Linux v3.11.2
This commit is contained in:
parent
b3c4f43a95
commit
b61169ac06
|
@ -1,118 +0,0 @@
|
|||
From 0adb9c2c5ed42f199cb2a630c37d18dee385fae2 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Date: Mon, 15 Jul 2013 10:12:18 +0200
|
||||
Subject: [PATCH] HID: kye: Add report fixup for Genius Gx Imperator Keyboard
|
||||
|
||||
Genius Gx Imperator Keyboard presents the same problem in its report
|
||||
descriptors than Genius Gila Gaming Mouse.
|
||||
Use the same fixup for both.
|
||||
|
||||
Fixes:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=928561
|
||||
|
||||
Reported-and-tested-by: Honza Brazdil <jbrazdil@redhat.com>
|
||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-core.c | 1 +
|
||||
drivers/hid/hid-ids.h | 1 +
|
||||
drivers/hid/hid-kye.c | 45 ++++++++++++++++++++++++++++-----------------
|
||||
3 files changed, 30 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
||||
index 8de5cb8..b0f2f45 100644
|
||||
--- a/drivers/hid/hid-core.c
|
||||
+++ b/drivers/hid/hid-core.c
|
||||
@@ -1594,6 +1594,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
|
||||
{ HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) },
|
||||
{ HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) },
|
||||
{ HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) },
|
||||
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GX_IMPERATOR) },
|
||||
{ HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) },
|
||||
{ HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) },
|
||||
{ HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) },
|
||||
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
|
||||
index c5aea29..0288531 100644
|
||||
--- a/drivers/hid/hid-ids.h
|
||||
+++ b/drivers/hid/hid-ids.h
|
||||
@@ -479,6 +479,7 @@
|
||||
#define USB_VENDOR_ID_KYE 0x0458
|
||||
#define USB_DEVICE_ID_KYE_ERGO_525V 0x0087
|
||||
#define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138
|
||||
+#define USB_DEVICE_ID_GENIUS_GX_IMPERATOR 0x4018
|
||||
#define USB_DEVICE_ID_KYE_GPEN_560 0x5003
|
||||
#define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010
|
||||
#define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011
|
||||
diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
|
||||
index 1e2ee2aa..7384512 100644
|
||||
--- a/drivers/hid/hid-kye.c
|
||||
+++ b/drivers/hid/hid-kye.c
|
||||
@@ -268,6 +268,26 @@ static __u8 easypen_m610x_rdesc_fixed[] = {
|
||||
0xC0 /* End Collection */
|
||||
};
|
||||
|
||||
+static __u8 *kye_consumer_control_fixup(struct hid_device *hdev, __u8 *rdesc,
|
||||
+ unsigned int *rsize, int offset, const char *device_name) {
|
||||
+ /*
|
||||
+ * the fixup that need to be done:
|
||||
+ * - change Usage Maximum in the Comsumer Control
|
||||
+ * (report ID 3) to a reasonable value
|
||||
+ */
|
||||
+ if (*rsize >= offset + 31 &&
|
||||
+ /* Usage Page (Consumer Devices) */
|
||||
+ rdesc[offset] == 0x05 && rdesc[offset + 1] == 0x0c &&
|
||||
+ /* Usage (Consumer Control) */
|
||||
+ rdesc[offset + 2] == 0x09 && rdesc[offset + 3] == 0x01 &&
|
||||
+ /* Usage Maximum > 12287 */
|
||||
+ rdesc[offset + 10] == 0x2a && rdesc[offset + 12] > 0x2f) {
|
||||
+ hid_info(hdev, "fixing up %s report descriptor\n", device_name);
|
||||
+ rdesc[offset + 12] = 0x2f;
|
||||
+ }
|
||||
+ return rdesc;
|
||||
+}
|
||||
+
|
||||
static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
|
||||
unsigned int *rsize)
|
||||
{
|
||||
@@ -315,23 +335,12 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
|
||||
}
|
||||
break;
|
||||
case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE:
|
||||
- /*
|
||||
- * the fixup that need to be done:
|
||||
- * - change Usage Maximum in the Comsumer Control
|
||||
- * (report ID 3) to a reasonable value
|
||||
- */
|
||||
- if (*rsize >= 135 &&
|
||||
- /* Usage Page (Consumer Devices) */
|
||||
- rdesc[104] == 0x05 && rdesc[105] == 0x0c &&
|
||||
- /* Usage (Consumer Control) */
|
||||
- rdesc[106] == 0x09 && rdesc[107] == 0x01 &&
|
||||
- /* Usage Maximum > 12287 */
|
||||
- rdesc[114] == 0x2a && rdesc[116] > 0x2f) {
|
||||
- hid_info(hdev,
|
||||
