diff options
| author | Alexandre Oliva <lxoliva@fsfla.org> | 2013-10-17 10:02:18 +0000 |
|---|---|---|
| committer | Alexandre Oliva <lxoliva@fsfla.org> | 2013-10-17 10:02:18 +0000 |
| commit | a1517fb80847d69778aff771f1f31db0c6934005 (patch) | |
| tree | 33e453dd10a7ffb124b9604a8c8ba6bd07091974 /freed-ora/current/f18 | |
| parent | 56804c14c5200c8953f7369e45e744a84aa8b298 (diff) | |
| download | linux-libre-raptor-a1517fb80847d69778aff771f1f31db0c6934005.tar.gz linux-libre-raptor-a1517fb80847d69778aff771f1f31db0c6934005.zip | |
3.11.5-100.fc18.gnu
Diffstat (limited to 'freed-ora/current/f18')
10 files changed, 55 insertions, 681 deletions
diff --git a/freed-ora/current/f18/bonding-driver-promisc.patch b/freed-ora/current/f18/bonding-driver-promisc.patch deleted file mode 100644 index 38315c906..000000000 --- a/freed-ora/current/f18/bonding-driver-promisc.patch +++ /dev/null @@ -1,73 +0,0 @@ -commit 5a0068deb611109c5ba77358be533f763f395ee4 -Author: Neil Horman <nhorman@tuxdriver.com> -Date: Fri Sep 27 12:22:15 2013 -0400 - - bonding: Fix broken promiscuity reference counting issue - - Recently grabbed this report: - https://bugzilla.redhat.com/show_bug.cgi?id=1005567 - - Of an issue in which the bonding driver, with an attached vlan encountered the - following errors when bond0 was taken down and back up: - - dummy1: promiscuity touches roof, set promiscuity failed. promiscuity feature of - device might be broken. - - The error occurs because, during __bond_release_one, if we release our last - slave, we take on a random mac address and issue a NETDEV_CHANGEADDR - notification. With an attached vlan, the vlan may see that the vlan and bond - mac address were in sync, but no longer are. This triggers a call to dev_uc_add - and dev_set_rx_mode, which enables IFF_PROMISC on the bond device. Then, when - we complete __bond_release_one, we use the current state of the bond flags to - determine if we should decrement the promiscuity of the releasing slave. But - since the bond changed promiscuity state during the release operation, we - incorrectly decrement the slave promisc count when it wasn't in promiscuous mode - to begin with, causing the above error - - Fix is pretty simple, just cache the bonding flags at the start of the function - and use those when determining the need to set promiscuity. - - This is also needed for the ALLMULTI flag - - CC: Jay Vosburgh <fubar@us.ibm.com> - CC: Andy Gospodarek <andy@greyhouse.net> - CC: Mark Wu <wudxw@linux.vnet.ibm.com> - CC: "David S. Miller" <davem@davemloft.net> - Reported-by: Mark Wu <wudxw@linux.vnet.ibm.com> - - Signed-off-by: David S. Miller <davem@davemloft.net> - -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 55bbb8b..e883bfe 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -1724,6 +1724,7 @@ static int __bond_release_one(struct net_device *bond_dev, - struct bonding *bond = netdev_priv(bond_dev); - struct slave *slave, *oldcurrent; - struct sockaddr addr; -+ int old_flags = bond_dev->flags; - netdev_features_t old_features = bond_dev->features; - - /* slave is not a slave or master is not master of this slave */ -@@ -1855,12 +1856,18 @@ static int __bond_release_one(struct net_device *bond_dev, - * bond_change_active_slave(..., NULL) - */ - if (!USES_PRIMARY(bond->params.mode)) { -- /* unset promiscuity level from slave */ -- if (bond_dev->flags & IFF_PROMISC) -+ /* unset promiscuity level from slave -+ * NOTE: The NETDEV_CHANGEADDR call above may change the value -+ * of the IFF_PROMISC flag in the bond_dev, but we need the -+ * value of that flag before that change, as that was the value -+ * when this slave was attached, so we cache at the start of the -+ * function and use it here. Same goes for ALLMULTI below -+ */ -+ if (old_flags & IFF_PROMISC) - dev_set_promiscuity(slave_dev, -1); - - /* unset allmulti level from slave */ -- if (bond_dev->flags & IFF_ALLMULTI) -+ if (old_flags & IFF_ALLMULTI) - dev_set_allmulti(slave_dev, -1); - - bond_hw_addr_flush(bond_dev, slave_dev); diff --git a/freed-ora/current/f18/cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch b/freed-ora/current/f18/cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch new file mode 100644 index 000000000..dcc6b84b6 --- /dev/null +++ b/freed-ora/current/f18/cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch @@ -0,0 +1,40 @@ +From cb8e390d258b7f8073afafcbb163976e27346e9d Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Fri, 11 Oct 2013 08:37:53 -0400 +Subject: [PATCH] cpupower: Fix segfault due to incorrect getopt_long arugments + +If a user calls 'cpupower set --perf-bias 15', the process will end with a +SIGSEGV in libc because cpupower-set passes a NULL optarg to the atoi call. +This is because the getopt_long structure currently has all of the options +as having an optional_argument when they really have a required argument. +We change the structure to use required_argument to match the short options +and it resolves the issue. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1000439 + +Cc: stable@vger.kernel.org +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + tools/power/cpupower/utils/cpupower-set.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/power/cpupower/utils/cpupower-set.c b/tools/power/cpupower/utils/cpupower-set.c +index dc4de37..bcf1d2f 100644 +--- a/tools/power/cpupower/utils/cpupower-set.c ++++ b/tools/power/cpupower/utils/cpupower-set.c +@@ -18,9 +18,9 @@ + #include "helpers/bitmask.h" + + static struct option set_opts[] = { +- { .name = "perf-bias", .has_arg = optional_argument, .flag = NULL, .val = 'b'}, +- { .name = "sched-mc", .has_arg = optional_argument, .flag = NULL, .val = 'm'}, +- { .name = "sched-smt", .has_arg = optional_argument, .flag = NULL, .val = 's'}, ++ { .name = "perf-bias", .has_arg = required_argument, .flag = NULL, .val = 'b'}, ++ { .name = "sched-mc", .has_arg = required_argument, .flag = NULL, .val = 'm'}, ++ { .name = "sched-smt", .has_arg = required_argument, .flag = NULL, .val = 's'}, + { }, + }; + +-- +1.8.3.1 + diff --git a/freed-ora/current/f18/cve-2013-2147-ciss-info-leak.patch b/freed-ora/current/f18/cve-2013-2147-ciss-info-leak.patch deleted file mode 100644 index ee49d3bfb..000000000 --- a/freed-ora/current/f18/cve-2013-2147-ciss-info-leak.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c -index 639d26b..2b94403 100644 ---- a/drivers/block/cpqarray.c -+++ b/drivers/block/cpqarray.c -@@ -1193,6 +1193,7 @@ out_passthru: - ida_pci_info_struct pciinfo; - - if (!arg) return -EINVAL; -+ memset(&pciinfo, 0, sizeof(pciinfo)); - pciinfo.bus = host->pci_dev->bus->number; - pciinfo.dev_fn = host->pci_dev->devfn; - pciinfo.board_id = host->board_id; - - diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c -index 6374dc1..34971aa 100644 ---- a/drivers/block/cciss.c -+++ b/drivers/block/cciss.c -@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, - int err; - u32 cp; - -+ memset(&arg64, 0, sizeof(arg64)); - err = 0; - err |= - copy_from_user(&arg64.LUN_info, &arg32->LUN_info, - -
\ No newline at end of file diff --git a/freed-ora/current/f18/drm-nouveau-bios-init-stub-opcode-0xaa.patch b/freed-ora/current/f18/drm-nouveau-bios-init-stub-opcode-0xaa.patch deleted file mode 100644 index 2daa6ed1d..000000000 --- a/freed-ora/current/f18/drm-nouveau-bios-init-stub-opcode-0xaa.patch +++ /dev/null @@ -1,109 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.11.131 with SMTP id q3csp149379oab; - Mon, 7 Oct 2013 23:45:24 -0700 (PDT) -X-Received: by 10.68.185.36 with SMTP id ez4mr69490pbc.144.1381214724506; - Mon, 07 Oct 2013 23:45:24 -0700 (PDT) -Return-Path: <stable-owner@vger.kernel.org> -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id rz6si25872020pab.249.1969.12.31.16.00.00; - Mon, 07 Oct 2013 23:45:24 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org; - dkim=neutral (bad format) header.i=@gmail.com; - dmarc=fail (p=NONE dis=NONE) header.from=gmail.com -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754014Ab3JHGow (ORCPT <rfc822;lembacon@gmail.com> + 60 