author | Alexandre Oliva <lxoliva@fsfla.org> | 2013-03-16 11:42:26 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2013-03-16 11:42:26 +0000 |
commit | 98ef17ad82aa655e437a3730386db13c7f36dd27 (patch) | |
tree | df58db0ebb9eb27dd3e204f41d1fc602a3bc91dc /freed-ora/current/f18 | |
parent | ef7a5287ec647173665c0d300efe5f879b8652bc (diff) | |
3.8.3-201.fc18.gnu
Diffstat (limited to 'freed-ora/current/f18')
21 files changed, 1261 insertions, 1355 deletions
diff --git a/freed-ora/current/f18/Input-cypress_ps2-fix-trackpadi-found-in-Dell-XPS12.patch b/freed-ora/current/f18/Input-cypress_ps2-fix-trackpadi-found-in-Dell-XPS12.patch
new file mode 100644
index 000000000..15abce521
--- /dev/null
+++ b/freed-ora/current/f18/Input-cypress_ps2-fix-trackpadi-found-in-Dell-XPS12.patch
@@ -0,0 +1,71 @@ +From 81bb5d31fbf3893a8e041c649dea704dd11d5272 Mon Sep 17 00:00:00 2001 +From: Kamal Mostafa <kamal@canonical.com> +Date: Thu, 21 Feb 2013 11:55:05 -0800 +Subject: [PATCH] Input: cypress_ps2 - fix trackpadi found in Dell XPS12 + +Avoid firmware glitch in Cypress PS/2 Trackpad firmware version 11 +(as observed in Dell XPS12) which prevents driver from recognizing +the trackpad. + +BugLink: http://launchpad.net/bugs/1103594 + +Signed-off-by: Kamal Mostafa <kamal@canonical.com> +Cc: Dudley Du <dudl@cypress.com> +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +--- + drivers/input/mouse/cypress_ps2.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/mouse/cypress_ps2.c b/drivers/input/mouse/cypress_ps2.c +index 1673dc6..f51765f 100644 +--- a/drivers/input/mouse/cypress_ps2.c ++++ b/drivers/input/mouse/cypress_ps2.c +@@ -236,6 +236,13 @@ static int cypress_read_fw_version(struct psmouse *psmouse) + cytp->fw_version = param[2] & FW_VERSION_MASX; + cytp->tp_metrics_supported = (param[2] & TP_METRICS_MASK) ? 1 : 0; + ++ /* ++ * Trackpad fw_version 11 (in Dell XPS12) yields a bogus response to ++ * CYTP_CMD_READ_TP_METRICS so do not try to use it. LP: #1103594. ++ */ ++ if (cytp->fw_version >= 11) ++ cytp->tp_metrics_supported = 0; ++ + psmouse_dbg(psmouse, "cytp->fw_version = %d\n", cytp->fw_version); + psmouse_dbg(psmouse, "cytp->tp_metrics_supported = %d\n", + cytp->tp_metrics_supported); +@@ -258,6 +265,9 @@ static int cypress_read_tp_metrics(struct psmouse *psmouse) + cytp->tp_res_x = cytp->tp_max_abs_x / cytp->tp_width; + cytp->tp_res_y = cytp->tp_max_abs_y / cytp->tp_high; + ++ if (!cytp->tp_metrics_supported) ++ return 0; ++ + memset(param, 0, sizeof(param)); + if (cypress_send_ext_cmd(psmouse, CYTP_CMD_READ_TP_METRICS, param) == 0) { + /* Update trackpad parameters. 
*/ +@@ -315,18 +325,15 @@ static int cypress_read_tp_metrics(struct psmouse *psmouse) + + static int cypress_query_hardware(struct psmouse *psmouse) + { +- struct cytp_data *cytp = psmouse->private; + int ret; + + ret = cypress_read_fw_version(psmouse); + if (ret) + return ret; + +- if (cytp->tp_metrics_supported) { +- ret = cypress_read_tp_metrics(psmouse); +- if (ret) +- return ret; +- } ++ ret = cypress_read_tp_metrics(psmouse); ++ if (ret) ++ return ret; + + return 0; + } +-- +1.8.1.2 + diff --git a/freed-ora/current/f18/TTY-do-not-reset-master-s-packet-mode.patch b/freed-ora/current/f18/TTY-do-not-reset-master-s-packet-mode.patch new file mode 100644 index 000000000..633bfcf46 --- /dev/null +++ b/freed-ora/current/f18/TTY-do-not-reset-master-s-packet-mode.patch 
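Review bot: The new check in cypress_read_fw_version() is `if (cytp->fw_version >= 11)`, but the comment above it only reports a bogus CYTP_CMD_READ_TP_METRICS response for firmware version 11, so the comment and the condition disagree about versions above 11. If disabling metrics for every later firmware is deliberate, the comment should say so, e.g. `/* fw_version 11 and later are treated as affected until shown otherwise */`; if not, the test should be `== 11`. In cypress_read_tp_metrics() the added `if (!cytp->tp_metrics_supported) return 0;` sits after the tp_res_x/tp_res_y divisions, which relies on tp_width and tp_high already holding non-zero defaults; the lines that set them are outside the hunk, so that is worth confirming. Both function bodies extend beyond the hunks shown.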
@@ -0,0 +1,63 @@ +From b81273a132177edd806476b953f6afeb17b786d5 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby <jslaby@suse.cz> +Date: Tue, 15 Jan 2013 23:26:22 +0100 +Subject: [PATCH] TTY: do not reset master's packet mode + +Now that login from util-linux is forced to drop all references to a +TTY which it wants to hangup (to reach reference count 1) we are +seeing issues with telnet. When login closes its last reference to the +slave PTY, it also resets packet mode on the *master* side. And we +have a race here. + +What telnet does is fork+exec of `login'. Then there are two +scenarios: +* `login' closes the slave TTY and resets thus master's packet mode, + but even now telnet properly sets the mode, or +* `telnetd' sets packet mode on the master, `login' closes the slave + TTY and resets master's packet mode. + +The former case is OK. However the latter happens in much more cases, +by the order of magnitude to be precise. So when one tries to login to +such a messed telnet setup, they see the following: +inux login: + ogin incorrect + +Note the missing first letters -- telnet thinks it is still in the +packet mode, so when it receives "linux login" from `login', it +considers "l" as the type of the packet and strips it. + +SuS does not mention how the implementation should behave. Both BSDs I +checked (Free and Net) do not reset the flag upon the last close. + +By this I am resurrecting an old bug, see References. We are hitting +it regularly now, i.e. with updated util-linux, ergo login. + +Here, I am changing a behavior introduced back in 2.1 times. It would +better have a long time testing before goes upstream. 
+ +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Cc: Mauro Carvalho Chehab <mchehab@redhat.com> +Cc: Bryan Mason <bmason@redhat.com> +References: https://lkml.org/lkml/2009/11/11/223 +References: https://bugzilla.redhat.com/show_bug.cgi?id=504703 +References: https://bugzilla.novell.com/show_bug.cgi?id=797042 +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/tty/pty.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index 4ec11f3..40ff2bf 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -47,7 +47,6 @@ static void pty_close(struct tty_struct *tty, struct file *filp) + /* Review - krefs on tty_link ?? */ + if (!tty->link) + return; +- tty->link->packet = 0; + set_bit(TTY_OTHER_CLOSED, &tty->link->flags); + wake_up_interruptible(&tty->link->read_wait); + wake_up_interruptible(&tty->link->write_wait); +-- +1.8.1.2 + diff --git a/freed-ora/current/f18/VMX-x86-handle-host-TSC-calibration-failure.patch b/freed-ora/current/f18/VMX-x86-handle-host-TSC-calibration-failure.patch new file mode 100644 index 000000000..6b6ddd2d2 --- /dev/null +++ b/freed-ora/current/f18/VMX-x86-handle-host-TSC-calibration-failure.patch @@ -0,0 +1,58 @@ +@@ -, +, @@ + VMX: x86: handle host TSC calibration failure + + If the host TSC calibration fails, tsc_khz is zero (see tsc_init.c). + Handle such case properly in KVM (instead of dividing by zero). + + https://bugzilla.redhat.com/show_bug.cgi?id=859282 + + Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> + 
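Review bot: Removing `tty->link->packet = 0;` from pty_close() leaves no trace in the code of why the master's packet mode now survives the slave's last close, and the patch description itself says the change reverts long-standing behaviour and needs extended testing. A short comment at the removal site would keep the reset from being reintroduced, for example `/* packet mode belongs to the master; do not clear it when the slave closes */`. A master that is reused across sessions and relied on the old reset would now keep receiving packet-mode control bytes until it clears TIOCPKT itself; that is inferred from the description, not visible in the hunk. pty_close() begins and ends outside the hunk.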
Signed-off-by: Gleb Natapov <gleb@redhat.com> +--- a/arch/x86/kvm/x86.c ++++ a/arch/x86/kvm/x86.c +@@ -1079,6 +1079,10 @@ static void kvm_set_tsc_khz(struct kvm_vcpu *vcpu, u32 this_tsc_khz) + u32 thresh_lo, thresh_hi; + int use_scaling = 0; + ++ /* tsc_khz can be zero if TSC calibration fails */ ++ if (this_tsc_khz == 0) ++ return; ++ + /* Compute a scale to convert nanoseconds in TSC cycles */ + kvm_get_time_scale(this_tsc_khz, NSEC_PER_SEC / 1000, + &vcpu->arch.virtual_tsc_shift, +@@ -1156,20 +1160,23 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr) + ns = get_kernel_ns(); + elapsed = ns - kvm->arch.last_tsc_nsec; + +- /* n.b - signed multiplication and division required */ +- usdiff = data - kvm->arch.last_tsc_write; ++ if (vcpu->arch.virtual_tsc_khz) { ++ /* n.b - signed multiplication and division required */ ++ usdiff = data - kvm->arch.last_tsc_write; + #ifdef CONFIG_X86_64 +- usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz; ++ usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz; + #else +- /* do_div() only does unsigned */ +- asm("idivl %2; xor %%edx, %%edx" +- : "=A"(usdiff) +- : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz)); ++ /* do_div() only does unsigned */ ++ asm("idivl %2; xor %%edx, %%edx" ++ : "=A"(usdiff) ++ : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz)); + #endif +- do_div(elapsed, 1000); +- usdiff -= elapsed; +- if (usdiff < 0) +- usdiff = -usdiff; ++ do_div(elapsed, 1000); ++ usdiff -= elapsed; ++ if (usdiff < 0) ++ usdiff = -usdiff; ++ } else ++ usdiff = USEC_PER_SEC; /* disable TSC match window below */ + + /* + * Special case: TSC write with a small delta (1 second) of virtual diff --git a/freed-ora/current/f18/amd64_edac_fix_rank_count.patch b/freed-ora/current/f18/amd64_edac_fix_rank_count.patch new file mode 100644 index 000000000..eb58f0d03 --- /dev/null +++ b/freed-ora/current/f18/amd64_edac_fix_rank_count.patch 
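Review bot: The new `if (vcpu->arch.virtual_tsc_khz)` guard in kvm_write_tsc() rules out a zero divisor only; on the 32-bit path `idivl` also raises a divide error when the quotient of `usdiff * 1000` by virtual_tsc_khz does not fit in 32 bits. `usdiff` is computed from `data - kvm->arch.last_tsc_write`, and `data` appears to come from the MSR write being handled, so its magnitude is probably not bounded by the host. Consider bounding the delta before the division and falling back to the same `usdiff = USEC_PER_SEC;` used for the zero case, or using a 64-bit signed division helper such as `div_s64()` in place of the inline asm. Separately, the `} else` branch should carry braces to match the braced `if` body. Both functions continue outside the hunks.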
@@ -0,0 +1,182 @@ +From 56ba4c93d909ef9dfab4f1101a8c3bf75bc4cdab Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab <mchehab@redhat.com> +Date: Mon, 11 Mar 2013 08:19:52 -0400 +Subject: [PATCH EDAC] edac: merge mci.mem_is_per_rank with mci.csbased + +Both mci.mem_is_per_rank and mci.csbased have the same meaning: +the memory controller is csrows based. Merge both fields into one. + +There's no need for the driver to actually fill it, as the core +detectsi it by checking if one of the layes has the csrows type +as part of the memory hierarchy: + + if (layers[i].type == EDAC_MC_LAYER_CHIP_SELECT) + per_rank = true; +... + mci->csbased = per_rank; + +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> + +From 2b6018dbd206e4af16edcfb80497b73105e97803 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab <mchehab@redhat.com> +Date: Mon, 11 Mar 2013 08:18:24 -0400 +Subject: [PATCH EDAC] amd64_edac: Correct dimm sizes + +We were filling the csrow size with a wrong value. 16a528ee3975 ("EDAC: +Fix csrow size reported in sysfs") tried to address the issue. It fixed +the report with the old API but not with the new one. Correct it for the +new API too. 
+ +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Signed-off-by: Borislav Petkov <bp@suse.de> +diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c +index ad8bf2a..10ed0c7 100644 +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -2148,12 +2148,18 @@ static int init_csrows(struct mem_ctl_info *mci) + edac_dbg(1, "MC node: %d, csrow: %d\n", + pvt->mc_node_id, i); + +- if (row_dct0) ++ if (row_dct0) { + nr_pages = amd64_csrow_nr_pages(pvt, 0, i); ++ csrow->channels[0]->dimm->nr_pages = nr_pages; ++ } + + /* K8 has only one DCT */ +- if (boot_cpu_data.x86 != 0xf && row_dct1) +- nr_pages += amd64_csrow_nr_pages(pvt, 1, i); ++ if (boot_cpu_data.x86 != 0xf && row_dct1) { ++ int row_dct1_pages = amd64_csrow_nr_pages(pvt, 1, i); ++ ++ csrow->channels[1]->dimm->nr_pages = row_dct1_pages; ++ nr_pages += row_dct1_pages; ++ } + + mtype = amd64_determine_memory_type(pvt, i); + +@@ -2172,9 +2178,7 @@ static int init_csrows(struct mem_ctl_info *mci) + dimm = csrow->channels[j]->dimm; + dimm->mtype = mtype; + dimm->edac_mode = edac_mode; +- dimm->nr_pages = nr_pages; + } +- csrow->nr_pages = nr_pages; + } + + return empty; +@@ -2519,7 +2523,6 @@ static int amd64_init_one_instance(struct pci_dev *F2) + + mci->pvt_info = pvt; + mci->pdev = &pvt->F2->dev; +- mci->csbased = 1; + + setup_mci_misc_attrs(mci, fam_type); + +diff --git a/drivers/edac/edac_mc.c b/drivers/edac/edac_mc.c +index cdb81aa..27e86d9 100644 +--- a/drivers/edac/edac_mc.c ++++ b/drivers/edac/edac_mc.c +@@ -86,7 +86,7 @@ static void edac_mc_dump_dimm(struct dimm_info *dimm, int number) + edac_dimm_info_location(dimm, location, sizeof(location)); + + edac_dbg(4, "%s%i: %smapped as virtual row %d, chan %d\n", +- dimm->mci->mem_is_per_rank ? "rank" : "dimm", ++ dimm->mci->csbased ? 
"rank" : "dimm", + number, location, dimm->csrow, dimm->cschannel); + edac_dbg(4, " dimm = %p\n", dimm); + edac_dbg(4, " dimm->label = '%s'\n", dimm->label); +@@ -341,7 +341,7 @@ struct mem_ctl_info *edac_mc_alloc(unsigned mc_num, + memcpy(mci->layers, layers, sizeof(*layer) * n_layers); + mci->nr_csrows = tot_csrows; + mci->num_cschannel = tot_channels; +- mci->mem_is_per_rank = per_rank; ++ mci->csbased = per_rank; + + /* + * Alocate and fill the csrow/channels structs +@@ -1235,7 +1235,7 @@ void edac_mc_handle_error(const enum hw_event_mc_err_type type, + * incrementing the compat API counters + */ + edac_dbg(4, "%s csrows map: (%d,%d)\n", +- mci->mem_is_per_rank ? "rank" : "dimm", ++ mci->csbased ? "rank" : "dimm", + dimm->csrow, dimm->cschannel); + if (row == -1) + row = dimm->csrow; +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index 4f4b613..6ab4a50 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -180,9 +180,6 @@ static ssize_t csrow_size_show(struct device *dev, + int i; + u32 nr_pages = 0; + +- if (csrow->mci->csbased) +- return sprintf(data, "%u\n", PAGES_TO_MiB(csrow->nr_pages)); +- + for (i = 0; i < csrow->nr_channels; i++) + nr_pages += csrow->channels[i]->dimm->nr_pages; + return sprintf(data, "%u\n", PAGES_TO_MiB(nr_pages)); +@@ -612,7 +609,7 @@ static int edac_create_dimm_object(struct mem_ctl_info *mci, + device_initialize(&dimm->dev); + + dimm->dev.parent = &mci->dev; +- if (mci->mem_is_per_rank) ++ if (mci->csbased) + dev_set_name(&dimm->dev, "rank%d", index); + else + dev_set_name(&dimm->dev, "dimm%d", index); +@@ -778,14 +775,10 @@ static ssize_t mci_size_mb_show(struct device *dev, + for (csrow_idx = 0; csrow_idx < mci->nr_csrows; csrow_idx++) { + struct csrow_info *csrow = mci->csrows[csrow_idx]; + +- if (csrow->mci->csbased) { +- total_pages += csrow->nr_pages; +- } else { +- for (j = 0; j < csrow->nr_channels; j++) { +- struct dimm_info *dimm = csrow->channels[j]->dimm; ++ for 
(j = 0; j < csrow->nr_channels; j++) { ++ struct dimm_info *dimm = csrow->channels[j]->dimm; + +- total_pages += dimm->nr_pages; +- } ++ total_pages += dimm->nr_pages; + } + } + +diff --git a/include/linux/edac.h b/include/linux/edac.h +index 4fd4999..0b76327 100644 +--- a/include/linux/edac.h ++++ b/include/linux/edac.h +@@ -561,7 +561,6 @@ struct csrow_info { + + u32 ue_count; /* Uncorrectable Errors for this csrow */ + u32 ce_count; /* Correctable Errors for this csrow */ +- u32 nr_pages; /* combined pages count of all channels */ + + struct mem_ctl_info *mci; /* the parent */ + +@@ -676,11 +675,11 @@ struct mem_ctl_info { + * sees memory sticks ("dimms"), and the ones that sees memory ranks. + * All old memory controllers enumerate memories per rank, but most + * of the recent drivers enumerate memories per DIMM, instead. +- * When the memory controller is per rank, mem_is_per_rank is true. ++ * When the memory controller is per rank, csbased is true. + */ + unsigned n_layers; + struct edac_mc_layer *layers; +- bool mem_is_per_rank; ++ bool csbased; + + /* + * DIMM info. Will eventually remove the entire csrows_info some day +@@ -741,8 +740,6 @@ struct mem_ctl_info { + u32 fake_inject_ue; + u16 fake_inject_count; + #endif +- __u8 csbased : 1, /* csrow-based memory controller */ +- __resv : 7; + }; + + #endif diff --git a/freed-ora/current/f18/arm-alignment-faults.patch b/freed-ora/current/f18/arm-alignment-faults.patch deleted file mode 100644 index d386a5c3e..000000000 --- a/freed-ora/current/f18/arm-alignment-faults.patch +++ /dev/null 
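Review bot: The added `csrow->channels[1]->dimm->nr_pages = row_dct1_pages;` in init_csrows() indexes the second channel without anything in the hunk showing that the csrow was allocated with at least two channels. If that is guaranteed by the layer sizes passed to edac_mc_alloc() (not visible here), a comment such as `/* channel n of a csrow is backed by DCT n */` would record the assumption; otherwise the branch needs a `csrow->nr_channels > 1` check. Note also that csrow_size_show() and mci_size_mb_show() now always sum dimm->nr_pages and the `nr_pages` member of struct csrow_info is removed, so any other driver that still fills `csrow->nr_pages` would no longer build; none is visible in this patch. init_csrows() starts and ends outside the hunk.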
@@ -1,127 +0,0 @@ - arch/arm/kernel/traps.c | 34 +++++++--------------------------- - arch/arm/mm/alignment.c | 11 ++++------- - 2 files changed, 11 insertions(+), 34 deletions(-) - -diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c -index b0179b8..62f429e 100644 ---- a/arch/arm/kernel/traps.c -+++ b/arch/arm/kernel/traps.c -@@ -89,17 +89,8 @@ static void dump_mem(const char *lvl, const char *str, unsigned long bottom, - unsigned long top) - { - unsigned long first; -- mm_segment_t fs; - int i; - -- /* -- * We need to switch to kernel mode so that we can use __get_user -- * to safely read from kernel space. Note that we now dump the -- * code first, just in case the backtrace kills us. -- */ -- fs = get_fs(); -- set_fs(KERNEL_DS); -- - printk("%s%s(0x%08lx to 0x%08lx)\n", lvl, str, bottom, top); - - for (first = bottom & ~31; first < top; first += 32) { -@@ -112,7 +103,7 @@ static void dump_mem(const char *lvl, const char *str, unsigned long bottom, - for (p = first, i = 0; i < 8 && p < top; i++, p += 4) { - if (p >= bottom && p < top) { - unsigned long val; -- if (__get_user(val, (unsigned long *)p) == 0) -+ if (probe_kernel_address(p, val) == 0) - sprintf(str + i * 9, " %08lx", val); - else - sprintf(str + i * 9, " ????????"); -@@ -120,8 +111,6 @@ static void dump_mem(const char *lvl, const char *str, unsigned long bottom, - } - printk("%s%04lx:%s\n", lvl, first & 0xffff, str); - } -- -- set_fs(fs); - } - - static void dump_instr(const char *lvl, struct pt_regs *regs) -@@ -129,25 +118,18 @@ static void dump_instr(const char *lvl, struct pt_regs *regs) - unsigned long addr = instruction_pointer(regs); - const int thumb = thumb_mode(regs); - const int width = thumb ? 4 : 8; -- mm_segment_t fs; - char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; - int i; - -- /* -- * We need to switch to kernel mode so that we can use __get_user -- * to safely read from kernel space. Note that we now dump the -- * code first, just in case the backtrace kills us. 
-- */ -- fs = get_fs(); -- set_fs(KERNEL_DS); -- - for (i = -4; i < 1 + !!thumb; i++) { - unsigned int val, bad; - -- if (thumb) -- bad = __get_user(val, &((u16 *)addr)[i]); -- else -- bad = __get_user(val, &((u32 *)addr)[i]); -+ if (thumb) { -+ u16 instr; -+ bad = probe_kernel_address(addr, instr); -+ val = instr; -+ } else -+ bad = probe_kernel_address(addr, val); - - if (!bad) - p += sprintf(p, i == 0 ? "(%0*x) " : "%0*x ", -@@ -158,8 +140,6 @@ static void dump_instr(const char *lvl, struct pt_regs *regs) - } - } - printk("%sCode: %s\n", lvl, str); -- -- set_fs(fs); - } - - #ifdef CONFIG_ARM_UNWIND -diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c -index b9f60eb..f8f14fc 100644 ---- a/arch/arm/mm/alignment.c -+++ b/arch/arm/mm/alignment.c -@@ -749,7 +749,6 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) - unsigned long instr = 0, instrptr; - int (*handler)(unsigned long addr, unsigned long instr, struct pt_regs *regs); - unsigned int type; -- mm_segment_t fs; - unsigned int fault; - u16 tinstr = 0; - int isize = 4; -@@ -760,16 +759,15 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) - - instrptr = instruction_pointer(regs); - -- fs = get_fs(); -- set_fs(KERNEL_DS); - if (thumb_mode(regs)) { -- fault = __get_user(tinstr, (u16 *)(instrptr & ~1)); -+ unsigned long ptr = instrptr; -+ fault = probe_kernel_address(ptr, tinstr); - if (!fault) { - if (cpu_architecture() >= CPU_ARCH_ARMv7 && - IS_T32(tinstr)) { - /* Thumb-2 32-bit */ - u16 tinst2 = 0; -- fault = __get_user(tinst2, (u16 *)(instrptr+2)); -+ fault = probe_kernel_address(ptr + 2, tinst2); - instr = (tinstr << 16) | tinst2; - thumb2_32b = 1; - } else { -@@ -778,8 +776,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) - } - } - } else -- fault = __get_user(instr, (u32 *)instrptr); -- set_fs(fs); -+ fault = probe_kernel_address(instrptr, instr); - - if (fault) { - type = TYPE_FAULT; 
diff --git a/freed-ora/current/f18/cfg80211-mac80211-disconnect-on-suspend.patch b/freed-ora/current/f18/cfg80211-mac80211-disconnect-on-suspend.patch
new file mode 100644
index 000000000..940ac2cc4
--- /dev/null
+++ b/freed-ora/current/f18/cfg80211-mac80211-disconnect-on-suspend.patch
@@ -0,0 +1,227 @@ +From ad3a7b84092599eef931bce4de54e18e47612f9f Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka <sgruszka@redhat.com> +Date: Thu, 28 Feb 2013 09:55:25 +0000 +Subject: [PATCH] cfg80211/mac80211: disconnect on suspend + +If possible that after suspend, cfg80211 will receive request to +disconnect what require action on interface that was removed during +suspend. + +Problem can manifest itself by various warnings similar to below one: + +WARNING: at net/mac80211/driver-ops.h:12 ieee80211_bss_info_change_notify+0x2f9/0x300 [mac80211]() +wlan0: Failed check-sdata-in-driver check, flags: 0x4 +Call Trace: + [<c043e0b3>] warn_slowpath_fmt+0x33/0x40 + [<f83707c9>] ieee80211_bss_info_change_notify+0x2f9/0x300 [mac80211] + [<f83a660a>] ieee80211_recalc_ps_vif+0x2a/0x30 [mac80211] + [<f83a6706>] ieee80211_set_disassoc+0xf6/0x500 [mac80211] + [<f83a9441>] ieee80211_mgd_deauth+0x1f1/0x280 [mac80211] + [<f8381b36>] ieee80211_deauth+0x16/0x20 [mac80211] + [<f8261e70>] cfg80211_mlme_down+0x70/0xc0 [cfg80211] + [<f8264de1>] __cfg80211_disconnect+0x1b1/0x1d0 [cfg80211] + +To fix the problem disconnect from any associated network before +suspend. User space is responsible to establish connection again +after resume. This basically need to be done by user space anyway, +because associated stations can go away during suspend (for example +NetworkManager disconnects on suspend and connect on resume by default). + +Patch also handle situation when driver refuse to suspend with wowlan +configured and try to suspend again without it. 
+ +Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +--- + net/mac80211/pm.c | 2 +- + net/wireless/core.c | 73 +++++++++++++++++++++++++++---------------------- + net/wireless/core.h | 3 ++ + net/wireless/rdev-ops.h | 7 +++-- + net/wireless/sysfs.c | 25 +++++++++++++---- + 5 files changed, 69 insertions(+), 41 deletions(-) + +diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c +index 79a48f3..ce4f973 100644 +--- a/net/mac80211/pm.c ++++ b/net/mac80211/pm.c +@@ -92,7 +92,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan) + return err; + } else if (err > 0) { + WARN_ON(err != 1); +- local->wowlan = false; ++ return err; + } else { + list_for_each_entry(sdata, &local->interfaces, list) { + cancel_work_sync(&sdata->work); +diff --git a/net/wireless/core.c b/net/wireless/core.c +index b677eab..66cc98d 100644 +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -806,6 +806,46 @@ void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev, + rdev->num_running_monitor_ifaces += num; + } + ++void cfg80211_leave(struct cfg80211_registered_device *rdev, ++ struct wireless_dev *wdev) ++{ ++ struct net_device *dev = wdev->netdev; ++ ++ switch (wdev->iftype) { ++ case NL80211_IFTYPE_ADHOC: ++ cfg80211_leave_ibss(rdev, dev, true); ++ break; ++ case NL80211_IFTYPE_P2P_CLIENT: ++ case NL80211_IFTYPE_STATION: ++ mutex_lock(&rdev->sched_scan_mtx); ++ __cfg80211_stop_sched_scan(rdev, false); ++ mutex_unlock(&rdev->sched_scan_mtx); ++ ++ wdev_lock(wdev); ++#ifdef CONFIG_CFG80211_WEXT ++ kfree(wdev->wext.ie); ++ wdev->wext.ie = NULL; ++ wdev->wext.ie_len = 0; ++ wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC; ++#endif ++ __cfg80211_disconnect(rdev, dev, ++ WLAN_REASON_DEAUTH_LEAVING, true); ++ cfg80211_mlme_down(rdev, dev); ++ wdev_unlock(wdev); ++ break; ++ case NL80211_IFTYPE_MESH_POINT: ++ cfg80211_leave_mesh(rdev, dev); ++ break; ++ case NL80211_IFTYPE_AP: ++ 
cfg80211_stop_ap(rdev, dev); ++ break; ++ default: ++ break; ++ } ++ ++ wdev->beacon_interval = 0; ++} ++ + static int cfg80211_netdev_notifier_call(struct notifier_block *nb, + unsigned long state, + void *ndev) +@@ -874,38 +914,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb, + dev->priv_flags |= IFF_DONT_BRIDGE; + break; + case NETDEV_GOING_DOWN: +- switch (wdev->iftype) { +- case NL80211_IFTYPE_ADHOC: +- cfg80211_leave_ibss(rdev, dev, true); +- break; +- case NL80211_IFTYPE_P2P_CLIENT: +- case NL80211_IFTYPE_STATION: +- mutex_lock(&rdev->sched_scan_mtx); +- __cfg80211_stop_sched_scan(rdev, false); +- mutex_unlock(&rdev->sched_scan_mtx); +- +- wdev_lock(wdev); +-#ifdef CONFIG_CFG80211_WEXT +- kfree(wdev->wext.ie); +- wdev->wext.ie = NULL; +- wdev->wext.ie_len = 0; +- wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC; +-#endif +- __cfg80211_disconnect(rdev, dev, +- WLAN_REASON_DEAUTH_LEAVING, true); +- cfg80211_mlme_down(rdev, dev); +- wdev_unlock(wdev); +- break; +- case NL80211_IFTYPE_MESH_POINT: +- cfg80211_leave_mesh(rdev, dev); +- break; +- case NL80211_IFTYPE_AP: +- cfg80211_stop_ap(rdev, dev); +- break; +- default: +- break; +- } +- wdev->beacon_interval = 0; ++ cfg80211_leave(rdev, wdev); + break; + case NETDEV_DOWN: + cfg80211_update_iface_num(rdev, wdev->iftype, -1); +diff --git a/net/wireless/core.h b/net/wireless/core.h +index 3563097..49d79d9 100644 +--- a/net/wireless/core.h ++++ b/net/wireless/core.h +@@ -481,6 +481,9 @@ int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev, + void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev, + enum nl80211_iftype iftype, int num); + ++void cfg80211_leave(struct cfg80211_registered_device *rdev, ++ struct wireless_dev *wdev); ++ + #define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10 + + #ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS +diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h +index 6c0c819..08e4145 100644 +--- 
a/net/wireless/rdev-ops.h ++++ b/net/wireless/rdev-ops.h +@@ -6,11 +6,12 @@ + #include "core.h" + #include "trace.h" + +-static inline int rdev_suspend(struct cfg80211_registered_device *rdev) ++static inline int rdev_suspend(struct cfg80211_registered_device *rdev, ++ struct cfg80211_wowlan *wowlan) + { + int ret; +- trace_rdev_suspend(&rdev->wiphy, rdev->wowlan); +- ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan); ++ trace_rdev_suspend(&rdev->wiphy, wowlan); ++ ret = rdev->ops->suspend(&rdev->wiphy, wowlan); + trace_rdev_return_int(&rdev->wiphy, ret); + return ret; + } +diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c +index 1f6f01e..a6a108b 100644 +--- a/net/wireless/sysfs.c ++++ b/net/wireless/sysfs.c +@@ -83,6 +83,14 @@ static int wiphy_uevent(struct device *dev, struct kobj_uevent_env *env) + return 0; + } + ++static void cfg80211_leave_all(struct cfg80211_registered_device *rdev) ++{ ++ struct wireless_dev *wdev; ++ ++ list_for_each_entry(wdev, &rdev->wdev_list, list) ++ cfg80211_leave(rdev, wdev); ++} ++ + static int wiphy_suspend(struct device *dev, pm_message_t state) + { + struct cfg80211_registered_device *rdev = dev_to_rdev(dev); +@@ -90,12 +98,19 @@ static int wiphy_suspend(struct device *dev, pm_message_t state) + + rdev->suspend_at = get_seconds(); + +- if (rdev->ops->suspend) { +- rtnl_lock(); +- if (rdev->wiphy.registered) +- ret = rdev_suspend(rdev); +- rtnl_unlock(); ++ rtnl_lock(); ++ if (rdev->wiphy.registered) { ++ if (!rdev->wowlan) ++ cfg80211_leave_all(rdev); ++ if (rdev->ops->suspend) ++ ret = rdev_suspend(rdev, rdev->wowlan); ++ if (ret == 1) { ++ /* Driver refuse to configure wowlan */ ++ cfg80211_leave_all(rdev); ++ ret = rdev_suspend(rdev, NULL); ++ } + } ++ rtnl_unlock(); + + return ret; + } +-- +1.8.1.2 + diff --git a/freed-ora/current/f18/config-arm-versatile b/freed-ora/current/f18/config-arm-versatile deleted file mode 100644 index 758a78c76..000000000 --- a/freed-ora/current/f18/config-arm-versatile +++ /dev/null 
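Review bot: In wiphy_suspend() the retry is taken only for `if (ret == 1)`, while __ieee80211_suspend() now does `WARN_ON(err != 1); return err;` for any positive value, so a driver returning a different positive code with wowlan configured would have it passed straight back from the PM callback without the interfaces being disconnected. Testing `if (ret > 0) {` would make the fallback cover that case. The meaning of a positive return from the suspend op (wowlan refused, retry with NULL) is only implied by these two sites; a comment on rdev_suspend() stating it would help. wiphy_suspend() begins outside the hunk, so the initial value of `ret` is not visible.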
@@ -1,102 +0,0 @@ -CONFIG_ARCH_VEXPRESS=y -CONFIG_ARCH_VEXPRESS_CA9X4=y -CONFIG_ARCH_VEXPRESS_DT=y -CONFIG_PLAT_VERSATILE_CLCD=y -CONFIG_PLAT_VERSATILE_SCHED_CLOCK=y -CONFIG_PLAT_VERSATILE=y -CONFIG_ARM_TIMER_SP804=y - -CONFIG_CPU_V7=y -CONFIG_CPU_32v6K=y -CONFIG_CPU_32v7=y -CONFIG_CPU_ABRT_EV7=y -CONFIG_CPU_PABRT_V7=y -CONFIG_CPU_CACHE_V7=y -CONFIG_CPU_CACHE_VIPT=y -CONFIG_CPU_COPY_V6=y -CONFIG_CPU_TLB_V7=y -CONFIG_CPU_HAS_ASID=y -CONFIG_CPU_CP15=y -CONFIG_CPU_CP15_MMU=y -CONFIG_CPU_HAS_PMU=y - -# Need to verify whether these are generic or vexpress specific -CONFIG_ARM_AMBA=y - -CONFIG_VFP=y -CONFIG_VFPv3=y - -CONFIG_CPUSETS=y -# CONFIG_THUMB2_AVOID_R_ARM_THM_JUMP11 is not set -# CONFIG_THUMB2_KERNEL is not set -CONFIG_TICK_ONESHOT=y - -CONFIG_ARM_ASM_UNIFIED=y -CONFIG_ARM_CPU_TOPOLOGY=y -CONFIG_ARM_DMA_MEM_BUFFERABLE=y - -CONFIG_ARM_ERRATA_720789=y -CONFIG_ARM_ERRATA_751472=y -CONFIG_ARM_ERRATA_753970=y - -CONFIG_ARM_GIC=y -CONFIG_ARM_L1_CACHE_SHIFT=5 - -CONFIG_ARM_THUMB=y -CONFIG_ARM_TIMER_SP804=y -CONFIG_ARM_UNWIND=y - -CONFIG_FB=y -CONFIG_FB_ARMCLCD=y -CONFIG_FB_CFB_COPYAREA=y -CONFIG_FB_CFB_FILLRECT=y -CONFIG_FB_CFB_IMAGEBLIT=y - -CONFIG_TOUCHSCREEN_ADS7846=m - -CONFIG_CMDLINE="console=ttyAM0,115200 root=/dev/sda1 rootdelay=20" - -CONFIG_SERIO_AMBAKMI=m -CONFIG_SERIAL_AMBA_PL011=y -CONFIG_SERIAL_AMBA_PL011_CONSOLE=y - -CONFIG_FB_ARMCLCD=m - -CONFIG_MMC_ARMMMCI=y -CONFIG_MMC_DW=m -# CONFIG_MMC_DW_IDMAC is not set - -# CONFIG_ARM_CHARLCD is not set -CONFIG_PL330_DMA=y -CONFIG_RTC_DRV_PL030=y -CONFIG_RTC_DRV_PL031=y - -CONFIG_I2C_VERSATILE=m - -CONFIG_OC_ETM=y - -CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA=y -CONFIG_ARM_THUMBEE=y -CONFIG_SWP_EMULATE=y -# CONFIG_CPU_BPREDICT_DISABLE is not set -CONFIG_CACHE_L2X0=y -CONFIG_ARM_ERRATA_430973=y -CONFIG_ARM_ERRATA_458693=y -CONFIG_ARM_ERRATA_460075=y -CONFIG_PL310_ERRATA_588369=y -CONFIG_PL310_ERRATA_727915=y -CONFIG_ARM_ERRATA_743622=y -CONFIG_ARM_ERRATA_754322=y -CONFIG_PL310_ERRATA_769419=y -CONFIG_NEON=y 
-CONFIG_PATA_PLATFORM=m -CONFIG_PATA_OF_PLATFORM=m -# CONFIG_NET_VENDOR_BROADCOM is not set - -# unset on versatille for jon masters -# CONFIG_GPIOLIB is not set -# CONFIG_ARCH_MULTI_V4 is not set -# CONFIG_ARCH_MULTI_V4T is not set -# CONFIG_ARCH_MULTI_V6 is not set -# CONFIG_DRM_EXYNOS is not set - diff --git a/freed-ora/current/f18/crypto-user-fix-info-leaks-in-report-API.patch b/freed-ora/current/f18/crypto-user-fix-info-leaks-in-report-API.patch deleted file mode 100644 index 1b64e1844..000000000 --- a/freed-ora/current/f18/crypto-user-fix-info-leaks-in-report-API.patch +++ /dev/null 
@@ -1,223 +0,0 @@ -From 9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6 Mon Sep 17 00:00:00 2001 -From: Mathias Krause <minipli@googlemail.com> -Date: Tue, 5 Feb 2013 18:19:13 +0100 -Subject: [PATCH] crypto: user - fix info leaks in report API - -Three errors resulting in kernel memory disclosure: - -1/ The structures used for the netlink based crypto algorithm report API -are located on the stack. As snprintf() does not fill the remainder of -the buffer with null bytes, those stack bytes will be disclosed to users -of the API. Switch to strncpy() to fix this. - -2/ crypto_report_one() does not initialize all field of struct -crypto_user_alg. Fix this to fix the heap info leak. - -3/ For the module name we should copy only as many bytes as -module_name() returns -- not as much as the destination buffer could -hold. But the current code does not and therefore copies random data -from behind the end of the module name, as the module name is always -shorter than CRYPTO_MAX_ALG_NAME. - -Also switch to use strncpy() to copy the algorithm's name and -driver_name. They are strings, after all. 
- -Signed-off-by: Mathias Krause <minipli@googlemail.com> -Cc: Steffen Klassert <steffen.klassert@secunet.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> ---- - crypto/ablkcipher.c | 12 ++++++------ - crypto/aead.c | 9 ++++----- - crypto/ahash.c | 2 +- - crypto/blkcipher.c | 6 +++--- - crypto/crypto_user.c | 22 +++++++++++----------- - crypto/pcompress.c | 3 +-- - crypto/rng.c | 2 +- - crypto/shash.c | 3 ++- - 8 files changed, 29 insertions(+), 30 deletions(-) - -diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c -index 533de95..7d4a8d2 100644 ---- a/crypto/ablkcipher.c -+++ b/crypto/ablkcipher.c -@@ -388,9 +388,9 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_blkcipher rblkcipher; - -- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "ablkcipher"); -- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s", -- alg->cra_ablkcipher.geniv ?: "<default>"); -+ strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type)); -+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>", -+ sizeof(rblkcipher.geniv)); - - rblkcipher.blocksize = alg->cra_blocksize; - rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; -@@ -469,9 +469,9 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_blkcipher rblkcipher; - -- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "givcipher"); -- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s", -- alg->cra_ablkcipher.geniv ?: "<built-in>"); -+ strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type)); -+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>", -+ sizeof(rblkcipher.geniv)); - - rblkcipher.blocksize = alg->cra_blocksize; - rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; -diff --git a/crypto/aead.c b/crypto/aead.c -index 4d04e12..547491e 100644 ---- a/crypto/aead.c -+++ b/crypto/aead.c -@@ -117,9 +117,8 @@ static int 
crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg) - struct crypto_report_aead raead; - struct aead_alg *aead = &alg->cra_aead; - -- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "aead"); -- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", -- aead->geniv ?: "<built-in>"); -+ strncpy(raead.type, "aead", sizeof(raead.type)); -+ strncpy(raead.geniv, aead->geniv ?: "<built-in>", sizeof(raead.geniv)); - - raead.blocksize = alg->cra_blocksize; - raead.maxauthsize = aead->maxauthsize; -@@ -203,8 +202,8 @@ static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg) - struct crypto_report_aead raead; - struct aead_alg *aead = &alg->cra_aead; - -- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "nivaead"); -- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", aead->geniv); -+ strncpy(raead.type, "nivaead", sizeof(raead.type)); -+ strncpy(raead.geniv, aead->geniv, sizeof(raead.geniv)); - - raead.blocksize = alg->cra_blocksize; - raead.maxauthsize = aead->maxauthsize; -diff --git a/crypto/ahash.c b/crypto/ahash.c -index 3887856..793a27f 100644 ---- a/crypto/ahash.c -+++ b/crypto/ahash.c -@@ -404,7 +404,7 @@ static int crypto_ahash_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_hash rhash; - -- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "ahash"); -+ strncpy(rhash.type, "ahash", sizeof(rhash.type)); - - rhash.blocksize = alg->cra_blocksize; - rhash.digestsize = __crypto_hash_alg_common(alg)->digestsize; -diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c -index e9e7244..a79e7e9 100644 ---- a/crypto/blkcipher.c -+++ b/crypto/blkcipher.c -@@ -499,9 +499,9 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_blkcipher rblkcipher; - -- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "blkcipher"); -- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s", -- alg->cra_blkcipher.geniv ?: "<default>"); -+ strncpy(rblkcipher.type, "blkcipher", 
sizeof(rblkcipher.type)); -+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>", -+ sizeof(rblkcipher.geniv)); - - rblkcipher.blocksize = alg->cra_blocksize; - rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize; -diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c -index 35d700a..f6d9baf 100644 ---- a/crypto/crypto_user.c -+++ b/crypto/crypto_user.c -@@ -75,7 +75,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_cipher rcipher; - -- snprintf(rcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "cipher"); -+ strncpy(rcipher.type, "cipher", sizeof(rcipher.type)); - - rcipher.blocksize = alg->cra_blocksize; - rcipher.min_keysize = alg->cra_cipher.cia_min_keysize; -@@ -94,8 +94,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_comp rcomp; - -- snprintf(rcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "compression"); -- -+ strncpy(rcomp.type, "compression", sizeof(rcomp.type)); - if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS, - sizeof(struct crypto_report_comp), &rcomp)) - goto nla_put_failure; -@@ -108,12 +107,14 @@ nla_put_failure: - static int crypto_report_one(struct crypto_alg *alg, - struct crypto_user_alg *ualg, struct sk_buff *skb) - { -- memcpy(&ualg->cru_name, &alg->cra_name, sizeof(ualg->cru_name)); -- memcpy(&ualg->cru_driver_name, &alg->cra_driver_name, -- sizeof(ualg->cru_driver_name)); -- memcpy(&ualg->cru_module_name, module_name(alg->cra_module), -- CRYPTO_MAX_ALG_NAME); -- -+ strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name)); -+ strncpy(ualg->cru_driver_name, alg->cra_driver_name, -+ sizeof(ualg->cru_driver_name)); -+ strncpy(ualg->cru_module_name, module_name(alg->cra_module), -+ sizeof(ualg->cru_module_name)); -+ -+ ualg->cru_type = 0; -+ ualg->cru_mask = 0; - ualg->cru_flags = alg->cra_flags; - ualg->cru_refcnt = atomic_read(&alg->cra_refcnt); - -@@ -122,8 +123,7 @@ static int crypto_report_one(struct crypto_alg *alg, - 
if (alg->cra_flags & CRYPTO_ALG_LARVAL) { - struct crypto_report_larval rl; - -- snprintf(rl.type, CRYPTO_MAX_ALG_NAME, "%s", "larval"); -- -+ strncpy(rl.type, "larval", sizeof(rl.type)); - if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL, - sizeof(struct crypto_report_larval), &rl)) - goto nla_put_failure; -diff --git a/crypto/pcompress.c b/crypto/pcompress.c -index 04e083f..7140fe7 100644 ---- a/crypto/pcompress.c -+++ b/crypto/pcompress.c -@@ -53,8 +53,7 @@ static int crypto_pcomp_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_comp rpcomp; - -- snprintf(rpcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "pcomp"); -- -+ strncpy(rpcomp.type, "pcomp", sizeof(rpcomp.type)); - if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS, - sizeof(struct crypto_report_comp), &rpcomp)) - goto nla_put_failure; -diff --git a/crypto/rng.c b/crypto/rng.c -index f3b7894..e0a25c2 100644 ---- a/crypto/rng.c -+++ b/crypto/rng.c -@@ -65,7 +65,7 @@ static int crypto_rng_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_rng rrng; - -- snprintf(rrng.type, CRYPTO_MAX_ALG_NAME, "%s", "rng"); -+ strncpy(rrng.type, "rng", sizeof(rrng.type)); - - rrng.seedsize = alg->cra_rng.seedsize; - -diff --git a/crypto/shash.c b/crypto/shash.c -index f426330f..929058a 100644 ---- a/crypto/shash.c -+++ b/crypto/shash.c -@@ -530,7 +530,8 @@ static int crypto_shash_report(struct sk_buff *skb, struct crypto_alg *alg) - struct crypto_report_hash rhash; - struct shash_alg *salg = __crypto_shash_alg(alg); - -- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "shash"); -+ strncpy(rhash.type, "shash", sizeof(rhash.type)); -+ - rhash.blocksize = alg->cra_blocksize; - rhash.digestsize = salg->digestsize; - --- -1.8.1.2 - diff --git a/freed-ora/current/f18/dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch b/freed-ora/current/f18/dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch deleted file mode 100644 index f105a7e6a..000000000 
--- a/freed-ora/current/f18/dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Ben Hutchings <ben@decadent.org.uk> -Subject: dmi_scan: fix missing check for _DMI_ signature in smbios_present() - -Commit 9f9c9cbb6057 ('drivers/firmware/dmi_scan.c: fetch dmi version from -SMBIOS if it exists') hoisted the check for "_DMI_" into -dmi_scan_machine(), which means that we don't bother to check for "_DMI_" -at offset 16 in an SMBIOS entry. smbios_present() may also call -dmi_present() for an address where we found "_SM_", if it failed further -validation. - -Check for "_DMI_" in smbios_present() before calling dmi_present(). - -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> -Reported-by: Tim McGrath <tmhikaru@gmail.com> -Tested-by: Tim Mcgrath <tmhikaru@gmail.com> -Cc: Zhenzhong Duan <zhenzhong.duan@oracle.com> -Cc: <stable@vger.kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> ---- - - drivers/firmware/dmi_scan.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff -puN drivers/firmware/dmi_scan.c~dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present drivers/firmware/dmi_scan.c ---- a/drivers/firmware/dmi_scan.c~dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present -+++ a/drivers/firmware/dmi_scan.c -@@ -442,7 +442,6 @@ static int __init dmi_present(const char - static int __init smbios_present(const char __iomem *p) - { - u8 buf[32]; -- int offset = 0; - - memcpy_fromio(buf, p, 32); - if ((buf[5] < 32) && dmi_checksum(buf, buf[5])) { -@@ -461,9 +460,9 @@ static int __init smbios_present(const c - dmi_ver = 0x0206; - break; - } -- offset = 16; -+ return memcmp(p + 16, "_DMI_", 5) || dmi_present(p + 16); - } -- return dmi_present(buf + offset); -+ return 1; - } - - void __init dmi_scan_machine(void) -_ 
diff --git a/freed-ora/current/f18/drm-i915-bounds-check-execbuffer-relocation-count.patch b/freed-ora/current/f18/drm-i915-bounds-check-execbuffer-relocation-count.patch
new file mode 100644
index 000000000..a6c9d4b12
--- /dev/null
+++ b/freed-ora/current/f18/drm-i915-bounds-check-execbuffer-relocation-count.patch
@@ -0,0 +1,51 @@
+From e896e9dde50fd9a44cbbed205cc0beb869e2193b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+Subject: [PATCH] drm/i915: bounds check execbuffer relocation count
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Pinkie Pie
+Cc: stable@vger.kernel.org
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index 26d08bb..7adf5a7 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -706,15 +706,20 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ int count)
+ {
+ int i;
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+
+ for (i = 0; i < count; i++) {
+ char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ int length; /* limited by fault_in_pages_readable() */
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
+--
+1.8.1.2
+
diff --git a/freed-ora/current/f18/efi-fixes-3.8.patch b/freed-ora/current/f18/efi-fixes-3.8.patch
deleted file mode 100644
index f53dac078..000000000
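Review bot: In the added guard of validate_exec_list(), `exec[i].relocation_count > relocs_max - relocs_total` compares a user-supplied count against two `int` counters, so the check is sound only because `relocs_total` can never exceed `relocs_max` and the right-hand side stays non-negative. The field's type is not visible in this hunk; if it is unsigned, the comparison is carried out in unsigned arithmetic and a negative difference would wrap to a very large limit instead of rejecting the request. Declaring the counters as `unsigned int relocs_total = 0;` and `unsigned int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);` keeps the same bound (so `length` still fits an `int`) and removes the mixed-sign comparison; a one-line comment stating the invariant `relocs_total <= relocs_max` would also help the next reader. The body of validate_exec_list() continues past the end of the hunk, so how `length` is consumed afterwards cannot be checked from here.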
--- a/freed-ora/current/f18/efi-fixes-3.8.patch +++ /dev/null 
@@ -1,736 +0,0 @@ -From 27857f8a3240e35c61dedb88cbdbfbaabbd8ad2b Mon Sep 17 00:00:00 2001 -From: Seiji Aguchi <seiji.aguchi@hds.com> -Date: Tue, 12 Feb 2013 12:59:07 -0800 -Subject: [PATCH 1/4] efivars: Disable external interrupt while holding - efivars->lock - -[Problem] -There is a scenario which efi_pstore fails to log messages in a panic case. - - - CPUA holds an efi_var->lock in either efivarfs parts - or efi_pstore with interrupt enabled. - - CPUB panics and sends IPI to CPUA in smp_send_stop(). - - CPUA stops with holding the lock. - - CPUB kicks efi_pstore_write() via kmsg_dump(KSMG_DUMP_PANIC) - but it returns without logging messages. - -[Patch Description] -This patch disables an external interruption while holding efivars->lock -as follows. - -In efi_pstore_write() and get_var_data(), spin_lock/spin_unlock is -replaced by spin_lock_irqsave/spin_unlock_irqrestore because they may -be called in an interrupt context. - -In other functions, they are replaced by spin_lock_irq/spin_unlock_irq. -because they are all called from a process context. - -By applying this patch, we can avoid the problem above with -a following senario. - - - CPUA holds an efi_var->lock with interrupt disabled. - - CPUB panics and sends IPI to CPUA in smp_send_stop(). - - CPUA receives the IPI after releasing the lock because it is - disabling interrupt while holding the lock. - - CPUB waits for one sec until CPUA releases the lock. - - CPUB kicks efi_pstore_write() via kmsg_dump(KSMG_DUMP_PANIC) - And it can hold the lock successfully. 
- -Signed-off-by: Seiji Aguchi <seiji.aguchi@hds.com> -Acked-by: Mike Waychison <mikew@google.com> -Acked-by: Matt Fleming <matt.fleming@intel.com> -Signed-off-by: Tony Luck <tony.luck@intel.com> ---- - drivers/firmware/efivars.c | 84 ++++++++++++++++++++++++---------------------- - 1 file changed, 43 insertions(+), 41 deletions(-) - -diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index bcb201c..a9277cc 100644 ---- a/drivers/firmware/efivars.c -+++ b/drivers/firmware/efivars.c -@@ -406,10 +406,11 @@ static efi_status_t - get_var_data(struct efivars *efivars, struct efi_variable *var) - { - efi_status_t status; -+ unsigned long flags; - -- spin_lock(&efivars->lock); -+ spin_lock_irqsave(&efivars->lock, flags); - status = get_var_data_locked(efivars, var); -- spin_unlock(&efivars->lock); -+ spin_unlock_irqrestore(&efivars->lock, flags); - - if (status != EFI_SUCCESS) { - printk(KERN_WARNING "efivars: get_variable() failed 0x%lx!\n", -@@ -538,14 +539,14 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) - return -EINVAL; - } - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - status = efivars->ops->set_variable(new_var->VariableName, - &new_var->VendorGuid, - new_var->Attributes, - new_var->DataSize, - new_var->Data); - -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - - if (status != EFI_SUCCESS) { - printk(KERN_WARNING "efivars: set_variable() failed: status=%lx\n", -@@ -714,7 +715,7 @@ static ssize_t efivarfs_file_write(struct file *file, - * amounts of memory. Pick a default size of 64K if - * QueryVariableInfo() isn't supported by the firmware. 
- */ -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - - if (!efivars->ops->query_variable_info) - status = EFI_UNSUPPORTED; -@@ -724,7 +725,7 @@ static ssize_t efivarfs_file_write(struct file *file, - &remaining_size, &max_size); - } - -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - - if (status != EFI_SUCCESS) { - if (status != EFI_UNSUPPORTED) -@@ -755,7 +756,7 @@ static ssize_t efivarfs_file_write(struct file *file, - * set_variable call, and removal of the variable from the efivars - * list (in the case of an authenticated delete). - */ -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - - status = efivars->ops->set_variable(var->var.VariableName, - &var->var.VendorGuid, -@@ -763,7 +764,7 @@ static ssize_t efivarfs_file_write(struct file *file, - data); - - if (status != EFI_SUCCESS) { -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - kfree(data); - - return efi_status_to_err(status); -@@ -784,21 +785,21 @@ static ssize_t efivarfs_file_write(struct file *file, - NULL); - - if (status == EFI_BUFFER_TOO_SMALL) { -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - mutex_lock(&inode->i_mutex); - i_size_write(inode, newdatasize + sizeof(attributes)); - mutex_unlock(&inode->i_mutex); - - } else if (status == EFI_NOT_FOUND) { - list_del(&var->list); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - efivar_unregister(var); - drop_nlink(inode); - d_delete(file->f_dentry); - dput(file->f_dentry); - - } else { -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - pr_warn("efivarfs: inconsistent EFI variable implementation? 
" - "status = %lx\n", status); - } -@@ -820,11 +821,11 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf, - void *data; - ssize_t size = 0; - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - status = efivars->ops->get_variable(var->var.VariableName, - &var->var.VendorGuid, - &attributes, &datasize, NULL); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - - if (status != EFI_BUFFER_TOO_SMALL) - return efi_status_to_err(status); -@@ -834,12 +835,12 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf, - if (!data) - return -ENOMEM; - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - status = efivars->ops->get_variable(var->var.VariableName, - &var->var.VendorGuid, - &attributes, &datasize, - (data + sizeof(attributes))); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - - if (status != EFI_SUCCESS) { - size = efi_status_to_err(status); -@@ -1005,9 +1006,9 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry, - goto out; - - kobject_uevent(&var->kobj, KOBJ_ADD); -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - list_add(&var->list, &efivars->list); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - d_instantiate(dentry, inode); - dget(dentry); - out: -@@ -1024,7 +1025,7 @@ static int efivarfs_unlink(struct inode *dir, struct dentry *dentry) - struct efivars *efivars = var->efivars; - efi_status_t status; - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - - status = efivars->ops->set_variable(var->var.VariableName, - &var->var.VendorGuid, -@@ -1032,14 +1033,14 @@ static int efivarfs_unlink(struct inode *dir, struct dentry *dentry) - - if (status == EFI_SUCCESS || status == EFI_NOT_FOUND) { - list_del(&var->list); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - efivar_unregister(var); - drop_nlink(dentry->d_inode); - dput(dentry); - return 0; - } - -- 
spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - return -EINVAL; - }; - -@@ -1184,13 +1185,13 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) - /* copied by the above to local storage in the dentry. */ - kfree(name); - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - efivars->ops->get_variable(entry->var.VariableName, - &entry->var.VendorGuid, - &entry->var.Attributes, - &size, - NULL); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - - mutex_lock(&inode->i_mutex); - inode->i_private = entry; -@@ -1253,7 +1254,7 @@ static int efi_pstore_open(struct pstore_info *psi) - { - struct efivars *efivars = psi->data; - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - efivars->walk_entry = list_first_entry(&efivars->list, - struct efivar_entry, list); - return 0; -@@ -1263,7 +1264,7 @@ static int efi_pstore_close(struct pstore_info *psi) - { - struct efivars *efivars = psi->data; - -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - return 0; - } - -@@ -1339,8 +1340,9 @@ static int efi_pstore_write(enum pstore_type_id type, - int i, ret = 0; - u64 storage_space, remaining_space, max_variable_size; - efi_status_t status = EFI_NOT_FOUND; -+ unsigned long flags; - -- spin_lock(&efivars->lock); -+ spin_lock_irqsave(&efivars->lock, flags); - - /* - * Check if there is a space enough to log. 
-@@ -1352,7 +1354,7 @@ static int efi_pstore_write(enum pstore_type_id type, - &remaining_space, - &max_variable_size); - if (status || remaining_space < size + DUMP_NAME_LEN * 2) { -- spin_unlock(&efivars->lock); -+ spin_unlock_irqrestore(&efivars->lock, flags); - *id = part; - return -ENOSPC; - } -@@ -1366,7 +1368,7 @@ static int efi_pstore_write(enum pstore_type_id type, - efivars->ops->set_variable(efi_name, &vendor, PSTORE_EFI_ATTRIBUTES, - size, psi->buf); - -- spin_unlock(&efivars->lock); -+ spin_unlock_irqrestore(&efivars->lock, flags); - - if (size) - ret = efivar_create_sysfs_entry(efivars, -@@ -1393,7 +1395,7 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count, - sprintf(name, "dump-type%u-%u-%d-%lu", type, (unsigned int)id, count, - time.tv_sec); - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - - for (i = 0; i < DUMP_NAME_LEN; i++) - efi_name[i] = name[i]; -@@ -1437,7 +1439,7 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count, - if (found) - list_del(&found->list); - -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - - if (found) - efivar_unregister(found); -@@ -1507,7 +1509,7 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - return -EINVAL; - } - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - - /* - * Does this variable already exist? 
-@@ -1525,7 +1527,7 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - } - } - if (found) { -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - return -EINVAL; - } - -@@ -1539,10 +1541,10 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - if (status != EFI_SUCCESS) { - printk(KERN_WARNING "efivars: set_variable() failed: status=%lx\n", - status); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - return -EIO; - } -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - - /* Create the entry in sysfs. Locking is not required here */ - status = efivar_create_sysfs_entry(efivars, -@@ -1570,7 +1572,7 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj, - if (!capable(CAP_SYS_ADMIN)) - return -EACCES; - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - - /* - * Does this variable already exist? -@@ -1588,7 +1590,7 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj, - } - } - if (!found) { -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - return -EINVAL; - } - /* force the Attributes/DataSize to 0 to ensure deletion */ -@@ -1604,12 +1606,12 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj, - if (status != EFI_SUCCESS) { - printk(KERN_WARNING "efivars: set_variable() failed: status=%lx\n", - status); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - return -EIO; - } - list_del(&search_efivar->list); - /* We need to release this lock before unregistering. */ -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - efivar_unregister(search_efivar); - - /* It's dead Jim.... 
*/ -@@ -1724,9 +1726,9 @@ efivar_create_sysfs_entry(struct efivars *efivars, - kfree(short_name); - short_name = NULL; - -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - list_add(&new_efivar->list, &efivars->list); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - - return 0; - } -@@ -1795,9 +1797,9 @@ void unregister_efivars(struct efivars *efivars) - struct efivar_entry *entry, *n; - - list_for_each_entry_safe(entry, n, &efivars->list, list) { -- spin_lock(&efivars->lock); -+ spin_lock_irq(&efivars->lock); - list_del(&entry->list); -- spin_unlock(&efivars->lock); -+ spin_unlock_irq(&efivars->lock); - efivar_unregister(entry); - } - if (efivars->new_var) --- -1.8.1.2 - - -From 19adc04301476eaa15e035b66e92cb333223c352 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Sat, 2 Mar 2013 19:40:17 -0500 -Subject: [PATCH 2/4] efi: be more paranoid about available space when creating - variables - -UEFI variables are typically stored in flash. For various reasons, avaiable -space is typically not reclaimed immediately upon the deletion of a -variable - instead, the system will garbage collect during initialisation -after a reboot. - -Some systems appear to handle this garbage collection extremely poorly, -failing if more than 50% of the system flash is in use. This can result in -the machine refusing to boot. The safest thing to do for the moment is to -forbid writes if they'd end up using more than half of the storage space. -We can make this more finegrained later if we come up with a method for -identifying the broken machines. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> -Cc: <stable@vger.kernel.org> -Signed-off-by: Matt Fleming <matt.fleming@intel.com> ---- - drivers/firmware/efivars.c | 106 +++++++++++++++++++++++++++++++++------------ - 1 file changed, 79 insertions(+), 27 deletions(-) - -diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index a9277cc..919862b 100644 ---- a/drivers/firmware/efivars.c -+++ b/drivers/firmware/efivars.c -@@ -419,6 +419,44 @@ get_var_data(struct efivars *efivars, struct efi_variable *var) - return status; - } - -+static efi_status_t -+check_var_size_locked(struct efivars *efivars, u32 attributes, -+ unsigned long size) -+{ -+ u64 storage_size, remaining_size, max_size; -+ efi_status_t status; -+ const struct efivar_operations *fops = efivars->ops; -+ -+ if (!efivars->ops->query_variable_info) -+ return EFI_UNSUPPORTED; -+ -+ status = fops->query_variable_info(attributes, &storage_size, -+ &remaining_size, &max_size); -+ -+ if (status != EFI_SUCCESS) -+ return status; -+ -+ if (!storage_size || size > remaining_size || size > max_size || -+ (remaining_size - size) < (storage_size / 2)) -+ return EFI_OUT_OF_RESOURCES; -+ -+ return status; -+} -+ -+ -+static efi_status_t -+check_var_size(struct efivars *efivars, u32 attributes, unsigned long size) -+{ -+ efi_status_t status; -+ unsigned long flags; -+ -+ spin_lock_irqsave(&efivars->lock, flags); -+ status = check_var_size_locked(efivars, attributes, size); -+ spin_unlock_irqrestore(&efivars->lock, flags); -+ -+ return status; -+} -+ - static ssize_t - efivar_guid_read(struct efivar_entry *entry, char *buf) - { -@@ -540,11 +578,16 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) - } - - spin_lock_irq(&efivars->lock); -- status = efivars->ops->set_variable(new_var->VariableName, -- &new_var->VendorGuid, -- new_var->Attributes, -- new_var->DataSize, -- new_var->Data); -+ -+ status = check_var_size_locked(efivars, new_var->Attributes, -+ 
new_var->DataSize + utf16_strsize(new_var->VariableName, 1024)); -+ -+ if (status == EFI_SUCCESS || status == EFI_UNSUPPORTED) -+ status = efivars->ops->set_variable(new_var->VariableName, -+ &new_var->VendorGuid, -+ new_var->Attributes, -+ new_var->DataSize, -+ new_var->Data); - - spin_unlock_irq(&efivars->lock); - -@@ -695,8 +738,7 @@ static ssize_t efivarfs_file_write(struct file *file, - u32 attributes; - struct inode *inode = file->f_mapping->host; - unsigned long datasize = count - sizeof(attributes); -- unsigned long newdatasize; -- u64 storage_size, remaining_size, max_size; -+ unsigned long newdatasize, varsize; - ssize_t bytes = 0; - - if (count < sizeof(attributes)) -@@ -715,28 +757,18 @@ static ssize_t efivarfs_file_write(struct file *file, - * amounts of memory. Pick a default size of 64K if - * QueryVariableInfo() isn't supported by the firmware. - */ -- spin_lock_irq(&efivars->lock); - -- if (!efivars->ops->query_variable_info) -- status = EFI_UNSUPPORTED; -- else { -- const struct efivar_operations *fops = efivars->ops; -- status = fops->query_variable_info(attributes, &storage_size, -- &remaining_size, &max_size); -- } -- -- spin_unlock_irq(&efivars->lock); -+ varsize = datasize + utf16_strsize(var->var.VariableName, 1024); -+ status = check_var_size(efivars, attributes, varsize); - - if (status != EFI_SUCCESS) { - if (status != EFI_UNSUPPORTED) - return efi_status_to_err(status); - -- remaining_size = 65536; -+ if (datasize > 65536) -+ return -ENOSPC; - } - -- if (datasize > remaining_size) -- return -ENOSPC; -- - data = kmalloc(datasize, GFP_KERNEL); - if (!data) - return -ENOMEM; -@@ -758,6 +790,19 @@ static ssize_t efivarfs_file_write(struct file *file, - */ - spin_lock_irq(&efivars->lock); - -+ /* -+ * Ensure that the available space hasn't shrunk below the safe level -+ */ -+ -+ status = check_var_size_locked(efivars, attributes, varsize); -+ -+ if (status != EFI_SUCCESS && status != EFI_UNSUPPORTED) { -+ spin_unlock_irq(&efivars->lock); -+ 
kfree(data); -+ -+ return efi_status_to_err(status); -+ } -+ - status = efivars->ops->set_variable(var->var.VariableName, - &var->var.VendorGuid, - attributes, datasize, -@@ -1338,7 +1383,6 @@ static int efi_pstore_write(enum pstore_type_id type, - efi_guid_t vendor = LINUX_EFI_CRASH_GUID; - struct efivars *efivars = psi->data; - int i, ret = 0; -- u64 storage_space, remaining_space, max_variable_size; - efi_status_t status = EFI_NOT_FOUND; - unsigned long flags; - -@@ -1349,11 +1393,11 @@ static int efi_pstore_write(enum pstore_type_id type, - * size: a size of logging data - * DUMP_NAME_LEN * 2: a maximum size of variable name - */ -- status = efivars->ops->query_variable_info(PSTORE_EFI_ATTRIBUTES, -- &storage_space, -- &remaining_space, -- &max_variable_size); -- if (status || remaining_space < size + DUMP_NAME_LEN * 2) { -+ -+ status = check_var_size_locked(efivars, PSTORE_EFI_ATTRIBUTES, -+ size + DUMP_NAME_LEN * 2); -+ -+ if (status) { - spin_unlock_irqrestore(&efivars->lock, flags); - *id = part; - return -ENOSPC; -@@ -1531,6 +1575,14 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - return -EINVAL; - } - -+ status = check_var_size_locked(efivars, new_var->Attributes, -+ new_var->DataSize + utf16_strsize(new_var->VariableName, 1024)); -+ -+ if (status && status != EFI_UNSUPPORTED) { -+ spin_unlock_irq(&efivars->lock); -+ return efi_status_to_err(status); -+ } -+ - /* now *really* create the variable via EFI */ - status = efivars->ops->set_variable(new_var->VariableName, - &new_var->VendorGuid, --- -1.8.1.2 - - -From 46b6e1db3a81203deaf4615637616a0266a2e6e6 Mon Sep 17 00:00:00 2001 -From: Matt Fleming <matt.fleming@intel.com> -Date: Tue, 5 Mar 2013 07:40:16 +0000 -Subject: [PATCH 3/4] efivars: efivarfs_valid_name() should handle pstore - syntax - -Stricter validation was introduced with commit da27a24383b2b -("efivarfs: guid part of filenames are case-insensitive") and commit -47f531e8ba3b ("efivarfs: Validate filenames much more 
aggressively"), -which is necessary for the guid portion of efivarfs filenames, but we -don't need to be so strict with the first part, the variable name. The -UEFI specification doesn't impose any constraints on variable names -other than they be a NULL-terminated string. - -The above commits caused a regression that resulted in users seeing -the following message, - - $ sudo mount -v /sys/firmware/efi/efivars mount: Cannot allocate memory - -whenever pstore EFI variables were present in the variable store, -since their variable names failed to pass the following check, - - /* GUID should be right after the first '-' */ - if (s - 1 != strchr(str, '-')) - -as a typical pstore filename is of the form, dump-type0-10-1-<guid>. -The fix is trivial since the guid portion of the filename is GUID_LEN -bytes, we can use (len - GUID_LEN) to ensure the '-' character is -where we expect it to be. - -(The bogus ENOMEM error value will be fixed in a separate patch.) - -Reported-by: Joseph Yasi <joe.yasi@gmail.com> -Reported-by: Lingzhu Xiang <lxiang@redhat.com> -Cc: Josh Boyer <jwboyer@redhat.com> -Cc: Jeremy Kerr <jk@ozlabs.org> -Cc: Matthew Garrett <mjg59@srcf.ucam.org> -Cc: <stable@vger.kernel.org> -Signed-off-by: Matt Fleming <matt.fleming@intel.com> ---- - drivers/firmware/efivars.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index 919862b..fc54ddd 100644 ---- a/drivers/firmware/efivars.c -+++ b/drivers/firmware/efivars.c -@@ -967,8 +967,8 @@ static bool efivarfs_valid_name(const char *str, int len) - if (len < GUID_LEN + 2) - return false; - -- /* GUID should be right after the first '-' */ -- if (s - 1 != strchr(str, '-')) -+ /* GUID must be preceded by a '-' */ -+ if (*(s - 1) != '-') - return false; - - /* --- -1.8.1.2 - - -From f751b6c973fe5a480ff12c97df4b8ac4e9a666a7 Mon Sep 17 00:00:00 2001 -From: Matt Fleming <matt.fleming@intel.com> -Date: Tue, 5 Mar 2013 12:46:30 +0000 
-Subject: [PATCH 4/4] efivarfs: return accurate error code in - efivarfs_fill_super() - -Joseph was hitting a failure case when mounting efivarfs which -resulted in an incorrect error message, - - $ sudo mount -v /sys/firmware/efi/efivars mount: Cannot allocate memory - -triggered when efivarfs_valid_name() returned -EINVAL. - -Make sure we pass accurate return values up the stack if -efivarfs_fill_super() fails to build inodes for EFI variables. - -Reported-by: Joseph Yasi <joe.yasi@gmail.com> -Reported-by: Lingzhu Xiang <lxiang@redhat.com> -Cc: Josh Boyer <jwboyer@redhat.com> -Cc: Jeremy Kerr <jk@ozlabs.org> -Cc: Matthew Garrett <mjg59@srcf.ucam.org> -Cc: <stable@vger.kernel.org> -Signed-off-by: Matt Fleming <matt.fleming@intel.com> ---- - drivers/firmware/efivars.c | 20 +++++++++++++++----- - 1 file changed, 15 insertions(+), 5 deletions(-) - -diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index fc54ddd..2a2e145 100644 ---- a/drivers/firmware/efivars.c -+++ b/drivers/firmware/efivars.c -@@ -1156,15 +1156,22 @@ static struct dentry_operations efivarfs_d_ops = { - - static struct dentry *efivarfs_alloc_dentry(struct dentry *parent, char *name) - { -+ struct dentry *d; - struct qstr q; -+ int err; - - q.name = name; - q.len = strlen(name); - -- if (efivarfs_d_hash(NULL, NULL, &q)) -- return NULL; -+ err = efivarfs_d_hash(NULL, NULL, &q); -+ if (err) -+ return ERR_PTR(err); -+ -+ d = d_alloc(parent, &q); -+ if (d) -+ return d; - -- return d_alloc(parent, &q); -+ return ERR_PTR(-ENOMEM); - } - - static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) -@@ -1174,6 +1181,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) - struct efivar_entry *entry, *n; - struct efivars *efivars = &__efivars; - char *name; -+ int err = -ENOMEM; - - efivarfs_sb = sb; - -@@ -1224,8 +1232,10 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) - goto fail_name; - - dentry = 
efivarfs_alloc_dentry(root, name); -- if (!dentry) -+ if (IS_ERR(dentry)) { -+ err = PTR_ERR(dentry); - goto fail_inode; -+ } - - /* copied by the above to local storage in the dentry. */ - kfree(name); -@@ -1252,7 +1262,7 @@ fail_inode: - fail_name: - kfree(name); - fail: -- return -ENOMEM; -+ return err; - } - - static struct dentry *efivarfs_mount(struct file_system_type *fs_type, --- -1.8.1.2 - diff --git a/freed-ora/current/f18/i7300_edac_single_mode_fixup.patch b/freed-ora/current/f18/i7300_edac_single_mode_fixup.patch new file mode 100644 index 000000000..ed08ab961 --- /dev/null +++ b/freed-ora/current/f18/i7300_edac_single_mode_fixup.patch 
@@ -0,0 +1,108 @@ +commit 8ed5b5d41168a98cffa63e2f6c51c3243e159706 +Author: Mauro Carvalho Chehab <mchehab@redhat.com> +Date: Wed Mar 13 22:56:33 2013 -0300 + + i7300_edac: Fix memory detection in single mode + + When the machine is on single mode, only branch 0 channel 0 + is valid. However, the code is not honouring it: + + [ 1952.639341] EDAC DEBUG: i7300_get_mc_regs: Memory controller operating on single mode + ... + [ 1952.639351] EDAC DEBUG: i7300_init_csrows: AMB-present CH0 = 0x1: + [ 1952.639353] EDAC DEBUG: i7300_init_csrows: AMB-present CH1 = 0x0: + [ 1952.639355] EDAC DEBUG: i7300_init_csrows: AMB-present CH2 = 0x0: + [ 1952.639358] EDAC DEBUG: i7300_init_csrows: AMB-present CH3 = 0x0: + ... + [ 1952.639360] EDAC DEBUG: decode_mtr: MTR0 CH0: DIMMs are Present (mtr) + [ 1952.639362] EDAC DEBUG: decode_mtr: WIDTH: x8 + [ 1952.639363] EDAC DEBUG: decode_mtr: ELECTRICAL THROTTLING is enabled + [ 1952.639364] EDAC DEBUG: decode_mtr: NUMBANK: 4 bank(s) + [ 1952.639366] EDAC DEBUG: decode_mtr: NUMRANK: single + [ 1952.639367] EDAC DEBUG: decode_mtr: NUMROW: 16,384 - 14 rows + [ 1952.639368] EDAC DEBUG: decode_mtr: NUMCOL: 1,024 - 10 columns + [ 1952.639370] EDAC DEBUG: decode_mtr: SIZE: 512 MB + [ 1952.639371] EDAC DEBUG: decode_mtr: ECC code is 8-byte-over-32-byte SECDED+ code + [ 1952.639373] EDAC DEBUG: decode_mtr: Scrub algorithm for x8 is on enhanced mode + [ 1952.639374] EDAC DEBUG: decode_mtr: MTR0 CH1: DIMMs are Present (mtr) + [ 1952.639376] EDAC DEBUG: decode_mtr: WIDTH: x8 + [ 1952.639377] EDAC DEBUG: decode_mtr: ELECTRICAL THROTTLING is enabled + [ 1952.639379] EDAC DEBUG: decode_mtr: NUMBANK: 4 bank(s) + [ 1952.639380] EDAC DEBUG: decode_mtr: NUMRANK: single + [ 1952.639381] EDAC DEBUG: decode_mtr: NUMROW: 16,384 - 14 rows + [ 1952.639383] EDAC DEBUG: decode_mtr: NUMCOL: 1,024 - 10 columns + [ 1952.639384] EDAC DEBUG: decode_mtr: SIZE: 512 MB + [ 1952.639385] EDAC DEBUG: decode_mtr: ECC code is 8-byte-over-32-byte SECDED+ code + [ 1952.639387] 
EDAC DEBUG: decode_mtr: Scrub algorithm for x8 is on enhanced mode + ... + [ 1952.639449] EDAC DEBUG: print_dimm_size: channel 0 | channel 1 | channel 2 | channel 3 | + [ 1952.639451] EDAC DEBUG: print_dimm_size: ------------------------------------------------------------- + [ 1952.639453] EDAC DEBUG: print_dimm_size: csrow/SLOT 0 512 MB | 512 MB | 0 MB | 0 MB | + [ 1952.639456] EDAC DEBUG: print_dimm_size: csrow/SLOT 1 0 MB | 0 MB | 0 MB | 0 MB | + [ 1952.639458] EDAC DEBUG: print_dimm_size: csrow/SLOT 2 0 MB | 0 MB | 0 MB | 0 MB | + [ 1952.639460] EDAC DEBUG: print_dimm_size: csrow/SLOT 3 0 MB | 0 MB | 0 MB | 0 MB | + [ 1952.639462] EDAC DEBUG: print_dimm_size: csrow/SLOT 4 0 MB | 0 MB | 0 MB | 0 MB | + [ 1952.639464] EDAC DEBUG: print_dimm_size: csrow/SLOT 5 0 MB | 0 MB | 0 MB | 0 MB | + [ 1952.639466] EDAC DEBUG: print_dimm_size: csrow/SLOT 6 0 MB | 0 MB | 0 MB | 0 MB | + [ 1952.639468] EDAC DEBUG: print_dimm_size: csrow/SLOT 7 0 MB | 0 MB | 0 MB | 0 MB | + [ 1952.639470] EDAC DEBUG: print_dimm_size: ------------------------------------------------------------- + + Instead of detecting a single memory at channel 0, it is showing + twice the memory. + + 
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> + +diff --git a/drivers/edac/i7300_edac.c b/drivers/edac/i7300_edac.c +index 087c27b..9004c64 100644 +--- a/drivers/edac/i7300_edac.c ++++ b/drivers/edac/i7300_edac.c +@@ -750,15 +750,23 @@ static int i7300_init_csrows(struct mem_ctl_info *mci) + struct i7300_dimm_info *dinfo; + int rc = -ENODEV; + int mtr; +- int ch, branch, slot, channel; ++ int ch, branch, slot, channel, max_channel, max_branch; + struct dimm_info *dimm; + + pvt = mci->pvt_info; + + edac_dbg(2, "Memory Technology Registers:\n"); + ++ if (IS_SINGLE_MODE(pvt->mc_settings_a)) { ++ max_branch = 1; ++ max_channel = 1; ++ } else { ++ max_branch = MAX_BRANCHES; ++ max_channel = MAX_CH_PER_BRANCH; ++ } ++ + /* Get the AMB present registers for the four channels */ +- for (branch = 0; branch < MAX_BRANCHES; branch++) { ++ for (branch = 0; branch < max_branch; branch++) { + /* Read and dump branch 0's MTRs */ + channel = to_channel(0, branch); + pci_read_config_word(pvt->pci_dev_2x_0_fbd_branch[branch], +@@ -767,6 +775,9 @@ static int i7300_init_csrows(struct mem_ctl_info *mci) + edac_dbg(2, "\t\tAMB-present CH%d = 0x%x:\n", + channel, pvt->ambpresent[channel]); + ++ if (max_channel == 1) ++ continue; ++ + channel = to_channel(1, branch); + pci_read_config_word(pvt->pci_dev_2x_0_fbd_branch[branch], + AMBPRESENT_1, +@@ -778,11 +789,11 @@ static int i7300_init_csrows(struct mem_ctl_info *mci) + /* Get the set of MTR[0-7] regs by each branch */ + for (slot = 0; slot < MAX_SLOTS; slot++) { + int where = mtr_regs[slot]; +- for (branch = 0; branch < MAX_BRANCHES; branch++) { ++ for (branch = 0; branch < max_branch; branch++) { + pci_read_config_word(pvt->pci_dev_2x_0_fbd_branch[branch], + where, + &pvt->mtr[slot][branch]); +- for (ch = 0; ch < MAX_CH_PER_BRANCH; ch++) { ++ for (ch = 0; ch < max_channel; ch++) { + int channel = to_channel(ch, branch); + + dimm = EDAC_DIMM_PTR(mci->layers, mci->dimms, 
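Review bot: The comment kept above the first loop in i7300_init_csrows(), `/* Get the AMB present registers for the four channels */`, no longer matches the code. In single mode the loop now stops after branch 0 and the added `continue` skips the AMBPRESENT_1 read. I would reword it to `/* Get the AMB present registers; single mode uses only branch 0 channel 0 */` and add a one-line comment on `if (max_channel == 1) continue;` saying that channel 1 is deliberately left unread. The pvt->ambpresent[] entries for the skipped channels keep whatever value they had before. The function starts and ends outside the hunk, so whether later code still reads them cannot be checked from here.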
diff --git a/freed-ora/current/f18/kernel.spec b/freed-ora/current/f18/kernel.spec index 795bc25c8..368e13f40 100644 --- a/freed-ora/current/f18/kernel.spec +++ b/freed-ora/current/f18/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 206 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -112,7 +112,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -133,7 +133,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 0 +%define gitrev 100 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -297,9 +297,9 @@ Summary: The Linux kernel # kernel up (versatile express), tegra and omap are only built on armv7 hfp/sfp %ifnarch armv7hl armv7l -%endif %define with_omap 0 %define with_tegra 0 +%endif # kernel-kirkwood is only built for armv5 %ifnarch armv5tel @@ -778,8 +778,6 @@ Patch20000: 0001-efifb-Skip-DMI-checks-if-the-bootloader-knows-what-i.patch Patch20001: 0002-x86-EFI-Calculate-the-EFI-framebuffer-size-instead-o.patch # ARM -# http://lists.infradead.org/pipermail/linux-arm-kernel/2012-December/137164.html -Patch21002: arm-alignment-faults.patch # ARM tegra Patch21004: arm-tegra-nvec-kconfig.patch @@ -801,6 +799,9 @@ Patch22226: vt-Drop-K_OFF-for-VC_MUTE.patch Patch22240: Input-increase-struct-ps2dev-cmdbuf-to-8-bytes.patch Patch22241: Input-add-support-for-Cypress-PS2-Trackpads.patch +#rhbz 912166 +Patch22243: Input-cypress_ps2-fix-trackpadi-found-in-Dell-XPS12.patch + #rhbz 892811 Patch22247: ath9k_rx_dma_stop_check.patch 
@@ -813,21 +814,6 @@ Patch22262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch #rhbz 916544 Patch22263: 0001-drivers-crypto-nx-fix-init-race-alignmasks-and-GCM-b.patch -#rhbz 917984 -Patch22264: efi-fixes-3.8.patch - -#rhbz 918512 918521 -Patch22265: crypto-user-fix-info-leaks-in-report-API.patch - -# CVE-2013-1792 rhbz 916646,919021 -Patch22266: keys-fix-race-with-concurrent-install_user_keyrings.patch - -#rhbz 840391 -Patch22267: logitech-dj-do-not-directly-call-hid_output_raw_report-during-probe.patch - -#rhbz 916444 -Patch22268: dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch - #CVE-2013-1828 rhbz 919315 919316 Patch22269: net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch @@ -842,6 +828,37 @@ Patch24101: fix-destroy_conntrack-GPF.patch #rhbz 917353 Patch24102: backlight_revert.patch +#rhbz 904182 +Patch24103: TTY-do-not-reset-master-s-packet-mode.patch + +#rhbz 857954 +Patch24105: w1-fix-oops-when-w1_search-is-called-from.patch + +#rhbz 911771 +Patch24106: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch + +#rhbz 879462 +Patch24107: uvcvideo-suspend-fix.patch + +#CVE-2013-0914 rhbz 920499 920510 +Patch24108: signal-always-clear-sa_restorer-on-execve.patch + +#CVE-2013-0913 rhbz 920471 920529 +Patch24109: drm-i915-bounds-check-execbuffer-relocation-count.patch + +#rhbz 856863 892599 +Patch24111: cfg80211-mac80211-disconnect-on-suspend.patch +Patch24112: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.8.patch + +#rhbz 859282 +Patch24113: VMX-x86-handle-host-TSC-calibration-failure.patch + +#rhbz 920586 +Patch25000: amd64_edac_fix_rank_count.patch + +#rhbz 921500 +Patch25001: i7300_edac_single_mode_fixup.patch + # END OF PATCH DEFINITIONS %endif 
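Review bot: The hunk at -813,21 removes five Patch lines, among them the CVE-2013-1792 keyrings race fix (Patch22266) and the crypto-user info-leak fix (Patch22265), and nothing in the spec records why. Presumably they are contained in the 3.8.3 stable update this commit moves to, but the added %changelog entries say only `Linux v3.8.3`. A line such as `- Drop efi, crypto-user, keys, logitech-dj and dmi_scan patches merged in 3.8.3 (CVE-2013-1792)` under the 3.8.3-201 entry would let a later audit confirm that no security fix was lost in the rebase. The matching ApplyPatch lines are removed in the -1608,35 hunk.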
@@ -1013,7 +1030,7 @@ This package provides debug information for package kernel-libre-tools. # symlinks because of the trailing nonmatching alternation and # the leading .*, because of find-debuginfo.sh's buggy handling # of matching the pattern against the symlinks file. -%{expand:%%global debuginfo_args %{?debuginfo_args} -p '.*%%{_bindir}/centrino-decode(\.debug)?|.*%%{_bindir}/powernow-k8-decode(\.debug)?|.*%%{_bindir}/cpupower(\.debug)?|.*%%{_libdir}/libcpupower.*|XXX' -o kernel-tools-debuginfo.list} +%{expand:%%global debuginfo_args %{?debuginfo_args} -p '.*%%{_bindir}/centrino-decode(\.debug)?|.*%%{_bindir}/powernow-k8-decode(\.debug)?|.*%%{_bindir}/cpupower(\.debug)?|.*%%{_libdir}/libcpupower.*|.*%%{_bindir}/turbostat(\.debug)?|.*%%{_bindir}/x86_energy_perf_policy(\.debug)?|XXX' -o kernel-tools-debuginfo.list} %endif # with_tools @@ -1469,7 +1486,6 @@ ApplyPatch vmbugon-warnon.patch #ApplyPatch arm-tegra-nvec-kconfig.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch #ApplyPatch arm-tegra-sdhci-module-fix.patch -ApplyPatch arm-alignment-faults.patch # # bugfixes to drivers and filesystems @@ -1593,6 +1609,9 @@ ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch ApplyPatch Input-increase-struct-ps2dev-cmdbuf-to-8-bytes.patch ApplyPatch Input-add-support-for-Cypress-PS2-Trackpads.patch +#rhbz 912166 +ApplyPatch Input-cypress_ps2-fix-trackpadi-found-in-Dell-XPS12.patch + #rhbz 892811 ApplyPatch ath9k_rx_dma_stop_check.patch 
@@ -1608,35 +1627,51 @@ ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch #rhbz 916544 ApplyPatch 0001-drivers-crypto-nx-fix-init-race-alignmasks-and-GCM-b.patch -#rhbz 917984 -ApplyPatch efi-fixes-3.8.patch - -#rhbz 918512 918521 -ApplyPatch crypto-user-fix-info-leaks-in-report-API.patch - ApplyPatch userns-avoid-recursion-in-put_user_ns.patch #rhbz 859346 ApplyPatch fix-destroy_conntrack-GPF.patch -# CVE-2013-1792 rhbz 916646,919021 -ApplyPatch keys-fix-race-with-concurrent-install_user_keyrings.patch - -#rhbz 840391 -ApplyPatch logitech-dj-do-not-directly-call-hid_output_raw_report-during-probe.patch - -#rhbz 916444 -ApplyPatch dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch - #CVE-2013-1828 rhbz 919315 919316 ApplyPatch net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch #rhbz 917353 ApplyPatch backlight_revert.patch -R +#rhbz 920586 +ApplyPatch amd64_edac_fix_rank_count.patch + +#rhbz 921500 +ApplyPatch i7300_edac_single_mode_fixup.patch + #Team Driver update ApplyPatch team-net-next-update-20130307.patch +#rhbz 904182 +ApplyPatch TTY-do-not-reset-master-s-packet-mode.patch + +#rhbz 857954 +ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch + +#rhbz 911771 +ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch + +#rhbz 879462 +ApplyPatch uvcvideo-suspend-fix.patch + +#CVE-2013-0914 rhbz 920499 920510 +ApplyPatch signal-always-clear-sa_restorer-on-execve.patch + +#CVE-2013-0913 rhbz 920471 920529 +ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch + +#rhbz 856863 892599 +ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch +ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.8.patch + +#rhbz 859282 +ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch + # END OF PATCH APPLICATIONS %endif 
@@ -2505,6 +2540,37 @@ fi # ||----w | # || || %changelog +* Fri Mar 15 2013 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 3.8.3-gnu. + +* Thu Mar 14 2013 Justin M. Forbes <jforbes@redhat.com> 3.8.3-201 +- Linux v3.8.3 + +* Thu Mar 14 2013 Josh Boyer <jwboyer@redhat.com> +- Fix divide by zero on host TSC calibration failure (rhbz 859282) + +* Thu Mar 14 2013 Mauro Carvalho Chehab <mchehab@redhat.com> +- fix i7300_edac twice-mem-size-report via EDAC API (rhbz 921500) + +* Tue Mar 12 2013 Josh Boyer <jwboyer@redhat.com> +- Add patch to fix ieee80211_do_stop (rhbz 892599) +- Add patches to fix cfg80211 issues with suspend (rhbz 856863) +- Add patch to fix Cypress trackpad on XPS 12 machines (rhbz 912166) +- CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529) +- CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510) + +* Mon Mar 11 2013 Mauro Carvalho Chehab <mchehab@redhat.com> +- fix amd64_edac twice-mem-size-report via EDAC API (rhbz 920586) + +* Mon Mar 11 2013 Josh Boyer <jwboyer@redhat.com> +- Add patch to fix usb_submit_urb error in uvcvideo (rhbz 879462) +- Add patch to allow "8250." prefix to keep working (rhbz 911771) +- Add patch to fix w1_search oops (rhbz 857954) +- Add patch to fix broken tty handling (rhbz 904182) + +* Fri Mar 08 2013 Josh Boyer <jwboyer@redhat.com> +- Add turbostat and x86_engery_perf_policy debuginfo to kernel-tools-debuginfo + * Fri Mar 08 2013 Justin M. Forbes <jforbes@redhat.com> - Revert "write backlight harder" until better solution is found (rhbz 917353) - Update team driver from net-next from Jiri Pirko diff --git a/freed-ora/current/f18/keys-fix-race-with-concurrent-install_user_keyrings.patch b/freed-ora/current/f18/keys-fix-race-with-concurrent-install_user_keyrings.patch deleted file mode 100644 index ba7b30a6d..000000000 --- a/freed-ora/current/f18/keys-fix-race-with-concurrent-install_user_keyrings.patch +++ /dev/null 
@@ -1,15 +0,0 @@
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 58dfe08..c5ec083 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -57,7 +57,7 @@ int install_user_keyrings(void)
-
- kenter("%p{%u}", user, uid);
-
-- if (user->uid_keyring) {
-+ if (user->uid_keyring && user->session_keyring) {
- kleave(" = 0 [exist]");
- return 0;
- }
-
-
\ No newline at end of file
diff --git a/freed-ora/current/f18/logitech-dj-do-not-directly-call-hid_output_raw_report-during-probe.patch b/freed-ora/current/f18/logitech-dj-do-not-directly-call-hid_output_raw_report-during-probe.patch
deleted file mode 100644
index 68a524a94..000000000
--- a/freed-ora/current/f18/logitech-dj-do-not-directly-call-hid_output_raw_report-during-probe.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From dcd9006b1b053c7b1cebe81333261d4fd492ffeb Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires <benjamin.tissoires@redhat.com> -Date: Tue, 05 Mar 2013 16:09:00 +0000 -Subject: HID: logitech-dj: do not directly call hid_output_raw_report() during probe - -hid_output_raw_report() makes a direct call to usb_control_msg(). However, -some USB3 boards have shown that the usb device is not ready during the -.probe(). This blocks the entire usb device, and the paired mice, keyboards -are not functional. The dmesg output is the following: - -[ 11.912287] logitech-djreceiver 0003:046D:C52B.0003: hiddev0,hidraw0: USB HID v1.11 Device [Logitech USB Receiver] on usb-0000:00:14.0-2/input2 -[ 11.912537] logitech-djreceiver 0003:046D:C52B.0003: logi_dj_probe:logi_dj_recv_query_paired_devices error:-32 -[ 11.912636] logitech-djreceiver: probe of 0003:046D:C52B.0003 failed with error -32 - -Relying on the scheduled call to usbhid_submit_report() fixes the problem. - -related bugs: -https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1072082 -https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1039143 -https://bugzilla.redhat.com/show_bug.cgi?id=840391 -https://bugzilla.kernel.org/show_bug.cgi?id=49781 - -Reported-and-tested-by: Bob Bowles <bobjohnbowles@gmail.com> -Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> -Signed-off-by: Jiri Kosina <jkosina@suse.cz> ---- -diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index 9500f2f..8758f38c 100644 ---- a/drivers/hid/hid-logitech-dj.c -+++ b/drivers/hid/hid-logitech-dj.c -@@ -459,19 +459,25 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - struct dj_report *dj_report) - { - struct hid_device *hdev = djrcv_dev->hdev; -- int sent_bytes; -+ struct hid_report *report; -+ struct hid_report_enum *output_report_enum; -+ u8 *data = (u8 *)(&dj_report->device_index); -+ int i; - -- if (!hdev->hid_output_raw_report) { -- dev_err(&hdev->dev, "%s:" -- 
"hid_output_raw_report is null\n", __func__); -+ output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; -+ report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; -+ -+ if (!report) { -+ dev_err(&hdev->dev, "%s: unable to find dj report\n", __func__); - return -ENODEV; - } - -- sent_bytes = hdev->hid_output_raw_report(hdev, (u8 *) dj_report, -- sizeof(struct dj_report), -- HID_OUTPUT_REPORT); -+ for (i = 0; i < report->field[0]->report_count; i++) -+ report->field[0]->value[i] = data[i]; -+ -+ usbhid_submit_report(hdev, report, USB_DIR_OUT); - -- return (sent_bytes < 0) ? sent_bytes : 0; -+ return 0; - } - - static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev) --- -cgit v0.9.1 diff --git a/freed-ora/current/f18/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.8.patch b/freed-ora/current/f18/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.8.patch new file mode 100644 index 000000000..8249ab38c --- /dev/null +++ b/freed-ora/current/f18/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.8.patch 
@@ -0,0 +1,71 @@ +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 8be854e..6d2bab7 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -605,7 +605,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up) + } + + ieee80211_adjust_monitor_flags(sdata, 1); +- ieee80211_configure_filter(local); ++ /* tell driver latter (if not suspended) */ + + netif_carrier_on(dev); + break; +@@ -804,8 +804,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + sdata->dev->addr_len); + spin_unlock_bh(&local->filter_lock); + netif_addr_unlock_bh(sdata->dev); +- +- ieee80211_configure_filter(local); ++ /* configure filter latter (if not suspended) */ + } + + del_timer_sync(&local->dynamic_ps_timer); +@@ -872,32 +871,30 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + */ + ieee80211_free_keys(sdata); + +- if (going_down) ++ if (going_down && !local->suspended) + drv_remove_interface(local, sdata); + } + + sdata->bss = NULL; + +- mutex_lock(&local->mtx); +- hw_reconf_flags |= __ieee80211_recalc_idle(local); +- mutex_unlock(&local->mtx); +- +- ieee80211_recalc_ps(local, -1); ++ if (!local->suspended) { ++ if (local->open_count == 0) { ++ if (local->ops->napi_poll) ++ napi_disable(&local->napi); ++ ieee80211_clear_tx_pending(local); ++ ieee80211_stop_device(local); ++ } else { ++ ieee80211_recalc_ps(local, -1); + +- if (local->open_count == 0) { +- if (local->ops->napi_poll) +- napi_disable(&local->napi); +- ieee80211_clear_tx_pending(local); +- ieee80211_stop_device(local); ++ mutex_lock(&local->mtx); ++ hw_reconf_flags |= __ieee80211_recalc_idle(local); ++ mutex_unlock(&local->mtx); + +- /* no reconfiguring after stop! 
*/ +- hw_reconf_flags = 0; ++ if (hw_reconf_flags) ++ ieee80211_hw_config(local, hw_reconf_flags); ++ } + } + +- /* do after stop to avoid reconfiguring when we stop anyway */ +- if (hw_reconf_flags) +- ieee80211_hw_config(local, hw_reconf_flags); +- + spin_lock_irqsave(&local->queue_stop_reason_lock, flags); + for (i = 0; i < IEEE80211_MAX_QUEUES; i++) { + skb_queue_walk_safe(&local->pending[i], skb, tmp) { diff --git a/freed-ora/current/f18/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch b/freed-ora/current/f18/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch new file mode 100644 index 000000000..b16be4417 --- /dev/null +++ b/freed-ora/current/f18/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch 
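Review bot: Both `ieee80211_configure_filter(local);` calls are removed, one in ieee80211_do_open() and one in ieee80211_do_stop(), and replaced by comments promising a later call, but no hunk in this patch adds that call. Unless it already happens elsewhere in iface.c outside these hunks, the driver's RX filter is no longer refreshed after the monitor flags are adjusted or after the address-list update done under filter_lock. If the intent is only to skip the call while suspended, `if (!local->suspended) ieee80211_configure_filter(local);` at both sites would keep the previous behaviour for the running case. The two new comments also say "latter" where "later" is meant. Both functions extend beyond the hunks shown.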
@@ -0,0 +1,63 @@ +From e94256528a988231ccc7a2a0b6b206a1131cb358 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@redhat.com> +Date: Fri, 8 Mar 2013 21:13:52 -0500 +Subject: [PATCH] serial: 8250: Keep 8250.<xxxx> module options functional + after driver rename + +With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the +8250 driver was renamed to 8250_core. This means any existing usage of +the 8259.<xxxx> module parameters or as a kernel command line switch is +now broken, as the 8250_core driver doesn't parse options belonging to +something called "8250". + +To solve this, we redefine the module options in a dummy function using +a redefined MODULE_PARAM_PREFX when built into the kernel. In the case +where we're building as a module, we provide an alias to the old 8250 +name. The dummy function prevents compiler errors due to global variable +redefinitions that happen as part of the module_param_ macro expansions. + +Signed-off-by: Josh Boyer <jwboyer@redhat.com> +--- + drivers/tty/serial/8250/8250.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c +index 0efc815..f982633 100644 +--- a/drivers/tty/serial/8250/8250.c ++++ b/drivers/tty/serial/8250/8250.c +@@ -3396,3 +3396,32 @@ module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444); + MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA"); + #endif + MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR); ++ ++#ifndef MODULE ++/* This module was renamed to 8250_core in 3.7. Keep the old "8250" name ++ * working as well for the module options so we don't break people. We ++ * need to keep the names identical and the convenient macros will happily ++ * refuse to let us do that by failing the build with redefinition errors ++ * of global variables. So we stick them inside a dummy function to avoid ++ * those conflicts. 
The options still get parsed, and the redefined ++ * MODULE_PARAM_PREFIX lets us keep the "8250." syntax alive. ++ * ++ * This is hacky. I'm sorry. ++ */ ++static void __used s8250_options(void) ++{ ++#undef MODULE_PARAM_PREFIX ++#define MODULE_PARAM_PREFIX "8250." ++ ++ module_param_cb(share_irqs, ¶m_ops_uint, &share_irqs, 0644); ++ module_param_cb(nr_uarts, ¶m_ops_uint, &nr_uarts, 0644); ++ module_param_cb(skip_txen_test, ¶m_ops_uint, &skip_txen_test, 0644); ++#ifdef CONFIG_SERIAL_8250_RSA ++ __module_param_call(MODULE_PARAM_PREFIX, probe_rsa, ++ ¶m_array_ops, .arr = &__param_arr_probe_rsa, ++ 0444, -1); ++#endif ++} ++#else ++MODULE_ALIAS("8250"); ++#endif +-- +1.8.1.2 + diff --git a/freed-ora/current/f18/signal-always-clear-sa_restorer-on-execve.patch b/freed-ora/current/f18/signal-always-clear-sa_restorer-on-execve.patch new file mode 100644 index 000000000..658f97a96 --- /dev/null +++ b/freed-ora/current/f18/signal-always-clear-sa_restorer-on-execve.patch 
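Review bot: `.arr = &__param_arr_probe_rsa` in s8250_options() refers to an identifier the patch never declares. It appears to be the name generated by the `module_param_array(probe_rsa, ...)` line shown in the hunk header, so the new code depends on an internal of the module-parameter macros. That coupling should be stated next to the use, for example `/* __param_arr_probe_rsa is generated by module_param_array(probe_rsa, ...) above */`. The three `module_param_cb()` lines repeat the parameter names and the 0644 mode by hand, and the real definitions are outside the hunk, so a short comment saying they must mirror those definitions would keep the two lists from drifting apart.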
@@ -0,0 +1,113 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.169.233 with SMTP id ah9csp99159oac; + Mon, 11 Mar 2013 13:14:17 -0700 (PDT) +X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671; + Mon, 11 Mar 2013 13:14:16 -0700 (PDT) +Return-Path: <linux-kernel-owner@vger.kernel.org> +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10; + Mon, 11 Mar 2013 13:14:16 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754069Ab3CKUN4 (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others); + Mon, 11 Mar 2013 16:13:56 -0400 +Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1753913Ab3CKUN4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>); + Mon, 11 Mar 2013 16:13:56 -0400 +Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) + by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201; + Mon, 11 Mar 2013 13:13:43 -0700 +Date: Mon, 11 Mar 2013 13:13:42 -0700 +From: Kees Cook <keescook@chromium.org> +To: linux-kernel@vger.kernel.org +Cc: Al Viro <viro@zeniv.linux.org.uk>, Oleg Nesterov <oleg@redhat.com>, + Andrew Morton <akpm@linux-foundation.org>, + "Eric W. 
Biederman" <ebiederm@xmission.com>, + Serge Hallyn <serge.hallyn@canonical.com>, + Emese Revfy <re.emese@gmail.com>, + PaX Team <pageexec@freemail.hu>, jln@google.com +Subject: [PATCH v2] signal: always clear sa_restorer on execve +Message-ID: <20130311201342.GA19824@www.outflux.net> +MIME-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +X-MIMEDefang-Filter: outflux$Revision: 1.316 $ +X-HELO: www.outflux.net +X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: <linux-kernel.vger.kernel.org> +X-Mailing-List: linux-kernel@vger.kernel.org + +When the new signal handlers are set up, the location of sa_restorer +is not cleared, leaking a parent process's address space location to +children. This allows for a potential bypass of the parent's ASLR by +examining the sa_restorer value returned when calling sigaction(). + +Based on what should be considered "secret" about addresses, it only +matters across the exec not the fork (since the VMAs haven't changed +until the exec). But since exec sets SIG_DFL and keeps sa_restorer, +this is where it should be fixed. + +Given the few uses of sa_restorer, a "set" function was not written +since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER, +as already done in other places. + +Example of the leak before applying this patch: + +$ cat /proc/$$/maps +... +7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so +... +$ ./leak +... +7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so +... +1 0 (nil) 0x7fb9f30b94a0 +2 4000000 (nil) 0x7f278bcaa4a0 +3 4000000 (nil) 0x7f278bcaa4a0 +4 0 (nil) 0x7fb9f30b94a0 +... + +Signed-off-by: Kees Cook <keescook@chromium.org> +Reported-by: Emese Revfy <re.emese@gmail.com> +Cc: Emese Revfy <re.emese@gmail.com> +Cc: PaX Team <pageexec@freemail.hu> +Cc: stable@vger.kernel.org +--- +v2: + - clarify commit, explain use of #ifdef. 
+---
+ kernel/signal.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 2ec870a..8c8e3ca 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+ if (force_default || ka->sa.sa_handler != SIG_IGN)
+ ka->sa.sa_handler = SIG_DFL;
+ ka->sa.sa_flags = 0;
++#ifdef SA_RESTORER
++ ka->sa.sa_restorer = NULL;
++#endif
+ sigemptyset(&ka->sa.sa_mask);
+ ka++;
+ }
+--
+1.7.9.5
+
+
+--
+Kees Cook
+Chrome OS Security
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
diff --git a/freed-ora/current/f18/sources b/freed-ora/current/f18/sources
index f03d4bf7d..ac9d5dd82 100644
--- a/freed-ora/current/f18/sources
+++ b/freed-ora/current/f18/sources
@@ -1,2 +1,2 @@
 84c2a77910932ffc7d958744ac9cf2f5 linux-libre-3.8-gnu.tar.xz
-e282fcff76e975e121e0636018e31a56 patch-3.8.2.xz
+ba18b5d27ed303f5e5a9cda32a451031 patch-3.8.3.xz
diff --git a/freed-ora/current/f18/uvcvideo-suspend-fix.patch b/freed-ora/current/f18/uvcvideo-suspend-fix.patch
new file mode 100644
index 000000000..e8d825217
--- /dev/null
+++ b/freed-ora/current/f18/uvcvideo-suspend-fix.patch
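Review bot: The guard added in flush_signal_handlers() (kernel/signal.c) is `#ifdef SA_RESTORER`, while the patch description says the code uses `__ARCH_HAS_SA_RESTORER`. These are different macros, and the one that is tested decides on which architectures `ka->sa.sa_restorer = NULL;` is compiled in. If an architecture has the sa_restorer field but does not define the macro being tested, the field stays uncleared there and the address leak across execve described in the message remains. Either the guard or the description should be corrected, after checking which macro this tree defines for every architecture that has the field. The function body continues outside the hunk.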
@@ -0,0 +1,38 @@
+From a82a45f65377b05fe8cd3167c7b0a70c508356b8 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oliver@neukum.org>
+Date: Thu, 10 Jan 2013 07:04:55 -0300
+Subject: [PATCH] [media] uvcvideo: Fix race of open and suspend in error case
+
+Ming Lei reported:
+IMO, there is a minor fault in the error handling path of
+uvc_status_start() inside uvc_v4l2_open(), and the 'users' count should
+have been decreased before usb_autopm_put_interface(). In theory, a [URB
+resubmission] warning can be triggered when the device is opened just
+between usb_autopm_put_interface() and atomic_dec(&stream->dev->users).
+The fix is trivial.
+
+Reported-by: Ming Lei <tom.leiming@gmail.com>
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index 97a4ffd..b2dc326 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -501,8 +501,8 @@ static int uvc_v4l2_open(struct file *file)
+ if (atomic_inc_return(&stream->dev->users) == 1) {
+ ret = uvc_status_start(stream->dev);
+ if (ret < 0) {
+- usb_autopm_put_interface(stream->dev->intf);
+ atomic_dec(&stream->dev->users);
++ usb_autopm_put_interface(stream->dev->intf);
+ kfree(handle);
+ return ret;
+ }
+--
+1.8.1.2
+
diff --git a/freed-ora/current/f18/w1-fix-oops-when-w1_search-is-called-from.patch b/freed-ora/current/f18/w1-fix-oops-when-w1_search-is-called-from.patch
new file mode 100644
index 000000000..0a54eff17
--- /dev/null
+++ b/freed-ora/current/f18/w1-fix-oops-when-w1_search-is-called-from.patch
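Review bot: In the uvc_v4l2_open() error path carried by uvcvideo-suspend-fix.patch, moving `atomic_dec(&stream->dev->users)` ahead of `usb_autopm_put_interface()` narrows the window but still leaves the counter and `uvc_status_start()` unserialised. A second open that runs `atomic_inc_return()` while the first caller is still inside `uvc_status_start()` gets a value other than 1, skips the start, and appears able to return success even if the first caller then fails and decrements. Closing that needs a lock held across the count test and the start call rather than an atomic alone; until then I would add `/* users is atomic, but uvc_status_start() is not serialised with it: a concurrent open can pass before this start has succeeded */` above the `atomic_inc_return()` line. The function begins and ends outside the hunk, so whether an outer lock already covers this is not visible here.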
@@ -0,0 +1,111 @@
+
+Delivered-To: jwboyer@gmail.com
+Received: by 10.101.212.35 with SMTP id o35csp6769anq;
+ Sat, 2 Mar 2013 05:50:51 -0800 (PST)
+X-Received: by 10.68.137.42 with SMTP id qf10mr19122124pbb.80.1362232251119;
+ Sat, 02 Mar 2013 05:50:51 -0800 (PST)
+Return-Path: <linux-kernel-owner@vger.kernel.org>
+Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
+ by mx.google.com with ESMTP id pu7si8560937pbc.232.2013.03.02.05.50.50;
+ Sat, 02 Mar 2013 05:50:51 -0800 (PST)
+Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
+Authentication-Results: mx.google.com;
+ spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org;
+ dkim=neutral (body hash did not verify) header.i=@gmail.com
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1752198Ab3CBNuU (ORCPT <rfc822;bloodsquadron@gmail.com>
+ + 99 others); Sat, 2 Mar 2013 08:50:20 -0500
+Received: from mail-ee0-f48.google.com ([74.125.83.48]:46431 "EHLO
+ mail-ee0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1752038Ab3CBNuT (ORCPT
+ <rfc822;linux-kernel@vger.kernel.org>);
+ Sat, 2 Mar 2013 08:50:19 -0500
+Received: by mail-ee0-f48.google.com with SMTP id t10so2921534eei.7
+ for <linux-kernel@vger.kernel.org>; Sat, 02 Mar 2013 05:50:18 -0800 (PST)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=gmail.com; s=20120113;
+ h=x-received:date:from:to:cc:subject:message-id:references
+ :mime-version:content-type:content-disposition:in-reply-to
+ :user-agent;
+ bh=8ABPYEMGQsyhtGtpdGpnD1kQchBrqYm9rJ3sEUcIQOc=;
+ b=hx/4GjbvaME9C3c+WOrfUkkwnJ5jJXefsOhCKmPCE8kmswk3Tvm11198r4+y1jM/Bl
+ 1wtIYby6sFgA08JUldm09fPpsKfbdeDnFAI5WmUAGJjahFXXRrQPocI6E0+s2BcM+t3H
+ Ii8g8ZvYJ+YMgbbSmp7mwMv98aa0+qdY6TIF4P/wNwAWrsjFh5TBgc/QyB0MzyQQ2tMp
+ LfA7n/2sH11vofS6FLSaWhtwGIIexPZ+oxWpvwBcCIYX+gTrSHPZqnLQkvhQ5oZDx7WF
+ 6QlNEqlmL+usW1ApRCAwcL4jOaORDAC2MytGH4jdZNic0PqdzonfbJTRE6YmZ45FHtNG
+ l+6w==
+X-Received: by 10.15.101.204 with SMTP id bp52mr38431150eeb.31.1362232218031;
+ Sat, 02 Mar 2013 05:50:18 -0800 (PST)
+Received: from gmail.com (aek101.neoplus.adsl.tpnet.pl. [83.25.114.101])
+ by mx.google.com with ESMTPS id o3sm22363368eem.15.2013.03.02.05.50.16
+ (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
+ Sat, 02 Mar 2013 05:50:17 -0800 (PST)
+Date: Sat, 2 Mar 2013 14:50:15 +0100
+From: Marcin Jurkowski <marcin1j@gmail.com>
+To: Sven Geggus <lists@fuchsschwanzdomain.de>
+Cc: Evgeniy Polyakov <zbr@ioremap.net>, linux-kernel@vger.kernel.org
+Subject: [PATCH 1/1] w1: fix oops when w1_search is called from netlink
+ connector
+Message-ID: <20130302135015.GA21448@gmail.com>
+References: <20130116141627.GA23638@ioremap.net>
+ <20130302001103.GB18026@gmail.com>
+ <20130302094510.GA4695@geggus.net>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20130302094510.GA4695@geggus.net>
+User-Agent: Mutt/1.5.21 (2010-09-15)
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+
+On Sat, Mar 02, 2013 at 10:45:10AM +0100, Sven Geggus wrote:
+> This is the bad commit I found doing git bisect:
+> 04f482faf50535229a5a5c8d629cf963899f857c is the first bad commit
+> commit 04f482faf50535229a5a5c8d629cf963899f857c
+> Author: Patrick McHardy <kaber@trash.net>
+> Date: Mon Mar 28 08:39:36 2011 +0000
+
+Good job. I was too lazy to bisect for bad commit;)
+
+Reading the code I found problematic kthread_should_stop call from netlink
+connector which causes the oops. After applying a patch, I've been testing
+owfs+w1 setup for nearly two days and it seems to work very reliable (no
+hangs, no memleaks etc).
+More detailed description and possible fix is given below:
+
+Function w1_search can be called from either kthread or netlink callback.
+While the former works fine, the latter causes oops due to kthread_should_stop
+invocation.
+
+This patch adds a check if w1_search is serving netlink command, skipping
+kthread_should_stop invocation if so.
+
+Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
+---
+ drivers/w1/w1.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 7994d933..7e2220d 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -924,7 +924,8 @@ void w1_search(struct w1_master *dev, u8 search_type, w1_slave_found_callback cb
+ tmp64 = (triplet_ret >> 2);
+ rn |= (tmp64 << i);
+
+- if (kthread_should_stop()) {
++ /* ensure we're called from kthread and not by netlink callback */
++ if (!dev->priv && kthread_should_stop()) {
+ mutex_unlock(&dev->bus_mutex);
+ dev_dbg(&dev->dev, "Abort w1_search\n");
+ return;
+--
+1.7.12.4
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/ |
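Review bot: The new guard `if (!dev->priv && kthread_should_stop())` in w1_search() treats `dev->priv` as the sign that a netlink command is being served, but nothing in the hunk shows where that field is set or cleared, and the added comment does not name it. If `priv` were left NULL on the netlink path the oops described in the commit message would return, and if it were left set while the kthread runs the search the kthread could no longer abort it. I would spell the dependency out, for example `/* dev->priv is non-NULL only while a netlink command is served (set by the netlink handler, to be confirmed); kthread_should_stop() is only valid in a kthread */`, and confirm that both callers hold the same lock around `priv`. w1_search() starts and ends outside the hunk.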