author | Alexandre Oliva <lxoliva@fsfla.org> | 2010-09-29 01:52:12 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2010-09-29 01:52:12 +0000 |
commit | c52798b05e28563d018fc26085272add80b7619b (patch) | |
tree | 8ab35430c663631d798e57f30092318e4d483afd /freed-ora/current | |
parent | 7eddee32c8fa3bca92f0392ea702d932c4813d91 (diff) | |
2.6.32.23-170.fc12
Diffstat (limited to 'freed-ora/current')
23 files changed, 59 insertions, 855 deletions
diff --git a/freed-ora/current/f12/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch b/freed-ora/current/f12/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
deleted file mode 100644
index 2053e033c..000000000
--- a/freed-ora/current/f12/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
+++ /dev/null
@@ -1,198 +0,0 @@ -From f45716729488bd8263b06e7d672c8ff8f2ded8b7 Mon Sep 17 00:00:00 2001 -From: H. Peter Anvin <hpa@linux.intel.com> -Date: Tue, 7 Sep 2010 16:16:18 -0700 -Subject: [PATCH 1/4] compat: Make compat_alloc_user_space() incorporate the access_ok() - -compat_alloc_user_space() expects the caller to independently call -access_ok() to verify the returned area. A missing call could -introduce problems on some architectures. - -This patch incorporates the access_ok() check into -compat_alloc_user_space() and also adds a sanity check on the length. -The existing compat_alloc_user_space() implementations are renamed -arch_compat_alloc_user_space() and are used as part of the -implementation of the new global function. - -This patch assumes NULL will cause __get_user()/__put_user() to either -fail or access userspace on all architectures. This should be -followed by checking the return value of compat_access_user_space() -for NULL in the callers, at which time the access_ok() in the callers -can also be removed. - -Reported-by: Ben Hawkes <hawkes@sota.gen.nz> -Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> -Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> -Acked-by: Chris Metcalf <cmetcalf@tilera.com> -Acked-by: David S. Miller <davem@davemloft.net> -Acked-by: Ingo Molnar <mingo@elte.hu> -Acked-by: Thomas Gleixner <tglx@linutronix.de> -Acked-by: Tony Luck <tony.luck@intel.com> -Cc: Andrew Morton <akpm@linux-foundation.org> -Cc: Arnd Bergmann <arnd@arndb.de> -Cc: Fenghua Yu <fenghua.yu@intel.com> -Cc: H. 
Peter Anvin <hpa@zytor.com> -Cc: Heiko Carstens <heiko.carstens@de.ibm.com> -Cc: Helge Deller <deller@gmx.de> -Cc: James Bottomley <jejb@parisc-linux.org> -Cc: Kyle McMartin <kyle@mcmartin.ca> -Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> -Cc: Paul Mackerras <paulus@samba.org> -Cc: Ralf Baechle <ralf@linux-mips.org> -Cc: <stable@kernel.org> ---- - - [ edited to fix build on 2.6.32 ] - - arch/ia64/include/asm/compat.h | 2 +- - arch/mips/include/asm/compat.h | 2 +- - arch/parisc/include/asm/compat.h | 2 +- - arch/powerpc/include/asm/compat.h | 2 +- - arch/s390/include/asm/compat.h | 2 +- - arch/sparc/include/asm/compat.h | 2 +- - arch/x86/include/asm/compat.h | 2 +- - include/linux/compat.h | 2 ++ - kernel/compat.c | 22 +++++++++++++++++++++ - 9 files changed, 30 insertions(+), 7 deletions(-) - -diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h -index dfcf75b..c8662cd 100644 ---- a/arch/ia64/include/asm/compat.h -+++ b/arch/ia64/include/asm/compat.h -@@ -198,7 +198,7 @@ ptr_to_compat(void __user *uptr) - } - - static __inline__ void __user * --compat_alloc_user_space (long len) -+arch_compat_alloc_user_space (long len) - { - struct pt_regs *regs = task_pt_regs(current); - return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len); -diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h -index f58aed3..27505bd 100644 ---- a/arch/mips/include/asm/compat.h -+++ b/arch/mips/include/asm/compat.h -@@ -144,7 +144,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = (struct pt_regs *) - ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1; -diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h -index 7f32611..7c77fa9 100644 ---- a/arch/parisc/include/asm/compat.h -+++ 
b/arch/parisc/include/asm/compat.h -@@ -146,7 +146,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static __inline__ void __user *compat_alloc_user_space(long len) -+static __inline__ void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = ¤t->thread.regs; - return (void __user *)regs->gr[30]; -diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h -index 4774c2f..8d0fff3 100644 ---- a/arch/powerpc/include/asm/compat.h -+++ b/arch/powerpc/include/asm/compat.h -@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = current->thread.regs; - unsigned long usp = regs->gpr[1]; -diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h -index 01a0802..0c940d3 100644 ---- a/arch/s390/include/asm/compat.h -+++ b/arch/s390/include/asm/compat.h -@@ -180,7 +180,7 @@ static inline int is_compat_task(void) - - #endif - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - unsigned long stack; - -diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h -index 0e70625..612bb38 100644 ---- a/arch/sparc/include/asm/compat.h -+++ b/arch/sparc/include/asm/compat.h -@@ -166,7 +166,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = current_thread_info()->kregs; - unsigned long usp = regs->u_regs[UREG_I6]; -diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h -index 9a9c7bd..c8c9a74 100644 ---- 
a/arch/x86/include/asm/compat.h -+++ b/arch/x86/include/asm/compat.h -@@ -204,7 +204,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = task_pt_regs(current); - return (void __user *)regs->sp - len; -diff --git a/include/linux/compat.h b/include/linux/compat.h -index af931ee..cab23f2 100644 ---- a/include/linux/compat.h -+++ b/include/linux/compat.h -@@ -309,5 +309,7 @@ asmlinkage long compat_sys_newfstatat(unsigned int dfd, char __user * filename, - asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename, - int flags, int mode); - -+extern void __user *compat_alloc_user_space(unsigned long len); -+ - #endif /* CONFIG_COMPAT */ - #endif /* _LINUX_COMPAT_H */ -diff a/kernel/compat.c b/kernel/compat.c ---- a/kernel/compat.c -+++ b/kernel/compat.c -@@ -13,6 +13,7 @@ - - #include <linux/linkage.h> - #include <linux/compat.h> -+#include <linux/module.h> - #include <linux/errno.h> - #include <linux/time.h> - #include <linux/signal.h> -@@ -1137,3 +1137,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info) - - return 0; - } -+ -+/* -+ * Allocate user-space memory for the duration of a single system call, -+ * in order to marshall parameters inside a compat thunk. -+ */ -+void __user *compat_alloc_user_space(unsigned long len) -+{ -+ void __user *ptr; -+ -+ /* If len would occupy more than half of the entire compat space... */ -+ if (unlikely(len > (((compat_uptr_t)~0) >> 1))) -+ return NULL; -+ -+ ptr = arch_compat_alloc_user_space(len); -+ -+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len))) -+ return NULL; -+ -+ return ptr; -+} -+EXPORT_SYMBOL_GPL(compat_alloc_user_space); --- -1.7.2.3 - 
diff --git a/freed-ora/current/f12/02-compat-test-rax-for-the-system-call-number-not-eax.patch b/freed-ora/current/f12/02-compat-test-rax-for-the-system-call-number-not-eax.patch
deleted file mode 100644
index 8fd74902f..000000000
--- a/freed-ora/current/f12/02-compat-test-rax-for-the-system-call-number-not-eax.patch
+++ /dev/null
@@ -1,97 +0,0 @@ -From aaeacea2992c28f1d355ff7cd4c4754131bdd831 Mon Sep 17 00:00:00 2001 -From: H. Peter Anvin <hpa@linux.intel.com> -Date: Tue, 14 Sep 2010 12:42:41 -0700 -Subject: [PATCH 2/4] x86-64, compat: Test %rax for the syscall number, not %eax - -On 64 bits, we always, by necessity, jump through the system call -table via %rax. For 32-bit system calls, in theory the system call -number is stored in %eax, and the code was testing %eax for a valid -system call number. At one point we loaded the stored value back from -the stack to enforce zero-extension, but that was removed in checkin -d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process -will not be able to introduce a non-zero-extended number, but it can -happen via ptrace. - -Instead of re-introducing the zero-extension, test what we are -actually going to use, i.e. %rax. This only adds a handful of REX -prefixes to the code. - -Reported-by: Ben Hawkes <hawkes@sota.gen.nz> -Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> -Cc: <stable@kernel.org> -Cc: Roland McGrath <roland@redhat.com> -Cc: Andrew Morton <akpm@linux-foundation.org> ---- - arch/x86/ia32/ia32entry.S | 14 +++++++------- - 1 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 5294d84..7f9eb54 100644 ---- a/arch/x86/ia32/ia32entry.S -+++ b/arch/x86/ia32/ia32entry.S -@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) - CFI_REMEMBER_STATE - jnz sysenter_tracesys -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys - sysenter_do_call: - IA32_ARG_FIXUP -@@ -195,7 +195,7 @@ sysexit_from_sys_call: - movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ - call audit_syscall_entry - movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys - movl %ebx,%edi /* reload 1st syscall arg */ - movl 
RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */ -@@ -248,7 +248,7 @@ sysenter_tracesys: - call syscall_trace_enter - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ - jmp sysenter_do_call - CFI_ENDPROC -@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) - CFI_REMEMBER_STATE - jnz cstar_tracesys -- cmpl $IA32_NR_syscalls-1,%eax -+ cmpq $IA32_NR_syscalls-1,%rax - ja ia32_badsys - cstar_do_call: - IA32_ARG_FIXUP 1 -@@ -367,7 +367,7 @@ cstar_tracesys: - LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */ - RESTORE_REST - xchgl %ebp,%r9d -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ - jmp cstar_do_call - END(ia32_cstar_target) -@@ -425,7 +425,7 @@ ENTRY(ia32_syscall) - orl $TS_COMPAT,TI_status(%r10) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) - jnz ia32_tracesys -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys - ia32_do_call: - IA32_ARG_FIXUP -@@ -444,7 +444,7 @@ ia32_tracesys: - call syscall_trace_enter - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */ - jmp ia32_do_call - END(ia32_syscall) --- -1.7.2.3 - diff --git a/freed-ora/current/f12/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch b/freed-ora/current/f12/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch deleted file mode 100644 index 96c269b59..000000000 --- a/freed-ora/current/f12/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 1fa16daaa76d1b132c8fee027c11bad5a5d25761 Mon Sep 17 00:00:00 2001 -From: Roland McGrath <roland@redhat.com> -Date: Tue, 14 Sep 2010 12:22:58 -0700 -Subject: [PATCH 3/4] x86-64, compat: Retruncate rax after ia32 syscall entry tracing - -In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a -32-bit tracee in system call entry. A %rax value set via ptrace at the -entry tracing stop gets used whole as a 32-bit syscall number, while we -only check the low 32 bits for validity. - -Fix it by truncating %rax back to 32 bits after syscall_trace_enter, -in addition to testing the full 64 bits as has already been added. - -Reported-by: Ben Hawkes <hawkes@sota.gen.nz> -Signed-off-by: Roland McGrath <roland@redhat.com> -Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> ---- - arch/x86/ia32/ia32entry.S | 8 +++++++- - 1 files changed, 7 insertions(+), 1 deletions(-) - -diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 7f9eb54..4edd8eb 100644 ---- a/arch/x86/ia32/ia32entry.S -+++ b/arch/x86/ia32/ia32entry.S -@@ -50,7 +50,12 @@ - /* - * Reload arg registers from stack in case ptrace changed them. - * We don't reload %eax because syscall_trace_enter() returned -- * the value it wants us to use in the table lookup. -+ * the %rax value we should see. Instead, we just truncate that -+ * value to 32 bits again as we did on entry from user mode. -+ * If it's a new value set by user_regset during entry tracing, -+ * this matches the normal truncation of the user-mode value. -+ * If it's -1 to make us punt the syscall, then (u32)-1 is still -+ * an appropriately invalid value. - */ - .macro LOAD_ARGS32 offset, _r9=0 - .if \_r9 -@@ -60,6 +65,7 @@ - movl \offset+48(%rsp),%edx - movl \offset+56(%rsp),%esi - movl \offset+64(%rsp),%edi -+ movl %eax,%eax /* zero extension */ - .endm - - .macro CFI_STARTPROC32 simple --- -1.7.2.3 - 
diff --git a/freed-ora/current/f12/aio-check-for-multiplication-overflow-in-do_io_submit.patch b/freed-ora/current/f12/aio-check-for-multiplication-overflow-in-do_io_submit.patch
deleted file mode 100644
index 8706792b3..000000000
--- a/freed-ora/current/f12/aio-check-for-multiplication-overflow-in-do_io_submit.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From be18992d0630149403bfae5882601cf01a7d4eea Mon Sep 17 00:00:00 2001
-From: Jeff Moyer <jmoyer@redhat.com>
-Date: Fri, 10 Sep 2010 14:16:00 -0700
-Subject: [PATCH 4/4] aio: check for multiplication overflow in do_io_submit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Tavis Ormandy pointed out that do_io_submit does not do proper bounds
-checking on the passed-in iocb array:
-
- if (unlikely(nr < 0))
- return -EINVAL;
-
- if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
- return -EFAULT; ^^^^^^^^^^^^^^^^^^
-
-The attached patch checks for overflow, and if it is detected, the
-number of iocbs submitted is scaled down to a number that will fit in
-the long. This is an ok thing to do, as sys_io_submit is documented as
-returning the number of iocbs submitted, so callers should handle a
-return value of less than the 'nr' argument passed in.
-
-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- fs/aio.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 02a2c93..b84a769 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1639,6 +1639,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
- if (unlikely(nr < 0))
- return -EINVAL;
-
-+ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
-+ nr = LONG_MAX/sizeof(*iocbpp);
-+
- if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
- return -EFAULT;
-
---
-1.7.2.3
-
diff --git a/freed-ora/current/f12/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch b/freed-ora/current/f12/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
deleted file mode 100644
index 73e65ecda..000000000
--- a/freed-ora/current/f12/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Takashi Iwai <tiwai@suse.de>
-Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
-Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
-
-ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
-
-The error handling in snd_seq_oss_open() has several bad codes that
-do dereferecing released pointers and double-free of kmalloc'ed data.
-The object dp is release in free_devinfo() that is called via
-private_free callback. The rest shouldn't touch this object any more.
-
-The patch changes delete_port() to call kfree() in any case, and gets
-rid of unnecessary calls of destructors in snd_seq_oss_open().
-
-Fixes CVE-2010-3080.
-
-Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Cc: <stable@kernel.org>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
-
-diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
-index 6857122..69cd7b3 100644
---- a/sound/core/seq/oss/seq_oss_init.c
-+++ b/sound/core/seq/oss/seq_oss_init.c
-@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
- return 0;
-
- _error:
-- snd_seq_oss_writeq_delete(dp->writeq);
-- snd_seq_oss_readq_delete(dp->readq);
- snd_seq_oss_synth_cleanup(dp);
- snd_seq_oss_midi_cleanup(dp);
-- delete_port(dp);
- delete_seq_queue(dp->queue);
-- kfree(dp);
-+ delete_port(dp);
-
- return rc;
- }
-@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
- static int
- delete_port(struct seq_oss_devinfo *dp)
- {
-- if (dp->port < 0)
-+ if (dp->port < 0) {
-+ kfree(dp);
- return 0;
-+ }
-
- debug_printk(("delete_port %i\n", dp->port));
- return snd_seq_event_port_detach(dp->cseq, dp->port);
diff --git a/freed-ora/current/f12/drm-upgrayedd.patch b/freed-ora/current/f12/drm-upgrayedd.patch
index f5323240f..04aee5426 100644
--- a/freed-ora/current/f12/drm-upgrayedd.patch
+++ b/freed-ora/current/f12/drm-upgrayedd.patch @@ -10291,7 +10291,7 @@ index 601415d..b27202d 100644 + dev_priv->pipe_to_crtc_mapping[intel_crtc->pipe] = &intel_crtc->base; + intel_crtc->cursor_addr = 0; - intel_crtc->dpms_mode = DRM_MODE_DPMS_OFF; + intel_crtc->dpms_mode = -1; drm_crtc_helper_add(&intel_crtc->base, &intel_helper_funcs); @@ -4036,7 +4382,7 @@ static void intel_setup_outputs(struct drm_device *dev) if (IS_MOBILE(dev) && !IS_I830(dev)) diff --git a/freed-ora/current/f12/hid-01-usbhid-initialize-interface-pointers-early-enough.patch b/freed-ora/current/f12/hid-01-usbhid-initialize-interface-pointers-early-enough.patch deleted file mode 100644 index d522b3f69..000000000 --- a/freed-ora/current/f12/hid-01-usbhid-initialize-interface-pointers-early-enough.patch +++ /dev/null @@ -1,40 +0,0 @@ -commit 57ab12e418ec4fe24c11788bb1bbdabb29d05679 -Author: Jiri Kosina <jkosina at suse.cz> -Date: Wed Feb 17 14:25:01 2010 +0100 - - HID: usbhid: initialize interface pointers early enough - - Move the initialization of USB interface pointers from _start() - over to _probe() callback, which is where it belongs. - - This fixes case where interface is NULL when parsing of report - descriptor fails. - - LKML-Reference: <20100213135720.603e5f64 at neptune.home> - Reported-by: Alan Stern <stern at rowland.harvard.edu> - Tested-by: Bruno Prémont <bonbons at linux-vserver.org> - 
Signed-off-by: Jiri Kosina <jkosina at suse.cz> - -diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c -index 74bd3ca..ceaf4a1 100644 ---- a/drivers/hid/usbhid/hid-core.c -+++ b/drivers/hid/usbhid/hid-core.c -@@ -1005,9 +1005,6 @@ static int usbhid_start(struct hid_device *hid) - - spin_lock_init(&usbhid->lock); - -- usbhid->intf = intf; -- usbhid->ifnum = interface->desc.bInterfaceNumber; -- - usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL); - if (!usbhid->urbctrl) { - ret = -ENOMEM; -@@ -1178,6 +1175,8 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id * - - hid->driver_data = usbhid; - usbhid->hid = hid; -+ usbhid->intf = intf; -+ usbhid->ifnum = interface->desc.bInterfaceNumber; - - ret = hid_add_device(hid); - if (ret) { diff --git a/freed-ora/current/f12/hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch b/freed-ora/current/f12/hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch deleted file mode 100644 index bbd388030..000000000 --- a/freed-ora/current/f12/hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch +++ /dev/null @@ -1,53 +0,0 @@ -commit fde4e2f73208b8f34f123791e39c0cb6bc74b32a -Author: Alan Stern <stern at rowland.harvard.edu> -Date: Fri May 7 10:41:10 2010 -0400 - - HID: fix suspend crash by moving initializations earlier - - Although the usbhid driver allocates its usbhid structure in the probe - routine, several critical fields in that structure don't get - initialized until usbhid_start(). However if report descriptor - parsing fails then usbhid_start() is never called. This leads to - problems during system suspend -- the system will freeze. - - This patch (as1378) fixes the bug by moving the initialization - statements up into usbhid_probe(). - - Signed-off-by: Alan Stern <stern at rowland.harvard.edu> - Reported-by: Bruno Prémont <bonbons at linux-vserver.org> - Tested-By: Bruno Prémont <bonbons at linux-vserver.org> - 
Signed-off-by: Jiri Kosina <jkosina at suse.cz> - -diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c -index 56d06cd..7b85b69 100644 ---- a/drivers/hid/usbhid/hid-core.c -+++ b/drivers/hid/usbhid/hid-core.c -@@ -999,13 +999,6 @@ static int usbhid_start(struct hid_device *hid) - } - } - -- init_waitqueue_head(&usbhid->wait); -- INIT_WORK(&usbhid->reset_work, hid_reset); -- INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues); -- setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid); -- -- spin_lock_init(&usbhid->lock); -- - usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL); - if (!usbhid->urbctrl) { - ret = -ENOMEM; -@@ -1179,6 +1172,12 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id * - usbhid->intf = intf; - usbhid->ifnum = interface->desc.bInterfaceNumber; - -+ init_waitqueue_head(&usbhid->wait); -+ INIT_WORK(&usbhid->reset_work, hid_reset); -+ INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues); -+ setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid); -+ spin_lock_init(&usbhid->lock); -+ - ret = hid_add_device(hid); - if (ret) { - if (ret != -ENODEV) - - diff --git a/freed-ora/current/f12/inotify-fix-inotify-oneshot-support.patch b/freed-ora/current/f12/inotify-fix-inotify-oneshot-support.patch deleted file mode 100644 index ba63e1090..000000000 --- a/freed-ora/current/f12/inotify-fix-inotify-oneshot-support.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-#607327
-
-During the large inotify rewrite to fsnotify I completely dropped support
-for IN_ONESHOT. Reimplement that support.
-
-Signed-off-by: Eric Paris <eparis@redhat.com>
----
-
- fs/notify/inotify/inotify_fsnotify.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
-index daa666a..388a150 100644
---- a/fs/notify/inotify/inotify_fsnotify.c
-+++ b/fs/notify/inotify/inotify_fsnotify.c
-@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
- ret = 0;
- }
-
-+ if (entry->mask & IN_ONESHOT)
-+ fsnotify_destroy_mark_by_entry(entry);
-+
- /*
- * If we hold the entry until after the event is on the queue
- * IN_IGNORED won't be able to pass this event in the queue
diff --git a/freed-ora/current/f12/inotify-send-IN_UNMOUNT-events.patch b/freed-ora/current/f12/inotify-send-IN_UNMOUNT-events.patch
deleted file mode 100644
index cf1d4c4bf..000000000
--- a/freed-ora/current/f12/inotify-send-IN_UNMOUNT-events.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-#607327 ?
-
-Since the .31 or so notify rewrite inotify has not sent events about
-inodes which are unmounted. This patch restores those events.
-
-Signed-off-by: Eric Paris <eparis@redhat.com>
----
-
- fs/notify/inotify/inotify_user.c | 7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
-index 44aeb0f..f381daf 100644
---- a/fs/notify/inotify/inotify_user.c
-+++ b/fs/notify/inotify/inotify_user.c
-@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
- {
- __u32 mask;
-
-- /* everything should accept their own ignored and cares about children */
-- mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
-+ /*
-+ * everything should accept their own ignored, cares about children,
-+ * and should receive events when the inode is unmounted
-+ */
-+ mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
-
- /* mask off the flags used to open the fd */
- mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));
diff --git a/freed-ora/current/f12/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch b/freed-ora/current/f12/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
deleted file mode 100644
index a36f8afe3..000000000
--- a/freed-ora/current/f12/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+++ /dev/null
@@ -1,35 +0,0 @@ -From: David S. Miller <davem@davemloft.net> -Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700) -Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure. -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257 - -irda: Correctly clean up self->ias_obj on irda_bind() failure. - -If irda_open_tsap() fails, the irda_bind() code tries to destroy -the ->ias_obj object by hand, but does so wrongly. - -In particular, it fails to a) release the hashbin attached to the -object and b) reset the self->ias_obj pointer to NULL. - -Fix both problems by using irias_delete_object() and explicitly -setting self->ias_obj to NULL, just as irda_release() does. - -Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - -diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c -index 79986a6..fd55b51 100644 ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - - err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name); - if (err < 0) { -- kfree(self->ias_obj->name); -- kfree(self->ias_obj); -+ irias_delete_object(self->ias_obj); -+ self->ias_obj = NULL; - return err; - } - diff --git a/freed-ora/current/f12/kernel.spec b/freed-ora/current/f12/kernel.spec index cd8d3a827..549362b7b 100644 --- a/freed-ora/current/f12/kernel.spec +++ b/freed-ora/current/f12/kernel.spec @@ -47,7 +47,7 @@ Summary: The Linux kernel # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec). # scripts/rebase.sh should be made to do that for you, actually. # -%global baserelease 168 +%global baserelease 170 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching 
@@ -73,7 +73,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 21 +%define stable_update 23 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -663,11 +663,6 @@ Patch21: linux-2.6-tracehook.patch Patch22: linux-2.6-utrace.patch Patch23: linux-2.6-utrace-ptrace.patch -Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch -Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch -Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch -Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch - Patch141: linux-2.6-ps3-storage-alias.patch Patch143: linux-2.6-g5-therm-shutdown.patch Patch144: linux-2.6-vio-modalias.patch @@ -857,19 +852,11 @@ Patch12923: mac80211-explicitly-disable-enable-QoS.patch # l2tp: fix oops in pppol2tp_xmit (#607054) Patch13030: l2tp-fix-oops-in-pppol2tp_xmit.patch -Patch14020: inotify-fix-inotify-oneshot-support.patch -Patch14030: inotify-send-IN_UNMOUNT-events.patch - Patch14050: crypto-add-async-hash-testing.patch # Red Hat Bugzilla #610911 Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch -Patch14140: hid-01-usbhid-initialize-interface-pointers-early-enough.patch -Patch14141: hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch - -Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch - Patch14200: net-do-not-check-capable-if-kernel.patch # Mitigate DOS with large argument lists 
@@ -877,13 +864,7 @@ Patch14210: execve-improve-interactivity-with-large-arguments.patch Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch -# CVE-2010-3080 -Patch14220: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch -# CVE-2010-2960 -Patch14230: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch -Patch14231: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch -# CVE-2010-3079 -Patch14240: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch +Patch14220: xen-fix-typo-in-xen-irq-fix.patch # ============================================================================== %endif @@ -1354,11 +1335,6 @@ ApplyPatch linux-2.6-utrace-ptrace.patch ApplyPatch via-hwmon-temp-sensor.patch ApplyPatch linux-2.6-dell-laptop-rfkill-fix.patch -ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch -ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch -ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch - - # # Intel IOMMU # @@ -1392,7 +1368,6 @@ ApplyPatch linux-2.6-execshield.patch # # bugfixes to drivers and filesystems # -ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch # ext4 
@@ -1614,22 +1589,11 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch # l2tp: fix oops in pppol2tp_xmit (#607054) ApplyPatch l2tp-fix-oops-in-pppol2tp_xmit.patch -# fix broken oneshot support and missing umount events (F13#607327) -ApplyPatch inotify-fix-inotify-oneshot-support.patch -ApplyPatch inotify-send-IN_UNMOUNT-events.patch - # add tests for crypto async hashing (#571577) ApplyPatch crypto-add-async-hash-testing.patch ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch -# RHBZ #592785 -ApplyPatch hid-01-usbhid-initialize-interface-pointers-early-enough.patch -ApplyPatch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch - -# CVE-2010-2954 -ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch - # rhbz #598796 ApplyPatch net-do-not-check-capable-if-kernel.patch @@ -1638,13 +1602,8 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch -# CVE-2010-3080 -ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch -# CVE-2010-2960 -ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch -ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch -# CVE-2010-3079 -ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch +# Fix typo in Xen patch from 2.6.22 that causes hang on boot. +ApplyPatch xen-fix-typo-in-xen-irq-fix.patch # END OF PATCH APPLICATIONS ==================================================== %endif 
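Review bot: The comment added above `ApplyPatch xen-fix-typo-in-xen-irq-fix.patch` in the last hunk on this line (`@@ -1638,13 +1602,8 @@`) dates the broken Xen patch to 2.6.22, while the changelog entry added by the same commit says "Fix typo in Xen patch from 2.6.32.22". The comment appears to have lost part of the version and should read `# Fix typo in Xen patch from 2.6.32.22 that causes hang on boot.` The matching `Patch14220: xen-fix-typo-in-xen-irq-fix.patch` declaration in the earlier hunk (`@@ -877,13 +864,7 @@`) has no comment and reuses the number that carried the CVE-2010-3080 ALSA fix, so the same one-line comment above it would prevent confusion when reading older changelog entries. With the `# CVE-…` comments removed together with the patches, the changelog is the only record left in the spec that those fixes now come from the stable update, so each dropped CVE patch is worth checking against the 2.6.32.22 and 2.6.32.23 stable changelogs.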
@@ -2298,6 +2257,31 @@ fi %kernel_variant_files -k vmlinux %{with_kdump} kdump %changelog +* Mon Sep 27 2010 Alexandre Oliva <lxoliva@fsfla.org> -libre +- Adjusted patch-libre-2.6.32.23. + +* Mon Sep 27 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.23-170 +- Linux 2.6.32.23 +- Drop merged patches: + aio-check-for-multiplication-overflow-in-do_io_submit.patch + inotify-fix-inotify-oneshot-support.patch + inotify-send-IN_UNMOUNT-events.patch + irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch + keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch + keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch +- Fix typo in Xen patch from 2.6.32.22. + +* Mon Sep 20 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.22-169 +- Linux 2.6.32.22 +- Drop merged patches: + 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch + 02-compat-test-rax-for-the-system-call-number-not-eax.patch + 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch + hid-01-usbhid-initialize-interface-pointers-early-enough.patch + hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch + alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch + tracing-do-not-allow-llseek-to-set_ftrace_filter.patch + * Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.21-168 - Fix three CVEs: CVE-2010-3080: /dev/sequencer open failure is not handled correctly diff --git a/freed-ora/current/f12/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch b/freed-ora/current/f12/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch deleted file mode 100644 index fb6251945..000000000 --- a/freed-ora/current/f12/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
-Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
-
-KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
-
-Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
-of the parent process's session keyring whether or not the parent has a session
-keyring [CVE-2010-2960].
-
-This results in the following oops:
-
- BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
- IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
- ...
- Call Trace:
- [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
- [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
- [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
- [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
-
-if the parent process has no session keyring.
-
-If the system is using pam_keyinit then it mostly protected against this as all
-processes derived from a login will have inherited the session keyring created
-by pam_keyinit during the log in procedure.
-
-To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
-
-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
-
-[ 2.6.32 backport ]
-
-diff a/security/keys/keyctl.c b/security/keys/keyctl.c
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1291,7 +1291,8 @@ long keyctl_session_to_parent(void)
- goto not_permitted;
-
- /* the keyrings must have the same UID */
-- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
-+ if ((pcred->tgcred->session_keyring &&
-+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
- mycred->tgcred->session_keyring->uid != mycred->euid)
- goto not_permitted;
-
-
diff --git a/freed-ora/current/f12/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch b/freed-ora/current/f12/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
deleted file mode 100644
index 5318f7e2f..000000000
--- a/freed-ora/current/f12/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
-Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
-
-KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
-
-There's an protected access to the parent process's credentials in the middle
-of keyctl_session_to_parent(). This results in the following RCU warning:
-
- ===================================================
- [ INFO: suspicious rcu_dereference_check() usage. ]
- ---------------------------------------------------
- security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
-
- other info that might help us debug this:
-
- rcu_scheduler_active = 1, debug_locks = 0
- 1 lock held by keyctl-session-/2137:
- #0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
-
- stack backtrace:
- Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
- Call Trace:
- [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
- [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
- [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
- [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
-
-The code should take the RCU read lock to make sure the parents credentials
-don't go away, even though it's holding a spinlock and has IRQ disabled.
- -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> ---- - -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index b2b0998..3868c67 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void) - keyring_r = NULL; - - me = current; -+ rcu_read_lock(); - write_lock_irq(&tasklist_lock); - - parent = me->real_parent; -@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void) - set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME); - - write_unlock_irq(&tasklist_lock); -+ rcu_read_unlock(); - if (oldcred) - put_cred(oldcred); - return 0; -@@ -1327,6 +1329,7 @@ already_same: - ret = 0; - not_permitted: - write_unlock_irq(&tasklist_lock); -+ rcu_read_unlock(); - put_cred(cred); - return ret; - diff --git a/freed-ora/current/f12/patch-libre-2.6.32.21.bz2.sign b/freed-ora/current/f12/patch-libre-2.6.32.21.bz2.sign deleted file mode 100644 index 4db2fa6eb..000000000 --- a/freed-ora/current/f12/patch-libre-2.6.32.21.bz2.sign +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.14 (GNU/Linux) - -iEYEABECAAYFAkx3UScACgkQvLfPh359R6ensgCglpbWshQd8F/O3SvTNkKfmqlp -itcAoIXOlE5WArYl8QQFvbXVJbVM0Ilf -=iSxS ------END PGP SIGNATURE----- diff --git a/freed-ora/current/f12/patch-libre-2.6.32.21.xdelta b/freed-ora/current/f12/patch-libre-2.6.32.21.xdelta Binary files differdeleted file mode 100644 index 49399e6b9..000000000 --- a/freed-ora/current/f12/patch-libre-2.6.32.21.xdelta +++ /dev/null diff --git a/freed-ora/current/f12/patch-libre-2.6.32.21.xdelta.sign b/freed-ora/current/f12/patch-libre-2.6.32.21.xdelta.sign deleted file mode 100644 index d10e334d5..000000000 --- a/freed-ora/current/f12/patch-libre-2.6.32.21.xdelta.sign +++ /dev/null 
@@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.14 (GNU/Linux) - -iEYEABECAAYFAkx3USQACgkQvLfPh359R6eA0ACgjlS8Af/2NRTv9xnU3v2qZ2Q7 -F1oAoKKaioBFh6iyA+yFGwGmEx6SzhG2 -=VMbw ------END PGP SIGNATURE----- diff --git a/freed-ora/current/f12/patch-libre-2.6.32.23.bz2.sign b/freed-ora/current/f12/patch-libre-2.6.32.23.bz2.sign new file mode 100644 index 000000000..fcf461781 --- /dev/null +++ b/freed-ora/current/f12/patch-libre-2.6.32.23.bz2.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.14 (GNU/Linux) + +iEYEABECAAYFAkyiA9YACgkQvLfPh359R6cLqgCglEdTfsay0wrwwiaeqqBSho2D +EwkAn1E69tfhIS3VkEx5s7wmKYmODKWe +=Emx7 +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f12/patch-libre-2.6.32.23.xdelta b/freed-ora/current/f12/patch-libre-2.6.32.23.xdelta Binary files differnew file mode 100644 index 000000000..468bbace7 --- /dev/null +++ b/freed-ora/current/f12/patch-libre-2.6.32.23.xdelta diff --git a/freed-ora/current/f12/patch-libre-2.6.32.23.xdelta.sign b/freed-ora/current/f12/patch-libre-2.6.32.23.xdelta.sign new file mode 100644 index 000000000..db2beb80a --- /dev/null +++ b/freed-ora/current/f12/patch-libre-2.6.32.23.xdelta.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.14 (GNU/Linux) + +iEYEABECAAYFAkyiA9QACgkQvLfPh359R6f66gCeLV2un8iyv8QY3N3dOMB/xqAQ +iikAn0e//c09FIjEhNn7BUn0Na+X09mY +=wJEz +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f12/sources b/freed-ora/current/f12/sources index 030c6dd08..d588e92e7 100644 --- a/freed-ora/current/f12/sources +++ b/freed-ora/current/f12/sources @@ -1,2 +1,2 @@ 82f8fc14bf087bbb15ae5723533c56ee linux-2.6.32-libre1.tar.bz2 -7662d912527bdd2ff886072f988a1ad4 patch-libre-2.6.32.21.bz2 +572322cc32355212ead675f1f67fd311 patch-libre-2.6.32.23.bz2 
diff --git a/freed-ora/current/f12/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch b/freed-ora/current/f12/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
deleted file mode 100644
index 4bbae7110..000000000
--- a/freed-ora/current/f12/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From: Steven Rostedt <srostedt@redhat.com>
-Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400)
-Subject: tracing: Do not allow llseek to set_ftrace_filter
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
-
-tracing: Do not allow llseek to set_ftrace_filter
-
-Reading the file set_ftrace_filter does three things.
-
-1) shows whether or not filters are set for the function tracer
-2) shows what functions are set for the function tracer
-3) shows what triggers are set on any functions
-
-3 is independent from 1 and 2.
-
-The way this file currently works is that it is a state machine,
-and as you read it, it may change state. But this assumption breaks
-when you use lseek() on the file. The state machine gets out of sync
-and the t_show() may use the wrong pointer and cause a kernel oops.
-
-Luckily, this will only kill the app that does the lseek, but the app
-dies while holding a mutex. This prevents anyone else from using the
-set_ftrace_filter file (or any other function tracing file for that matter).
-
-A real fix for this is to rewrite the code, but that is too much for
-a -rc release or stable. This patch simply disables llseek on the
-set_ftrace_filter() file for now, and we can do the proper fix for the
-next major release.
-
-Reported-by: Robert Swiecki <swiecki@google.com>
-Cc: Chris Wright <chrisw@sous-sol.org>
-Cc: Tavis Ormandy <taviso@google.com>
-Cc: Eugene Teo <eugene@redhat.com>
-Cc: vendor-sec@lst.de
-Cc: <stable@kernel.org>
-Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
----
-
-diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 7cb1f45..83a16e9 100644
---- a/kernel/trace/ftrace.c
-+++ b/kernel/trace/ftrace.c
-@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = {
- .open = ftrace_filter_open,
- .read = seq_read,
- .write = ftrace_filter_write,
-- .llseek = ftrace_regex_lseek,
-+ .llseek = no_llseek,
- .release = ftrace_filter_release,
- };
-
diff --git a/freed-ora/current/f12/xen-fix-typo-in-xen-irq-fix.patch b/freed-ora/current/f12/xen-fix-typo-in-xen-irq-fix.patch
new file mode 100644
index 000000000..3a9fb62b7
--- /dev/null
+++ b/freed-ora/current/f12/xen-fix-typo-in-xen-irq-fix.patch
@@ -0,0 +1,13 @@
+Fix typo in Xen patch from 2.6.35.5
+
+--- linux-2.6.35.noarch.orig/drivers/xen/events.c
++++ linux-2.6.35.noarch/drivers/xen/events.c
+@@ -935,7 +935,7 @@ static struct irq_chip xen_dynamic_chip
+ .retrigger = retrigger_dynirq,
+ };
+
+-static struct irq_chip en_percpu_chip __read_mostly = {
++static struct irq_chip xen_percpu_chip __read_mostly = {
+ .name = "xen-percpu",
+
+ .disable = disable_dynirq, |
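Review bot: The new xen-fix-typo-in-xen-irq-fix.patch has no `From:`, `Signed-off-by:` or upstream commit reference, only a one-line description. The patches deleted elsewhere in this commit each record an author, a date and an `X-Git-Url:`. Its paths also name `linux-2.6.35.noarch`, which suggests it was carried over from another branch, so the file alone does not show where the `en_percpu_chip` to `xen_percpu_chip` rename was reviewed. A short header such as `From: <author>`, `Subject: xen: fix typo in xen_percpu_chip declaration` and a pointer to the stable commit being corrected would make the change traceable. The `xen_percpu_chip` initializer continues past the end of the embedded hunk.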