- "fixing up Genius Gila Gaming Mouse "
|
||||
- "report descriptor\n");
|
||||
- rdesc[116] = 0x2f;
|
||||
- }
|
||||
+ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 104,
|
||||
+ "Genius Gila Gaming Mouse");
|
||||
+ break;
|
||||
+ case USB_DEVICE_ID_GENIUS_GX_IMPERATOR:
|
||||
+ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 83,
|
||||
+ "Genius Gx Imperator Keyboard");
|
||||
break;
|
||||
}
|
||||
return rdesc;
|
||||
@@ -428,6 +437,8 @@ static const struct hid_device_id kye_devices[] = {
|
||||
USB_DEVICE_ID_KYE_EASYPEN_M610X) },
|
||||
{ HID_USB_DEVICE(USB_VENDOR_ID_KYE,
|
||||
USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) },
|
||||
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
|
||||
+ USB_DEVICE_ID_GENIUS_GX_IMPERATOR) },
|
||||
{ }
|
||||
};
|
||||
MODULE_DEVICE_TABLE(hid, kye_devices);
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -1,83 +1,3 @@
|
|||
From aab9cb0a00ecdd937273f3b9649311d81bf4f0cb Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:29:55 +0200
|
||||
Subject: [PATCH 01/16] HID: validate HID report id size
|
||||
|
||||
The "Report ID" field of a HID report is used to build indexes of
|
||||
reports. The kernel's index of these is limited to 256 entries, so any
|
||||
malicious device that sets a Report ID greater than 255 will trigger
|
||||
memory corruption on the host:
|
||||
|
||||
[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
|
||||
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
|
||||
|
||||
CVE-2013-2888
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-core.c | 10 +++++++---
|
||||
include/linux/hid.h | 4 +++-
|
||||
2 files changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
||||
index 36668d1..5ea7d51 100644
|
||||
--- a/drivers/hid/hid-core.c
|
||||
+++ b/drivers/hid/hid-core.c
|
||||
@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
|
||||
struct hid_report_enum *report_enum = device->report_enum + type;
|
||||
struct hid_report *report;
|
||||
|
||||
+ if (id >= HID_MAX_IDS)
|
||||
+ return NULL;
|
||||
if (report_enum->report_id_hash[id])
|
||||
return report_enum->report_id_hash[id];
|
||||
|
||||
@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
|
||||
|
||||
case HID_GLOBAL_ITEM_TAG_REPORT_ID:
|
||||
parser->global.report_id = item_udata(item);
|
||||
- if (parser->global.report_id == 0) {
|
||||
- hid_err(parser->device, "report_id 0 is invalid\n");
|
||||
+ if (parser->global.report_id == 0 ||
|
||||
+ parser->global.report_id >= HID_MAX_IDS) {
|
||||
+ hid_err(parser->device, "report_id %u is invalid\n",
|
||||
+ parser->global.report_id);
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
|
||||
for (i = 0; i < HID_REPORT_TYPES; i++) {
|
||||
struct hid_report_enum *report_enum = device->report_enum + i;
|
||||
|
||||
- for (j = 0; j < 256; j++) {
|
||||
+ for (j = 0; j < HID_MAX_IDS; j++) {
|
||||
struct hid_report *report = report_enum->report_id_hash[j];
|
||||
if (report)
|
||||
hid_free_report(report);
|
||||
diff --git a/include/linux/hid.h b/include/linux/hid.h
|
||||
index 0c48991..ff545cc 100644
|
||||
--- a/include/linux/hid.h
|
||||
+++ b/include/linux/hid.h
|
||||
@@ -393,10 +393,12 @@ struct hid_report {
|
||||
struct hid_device *device; /* associated device */
|
||||
};
|
||||
|
||||
+#define HID_MAX_IDS 256
|
||||
+
|
||||
struct hid_report_enum {
|
||||
unsigned numbered;
|
||||
struct list_head report_list;
|
||||
- struct hid_report *report_id_hash[256];
|
||||
+ struct hid_report *report_id_hash[HID_MAX_IDS];
|
||||
};
|
||||
|
||||
#define HID_REPORT_TYPES 3
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From ba6d8d44eaeb0ee58082f4b4c95138416e1f58a5 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 11 Sep 2013 21:56:50 +0200
|
||||
|
@ -906,214 +826,3 @@ index 762d988..31cf29a 100644
|
|||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From b2438ded3cdd8d6d6af77d9bce38d2d8f353a790 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:32:01 +0200
|
||||
Subject: [PATCH 12/16] HID: check for NULL field when setting values
|
||||
|
||||
Defensively check that the field to be worked on is not NULL.
