author | Alexandre Oliva <lxoliva@fsfla.org> | 2011-05-05 16:28:34 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2011-05-05 16:28:34 +0000 |
commit | ece7a5a9368b60444d73bde9eb05ff566f894549 (patch) | |
tree | 983ba41178b4ad3b9223b845f4ba749d1dc3d027 /freed-ora/current/f13 | |
parent | a2aff5ff3f37c1b6b8767dbc01830c925a378f99 (diff) | |
2.6.34.9-69.fc13
Diffstat (limited to 'freed-ora/current/f13')
43 files changed, 609 insertions, 1798 deletions
diff --git a/freed-ora/current/f13/af_unix-limit-unix_tot_inflight.patch b/freed-ora/current/f13/af_unix-limit-unix_tot_inflight.patch
deleted file mode 100644
index 0721a3d3d..000000000
--- a/freed-ora/current/f13/af_unix-limit-unix_tot_inflight.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Eric Dumazet <eric.dumazet@gmail.com>
-Date: Wed, 24 Nov 2010 17:15:27 +0000 (-0800)
-Subject: af_unix: limit unix_tot_inflight
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=9915672d41273f5b77f1b3c29b391ffb7732b84b
-
-af_unix: limit unix_tot_inflight
-
-Vegard Nossum found a unix socket OOM was possible, posting an exploit
-program.
-
-My analysis is we can eat all LOWMEM memory before unix_gc() being
-called from unix_release_sock(). Moreover, the thread blocked in
-unix_gc() can consume huge amount of time to perform cleanup because of
-huge working set.
-
-One way to handle this is to have a sensible limit on unix_tot_inflight,
-tested from wait_for_unix_gc() and to force a call to unix_gc() if this
-limit is hit.
-
-This solves the OOM and also reduce overall latencies, and should not
-slowdown normal workloads.
-
-Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
-Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index c8df6fd..40df93d 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -259,9 +259,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
- }
- 
- static bool gc_in_progress = false;
-+#define UNIX_INFLIGHT_TRIGGER_GC 16000
- 
- void wait_for_unix_gc(void)
- {
-+ /*
-+ * If number of inflight sockets is insane,
-+ * force a garbage collect right now.
-+ */
-+ if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
-+ unix_gc();
- wait_event(unix_gc_wait, gc_in_progress == false);
- }
- 
diff --git a/freed-ora/current/f13/agp-fix-arbitrary-kernel-memory-writes.patch b/freed-ora/current/f13/agp-fix-arbitrary-kernel-memory-writes.patch new file mode 100644 index 000000000..35d6d1a29 --- /dev/null +++ b/freed-ora/current/f13/agp-fix-arbitrary-kernel-memory-writes.patch 
@@ -0,0 +1,55 @@ +From: Vasiliy Kulikov <segoon@openwall.com> +Date: Thu, 14 Apr 2011 16:55:16 +0000 (+0400) +Subject: agp: fix arbitrary kernel memory writes +X-Git-Tag: v2.6.39-rc5~29^2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=194b3da873fd334ef183806db751473512af29ce + +agp: fix arbitrary kernel memory writes + +pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl +cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the +comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, +and it is not checked at all in case of AGPIOC_UNBIND. As a result, user +with sufficient privileges (usually "video" group) may generate either +local DoS or privilege escalation. + +Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> +Signed-off-by: Dave Airlie <airlied@redhat.com> +--- + +diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c +index 850a643..b072648 100644 +--- a/drivers/char/agp/generic.c ++++ b/drivers/char/agp/generic.c +@@ -1095,8 +1095,8 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type) + return -EINVAL; + } + +- /* AK: could wrap */ +- if ((pg_start + mem->page_count) > num_entries) ++ if (((pg_start + mem->page_count) > num_entries) || ++ ((pg_start + mem->page_count) < pg_start)) + return -EINVAL; + + j = pg_start; +@@ -1130,7 +1130,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type) + { + size_t i; + struct agp_bridge_data *bridge; +- int mask_type; ++ int mask_type, num_entries; + + bridge = mem->bridge; + if (!bridge) +@@ -1142,6 +1142,11 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type) + if (type != mem->type) + return -EINVAL; + ++ num_entries = agp_num_entries(); ++ if (((pg_start + mem->page_count) > num_entries) || ++ ((pg_start + mem->page_count) < pg_start)) ++ return -EINVAL; ++ + mask_type = 
bridge->driver->agp_type_to_mask_type(bridge, type); + if (mask_type != 0) { + /* The generic routines know nothing of memory types */ diff --git a/freed-ora/current/f13/agp-fix-oom-and-buffer-overflow.patch b/freed-ora/current/f13/agp-fix-oom-and-buffer-overflow.patch new file mode 100644 index 000000000..7ca5956e2 --- /dev/null +++ b/freed-ora/current/f13/agp-fix-oom-and-buffer-overflow.patch 
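Review bot: The wrap test `((pg_start + mem->page_count) < pg_start)` added in both agp_generic_insert_memory and agp_generic_remove_memory is only reliable if the addition is performed in unsigned arithmetic; `pg_start` is an `off_t` in both visible signatures, and `mem->page_count` is declared outside the hunk, so if it were a signed type the overflow would be undefined and the compiler would be free to discard the comparison. A one-line comment above each check, e.g. `/* relies on unsigned wrap of pg_start + page_count */`, would make that dependency explicit to the next reader. The new `num_entries` in agp_generic_remove_memory is also an `int` compared against that sum, which is the same mixed-sign comparison the insert path already performs. Both function bodies continue outside the hunk.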
@@ -0,0 +1,56 @@ +From: Vasiliy Kulikov <segoon@openwall.com> +Date: Thu, 14 Apr 2011 16:55:19 +0000 (+0400) +Subject: agp: fix OOM and buffer overflow +X-Git-Tag: v2.6.39-rc5~29^2~1 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=b522f02184b413955f3bc952e3776ce41edc6355 + +agp: fix OOM and buffer overflow + +page_count is copied from userspace. agp_allocate_memory() tries to +check whether this number is too big, but doesn't take into account the +wrap case. Also agp_create_user_memory() doesn't check whether +alloc_size is calculated from num_agp_pages variable without overflow. +This may lead to allocation of too small buffer with following buffer +overflow. + +Another problem in agp code is not addressed in the patch - kernel memory +exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked +whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()). +Each allocation is limited to 16KB, though, there is no per-process limit. +This might lead to OOM situation, which is not even solved in case of the +caller death by OOM killer - the memory is allocated for another (faked) process. 
+ +Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> +Signed-off-by: Dave Airlie <airlied@redhat.com> +--- + +diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c +index 012cba0..850a643 100644 +--- a/drivers/char/agp/generic.c ++++ b/drivers/char/agp/generic.c +@@ -115,6 +115,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages) + struct agp_memory *new; + unsigned long alloc_size = num_agp_pages*sizeof(struct page *); + ++ if (INT_MAX/sizeof(struct page *) < num_agp_pages) ++ return NULL; ++ + new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL); + if (new == NULL) + return NULL; +@@ -234,11 +237,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge, + int scratch_pages; + struct agp_memory *new; + size_t i; ++ int cur_memory; + + if (!bridge) + return NULL; + +- if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp) ++ cur_memory = atomic_read(&bridge->current_memory_agp); ++ if ((cur_memory + page_count > bridge->max_memory_agp) || ++ (cur_memory + page_count < page_count)) + return NULL; + + if (type >= AGP_USER_TYPES) { diff --git a/freed-ora/current/f13/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch b/freed-ora/current/f13/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch deleted file mode 100644 index 0bad45c0b..000000000 --- a/freed-ora/current/f13/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch +++ /dev/null 
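Review bot: In agp_create_user_memory the new `INT_MAX/sizeof(struct page *) < num_agp_pages` guard comes after `alloc_size = num_agp_pages*sizeof(struct page *)` has already been evaluated in the declaration on the line above it. Since `num_agp_pages` is `unsigned long` per the visible signature, the wrapped product is well-defined and is never used on the early-return path, so this is a readability point rather than a defect: computing `alloc_size` after the guard, or adding `/* guards the alloc_size multiplication above */`, would make the intent obvious. The second hunk's `cur_memory + page_count < page_count` test likewise depends on the type of `page_count`, whose declaration sits outside the hunk; if it is unsigned the test is well-defined. Both functions continue outside the hunk.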
@@ -1,56 +0,0 @@ -From: Jens Axboe <jaxboe@fusionio.com> -Date: Wed, 10 Nov 2010 13:36:25 +0000 (+0100) -Subject: bio: take care not overflow page count when mapping/copying user data -X-Git-Tag: v2.6.37-rc4~22^2~14 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=cb4644cac4a2797afc847e6c92736664d4b0ea34 - -bio: take care not overflow page count when mapping/copying user data - -If the iovec is being set up in a way that causes uaddr + PAGE_SIZE -to overflow, we could end up attempting to map a huge number of -pages. Check for this invalid input type. - -Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> -Cc: stable@kernel.org -Signed-off-by: Jens Axboe <jaxboe@fusionio.com> ---- - -diff --git a/fs/bio.c b/fs/bio.c -index 8317a2c..4bd454f 100644 ---- a/fs/bio.c -+++ b/fs/bio.c -@@ -834,6 +834,12 @@ struct bio *bio_copy_user_iov(struct request_queue *q, - end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT; - start = uaddr >> PAGE_SHIFT; - -+ /* -+ * Overflow, abort -+ */ -+ if (end < start) -+ return ERR_PTR(-EINVAL); -+ - nr_pages += end - start; - len += iov[i].iov_len; - } -@@ -962,6 +968,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, - unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT; - unsigned long start = uaddr >> PAGE_SHIFT; - -+ /* -+ * Overflow, abort -+ */ -+ if (end < start) -+ return ERR_PTR(-EINVAL); -+ - nr_pages += end - start; - /* - * buffer must be aligned to at least hardsector size for now -@@ -989,7 +1001,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, - unsigned long start = uaddr >> PAGE_SHIFT; - const int local_nr_pages = end - start; - const int page_limit = cur_page + local_nr_pages; -- -+ - ret = get_user_pages_fast(uaddr, local_nr_pages, - write_to_vm, &pages[cur_page]); - if (ret < local_nr_pages) { 
diff --git a/freed-ora/current/f13/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch b/freed-ora/current/f13/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch deleted file mode 100644 index 0ad4928a0..000000000 --- a/freed-ora/current/f13/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Xiaotian Feng <dfeng@redhat.com> -Date: Mon, 29 Nov 2010 09:03:55 +0000 (+0100) -Subject: block: check for proper length of iov entries earlier in blk_rq_map_user_iov() -X-Git-Tag: v2.6.37-rc7~10^2~5 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=54787556 - -block: check for proper length of iov entries earlier in blk_rq_map_user_iov() - -commit 9284bcf checks for proper length of iov entries in -blk_rq_map_user_iov(). But if the map is unaligned, kernel -will break out the loop without checking for the proper length. -So we need to check the proper length before the unalign check. - -Signed-off-by: Xiaotian Feng <dfeng@redhat.com> -Cc: stable@kernel.org -Signed-off-by: Jens Axboe <jaxboe@fusionio.com> ---- - -diff --git a/block/blk-map.c b/block/blk-map.c -index 5d5dbe4..e663ac2 100644 ---- a/block/blk-map.c -+++ b/block/blk-map.c -@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, - for (i = 0; i < iov_count; i++) { - unsigned long uaddr = (unsigned long)iov[i].iov_base; - -+ if (!iov[i].iov_len) -+ return -EINVAL; -+ - if (uaddr & queue_dma_alignment(q)) { - unaligned = 1; - break; - } -- if (!iov[i].iov_len) -- return -EINVAL; - } - - if (unaligned || (q->dma_pad_mask & len) || map_data) diff --git a/freed-ora/current/f13/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch b/freed-ora/current/f13/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch deleted file mode 100644 index 47ef62893..000000000 
--- a/freed-ora/current/f13/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Jens Axboe <jaxboe@fusionio.com> -Date: Fri, 29 Oct 2010 14:10:18 +0000 (-0600) -Subject: block: check for proper length of iov entries in blk_rq_map_user_iov() -X-Git-Tag: v2.6.37-rc4~22^2~17 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9284bcf - -block: check for proper length of iov entries in blk_rq_map_user_iov() - -Ensure that we pass down properly validated iov segments before -calling into the mapping or copy functions. - -Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> -Cc: stable@kernel.org -Signed-off-by: Jens Axboe <jaxboe@fusionio.com> ---- - -diff --git a/block/blk-map.c b/block/blk-map.c -index d4a586d..5d5dbe4 100644 ---- a/block/blk-map.c -+++ b/block/blk-map.c -@@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, - unaligned = 1; - break; - } -+ if (!iov[i].iov_len) -+ return -EINVAL; - } - - if (unaligned || (q->dma_pad_mask & len) || map_data) diff --git a/freed-ora/current/f13/bluetooth-bnep-fix-buffer-overflow.patch b/freed-ora/current/f13/bluetooth-bnep-fix-buffer-overflow.patch new file mode 100644 index 000000000..d078579c8 --- /dev/null +++ b/freed-ora/current/f13/bluetooth-bnep-fix-buffer-overflow.patch 
@@ -0,0 +1,28 @@
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Mon, 14 Feb 2011 10:54:31 +0000 (+0300)
+Subject: Bluetooth: bnep: fix buffer overflow
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=43629f8f5ea32a998d06d1bb41eefa0e821ff573
+
+Bluetooth: bnep: fix buffer overflow
+
+Struct ca is copied from userspace. It is not checked whether the "device"
+field is NULL terminated. This potentially leads to BUG() inside of
+alloc_netdev_mqs() and/or information leak by creating a device with a name
+made of contents of kernel stack.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+---
+
+diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
+index 2862f53..d935da7 100644
+--- a/net/bluetooth/bnep/sock.c
++++ b/net/bluetooth/bnep/sock.c
+@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
+ sockfd_put(nsock);
+ return -EBADFD;
+ }
++ ca.device[sizeof(ca.device)-1] = 0;
+ 
+ err = bnep_add_connection(&ca, nsock);
+ if (!err) {
diff --git a/freed-ora/current/f13/can-bcm-fix-minor-heap-overflow.patch b/freed-ora/current/f13/can-bcm-fix-minor-heap-overflow.patch
deleted file mode 100644
index 4dec6f6e7..000000000
--- a/freed-ora/current/f13/can-bcm-fix-minor-heap-overflow.patch
+++ /dev/null
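Review bot: The added `ca.device[sizeof(ca.device)-1] = 0;` in bnep_sock_ioctl carries no comment saying why the terminator is forced, and it sits away from the copy that fills `ca` from userspace, which is outside the hunk. A short comment such as `/* ca came from userspace; the device name must be NUL-terminated before alloc_netdev_mqs() sees it */` would keep a later reader from treating the store as redundant and removing it. If `ca.device` is read anywhere between the copy and this line (not visible here), that earlier use would still see an unterminated buffer. The function body starts and ends outside the hunk.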
@@ -1,32 +0,0 @@
-From: Oliver Hartkopp <socketcan@hartkopp.net>
-Date: Wed, 10 Nov 2010 12:10:30 +0000 (+0000)
-Subject: can-bcm: fix minor heap overflow
-X-Git-Tag: v2.6.37-rc2~20^2
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0597d1b99fcfc2c0eada09a698f85ed413d4ba84
-
-can-bcm: fix minor heap overflow
-
-On 64-bit platforms the ASCII representation of a pointer may be up to 17
-bytes long. This patch increases the length of the buffer accordingly.
-
-http://marc.info/?l=linux-netdev&m=128872251418192&w=2
-
-Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
-CC: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
-
-diff --git a/net/can/bcm.c b/net/can/bcm.c
-index 08ffe9e..6faa825 100644
---- a/net/can/bcm.c
-+++ b/net/can/bcm.c
-@@ -125,7 +125,7 @@ struct bcm_sock {
- struct list_head tx_ops;
- unsigned long dropped_usr_msgs;
- struct proc_dir_entry *bcm_proc_read;
-- char procname [9]; /* pointer printed in ASCII with \0 */
-+ char procname [20]; /* pointer printed in ASCII with \0 */
- };
- 
- static inline struct bcm_sock *bcm_sk(const struct sock *sk)
diff --git a/freed-ora/current/f13/config-generic b/freed-ora/current/f13/config-generic
index 988a846a8..976f2edf1 100644
--- a/freed-ora/current/f13/config-generic
+++ b/freed-ora/current/f13/config-generic
@@ -3503,6 +3503,7 @@ CONFIG_CRYPTO_FIPS=y
 CONFIG_CRYPTO_HW=y
 CONFIG_CRYPTO_BLKCIPHER=y
 CONFIG_CRYPTO_MANAGER=m
+CONFIG_CRYPTO_MANAGER_TESTS=y
 # CONFIG_CRYPTO_CRYPTD is not set
 CONFIG_CRYPTO_AES=m
 CONFIG_CRYPTO_ARC4=m
diff --git a/freed-ora/current/f13/dccp-fix-oops-on-reset-after-close.patch b/freed-ora/current/f13/dccp-fix-oops-on-reset-after-close.patch
new file mode 100644
index 000000000..736a66174
--- /dev/null
+++ b/freed-ora/current/f13/dccp-fix-oops-on-reset-after-close.patch
@@ -0,0 +1,71 @@ +From: Gerrit Renker <gerrit@erg.abdn.ac.uk> +Date: Wed, 2 Mar 2011 07:02:07 +0000 (-0800) +Subject: dccp: fix oops on Reset after close +X-Git-Tag: v2.6.38-rc8~29^2~9 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=720dc34bbbe9493c7bd48b2243058b4e447a929d + +dccp: fix oops on Reset after close + +This fixes a bug in the order of dccp_rcv_state_process() that still permitted +reception even after closing the socket. A Reset after close thus causes a NULL +pointer dereference by not preventing operations on an already torn-down socket. + + dccp_v4_do_rcv() + | + | state other than OPEN + v + dccp_rcv_state_process() + | + | DCCP_PKT_RESET + v + dccp_rcv_reset() + | + v + dccp_time_wait() + + WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128() + Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah + [<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common) + [<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n) + [<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd) + [<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai) + [<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces) + [<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_) + [<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0) + [<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380) + [<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70) + +The fix is by testing the socket state first. Receiving a packet in Closed state +now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1. 
+ +Reported-and-tested-by: Johan Hovold <jhovold@gmail.com> +Cc: stable@kernel.org +Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + +diff --git a/net/dccp/input.c b/net/dccp/input.c +index 8cde009..4222e7a 100644 +--- a/net/dccp/input.c ++++ b/net/dccp/input.c +@@ -614,6 +614,9 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, + /* Caller (dccp_v4_do_rcv) will send Reset */ + dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION; + return 1; ++ } else if (sk->sk_state == DCCP_CLOSED) { ++ dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION; ++ return 1; + } + + if (sk->sk_state != DCCP_REQUESTING && sk->sk_state != DCCP_RESPOND) { +@@ -668,10 +671,6 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, + } + + switch (sk->sk_state) { +- case DCCP_CLOSED: +- dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION; +- return 1; +- + case DCCP_REQUESTING: + queued = dccp_rcv_request_sent_state_process(sk, skb, dh, len); + if (queued >= 0) diff --git a/freed-ora/current/f13/do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch b/freed-ora/current/f13/do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch deleted file mode 100644 index e43999c91..000000000 --- a/freed-ora/current/f13/do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch +++ /dev/null 
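Review bot: The new `else if (sk->sk_state == DCCP_CLOSED)` branch in dccp_rcv_state_process has no comment explaining why the closed-state check must run before the rest of the function, while the `case DCCP_CLOSED` arm it replaces further down is removed. Without that context a later reorder could reintroduce the Reset-after-close dereference the description documents, so a comment at the new branch such as `/* Must precede any further processing: the socket may already be torn down (RFC 4340, 8.3.1) */` is worth adding. The function starts and ends outside the hunk.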
@@ -1,53 +0,0 @@ -From: Nelson Elhage <nelhage@ksplice.com> -Date: Thu, 2 Dec 2010 22:31:21 +0000 (-0800) -Subject: do_exit(): make sure that we run with get_fs() == USER_DS -X-Git-Tag: v2.6.37-rc5~17 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 - -do_exit(): make sure that we run with get_fs() == USER_DS - -If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not -otherwise reset before do_exit(). do_exit may later (via mm_release in -fork.c) do a put_user to a user-controlled address, potentially allowing -a user to leverage an oops into a controlled write into kernel memory. - -This is only triggerable in the presence of another bug, but this -potentially turns a lot of DoS bugs into privilege escalations, so it's -worth fixing. I have proof-of-concept code which uses this bug along -with CVE-2010-3849 to write a zero to an arbitrary kernel address, so -I've tested that this is not theoretical. - -A more logical place to put this fix might be when we know an oops has -occurred, before we call do_exit(), but that would involve changing -every architecture, in multiple places. - -Let's just stick it in do_exit instead. - -[akpm@linux-foundation.org: update code comment] -Signed-off-by: Nelson Elhage <nelhage@ksplice.com> -Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> -Cc: <stable@kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> ---- - -diff --git a/kernel/exit.c b/kernel/exit.c -index 21aa7b3..676149a 100644 ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -914,6 +914,15 @@ NORET_TYPE void do_exit(long code) - if (unlikely(!tsk->pid)) - panic("Attempted to kill the idle task!"); - -+ /* -+ * If do_exit is called because this processes oopsed, it's possible -+ * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before -+ * continuing. 
Amongst other possible reasons, this is to prevent -+ * mm_release()->clear_child_tid() from writing to a user-controlled -+ * kernel address. -+ */ -+ set_fs(USER_DS); -+ - tracehook_report_exit(&code); - - validate_creds_for_do_exit(tsk); diff --git a/freed-ora/current/f13/drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch b/freed-ora/current/f13/drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch new file mode 100644 index 000000000..6b137dfcb --- /dev/null +++ b/freed-ora/current/f13/drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch 
@@ -0,0 +1,107 @@ +From 39b4d07aa3583ceefe73622841303a0a3e942ca1 Mon Sep 17 00:00:00 2001 +From: Chris Wilson <chris@chris-wilson.co.uk> +Date: Thu, 30 Sep 2010 09:10:26 +0100 +Subject: drm: Hold the mutex when dropping the last GEM reference (v2) + +From: Chris Wilson <chris@chris-wilson.co.uk> + +commit 39b4d07aa3583ceefe73622841303a0a3e942ca1 upstream. + +In order to be fully threadsafe we need to check that the drm_gem_object +refcount is still 0 after acquiring the mutex in order to call the free +function. Otherwise, we may encounter scenarios like: + +Thread A: Thread B: +drm_gem_close +unreference_unlocked +kref_put mutex_lock +... i915_gem_evict +... kref_get -> BUG +... i915_gem_unbind +... kref_put +... i915_gem_object_free +... mutex_unlock +mutex_lock +i915_gem_object_free -> BUG +i915_gem_object_unbind +kfree +mutex_unlock + +Note that no driver is currently using the free_unlocked vfunc and it is +scheduled for removal, hasten that process. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30454 +Reported-and-Tested-by: Magnus Kessler <Magnus.Kessler@gmx.net> +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Signed-off-by: Dave Airlie <airlied@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/gpu/drm/drm_gem.c | 22 ---------------------- + include/drm/drmP.h | 10 ++++++---- + 2 files changed, 6 insertions(+), 26 deletions(-) + +--- a/drivers/gpu/drm/drm_gem.c ++++ b/drivers/gpu/drm/drm_gem.c +@@ -451,28 +451,6 @@ drm_gem_object_free(struct kref *kref) + } + EXPORT_SYMBOL(drm_gem_object_free); + +-/** +- * Called after the last reference to the object has been lost. 
+- * Must be called without holding struct_mutex +- * +- * Frees the object +- */ +-void +-drm_gem_object_free_unlocked(struct kref *kref) +-{ +- struct drm_gem_object *obj = (struct drm_gem_object *) kref; +- struct drm_device *dev = obj->dev; +- +- if (dev->driver->gem_free_object_unlocked != NULL) +- dev->driver->gem_free_object_unlocked(obj); +- else if (dev->driver->gem_free_object != NULL) { +- mutex_lock(&dev->struct_mutex); +- dev->driver->gem_free_object(obj); +- mutex_unlock(&dev->struct_mutex); +- } +-} +-EXPORT_SYMBOL(drm_gem_object_free_unlocked); +- + static void drm_gem_object_ref_bug(struct kref *list_kref) + { + BUG(); +--- a/include/drm/drmP.h ++++ b/include/drm/drmP.h +@@ -802,7 +802,6 @@ struct drm_driver { + */ + int (*gem_init_object) (struct drm_gem_object *obj); + void (*gem_free_object) (struct drm_gem_object *obj); +- void (*gem_free_object_unlocked) (struct drm_gem_object *obj); + + /* vga arb irq handler */ + void (*vgaarb_irq)(struct drm_device *dev, bool state); +@@ -1430,7 +1429,6 @@ int drm_gem_init(struct drm_device *dev) + void drm_gem_destroy(struct drm_device *dev); + void drm_gem_object_release(struct drm_gem_object *obj); + void drm_gem_object_free(struct kref *kref); +-void drm_gem_object_free_unlocked(struct kref *kref); + struct drm_gem_object *drm_gem_object_alloc(struct drm_device *dev, + size_t size); + int drm_gem_object_init(struct drm_device *dev, +@@ -1456,8 +1454,12 @@ drm_gem_object_unreference(struct drm_ge + static inline void + drm_gem_object_unreference_unlocked(struct drm_gem_object *obj) + { +- if (obj != NULL) +- kref_put(&obj->refcount, drm_gem_object_free_unlocked); ++ if (obj != NULL) { ++ struct drm_device *dev = obj->dev; ++ mutex_lock(&dev->struct_mutex); ++ kref_put(&obj->refcount, drm_gem_object_free); ++ mutex_unlock(&dev->struct_mutex); ++ } + } + + int drm_gem_handle_create(struct drm_file *file_priv, 
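Review bot: The rewritten `drm_gem_object_unreference_unlocked` in include/drm/drmP.h now takes `dev->struct_mutex` unconditionally around `kref_put`, but nothing on the inline documents that requirement, and the removed `drm_gem_object_free_unlocked` header comment was the only place that said so. A caller that already holds struct_mutex would self-deadlock, so a comment on the inline stating `/* Takes dev->struct_mutex: must not be called with it held. */` would make the contract visible where callers look. Whether any existing caller holds the mutex cannot be seen from this hunk.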
diff --git a/freed-ora/current/f13/drm-next.patch b/freed-ora/current/f13/drm-next.patch index 1f424c824..10199f6c0 100644 --- a/freed-ora/current/f13/drm-next.patch +++ b/freed-ora/current/f13/drm-next.patch @@ -17332,11 +17332,17 @@ index e302537..df931f7 100644 struct intel_crtc; struct intel_overlay { struct drm_device *dev; -@@ -149,17 +152,18 @@ struct intel_crtc { +@@ -149,23 +152,24 @@ struct intel_crtc { bool lowfreq_avail; struct intel_overlay *overlay; struct intel_unpin_work *unpin_work; + int fdi_lanes; + + struct drm_gem_object *cursor_bo; + uint32_t cursor_addr; + int16_t cursor_x, cursor_y; + int16_t cursor_width, cursor_height; + bool cursor_visble; }; #define to_intel_crtc(x) container_of(x, struct intel_crtc, base) @@ -36031,7 +36037,7 @@ index 1227747..d5b9373 100644 --- a/drivers/gpu/drm/radeon/radeon_object.c +++ b/drivers/gpu/drm/radeon/radeon_object.c @@ -112,9 +112,11 @@ int radeon_bo_create(struct radeon_device *rdev, struct drm_gem_object *gobj, - + retry: radeon_ttm_placement_from_domain(bo, domain); /* Kernel allocation are uninterruptible */ + mutex_lock(&rdev->vram_mutex); @@ -36040,8 +36046,8 @@ index 1227747..d5b9373 100644 &radeon_ttm_bo_destroy); + mutex_unlock(&rdev->vram_mutex); if (unlikely(r != 0)) { - if (r != -ERESTARTSYS) - dev_err(rdev->dev, + if (r != -ERESTARTSYS) { + if (domain == RADEON_GEM_DOMAIN_VRAM) { @@ -166,11 +168,15 @@ void radeon_bo_kunmap(struct radeon_bo *bo) void radeon_bo_unref(struct radeon_bo **bo) { @@ -36104,14 +36110,14 @@ index 1227747..d5b9373 100644 if (unlikely(r != 0)) { return r; @@ -331,7 +341,7 @@ int radeon_bo_list_validate(struct list_head *head) - lobj->rdomain); - } + retry: + radeon_ttm_placement_from_domain(bo, domain); r = ttm_bo_validate(&bo->tbo, &bo->placement, - true, false); + true, false, false); - if (unlikely(r)) - return r; - } + if (unlikely(r)) { + if (r != -ERESTARTSYS && domain == RADEON_GEM_DOMAIN_VRAM) { + domain |= RADEON_GEM_DOMAIN_GTT; 
@@ -499,11 +509,33 @@ void radeon_bo_move_notify(struct ttm_buffer_object *bo, radeon_bo_check_tiling(rbo, 0, 1); } @@ -39090,8 +39096,8 @@ index bbf3da7..bcc3319 100644 d1mode_priority_a_cnt |= S_006548_D1MODE_PRIORITY_A_ALWAYS_ON(1); d2mode_priority_a_cnt |= S_006D48_D2MODE_PRIORITY_A_ALWAYS_ON(1); @@ -502,32 +500,32 @@ void rs690_bandwidth_update(struct radeon_device *rdev) - WREG32(R_006D48_D2MODE_PRIORITY_A_CNT, d2mode_priority_a_cnt); - WREG32(R_006D4C_D2MODE_PRIORITY_B_CNT, d2mode_priority_a_cnt); + d2mode_priority_a_cnt |= S_006D48_D2MODE_PRIORITY_A_ALWAYS_ON(1); + } } else if (mode0) { - if (rfixed_trunc(wm0.dbpp) > 64) - a.full = rfixed_mul(wm0.dbpp, wm0.num_line_pair); @@ -39135,9 +39141,9 @@ index bbf3da7..bcc3319 100644 d1mode_priority_a_cnt |= S_006548_D1MODE_PRIORITY_A_ALWAYS_ON(1); WREG32(R_006548_D1MODE_PRIORITY_A_CNT, d1mode_priority_a_cnt); @@ -537,32 +535,32 @@ void rs690_bandwidth_update(struct radeon_device *rdev) - WREG32(R_006D4C_D2MODE_PRIORITY_B_CNT, - S_006D4C_D2MODE_PRIORITY_B_OFF(1)); - } else { + if (rdev->disp_priority == 2) + d1mode_priority_a_cnt |= S_006548_D1MODE_PRIORITY_A_ALWAYS_ON(1); + } else if (mode1) { - if (rfixed_trunc(wm1.dbpp) > 64) - a.full = rfixed_mul(wm1.dbpp, wm1.num_line_pair); + if (dfixed_trunc(wm1.dbpp) > 64) @@ -39619,8 +39625,8 @@ index 9035121..7d9a7b0 100644 d1mode_priority_a_cnt |= MODE_PRIORITY_ALWAYS_ON; d2mode_priority_a_cnt |= MODE_PRIORITY_ALWAYS_ON; @@ -1096,32 +1003,32 @@ void rv515_bandwidth_avivo_update(struct radeon_device *rdev) - WREG32(D2MODE_PRIORITY_A_CNT, d2mode_priority_a_cnt); - WREG32(D2MODE_PRIORITY_B_CNT, d2mode_priority_a_cnt); + d2mode_priority_a_cnt |= MODE_PRIORITY_ALWAYS_ON; + } } else if (mode0) { - if (rfixed_trunc(wm0.dbpp) > 64) - a.full = rfixed_div(wm0.dbpp, wm0.num_line_pair); @@ -39664,9 +39670,9 @@ index 9035121..7d9a7b0 100644 d1mode_priority_a_cnt |= MODE_PRIORITY_ALWAYS_ON; WREG32(D1MODE_PRIORITY_A_CNT, d1mode_priority_a_cnt); 
@@ -1129,32 +1036,32 @@ void rv515_bandwidth_avivo_update(struct radeon_device *rdev) - WREG32(D2MODE_PRIORITY_A_CNT, MODE_PRIORITY_OFF); - WREG32(D2MODE_PRIORITY_B_CNT, MODE_PRIORITY_OFF); - } else { + if (rdev->disp_priority == 2) + d1mode_priority_a_cnt |= MODE_PRIORITY_ALWAYS_ON; + } else if (mode1) { - if (rfixed_trunc(wm1.dbpp) > 64) - a.full = rfixed_div(wm1.dbpp, wm1.num_line_pair); + if (dfixed_trunc(wm1.dbpp) > 64) diff --git a/freed-ora/current/f13/filter-make-sure-filters-dont-read-uninitialized-memory.patch b/freed-ora/current/f13/filter-make-sure-filters-dont-read-uninitialized-memory.patch deleted file mode 100644 index 22d89a964..000000000 --- a/freed-ora/current/f13/filter-make-sure-filters-dont-read-uninitialized-memory.patch +++ /dev/null 
@@ -1,235 +0,0 @@ -From: David S. Miller <davem@davemloft.net> -Date: Wed, 10 Nov 2010 18:38:24 +0000 (-0800) -Subject: filter: make sure filters dont read uninitialized memory -X-Git-Tag: v2.6.37-rc2~20^2~27 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=57fe93b374a6b8711995c2d466c502af9f3a08bb - -[ trivial backport to 2.6.34 ] - -filter: make sure filters dont read uninitialized memory - -There is a possibility malicious users can get limited information about -uninitialized stack mem array. Even if sk_run_filter() result is bound -to packet length (0 .. 65535), we could imagine this can be used by -hostile user. - -Initializing mem[] array, like Dan Rosenberg suggested in his patch is -expensive since most filters dont even use this array. - -Its hard to make the filter validation in sk_chk_filter(), because of -the jumps. This might be done later. - -In this patch, I use a bitmap (a single long var) so that only filters -using mem[] loads/stores pay the price of added security checks. - -For other filters, additional cost is a single instruction. - -[ Since we access fentry->k a lot now, cache it in a local variable - and mark filter entry pointer as const. -DaveM ] - -Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> -Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - -diff --git a/net/core/filter.c b/net/core/filter.c -index 7beaec3..23e9b2a 100644 ---- a/net/core/filter.c -+++ b/net/core/filter.c -@@ -112,39 +112,41 @@ EXPORT_SYMBOL(sk_filter); - */ - unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen) - { -- struct sock_filter *fentry; /* We walk down these */ - void *ptr; - u32 A = 0; /* Accumulator */ - u32 X = 0; /* Index Register */ - u32 mem[BPF_MEMWORDS]; /* Scratch Memory Store */ -+ unsigned long memvalid = 0; - u32 tmp; - int k; - int pc; - -+ BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG); - /* - * Process array of filter instructions. - */ - for (pc = 0; pc < flen; pc++) { -- fentry = &filter[pc]; -+ const struct sock_filter *fentry = &filter[pc]; -+ u32 f_k = fentry->k; - - switch (fentry->code) { - case BPF_ALU|BPF_ADD|BPF_X: - A += X; - continue; - case BPF_ALU|BPF_ADD|BPF_K: -- A += fentry->k; -+ A += f_k; - continue; - case BPF_ALU|BPF_SUB|BPF_X: - A -= X; - continue; - case BPF_ALU|BPF_SUB|BPF_K: -- A -= fentry->k; -+ A -= f_k; - continue; - case BPF_ALU|BPF_MUL|BPF_X: - A *= X; - continue; - case BPF_ALU|BPF_MUL|BPF_K: -- A *= fentry->k; -+ A *= f_k; - continue; - case BPF_ALU|BPF_DIV|BPF_X: - if (X == 0) -@@ -152,49 +154,49 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int - A /= X; - continue; - case BPF_ALU|BPF_DIV|BPF_K: -- A /= fentry->k; -+ A /= f_k; - continue; - case BPF_ALU|BPF_AND|BPF_X: - A &= X; - continue; - case BPF_ALU|BPF_AND|BPF_K: -- A &= fentry->k; -+ A &= f_k; - continue; - case BPF_ALU|BPF_OR|BPF_X: - A |= X; - continue; - case BPF_ALU|BPF_OR|BPF_K: -- A |= fentry->k; -+ A |= f_k; - continue; - case BPF_ALU|BPF_LSH|BPF_X: - A <<= X; - continue; - case BPF_ALU|BPF_LSH|BPF_K: -- A <<= fentry->k; -+ A <<= f_k; - continue; - case BPF_ALU|BPF_RSH|BPF_X: - A >>= X; - continue; - case BPF_ALU|BPF_RSH|BPF_K: -- A >>= fentry->k; -+ A >>= f_k; - continue; - case BPF_ALU|BPF_NEG: - A = -A; - continue; 
- case BPF_JMP|BPF_JA: -- pc += fentry->k; -+ pc += f_k; - continue; - case BPF_JMP|BPF_JGT|BPF_K: -- pc += (A > fentry->k) ? fentry->jt : fentry->jf; -+ pc += (A > f_k) ? fentry->jt : fentry->jf; - continue; - case BPF_JMP|BPF_JGE|BPF_K: -- pc += (A >= fentry->k) ? fentry->jt : fentry->jf; -+ pc += (A >= f_k) ? fentry->jt : fentry->jf; - continue; - case BPF_JMP|BPF_JEQ|BPF_K: -- pc += (A == fentry->k) ? fentry->jt : fentry->jf; -+ pc += (A == f_k) ? fentry->jt : fentry->jf; - continue; - case BPF_JMP|BPF_JSET|BPF_K: -- pc += (A & fentry->k) ? fentry->jt : fentry->jf; -+ pc += (A & f_k) ? fentry->jt : fentry->jf; - continue; - case BPF_JMP|BPF_JGT|BPF_X: - pc += (A > X) ? fentry->jt : fentry->jf; -@@ -209,7 +211,7 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int - pc += (A & X) ? fentry->jt : fentry->jf; - continue; - case BPF_LD|BPF_W|BPF_ABS: -- k = fentry->k; -+ k = f_k; - load_w: - ptr = load_pointer(skb, k, 4, &tmp); - if (ptr != NULL) { -@@ -218,7 +220,7 @@ load_w: - } - break; - case BPF_LD|BPF_H|BPF_ABS: -- k = fentry->k; -+ k = f_k; - load_h: - ptr = load_pointer(skb, k, 2, &tmp); - if (ptr != NULL) { -@@ -227,7 +229,7 @@ load_h: - } - break; - case BPF_LD|BPF_B|BPF_ABS: -- k = fentry->k; -+ k = f_k; - load_b: - ptr = load_pointer(skb, k, 1, &tmp); - if (ptr != NULL) { -@@ -242,32 +244,34 @@ load_b: - X = skb->len; - continue; - case BPF_LD|BPF_W|BPF_IND: -- k = X + fentry->k; -+ k = X + f_k; - goto load_w; - case BPF_LD|BPF_H|BPF_IND: -- k = X + fentry->k; -+ k = X + f_k; - goto load_h; - case BPF_LD|BPF_B|BPF_IND: -- k = X + fentry->k; -+ k = X + f_k; - goto load_b; - case BPF_LDX|BPF_B|BPF_MSH: -- ptr = load_pointer(skb, fentry->k, 1, &tmp); -+ ptr = load_pointer(skb, f_k, 1, &tmp); - if (ptr != NULL) { - X = (*(u8 *)ptr & 0xf) << 2; - continue; - } - return 0; - case BPF_LD|BPF_IMM: -- A = fentry->k; -+ A = f_k; - continue; - case BPF_LDX|BPF_IMM: -- X = fentry->k; -+ X = f_k; - continue; - case BPF_LD|BPF_MEM: -- A = 
mem[fentry->k]; -+ A = (memvalid & (1UL << f_k)) ? -+ mem[f_k] : 0; - continue; - case BPF_LDX|BPF_MEM: -- X = mem[fentry->k]; -+ X = (memvalid & (1UL << f_k)) ? -+ mem[f_k] : 0; - continue; - case BPF_MISC|BPF_TAX: - X = A; -@@ -276,14 +280,16 @@ load_b: - A = X; - continue; - case BPF_RET|BPF_K: -- return fentry->k; -+ return f_k; - case BPF_RET|BPF_A: - return A; - case BPF_ST: -- mem[fentry->k] = A; -+ memvalid |= 1UL << f_k; -+ mem[f_k] = A; - continue; - case BPF_STX: -- mem[fentry->k] = X; -+ memvalid |= 1UL << f_k; -+ mem[f_k] = X; - continue; - default: - WARN_ON(1); diff --git a/freed-ora/current/f13/fuse-verify-ioctl-retries.patch b/freed-ora/current/f13/fuse-verify-ioctl-retries.patch deleted file mode 100644 index d95d8cef2..000000000 --- a/freed-ora/current/f13/fuse-verify-ioctl-retries.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From: Miklos Szeredi <mszeredi@suse.cz> -Date: Tue, 30 Nov 2010 15:39:27 +0000 (+0100) -Subject: fuse: verify ioctl retries -X-Git-Tag: v2.6.37-rc6~31^2 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=7572777eef78ebdee1ecb7c258c0ef94d35bad16 - -fuse: verify ioctl retries - -Verify that the total length of the iovec returned in FUSE_IOCTL_RETRY -doesn't overflow iov_length(). - -Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> -CC: Tejun Heo <tj@kernel.org> -CC: <stable@kernel.org> [2.6.31+] ---- - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index 0e2e25b..8b984a2 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -1666,6 +1666,20 @@ static int fuse_copy_ioctl_iovec(struct iovec *dst, void *src, - return 0; - } - -+/* Make sure iov_length() won't overflow */ -+static int fuse_verify_ioctl_iov(struct iovec *iov, size_t count) -+{ -+ size_t n; -+ u32 max = FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT; -+ -+ for (n = 0; n < count; n++) { -+ if (iov->iov_len > (size_t) max) -+ return -ENOMEM; -+ max -= iov->iov_len; -+ } -+ return 0; -+} -+ - /* - * For ioctls, there is no generic way to determine how much memory - * needs to be read and/or written. Furthermore, ioctls are allowed -@@ -1858,6 +1872,14 @@ long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg, - in_iov = page_address(iov_page); - out_iov = in_iov + in_iovs; - -+ err = fuse_verify_ioctl_iov(in_iov, in_iovs); -+ if (err) -+ goto out; -+ -+ err = fuse_verify_ioctl_iov(out_iov, out_iovs); -+ if (err) -+ goto out; -+ - goto retry; - } - diff --git a/freed-ora/current/f13/ib-uverbs-handle-large-number-of-poll-entries-in-poll-cq.patch b/freed-ora/current/f13/ib-uverbs-handle-large-number-of-poll-entries-in-poll-cq.patch deleted file mode 100644 index cfa5bf92b..000000000 --- a/freed-ora/current/f13/ib-uverbs-handle-large-number-of-poll-entries-in-poll-cq.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From: Dan Carpenter <error27@gmail.com> -Date: Wed, 13 Oct 2010 09:13:12 +0000 (+0000) -Subject: IB/uverbs: Handle large number of entries in poll CQ -X-Git-Tag: v2.6.37-rc6~22^2 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=7182afea8d1afd432a17c18162cc3fd441d0da93 - -IB/uverbs: Handle large number of entries in poll CQ - -In ib_uverbs_poll_cq() code there is a potential integer overflow if -userspace passes in a large cmd.ne. The calls to kmalloc() would -allocate smaller buffers than intended, leading to memory corruption. -There iss also an information leak if resp wasn't all used. -Unprivileged userspace may call this function, although only if an -RDMA device that uses this function is present. - -Fix this by copying CQ entries one at a time, which avoids the -allocation entirely, and also by moving this copying into a function -that makes sure to initialize all memory copied to userspace. - -Special thanks to Jason Gunthorpe <jgunthorpe@obsidianresearch.com> -for his help and advice. - -Cc: <stable@kernel.org> -Signed-off-by: Dan Carpenter <error27@gmail.com> - -[ Monkey around with things a bit to avoid bad code generation by gcc - when designated initializers are used. - Roland ] - -Signed-off-by: Roland Dreier <rolandd@cisco.com> ---- - -diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c -index b342248..c426992 100644 ---- a/drivers/infiniband/core/uverbs_cmd.c -+++ b/drivers/infiniband/core/uverbs_cmd.c -@@ -893,68 +893,81 @@ out: - return ret ? 
ret : in_len; - } - -+static int copy_wc_to_user(void __user *dest, struct ib_wc *wc) -+{ -+ struct ib_uverbs_wc tmp; -+ -+ tmp.wr_id = wc->wr_id; -+ tmp.status = wc->status; -+ tmp.opcode = wc->opcode; -+ tmp.vendor_err = wc->vendor_err; -+ tmp.byte_len = wc->byte_len; -+ tmp.ex.imm_data = (__u32 __force) wc->ex.imm_data; -+ tmp.qp_num = wc->qp->qp_num; -+ tmp.src_qp = wc->src_qp; -+ tmp.wc_flags = wc->wc_flags; -+ tmp.pkey_index = wc->pkey_index; -+ tmp.slid = wc->slid; -+ tmp.sl = wc->sl; -+ tmp.dlid_path_bits = wc->dlid_path_bits; -+ tmp.port_num = wc->port_num; -+ tmp.reserved = 0; -+ -+ if (copy_to_user(dest, &tmp, sizeof tmp)) -+ return -EFAULT; -+ -+ return 0; -+} -+ - ssize_t ib_uverbs_poll_cq(struct ib_uverbs_file *file, - const char __user *buf, int in_len, - int out_len) - { - struct ib_uverbs_poll_cq cmd; -- struct ib_uverbs_poll_cq_resp *resp; -+ struct ib_uverbs_poll_cq_resp resp; -+ u8 __user *header_ptr; -+ u8 __user *data_ptr; - struct ib_cq *cq; -- struct ib_wc *wc; -- int ret = 0; -- int i; -- int rsize; -+ struct ib_wc wc; -+ int ret; - - if (copy_from_user(&cmd, buf, sizeof cmd)) - return -EFAULT; - -- wc = kmalloc(cmd.ne * sizeof *wc, GFP_KERNEL); -- if (!wc) -- return -ENOMEM; -- -- rsize = sizeof *resp + cmd.ne * sizeof(struct ib_uverbs_wc); -- resp = kmalloc(rsize, GFP_KERNEL); -- if (!resp) { -- ret = -ENOMEM; -- goto out_wc; -- } -- - cq = idr_read_cq(cmd.cq_handle, file->ucontext, 0); -- if (!cq) { -- ret = -EINVAL; -- goto out; -- } -+ if (!cq) -+ return -EINVAL; - -- resp->count = ib_poll_cq(cq, cmd.ne, wc); -+ /* we copy a struct ib_uverbs_poll_cq_resp to user space */ -+ header_ptr = (void __user *)(unsigned long) cmd.response; -+ data_ptr = header_ptr + sizeof resp; - -- put_cq_read(cq); -+ memset(&resp, 0, sizeof resp); -+ while (resp.count < cmd.ne) { -+ ret = ib_poll_cq(cq, 1, &wc); -+ if (ret < 0) -+ goto out_put; -+ if (!ret) -+ break; -+ -+ ret = copy_wc_to_user(data_ptr, &wc); -+ if (ret) -+ goto out_put; - -- for (i = 0; i 
< resp->count; i++) { -- resp->wc[i].wr_id = wc[i].wr_id; -- resp->wc[i].status = wc[i].status; -- resp->wc[i].opcode = wc[i].opcode; -- resp->wc[i].vendor_err = wc[i].vendor_err; -- resp->wc[i].byte_len = wc[i].byte_len; -- resp->wc[i].ex.imm_data = (__u32 __force) wc[i].ex.imm_data; -- resp->wc[i].qp_num = wc[i].qp->qp_num; -- resp->wc[i].src_qp = wc[i].src_qp; -- resp->wc[i].wc_flags = wc[i].wc_flags; -- resp->wc[i].pkey_index = wc[i].pkey_index; -- resp->wc[i].slid = wc[i].slid; -- resp->wc[i].sl = wc[i].sl; -- resp->wc[i].dlid_path_bits = wc[i].dlid_path_bits; -- resp->wc[i].port_num = wc[i].port_num; -+ data_ptr += sizeof(struct ib_uverbs_wc); -+ ++resp.count; - } - -- if (copy_to_user((void __user *) (unsigned long) cmd.response, resp, rsize)) -+ if (copy_to_user(header_ptr, &resp, sizeof resp)) { - ret = -EFAULT; -+ goto out_put; -+ } - --out: -- kfree(resp); -+ ret = in_len; - --out_wc: -- kfree(wc); -- return ret ? ret : in_len; -+out_put: -+ put_cq_read(cq); -+ return ret; - } - - ssize_t ib_uverbs_req_notify_cq(struct ib_uverbs_file *file, diff --git a/freed-ora/current/f13/ima-fix-add-lsm-rule-bug.patch b/freed-ora/current/f13/ima-fix-add-lsm-rule-bug.patch deleted file mode 100644 index ac56bcdd6..000000000 --- a/freed-ora/current/f13/ima-fix-add-lsm-rule-bug.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From: Mimi Zohar <zohar@linux.vnet.ibm.com> -Date: Mon, 3 Jan 2011 22:59:10 +0000 (-0800) -Subject: ima: fix add LSM rule bug -X-Git-Tag: v2.6.37~5 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=867c20265459d30a01b021a9c1e81fb4c5832aa9 - -ima: fix add LSM rule bug - -If security_filter_rule_init() doesn't return a rule, then not everything -is as fine as the return code implies. - -This bug only occurs when the LSM (eg. SELinux) is disabled at runtime. - -Adding an empty LSM rule causes ima_match_rules() to always succeed, -ignoring any remaining rules. - - default IMA TCB policy: - # PROC_SUPER_MAGIC - dont_measure fsmagic=0x9fa0 - # SYSFS_MAGIC - dont_measure fsmagic=0x62656572 - # DEBUGFS_MAGIC - dont_measure fsmagic=0x64626720 - # TMPFS_MAGIC - dont_measure fsmagic=0x01021994 - # SECURITYFS_MAGIC - dont_measure fsmagic=0x73636673 - - < LSM specific rule > - dont_measure obj_type=var_log_t - - measure func=BPRM_CHECK - measure func=FILE_MMAP mask=MAY_EXEC - measure func=FILE_CHECK mask=MAY_READ uid=0 - -Thus without the patch, with the boot parameters 'tcb selinux=0', adding -the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB -measurement policy, would result in nothing being measured. The patch -prevents the default TCB policy from being replaced. 
- -Signed-off-by: Mimi Zohar <zohar@us.ibm.com> -Cc: James Morris <jmorris@namei.org> -Acked-by: Serge Hallyn <serge.hallyn@canonical.com> -Cc: David Safford <safford@watson.ibm.com> -Cc: <stable@kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> ---- - -diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c -index aef8c0a..d661afb 100644 ---- a/security/integrity/ima/ima_policy.c -+++ b/security/integrity/ima/ima_policy.c -@@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry, - result = security_filter_rule_init(entry->lsm[lsm_rule].type, - Audit_equal, args, - &entry->lsm[lsm_rule].rule); -+ if (!entry->lsm[lsm_rule].rule) -+ return -EINVAL; - return result; - } - diff --git a/freed-ora/current/f13/install-special-mapping-skips-security-file-mmap-check.patch b/freed-ora/current/f13/install-special-mapping-skips-security-file-mmap-check.patch deleted file mode 100644 index b53b39954..000000000 --- a/freed-ora/current/f13/install-special-mapping-skips-security-file-mmap-check.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From: Tavis Ormandy <taviso@cmpxchg8b.com> -Date: Thu, 9 Dec 2010 14:29:42 +0000 (+0100) -Subject: install_special_mapping skips security_file_mmap check. -X-Git-Tag: v2.6.37-rc6~5 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=462e635e5b73ba9a4c03913b77138cd57ce4b050 - -install_special_mapping skips security_file_mmap check. - -[ Trivial backport to 2.6.34 ] - -The install_special_mapping routine (used, for example, to setup the -vdso) skips the security check before insert_vm_struct, allowing a local -attacker to bypass the mmap_min_addr security restriction by limiting -the available pages for special mappings. - -bprm_mm_init() also skips the check, and although I don't think this can -be used to bypass any restrictions, I don't see any reason not to have -the security check. - - $ uname -m - x86_64 - $ cat /proc/sys/vm/mmap_min_addr - 65536 - $ cat install_special_mapping.s - section .bss - resb BSS_SIZE - section .text - global _start - _start: - mov eax, __NR_pause - int 0x80 - $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s - $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o - $ ./install_special_mapping & - [1] 14303 - $ cat /proc/14303/maps - 0000f000-00010000 r-xp 00000000 00:00 0 [vdso] - 00010000-00011000 r-xp 00001000 00:19 2453665 /home/taviso/install_special_mapping - 00011000-ffffe000 rwxp 00000000 00:00 0 [stack] - -It's worth noting that Red Hat are shipping with mmap_min_addr set to -4096. 
- -Signed-off-by: Tavis Ormandy <taviso@google.com> -Acked-by: Kees Cook <kees@ubuntu.com> -Acked-by: Robert Swiecki <swiecki@google.com> -[ Changed to not drop the error code - akpm ] -Reviewed-by: James Morris <jmorris@namei.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> ---- - -diff --git a/fs/exec.c b/fs/exec.c -index d68c378..c62efcb 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -275,6 +275,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm) - vma->vm_flags = VM_STACK_FLAGS; - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); - INIT_LIST_HEAD(&vma->anon_vma_chain); -+ -+ err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1); -+ if (err) -+ goto err; -+ - err = insert_vm_struct(mm, vma); - if (err) - goto err; -diff --git a/mm/mmap.c b/mm/mmap.c -index b179abb..50a4aa0 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -2462,6 +2462,7 @@ int install_special_mapping(struct mm_struct *mm, - unsigned long addr, unsigned long len, - unsigned long vm_flags, struct page **pages) - { -+ int ret; - struct vm_area_struct *vma; - - vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); -@@ -2479,16 +2480,23 @@ int install_special_mapping(struct mm_struct *mm, - vma->vm_ops = &special_mapping_vmops; - vma->vm_private_data = pages; - -- if (unlikely(insert_vm_struct(mm, vma))) { -- kmem_cache_free(vm_area_cachep, vma); -- return -ENOMEM; -- } -+ ret = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1); -+ if (ret) -+ goto out; -+ -+ ret = insert_vm_struct(mm, vma); -+ if (ret) -+ goto out; - - mm->total_vm += len >> PAGE_SHIFT; - - perf_event_mmap(vma); - - return 0; -+ -+out: -+ kmem_cache_free(vm_area_cachep, vma); -+ return ret; - } - - static DEFINE_MUTEX(mm_all_locks_mutex); diff --git a/freed-ora/current/f13/ioat2-catch-and-recover-from-broken-vtd-configurations.patch b/freed-ora/current/f13/ioat2-catch-and-recover-from-broken-vtd-configurations.patch deleted file mode 100644 index cd37e71e8..000000000 
--- a/freed-ora/current/f13/ioat2-catch-and-recover-from-broken-vtd-configurations.patch +++ /dev/null 
@@ -1,166 +0,0 @@ -From 547c01ae2608ffe89d18441ea209aff0540e83ec Mon Sep 17 00:00:00 2001 -From: Kyle McMartin <kyle@mcmartin.ca> -Date: Thu, 9 Dec 2010 17:45:58 -0500 -Subject: ioat2: catch and recover from broken vtd configurations v6 - -On some platforms (MacPro3,1) the BIOS assigns the ioatdma device to the -incorrect iommu causing faults when the driver initializes. Add a quirk -to catch this misconfiguration and try falling back to untranslated -operation (which works in the MacPro3,1 case). - -Assuming there are other platforms with misconfigured iommus teach the -ioatdma driver to treat initialization failures as non-fatal (just fail -the driver load and emit a warning instead of triggering a BUG_ON). - -This can be classified as a boot regression since 2.6.32 on affected -platforms since the ioatdma module did not autoload prior to that -kernel. - -Cc: <stable@kernel.org> -Acked-by: David Woodhouse <David.Woodhouse@intel.com> -Reported-by: Chris Li <lkml@chrisli.org> -Tested-by: Chris Li <lkml@chrisli.org> -Signed-off-by: Dan Williams <dan.j.williams@intel.com> - -Conflicts: - - drivers/dma/ioat/dma.h ---- - drivers/dma/ioat/dma.h | 1 + - drivers/dma/ioat/dma_v2.c | 24 ++++++++++++++++++++++-- - drivers/dma/ioat/dma_v3.c | 5 ++++- - drivers/pci/intel-iommu.c | 28 ++++++++++++++++++++++++++++ - 4 files changed, 55 insertions(+), 3 deletions(-) - -diff --git a/drivers/dma/ioat/dma.h b/drivers/dma/ioat/dma.h -index 86b97ac..f7619e9 100644 ---- a/drivers/dma/ioat/dma.h -+++ b/drivers/dma/ioat/dma.h -@@ -96,6 +96,7 @@ struct ioat_chan_common { - #define IOAT_COMPLETION_ACK 1 - #define IOAT_RESET_PENDING 2 - #define IOAT_KOBJ_INIT_FAIL 3 -+ #define IOAT_RUN 4 - struct timer_list timer; - #define COMPLETION_TIMEOUT msecs_to_jiffies(100) - #define IDLE_TIMEOUT msecs_to_jiffies(2000) -diff --git a/drivers/dma/ioat/dma_v2.c b/drivers/dma/ioat/dma_v2.c -index b5ae56c..63e6929 100644 ---- a/drivers/dma/ioat/dma_v2.c -+++ b/drivers/dma/ioat/dma_v2.c -@@ -304,7 +304,10 
@@ void ioat2_timer_event(unsigned long data) - chanerr = readl(chan->reg_base + IOAT_CHANERR_OFFSET); - dev_err(to_dev(chan), "%s: Channel halted (%x)\n", - __func__, chanerr); -- BUG_ON(is_ioat_bug(chanerr)); -+ if (test_bit(IOAT_RUN, &chan->state)) -+ BUG_ON(is_ioat_bug(chanerr)); -+ else /* we never got off the ground */ -+ return; - } - - /* if we haven't made progress and we have already -@@ -496,6 +499,8 @@ static struct ioat_ring_ent **ioat2_alloc_ring(struct dma_chan *c, int order, gf - return ring; - } - -+void ioat2_free_chan_resources(struct dma_chan *c); -+ - /* ioat2_alloc_chan_resources - allocate/initialize ioat2 descriptor ring - * @chan: channel to be initialized - */ -@@ -504,6 +509,7 @@ int ioat2_alloc_chan_resources(struct dma_chan *c) - struct ioat2_dma_chan *ioat = to_ioat2_chan(c); - struct ioat_chan_common *chan = &ioat->base; - struct ioat_ring_ent **ring; -+ u64 status; - int order; - - /* have we already been set up? */ -@@ -542,7 +548,20 @@ int ioat2_alloc_chan_resources(struct dma_chan *c) - tasklet_enable(&chan->cleanup_task); - ioat2_start_null_desc(ioat); - -- return 1 << ioat->alloc_order; -+ /* check that we got off the ground */ -+ udelay(5); -+ status = ioat_chansts(chan); -+ if (is_ioat_active(status) || is_ioat_idle(status)) { -+ set_bit(IOAT_RUN, &chan->state); -+ return 1 << ioat->alloc_order; -+ } else { -+ u32 chanerr = readl(chan->reg_base + IOAT_CHANERR_OFFSET); -+ -+ dev_WARN(to_dev(chan), -+ "failed to start channel chanerr: %#x\n", chanerr); -+ ioat2_free_chan_resources(c); -+ return -EFAULT; -+ } - } - - bool reshape_ring(struct ioat2_dma_chan *ioat, int order) -@@ -776,6 +795,7 @@ void ioat2_free_chan_resources(struct dma_chan *c) - del_timer_sync(&chan->timer); - device->cleanup_fn((unsigned long) c); - device->reset_hw(chan); -+ clear_bit(IOAT_RUN, &chan->state); - - spin_lock_bh(&ioat->ring_lock); - descs = ioat2_ring_space(ioat); -diff --git a/drivers/dma/ioat/dma_v3.c b/drivers/dma/ioat/dma_v3.c -index 
6740e31..52b1e3d 100644 ---- a/drivers/dma/ioat/dma_v3.c -+++ b/drivers/dma/ioat/dma_v3.c -@@ -401,7 +401,10 @@ static void ioat3_timer_event(unsigned long data) - chanerr = readl(chan->reg_base + IOAT_CHANERR_OFFSET); - dev_err(to_dev(chan), "%s: Channel halted (%x)\n", - __func__, chanerr); -- BUG_ON(is_ioat_bug(chanerr)); -+ if (test_bit(IOAT_RUN, &chan->state)) -+ BUG_ON(is_ioat_bug(chanerr)); -+ else /* we never got off the ground */ -+ return; - } - - /* if we haven't made progress and we have already -diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c -index 4173125..f4ba2e5 100644 ---- a/drivers/pci/intel-iommu.c -+++ b/drivers/pci/intel-iommu.c -@@ -3032,6 +3032,33 @@ static void __init iommu_exit_mempool(void) - - } - -+static void quirk_ioat_snb_local_iommu(struct pci_dev *pdev) -+{ -+ struct dmar_drhd_unit *drhd; -+ u32 vtbar; -+ int rc; -+ -+ /* We know that this device on this chipset has its own IOMMU. -+ * If we find it under a different IOMMU, then the BIOS is lying -+ * to us. Hope that the IOMMU for this device is actually -+ * disabled, and it needs no translation... -+ */ -+ rc = pci_bus_read_config_dword(pdev->bus, PCI_DEVFN(0, 0), 0xb0, &vtbar); -+ if (rc) { -+ /* "can't" happen */ -+ dev_info(&pdev->dev, "failed to run vt-d quirk\n"); -+ return; -+ } -+ vtbar &= 0xffff0000; -+ -+ /* we know that the this iommu should be at offset 0xa000 from vtbar */ -+ drhd = dmar_find_matched_drhd_unit(pdev); -+ if (WARN_ONCE(!drhd || drhd->reg_base_addr - vtbar != 0xa000, -+ "BIOS assigned incorrect VT-d unit for Intel(R) QuickData Technology device\n")) -+ pdev->dev.archdata.iommu = DUMMY_DEVICE_DOMAIN_INFO; -+} -+DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_IOAT_SNB, quirk_ioat_snb_local_iommu); -+ - static void __init init_no_remapping_devices(void) - { - struct dmar_drhd_unit *drhd; --- -1.7.3.3 - 
diff --git a/freed-ora/current/f13/ipc-shm-fix-information-leak-to-user.patch b/freed-ora/current/f13/ipc-shm-fix-information-leak-to-user.patch deleted file mode 100644 index b23ad439d..000000000 --- a/freed-ora/current/f13/ipc-shm-fix-information-leak-to-user.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Vasiliy Kulikov <segooon@gmail.com> -Date: Sat, 30 Oct 2010 14:22:49 +0000 (+0400) -Subject: ipc: shm: fix information leak to userland -X-Git-Tag: v2.6.37-rc1~24 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 - -ipc: shm: fix information leak to userland - -The shmid_ds structure is copied to userland with shm_unused{,2,3} -fields unitialized. It leads to leaking of contents of kernel stack -memory. - -Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> -Acked-by: Al Viro <viro@ZenIV.linux.org.uk> -Cc: stable@kernel.org -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> ---- - -diff --git a/ipc/shm.c b/ipc/shm.c -index fd658a1..7d3bb22 100644 ---- a/ipc/shm.c -+++ b/ipc/shm.c -@@ -479,6 +479,7 @@ static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ - { - struct shmid_ds out; - -+ memset(&out, 0, sizeof(out)); - ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm); - out.shm_segsz = in->shm_segsz; - out.shm_atime = in->shm_atime; diff --git a/freed-ora/current/f13/ipc-zero-struct-memory-for-compat-fns.patch b/freed-ora/current/f13/ipc-zero-struct-memory-for-compat-fns.patch deleted file mode 100644 index b682c7df0..000000000 --- a/freed-ora/current/f13/ipc-zero-struct-memory-for-compat-fns.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From: Dan Rosenberg <drosenberg@vsecurity.com> -Date: Wed, 27 Oct 2010 22:34:17 +0000 (-0700) -Subject: ipc: initialize structure memory to zero for compat functions -X-Git-Tag: v2.6.37-rc1~85^2~50 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=03145beb455cf5c20a761e8451e30b8a74ba58d9 - -ipc: initialize structure memory to zero for compat functions - -This takes care of leaking uninitialized kernel stack memory to -userspace from non-zeroed fields in structs in compat ipc functions. - -Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> -Cc: Manfred Spraul <manfred@colorfullife.com> -Cc: Arnd Bergmann <arnd@arndb.de> -Cc: <stable@kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> ---- - -diff --git a/ipc/compat.c b/ipc/compat.c -index 9dc2c7d..845a287 100644 ---- a/ipc/compat.c -+++ b/ipc/compat.c -@@ -241,6 +241,8 @@ long compat_sys_semctl(int first, int second, int third, void __user *uptr) - struct semid64_ds __user *up64; - int version = compat_ipc_parse_version(&third); - -+ memset(&s64, 0, sizeof(s64)); -+ - if (!uptr) - return -EINVAL; - if (get_user(pad, (u32 __user *) uptr)) -@@ -421,6 +423,8 @@ long compat_sys_msgctl(int first, int second, void __user *uptr) - int version = compat_ipc_parse_version(&second); - void __user *p; - -+ memset(&m64, 0, sizeof(m64)); -+ - switch (second & (~IPC_64)) { - case IPC_INFO: - case IPC_RMID: -@@ -594,6 +598,8 @@ long compat_sys_shmctl(int first, int second, void __user *uptr) - int err, err2; - int version = compat_ipc_parse_version(&second); - -+ memset(&s64, 0, sizeof(s64)); -+ - switch (second & (~IPC_64)) { - case IPC_RMID: - case SHM_LOCK: -diff --git a/ipc/compat_mq.c b/ipc/compat_mq.c -index d8d1e9f..380ea4f 100644 ---- a/ipc/compat_mq.c -+++ b/ipc/compat_mq.c -@@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const char __user *u_name, - void 
__user *p = NULL; - if (u_attr && oflag & O_CREAT) { - struct mq_attr attr; -+ -+ memset(&attr, 0, sizeof(attr)); -+ - p = compat_alloc_user_space(sizeof(attr)); - if (get_compat_mq_attr(&attr, u_attr) || - copy_to_user(p, &attr, sizeof(attr))) -@@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr(mqd_t mqdes, - struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p)); - long ret; - -+ memset(&mqstat, 0, sizeof(mqstat)); -+ - if (u_mqstat) { - if (get_compat_mq_attr(&mqstat, u_mqstat) || - copy_to_user(p, &mqstat, sizeof(mqstat))) diff --git a/freed-ora/current/f13/kernel.spec b/freed-ora/current/f13/kernel.spec index 0d7f88f0c..0d3c4136b 100644 --- a/freed-ora/current/f13/kernel.spec +++ b/freed-ora/current/f13/kernel.spec @@ -48,7 +48,7 @@ Summary: The Linux kernel # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec). # scripts/rebase.sh should be made to do that for you, actually. # -%global baserelease 68 +%global baserelease 69 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 9 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -659,8 +659,6 @@ Patch370: linux-2.6-defaults-acpi-pci_no_crs.patch Patch371: linux-2.6-defaults-no-pm-async.patch Patch380: linux-2.6-defaults-pci_no_msi.patch -# enable ASPM -Patch383: linux-2.6-defaults-aspm.patch # fixes for ASPM Patch384: pci-acpi-disable-aspm-if-no-osc.patch Patch385: pci-aspm-dont-enable-too-early.patch @@ -760,8 +758,6 @@ Patch2906: linux-2.6-v4l-dvb-uvcvideo-update.patch Patch2910: linux-2.6-v4l-dvb-add-lgdt3304-support.patch Patch2911: linux-2.6-v4l-dvb-add-kworld-a340-support.patch -# CVE-2011-0521 -Patch2912: linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch # fs fixes 
@@ -830,15 +826,9 @@ Patch13647: rt2x00-fix-failed-SLEEP-AWAKE-and-AWAKE-SLEEP-transitions.patch Patch13648: tpm-autodetect-itpm-devices.patch Patch13649: tpm-fix-stall-on-boot.patch -Patch13700: ipc-zero-struct-memory-for-compat-fns.patch -Patch13701: ipc-shm-fix-information-leak-to-user.patch - Patch13702: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch Patch13705: netlink-make-nlmsg_find_attr-take-a-const-ptr.patch -# CVE-2010-4248 -Patch13703: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch - Patch13710: rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch Patch13711: rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch 
@@ -857,55 +847,18 @@ Patch13802: xfs-properly-account-for-reclaimed-inodes.patch Patch13900: ima-allow-it-to-be-completely-disabled-and-default-off.patch -Patch13901: ioat2-catch-and-recover-from-broken-vtd-configurations.patch - -# CVE-2010-3705 -Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch -# CVE-2010-4258 -Patch13914: do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch -# CVE-2010-4169 -Patch13915: perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch -# CVE-2010-4162 -Patch13916: bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch # CVE-2010-4249 -Patch13917: af_unix-limit-unix_tot_inflight.patch Patch13918: scm-lower-SCM-MAX-FD.patch -# CVE-2010-4158 -Patch13920: filter-make-sure-filters-dont-read-uninitialized-memory.patch -# CVE-2010-3874 -Patch13921: can-bcm-fix-minor-heap-overflow.patch # Allow AF_PACKET to be less of a pig with contiguous ram Patch13922: patch-2.6.38-afpacket-vmalloc.patch # rhbz#662344 Patch13923: fs-call-security_d_instantiate-in-d_obtain_alias.patch -# CVE-2010-4163 -Patch13924: block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch -# CVE-2010-4668 -Patch13925: block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch - # rhbz#643758 Patch13926: hostap_cs-fix-sleeping-function-called-from-invalid-context.patch -# CVE-2010-4346 -Patch13930: install-special-mapping-skips-security-file-mmap-check.patch -# CVE-2010-4649 -Patch13931: ib-uverbs-handle-large-number-of-poll-entries-in-poll-cq.patch -# CVE-2011-0006 -Patch13932: ima-fix-add-lsm-rule-bug.patch -# CVE-2010-4648 -Patch13933: orinoco-fix-tkip-countermeasure-behaviour.patch -# CVE-2010-4650 -Patch13934: fuse-verify-ioctl-retries.patch - -# Networking fixes from 2.6.36.3 -Patch13940: tcp-avoid-a-possible-divide-by-zero.patch -Patch13941: tcp-bug-fix-in-initialization-of-receive-window.patch -Patch13942: tcp-don-t-change-unlocked-socket-state-in-tcp_v4_err.patch # CVE-2010-4165 
-Patch13943: tcp-increase-tcp_maxseg-socket-option-minimum.patch -Patch13944: tcp-make-tcp_maxseg-minimum-more-correct.patch Patch13945: tcp-protect-sysctl_tcp_cookie_size-reads.patch # rhbz#673207 (f14) @@ -914,6 +867,23 @@ Patch13950: sunrpc-kernel-panic-when-mount-nfsv4.patch # rhbz#650151 Patch13951: bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch +# rhbz#649871 +Patch13952: drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch + +Patch13955: virtio_net-add-schedule-check-to-napi_enable-call.patch + +# cve-2011-1079 +Patch13956: bluetooth-bnep-fix-buffer-overflow.patch + +# cve-2011-1745 +Patch13957: agp-fix-arbitrary-kernel-memory-writes.patch +# cve-2011-1746 +Patch13958: agp-fix-oom-and-buffer-overflow.patch +# CVE-2011-1494, CVE-2011-1495 +Patch13960: scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch +# CVE-2011-1093 +Patch13961: dccp-fix-oops-on-reset-after-close.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1443,8 +1413,6 @@ ApplyPatch linux-2.6-defaults-acpi-pci_no_crs.patch # make default state of PCI MSI a config option ApplyPatch linux-2.6-defaults-pci_no_msi.patch -# enable ASPM by default on hardware we expect to work -ApplyPatch linux-2.6-defaults-aspm.patch # disable aspm if acpi doesn't provide an _OSC method ApplyPatch pci-acpi-disable-aspm-if-no-osc.patch # allow drivers to disable aspm at load time @@ -1564,8 +1532,6 @@ ApplyPatch linux-2.6-v4l-dvb-uvcvideo-update.patch ApplyPatch linux-2.6-v4l-dvb-add-lgdt3304-support.patch ApplyPatch linux-2.6-v4l-dvb-add-kworld-a340-support.patch -# CVE-2011-0521 -ApplyPatch linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch ApplyPatch linux-2.6-phylib-autoload.patch 
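Review bot: The `# CVE-2010-4165` comment is kept while the two lines directly under it, `Patch13943: tcp-increase-tcp_maxseg-socket-option-minimum.patch` and `Patch13944: tcp-make-tcp_maxseg-minimum-more-correct.patch`, are removed, so on the new side it now annotates `Patch13945: tcp-protect-sysctl_tcp_cookie_size-reads.patch` instead. Nothing on the page shows that the cookie_size patch belongs to that CVE, so the comment should either go with the lines it described or be moved to whichever patch it actually covers; the same orphaned comment survives in the ApplyPatch hunk `@@ -1684,56 +1641,19 @@`, which additionally adds a lone blank `+` line after `ApplyPatch scm-lower-SCM-MAX-FD.patch` that the Patch-list hunk does not mirror. The `# CVE-2010-4249` comment above `Patch13918: scm-lower-SCM-MAX-FD.patch` deserves the same check, since the first of the two lines it annotated was also dropped.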
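Review bot: The new annotations `# cve-2011-1079`, `# cve-2011-1745` and `# cve-2011-1746` in hunk `@@ -914,6 +867,23 @@` use lowercase, while the neighbouring `# CVE-2011-1494, CVE-2011-1495`, `# CVE-2011-1093` and every older entry in the file use `CVE-`; the same three lowercase comments are repeated in `@@ -1742,6 +1662,23 @@`. Mixed casing makes a grep for `CVE-` in the spec miss these entries, so they should read `# CVE-2011-1079`, `# CVE-2011-1745`, `# CVE-2011-1746` in both hunks. `Patch13955: virtio_net-add-schedule-check-to-napi_enable-call.patch` is the only new entry with no comment at all; the changelog in this same commit records it as a backport of 3e9d08e, so a one-line `# backport of 3e9d08e` above it (and above the matching ApplyPatch line) would keep the list self-describing.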
@@ -1649,19 +1615,10 @@ ApplyPatch tpm-fix-stall-on-boot.patch ApplyPatch rt2x00-disable-auto-wakeup-before-waking-up-device.patch ApplyPatch rt2x00-fix-failed-SLEEP-AWAKE-and-AWAKE-SLEEP-transitions.patch -# rhbz#648658 (CVE-2010-4073) -ApplyPatch ipc-zero-struct-memory-for-compat-fns.patch - -# rhbz#648656 (CVE-2010-4072) -ApplyPatch ipc-shm-fix-information-leak-to-user.patch - # rhbz#651264 (CVE-2010-3880) ApplyPatch inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch ApplyPatch netlink-make-nlmsg_find_attr-take-a-const-ptr.patch -# rhbz#656264 (CVE-2010-4248) -ApplyPatch posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch - ApplyPatch rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch ApplyPatch rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch 
@@ -1684,56 +1641,19 @@ ApplyPatch xfs-properly-account-for-reclaimed-inodes.patch # disable IMA by default as we did in F-14 ApplyPatch ima-allow-it-to-be-completely-disabled-and-default-off.patch -# rhbz605845 [556ab45f] -ApplyPatch ioat2-catch-and-recover-from-broken-vtd-configurations.patch - -# CVE-2010-3705 -ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch -# CVE-2010-4258 -ApplyPatch do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch -# CVE-2010-4169 -ApplyPatch perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch -# CVE-2010-4162 -ApplyPatch bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch # CVE-2010-4249 -ApplyPatch af_unix-limit-unix_tot_inflight.patch ApplyPatch scm-lower-SCM-MAX-FD.patch -# CVE-2010-4158 -ApplyPatch filter-make-sure-filters-dont-read-uninitialized-memory.patch -# CVE-2010-3874 -ApplyPatch can-bcm-fix-minor-heap-overflow.patch + # Allow AF_PACKET to be less of a contiguous ram pig ApplyPatch patch-2.6.38-afpacket-vmalloc.patch # rhbz#662344 ApplyPatch fs-call-security_d_instantiate-in-d_obtain_alias.patch -# CVE-2010-4163 -ApplyPatch block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch -# CVE-2010-4668 -ApplyPatch block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch - # rhbz#643758 ApplyPatch hostap_cs-fix-sleeping-function-called-from-invalid-context.patch -# CVE-2010-4346 -ApplyPatch install-special-mapping-skips-security-file-mmap-check.patch -# CVE-2010-4649 -ApplyPatch ib-uverbs-handle-large-number-of-poll-entries-in-poll-cq.patch -# CVE-2011-0006 -ApplyPatch ima-fix-add-lsm-rule-bug.patch -# CVE-2010-4648 -ApplyPatch orinoco-fix-tkip-countermeasure-behaviour.patch -# CVE-2010-4650 -ApplyPatch fuse-verify-ioctl-retries.patch - -# Networking fixes from 2.6.36.3 -ApplyPatch tcp-avoid-a-possible-divide-by-zero.patch -ApplyPatch tcp-bug-fix-in-initialization-of-receive-window.patch -ApplyPatch 
tcp-don-t-change-unlocked-socket-state-in-tcp_v4_err.patch # CVE-2010-4165 -ApplyPatch tcp-increase-tcp_maxseg-socket-option-minimum.patch -ApplyPatch tcp-make-tcp_maxseg-minimum-more-correct.patch ApplyPatch tcp-protect-sysctl_tcp_cookie_size-reads.patch # rhbz#673207 (f14) @@ -1742,6 +1662,23 @@ ApplyPatch sunrpc-kernel-panic-when-mount-nfsv4.patch # rhbz#650151 ApplyPatch bridge-fix-mglist-corruption-that-leads-to-memory-corruption.patch +# rhbz#649871 +ApplyPatch drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch + +ApplyPatch virtio_net-add-schedule-check-to-napi_enable-call.patch + +# cve-2011-1079 +ApplyPatch bluetooth-bnep-fix-buffer-overflow.patch + +# cve-2011-1745 +ApplyPatch agp-fix-arbitrary-kernel-memory-writes.patch +# cve-2011-1746 +ApplyPatch agp-fix-oom-and-buffer-overflow.patch +# CVE-2011-1494, CVE-2011-1495 +ApplyPatch scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch +# CVE-2011-1093 +ApplyPatch dccp-fix-oops-on-reset-after-close.patch + # END OF PATCH APPLICATIONS %endif 
@@ -2362,6 +2299,59 @@ fi %kernel_variant_files %{with_pae_debug} PAEdebug %changelog +* Wed May 4 2011 <lxoliva@fsfla.org> -libre +- Deblobbed patch-libre-2.6.34.9. + +* Mon May 02 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.34.9-69 +- [SCSI] mpt2sas: prevent heap overflows and unchecked reads + (CVE-2011-1494, CVE-2011-1495) +- dccp: fix oops on Reset after close (CVE-2011-1093) + +* Fri Apr 29 2011 Chuck Ebbert <cebbert@redhat.com> +- Bluetooth: bnep: fix buffer overflow (CVE-2011-1079) +- agp: fix arbitrary kernel memory writes (CVE-2011-1745) +- agp: fix OOM and buffer overflow (CVE-2011-1746) + +* Sun Apr 17 2011 Chuck Ebbert <cebbert@redhat.com> +- Linux 2.6.34.9 +- Fix up drm-next.patch to apply on top of cda4b7d3a, e06b14ee9 +- Un-revert 6a1a82df9 from upstream +- Drop: + linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch + ipc-zero-struct-memory-for-compat-fns.patch + ipc-shm-fix-information-leak-to-user.patch + posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch + ioat2-catch-and-recover-from-broken-vtd-configurations.patch + sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch + do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch + perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch + bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch + af_unix-limit-unix_tot_inflight.patch + filter-make-sure-filters-dont-read-uninitialized-memory.patch + can-bcm-fix-minor-heap-overflow.patch + block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch + block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch + install-special-mapping-skips-security-file-mmap-check.patch + ib-uverbs-handle-large-number-of-poll-entries-in-poll-cq.patch + ima-fix-add-lsm-rule-bug.patch + orinoco-fix-tkip-countermeasure-behaviour.patch + fuse-verify-ioctl-retries.patch + tcp-avoid-a-possible-divide-by-zero.patch + tcp-bug-fix-in-initialization-of-receive-window.patch + 
tcp-don-t-change-unlocked-socket-state-in-tcp_v4_err.patch + tcp-increase-tcp_maxseg-socket-option-minimum.patch + tcp-make-tcp_maxseg-minimum-more-correct.patch + +* Wed Mar 23 2011 Kyle McMartin <kmcmartin@redhat.com> +- Backport 3e9d08e: "virtio_net: Add schedule check to napi_enable call" + +* Fri Mar 11 2011 Chuck Ebbert <cebbert@redhat.com> +- Drop linux-2.6-defaults-aspm.patch; fixing ASPM properly will + be too difficult in this old kernel. + +* Thu Feb 24 2011 Chuck Ebbert <cebbert@redhat.com> +- Fix crash when dropping filesystem caches (#649871) + * Mon Feb 14 2011 Kyle McMartin <kmcmartin@redhat.com> 2.6.34.8-68 - Backport commits from longterm-2.6.35.y to 'fix' Intel Sandy Bridge chipsets. (Requested by Intel folks.) diff --git a/freed-ora/current/f13/linux-2.6-defaults-aspm.patch b/freed-ora/current/f13/linux-2.6-defaults-aspm.patch deleted file mode 100644 index 49b832d2c..000000000 --- a/freed-ora/current/f13/linux-2.6-defaults-aspm.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up linux-2.6.30.noarch/drivers/pci/pcie/aspm.c.mjg linux-2.6.30.noarch/drivers/pci/pcie/aspm.c ---- linux-2.6.30.noarch/drivers/pci/pcie/aspm.c.mjg 2009-07-16 22:01:11.000000000 +0100 -+++ linux-2.6.30.noarch/drivers/pci/pcie/aspm.c 2009-07-16 22:01:30.000000000 +0100 -@@ -65,7 +65,7 @@ static LIST_HEAD(link_list); - #define POLICY_DEFAULT 0 /* BIOS default setting */ - #define POLICY_PERFORMANCE 1 /* high performance */ - #define POLICY_POWERSAVE 2 /* high power saving */ --static int aspm_policy; -+static int aspm_policy = POLICY_POWERSAVE; - static const char *policy_str[] = { - [POLICY_DEFAULT] = "default", - [POLICY_PERFORMANCE] = "performance", diff --git a/freed-ora/current/f13/linux-2.6-upstream-reverts.patch b/freed-ora/current/f13/linux-2.6-upstream-reverts.patch index 146558a65..71d57f7ac 100644 --- a/freed-ora/current/f13/linux-2.6-upstream-reverts.patch +++ b/freed-ora/current/f13/linux-2.6-upstream-reverts.patch 
@@ -1,52 +1,3 @@ -From 6a1a82df91fa0eb1cc76069a9efe5714d087eccd Mon Sep 17 00:00:00 2001 -From: Daniel Mack <daniel@caiaq.de> -Date: Thu, 3 Jun 2010 13:55:02 +0200 -Subject: USB: ftdi_sio: fix DTR/RTS line modes - -From: Daniel Mack <daniel@caiaq.de> - -commit 6a1a82df91fa0eb1cc76069a9efe5714d087eccd upstream. - -Call set_mctrl() and clear_mctrl() according to the flow control mode -selected. This makes serial communication for FT232 connected devices -work when CRTSCTS is not set. - -This fixes a regression introduced by 4175f3e31 ("tty_port: If we are -opened non blocking we still need to raise the carrier"). This patch -calls the low-level driver's dtr_rts() function which consequently sets -TIOCM_DTR | TIOCM_RTS. A later call to set_termios() without CRTSCTS in -cflags, however, does not reset these bits, and so data is not actually -sent out on the serial wire. - -Signed-off-by: Daniel Mack <daniel@caiaq.de> -Cc: Johan Hovold <jhovold@gmail.com> -Cc: Alan Cox <alan@linux.intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> - ---- - drivers/usb/serial/ftdi_sio.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/usb/serial/ftdi_sio.c -+++ b/drivers/usb/serial/ftdi_sio.c -@@ -2289,6 +2289,8 @@ static void ftdi_set_termios(struct tty_ - "urb failed to set to rts/cts flow control\n"); - } - -+ /* raise DTR/RTS */ -+ set_mctrl(port, TIOCM_DTR | TIOCM_RTS); - } else { - /* - * Xon/Xoff code -@@ -2336,6 +2338,8 @@ static void ftdi_set_termios(struct tty_ - } - } - -+ /* lower DTR/RTS */ -+ clear_mctrl(port, TIOCM_DTR | TIOCM_RTS); - } - return; - } From 3d61510f4ecacfe47c75c0eb51c0659dfa77fb1b Mon Sep 17 00:00:00 2001 From: Alan Stern <stern@rowland.harvard.edu> Date: Fri, 2 Apr 2010 13:21:58 -0400 diff --git a/freed-ora/current/f13/linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch b/freed-ora/current/f13/linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch deleted file mode 100644 index 8d58eb9b7..000000000 
--- a/freed-ora/current/f13/linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Dan Carpenter <error27@gmail.com> -Date: Fri, 7 Jan 2011 19:41:54 +0000 (-0300) -Subject: [media] [v3,media] av7110: check for negative array offset -X-Git-Tag: v2.6.38-rc2~1^2~31 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=cb26a24ee9706473f31d34cc259f4dcf45cd0644 - -[media] [v3,media] av7110: check for negative array offset - -info->num comes from the user. It's type int. If the user passes -in a negative value that would cause memory corruption. - -Signed-off-by: Dan Carpenter <error27@gmail.com> -Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> ---- - -diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c -index 122c728..9fc1dd0 100644 ---- a/drivers/media/dvb/ttpci/av7110_ca.c -+++ b/drivers/media/dvb/ttpci/av7110_ca.c -@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) - { - ca_slot_info_t *info=(ca_slot_info_t *)parg; - -- if (info->num > 1) -+ if (info->num < 0 || info->num > 1) - return -EINVAL; - av7110->ci_slot[info->num].num = info->num; - av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? diff --git a/freed-ora/current/f13/orinoco-fix-tkip-countermeasure-behaviour.patch b/freed-ora/current/f13/orinoco-fix-tkip-countermeasure-behaviour.patch deleted file mode 100644 index f62a6018c..000000000 --- a/freed-ora/current/f13/orinoco-fix-tkip-countermeasure-behaviour.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From: David Kilroy <kilroyd@googlemail.com> -Date: Sun, 5 Dec 2010 15:43:55 +0000 (+0000) -Subject: orinoco: fix TKIP countermeasure behaviour -X-Git-Tag: v2.6.37-rc6~14^2~14^2 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0a54917c3fc295cb61f3fb52373c173fd3b69f48 - -orinoco: fix TKIP countermeasure behaviour - -Enable the port when disabling countermeasures, and disable it on -enabling countermeasures. - -This bug causes the response of the system to certain attacks to be -ineffective. - -It also prevents wpa_supplicant from getting scan results, as -wpa_supplicant disables countermeasures on startup - preventing the -hardware from scanning. - -wpa_supplicant works with ap_mode=2 despite this bug because the commit -handler re-enables the port. - -The log tends to look like: - -State: DISCONNECTED -> SCANNING -Starting AP scan for wildcard SSID -Scan requested (ret=0) - scan timeout 5 seconds -EAPOL: disable timer tick -EAPOL: Supplicant port status: Unauthorized -Scan timeout - try to get results -Failed to get scan results -Failed to get scan results - try scanning again -Setting scan request: 1 sec 0 usec -Starting AP scan for wildcard SSID -Scan requested (ret=-1) - scan timeout 5 seconds -Failed to initiate AP scan. - -Reported by: Giacomo Comes <comes@naic.edu> -Signed-off by: David Kilroy <kilroyd@googlemail.com> -Cc: stable@kernel.org -Signed-off-by: John W. 
Linville <linville@tuxdriver.com> ---- - -diff --git a/drivers/net/wireless/orinoco/wext.c b/drivers/net/wireless/orinoco/wext.c -index 93505f9..e5afabe 100644 ---- a/drivers/net/wireless/orinoco/wext.c -+++ b/drivers/net/wireless/orinoco/wext.c -@@ -911,10 +911,10 @@ static int orinoco_ioctl_set_auth(struct net_device *dev, - */ - if (param->value) { - priv->tkip_cm_active = 1; -- ret = hermes_enable_port(hw, 0); -+ ret = hermes_disable_port(hw, 0); - } else { - priv->tkip_cm_active = 0; -- ret = hermes_disable_port(hw, 0); -+ ret = hermes_enable_port(hw, 0); - } - break; - diff --git a/freed-ora/current/f13/patch-libre-2.6.34.8.bz2.sign b/freed-ora/current/f13/patch-libre-2.6.34.8.bz2.sign deleted file mode 100644 index 7d9b19912..000000000 --- a/freed-ora/current/f13/patch-libre-2.6.34.8.bz2.sign +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.16 (GNU/Linux) - -iEYEABECAAYFAk1PZlQACgkQvLfPh359R6c4sgCeJEaMvYRkQMwItgcuz6yQFcj3 -V4AAn1SdHD4upEFtG7MIC4Chups/UZST -=j4Pt ------END PGP SIGNATURE----- diff --git a/freed-ora/current/f13/patch-libre-2.6.34.8.xdelta b/freed-ora/current/f13/patch-libre-2.6.34.8.xdelta Binary files differdeleted file mode 100644 index 52a4f6435..000000000 --- a/freed-ora/current/f13/patch-libre-2.6.34.8.xdelta +++ /dev/null diff --git a/freed-ora/current/f13/patch-libre-2.6.34.8.xdelta.sign b/freed-ora/current/f13/patch-libre-2.6.34.8.xdelta.sign deleted file mode 100644 index d4eb28f94..000000000 --- a/freed-ora/current/f13/patch-libre-2.6.34.8.xdelta.sign +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.16 (GNU/Linux) - -iEYEABECAAYFAk1PZlIACgkQvLfPh359R6d+rgCeNOAys2Cmu8AoSYlWhocMGfB5 -VPQAnRCsjqAMVpEdRbYb49rSIShckjmQ -=+NXt ------END PGP SIGNATURE----- diff --git a/freed-ora/current/f13/patch-libre-2.6.34.9.bz2.sign b/freed-ora/current/f13/patch-libre-2.6.34.9.bz2.sign new file mode 100644 index 000000000..d52ab6fee --- /dev/null 
+++ b/freed-ora/current/f13/patch-libre-2.6.34.9.bz2.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.16 (GNU/Linux) + +iEYEABECAAYFAk3A3McACgkQvLfPh359R6diZgCdGT47MGUmeKGvPL4KKM8UCsJJ +GcwAmwWVhdHf28Ufh3+6AgzlBvhOa8uA +=w+Sn +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f13/patch-libre-2.6.34.9.xdelta b/freed-ora/current/f13/patch-libre-2.6.34.9.xdelta Binary files differnew file mode 100644 index 000000000..35eb3755f --- /dev/null +++ b/freed-ora/current/f13/patch-libre-2.6.34.9.xdelta diff --git a/freed-ora/current/f13/patch-libre-2.6.34.9.xdelta.sign b/freed-ora/current/f13/patch-libre-2.6.34.9.xdelta.sign new file mode 100644 index 000000000..255cc36bf --- /dev/null +++ b/freed-ora/current/f13/patch-libre-2.6.34.9.xdelta.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.16 (GNU/Linux) + +iEYEABECAAYFAk3A3MUACgkQvLfPh359R6dbHACfVNz39zOr7lGb9swgi4m7RjOG +xeUAoKLAEhHDgKsNjTaxwxdw9Bfe4/SL +=6zKr +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f13/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch b/freed-ora/current/f13/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch deleted file mode 100644 index a2883a2cf..000000000 --- a/freed-ora/current/f13/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From: Pekka Enberg <penberg@kernel.org> -Date: Mon, 8 Nov 2010 19:29:07 +0000 (+0200) -Subject: perf_events: Fix perf_counter_mmap() hook in mprotect() -X-Git-Tag: v2.6.37-rc2~72 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=63bfd7384b119409685a17d5c58f0b56e5dc03da - -perf_events: Fix perf_counter_mmap() hook in mprotect() - -As pointed out by Linus, commit dab5855 ("perf_counter: Add mmap event hooks to -mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to -merging. Fix the problem by moving perf_event_mmap() hook to -mprotect_fixup(). - -Note: there's another successful return path from mprotect_fixup() if old -flags equal to new flags. We don't, however, need to call -perf_event_mmap() there because 'perf' already knows the VMA is -executable. - -Reported-by: Dave Jones <davej@redhat.com> -Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Ingo Molnar <mingo@elte.hu> -Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl> -Signed-off-by: Pekka Enberg <penberg@kernel.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> ---- - -diff --git a/mm/mprotect.c b/mm/mprotect.c -index 2d1bf7c..4c51338 100644 ---- a/mm/mprotect.c -+++ b/mm/mprotect.c -@@ -211,6 +211,7 @@ success: - mmu_notifier_invalidate_range_end(mm, start, end); - vm_stat_account(mm, oldflags, vma->vm_file, -nrpages); - vm_stat_account(mm, newflags, vma->vm_file, nrpages); -+ perf_event_mmap(vma); - return 0; - - fail: -@@ -299,7 +300,6 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags); - if (error) - goto out; -- perf_event_mmap(vma); - nstart = tmp; - - if (nstart < prev->vm_end) 
diff --git a/freed-ora/current/f13/posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch b/freed-ora/current/f13/posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch deleted file mode 100644 index 8a51f1e8d..000000000 --- a/freed-ora/current/f13/posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 4366640cd1342b3e77077d3d565dbaeff9b66d4d Mon Sep 17 00:00:00 2001 -From: Oleg Nesterov <oleg@redhat.com> -Date: Fri, 5 Nov 2010 16:53:42 +0100 -Subject: posix-cpu-timers: workaround to suppress the problems with mt exec - -posix-cpu-timers.c correctly assumes that the dying process does -posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD -timers from signal->cpu_timers list. - -But, it also assumes that timer->it.cpu.task is always the group -leader, and thus the dead ->task means the dead thread group. - -This is obviously not true after de_thread() changes the leader. -After that almost every posix_cpu_timer_ method has problems. - -It is not simple to fix this bug correctly. First of all, I think -that timer->it.cpu should use struct pid instead of task_struct. -Also, the locking should be reworked completely. In particular, -tasklist_lock should not be used at all. This all needs a lot of -nontrivial and hard-to-test changes. - -Change __exit_signal() to do posix_cpu_timers_exit_group() when -the old leader dies during exec. This is not the fix, just the -temporary hack to hide the problem for 2.6.37 and stable. IOW, -this is obviously wrong but this is what we currently have anyway: -cpu timers do not work after mt exec. - -In theory this change adds another race. The exiting leader can -detach the timers which were attached to the new leader. However, -the window between de_thread() and release_task() is small, we -can pretend that sys_timer_create() was called before de_thread(). 
- -Signed-off-by: Oleg Nesterov <oleg@redhat.com> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> ---- - kernel/exit.c | 8 ++++++++ - 1 files changed, 8 insertions(+), 0 deletions(-) - -diff --git a/kernel/exit.c b/kernel/exit.c -index 7f2683a..34d4c33 100644 ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -95,6 +95,14 @@ static void __exit_signal(struct task_struct *tsk) - posix_cpu_timers_exit_group(tsk); - else { - /* -+ * This can only happen if the caller is de_thread(). -+ * FIXME: this is the temporary hack, we should teach -+ * posix-cpu-timers to handle this case correctly. -+ */ -+ if (unlikely(has_group_leader_pid(tsk))) -+ posix_cpu_timers_exit_group(tsk); -+ -+ /* - * If there is any task waiting for the group exit - * then notify it: - */ --- -1.7.3.2 - diff --git a/freed-ora/current/f13/scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch b/freed-ora/current/f13/scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch new file mode 100644 index 000000000..e63ef7f02 --- /dev/null +++ b/freed-ora/current/f13/scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch 
@@ -0,0 +1,85 @@
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Tue, 5 Apr 2011 16:45:59 +0000 (-0400)
+Subject: [SCSI] mpt2sas: prevent heap overflows and unchecked reads
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a1f74ae82d133ebb2aabb19d181944b4e83e9960
+
+[trivial backport to 2.6.34]
+
+[SCSI] mpt2sas: prevent heap overflows and unchecked reads
+
+At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
+length values are used to copy data from userspace into heap buffers
+without bounds checking, allowing controllable heap corruption and
+subsequently privilege escalation.
+
+Additionally, user-supplied values are used to determine the size of a
+copy_to_user() as well as the offset into the buffer to be read, with no
+bounds checking, allowing users to read arbitrary kernel memory.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Cc: stable@kernel.org
+Acked-by: Eric Moore <eric.moore@lsi.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+---
+
+diff --git a/drivers/scsi/mpt2sas/mpt2sas_ctl.c b/drivers/scsi/mpt2sas/mpt2sas_ctl.c
+index 1c6d2b4..d72f1f2 100644
+--- a/drivers/scsi/mpt2sas/mpt2sas_ctl.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_ctl.c
+@@ -688,6 +688,13 @@ _ctl_do_mpt_command(struct MPT2SAS_ADAPTER *ioc,
+ data_out_sz = karg.data_out_size;
+ data_in_sz = karg.data_in_size;
+ 
++ /* Check for overflow and wraparound */
++ if (karg.data_sge_offset * 4 > ioc->request_sz ||
++ karg.data_sge_offset > (UINT_MAX / 4)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ /* copy in request message frame from user */
+ if (copy_from_user(mpi_request, mf, karg.data_sge_offset*4)) {
+ printk(KERN_ERR "failure at %s:%d/%s()!\n", __FILE__, __LINE__,
+@@ -1963,7 +1970,7 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state)
+ Mpi2DiagBufferPostReply_t *mpi_reply;
+ int rc, i;
+ u8 buffer_type;
+- unsigned long timeleft;
++ unsigned long timeleft, request_size, copy_size;
+ u16 smid;
+ u16 ioc_status;
+ u8 issue_reset = 0;
+@@ -1999,6 +2006,8 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state)
+ return -ENOMEM;
+ }
+ 
++ request_size = ioc->diag_buffer_sz[buffer_type];
++
+ if ((karg.starting_offset % 4) || (karg.bytes_to_read % 4)) {
+ printk(MPT2SAS_ERR_FMT "%s: either the starting_offset "
+ "or bytes_to_read are not 4 byte aligned\n", ioc->name,
+@@ -2006,13 +2015,23 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state)
+ return -EINVAL;
+ }
+ 
++ if (karg.starting_offset > request_size)
++ return -EINVAL;
++
+ diag_data = (void *)(request_data + karg.starting_offset);
+ dctlprintk(ioc, printk(MPT2SAS_DEBUG_FMT "%s: diag_buffer(%p), "
+ "offset(%d), sz(%d)\n", ioc->name, __func__,
+ diag_data, karg.starting_offset, karg.bytes_to_read));
+ 
++ /* Truncate data on requests that are too large */
++ if ((diag_data + karg.bytes_to_read < diag_data) ||
++ (diag_data + karg.bytes_to_read > request_data + request_size))
++ copy_size = request_size - karg.starting_offset;
++ else
++ copy_size = karg.bytes_to_read;
++
+ if (copy_to_user((void __user *)uarg->diagnostic_data,
+- diag_data, karg.bytes_to_read)) {
++ diag_data, copy_size)) {
+ printk(MPT2SAS_ERR_FMT "%s: Unable to write "
+ "mpt_diag_read_buffer_t data @ %p\n", ioc->name,
+ __func__, diag_data);
diff --git a/freed-ora/current/f13/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch b/freed-ora/current/f13/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
deleted file mode 100644
index 4f61bfa24..000000000
--- a/freed-ora/current/f13/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
+++ /dev/null
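Review bot: The truncation check in `_ctl_diag_read_buffer` detects an oversized `karg.bytes_to_read` by testing `diag_data + karg.bytes_to_read < diag_data`, i.e. pointer wraparound, which is undefined behaviour in C and which a compiler is entitled to fold to false. Because `karg.starting_offset > request_size` is already rejected a few lines earlier, the same truncation can be written as an integer comparison that never forms an out-of-range pointer: `if (karg.bytes_to_read > request_size - karg.starting_offset) copy_size = request_size - karg.starting_offset; else copy_size = karg.bytes_to_read;`. In `_ctl_do_mpt_command` the guard evaluates `karg.data_sge_offset * 4` before the `karg.data_sge_offset > (UINT_MAX / 4)` term; it still rejects a wrapped product because `||` goes on to evaluate the second operand, but swapping the two terms states the intent directly (the field's width is not visible here, so whether the product can wrap is inferred). The header calls this a trivial backport of an upstream commit, so any deviation from the upstream lines should be recorded next to the `[trivial backport to 2.6.34]` marker. Both enclosing functions begin and end outside the quoted hunks.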
@@ -1,50 +0,0 @@ -From: Dan Rosenberg <drosenberg@vsecurity.com> -Date: Fri, 1 Oct 2010 11:51:47 +0000 (+0000) -Subject: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() -X-Git-Tag: v2.6.36-rc8~2^2~25 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=51e97a12bef19b7e43199fc153cf9bd5f2140362 - -sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() - -The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids -array and attempts to ensure that only a supported hmac entry is -returned. The current code fails to do this properly - if the last id -in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the -id integer remains set after exiting the loop, and the address of an -out-of-bounds entry will be returned and subsequently used in the parent -function, causing potentially ugly memory corruption. This patch resets -the id integer to 0 on encountering an invalid id so that NULL will be -returned after finishing the loop if no valid ids are found. - -Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> -Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - -diff --git a/net/sctp/auth.c b/net/sctp/auth.c -index 8636639..ddbbf7c 100644 ---- a/net/sctp/auth.c -+++ b/net/sctp/auth.c -@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc) - id = ntohs(hmacs->hmac_ids[i]); - - /* Check the id is in the supported range */ -- if (id > SCTP_AUTH_HMAC_ID_MAX) -+ if (id > SCTP_AUTH_HMAC_ID_MAX) { -+ id = 0; - continue; -+ } - - /* See is we support the id. Supported IDs have name and - * length fields set, so that we can allocated and use - * them. We can safely just check for name, for without the - * name, we can't allocate the TFM. - */ -- if (!sctp_hmac_list[id].hmac_name) -+ if (!sctp_hmac_list[id].hmac_name) { -+ id = 0; - continue; -+ } - - break; - } 
diff --git a/freed-ora/current/f13/sources b/freed-ora/current/f13/sources index 42d67e99a..fc6642017 100644 --- a/freed-ora/current/f13/sources +++ b/freed-ora/current/f13/sources @@ -1,2 +1,2 @@ dbae740dbd7f65e686fab083bc6bcb39 linux-2.6.34-libre2.tar.bz2 -c301815248c0824e764c15f0f71ab7e4 patch-libre-2.6.34.8.bz2 +0f6499647334b2a56ab18f593a2f87e2 patch-libre-2.6.34.9.bz2 diff --git a/freed-ora/current/f13/tcp-avoid-a-possible-divide-by-zero.patch b/freed-ora/current/f13/tcp-avoid-a-possible-divide-by-zero.patch deleted file mode 100644 index 75976dac2..000000000 --- a/freed-ora/current/f13/tcp-avoid-a-possible-divide-by-zero.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From b6bd33114e63d96f424c8e2baf46b3a58745077b Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <eric.dumazet@gmail.com> -Date: Tue, 7 Dec 2010 12:03:55 +0000 -Subject: tcp: avoid a possible divide by zero - - -From: Eric Dumazet <eric.dumazet@gmail.com> - -[ Upstream commit ad9f4f50fe9288bbe65b7dfd76d8820afac6a24c ] -[ trivial backport to 2.6.34 ] - -sysctl_tcp_tso_win_divisor might be set to zero while one cpu runs in -tcp_tso_should_defer(). Make sure we dont allow a divide by zero by -reading sysctl_tcp_tso_win_divisor exactly once. - -Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> ---- - net/ipv4/tcp_output.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -1518,6 +1518,7 @@ static int tcp_tso_should_defer(struct s - struct tcp_sock *tp = tcp_sk(sk); - const struct inet_connection_sock *icsk = inet_csk(sk); - u32 send_win, cong_win, limit, in_flight; -+ int win_divisor; - - if (TCP_SKB_CB(skb)->flags & TCPCB_FLAG_FIN) - goto send_now; -@@ -1549,13 +1550,14 @@ static int tcp_tso_should_defer(struct s - if ((skb != tcp_write_queue_tail(sk)) && (limit >= skb->len)) - goto send_now; - -- if (sysctl_tcp_tso_win_divisor) { -+ win_divisor = ACCESS_ONCE(sysctl_tcp_tso_win_divisor); -+ if (win_divisor) { - u32 chunk = min(tp->snd_wnd, tp->snd_cwnd * tp->mss_cache); - - /* If at least some fraction of a window is available, - * just use it. - */ -- chunk /= sysctl_tcp_tso_win_divisor; -+ chunk /= win_divisor; - if (limit >= chunk) - goto send_now; - } else { diff --git a/freed-ora/current/f13/tcp-bug-fix-in-initialization-of-receive-window.patch b/freed-ora/current/f13/tcp-bug-fix-in-initialization-of-receive-window.patch deleted file mode 100644 index 241b1d78a..000000000 --- a/freed-ora/current/f13/tcp-bug-fix-in-initialization-of-receive-window.patch +++ /dev/null 
@@ -1,41 +0,0 @@
-From 18ab4520fd46404b67d415045ee5d9c4535eaacb Mon Sep 17 00:00:00 2001
-From: Nandita Dukkipati <nanditad@google.com>
-Date: Fri, 3 Dec 2010 13:33:44 +0000
-Subject: tcp: Bug fix in initialization of receive window.
-
-
-From: Nandita Dukkipati <nanditad@google.com>
-
-[ Upstream commit b1afde60f2b9ee8444fba4e012dc99a3b28d224d ]
-
-The bug has to do with boundary checks on the initial receive window.
-If the initial receive window falls between init_cwnd and the
-receive window specified by the user, the initial window is incorrectly
-brought down to init_cwnd. The correct behavior is to allow it to
-remain unchanged.
-
-Signed-off-by: Nandita Dukkipati <nanditad@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/ipv4/tcp_output.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
---- a/net/ipv4/tcp_output.c
-+++ b/net/ipv4/tcp_output.c
-@@ -237,11 +237,10 @@ void tcp_select_initial_window(int __spa
- /* when initializing use the value from init_rcv_wnd
- * rather than the default from above
- */
-- if (init_rcv_wnd &&
-- (*rcv_wnd > init_rcv_wnd * mss))
-- *rcv_wnd = init_rcv_wnd * mss;
-- else if (*rcv_wnd > init_cwnd * mss)
-- *rcv_wnd = init_cwnd * mss;
-+ if (init_rcv_wnd)
-+ *rcv_wnd = min(*rcv_wnd, init_rcv_wnd * mss);
-+ else
-+ *rcv_wnd = min(*rcv_wnd, init_cwnd * mss);
- }
-
- /* Set the clamp no higher than max representable value */
diff --git a/freed-ora/current/f13/tcp-don-t-change-unlocked-socket-state-in-tcp_v4_err.patch b/freed-ora/current/f13/tcp-don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
deleted file mode 100644
index 10e02a96d..000000000
--- a/freed-ora/current/f13/tcp-don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 34eef919139f6a7558b43576b12b40731f12f7d7 Mon Sep 17 00:00:00 2001
-From: David S. Miller <davem@davemloft.net>
-Date: Fri, 12 Nov 2010 13:35:00 -0800
-Subject: tcp: Don't change unlocked socket state in tcp_v4_err().
-
-
-From: David S. Miller <davem@davemloft.net>
-
-[ Upstream commit 8f49c2703b33519aaaccc63f571b465b9d2b3a2d ]
-
-Alexey Kuznetsov noticed a regression introduced by
-commit f1ecd5d9e7366609d640ff4040304ea197fbc618
-("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable")
-
-The RTO and timer modification code added to tcp_v4_err()
-doesn't check sock_owned_by_user(), which if true means we
-don't have exclusive access to the socket and therefore cannot
-modify it's critical state.
-
-Just skip this new code block if sock_owned_by_user() is true
-and eliminate the now superfluous sock_owned_by_user() code
-block contained within.
-
-Reported-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-CC: Damian Lukowski <damian@tvk.rwth-aachen.de>
-Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/ipv4/tcp_ipv4.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
---- a/net/ipv4/tcp_ipv4.c
-+++ b/net/ipv4/tcp_ipv4.c
-@@ -415,6 +415,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb
- !icsk->icsk_backoff)
- break;
-
-+ if (sock_owned_by_user(sk))
-+ break;
-+
- icsk->icsk_backoff--;
- inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
- icsk->icsk_backoff;
-@@ -429,11 +432,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb
- if (remaining) {
- inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
- remaining, TCP_RTO_MAX);
-- } else if (sock_owned_by_user(sk)) {
-- /* RTO revert clocked out retransmission,
-- * but socket is locked. Will defer. */
-- inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
-- HZ/20, TCP_RTO_MAX);
- } else {
- /* RTO revert clocked out retransmission.
- * Will retransmit now */
diff --git a/freed-ora/current/f13/tcp-increase-tcp_maxseg-socket-option-minimum.patch b/freed-ora/current/f13/tcp-increase-tcp_maxseg-socket-option-minimum.patch
deleted file mode 100644
index f42df415b..000000000
--- a/freed-ora/current/f13/tcp-increase-tcp_maxseg-socket-option-minimum.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 47a8c78fffc3bde1f828c9fce0aae5ae5320cfb3 Mon Sep 17 00:00:00 2001
-From: David S. Miller <davem@davemloft.net>
-Date: Wed, 10 Nov 2010 21:35:37 -0800
-Subject: tcp: Increase TCP_MAXSEG socket option minimum.
-
-
-From: David S. Miller <davem@davemloft.net>
-
-[ Upstream commit 7a1abd08d52fdeddb3e9a5a33f2f15cc6a5674d2 ]
-
-As noted by Steve Chen, since commit
-f5fff5dc8a7a3f395b0525c02ba92c95d42b7390 ("tcp: advertise MSS
-requested by user") we can end up with a situation where
-tcp_select_initial_window() does a divide by a zero (or
-even negative) mss value.
-
-The problem is that sometimes we effectively subtract
-TCPOLEN_TSTAMP_ALIGNED and/or TCPOLEN_MD5SIG_ALIGNED from the mss.
-
-Fix this by increasing the minimum from 8 to 64.
-
-Reported-by: Steve Chen <schen@mvista.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/ipv4/tcp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock
- /* Values greater than interface MTU won't take effect. However
- * at the point when this call is done we typically don't yet
- * know which interface is going to be used */
-- if (val < 8 || val > MAX_TCP_WINDOW) {
-+ if (val < 64 || val > MAX_TCP_WINDOW) {
- err = -EINVAL;
- break;
- }
diff --git a/freed-ora/current/f13/tcp-make-tcp_maxseg-minimum-more-correct.patch b/freed-ora/current/f13/tcp-make-tcp_maxseg-minimum-more-correct.patch
deleted file mode 100644
index 2d04147ce..000000000
--- a/freed-ora/current/f13/tcp-make-tcp_maxseg-minimum-more-correct.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 9f3ec7da60ef8443addc35828214f129590495f2 Mon Sep 17 00:00:00 2001
-From: David S. Miller <davem@davemloft.net>
-Date: Wed, 24 Nov 2010 11:47:22 -0800
-Subject: tcp: Make TCP_MAXSEG minimum more correct.
-
-
-From: David S. Miller <davem@davemloft.net>
-
-[ Upstream commit c39508d6f118308355468314ff414644115a07f3 ]
-
-Use TCP_MIN_MSS instead of constant 64.
-
-Reported-by: Min Zhang <mzhang@mvista.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/ipv4/tcp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock
- /* Values greater than interface MTU won't take effect. However
- * at the point when this call is done we typically don't yet
- * know which interface is going to be used */
-- if (val < 64 || val > MAX_TCP_WINDOW) {
-+ if (val < TCP_MIN_MSS || val > MAX_TCP_WINDOW) {
- err = -EINVAL;
- break;
- }
diff --git a/freed-ora/current/f13/virtio_net-add-schedule-check-to-napi_enable-call.patch b/freed-ora/current/f13/virtio_net-add-schedule-check-to-napi_enable-call.patch
new file mode 100644
index 000000000..743c41006
--- /dev/null
+++ b/freed-ora/current/f13/virtio_net-add-schedule-check-to-napi_enable-call.patch
@@ -0,0 +1,76 @@
+From 0d043d4e014306398b5aae1aebbeb9c258e2d5f1 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers <brogers@novell.com>
+Date: Thu, 10 Feb 2011 11:03:31 -0800
+Subject: [PATCH] virtio_net: Add schedule check to napi_enable call
+
+Under harsh testing conditions, including low memory, the guest would
+stop receiving packets. With this patch applied we no longer see any
+problems in the driver while performing these tests for extended periods
+of time.
+
+Make sure napi is scheduled subsequent to each napi_enable.
+
+Signed-off-by: Bruce Rogers <brogers@novell.com>
+Signed-off-by: Olaf Kirch <okir@suse.de>
+Cc: stable@kernel.org
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/virtio_net.c | 27 ++++++++++++++++-----------
+ 1 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index f5b5d74..195104d 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -448,6 +448,20 @@ static void skb_recv_done(struct virtqueue *rvq)
+ }
+ }
+
++static void virtnet_napi_enable(struct virtnet_info *vi)
++{
++ napi_enable(&vi->napi);
++
++ /* If all buffers were filled by other side before we napi_enabled, we
++ * won't get another interrupt, so process any outstanding packets
++ * now. virtnet_poll wants re-enable the queue, so we disable here.
++ * We synchronize against interrupts via NAPI_STATE_SCHED */
++ if (napi_schedule_prep(&vi->napi)) {
++ virtqueue_disable_cb(vi->rvq);
++ __napi_schedule(&vi->napi);
++ }
++}
++
+
+ static void refill_work(struct work_struct *work)
+ {
+ struct virtnet_info *vi;
+@@ -456,7 +470,7 @@ static void refill_work(struct work_struct *work)
+ vi = container_of(work, struct virtnet_info, refill.work);
+ napi_disable(&vi->napi);
+ still_empty = !try_fill_recv(vi, GFP_KERNEL);
+- napi_enable(&vi->napi);
++ virtnet_napi_enable(vi);
+
+ /* In theory, this can happen: if we don't get any buffers in
+ * we will *never* try to fill again. */
+@@ -642,16 +656,7 @@ static int virtnet_open(struct net_device *dev)
+ {
+ struct virtnet_info *vi = netdev_priv(dev);
+
+- napi_enable(&vi->napi);
+-
+- /* If all buffers were filled by other side before we napi_enabled, we
+- * won't get another interrupt, so process any outstanding packets
+- * now. virtnet_poll wants re-enable the queue, so we disable here.
+- * We synchronize against interrupts via NAPI_STATE_SCHED */
+- if (napi_schedule_prep(&vi->napi)) {
+- virtqueue_disable_cb(vi->rvq);
+- __napi_schedule(&vi->napi);
+- }
++ virtnet_napi_enable(vi);
+ return 0;
+ }
+
+--
+1.7.4.1
+
|
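Review bot: The comment inside the new `virtnet_napi_enable` helper carries over a grammatical slip from the `virtnet_open` block it replaces: `* now. virtnet_poll wants re-enable the queue, so we disable here.` should read `* now. virtnet_poll wants to re-enable the queue, so we disable here.`. Since the helper is now called from both refill_work and virtnet_open, a one-line header comment above it stating that callers must use it instead of a bare napi_enable(), because buffers filled while NAPI was disabled would otherwise never be polled, would keep the intent visible through the next backport. The hunk adds a complete patch file; the kernel.spec change that applies it is presumably elsewhere in this commit and is not visible here.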