others); - Tue, 8 Oct 2013 02:44:52 -0400 -Received: from mail-pa0-f42.google.com ([209.85.220.42]:35990 "EHLO - mail-pa0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1753696Ab3JHGov (ORCPT - <rfc822;stable@vger.kernel.org>); Tue, 8 Oct 2013 02:44:51 -0400 -Received: by mail-pa0-f42.google.com with SMTP id lj1so8433751pab.15 - for <stable@vger.kernel.org>; Mon, 07 Oct 2013 23:44:51 -0700 (PDT) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=gmail.com; s=20120113; - h=from:to:cc:subject:date:message-id; - bh=DRveULH9ZaYYXMJRsSw3WWLRMs5ifsnU9G+VUu1PKtk=; - b=oCDYfvF1KXEUN6PZU0jit8kMHSKTzIWcR078uMTxLpTjheGcoLWW0efoqsO4Dac3jp - +4dHm3NSdeqk4e+aCjnvZw7He+nMGmbWhrf1vx49XCOE4s+YvC/AgSI78pku8BQE/plZ - w8F+64e+wNze1FfRAxPPM/PoLdBiuBfvUL18htMmYi/rgq0VRkNk2UwbzvGk5AJE+vwL - esavQLjvCuJZTc7i2J9Us53dUcY4aQuYlESFvOUlbDnkkgm5Htrsnyd2Eq7k61/hr0MR - /nIFNBXuhIadU5bvf6jpMT+toIK+PA176Yt9eyEgdOAxNXdn5g15mO93/WEyXf7idBfk - JLZA== -X-Received: by 10.68.232.132 with SMTP id to4mr7840579pbc.141.1381214691006; - Mon, 07 Oct 2013 23:44:51 -0700 (PDT) -Received: from turiel.redhat.com (124-148-32-6.dyn.iinet.net.au. [124.148.32.6]) - by mx.google.com with ESMTPSA id j9sm44764711paj.18.1969.12.31.16.00.00 - (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); - Mon, 07 Oct 2013 23:44:50 -0700 (PDT) -From: Ben Skeggs <skeggsb@gmail.com> -To: stable@vger.kernel.org -Cc: Ben Skeggs <bskeggs@redhat.com> -Subject: [PATCH] drm/nouveau/bios/init: stub opcode 0xaa -Date: Tue, 8 Oct 2013 16:45:08 +1000 -Message-Id: <1381214708-2990-1-git-send-email-skeggsb@gmail.com> -X-Mailer: git-send-email 1.8.3.2 -Sender: stable-owner@vger.kernel.org -Precedence: bulk -List-ID: <stable.vger.kernel.org> -X-Mailing-List: stable@vger.kernel.org - -From: Ben Skeggs <bskeggs@redhat.com> - -Seen on a large number of recent boards, when triggered results in -nouveau aborting the card cold boot, giving unpredictable results -(oopses in the reported cases) later. - -commit 5495e39fb3695182b9f2a72fe4169056cada37a1 upstream - -Signed-off-by: Ben Skeggs <bskeggs@redhat.com> ---- - drivers/gpu/drm/nouveau/core/subdev/bios/init.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c -index 0687e64..8f06cca 100644 ---- a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c -+++ b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c -@@ -579,8 +579,22 @@ static void - init_reserved(struct nvbios_init *init) - { - u8 opcode = nv_ro08(init->bios, init->offset); -- trace("RESERVED\t0x%02x\n", opcode); -- init->offset += 1; -+ u8 length, i; -+ -+ switch (opcode) { -+ case 0xaa: -+ length = 4; -+ break; -+ default: -+ length = 1; -+ break; -+ } -+ -+ trace("RESERVED 0x%02x\t", opcode); -+ for (i = 1; i < length; i++) -+ cont(" 0x%02x", nv_ro08(init->bios, init->offset + i)); -+ cont("\n"); -+ init->offset += length; - } - - /** -@@ -2135,6 +2149,7 @@ static struct nvbios_init_opcode { - [0x99] = { init_zm_auxch }, - [0x9a] = { init_i2c_long_if }, - [0xa9] = { init_gpio_ne }, -+ [0xaa] = { init_reserved }, - }; - - #define init_opcode_nr (sizeof(init_opcode) / sizeof(init_opcode[0])) --- -1.8.3.2 - --- -To unsubscribe from this list: send the line "unsubscribe stable" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/freed-ora/current/f18/ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch b/freed-ora/current/f18/ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch deleted file mode 100644 index 9310e05a7..000000000 --- a/freed-ora/current/f18/ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 2811ebac2521ceac84f2bdae402455baa6a7fb47 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa <hannes@stressinduktion.org> -Date: Sat, 21 Sep 2013 06:27:00 +0200 -Subject: [PATCH] ipv6: udp packets following an UFO enqueued packet need also - be handled by UFO - -In the following scenario the socket is corked: -If the first UDP packet is larger then the mtu we try to append it to the -write queue via ip6_ufo_append_data. A following packet, which is smaller -than the mtu would be appended to the