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-core.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
||||
index 08500bc..e331cb1 100644
|
||||
--- a/drivers/hid/hid-core.c
|
||||
+++ b/drivers/hid/hid-core.c
|
||||
@@ -1212,7 +1212,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
|
||||
|
||||
int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
|
||||
{
|
||||
- unsigned size = field->report_size;
|
||||
+ unsigned size;
|
||||
+
|
||||
+ if (!field)
|
||||
+ return -1;
|
||||
+
|
||||
+ size = field->report_size;
|
||||
|
||||
hid_dump_input(field->report->device, field->usage + offset, value);
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From d0502783cdafcdb0a677492c43a373748d900d50 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:30:49 +0200
|
||||
Subject: [PATCH 13/16] HID: pantherlord: validate output report details
|
||||
|
||||
A HID device could send a malicious output report that would cause the
|
||||
pantherlord HID driver to write beyond the output report allocation
|
||||
during initialization, causing a heap overflow:
|
||||
|
||||
[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
|
||||
...
|
||||
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
|
||||
|
||||
CVE-2013-2892
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-pl.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
|
||||
index d29112f..2dcd7d9 100644
|
||||
--- a/drivers/hid/hid-pl.c
|
||||
+++ b/drivers/hid/hid-pl.c
|
||||
@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
|
||||
strong = &report->field[0]->value[2];
|
||||
weak = &report->field[0]->value[3];
|
||||
debug("detected single-field device");
|
||||
- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
|
||||
- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
|
||||
+ } else if (report->field[0]->maxusage == 1 &&
|
||||
+ report->field[0]->usage[0].hid ==
|
||||
+ (HID_UP_LED | 0x43) &&
|
||||
+ report->maxfield >= 4 &&
|
||||
+ report->field[0]->report_count >= 1 &&
|
||||
+ report->field[1]->report_count >= 1 &&
|
||||
+ report->field[2]->report_count >= 1 &&
|
||||
+ report->field[3]->report_count >= 1) {
|
||||
report->field[0]->value[0] = 0x00;
|
||||
report->field[1]->value[0] = 0x00;
|
||||
strong = &report->field[2]->value[0];
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From dc4db3b624cc7bf6972817615af88e250a8526cc Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:31:28 +0200
|
||||
Subject: [PATCH 14/16] HID: ntrig: validate feature report details
|
||||
|
||||
A HID device could send a malicious feature report that would cause the
|
||||
ntrig HID driver to trigger a NULL dereference during initialization:
|
||||
|
||||
[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
|
||||
...
|
||||
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
|
||||
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
|
||||
|
||||
CVE-2013-2896
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-ntrig.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
|
||||
index ef95102..5482156 100644
|
||||
--- a/drivers/hid/hid-ntrig.c
|
||||
+++ b/drivers/hid/hid-ntrig.c
|
||||
@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
|
||||
struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
|
||||
report_id_hash[0x0d];
|
||||
|
||||
- if (!report)
|
||||
+ if (!report || report->maxfield < 1 ||
|
||||
+ report->field[0]->report_count < 1)
|
||||
return -EINVAL;
|
||||
|
||||
hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From 34490675479f16680a60726632ad2e808eab54bd Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:31:44 +0200
|
||||
Subject: [PATCH 15/16] HID: sensor-hub: validate feature report details
|
||||
|
||||
A HID device could send a malicious feature report that would cause the
|
||||
sensor-hub HID driver to read past the end of heap allocation, leaking
|
||||
kernel memory contents to the caller.
