author | Alexandre Oliva <lxoliva@fsfla.org> | 2012-11-30 10:43:22 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2012-11-30 10:43:22 +0000 |
commit | 078f34957e0242bc847c0cef61c901185c885768 (patch) | |
tree | 71dd6653621d4b50dc8402e3efa04ba290ee67e4 /freed-ora/current/f18 | |
parent | 4ffa6c169665e77ac1a9552dd37eafd2b5cf423a (diff) | |
3.6.8-1.fc18.gnu
Diffstat (limited to 'freed-ora/current/f18')
14 files changed, 473 insertions, 326 deletions
diff --git a/freed-ora/current/f18/8139cp-revert-set-ring-address-before-enabling-recei.patch b/freed-ora/current/f18/8139cp-revert-set-ring-address-before-enabling-recei.patch
new file mode 100644
index 000000000..d9ca2f2a7
--- /dev/null
+++ b/freed-ora/current/f18/8139cp-revert-set-ring-address-before-enabling-recei.patch
@@ -0,0 +1,62 @@
+From b26623dab7eeb1e9f5898c7a49458789dd492f20 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?fran=C3=A7ois=20romieu?= <romieu@fr.zoreil.com>
+Date: Wed, 21 Nov 2012 10:07:29 +0000
+Subject: [PATCH] 8139cp: revert "set ring address before enabling receiver"
+
+This patch reverts b01af4579ec41f48e9b9c774e70bd6474ad210db.
+
+The original patch was tested with emulated hardware. Real
+hardware chokes.
+
+Fixes https://bugzilla.kernel.org/show_bug.cgi?id=47041
+
+Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
+Acked-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/ethernet/realtek/8139cp.c | 22 +++++++++++----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
+index 1c81825..b01f83a 100644
+--- a/drivers/net/ethernet/realtek/8139cp.c
++++ b/drivers/net/ethernet/realtek/8139cp.c
+@@ -979,17 +979,6 @@ static void cp_init_hw (struct cp_private *cp)
+ cpw32_f (MAC0 + 0, le32_to_cpu (*(__le32 *) (dev->dev_addr + 0)));
+ cpw32_f (MAC0 + 4, le32_to_cpu (*(__le32 *) (dev->dev_addr + 4)));
+
+- cpw32_f(HiTxRingAddr, 0);
+- cpw32_f(HiTxRingAddr + 4, 0);
+-
+- ring_dma = cp->ring_dma;
+- cpw32_f(RxRingAddr, ring_dma & 0xffffffff);
+- cpw32_f(RxRingAddr + 4, (ring_dma >> 16) >> 16);
+-
+- ring_dma += sizeof(struct cp_desc) * CP_RX_RING_SIZE;
+- cpw32_f(TxRingAddr, ring_dma & 0xffffffff);
+- cpw32_f(TxRingAddr + 4, (ring_dma >> 16) >> 16);
+-
+ cp_start_hw(cp);
+ cpw8(TxThresh, 0x06); /* XXX convert magic num to a constant */
+
+@@ -1003,6 +992,17 @@ static void cp_init_hw (struct cp_private *cp)
+
+ cpw8(Config5, cpr8(Config5) & PMEStatus);
+
++ cpw32_f(HiTxRingAddr, 0);
++ cpw32_f(HiTxRingAddr + 4, 0);
++
++ ring_dma = cp->ring_dma;
++ cpw32_f(RxRingAddr, ring_dma & 0xffffffff);
++ cpw32_f(RxRingAddr + 4, (ring_dma >> 16) >> 16);
++
++ ring_dma += sizeof(struct cp_desc) * CP_RX_RING_SIZE;
++ cpw32_f(TxRingAddr, ring_dma & 0xffffffff);
++ cpw32_f(TxRingAddr + 4, (ring_dma >> 16) >> 16);
++
+ cpw16(MultiIntr, 0);
+
+ cpw8_f(Cfg9346, Cfg9346_Lock);
+--
+1.8.0
+
diff --git a/freed-ora/current/f18/SCSI-mvsas-Fix-oops-when-ata-commond-timeout.patch b/freed-ora/current/f18/SCSI-mvsas-Fix-oops-when-ata-commond-timeout.patch
new file mode 100644
index 000000000..0d83e8d03
--- /dev/null
+++ b/freed-ora/current/f18/SCSI-mvsas-Fix-oops-when-ata-commond-timeout.patch
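Review bot: The block re-added after `cp_start_hw(cp)` in `cp_init_hw`, which programs `HiTxRingAddr`, `RxRingAddr` and `TxRingAddr`, carries no comment saying that this position is deliberate, so a later cleanup could move it back and reintroduce the failure on real hardware. A comment above `cpw32_f(HiTxRingAddr, 0);` would record it, for example `/* Ring addresses are written after cp_start_hw() on purpose: real hardware fails with the other order (kernel bugzilla 47041). */`. Going by the title of the reverted commit, cp_start_hw() enables the receiver before the ring address is known to the device, so the descriptor ring presumably has to be fully initialised before this function is called; that is worth confirming against the callers, which are outside the hunk.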
@@ -0,0 +1,102 @@ +From 95ab000388974d8ffef8257306b4be6e8778b768 Mon Sep 17 00:00:00 2001 +From: Jianpeng Ma <majianpeng@gmail.com> +Date: Sat, 4 Aug 2012 10:34:14 +0800 +Subject: [PATCH] [SCSI] mvsas: Fix oops when ata commond timeout. + +Kernel message follows: + +[ 511.712011] sd 11:0:0:0: [sdf] command ffff8800a4e81400 timed out +[ 511.712022] sas: Enter sas_scsi_recover_host busy: 1 failed: 1 +[ 511.712024] sas: trying to find task 0xffff8800a4d24c80 +[ 511.712026] sas: sas_scsi_find_task: aborting task 0xffff8800a4d24c80 +[ 511.712029] drivers/scsi/mvsas/mv_sas.c 1631:mvs_abort_task() +mvi=ffff8800b5300000 task=ffff8800a4d24c80 slot=ffff8800b5325038 +slot_idx=x0 +[ 511.712035] BUG: unable to handle kernel NULL pointer dereference at +0000000000000058 +[ 511.712040] IP: [<ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30 +[ 511.712047] PGD 0 +[ 511.712049] Oops: 0002 [#1] SMP +[ 511.712052] Modules linked in: mvsas libsas scsi_transport_sas +raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq +async_tx [last unloaded: mvsas] +[ 511.712062] CPU 3 +[ 511.712066] Pid: 7322, comm: scsi_eh_11 Not tainted 3.5.0+ #106 To Be +Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M. 
+[ 511.712068] RIP: 0010:[<ffffffff815f8c0c>] [<ffffffff815f8c0c>] +_raw_spin_lock_irqsave+0xc/0x30 +[ 511.712073] RSP: 0018:ffff880098d3bcb0 EFLAGS: 00010086 +[ 511.712074] RAX: 0000000000000286 RBX: 0000000000000058 RCX: +00000000000000c3 +[ 511.712076] RDX: 0000000000000100 RSI: 0000000000000046 RDI: +0000000000000058 +[ 511.712078] RBP: ffff880098d3bcb0 R08: 000000000000000a R09: +0000000000000000 +[ 511.712080] R10: 00000000000004e8 R11: 00000000000004e7 R12: +ffff8800a4d24c80 +[ 511.712082] R13: 0000000000000050 R14: ffff8800b5325038 R15: +ffff8800a4eafe00 +[ 511.712084] FS: 0000000000000000(0000) GS:ffff8800bdb80000(0000) +knlGS:0000000000000000 +[ 511.712086] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 511.712088] CR2: 0000000000000058 CR3: 00000000a4ce6000 CR4: +00000000000407e0 +[ 511.712090] DR0: 0000000000000000 DR1: 0000000000000000 DR2: +0000000000000000 +[ 511.712091] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: +0000000000000400 +[ 511.712093] Process scsi_eh_11 (pid: 7322, threadinfo +ffff880098d3a000, task ffff8800a61dde40) +[ 511.712095] Stack: +[ 511.712096] ffff880098d3bce0 ffffffff81060683 ffff880000000000 +0000000000000000 +[ 511.712099] ffff8800a4d24c80 ffff8800b5300000 ffff880098d3bcf0 +ffffffffa0076a88 +[ 511.712102] ffff880098d3bd50 ffffffffa0079bb5 ffff880000000000 +ffff880000000018 +[ 511.712106] Call Trace: +[ 511.712110] [<ffffffff81060683>] complete+0x23/0x60 +[ 511.712115] [<ffffffffa0076a88>] mvs_tmf_timedout+0x18/0x20 [mvsas] +[ 511.712119] [<ffffffffa0079bb5>] mvs_slot_complete+0x765/0x7d0 +[mvsas] +[ 511.712125] [<ffffffffa005a17d>] sas_scsi_recover_host+0x55d/0xdb0 +[libsas] +[ 511.712128] [<ffffffff8106d600>] ? idle_balance+0xe0/0x130 +[ 511.712133] [<ffffffff813b150c>] scsi_error_handler+0xcc/0x470 +[ 511.712136] [<ffffffff815f7ad0>] ? __schedule+0x370/0x730 +[ 511.712139] [<ffffffff8105f728>] ? __wake_up_common+0x58/0x90 +[ 511.712142] [<ffffffff813b1440>] ? 
scsi_eh_get_sense+0x110/0x110 +[ 511.712146] [<ffffffff810571be>] kthread+0x8e/0xa0 +[ 511.712150] [<ffffffff816015f4>] kernel_thread_helper+0x4/0x10 +[ 511.712153] [<ffffffff81057130>] ? flush_kthread_work+0x120/0x120 +[ 511.712156] [<ffffffff816015f0>] ? gs_change+0xb/0xb +[ 511.712157] Code: 8a 00 01 00 00 89 d0 f0 66 0f b1 0f 66 39 d0 0f 94 +c0 0f b6 c0 5d c3 0f 1f 84 00 00 00 00 00 55 48 89 e5 9c 58 fa ba 00 01 +00 00 <f0> 66 0f c1 17 0f b6 ce 38 d1 74 11 0f 1f 84 00 00 00 00 00 f3 +[ 511.712191] RIP [<ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30 +[ 511.712194] RSP <ffff880098d3bcb0> +[ 511.712196] CR2: 0000000000000058 +[ 511.712198] ---[ end trace a781c7b1e65db92c ]--- + +Signed-off-by: Jianpeng Ma <majianpeng@gmail.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +--- + drivers/scsi/mvsas/mv_sas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c +index 4539d59..a3776d6 100644 +--- a/drivers/scsi/mvsas/mv_sas.c ++++ b/drivers/scsi/mvsas/mv_sas.c +@@ -1629,7 +1629,7 @@ int mvs_abort_task(struct sas_task *task) + mv_dprintk("mvs_abort_task() mvi=%p task=%p " + "slot=%p slot_idx=x%x\n", + mvi, task, slot, slot_idx); +- mvs_tmf_timedout((unsigned long)task); ++ task->task_state_flags |= SAS_TASK_STATE_ABORTED; + mvs_slot_task_free(mvi, task, slot, slot_idx); + rc = TMF_RESP_FUNC_COMPLETE; + goto out; +-- +1.8.0 + diff --git a/freed-ora/current/f18/config-powerpc64 b/freed-ora/current/f18/config-powerpc64 index ccd0e85d4..82f4c603b 100644 --- a/freed-ora/current/f18/config-powerpc64 +++ b/freed-ora/current/f18/config-powerpc64 @@ -164,6 +164,8 @@ CONFIG_PPC_ICSWX=y CONFIG_IO_EVENT_IRQ=y CONFIG_HW_RANDOM_AMD=m +CONFIG_UIO_PDRV=m + CONFIG_HW_RANDOM_PSERIES=m CONFIG_CRYPTO_DEV_NX=m diff --git a/freed-ora/current/f18/config-powerpc64p7 b/freed-ora/current/f18/config-powerpc64p7 index ef6ac78e1..e8e826a88 100644 --- a/freed-ora/current/f18/config-powerpc64p7 
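Review bot: The new `task->task_state_flags |= SAS_TASK_STATE_ABORTED;` in `mvs_abort_task` is a read-modify-write on a field that libsas protects with `task->task_state_lock`, and no lock acquisition is visible in this hunk. If the surrounding code, which is outside the hunk, does not already hold the lock at this point, the update should be bracketed with `spin_lock_irqsave(&task->task_state_lock, flags);` and `spin_unlock_irqrestore(&task->task_state_lock, flags);`. A one-line comment above the assignment would also help, saying that the flag is set directly because calling `mvs_tmf_timedout()` on this path led to the NULL-pointer oops shown in the commit message.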
+++ b/freed-ora/current/f18/config-powerpc64p7 @@ -155,6 +155,8 @@ CONFIG_PPC_ICSWX=y CONFIG_IO_EVENT_IRQ=y CONFIG_HW_RANDOM_AMD=m +CONFIG_UIO_PDRV=m + CONFIG_HW_RANDOM_PSERIES=m CONFIG_CRYPTO_DEV_NX=m diff --git a/freed-ora/current/f18/dont-call-cifs_lookup-on-hashed-negative-dentry.patch b/freed-ora/current/f18/dont-call-cifs_lookup-on-hashed-negative-dentry.patch deleted file mode 100644 index 4e25f9d20..000000000 --- a/freed-ora/current/f18/dont-call-cifs_lookup-on-hashed-negative-dentry.patch +++ /dev/null @@ -1,19 +0,0 @@ -@@ -, +, @@ - cifs_atomic_open - fs/cifs/dir.c | 6 ++++++ - 1 file changed, 6 insertions(+) ---- a/fs/cifs/dir.c -+++ a/fs/cifs/dir.c -@@ -398,6 +398,12 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry, - * in network traffic in the other paths. - */ - if (!(oflags & O_CREAT)) { -+ /* Check for hashed negative dentry. We have already revalidated -+ * the dentry and it is fine. No need to perform another lookup. -+ */ -+ if (!d_unhashed(direntry)) -+ return -ENOENT; -+ - struct dentry *res = cifs_lookup(inode, direntry, 0); - if (IS_ERR(res)) - return PTR_ERR(res); diff --git a/freed-ora/current/f18/exec-do-not-leave-bprm-interp-on-stack.patch b/freed-ora/current/f18/exec-do-not-leave-bprm-interp-on-stack.patch new file mode 100644 index 000000000..2a4b2dd28 --- /dev/null +++ b/freed-ora/current/f18/exec-do-not-leave-bprm-interp-on-stack.patch 
@@ -0,0 +1,118 @@
+From 20ae2081584450e552735a3df968ce5b5946a607 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 26 Nov 2012 08:56:37 -0500
+Subject: [PATCH 1/2] exec: do not leave bprm->interp on stack
+
+If a series of scripts are executed, each triggering module loading via
+unprintable bytes in the script header, kernel stack contents can leak
+into the command line.
+
+Normally execution of binfmt_script and binfmt_misc happens recursively.
+However, when modules are enabled, and unprintable bytes exist in the
+bprm->buf, execution will restart after attempting to load matching binfmt
+modules. Unfortunately, the logic in binfmt_script and binfmt_misc does
+not expect to get restarted. They leave bprm->interp pointing to their
+local stack. This means on restart bprm->interp is left pointing into
+unused stack memory which can then be copied into the userspace argv
+areas.
+
+After additional study, it seems that both recursion and restart remains
+the desirable way to handle exec with scripts, misc, and modules. As
+such, we need to protect the changes to interp.
+
+This changes the logic to require allocation for any changes to the
+bprm->interp. To avoid adding a new kmalloc to every exec, the default
+value is left as-is. Only when passing through binfmt_script or
+binfmt_misc does an allocation take place.
+
+For a proof of concept, see DoTest.sh from:
+http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: halfdog <me@halfdog.net>
+Cc: P J P <ppandit@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+ fs/binfmt_misc.c | 5 ++++-
+ fs/binfmt_script.c | 4 +++-
+ fs/exec.c | 15 +++++++++++++++
+ include/linux/binfmts.h | 1 +
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
+index 790b3cd..772428d 100644
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -176,7 +176,10 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ goto _error;
+ bprm->argc ++;
+
+- bprm->interp = iname; /* for binfmt_script */
++ /* Update interp in case binfmt_script needs it. */
++ retval = bprm_change_interp(iname, bprm);
++ if (retval < 0)
++ goto _error;
+
+ interp_file = open_exec (iname);
+ retval = PTR_ERR (interp_file);
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index d3b8c1f..df49d48 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -82,7 +82,9 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
+ retval = copy_strings_kernel(1, &i_name, bprm);
+ if (retval) return retval;
+ bprm->argc++;
+- bprm->interp = interp;
++ retval = bprm_change_interp(interp, bprm);
++ if (retval < 0)
++ return retval;
+
+ /*
+ * OK, now restart the process with the interpreter's dentry.
+diff --git a/fs/exec.c b/fs/exec.c
+index fab2c6d..59896ae 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1202,9 +1202,24 @@ void free_bprm(struct linux_binprm *bprm)
+ mutex_unlock(¤t->signal->cred_guard_mutex);
+ abort_creds(bprm->cred);
+ }
++ /* If a binfmt changed the interp, free it. */
++ if (bprm->interp != bprm->filename)
++ kfree(bprm->interp);
+ kfree(bprm);
+ }
+
++int bprm_change_interp(char *interp, struct linux_binprm *bprm)
++{
++ /* If a binfmt changed the interp, free it first. */
++ if (bprm->interp != bprm->filename)
++ kfree(bprm->interp);
++ bprm->interp = kstrdup(interp, GFP_KERNEL);
++ if (!bprm->interp)
++ return -ENOMEM;
++ return 0;
++}
++EXPORT_SYMBOL(bprm_change_interp);
++
+ /*
+ * install the new credentials for this executable
+ */
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index 366422b..eb53e15 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -128,6 +128,7 @@ extern int setup_arg_pages(struct linux_binprm * bprm,
+ unsigned long stack_top,
+ int executable_stack);
+ extern int bprm_mm_init(struct linux_binprm *bprm);
++extern int bprm_change_interp(char *interp, struct linux_binprm *bprm);
+ extern int copy_strings_kernel(int argc, const char *const *argv,
+ struct linux_binprm *bprm);
+ extern int prepare_bprm_creds(struct linux_binprm *bprm);
+--
+1.8.0
+
diff --git a/freed-ora/current/f18/exec-use-eloop-for-max-recursion-depth.patch b/freed-ora/current/f18/exec-use-eloop-for-max-recursion-depth.patch
new file mode 100644
index 000000000..cbaff2f7a
--- /dev/null
+++ b/freed-ora/current/f18/exec-use-eloop-for-max-recursion-depth.patch
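Review bot: `bprm_change_interp` in fs/exec.c frees the old `bprm->interp` before it calls `kstrdup`, so an allocation failure leaves the field NULL, and a caller passing the current `bprm->interp` (or a pointer into it) as `interp` would have the copy read freed memory. Both callers visible here pass a separate buffer (`iname` in load_misc_binary, `interp` in load_script), but the function is exported, so duplicating first and freeing afterwards is the safer order, as sketched below. The helper should also get a header comment stating the ownership rule that `free_bprm` depends on: `bprm->interp` is either the same pointer as `bprm->filename` (not owned) or a heap copy made by this function. Since the string is only read, the parameter could probably be `const char *interp`, with the prototype in include/linux/binfmts.h changed to match.

```c
int bprm_change_interp(char *interp, struct linux_binprm *bprm)
{
	char *copy = kstrdup(interp, GFP_KERNEL);

	if (!copy)
		return -ENOMEM;	/* bprm->interp is left untouched on failure */
	/* If a binfmt changed the interp, free the previous copy. */
	if (bprm->interp != bprm->filename)
		kfree(bprm->interp);
	bprm->interp = copy;
	return 0;
}
```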
@@ -0,0 +1,144 @@
+From 4ae8186cd77835b45f1b35edb4ce70309287bfc3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 26 Nov 2012 09:02:11 -0500
+Subject: [PATCH 2/2] exec: use -ELOOP for max recursion depth
+
+To avoid an explosion of request_module calls on a chain of abusive
+scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
+as maximum recursion depth is hit, the error will fail all the way back
+up the chain, aborting immediately.
+
+This also has the side-effect of stopping the user's shell from attempting
+to reexecute the top-level file as a shell script. As seen in the
+dash source:
+
+ if (cmd != path_bshell && errno == ENOEXEC) {
+ *argv-- = cmd;
+ *argv = cmd = path_bshell;
+ goto repeat;
+ }
+
+The above logic was designed for running scripts automatically that lacked
+the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
+things continue to behave as the shell expects.
+
+Additionally, when tracking recursion, the binfmt handlers should not be
+involved. The recursion being tracked is the depth of calls through
+search_binary_handler(), so that function should be exclusively responsible
+for tracking the depth.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: halfdog <me@halfdog.net>
+Cc: P J P <ppandit@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+ fs/binfmt_em86.c | 1 -
+ fs/binfmt_misc.c | 6 ------
+ fs/binfmt_script.c | 4 +---
+ fs/exec.c | 10 +++++-----
+ include/linux/binfmts.h | 2 --
+ 5 files changed, 6 insertions(+), 17 deletions(-)
+
+diff --git a/fs/binfmt_em86.c b/fs/binfmt_em86.c
+index 2790c7e..575796a 100644
+--- a/fs/binfmt_em86.c
++++ b/fs/binfmt_em86.c
+@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm *bprm,struct pt_regs *regs)
+ return -ENOEXEC;
+ }
+
+- bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
+index 772428d..f0f1a06 100644
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ if (!enabled)
+ goto _ret;
+
+- retval = -ENOEXEC;
+- if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
+- goto _ret;
+-
+ /* to keep locking time low, we copy the interpreter string */
+ read_lock(&entries_lock);
+ fmt = check_file(bprm);
+@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ if (retval < 0)
+ goto _error;
+
+- bprm->recursion_depth++;
+-
+ retval = search_binary_handler (bprm, regs);
+ if (retval < 0)
+ goto _error;
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index df49d48..8ae4be1 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -22,15 +22,13 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
+ char interp[BINPRM_BUF_SIZE];
+ int retval;
+
+- if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
+- (bprm->recursion_depth > BINPRM_MAX_RECURSION))
++ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
+ return -ENOEXEC;
+ /*
+ * This section does the #! interpretation.
+ * Sorta complicated, but hopefully it will work. -TYT
+ */
+
+- bprm->recursion_depth++;
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+diff --git a/fs/exec.c b/fs/exec.c
+index 59896ae..541cc51 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1398,6 +1398,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+ struct linux_binfmt *fmt;
+ pid_t old_pid, old_vpid;
+
++ /* This allows 4 levels of binfmt rewrites before failing hard.
*/ ++ if (depth > 5) ++ return -ELOOP; ++ + retval = security_bprm_check(bprm); + if (retval) + return retval; +@@ -1422,12 +1426,8 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) + if (!try_module_get(fmt->module)) + continue; + read_unlock(&binfmt_lock); ++ bprm->recursion_depth = depth + 1; + retval = fn(bprm, regs); +- /* +- * Restore the depth counter to its starting value +- * in this call, so we don't have to rely on every +- * load_binary function to restore it on return. +- */ + bprm->recursion_depth = depth; + if (retval >= 0) { + if (depth == 0) { +diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h +index eb53e15..5bab59b 100644 +--- a/include/linux/binfmts.h ++++ b/include/linux/binfmts.h +@@ -68,8 +68,6 @@ struct linux_binprm { + #define BINPRM_FLAGS_EXECFD_BIT 1 + #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT) + +-#define BINPRM_MAX_RECURSION 4 +- + /* Function parameter for binfmt->coredump */ + struct coredump_params { + long signr; +-- +1.8.0 + diff --git a/freed-ora/current/f18/kernel.spec b/freed-ora/current/f18/kernel.spec index 43ca0d201..bb694624c 100644 --- a/freed-ora/current/f18/kernel.spec +++ b/freed-ora/current/f18/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 5 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -112,7 +112,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 7 +%define stable_update 8 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly 
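Review bot: The new guard `if (depth > 5) return -ELOOP;` in `search_binary_handler` replaces the named `BINPRM_MAX_RECURSION` (removed from include/linux/binfmts.h by the same patch) with a bare literal, and its comment speaks of 4 levels while the test uses 5. How the two numbers relate depends on how `depth` is initialised, which is outside the hunk, so the comment should spell out the counting, and the limit would be easier to audit if it stayed a named constant, for instance by keeping `BINPRM_MAX_RECURSION` with its new value. The second fs/exec.c hunk also drops the comment that explained why `bprm->recursion_depth` is restored after `fn(bprm, regs)`; a short replacement such as `/* handlers run at depth + 1; restore this call's depth on return */` would keep that reasoning now that this function alone tracks the depth.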
@@ -824,12 +824,6 @@ Patch22000: weird-root-dentry-name-debug.patch #selinux ptrace child permissions Patch22001: selinux-apply-different-permission-to-ptrace-child.patch -#rhbz 846037 -Patch22067: selinux-Fix-sel_netnode_insert-suspicious-rcu-dereference.patch - -#rhbz 867344 -Patch22077: dont-call-cifs_lookup-on-hashed-negative-dentry.patch - #rhbz 869904 869909 CVE-2012-4508 Patch22080: 0001-ext4-ext4_inode_info-diet.patch Patch22081: 0002-ext4-give-i_aiodio_unwritten-a-more-appropriate-name.patch @@ -847,7 +841,6 @@ Patch22091: 0012-ext4-serialize-fallocate-with-ext4_convert_unwritten.patch Patch22100: uprobes-upstream-backport.patch #rhbz 871078 -Patch22110: usb-audio-fix-crash-at-re-preparing-the-PCM-stream.patch Patch22111: USB-EHCI-urb-hcpriv-should-not-be-NULL.patch Patch22112: USB-report-submission-of-active-URBs.patch @@ -857,9 +850,6 @@ Patch22113: smp_irq_move_cleanup_interrupt.patch #rhbz 873001 Patch22114: iwlwifi-remove-queue-empty-warn-3.6.patch -#rhbz 870562 -Patch22115: keyspan.patch - #rhbz 812129 Patch22120: block-fix-a-crash-when-block-device-is.patch Patch22121: blockdev-turn-a-rw-semaphore-into-a-percpu-rw-sem.patch @@ -874,6 +864,16 @@ Patch21226: vt-Drop-K_OFF-for-VC_MUTE.patch #rhbz CVE-2012-4461 862900 878518 Patch21227: KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch +#rhbz CVE-2012-4530 868285 880147 +Patch21228: exec-do-not-leave-bprm-interp-on-stack.patch +Patch21229: exec-use-eloop-for-max-recursion-depth.patch + +#rhbz 869629 +Patch21230: SCSI-mvsas-Fix-oops-when-ata-commond-timeout.patch + +#rhbz 851278 +Patch21232: 8139cp-revert-set-ring-address-before-enabling-recei.patch + # END OF PATCH DEFINITIONS %endif 
@@ -1651,12 +1651,6 @@ ApplyPatch weird-root-dentry-name-debug.patch #selinux ptrace child permissions ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch -#rhbz 846037 -ApplyPatch selinux-Fix-sel_netnode_insert-suspicious-rcu-dereference.patch - -#rhbz 867344 -ApplyPatch dont-call-cifs_lookup-on-hashed-negative-dentry.patch - #rhbz 869904 869909 CVE-2012-4508 ApplyPatch 0001-ext4-ext4_inode_info-diet.patch ApplyPatch 0002-ext4-give-i_aiodio_unwritten-a-more-appropriate-name.patch @@ -1674,7 +1668,6 @@ ApplyPatch 0012-ext4-serialize-fallocate-with-ext4_convert_unwritten.patch ApplyPatch uprobes-upstream-backport.patch #rhbz 871078 -ApplyPatch usb-audio-fix-crash-at-re-preparing-the-PCM-stream.patch ApplyPatch USB-EHCI-urb-hcpriv-should-not-be-NULL.patch ApplyPatch USB-report-submission-of-active-URBs.patch @@ -1684,9 +1677,6 @@ ApplyPatch smp_irq_move_cleanup_interrupt.patch #rhbz 873001 ApplyPatch iwlwifi-remove-queue-empty-warn-3.6.patch -#rhbz 870562 -ApplyPatch keyspan.patch - #rhbz 812129 ApplyPatch block-fix-a-crash-when-block-device-is.patch ApplyPatch blockdev-turn-a-rw-semaphore-into-a-percpu-rw-sem.patch @@ -1701,6 +1691,16 @@ ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch #rhbz CVE-2012-4461 862900 878518 ApplyPatch KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch +#rhbz CVE-2012-4530 868285 880147 +ApplyPatch exec-do-not-leave-bprm-interp-on-stack.patch +ApplyPatch exec-use-eloop-for-max-recursion-depth.patch + +#rhbz 869629 +ApplyPatch SCSI-mvsas-Fix-oops-when-ata-commond-timeout.patch + +#rhbz 851278 +ApplyPatch 8139cp-revert-set-ring-address-before-enabling-recei.patch + # END OF PATCH APPLICATIONS %endif 
@@ -2577,6 +2577,19 @@ fi # ||----w | # || || %changelog +* Tue Nov 27 2012 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 3.6.8-gnu + +* Mon Nov 26 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.8-1 +- Linux v3.6.8 + +* Mon Nov 26 2012 Josh Boyer <jwboyer@redhat.com> +- Fix regression in 8139cp driver, debugged by William J. Eaton (rhbz 851278) +- Fix ACPI video after _DOD errors (rhbz 869383) +- Fix ata command timeout oops in mvsas (rhbz 869629) +- Enable CONFIG_UIO_PDRV on ppc64 (rhbz 878180) +- CVE-2012-4530: stack disclosure binfmt_script load_script (rhbz 868285 880147) + * Tue Nov 20 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.7-5 - CVE-2012-4461: kvm: invalid opcode oops on SET_SREGS with OSXSAVE bit set (rhbz 878518 862900) - Add VC_MUTE ioctl (rhbz 859485) diff --git a/freed-ora/current/f18/keyspan.patch b/freed-ora/current/f18/keyspan.patch deleted file mode 100644 index 43d116ea4..000000000 --- a/freed-ora/current/f18/keyspan.patch +++ /dev/null @@ -1,98 +0,0 @@ - -Delivered-To: jwboyer@gmail.com
-Received: by 10.58.186.240 with SMTP id fn16csp155256vec;
- Sat, 10 Nov 2012 01:14:20 -0800 (PST)
-Received: by 10.68.130.197 with SMTP id og5mr40733607pbb.138.1352538859530;
- Sat, 10 Nov 2012 01:14:19 -0800 (PST)
-Return-Path: <stable-owner@vger.kernel.org>
-Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
- by mx.google.com with ESMTP id pj1si1353832pbc.115.2012.11.10.01.14.15;
- Sat, 10 Nov 2012 01:14:19 -0800 (PST)
-Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
-Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S1750798Ab2KJJOO (ORCPT <rfc822;crquan@gmail.com> + 33 others);
- Sat, 10 Nov 2012 04:14:14 -0500
-Received: from canardo.mork.no ([148.122.252.1]:37367 "EHLO canardo.mork.no"
- rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
- id S1750699Ab2KJJOM (ORCPT <rfc822;stable@vger.kernel.org>);
- Sat, 10 Nov 2012 04:14:12 -0500
-Received: from nemi.mork.no (nemi.mork.no [IPv6:2001:4620:9:2:216:eaff:feb3:788])
- (authenticated bits=0)
- by canardo.mork.no (8.14.3/8.14.3) with ESMTP id qAA9E1cX010750
- (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT);
- Sat, 10 Nov 2012 10:14:02 +0100
-Received: from bjorn by nemi.mork.no with local (Exim 4.80)
- (envelope-from <bjorn@nemi.mork.no>)
- id 1TX78a-0007Li-AD; Sat, 10 Nov 2012 10:14:00 +0100
-From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
-To: Richard <richjunk@pacbell.net>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
- linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
- =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>,
- <stable@vger.kernel.org>, Johan Hovold <jhovold@gmail.com>
-Subject: [PATCH usb-linus] USB: keyspan: fix typo causing GPF on open
-Date: Sat, 10 Nov 2012 10:13:42 +0100
-Message-Id: <1352538822-28221-1-git-send-email-bjorn@mork.no>
-X-Mailer: git-send-email 1.7.10.4
-In-Reply-To: <509D5BCD.3010901@pacbell.net>
-References: <509D5BCD.3010901@pacbell.net>
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-X-Virus-Scanned: clamav-milter 0.97.6 at canardo
-X-Virus-Status: Clean
-Sender: stable-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <stable.vger.kernel.org>
-X-Mailing-List: stable@vger.kernel.org
-
-Commit f79b2d0f (USB: keyspan: fix NULL-pointer dereferences and
-memory leaks) had a small typo which made the driver use wrong
-offsets when mapping serial port private data. This results in
-in a GPF when the port is opened.
-
-Reported-by: Richard <richjunk@pacbell.net>
-Cc: <stable@vger.kernel.org>
-Cc: Johan Hovold <jhovold@gmail.com>
-Signed-off-by: Bjørn Mork <bjorn@mork.no>
----
-Hello Richard,
-
-I wonder if you are able to test and verify this? I do not guarantee
-that there aren't other issues around, but this small typo looked like
-an obvious killer...
-
-Bjørn
-
- drivers/usb/serial/keyspan.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
-index 7179b0c..cff8dd5 100644
---- a/drivers/usb/serial/keyspan.c
-+++ b/drivers/usb/serial/keyspan.c
-@@ -2430,7 +2430,7 @@ static void keyspan_release(struct usb_serial *serial)
- static int keyspan_port_probe(struct usb_serial_port *port)
- {
- struct usb_serial *serial = port->serial;
-- struct keyspan_port_private *s_priv;
-+ struct keyspan_serial_private *s_priv;
- struct keyspan_port_private *p_priv;
- const struct keyspan_device_details *d_details;
- struct callbacks *cback;
-@@ -2445,7 +2445,6 @@ static int keyspan_port_probe(struct usb_serial_port *port)
- if (!p_priv)
- return -ENOMEM;
-
-- s_priv = usb_get_serial_data(port->serial);
- p_priv->device_details = d_details;
-
- /* Setup values for the various callback routines */
---
-1.7.10.4
-
---
-To unsubscribe from this list: send the line "unsubscribe stable" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/freed-ora/current/f18/patch-3.6-gnu-3.6.7-gnu.xz.sign b/freed-ora/current/f18/patch-3.6-gnu-3.6.7-gnu.xz.sign deleted file mode 100644 index 14d4a0cd2..000000000 --- a/freed-ora/current/f18/patch-3.6-gnu-3.6.7-gnu.xz.sign +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.18 (GNU/Linux) - -iEYEABECAAYFAlCoSBEACgkQvLfPh359R6cxRQCdGO9IGrzh6oUJNL56cO7x5Q4s -t5MAmwcdMPV9Rzw6uOSZtcvNkXM9r5gu -=cEgI ------END PGP SIGNATURE----- diff --git a/freed-ora/current/f18/patch-3.6-gnu-3.6.8-gnu.xz.sign b/freed-ora/current/f18/patch-3.6-gnu-3.6.8-gnu.xz.sign new file mode 100644 index 000000000..e59af1940 --- /dev/null +++ b/freed-ora/current/f18/patch-3.6-gnu-3.6.8-gnu.xz.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.18 (GNU/Linux) + +iEYEABECAAYFAlC0sEsACgkQvLfPh359R6cXTwCfTmw6Op/cVGzYZaXn91H6iyOA +gwEAnjJx/Cvwo9Fp7pmiVBaWgxdS93oB +=cAzr +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f18/selinux-Fix-sel_netnode_insert-suspicious-rcu-dereference.patch b/freed-ora/current/f18/selinux-Fix-sel_netnode_insert-suspicious-rcu-dereference.patch deleted file mode 100644 index 43fddf73d..000000000 --- a/freed-ora/current/f18/selinux-Fix-sel_netnode_insert-suspicious-rcu-dereference.patch +++ /dev/null 
@@ -1,54 +0,0 @@
-From: Dave Jones <>
-Subject: Fix sel_netnode_insert suspicious rcu dereference.
-
-
-I reported this a year ago (https://lkml.org/lkml/2011/4/20/308).
-It's still a problem apparently ...
-
-===============================
-[ INFO: suspicious RCU usage. ]
-3.5.0-rc1+ #63 Not tainted
--------------------------------
-security/selinux/netnode.c:178 suspicious rcu_dereference_check() usage!
-other info that might help us debug this:
-
-
-rcu_scheduler_active = 1, debug_locks = 0
-1 lock held by trinity-child1/8750:
- #0: (sel_netnode_lock){+.....}, at: [<ffffffff812d8f8a>] sel_netnode_sid+0x16a/0x3e0
-stack backtrace:
-Pid: 8750, comm: trinity-child1 Not tainted 3.5.0-rc1+ #63
-Call Trace:
- [<ffffffff810cec2d>] lockdep_rcu_suspicious+0xfd/0x130
- [<ffffffff812d91d1>] sel_netnode_sid+0x3b1/0x3e0
- [<ffffffff812d8e20>] ? sel_netnode_find+0x1a0/0x1a0
- [<ffffffff812d24a6>] selinux_socket_bind+0xf6/0x2c0
- [<ffffffff810cd1dd>] ? trace_hardirqs_off+0xd/0x10
- [<ffffffff810cdb55>] ? lock_release_holdtime.part.9+0x15/0x1a0
- [<ffffffff81093841>] ? lock_hrtimer_base+0x31/0x60
- [<ffffffff812c9536>] security_socket_bind+0x16/0x20
- [<ffffffff815550ca>] sys_bind+0x7a/0x100
- [<ffffffff816c03d5>] ? sysret_check+0x22/0x5d
- [<ffffffff810d392d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
- [<ffffffff8133b09e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
- [<ffffffff816c03a9>] system_call_fastpath+0x16/0x1b
-This patch below does what Paul McKenney suggested in the previous thread.
-
-Signed-off-by: Dave Jones <davej@redhat.com>
-
-diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
-index 28f911c..c5454c0 100644
---- a/security/selinux/netnode.c
-+++ b/security/selinux/netnode.c
-@@ -174,7 +174,8 @@ static void sel_netnode_insert(struct sel_netnode *node)
- if (sel_netnode_hash[idx].size == SEL_NETNODE_HASH_BKT_LIMIT) {
- struct sel_netnode *tail;
- tail = list_entry(
-- rcu_dereference(sel_netnode_hash[idx].list.prev),
-+ rcu_dereference_protected(sel_netnode_hash[idx].list.prev,
-+ lockdep_is_held(&sel_netnode_lock)),
- struct sel_netnode, list);
- list_del_rcu(&tail->list);
- kfree_rcu(tail, rcu);
-
-
diff --git a/freed-ora/current/f18/sources b/freed-ora/current/f18/sources
index 13501444c..31ffbc561 100644
--- a/freed-ora/current/f18/sources
+++ b/freed-ora/current/f18/sources
@@ -1,2 +1,2 @@
 a2312edd0265b5b07bd4b50afae2b380 linux-libre-3.6-gnu.tar.xz
-a4e642180c7d757a642175fe32e4a264 patch-3.6-gnu-3.6.7-gnu.xz
+3f4d630f49a12079598a3601dd2adb24 patch-3.6-gnu-3.6.8-gnu.xz
diff --git a/freed-ora/current/f18/usb-audio-fix-crash-at-re-preparing-the-PCM-stream.patch b/freed-ora/current/f18/usb-audio-fix-crash-at-re-preparing-the-PCM-stream.patch
deleted file mode 100644
index 9f3e6f993..000000000
--- a/freed-ora/current/f18/usb-audio-fix-crash-at-re-preparing-the-PCM-stream.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-At Thu, 08 Nov 2012 08:31:35 +0100,
-Daniel Mack wrote:
-(snip)
-> >> We can't simply stop both endpoints in the prepare callback.
-> >
-> > The new function doesn't stop the stream by itself but it just syncs
-> > if the stream is being stopped beforehand. So, it's safe to call it
-> > there.
-> >
-> > Maybe the name was confusing. It should have been like
-> > snd_usb_endpoint_sync_pending_stop() or such.
->
-> Ah, right. I was errornously looking closer to Alan's patch but then
-> replied to yours. Alright then - thanks for explaining :)
-
-OK, thanks for checking.
-
-FWIW, below is the patch I applied now to for-linus branch.
-Renamed the function, added the comment and put NULL check to the
-function to simplify.
-
-
-Takashi
-
----
-From: Takashi Iwai <tiwai@suse.de>
-Subject: [PATCH] ALSA: usb-audio: Fix crash at re-preparing the PCM stream
-
-There are bug reports of a crash with USB-audio devices when PCM
-prepare is performed immediately after the stream is stopped via
-trigger callback. It turned out that the problem is that we don't
-wait until all URBs are killed.
-
-This patch adds a new function to synchronize the pending stop
-operation on an endpoint, and calls in the prepare callback for
-avoiding the crash above.
-
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=49181
-
-Reported-and-tested-by: Artem S. Tashkinov <t.artem@lycos.com>
-Cc: <stable@vger.kernel.org> [v3.6]
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/usb/endpoint.c | 13 +++++++++++++
- sound/usb/endpoint.h | 1 +
- sound/usb/pcm.c | 3 +++
- 3 files changed, 17 insertions(+)
-
-diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
-index 7f78c6d..34de6f2 100644
---- a/sound/usb/endpoint.c
-+++ b/sound/usb/endpoint.c
-@@ -35,6 +35,7 @@
-
- #define EP_FLAG_ACTIVATED 0
- #define EP_FLAG_RUNNING 1
-+#define EP_FLAG_STOPPING 2
-
- /*
- * snd_usb_endpoint is a model that abstracts everything related to an
-@@ -502,10 +503,20 @@ static int wait_clear_urbs(struct snd_usb_endpoint *ep)
- if (alive)
- snd_printk(KERN_ERR "timeout: still %d active urbs on EP #%x\n",
- alive, ep->ep_num);
-+ clear_bit(EP_FLAG_STOPPING, &ep->flags);
-
- return 0;
- }
-
-+/* sync the pending stop operation;
-+ * this function itself doesn't trigger the stop operation
-+ */
-+void snd_usb_endpoint_sync_pending_stop(struct snd_usb_endpoint *ep)
-+{
-+ if (ep && test_bit(EP_FLAG_STOPPING, &ep->flags))
-+ wait_clear_urbs(ep);
-+}
-+
- /*
- * unlink active urbs.
- */
-@@ -918,6 +929,8 @@ void snd_usb_endpoint_stop(struct snd_usb_endpoint *ep,
-
- if (wait)
- wait_clear_urbs(ep);
-+ else
-+ set_bit(EP_FLAG_STOPPING, &ep->flags);
- }
- }
-
-diff --git a/sound/usb/endpoint.h b/sound/usb/endpoint.h
-index 6376ccf..3d4c970 100644
---- a/sound/usb/endpoint.h
-+++ b/sound/usb/endpoint.h
-@@ -19,6 +19,7 @@ int snd_usb_endpoint_set_params(struct snd_usb_endpoint *ep,
- int snd_usb_endpoint_start(struct snd_usb_endpoint *ep, int can_sleep);
- void snd_usb_endpoint_stop(struct snd_usb_endpoint *ep,
- int force, int can_sleep, int wait);
-+void snd_usb_endpoint_sync_pending_stop(struct snd_usb_endpoint *ep);
- int snd_usb_endpoint_activate(struct snd_usb_endpoint *ep);
- int snd_usb_endpoint_deactivate(struct snd_usb_endpoint *ep);
- void snd_usb_endpoint_free(struct list_head *head);
-diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
-index 37428f7..5c12a3f 100644
---- a/sound/usb/pcm.c
-+++ b/sound/usb/pcm.c
-@@ -552,6 +552,9 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream)
- goto unlock;
- }
-
-+ snd_usb_endpoint_sync_pending_stop(subs->sync_endpoint);
-+ snd_usb_endpoint_sync_pending_stop(subs->data_endpoint);
-+
- /* some unit conversions in runtime */
- subs->data_endpoint->maxframesize =
- bytes_to_frames(runtime, subs->data_endpoint->maxpacksize);
---
-1.8.0
-
-
---
-To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
-Please read the FAQ at http://www.tux.org/lkml/ |