Linux 3.6.4
parent
1c1fad8242
commit
a0a8db50e5
|
@ -1,153 +0,0 @@
|
|||
From 5ff6b4cc64765e10df509a60e902561efdeb58d5 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Monakhov <dmonakhov@openvz.org>
|
||||
Date: Fri, 5 Oct 2012 11:32:04 -0400
|
||||
Subject: [PATCH 13/13] ext4: race-condition protection for
|
||||
ext4_convert_unwritten_extents_endio
|
||||
|
||||
We assumed that at the time we call ext4_convert_unwritten_extents_endio()
|
||||
extent in question is fully inside [map.m_lblk, map->m_len] because
|
||||
it was already split during submission. But this may not be true due to
|
||||
a race between writeback vs fallocate.
|
||||
|
||||
If extent in question is larger than requested we will split it again.
|
||||
Special precautions should being done if zeroout required because
|
||||
[map.m_lblk, map->m_len] already contains valid data.
|
||||
|
||||
Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
|
||||
(cherry picked from commit 0d4b4ff5282d07a4f83b87b3117cd898b0a3f673)
|
||||
---
|
||||
fs/ext4/extents.c | 57 ++++++++++++++++++++++++++++++++++++++++++++-----------
|
||||
1 file changed, 46 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
|
||||
index ea2db86..ee0d61c 100644
|
||||
--- a/fs/ext4/extents.c
|
||||
+++ b/fs/ext4/extents.c
|
||||
@@ -52,6 +52,9 @@
|
||||
#define EXT4_EXT_MARK_UNINIT1 0x2 /* mark first half uninitialized */
|
||||
#define EXT4_EXT_MARK_UNINIT2 0x4 /* mark second half uninitialized */
|
||||
|
||||
+#define EXT4_EXT_DATA_VALID1 0x8 /* first half contains valid data */
|
||||
+#define EXT4_EXT_DATA_VALID2 0x10 /* second half contains valid data */
|
||||
+
|
||||
static __le32 ext4_extent_block_csum(struct inode *inode,
|
||||
struct ext4_extent_header *eh)
|
||||
{
|
||||
@@ -2897,6 +2900,9 @@ static int ext4_split_extent_at(handle_t *handle,
|
||||
unsigned int ee_len, depth;
|
||||
int err = 0;
|
||||
|
||||
+ BUG_ON((split_flag & (EXT4_EXT_DATA_VALID1 | EXT4_EXT_DATA_VALID2)) ==
|
||||
+ (EXT4_EXT_DATA_VALID1 | EXT4_EXT_DATA_VALID2));
|
||||
+
|
||||
ext_debug("ext4_split_extents_at: inode %lu, logical"
|
||||
"block %llu\n", inode->i_ino, (unsigned long long)split);
|
||||
|
||||
@@ -2955,7 +2961,14 @@ static int ext4_split_extent_at(handle_t *handle,
|
||||
|
||||
err = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
|
||||
if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) {
|
||||
- err = ext4_ext_zeroout(inode, &orig_ex);
|
||||
+ if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
|
||||
+ if (split_flag & EXT4_EXT_DATA_VALID1)
|
||||
+ err = ext4_ext_zeroout(inode, ex2);
|
||||
+ else
|
||||
+ err = ext4_ext_zeroout(inode, ex);
|
||||
+ } else
|
||||
+ err = ext4_ext_zeroout(inode, &orig_ex);
|
||||
+
|
||||
if (err)
|
||||
goto fix_extent_len;
|
||||
/* update the extent length and mark as initialized */
|
||||
@@ -3008,12 +3021,13 @@ static int ext4_split_extent(handle_t *handle,
|
||||
uninitialized = ext4_ext_is_uninitialized(ex);
|
||||
|
||||
if (map->m_lblk + map->m_len < ee_block + ee_len) {
|
||||
- split_flag1 = split_flag & EXT4_EXT_MAY_ZEROOUT ?
|
||||
- EXT4_EXT_MAY_ZEROOUT : 0;
|
||||
+ split_flag1 = split_flag & EXT4_EXT_MAY_ZEROOUT;
|
||||
flags1 = flags | EXT4_GET_BLOCKS_PRE_IO;
|
||||
if (uninitialized)
|
||||
split_flag1 |= EXT4_EXT_MARK_UNINIT1 |
|
||||
EXT4_EXT_MARK_UNINIT2;
|
||||
+ if (split_flag & EXT4_EXT_DATA_VALID2)
|
||||
+ split_flag1 |= EXT4_EXT_DATA_VALID1;
|
||||
err = ext4_split_extent_at(handle, inode, path,
|
||||
map->m_lblk + map->m_len, split_flag1, flags1);
|
||||
if (err)
|
||||
@@ -3026,8 +3040,8 @@ static int ext4_split_extent(handle_t *handle,
|
||||
return PTR_ERR(path);
|
||||
|
||||
if (map->m_lblk >= ee_block) {
|
||||
- split_flag1 = split_flag & EXT4_EXT_MAY_ZEROOUT ?
|
||||
- EXT4_EXT_MAY_ZEROOUT : 0;
|
||||
+ split_flag1 = split_flag & (EXT4_EXT_MAY_ZEROOUT |
|
||||
+ EXT4_EXT_DATA_VALID2);
|
||||
if (uninitialized)
|
||||
split_flag1 |= EXT4_EXT_MARK_UNINIT1;
|
||||
if (split_flag & EXT4_EXT_MARK_UNINIT2)
|
||||
@@ -3305,26 +3319,47 @@ static int ext4_split_unwritten_extents(handle_t *handle,
|
||||
|
||||
split_flag |= ee_block + ee_len <= eof_block ? EXT4_EXT_MAY_ZEROOUT : 0;
|
||||
split_flag |= EXT4_EXT_MARK_UNINIT2;
|
||||
-
|
||||
+ if (flags & EXT4_GET_BLOCKS_CONVERT)
|
||||
+ split_flag |= EXT4_EXT_DATA_VALID2;
|
||||
flags |= EXT4_GET_BLOCKS_PRE_IO;
|
||||
return ext4_split_extent(handle, inode, path, map, split_flag, flags);
|
||||
}
|
||||
|
||||
static int ext4_convert_unwritten_extents_endio(handle_t *handle,
|
||||
- struct inode *inode,
|
||||
- struct ext4_ext_path *path)
|
||||
+ struct inode *inode,
|
||||
+ struct ext4_map_blocks *map,
|
||||
+ struct ext4_ext_path *path)
|
||||
{
|
||||
struct ext4_extent *ex;
|
||||
+ ext4_lblk_t ee_block;
|
||||
+ unsigned int ee_len;
|
||||
int depth;
|
||||
int err = 0;
|
||||
|
||||
depth = ext_depth(inode);
|
||||
ex = path[depth].p_ext;
|
||||
+ ee_block = le32_to_cpu(ex->ee_block);
|
||||
+ ee_len = ext4_ext_get_actual_len(ex);
|
||||
|
||||
ext_debug("ext4_convert_unwritten_extents_endio: inode %lu, logical"
|
||||
"block %llu, max_blocks %u\n", inode->i_ino,
|
||||
- (unsigned long long)le32_to_cpu(ex->ee_block),
|
||||
- ext4_ext_get_actual_len(ex));
|
||||
+ (unsigned long long)ee_block, ee_len);
|
||||
+
|
||||
+ /* If extent is larger than requested then split is required */
|
||||
+ if (ee_block != map->m_lblk || ee_len > map->m_len) {
|
||||
+ err = ext4_split_unwritten_extents(handle, inode, map, path,
|
||||
+ EXT4_GET_BLOCKS_CONVERT);
|
||||
+ if (err < 0)
|
||||
+ goto out;
|
||||
+ ext4_ext_drop_refs(path);
|
||||
+ path = ext4_ext_find_extent(inode, map->m_lblk, path);
|
||||
+ if (IS_ERR(path)) {
|
||||
+ err = PTR_ERR(path);
|
||||
+ goto out;
|
||||
+ }
|
||||
+ depth = ext_depth(inode);
|
||||
+ ex = path[depth].p_ext;
|
||||
+ }
|
||||
|
||||
err = ext4_ext_get_access(handle, inode, path + depth);
|
||||
if (err)
|
||||
@@ -3634,7 +3669,7 @@ ext4_ext_handle_uninitialized_extents(handle_t *handle, struct inode *inode,
|
||||
}
|
||||
/* IO end_io complete, convert the filled extent to written */
|
||||
if ((flags & EXT4_GET_BLOCKS_CONVERT)) {
|
||||
- ret = ext4_convert_unwritten_extents_endio(handle, inode,
|
||||
+ ret = ext4_convert_unwritten_extents_endio(handle, inode, map,
|
||||
path);
|
||||
if (ret >= 0) {
|
||||
ext4_update_inode_fsync_trans(handle, inode, 1);
|
||||
--
|
||||
1.7.12.rc0.22.gcdd159b
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From 504c7267a1e84b157cbd7e9c1b805e1bc0c2c846 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
Date: Thu, 23 Aug 2012 13:12:52 +0100
|
||||
Subject: [PATCH] drm/i915: Use cpu relocations if the object is in the GTT
|
||||
but not mappable
|
||||
|
||||
This prevents the case of unbinding the object in order to process the
|
||||
relocations through the GTT and then rebinding it only to then proceed
|
||||
to use cpu relocations as the object is now in the CPU write domain. By
|
||||
choosing to use cpu relocations up front, we can therefore avoid the
|
||||
rebind penalty.
|
||||
|
||||
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||||
---
|
||||
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
index f7346d8..dc87563 100644
|
||||
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
@@ -95,6 +95,7 @@ eb_destroy(struct eb_objects *eb)
|
||||
static inline int use_cpu_reloc(struct drm_i915_gem_object *obj)
|
||||
{
|
||||
return (obj->base.write_domain == I915_GEM_DOMAIN_CPU ||
|
||||
+ !obj->map_and_fenceable ||
|
||||
obj->cache_level != I915_CACHE_NONE);
|
||||
}
|
||||
|
||||
--
|
||||
1.7.12.1
|
||||
|
|
@ -1,98 +0,0 @@
|
|||
From 2702b1526c7278c4d65d78de209a465d4de2885e Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Fri, 19 Oct 2012 13:56:51 -0700
|
||||
Subject: [PATCH 1/2] kernel/sys.c: fix stack memory content leak via UNAME26
|
||||
|
||||
Calling uname() with the UNAME26 personality set allows a leak of kernel
|
||||
stack contents. This fixes it by defensively calculating the length of
|
||||
copy_to_user() call, making the len argument unsigned, and initializing
|
||||
the stack buffer to zero (now technically unneeded, but hey, overkill).
|
||||
|
||||
CVE-2012-0957
|
||||
|
||||
Reported-by: PaX Team <pageexec@freemail.hu>
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: Andi Kleen <ak@linux.intel.com>
|
||||
Cc: PaX Team <pageexec@freemail.hu>
|
||||
Cc: Brad Spengler <spender@grsecurity.net>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
kernel/sys.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/kernel/sys.c b/kernel/sys.c
|
||||
index c5cb5b9..01865c6 100644
|
||||
--- a/kernel/sys.c
|
||||
+++ b/kernel/sys.c
|
||||
@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem);
|
||||
* Work around broken programs that cannot handle "Linux 3.0".
|
||||
* Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
|
||||
*/
|
||||
-static int override_release(char __user *release, int len)
|
||||
+static int override_release(char __user *release, size_t len)
|
||||
{
|
||||
int ret = 0;
|
||||
- char buf[65];
|
||||
|
||||
if (current->personality & UNAME26) {
|
||||
- char *rest = UTS_RELEASE;
|
||||
+ const char *rest = UTS_RELEASE;
|
||||
+ char buf[65] = { 0 };
|
||||
int ndots = 0;
|
||||
unsigned v;
|
||||
+ size_t copy;
|
||||
|
||||
while (*rest) {
|
||||
if (*rest == '.' && ++ndots >= 3)
|
||||
@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len)
|
||||
rest++;
|
||||
}
|
||||
v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
|
||||
- snprintf(buf, len, "2.6.%u%s", v, rest);
|
||||
- ret = copy_to_user(release, buf, len);
|
||||
+ copy = min(sizeof(buf), max_t(size_t, 1, len));
|
||||
+ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
|
||||
+ ret = copy_to_user(release, buf, copy + 1);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
--
|
||||
1.7.12.1
|
||||
|
||||
|
||||
From 31fd84b95eb211d5db460a1dda85e004800a7b52 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Fri, 19 Oct 2012 18:45:53 -0700
|
||||
Subject: [PATCH 2/2] use clamp_t in UNAME26 fix
|
||||
|
||||
The min/max call needed to have explicit types on some architectures
|
||||
(e.g. mn10300). Use clamp_t instead to avoid the warning:
|
||||
|
||||
kernel/sys.c: In function 'override_release':
|
||||
kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
|
||||
|
||||
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
kernel/sys.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/sys.c b/kernel/sys.c
|
||||
index 01865c6..e6e0ece 100644
|
||||
--- a/kernel/sys.c
|
||||
+++ b/kernel/sys.c
|
||||
@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len)
|
||||
rest++;
|
||||
}
|
||||
v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
|
||||
- copy = min(sizeof(buf), max_t(size_t, 1, len));
|
||||
+ copy = clamp_t(size_t, len, 1, sizeof(buf));
|
||||
copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
|
||||
ret = copy_to_user(release, buf, copy + 1);
|
||||
}
|
||||
--
|
||||
1.7.12.1
|
||||
|
21
kernel.spec
21
kernel.spec
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 4
|
||||
%global baserelease 1
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 3
|
||||
%define stable_update 4
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -770,15 +770,9 @@ Patch22073: mac80211_local_deauth_v3.6.patch
|
|||
#rhbz 866013
|
||||
Patch22074: mac80211-connect-with-HT20-if-HT40-is-not-permitted.patch
|
||||
|
||||
#rhbz 862877 864824 CVE-2012-0957
|
||||
Patch22076: fix-stack-memory-content-leak-via-UNAME26.patch
|
||||
|
||||
#rhbz 867344
|
||||
Patch22077: dont-call-cifs_lookup-on-hashed-negative-dentry.patch
|
||||
|
||||
#rhbz 852210
|
||||
Patch22078: drm-i915-Use-cpu-relocations-if-the-object-is-in-the.patch
|
||||
|
||||
#rhbz 869904 869909 CVE-2012-4508
|
||||
Patch22080: 0001-ext4-ext4_inode_info-diet.patch
|
||||
Patch22081: 0002-ext4-give-i_aiodio_unwritten-a-more-appropriate-name.patch
|
||||
|
@ -792,7 +786,6 @@ Patch22088: 0009-ext4-punch_hole-should-wait-for-DIO-writers.patch
|
|||
Patch22089: 0010-ext4-fix-ext_remove_space-for-punch_hole-case.patch
|
||||
Patch22090: 0011-ext4-fix-ext4_flush_completed_IO-wait-semantics.patch
|
||||
Patch22091: 0012-ext4-serialize-fallocate-with-ext4_convert_unwritten.patch
|
||||
Patch22092: 0013-ext4-race-condition-protection-for-ext4_convert_unwr.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
|
@ -1514,15 +1507,9 @@ ApplyPatch mac80211_local_deauth_v3.6.patch
|
|||
#rhbz 866013
|
||||
ApplyPatch mac80211-connect-with-HT20-if-HT40-is-not-permitted.patch
|
||||
|
||||
#rhbz 862877 864824 CVE-2012-0957
|
||||
ApplyPatch fix-stack-memory-content-leak-via-UNAME26.patch
|
||||
|
||||
#rhbz 867344
|
||||
ApplyPatch dont-call-cifs_lookup-on-hashed-negative-dentry.patch
|
||||
|
||||
#rhbz 852210
|
||||
ApplyPatch drm-i915-Use-cpu-relocations-if-the-object-is-in-the.patch
|
||||
|
||||
#rhbz 869904 869909 CVE-2012-4508
|
||||
ApplyPatch 0001-ext4-ext4_inode_info-diet.patch
|
||||
ApplyPatch 0002-ext4-give-i_aiodio_unwritten-a-more-appropriate-name.patch
|
||||
|
@ -1536,7 +1523,6 @@ ApplyPatch 0009-ext4-punch_hole-should-wait-for-DIO-writers.patch
|
|||
ApplyPatch 0010-ext4-fix-ext_remove_space-for-punch_hole-case.patch
|
||||
ApplyPatch 0011-ext4-fix-ext4_flush_completed_IO-wait-semantics.patch
|
||||
ApplyPatch 0012-ext4-serialize-fallocate-with-ext4_convert_unwritten.patch
|
||||
ApplyPatch 0013-ext4-race-condition-protection-for-ext4_convert_unwr.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2390,6 +2376,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Mon Oct 29 2012 Justin M. Forbes <jforbes@redhat.com> 3.6.4-1
|
||||
- Linux 3.6.4
|
||||
|
||||
* Thu Oct 25 2012 Justin M. Forbes <jforbes@redhat.com>
|
||||
- CVE-2012-4508: ext4: AIO vs fallocate stale data exposure (rhbz 869904 869909)
|
||||
|
||||
|
|
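Review bot: The new 3.6.4-1 changelog entry at the end of kernel.spec records only `- Linux 3.6.4` and does not mention the carried fixes this commit appears to drop: `Patch22076` (CVE-2012-0957), `Patch22078` and `Patch22092`, along with their `ApplyPatch` lines. Presumably all three are now part of the 3.6.4 stable update, but nothing on the page records that, so someone auditing the package for CVE-2012-0957 finds the fix gone from the spec with no explanation. I would add lines such as `- Drop fix-stack-memory-content-leak-via-UNAME26.patch (CVE-2012-0957), merged in 3.6.4` under that entry, after checking each dropped patch against the 3.6.4 tree. The `#rhbz 869904 869909 CVE-2012-4508` comment still heads patches 0001 to 0012 while 0013 is removed, so it is also worth noting that the series is now split between local patches and upstream.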