diff --git a/aacraid-prevent-invalid-pointer-dereference.patch b/aacraid-prevent-invalid-pointer-dereference.patch
deleted file mode 100644
index f5517ab..0000000
--- a/aacraid-prevent-invalid-pointer-dereference.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Bugzilla: 1033593
-Upstream-status: 3.13
-
-From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
-From: Mahesh Rajashekhara
-Date: Thu, 31 Oct 2013 14:01:02 +0530
-Subject: [PATCH] aacraid: prevent invalid pointer dereference
-
-It appears that driver runs into a problem here if fibsize is too small
-because we allocate user_srbcmd with fibsize size only but later we
-access it until user_srbcmd->sg.count to copy it over to srbcmd.
-
-It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
-structure already includes one sg element and this is not needed for
-commands without data. So, we would recommend to add the following
-(instead of test for fibsize == 0).
-
-Signed-off-by: Mahesh Rajashekhara
-Reported-by: Nico Golde
-Reported-by: Fabian Yamaguchi
-Signed-off-by: Linus Torvalds
----
- drivers/scsi/aacraid/commctrl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index d85ac1a..fbcd48d 100644
---- a/drivers/scsi/aacraid/commctrl.c
-+++ b/drivers/scsi/aacraid/commctrl.c
-@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
- goto cleanup;
- }
-
-- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
-+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
-+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
- rcode = -EINVAL;
- goto cleanup;
- }
---
-1.8.3.1
-
diff --git a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
deleted file mode 100644
index c8d0154..0000000
--- a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Stephan Mueller reported to me recently a error in random number generation in
-the ansi cprng. If several small requests are made that are less than the
-instances block size, the remainder for loop code doesn't increment
-rand_data_valid in the last iteration, meaning that the last bytes in the
-rand_data buffer gets reused on the subsequent smaller-than-a-block request for
-random data.
-
-The fix is pretty easy, just re-code the for loop to make sure that
-rand_data_valid gets incremented appropriately
-
-Signed-off-by: Neil Horman
-Reported-by: Stephan Mueller
-CC: Stephan Mueller
-CC: Petr Matousek
-CC: Herbert Xu
-CC: "David S. Miller"
----
- crypto/ansi_cprng.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
-index c0bb377..666f196 100644
---- a/crypto/ansi_cprng.c
-+++ b/crypto/ansi_cprng.c
-@@ -230,11 +230,11 @@ remainder:
- */
- if (byte_count < DEFAULT_BLK_SZ) {
- empty_rbuf:
-- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
-- ctx->rand_data_valid++) {
-+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
- *ptr = ctx->rand_data[ctx->rand_data_valid];
- ptr++;
- byte_count--;
-+ ctx->rand_data_valid++;
- if (byte_count == 0)
- goto done;
- }
---
-1.8.3.1
diff --git a/btrfs-relocate-csums-properly-with-prealloc-ext.patch b/btrfs-relocate-csums-properly-with-prealloc-ext.patch
deleted file mode 100644
index e103f70..0000000
--- a/btrfs-relocate-csums-properly-with-prealloc-ext.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-A user reported a problem where they were getting csum errors when running a
-balance and running systemd's journal. This is because systemd is awesome and
-fallocate()'s its log space and writes into it. Unfortunately we assume that
-when we read in all the csums for an extent that they are sequential starting at
-the bytenr we care about. This obviously isn't the case for prealloc extents,
-where we could have written to the middle of the prealloc extent only, which
-means the csum would be for the bytenr in the middle of our range and not the
-front of our range. Fix this by offsetting the new bytenr we are logging to
-based on the original bytenr the csum was for. With this patch I no longer see
-the csum errors I was seeing. Thanks,
-
-Cc: stable@xxxxxxxxxxxxxxx
-Reported-by: Chris Murphy
-Signed-off-by: Josef Bacik
----
- fs/btrfs/relocation.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
-index 5ca7ea9..b7afeaa 100644
---- a/fs/btrfs/relocation.c
-+++ b/fs/btrfs/relocation.c
-@@ -4472,6 +4472,7 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
- struct btrfs_root *root = BTRFS_I(inode)->root;
- int ret;
- u64 disk_bytenr;
-+ u64 new_bytenr;
- LIST_HEAD(list);
-
- ordered = btrfs_lookup_ordered_extent(inode, file_pos);
-@@ -4483,13 +4484,24 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
- if (ret)
- goto out;
-
-- disk_bytenr = ordered->start;
- while (!list_empty(&list)) {
- sums = list_entry(list.next, struct btrfs_ordered_sum, list);
- list_del_init(&sums->list);
-
-- sums->bytenr = disk_bytenr;
-- disk_bytenr += sums->len;
-+ /*
-+ * We need to offset the new_bytenr based on where the csum is.
