-trac.patch
View File

@ -1,50 +0,0 @@
From c4aa64b54ecc029579b0c62e976d747a0e567dfc Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Fri, 21 Mar 2014 10:55:11 +0100
Subject: [PATCH] input: cypress_ps2: Don't report the cypress PS/2 trackpads
as a button pad
The cypress PS/2 trackpad models supported by the cypress_ps2 driver emulate
BTN_RIGHT events in firmware based on the finger position, as part of this
no motion events are sent when the finger is in the button area.
The INPUT_PROP_BUTTONPAD property is there to indicate to userspace that
BTN_RIGHT events should be emulated in userspace, which is not necessary
in this case.
When INPUT_PROP_BUTTONPAD is advertised userspace will wait for a motion event
before propagating the button event higher up the stack, as it needs current
abs x + y data for its BTN_RIGHT emulation. Since in the cypress_ps2 pads
don't report motion events in the button area, this means that clicks in the
button area end up being ignored, so INPUT_PROP_BUTTONPAD actually causes
problems for these touchpads, and removing it fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=76341
Reported-by: Adam Williamson <awilliam@redhat.com>
Tested-by: Adam Williamson <awilliam@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Cc: Adam Williamson <awilliam@redhat.com>
Cc: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: stable@vger.kernel.org
---
drivers/input/mouse/cypress_ps2.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/input/mouse/cypress_ps2.c b/drivers/input/mouse/cypress_ps2.c
index 87095e2..8af34ff 100644
--- a/drivers/input/mouse/cypress_ps2.c
+++ b/drivers/input/mouse/cypress_ps2.c
@@ -409,7 +409,6 @@ static int cypress_set_input_params(struct input_dev *input,
__clear_bit(REL_X, input->relbit);
__clear_bit(REL_Y, input->relbit);
- __set_bit(INPUT_PROP_BUTTONPAD, input->propbit);
__set_bit(EV_KEY, input->evbit);
__set_bit(BTN_LEFT, input->keybit);
__set_bit(BTN_RIGHT, input->keybit);
--
1.9.0

24
kernel.spec
View File

@ -74,7 +74,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 8
%define stable_update 9
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@ -725,9 +725,6 @@ Patch25168: rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails
#rhbz 953211
Patch25184: Input-ALPS-add-support-for-Dolphin-devices.patch
#rhbz 1045755
Patch25195: cgroup-fixes.patch
#rhbz 1064430 1056711
Patch25196: ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
Patch25197: ipv6-addrconf-revert-if_inet6ifa_flag-format.patch
@ -765,9 +762,6 @@ Patch25041: ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
#rhbz 1046495
Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
#CVE-2014-2523 rhbz 1077343 1077350
Patch25045: netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
#CVE-2014-0131 rhbz 1074589 1079006
Patch25048: skbuff-zero-copy.patch
@ -783,10 +777,6 @@ Patch25051: net-vhost-fix-total-length-when-packets-are-too-short.patch
#CVE-2014-2580 rhbz 1080084 1080086
Patch25052: net-xen-netback-disable-rogue-vif-in-kthread-context.patch
#https://bugs.freedesktop.org/show_bug.cgi?id=76341
#will go upstream for 3.15, and will be backported to stable releases
Patch25053: input-cypress_ps2-Don-t-report-the-cypress-PS-2-trac.patch
#CVE-2014-2678 rhbz 1083274 1083280
Patch25054: rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
@ -1462,9 +1452,6 @@ ApplyPatch rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.
#rhbz 953211
ApplyPatch Input-ALPS-add-support-for-Dolphin-devices.patch
#rhbz 1045755
ApplyPatch cgroup-fixes.patch
#rhbz 1064430 1056711
ApplyPatch ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
ApplyPatch ipv6-addrconf-revert-if_inet6ifa_flag-format.patch
@ -1502,9 +1489,6 @@ ApplyPatch ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
#rhbz 1046495
ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
#CVE-2014-2523 rhbz 1077343 1077350
ApplyPatch netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
#CVE-2014-0131 rhbz 1074589 1079006
ApplyPatch skbuff-zero-copy.patch
@ -1520,9 +1504,6 @@ ApplyPatch net-vhost-fix-total-length-when-packets-are-too-short.patch
#CVE-2014-2580 rhbz 1080084 1080086
ApplyPatch net-xen-netback-disable-rogue-vif-in-kthread-context.patch
#https://bugs.freedesktop.org/show_bug.cgi?id=76341
ApplyPatch input-cypress_ps2-Don-t-report-the-cypress-PS-2-trac.patch
#CVE-2014-2678 rhbz 1083274 1083280
ApplyPatch rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
@ -2338,6 +2319,9 @@ fi
# and build.
%changelog
* Thu Apr 03 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.13.9-100
- Linux v3.13.9
* Tue Apr 01 2014 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2014-2678 net: rds: deref of NULL dev in rds_iw_laddr_check (rhbz 1083274 1083280)

65
netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
View File

@ -1,65 +0,0 @@
Bugzilla: 1077350
Upstream-status: 3.14-rc1
From b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <dborkman@redhat.com>
Date: Mon, 6 Jan 2014 00:57:54 +0100
Subject: [PATCH] netfilter: nf_conntrack_dccp: fix skb_header_pointer API
usages
Some occurences in the netfilter tree use skb_header_pointer() in
the following way ...
struct dccp_hdr _dh, *dh;
...
skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
... where dh itself is a pointer that is being passed as the copy
buffer. Instead, we need to use &_dh as the forth argument so that
we're copying the data into an actual buffer that sits on the stack.
Currently, we probably could overwrite memory on the stack (e.g.
with a possibly mal-formed DCCP packet), but unintentionally, as
we only want the buffer to be placed into _dh variable.
Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 3841268..cb372f9 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
const char *msg;
u_int8_t state;
- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
BUG_ON(dh == NULL);
state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
u_int8_t type, old_state, new_state;
enum ct_dccp_roles role;
- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
BUG_ON(dh == NULL);
type = dh->dccph_type;
@@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
unsigned int cscov;
const char *msg;
- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
if (dh == NULL) {
msg = "nf_ct_dccp: short packet ";
goto out_invalid;
--
1.8.5.3

2
sources
View File

@ -1,2 +1,2 @@
0ecbaf65c00374eb4a826c2f9f37606f linux-3.13.tar.xz
72b911bfc50de88c67bd0e8732978deb patch-3.13.8.xz
d1b35dfc218d54e6a443bb5fe22d5a7b patch-3.13.9.xz