already queued up gso-skb via -plain ip6_append_data. This causes random memory corruptions. - -In ip6_ufo_append_data we also have to be careful to not queue up the -same skb multiple times. So setup the gso frame only when no first skb -is available. - -This also fixes a shortcoming where we add the current packet's length to -cork->length but return early because of a packet > mtu with dontfrag set -(instead of sutracting it again). - -Found with trinity. - -Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> -Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv6/ip6_output.c | 53 +++++++++++++++++++++------------------------------ - 1 file changed, 22 insertions(+), 31 deletions(-) - -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 3a692d5..a54c45c 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1015,6 +1015,8 @@ static inline int ip6_ufo_append_data(struct sock *sk, - * udp datagram - */ - if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) { -+ struct frag_hdr fhdr; -+ - skb = sock_alloc_send_skb(sk, - hh_len + fragheaderlen + transhdrlen + 20, - (flags & MSG_DONTWAIT), &err); -@@ -1036,12 +1038,6 @@ static inline int ip6_ufo_append_data(struct sock *sk, - skb->protocol = htons(ETH_P_IPV6); - skb->ip_summed = CHECKSUM_PARTIAL; - skb->csum = 0; -- } -- -- err = skb_append_datato_frags(sk,skb, getfrag, from, -- (length - transhdrlen)); -- if (!err) { -- struct frag_hdr fhdr; - - /* Specify the length of each IPv6 datagram fragment. - * It has to be a multiple of 8. -@@ -1052,15 +1048,10 @@ static inline int ip6_ufo_append_data(struct sock *sk, - ipv6_select_ident(&fhdr, rt); - skb_shinfo(skb)->ip6_frag_id = fhdr.identification; - __skb_queue_tail(&sk->sk_write_queue, skb); -- -- return 0; - } -- /* There is not enough support do UPD LSO, -- * so follow normal path -- */ -- kfree_skb(skb); - -- return err; -+ return skb_append_datato_frags(sk, skb, getfrag, from, -+ (length - transhdrlen)); - } - - static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src, -@@ -1227,27 +1218,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, - * --yoshfuji - */ - -- cork->length += length; -- if (length > mtu) { -- int proto = sk->sk_protocol; -- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){ -- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen); -- return -EMSGSIZE; -- } -- -- if (proto == IPPROTO_UDP && -- (rt->dst.dev->features & NETIF_F_UFO)) { -+ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP || -+ sk->sk_protocol == IPPROTO_RAW)) { -+ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen); -+ return -EMSGSIZE; -+ } - -- err = ip6_ufo_append_data(sk, getfrag, from, length, -- hh_len, fragheaderlen, -- transhdrlen, mtu, flags, rt); -- if (err) -- goto error; -- return 0; -- } -+ skb = skb_peek_tail(&sk->sk_write_queue); -+ cork->length += length; -+ if (((length > mtu) || -+ (skb && skb_is_gso(skb))) && -+ (sk->sk_protocol == IPPROTO_UDP) && -+ (rt->dst.dev->features & NETIF_F_UFO)) { -+ err = ip6_ufo_append_data(sk, getfrag, from, length, -+ hh_len, fragheaderlen, -+ transhdrlen, mtu, flags, rt); -+ if (err) -+ goto error; -+ return 0; - } - -- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) -+ if (!skb) - goto alloc_new_skb; - - while (length > 0) { --- -1.8.3.1 - diff --git a/freed-ora/current/f18/kernel.spec b/freed-ora/current/f18/kernel.spec index 147442701..0e3860760 100644 --- a/freed-ora/current/f18/kernel.spec +++ b/freed-ora/current/f18/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 101 +%global baserelease 100 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -112,7 +112,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -790,9 +790,6 @@ Patch22247: ath9k_rx_dma_stop_check.patch #rhbz 927469 Patch25007: fix-child-thread-introspection.patch -#CVE-2013-2147 rhbz 971242 971249 -Patch25032: cve-2013-2147-ciss-info-leak.patch - #rhbz 977040 Patch25056: iwl3945-better-skb-management-in-rx-path.patch Patch25057: iwl4965-better-skb-management-in-rx-path.patch @@ -800,12 +797,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4343 rhbz 1007733 1007741 -Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch - -#CVE-2013-4350 rhbz 1007872 1007903 -Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch - #CVE-2013-4345 rhbz 1007690 1009136 Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch @@ -818,9 +809,6 @@ Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch #rhbz 1010431 Patch25108: Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch -#rhbz 1008323 -Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch - #rhbz 902012 Patch25114: elevator-Fix-a-race-in-elevator-switching-and-md.patch Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch @@ -828,21 +816,12 @@ Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch #rhbz 974072 Patch25117: rt2800-add-support-for-rf3070.patch -#rhbz 1005567 -Patch25118: bonding-driver-promisc.patch - -#CVE-2013-4387 rhbz 1011927 1015166 -Patch25121: ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch - #rhbz 1015989 Patch25122: netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch #rhbz 982153 Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch -#rhbz 1015920 -Patch25124: drm-nouveau-bios-init-stub-opcode-0xaa.patch - #rhbz 998732 Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch @@ -853,6 +832,9 @@ Patch25127: 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch #rhbz 993744 Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch +#rhbz 1000439 +Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch + # END OF PATCH DEFINITIONS %endif @@ -1580,9 +1562,6 @@ ApplyPatch ath9k_rx_dma_stop_check.patch #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch -#CVE-2013-2147 rhbz 971242 971249 -ApplyPatch cve-2013-2147-ciss-info-leak.patch - #rhbz 977040 ApplyPatch iwl3945-better-skb-management-in-rx-path.patch ApplyPatch iwl4965-better-skb-management-in-rx-path.patch @@ -1590,12 +1569,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4343 rhbz 1007733 1007741 -ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch - -#CVE-2013-4350 rhbz 1007872 1007903 -ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch - #CVE-2013-4345 rhbz 1007690 1009136 ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch @@ -1608,9 +1581,6 @@ ApplyPatch Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch #rhbz 971893 ApplyPatch bonding-driver-alb-learning.patch -#rhbz 1008323 -ApplyPatch skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch - #rhbz 902012 ApplyPatch elevator-Fix-a-race-in-elevator-switching-and-md.patch ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch @@ -1618,21 +1588,12 @@ ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch #rhbz 974072 ApplyPatch rt2800-add-support-for-rf3070.patch -#rhbz 1005567 -ApplyPatch bonding-driver-promisc.patch - -#CVE-2013-4387 rhbz 1011927 1015166 -ApplyPatch ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch - #rhbz 1015989 ApplyPatch netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch #rhbz 982153 ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch -#rhbz 1015920 -ApplyPatch drm-nouveau-bios-init-stub-opcode-0xaa.patch - #rhbz 998732 ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch @@ -1643,6 +1604,9 @@ ApplyPatch 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch #rhbz 993744 ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch +#rhbz 1000439 +ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch + # END OF PATCH APPLICATIONS %endif @@ -2495,6 +2459,12 @@ fi # ||----w | # || || %changelog +* Mon Oct 14 2013 Justin M. Forbes <jforbes@fedoraproject.org> - 3.11.5-100 +- Linux v3.11.5 + +* Fri Oct 11 2013 Josh Boyer <jwboyer@fedoraproject.org> +- Fix segfault in cpupower set (rhbz 1000439) + * Thu Oct 10 2013 Justin M. Forbes <jforbes@fedoraproject.org> - 3.11.4-101 - Fix linux-firmware requirement diff --git a/freed-ora/current/f18/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch b/freed-ora/current/f18/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch deleted file mode 100644 