Linux v3.10.2
parent
62d0f1f3e3
commit
bab409e09b
|
@ -1,207 +0,0 @@
|
|||
From 93f6b57df5d9dd8c0327cebc01f6c00dbcd6d2ff Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Fri, 31 May 2013 19:33:42 -0400
|
||||
Subject: [PATCH 1/4] ext4: fix data offset overflow on 32-bit archs in
|
||||
ext4_inline_data_fiemap()
|
||||
|
||||
On 32-bit archs when sector_t is defined as 32-bit the logic computing
|
||||
data offset in ext4_inline_data_fiemap(). Fix that by properly typing
|
||||
the shifted value.
|
||||
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/inline.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
|
||||
index c0fd1a1..c46a01e 100644
|
||||
--- a/fs/ext4/inline.c
|
||||
+++ b/fs/ext4/inline.c
|
||||
@@ -1702,7 +1702,7 @@ int ext4_inline_data_fiemap(struct inode *inode,
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
- physical = iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits;
|
||||
+ physical = (__u64)iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits;
|
||||
physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data;
|
||||
physical += offsetof(struct ext4_inode, i_block);
|
||||
length = i_size_read(inode);
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From 4d2cedb535bae3ada76a335540657e948f99d9c0 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Fri, 31 May 2013 19:37:56 -0400
|
||||
Subject: [PATCH 2/4] ext4: fix overflows in SEEK_HOLE, SEEK_DATA
|
||||
implementations
|
||||
|
||||
ext4_lblk_t is just u32 so multiplying it by blocksize can easily
|
||||
overflow for files larger than 4 GB. Fix that by properly typing the
|
||||
block offsets before shifting.
|
||||
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
Reviewed-by: Zheng Liu <wenqing.lz@taobao.com>
|
||||
---
|
||||
fs/ext4/file.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/fs/ext4/file.c b/fs/ext4/file.c
|
||||
index 64848b5..b47ccf9 100644
|
||||
--- a/fs/ext4/file.c
|
||||
+++ b/fs/ext4/file.c
|
||||
@@ -311,7 +311,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode,
|
||||
blkbits = inode->i_sb->s_blocksize_bits;
|
||||
startoff = *offset;
|
||||
lastoff = startoff;
|
||||
- endoff = (map->m_lblk + map->m_len) << blkbits;
|
||||
+ endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits;
|
||||
|
||||
index = startoff >> PAGE_CACHE_SHIFT;
|
||||
end = endoff >> PAGE_CACHE_SHIFT;
|
||||
@@ -456,7 +456,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
|
||||
ret = ext4_map_blocks(NULL, inode, &map, 0);
|
||||
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
|
||||
if (last != start)
|
||||
- dataoff = last << blkbits;
|
||||
+ dataoff = (loff_t)last << blkbits;
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -467,7 +467,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
|
||||
ext4_es_find_delayed_extent(inode, last, &es);
|
||||
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
|
||||
if (last != start)
|
||||
- dataoff = last << blkbits;
|
||||
+ dataoff = (loff_t)last << blkbits;
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -485,7 +485,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
|
||||
}
|
||||
|
||||
last++;
|
||||
- dataoff = last << blkbits;
|
||||
+ dataoff = (loff_t)last << blkbits;
|
||||
} while (last <= end);
|
||||
|
||||
mutex_unlock(&inode->i_mutex);
|
||||
@@ -539,7 +539,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
|
||||
ret = ext4_map_blocks(NULL, inode, &map, 0);
|
||||
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
|
||||
last += ret;
|
||||
- holeoff = last << blkbits;
|
||||
+ holeoff = (loff_t)last << blkbits;
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -550,7 +550,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
|
||||
ext4_es_find_delayed_extent(inode, last, &es);
|
||||
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
|
||||
last = es.es_lblk + es.es_len;
|
||||
- holeoff = last << blkbits;
|
||||
+ holeoff = (loff_t)last << blkbits;
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -565,7 +565,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
|
||||
&map, &holeoff);
|
||||
if (!unwritten) {
|
||||
last += ret;
|
||||
- holeoff = last << blkbits;
|
||||
+ holeoff = (loff_t)last << blkbits;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From 114fe3b7fc9ca3ca00f774dd8705e8c802f39f14 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Fri, 31 May 2013 19:38:56 -0400
|
||||
Subject: [PATCH 3/4] ext4: fix data offset overflow in ext4_xattr_fiemap() on
|
||||
32-bit archs
|
||||
|
||||
On 32-bit architectures with 32-bit sector_t computation of data offset
|
||||
in ext4_xattr_fiemap() can overflow resulting in reporting bogus data
|
||||
location. Fix the problem by typing block number to proper type before
|
||||
shifting.
|
||||
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/extents.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
|
||||
index 9c6d06d..6bb303c 100644
|
||||
--- a/fs/ext4/extents.c
|
||||
+++ b/fs/ext4/extents.c
|
||||
@@ -4605,7 +4605,7 @@ static int ext4_xattr_fiemap(struct inode *inode,
|
||||
error = ext4_get_inode_loc(inode, &iloc);
|
||||
if (error)
|
||||
return error;
|
||||
- physical = iloc.bh->b_blocknr << blockbits;
|
||||
+ physical = (__u64)iloc.bh->b_blocknr << blockbits;
|
||||
offset = EXT4_GOOD_OLD_INODE_SIZE +
|
||||
EXT4_I(inode)->i_extra_isize;
|
||||
physical += offset;
|
||||
@@ -4613,7 +4613,7 @@ static int ext4_xattr_fiemap(struct inode *inode,
|
||||
flags |= FIEMAP_EXTENT_DATA_INLINE;
|
||||
brelse(iloc.bh);
|
||||
} else { /* external block */
|
||||
- physical = EXT4_I(inode)->i_file_acl << blockbits;
|
||||
+ physical = (__u64)EXT4_I(inode)->i_file_acl << blockbits;
|
||||
length = inode->i_sb->s_blocksize;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From aeb72ff4b7fe084b4373d4a91d77d3bea8089627 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Fri, 31 May 2013 19:39:56 -0400
|
||||
Subject: [PATCH 4/4] ext4: fix overflow when counting used blocks on 32-bit
|
||||
architectures
|
||||
|
||||
The arithmetics adding delalloc blocks to the number of used blocks in
|
||||
ext4_getattr() can easily overflow on 32-bit archs as we first multiply
|
||||
number of blocks by blocksize and then divide back by 512. Make the
|
||||
arithmetics more clever and also use proper type (unsigned long long
|
||||
instead of unsigned long).
|
||||
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/inode.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
|
||||
index d69e954..e33e2d2 100644
|
||||
--- a/fs/ext4/inode.c
|
||||
+++ b/fs/ext4/inode.c
|
||||
@@ -4616,7 +4616,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
|
||||
struct kstat *stat)
|
||||
{
|
||||
struct inode *inode;
|
||||
- unsigned long delalloc_blocks;
|
||||
+ unsigned long long delalloc_blocks;
|
||||
|
||||
inode = dentry->d_inode;
|
||||
generic_fillattr(inode, stat);
|
||||
@@ -4634,7 +4634,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
|
||||
delalloc_blocks = EXT4_C2B(EXT4_SB(inode->i_sb),
|
||||
EXT4_I(inode)->i_reserved_data_blocks);
|
||||
|
||||
- stat->blocks += (delalloc_blocks << inode->i_sb->s_blocksize_bits)>>9;
|
||||
+ stat->blocks += delalloc_blocks << (inode->i_sb->s_blocksize_bits-9);
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -1,56 +0,0 @@
|
|||
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
|
||||
|
||||
When a queue is disabled, it frees all its entries. Later,
|
||||
the op_mode might still get notifications from the firmware
|
||||
that triggers to free entries in the tx queue. The transport
|
||||
should be prepared for these races and know to ignore
|
||||
reclaim calls on queues that have been disabled and whose
|
||||
entries have been freed.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
---
|
||||
drivers/net/wireless/iwlwifi/pcie/tx.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c
|
||||
index cb5c679..faaf77c 100644
|
||||
--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
|
||||
+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
|
||||
@@ -578,9 +578,12 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id)
|
||||
|
||||
spin_lock_bh(&txq->lock);
|
||||
while (q->write_ptr != q->read_ptr) {
|
||||
+ IWL_DEBUG_TX_REPLY(trans, "Q %d Free %d\n",
|
||||
+ txq_id, q->read_ptr);
|
||||
iwl_pcie_txq_free_tfd(trans, txq);
|
||||
q->read_ptr = iwl_queue_inc_wrap(q->read_ptr, q->n_bd);
|
||||
}
|
||||
+ txq->active = false;
|
||||
spin_unlock_bh(&txq->lock);
|
||||
}
|
||||
|
||||
@@ -929,6 +932,12 @@ void iwl_trans_pcie_reclaim(struct iwl_trans *trans, int txq_id, int ssn,
|
||||
|
||||
spin_lock_bh(&txq->lock);
|
||||
|
||||
+ if (!txq->active) {
|
||||
+ IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n",
|
||||
+ txq_id, ssn);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
if (txq->q.read_ptr == tfd_num)
|
||||
goto out;
|
||||
|
||||
@@ -1105,6 +1114,7 @@ void iwl_trans_pcie_txq_enable(struct iwl_trans *trans, int txq_id, int fifo,
|
||||
(fifo << SCD_QUEUE_STTS_REG_POS_TXF) |
|
||||
(1 << SCD_QUEUE_STTS_REG_POS_WSL) |
|
||||
SCD_QUEUE_STTS_REG_MSK);
|
||||
+ trans_pcie->txq[txq_id].active = true;
|
||||
IWL_DEBUG_TX_QUEUES(trans, "Activate queue %d on FIFO %d WrPtr: %d\n",
|
||||
txq_id, fifo, ssn & 0xff);
|
||||
}
|
||||
--
|
||||
1.7.11.7
|
|
@ -1,35 +0,0 @@
|
|||
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
|
||||
|
||||
When the queue is unmapped while it was so loaded that
|
||||
mac80211's was stopped, we need to wake the queue after
|
||||
having freed all the packets in the queue.
|
||||
Not doing so can result in weird stuff like:
|
||||
|
||||
* run lots of traffic (mac80211's queue gets stopped)
|
||||
* RFKILL
|
||||
* de-assert RFKILL
|
||||
* no traffic
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
---
|
||||
drivers/net/wireless/iwlwifi/pcie/tx.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c
|
||||
index faaf77c..4e7b8d4 100644
|
||||
--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
|
||||
+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
|
||||
@@ -585,6 +585,9 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id)
|
||||
}
|
||||
txq->active = false;
|
||||
spin_unlock_bh(&txq->lock);
|
||||
+
|
||||
+ /* just in case - this queue may have been stopped */
|
||||
+ iwl_wake_queue(trans, txq);
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
1.7.11.7
|
19
kernel.spec
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 1
|
||||
%define stable_update 2
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -747,9 +747,6 @@ Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
|
|||
|
||||
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||
|
||||
Patch25050: iwlwifi-pcie-fix-race-in-queue-unmapping.patch
|
||||
Patch25051: iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch
|
||||
|
||||
#rhbz 903741
|
||||
Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
|
||||
|
||||
|
@ -775,10 +772,7 @@ Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch
|
|||
#rhbz 885407
|
||||
Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
|
||||
|
||||
#rhbz 976837
|
||||
Patch25065: fix-ext4-overflows.patch
|
||||
|
||||
Patch26000: cve-2013-4125.patch
|
||||
Patch26000: cve-2013-4125.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
|
@ -1475,9 +1469,6 @@ ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
|
|||
|
||||
ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||
|
||||
ApplyPatch iwlwifi-pcie-fix-race-in-queue-unmapping.patch
|
||||
ApplyPatch iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch
|
||||
|
||||
#rhbz 903741
|
||||
ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
|
||||
|
||||
|
@ -1502,9 +1493,6 @@ ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch
|
|||
#rhbz 885407
|
||||
ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
|
||||
|
||||
#rhbz 976837
|
||||
ApplyPatch fix-ext4-overflows.patch
|
||||
|
||||
ApplyPatch cve-2013-4125.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
@ -2315,6 +2303,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Jul 22 2013 Justin M. Forbes <jforbes@redhat.com> 3.10.2-300
|
||||
- Linux v3.10.2
|
||||
|
||||
* Fri Jul 19 2013 Dave Jones <davej@redhat.com>
|
||||
- CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664)
|
||||
|
||||
|
|
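Review bot: The new `%changelog` entry for 3.10.2-300 records only `- Linux v3.10.2`, while this section also appears to drop three carried patches from both the `Patch` and `ApplyPatch` lists: the two iwlwifi-pcie patches and `fix-ext4-overflows.patch` together with its `#rhbz 976837` comment. The +/- markers are lost in this rendering, so that reading is inferred from the hunk counts and from the patch files deleted earlier in the commit. Because the ext4 patch fixed offset overflows on 32-bit architectures, it is worth confirming that each dropped fix is actually present in the 3.10.2 stable tree before removing the local copy. If it is, the changelog should say so, for example `- Drop fix-ext4-overflows.patch (rhbz 976837) and the iwlwifi-pcie queue patches, included in 3.10.2`, so that someone auditing the package can see where those fixes now come from.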