rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v3.10.2

This commit is contained in:
Justin M. Forbes 2013-07-22 12:33:25 -05:00
parent 62d0f1f3e3
commit bab409e09b
5 changed files with 6 additions and 312 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

207
fix-ext4-overflows.patch
View File

@ -1,207 +0,0 @@
From 93f6b57df5d9dd8c0327cebc01f6c00dbcd6d2ff Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Fri, 31 May 2013 19:33:42 -0400
Subject: [PATCH 1/4] ext4: fix data offset overflow on 32-bit archs in
ext4_inline_data_fiemap()
On 32-bit archs when sector_t is defined as 32-bit the logic computing
data offset in ext4_inline_data_fiemap(). Fix that by properly typing
the shifted value.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
fs/ext4/inline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index c0fd1a1..c46a01e 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1702,7 +1702,7 @@ int ext4_inline_data_fiemap(struct inode *inode,
if (error)
goto out;
- physical = iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits;
+ physical = (__u64)iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits;
physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data;
physical += offsetof(struct ext4_inode, i_block);
length = i_size_read(inode);
--
1.8.3.1
From 4d2cedb535bae3ada76a335540657e948f99d9c0 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Fri, 31 May 2013 19:37:56 -0400
Subject: [PATCH 2/4] ext4: fix overflows in SEEK_HOLE, SEEK_DATA
implementations
ext4_lblk_t is just u32 so multiplying it by blocksize can easily
overflow for files larger than 4 GB. Fix that by properly typing the
block offsets before shifting.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Zheng Liu <wenqing.lz@taobao.com>
---
fs/ext4/file.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index 64848b5..b47ccf9 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -311,7 +311,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode,
blkbits = inode->i_sb->s_blocksize_bits;
startoff = *offset;
lastoff = startoff;
- endoff = (map->m_lblk + map->m_len) << blkbits;
+ endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits;
index = startoff >> PAGE_CACHE_SHIFT;
end = endoff >> PAGE_CACHE_SHIFT;
@@ -456,7 +456,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
ret = ext4_map_blocks(NULL, inode, &map, 0);
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
if (last != start)
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
break;
}
@@ -467,7 +467,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
ext4_es_find_delayed_extent(inode, last, &es);
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
if (last != start)
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
break;
}
@@ -485,7 +485,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
}
last++;
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
} while (last <= end);
mutex_unlock(&inode->i_mutex);
@@ -539,7 +539,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
ret = ext4_map_blocks(NULL, inode, &map, 0);
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
last += ret;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
@@ -550,7 +550,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
ext4_es_find_delayed_extent(inode, last, &es);
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
last = es.es_lblk + es.es_len;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
@@ -565,7 +565,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
&map, &holeoff);
if (!unwritten) {
last += ret;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
}
--
1.8.3.1
From 114fe3b7fc9ca3ca00f774dd8705e8c802f39f14 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Fri, 31 May 2013 19:38:56 -0400
Subject: [PATCH 3/4] ext4: fix data offset overflow in ext4_xattr_fiemap() on
32-bit archs
On 32-bit architectures with 32-bit sector_t computation of data offset
in ext4_xattr_fiemap() can overflow resulting in reporting bogus data
location. Fix the problem by typing block number to proper type before
shifting.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
fs/ext4/extents.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 9c6d06d..6bb303c 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4605,7 +4605,7 @@ static int ext4_xattr_fiemap(struct inode *inode,
error = ext4_get_inode_loc(inode, &iloc);
if (error)
return error;
- physical = iloc.bh->b_blocknr << blockbits;
+ physical = (__u64)iloc.bh->b_blocknr << blockbits;
offset = EXT4_GOOD_OLD_INODE_SIZE +
EXT4_I(inode)->i_extra_isize;
physical += offset;
@@ -4613,7 +4613,7 @@ static int ext4_xattr_fiemap(struct inode *inode,
flags |= FIEMAP_EXTENT_DATA_INLINE;
brelse(iloc.bh);
} else { /* external block */
- physical = EXT4_I(inode)->i_file_acl << blockbits;
+ physical = (__u64)EXT4_I(inode)->i_file_acl << blockbits;
length = inode->i_sb->s_blocksize;
}
--
1.8.3.1
From aeb72ff4b7fe084b4373d4a91d77d3bea8089627 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Fri, 31 May 2013 19:39:56 -0400
Subject: [PATCH 4/4] ext4: fix overflow when counting used blocks on 32-bit
architectures
The arithmetics adding delalloc blocks to the number of used blocks in
ext4_getattr() can easily overflow on 32-bit archs as we first multiply
number of blocks by blocksize and then divide back by 512. Make the
arithmetics more clever and also use proper type (unsigned long long
instead of unsigned long).
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
fs/ext4/inode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index d69e954..e33e2d2 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4616,7 +4616,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
struct kstat *stat)
{
struct inode *inode;
- unsigned long delalloc_blocks;
+ unsigned long long delalloc_blocks;
inode = dentry->d_inode;
generic_fillattr(inode, stat);
@@ -4634,7 +4634,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
delalloc_blocks = EXT4_C2B(EXT4_SB(inode->i_sb),
EXT4_I(inode)->i_reserved_data_blocks);
- stat->blocks += (delalloc_blocks << inode->i_sb->s_blocksize_bits)>>9;
+ stat->blocks += delalloc_blocks << (inode->i_sb->s_blocksize_bits-9);
return 0;
}
--
1.8.3.1