index 671ee98db..000000000 --- a/freed-ora/current/f18/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch +++ /dev/null @@ -1,186 +0,0 @@ -From 95ee62083cb6453e056562d91f597552021e6ae7 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann <dborkman@redhat.com> -Date: Wed, 11 Sep 2013 14:58:36 +0000 -Subject: net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit - -Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not -being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport -does not seem to have the desired effect: - -SCTP + IPv4: - - 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) - 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 - 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) - 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): - -SCTP + IPv6: - - 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) - fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp - 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] - -Moreover, Alan says: - - This problem was seen with both Racoon and Racoon2. Other people have seen - this with OpenSwan. When IPsec is configured to encrypt all upper layer - protocols the SCTP connection does not initialize. After using Wireshark to - follow packets, this is because the SCTP packet leaves Box A unencrypted and - Box B believes all upper layer protocols are to be encrypted so it drops - this packet, causing the SCTP connection to fail to initialize. When IPsec - is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. - -In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" -string on the other end, results in cleartext on the wire where SCTP eventually -does not report any errors, thus in the latter case that Alan reports, the -non-paranoid user might think he's communicating over an encrypted transport on -SCTP although he's not (tcpdump ... -X): - - ... - 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... - 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... - -Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the -receiver side. Initial follow-up analysis from Alan's bug report was done by -Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. - -SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). -This has the implication that it probably never really got updated along with -changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. - -SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since -a call to inet6_csk_xmit() would solve this problem, but result in unecessary -route lookups, let us just use the cached flowi6 instead that we got through -sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), -we do the route lookup / flow caching in sctp_transport_route(), hold it in -tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in -sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect -of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() -instead to get the correct source routed dst entry, which we assign to the skb. - -Also source address routing example from 625034113 ("sctp: fix sctp to work with -ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 -it is actually 'recommended' to not use that anyway due to traffic amplification [1]. -So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if -we overwrite the flow destination here, the lower IPv6 layer will be unable to -put the correct destination address into IP header, as routing header is added in -ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, -result of this patch is that we do not have any XfrmInTmplMismatch increase plus on -the wire with this patch it now looks like: - -SCTP + IPv6: - - 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: - AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 - 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: - AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 - -This fixes Kernel Bugzilla 24412. This security issue seems to be present since -2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have -its fun with that. lksctp-tools IPv6 regression test suite passes as well with -this patch. - - [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf - -Reported-by: Alan Chester <alan.chester@tekelec.com> -Reported-by: Alexey Dobriyan <adobriyan@gmail.com> -Signed-off-by: Daniel Borkmann <dborkman@redhat.com> -Cc: Steffen Klassert <steffen.klassert@secunet.com> -Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> -Acked-by: Vlad Yasevich <vyasevich@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- -diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index da613ce..4f52e2c 100644 ---- a/net/sctp/ipv6.c -+++ b/net/sctp/ipv6.c -@@ -204,44 +204,23 @@ out: - in6_dev_put(idev); - } - --/* Based on tcp_v6_xmit() in tcp_ipv6.c. */ - static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport) - { - struct sock *sk = skb->sk; - struct ipv6_pinfo *np = inet6_sk(sk); -- struct flowi6 fl6; -- -- memset(&fl6, 0, sizeof(fl6)); -- -- fl6.flowi6_proto = sk->sk_protocol; -- -- /* Fill in the dest address from the route entry passed with the skb -- * and the source address from the transport. -- */ -- fl6.daddr = transport->ipaddr.v6.sin6_addr; -- fl6.saddr = transport->saddr.v6.sin6_addr; -- -- fl6.flowlabel = np->flow_label; -- IP6_ECN_flow_xmit(sk, fl6.flowlabel); -- if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL) -- fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id; -- else -- fl6.flowi6_oif = sk->sk_bound_dev_if; -- -- if (np->opt && np->opt->srcrt) { -- struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt; -- fl6.daddr = *rt0->addr; -- } -+ struct flowi6 *fl6 = &transport->fl.u.ip6; - - pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb, -- skb->len, &fl6.saddr, &fl6.daddr); -+ skb->len, &fl6->saddr, &fl6->daddr); - -- SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); -+ IP6_ECN_flow_xmit(sk, fl6->flowlabel); - - if (!(transport->param_flags & SPP_PMTUD_ENABLE)) - skb->local_df = 1; - -- return ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); -+ SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); -+ -+ return ip6_xmit(sk, skb, fl6, np->opt, np->tclass); - } - - /* Returns the dst cache entry for the given source and destination ip -@@ -254,10 +233,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, - struct dst_entry *dst = NULL; - struct flowi6 *fl6 = &fl->u.ip6; - struct sctp_bind_addr *bp; -+ struct ipv6_pinfo *np = inet6_sk(sk); - struct sctp_sockaddr_entry *laddr; - union sctp_addr *baddr = NULL; - union sctp_addr *daddr = &t->ipaddr; - union sctp_addr dst_saddr; -+ struct in6_addr *final_p, final; - __u8 matchlen = 0; - __u8 bmatchlen; - sctp_scope_t scope; -@@ -281,7 +262,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, - pr_debug("src=%pI6 - ", &fl6->saddr); - } - -- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false); -+ final_p = fl6_update_dst(fl6, np->opt, &final); -+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false); - if (!asoc || saddr) - goto out; - -@@ -333,10 +315,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, - } - } - rcu_read_unlock(); -+ - if (baddr) { - fl6->saddr = baddr->v6.sin6_addr; - fl6->fl6_sport = baddr->v6.sin6_port; -- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false); -+ final_p = fl6_update_dst(fl6, np->opt, &final); -+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false); - } - - out: --- -cgit v0.9.2 diff --git a/freed-ora/current/f18/skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch b/freed-ora/current/f18/skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch deleted file mode 100644 index 908e0c751..000000000 --- a/freed-ora/current/f18/skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 3361dc9538832a2a9150a8c722374ca844bf8dc8 Mon Sep 17 00:00:00 2001 -From: Mikulas Patocka <mpatocka@redhat.com> -Date: Fri, 20 Sep 2013 17:53:22 +0000 -Subject: skge: fix invalid value passed to pci_unmap_sigle - -In my patch c194992cbe71c20bb3623a566af8d11b0bfaa721 ("skge: fix -broken driver") I didn't fix the