|
||||
|
||||
CVE-2013-2898
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-sensor-hub.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
|
||||
index ca749810..aa34755 100644
|
||||
--- a/drivers/hid/hid-sensor-hub.c
|
||||
+++ b/drivers/hid/hid-sensor-hub.c
|
||||
@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
|
||||
|
||||
mutex_lock(&data->mutex);
|
||||
report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
|
||||
- if (!report || (field_index >= report->maxfield)) {
|
||||
+ if (!report || (field_index >= report->maxfield) ||
|
||||
+ report->field[field_index]->report_count < 1) {
|
||||
ret = -EINVAL;
|
||||
goto done_proc;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From a0155e41d3a7a9bd901368271d86ee1bb28d100f Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:31:52 +0200
|
||||
Subject: [PATCH 16/16] HID: picolcd_core: validate output report details
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
A HID device could send a malicious output report that would cause the
|
||||
picolcd HID driver to trigger a NULL dereference during attr file writing.
|
||||
|
||||
[jkosina@suse.cz: changed
|
||||
|
||||
report->maxfield < 1
|
||||
|
||||
to
|
||||
|
||||
report->maxfield != 1
|
||||
|
||||
as suggested by Bruno].
|
||||
|
||||
CVE-2013-2899
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
|
||||
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-picolcd_core.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
|
||||
index b48092d..acbb0210 100644
|
||||
--- a/drivers/hid/hid-picolcd_core.c
|
||||
+++ b/drivers/hid/hid-picolcd_core.c
|
||||
@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
|
||||
buf += 10;
|
||||
cnt -= 10;
|
||||
}
|
||||
- if (!report)
|
||||
+ if (!report || report->maxfield != 1)
|
||||
return -EINVAL;
|
||||
|
||||
while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
|
|
@ -1,149 +0,0 @@
|
|||
commit 3dc48af310709b85d07c8b0d3aa8f1ead02829d3
|
||||
Author: Neil Horman <nhorman@tuxdriver.com>
|
||||
Date: Thu Aug 29 16:17:05 2013 -0400
|
||||
|
||||
PCI/ACPI: Fix _OSC ordering to allow PCIe hotplug use when available
|
||||
|
||||
This fixes the problem of acpiphp claiming slots that should be managed
|
||||
by pciehp, which may keep ExpressCard slots from working.
|
||||
|
||||
The acpiphp driver claims PCIe slots unless the BIOS has granted us
|
||||
control of PCIe native hotplug via _OSC. Prior to v3.10, the acpiphp
|
||||
.add method (add_bridge()) was always called *after* we had requested
|
||||
native hotplug control with _OSC.
|
||||
|
||||
But after 3b63aaa70e ("PCI: acpiphp: Do not use ACPI PCI subdriver
|
||||
mechanism"), which appeared in v3.10, acpiphp initialization is done
|
||||
during the bus scan via the pcibios_add_bus() hook, and this happens
|
||||
*before* we request native hotplug control.
|
||||
|
||||
Therefore, acpiphp doesn't know yet whether the BIOS will grant control,
|
||||
and it claims slots that we should be handling with native hotplug.
|
||||
|
||||
This patch requests native hotplug control earlier, so we know whether
|
||||
the BIOS granted it to us before we initialize acpiphp.
|
||||
|
||||
To avoid reintroducing the ASPM issue fixed by b8178f130e ('Revert
|
||||
"PCI/ACPI: Request _OSC control before scanning PCI root bus"'), we run
|
||||
_OSC earlier but defer the actual ASPM calls until after the bus scan is
|
||||
complete.
|
||||
|
||||
Tested successfully by myself.
|
||||
|
||||
[bhelgaas: changelog, mark for stable]
|
||||
Reference: https://bugzilla.kernel.org/show_bug.cgi?id=60736
|
||||
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
|
||||
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
||||
Acked-by: Yinghai Lu <yinghai@kernel.org>
|
||||
CC: stable@vger.kernel.org # v3.10+
|
||||
CC: Len Brown <lenb@kernel.org>
|
||||
CC: "Rafael J. Wysocki" <rjw@sisk.pl>
|
||||
|
||||
diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c
|
||||
index 5917839..a67853e 100644
|
||||
--- a/drivers/acpi/pci_root.c
|
||||
+++ b/drivers/acpi/pci_root.c
|
||||
@@ -378,6 +378,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
|
||||
struct acpi_pci_root *root;
|
||||
u32 flags, base_flags;
|
||||
acpi_handle handle = device->handle;
|
||||
+ bool no_aspm = false, clear_aspm = false;
|
||||
|
||||
root = kzalloc(sizeof(struct acpi_pci_root), GFP_KERNEL);
|
||||
if (!root)
|
||||
@@ -437,27 +438,6 @@ static int acpi_pci_root_add(struct acpi_device *device,
|
||||
flags = base_flags = OSC_PCI_SEGMENT_GROUPS_SUPPORT;
|
||||
acpi_pci_osc_support(root, flags);
|
||||
|
||||
- /*
|
||||
- * TBD: Need PCI interface for enumeration/configuration of roots.
