| author | Alexandre Oliva <lxoliva@fsfla.org> | 2014-06-28 02:44:17 +0000 |
|---|---|---|
| committer | Alexandre Oliva <lxoliva@fsfla.org> | 2014-06-28 02:44:17 +0000 |
| commit | aeb6df3163c1db92baf4ad78cc105e67feb13c3d (patch) | |
| tree | baff98c396d8990980eb899762c594cfa7736b01 /freed-ora/current/f20 | |
| parent | ef937bcba10f192d35712be16f8e154903f81ec0 (diff) | |
3.14.9-200.fc20.gnu
Diffstat (limited to 'freed-ora/current/f20')
17 files changed, 708 insertions, 929 deletions
diff --git a/freed-ora/current/f20/1-5-netlink-Rename-netlink_capable-netlink_allowed.patch b/freed-ora/current/f20/1-5-netlink-Rename-netlink_capable-netlink_allowed.patch
deleted file mode 100644
index ad18ba878..000000000
--- a/freed-ora/current/f20/1-5-netlink-Rename-netlink_capable-netlink_allowed.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -Bugzilla: 1094270 -Upstream-status: 3.15 and queued for stable - -From a7e6a36c02e8a4c6547bfc2b789bfbfcc95072f9 Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" <ebiederm@xmission.com> -Date: Wed, 23 Apr 2014 14:25:48 -0700 -Subject: [PATCH 2/6] netlink: Rename netlink_capable netlink_allowed - -netlink_capable is a static internal function in af_netlink.c and we -have better uses for the name netlink_capable. - -Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> ---- - net/netlink/af_netlink.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 04748ab649c2..28d66fbc7cef 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -1360,7 +1360,7 @@ retry: - return err; - } - --static inline int netlink_capable(const struct socket *sock, unsigned int flag) -+static inline int netlink_allowed(const struct socket *sock, unsigned int flag) - { - return (nl_table[sock->sk->sk_protocol].flags & flag) || - ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN); -@@ -1428,7 +1428,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr, - - /* Only superuser is allowed to listen multicasts */ - if (nladdr->nl_groups) { -- if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV)) -+ if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV)) - return -EPERM; - err = netlink_realloc_groups(sk); - if (err) -@@ -1490,7 +1490,7 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, - return -EINVAL; - - if ((nladdr->nl_groups || nladdr->nl_pid) && -- !netlink_capable(sock, NL_CFG_F_NONROOT_SEND)) -+ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND)) - return -EPERM; - - if (!nlk->portid) -@@ -2096,7 +2096,7 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname, - break; - case NETLINK_ADD_MEMBERSHIP: - case NETLINK_DROP_MEMBERSHIP: { -- if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV)) -+ if 
(!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV)) - return -EPERM; - err = netlink_realloc_groups(sk); - if (err) -@@ -2247,7 +2247,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, - dst_group = ffs(addr->nl_groups); - err = -EPERM; - if ((dst_group || dst_portid) && -- !netlink_capable(sock, NL_CFG_F_NONROOT_SEND)) -+ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND)) - goto out; - } else { - dst_portid = nlk->dst_portid; --- -1.9.0 - diff --git a/freed-ora/current/f20/2-5-net-Move-the-permission-check-in-sock_diag_put_filterinfo-to-packet_diag_dump.patch b/freed-ora/current/f20/2-5-net-Move-the-permission-check-in-sock_diag_put_filterinfo-to-packet_diag_dump.patch deleted file mode 100644 index 237569e6c..000000000 --- a/freed-ora/current/f20/2-5-net-Move-the-permission-check-in-sock_diag_put_filterinfo-to-packet_diag_dump.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -Bugzilla: 1094270 -Upstream-status: 3.15 and queued for stable - -From 568ddf41e32a9b4337d87fdb507e729029a69e49 Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" <ebiederm@xmission.com> -Date: Wed, 23 Apr 2014 14:26:25 -0700 -Subject: [PATCH 3/6] net: Move the permission check in - sock_diag_put_filterinfo to packet_diag_dump - -The permission check in sock_diag_put_filterinfo is wrong, and it is so removed -from it's sources it is not clear why it is wrong. Move the computation -into packet_diag_dump and pass a bool of the result into sock_diag_filterinfo. - -This does not yet correct the capability check but instead simply moves it to make -it clear what is going on. - -Reported-by: Andy Lutomirski <luto@amacapital.net> -Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> ---- - include/linux/sock_diag.h | 2 +- - net/core/sock_diag.c | 4 ++-- - net/packet/diag.c | 7 ++++++- - 3 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h -index 302ab805b0bb..46cca4c06848 100644 ---- a/include/linux/sock_diag.h -+++ b/include/linux/sock_diag.h -@@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie); - void sock_diag_save_cookie(void *sk, __u32 *cookie); - - int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr); --int sock_diag_put_filterinfo(struct sock *sk, -+int sock_diag_put_filterinfo(bool may_report_filterinfo, struct sock *sk, - struct sk_buff *skb, int attrtype); - - #endif -diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c -index 6a7fae228634..c38e7a2b5a8e 100644 ---- a/net/core/sock_diag.c -+++ b/net/core/sock_diag.c -@@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype) - } - EXPORT_SYMBOL_GPL(sock_diag_put_meminfo); - --int sock_diag_put_filterinfo(struct sock *sk, -+int sock_diag_put_filterinfo(bool may_report_filterinfo, struct sock *sk, - struct sk_buff *skb, int attrtype) - { - struct 
nlattr *attr; -@@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct sock *sk, - unsigned int len; - int err = 0; - -- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { -+ if (!may_report_filterinfo) { - nla_reserve(skb, attrtype, 0); - return 0; - } -diff --git a/net/packet/diag.c b/net/packet/diag.c -index 435ff99ba8c7..b34d0de24091 100644 ---- a/net/packet/diag.c -+++ b/net/packet/diag.c -@@ -128,6 +128,7 @@ static int pdiag_put_fanout(struct packet_sock *po, struct sk_buff *nlskb) - - static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, - struct packet_diag_req *req, -+ bool may_report_filterinfo, - struct user_namespace *user_ns, - u32 portid, u32 seq, u32 flags, int sk_ino) - { -@@ -172,7 +173,8 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, - goto out_nlmsg_trim; - - if ((req->pdiag_show & PACKET_SHOW_FILTER) && -- sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER)) -+ sock_diag_put_filterinfo(may_report_filterinfo, sk, skb, -+ PACKET_DIAG_FILTER)) - goto out_nlmsg_trim; - - return nlmsg_end(skb, nlh); -@@ -188,9 +190,11 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) - struct packet_diag_req *req; - struct net *net; - struct sock *sk; -+ bool may_report_filterinfo; - - net = sock_net(skb->sk); - req = nlmsg_data(cb->nlh); -+ may_report_filterinfo = ns_capable(net->user_ns, CAP_NET_ADMIN); - - mutex_lock(&net->packet.sklist_lock); - sk_for_each(sk, &net->packet.sklist) { -@@ -200,6 +204,7 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) - goto next; - - if (sk_diag_fill(sk, skb, req, -+ may_report_filterinfo, - sk_user_ns(NETLINK_CB(cb->skb).sk), - NETLINK_CB(cb->skb).portid, - cb->nlh->nlmsg_seq, NLM_F_MULTI, --- -1.9.0 - diff --git a/freed-ora/current/f20/3-5-net-Add-variants-of-capable-for-use-on-on-sockets.patch b/freed-ora/current/f20/3-5-net-Add-variants-of-capable-for-use-on-on-sockets.patch deleted file mode 100644 index 34df29246..000000000 
--- a/freed-ora/current/f20/3-5-net-Add-variants-of-capable-for-use-on-on-sockets.patch
+++ /dev/null
@@ -1,97 +0,0 @@ -Bugzilla: 1094270 -Upstream-status: 3.15 and queued for stable - -From ca469eb66a7b3e97a230c750de4d01b1dc53906a Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" <ebiederm@xmission.com> -Date: Wed, 23 Apr 2014 14:26:56 -0700 -Subject: [PATCH 4/6] net: Add variants of capable for use on on sockets - -sk_net_capable - The common case, operations that are safe in a network namespace. -sk_capable - Operations that are not known to be safe in a network namespace -sk_ns_capable - The general case for special cases. - -Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> ---- - include/net/sock.h | 5 +++++ - net/core/sock.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 54 insertions(+) - -diff --git a/include/net/sock.h b/include/net/sock.h -index b9586a137cad..57c31dd15e64 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -2278,6 +2278,11 @@ int sock_get_timestampns(struct sock *, struct timespec __user *); - int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, int level, - int type); - -+bool sk_ns_capable(const struct sock *sk, -+ struct user_namespace *user_ns, int cap); -+bool sk_capable(const struct sock *sk, int cap); -+bool sk_net_capable(const struct sock *sk, int cap); -+ - /* - * Enable debug/info messages - */ -diff --git a/net/core/sock.c b/net/core/sock.c -index c0fc6bdad1e3..c8069561bdb7 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -145,6 +145,55 @@ - static DEFINE_MUTEX(proto_list_mutex); - static LIST_HEAD(proto_list); - -+/** -+ * sk_ns_capable - General socket capability test -+ * @sk: Socket to use a capability on or through -+ * @user_ns: The user namespace of the capability to use -+ * @cap: The capability to use -+ * -+ * Test to see if the opener of the socket had when the socket was -+ * created and the current process has the capability @cap in the user -+ * namespace @user_ns. 
-+ */ -+bool sk_ns_capable(const struct sock *sk, -+ struct user_namespace *user_ns, int cap) -+{ -+ return file_ns_capable(sk->sk_socket->file, user_ns, cap) && -+ ns_capable(user_ns, cap); -+} -+EXPORT_SYMBOL(sk_ns_capable); -+ -+/** -+ * sk_capable - Socket global capability test -+ * @sk: Socket to use a capability on or through -+ * @cap: The global capbility to use -+ * -+ * Test to see if the opener of the socket had when the socket was -+ * created and the current process has the capability @cap in all user -+ * namespaces. -+ */ -+bool sk_capable(const struct sock *sk, int cap) -+{ -+ return sk_ns_capable(sk, &init_user_ns, cap); -+} -+EXPORT_SYMBOL(sk_capable); -+ -+/** -+ * sk_net_capable - Network namespace socket capability test -+ * @sk: Socket to use a capability on or through -+ * @cap: The capability to use -+ * -+ * Test to see if the opener of the socket had when the socke was created -+ * and the current process has the capability @cap over the network namespace -+ * the socket is a member of. -+ */ -+bool sk_net_capable(const struct sock *sk, int cap) -+{ -+ return sk_ns_capable(sk, sock_net(sk)->user_ns, cap); -+} -+EXPORT_SYMBOL(sk_net_capable); -+ -+ - #ifdef CONFIG_MEMCG_KMEM - int mem_cgroup_sockets_init(struct mem_cgroup *memcg, struct cgroup_subsys *ss) - { --- -1.9.0 - diff --git a/freed-ora/current/f20/4-5-net-Add-variants-of-capable-for-use-on-netlink-messages.patch b/freed-ora/current/f20/4-5-net-Add-variants-of-capable-for-use-on-netlink-messages.patch deleted file mode 100644 index dfae87aef..000000000 --- a/freed-ora/current/f20/4-5-net-Add-variants-of-capable-for-use-on-netlink-messages.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -Bugzilla: 1094270 -Upstream-status: 3.15 and queued for stable - -From 71f40189cc9a0a28296d201652a5766d7c8aa66f Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" <ebiederm@xmission.com> -Date: Wed, 23 Apr 2014 14:28:03 -0700 -Subject: [PATCH 5/6] net: Add variants of capable for use on netlink messages - -netlink_net_capable - The common case use, for operations that are safe on a network namespace -netlink_capable - For operations that are only known to be safe for the global root -netlink_ns_capable - The general case of capable used to handle special cases - -__netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of - the skbuff of a netlink message. - -Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> ---- - include/linux/netlink.h | 7 ++++++ - net/netlink/af_netlink.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 72 insertions(+) - -diff --git a/include/linux/netlink.h b/include/linux/netlink.h -index aad8eeaf416d..f64b01787ddc 100644 ---- a/include/linux/netlink.h -+++ b/include/linux/netlink.h -@@ -169,4 +169,11 @@ struct netlink_tap { - extern int netlink_add_tap(struct netlink_tap *nt); - extern int netlink_remove_tap(struct netlink_tap *nt); - -+bool __netlink_ns_capable(const struct netlink_skb_parms *nsp, -+ struct user_namespace *ns, int cap); -+bool netlink_ns_capable(const struct sk_buff *skb, -+ struct user_namespace *ns, int cap); -+bool netlink_capable(const struct sk_buff *skb, int cap); -+bool netlink_net_capable(const struct sk_buff *skb, int cap); -+ - #endif /* __LINUX_NETLINK_H */ -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 28d66fbc7cef..6d69c27897f3 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -1360,6 +1360,71 @@ retry: - return err; - } - -+/** -+ * __netlink_ns_capable - General netlink message capability test -+ * @nsp: NETLINK_CB of the socket buffer holding a netlink command from 
userspace. -+ * @user_ns: The user namespace of the capability to use -+ * @cap: The capability to use -+ * -+ * Test to see if the opener of the socket we received the message -+ * from had when the netlink socket was created and the sender of the -+ * message has has the capability @cap in the user namespace @user_ns. -+ */ -+bool __netlink_ns_capable(const struct netlink_skb_parms *nsp, -+ struct user_namespace *user_ns, int cap) -+{ -+ return sk_ns_capable(nsp->sk, user_ns, cap); -+} -+EXPORT_SYMBOL(__netlink_ns_capable); -+ -+/** -+ * netlink_ns_capable - General netlink message capability test -+ * @skb: socket buffer holding a netlink command from userspace -+ * @user_ns: The user namespace of the capability to use -+ * @cap: The capability to use -+ * -+ * Test to see if the opener of the socket we received the message -+ * from had when the netlink socket was created and the sender of the -+ * message has has the capability @cap in the user namespace @user_ns. -+ */ -+bool netlink_ns_capable(const struct sk_buff *skb, -+ struct user_namespace *user_ns, int cap) -+{ -+ return __netlink_ns_capable(&NETLINK_CB(skb), user_ns, cap); -+} -+EXPORT_SYMBOL(netlink_ns_capable); -+ -+/** -+ * netlink_capable - Netlink global message capability test -+ * @skb: socket buffer holding a netlink command from userspace -+ * @cap: The capability to use -+ * -+ * Test to see if the opener of the socket we received the message -+ * from had when the netlink socket was created and the sender of the -+ * message has has the capability @cap in all user namespaces. 
-+ */ -+bool netlink_capable(const struct sk_buff *skb, int cap) -+{ -+ return netlink_ns_capable(skb, &init_user_ns, cap); -+} -+EXPORT_SYMBOL(netlink_capable); -+ -+/** -+ * netlink_net_capable - Netlink network namespace message capability test -+ * @skb: socket buffer holding a netlink command from userspace -+ * @cap: The capability to use -+ * -+ * Test to see if the opener of the socket we received the message -+ * from had when the netlink socket was created and the sender of the -+ * message has has the capability @cap over the network namespace of -+ * the socket we received the message from. -+ */ -+bool netlink_net_capable(const struct sk_buff *skb, int cap) -+{ -+ return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap); -+} -+EXPORT_SYMBOL(netlink_net_capable); -+ - static inline int netlink_allowed(const struct socket *sock, unsigned int flag) - { - return (nl_table[sock->sk->sk_protocol].flags & flag) || --- -1.9.0 - diff --git a/freed-ora/current/f20/5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-messages.patch b/freed-ora/current/f20/5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-messages.patch deleted file mode 100644 index b92c5da66..000000000 --- a/freed-ora/current/f20/5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-messages.patch +++ /dev/null 
@@ -1,433 +0,0 @@ -Bugzilla: 1094270 -Upstream-status: 3.15 and queued for stable - -From 386e6689d3a9234ab00a80ab51906adedfa7fea7 Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" <ebiederm@xmission.com> -Date: Wed, 23 Apr 2014 14:29:27 -0700 -Subject: [PATCH 6/6] net: Use netlink_ns_capable to verify the permisions of - netlink messages - -It is possible by passing a netlink socket to a more privileged -executable and then to fool that executable into writing to the socket -data that happens to be valid netlink message to do something that -privileged executable did not intend to do. - -To keep this from happening replace bare capable and ns_capable calls -with netlink_capable, netlink_net_calls and netlink_ns_capable calls. -Which act the same as the previous calls except they verify that the -opener of the socket had the desired permissions as well. - -Reported-by: Andy Lutomirski <luto@amacapital.net> -Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> ---- - crypto/crypto_user.c | 2 +- - drivers/connector/cn_proc.c | 2 +- - drivers/scsi/scsi_netlink.c | 2 +- - kernel/audit.c | 4 ++-- - net/can/gw.c | 4 ++-- - net/core/rtnetlink.c | 20 +++++++++++--------- - net/dcb/dcbnl.c | 2 +- - net/decnet/dn_dev.c | 4 ++-- - net/decnet/dn_fib.c | 4 ++-- - net/decnet/netfilter/dn_rtmsg.c | 2 +- - net/netfilter/nfnetlink.c | 2 +- - net/netlink/genetlink.c | 2 +- - net/packet/diag.c | 2 +- - net/phonet/pn_netlink.c | 8 ++++---- - net/sched/act_api.c | 2 +- - net/sched/cls_api.c | 2 +- - net/sched/sch_api.c | 6 +++--- - net/tipc/netlink.c | 2 +- - net/xfrm/xfrm_user.c | 2 +- - 19 files changed, 38 insertions(+), 36 deletions(-) - -diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c -index 1512e41cd93d..43665d0d0905 100644 ---- a/crypto/crypto_user.c -+++ b/crypto/crypto_user.c -@@ -466,7 +466,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - type -= CRYPTO_MSG_BASE; - link = &crypto_dispatch[type]; - -- if 
(!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if ((type == (CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE) && -diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c -index 18c5b9b16645..3165811e2407 100644 ---- a/drivers/connector/cn_proc.c -+++ b/drivers/connector/cn_proc.c -@@ -369,7 +369,7 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, - return; - - /* Can only change if privileged. */ -- if (!capable(CAP_NET_ADMIN)) { -+ if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) { - err = EPERM; - goto out; - } -diff --git a/drivers/scsi/scsi_netlink.c b/drivers/scsi/scsi_netlink.c -index fe30ea94ffe6..109802f776ed 100644 ---- a/drivers/scsi/scsi_netlink.c -+++ b/drivers/scsi/scsi_netlink.c -@@ -77,7 +77,7 @@ scsi_nl_rcv_msg(struct sk_buff *skb) - goto next_msg; - } - -- if (!capable(CAP_SYS_ADMIN)) { -+ if (!netlink_capable(skb, CAP_SYS_ADMIN)) { - err = -EPERM; - goto next_msg; - } -diff --git a/kernel/audit.c b/kernel/audit.c -index 95a20f3f52f1..f7e680d896ec 100644 ---- a/kernel/audit.c -+++ b/kernel/audit.c -@@ -639,13 +639,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) - case AUDIT_TTY_SET: - case AUDIT_TRIM: - case AUDIT_MAKE_EQUIV: -- if (!capable(CAP_AUDIT_CONTROL)) -+ if (!netlink_capable(skb, CAP_AUDIT_CONTROL)) - err = -EPERM; - break; - case AUDIT_USER: - case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: - case AUDIT_FIRST_USER_MSG2 ... 
AUDIT_LAST_USER_MSG2: -- if (!capable(CAP_AUDIT_WRITE)) -+ if (!netlink_capable(skb, CAP_AUDIT_WRITE)) - err = -EPERM; - break; - default: /* bad msg */ -diff --git a/net/can/gw.c b/net/can/gw.c -index ac31891967da..050a2110d43f 100644 ---- a/net/can/gw.c -+++ b/net/can/gw.c -@@ -804,7 +804,7 @@ static int cgw_create_job(struct sk_buff *skb, struct nlmsghdr *nlh) - u8 limhops = 0; - int err = 0; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if (nlmsg_len(nlh) < sizeof(*r)) -@@ -893,7 +893,7 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh) - u8 limhops = 0; - int err = 0; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if (nlmsg_len(nlh) < sizeof(*r)) -diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 120eecc0f5a4..463dfe6496b4 100644 ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -1386,7 +1386,8 @@ static int do_set_master(struct net_device *dev, int ifindex) - return 0; - } - --static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm, -+static int do_setlink(const struct sk_buff *skb, -+ struct net_device *dev, struct ifinfomsg *ifm, - struct nlattr **tb, char *ifname, int modified) - { - const struct net_device_ops *ops = dev->netdev_ops; -@@ -1398,7 +1399,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm, - err = PTR_ERR(net); - goto errout; - } -- if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) { -+ if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) { - err = -EPERM; - goto errout; - } -@@ -1652,7 +1653,7 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh) - if (err < 0) - goto errout; - -- err = do_setlink(dev, ifm, tb, ifname, 0); -+ err = do_setlink(skb, dev, ifm, tb, ifname, 0); - errout: - return err; - } -@@ -1769,7 +1770,8 @@ err: - } - EXPORT_SYMBOL(rtnl_create_link); - --static int rtnl_group_changelink(struct net *net, int group, -+static 
int rtnl_group_changelink(const struct sk_buff *skb, -+ struct net *net, int group, - struct ifinfomsg *ifm, - struct nlattr **tb) - { -@@ -1778,7 +1780,7 @@ static int rtnl_group_changelink(struct net *net, int group, - - for_each_netdev(net, dev) { - if (dev->group == group) { -- err = do_setlink(dev, ifm, tb, NULL, 0); -+ err = do_setlink(skb, dev, ifm, tb, NULL, 0); - if (err < 0) - return err; - } -@@ -1920,12 +1922,12 @@ replay: - modified = 1; - } - -- return do_setlink(dev, ifm, tb, ifname, modified); -+ return do_setlink(skb, dev, ifm, tb, ifname, modified); - } - - if (!(nlh->nlmsg_flags & NLM_F_CREATE)) { - if (ifm->ifi_index == 0 && tb[IFLA_GROUP]) -- return rtnl_group_changelink(net, -+ return rtnl_group_changelink(skb, net, - nla_get_u32(tb[IFLA_GROUP]), - ifm, tb); - return -ENODEV; -@@ -2312,7 +2314,7 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh) - int err = -EINVAL; - __u8 *addr; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL); -@@ -2764,7 +2766,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - sz_idx = type>>2; - kind = type&3; - -- if (kind != 2 && !ns_capable(net->user_ns, CAP_NET_ADMIN)) -+ if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) { -diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c -index 553644402670..f8b98d89c285 100644 ---- a/net/dcb/dcbnl.c -+++ b/net/dcb/dcbnl.c -@@ -1669,7 +1669,7 @@ static int dcb_doit(struct sk_buff *skb, struct nlmsghdr *nlh) - struct nlmsghdr *reply_nlh = NULL; - const struct reply_func *fn; - -- if ((nlh->nlmsg_type == RTM_SETDCB) && !capable(CAP_NET_ADMIN)) -+ if ((nlh->nlmsg_type == RTM_SETDCB) && !netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - ret = nlmsg_parse(nlh, sizeof(*dcb), tb, DCB_ATTR_MAX, -diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c -index 
a603823a3e27..3b726f31c64c 100644 ---- a/net/decnet/dn_dev.c -+++ b/net/decnet/dn_dev.c -@@ -574,7 +574,7 @@ static int dn_nl_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh) - struct dn_ifaddr __rcu **ifap; - int err = -EINVAL; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if (!net_eq(net, &init_net)) -@@ -618,7 +618,7 @@ static int dn_nl_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh) - struct dn_ifaddr *ifa; - int err; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if (!net_eq(net, &init_net)) -diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c -index 57dc159245ec..d332aefb0846 100644 ---- a/net/decnet/dn_fib.c -+++ b/net/decnet/dn_fib.c -@@ -505,7 +505,7 @@ static int dn_fib_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh) - struct nlattr *attrs[RTA_MAX+1]; - int err; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if (!net_eq(net, &init_net)) -@@ -530,7 +530,7 @@ static int dn_fib_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh) - struct nlattr *attrs[RTA_MAX+1]; - int err; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if (!net_eq(net, &init_net)) -diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c -index e83015cecfa7..e4d9560a910b 100644 ---- a/net/decnet/netfilter/dn_rtmsg.c -+++ b/net/decnet/netfilter/dn_rtmsg.c -@@ -107,7 +107,7 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb) - if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) - return; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - RCV_SKB_FAIL(-EPERM); - - /* Eventually we might send routing messages too */ -diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c -index 046aa13b4fea..c6881781d70a 100644 ---- a/net/netfilter/nfnetlink.c -+++ b/net/netfilter/nfnetlink.c 
-@@ -367,7 +367,7 @@ static void nfnetlink_rcv(struct sk_buff *skb) - skb->len < nlh->nlmsg_len) - return; - -- if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) { -+ if (!netlink_net_capable(skb, CAP_NET_ADMIN)) { - netlink_ack(skb, nlh, -EPERM); - return; - } -diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c -index b1dcdb932a86..a3ba3ca0ff92 100644 ---- a/net/netlink/genetlink.c -+++ b/net/netlink/genetlink.c -@@ -561,7 +561,7 @@ static int genl_family_rcv_msg(struct genl_family *family, - return -EOPNOTSUPP; - - if ((ops->flags & GENL_ADMIN_PERM) && -- !capable(CAP_NET_ADMIN)) -+ !netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if ((nlh->nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP) { -diff --git a/net/packet/diag.c b/net/packet/diag.c -index b34d0de24091..92f2c7107eec 100644 ---- a/net/packet/diag.c -+++ b/net/packet/diag.c -@@ -194,7 +194,7 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) - - net = sock_net(skb->sk); - req = nlmsg_data(cb->nlh); -- may_report_filterinfo = ns_capable(net->user_ns, CAP_NET_ADMIN); -+ may_report_filterinfo = netlink_net_capable(cb->skb, CAP_NET_ADMIN); - - mutex_lock(&net->packet.sklist_lock); - sk_for_each(sk, &net->packet.sklist) { -diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c -index dc15f4300808..b64151ade6b3 100644 ---- a/net/phonet/pn_netlink.c -+++ b/net/phonet/pn_netlink.c -@@ -70,10 +70,10 @@ static int addr_doit(struct sk_buff *skb, struct nlmsghdr *nlh) - int err; - u8 pnaddr; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - -- if (!capable(CAP_SYS_ADMIN)) -+ if (!netlink_capable(skb, CAP_SYS_ADMIN)) - return -EPERM; - - ASSERT_RTNL(); -@@ -233,10 +233,10 @@ static int route_doit(struct sk_buff *skb, struct nlmsghdr *nlh) - int err; - u8 dst; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - -- if (!capable(CAP_SYS_ADMIN)) -+ if (!netlink_capable(skb, 
CAP_SYS_ADMIN)) - return -EPERM; - - ASSERT_RTNL(); -diff --git a/net/sched/act_api.c b/net/sched/act_api.c -index 72bdc7166345..3b2265523552 100644 ---- a/net/sched/act_api.c -+++ b/net/sched/act_api.c -@@ -908,7 +908,7 @@ static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n) - u32 portid = skb ? NETLINK_CB(skb).portid : 0; - int ret = 0, ovr = 0; - -- if ((n->nlmsg_type != RTM_GETACTION) && !capable(CAP_NET_ADMIN)) -+ if ((n->nlmsg_type != RTM_GETACTION) && !netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - ret = nlmsg_parse(n, sizeof(struct tcamsg), tca, TCA_ACT_MAX, NULL); -diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c -index 29a30a14c315..bdbdb1a7920a 100644 ---- a/net/sched/cls_api.c -+++ b/net/sched/cls_api.c -@@ -134,7 +134,7 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n) - int err; - int tp_created = 0; - -- if ((n->nlmsg_type != RTM_GETTFILTER) && !capable(CAP_NET_ADMIN)) -+ if ((n->nlmsg_type != RTM_GETTFILTER) && !netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - replay: -diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c -index a07d55e75698..98532cfa7823 100644 ---- a/net/sched/sch_api.c -+++ b/net/sched/sch_api.c -@@ -1084,7 +1084,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n) - struct Qdisc *p = NULL; - int err; - -- if ((n->nlmsg_type != RTM_GETQDISC) && !capable(CAP_NET_ADMIN)) -+ if ((n->nlmsg_type != RTM_GETQDISC) && !netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL); -@@ -1151,7 +1151,7 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n) - struct Qdisc *q, *p; - int err; - -- if (!capable(CAP_NET_ADMIN)) -+ if (!netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - replay: -@@ -1491,7 +1491,7 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n) - u32 qid; - int err; - -- if ((n->nlmsg_type != RTM_GETTCLASS) && !capable(CAP_NET_ADMIN)) -+ if ((n->nlmsg_type != 
RTM_GETTCLASS) && !netlink_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL); -diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c -index 3aaf73de9e2d..ad844d365340 100644 ---- a/net/tipc/netlink.c -+++ b/net/tipc/netlink.c -@@ -47,7 +47,7 @@ static int handle_cmd(struct sk_buff *skb, struct genl_info *info) - int hdr_space = nlmsg_total_size(GENL_HDRLEN + TIPC_GENL_HDRLEN); - u16 cmd; - -- if ((req_userhdr->cmd & 0xC000) && (!capable(CAP_NET_ADMIN))) -+ if ((req_userhdr->cmd & 0xC000) && (!netlink_capable(skb, CAP_NET_ADMIN))) - cmd = TIPC_CMD_NOT_NET_ADMIN; - else - cmd = req_userhdr->cmd; -diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c -index 2f7ddc3a59b4..b10d04fa3933 100644 ---- a/net/xfrm/xfrm_user.c -+++ b/net/xfrm/xfrm_user.c -@@ -2350,7 +2350,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - link = &xfrm_dispatch[type]; - - /* All operations require privileges, even GET */ -- if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) -+ if (!netlink_net_capable(skb, CAP_NET_ADMIN)) - return -EPERM; - - if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || --- -1.9.0 - diff --git a/freed-ora/current/f20/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch b/freed-ora/current/f20/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch new file mode 100644 index 000000000..fa93d6622 --- /dev/null +++ b/freed-ora/current/f20/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch 
@@ -0,0 +1,48 @@
+Bugzilla: 1112975
+Upstream-status: 3.16 and CC'd to stable
+
+From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl@kvack.org>
+Date: Tue, 24 Jun 2014 13:12:55 -0400
+Subject: [PATCH] aio: fix aio request leak when events are reaped by userspace
+
+The aio cleanups and optimizations by kmo that were merged into the 3.10
+tree added a regression for userspace event reaping. Specifically, the
+reference counts are not decremented if the event is reaped in userspace,
+leading to the application being unable to submit further aio requests.
+This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
+This issue was uncovered as part of CVE-2014-0206.
+
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Cc: stable@vger.kernel.org
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+---
+ fs/aio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 4f078c054b41..6a9c7e489adf 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
+
+ /* everything turned out well, dispose of the aiocb. */
+ kiocb_free(iocb);
++ put_reqs_available(ctx, 1);
+
+ /*
+ * We have to order our ring_info tail store above and test
+@@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
+ flush_dcache_page(ctx->ring_pages[0]);
+
+ pr_debug("%li h%u t%u\n", ret, head, tail);
+-
+- put_reqs_available(ctx, ret);
+ out:
+ mutex_unlock(&ctx->ring_lock);
+
+--
+1.9.3
+
diff --git a/freed-ora/current/f20/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch b/freed-ora/current/f20/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
new file mode 100644
index 000000000..831a6a85f
--- /dev/null
+++ b/freed-ora/current/f20/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
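Review bot: In the embedded fs/aio.c change, `put_reqs_available(ctx, 1)` now runs in aio_complete() right after `kiocb_free(iocb)`, so a request slot is handed back when the request completes rather than when its event is read out of the ring. Nothing visible in either inner hunk bounds the number of completed-but-unreaped events against the ring size. If that bound is not enforced elsewhere, new submissions could be admitted while the ring still holds unreaped events; both function bodies continue outside the hunks, so this should be confirmed against the submit path. At minimum the new call deserves a why-comment, for example `/* release the slot at completion: events reaped in userspace never pass through aio_read_events_ring() */`.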
@@ -0,0 +1,46 @@
+Bugzilla: 1112975
+Upstream-status: 3.16 and CC'd to stable
+
+From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl@kvack.org>
+Date: Tue, 24 Jun 2014 13:32:51 -0400
+Subject: [PATCH] aio: fix kernel memory disclosure in io_getevents()
+ introduced in v3.10
+
+A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
+by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
+aio_read_events_ring() failed to correctly limit the index into
+ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
+an arbitrary page with a copy_to_user() to copy the contents into userspace.
+This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
+Petr for disclosing this issue.
+
+This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
+
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: Jeff Moyer <jmoyer@redhat.com>
+Cc: stable@vger.kernel.org
+---
+ fs/aio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 6a9c7e489adf..955947ef3e02 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1063,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
+ if (head == tail)
+ goto out;
+
++ head %= ctx->nr_events;
++ tail %= ctx->nr_events;
++
+ while (ret < nr) {
+ long avail;
+ struct io_event *ev;
+--
+1.9.3
+
diff --git a/freed-ora/current/f20/intel_pstate-Fix-setting-VID.patch b/freed-ora/current/f20/intel_pstate-Fix-setting-VID.patch
new file mode 100644
index 000000000..a71432c59
--- /dev/null
+++ b/freed-ora/current/f20/intel_pstate-Fix-setting-VID.patch
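Review bot: The added `head %= ctx->nr_events;` and `tail %= ctx->nr_events;` in `aio_read_events_ring()` of the memory-disclosure patch carry no comment saying where the values come from or why they are reduced. Going by the patch description, these indices were used unchecked to select an entry of `ctx->ring_pages[]`; the read of head and tail is outside the hunk, presumably from the ring header that userspace can write. A comment such as `/* head and tail are read from the user-writable ring; reduce them before they index ring_pages[] */` would keep a later cleanup from dropping the reduction. Note also that the `head == tail` early exit runs on the raw values, so two values that differ by a multiple of `nr_events` get past it and rely on the loop's own checks, which are not visible here.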
@@ -0,0 +1,133 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.6.212 with SMTP id d20csp423274oaa; + Fri, 20 Jun 2014 07:30:34 -0700 (PDT) +X-Received: by 10.66.141.165 with SMTP id rp5mr5252763pab.90.1403274633343; + Fri, 20 Jun 2014 07:30:33 -0700 (PDT) +Return-Path: <stable-owner@vger.kernel.org> +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id xz4si10079103pac.71.2014.06.20.07.29.38 + for <multiple recipients>; + Fri, 20 Jun 2014 07:30:33 -0700 (PDT) +Received-SPF: none (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=neutral (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) smtp.mail=stable-owner@vger.kernel.org; + dkim=neutral (body hash did not verify) header.i=@; + dmarc=fail (p=NONE dis=NONE) header.from=gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1752826AbaFTO2N (ORCPT <rfc822;tuffkidtt@gmail.com> + 73 others); + Fri, 20 Jun 2014 10:28:13 -0400 +Received: from mail-pb0-f42.google.com ([209.85.160.42]:38213 "EHLO + mail-pb0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1752069AbaFTO2M (ORCPT + <rfc822;stable@vger.kernel.org>); Fri, 20 Jun 2014 10:28:12 -0400 +Received: by mail-pb0-f42.google.com with SMTP id ma3so3196581pbc.29 + for <multiple recipients>; Fri, 20 Jun 2014 07:28:11 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=from:to:cc:subject:date:message-id:in-reply-to:references; + bh=9oo+zXKxjbr7v1snerKTk1H7F9TqWZtlTUz/dYa9Mtc=; + b=dYHB8IsNt7nWot8Da4/spNLtKjWeMlpQv+LpR+c7Y8DUuJe1lcMqt6NeLHZcOBUv2Y + Y6Bw8IIE3DYaVUFzakB2oBRCHaQJwqERAb0+y8zVt4lkxRh6AOjeR6coDk9oE8sDQmkN + zZzv3mR6rd2sE6CkRFwkJUJgHRd5DgluDU96k7OKLEzJpuq+6BrvwPto8TU6ZMkmQiqj + pRP0ics6FdaE7GtFE6XmEjGYSnsAFzUn8ycgFPjZU39PhkhTDottomejlUEEs8NORxn3 + 
eYxzh48Ae/P9JTgydBpMpUkpsb+86akHDWoTWG3z6D6mwCzFl9dNmUL43j/ONVjf6pPh + wopw== +X-Received: by 10.66.122.70 with SMTP id lq6mr5211252pab.51.1403274491745; + Fri, 20 Jun 2014 07:28:11 -0700 (PDT) +Received: from echolake.localdomain (static-50-43-41-81.bvtn.or.frontiernet.net. [50.43.41.81]) + by mx.google.com with ESMTPSA id vx10sm44287848pac.17.2014.06.20.07.28.09 + for <multiple recipients> + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Fri, 20 Jun 2014 07:28:10 -0700 (PDT) +From: dirk.brandewie@gmail.com +X-Google-Original-From: dirk.j.brandewie@intel.com +To: linux-pm@vger.kernel.org +Cc: rjw@rjwysocki.net, dirk.brandewie@gmail.com, + stable@vger.kernel.org, Dirk Brandewie <dirk.j.brandewie@intel.com> +Subject: [PATCH 1/3] intel_pstate: Fix setting VID +Date: Fri, 20 Jun 2014 07:27:58 -0700 +Message-Id: <1403274480-10593-2-git-send-email-dirk.j.brandewie@intel.com> +X-Mailer: git-send-email 1.9.0 +In-Reply-To: <1403274480-10593-1-git-send-email-dirk.j.brandewie@intel.com> +References: <1403274480-10593-1-git-send-email-dirk.j.brandewie@intel.com> +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: <stable.vger.kernel.org> +X-Mailing-List: stable@vger.kernel.org + +From: Dirk Brandewie <dirk.j.brandewie@intel.com> + +Commit 21855ff5 intel_pstate: Set turbo VID for BayTrail introduced +setting the turbo VID which is required to prevent a machine check on +some Baytrail SKUs under heavy graphics based workloads. The +docmumentation update that brought the requirement to light also +changed the bit mask used for enumerating P state and VID values from +0x7f to 0x3f. + +This change returns the mask value to 0x7f. + +Tested with the Intel NUC DN2820FYK, +BIOS version FYBYT10H.86A.0034.2014.0513.1413 with v3.16-rc1 and +v3.14.8 kernel versions. 
+ +Reported-by: Rune Reterson <rune@megahurts.dk> +Reported-by: Eric Eickmeyer <erich@ericheickmeyer.com> +Tested-by: Rune Reterson <rune@megahurts.dk> +Tested-by: Eric Eickmeyer <erich@ericheickmeyer.com> + +References: https://bugzilla.kernel.org/show_bug.cgi?id=77951 + +Cc: Cc: Stable <stable@vger.kernel.org> [3.13+] +Signed-off-by: Dirk Brandewie <dirk.j.brandewie@intel.com> +--- + drivers/cpufreq/intel_pstate.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 924bb2d..74376d6 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -357,21 +357,21 @@ static int byt_get_min_pstate(void) + { + u64 value; + rdmsrl(BYT_RATIOS, value); +- return (value >> 8) & 0x3F; ++ return (value >> 8) & 0x7F; + } + + static int byt_get_max_pstate(void) + { + u64 value; + rdmsrl(BYT_RATIOS, value); +- return (value >> 16) & 0x3F; ++ return (value >> 16) & 0x7F; + } + + static int byt_get_turbo_pstate(void) + { + u64 value; + rdmsrl(BYT_TURBO_RATIOS, value); +- return value & 0x3F; ++ return value & 0x7F; + } + + static void byt_set_pstate(struct cpudata *cpudata, int pstate) +@@ -405,8 +405,8 @@ static void byt_get_vid(struct cpudata *cpudata) + + + rdmsrl(BYT_VIDS, value); +- cpudata->vid.min = int_tofp((value >> 8) & 0x3f); +- cpudata->vid.max = int_tofp((value >> 16) & 0x3f); ++ cpudata->vid.min = int_tofp((value >> 8) & 0x7f); ++ cpudata->vid.max = int_tofp((value >> 16) & 0x7f); + cpudata->vid.ratio = div_fp( + cpudata->vid.max - cpudata->vid.min, + int_tofp(cpudata->pstate.max_pstate - +-- +1.9.0 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html 
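Review bot: In the intel_pstate VID patch the mask `0x7F` is now written out five times across `byt_get_min_pstate()`, `byt_get_max_pstate()`, `byt_get_turbo_pstate()` and `byt_get_vid()`, and in two spellings (`0x7F` and `0x7f`). A single named constant, for instance `#define BYT_RATIO_VID_MASK 0x7f` with a comment citing the documentation revision the description refers to, would make the field width a one-line edit and tell the next reader where the value comes from. `byt_get_vid()` starts and ends outside the hunk.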
diff --git a/freed-ora/current/f20/intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch b/freed-ora/current/f20/intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch
new file mode 100644
index 000000000..304b6009b
--- /dev/null
+++ b/freed-ora/current/f20/intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch
@@ -0,0 +1,97 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.6.212 with SMTP id d20csp423275oaa; + Fri, 20 Jun 2014 07:30:34 -0700 (PDT) +X-Received: by 10.68.190.98 with SMTP id gp2mr5272210pbc.88.1403274634321; + Fri, 20 Jun 2014 07:30:34 -0700 (PDT) +Return-Path: <stable-owner@vger.kernel.org> +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id hp1si10074557pad.83.2014.06.20.07.29.43 + for <multiple recipients>; + Fri, 20 Jun 2014 07:30:34 -0700 (PDT) +Received-SPF: none (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=neutral (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) smtp.mail=stable-owner@vger.kernel.org; + dkim=neutral (body hash did not verify) header.i=@; + dmarc=fail (p=NONE dis=NONE) header.from=gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1752837AbaFTO2Q (ORCPT <rfc822;tuffkidtt@gmail.com> + 73 others); + Fri, 20 Jun 2014 10:28:16 -0400 +Received: from mail-pa0-f44.google.com ([209.85.220.44]:49238 "EHLO + mail-pa0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1752834AbaFTO2P (ORCPT + <rfc822;stable@vger.kernel.org>); Fri, 20 Jun 2014 10:28:15 -0400 +Received: by mail-pa0-f44.google.com with SMTP id rd3so3177765pab.17 + for <multiple recipients>; Fri, 20 Jun 2014 07:28:15 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=from:to:cc:subject:date:message-id:in-reply-to:references; + bh=rsR1AnYOOFONegcKUuZzrIkP/Fwwpd8RySrcXDcatYE=; + b=H8hEI3Sg3lQRMr4ADxJtNpRGhyOTkP+gFC3du64xhLqVHicLrvtD06Wz7Vv0AowO52 + JpoocTnE8lUQvSMqev+LIh83DoFZxvYqrWqv0815LcZATxquRCPfNw8py9uTm3o0ABIy + PhXPM7UO278Ov67fqu63akRwHfrgtd22iXkHcn68ZqbTvdfo/jJlMcgRVoysP8XNPoIV + FZ4uVsHsjcx77zgA6A8t22vG5eozHRabvcvyxAp8eC/GwSjlWRFN7ETD28w4muvZcbFm + 
PFDieDk7detiTEqFyXncStI0i81Ezun+IyWnPnI1EOqPXKLoFaUiyxmw6Z7iOWLs0166 + NLoA== +X-Received: by 10.68.193.100 with SMTP id hn4mr5166204pbc.50.1403274495186; + Fri, 20 Jun 2014 07:28:15 -0700 (PDT) +Received: from echolake.localdomain (static-50-43-41-81.bvtn.or.frontiernet.net. [50.43.41.81]) + by mx.google.com with ESMTPSA id vx10sm44287848pac.17.2014.06.20.07.28.13 + for <multiple recipients> + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Fri, 20 Jun 2014 07:28:13 -0700 (PDT) +From: dirk.brandewie@gmail.com +X-Google-Original-From: dirk.j.brandewie@intel.com +To: linux-pm@vger.kernel.org +Cc: rjw@rjwysocki.net, dirk.brandewie@gmail.com, + stable@vger.kernel.org, Dirk Brandewie <dirk.j.brandewie@intel.com> +Subject: [PATCH 3/3] intel_pstate: Update documentation of {max,min}_perf_pct sysfs files +Date: Fri, 20 Jun 2014 07:28:00 -0700 +Message-Id: <1403274480-10593-4-git-send-email-dirk.j.brandewie@intel.com> +X-Mailer: git-send-email 1.9.0 +In-Reply-To: <1403274480-10593-1-git-send-email-dirk.j.brandewie@intel.com> +References: <1403274480-10593-1-git-send-email-dirk.j.brandewie@intel.com> +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: <stable.vger.kernel.org> +X-Mailing-List: stable@vger.kernel.org + +From: Dirk Brandewie <dirk.j.brandewie@intel.com> + +Update documentation to make the interpretation of the values clearer + +References: https://bugzilla.kernel.org/show_bug.cgi?id=64251 + +Cc: Stable <stable@vger.kernel.org> [3.13+] +Signed-off-by: Dirk Brandewie <dirk.j.brandewie@intel.com> +--- + Documentation/cpu-freq/intel-pstate.txt | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/Documentation/cpu-freq/intel-pstate.txt b/Documentation/cpu-freq/intel-pstate.txt +index e742d21..a69ffe1 100644 +--- a/Documentation/cpu-freq/intel-pstate.txt ++++ b/Documentation/cpu-freq/intel-pstate.txt +@@ -15,10 +15,13 @@ New sysfs files for controlling P state selection have been added to + 
/sys/devices/system/cpu/intel_pstate/ + + max_perf_pct: limits the maximum P state that will be requested by +- the driver stated as a percentage of the available performance. ++ the driver stated as a percentage of the available performance. The ++ available (P states) performance may be reduced by the no_turbo ++ setting described below. + + min_perf_pct: limits the minimum P state that will be requested by +- the driver stated as a percentage of the available performance. ++ the driver stated as a percentage of the max (non-turbo) ++ performance level. + + no_turbo: limits the driver to selecting P states below the turbo + frequency range. +-- +1.9.0 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/freed-ora/current/f20/intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch b/freed-ora/current/f20/intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch new file mode 100644 index 000000000..5d66cbb88 --- /dev/null +++ b/freed-ora/current/f20/intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch 
@@ -0,0 +1,163 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.6.212 with SMTP id d20csp423277oaa; + Fri, 20 Jun 2014 07:30:35 -0700 (PDT) +X-Received: by 10.68.139.36 with SMTP id qv4mr5223355pbb.82.1403274634649; + Fri, 20 Jun 2014 07:30:34 -0700 (PDT) +Return-Path: <stable-owner@vger.kernel.org> +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id qv2si9954447pbb.188.2014.06.20.07.29.40 + for <multiple recipients>; + Fri, 20 Jun 2014 07:30:34 -0700 (PDT) +Received-SPF: none (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=neutral (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) smtp.mail=stable-owner@vger.kernel.org; + dkim=neutral (body hash did not verify) header.i=@; + dmarc=fail (p=NONE dis=NONE) header.from=gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1752836AbaFTO2P (ORCPT <rfc822;tuffkidtt@gmail.com> + 73 others); + Fri, 20 Jun 2014 10:28:15 -0400 +Received: from mail-pb0-f51.google.com ([209.85.160.51]:46198 "EHLO + mail-pb0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1752834AbaFTO2N (ORCPT + <rfc822;stable@vger.kernel.org>); Fri, 20 Jun 2014 10:28:13 -0400 +Received: by mail-pb0-f51.google.com with SMTP id rp16so3192728pbb.10 + for <multiple recipients>; Fri, 20 Jun 2014 07:28:13 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=from:to:cc:subject:date:message-id:in-reply-to:references; + bh=d4snuLkO7yJL099uI4N/+0VV5Rt4O8Cw+AAMmj8igq8=; + b=Hmy0dMfQu3uRTZzAq3zGf2sfVMhRUxySItx4tChAq3aaQAehBA+1vqEHeiQ6ZNpXrD + BJfbmvByR/d4G55woGKZbyOPL/t5XzkVVUuefHgKvEDjWbHns/RYax+lgRFI4Cb1aLEe + 4u1/8cZ29BpFQ/yVW2D6/K6uwcJ6MQRK8lZISKjf/9oxZLg6vEeR4JGC70qo6yDHeUlu + VUQ3RrvKJ7NQw2nXTxAPuAvNEd+JCbKp6zO6gi6jET5vAQnevlrx+LxMjKssXI+QjXsH + 
N11ImMdOmbmBUgEIkFctpViP+fOFMTfkwIMh05FSQZtcy3NVF5kEUHR8N3B2klbGBYln + TJ8w== +X-Received: by 10.68.133.163 with SMTP id pd3mr5111437pbb.166.1403274493273; + Fri, 20 Jun 2014 07:28:13 -0700 (PDT) +Received: from echolake.localdomain (static-50-43-41-81.bvtn.or.frontiernet.net. [50.43.41.81]) + by mx.google.com with ESMTPSA id vx10sm44287848pac.17.2014.06.20.07.28.11 + for <multiple recipients> + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Fri, 20 Jun 2014 07:28:12 -0700 (PDT) +From: dirk.brandewie@gmail.com +X-Google-Original-From: dirk.j.brandewie@intel.com +To: linux-pm@vger.kernel.org +Cc: rjw@rjwysocki.net, dirk.brandewie@gmail.com, + stable@vger.kernel.org, Dirk Brandewie <dirk.j.brandewie@intel.com> +Subject: [PATCH 2/3] intel_pstate: don't touch turbo bit if turbo disabled or unavailable. +Date: Fri, 20 Jun 2014 07:27:59 -0700 +Message-Id: <1403274480-10593-3-git-send-email-dirk.j.brandewie@intel.com> +X-Mailer: git-send-email 1.9.0 +In-Reply-To: <1403274480-10593-1-git-send-email-dirk.j.brandewie@intel.com> +References: <1403274480-10593-1-git-send-email-dirk.j.brandewie@intel.com> +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: <stable.vger.kernel.org> +X-Mailing-List: stable@vger.kernel.org + +From: Dirk Brandewie <dirk.j.brandewie@intel.com> + +If turbo is disabled in the BIOS bit 38 should be set in +MSR_IA32_MISC_ENABLE register per section 14.3.2.1 of the SDM Vol 3 +document 325384-050US Feb 2014. If this bit is set do *not* attempt +to disable trubo via the MSR_IA32_PERF_CTL register. On some systems +trying to disable turbo via MSR_IA32_PERF_CTL will cause subsequent +writes to MSR_IA32_PERF_CTL not take affect, in fact reading +MSR_IA32_PERF_CTL will not show the IDA/Turbo DISENGAGE bit(32) as +set. A write of bit 32 to zero returns to normal operation. 
+ +Also deal with the case where the processor does not support +turbo and the BIOS does not report the fact in MSR_IA32_MISC_ENABLE +but does report the max and turbo P states as the same value. + +References: https://bugzilla.kernel.org/show_bug.cgi?id=64251 + +Cc: Stable <stable@vger.kernel.org> [3.13+] +Signed-off-by: Dirk Brandewie <dirk.j.brandewie@intel.com> +--- + drivers/cpufreq/intel_pstate.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 74376d6..127ead8 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -128,6 +128,7 @@ static struct pstate_funcs pstate_funcs; + + struct perf_limits { + int no_turbo; ++ int turbo_disabled; + int max_perf_pct; + int min_perf_pct; + int32_t max_perf; +@@ -287,7 +288,10 @@ static ssize_t store_no_turbo(struct kobject *a, struct attribute *b, + if (ret != 1) + return -EINVAL; + limits.no_turbo = clamp_t(int, input, 0 , 1); +- ++ if (limits.turbo_disabled) { ++ pr_warn("Turbo disabled by BIOS or unavailable on processor\n"); ++ limits.no_turbo = limits.turbo_disabled; ++ } + return count; + } + +@@ -381,7 +385,7 @@ static void byt_set_pstate(struct cpudata *cpudata, int pstate) + u32 vid; + + val = pstate << 8; +- if (limits.no_turbo) ++ if (limits.no_turbo && !limits.turbo_disabled) + val |= (u64)1 << 32; + + vid_fp = cpudata->vid.min + mul_fp( +@@ -448,7 +452,7 @@ static void core_set_pstate(struct cpudata *cpudata, int pstate) + u64 val; + + val = pstate << 8; +- if (limits.no_turbo) ++ if (limits.no_turbo && !limits.turbo_disabled) + val |= (u64)1 << 32; + + wrmsrl_on_cpu(cpudata->cpu, MSR_IA32_PERF_CTL, val); +@@ -741,7 +745,7 @@ static int intel_pstate_set_policy(struct cpufreq_policy *policy) + limits.min_perf = int_tofp(1); + limits.max_perf_pct = 100; + limits.max_perf = int_tofp(1); +- limits.no_turbo = 0; ++ limits.no_turbo = limits.turbo_disabled; + return 0; + 
} + limits.min_perf_pct = (policy->min * 100) / policy->cpuinfo.max_freq; +@@ -784,6 +788,7 @@ static int intel_pstate_cpu_init(struct cpufreq_policy *policy) + { + struct cpudata *cpu; + int rc; ++ u64 misc_en; + + rc = intel_pstate_init_cpu(policy->cpu); + if (rc) +@@ -791,8 +796,13 @@ static int intel_pstate_cpu_init(struct cpufreq_policy *policy) + + cpu = all_cpu_data[policy->cpu]; + +- if (!limits.no_turbo && +- limits.min_perf_pct == 100 && limits.max_perf_pct == 100) ++ rdmsrl(MSR_IA32_MISC_ENABLE, misc_en); ++ if (misc_en & MSR_IA32_MISC_ENABLE_TURBO_DISABLE || ++ cpu->pstate.max_pstate == cpu->pstate.turbo_pstate) { ++ limits.turbo_disabled = 1; ++ limits.no_turbo = 1; ++ } ++ if (limits.min_perf_pct == 100 && limits.max_perf_pct == 100) + policy->policy = CPUFREQ_POLICY_PERFORMANCE; + else + policy->policy = CPUFREQ_POLICY_POWERSAVE; +-- +1.9.0 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/freed-ora/current/f20/kernel.spec b/freed-ora/current/f20/kernel.spec index f4052fc78..c4ced279c 100644 --- a/freed-ora/current/f20/kernel.spec +++ b/freed-ora/current/f20/kernel.spec @@ -112,7 +112,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 9 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly 
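Review bot: In `store_no_turbo()` of the turbo-bit patch a write is still reported as successful (`return count;`) after the new branch has discarded the requested value and forced `limits.no_turbo` back to `limits.turbo_disabled`. A caller that writes 0 gets no error and has to read the kernel log to learn that the setting was refused, and every such write emits another `pr_warn`. Testing `limits.turbo_disabled` before the assignment and ending that branch with `return -EPERM;` would make the refusal visible to the writer. Separately, `limits` appears to be a single file-scope object while `turbo_disabled` is derived in `intel_pstate_cpu_init()` from an `rdmsrl()` on whichever CPU runs the init; the hunk does not show whether that is always `policy->cpu`, so it is worth confirming.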
@@ -799,24 +799,12 @@ Patch25071: drm-fix-qxl-mode-flags-backport.patch #rhbz 861573 Patch25079: 0003-samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch -#CVE-2014-0181 rhbz 1094270 1094265 -Patch25082: 1-5-netlink-Rename-netlink_capable-netlink_allowed.patch -Patch25083: 2-5-net-Move-the-permission-check-in-sock_diag_put_filterinfo-to-packet_diag_dump.patch -Patch25084: 3-5-net-Add-variants-of-capable-for-use-on-on-sockets.patch -Patch25085: 4-5-net-Add-variants-of-capable-for-use-on-netlink-messages.patch -Patch25086: 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-messages.patch -#rhbz 1094265 1097684 -Patch25094: netlink-Only-check-file-credentials-for-implicit-des.patch - #rhbz 1082266 Patch25087: jme-fix-dma-unmap-error.patch #rhbz 1051668 Patch25092: Input-elantech-add-support-for-newer-elantech-touchpads.patch -#rhbz 1099857 -Patch25095: team-fix-mtu-setting.patch - #rhbz 1094066 Patch25096: drm-i915-set-backlight-duty-cycle-after-backlight-enable-for-gen4.patch @@ -833,6 +821,19 @@ Patch25100: dm-thin-update-discard_granularity-to-reflect-the-thin-pool-blocksiz #rhbz 1103528 Patch25101: elantech-Deal-with-clickpads-reporting-right-button-.patch +Patch25102: intel_pstate-Fix-setting-VID.patch +Patch25103: intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch +Patch25104: intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch + +#CVE-2014-4508 rhbz 1111590 1112073 +Patch25106: x86_32-entry-Do-syscall-exit-work-on-badsys.patch + +#CVE-2014-0206 rhbz 1094602 1112975 +Patch25107: aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch +Patch25108: aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch + +Patch25109: revert-input-wacom-testing-result-shows-get_report-is-unnecessary.patch + # END OF PATCH DEFINITIONS %endif 
@@ -1584,24 +1585,12 @@ ApplyPatch drm-fix-qxl-mode-flags-backport.patch #rhbz 861573 ApplyPatch 0003-samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch -#CVE-2014-0181 rhbz 1094270 1094265 -ApplyPatch 1-5-netlink-Rename-netlink_capable-netlink_allowed.patch -ApplyPatch 2-5-net-Move-the-permission-check-in-sock_diag_put_filterinfo-to-packet_diag_dump.patch -ApplyPatch 3-5-net-Add-variants-of-capable-for-use-on-on-sockets.patch -ApplyPatch 4-5-net-Add-variants-of-capable-for-use-on-netlink-messages.patch -ApplyPatch 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-messages.patch -#rhbz 1094265 1097684 -ApplyPatch netlink-Only-check-file-credentials-for-implicit-des.patch - #rhbz 1082266 ApplyPatch jme-fix-dma-unmap-error.patch #rhbz 1051668 ApplyPatch Input-elantech-add-support-for-newer-elantech-touchpads.patch -#rhbz 1099857 -ApplyPatch team-fix-mtu-setting.patch - #rhbz 1094066 ApplyPatch drm-i915-set-backlight-duty-cycle-after-backlight-enable-for-gen4.patch @@ -1618,6 +1607,19 @@ ApplyPatch dm-thin-update-discard_granularity-to-reflect-the-thin-pool-blocksize #rhbz 1103528 ApplyPatch elantech-Deal-with-clickpads-reporting-right-button-.patch +ApplyPatch intel_pstate-Fix-setting-VID.patch +ApplyPatch intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch +ApplyPatch intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch + +#CVE-2014-4508 rhbz 1111590 1112073 +ApplyPatch x86_32-entry-Do-syscall-exit-work-on-badsys.patch + +#CVE-2014-0206 rhbz 1094602 1112975 +ApplyPatch aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch +ApplyPatch aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch + +ApplyPatch revert-input-wacom-testing-result-shows-get_report-is-unnecessary.patch + # END OF PATCH APPLICATIONS %endif 
@@ -2440,6 +2442,22 @@ fi # ||----w | # || || %changelog +* Thu Jun 26 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 3.14.9-gnu. + +* Thu Jun 26 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.9-200 +- Linux v3.14.9 + +* Wed Jun 25 2014 Josh Boyer <jwboyer@fedoraproject.org> +- Revert commit that breaks Wacom Intuos4 from Benjamin Tissoires +- CVE-2014-0206 aio: insufficient head sanitization in aio_read_events_ring (rhbz 1094602 1112975) + +* Mon Jun 23 2014 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2014-4508 BUG in x86_32 syscall auditing (rhbz 1111590 1112073) + +* Fri Jun 20 2014 Josh Boyer <jwboyer@fedoraproject.org> +- Bring in intel_pstate regression fixes for BayTrail (rhbz 1111920) + * Mon Jun 16 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre - GNU Linux-libre 3.14.8-gnu. diff --git a/freed-ora/current/f20/patch-3.14-gnu-3.14.8-gnu.xz.sign b/freed-ora/current/f20/patch-3.14-gnu-3.14.8-gnu.xz.sign deleted file mode 100644 index f1ef79e67..000000000 --- a/freed-ora/current/f20/patch-3.14-gnu-3.14.8-gnu.xz.sign +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.22 (GNU/Linux) - -iEYEABECAAYFAlOfhn0ACgkQvLfPh359R6dTZQCgo8vQDkisi6Z5LUUFCWE/D5Dn -eqwAoJyRGK/6MOqZjsiLmDP4N0O/xgni -=Z811 ------END PGP SIGNATURE----- diff --git a/freed-ora/current/f20/patch-3.14-gnu-3.14.9-gnu.xz.sign b/freed-ora/current/f20/patch-3.14-gnu-3.14.9-gnu.xz.sign new file mode 100644 index 000000000..bd22327f8 --- /dev/null +++ b/freed-ora/current/f20/patch-3.14-gnu-3.14.9-gnu.xz.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (GNU/Linux) + +iEYEABECAAYFAlOsuzAACgkQvLfPh359R6e4UgCdEkaojeRi701uKnGBpBZzNMin +QcAAnAzNYz6YwuX5jmeEjFUdpAxCd5Wf +=MNy9 +-----END PGP SIGNATURE----- 
diff --git a/freed-ora/current/f20/revert-input-wacom-testing-result-shows-get_report-is-unnecessary.patch b/freed-ora/current/f20/revert-input-wacom-testing-result-shows-get_report-is-unnecessary.patch new file mode 100644 index 000000000..f9f4a72a0 --- /dev/null +++ b/freed-ora/current/f20/revert-input-wacom-testing-result-shows-get_report-is-unnecessary.patch @@ -0,0 +1,40 @@ +Bugzilla: N/A +Upstream-status: Sent upstream + +This reverts commit 1b2faaf7e219fc2905d75afcd4c815e5d39eda80. + +The Intuos4 series presents a bug in which it hangs if it receives +a set feature command while switching to the enhanced mode. +This bug is triggered when plugging an Intuos 4 while having +a gnome user session up and running. + +Signed-off-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx> +--- + +Hi Aris, + +actually, you bisected the bug, so can I consider that I have your signed-off-by? + +Cheers, +Benjamin + + drivers/input/tablet/wacom_sys.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/input/tablet/wacom_sys.c b/drivers/input/tablet/wacom_sys.c +index 7087b33..319a3ff 100644 +--- a/drivers/input/tablet/wacom_sys.c ++++ b/drivers/input/tablet/wacom_sys.c +@@ -536,6 +536,9 @@ static int wacom_set_device_mode(struct usb_interface *intf, int report_id, int + + error = wacom_set_report(intf, WAC_HID_FEATURE_REPORT, + report_id, rep_data, length, 1); ++ if (error >= 0) ++ error = wacom_get_report(intf, WAC_HID_FEATURE_REPORT, ++ report_id, rep_data, length, 1); + } while ((error < 0 || rep_data[1] != mode) && limit++ < WAC_MSG_RETRIES); + + kfree(rep_data); +-- +1.9.0 + diff --git a/freed-ora/current/f20/sources b/freed-ora/current/f20/sources index 01b4e95cd..dfff76dce 100644 --- a/freed-ora/current/f20/sources +++ b/freed-ora/current/f20/sources @@ -1,2 +1,2 @@ c108ec52eeb2a9b9ddbb8d12496ff25f linux-libre-3.14-gnu.tar.xz -542e6bc95ee2493a0f0782d25645f6c3 patch-3.14-gnu-3.14.8-gnu.xz +d24f388f14cc0829fcc35b792d0392a5 patch-3.14-gnu-3.14.9-gnu.xz 
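Review bot: The sign-off in the wacom revert patch reads `benjamin.tissoires@xxxxxxxxxx`, i.e. the address is masked, which suggests the patch text was copied from a web archive rather than taken from the original mail or a git tree. That leaves the `Signed-off-by` trailer unusable for tracing provenance, and the header states `Upstream-status: Sent upstream` with `Bugzilla: N/A`, so there is no upstream commit id to compare the hunk against. I would re-fetch the patch from the list message or the eventual upstream commit and record its id in the header. In the code itself the re-added `wacom_get_report()` call overwrites `error`, so the loop condition then tests the read-back result; `wacom_set_device_mode()` continues outside the hunk.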
diff --git a/freed-ora/current/f20/team-fix-mtu-setting.patch b/freed-ora/current/f20/team-fix-mtu-setting.patch deleted file mode 100644 index 6703be71e..000000000 --- a/freed-ora/current/f20/team-fix-mtu-setting.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -Bugzilla: 1099857 -Upstream-status: 3.15 and CC'd for stable - -From 9d0d68faea6962d62dd501cd6e71ce5cc8ed262b Mon Sep 17 00:00:00 2001 -From: Jiri Pirko <jiri@resnulli.us> -Date: Thu, 29 May 2014 20:46:17 +0200 -Subject: [PATCH] team: fix mtu setting - -Now it is not possible to set mtu to team device which has a port -enslaved to it. The reason is that when team_change_mtu() calls -dev_set_mtu() for port device, notificator for NETDEV_PRECHANGEMTU -event is called and team_device_event() returns NOTIFY_BAD forbidding -the change. So fix this by returning NOTIFY_DONE here in case team is -changing mtu in team_change_mtu(). - -Introduced-by: 3d249d4c "net: introduce ethernet teaming device" -Signed-off-by: Jiri Pirko <jiri@resnulli.us> -Acked-by: Flavio Leitner <fbl@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/team/team.c | 7 ++++++- - include/linux/if_team.h | 1 + - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index 767fe61..ce4989b 100644 ---- a/drivers/net/team/team.c -+++ b/drivers/net/team/team.c -@@ -1724,6 +1724,7 @@ static int team_change_mtu(struct net_device *dev, int new_mtu) - * to traverse list in reverse under rcu_read_lock - */ - mutex_lock(&team->lock); -+ team->port_mtu_change_allowed = true; - list_for_each_entry(port, &team->port_list, list) { - err = dev_set_mtu(port->dev, new_mtu); - if (err) { -@@ -1732,6 +1733,7 @@ static int team_change_mtu(struct net_device *dev, int new_mtu) - goto unwind; - } - } -+ team->port_mtu_change_allowed = false; - mutex_unlock(&team->lock); - - dev->mtu = new_mtu; -@@ -1741,6 +1743,7 @@ static int team_change_mtu(struct net_device *dev, int new_mtu) - unwind: - list_for_each_entry_continue_reverse(port, &team->port_list, list) - dev_set_mtu(port->dev, dev->mtu); -+ team->port_mtu_change_allowed = false; - mutex_unlock(&team->lock); - - return err; -@@ -2851,7 +2854,9 @@ static int 
team_device_event(struct notifier_block *unused, - break; - case NETDEV_PRECHANGEMTU: - /* Forbid to change mtu of underlaying device */ -- return NOTIFY_BAD; -+ if (!port->team->port_mtu_change_allowed) -+ return NOTIFY_BAD; -+ break; - case NETDEV_PRE_TYPE_CHANGE: - /* Forbid to change type of underlaying device */ - return NOTIFY_BAD; -diff --git a/include/linux/if_team.h b/include/linux/if_team.h -index a899dc2..a6aa970 100644 ---- a/include/linux/if_team.h -+++ b/include/linux/if_team.h -@@ -194,6 +194,7 @@ struct team { - bool user_carrier_enabled; - bool queue_override_enabled; - struct list_head *qom_lists; /* array of queue override mapping lists */ -+ bool port_mtu_change_allowed; - struct { - unsigned int count; - unsigned int interval; /* in ms */ --- -1.9.3 - diff --git a/freed-ora/current/f20/x86_32-entry-Do-syscall-exit-work-on-badsys.patch b/freed-ora/current/f20/x86_32-entry-Do-syscall-exit-work-on-badsys.patch new file mode 100644 index 000000000..c174e9453 --- /dev/null +++ b/freed-ora/current/f20/x86_32-entry-Do-syscall-exit-work-on-badsys.patch 
@@ -0,0 +1,130 @@
+Bugzilla: 1112073
+Upstream-status: Sent for 3.16 and CC'd to stable
+Delivered-To: jwboyer@gmail.com
+Received: by 10.76.6.212 with SMTP id d20csp139586oaa;
+ Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
+X-Received: by 10.68.222.196 with SMTP id qo4mr32453892pbc.14.1403558895116;
+ Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
+Return-Path: <stable-owner@vger.kernel.org>
+Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
+ by mx.google.com with ESMTP id bm3si23587434pad.232.2014.06.23.14.27.47
+ for <multiple recipients>;
+ Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
+Received-SPF: none (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) client-ip=209.132.180.67;
+Authentication-Results: mx.google.com;
+ spf=neutral (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) smtp.mail=stable-owner@vger.kernel.org
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1752475AbaFWVWX (ORCPT <rfc822;tuffkidtt@gmail.com> + 73 others);
+ Mon, 23 Jun 2014 17:22:23 -0400
+Received: from mail-pb0-f42.google.com ([209.85.160.42]:39692 "EHLO
+ mail-pb0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1752518AbaFWVWW (ORCPT
+ <rfc822;stable@vger.kernel.org>); Mon, 23 Jun 2014 17:22:22 -0400
+Received: by mail-pb0-f42.google.com with SMTP id ma3so6319797pbc.15
+ for <stable@vger.kernel.org>; Mon, 23 Jun 2014 14:22:21 -0700 (PDT)
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20130820;
+ h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
+ :references:mime-version:content-type:content-transfer-encoding;
+ bh=7AW5eK5e3OhAcFYPrsffKoD56CbJdqfg9BcyF1JKfUE=;
+ b=iLlWTJCuH9FlKTif4N6XtFZNvj8a/fbsjuP4kWWD/gmHHGEOWI6bh2Jm8X3vcN6GtV
+ f7rqFO0SAMf197e66uME3pq8NzYFad4eRgJpBGON93P22+cPbqrsT9FZjMZqn2bJkEw4
+ EDZZy2MFqm3Kx2m/5g76NLDV1tgafEnwbgL1vg6IxlbPi6J8inkXwKP3FdMoTcfRBO6p
+ dIcI1cV7VDNf6zKaMj+XS/ZiSxqpArhwvZ6xnXRmLfgD+x/JsxEcg2pX03BXHTKO9QNm
+ nixe+cuug0X0E5idHuiLJzV0Wf6IhYsvVz/FvjY16pggduecA2NgNU2e7txqb+IcTBZ/
+ jBbA==
+X-Gm-Message-State: ALoCoQlblcwmTrVjpekrIOzidDrxwB18p5Rfd5SObiPQifpOQZmSFUKrxzV0kxCjcW/wVwxOzAG7
+X-Received: by 10.68.197.8 with SMTP id iq8mr32930210pbc.124.1403558541680;
+ Mon, 23 Jun 2014 14:22:21 -0700 (PDT)
+Received: from localhost (50-76-60-73-ip-static.hfc.comcastbusiness.net. [50.76.60.73])
+ by mx.google.com with ESMTPSA id fl6sm99195659pab.43.2014.06.23.14.22.19
+ for <multiple recipients>
+ (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
+ Mon, 23 Jun 2014 14:22:20 -0700 (PDT)
+From: Andy Lutomirski <luto@amacapital.net>
+Cc: "H. Peter Anvin" <hpa@zytor.com>,
+ Richard Weinberger <richard@nod.at>, X86 ML <x86@kernel.org>,
+ Eric Paris <eparis@redhat.com>,
+ Linux Kernel <linux-kernel@vger.kernel.org>,
+ security@kernel.org, Steven Rostedt <rostedt@goodmis.org>,
+ Borislav Petkov <bp@alien8.de>,
+ =?UTF-8?q?Toralf=20F=C3=B6rster?= <toralf.foerster@gmx.de>,
+ Andy Lutomirski <luto@amacapital.net>, stable@vger.kernel.org,
+ Roland McGrath <roland@redhat.com>
+Subject: [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508)
+Date: Mon, 23 Jun 2014 14:22:15 -0700
+Message-Id: <e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net>
+X-Mailer: git-send-email 1.9.3
+In-Reply-To: <CA+5PVA70nFS8JZkL0-Q-1HjFHT5NA04275_M4WstjQMrpT+hrQ@mail.gmail.com>
+References: <CA+5PVA70nFS8JZkL0-Q-1HjFHT5NA04275_M4WstjQMrpT+hrQ@mail.gmail.com>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+To: unlisted-recipients:; (no To-header on input)
+Sender: stable-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <stable.vger.kernel.org>
+X-Mailing-List: stable@vger.kernel.org
+
+The bad syscall nr paths are their own incomprehensible route
+through the entry control flow. Rearrange them to work just like
+syscalls that return -ENOSYS.
+
+This fixes an OOPS in the audit code when fast-path auditing is
+enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
+
+This has probably been broken since Linux 2.6.27:
+af0575bba0 i386 syscall audit fast-path
+
+Cc: stable@vger.kernel.org
+Cc: Roland McGrath <roland@redhat.com>
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+---
+
+I realize that the syscall audit fast path and badsys code, on 32-bit
+x86 no less, is possibly one of the least fun things in the kernel to
+review, but this is still a real security bug and should get fixed :(
+
+So I'm cc-ing a bunch of people and maybe someone will review it.
+
+ arch/x86/kernel/entry_32.S | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index a2a4f46..f4258a5 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -431,9 +431,10 @@ sysenter_past_esp:
+ jnz sysenter_audit
+ sysenter_do_call:
+ cmpl $(NR_syscalls), %eax
+- jae syscall_badsys
++ jae sysenter_badsys
+ call *sys_call_table(,%eax,4)
+ movl %eax,PT_EAX(%esp)
++sysenter_after_call:
+ LOCKDEP_SYS_EXIT
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+@@ -688,7 +689,12 @@ END(syscall_fault)
+
+ syscall_badsys:
+ movl $-ENOSYS,PT_EAX(%esp)
+- jmp resume_userspace
++ jmp syscall_exit
++END(syscall_badsys)
++
++sysenter_badsys:
++ movl $-ENOSYS,PT_EAX(%esp)
++ jmp sysenter_after_call
+ END(syscall_badsys)
+ CFI_ENDPROC
+ /*
+--
+1.9.3
+
+--
+To unsubscribe from this list: send the line "unsubscribe stable" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
|
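Review bot: The new `sysenter_badsys:` block in the entry_32.S change is still closed by the old context line `END(syscall_badsys)`, so on the new side `syscall_badsys` is ended twice and `sysenter_badsys` has no end marker of its own; that closing line should read `END(sysenter_badsys)`. The control flow of the fix is unaffected, but the symbol annotation for the new label is presumably wrong, which matters to anyone reading a disassembly or backtrace of this path. A one-line comment at the label, for example `/* bad syscall nr via sysenter: store -ENOSYS and run the normal exit work */`, would also record why the two badsys paths now differ. Separately, the added patch file keeps the full mail-transport headers (`Delivered-To`, the `Received` chain, `X-Gm-Message-State`, the DKIM signature) and the list footer; trimming it to `From`/`Date`/`Subject` plus the Bugzilla and Upstream-status lines would keep personal routing data out of the package tree.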

