Linux 2.6.34.8
parent
365577d418
commit
d9bdee82eb
@ -1,189 +0,0 @@
|
|||||||
From c41d68a513c71e35a14f66d71782d27a79a81ea6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: H. Peter Anvin <hpa@linux.intel.com>
|
|
||||||
Date: Tue, 7 Sep 2010 16:16:18 -0700
|
|
||||||
Subject: [PATCH] compat: Make compat_alloc_user_space() incorporate the access_ok()
|
|
||||||
|
|
||||||
compat_alloc_user_space() expects the caller to independently call
|
|
||||||
access_ok() to verify the returned area. A missing call could
|
|
||||||
introduce problems on some architectures.
|
|
||||||
|
|
||||||
This patch incorporates the access_ok() check into
|
|
||||||
compat_alloc_user_space() and also adds a sanity check on the length.
|
|
||||||
The existing compat_alloc_user_space() implementations are renamed
|
|
||||||
arch_compat_alloc_user_space() and are used as part of the
|
|
||||||
implementation of the new global function.
|
|
||||||
|
|
||||||
This patch assumes NULL will cause __get_user()/__put_user() to either
|
|
||||||
fail or access userspace on all architectures. This should be
|
|
||||||
followed by checking the return value of compat_access_user_space()
|
|
||||||
for NULL in the callers, at which time the access_ok() in the callers
|
|
||||||
can also be removed.
|
|
||||||
|
|
||||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
|
||||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
|
||||||
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
|
|
||||||
Acked-by: Chris Metcalf <cmetcalf@tilera.com>
|
|
||||||
Acked-by: David S. Miller <davem@davemloft.net>
|
|
||||||
Acked-by: Ingo Molnar <mingo@elte.hu>
|
|
||||||
Acked-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Acked-by: Tony Luck <tony.luck@intel.com>
|
|
||||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
|
||||||
Cc: Arnd Bergmann <arnd@arndb.de>
|
|
||||||
Cc: Fenghua Yu <fenghua.yu@intel.com>
|
|
||||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
|
||||||
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
|
|
||||||
Cc: Helge Deller <deller@gmx.de>
|
|
||||||
Cc: James Bottomley <jejb@parisc-linux.org>
|
|
||||||
Cc: Kyle McMartin <kyle@mcmartin.ca>
|
|
||||||
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
|
||||||
Cc: Paul Mackerras <paulus@samba.org>
|
|
||||||
Cc: Ralf Baechle <ralf@linux-mips.org>
|
|
||||||
Cc: <stable@kernel.org>
|
|
||||||
---
|
|
||||||
arch/ia64/include/asm/compat.h | 2 +-
|
|
||||||
arch/mips/include/asm/compat.h | 2 +-
|
|
||||||
arch/parisc/include/asm/compat.h | 2 +-
|
|
||||||
arch/powerpc/include/asm/compat.h | 2 +-
|
|
||||||
arch/s390/include/asm/compat.h | 2 +-
|
|
||||||
arch/sparc/include/asm/compat.h | 2 +-
|
|
||||||
arch/x86/include/asm/compat.h | 2 +-
|
|
||||||
include/linux/compat.h | 3 +++
|
|
||||||
kernel/compat.c | 21 +++++++++++++++++++++
|
|
||||||
10 files changed, 32 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h
|
|
||||||
index f90edc8..9301a28 100644
|
|
||||||
--- a/arch/ia64/include/asm/compat.h
|
|
||||||
+++ b/arch/ia64/include/asm/compat.h
|
|
||||||
@@ -199,7 +199,7 @@ ptr_to_compat(void __user *uptr)
|
|
||||||
}
|
|
||||||
|
|
||||||
static __inline__ void __user *
|
|
||||||
-compat_alloc_user_space (long len)
|
|
||||||
+arch_compat_alloc_user_space (long len)
|
|
||||||
{
|
|
||||||
struct pt_regs *regs = task_pt_regs(current);
|
|
||||||
return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
|
|
||||||
diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h
|
|
||||||
index 613f691..dbc5106 100644
|
|
||||||
--- a/arch/mips/include/asm/compat.h
|
|
||||||
+++ b/arch/mips/include/asm/compat.h
|
|
||||||
@@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
|
||||||
return (u32)(unsigned long)uptr;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static inline void __user *compat_alloc_user_space(long len)
|
|
||||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
|
||||||
{
|
|
||||||
struct pt_regs *regs = (struct pt_regs *)
|
|
||||||
((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
|
|
||||||
diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h
|
|
||||||
index 02b77ba..efa0b60 100644
|
|
||||||
--- a/arch/parisc/include/asm/compat.h
|
|
||||||
+++ b/arch/parisc/include/asm/compat.h
|
|
||||||
@@ -147,7 +147,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
|
||||||
return (u32)(unsigned long)uptr;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static __inline__ void __user *compat_alloc_user_space(long len)
|
|
||||||
+static __inline__ void __user *arch_compat_alloc_user_space(long len)
|
|
||||||
{
|
|
||||||
struct pt_regs *regs = ¤t->thread.regs;
|
|
||||||
return (void __user *)regs->gr[30];
|
|
||||||
diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h
|
|
||||||
index 396d21a..a11d4ea 100644
|
|
||||||
--- a/arch/powerpc/include/asm/compat.h
|
|
||||||
+++ b/arch/powerpc/include/asm/compat.h
|
|
||||||
@@ -134,7 +134,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
|
||||||
return (u32)(unsigned long)uptr;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static inline void __user *compat_alloc_user_space(long len)
|
|
||||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
|
||||||
{
|
|
||||||
struct pt_regs *regs = current->thread.regs;
|
|
||||||
unsigned long usp = regs->gpr[1];
|
|
||||||
diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
|
|
||||||
index 104f200..a875c2f 100644
|
|
||||||
--- a/arch/s390/include/asm/compat.h
|
|
||||||
+++ b/arch/s390/include/asm/compat.h
|
|
||||||
@@ -181,7 +181,7 @@ static inline int is_compat_task(void)
|
|
||||||
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-static inline void __user *compat_alloc_user_space(long len)
|
|
||||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
|
||||||
{
|
|
||||||
unsigned long stack;
|
|
||||||
|
|
||||||
diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h
|
|
||||||
index 5016f76..6f57325 100644
|
|
||||||
--- a/arch/sparc/include/asm/compat.h
|
|
||||||
+++ b/arch/sparc/include/asm/compat.h
|
|
||||||
@@ -167,7 +167,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
|
||||||
return (u32)(unsigned long)uptr;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static inline void __user *compat_alloc_user_space(long len)
|
|
||||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
|
||||||
{
|
|
||||||
struct pt_regs *regs = current_thread_info()->kregs;
|
|
||||||
unsigned long usp = regs->u_regs[UREG_I6];
|
|
||||||
diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
|
|
||||||
index 306160e..1d9cd27 100644
|
|
||||||
--- a/arch/x86/include/asm/compat.h
|
|
||||||
+++ b/arch/x86/include/asm/compat.h
|
|
||||||
@@ -205,7 +205,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
|
||||||
return (u32)(unsigned long)uptr;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static inline void __user *compat_alloc_user_space(long len)
|
|
||||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
|
||||||
{
|
|
||||||
struct pt_regs *regs = task_pt_regs(current);
|
|
||||||
return (void __user *)regs->sp - len;
|
|
||||||
diff --git a/include/linux/compat.h b/include/linux/compat.h
|
|
||||||
index 9ddc878..5778b55 100644
|
|
||||||
--- a/include/linux/compat.h
|
|
||||||
+++ b/include/linux/compat.h
|
|
||||||
@@ -360,5 +360,8 @@ extern ssize_t compat_rw_copy_check_uvector(int type,
|
|
||||||
const struct compat_iovec __user *uvector, unsigned long nr_segs,
|
|
||||||
unsigned long fast_segs, struct iovec *fast_pointer,
|
|
||||||
struct iovec **ret_pointer);
|
|
||||||
+
|
|
||||||
+extern void __user *compat_alloc_user_space(unsigned long len);
|
|
||||||
+
|
|
||||||
#endif /* CONFIG_COMPAT */
|
|
||||||
#endif /* _LINUX_COMPAT_H */
|
|
||||||
diff --git a/kernel/compat.c b/kernel/compat.c
|
|
||||||
index e167efc..c9e2ec0 100644
|
|
||||||
--- a/kernel/compat.c
|
|
||||||
+++ b/kernel/compat.c
|
|
||||||
@@ -1126,3 +1126,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info)
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Allocate user-space memory for the duration of a single system call,
|
|
||||||
+ * in order to marshall parameters inside a compat thunk.
|
|
||||||
+ */
|
|
||||||
+void __user *compat_alloc_user_space(unsigned long len)
|
|
||||||
+{
|
|
||||||
+ void __user *ptr;
|
|
||||||
+
|
|
||||||
+ /* If len would occupy more than half of the entire compat space... */
|
|
||||||
+ if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ ptr = arch_compat_alloc_user_space(len);
|
|
||||||
+
|
|
||||||
+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ return ptr;
|
|
||||||
+}
|
|
||||||
+EXPORT_SYMBOL_GPL(compat_alloc_user_space);
|
|
||||||
--
|
|
||||||
1.7.2.3
|
|
||||||
|
|
@ -1,97 +0,0 @@
|
|||||||
From 36d001c70d8a0144ac1d038f6876c484849a74de Mon Sep 17 00:00:00 2001
|
|
||||||
From: H. Peter Anvin <hpa@linux.intel.com>
|
|
||||||
Date: Tue, 14 Sep 2010 12:42:41 -0700
|
|
||||||
Subject: [PATCH] x86-64, compat: Test %rax for the syscall number, not %eax
|
|
||||||
|
|
||||||
On 64 bits, we always, by necessity, jump through the system call
|
|
||||||
table via %rax. For 32-bit system calls, in theory the system call
|
|
||||||
number is stored in %eax, and the code was testing %eax for a valid
|
|
||||||
system call number. At one point we loaded the stored value back from
|
|
||||||
the stack to enforce zero-extension, but that was removed in checkin
|
|
||||||
d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process
|
|
||||||
will not be able to introduce a non-zero-extended number, but it can
|
|
||||||
happen via ptrace.
|
|
||||||
|
|
||||||
Instead of re-introducing the zero-extension, test what we are
|
|
||||||
actually going to use, i.e. %rax. This only adds a handful of REX
|
|
||||||
prefixes to the code.
|
|
||||||
|
|
||||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
|
||||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
|
||||||
Cc: <stable@kernel.org>
|
|
||||||
Cc: Roland McGrath <roland@redhat.com>
|
|
||||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/ia32/ia32entry.S | 14 +++++++-------
|
|
||||||
1 files changed, 7 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
|
|
||||||
index b86feab..84e3a4e 100644
|
|
||||||
--- a/arch/x86/ia32/ia32entry.S
|
|
||||||
+++ b/arch/x86/ia32/ia32entry.S
|
|
||||||
@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
|
|
||||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
|
||||||
CFI_REMEMBER_STATE
|
|
||||||
jnz sysenter_tracesys
|
|
||||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
|
||||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
|
||||||
ja ia32_badsys
|
|
||||||
sysenter_do_call:
|
|
||||||
IA32_ARG_FIXUP
|
|
||||||
@@ -195,7 +195,7 @@ sysexit_from_sys_call:
|
|
||||||
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
|
|
||||||
call audit_syscall_entry
|
|
||||||
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
|
|
||||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
|
||||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
|
||||||
ja ia32_badsys
|
|
||||||
movl %ebx,%edi /* reload 1st syscall arg */
|
|
||||||
movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */
|
|
||||||
@@ -248,7 +248,7 @@ sysenter_tracesys:
|
|
||||||
call syscall_trace_enter
|
|
||||||
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
|
|
||||||
RESTORE_REST
|
|
||||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
|
||||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
|
||||||
ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
|
|
||||||
jmp sysenter_do_call
|
|
||||||
CFI_ENDPROC
|
|
||||||
@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
|
|
||||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
|
||||||
CFI_REMEMBER_STATE
|
|
||||||
jnz cstar_tracesys
|
|
||||||
- cmpl $IA32_NR_syscalls-1,%eax
|
|
||||||
+ cmpq $IA32_NR_syscalls-1,%rax
|
|
||||||
ja ia32_badsys
|
|
||||||
cstar_do_call:
|
|
||||||
IA32_ARG_FIXUP 1
|
|
||||||
@@ -367,7 +367,7 @@ cstar_tracesys:
|
|
||||||
LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
|
|
||||||
RESTORE_REST
|
|
||||||
xchgl %ebp,%r9d
|
|
||||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
|
||||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
|
||||||
ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
|
|
||||||
jmp cstar_do_call
|
|
||||||
END(ia32_cstar_target)
|
|
||||||
@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
|
|
||||||
orl $TS_COMPAT,TI_status(%r10)
|
|
||||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
|
||||||
jnz ia32_tracesys
|
|
||||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
|
||||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
|
||||||
ja ia32_badsys
|
|
||||||
ia32_do_call:
|
|
||||||
IA32_ARG_FIXUP
|
|
||||||
@@ -444,7 +444,7 @@ ia32_tracesys:
|
|
||||||
call syscall_trace_enter
|
|
||||||
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
|
|
||||||
RESTORE_REST
|
|
||||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
|
||||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
|
||||||
ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
|
|
||||||
jmp ia32_do_call
|
|
||||||
END(ia32_syscall)
|
|
||||||
--
|
|
||||||
1.7.2.3
|
|
||||||
|
|
@ -1,49 +0,0 @@
|
|||||||
From eefdca043e8391dcd719711716492063030b55ac Mon Sep 17 00:00:00 2001
|
|
||||||
From: Roland McGrath <roland@redhat.com>
|
|
||||||
Date: Tue, 14 Sep 2010 12:22:58 -0700
|
|
||||||
Subject: [PATCH] x86-64, compat: Retruncate rax after ia32 syscall entry tracing
|
|
||||||
|
|
||||||
In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
|
|
||||||
32-bit tracee in system call entry. A %rax value set via ptrace at the
|
|
||||||
entry tracing stop gets used whole as a 32-bit syscall number, while we
|
|
||||||
only check the low 32 bits for validity.
|
|
||||||
|
|
||||||
Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
|
|
||||||
in addition to testing the full 64 bits as has already been added.
|
|
||||||
|
|
||||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
|
||||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
|
||||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
|
||||||
---
|
|
||||||
arch/x86/ia32/ia32entry.S | 8 +++++++-
|
|
||||||
1 files changed, 7 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
|
|
||||||
index 84e3a4e..518bb99 100644
|
|
||||||
--- a/arch/x86/ia32/ia32entry.S
|
|
||||||
+++ b/arch/x86/ia32/ia32entry.S
|
|
||||||
@@ -50,7 +50,12 @@
|
|
||||||
/*
|
|
||||||
* Reload arg registers from stack in case ptrace changed them.
|
|
||||||
* We don't reload %eax because syscall_trace_enter() returned
|
|
||||||
- * the value it wants us to use in the table lookup.
|
|
||||||
+ * the %rax value we should see. Instead, we just truncate that
|
|
||||||
+ * value to 32 bits again as we did on entry from user mode.
|
|
||||||
+ * If it's a new value set by user_regset during entry tracing,
|
|
||||||
+ * this matches the normal truncation of the user-mode value.
|
|
||||||
+ * If it's -1 to make us punt the syscall, then (u32)-1 is still
|
|
||||||
+ * an appropriately invalid value.
|
|
||||||
*/
|
|
||||||
.macro LOAD_ARGS32 offset, _r9=0
|
|
||||||
.if \_r9
|
|
||||||
@@ -60,6 +65,7 @@
|
|
||||||
movl \offset+48(%rsp),%edx
|
|
||||||
movl \offset+56(%rsp),%esi
|
|
||||||
movl \offset+64(%rsp),%edi
|
|
||||||
+ movl %eax,%eax /* zero extension */
|
|
||||||
.endm
|
|
||||||
|
|
||||||
.macro CFI_STARTPROC32 simple
|
|
||||||
--
|
|
||||||
1.7.2.3
|
|
||||||
|
|
@ -1,47 +0,0 @@
|
|||||||
From 75e1c70fc31490ef8a373ea2a4bea2524099b478 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jeff Moyer <jmoyer@redhat.com>
|
|
||||||
Date: Fri, 10 Sep 2010 14:16:00 -0700
|
|
||||||
Subject: [PATCH] aio: check for multiplication overflow in do_io_submit
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=utf8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Tavis Ormandy pointed out that do_io_submit does not do proper bounds
|
|
||||||
checking on the passed-in iocb array:
|
|
||||||
|
|
||||||
    if (unlikely(nr < 0))
|
|
||||||
        return -EINVAL;
|
|
||||||
|
|
||||||
    if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
|
|
||||||
        return -EFAULT;            ^^^^^^^^^^^^^^^^^^
|
|
||||||
|
|
||||||
The attached patch checks for overflow, and if it is detected, the
|
|
||||||
number of iocbs submitted is scaled down to a number that will fit in
|
|
||||||
the long. Â This is an ok thing to do, as sys_io_submit is documented as
|
|
||||||
returning the number of iocbs submitted, so callers should handle a
|
|
||||||
return value of less than the 'nr' argument passed in.
|
|
||||||
|
|
||||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
|
||||||
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
fs/aio.c | 3 +++
|
|
||||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/fs/aio.c b/fs/aio.c
|
|
||||||
index 3006b5b..1320b2a 100644
|
|
||||||
--- a/fs/aio.c
|
|
||||||
+++ b/fs/aio.c
|
|
||||||
@@ -1659,6 +1659,9 @@ long do_io_submit(aio_context_t ctx_id, long nr,
|
|
||||||
if (unlikely(nr < 0))
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
+ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
|
|
||||||
+ nr = LONG_MAX/sizeof(*iocbpp);
|
|
||||||
+
|
|
||||||
if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
|
|
||||||
return -EFAULT;
|
|
||||||
|
|
||||||
--
|
|
||||||
1.7.2.3
|
|
||||||
|
|
@ -1,46 +0,0 @@
|
|||||||
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
|
||||||
Date: Tue, 28 Sep 2010 18:18:20 +0000 (-0400)
|
|
||||||
Subject: ALSA: prevent heap corruption in snd_ctl_new()
|
|
||||||
X-Git-Tag: v2.6.36-rc7~12^2~1
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftiwai%2Fsound-2.6.git;a=commitdiff_plain;h=5591bf07225523600450edd9e6ad258bb877b779
|
|
||||||
|
|
||||||
ALSA: prevent heap corruption in snd_ctl_new()
|
|
||||||
|
|
||||||
The snd_ctl_new() function in sound/core/control.c allocates space for a
|
|
||||||
snd_kcontrol struct by performing arithmetic operations on a
|
|
||||||
user-provided size without checking for integer overflow. If a user
|
|
||||||
provides a large enough size, an overflow will occur, the allocated
|
|
||||||
chunk will be too small, and a second user-influenced value will be
|
|
||||||
written repeatedly past the bounds of this chunk. This code is
|
|
||||||
reachable by unprivileged users who have permission to open
|
|
||||||
a /dev/snd/controlC* device (on many distros, this is group "audio") via
|
|
||||||
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
|
|
||||||
|
|
||||||
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
|
||||||
Cc: <stable@kernel.org>
|
|
||||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/sound/core/control.c b/sound/core/control.c
|
|
||||||
index 070aab4..45a8180 100644
|
|
||||||
--- a/sound/core/control.c
|
|
||||||
+++ b/sound/core/control.c
|
|
||||||
@@ -31,6 +31,7 @@
|
|
||||||
|
|
||||||
/* max number of user-defined controls */
|
|
||||||
#define MAX_USER_CONTROLS 32
|
|
||||||
+#define MAX_CONTROL_COUNT 1028
|
|
||||||
|
|
||||||
struct snd_kctl_ioctl {
|
|
||||||
struct list_head list; /* list of all ioctls */
|
|
||||||
@@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
|
|
||||||
|
|
||||||
if (snd_BUG_ON(!control || !control->count))
|
|
||||||
return NULL;
|
|
||||||
+
|
|
||||||
+ if (control->count > MAX_CONTROL_COUNT)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
|
|
||||||
if (kctl == NULL) {
|
|
||||||
snd_printk(KERN_ERR "Cannot allocate control instance\n");
|
|
@ -1,53 +0,0 @@
|
|||||||
From: Takashi Iwai <tiwai@suse.de>
|
|
||||||
Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
|
|
||||||
Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
|
|
||||||
|
|
||||||
ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
|
||||||
|
|
||||||
The error handling in snd_seq_oss_open() has several bad codes that
|
|
||||||
do dereferecing released pointers and double-free of kmalloc'ed data.
|
|
||||||
The object dp is release in free_devinfo() that is called via
|
|
||||||
private_free callback. The rest shouldn't touch this object any more.
|
|
||||||
|
|
||||||
The patch changes delete_port() to call kfree() in any case, and gets
|
|
||||||
rid of unnecessary calls of destructors in snd_seq_oss_open().
|
|
||||||
|
|
||||||
Fixes CVE-2010-3080.
|
|
||||||
|
|
||||||
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
|
||||||
Cc: <stable@kernel.org>
|
|
||||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
|
|
||||||
index 6857122..69cd7b3 100644
|
|
||||||
--- a/sound/core/seq/oss/seq_oss_init.c
|
|
||||||
+++ b/sound/core/seq/oss/seq_oss_init.c
|
|
||||||
@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
_error:
|
|
||||||
- snd_seq_oss_writeq_delete(dp->writeq);
|
|
||||||
- snd_seq_oss_readq_delete(dp->readq);
|
|
||||||
snd_seq_oss_synth_cleanup(dp);
|
|
||||||
snd_seq_oss_midi_cleanup(dp);
|
|
||||||
- delete_port(dp);
|
|
||||||
delete_seq_queue(dp->queue);
|
|
||||||
- kfree(dp);
|
|
||||||
+ delete_port(dp);
|
|
||||||
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
|
|
||||||
static int
|
|
||||||
delete_port(struct seq_oss_devinfo *dp)
|
|
||||||
{
|
|
||||||
- if (dp->port < 0)
|
|
||||||
+ if (dp->port < 0) {
|
|
||||||
+ kfree(dp);
|
|
||||||
return 0;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
debug_printk(("delete_port %i\n", dp->port));
|
|
||||||
return snd_seq_event_port_detach(dp->cseq, dp->port);
|
|
@ -1,47 +0,0 @@
|
|||||||
From: Chuck Ebbert <cebbert@redhat.com>
|
|
||||||
|
|
||||||
CIFS: Fix DNS resolver build
|
|
||||||
|
|
||||||
In file included from fs/cifs/dns_resolve.c:29:
|
|
||||||
fs/cifs/dns_resolve.h:27: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'cifs_init_dns_resolver'
|
|
||||||
|
|
||||||
Just remove the __init and __exit attributes from the init and exit
|
|
||||||
functions. __exit was removed upstream in 51c20fcced5badee0e2021c6c89f44aa3cbd72aa
|
|
||||||
anyway, and there's no point trying to save every byte by fixing
|
|
||||||
this properly.
|
|
||||||
|
|
||||||
Signed-Off-By: Chuck Ebbert <cebbert@redhat.com>
|
|
||||||
|
|
||||||
--- a/fs/cifs/dns_resolve.c
|
|
||||||
+++ b/fs/cifs/dns_resolve.c
|
|
||||||
@@ -176,7 +176,7 @@ out:
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int __init cifs_init_dns_resolver(void)
|
|
||||||
+int cifs_init_dns_resolver(void)
|
|
||||||
{
|
|
||||||
struct cred *cred;
|
|
||||||
struct key *keyring;
|
|
||||||
@@ -226,7 +226,7 @@ failed_put_cred:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-void __exit cifs_exit_dns_resolver(void)
|
|
||||||
+void cifs_exit_dns_resolver(void)
|
|
||||||
{
|
|
||||||
key_revoke(dns_resolver_cache->thread_keyring);
|
|
||||||
unregister_key_type(&key_type_dns_resolver);
|
|
||||||
--- a/fs/cifs/dns_resolve.h
|
|
||||||
+++ b/fs/cifs/dns_resolve.h
|
|
||||||
@@ -24,8 +24,8 @@
|
|
||||||
#define _DNS_RESOLVE_H
|
|
||||||
|
|
||||||
#ifdef __KERNEL__
|
|
||||||
-extern int __init cifs_init_dns_resolver(void);
|
|
||||||
-extern void __exit cifs_exit_dns_resolver(void);
|
|
||||||
+extern int cifs_init_dns_resolver(void);
|
|
||||||
+extern void cifs_exit_dns_resolver(void);
|
|
||||||
extern int dns_resolve_server_name_to_ip(const char *unc, char **ip_addr);
|
|
||||||
#endif /* KERNEL */
|
|
||||||
|
|
@ -1,78 +0,0 @@
|
|||||||
From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Date: Fri, 15 Oct 2010 11:09:28 -0700
|
|
||||||
Subject: [PATCH] De-pessimize rds_page_copy_user
|
|
||||||
|
|
||||||
Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and
|
|
||||||
the unsafe atomic user mode accessor functions. It's actually slower
|
|
||||||
than the straightforward code on any reasonable modern CPU.
|
|
||||||
|
|
||||||
Back when the code was written (although probably not by the time it was
|
|
||||||
actually merged, though), 32-bit x86 may have been the dominant
|
|
||||||
architecture. And there kmap_atomic() can be a lot faster than kmap()
|
|
||||||
(unless you have very good locality, in which case the virtual address
|
|
||||||
caching by kmap() can overcome all the downsides).
|
|
||||||
|
|
||||||
But these days, x86-64 may not be more populous, but it's getting there
|
|
||||||
(and if you care about performance, it's definitely already there -
|
|
||||||
you'd have upgraded your CPU's already in the last few years). And on
|
|
||||||
x86-64, the non-kmap_atomic() version is faster, simply because the code
|
|
||||||
is simpler and doesn't have the "re-try page fault" case.
|
|
||||||
|
|
||||||
People with old hardware are not likely to care about RDS anyway, and
|
|
||||||
the optimization for the 32-bit case is simply buggy, since it doesn't
|
|
||||||
verify the user addresses properly.
|
|
||||||
|
|
||||||
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
|
||||||
Acked-by: Andrew Morton <akpm@linux-foundation.org>
|
|
||||||
Cc: stable@kernel.org
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
net/rds/page.c | 27 +++++++--------------------
|
|
||||||
1 files changed, 7 insertions(+), 20 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/net/rds/page.c b/net/rds/page.c
|
|
||||||
index 595a952..1dfbfea 100644
|
|
||||||
--- a/net/rds/page.c
|
|
||||||
+++ b/net/rds/page.c
|
|
||||||
@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page, unsigned long offset,
|
|
||||||
unsigned long ret;
|
|
||||||
void *addr;
|
|
||||||
|
|
||||||
- if (to_user)
|
|
||||||
+ addr = kmap(page);
|
|
||||||
+ if (to_user) {
|
|
||||||
rds_stats_add(s_copy_to_user, bytes);
|
|
||||||
- else
|
|
||||||
+ ret = copy_to_user(ptr, addr + offset, bytes);
|
|
||||||
+ } else {
|
|
||||||
rds_stats_add(s_copy_from_user, bytes);
|
|
||||||
-
|
|
||||||
- addr = kmap_atomic(page, KM_USER0);
|
|
||||||
- if (to_user)
|
|
||||||
- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
|
|
||||||
- else
|
|
||||||
- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
|
|
||||||
- kunmap_atomic(addr, KM_USER0);
|
|
||||||
-
|
|
||||||
- if (ret) {
|
|
||||||
- addr = kmap(page);
|
|
||||||
- if (to_user)
|
|
||||||
- ret = copy_to_user(ptr, addr + offset, bytes);
|
|
||||||
- else
|
|
||||||
- ret = copy_from_user(addr + offset, ptr, bytes);
|
|
||||||
- kunmap(page);
|
|
||||||
- if (ret)
|
|
||||||
- return -EFAULT;
|
|
||||||
+ ret = copy_from_user(addr + offset, ptr, bytes);
|
|
||||||
}
|
|
||||||
+ kunmap(page);
|
|
||||||
|
|
||||||
- return 0;
|
|
||||||
+ return ret ? -EFAULT : 0;
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(rds_page_copy_user);
|
|
||||||
|
|
||||||
--
|
|
||||||
1.7.3.2
|
|
||||||
|
|
@ -202,7 +202,6 @@ Date: Fri May 21 11:14:52 2010 -0700
|
|||||||
8e36ed0 drm/radeon/kms: hpd cleanup
|
8e36ed0 drm/radeon/kms: hpd cleanup
|
||||||
2bfcc0f drm/radeon/kms: reset ddc_bus in object header parsing
|
2bfcc0f drm/radeon/kms: reset ddc_bus in object header parsing
|
||||||
6fd0248 amd64-agp: Probe unknown AGP devices the right way
|
6fd0248 amd64-agp: Probe unknown AGP devices the right way
|
||||||
d831692 sis-agp: Remove SIS 760, handled by amd64-agp
|
|
||||||
26481fb drm/radeon/pm: fix device_create_file return value checks.
|
26481fb drm/radeon/pm: fix device_create_file return value checks.
|
||||||
4bff517 drm/radeon/kms/pm: fix r6xx+ profile setup
|
4bff517 drm/radeon/kms/pm: fix r6xx+ profile setup
|
||||||
ce8a3eb drm/radeon/kms/pm: make pm spam debug only
|
ce8a3eb drm/radeon/kms/pm: make pm spam debug only
|
||||||
@ -5815,21 +5814,6 @@ index 6c3837a..29aacd8 100644
|
|||||||
.configure = sis_configure,
|
.configure = sis_configure,
|
||||||
.fetch_size = sis_fetch_size,
|
.fetch_size = sis_fetch_size,
|
||||||
.cleanup = sis_cleanup,
|
.cleanup = sis_cleanup,
|
||||||
@@ -415,14 +416,6 @@ static struct pci_device_id agp_sis_pci_table[] = {
|
|
||||||
.subvendor = PCI_ANY_ID,
|
|
||||||
.subdevice = PCI_ANY_ID,
|
|
||||||
},
|
|
||||||
- {
|
|
||||||
- .class = (PCI_CLASS_BRIDGE_HOST << 8),
|
|
||||||
- .class_mask = ~0,
|
|
||||||
- .vendor = PCI_VENDOR_ID_SI,
|
|
||||||
- .device = PCI_DEVICE_ID_SI_760,
|
|
||||||
- .subvendor = PCI_ANY_ID,
|
|
||||||
- .subdevice = PCI_ANY_ID,
|
|
||||||
- },
|
|
||||||
{ }
|
|
||||||
};
|
|
||||||
|
|
||||||
diff --git a/drivers/char/agp/uninorth-agp.c b/drivers/char/agp/uninorth-agp.c
|
diff --git a/drivers/char/agp/uninorth-agp.c b/drivers/char/agp/uninorth-agp.c
|
||||||
index 6f48931..95db713 100644
|
index 6f48931..95db713 100644
|
||||||
--- a/drivers/char/agp/uninorth-agp.c
|
--- a/drivers/char/agp/uninorth-agp.c
|
||||||
|
@ -1,36 +0,0 @@
|
|||||||
From: Roland McGrath <roland@redhat.com>
|
|
||||||
Date: Wed, 8 Sep 2010 02:36:28 +0000 (-0700)
|
|
||||||
Subject: execve: improve interactivity with large arguments
|
|
||||||
X-Git-Tag: v2.6.36-rc4~13
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=7993bc1f4663c0db67bb8f0d98e6678145b387cd
|
|
||||||
|
|
||||||
execve: improve interactivity with large arguments
|
|
||||||
|
|
||||||
This adds a preemption point during the copying of the argument and
|
|
||||||
environment strings for execve, in copy_strings(). There is already
|
|
||||||
a preemption point in the count() loop, so this doesn't add any new
|
|
||||||
points in the abstract sense.
|
|
||||||
|
|
||||||
When the total argument+environment strings are very large, the time
|
|
||||||
spent copying them can be much more than a normal user time slice.
|
|
||||||
So this change improves the interactivity of the rest of the system
|
|
||||||
when one process is doing an execve with very large arguments.
|
|
||||||
|
|
||||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
|
||||||
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/fs/exec.c b/fs/exec.c
|
|
||||||
index 1b63237..6f2d777 100644
|
|
||||||
--- a/fs/exec.c
|
|
||||||
+++ b/fs/exec.c
|
|
||||||
@@ -419,6 +419,8 @@ static int copy_strings(int argc, const char __user *const __user *argv,
|
|
||||||
while (len > 0) {
|
|
||||||
int offset, bytes_to_copy;
|
|
||||||
|
|
||||||
+ cond_resched();
|
|
||||||
+
|
|
||||||
offset = pos % PAGE_SIZE;
|
|
||||||
if (offset == 0)
|
|
||||||
offset = PAGE_SIZE;
|
|
@ -1,51 +0,0 @@
|
|||||||
From: Roland McGrath <roland@redhat.com>
|
|
||||||
Date: Wed, 8 Sep 2010 02:37:06 +0000 (-0700)
|
|
||||||
Subject: execve: make responsive to SIGKILL with large arguments
|
|
||||||
X-Git-Tag: v2.6.36-rc4~12
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9aea5a65aa7a1af9a4236dfaeb0088f1624f9919
|
|
||||||
|
|
||||||
execve: make responsive to SIGKILL with large arguments
|
|
||||||
|
|
||||||
An execve with a very large total of argument/environment strings
|
|
||||||
can take a really long time in the execve system call. It runs
|
|
||||||
uninterruptibly to count and copy all the strings. This change
|
|
||||||
makes it abort the exec quickly if sent a SIGKILL.
|
|
||||||
|
|
||||||
Note that this is the conservative change, to interrupt only for
|
|
||||||
SIGKILL, by using fatal_signal_pending(). It would be perfectly
|
|
||||||
correct semantics to let any signal interrupt the string-copying in
|
|
||||||
execve, i.e. use signal_pending() instead of fatal_signal_pending().
|
|
||||||
We'll save that change for later, since it could have user-visible
|
|
||||||
consequences, such as having a timer set too quickly make it so that
|
|
||||||
an execve can never complete, though it always happened to work before.
|
|
||||||
|
|
||||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
|
||||||
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/fs/exec.c b/fs/exec.c
|
|
||||||
index 6f2d777..828dd24 100644
|
|
||||||
--- a/fs/exec.c
|
|
||||||
+++ b/fs/exec.c
|
|
||||||
@@ -376,6 +376,9 @@ static int count(const char __user * const __user * argv, int max)
|
|
||||||
argv++;
|
|
||||||
if (i++ >= max)
|
|
||||||
return -E2BIG;
|
|
||||||
+
|
|
||||||
+ if (fatal_signal_pending(current))
|
|
||||||
+ return -ERESTARTNOHAND;
|
|
||||||
cond_resched();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -419,6 +422,10 @@ static int copy_strings(int argc, const char __user *const __user *argv,
|
|
||||||
while (len > 0) {
|
|
||||||
int offset, bytes_to_copy;
|
|
||||||
|
|
||||||
+ if (fatal_signal_pending(current)) {
|
|
||||||
+ ret = -ERESTARTNOHAND;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
cond_resched();
|
|
||||||
|
|
||||||
offset = pos % PAGE_SIZE;
|
|
@ -1,41 +0,0 @@
|
|||||||
From: Dan Carpenter <error27@gmail.com>
|
|
||||||
Date: Fri, 8 Oct 2010 07:03:07 +0000 (+0200)
|
|
||||||
Subject: [SCSI] gdth: integer overflow in ioctl
|
|
||||||
X-Git-Tag: v2.6.37-rc1~6^2~48
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f63ae56e4e97fb12053590e41a4fa59e7daa74a4
|
|
||||||
|
|
||||||
[SCSI] gdth: integer overflow in ioctl
|
|
||||||
|
|
||||||
gdth_ioctl_alloc() takes the size variable as an int.
|
|
||||||
copy_from_user() takes the size variable as an unsigned long.
|
|
||||||
gen.data_len and gen.sense_len are unsigned longs.
|
|
||||||
On x86_64 longs are 64 bit and ints are 32 bit.
|
|
||||||
|
|
||||||
We could pass in a very large number and the allocation would truncate
|
|
||||||
the size to 32 bits and allocate a small buffer. Then when we do the
|
|
||||||
copy_from_user(), it would result in a memory corruption.
|
|
||||||
|
|
||||||
CC: stable@kernel.org
|
|
||||||
Signed-off-by: Dan Carpenter <error27@gmail.com>
|
|
||||||
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
|
|
||||||
index 5a3f931..8411018 100644
|
|
||||||
--- a/drivers/scsi/gdth.c
|
|
||||||
+++ b/drivers/scsi/gdth.c
|
|
||||||
@@ -4177,6 +4177,14 @@ static int ioc_general(void __user *arg, char *cmnd)
|
|
||||||
ha = gdth_find_ha(gen.ionode);
|
|
||||||
if (!ha)
|
|
||||||
return -EFAULT;
|
|
||||||
+
|
|
||||||
+ if (gen.data_len > INT_MAX)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+ if (gen.sense_len > INT_MAX)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+ if (gen.data_len + gen.sense_len > INT_MAX)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+
|
|
||||||
if (gen.data_len + gen.sense_len != 0) {
|
|
||||||
if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
|
|
||||||
FALSE, &paddr)))
|
|
@ -1,25 +0,0 @@
|
|||||||
#607327
|
|
||||||
|
|
||||||
During the large inotify rewrite to fsnotify I completely dropped support
|
|
||||||
for IN_ONESHOT. Reimplement that support.
|
|
||||||
|
|
||||||
Signed-off-by: Eric Paris <eparis@redhat.com>
|
|
||||||
---
|
|
||||||
|
|
||||||
fs/notify/inotify/inotify_fsnotify.c | 3 +++
|
|
||||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
|
|
||||||
index daa666a..388a150 100644
|
|
||||||
--- a/fs/notify/inotify/inotify_fsnotify.c
|
|
||||||
+++ b/fs/notify/inotify/inotify_fsnotify.c
|
|
||||||
@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
|
|
||||||
ret = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (entry->mask & IN_ONESHOT)
|
|
||||||
+ fsnotify_destroy_mark_by_entry(entry);
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* If we hold the entry until after the event is on the queue
|
|
||||||
* IN_IGNORED won't be able to pass this event in the queue
|
|
@ -1,29 +0,0 @@
|
|||||||
#607327 ?
|
|
||||||
|
|
||||||
Since the .31 or so notify rewrite inotify has not sent events about
|
|
||||||
inodes which are unmounted. This patch restores those events.
|
|
||||||
|
|
||||||
Signed-off-by: Eric Paris <eparis@redhat.com>
|
|
||||||
---
|
|
||||||
|
|
||||||
fs/notify/inotify/inotify_user.c | 7 +++++--
|
|
||||||
1 files changed, 5 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
|
|
||||||
index 44aeb0f..f381daf 100644
|
|
||||||
--- a/fs/notify/inotify/inotify_user.c
|
|
||||||
+++ b/fs/notify/inotify/inotify_user.c
|
|
||||||
@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
|
|
||||||
{
|
|
||||||
__u32 mask;
|
|
||||||
|
|
||||||
- /* everything should accept their own ignored and cares about children */
|
|
||||||
- mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
|
|
||||||
+ /*
|
|
||||||
+ * everything should accept their own ignored, cares about children,
|
|
||||||
+ * and should receive events when the inode is unmounted
|
|
||||||
+ */
|
|
||||||
+ mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
|
|
||||||
|
|
||||||
/* mask off the flags used to open the fd */
|
|
||||||
mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));
|
|
@ -1,35 +0,0 @@
|
|||||||
From: David S. Miller <davem@davemloft.net>
|
|
||||||
Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
|
|
||||||
Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
|
|
||||||
|
|
||||||
irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
|
||||||
|
|
||||||
If irda_open_tsap() fails, the irda_bind() code tries to destroy
|
|
||||||
the ->ias_obj object by hand, but does so wrongly.
|
|
||||||
|
|
||||||
In particular, it fails to a) release the hashbin attached to the
|
|
||||||
object and b) reset the self->ias_obj pointer to NULL.
|
|
||||||
|
|
||||||
Fix both problems by using irias_delete_object() and explicitly
|
|
||||||
setting self->ias_obj to NULL, just as irda_release() does.
|
|
||||||
|
|
||||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
|
|
||||||
index 79986a6..fd55b51 100644
|
|
||||||
--- a/net/irda/af_irda.c
|
|
||||||
+++ b/net/irda/af_irda.c
|
|
||||||
@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
|
|
||||||
|
|
||||||
err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
|
|
||||||
if (err < 0) {
|
|
||||||
- kfree(self->ias_obj->name);
|
|
||||||
- kfree(self->ias_obj);
|
|
||||||
+ irias_delete_object(self->ias_obj);
|
|
||||||
+ self->ias_obj = NULL;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
170
kernel.spec
@ -48,7 +48,7 @@ Summary: The Linux kernel
|
|||||||
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
|
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
|
||||||
# scripts/rebase.sh should be made to do that for you, actually.
|
# scripts/rebase.sh should be made to do that for you, actually.
|
||||||
#
|
#
|
||||||
%global baserelease 66
|
%global baserelease 67
|
||||||
%global fedora_build %{baserelease}
|
%global fedora_build %{baserelease}
|
||||||
|
|
||||||
# base_sublevel is the kernel version we're starting with and patching
|
# base_sublevel is the kernel version we're starting with and patching
|
||||||
@ -60,7 +60,7 @@ Summary: The Linux kernel
|
|||||||
%if 0%{?released_kernel}
|
%if 0%{?released_kernel}
|
||||||
|
|
||||||
# Do we have a -stable update to apply?
|
# Do we have a -stable update to apply?
|
||||||
%define stable_update 7
|
%define stable_update 8
|
||||||
# Is it a -stable RC?
|
# Is it a -stable RC?
|
||||||
%define stable_rc 0
|
%define stable_rc 0
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
@ -611,13 +611,6 @@ Patch23: linux-2.6-utrace-ptrace.patch
|
|||||||
|
|
||||||
Patch50: linux-2.6-x86-cfi_sections.patch
|
Patch50: linux-2.6-x86-cfi_sections.patch
|
||||||
|
|
||||||
# CVE-2010-3301, CVE-2010-3081
|
|
||||||
Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
|
||||||
Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
|
||||||
Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
|
||||||
# CVE-2010-3067
|
|
||||||
Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
|
||||||
|
|
||||||
Patch144: linux-2.6-vio-modalias.patch
|
Patch144: linux-2.6-vio-modalias.patch
|
||||||
|
|
||||||
Patch150: linux-2.6.29-sparc-IOC_TYPECHECK.patch
|
Patch150: linux-2.6.29-sparc-IOC_TYPECHECK.patch
|
||||||
@ -772,14 +765,10 @@ Patch12035: quiet-prove_RCU-in-cgroups.patch
|
|||||||
Patch12040: iwlwifi-manage-QoS-by-mac-stack.patch
|
Patch12040: iwlwifi-manage-QoS-by-mac-stack.patch
|
||||||
Patch12042: mac80211-explicitly-disable-enable-QoS.patch
|
Patch12042: mac80211-explicitly-disable-enable-QoS.patch
|
||||||
|
|
||||||
Patch12250: inotify-fix-inotify-oneshot-support.patch
|
|
||||||
Patch12260: inotify-send-IN_UNMOUNT-events.patch
|
|
||||||
|
|
||||||
Patch12270: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
Patch12270: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||||
|
|
||||||
Patch12400: input-synaptics-relax-capability-id-checks-on-new-hardware.patch
|
Patch12400: input-synaptics-relax-capability-id-checks-on-new-hardware.patch
|
||||||
|
|
||||||
Patch12410: cifs-fix-dns-resolver.patch
|
|
||||||
Patch12430: cred-dont-resurrect-dead-credentials.patch
|
Patch12430: cred-dont-resurrect-dead-credentials.patch
|
||||||
|
|
||||||
Patch12440: direct-io-move-aio_complete-into-end_io.patch
|
Patch12440: direct-io-move-aio_complete-into-end_io.patch
|
||||||
@ -790,42 +779,11 @@ Patch12470: drivers-hwmon-coretemp-c-detect-the-thermal-sensors-by-cpuid.patch
|
|||||||
Patch12480: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
|
Patch12480: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
|
||||||
|
|
||||||
Patch12490: dell-wmi-add-support-for-eject-key.patch
|
Patch12490: dell-wmi-add-support-for-eject-key.patch
|
||||||
Patch12500: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
|
||||||
Patch12510: wireless-extensions-fix-kernel-heap-content-leak.patch
|
|
||||||
|
|
||||||
Patch12517: flexcop-fix-xlate_proc_name-warning.patch
|
Patch12517: flexcop-fix-xlate_proc_name-warning.patch
|
||||||
|
|
||||||
Patch12520: acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch
|
Patch12520: acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch
|
||||||
Patch12521: nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
|
Patch12521: nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
|
||||||
Patch12522: keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
|
|
||||||
Patch12523: keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
|
|
||||||
|
|
||||||
Patch12530: pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch
|
|
||||||
Patch12531: pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch
|
|
||||||
|
|
||||||
Patch12532: x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch
|
|
||||||
# fix bug caused by above patch
|
|
||||||
Patch12533: x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch
|
|
||||||
|
|
||||||
# Mitigate DOS with large argument lists.
|
|
||||||
Patch12540: execve-improve-interactivity-with-large-arguments.patch
|
|
||||||
Patch12541: execve-make-responsive-to-sigkill-with-large-arguments.patch
|
|
||||||
Patch12542: setup_arg_pages-diagnose-excessive-argument-size.patch
|
|
||||||
|
|
||||||
# CVE-2010-3080
|
|
||||||
Patch12550: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
|
||||||
|
|
||||||
# CVE-2010-3079
|
|
||||||
Patch12560: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
|
||||||
|
|
||||||
Patch12570: sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch
|
|
||||||
|
|
||||||
# bz 636534
|
|
||||||
Patch12580: xen-handle-events-as-edge-triggered.patch
|
|
||||||
Patch12581: xen-use-percpu-interrupts-for-ipis-and-virqs.patch
|
|
||||||
|
|
||||||
# CVE-2010-3432
|
|
||||||
Patch12590: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
|
|
||||||
|
|
||||||
#Bonding sysfs WARN_ON (bz 604630)
|
#Bonding sysfs WARN_ON (bz 604630)
|
||||||
Patch12591: linux-2.6-bonding-sysfs-warning.patch
|
Patch12591: linux-2.6-bonding-sysfs-warning.patch
|
||||||
@ -833,9 +791,6 @@ Patch12591: linux-2.6-bonding-sysfs-warning.patch
|
|||||||
#twsock rcu warning fix (bz 642905)
|
#twsock rcu warning fix (bz 642905)
|
||||||
Patch12592: linux-2.6-twsock-rcu-lockdep-warn.patch
|
Patch12592: linux-2.6-twsock-rcu-lockdep-warn.patch
|
||||||
|
|
||||||
Patch13635: r8169-fix-dma-allocations.patch
|
|
||||||
Patch13636: skge-quirk-to-4gb-dma.patch
|
|
||||||
|
|
||||||
Patch13637: dmar-disable-when-ricoh-multifunction.patch
|
Patch13637: dmar-disable-when-ricoh-multifunction.patch
|
||||||
|
|
||||||
Patch13640: mmc-SDHCI_INT_DATA_MASK-typo-error.patch
|
Patch13640: mmc-SDHCI_INT_DATA_MASK-typo-error.patch
|
||||||
@ -843,9 +798,6 @@ Patch13641: mmc-add-ricoh-e822-pci-id.patch
|
|||||||
Patch13642: mmc-make-sdhci-work-with-ricoh-mmc-controller.patch
|
Patch13642: mmc-make-sdhci-work-with-ricoh-mmc-controller.patch
|
||||||
Patch13643: sdhci-8-bit-data-transfer-width-support.patch
|
Patch13643: sdhci-8-bit-data-transfer-width-support.patch
|
||||||
|
|
||||||
# CVE-2010-3904
|
|
||||||
Patch13645: depessimize-rds_copy_page_user.patch
|
|
||||||
|
|
||||||
Patch13646: rt2x00-disable-auto-wakeup-before-waking-up-device.patch
|
Patch13646: rt2x00-disable-auto-wakeup-before-waking-up-device.patch
|
||||||
Patch13647: rt2x00-fix-failed-SLEEP-AWAKE-and-AWAKE-SLEEP-transitions.patch
|
Patch13647: rt2x00-fix-failed-SLEEP-AWAKE-and-AWAKE-SLEEP-transitions.patch
|
||||||
|
|
||||||
@ -861,8 +813,6 @@ Patch13705: netlink-make-nlmsg_find_attr-take-a-const-ptr.patch
|
|||||||
# CVE-2010-4248
|
# CVE-2010-4248
|
||||||
Patch13703: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
Patch13703: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
||||||
|
|
||||||
Patch13704: via-ioctl-prevent-reading-uninit-memory.patch
|
|
||||||
|
|
||||||
Patch13710: rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
|
Patch13710: rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
|
||||||
Patch13711: rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
|
Patch13711: rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
|
||||||
|
|
||||||
@ -883,14 +833,8 @@ Patch13900: ima-allow-it-to-be-completely-disabled-and-default-off.patch
|
|||||||
|
|
||||||
Patch13901: ioat2-catch-and-recover-from-broken-vtd-configurations.patch
|
Patch13901: ioat2-catch-and-recover-from-broken-vtd-configurations.patch
|
||||||
|
|
||||||
# CVE-2010-2963
|
|
||||||
Patch13910: v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
|
||||||
# CVE-2010-3698
|
|
||||||
Patch13911: kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
|
||||||
# CVE-2010-3705
|
# CVE-2010-3705
|
||||||
Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
||||||
# CVE-2010-3442
|
|
||||||
Patch13913: alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
|
||||||
# CVE-2010-4258
|
# CVE-2010-4258
|
||||||
Patch13914: do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
|
Patch13914: do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
|
||||||
# CVE-2010-4169
|
# CVE-2010-4169
|
||||||
@ -900,8 +844,6 @@ Patch13916: bio-take-care-not-overflow-page-count-when-mapping-copying-user-data
|
|||||||
# CVE-2010-4249
|
# CVE-2010-4249
|
||||||
Patch13917: af_unix-limit-unix_tot_inflight.patch
|
Patch13917: af_unix-limit-unix_tot_inflight.patch
|
||||||
Patch13918: scm-lower-SCM-MAX-FD.patch
|
Patch13918: scm-lower-SCM-MAX-FD.patch
|
||||||
# CVE-2010-4157
|
|
||||||
Patch13919: gdth-integer-overflow-in-ioctl.patch
|
|
||||||
# CVE-2010-4158
|
# CVE-2010-4158
|
||||||
Patch13920: filter-make-sure-filters-dont-read-uninitialized-memory.patch
|
Patch13920: filter-make-sure-filters-dont-read-uninitialized-memory.patch
|
||||||
# CVE-2010-3874
|
# CVE-2010-3874
|
||||||
@ -1373,9 +1315,6 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
|
|||||||
ApplyPatch linux-2.6-x86-cfi_sections.patch
|
ApplyPatch linux-2.6-x86-cfi_sections.patch
|
||||||
|
|
||||||
# CVE-2010-3301, CVE-2010-3081
|
# CVE-2010-3301, CVE-2010-3081
|
||||||
ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
|
||||||
ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
|
||||||
ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Intel IOMMU
|
# Intel IOMMU
|
||||||
@ -1400,7 +1339,6 @@ ApplyPatch linux-2.6-execshield.patch
|
|||||||
#
|
#
|
||||||
# bugfixes to drivers and filesystems
|
# bugfixes to drivers and filesystems
|
||||||
#
|
#
|
||||||
ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
|
||||||
|
|
||||||
# ext4
|
# ext4
|
||||||
|
|
||||||
@ -1601,19 +1539,12 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch
|
|||||||
|
|
||||||
ApplyPatch quiet-prove_RCU-in-cgroups.patch
|
ApplyPatch quiet-prove_RCU-in-cgroups.patch
|
||||||
|
|
||||||
# fix broken oneshot support and missing umount events (#607327)
|
|
||||||
ApplyPatch inotify-fix-inotify-oneshot-support.patch
|
|
||||||
ApplyPatch inotify-send-IN_UNMOUNT-events.patch
|
|
||||||
|
|
||||||
# 610911
|
# 610911
|
||||||
ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||||
|
|
||||||
# fix newer synaptics touchpads not being recognized
|
# fix newer synaptics touchpads not being recognized
|
||||||
ApplyPatch input-synaptics-relax-capability-id-checks-on-new-hardware.patch
|
ApplyPatch input-synaptics-relax-capability-id-checks-on-new-hardware.patch
|
||||||
|
|
||||||
# Remove __init and __exit attributes from resolver code
|
|
||||||
ApplyPatch cifs-fix-dns-resolver.patch
|
|
||||||
|
|
||||||
# RHBZ #591015
|
# RHBZ #591015
|
||||||
ApplyPatch cred-dont-resurrect-dead-credentials.patch
|
ApplyPatch cred-dont-resurrect-dead-credentials.patch
|
||||||
|
|
||||||
@ -1631,12 +1562,6 @@ ApplyPatch kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
|
|||||||
# bz #513530
|
# bz #513530
|
||||||
ApplyPatch dell-wmi-add-support-for-eject-key.patch
|
ApplyPatch dell-wmi-add-support-for-eject-key.patch
|
||||||
|
|
||||||
# cve-2010-2954
|
|
||||||
ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
|
||||||
|
|
||||||
# cve-2010-2955
|
|
||||||
ApplyPatch wireless-extensions-fix-kernel-heap-content-leak.patch
|
|
||||||
|
|
||||||
# bz #575873
|
# bz #575873
|
||||||
ApplyPatch flexcop-fix-xlate_proc_name-warning.patch
|
ApplyPatch flexcop-fix-xlate_proc_name-warning.patch
|
||||||
|
|
||||||
@ -1646,51 +1571,12 @@ ApplyPatch acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch
|
|||||||
# this went in 2.6.35-stable
|
# this went in 2.6.35-stable
|
||||||
ApplyPatch nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
|
ApplyPatch nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
|
||||||
|
|
||||||
# CVE-2010-2960
|
|
||||||
ApplyPatch keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
|
|
||||||
ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
|
|
||||||
|
|
||||||
# more suspend/resume fixes form 2.6.32 / 2.6.35 queue
|
|
||||||
# Fix unsafe access to MSI registers during suspend
|
|
||||||
ApplyPatch pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch
|
|
||||||
ApplyPatch pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch
|
|
||||||
# Fix scheduler load balancing after suspend/resume cycle
|
|
||||||
ApplyPatch x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch
|
|
||||||
# fix bug caused by above patch
|
|
||||||
ApplyPatch x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch
|
|
||||||
|
|
||||||
# Mitigate DOS with large argument lists.
|
|
||||||
ApplyPatch execve-improve-interactivity-with-large-arguments.patch
|
|
||||||
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
|
|
||||||
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
|
|
||||||
|
|
||||||
# CVE-2010-3080
|
|
||||||
ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
|
||||||
|
|
||||||
# CVE-2010-3079
|
|
||||||
ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
|
||||||
|
|
||||||
# BZ 633037
|
|
||||||
ApplyPatch sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch
|
|
||||||
|
|
||||||
# BZ 636534
|
|
||||||
ApplyPatch xen-handle-events-as-edge-triggered.patch
|
|
||||||
ApplyPatch xen-use-percpu-interrupts-for-ipis-and-virqs.patch
|
|
||||||
|
|
||||||
# CVE-2010-3432
|
|
||||||
ApplyPatch sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
|
|
||||||
|
|
||||||
# BZ 604630
|
# BZ 604630
|
||||||
ApplyPatch linux-2.6-bonding-sysfs-warning.patch
|
ApplyPatch linux-2.6-bonding-sysfs-warning.patch
|
||||||
|
|
||||||
# BZ 642905
|
# BZ 642905
|
||||||
ApplyPatch linux-2.6-twsock-rcu-lockdep-warn.patch
|
ApplyPatch linux-2.6-twsock-rcu-lockdep-warn.patch
|
||||||
|
|
||||||
# rhbz#629158
|
|
||||||
ApplyPatch r8169-fix-dma-allocations.patch
|
|
||||||
# rhbz#447489
|
|
||||||
ApplyPatch skge-quirk-to-4gb-dma.patch
|
|
||||||
|
|
||||||
# rhbz#605888
|
# rhbz#605888
|
||||||
ApplyPatch dmar-disable-when-ricoh-multifunction.patch
|
ApplyPatch dmar-disable-when-ricoh-multifunction.patch
|
||||||
|
|
||||||
@ -1699,8 +1585,6 @@ ApplyPatch sdhci-8-bit-data-transfer-width-support.patch
|
|||||||
ApplyPatch mmc-make-sdhci-work-with-ricoh-mmc-controller.patch
|
ApplyPatch mmc-make-sdhci-work-with-ricoh-mmc-controller.patch
|
||||||
ApplyPatch mmc-add-ricoh-e822-pci-id.patch
|
ApplyPatch mmc-add-ricoh-e822-pci-id.patch
|
||||||
|
|
||||||
ApplyPatch depessimize-rds_copy_page_user.patch
|
|
||||||
|
|
||||||
ApplyPatch tpm-autodetect-itpm-devices.patch
|
ApplyPatch tpm-autodetect-itpm-devices.patch
|
||||||
# rhbz#530393
|
# rhbz#530393
|
||||||
ApplyPatch tpm-fix-stall-on-boot.patch
|
ApplyPatch tpm-fix-stall-on-boot.patch
|
||||||
@ -1721,9 +1605,6 @@ ApplyPatch netlink-make-nlmsg_find_attr-take-a-const-ptr.patch
|
|||||||
# rhbz#656264 (CVE-2010-4248)
|
# rhbz#656264 (CVE-2010-4248)
|
||||||
ApplyPatch posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
ApplyPatch posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
||||||
|
|
||||||
# rhbz#648671 (CVE-2010-4082)
|
|
||||||
ApplyPatch via-ioctl-prevent-reading-uninit-memory.patch
|
|
||||||
|
|
||||||
ApplyPatch rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
|
ApplyPatch rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
|
||||||
ApplyPatch rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
|
ApplyPatch rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
|
||||||
|
|
||||||
@ -1749,14 +1630,8 @@ ApplyPatch ima-allow-it-to-be-completely-disabled-and-default-off.patch
|
|||||||
# rhbz605845 [556ab45f]
|
# rhbz605845 [556ab45f]
|
||||||
ApplyPatch ioat2-catch-and-recover-from-broken-vtd-configurations.patch
|
ApplyPatch ioat2-catch-and-recover-from-broken-vtd-configurations.patch
|
||||||
|
|
||||||
# CVE-2010-2963
|
|
||||||
ApplyPatch v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
|
||||||
# CVE-2010-3698
|
|
||||||
ApplyPatch kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
|
||||||
# CVE-2010-3705
|
# CVE-2010-3705
|
||||||
ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
||||||
# CVE-2010-3442
|
|
||||||
ApplyPatch alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
|
||||||
# CVE-2010-4258
|
# CVE-2010-4258
|
||||||
ApplyPatch do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
|
ApplyPatch do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
|
||||||
# CVE-2010-4169
|
# CVE-2010-4169
|
||||||
@ -1766,8 +1641,6 @@ ApplyPatch bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.
|
|||||||
# CVE-2010-4249
|
# CVE-2010-4249
|
||||||
ApplyPatch af_unix-limit-unix_tot_inflight.patch
|
ApplyPatch af_unix-limit-unix_tot_inflight.patch
|
||||||
ApplyPatch scm-lower-SCM-MAX-FD.patch
|
ApplyPatch scm-lower-SCM-MAX-FD.patch
|
||||||
# CVE-2010-4157
|
|
||||||
ApplyPatch gdth-integer-overflow-in-ioctl.patch
|
|
||||||
# CVE-2010-4158
|
# CVE-2010-4158
|
||||||
ApplyPatch filter-make-sure-filters-dont-read-uninitialized-memory.patch
|
ApplyPatch filter-make-sure-filters-dont-read-uninitialized-memory.patch
|
||||||
# CVE-2010-3874
|
# CVE-2010-3874
|
||||||
@ -2430,6 +2303,45 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Feb 05 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||||
|
- Linux 2.6.34.8
|
||||||
|
- Drop merged patches:
|
||||||
|
01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||||
|
02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||||
|
03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||||
|
aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||||
|
cifs-fix-dns-resolver.patch
|
||||||
|
inotify-fix-inotify-oneshot-support.patch
|
||||||
|
inotify-send-IN_UNMOUNT-events.patch
|
||||||
|
irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||||
|
keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
|
||||||
|
keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
|
||||||
|
wireless-extensions-fix-kernel-heap-content-leak.patch
|
||||||
|
pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch
|
||||||
|
pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch
|
||||||
|
x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch
|
||||||
|
x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch
|
||||||
|
execve-improve-interactivity-with-large-arguments.patch
|
||||||
|
execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||||
|
setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||||
|
alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||||
|
tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||||
|
sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch
|
||||||
|
xen-handle-events-as-edge-triggered.patch
|
||||||
|
xen-use-percpu-interrupts-for-ipis-and-virqs.patch
|
||||||
|
sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
|
||||||
|
r8169-fix-dma-allocations.patch
|
||||||
|
skge-quirk-to-4gb-dma.patch
|
||||||
|
depessimize-rds_copy_page_user.patch
|
||||||
|
via-ioctl-prevent-reading-uninit-memory.patch
|
||||||
|
v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
||||||
|
kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
||||||
|
alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
||||||
|
gdth-integer-overflow-in-ioctl.patch
|
||||||
|
- Drop from drm-next patch:
|
||||||
|
d831692 sis-agp: Remove SIS 760, handled by amd64-agp
|
||||||
|
- Drop hunk of quiet-prove_RCU-in-cgroups.patch, now upstream.
|
||||||
|
|
||||||
* Sun Jan 30 2011 Chuck Ebbert <cebbert@redhat.com>
|
* Sun Jan 30 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||||
- Copy sunrpc oops fix from F14
|
- Copy sunrpc oops fix from F14
|
||||||
|
|
||||||
|
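Review bot: In the `%prep` hunk that follows `ApplyPatch linux-2.6-x86-cfi_sections.patch`, the comment `# CVE-2010-3301, CVE-2010-3081` is kept as a context line while the three `ApplyPatch 0[1-3]-compat-*.patch` lines beneath it are removed, so the new spec carries a CVE label with no patch under it. The matching comment above `Patch100:` in the patch list is dropped together with its entries, so the two lists no longer agree. Either delete the leftover line too, or reword it to record where the fix now lives, e.g. `# CVE-2010-3301, CVE-2010-3081: merged in 2.6.34.8, patches dropped`, so that anyone auditing the spec for CVE coverage is not misled. Several other CVE-tagged patches are dropped on the strength of the changelog's "Drop merged patches" entry; the page does not show the 2.6.34.8 shortlog, so each one should be confirmed against it before the comment trail disappears.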
@ -1,57 +0,0 @@
|
|||||||
From: David Howells <dhowells@redhat.com>
|
|
||||||
Subject: [PATCH] KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
|
||||||
|
|
||||||
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
|
|
||||||
of the parent process's session keyring whether or not the parent has a session
|
|
||||||
keyring [CVE-2010-2960].
|
|
||||||
|
|
||||||
A program like the following:
|
|
||||||
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <keyutils.h>
|
|
||||||
int main(int argc, char **argv)
|
|
||||||
{
|
|
||||||
keyctl(KEYCTL_SESSION_TO_PARENT);
|
|
||||||
}
|
|
||||||
|
|
||||||
can be used to trigger the following bug report:
|
|
||||||
|
|
||||||
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
|
|
||||||
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
|
|
||||||
...
|
|
||||||
Call Trace:
|
|
||||||
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
|
|
||||||
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
|
|
||||||
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
|
|
||||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
|
||||||
|
|
||||||
if there is no parent process.
|
|
||||||
|
|
||||||
If the system is using pam_keyinit then it mostly protected against this as all
|
|
||||||
processes derived from a login will have inherited the session keyring created
|
|
||||||
by pam_keyinit during the log in procedure.
|
|
||||||
|
|
||||||
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
|
|
||||||
|
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
||||||
---
|
|
||||||
|
|
||||||
security/keys/keyctl.c | 3 ++-
|
|
||||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
|
||||||
index 3868c67..60924f6 100644
|
|
||||||
--- a/security/keys/keyctl.c
|
|
||||||
+++ b/security/keys/keyctl.c
|
|
||||||
@@ -1305,7 +1305,8 @@ long keyctl_session_to_parent(void)
|
|
||||||
goto not_permitted;
|
|
||||||
|
|
||||||
/* the keyrings must have the same UID */
|
|
||||||
- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
|
|
||||||
+ if ((pcred->tgcred->session_keyring &&
|
|
||||||
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
|
|
||||||
mycred->tgcred->session_keyring->uid != mycred->euid)
|
|
||||||
goto not_permitted;
|
|
||||||
|
|
||||||
|
|
@ -1,64 +0,0 @@
|
|||||||
From: David Howells <dhowells@redhat.com>
|
|
||||||
Subject: [PATCH] KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
|
|
||||||
|
|
||||||
There's an unprotected access to the parent process's credentials in the middle
|
|
||||||
of keyctl_session_to_parent(). This results in the following RCU warning:
|
|
||||||
|
|
||||||
===================================================
|
|
||||||
[ INFO: suspicious rcu_dereference_check() usage. ]
|
|
||||||
---------------------------------------------------
|
|
||||||
security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
|
|
||||||
|
|
||||||
other info that might help us debug this:
|
|
||||||
|
|
||||||
rcu_scheduler_active = 1, debug_locks = 0
|
|
||||||
1 lock held by keyctl-session-/2137:
|
|
||||||
#0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
|
|
||||||
|
|
||||||
stack backtrace:
|
|
||||||
Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
|
|
||||||
Call Trace:
|
|
||||||
[<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
|
|
||||||
[<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
|
|
||||||
[<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
|
|
||||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
|
||||||
|
|
||||||
The code should take the RCU read lock to make sure the parents credentials
|
|
||||||
don't go away, even though it's holding a spinlock and has IRQ disabled.
|
|
||||||
|
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
||||||
---
|
|
||||||
|
|
||||||
security/keys/keyctl.c | 3 +++
|
|
||||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
|
||||||
index b2b0998..3868c67 100644
|
|
||||||
--- a/security/keys/keyctl.c
|
|
||||||
+++ b/security/keys/keyctl.c
|
|
||||||
@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
|
|
||||||
keyring_r = NULL;
|
|
||||||
|
|
||||||
me = current;
|
|
||||||
+ rcu_read_lock();
|
|
||||||
write_lock_irq(&tasklist_lock);
|
|
||||||
|
|
||||||
parent = me->real_parent;
|
|
||||||
@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
|
|
||||||
set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
|
|
||||||
|
|
||||||
write_unlock_irq(&tasklist_lock);
|
|
||||||
+ rcu_read_unlock();
|
|
||||||
if (oldcred)
|
|
||||||
put_cred(oldcred);
|
|
||||||
return 0;
|
|
||||||
@@ -1327,6 +1329,7 @@ already_same:
|
|
||||||
ret = 0;
|
|
||||||
not_permitted:
|
|
||||||
write_unlock_irq(&tasklist_lock);
|
|
||||||
+ rcu_read_unlock();
|
|
||||||
put_cred(cred);
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
|
|
@ -1,164 +0,0 @@
|
|||||||
From: Avi Kivity <avi@redhat.com>
|
|
||||||
Date: Tue, 19 Oct 2010 14:46:55 +0000 (+0200)
|
|
||||||
Subject: KVM: Fix fs/gs reload oops with invalid ldt
|
|
||||||
X-Git-Tag: v2.6.36~4^2
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9581d442b9058d3699b4be568b6e5eae38a41493
|
|
||||||
|
|
||||||
KVM: Fix fs/gs reload oops with invalid ldt
|
|
||||||
|
|
||||||
kvm reloads the host's fs and gs blindly, however the underlying segment
|
|
||||||
descriptors may be invalid due to the user modifying the ldt after loading
|
|
||||||
them.
|
|
||||||
|
|
||||||
Fix by using the safe accessors (loadsegment() and load_gs_index()) instead
|
|
||||||
of home grown unsafe versions.
|
|
||||||
|
|
||||||
This is CVE-2010-3698.
|
|
||||||
|
|
||||||
KVM-Stable-Tag.
|
|
||||||
Signed-off-by: Avi Kivity <avi@redhat.com>
|
|
||||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
|
|
||||||
index 502e53f..c52e2eb 100644
|
|
||||||
--- a/arch/x86/include/asm/kvm_host.h
|
|
||||||
+++ b/arch/x86/include/asm/kvm_host.h
|
|
||||||
@@ -652,20 +652,6 @@ static inline struct kvm_mmu_page *page_header(hpa_t shadow_page)
|
|
||||||
return (struct kvm_mmu_page *)page_private(page);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static inline u16 kvm_read_fs(void)
|
|
||||||
-{
|
|
||||||
- u16 seg;
|
|
||||||
- asm("mov %%fs, %0" : "=g"(seg));
|
|
||||||
- return seg;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static inline u16 kvm_read_gs(void)
|
|
||||||
-{
|
|
||||||
- u16 seg;
|
|
||||||
- asm("mov %%gs, %0" : "=g"(seg));
|
|
||||||
- return seg;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static inline u16 kvm_read_ldt(void)
|
|
||||||
{
|
|
||||||
u16 ldt;
|
|
||||||
@@ -673,16 +659,6 @@ static inline u16 kvm_read_ldt(void)
|
|
||||||
return ldt;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static inline void kvm_load_fs(u16 sel)
|
|
||||||
-{
|
|
||||||
- asm("mov %0, %%fs" : : "rm"(sel));
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static inline void kvm_load_gs(u16 sel)
|
|
||||||
-{
|
|
||||||
- asm("mov %0, %%gs" : : "rm"(sel));
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static inline void kvm_load_ldt(u16 sel)
|
|
||||||
{
|
|
||||||
asm("lldt %0" : : "rm"(sel));
|
|
||||||
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
|
|
||||||
index 81ed28c..8a3f9f6 100644
|
|
||||||
--- a/arch/x86/kvm/svm.c
|
|
||||||
+++ b/arch/x86/kvm/svm.c
|
|
||||||
@@ -3163,8 +3163,8 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
|
|
||||||
sync_lapic_to_cr8(vcpu);
|
|
||||||
|
|
||||||
save_host_msrs(vcpu);
|
|
||||||
- fs_selector = kvm_read_fs();
|
|
||||||
- gs_selector = kvm_read_gs();
|
|
||||||
+ savesegment(fs, fs_selector);
|
|
||||||
+ savesegment(gs, gs_selector);
|
|
||||||
ldt_selector = kvm_read_ldt();
|
|
||||||
svm->vmcb->save.cr2 = vcpu->arch.cr2;
|
|
||||||
/* required for live migration with NPT */
|
|
||||||
@@ -3251,10 +3251,15 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
|
|
||||||
vcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp;
|
|
||||||
vcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip;
|
|
||||||
|
|
||||||
- kvm_load_fs(fs_selector);
|
|
||||||
- kvm_load_gs(gs_selector);
|
|
||||||
- kvm_load_ldt(ldt_selector);
|
|
||||||
load_host_msrs(vcpu);
|
|
||||||
+ loadsegment(fs, fs_selector);
|
|
||||||
+#ifdef CONFIG_X86_64
|
|
||||||
+ load_gs_index(gs_selector);
|
|
||||||
+ wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);
|
|
||||||
+#else
|
|
||||||
+ loadsegment(gs, gs_selector);
|
|
||||||
+#endif
|
|
||||||
+ kvm_load_ldt(ldt_selector);
|
|
||||||
|
|
||||||
reload_tss(vcpu);
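Review bot: The `wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);` that follows `load_gs_index(gs_selector);` carries no comment saying why it is needed, here and again in the `__vmx_load_host_state()` hunk of vmx.c, where the old comment about preserving the gs base is deleted together with the `local_irq_save()`/`local_irq_restore()` pair. Presumably reloading the user gs selector resets the user gs base, which then has to be restored from the task's saved value; I would state that at both sites with something like `/* reloading the gs selector clobbers the user gs base; restore it */`. This hunk also moves `load_host_msrs(vcpu)` ahead of the segment reloads and `kvm_load_ldt()` behind them, so a selector that refers to the LDT is resolved before the host LDT is back; if that ordering is intended, the same comment should say so. svm_vcpu_run() begins and ends outside the hunk.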
|
|
||||||
|
|
||||||
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
|
|
||||||
index 49b25ee..7bddfab 100644
|
|
||||||
--- a/arch/x86/kvm/vmx.c
|
|
||||||
+++ b/arch/x86/kvm/vmx.c
|
|
||||||
@@ -803,7 +803,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
|
|
||||||
*/
|
|
||||||
vmx->host_state.ldt_sel = kvm_read_ldt();
|
|
||||||
vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel;
|
|
||||||
- vmx->host_state.fs_sel = kvm_read_fs();
|
|
||||||
+ savesegment(fs, vmx->host_state.fs_sel);
|
|
||||||
if (!(vmx->host_state.fs_sel & 7)) {
|
|
||||||
vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel);
|
|
||||||
vmx->host_state.fs_reload_needed = 0;
|
|
||||||
@@ -811,7 +811,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
|
|
||||||
vmcs_write16(HOST_FS_SELECTOR, 0);
|
|
||||||
vmx->host_state.fs_reload_needed = 1;
|
|
||||||
}
|
|
||||||
- vmx->host_state.gs_sel = kvm_read_gs();
|
|
||||||
+ savesegment(gs, vmx->host_state.gs_sel);
|
|
||||||
if (!(vmx->host_state.gs_sel & 7))
|
|
||||||
vmcs_write16(HOST_GS_SELECTOR, vmx->host_state.gs_sel);
|
|
||||||
else {
|
|
||||||
@@ -841,27 +841,21 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
|
|
||||||
|
|
||||||
static void __vmx_load_host_state(struct vcpu_vmx *vmx)
|
|
||||||
{
|
|
||||||
- unsigned long flags;
|
|
||||||
-
|
|
||||||
if (!vmx->host_state.loaded)
|
|
||||||
return;
|
|
||||||
|
|
||||||
++vmx->vcpu.stat.host_state_reload;
|
|
||||||
vmx->host_state.loaded = 0;
|
|
||||||
if (vmx->host_state.fs_reload_needed)
|
|
||||||
- kvm_load_fs(vmx->host_state.fs_sel);
|
|
||||||
+ loadsegment(fs, vmx->host_state.fs_sel);
|
|
||||||
if (vmx->host_state.gs_ldt_reload_needed) {
|
|
||||||
kvm_load_ldt(vmx->host_state.ldt_sel);
|
|
||||||
- /*
|
|
||||||
- * If we have to reload gs, we must take care to
|
|
||||||
- * preserve our gs base.
|
|
||||||
- */
|
|
||||||
- local_irq_save(flags);
|
|
||||||
- kvm_load_gs(vmx->host_state.gs_sel);
|
|
||||||
#ifdef CONFIG_X86_64
|
|
||||||
- wrmsrl(MSR_GS_BASE, vmcs_readl(HOST_GS_BASE));
|
|
||||||
+ load_gs_index(vmx->host_state.gs_sel);
|
|
||||||
+ wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);
|
|
||||||
+#else
|
|
||||||
+ loadsegment(gs, vmx->host_state.gs_sel);
|
|
||||||
#endif
|
|
||||||
- local_irq_restore(flags);
|
|
||||||
}
|
|
||||||
reload_tss();
|
|
||||||
#ifdef CONFIG_X86_64
|
|
||||||
@@ -2589,8 +2583,8 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
|
|
||||||
vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */
|
|
||||||
vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */
|
|
||||||
vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */
|
|
||||||
- vmcs_write16(HOST_FS_SELECTOR, kvm_read_fs()); /* 22.2.4 */
|
|
||||||
- vmcs_write16(HOST_GS_SELECTOR, kvm_read_gs()); /* 22.2.4 */
|
|
||||||
+ vmcs_write16(HOST_FS_SELECTOR, 0); /* 22.2.4 */
|
|
||||||
+ vmcs_write16(HOST_GS_SELECTOR, 0); /* 22.2.4 */
|
|
||||||
vmcs_write16(HOST_SS_SELECTOR, __KERNEL_DS); /* 22.2.4 */
|
|
||||||
#ifdef CONFIG_X86_64
|
|
||||||
rdmsrl(MSR_FS_BASE, a);
|
|
@ -1,86 +0,0 @@
|
|||||||
From fcd097f31a6ee207cc0c3da9cccd2a86d4334785 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ben Hutchings <bhutchings@solarflare.com>
|
|
||||||
Date: Thu, 17 Jun 2010 20:16:36 +0100
|
|
||||||
Subject: PCI: MSI: Remove unsafe and unnecessary hardware access
|
|
||||||
|
|
||||||
From: Ben Hutchings <bhutchings@solarflare.com>
|
|
||||||
|
|
||||||
commit fcd097f31a6ee207cc0c3da9cccd2a86d4334785 upstream.
|
|
||||||
|
|
||||||
During suspend on an SMP system, {read,write}_msi_msg_desc() may be
|
|
||||||
called to mask and unmask interrupts on a device that is already in a
|
|
||||||
reduced power state. At this point memory-mapped registers including
|
|
||||||
MSI-X tables are not accessible, and config space may not be fully
|
|
||||||
functional either.
|
|
||||||
|
|
||||||
While a device is in a reduced power state its interrupts are
|
|
||||||
effectively masked and its MSI(-X) state will be restored when it is
|
|
||||||
brought back to D0. Therefore these functions can simply read and
|
|
||||||
write msi_desc::msg for devices not in D0.
|
|
||||||
|
|
||||||
Further, read_msi_msg_desc() should only ever be used to update a
|
|
||||||
previously written message, so it can always read msi_desc::msg
|
|
||||||
and never needs to touch the hardware.
|
|
||||||
|
|
||||||
Tested-by: "Michael Chan" <mchan@broadcom.com>
|
|
||||||
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
|
|
||||||
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
||||||
|
|
||||||
---
|
|
||||||
drivers/pci/msi.c | 36 ++++++++++++------------------------
|
|
||||||
1 file changed, 12 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
--- a/drivers/pci/msi.c
|
|
||||||
+++ b/drivers/pci/msi.c
|
|
||||||
@@ -195,30 +195,15 @@ void unmask_msi_irq(unsigned int irq)
|
|
||||||
void read_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg)
|
|
||||||
{
|
|
||||||
struct msi_desc *entry = get_irq_desc_msi(desc);
|
|
||||||
- if (entry->msi_attrib.is_msix) {
|
|
||||||
- void __iomem *base = entry->mask_base +
|
|
||||||
- entry->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE;
|
|
||||||
|
|
||||||
- msg->address_lo = readl(base + PCI_MSIX_ENTRY_LOWER_ADDR);
|
|
||||||
- msg->address_hi = readl(base + PCI_MSIX_ENTRY_UPPER_ADDR);
|
|
||||||
- msg->data = readl(base + PCI_MSIX_ENTRY_DATA);
|
|
||||||
- } else {
|
|
||||||
- struct pci_dev *dev = entry->dev;
|
|
||||||
- int pos = entry->msi_attrib.pos;
|
|
||||||
- u16 data;
|
|
||||||
-
|
|
||||||
- pci_read_config_dword(dev, msi_lower_address_reg(pos),
|
|
||||||
- &msg->address_lo);
|
|
||||||
- if (entry->msi_attrib.is_64) {
|
|
||||||
- pci_read_config_dword(dev, msi_upper_address_reg(pos),
|
|
||||||
- &msg->address_hi);
|
|
||||||
- pci_read_config_word(dev, msi_data_reg(pos, 1), &data);
|
|
||||||
- } else {
|
|
||||||
- msg->address_hi = 0;
|
|
||||||
- pci_read_config_word(dev, msi_data_reg(pos, 0), &data);
|
|
||||||
- }
|
|
||||||
- msg->data = data;
|
|
||||||
- }
|
|
||||||
+ /* We do not touch the hardware (which may not even be
|
|
||||||
+ * accessible at the moment) but return the last message
|
|
||||||
+ * written. Assert that this is valid, assuming that
|
|
||||||
+ * valid messages are not all-zeroes. */
|
|
||||||
+ BUG_ON(!(entry->msg.address_hi | entry->msg.address_lo |
|
|
||||||
+ entry->msg.data));
|
|
||||||
+
|
|
||||||
+ *msg = entry->msg;
|
|
||||||
}
|
|
||||||
|
|
||||||
void read_msi_msg(unsigned int irq, struct msi_msg *msg)
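Review bot: `BUG_ON(!(entry->msg.address_hi | entry->msg.address_lo | entry->msg.data));` turns a never-written cache into a kernel panic, and the comment above it concedes that the test rests on an assumption (valid messages are not all-zeroes). read_msi_msg_desc() now returns only the last message the kernel wrote, so any caller that reads before a write, for example a message programmed by firmware, will trip it. I would document that precondition in a comment on the function, or downgrade the assertion to `WARN_ON_ONCE(...)` and still copy the cached value. That way an ordering mistake in a driver or platform hook is reported without taking the machine down.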
|
|
||||||
@@ -231,7 +216,10 @@ void read_msi_msg(unsigned int irq, stru
|
|
||||||
void write_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg)
|
|
||||||
{
|
|
||||||
struct msi_desc *entry = get_irq_desc_msi(desc);
|
|
||||||
- if (entry->msi_attrib.is_msix) {
|
|
||||||
+
|
|
||||||
+ if (entry->dev->current_state != PCI_D0) {
|
|
||||||
+ /* Don't touch the hardware now */
|
|
||||||
+ } else if (entry->msi_attrib.is_msix) {
|
|
||||||
void __iomem *base;
|
|
||||||
base = entry->mask_base +
|
|
||||||
entry->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE;
|
|
@ -1,148 +0,0 @@
|
|||||||
From 30da55242818a8ca08583188ebcbaccd283ad4d9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ben Hutchings <bhutchings@solarflare.com>
|
|
||||||
Date: Fri, 23 Jul 2010 14:56:28 +0100
|
|
||||||
Subject: PCI: MSI: Restore read_msi_msg_desc(); add get_cached_msi_msg_desc()
|
|
||||||
|
|
||||||
From: Ben Hutchings <bhutchings@solarflare.com>
|
|
||||||
|
|
||||||
commit 30da55242818a8ca08583188ebcbaccd283ad4d9 upstream.
|
|
||||||
|
|
||||||
commit 2ca1af9aa3285c6a5f103ed31ad09f7399fc65d7 "PCI: MSI: Remove
|
|
||||||
unsafe and unnecessary hardware access" changed read_msi_msg_desc() to
|
|
||||||
return the last MSI message written instead of reading it from the
|
|
||||||
device, since it may be called while the device is in a reduced
|
|
||||||
power state.
|
|
||||||
|
|
||||||
However, the pSeries platform code really does need to read messages
|
|
||||||
from the device, since they are initially written by firmware.
|
|
||||||
Therefore:
|
|
||||||
- Restore the previous behaviour of read_msi_msg_desc()
|
|
||||||
- Add new functions get_cached_msi_msg{,_desc}() which return the
|
|
||||||
last MSI message written
|
|
||||||
- Use the new functions where appropriate
|
|
||||||
|
|
||||||
Acked-by: Michael Ellerman <michael@ellerman.id.au>
|
|
||||||
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
|
|
||||||
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
||||||
|
|
||||||
---
|
|
||||||
arch/ia64/kernel/msi_ia64.c | 2 -
|
|
||||||
arch/ia64/sn/kernel/msi_sn.c | 2 -
|
|
||||||
arch/x86/kernel/apic/io_apic.c | 2 -
|
|
||||||
drivers/pci/msi.c | 47 ++++++++++++++++++++++++++++++++++++-----
|
|
||||||
include/linux/msi.h | 2 +
|
|
||||||
5 files changed, 47 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/ia64/kernel/msi_ia64.c
|
|
||||||
+++ b/arch/ia64/kernel/msi_ia64.c
|
|
||||||
@@ -25,7 +25,7 @@ static int ia64_set_msi_irq_affinity(uns
|
|
||||||
if (irq_prepare_move(irq, cpu))
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
- read_msi_msg(irq, &msg);
|
|
||||||
+ get_cached_msi_msg(irq, &msg);
|
|
||||||
|
|
||||||
addr = msg.address_lo;
|
|
||||||
addr &= MSI_ADDR_DEST_ID_MASK;
|
|
||||||
--- a/arch/ia64/sn/kernel/msi_sn.c
|
|
||||||
+++ b/arch/ia64/sn/kernel/msi_sn.c
|
|
||||||
@@ -174,7 +174,7 @@ static int sn_set_msi_irq_affinity(unsig
|
|
||||||
* Release XIO resources for the old MSI PCI address
|
|
||||||
*/
|
|
||||||
|
|
||||||
- read_msi_msg(irq, &msg);
|
|
||||||
+ get_cached_msi_msg(irq, &msg);
|
|
||||||
sn_pdev = (struct pcidev_info *)sn_irq_info->irq_pciioinfo;
|
|
||||||
pdev = sn_pdev->pdi_linux_pcidev;
|
|
||||||
provider = SN_PCIDEV_BUSPROVIDER(pdev);
|
|
||||||
--- a/arch/x86/kernel/apic/io_apic.c
|
|
||||||
+++ b/arch/x86/kernel/apic/io_apic.c
|
|
||||||
@@ -3338,7 +3338,7 @@ static int set_msi_irq_affinity(unsigned
|
|
||||||
|
|
||||||
cfg = desc->chip_data;
|
|
||||||
|
|
||||||
- read_msi_msg_desc(desc, &msg);
|
|
||||||
+ get_cached_msi_msg_desc(desc, &msg);
|
|
||||||
|
|
||||||
msg.data &= ~MSI_DATA_VECTOR_MASK;
|
|
||||||
msg.data |= MSI_DATA_VECTOR(cfg->vector);
|
|
||||||
--- a/drivers/pci/msi.c
|
|
||||||
+++ b/drivers/pci/msi.c
|
|
||||||
@@ -196,9 +196,46 @@ void read_msi_msg_desc(struct irq_desc *
|
|
||||||
{
|
|
||||||
struct msi_desc *entry = get_irq_desc_msi(desc);
|
|
||||||
|
|
||||||
- /* We do not touch the hardware (which may not even be
|
|
||||||
- * accessible at the moment) but return the last message
|
|
||||||
- * written. Assert that this is valid, assuming that
|
|
||||||
+ BUG_ON(entry->dev->current_state != PCI_D0);
|
|
||||||
+
|
|
||||||
+ if (entry->msi_attrib.is_msix) {
|
|
||||||
+ void __iomem *base = entry->mask_base +
|
|
||||||
+ entry->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE;
|
|
||||||
+
|
|
||||||
+ msg->address_lo = readl(base + PCI_MSIX_ENTRY_LOWER_ADDR);
|
|
||||||
+ msg->address_hi = readl(base + PCI_MSIX_ENTRY_UPPER_ADDR);
|
|
||||||
+ msg->data = readl(base + PCI_MSIX_ENTRY_DATA);
|
|
||||||
+ } else {
|
|
||||||
+ struct pci_dev *dev = entry->dev;
|
|
||||||
+ int pos = entry->msi_attrib.pos;
|
|
||||||
+ u16 data;
|
|
||||||
+
|
|
||||||
+ pci_read_config_dword(dev, msi_lower_address_reg(pos),
|
|
||||||
+ &msg->address_lo);
|
|
||||||
+ if (entry->msi_attrib.is_64) {
|
|
||||||
+ pci_read_config_dword(dev, msi_upper_address_reg(pos),
|
|
||||||
+ &msg->address_hi);
|
|
||||||
+ pci_read_config_word(dev, msi_data_reg(pos, 1), &data);
|
|
||||||
+ } else {
|
|
||||||
+ msg->address_hi = 0;
|
|
||||||
+ pci_read_config_word(dev, msi_data_reg(pos, 0), &data);
|
|
||||||
+ }
|
|
||||||
+ msg->data = data;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void read_msi_msg(unsigned int irq, struct msi_msg *msg)
|
|
||||||
+{
|
|
||||||
+ struct irq_desc *desc = irq_to_desc(irq);
|
|
||||||
+
|
|
||||||
+ read_msi_msg_desc(desc, msg);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void get_cached_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg)
|
|
||||||
+{
|
|
||||||
+ struct msi_desc *entry = get_irq_desc_msi(desc);
|
|
||||||
+
|
|
||||||
+ /* Assert that the cache is valid, assuming that
|
|
||||||
* valid messages are not all-zeroes. */
|
|
||||||
BUG_ON(!(entry->msg.address_hi | entry->msg.address_lo |
|
|
||||||
entry->msg.data));
|
|
||||||
@@ -206,11 +243,11 @@ void read_msi_msg_desc(struct irq_desc *
|
|
||||||
*msg = entry->msg;
|
|
||||||
}
|
|
||||||
|
|
||||||
-void read_msi_msg(unsigned int irq, struct msi_msg *msg)
|
|
||||||
+void get_cached_msi_msg(unsigned int irq, struct msi_msg *msg)
|
|
||||||
{
|
|
||||||
struct irq_desc *desc = irq_to_desc(irq);
|
|
||||||
|
|
||||||
- read_msi_msg_desc(desc, msg);
|
|
||||||
+ get_cached_msi_msg_desc(desc, msg);
|
|
||||||
}
|
|
||||||
|
|
||||||
void write_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg)
|
|
||||||
--- a/include/linux/msi.h
|
|
||||||
+++ b/include/linux/msi.h
|
|
||||||
@@ -14,8 +14,10 @@ struct irq_desc;
|
|
||||||
extern void mask_msi_irq(unsigned int irq);
|
|
||||||
extern void unmask_msi_irq(unsigned int irq);
|
|
||||||
extern void read_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg);
|
|
||||||
+extern void get_cached_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg);
|
|
||||||
extern void write_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg);
|
|
||||||
extern void read_msi_msg(unsigned int irq, struct msi_msg *msg);
|
|
||||||
+extern void get_cached_msi_msg(unsigned int irq, struct msi_msg *msg);
|
|
||||||
extern void write_msi_msg(unsigned int irq, struct msi_msg *msg);
|
|
||||||
|
|
||||||
struct msi_desc {
|
|
@ -12,25 +12,3 @@ index 4b493f6..ada1fcd 100644
|
|||||||
|
|
||||||
/* initialize timestamp */
|
/* initialize timestamp */
|
||||||
__touch_softlockup_watchdog();
|
__touch_softlockup_watchdog();
|
||||||
diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c
|
|
||||||
index 5a5ea2c..47ecc56 100644
|
|
||||||
--- a/kernel/sched_fair.c
|
|
||||||
+++ b/kernel/sched_fair.c
|
|
||||||
@@ -1272,6 +1272,9 @@ static int wake_affine(struct sched_domain *sd, struct task_struct *p, int sync)
|
|
||||||
* effect of the currently running task from the load
|
|
||||||
* of the current CPU:
|
|
||||||
*/
|
|
||||||
+
|
|
||||||
+ rcu_read_lock();
|
|
||||||
+
|
|
||||||
if (sync) {
|
|
||||||
tg = task_group(current);
|
|
||||||
weight = current->se.load.weight;
|
|
||||||
@@ -1298,6 +1301,7 @@ static int wake_affine(struct sched_domain *sd, struct task_struct *p, int sync)
|
|
||||||
100*(this_load + effective_load(tg, this_cpu, weight, weight)) <=
|
|
||||||
imbalance*(load + effective_load(tg, prev_cpu, 0, weight));
|
|
||||||
|
|
||||||
+ rcu_read_unlock();
|
|
||||||
/*
|
|
||||||
* If the currently running task will sleep within
|
|
||||||
* a reasonable amount of time then attract this newly
|
|
||||||
|
@ -1,120 +0,0 @@
|
|||||||
From sgruszka@redhat.com Mon Oct 18 05:10:00 2010
|
|
||||||
Return-Path: sgruszka@redhat.com
|
|
||||||
Received: from zmta01.collab.prod.int.phx2.redhat.com (LHLO
|
|
||||||
zmta01.collab.prod.int.phx2.redhat.com) (10.5.5.31) by
|
|
||||||
mail03.corp.redhat.com with LMTP; Mon, 18 Oct 2010 05:10:00 -0400 (EDT)
|
|
||||||
Received: from localhost (localhost.localdomain [127.0.0.1])
|
|
||||||
by zmta01.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 5E48E928A4;
|
|
||||||
Mon, 18 Oct 2010 05:10:00 -0400 (EDT)
|
|
||||||
Received: from zmta01.collab.prod.int.phx2.redhat.com ([127.0.0.1])
|
|
||||||
by localhost (zmta01.collab.prod.int.phx2.redhat.com [127.0.0.1]) (amavisd-new, port 10024)
|
|
||||||
with ESMTP id q3QJQ+TOP+bt; Mon, 18 Oct 2010 05:10:00 -0400 (EDT)
|
|
||||||
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
|
|
||||||
by zmta01.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 423CC91A7C;
|
|
||||||
Mon, 18 Oct 2010 05:10:00 -0400 (EDT)
|
|
||||||
Received: from localhost (dhcp-1-246.brq.redhat.com [10.34.1.246])
|
|
||||||
by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id o9I99x6b006228;
|
|
||||||
Mon, 18 Oct 2010 05:09:59 -0400
|
|
||||||
From: Stanislaw Gruszka <sgruszka@redhat.com>
|
|
||||||
To: stable@kernel.org
|
|
||||||
Cc: Kyle McMartin <kmcmartin@redhat.com>,
|
|
||||||
Stanislaw Gruszka <sgruszka@redhat.com>,
|
|
||||||
"David S. Miller" <davem@davemloft.net>
|
|
||||||
Subject: [PATCH -stable 2.6.34+] r8169: allocate with GFP_KERNEL flag when able to sleep
|
|
||||||
Date: Mon, 18 Oct 2010 11:12:22 +0200
|
|
||||||
Message-Id: <1287393142-2566-1-git-send-email-sgruszka@redhat.com>
|
|
||||||
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
|
|
||||||
|
|
||||||
Upstream aeb19f6052b5e5c8a24aa444fbff73b84341beac commit.
|
|
||||||
|
|
||||||
We have fedora bug report where driver fail to initialize after
|
|
||||||
suspend/resume because of memory allocation errors:
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=629158
|
|
||||||
|
|
||||||
To fix use GFP_KERNEL allocation where possible.
|
|
||||||
|
|
||||||
Patch should fix any allocation errors with calltrace like that:
|
|
||||||
|
|
||||||
NetworkManager: page allocation failure. order:3, mode:0x4020
|
|
||||||
Pid: 1427, comm: NetworkManager Not tainted 2.6.31.12-rhapsody.fc12-121 #1
|
|
||||||
Call Trace:
|
|
||||||
[<ffffffff810c876f>] __alloc_pages_nodemask+0x57a/0x5bb
|
|
||||||
[<ffffffff810f415d>] alloc_pages_node+0x48/0x4a
|
|
||||||
[<ffffffff810f4189>] kmalloc_large_node+0x2a/0x67
|
|
||||||
[<ffffffff810f5f1c>] __kmalloc_node_track_caller+0x31/0x11b
|
|
||||||
[<ffffffff8136f4fe>] ? __netdev_alloc_skb+0x34/0x50
|
|
||||||
[<ffffffff8136e8b8>] __alloc_skb+0x80/0x170
|
|
||||||
[<ffffffff8136f4fe>] __netdev_alloc_skb+0x34/0x50
|
|
||||||
[<ffffffffa011c5e0>] rtl8169_rx_fill+0xa8/0x154 [r8169]
|
|
||||||
[<ffffffffa011e5c5>] rtl8169_init_ring+0x71/0x9f [r8169]
|
|
||||||
[<ffffffffa011edbe>] rtl8169_open+0x7f/0x199 [r8169]
|
|
||||||
|
|
||||||
Tested-by: Neal Becker <ndbecker2@gmail.com>
|
|
||||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
|
||||||
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
drivers/net/r8169.c | 12 ++++++------
|
|
||||||
1 files changed, 6 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
|
|
||||||
index a0da4a1..a68ec8f 100644
|
|
||||||
--- a/drivers/net/r8169.c
|
|
||||||
+++ b/drivers/net/r8169.c
|
|
||||||
@@ -4000,7 +4000,7 @@ static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
|
|
||||||
static struct sk_buff *rtl8169_alloc_rx_skb(struct pci_dev *pdev,
|
|
||||||
struct net_device *dev,
|
|
||||||
struct RxDesc *desc, int rx_buf_sz,
|
|
||||||
- unsigned int align)
|
|
||||||
+ unsigned int align, gfp_t gfp)
|
|
||||||
{
|
|
||||||
struct sk_buff *skb;
|
|
||||||
dma_addr_t mapping;
|
|
||||||
@@ -4008,7 +4008,7 @@ static struct sk_buff *rtl8169_alloc_rx_skb(struct pci_dev *pdev,
|
|
||||||
|
|
||||||
pad = align ? align : NET_IP_ALIGN;
|
|
||||||
|
|
||||||
- skb = netdev_alloc_skb(dev, rx_buf_sz + pad);
|
|
||||||
+ skb = __netdev_alloc_skb(dev, rx_buf_sz + pad, gfp);
|
|
||||||
if (!skb)
|
|
||||||
goto err_out;
|
|
||||||
|
|
||||||
@@ -4039,7 +4039,7 @@ static void rtl8169_rx_clear(struct rtl8169_private *tp)
|
|
||||||
}
|
|
||||||
|
|
||||||
static u32 rtl8169_rx_fill(struct rtl8169_private *tp, struct net_device *dev,
|
|
||||||
- u32 start, u32 end)
|
|
||||||
+ u32 start, u32 end, gfp_t gfp)
|
|
||||||
{
|
|
||||||
u32 cur;
|
|
||||||
|
|
||||||
@@ -4054,7 +4054,7 @@ static u32 rtl8169_rx_fill(struct rtl8169_private *tp, struct net_device *dev,
|
|
||||||
|
|
||||||
skb = rtl8169_alloc_rx_skb(tp->pci_dev, dev,
|
|
||||||
tp->RxDescArray + i,
|
|
||||||
- tp->rx_buf_sz, tp->align);
|
|
||||||
+ tp->rx_buf_sz, tp->align, gfp);
|
|
||||||
if (!skb)
|
|
||||||
break;
|
|
||||||
|
|
||||||
@@ -4082,7 +4082,7 @@ static int rtl8169_init_ring(struct net_device *dev)
|
|
||||||
memset(tp->tx_skb, 0x0, NUM_TX_DESC * sizeof(struct ring_info));
|
|
||||||
memset(tp->Rx_skbuff, 0x0, NUM_RX_DESC * sizeof(struct sk_buff *));
|
|
||||||
|
|
||||||
- if (rtl8169_rx_fill(tp, dev, 0, NUM_RX_DESC) != NUM_RX_DESC)
|
|
||||||
+ if (rtl8169_rx_fill(tp, dev, 0, NUM_RX_DESC, GFP_KERNEL) != NUM_RX_DESC)
|
|
||||||
goto err_out;
|
|
||||||
|
|
||||||
rtl8169_mark_as_last_descriptor(tp->RxDescArray + NUM_RX_DESC - 1);
|
|
||||||
@@ -4583,7 +4583,7 @@ static int rtl8169_rx_interrupt(struct net_device *dev,
|
|
||||||
count = cur_rx - tp->cur_rx;
|
|
||||||
tp->cur_rx = cur_rx;
|
|
||||||
|
|
||||||
- delta = rtl8169_rx_fill(tp, dev, tp->dirty_rx, tp->cur_rx);
|
|
||||||
+ delta = rtl8169_rx_fill(tp, dev, tp->dirty_rx, tp->cur_rx, GFP_ATOMIC);
|
|
||||||
if (!delta && count)
|
|
||||||
netif_info(tp, intr, dev, "no Rx buffer allocated\n");
|
|
||||||
tp->dirty_rx += delta;
|
|
||||||
--
|
|
||||||
1.7.1
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
From: Stanislaw Gruszka <sgruszka@redhat.com>
|
|
||||||
Date: Tue, 14 Sep 2010 14:35:14 +0000 (+0200)
|
|
||||||
Subject: sched: Fix user time incorrectly accounted as system time on 32-bit
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fx86%2Flinux-2.6-tip.git;a=commitdiff_plain;h=e75e863dd5c7d96b91ebbd241da5328fc38a78cc
|
|
||||||
|
|
||||||
sched: Fix user time incorrectly accounted as system time on 32-bit
|
|
||||||
|
|
||||||
We have 32-bit variable overflow possibility when multiply in
|
|
||||||
task_times() and thread_group_times() functions. When the
|
|
||||||
overflow happens then the scaled utime value becomes erroneously
|
|
||||||
small and the scaled stime becomes erroneously big.
|
|
||||||
|
|
||||||
Reported here:
|
|
||||||
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=633037
|
|
||||||
https://bugzilla.kernel.org/show_bug.cgi?id=16559
|
|
||||||
|
|
||||||
Reported-by: Michael Chapman <redhat-bugzilla@very.puzzling.org>
|
|
||||||
Reported-by: Ciriaco Garcia de Celis <sysman@etherpilot.com>
|
|
||||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
|
||||||
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
|
|
||||||
Cc: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
|
|
||||||
Cc: <stable@kernel.org> # 2.6.32.19+ (partially) and 2.6.33+
|
|
||||||
LKML-Reference: <20100914143513.GB8415@redhat.com>
|
|
||||||
Signed-off-by: Ingo Molnar <mingo@elte.hu>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/kernel/sched.c b/kernel/sched.c
|
|
||||||
index ed09d4f..dc85ceb 100644
|
|
||||||
--- a/kernel/sched.c
|
|
||||||
+++ b/kernel/sched.c
|
|
||||||
@@ -3513,9 +3513,9 @@ void task_times(struct task_struct *p, cputime_t *ut, cputime_t *st)
|
|
||||||
rtime = nsecs_to_cputime(p->se.sum_exec_runtime);
|
|
||||||
|
|
||||||
if (total) {
|
|
||||||
- u64 temp;
|
|
||||||
+ u64 temp = rtime;
|
|
||||||
|
|
||||||
- temp = (u64)(rtime * utime);
|
|
||||||
+ temp *= utime;
|
|
||||||
do_div(temp, total);
|
|
||||||
utime = (cputime_t)temp;
|
|
||||||
} else
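Review bot: Nothing in the new code says why the multiplication is split into `u64 temp = rtime;` and `temp *= utime;`, so it reads like a candidate for being folded back into one expression, which would bring back the narrow multiply the commit message describes. I would add `/* widen before multiplying: rtime * utime overflows where cputime_t is 32 bits */` above the declaration here and in the thread_group_times() hunk that follows. The product is still held in 64 bits, so whether it can overflow where cputime_t is itself 64 bits wide deserves a sentence too; that cannot be judged from these hunks. Both functions start and end outside the hunks.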
|
|
||||||
@@ -3546,9 +3546,9 @@ void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *st)
|
|
||||||
rtime = nsecs_to_cputime(cputime.sum_exec_runtime);
|
|
||||||
|
|
||||||
if (total) {
|
|
||||||
- u64 temp;
|
|
||||||
+ u64 temp = rtime;
|
|
||||||
|
|
||||||
- temp = (u64)(rtime * cputime.utime);
|
|
||||||
+ temp *= cputime.utime;
|
|
||||||
do_div(temp, total);
|
|
||||||
utime = (cputime_t)temp;
|
|
||||||
} else
|
|
@ -1,34 +0,0 @@
|
|||||||
From 4bdab43323b459900578b200a4b8cf9713ac8fab Mon Sep 17 00:00:00 2001
|
|
||||||
From: Vlad Yasevich <vladislav.yasevich@hp.com>
|
|
||||||
Date: Wed, 15 Sep 2010 10:00:26 -0400
|
|
||||||
Subject: sctp: Do not reset the packet during sctp_packet_config().
|
|
||||||
|
|
||||||
From: Vlad Yasevich <vladislav.yasevich@hp.com>
|
|
||||||
|
|
||||||
commit 4bdab43323b459900578b200a4b8cf9713ac8fab upstream.
|
|
||||||
|
|
||||||
sctp_packet_config() is called when getting the packet ready
|
|
||||||
for appending of chunks. The function should not touch the
|
|
||||||
current state, since it's possible to ping-pong between two
|
|
||||||
transports when sending, and that can result packet corruption
|
|
||||||
followed by skb overflow crash.
|
|
||||||
|
|
||||||
Reported-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
|
|
||||||
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
||||||
|
|
||||||
---
|
|
||||||
net/sctp/output.c | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/net/sctp/output.c
|
|
||||||
+++ b/net/sctp/output.c
|
|
||||||
@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(s
|
|
||||||
SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
|
|
||||||
packet, vtag);
|
|
||||||
|
|
||||||
- sctp_packet_reset(packet);
|
|
||||||
packet->vtag = vtag;
|
|
||||||
|
|
||||||
if (ecn_capable && sctp_packet_empty(packet)) {
|
|
@ -1,42 +0,0 @@
|
|||||||
From: Roland McGrath <roland@redhat.com>
|
|
||||||
Date: Wed, 8 Sep 2010 02:35:49 +0000 (-0700)
|
|
||||||
Subject: setup_arg_pages: diagnose excessive argument size
|
|
||||||
X-Git-Tag: v2.6.36-rc4~14
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1b528181b2ffa14721fb28ad1bd539fe1732c583
|
|
||||||
|
|
||||||
setup_arg_pages: diagnose excessive argument size
|
|
||||||
|
|
||||||
The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
|
|
||||||
check the size of the argument/environment area on the stack.
|
|
||||||
When it is unworkably large, shift_arg_pages() hits its BUG_ON.
|
|
||||||
This is exploitable with a very large RLIMIT_STACK limit, to
|
|
||||||
create a crash pretty easily.
|
|
||||||
|
|
||||||
Check that the initial stack is not too large to make it possible
|
|
||||||
to map in any executable. We're not checking that the actual
|
|
||||||
executable (or intepreter, for binfmt_elf) will fit. So those
|
|
||||||
mappings might clobber part of the initial stack mapping. But
|
|
||||||
that is just userland lossage that userland made happen, not a
|
|
||||||
kernel problem.
|
|
||||||
|
|
||||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
|
||||||
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/fs/exec.c b/fs/exec.c
|
|
||||||
index 2d94552..1b63237 100644
|
|
||||||
--- a/fs/exec.c
|
|
||||||
+++ b/fs/exec.c
|
|
||||||
@@ -594,6 +594,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
|
|
||||||
#else
|
|
||||||
stack_top = arch_align_stack(stack_top);
|
|
||||||
stack_top = PAGE_ALIGN(stack_top);
|
|
||||||
+
|
|
||||||
+ if (unlikely(stack_top < mmap_min_addr) ||
|
|
||||||
+ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
|
|
||||||
+ return -ENOMEM;
|
|
||||||
+
|
|
||||||
stack_shift = vma->vm_end - stack_top;
|
|
||||||
|
|
||||||
bprm->p -= stack_shift;
|
|
@ -1,98 +0,0 @@
|
|||||||
From sgruszka@redhat.com Mon Oct 18 05:19:21 2010
|
|
||||||
Return-Path: sgruszka@redhat.com
|
|
||||||
Received: from zmta02.collab.prod.int.phx2.redhat.com (LHLO
|
|
||||||
zmta02.collab.prod.int.phx2.redhat.com) (10.5.5.32) by
|
|
||||||
mail03.corp.redhat.com with LMTP; Mon, 18 Oct 2010 05:19:21 -0400 (EDT)
|
|
||||||
Received: from localhost (localhost.localdomain [127.0.0.1])
|
|
||||||
by zmta02.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id A11F69E559;
|
|
||||||
Mon, 18 Oct 2010 05:19:21 -0400 (EDT)
|
|
||||||
Received: from zmta02.collab.prod.int.phx2.redhat.com ([127.0.0.1])
|
|
||||||
by localhost (zmta02.collab.prod.int.phx2.redhat.com [127.0.0.1]) (amavisd-new, port 10024)
|
|
||||||
with ESMTP id IhyIgD7E4aj3; Mon, 18 Oct 2010 05:19:21 -0400 (EDT)
|
|
||||||
Received: from int-mx08.intmail.prod.int.phx2.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.21])
|
|
||||||
by zmta02.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 9007B9E55E;
|
|
||||||
Mon, 18 Oct 2010 05:19:21 -0400 (EDT)
|
|
||||||
Received: from localhost (dhcp-1-246.brq.redhat.com [10.34.1.246])
|
|
||||||
by int-mx08.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id o9I9JKsF025385;
|
|
||||||
Mon, 18 Oct 2010 05:19:21 -0400
|
|
||||||
From: Stanislaw Gruszka <sgruszka@redhat.com>
|
|
||||||
To: stable@kernel.org
|
|
||||||
Cc: Kyle McMartin <kmcmartin@redhat.com>,
|
|
||||||
Stanislaw Gruszka <sgruszka@redhat.com>,
|
|
||||||
"David S. Miller" <davem@davemloft.net>
|
|
||||||
Subject: [PATCH -stable 2.6.34+] skge: add quirk to limit DMA
|
|
||||||
Date: Mon, 18 Oct 2010 11:21:54 +0200
|
|
||||||
Message-Id: <1287393714-3720-1-git-send-email-sgruszka@redhat.com>
|
|
||||||
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.21
|
|
||||||
|
|
||||||
Upstream 392bd0cb000d4aac9e88e4f50823db85e7220688 commit.
|
|
||||||
|
|
||||||
Skge devices installed on some Gigabyte motherboards are not able to
|
|
||||||
perform 64 dma correctly due to board PCI implementation, so limit
|
|
||||||
DMA to 32bit if such boards are detected.
|
|
||||||
|
|
||||||
Bug was reported here:
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=447489
|
|
||||||
|
|
||||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
|
||||||
Tested-by: Luya Tshimbalanga <luya@fedoraproject.org>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
drivers/net/skge.c | 18 +++++++++++++++++-
|
|
||||||
1 files changed, 17 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/net/skge.c b/drivers/net/skge.c
|
|
||||||
index 40e5c46..465ae7e 100644
|
|
||||||
--- a/drivers/net/skge.c
|
|
||||||
+++ b/drivers/net/skge.c
|
|
||||||
@@ -43,6 +43,7 @@
|
|
||||||
#include <linux/seq_file.h>
|
|
||||||
#include <linux/mii.h>
|
|
||||||
#include <linux/slab.h>
|
|
||||||
+#include <linux/dmi.h>
|
|
||||||
#include <asm/irq.h>
|
|
||||||
|
|
||||||
#include "skge.h"
|
|
||||||
@@ -3868,6 +3869,8 @@ static void __devinit skge_show_addr(struct net_device *dev)
|
|
||||||
netif_info(skge, probe, skge->netdev, "addr %pM\n", dev->dev_addr);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int only_32bit_dma;
|
|
||||||
+
|
|
||||||
static int __devinit skge_probe(struct pci_dev *pdev,
|
|
||||||
const struct pci_device_id *ent)
|
|
||||||
{
|
|
||||||
@@ -3889,7 +3892,7 @@ static int __devinit skge_probe(struct pci_dev *pdev,
|
|
||||||
|
|
||||||
pci_set_master(pdev);
|
|
||||||
|
|
||||||
- if (!pci_set_dma_mask(pdev, DMA_BIT_MASK(64))) {
|
|
||||||
+ if (!only_32bit_dma && !pci_set_dma_mask(pdev, DMA_BIT_MASK(64))) {
|
|
||||||
using_dac = 1;
|
|
||||||
err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64));
|
|
||||||
} else if (!(err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)))) {
|
|
||||||
@@ -4147,8 +4150,21 @@ static struct pci_driver skge_driver = {
|
|
||||||
.shutdown = skge_shutdown,
|
|
||||||
};
|
|
||||||
|
|
||||||
+static struct dmi_system_id skge_32bit_dma_boards[] = {
|
|
||||||
+ {
|
|
||||||
+ .ident = "Gigabyte nForce boards",
|
|
||||||
+ .matches = {
|
|
||||||
+ DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co"),
|
|
||||||
+ DMI_MATCH(DMI_BOARD_NAME, "nForce"),
|
|
||||||
+ },
|
|
||||||
+ },
|
|
||||||
+ {}
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
static int __init skge_init_module(void)
|
|
||||||
{
|
|
||||||
+ if (dmi_check_system(skge_32bit_dma_boards))
|
|
||||||
+ only_32bit_dma = 1;
|
|
||||||
skge_debug_init();
|
|
||||||
return pci_register_driver(&skge_driver);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.7.1
|
|
||||||
|
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
|||||||
10eebcb0178fb4540e2165bfd7efc7ad linux-2.6.34.tar.bz2
|
10eebcb0178fb4540e2165bfd7efc7ad linux-2.6.34.tar.bz2
|
||||||
a88e4b5a9fcb23c2229301ac4dae1f1a patch-2.6.34.7.bz2
|
de755877dbd32ed783067987c095c278 patch-2.6.34.8.bz2
|
||||||
|
@ -1,51 +0,0 @@
|
|||||||
From: Steven Rostedt <srostedt@redhat.com>
|
|
||||||
Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400)
|
|
||||||
Subject: tracing: Do not allow llseek to set_ftrace_filter
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
|
|
||||||
|
|
||||||
tracing: Do not allow llseek to set_ftrace_filter
|
|
||||||
|
|
||||||
Reading the file set_ftrace_filter does three things.
|
|
||||||
|
|
||||||
1) shows whether or not filters are set for the function tracer
|
|
||||||
2) shows what functions are set for the function tracer
|
|
||||||
3) shows what triggers are set on any functions
|
|
||||||
|
|
||||||
3 is independent from 1 and 2.
|
|
||||||
|
|
||||||
The way this file currently works is that it is a state machine,
|
|
||||||
and as you read it, it may change state. But this assumption breaks
|
|
||||||
when you use lseek() on the file. The state machine gets out of sync
|
|
||||||
and the t_show() may use the wrong pointer and cause a kernel oops.
|
|
||||||
|
|
||||||
Luckily, this will only kill the app that does the lseek, but the app
|
|
||||||
dies while holding a mutex. This prevents anyone else from using the
|
|
||||||
set_ftrace_filter file (or any other function tracing file for that matter).
|
|
||||||
|
|
||||||
A real fix for this is to rewrite the code, but that is too much for
|
|
||||||
a -rc release or stable. This patch simply disables llseek on the
|
|
||||||
set_ftrace_filter() file for now, and we can do the proper fix for the
|
|
||||||
next major release.
|
|
||||||
|
|
||||||
Reported-by: Robert Swiecki <swiecki@google.com>
|
|
||||||
Cc: Chris Wright <chrisw@sous-sol.org>
|
|
||||||
Cc: Tavis Ormandy <taviso@google.com>
|
|
||||||
Cc: Eugene Teo <eugene@redhat.com>
|
|
||||||
Cc: vendor-sec@lst.de
|
|
||||||
Cc: <stable@kernel.org>
|
|
||||||
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
|
|
||||||
index 7cb1f45..83a16e9 100644
|
|
||||||
--- a/kernel/trace/ftrace.c
|
|
||||||
+++ b/kernel/trace/ftrace.c
|
|
||||||
@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = {
|
|
||||||
.open = ftrace_filter_open,
|
|
||||||
.read = seq_read,
|
|
||||||
.write = ftrace_filter_write,
|
|
||||||
- .llseek = ftrace_regex_lseek,
|
|
||||||
+ .llseek = no_llseek,
|
|
||||||
.release = ftrace_filter_release,
|
|
||||||
};
|
|
||||||
|
|
@ -1,86 +0,0 @@
|
|||||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Date: Fri, 15 Oct 2010 18:12:38 +0000 (-0700)
|
|
||||||
Subject: v4l1: fix 32-bit compat microcode loading translation
|
|
||||||
X-Git-Tag: v2.6.36~11^2
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3e645d6b485446c54c6745c5e2cf5c528fe4deec
|
|
||||||
|
|
||||||
v4l1: fix 32-bit compat microcode loading translation
|
|
||||||
|
|
||||||
The compat code for the VIDIOCSMICROCODE ioctl is totally buggered.
|
|
||||||
It's only used by the VIDEO_STRADIS driver, and that one is scheduled to
|
|
||||||
staging and eventually removed unless somebody steps up to maintain it
|
|
||||||
(at which point it should use request_firmware() rather than some magic
|
|
||||||
ioctl). So we'll get rid of it eventually.
|
|
||||||
|
|
||||||
But in the meantime, the compatibility ioctl code is broken, and this
|
|
||||||
tries to get it to at least limp along (even if Mauro suggested just
|
|
||||||
deleting it entirely, which may be the right thing to do - I don't think
|
|
||||||
the compatibility translation code has ever worked unless you were very
|
|
||||||
lucky).
|
|
||||||
|
|
||||||
Reported-by: Kees Cook <kees.cook@canonical.com>
|
|
||||||
Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
|
|
||||||
Cc: stable@kernel.org
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/drivers/media/video/v4l2-compat-ioctl32.c b/drivers/media/video/v4l2-compat-ioctl32.c
|
|
||||||
index 073f013..86294ed3 100644
|
|
||||||
--- a/drivers/media/video/v4l2-compat-ioctl32.c
|
|
||||||
+++ b/drivers/media/video/v4l2-compat-ioctl32.c
|
|
||||||
@@ -193,17 +193,24 @@ static int put_video_window32(struct video_window *kp, struct video_window32 __u
|
|
||||||
struct video_code32 {
|
|
||||||
char loadwhat[16]; /* name or tag of file being passed */
|
|
||||||
compat_int_t datasize;
|
|
||||||
- unsigned char *data;
|
|
||||||
+ compat_uptr_t data;
|
|
||||||
};
|
|
||||||
|
|
||||||
-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
|
|
||||||
+static struct video_code __user *get_microcode32(struct video_code32 *kp)
|
|
||||||
{
|
|
||||||
- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
|
|
||||||
- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
|
|
||||||
- get_user(kp->datasize, &up->datasize) ||
|
|
||||||
- copy_from_user(kp->data, up->data, up->datasize))
|
|
||||||
- return -EFAULT;
|
|
||||||
- return 0;
|
|
||||||
+ struct video_code __user *up;
|
|
||||||
+
|
|
||||||
+ up = compat_alloc_user_space(sizeof(*up));
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * NOTE! We don't actually care if these fail. If the
|
|
||||||
+ * user address is invalid, the native ioctl will do
|
|
||||||
+ * the error handling for us
|
|
||||||
+ */
|
|
||||||
+ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
|
|
||||||
+ (void) put_user(kp->datasize, &up->datasize);
|
|
||||||
+ (void) put_user(compat_ptr(kp->data), &up->data);
|
|
||||||
+ return up;
|
|
||||||
}
|
|
||||||
|
|
||||||
#define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32)
|
|
||||||
@@ -739,7 +746,7 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
|
|
||||||
struct video_tuner vt;
|
|
||||||
struct video_buffer vb;
|
|
||||||
struct video_window vw;
|
|
||||||
- struct video_code vc;
|
|
||||||
+ struct video_code32 vc;
|
|
||||||
struct video_audio va;
|
|
||||||
#endif
|
|
||||||
struct v4l2_format v2f;
|
|
||||||
@@ -818,8 +825,11 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
|
|
||||||
break;
|
|
||||||
|
|
||||||
case VIDIOCSMICROCODE:
|
|
||||||
- err = get_microcode32(&karg.vc, up);
|
|
||||||
- compatible_arg = 0;
|
|
||||||
+ /* Copy the 32-bit "video_code32" to kernel space */
|
|
||||||
+ if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
|
|
||||||
+ return -EFAULT;
|
|
||||||
+ /* Convert the 32-bit version to a 64-bit version in user space */
|
|
||||||
+ up = get_microcode32(&karg.vc);
|
|
||||||
break;
|
|
||||||
|
|
||||||
case VIDIOCSFREQ:
|
|
@ -1,33 +0,0 @@
|
|||||||
From aaa3e9152f27f6cd83c074d7dc99e79897ac8c20 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
|
||||||
Date: Wed, 15 Sep 2010 19:08:24 -0400
|
|
||||||
Subject: [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory
|
|
||||||
|
|
||||||
The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
|
|
||||||
bytes of uninitialized stack memory, because the "reserved" member of
|
|
||||||
the viafb_ioctl_info struct declared on the stack is not altered or
|
|
||||||
zeroed before being copied back to the user. This patch takes care of
|
|
||||||
it.
|
|
||||||
|
|
||||||
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
|
|
||||||
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
|
|
||||||
---
|
|
||||||
drivers/video/via/ioctl.c | 2 ++
|
|
||||||
1 files changed, 2 insertions(+), 0 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/video/via/ioctl.c b/drivers/video/via/ioctl.c
|
|
||||||
index da03c07..4d553d0 100644
|
|
||||||
--- a/drivers/video/via/ioctl.c
|
|
||||||
+++ b/drivers/video/via/ioctl.c
|
|
||||||
@@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long arg)
|
|
||||||
{
|
|
||||||
struct viafb_ioctl_info viainfo;
|
|
||||||
|
|
||||||
+ memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
|
|
||||||
+
|
|
||||||
viainfo.viafb_id = VIAID;
|
|
||||||
viainfo.vendor_id = PCI_VIA_VENDOR_ID;
|
|
||||||
|
|
||||||
--
|
|
||||||
1.7.3.2
|
|
||||||
|
|
@ -1,77 +0,0 @@
|
|||||||
From: Johannes Berg <johannes.berg@intel.com>
|
|
||||||
Date: Mon, 30 Aug 2010 10:24:54 +0000 (+0200)
|
|
||||||
Subject: wireless extensions: fix kernel heap content leak
|
|
||||||
X-Git-Tag: master-2010-08-30
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Flinville%2Fwireless-2.6.git;a=commitdiff_plain;h=42da2f948d949efd0111309f5827bf0298bcc9a4
|
|
||||||
|
|
||||||
wireless extensions: fix kernel heap content leak
|
|
||||||
|
|
||||||
Wireless extensions have an unfortunate, undocumented
|
|
||||||
requirement which requires drivers to always fill
|
|
||||||
iwp->length when returning a successful status. When
|
|
||||||
a driver doesn't do this, it leads to a kernel heap
|
|
||||||
content leak when userspace offers a larger buffer
|
|
||||||
than would have been necessary.
|
|
||||||
|
|
||||||
Arguably, this is a driver bug, as it should, if it
|
|
||||||
returns 0, fill iwp->length, even if it separately
|
|
||||||
indicated that the buffer contents was not valid.
|
|
||||||
|
|
||||||
However, we can also at least avoid the memory content
|
|
||||||
leak if the driver doesn't do this by setting the iwp
|
|
||||||
length to max_tokens, which then reflects how big the
|
|
||||||
buffer is that the driver may fill, regardless of how
|
|
||||||
big the userspace buffer is.
|
|
||||||
|
|
||||||
To illustrate the point, this patch also fixes a
|
|
||||||
corresponding cfg80211 bug (since this requirement
|
|
||||||
isn't documented nor was ever pointed out by anyone
|
|
||||||
during code review, I don't trust all drivers nor
|
|
||||||
all cfg80211 handlers to implement it correctly).
|
|
||||||
|
|
||||||
Cc: stable@kernel.org [all the way back]
|
|
||||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
||||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
|
|
||||||
index bb5e0a5..7e5c3a4 100644
|
|
||||||
--- a/net/wireless/wext-compat.c
|
|
||||||
+++ b/net/wireless/wext-compat.c
|
|
||||||
@@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_device *dev,
|
|
||||||
{
|
|
||||||
struct wireless_dev *wdev = dev->ieee80211_ptr;
|
|
||||||
|
|
||||||
+ data->flags = 0;
|
|
||||||
+ data->length = 0;
|
|
||||||
+
|
|
||||||
switch (wdev->iftype) {
|
|
||||||
case NL80211_IFTYPE_ADHOC:
|
|
||||||
return cfg80211_ibss_wext_giwessid(dev, info, data, ssid);
|
|
||||||
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
|
|
||||||
index 0ef17bc..8f5116f 100644
|
|
||||||
--- a/net/wireless/wext-core.c
|
|
||||||
+++ b/net/wireless/wext-core.c
|
|
||||||
@@ -782,6 +782,22 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
|
|
||||||
+ /*
|
|
||||||
+ * If this is a GET, but not NOMAX, it means that the extra
|
|
||||||
+ * data is not bounded by userspace, but by max_tokens. Thus
|
|
||||||
+ * set the length to max_tokens. This matches the extra data
|
|
||||||
+ * allocation.
|
|
||||||
+ * The driver should fill it with the number of tokens it
|
|
||||||
+ * provided, and it may check iwp->length rather than having
|
|
||||||
+ * knowledge of max_tokens. If the driver doesn't change the
|
|
||||||
+ * iwp->length, this ioctl just copies back max_token tokens
|
|
||||||
+ * filled with zeroes. Hopefully the driver isn't claiming
|
|
||||||
+ * them to be valid data.
|
|
||||||
+ */
|
|
||||||
+ iwp->length = descr->max_tokens;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
err = handler(dev, info, (union iwreq_data *) iwp, extra);
|
|
||||||
|
|
||||||
iwp->length += essid_compat;
|
|
@ -1,29 +0,0 @@
|
|||||||
From: Peter Zijlstra <peterz@infradead.org>
|
|
||||||
Date: Fri, 10 Sep 2010 20:32:53 +0000 (+0200)
|
|
||||||
Subject: x86, tsc: Fix a preemption leak in restore_sched_clock_state()
|
|
||||||
X-Git-Tag: v2.6.36-rc4~11
|
|
||||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5ee5e97ee9bca919af11c562beeaf61741ad33f1
|
|
||||||
|
|
||||||
x86, tsc: Fix a preemption leak in restore_sched_clock_state()
|
|
||||||
|
|
||||||
A real life genuine preemption leak..
|
|
||||||
|
|
||||||
Reported-and-tested-by: Jeff Chua <jeff.chua.linux@gmail.com>
|
|
||||||
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
|
|
||||||
Acked-by: Suresh Siddha <suresh.b.siddha@intel.com>
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
|
|
||||||
index d632934..26a863a 100644
|
|
||||||
--- a/arch/x86/kernel/tsc.c
|
|
||||||
+++ b/arch/x86/kernel/tsc.c
|
|
||||||
@@ -655,7 +655,7 @@ void restore_sched_clock_state(void)
|
|
||||||
|
|
||||||
local_irq_save(flags);
|
|
||||||
|
|
||||||
- get_cpu_var(cyc2ns_offset) = 0;
|
|
||||||
+ __get_cpu_var(cyc2ns_offset) = 0;
|
|
||||||
offset = cyc2ns_suspend - sched_clock();
|
|
||||||
|
|
||||||
for_each_possible_cpu(cpu)
|
|
@ -1,115 +0,0 @@
|
|||||||
From cd7240c0b900eb6d690ccee088a6c9b46dae815a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Suresh Siddha <suresh.b.siddha@intel.com>
|
|
||||||
Date: Thu, 19 Aug 2010 17:03:38 -0700
|
|
||||||
Subject: x86, tsc, sched: Recompute cyc2ns_offset's during resume from sleep states
|
|
||||||
|
|
||||||
From: Suresh Siddha <suresh.b.siddha@intel.com>
|
|
||||||
|
|
||||||
commit cd7240c0b900eb6d690ccee088a6c9b46dae815a upstream.
|
|
||||||
|
|
||||||
TSC's get reset after suspend/resume (even on cpu's with invariant TSC
|
|
||||||
which runs at a constant rate across ACPI P-, C- and T-states). And in
|
|
||||||
some systems BIOS seem to reinit TSC to arbitrary large value (still
|
|
||||||
sync'd across cpu's) during resume.
|
|
||||||
|
|
||||||
This leads to a scenario of scheduler rq->clock (sched_clock_cpu()) less
|
|
||||||
than rq->age_stamp (introduced in 2.6.32). This leads to a big value
|
|
||||||
returned by scale_rt_power() and the resulting big group power set by the
|
|
||||||
update_group_power() is causing improper load balancing between busy and
|
|
||||||
idle cpu's after suspend/resume.
|
|
||||||
|
|
||||||
This resulted in multi-threaded workloads (like kernel-compilation) go
|
|
||||||
slower after suspend/resume cycle on core i5 laptops.
|
|
||||||
|
|
||||||
Fix this by recomputing cyc2ns_offset's during resume, so that
|
|
||||||
sched_clock() continues from the point where it was left off during
|
|
||||||
suspend.
|
|
||||||
|
|
||||||
Reported-by: Florian Pritz <flo@xssn.at>
|
|
||||||
Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
|
|
||||||
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
|
|
||||||
LKML-Reference: <1282262618.2675.24.camel@sbsiddha-MOBL3.sc.intel.com>
|
|
||||||
Signed-off-by: Ingo Molnar <mingo@elte.hu>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
||||||
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/tsc.h | 2 ++
|
|
||||||
arch/x86/kernel/tsc.c | 38 ++++++++++++++++++++++++++++++++++++++
|
|
||||||
arch/x86/power/cpu.c | 2 ++
|
|
||||||
3 files changed, 42 insertions(+)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/tsc.h
|
|
||||||
+++ b/arch/x86/include/asm/tsc.h
|
|
||||||
@@ -59,5 +59,7 @@ extern void check_tsc_sync_source(int cp
|
|
||||||
extern void check_tsc_sync_target(void);
|
|
||||||
|
|
||||||
extern int notsc_setup(char *);
|
|
||||||
+extern void save_sched_clock_state(void);
|
|
||||||
+extern void restore_sched_clock_state(void);
|
|
||||||
|
|
||||||
#endif /* _ASM_X86_TSC_H */
|
|
||||||
--- a/arch/x86/kernel/tsc.c
|
|
||||||
+++ b/arch/x86/kernel/tsc.c
|
|
||||||
@@ -626,6 +626,44 @@ static void set_cyc2ns_scale(unsigned lo
|
|
||||||
local_irq_restore(flags);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static unsigned long long cyc2ns_suspend;
|
|
||||||
+
|
|
||||||
+void save_sched_clock_state(void)
|
|
||||||
+{
|
|
||||||
+ if (!sched_clock_stable)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ cyc2ns_suspend = sched_clock();
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Even on processors with invariant TSC, TSC gets reset in some the
|
|
||||||
+ * ACPI system sleep states. And in some systems BIOS seem to reinit TSC to
|
|
||||||
+ * arbitrary value (still sync'd across cpu's) during resume from such sleep
|
|
||||||
+ * states. To cope up with this, recompute the cyc2ns_offset for each cpu so
|
|
||||||
+ * that sched_clock() continues from the point where it was left off during
|
|
||||||
+ * suspend.
|
|
||||||
+ */
|
|
||||||
+void restore_sched_clock_state(void)
|
|
||||||
+{
|
|
||||||
+ unsigned long long offset;
|
|
||||||
+ unsigned long flags;
|
|
||||||
+ int cpu;
|
|
||||||
+
|
|
||||||
+ if (!sched_clock_stable)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ local_irq_save(flags);
|
|
||||||
+
|
|
||||||
+ get_cpu_var(cyc2ns_offset) = 0;
|
|
||||||
+ offset = cyc2ns_suspend - sched_clock();
|
|
||||||
+
|
|
||||||
+ for_each_possible_cpu(cpu)
|
|
||||||
+ per_cpu(cyc2ns_offset, cpu) = offset;
|
|
||||||
+
|
|
||||||
+ local_irq_restore(flags);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#ifdef CONFIG_CPU_FREQ
|
|
||||||
|
|
||||||
/* Frequency scaling support. Adjust the TSC based timer when the cpu frequency
|
|
||||||
--- a/arch/x86/power/cpu.c
|
|
||||||
+++ b/arch/x86/power/cpu.c
|
|
||||||
@@ -112,6 +112,7 @@ static void __save_processor_state(struc
|
|
||||||
void save_processor_state(void)
|
|
||||||
{
|
|
||||||
__save_processor_state(&saved_context);
|
|
||||||
+ save_sched_clock_state();
|
|
||||||
}
|
|
||||||
#ifdef CONFIG_X86_32
|
|
||||||
EXPORT_SYMBOL(save_processor_state);
|
|
||||||
@@ -253,6 +254,7 @@ static void __restore_processor_state(st
|
|
||||||
void restore_processor_state(void)
|
|
||||||
{
|
|
||||||
__restore_processor_state(&saved_context);
|
|
||||||
+ restore_sched_clock_state();
|
|
||||||
}
|
|
||||||
#ifdef CONFIG_X86_32
|
|
||||||
EXPORT_SYMBOL(restore_processor_state);
|
|
@ -1,44 +0,0 @@
|
|||||||
From dffe2e1e1a1ddb566a76266136c312801c66dcf7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
|
||||||
Date: Fri, 20 Aug 2010 19:10:01 -0700
|
|
||||||
Subject: xen: handle events as edge-triggered
|
|
||||||
|
|
||||||
From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
|
||||||
|
|
||||||
commit dffe2e1e1a1ddb566a76266136c312801c66dcf7 upstream.
|
|
||||||
|
|
||||||
Xen events are logically edge triggered, as Xen only calls the event
|
|
||||||
upcall when an event is newly set, but not continuously as it remains set.
|
|
||||||
As a result, use handle_edge_irq rather than handle_level_irq.
|
|
||||||
|
|
||||||
This has the important side-effect of fixing a long-standing bug of
|
|
||||||
events getting lost if:
|
|
||||||
- an event's interrupt handler is running
|
|
||||||
- the event is migrated to a different vcpu
|
|
||||||
- the event is re-triggered
|
|
||||||
|
|
||||||
The most noticable symptom of these lost events is occasional lockups
|
|
||||||
of blkfront.
|
|
||||||
|
|
||||||
Many thanks to Tom Kopec and Daniel Stodden in tracking this down.
|
|
||||||
|
|
||||||
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
|
||||||
Cc: Tom Kopec <tek@acm.org>
|
|
||||||
Cc: Daniel Stodden <daniel.stodden@citrix.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
||||||
|
|
||||||
---
|
|
||||||
drivers/xen/events.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/drivers/xen/events.c
|
|
||||||
+++ b/drivers/xen/events.c
|
|
||||||
@@ -363,7 +363,7 @@ int bind_evtchn_to_irq(unsigned int evtc
|
|
||||||
irq = find_unbound_irq();
|
|
||||||
|
|
||||||
set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
|
|
||||||
- handle_level_irq, "event");
|
|
||||||
+ handle_edge_irq, "event");
|
|
||||||
|
|
||||||
evtchn_to_irq[evtchn] = irq;
|
|
||||||
irq_info[irq] = mk_evtchn_info(evtchn);
|
|
@ -1,73 +0,0 @@
|
|||||||
From aaca49642b92c8a57d3ca5029a5a94019c7af69f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
|
||||||
Date: Fri, 20 Aug 2010 18:57:53 -0700
|
|
||||||
Subject: xen: use percpu interrupts for IPIs and VIRQs
|
|
||||||
|
|
||||||
From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
|
||||||
|
|
||||||
commit aaca49642b92c8a57d3ca5029a5a94019c7af69f upstream.
|
|
||||||
|
|
||||||
IPIs and VIRQs are inherently per-cpu event types, so treat them as such:
|
|
||||||
- use a specific percpu irq_chip implementation, and
|
|
||||||
- handle them with handle_percpu_irq
|
|
||||||
|
|
||||||
This makes the path for delivering these interrupts more efficient
|
|
||||||
(no masking/unmasking, no locks), and it avoid problems with attempts
|
|
||||||
to migrate them.
|
|
||||||
|
|
||||||
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
||||||
|
|
||||||
---
|
|
||||||
drivers/xen/events.c | 19 +++++++++++++++----
|
|
||||||
1 file changed, 15 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
--- a/drivers/xen/events.c
|
|
||||||
+++ b/drivers/xen/events.c
|
|
||||||
@@ -107,6 +107,7 @@ static inline unsigned long *cpu_evtchn_
|
|
||||||
#define VALID_EVTCHN(chn) ((chn) != 0)
|
|
||||||
|
|
||||||
static struct irq_chip xen_dynamic_chip;
|
|
||||||
+static struct irq_chip xen_percpu_chip;
|
|
||||||
|
|
||||||
/* Constructor for packed IRQ information. */
|
|
||||||
static struct irq_info mk_unbound_info(void)
|
|
||||||
@@ -389,8 +390,8 @@ static int bind_ipi_to_irq(unsigned int
|
|
||||||
if (irq < 0)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
- set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
|
|
||||||
- handle_level_irq, "ipi");
|
|
||||||
+ set_irq_chip_and_handler_name(irq, &xen_percpu_chip,
|
|
||||||
+ handle_percpu_irq, "ipi");
|
|
||||||
|
|
||||||
bind_ipi.vcpu = cpu;
|
|
||||||
if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_ipi,
|
|
||||||
@@ -430,8 +431,8 @@ static int bind_virq_to_irq(unsigned int
|
|
||||||
|
|
||||||
irq = find_unbound_irq();
|
|
||||||
|
|
||||||
- set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
|
|
||||||
- handle_level_irq, "virq");
|
|
||||||
+ set_irq_chip_and_handler_name(irq, &xen_percpu_chip,
|
|
||||||
+ handle_percpu_irq, "virq");
|
|
||||||
|
|
||||||
evtchn_to_irq[evtchn] = irq;
|
|
||||||
irq_info[irq] = mk_virq_info(evtchn, virq);
|
|
||||||
@@ -934,6 +935,16 @@ static struct irq_chip xen_dynamic_chip
|
|
||||||
.retrigger = retrigger_dynirq,
|
|
||||||
};
|
|
||||||
|
|
||||||
+static struct irq_chip xen_percpu_chip __read_mostly = {
|
|
||||||
+ .name = "xen-percpu",
|
|
||||||
+
|
|
||||||
+ .disable = disable_dynirq,
|
|
||||||
+ .mask = disable_dynirq,
|
|
||||||
+ .unmask = enable_dynirq,
|
|
||||||
+
|
|
||||||
+ .ack = ack_dynirq,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
void __init xen_init_IRQ(void)
|
|
||||||
{
|
|
||||||
int i;
|
|