|
||||
- */
|
||||
-
|
||||
- /*
|
||||
- * Scan the Root Bridge
|
||||
- * --------------------
|
||||
- * Must do this prior to any attempt to bind the root device, as the
|
||||
- * PCI namespace does not get created until this call is made (and
|
||||
- * thus the root bridge's pci_dev does not exist).
|
||||
- */
|
||||
- root->bus = pci_acpi_scan_root(root);
|
||||
- if (!root->bus) {
|
||||
- dev_err(&device->dev,
|
||||
- "Bus %04x:%02x not present in PCI namespace\n",
|
||||
- root->segment, (unsigned int)root->secondary.start);
|
||||
- result = -ENODEV;
|
||||
- goto end;
|
||||
- }
|
||||
-
|
||||
- /* Indicate support for various _OSC capabilities. */
|
||||
if (pci_ext_cfg_avail())
|
||||
flags |= OSC_EXT_PCI_CONFIG_SUPPORT;
|
||||
if (pcie_aspm_support_enabled()) {
|
||||
@@ -471,7 +451,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
|
||||
if (ACPI_FAILURE(status)) {
|
||||
dev_info(&device->dev, "ACPI _OSC support "
|
||||
"notification failed, disabling PCIe ASPM\n");
|
||||
- pcie_no_aspm();
|
||||
+ no_aspm = true;
|
||||
flags = base_flags;
|
||||
}
|
||||
}
|
||||
@@ -503,7 +483,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
|
||||
* We have ASPM control, but the FADT indicates
|
||||
* that it's unsupported. Clear it.
|
||||
*/
|
||||
- pcie_clear_aspm(root->bus);
|
||||
+ clear_aspm = true;
|
||||
}
|
||||
} else {
|
||||
dev_info(&device->dev,
|
||||
@@ -512,7 +492,14 @@ static int acpi_pci_root_add(struct acpi_device *device,
|
||||
acpi_format_exception(status), flags);
|
||||
dev_info(&device->dev,
|
||||
"ACPI _OSC control for PCIe not granted, disabling ASPM\n");
|
||||
- pcie_no_aspm();
|
||||
+ /*
|
||||
+ * We want to disable ASPM here, but aspm_disabled
|
||||
+ * needs to remain in its state from boot so that we
|
||||
+ * properly handle PCIe 1.1 devices. So we set this
|
||||
+ * flag here, to defer the action until after the ACPI
|
||||
+ * root scan.
|
||||
+ */
|
||||
+ no_aspm = true;
|
||||
}
|
||||
} else {
|
||||
dev_info(&device->dev,
|
||||
@@ -520,6 +507,33 @@ static int acpi_pci_root_add(struct acpi_device *device,
|
||||
"(_OSC support mask: 0x%02x)\n", flags);
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * TBD: Need PCI interface for enumeration/configuration of roots.
|
||||
+ */
|
||||
+
|
||||
+ /*
|
||||
+ * Scan the Root Bridge
|
||||
+ * --------------------
|
||||
+ * Must do this prior to any attempt to bind the root device, as the
|
||||
+ * PCI namespace does not get created until this call is made (and
|
||||
+ * thus the root bridge's pci_dev does not exist).