56
iwlwifi-pcie-fix-race-in-queue-unmapping.patch
View File

@ -1,56 +0,0 @@
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
When a queue is disabled, it frees all its entries. Later,
the op_mode might still get notifications from the firmware
that triggers to free entries in the tx queue. The transport
should be prepared for these races and know to ignore
reclaim calls on queues that have been disabled and whose
entries have been freed.
Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
drivers/net/wireless/iwlwifi/pcie/tx.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c
index cb5c679..faaf77c 100644
--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
@@ -578,9 +578,12 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id)
spin_lock_bh(&txq->lock);
while (q->write_ptr != q->read_ptr) {
+ IWL_DEBUG_TX_REPLY(trans, "Q %d Free %d\n",
+ txq_id, q->read_ptr);
iwl_pcie_txq_free_tfd(trans, txq);
q->read_ptr = iwl_queue_inc_wrap(q->read_ptr, q->n_bd);
}
+ txq->active = false;
spin_unlock_bh(&txq->lock);
}
@@ -929,6 +932,12 @@ void iwl_trans_pcie_reclaim(struct iwl_trans *trans, int txq_id, int ssn,
spin_lock_bh(&txq->lock);
+ if (!txq->active) {
+ IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n",
+ txq_id, ssn);
+ goto out;
+ }
+
if (txq->q.read_ptr == tfd_num)
goto out;
@@ -1105,6 +1114,7 @@ void iwl_trans_pcie_txq_enable(struct iwl_trans *trans, int txq_id, int fifo,
(fifo << SCD_QUEUE_STTS_REG_POS_TXF) |
(1 << SCD_QUEUE_STTS_REG_POS_WSL) |
SCD_QUEUE_STTS_REG_MSK);
+ trans_pcie->txq[txq_id].active = true;
IWL_DEBUG_TX_QUEUES(trans, "Activate queue %d on FIFO %d WrPtr: %d\n",
txq_id, fifo, ssn & 0xff);
}
--
1.7.11.7

35
iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch
View File

@ -1,35 +0,0 @@
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
When the queue is unmapped while it was so loaded that
mac80211's was stopped, we need to wake the queue after
having freed all the packets in the queue.
Not doing so can result in weird stuff like:
* run lots of traffic (mac80211's queue gets stopped)
* RFKILL
* de-assert RFKILL
* no traffic
Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
drivers/net/wireless/iwlwifi/pcie/tx.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c
index faaf77c..4e7b8d4 100644
--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
@@ -585,6 +585,9 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id)
}
txq->active = false;
spin_unlock_bh(&txq->lock);
+
+ /* just in case - this queue may have been stopped */
+ iwl_wake_queue(trans, txq);
}
/*
--
1.7.11.7

19
kernel.spec
View File

@ -74,7 +74,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 1
%define stable_update 2
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@ -747,9 +747,6 @@ Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
Patch25050: iwlwifi-pcie-fix-race-in-queue-unmapping.patch
Patch25051: iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch
#rhbz 903741
Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
@ -775,10 +772,7 @@ Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch
#rhbz 885407
Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
#rhbz 976837
Patch25065: fix-ext4-overflows.patch
Patch26000: cve-2013-4125.patch
Patch26000: cve-2013-4125.patch
# END OF PATCH DEFINITIONS
@ -1475,9 +1469,6 @@ ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
ApplyPatch iwlwifi-pcie-fix-race-in-queue-unmapping.patch
ApplyPatch iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch
#rhbz 903741
ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
@ -1502,9 +1493,6 @@ ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch
#rhbz 885407
ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
#rhbz 976837
ApplyPatch fix-ext4-overflows.patch
ApplyPatch cve-2013-4125.patch
# END OF PATCH APPLICATIONS
@ -2315,6 +2303,9 @@ fi
# and build.
%changelog
* Mon Jul 22 2013 Justin M. Forbes <jforbes@redhat.com> 3.10.2-300
- Linux v3.10.2
* Fri Jul 19 2013 Dave Jones <davej@redhat.com>
- CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664)

1
sources
View File

@ -1,2 +1,3 @@
4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz
0e7f2a767ef3b3643856c96af3409af3 patch-3.10.1.xz
0c94fa440515e289495909749d04aae4 patch-3.10.2.xz