Linux 2.6.34.8
parent
365577d418
commit
d9bdee82eb
@ -1,189 +0,0 @@
|
||||
From c41d68a513c71e35a14f66d71782d27a79a81ea6 Mon Sep 17 00:00:00 2001
|
||||
From: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Date: Tue, 7 Sep 2010 16:16:18 -0700
|
||||
Subject: [PATCH] compat: Make compat_alloc_user_space() incorporate the access_ok()
|
||||
|
||||
compat_alloc_user_space() expects the caller to independently call
|
||||
access_ok() to verify the returned area. A missing call could
|
||||
introduce problems on some architectures.
|
||||
|
||||
This patch incorporates the access_ok() check into
|
||||
compat_alloc_user_space() and also adds a sanity check on the length.
|
||||
The existing compat_alloc_user_space() implementations are renamed
|
||||
arch_compat_alloc_user_space() and are used as part of the
|
||||
implementation of the new global function.
|
||||
|
||||
This patch assumes NULL will cause __get_user()/__put_user() to either
|
||||
fail or access userspace on all architectures. This should be
|
||||
followed by checking the return value of compat_access_user_space()
|
||||
for NULL in the callers, at which time the access_ok() in the callers
|
||||
can also be removed.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
|
||||
Acked-by: Chris Metcalf <cmetcalf@tilera.com>
|
||||
Acked-by: David S. Miller <davem@davemloft.net>
|
||||
Acked-by: Ingo Molnar <mingo@elte.hu>
|
||||
Acked-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Acked-by: Tony Luck <tony.luck@intel.com>
|
||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
||||
Cc: Arnd Bergmann <arnd@arndb.de>
|
||||
Cc: Fenghua Yu <fenghua.yu@intel.com>
|
||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
|
||||
Cc: Helge Deller <deller@gmx.de>
|
||||
Cc: James Bottomley <jejb@parisc-linux.org>
|
||||
Cc: Kyle McMartin <kyle@mcmartin.ca>
|
||||
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
||||
Cc: Paul Mackerras <paulus@samba.org>
|
||||
Cc: Ralf Baechle <ralf@linux-mips.org>
|
||||
Cc: <stable@kernel.org>
|
||||
---
|
||||
arch/ia64/include/asm/compat.h | 2 +-
|
||||
arch/mips/include/asm/compat.h | 2 +-
|
||||
arch/parisc/include/asm/compat.h | 2 +-
|
||||
arch/powerpc/include/asm/compat.h | 2 +-
|
||||
arch/s390/include/asm/compat.h | 2 +-
|
||||
arch/sparc/include/asm/compat.h | 2 +-
|
||||
arch/x86/include/asm/compat.h | 2 +-
|
||||
include/linux/compat.h | 3 +++
|
||||
kernel/compat.c | 21 +++++++++++++++++++++
|
||||
10 files changed, 32 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h
|
||||
index f90edc8..9301a28 100644
|
||||
--- a/arch/ia64/include/asm/compat.h
|
||||
+++ b/arch/ia64/include/asm/compat.h
|
||||
@@ -199,7 +199,7 @@ ptr_to_compat(void __user *uptr)
|
||||
}
|
||||
|
||||
static __inline__ void __user *
|
||||
-compat_alloc_user_space (long len)
|
||||
+arch_compat_alloc_user_space (long len)
|
||||
{
|
||||
struct pt_regs *regs = task_pt_regs(current);
|
||||
return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
|
||||
diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h
|
||||
index 613f691..dbc5106 100644
|
||||
--- a/arch/mips/include/asm/compat.h
|
||||
+++ b/arch/mips/include/asm/compat.h
|
||||
@@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = (struct pt_regs *)
|
||||
((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
|
||||
diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h
|
||||
index 02b77ba..efa0b60 100644
|
||||
--- a/arch/parisc/include/asm/compat.h
|
||||
+++ b/arch/parisc/include/asm/compat.h
|
||||
@@ -147,7 +147,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static __inline__ void __user *compat_alloc_user_space(long len)
|
||||
+static __inline__ void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = ¤t->thread.regs;
|
||||
return (void __user *)regs->gr[30];
|
||||
diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h
|
||||
index 396d21a..a11d4ea 100644
|
||||
--- a/arch/powerpc/include/asm/compat.h
|
||||
+++ b/arch/powerpc/include/asm/compat.h
|
||||
@@ -134,7 +134,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = current->thread.regs;
|
||||
unsigned long usp = regs->gpr[1];
|
||||
diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
|
||||
index 104f200..a875c2f 100644
|
||||
--- a/arch/s390/include/asm/compat.h
|
||||
+++ b/arch/s390/include/asm/compat.h
|
||||
@@ -181,7 +181,7 @@ static inline int is_compat_task(void)
|
||||
|
||||
#endif
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
unsigned long stack;
|
||||
|
||||
diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h
|
||||
index 5016f76..6f57325 100644
|
||||
--- a/arch/sparc/include/asm/compat.h
|
||||
+++ b/arch/sparc/include/asm/compat.h
|
||||
@@ -167,7 +167,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = current_thread_info()->kregs;
|
||||
unsigned long usp = regs->u_regs[UREG_I6];
|
||||
diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
|
||||
index 306160e..1d9cd27 100644
|
||||
--- a/arch/x86/include/asm/compat.h
|
||||
+++ b/arch/x86/include/asm/compat.h
|
||||
@@ -205,7 +205,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
|
||||
return (u32)(unsigned long)uptr;
|
||||
}
|
||||
|
||||
-static inline void __user *compat_alloc_user_space(long len)
|
||||
+static inline void __user *arch_compat_alloc_user_space(long len)
|
||||
{
|
||||
struct pt_regs *regs = task_pt_regs(current);
|
||||
return (void __user *)regs->sp - len;
|
||||
diff --git a/include/linux/compat.h b/include/linux/compat.h
|
||||
index 9ddc878..5778b55 100644
|
||||
--- a/include/linux/compat.h
|
||||
+++ b/include/linux/compat.h
|
||||
@@ -360,5 +360,8 @@ extern ssize_t compat_rw_copy_check_uvector(int type,
|
||||
const struct compat_iovec __user *uvector, unsigned long nr_segs,
|
||||
unsigned long fast_segs, struct iovec *fast_pointer,
|
||||
struct iovec **ret_pointer);
|
||||
+
|
||||
+extern void __user *compat_alloc_user_space(unsigned long len);
|
||||
+
|
||||
#endif /* CONFIG_COMPAT */
|
||||
#endif /* _LINUX_COMPAT_H */
|
||||
diff --git a/kernel/compat.c b/kernel/compat.c
|
||||
index e167efc..c9e2ec0 100644
|
||||
--- a/kernel/compat.c
|
||||
+++ b/kernel/compat.c
|
||||
@@ -1126,3 +1126,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info)
|
||||
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * Allocate user-space memory for the duration of a single system call,
|
||||
+ * in order to marshall parameters inside a compat thunk.
|
||||
+ */
|
||||
+void __user *compat_alloc_user_space(unsigned long len)
|
||||
+{
|
||||
+ void __user *ptr;
|
||||
+
|
||||
+ /* If len would occupy more than half of the entire compat space... */
|
||||
+ if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
|
||||
+ return NULL;
|
||||
+
|
||||
+ ptr = arch_compat_alloc_user_space(len);
|
||||
+
|
||||
+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
|
||||
+ return NULL;
|
||||
+
|
||||
+ return ptr;
|
||||
+}
|
||||
+EXPORT_SYMBOL_GPL(compat_alloc_user_space);
|
||||
--
|
||||
1.7.2.3
|
||||
|
@ -1,97 +0,0 @@
|
||||
From 36d001c70d8a0144ac1d038f6876c484849a74de Mon Sep 17 00:00:00 2001
|
||||
From: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Date: Tue, 14 Sep 2010 12:42:41 -0700
|
||||
Subject: [PATCH] x86-64, compat: Test %rax for the syscall number, not %eax
|
||||
|
||||
On 64 bits, we always, by necessity, jump through the system call
|
||||
table via %rax. For 32-bit system calls, in theory the system call
|
||||
number is stored in %eax, and the code was testing %eax for a valid
|
||||
system call number. At one point we loaded the stored value back from
|
||||
the stack to enforce zero-extension, but that was removed in checkin
|
||||
d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process
|
||||
will not be able to introduce a non-zero-extended number, but it can
|
||||
happen via ptrace.
|
||||
|
||||
Instead of re-introducing the zero-extension, test what we are
|
||||
actually going to use, i.e. %rax. This only adds a handful of REX
|
||||
prefixes to the code.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
Cc: <stable@kernel.org>
|
||||
Cc: Roland McGrath <roland@redhat.com>
|
||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
arch/x86/ia32/ia32entry.S | 14 +++++++-------
|
||||
1 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
|
||||
index b86feab..84e3a4e 100644
|
||||
--- a/arch/x86/ia32/ia32entry.S
|
||||
+++ b/arch/x86/ia32/ia32entry.S
|
||||
@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
|
||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
||||
CFI_REMEMBER_STATE
|
||||
jnz sysenter_tracesys
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja ia32_badsys
|
||||
sysenter_do_call:
|
||||
IA32_ARG_FIXUP
|
||||
@@ -195,7 +195,7 @@ sysexit_from_sys_call:
|
||||
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
|
||||
call audit_syscall_entry
|
||||
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja ia32_badsys
|
||||
movl %ebx,%edi /* reload 1st syscall arg */
|
||||
movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */
|
||||
@@ -248,7 +248,7 @@ sysenter_tracesys:
|
||||
call syscall_trace_enter
|
||||
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
|
||||
RESTORE_REST
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
|
||||
jmp sysenter_do_call
|
||||
CFI_ENDPROC
|
||||
@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
|
||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
||||
CFI_REMEMBER_STATE
|
||||
jnz cstar_tracesys
|
||||
- cmpl $IA32_NR_syscalls-1,%eax
|
||||
+ cmpq $IA32_NR_syscalls-1,%rax
|
||||
ja ia32_badsys
|
||||
cstar_do_call:
|
||||
IA32_ARG_FIXUP 1
|
||||
@@ -367,7 +367,7 @@ cstar_tracesys:
|
||||
LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
|
||||
RESTORE_REST
|
||||
xchgl %ebp,%r9d
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
|
||||
jmp cstar_do_call
|
||||
END(ia32_cstar_target)
|
||||
@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
|
||||
orl $TS_COMPAT,TI_status(%r10)
|
||||
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
|
||||
jnz ia32_tracesys
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja ia32_badsys
|
||||
ia32_do_call:
|
||||
IA32_ARG_FIXUP
|
||||
@@ -444,7 +444,7 @@ ia32_tracesys:
|
||||
call syscall_trace_enter
|
||||
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
|
||||
RESTORE_REST
|
||||
- cmpl $(IA32_NR_syscalls-1),%eax
|
||||
+ cmpq $(IA32_NR_syscalls-1),%rax
|
||||
ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
|
||||
jmp ia32_do_call
|
||||
END(ia32_syscall)
|
||||
--
|
||||
1.7.2.3
|
||||
|
@ -1,49 +0,0 @@
|
||||
From eefdca043e8391dcd719711716492063030b55ac Mon Sep 17 00:00:00 2001
|
||||
From: Roland McGrath <roland@redhat.com>
|
||||
Date: Tue, 14 Sep 2010 12:22:58 -0700
|
||||
Subject: [PATCH] x86-64, compat: Retruncate rax after ia32 syscall entry tracing
|
||||
|
||||
In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
|
||||
32-bit tracee in system call entry. A %rax value set via ptrace at the
|
||||
entry tracing stop gets used whole as a 32-bit syscall number, while we
|
||||
only check the low 32 bits for validity.
|
||||
|
||||
Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
|
||||
in addition to testing the full 64 bits as has already been added.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
|
||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
||||
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
||||
---
|
||||
arch/x86/ia32/ia32entry.S | 8 +++++++-
|
||||
1 files changed, 7 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
|
||||
index 84e3a4e..518bb99 100644
|
||||
--- a/arch/x86/ia32/ia32entry.S
|
||||
+++ b/arch/x86/ia32/ia32entry.S
|
||||
@@ -50,7 +50,12 @@
|
||||
/*
|
||||
* Reload arg registers from stack in case ptrace changed them.
|
||||
* We don't reload %eax because syscall_trace_enter() returned
|
||||
- * the value it wants us to use in the table lookup.
|
||||
+ * the %rax value we should see. Instead, we just truncate that
|
||||
+ * value to 32 bits again as we did on entry from user mode.
|
||||
+ * If it's a new value set by user_regset during entry tracing,
|
||||
+ * this matches the normal truncation of the user-mode value.
|
||||
+ * If it's -1 to make us punt the syscall, then (u32)-1 is still
|
||||
+ * an appropriately invalid value.
|
||||
*/
|
||||
.macro LOAD_ARGS32 offset, _r9=0
|
||||
.if \_r9
|
||||
@@ -60,6 +65,7 @@
|
||||
movl \offset+48(%rsp),%edx
|
||||
movl \offset+56(%rsp),%esi
|
||||
movl \offset+64(%rsp),%edi
|
||||
+ movl %eax,%eax /* zero extension */
|
||||
.endm
|
||||
|
||||
.macro CFI_STARTPROC32 simple
|
||||
--
|
||||
1.7.2.3
|
||||
|
@ -1,47 +0,0 @@
|
||||
From 75e1c70fc31490ef8a373ea2a4bea2524099b478 Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Moyer <jmoyer@redhat.com>
|
||||
Date: Fri, 10 Sep 2010 14:16:00 -0700
|
||||
Subject: [PATCH] aio: check for multiplication overflow in do_io_submit
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=utf8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Tavis Ormandy pointed out that do_io_submit does not do proper bounds
|
||||
checking on the passed-in iocb array:
|
||||
|
||||
    if (unlikely(nr < 0))
|
||||
        return -EINVAL;
|
||||
|
||||
    if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
|
||||
        return -EFAULT;            ^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The attached patch checks for overflow, and if it is detected, the
|
||||
number of iocbs submitted is scaled down to a number that will fit in
|
||||
the long. Â This is an ok thing to do, as sys_io_submit is documented as
|
||||
returning the number of iocbs submitted, so callers should handle a
|
||||
return value of less than the 'nr' argument passed in.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/aio.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/fs/aio.c b/fs/aio.c
|
||||
index 3006b5b..1320b2a 100644
|
||||
--- a/fs/aio.c
|
||||
+++ b/fs/aio.c
|
||||
@@ -1659,6 +1659,9 @@ long do_io_submit(aio_context_t ctx_id, long nr,
|
||||
if (unlikely(nr < 0))
|
||||
return -EINVAL;
|
||||
|
||||
+ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
|
||||
+ nr = LONG_MAX/sizeof(*iocbpp);
|
||||
+
|
||||
if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
|
||||
return -EFAULT;
|
||||
|
||||
--
|
||||
1.7.2.3
|
||||
|
@ -1,46 +0,0 @@
|
||||
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Date: Tue, 28 Sep 2010 18:18:20 +0000 (-0400)
|
||||
Subject: ALSA: prevent heap corruption in snd_ctl_new()
|
||||
X-Git-Tag: v2.6.36-rc7~12^2~1
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftiwai%2Fsound-2.6.git;a=commitdiff_plain;h=5591bf07225523600450edd9e6ad258bb877b779
|
||||
|
||||
ALSA: prevent heap corruption in snd_ctl_new()
|
||||
|
||||
The snd_ctl_new() function in sound/core/control.c allocates space for a
|
||||
snd_kcontrol struct by performing arithmetic operations on a
|
||||
user-provided size without checking for integer overflow. If a user
|
||||
provides a large enough size, an overflow will occur, the allocated
|
||||
chunk will be too small, and a second user-influenced value will be
|
||||
written repeatedly past the bounds of this chunk. This code is
|
||||
reachable by unprivileged users who have permission to open
|
||||
a /dev/snd/controlC* device (on many distros, this is group "audio") via
|
||||
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
|
||||
|
||||
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Cc: <stable@kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
|
||||
diff --git a/sound/core/control.c b/sound/core/control.c
|
||||
index 070aab4..45a8180 100644
|
||||
--- a/sound/core/control.c
|
||||
+++ b/sound/core/control.c
|
||||
@@ -31,6 +31,7 @@
|
||||
|
||||
/* max number of user-defined controls */
|
||||
#define MAX_USER_CONTROLS 32
|
||||
+#define MAX_CONTROL_COUNT 1028
|
||||
|
||||
struct snd_kctl_ioctl {
|
||||
struct list_head list; /* list of all ioctls */
|
||||
@@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
|
||||
|
||||
if (snd_BUG_ON(!control || !control->count))
|
||||
return NULL;
|
||||
+
|
||||
+ if (control->count > MAX_CONTROL_COUNT)
|
||||
+ return NULL;
|
||||
+
|
||||
kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
|
||||
if (kctl == NULL) {
|
||||
snd_printk(KERN_ERR "Cannot allocate control instance\n");
|
@ -1,53 +0,0 @@
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
|
||||
Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
|
||||
|
||||
ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
||||
|
||||
The error handling in snd_seq_oss_open() has several bad codes that
|
||||
do dereferecing released pointers and double-free of kmalloc'ed data.
|
||||
The object dp is release in free_devinfo() that is called via
|
||||
private_free callback. The rest shouldn't touch this object any more.
|
||||
|
||||
The patch changes delete_port() to call kfree() in any case, and gets
|
||||
rid of unnecessary calls of destructors in snd_seq_oss_open().
|
||||
|
||||
Fixes CVE-2010-3080.
|
||||
|
||||
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Cc: <stable@kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
|
||||
diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
|
||||
index 6857122..69cd7b3 100644
|
||||
--- a/sound/core/seq/oss/seq_oss_init.c
|
||||
+++ b/sound/core/seq/oss/seq_oss_init.c
|
||||
@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
|
||||
return 0;
|
||||
|
||||
_error:
|
||||
- snd_seq_oss_writeq_delete(dp->writeq);
|
||||
- snd_seq_oss_readq_delete(dp->readq);
|
||||
snd_seq_oss_synth_cleanup(dp);
|
||||
snd_seq_oss_midi_cleanup(dp);
|
||||
- delete_port(dp);
|
||||
delete_seq_queue(dp->queue);
|
||||
- kfree(dp);
|
||||
+ delete_port(dp);
|
||||
|
||||
return rc;
|
||||
}
|
||||
@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
|
||||
static int
|
||||
delete_port(struct seq_oss_devinfo *dp)
|
||||
{
|
||||
- if (dp->port < 0)
|
||||
+ if (dp->port < 0) {
|
||||
+ kfree(dp);
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
debug_printk(("delete_port %i\n", dp->port));
|
||||
return snd_seq_event_port_detach(dp->cseq, dp->port);
|
@ -1,47 +0,0 @@
|
||||
From: Chuck Ebbert <cebbert@redhat.com>
|
||||
|
||||
CIFS: Fix DNS resolver build
|
||||
|
||||
In file included from fs/cifs/dns_resolve.c:29:
|
||||
fs/cifs/dns_resolve.h:27: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'cifs_init_dns_resolver'
|
||||
|
||||
Just remove the __init and __exit attributes from the init and exit
|
||||
functions. __exit was removed upstream in 51c20fcced5badee0e2021c6c89f44aa3cbd72aa
|
||||
anyway, and there's no point trying to save every byte by fixing
|
||||
this properly.
|
||||
|
||||
Signed-Off-By: Chuck Ebbert <cebbert@redhat.com>
|
||||
|
||||
--- a/fs/cifs/dns_resolve.c
|
||||
+++ b/fs/cifs/dns_resolve.c
|
||||
@@ -176,7 +176,7 @@ out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
-int __init cifs_init_dns_resolver(void)
|
||||
+int cifs_init_dns_resolver(void)
|
||||
{
|
||||
struct cred *cred;
|
||||
struct key *keyring;
|
||||
@@ -226,7 +226,7 @@ failed_put_cred:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-void __exit cifs_exit_dns_resolver(void)
|
||||
+void cifs_exit_dns_resolver(void)
|
||||
{
|
||||
key_revoke(dns_resolver_cache->thread_keyring);
|
||||
unregister_key_type(&key_type_dns_resolver);
|
||||
--- a/fs/cifs/dns_resolve.h
|
||||
+++ b/fs/cifs/dns_resolve.h
|
||||
@@ -24,8 +24,8 @@
|
||||
#define _DNS_RESOLVE_H
|
||||
|
||||
#ifdef __KERNEL__
|
||||
-extern int __init cifs_init_dns_resolver(void);
|
||||
-extern void __exit cifs_exit_dns_resolver(void);
|
||||
+extern int cifs_init_dns_resolver(void);
|
||||
+extern void cifs_exit_dns_resolver(void);
|
||||
extern int dns_resolve_server_name_to_ip(const char *unc, char **ip_addr);
|
||||
#endif /* KERNEL */
|
||||
|
@ -1,78 +0,0 @@
|
||||
From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Fri, 15 Oct 2010 11:09:28 -0700
|
||||
Subject: [PATCH] De-pessimize rds_page_copy_user
|
||||
|
||||
Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and
|
||||
the unsafe atomic user mode accessor functions. It's actually slower
|
||||
than the straightforward code on any reasonable modern CPU.
|
||||
|
||||
Back when the code was written (although probably not by the time it was
|
||||
actually merged, though), 32-bit x86 may have been the dominant
|
||||
architecture. And there kmap_atomic() can be a lot faster than kmap()
|
||||
(unless you have very good locality, in which case the virtual address
|
||||
caching by kmap() can overcome all the downsides).
|
||||
|
||||
But these days, x86-64 may not be more populous, but it's getting there
|
||||
(and if you care about performance, it's definitely already there -
|
||||
you'd have upgraded your CPU's already in the last few years). And on
|
||||
x86-64, the non-kmap_atomic() version is faster, simply because the code
|
||||
is simpler and doesn't have the "re-try page fault" case.
|
||||
|
||||
People with old hardware are not likely to care about RDS anyway, and
|
||||
the optimization for the 32-bit case is simply buggy, since it doesn't
|
||||
verify the user addresses properly.
|
||||
|
||||
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Acked-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
net/rds/page.c | 27 +++++++--------------------
|
||||
1 files changed, 7 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/net/rds/page.c b/net/rds/page.c
|
||||
index 595a952..1dfbfea 100644
|
||||
--- a/net/rds/page.c
|
||||
+++ b/net/rds/page.c
|
||||
@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page, unsigned long offset,
|
||||
unsigned long ret;
|
||||
void *addr;
|
||||
|
||||
- if (to_user)
|
||||
+ addr = kmap(page);
|
||||
+ if (to_user) {
|
||||
rds_stats_add(s_copy_to_user, bytes);
|
||||
- else
|
||||
+ ret = copy_to_user(ptr, addr + offset, bytes);
|
||||
+ } else {
|
||||
rds_stats_add(s_copy_from_user, bytes);
|
||||
-
|
||||
- addr = kmap_atomic(page, KM_USER0);
|
||||
- if (to_user)
|
||||
- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
|
||||
- else
|
||||
- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
|
||||
- kunmap_atomic(addr, KM_USER0);
|
||||
-
|
||||
- if (ret) {
|
||||
- addr = kmap(page);
|
||||
- if (to_user)
|
||||
- ret = copy_to_user(ptr, addr + offset, bytes);
|
||||
- else
|
||||
- ret = copy_from_user(addr + offset, ptr, bytes);
|
||||
- kunmap(page);
|
||||
- if (ret)
|
||||
- return -EFAULT;
|
||||
+ ret = copy_from_user(addr + offset, ptr, bytes);
|
||||
}
|
||||
+ kunmap(page);
|
||||
|
||||
- return 0;
|
||||
+ return ret ? -EFAULT : 0;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(rds_page_copy_user);
|
||||
|
||||
--
|
||||
1.7.3.2
|
||||
|
@ -202,7 +202,6 @@ Date: Fri May 21 11:14:52 2010 -0700
|
||||
8e36ed0 drm/radeon/kms: hpd cleanup
|
||||
2bfcc0f drm/radeon/kms: reset ddc_bus in object header parsing
|
||||
6fd0248 amd64-agp: Probe unknown AGP devices the right way
|
||||
d831692 sis-agp: Remove SIS 760, handled by amd64-agp
|
||||
26481fb drm/radeon/pm: fix device_create_file return value checks.
|
||||
4bff517 drm/radeon/kms/pm: fix r6xx+ profile setup
|
||||
ce8a3eb drm/radeon/kms/pm: make pm spam debug only
|
||||
@ -5815,21 +5814,6 @@ index 6c3837a..29aacd8 100644
|
||||
.configure = sis_configure,
|
||||
.fetch_size = sis_fetch_size,
|
||||
.cleanup = sis_cleanup,
|
||||
@@ -415,14 +416,6 @@ static struct pci_device_id agp_sis_pci_table[] = {
|
||||
.subvendor = PCI_ANY_ID,
|
||||
.subdevice = PCI_ANY_ID,
|
||||
},
|
||||
- {
|
||||
- .class = (PCI_CLASS_BRIDGE_HOST << 8),
|
||||
- .class_mask = ~0,
|
||||
- .vendor = PCI_VENDOR_ID_SI,
|
||||
- .device = PCI_DEVICE_ID_SI_760,
|
||||
- .subvendor = PCI_ANY_ID,
|
||||
- .subdevice = PCI_ANY_ID,
|
||||
- },
|
||||
{ }
|
||||
};
|
||||
|
||||
diff --git a/drivers/char/agp/uninorth-agp.c b/drivers/char/agp/uninorth-agp.c
|
||||
index 6f48931..95db713 100644
|
||||
--- a/drivers/char/agp/uninorth-agp.c
|
||||
|
@ -1,36 +0,0 @@
|
||||
From: Roland McGrath <roland@redhat.com>
|
||||
Date: Wed, 8 Sep 2010 02:36:28 +0000 (-0700)
|
||||
Subject: execve: improve interactivity with large arguments
|
||||
X-Git-Tag: v2.6.36-rc4~13
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=7993bc1f4663c0db67bb8f0d98e6678145b387cd
|
||||
|
||||
execve: improve interactivity with large arguments
|
||||
|
||||
This adds a preemption point during the copying of the argument and
|
||||
environment strings for execve, in copy_strings(). There is already
|
||||
a preemption point in the count() loop, so this doesn't add any new
|
||||
points in the abstract sense.
|
||||
|
||||
When the total argument+environment strings are very large, the time
|
||||
spent copying them can be much more than a normal user time slice.
|
||||
So this change improves the interactivity of the rest of the system
|
||||
when one process is doing an execve with very large arguments.
|
||||
|
||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
||||
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/fs/exec.c b/fs/exec.c
|
||||
index 1b63237..6f2d777 100644
|
||||
--- a/fs/exec.c
|
||||
+++ b/fs/exec.c
|
||||
@@ -419,6 +419,8 @@ static int copy_strings(int argc, const char __user *const __user *argv,
|
||||
while (len > 0) {
|
||||
int offset, bytes_to_copy;
|
||||
|
||||
+ cond_resched();
|
||||
+
|
||||
offset = pos % PAGE_SIZE;
|
||||
if (offset == 0)
|
||||
offset = PAGE_SIZE;
|
@ -1,51 +0,0 @@
|
||||
From: Roland McGrath <roland@redhat.com>
|
||||
Date: Wed, 8 Sep 2010 02:37:06 +0000 (-0700)
|
||||
Subject: execve: make responsive to SIGKILL with large arguments
|
||||
X-Git-Tag: v2.6.36-rc4~12
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9aea5a65aa7a1af9a4236dfaeb0088f1624f9919
|
||||
|
||||
execve: make responsive to SIGKILL with large arguments
|
||||
|
||||
An execve with a very large total of argument/environment strings
|
||||
can take a really long time in the execve system call. It runs
|
||||
uninterruptibly to count and copy all the strings. This change
|
||||
makes it abort the exec quickly if sent a SIGKILL.
|
||||
|
||||
Note that this is the conservative change, to interrupt only for
|
||||
SIGKILL, by using fatal_signal_pending(). It would be perfectly
|
||||
correct semantics to let any signal interrupt the string-copying in
|
||||
execve, i.e. use signal_pending() instead of fatal_signal_pending().
|
||||
We'll save that change for later, since it could have user-visible
|
||||
consequences, such as having a timer set too quickly make it so that
|
||||
an execve can never complete, though it always happened to work before.
|
||||
|
||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
||||
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/fs/exec.c b/fs/exec.c
|
||||
index 6f2d777..828dd24 100644
|
||||
--- a/fs/exec.c
|
||||
+++ b/fs/exec.c
|
||||
@@ -376,6 +376,9 @@ static int count(const char __user * const __user * argv, int max)
|
||||
argv++;
|
||||
if (i++ >= max)
|
||||
return -E2BIG;
|
||||
+
|
||||
+ if (fatal_signal_pending(current))
|
||||
+ return -ERESTARTNOHAND;
|
||||
cond_resched();
|
||||
}
|
||||
}
|
||||
@@ -419,6 +422,10 @@ static int copy_strings(int argc, const char __user *const __user *argv,
|
||||
while (len > 0) {
|
||||
int offset, bytes_to_copy;
|
||||
|
||||
+ if (fatal_signal_pending(current)) {
|
||||
+ ret = -ERESTARTNOHAND;
|
||||
+ goto out;
|
||||
+ }
|
||||
cond_resched();
|
||||
|
||||
offset = pos % PAGE_SIZE;
|
@ -1,41 +0,0 @@
|
||||
From: Dan Carpenter <error27@gmail.com>
|
||||
Date: Fri, 8 Oct 2010 07:03:07 +0000 (+0200)
|
||||
Subject: [SCSI] gdth: integer overflow in ioctl
|
||||
X-Git-Tag: v2.6.37-rc1~6^2~48
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f63ae56e4e97fb12053590e41a4fa59e7daa74a4
|
||||
|
||||
[SCSI] gdth: integer overflow in ioctl
|
||||
|
||||
gdth_ioctl_alloc() takes the size variable as an int.
|
||||
copy_from_user() takes the size variable as an unsigned long.
|
||||
gen.data_len and gen.sense_len are unsigned longs.
|
||||
On x86_64 longs are 64 bit and ints are 32 bit.
|
||||
|
||||
We could pass in a very large number and the allocation would truncate
|
||||
the size to 32 bits and allocate a small buffer. Then when we do the
|
||||
copy_from_user(), it would result in a memory corruption.
|
||||
|
||||
CC: stable@kernel.org
|
||||
Signed-off-by: Dan Carpenter <error27@gmail.com>
|
||||
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
|
||||
---
|
||||
|
||||
diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
|
||||
index 5a3f931..8411018 100644
|
||||
--- a/drivers/scsi/gdth.c
|
||||
+++ b/drivers/scsi/gdth.c
|
||||
@@ -4177,6 +4177,14 @@ static int ioc_general(void __user *arg, char *cmnd)
|
||||
ha = gdth_find_ha(gen.ionode);
|
||||
if (!ha)
|
||||
return -EFAULT;
|
||||
+
|
||||
+ if (gen.data_len > INT_MAX)
|
||||
+ return -EINVAL;
|
||||
+ if (gen.sense_len > INT_MAX)
|
||||
+ return -EINVAL;
|
||||
+ if (gen.data_len + gen.sense_len > INT_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (gen.data_len + gen.sense_len != 0) {
|
||||
if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
|
||||
FALSE, &paddr)))
|
@ -1,25 +0,0 @@
|
||||
#607327
|
||||
|
||||
During the large inotify rewrite to fsnotify I completely dropped support
|
||||
for IN_ONESHOT. Reimplement that support.
|
||||
|
||||
Signed-off-by: Eric Paris <eparis@redhat.com>
|
||||
---
|
||||
|
||||
fs/notify/inotify/inotify_fsnotify.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
|
||||
index daa666a..388a150 100644
|
||||
--- a/fs/notify/inotify/inotify_fsnotify.c
|
||||
+++ b/fs/notify/inotify/inotify_fsnotify.c
|
||||
@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
|
||||
ret = 0;
|
||||
}
|
||||
|
||||
+ if (entry->mask & IN_ONESHOT)
|
||||
+ fsnotify_destroy_mark_by_entry(entry);
|
||||
+
|
||||
/*
|
||||
* If we hold the entry until after the event is on the queue
|
||||
* IN_IGNORED won't be able to pass this event in the queue
|
@ -1,29 +0,0 @@
|
||||
#607327 ?
|
||||
|
||||
Since the .31 or so notify rewrite inotify has not sent events about
|
||||
inodes which are unmounted. This patch restores those events.
|
||||
|
||||
Signed-off-by: Eric Paris <eparis@redhat.com>
|
||||
---
|
||||
|
||||
fs/notify/inotify/inotify_user.c | 7 +++++--
|
||||
1 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
|
||||
index 44aeb0f..f381daf 100644
|
||||
--- a/fs/notify/inotify/inotify_user.c
|
||||
+++ b/fs/notify/inotify/inotify_user.c
|
||||
@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
|
||||
{
|
||||
__u32 mask;
|
||||
|
||||
- /* everything should accept their own ignored and cares about children */
|
||||
- mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
|
||||
+ /*
|
||||
+ * everything should accept their own ignored, cares about children,
|
||||
+ * and should receive events when the inode is unmounted
|
||||
+ */
|
||||
+ mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
|
||||
|
||||
/* mask off the flags used to open the fd */
|
||||
mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));
|
@ -1,35 +0,0 @@
|
||||
From: David S. Miller <davem@davemloft.net>
|
||||
Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
|
||||
Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
|
||||
|
||||
irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
||||
|
||||
If irda_open_tsap() fails, the irda_bind() code tries to destroy
|
||||
the ->ias_obj object by hand, but does so wrongly.
|
||||
|
||||
In particular, it fails to a) release the hashbin attached to the
|
||||
object and b) reset the self->ias_obj pointer to NULL.
|
||||
|
||||
Fix both problems by using irias_delete_object() and explicitly
|
||||
setting self->ias_obj to NULL, just as irda_release() does.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
|
||||
index 79986a6..fd55b51 100644
|
||||
--- a/net/irda/af_irda.c
|
||||
+++ b/net/irda/af_irda.c
|
||||
@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
|
||||
|
||||
err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
|
||||
if (err < 0) {
|
||||
- kfree(self->ias_obj->name);
|
||||
- kfree(self->ias_obj);
|
||||
+ irias_delete_object(self->ias_obj);
|
||||
+ self->ias_obj = NULL;
|
||||
goto out;
|
||||
}
|
||||
|
170
kernel.spec
@ -48,7 +48,7 @@ Summary: The Linux kernel
|
||||
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
|
||||
# scripts/rebase.sh should be made to do that for you, actually.
|
||||
#
|
||||
%global baserelease 66
|
||||
%global baserelease 67
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
@ -60,7 +60,7 @@ Summary: The Linux kernel
|
||||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 7
|
||||
%define stable_update 8
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
@ -611,13 +611,6 @@ Patch23: linux-2.6-utrace-ptrace.patch
|
||||
|
||||
Patch50: linux-2.6-x86-cfi_sections.patch
|
||||
|
||||
# CVE-2010-3301, CVE-2010-3081
|
||||
Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
# CVE-2010-3067
|
||||
Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
|
||||
Patch144: linux-2.6-vio-modalias.patch
|
||||
|
||||
Patch150: linux-2.6.29-sparc-IOC_TYPECHECK.patch
|
||||
@ -772,14 +765,10 @@ Patch12035: quiet-prove_RCU-in-cgroups.patch
|
||||
Patch12040: iwlwifi-manage-QoS-by-mac-stack.patch
|
||||
Patch12042: mac80211-explicitly-disable-enable-QoS.patch
|
||||
|
||||
Patch12250: inotify-fix-inotify-oneshot-support.patch
|
||||
Patch12260: inotify-send-IN_UNMOUNT-events.patch
|
||||
|
||||
Patch12270: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||
|
||||
Patch12400: input-synaptics-relax-capability-id-checks-on-new-hardware.patch
|
||||
|
||||
Patch12410: cifs-fix-dns-resolver.patch
|
||||
Patch12430: cred-dont-resurrect-dead-credentials.patch
|
||||
|
||||
Patch12440: direct-io-move-aio_complete-into-end_io.patch
|
||||
@ -790,42 +779,11 @@ Patch12470: drivers-hwmon-coretemp-c-detect-the-thermal-sensors-by-cpuid.patch
|
||||
Patch12480: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
|
||||
|
||||
Patch12490: dell-wmi-add-support-for-eject-key.patch
|
||||
Patch12500: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
Patch12510: wireless-extensions-fix-kernel-heap-content-leak.patch
|
||||
|
||||
Patch12517: flexcop-fix-xlate_proc_name-warning.patch
|
||||
|
||||
Patch12520: acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch
|
||||
Patch12521: nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
|
||||
Patch12522: keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
|
||||
Patch12523: keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
|
||||
|
||||
Patch12530: pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch
|
||||
Patch12531: pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch
|
||||
|
||||
Patch12532: x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch
|
||||
# fix bug caused by above patch
|
||||
Patch12533: x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch
|
||||
|
||||
# Mitigate DOS with large argument lists.
|
||||
Patch12540: execve-improve-interactivity-with-large-arguments.patch
|
||||
Patch12541: execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
Patch12542: setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-3080
|
||||
Patch12550: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
|
||||
# CVE-2010-3079
|
||||
Patch12560: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||
|
||||
Patch12570: sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch
|
||||
|
||||
# bz 636534
|
||||
Patch12580: xen-handle-events-as-edge-triggered.patch
|
||||
Patch12581: xen-use-percpu-interrupts-for-ipis-and-virqs.patch
|
||||
|
||||
# CVE-2010-3432
|
||||
Patch12590: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
|
||||
|
||||
#Bonding sysfs WARN_ON (bz 604630)
|
||||
Patch12591: linux-2.6-bonding-sysfs-warning.patch
|
||||
@ -833,9 +791,6 @@ Patch12591: linux-2.6-bonding-sysfs-warning.patch
|
||||
#twsock rcu warning fix (bz 642905)
|
||||
Patch12592: linux-2.6-twsock-rcu-lockdep-warn.patch
|
||||
|
||||
Patch13635: r8169-fix-dma-allocations.patch
|
||||
Patch13636: skge-quirk-to-4gb-dma.patch
|
||||
|
||||
Patch13637: dmar-disable-when-ricoh-multifunction.patch
|
||||
|
||||
Patch13640: mmc-SDHCI_INT_DATA_MASK-typo-error.patch
|
||||
@ -843,9 +798,6 @@ Patch13641: mmc-add-ricoh-e822-pci-id.patch
|
||||
Patch13642: mmc-make-sdhci-work-with-ricoh-mmc-controller.patch
|
||||
Patch13643: sdhci-8-bit-data-transfer-width-support.patch
|
||||
|
||||
# CVE-2010-3904
|
||||
Patch13645: depessimize-rds_copy_page_user.patch
|
||||
|
||||
Patch13646: rt2x00-disable-auto-wakeup-before-waking-up-device.patch
|
||||
Patch13647: rt2x00-fix-failed-SLEEP-AWAKE-and-AWAKE-SLEEP-transitions.patch
|
||||
|
||||
@ -861,8 +813,6 @@ Patch13705: netlink-make-nlmsg_find_attr-take-a-const-ptr.patch
|
||||
# CVE-2010-4248
|
||||
Patch13703: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
||||
|
||||
Patch13704: via-ioctl-prevent-reading-uninit-memory.patch
|
||||
|
||||
Patch13710: rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
|
||||
Patch13711: rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
|
||||
|
||||
@ -883,14 +833,8 @@ Patch13900: ima-allow-it-to-be-completely-disabled-and-default-off.patch
|
||||
|
||||
Patch13901: ioat2-catch-and-recover-from-broken-vtd-configurations.patch
|
||||
|
||||
# CVE-2010-2963
|
||||
Patch13910: v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
||||
# CVE-2010-3698
|
||||
Patch13911: kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
||||
# CVE-2010-3705
|
||||
Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
||||
# CVE-2010-3442
|
||||
Patch13913: alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
||||
# CVE-2010-4258
|
||||
Patch13914: do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
|
||||
# CVE-2010-4169
|
||||
@ -900,8 +844,6 @@ Patch13916: bio-take-care-not-overflow-page-count-when-mapping-copying-user-data
|
||||
# CVE-2010-4249
|
||||
Patch13917: af_unix-limit-unix_tot_inflight.patch
|
||||
Patch13918: scm-lower-SCM-MAX-FD.patch
|
||||
# CVE-2010-4157
|
||||
Patch13919: gdth-integer-overflow-in-ioctl.patch
|
||||
# CVE-2010-4158
|
||||
Patch13920: filter-make-sure-filters-dont-read-uninitialized-memory.patch
|
||||
# CVE-2010-3874
|
||||
@ -1373,9 +1315,6 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
|
||||
ApplyPatch linux-2.6-x86-cfi_sections.patch
|
||||
|
||||
# CVE-2010-3301, CVE-2010-3081
|
||||
ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
|
||||
#
|
||||
# Intel IOMMU
|
||||
@ -1400,7 +1339,6 @@ ApplyPatch linux-2.6-execshield.patch
|
||||
#
|
||||
# bugfixes to drivers and filesystems
|
||||
#
|
||||
ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
|
||||
# ext4
|
||||
|
||||
@ -1601,19 +1539,12 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch
|
||||
|
||||
ApplyPatch quiet-prove_RCU-in-cgroups.patch
|
||||
|
||||
# fix broken oneshot support and missing umount events (#607327)
|
||||
ApplyPatch inotify-fix-inotify-oneshot-support.patch
|
||||
ApplyPatch inotify-send-IN_UNMOUNT-events.patch
|
||||
|
||||
# 610911
|
||||
ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||
|
||||
# fix newer synaptics touchpads not being recognized
|
||||
ApplyPatch input-synaptics-relax-capability-id-checks-on-new-hardware.patch
|
||||
|
||||
# Remove __init and __exit attributes from resolver code
|
||||
ApplyPatch cifs-fix-dns-resolver.patch
|
||||
|
||||
# RHBZ #591015
|
||||
ApplyPatch cred-dont-resurrect-dead-credentials.patch
|
||||
|
||||
@ -1631,12 +1562,6 @@ ApplyPatch kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
|
||||
# bz #513530
|
||||
ApplyPatch dell-wmi-add-support-for-eject-key.patch
|
||||
|
||||
# cve-2010-2954
|
||||
ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
|
||||
# cve-2010-2955
|
||||
ApplyPatch wireless-extensions-fix-kernel-heap-content-leak.patch
|
||||
|
||||
# bz #575873
|
||||
ApplyPatch flexcop-fix-xlate_proc_name-warning.patch
|
||||
|
||||
@ -1646,51 +1571,12 @@ ApplyPatch acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch
|
||||
# this went in 2.6.35-stable
|
||||
ApplyPatch nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
|
||||
|
||||
# CVE-2010-2960
|
||||
ApplyPatch keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
|
||||
ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
|
||||
|
||||
# more suspend/resume fixes form 2.6.32 / 2.6.35 queue
|
||||
# Fix unsafe access to MSI registers during suspend
|
||||
ApplyPatch pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch
|
||||
ApplyPatch pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch
|
||||
# Fix scheduler load balancing after suspend/resume cycle
|
||||
ApplyPatch x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch
|
||||
# fix bug caused by above patch
|
||||
ApplyPatch x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch
|
||||
|
||||
# Mitigate DOS with large argument lists.
|
||||
ApplyPatch execve-improve-interactivity-with-large-arguments.patch
|
||||
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-3080
|
||||
ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
|
||||
# CVE-2010-3079
|
||||
ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||
|
||||
# BZ 633037
|
||||
ApplyPatch sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch
|
||||
|
||||
# BZ 636534
|
||||
ApplyPatch xen-handle-events-as-edge-triggered.patch
|
||||
ApplyPatch xen-use-percpu-interrupts-for-ipis-and-virqs.patch
|
||||
|
||||
# CVE-2010-3432
|
||||
ApplyPatch sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
|
||||
|
||||
# BZ 604630
|
||||
ApplyPatch linux-2.6-bonding-sysfs-warning.patch
|
||||
|
||||
# BZ 642905
|
||||
ApplyPatch linux-2.6-twsock-rcu-lockdep-warn.patch
|
||||
|
||||
# rhbz#629158
|
||||
ApplyPatch r8169-fix-dma-allocations.patch
|
||||
# rhbz#447489
|
||||
ApplyPatch skge-quirk-to-4gb-dma.patch
|
||||
|
||||
# rhbz#605888
|
||||
ApplyPatch dmar-disable-when-ricoh-multifunction.patch
|
||||
|
||||
@ -1699,8 +1585,6 @@ ApplyPatch sdhci-8-bit-data-transfer-width-support.patch
|
||||
ApplyPatch mmc-make-sdhci-work-with-ricoh-mmc-controller.patch
|
||||
ApplyPatch mmc-add-ricoh-e822-pci-id.patch
|
||||
|
||||
ApplyPatch depessimize-rds_copy_page_user.patch
|
||||
|
||||
ApplyPatch tpm-autodetect-itpm-devices.patch
|
||||
# rhbz#530393
|
||||
ApplyPatch tpm-fix-stall-on-boot.patch
|
||||
@ -1721,9 +1605,6 @@ ApplyPatch netlink-make-nlmsg_find_attr-take-a-const-ptr.patch
|
||||
# rhbz#656264 (CVE-2010-4248)
|
||||
ApplyPatch posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
||||
|
||||
# rhbz#648671 (CVE-2010-4082)
|
||||
ApplyPatch via-ioctl-prevent-reading-uninit-memory.patch
|
||||
|
||||
ApplyPatch rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
|
||||
ApplyPatch rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
|
||||
|
||||
@ -1749,14 +1630,8 @@ ApplyPatch ima-allow-it-to-be-completely-disabled-and-default-off.patch
|
||||
# rhbz605845 [556ab45f]
|
||||
ApplyPatch ioat2-catch-and-recover-from-broken-vtd-configurations.patch
|
||||
|
||||
# CVE-2010-2963
|
||||
ApplyPatch v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
||||
# CVE-2010-3698
|
||||
ApplyPatch kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
||||
# CVE-2010-3705
|
||||
ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
||||
# CVE-2010-3442
|
||||
ApplyPatch alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
||||
# CVE-2010-4258
|
||||
ApplyPatch do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
|
||||
# CVE-2010-4169
|
||||
@ -1766,8 +1641,6 @@ ApplyPatch bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.
|
||||
# CVE-2010-4249
|
||||
ApplyPatch af_unix-limit-unix_tot_inflight.patch
|
||||
ApplyPatch scm-lower-SCM-MAX-FD.patch
|
||||
# CVE-2010-4157
|
||||
ApplyPatch gdth-integer-overflow-in-ioctl.patch
|
||||
# CVE-2010-4158
|
||||
ApplyPatch filter-make-sure-filters-dont-read-uninitialized-memory.patch
|
||||
# CVE-2010-3874
|
||||
@ -2430,6 +2303,45 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Sat Feb 05 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- Linux 2.6.34.8
|
||||
- Drop merged patches:
|
||||
01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
02-compat-test-rax-for-the-system-call-number-not-eax.patch
|
||||
03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
|
||||
aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
cifs-fix-dns-resolver.patch
|
||||
inotify-fix-inotify-oneshot-support.patch
|
||||
inotify-send-IN_UNMOUNT-events.patch
|
||||
irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
|
||||
keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
|
||||
wireless-extensions-fix-kernel-heap-content-leak.patch
|
||||
pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch
|
||||
pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch
|
||||
x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch
|
||||
x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch
|
||||
execve-improve-interactivity-with-large-arguments.patch
|
||||
execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
|
||||
sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch
|
||||
xen-handle-events-as-edge-triggered.patch
|
||||
xen-use-percpu-interrupts-for-ipis-and-virqs.patch
|
||||
sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
|
||||
r8169-fix-dma-allocations.patch
|
||||
skge-quirk-to-4gb-dma.patch
|
||||
depessimize-rds_copy_page_user.patch
|
||||
via-ioctl-prevent-reading-uninit-memory.patch
|
||||
v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
||||
kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
||||
alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
||||
gdth-integer-overflow-in-ioctl.patch
|
||||
- Drop from drm-next patch:
|
||||
d831692 sis-agp: Remove SIS 760, handled by amd64-agp
|
||||
- Drop hunk of quiet-prove_RCU-in-cgroups.patch, now upstream.
|
||||
|
||||
* Sun Jan 30 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- Copy sunrpc oops fix from F14
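Review bot: The new `%changelog` entry names the dropped patches by file only, while the `# CVE-…` comments that sat beside their `Patch`/`ApplyPatch` lines appear to be removed with them, so the spec stops recording which CVE fixes the package now takes from 2.6.34.8. The `+`/`-` markers are lost in this rendering, so the removed side is inferred from the hunk counts and the changelog list; on that reading the annotations for CVE-2010-3301/-3081, -3067, -2954, -2955, -2960, -3080, -3079, -3432, -3904, -4082, -2963, -3698, -3442 and -4157 all go. I would carry the ids into the changelog lines, for example `gdth-integer-overflow-in-ioctl.patch (CVE-2010-4157)` and `kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch (CVE-2010-3698)`, so that anyone auditing the RPM changelog can still match the build to the advisories. Nothing on the page shows how each patch was confirmed as present in the stable update, so a one-line note of the check used would also help.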
|
||||
|
||||
|
@ -1,57 +0,0 @@
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Subject: [PATCH] KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
||||
|
||||
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
|
||||
of the parent process's session keyring whether or not the parent has a session
|
||||
keyring [CVE-2010-2960].
|
||||
|
||||
A program like the following:
|
||||
|
||||
#include <unistd.h>
|
||||
#include <keyutils.h>
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
keyctl(KEYCTL_SESSION_TO_PARENT);
|
||||
}
|
||||
|
||||
can be used to trigger the following bug report:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
|
||||
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
|
||||
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
|
||||
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
if there is no parent process.
|
||||
|
||||
If the system is using pam_keyinit then it mostly protected against this as all
|
||||
processes derived from a login will have inherited the session keyring created
|
||||
by pam_keyinit during the log in procedure.
|
||||
|
||||
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
|
||||
security/keys/keyctl.c | 3 ++-
|
||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
||||
|
||||
|
||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
index 3868c67..60924f6 100644
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1305,7 +1305,8 @@ long keyctl_session_to_parent(void)
|
||||
goto not_permitted;
|
||||
|
||||
/* the keyrings must have the same UID */
|
||||
- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
|
||||
+ if ((pcred->tgcred->session_keyring &&
|
||||
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
|
||||
mycred->tgcred->session_keyring->uid != mycred->euid)
|
||||
goto not_permitted;
|
||||
|
||||
|
@ -1,64 +0,0 @@
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Subject: [PATCH] KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
|
||||
|
||||
There's an protected access to the parent process's credentials in the middle
|
||||
of keyctl_session_to_parent(). This results in the following RCU warning:
|
||||
|
||||
===================================================
|
||||
[ INFO: suspicious rcu_dereference_check() usage. ]
|
||||
---------------------------------------------------
|
||||
security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
|
||||
|
||||
other info that might help us debug this:
|
||||
|
||||
rcu_scheduler_active = 1, debug_locks = 0
|
||||
1 lock held by keyctl-session-/2137:
|
||||
#0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
|
||||
|
||||
stack backtrace:
|
||||
Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
|
||||
Call Trace:
|
||||
[<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
|
||||
[<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
|
||||
[<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
The code should take the RCU read lock to make sure the parents credentials
|
||||
don't go away, even though it's holding a spinlock and has IRQ disabled.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
|
||||
security/keys/keyctl.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
|
||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
index b2b0998..3868c67 100644
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
|
||||
keyring_r = NULL;
|
||||
|
||||
me = current;
|
||||
+ rcu_read_lock();
|
||||
write_lock_irq(&tasklist_lock);
|
||||
|
||||
parent = me->real_parent;
|
||||
@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
|
||||
set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
|
||||
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
if (oldcred)
|
||||
put_cred(oldcred);
|
||||
return 0;
|
||||
@@ -1327,6 +1329,7 @@ already_same:
|
||||
ret = 0;
|
||||
not_permitted:
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
put_cred(cred);
|
||||
return ret;
|
||||
|
||||
|
@ -1,164 +0,0 @@
|
||||
From: Avi Kivity <avi@redhat.com>
|
||||
Date: Tue, 19 Oct 2010 14:46:55 +0000 (+0200)
|
||||
Subject: KVM: Fix fs/gs reload oops with invalid ldt
|
||||
X-Git-Tag: v2.6.36~4^2
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9581d442b9058d3699b4be568b6e5eae38a41493
|
||||
|
||||
KVM: Fix fs/gs reload oops with invalid ldt
|
||||
|
||||
kvm reloads the host's fs and gs blindly, however the underlying segment
|
||||
descriptors may be invalid due to the user modifying the ldt after loading
|
||||
them.
|
||||
|
||||
Fix by using the safe accessors (loadsegment() and load_gs_index()) instead
|
||||
of home grown unsafe versions.
|
||||
|
||||
This is CVE-2010-3698.
|
||||
|
||||
KVM-Stable-Tag.
|
||||
Signed-off-by: Avi Kivity <avi@redhat.com>
|
||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
||||
---
|
||||
|
||||
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
|
||||
index 502e53f..c52e2eb 100644
|
||||
--- a/arch/x86/include/asm/kvm_host.h
|
||||
+++ b/arch/x86/include/asm/kvm_host.h
|
||||
@@ -652,20 +652,6 @@ static inline struct kvm_mmu_page *page_header(hpa_t shadow_page)
|
||||
return (struct kvm_mmu_page *)page_private(page);
|
||||
}
|
||||
|
||||
-static inline u16 kvm_read_fs(void)
|
||||
-{
|
||||
- u16 seg;
|
||||
- asm("mov %%fs, %0" : "=g"(seg));
|
||||
- return seg;
|
||||
-}
|
||||
-
|
||||
-static inline u16 kvm_read_gs(void)
|
||||
-{
|
||||
- u16 seg;
|
||||
- asm("mov %%gs, %0" : "=g"(seg));
|
||||
- return seg;
|
||||
-}
|
||||
-
|
||||
static inline u16 kvm_read_ldt(void)
|
||||
{
|
||||
u16 ldt;
|
||||
@@ -673,16 +659,6 @@ static inline u16 kvm_read_ldt(void)
|
||||
return ldt;
|
||||
}
|
||||
|
||||
-static inline void kvm_load_fs(u16 sel)
|
||||
-{
|
||||
- asm("mov %0, %%fs" : : "rm"(sel));
|
||||
-}
|
||||
-
|
||||
-static inline void kvm_load_gs(u16 sel)
|
||||
-{
|
||||
- asm("mov %0, %%gs" : : "rm"(sel));
|
||||
-}
|
||||
-
|
||||
static inline void kvm_load_ldt(u16 sel)
|
||||
{
|
||||
asm("lldt %0" : : "rm"(sel));
|
||||
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
|
||||
index 81ed28c..8a3f9f6 100644
|
||||
--- a/arch/x86/kvm/svm.c
|
||||
+++ b/arch/x86/kvm/svm.c
|
||||
@@ -3163,8 +3163,8 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
|
||||
sync_lapic_to_cr8(vcpu);
|
||||
|
||||
save_host_msrs(vcpu);
|
||||
- fs_selector = kvm_read_fs();
|
||||
- gs_selector = kvm_read_gs();
|
||||
+ savesegment(fs, fs_selector);
|
||||
+ savesegment(gs, gs_selector);
|
||||
ldt_selector = kvm_read_ldt();
|
||||
svm->vmcb->save.cr2 = vcpu->arch.cr2;
|
||||
/* required for live migration with NPT */
|
||||
@@ -3251,10 +3251,15 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
|
||||
vcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp;
|
||||
vcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip;
|
||||
|
||||
- kvm_load_fs(fs_selector);
|
||||
- kvm_load_gs(gs_selector);
|
||||
- kvm_load_ldt(ldt_selector);
|
||||
load_host_msrs(vcpu);
|
||||
+ loadsegment(fs, fs_selector);
|
||||
+#ifdef CONFIG_X86_64
|
||||
+ load_gs_index(gs_selector);
|
||||
+ wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);
|
||||
+#else
|
||||
+ loadsegment(gs, gs_selector);
|
||||
+#endif
|
||||
+ kvm_load_ldt(ldt_selector);
|
||||
|
||||
reload_tss(vcpu);
|
||||
|
||||
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
|
||||
index 49b25ee..7bddfab 100644
|
||||
--- a/arch/x86/kvm/vmx.c
|
||||
+++ b/arch/x86/kvm/vmx.c
|
||||
@@ -803,7 +803,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
|
||||
*/
|
||||
vmx->host_state.ldt_sel = kvm_read_ldt();
|
||||
vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel;
|
||||
- vmx->host_state.fs_sel = kvm_read_fs();
|
||||
+ savesegment(fs, vmx->host_state.fs_sel);
|
||||
if (!(vmx->host_state.fs_sel & 7)) {
|
||||
vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel);
|
||||
vmx->host_state.fs_reload_needed = 0;
|
||||
@@ -811,7 +811,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
|
||||
vmcs_write16(HOST_FS_SELECTOR, 0);
|
||||
vmx->host_state.fs_reload_needed = 1;
|
||||
}
|
||||
- vmx->host_state.gs_sel = kvm_read_gs();
|
||||
+ savesegment(gs, vmx->host_state.gs_sel);
|
||||
if (!(vmx->host_state.gs_sel & 7))
|
||||
vmcs_write16(HOST_GS_SELECTOR, vmx->host_state.gs_sel);
|
||||
else {
|
||||
@@ -841,27 +841,21 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
|
||||
|
||||
static void __vmx_load_host_state(struct vcpu_vmx *vmx)
|
||||
{
|
||||
- unsigned long flags;
|
||||
-
|
||||
if (!vmx->host_state.loaded)
|
||||
return;
|
||||
|
||||
++vmx->vcpu.stat.host_state_reload;
|
||||
vmx->host_state.loaded = 0;
|
||||
if (vmx->host_state.fs_reload_needed)
|
||||
- kvm_load_fs(vmx->host_state.fs_sel);
|
||||
+ loadsegment(fs, vmx->host_state.fs_sel);
|
||||
if (vmx->host_state.gs_ldt_reload_needed) {
|
||||
kvm_load_ldt(vmx->host_state.ldt_sel);
|
||||
- /*
|
||||
- * If we have to reload gs, we must take care to
|
||||
- * preserve our gs base.
|
||||
- */
|
||||
- local_irq_save(flags);
|
||||
- kvm_load_gs(vmx->host_state.gs_sel);
|
||||
#ifdef CONFIG_X86_64
|
||||
- wrmsrl(MSR_GS_BASE, vmcs_readl(HOST_GS_BASE));
|
||||
+ load_gs_index(vmx->host_state.gs_sel);
|
||||
+ wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);
|
||||
+#else
|
||||
+ loadsegment(gs, vmx->host_state.gs_sel);
|
||||
#endif
|
||||
- local_irq_restore(flags);
|
||||
}
|
||||
reload_tss();
|
||||
#ifdef CONFIG_X86_64
|
||||
@@ -2589,8 +2583,8 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
|
||||
vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */
|
||||
vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */
|
||||
vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */
|
||||
- vmcs_write16(HOST_FS_SELECTOR, kvm_read_fs()); /* 22.2.4 */
|
||||
- vmcs_write16(HOST_GS_SELECTOR, kvm_read_gs()); /* 22.2.4 */
|
||||
+ vmcs_write16(HOST_FS_SELECTOR, 0); /* 22.2.4 */
|
||||
+ vmcs_write16(HOST_GS_SELECTOR, 0); /* 22.2.4 */
|
||||
vmcs_write16(HOST_SS_SELECTOR, __KERNEL_DS); /* 22.2.4 */
|
||||
#ifdef CONFIG_X86_64
|
||||
rdmsrl(MSR_FS_BASE, a);
|
@ -1,86 +0,0 @@
|
||||
From fcd097f31a6ee207cc0c3da9cccd2a86d4334785 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <bhutchings@solarflare.com>
|
||||
Date: Thu, 17 Jun 2010 20:16:36 +0100
|
||||
Subject: PCI: MSI: Remove unsafe and unnecessary hardware access
|
||||
|
||||
From: Ben Hutchings <bhutchings@solarflare.com>
|
||||
|
||||
commit fcd097f31a6ee207cc0c3da9cccd2a86d4334785 upstream.
|
||||
|
||||
During suspend on an SMP system, {read,write}_msi_msg_desc() may be
|
||||
called to mask and unmask interrupts on a device that is already in a
|
||||
reduced power state. At this point memory-mapped registers including
|
||||
MSI-X tables are not accessible, and config space may not be fully
|
||||
functional either.
|
||||
|
||||
While a device is in a reduced power state its interrupts are
|
||||
effectively masked and its MSI(-X) state will be restored when it is
|
||||
brought back to D0. Therefore these functions can simply read and
|
||||
write msi_desc::msg for devices not in D0.
|
||||
|
||||
Further, read_msi_msg_desc() should only ever be used to update a
|
||||
previously written message, so it can always read msi_desc::msg
|
||||
and never needs to touch the hardware.
|
||||
|
||||
Tested-by: "Michael Chan" <mchan@broadcom.com>
|
||||
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
|
||||
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
drivers/pci/msi.c | 36 ++++++++++++------------------------
|
||||
1 file changed, 12 insertions(+), 24 deletions(-)
|
||||
|
||||
--- a/drivers/pci/msi.c
|
||||
+++ b/drivers/pci/msi.c
|
||||
@@ -195,30 +195,15 @@ void unmask_msi_irq(unsigned int irq)
|
||||
void read_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg)
|
||||
{
|
||||
struct msi_desc *entry = get_irq_desc_msi(desc);
|
||||
- if (entry->msi_attrib.is_msix) {
|
||||
- void __iomem *base = entry->mask_base +
|
||||
- entry->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE;
|
||||
|
||||
- msg->address_lo = readl(base + PCI_MSIX_ENTRY_LOWER_ADDR);
|
||||
- msg->address_hi = readl(base + PCI_MSIX_ENTRY_UPPER_ADDR);
|
||||
- msg->data = readl(base + PCI_MSIX_ENTRY_DATA);
|
||||
- } else {
|
||||
- struct pci_dev *dev = entry->dev;
|
||||
- int pos = entry->msi_attrib.pos;
|
||||
- u16 data;
|
||||
-
|
||||
- pci_read_config_dword(dev, msi_lower_address_reg(pos),
|
||||
- &msg->address_lo);
|
||||
- if (entry->msi_attrib.is_64) {
|
||||
- pci_read_config_dword(dev, msi_upper_address_reg(pos),
|
||||
- &msg->address_hi);
|
||||
- pci_read_config_word(dev, msi_data_reg(pos, 1), &data);
|
||||
- } else {
|
||||
- msg->address_hi = 0;
|
||||
- pci_read_config_word(dev, msi_data_reg(pos, 0), &data);
|
||||
- }
|
||||
- msg->data = data;
|
||||
- }
|
||||
+ /* We do not touch the hardware (which may not even be
|
||||
+ * accessible at the moment) but return the last message
|
||||
+ * written. Assert that this is valid, assuming that
|
||||
+ * valid messages are not all-zeroes. */
|
||||
+ BUG_ON(!(entry->msg.address_hi | entry->msg.address_lo |
|
||||
+ entry->msg.data));
|
||||
+
|
||||
+ *msg = entry->msg;
|
||||
}
|
||||
|
||||
void read_msi_msg(unsigned int irq, struct msi_msg *msg)
|
||||
@@ -231,7 +216,10 @@ void read_msi_msg(unsigned int irq, stru
|
||||
void write_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg)
|
||||
{
|
||||
struct msi_desc *entry = get_irq_desc_msi(desc);
|
||||
- if (entry->msi_attrib.is_msix) {
|
||||
+
|
||||
+ if (entry->dev->current_state != PCI_D0) {
|
||||
+ /* Don't touch the hardware now */
|
||||
+ } else if (entry->msi_attrib.is_msix) {
|
||||
void __iomem *base;
|
||||
base = entry->mask_base +
|
||||
entry->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE;
|
@ -1,148 +0,0 @@
|
||||
From 30da55242818a8ca08583188ebcbaccd283ad4d9 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <bhutchings@solarflare.com>
|
||||
Date: Fri, 23 Jul 2010 14:56:28 +0100
|
||||
Subject: PCI: MSI: Restore read_msi_msg_desc(); add get_cached_msi_msg_desc()
|
||||
|
||||
From: Ben Hutchings <bhutchings@solarflare.com>
|
||||
|
||||
commit 30da55242818a8ca08583188ebcbaccd283ad4d9 upstream.
|
||||
|
||||
commit 2ca1af9aa3285c6a5f103ed31ad09f7399fc65d7 "PCI: MSI: Remove
|
||||
unsafe and unnecessary hardware access" changed read_msi_msg_desc() to
|
||||
return the last MSI message written instead of reading it from the
|
||||
device, since it may be called while the device is in a reduced
|
||||
power state.
|
||||
|
||||
However, the pSeries platform code really does need to read messages
|
||||
from the device, since they are initially written by firmware.
|
||||
Therefore:
|
||||
- Restore the previous behaviour of read_msi_msg_desc()
|
||||
- Add new functions get_cached_msi_msg{,_desc}() which return the
|
||||
last MSI message written
|
||||
- Use the new functions where appropriate
|
||||
|
||||
Acked-by: Michael Ellerman <michael@ellerman.id.au>
|
||||
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
|
||||
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
arch/ia64/kernel/msi_ia64.c | 2 -
|
||||
arch/ia64/sn/kernel/msi_sn.c | 2 -
|
||||
arch/x86/kernel/apic/io_apic.c | 2 -
|
||||
drivers/pci/msi.c | 47 ++++++++++++++++++++++++++++++++++++-----
|
||||
include/linux/msi.h | 2 +
|
||||
5 files changed, 47 insertions(+), 8 deletions(-)
|
||||
|
||||
--- a/arch/ia64/kernel/msi_ia64.c
|
||||
+++ b/arch/ia64/kernel/msi_ia64.c
|
||||
@@ -25,7 +25,7 @@ static int ia64_set_msi_irq_affinity(uns
|
||||
if (irq_prepare_move(irq, cpu))
|
||||
return -1;
|
||||
|
||||
- read_msi_msg(irq, &msg);
|
||||
+ get_cached_msi_msg(irq, &msg);
|
||||
|
||||
addr = msg.address_lo;
|
||||
addr &= MSI_ADDR_DEST_ID_MASK;
|
||||
--- a/arch/ia64/sn/kernel/msi_sn.c
|
||||
+++ b/arch/ia64/sn/kernel/msi_sn.c
|
||||
@@ -174,7 +174,7 @@ static int sn_set_msi_irq_affinity(unsig
|
||||
* Release XIO resources for the old MSI PCI address
|
||||
*/
|
||||
|
||||
- read_msi_msg(irq, &msg);
|
||||
+ get_cached_msi_msg(irq, &msg);
|
||||
sn_pdev = (struct pcidev_info *)sn_irq_info->irq_pciioinfo;
|
||||
pdev = sn_pdev->pdi_linux_pcidev;
|
||||
provider = SN_PCIDEV_BUSPROVIDER(pdev);
|
||||
--- a/arch/x86/kernel/apic/io_apic.c
|
||||
+++ b/arch/x86/kernel/apic/io_apic.c
|
||||
@@ -3338,7 +3338,7 @@ static int set_msi_irq_affinity(unsigned
|
||||
|
||||
cfg = desc->chip_data;
|
||||
|
||||
- read_msi_msg_desc(desc, &msg);
|
||||
+ get_cached_msi_msg_desc(desc, &msg);
|
||||
|
||||
msg.data &= ~MSI_DATA_VECTOR_MASK;
|
||||
msg.data |= MSI_DATA_VECTOR(cfg->vector);
|
||||
--- a/drivers/pci/msi.c
|
||||
+++ b/drivers/pci/msi.c
|
||||
@@ -196,9 +196,46 @@ void read_msi_msg_desc(struct irq_desc *
|
||||
{
|
||||
struct msi_desc *entry = get_irq_desc_msi(desc);
|
||||
|
||||
- /* We do not touch the hardware (which may not even be
|
||||
- * accessible at the moment) but return the last message
|
||||
- * written. Assert that this is valid, assuming that
|
||||
+ BUG_ON(entry->dev->current_state != PCI_D0);
|
||||
+
|
||||
+ if (entry->msi_attrib.is_msix) {
|
||||
+ void __iomem *base = entry->mask_base +
|
||||
+ entry->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE;
|
||||
+
|
||||
+ msg->address_lo = readl(base + PCI_MSIX_ENTRY_LOWER_ADDR);
|
||||
+ msg->address_hi = readl(base + PCI_MSIX_ENTRY_UPPER_ADDR);
|
||||
+ msg->data = readl(base + PCI_MSIX_ENTRY_DATA);
|
||||
+ } else {
|
||||
+ struct pci_dev *dev = entry->dev;
|
||||
+ int pos = entry->msi_attrib.pos;
|
||||
+ u16 data;
|
||||
+
|
||||
+ pci_read_config_dword(dev, msi_lower_address_reg(pos),
|
||||
+ &msg->address_lo);
|
||||
+ if (entry->msi_attrib.is_64) {
|
||||
+ pci_read_config_dword(dev, msi_upper_address_reg(pos),
|
||||
+ &msg->address_hi);
|
||||
+ pci_read_config_word(dev, msi_data_reg(pos, 1), &data);
|
||||
+ } else {
|
||||
+ msg->address_hi = 0;
|
||||
+ pci_read_config_word(dev, msi_data_reg(pos, 0), &data);
|
||||
+ }
|
||||
+ msg->data = data;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void read_msi_msg(unsigned int irq, struct msi_msg *msg)
|
||||
+{
|
||||
+ struct irq_desc *desc = irq_to_desc(irq);
|
||||
+
|
||||
+ read_msi_msg_desc(desc, msg);
|
||||
+}
|
||||
+
|
||||
+void get_cached_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg)
|
||||
+{
|
||||
+ struct msi_desc *entry = get_irq_desc_msi(desc);
|
||||
+
|
||||
+ /* Assert that the cache is valid, assuming that
|
||||
* valid messages are not all-zeroes. */
|
||||
BUG_ON(!(entry->msg.address_hi | entry->msg.address_lo |
|
||||
entry->msg.data));
|
||||
@@ -206,11 +243,11 @@ void read_msi_msg_desc(struct irq_desc *
|
||||
*msg = entry->msg;
|
||||
}
|
||||
|
||||
-void read_msi_msg(unsigned int irq, struct msi_msg *msg)
|
||||
+void get_cached_msi_msg(unsigned int irq, struct msi_msg *msg)
|
||||
{
|
||||
struct irq_desc *desc = irq_to_desc(irq);
|
||||
|
||||
- read_msi_msg_desc(desc, msg);
|
||||
+ get_cached_msi_msg_desc(desc, msg);
|
||||
}
|
||||
|
||||
void write_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg)
|
||||
--- a/include/linux/msi.h
|
||||
+++ b/include/linux/msi.h
|
||||
@@ -14,8 +14,10 @@ struct irq_desc;
|
||||
extern void mask_msi_irq(unsigned int irq);
|
||||
extern void unmask_msi_irq(unsigned int irq);
|
||||
extern void read_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg);
|
||||
+extern void get_cached_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg);
|
||||
extern void write_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg);
|
||||
extern void read_msi_msg(unsigned int irq, struct msi_msg *msg);
|
||||
+extern void get_cached_msi_msg(unsigned int irq, struct msi_msg *msg);
|
||||
extern void write_msi_msg(unsigned int irq, struct msi_msg *msg);
|
||||
|
||||
struct msi_desc {
|
@ -12,25 +12,3 @@ index 4b493f6..ada1fcd 100644
|
||||
|
||||
/* initialize timestamp */
|
||||
__touch_softlockup_watchdog();
|
||||
diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c
|
||||
index 5a5ea2c..47ecc56 100644
|
||||
--- a/kernel/sched_fair.c
|
||||
+++ b/kernel/sched_fair.c
|
||||
@@ -1272,6 +1272,9 @@ static int wake_affine(struct sched_domain *sd, struct task_struct *p, int sync)
|
||||
* effect of the currently running task from the load
|
||||
* of the current CPU:
|
||||
*/
|
||||
+
|
||||
+ rcu_read_lock();
|
||||
+
|
||||
if (sync) {
|
||||
tg = task_group(current);
|
||||
weight = current->se.load.weight;
|
||||
@@ -1298,6 +1301,7 @@ static int wake_affine(struct sched_domain *sd, struct task_struct *p, int sync)
|
||||
100*(this_load + effective_load(tg, this_cpu, weight, weight)) <=
|
||||
imbalance*(load + effective_load(tg, prev_cpu, 0, weight));
|
||||
|
||||
+ rcu_read_unlock();
|
||||
/*
|
||||
* If the currently running task will sleep within
|
||||
* a reasonable amount of time then attract this newly
|
||||
|
@ -1,120 +0,0 @@
|
||||
From sgruszka@redhat.com Mon Oct 18 05:10:00 2010
|
||||
Return-Path: sgruszka@redhat.com
|
||||
Received: from zmta01.collab.prod.int.phx2.redhat.com (LHLO
|
||||
zmta01.collab.prod.int.phx2.redhat.com) (10.5.5.31) by
|
||||
mail03.corp.redhat.com with LMTP; Mon, 18 Oct 2010 05:10:00 -0400 (EDT)
|
||||
Received: from localhost (localhost.localdomain [127.0.0.1])
|
||||
by zmta01.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 5E48E928A4;
|
||||
Mon, 18 Oct 2010 05:10:00 -0400 (EDT)
|
||||
Received: from zmta01.collab.prod.int.phx2.redhat.com ([127.0.0.1])
|
||||
by localhost (zmta01.collab.prod.int.phx2.redhat.com [127.0.0.1]) (amavisd-new, port 10024)
|
||||
with ESMTP id q3QJQ+TOP+bt; Mon, 18 Oct 2010 05:10:00 -0400 (EDT)
|
||||
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
|
||||
by zmta01.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 423CC91A7C;
|
||||
Mon, 18 Oct 2010 05:10:00 -0400 (EDT)
|
||||
Received: from localhost (dhcp-1-246.brq.redhat.com [10.34.1.246])
|
||||
by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id o9I99x6b006228;
|
||||
Mon, 18 Oct 2010 05:09:59 -0400
|
||||
From: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
To: stable@kernel.org
|
||||
Cc: Kyle McMartin <kmcmartin@redhat.com>,
|
||||
Stanislaw Gruszka <sgruszka@redhat.com>,
|
||||
"David S. Miller" <davem@davemloft.net>
|
||||
Subject: [PATCH -stable 2.6.34+] r8169: allocate with GFP_KERNEL flag when able to sleep
|
||||
Date: Mon, 18 Oct 2010 11:12:22 +0200
|
||||
Message-Id: <1287393142-2566-1-git-send-email-sgruszka@redhat.com>
|
||||
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
|
||||
|
||||
Upstream aeb19f6052b5e5c8a24aa444fbff73b84341beac commit.
|
||||
|
||||
We have fedora bug report where driver fail to initialize after
|
||||
suspend/resume because of memory allocation errors:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=629158
|
||||
|
||||
To fix use GFP_KERNEL allocation where possible.
|
||||
|
||||
Patch should fix any allocation errors with calltrace like that:
|
||||
|
||||
NetworkManager: page allocation failure. order:3, mode:0x4020
|
||||
Pid: 1427, comm: NetworkManager Not tainted 2.6.31.12-rhapsody.fc12-121 #1
|
||||
Call Trace:
|
||||
[<ffffffff810c876f>] __alloc_pages_nodemask+0x57a/0x5bb
|
||||
[<ffffffff810f415d>] alloc_pages_node+0x48/0x4a
|
||||
[<ffffffff810f4189>] kmalloc_large_node+0x2a/0x67
|
||||
[<ffffffff810f5f1c>] __kmalloc_node_track_caller+0x31/0x11b
|
||||
[<ffffffff8136f4fe>] ? __netdev_alloc_skb+0x34/0x50
|
||||
[<ffffffff8136e8b8>] __alloc_skb+0x80/0x170
|
||||
[<ffffffff8136f4fe>] __netdev_alloc_skb+0x34/0x50
|
||||
[<ffffffffa011c5e0>] rtl8169_rx_fill+0xa8/0x154 [r8169]
|
||||
[<ffffffffa011e5c5>] rtl8169_init_ring+0x71/0x9f [r8169]
|
||||
[<ffffffffa011edbe>] rtl8169_open+0x7f/0x199 [r8169]
|
||||
|
||||
Tested-by: Neal Becker <ndbecker2@gmail.com>
|
||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/r8169.c | 12 ++++++------
|
||||
1 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
|
||||
index a0da4a1..a68ec8f 100644
|
||||
--- a/drivers/net/r8169.c
|
||||
+++ b/drivers/net/r8169.c
|
||||
@@ -4000,7 +4000,7 @@ static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
|
||||
static struct sk_buff *rtl8169_alloc_rx_skb(struct pci_dev *pdev,
|
||||
struct net_device *dev,
|
||||
struct RxDesc *desc, int rx_buf_sz,
|
||||
- unsigned int align)
|
||||
+ unsigned int align, gfp_t gfp)
|
||||
{
|
||||
struct sk_buff *skb;
|
||||
dma_addr_t mapping;
|
||||
@@ -4008,7 +4008,7 @@ static struct sk_buff *rtl8169_alloc_rx_skb(struct pci_dev *pdev,
|
||||
|
||||
pad = align ? align : NET_IP_ALIGN;
|
||||
|
||||
- skb = netdev_alloc_skb(dev, rx_buf_sz + pad);
|
||||
+ skb = __netdev_alloc_skb(dev, rx_buf_sz + pad, gfp);
|
||||
if (!skb)
|
||||
goto err_out;
|
||||
|
||||
@@ -4039,7 +4039,7 @@ static void rtl8169_rx_clear(struct rtl8169_private *tp)
|
||||
}
|
||||
|
||||
static u32 rtl8169_rx_fill(struct rtl8169_private *tp, struct net_device *dev,
|
||||
- u32 start, u32 end)
|
||||
+ u32 start, u32 end, gfp_t gfp)
|
||||
{
|
||||
u32 cur;
|
||||
|
||||
@@ -4054,7 +4054,7 @@ static u32 rtl8169_rx_fill(struct rtl8169_private *tp, struct net_device *dev,
|
||||
|
||||
skb = rtl8169_alloc_rx_skb(tp->pci_dev, dev,
|
||||
tp->RxDescArray + i,
|
||||
- tp->rx_buf_sz, tp->align);
|
||||
+ tp->rx_buf_sz, tp->align, gfp);
|
||||
if (!skb)
|
||||
break;
|
||||
|
||||
@@ -4082,7 +4082,7 @@ static int rtl8169_init_ring(struct net_device *dev)
|
||||
memset(tp->tx_skb, 0x0, NUM_TX_DESC * sizeof(struct ring_info));
|
||||
memset(tp->Rx_skbuff, 0x0, NUM_RX_DESC * sizeof(struct sk_buff *));
|
||||
|
||||
- if (rtl8169_rx_fill(tp, dev, 0, NUM_RX_DESC) != NUM_RX_DESC)
|
||||
+ if (rtl8169_rx_fill(tp, dev, 0, NUM_RX_DESC, GFP_KERNEL) != NUM_RX_DESC)
|
||||
goto err_out;
|
||||
|
||||
rtl8169_mark_as_last_descriptor(tp->RxDescArray + NUM_RX_DESC - 1);
|
||||
@@ -4583,7 +4583,7 @@ static int rtl8169_rx_interrupt(struct net_device *dev,
|
||||
count = cur_rx - tp->cur_rx;
|
||||
tp->cur_rx = cur_rx;
|
||||
|
||||
- delta = rtl8169_rx_fill(tp, dev, tp->dirty_rx, tp->cur_rx);
|
||||
+ delta = rtl8169_rx_fill(tp, dev, tp->dirty_rx, tp->cur_rx, GFP_ATOMIC);
|
||||
if (!delta && count)
|
||||
netif_info(tp, intr, dev, "no Rx buffer allocated\n");
|
||||
tp->dirty_rx += delta;
|
||||
--
|
||||
1.7.1
|
||||
|
@ -1,55 +0,0 @@
|
||||
From: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Date: Tue, 14 Sep 2010 14:35:14 +0000 (+0200)
|
||||
Subject: sched: Fix user time incorrectly accounted as system time on 32-bit
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fx86%2Flinux-2.6-tip.git;a=commitdiff_plain;h=e75e863dd5c7d96b91ebbd241da5328fc38a78cc
|
||||
|
||||
sched: Fix user time incorrectly accounted as system time on 32-bit
|
||||
|
||||
We have 32-bit variable overflow possibility when multiply in
|
||||
task_times() and thread_group_times() functions. When the
|
||||
overflow happens then the scaled utime value becomes erroneously
|
||||
small and the scaled stime becomes i erroneously big.
|
||||
|
||||
Reported here:
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=633037
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=16559
|
||||
|
||||
Reported-by: Michael Chapman <redhat-bugzilla@very.puzzling.org>
|
||||
Reported-by: Ciriaco Garcia de Celis <sysman@etherpilot.com>
|
||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
|
||||
Cc: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
|
||||
Cc: <stable@kernel.org> # 2.6.32.19+ (partially) and 2.6.33+
|
||||
LKML-Reference: <20100914143513.GB8415@redhat.com>
|
||||
Signed-off-by: Ingo Molnar <mingo@elte.hu>
|
||||
---
|
||||
|
||||
diff --git a/kernel/sched.c b/kernel/sched.c
|
||||
index ed09d4f..dc85ceb 100644
|
||||
--- a/kernel/sched.c
|
||||
+++ b/kernel/sched.c
|
||||
@@ -3513,9 +3513,9 @@ void task_times(struct task_struct *p, cputime_t *ut, cputime_t *st)
|
||||
rtime = nsecs_to_cputime(p->se.sum_exec_runtime);
|
||||
|
||||
if (total) {
|
||||
- u64 temp;
|
||||
+ u64 temp = rtime;
|
||||
|
||||
- temp = (u64)(rtime * utime);
|
||||
+ temp *= utime;
|
||||
do_div(temp, total);
|
||||
utime = (cputime_t)temp;
|
||||
} else
|
||||
@@ -3546,9 +3546,9 @@ void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *st)
|
||||
rtime = nsecs_to_cputime(cputime.sum_exec_runtime);
|
||||
|
||||
if (total) {
|
||||
- u64 temp;
|
||||
+ u64 temp = rtime;
|
||||
|
||||
- temp = (u64)(rtime * cputime.utime);
|
||||
+ temp *= cputime.utime;
|
||||
do_div(temp, total);
|
||||
utime = (cputime_t)temp;
|
||||
} else
|
@ -1,34 +0,0 @@
|
||||
From 4bdab43323b459900578b200a4b8cf9713ac8fab Mon Sep 17 00:00:00 2001
|
||||
From: Vlad Yasevich <vladislav.yasevich@hp.com>
|
||||
Date: Wed, 15 Sep 2010 10:00:26 -0400
|
||||
Subject: sctp: Do not reset the packet during sctp_packet_config().
|
||||
|
||||
From: Vlad Yasevich <vladislav.yasevich@hp.com>
|
||||
|
||||
commit 4bdab43323b459900578b200a4b8cf9713ac8fab upstream.
|
||||
|
||||
sctp_packet_config() is called when getting the packet ready
|
||||
for appending of chunks. The function should not touch the
|
||||
current state, since it's possible to ping-pong between two
|
||||
transports when sending, and that can result packet corruption
|
||||
followed by skb overlfow crash.
|
||||
|
||||
Reported-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
|
||||
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
net/sctp/output.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
--- a/net/sctp/output.c
|
||||
+++ b/net/sctp/output.c
|
||||
@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(s
|
||||
SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
|
||||
packet, vtag);
|
||||
|
||||
- sctp_packet_reset(packet);
|
||||
packet->vtag = vtag;
|
||||
|
||||
if (ecn_capable && sctp_packet_empty(packet)) {
|
@ -1,42 +0,0 @@
|
||||
From: Roland McGrath <roland@redhat.com>
|
||||
Date: Wed, 8 Sep 2010 02:35:49 +0000 (-0700)
|
||||
Subject: setup_arg_pages: diagnose excessive argument size
|
||||
X-Git-Tag: v2.6.36-rc4~14
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1b528181b2ffa14721fb28ad1bd539fe1732c583
|
||||
|
||||
setup_arg_pages: diagnose excessive argument size
|
||||
|
||||
The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
|
||||
check the size of the argument/environment area on the stack.
|
||||
When it is unworkably large, shift_arg_pages() hits its BUG_ON.
|
||||
This is exploitable with a very large RLIMIT_STACK limit, to
|
||||
create a crash pretty easily.
|
||||
|
||||
Check that the initial stack is not too large to make it possible
|
||||
to map in any executable. We're not checking that the actual
|
||||
executable (or intepreter, for binfmt_elf) will fit. So those
|
||||
mappings might clobber part of the initial stack mapping. But
|
||||
that is just userland lossage that userland made happen, not a
|
||||
kernel problem.
|
||||
|
||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
||||
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/fs/exec.c b/fs/exec.c
|
||||
index 2d94552..1b63237 100644
|
||||
--- a/fs/exec.c
|
||||
+++ b/fs/exec.c
|
||||
@@ -594,6 +594,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
|
||||
#else
|
||||
stack_top = arch_align_stack(stack_top);
|
||||
stack_top = PAGE_ALIGN(stack_top);
|
||||
+
|
||||
+ if (unlikely(stack_top < mmap_min_addr) ||
|
||||
+ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
stack_shift = vma->vm_end - stack_top;
|
||||
|
||||
bprm->p -= stack_shift;
|
@ -1,98 +0,0 @@
|
||||
From sgruszka@redhat.com Mon Oct 18 05:19:21 2010
|
||||
Return-Path: sgruszka@redhat.com
|
||||
Received: from zmta02.collab.prod.int.phx2.redhat.com (LHLO
|
||||
zmta02.collab.prod.int.phx2.redhat.com) (10.5.5.32) by
|
||||
mail03.corp.redhat.com with LMTP; Mon, 18 Oct 2010 05:19:21 -0400 (EDT)
|
||||
Received: from localhost (localhost.localdomain [127.0.0.1])
|
||||
by zmta02.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id A11F69E559;
|
||||
Mon, 18 Oct 2010 05:19:21 -0400 (EDT)
|
||||
Received: from zmta02.collab.prod.int.phx2.redhat.com ([127.0.0.1])
|
||||
by localhost (zmta02.collab.prod.int.phx2.redhat.com [127.0.0.1]) (amavisd-new, port 10024)
|
||||
with ESMTP id IhyIgD7E4aj3; Mon, 18 Oct 2010 05:19:21 -0400 (EDT)
|
||||
Received: from int-mx08.intmail.prod.int.phx2.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.21])
|
||||
by zmta02.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 9007B9E55E;
|
||||
Mon, 18 Oct 2010 05:19:21 -0400 (EDT)
|
||||
Received: from localhost (dhcp-1-246.brq.redhat.com [10.34.1.246])
|
||||
by int-mx08.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id o9I9JKsF025385;
|
||||
Mon, 18 Oct 2010 05:19:21 -0400
|
||||
From: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
To: stable@kernel.org
|
||||
Cc: Kyle McMartin <kmcmartin@redhat.com>,
|
||||
Stanislaw Gruszka <sgruszka@redhat.com>,
|
||||
"David S. Miller" <davem@davemloft.net>
|
||||
Subject: [PATCH -stable 2.6.34+] skge: add quirk to limit DMA
|
||||
Date: Mon, 18 Oct 2010 11:21:54 +0200
|
||||
Message-Id: <1287393714-3720-1-git-send-email-sgruszka@redhat.com>
|
||||
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.21
|
||||
|
||||
Upstream 392bd0cb000d4aac9e88e4f50823db85e7220688 commit.
|
||||
|
||||
Skge devices installed on some Gigabyte motherboards are not able to
|
||||
perform 64 dma correctly due to board PCI implementation, so limit
|
||||
DMA to 32bit if such boards are detected.
|
||||
|
||||
Bug was reported here:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=447489
|
||||
|
||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Tested-by: Luya Tshimbalanga <luya@fedoraproject.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/skge.c | 18 +++++++++++++++++-
|
||||
1 files changed, 17 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/skge.c b/drivers/net/skge.c
|
||||
index 40e5c46..465ae7e 100644
|
||||
--- a/drivers/net/skge.c
|
||||
+++ b/drivers/net/skge.c
|
||||
@@ -43,6 +43,7 @@
|
||||
#include <linux/seq_file.h>
|
||||
#include <linux/mii.h>
|
||||
#include <linux/slab.h>
|
||||
+#include <linux/dmi.h>
|
||||
#include <asm/irq.h>
|
||||
|
||||
#include "skge.h"
|
||||
@@ -3868,6 +3869,8 @@ static void __devinit skge_show_addr(struct net_device *dev)
|
||||
netif_info(skge, probe, skge->netdev, "addr %pM\n", dev->dev_addr);
|
||||
}
|
||||
|
||||
+static int only_32bit_dma;
|
||||
+
|
||||
static int __devinit skge_probe(struct pci_dev *pdev,
|
||||
const struct pci_device_id *ent)
|
||||
{
|
||||
@@ -3889,7 +3892,7 @@ static int __devinit skge_probe(struct pci_dev *pdev,
|
||||
|
||||
pci_set_master(pdev);
|
||||
|
||||
- if (!pci_set_dma_mask(pdev, DMA_BIT_MASK(64))) {
|
||||
+ if (!only_32bit_dma && !pci_set_dma_mask(pdev, DMA_BIT_MASK(64))) {
|
||||
using_dac = 1;
|
||||
err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64));
|
||||
} else if (!(err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)))) {
|
||||
@@ -4147,8 +4150,21 @@ static struct pci_driver skge_driver = {
|
||||
.shutdown = skge_shutdown,
|
||||
};
|
||||
|
||||
+static struct dmi_system_id skge_32bit_dma_boards[] = {
|
||||
+ {
|
||||
+ .ident = "Gigabyte nForce boards",
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co"),
|
||||
+ DMI_MATCH(DMI_BOARD_NAME, "nForce"),
|
||||
+ },
|
||||
+ },
|
||||
+ {}
|
||||
+};
|
||||
+
|
||||
static int __init skge_init_module(void)
|
||||
{
|
||||
+ if (dmi_check_system(skge_32bit_dma_boards))
|
||||
+ only_32bit_dma = 1;
|
||||
skge_debug_init();
|
||||
return pci_register_driver(&skge_driver);
|
||||
}
|
||||
--
|
||||
1.7.1
|
||||
|
2
sources
@ -1,2 +1,2 @@
|
||||
10eebcb0178fb4540e2165bfd7efc7ad linux-2.6.34.tar.bz2
|
||||
a88e4b5a9fcb23c2229301ac4dae1f1a patch-2.6.34.7.bz2
|
||||
de755877dbd32ed783067987c095c278 patch-2.6.34.8.bz2
|
||||
|
@ -1,51 +0,0 @@
|
||||
From: Steven Rostedt <srostedt@redhat.com>
|
||||
Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400)
|
||||
Subject: tracing: Do not allow llseek to set_ftrace_filter
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
|
||||
|
||||
tracing: Do not allow llseek to set_ftrace_filter
|
||||
|
||||
Reading the file set_ftrace_filter does three things.
|
||||
|
||||
1) shows whether or not filters are set for the function tracer
|
||||
2) shows what functions are set for the function tracer
|
||||
3) shows what triggers are set on any functions
|
||||
|
||||
3 is independent from 1 and 2.
|
||||
|
||||
The way this file currently works is that it is a state machine,
|
||||
and as you read it, it may change state. But this assumption breaks
|
||||
when you use lseek() on the file. The state machine gets out of sync
|
||||
and the t_show() may use the wrong pointer and cause a kernel oops.
|
||||
|
||||
Luckily, this will only kill the app that does the lseek, but the app
|
||||
dies while holding a mutex. This prevents anyone else from using the
|
||||
set_ftrace_filter file (or any other function tracing file for that matter).
|
||||
|
||||
A real fix for this is to rewrite the code, but that is too much for
|
||||
a -rc release or stable. This patch simply disables llseek on the
|
||||
set_ftrace_filter() file for now, and we can do the proper fix for the
|
||||
next major release.
|
||||
|
||||
Reported-by: Robert Swiecki <swiecki@google.com>
|
||||
Cc: Chris Wright <chrisw@sous-sol.org>
|
||||
Cc: Tavis Ormandy <taviso@google.com>
|
||||
Cc: Eugene Teo <eugene@redhat.com>
|
||||
Cc: vendor-sec@lst.de
|
||||
Cc: <stable@kernel.org>
|
||||
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
|
||||
---
|
||||
|
||||
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
|
||||
index 7cb1f45..83a16e9 100644
|
||||
--- a/kernel/trace/ftrace.c
|
||||
+++ b/kernel/trace/ftrace.c
|
||||
@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = {
|
||||
.open = ftrace_filter_open,
|
||||
.read = seq_read,
|
||||
.write = ftrace_filter_write,
|
||||
- .llseek = ftrace_regex_lseek,
|
||||
+ .llseek = no_llseek,
|
||||
.release = ftrace_filter_release,
|
||||
};
|
||||
|
@ -1,86 +0,0 @@
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Fri, 15 Oct 2010 18:12:38 +0000 (-0700)
|
||||
Subject: v4l1: fix 32-bit compat microcode loading translation
|
||||
X-Git-Tag: v2.6.36~11^2
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3e645d6b485446c54c6745c5e2cf5c528fe4deec
|
||||
|
||||
v4l1: fix 32-bit compat microcode loading translation
|
||||
|
||||
The compat code for the VIDIOCSMICROCODE ioctl is totally buggered.
|
||||
It's only used by the VIDEO_STRADIS driver, and that one is scheduled to
|
||||
staging and eventually removed unless somebody steps up to maintain it
|
||||
(at which point it should use request_firmware() rather than some magic
|
||||
ioctl). So we'll get rid of it eventually.
|
||||
|
||||
But in the meantime, the compatibility ioctl code is broken, and this
|
||||
tries to get it to at least limp along (even if Mauro suggested just
|
||||
deleting it entirely, which may be the right thing to do - I don't think
|
||||
the compatibility translation code has ever worked unless you were very
|
||||
lucky).
|
||||
|
||||
Reported-by: Kees Cook <kees.cook@canonical.com>
|
||||
Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/drivers/media/video/v4l2-compat-ioctl32.c b/drivers/media/video/v4l2-compat-ioctl32.c
|
||||
index 073f013..86294ed3 100644
|
||||
--- a/drivers/media/video/v4l2-compat-ioctl32.c
|
||||
+++ b/drivers/media/video/v4l2-compat-ioctl32.c
|
||||
@@ -193,17 +193,24 @@ static int put_video_window32(struct video_window *kp, struct video_window32 __u
|
||||
struct video_code32 {
|
||||
char loadwhat[16]; /* name or tag of file being passed */
|
||||
compat_int_t datasize;
|
||||
- unsigned char *data;
|
||||
+ compat_uptr_t data;
|
||||
};
|
||||
|
||||
-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
|
||||
+static struct video_code __user *get_microcode32(struct video_code32 *kp)
|
||||
{
|
||||
- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
|
||||
- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
|
||||
- get_user(kp->datasize, &up->datasize) ||
|
||||
- copy_from_user(kp->data, up->data, up->datasize))
|
||||
- return -EFAULT;
|
||||
- return 0;
|
||||
+ struct video_code __user *up;
|
||||
+
|
||||
+ up = compat_alloc_user_space(sizeof(*up));
|
||||
+
|
||||
+ /*
|
||||
+ * NOTE! We don't actually care if these fail. If the
|
||||
+ * user address is invalid, the native ioctl will do
|
||||
+ * the error handling for us
|
||||
+ */
|
||||
+ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
|
||||
+ (void) put_user(kp->datasize, &up->datasize);
|
||||
+ (void) put_user(compat_ptr(kp->data), &up->data);
|
||||
+ return up;
|
||||
}
|
||||
|
||||
#define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32)
|
||||
@@ -739,7 +746,7 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
|
||||
struct video_tuner vt;
|
||||
struct video_buffer vb;
|
||||
struct video_window vw;
|
||||
- struct video_code vc;
|
||||
+ struct video_code32 vc;
|
||||
struct video_audio va;
|
||||
#endif
|
||||
struct v4l2_format v2f;
|
||||
@@ -818,8 +825,11 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
|
||||
break;
|
||||
|
||||
case VIDIOCSMICROCODE:
|
||||
- err = get_microcode32(&karg.vc, up);
|
||||
- compatible_arg = 0;
|
||||
+ /* Copy the 32-bit "video_code32" to kernel space */
|
||||
+ if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
|
||||
+ return -EFAULT;
|
||||
+ /* Convert the 32-bit version to a 64-bit version in user space */
|
||||
+ up = get_microcode32(&karg.vc);
|
||||
break;
|
||||
|
||||
case VIDIOCSFREQ:
|
@ -1,33 +0,0 @@
|
||||
From aaa3e9152f27f6cd83c074d7dc99e79897ac8c20 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Date: Wed, 15 Sep 2010 19:08:24 -0400
|
||||
Subject: [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory
|
||||
|
||||
The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
|
||||
bytes of uninitialized stack memory, because the "reserved" member of
|
||||
the viafb_ioctl_info struct declared on the stack is not altered or
|
||||
zeroed before being copied back to the user. This patch takes care of
|
||||
it.
|
||||
|
||||
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
|
||||
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
|
||||
---
|
||||
drivers/video/via/ioctl.c | 2 ++
|
||||
1 files changed, 2 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/drivers/video/via/ioctl.c b/drivers/video/via/ioctl.c
|
||||
index da03c07..4d553d0 100644
|
||||
--- a/drivers/video/via/ioctl.c
|
||||
+++ b/drivers/video/via/ioctl.c
|
||||
@@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long arg)
|
||||
{
|
||||
struct viafb_ioctl_info viainfo;
|
||||
|
||||
+ memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
|
||||
+
|
||||
viainfo.viafb_id = VIAID;
|
||||
viainfo.vendor_id = PCI_VIA_VENDOR_ID;
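Review bot: The added `memset` takes its size from the type name rather than from the object; `memset(&viainfo, 0, sizeof(viainfo));` stays correct if the declaration of `viainfo` ever changes. A one-line comment such as `/* clear reserved[] and any padding: the whole struct is copied to user space */` would record why the clear has to stay ahead of the field assignments. The copy back to the caller and the rest of viafb_ioctl_get_viafb_info are outside the hunk.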
|
||||
|
||||
--
|
||||
1.7.3.2
|
||||
|
@ -1,77 +0,0 @@
|
||||
From: Johannes Berg <johannes.berg@intel.com>
|
||||
Date: Mon, 30 Aug 2010 10:24:54 +0000 (+0200)
|
||||
Subject: wireless extensions: fix kernel heap content leak
|
||||
X-Git-Tag: master-2010-08-30
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Flinville%2Fwireless-2.6.git;a=commitdiff_plain;h=42da2f948d949efd0111309f5827bf0298bcc9a4
|
||||
|
||||
wireless extensions: fix kernel heap content leak
|
||||
|
||||
Wireless extensions have an unfortunate, undocumented
|
||||
requirement which requires drivers to always fill
|
||||
iwp->length when returning a successful status. When
|
||||
a driver doesn't do this, it leads to a kernel heap
|
||||
content leak when userspace offers a larger buffer
|
||||
than would have been necessary.
|
||||
|
||||
Arguably, this is a driver bug, as it should, if it
|
||||
returns 0, fill iwp->length, even if it separately
|
||||
indicated that the buffer contents was not valid.
|
||||
|
||||
However, we can also at least avoid the memory content
|
||||
leak if the driver doesn't do this by setting the iwp
|
||||
length to max_tokens, which then reflects how big the
|
||||
buffer is that the driver may fill, regardless of how
|
||||
big the userspace buffer is.
|
||||
|
||||
To illustrate the point, this patch also fixes a
|
||||
corresponding cfg80211 bug (since this requirement
|
||||
isn't documented nor was ever pointed out by anyone
|
||||
during code review, I don't trust all drivers nor
|
||||
all cfg80211 handlers to implement it correctly).
|
||||
|
||||
Cc: stable@kernel.org [all the way back]
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
|
||||
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
|
||||
index bb5e0a5..7e5c3a4 100644
|
||||
--- a/net/wireless/wext-compat.c
|
||||
+++ b/net/wireless/wext-compat.c
|
||||
@@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_device *dev,
|
||||
{
|
||||
struct wireless_dev *wdev = dev->ieee80211_ptr;
|
||||
|
||||
+ data->flags = 0;
|
||||
+ data->length = 0;
|
||||
+
|
||||
switch (wdev->iftype) {
|
||||
case NL80211_IFTYPE_ADHOC:
|
||||
return cfg80211_ibss_wext_giwessid(dev, info, data, ssid);
|
||||
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
|
||||
index 0ef17bc..8f5116f 100644
|
||||
--- a/net/wireless/wext-core.c
|
||||
+++ b/net/wireless/wext-core.c
|
||||
@@ -782,6 +782,22 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
|
||||
+ /*
|
||||
+ * If this is a GET, but not NOMAX, it means that the extra
|
||||
+ * data is not bounded by userspace, but by max_tokens. Thus
|
||||
+ * set the length to max_tokens. This matches the extra data
|
||||
+ * allocation.
|
||||
+ * The driver should fill it with the number of tokens it
|
||||
+ * provided, and it may check iwp->length rather than having
|
||||
+ * knowledge of max_tokens. If the driver doesn't change the
|
||||
+ * iwp->length, this ioctl just copies back max_token tokens
|
||||
+ * filled with zeroes. Hopefully the driver isn't claiming
|
||||
+ * them to be valid data.
|
||||
+ */
|
||||
+ iwp->length = descr->max_tokens;
|
||||
+ }
|
||||
+
|
||||
err = handler(dev, info, (union iwreq_data *) iwp, extra);
|
||||
|
||||
iwp->length += essid_compat;
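Review bot: The new comment promises that an untouched `iwp->length` only copies back "tokens filled with zeroes", but nothing in this hunk zeroes `extra`. That guarantee holds only if the allocation earlier in ioctl_standard_iw_point, outside the hunk, is a zeroing one. With a non-zeroing allocator, `iwp->length = descr->max_tokens;` would bound the copy but still disclose up to max_tokens of stale heap. After confirming the allocation I would state the dependency in the comment, e.g. `* (extra is zero-allocated above, so tokens the driver did not write are zero)`. The comment also writes `max_token` where the field is `max_tokens`.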
|
@ -1,29 +0,0 @@
|
||||
From: Peter Zijlstra <peterz@infradead.org>
|
||||
Date: Fri, 10 Sep 2010 20:32:53 +0000 (+0200)
|
||||
Subject: x86, tsc: Fix a preemption leak in restore_sched_clock_state()
|
||||
X-Git-Tag: v2.6.36-rc4~11
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5ee5e97ee9bca919af11c562beeaf61741ad33f1
|
||||
|
||||
x86, tsc: Fix a preemption leak in restore_sched_clock_state()
|
||||
|
||||
A real life genuine preemption leak..
|
||||
|
||||
Reported-and-tested-by: Jeff Chua <jeff.chua.linux@gmail.com>
|
||||
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
|
||||
Acked-by: Suresh Siddha <suresh.b.siddha@intel.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
|
||||
index d632934..26a863a 100644
|
||||
--- a/arch/x86/kernel/tsc.c
|
||||
+++ b/arch/x86/kernel/tsc.c
|
||||
@@ -655,7 +655,7 @@ void restore_sched_clock_state(void)
|
||||
|
||||
local_irq_save(flags);
|
||||
|
||||
- get_cpu_var(cyc2ns_offset) = 0;
|
||||
+ __get_cpu_var(cyc2ns_offset) = 0;
|
||||
offset = cyc2ns_suspend - sched_clock();
|
||||
|
||||
for_each_possible_cpu(cpu)
|
@ -1,115 +0,0 @@
|
||||
From cd7240c0b900eb6d690ccee088a6c9b46dae815a Mon Sep 17 00:00:00 2001
|
||||
From: Suresh Siddha <suresh.b.siddha@intel.com>
|
||||
Date: Thu, 19 Aug 2010 17:03:38 -0700
|
||||
Subject: x86, tsc, sched: Recompute cyc2ns_offset's during resume from sleep states
|
||||
|
||||
From: Suresh Siddha <suresh.b.siddha@intel.com>
|
||||
|
||||
commit cd7240c0b900eb6d690ccee088a6c9b46dae815a upstream.
|
||||
|
||||
TSC's get reset after suspend/resume (even on cpu's with invariant TSC
|
||||
which runs at a constant rate across ACPI P-, C- and T-states). And in
|
||||
some systems BIOS seem to reinit TSC to arbitrary large value (still
|
||||
sync'd across cpu's) during resume.
|
||||
|
||||
This leads to a scenario of scheduler rq->clock (sched_clock_cpu()) less
|
||||
than rq->age_stamp (introduced in 2.6.32). This leads to a big value
|
||||
returned by scale_rt_power() and the resulting big group power set by the
|
||||
update_group_power() is causing improper load balancing between busy and
|
||||
idle cpu's after suspend/resume.
|
||||
|
||||
This resulted in multi-threaded workloads (like kernel-compilation) go
|
||||
slower after suspend/resume cycle on core i5 laptops.
|
||||
|
||||
Fix this by recomputing cyc2ns_offset's during resume, so that
|
||||
sched_clock() continues from the point where it was left off during
|
||||
suspend.
|
||||
|
||||
Reported-by: Florian Pritz <flo@xssn.at>
|
||||
Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
|
||||
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
|
||||
LKML-Reference: <1282262618.2675.24.camel@sbsiddha-MOBL3.sc.intel.com>
|
||||
Signed-off-by: Ingo Molnar <mingo@elte.hu>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
arch/x86/include/asm/tsc.h | 2 ++
|
||||
arch/x86/kernel/tsc.c | 38 ++++++++++++++++++++++++++++++++++++++
|
||||
arch/x86/power/cpu.c | 2 ++
|
||||
3 files changed, 42 insertions(+)
|
||||
|
||||
--- a/arch/x86/include/asm/tsc.h
|
||||
+++ b/arch/x86/include/asm/tsc.h
|
||||
@@ -59,5 +59,7 @@ extern void check_tsc_sync_source(int cp
|
||||
extern void check_tsc_sync_target(void);
|
||||
|
||||
extern int notsc_setup(char *);
|
||||
+extern void save_sched_clock_state(void);
|
||||
+extern void restore_sched_clock_state(void);
|
||||
|
||||
#endif /* _ASM_X86_TSC_H */
|
||||
--- a/arch/x86/kernel/tsc.c
|
||||
+++ b/arch/x86/kernel/tsc.c
|
||||
@@ -626,6 +626,44 @@ static void set_cyc2ns_scale(unsigned lo
|
||||
local_irq_restore(flags);
|
||||
}
|
||||
|
||||
+static unsigned long long cyc2ns_suspend;
|
||||
+
|
||||
+void save_sched_clock_state(void)
|
||||
+{
|
||||
+ if (!sched_clock_stable)
|
||||
+ return;
|
||||
+
|
||||
+ cyc2ns_suspend = sched_clock();
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Even on processors with invariant TSC, TSC gets reset in some the
|
||||
+ * ACPI system sleep states. And in some systems BIOS seem to reinit TSC to
|
||||
+ * arbitrary value (still sync'd across cpu's) during resume from such sleep
|
||||
+ * states. To cope up with this, recompute the cyc2ns_offset for each cpu so
|
||||
+ * that sched_clock() continues from the point where it was left off during
|
||||
+ * suspend.
|
||||
+ */
|
||||
+void restore_sched_clock_state(void)
|
||||
+{
|
||||
+ unsigned long long offset;
|
||||
+ unsigned long flags;
|
||||
+ int cpu;
|
||||
+
|
||||
+ if (!sched_clock_stable)
|
||||
+ return;
|
||||
+
|
||||
+ local_irq_save(flags);
|
||||
+
|
||||
+ get_cpu_var(cyc2ns_offset) = 0;
|
||||
+ offset = cyc2ns_suspend - sched_clock();
|
||||
+
|
||||
+ for_each_possible_cpu(cpu)
|
||||
+ per_cpu(cyc2ns_offset, cpu) = offset;
|
||||
+
|
||||
+ local_irq_restore(flags);
|
||||
+}
|
||||
+
|
||||
#ifdef CONFIG_CPU_FREQ
|
||||
|
||||
/* Frequency scaling support. Adjust the TSC based timer when the cpu frequency
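Review bot: `get_cpu_var(cyc2ns_offset) = 0;` in restore_sched_clock_state() has no matching `put_cpu_var()`, so every resume leaves the preempt count raised by one. get_cpu_var() disables preemption as part of the access, and nothing later in the function re-enables it. Interrupts are already off through `local_irq_save(flags)`, so the plain accessor is enough here: `__get_cpu_var(cyc2ns_offset) = 0;`.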
|
||||
--- a/arch/x86/power/cpu.c
|
||||
+++ b/arch/x86/power/cpu.c
|
||||
@@ -112,6 +112,7 @@ static void __save_processor_state(struc
|
||||
void save_processor_state(void)
|
||||
{
|
||||
__save_processor_state(&saved_context);
|
||||
+ save_sched_clock_state();
|
||||
}
|
||||
#ifdef CONFIG_X86_32
|
||||
EXPORT_SYMBOL(save_processor_state);
|
||||
@@ -253,6 +254,7 @@ static void __restore_processor_state(st
|
||||
void restore_processor_state(void)
|
||||
{
|
||||
__restore_processor_state(&saved_context);
|
||||
+ restore_sched_clock_state();
|
||||
}
|
||||
#ifdef CONFIG_X86_32
|
||||
EXPORT_SYMBOL(restore_processor_state);
|
@ -1,44 +0,0 @@
|
||||
From dffe2e1e1a1ddb566a76266136c312801c66dcf7 Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
||||
Date: Fri, 20 Aug 2010 19:10:01 -0700
|
||||
Subject: xen: handle events as edge-triggered
|
||||
|
||||
From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
||||
|
||||
commit dffe2e1e1a1ddb566a76266136c312801c66dcf7 upstream.
|
||||
|
||||
Xen events are logically edge triggered, as Xen only calls the event
|
||||
upcall when an event is newly set, but not continuously as it remains set.
|
||||
As a result, use handle_edge_irq rather than handle_level_irq.
|
||||
|
||||
This has the important side-effect of fixing a long-standing bug of
|
||||
events getting lost if:
|
||||
- an event's interrupt handler is running
|
||||
- the event is migrated to a different vcpu
|
||||
- the event is re-triggered
|
||||
|
||||
The most noticable symptom of these lost events is occasional lockups
|
||||
of blkfront.
|
||||
|
||||
Many thanks to Tom Kopec and Daniel Stodden in tracking this down.
|
||||
|
||||
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
||||
Cc: Tom Kopec <tek@acm.org>
|
||||
Cc: Daniel Stodden <daniel.stodden@citrix.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
drivers/xen/events.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/xen/events.c
|
||||
+++ b/drivers/xen/events.c
|
||||
@@ -363,7 +363,7 @@ int bind_evtchn_to_irq(unsigned int evtc
|
||||
irq = find_unbound_irq();
|
||||
|
||||
set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
|
||||
- handle_level_irq, "event");
|
||||
+ handle_edge_irq, "event");
|
||||
|
||||
evtchn_to_irq[evtchn] = irq;
|
||||
irq_info[irq] = mk_evtchn_info(evtchn);
|
@ -1,73 +0,0 @@
|
||||
From aaca49642b92c8a57d3ca5029a5a94019c7af69f Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
||||
Date: Fri, 20 Aug 2010 18:57:53 -0700
|
||||
Subject: xen: use percpu interrupts for IPIs and VIRQs
|
||||
|
||||
From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
||||
|
||||
commit aaca49642b92c8a57d3ca5029a5a94019c7af69f upstream.
|
||||
|
||||
IPIs and VIRQs are inherently per-cpu event types, so treat them as such:
|
||||
- use a specific percpu irq_chip implementation, and
|
||||
- handle them with handle_percpu_irq
|
||||
|
||||
This makes the path for delivering these interrupts more efficient
|
||||
(no masking/unmasking, no locks), and it avoid problems with attempts
|
||||
to migrate them.
|
||||
|
||||
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
drivers/xen/events.c | 19 +++++++++++++++----
|
||||
1 file changed, 15 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/drivers/xen/events.c
|
||||
+++ b/drivers/xen/events.c
|
||||
@@ -107,6 +107,7 @@ static inline unsigned long *cpu_evtchn_
|
||||
#define VALID_EVTCHN(chn) ((chn) != 0)
|
||||
|
||||
static struct irq_chip xen_dynamic_chip;
|
||||
+static struct irq_chip xen_percpu_chip;
|
||||
|
||||
/* Constructor for packed IRQ information. */
|
||||
static struct irq_info mk_unbound_info(void)
|
||||
@@ -389,8 +390,8 @@ static int bind_ipi_to_irq(unsigned int
|
||||
if (irq < 0)
|
||||
goto out;
|
||||
|
||||
- set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
|
||||
- handle_level_irq, "ipi");
|
||||
+ set_irq_chip_and_handler_name(irq, &xen_percpu_chip,
|
||||
+ handle_percpu_irq, "ipi");
|
||||
|
||||
bind_ipi.vcpu = cpu;
|
||||
if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_ipi,
|
||||
@@ -430,8 +431,8 @@ static int bind_virq_to_irq(unsigned int
|
||||
|
||||
irq = find_unbound_irq();
|
||||
|
||||
- set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
|
||||
- handle_level_irq, "virq");
|
||||
+ set_irq_chip_and_handler_name(irq, &xen_percpu_chip,
|
||||
+ handle_percpu_irq, "virq");
|
||||
|
||||
evtchn_to_irq[evtchn] = irq;
|
||||
irq_info[irq] = mk_virq_info(evtchn, virq);
|
||||
@@ -934,6 +935,16 @@ static struct irq_chip xen_dynamic_chip
|
||||
.retrigger = retrigger_dynirq,
|
||||
};
|
||||
|
||||
+static struct irq_chip xen_percpu_chip __read_mostly = {
|
||||
+ .name = "xen-percpu",
|
||||
+
|
||||
+ .disable = disable_dynirq,
|
||||
+ .mask = disable_dynirq,
|
||||
+ .unmask = enable_dynirq,
|
||||
+
|
||||
+ .ack = ack_dynirq,
|
||||
+};
|
||||
+
|
||||
void __init xen_init_IRQ(void)
|
||||
{
|
||||
int i;
|