|
||||
+ */
|
||||
+ root->bus = pci_acpi_scan_root(root);
|
||||
+ if (!root->bus) {
|
||||
+ dev_err(&device->dev,
|
||||
+ "Bus %04x:%02x not present in PCI namespace\n",
|
||||
+ root->segment, (unsigned int)root->secondary.start);
|
||||
+ result = -ENODEV;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if (clear_aspm) {
|
||||
+ dev_info(&device->dev, "Disabling ASPM (FADT indicates it is unsupported)\n");
|
||||
+ pcie_clear_aspm(root->bus);
|
||||
+ }
|
||||
+ if (no_aspm)
|
||||
+ pcie_no_aspm();
|
||||
+
|
||||
pci_acpi_add_bus_pm_notifier(device, root->bus);
|
||||
if (device->wakeup.flags.run_wake)
|
||||
device_set_run_wake(root->bus->bridge, true);
|
|
@ -1,44 +0,0 @@
|
|||
commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
|
||||
Author: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Date: Sun Sep 8 14:33:50 2013 +1000
|
||||
|
||||
crypto: api - Fix race condition in larval lookup
|
||||
|
||||
crypto_larval_lookup should only return a larval if it created one.
|
||||
Any larval created by another entity must be processed through
|
||||
crypto_larval_wait before being returned.
|
||||
|
||||
Otherwise this will lead to a larval being killed twice, which
|
||||
will most likely lead to a crash.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Kees Cook <keescook@chromium.org>
|
||||
Tested-by: Kees Cook <keescook@chromium.org>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
diff --git a/crypto/api.c b/crypto/api.c
|
||||
index 320ea4d..a2b39c5 100644
|
||||
--- a/crypto/api.c
|
||||
+++ b/crypto/api.c
|
||||
@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
|
||||
BLOCKING_NOTIFIER_HEAD(crypto_chain);
|
||||
EXPORT_SYMBOL_GPL(crypto_chain);
|
||||
|
||||
+static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
|
||||
+
|
||||
struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
|
||||
{
|
||||
return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
|
||||
@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
|
||||
}
|
||||
up_write(&crypto_alg_sem);
|
||||
|
||||
- if (alg != &larval->alg)
|
||||
+ if (alg != &larval->alg) {
|
||||
kfree(larval);
|
||||
+ if (crypto_is_larval(alg))
|
||||
+ alg = crypto_larval_wait(alg);
|
||||
+ }
|
||||
|
||||
return alg;
|
||||
}
|
23
kernel.spec
23
kernel.spec
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 1
|
||||
%define stable_update 2
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -779,12 +779,6 @@ Patch25078: rt2800-rearrange-bbp-rfcsr-initialization.patch
|
|||
#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
|
||||
Patch25099: HID-CVE-fixes-3.11.patch
|
||||
|
||||
#rhbz 963991
|
||||
Patch26000: acpi-pcie-hotplug-conflict.patch
|
||||
|
||||
#rhbz 1002351
|
||||
Patch25100: crypto-fix-race-in-larval-lookup.patch
|
||||
|
||||
#CVE-2013-4343 rhbz 1007733 1007741
|
||||
Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch
|
||||
|
||||
|
@ -794,9 +788,6 @@ Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
|||
#CVE-2013-4345 rhbz 1007690 1009136
|
||||
Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||
|
||||
#rhbz 928561
|
||||
Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch
|
||||
|
||||
#rhbz 1008323
|
||||
Patch25106: 0001-skge-fix-broken-driver.patch
|
||||
Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch
|
||||
|
@ -1553,12 +1544,6 @@ ApplyPatch HID-CVE-fixes-3.11.patch
|
|||
#rhbz 1000679
|
||||
ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch
|
||||
|
||||
#rhbz 963991
|
||||
ApplyPatch acpi-pcie-hotplug-conflict.patch
|
||||
|
||||
#rhbz1002351
|
||||
ApplyPatch crypto-fix-race-in-larval-lookup.patch
|
||||
|
||||
#CVE-2013-4343 rhbz 1007733 1007741
|
||||
ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
|
||||
|
||||
|
@ -1568,9 +1553,6 @@ ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
|||
#CVE-2013-4345 rhbz 1007690 1009136
|
||||
ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||
|
||||
#rhbz 928561
|
||||
ApplyPatch 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch
|
||||
|
||||
#rhbz 985522
|
||||
ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch
|
||||
|
||||
|
@ -2392,6 +2374,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Sep 27 2013 Justin M. Forbes <jforbes@fedoraproject.org> - 3.11.2-300
|
||||
- Linux v3.11.2
|
||||
|
||||
* Wed Sep 25 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix debuginfo_args regex for + separator (rhbz 1009751)
|
||||
- Add another fix for skge (rhbz 1008323)
|
||||
|
|
Loading…
Reference in New Issue