skge bug correctly. The value of the -new mapping (not old) was passed to pci_unmap_single. - -If we enable CONFIG_DMA_API_DEBUG, it results in this warning: -WARNING: CPU: 0 PID: 0 at lib/dma-debug.c:986 check_sync+0x4c4/0x580() -skge 0000:02:07.0: DMA-API: device driver tries to sync DMA memory it has -not allocated [device address=0x000000023a0096c0] [size=1536 bytes] - -This patch makes the skge driver pass the correct value to -pci_unmap_single and fixes the warning. It copies the old descriptor to -on-stack variable "ee" and unmaps it if mapping of the new descriptor -succeeded. - -This patch should be backported to 3.11-stable. - -Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> -Reported-by: Francois Romieu <romieu@fr.zoreil.com> -Tested-by: Mikulas Patocka <mpatocka@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- -diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c -index 1a9c4f6..ecc7f7b 100644 ---- a/drivers/net/ethernet/marvell/skge.c -+++ b/drivers/net/ethernet/marvell/skge.c -@@ -3086,13 +3086,16 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, - PCI_DMA_FROMDEVICE); - skge_rx_reuse(e, skge->rx_buf_size); - } else { -+ struct skge_element ee; - struct sk_buff *nskb; - - nskb = netdev_alloc_skb_ip_align(dev, skge->rx_buf_size); - if (!nskb) - goto resubmit; - -- skb = e->skb; -+ ee = *e; -+ -+ skb = ee.skb; - prefetch(skb->data); - - if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) { -@@ -3101,8 +3104,8 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, - } - - pci_unmap_single(skge->hw->pdev, -- dma_unmap_addr(e, mapaddr), -- dma_unmap_len(e, maplen), -+ dma_unmap_addr(&ee, mapaddr), -+ dma_unmap_len(&ee, maplen), - PCI_DMA_FROMDEVICE); - } - --- -cgit v0.9.2 diff --git a/freed-ora/current/f18/sources b/freed-ora/current/f18/sources index 7680bba0c..21b4fe84a 100644 --- a/freed-ora/current/f18/sources +++ b/freed-ora/current/f18/sources @@ -1,2 +1,2 @@ 7ec84223c7adcf01a5287eb7af96b7e7 linux-libre-3.11-gnu.tar.xz -5147e7f82600452c5438f8309c07eccd patch-3.11.4.xz +628876a432c0d4090013b383abac20e4 patch-3.11.5.xz diff --git a/freed-ora/current/f18/tuntap-correctly-handle-error-in-tun_set_iff.patch b/freed-ora/current/f18/tuntap-correctly-handle-error-in-tun_set_iff.patch deleted file mode 100644 index 563526765..000000000 --- a/freed-ora/current/f18/tuntap-correctly-handle-error-in-tun_set_iff.patch +++ /dev/null @@ -1,57 +0,0 @@ -From dff4e504b2addc8053fc47712d44a21f733ef51b Mon Sep 17 00:00:00 2001 -From: Jason Wang <jasowang@redhat.com> -Date: Wed, 11 Sep 2013 18:09:48 +0800 -Subject: [PATCH] tuntap: correctly handle error in tun_set_iff() - -Commit c8d68e6be1c3b242f1c598595830890b65cea64a -(tuntap: multiqueue support) only call free_netdev() on error in -tun_set_iff(). This causes several issues: - -- memory of tun security were leaked -- use after free since the flow gc timer was not deleted and the tfile - were not detached - -This patch solves the above issues. - -Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu> -Cc: Michael S. Tsirkin <mst@redhat.com> -Signed-off-by: Jason Wang <jasowang@redhat.com> ---- - drivers/net/tun.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 71af122..68b9aa3 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -1691,11 +1691,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) - INIT_LIST_HEAD(&tun->disabled); - err = tun_attach(tun, file); - if (err < 0) -- goto err_free_dev; -+ goto err_free_flow; - - err = register_netdevice(tun->dev); - if (err < 0) -- goto err_free_dev; -+ goto err_detach; - - if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) || - device_create_file(&tun->dev->dev, &dev_attr_owner) || -@@ -1739,7 +1739,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) - strcpy(ifr->ifr_name, tun->dev->name); - return 0; - -- err_free_dev: -+err_detach: -+ tun_detach_all(dev); -+err_free_flow: -+ tun_flow_uninit(tun); -+ security_tun_dev_free_security(tun->security); -+err_free_dev: - free_netdev(dev); - return err; - } --- -1.8.3.1 - |