-+ * We need to do this because we will read in entire prealloc
-+ * extents but we may have written to say the middle of the
-+ * prealloc extent, so we need to make sure the csum goes with
-+ * the right disk offset.
-+ *
-+ * We can do this because the data reloc inode refers strictly
-+ * to the on disk bytes, so we don't have to worry about
-+ * disk_len vs real len like with real inodes since it's all
-+ * disk length.
-+ */
-+ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr);
-+ sums->bytenr = new_bytenr;
-
- btrfs_add_ordered_sum(inode, ordered, sums);
- }
---
-1.8.3.1
diff --git a/kernel.spec b/kernel.spec
index 8428571..f6755f7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly
@@ -733,9 +733,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4345 rhbz 1007690 1009136 -Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch - #rhbz 971893 Patch25106: bonding-driver-alb-learning.patch
@@ -772,9 +769,6 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch Patch25130: fix-radeon-sound.patch Patch25149: drm-radeon-24hz-audio-fixes.patch -#rhbz 1011714 -Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch - #rhbz 984696 Patch25132: rt2800usb-slow-down-TX-status-polling.patch
@@ -813,12 +807,6 @@ Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch -#CVE-2013-6378 rhbz 1033578 1034183 -Patch25155: libertas-potential-oops-in-debugfs.patch - -#CVE-2013-6380 rhbz 1033593 1034304 -Patch25156: aacraid-prevent-invalid-pointer-dereference.patch - #CVE-2013-6382 rhbz 1033603 1034670 Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
@@ -1498,9 +1486,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4345 rhbz 1007690 1009136 -ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch - #rhbz 985522 ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch
@@ -1537,9 +1522,6 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch ApplyPatch fix-radeon-sound.patch ApplyPatch drm-radeon-24hz-audio-fixes.patch -#rhbz 1011714 -ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch - #rhbz 984696 ApplyPatch rt2800usb-slow-down-TX-status-polling.patch
@@ -1578,12 +1560,6 @@ ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch -#CVE-2013-6378 rhbz 1033578 1034183 -ApplyPatch libertas-potential-oops-in-debugfs.patch - -#CVE-2013-6380 rhbz 1033593 1034304 -ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch - #CVE-2013-6382 rhbz 1033603 1034670 ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
@@ -2434,7 +2410,8 @@ fi # ||----w | # || || %changelog -* Fri Nov 29 2013 Josh Boyer +* Fri Nov 29 2013 Josh Boyer - 3.11.10-100 +- Linux v3.11.10 - Fix memory leak in qxl (from Dave Airlie) * Tue Nov 26 2013 Josh Boyer
diff --git a/libertas-potential-oops-in-debugfs.patch b/libertas-potential-oops-in-debugfs.patch
deleted file mode 100644
index 02e72d8..0000000
--- a/libertas-potential-oops-in-debugfs.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Bugzilla: 1034183
-Upstream-status: 3.13
-
-From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
-From: Dan Carpenter
-Date: Wed, 30 Oct 2013 20:12:51 +0300
-Subject: [PATCH] libertas: potential oops in debugfs
-
-If we do a zero size allocation then it will oops. Also we can't be
-sure the user passes us a NUL terminated string so I've added a
-terminator.
-
-This code can only be triggered by root.
-
-Reported-by: Nico Golde
-Reported-by: Fabian Yamaguchi
-Signed-off-by: Dan Carpenter
-Acked-by: Dan Williams
-Signed-off-by: John W. Linville
----
- drivers/net/wireless/libertas/debugfs.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
-index 668dd27..cc6a0a5 100644
---- a/drivers/net/wireless/libertas/debugfs.c
-+++ b/drivers/net/wireless/libertas/debugfs.c
-@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
- char *p2;
- struct debug_data *d = f->private_data;
-
-- pdata = kmalloc(cnt, GFP_KERNEL);
-+ if (cnt == 0)
-+ return 0;
-+
-+ pdata = kmalloc(cnt + 1, GFP_KERNEL);
- if (pdata == NULL)
- return 0;
-
-@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
- kfree(pdata);
- return 0;
- }
-+ pdata[cnt] = '\0';
-
- p0 = pdata;
- for (i = 0; i < num_of_items; i++) {
---
-1.8.3.1
-
diff --git a/sources b/sources
index 391b9ff..c634d10 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz
-6cea7db9419cefdf4c3a4bcc89bf904b patch-3.11.9.xz
+c918da07cf5ad4240945ae56c4de3bc0 patch-3.11.10.xz