diff --git a/TTY-do-not-reset-master-s-packet-mode.patch b/TTY-do-not-reset-master-s-packet-mode.patch deleted file mode 100644 index 633bfcf..0000000 --- a/TTY-do-not-reset-master-s-packet-mode.patch +++ /dev/null @@ -1,63 +0,0 @@ -From b81273a132177edd806476b953f6afeb17b786d5 Mon Sep 17 00:00:00 2001 -From: Jiri Slaby -Date: Tue, 15 Jan 2013 23:26:22 +0100 -Subject: [PATCH] TTY: do not reset master's packet mode - -Now that login from util-linux is forced to drop all references to a -TTY which it wants to hangup (to reach reference count 1) we are -seeing issues with telnet. When login closes its last reference to the -slave PTY, it also resets packet mode on the *master* side. And we -have a race here. - -What telnet does is fork+exec of `login'. Then there are two -scenarios: -* `login' closes the slave TTY and resets thus master's packet mode, - but even now telnet properly sets the mode, or -* `telnetd' sets packet mode on the master, `login' closes the slave - TTY and resets master's packet mode. - -The former case is OK. However the latter happens in much more cases, -by the order of magnitude to be precise. So when one tries to login to -such a messed telnet setup, they see the following: -inux login: - ogin incorrect - -Note the missing first letters -- telnet thinks it is still in the -packet mode, so when it receives "linux login" from `login', it -considers "l" as the type of the packet and strips it. - -SuS does not mention how the implementation should behave. Both BSDs I -checked (Free and Net) do not reset the flag upon the last close. - -By this I am resurrecting an old bug, see References. We are hitting -it regularly now, i.e. with updated util-linux, ergo login. - -Here, I am changing a behavior introduced back in 2.1 times. It would -better have a long time testing before goes upstream. - -Signed-off-by: Jiri Slaby -Cc: Mauro Carvalho Chehab -Cc: Bryan Mason -References: https://lkml.org/lkml/2009/11/11/223 -References: https://bugzilla.redhat.com/show_bug.cgi?id=504703 -References: https://bugzilla.novell.com/show_bug.cgi?id=797042 -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/pty.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index 4ec11f3..40ff2bf 100644 ---- a/drivers/tty/pty.c -+++ b/drivers/tty/pty.c -@@ -47,7 +47,6 @@ static void pty_close(struct tty_struct *tty, struct file *filp) - /* Review - krefs on tty_link ?? */ - if (!tty->link) - return; -- tty->link->packet = 0; - set_bit(TTY_OTHER_CLOSED, &tty->link->flags); - wake_up_interruptible(&tty->link->read_wait); - wake_up_interruptible(&tty->link->write_wait); --- -1.8.1.2 - diff --git a/USB-cdc-wdm-fix-buffer-overflow.patch b/USB-cdc-wdm-fix-buffer-overflow.patch deleted file mode 100644 index 2b1ed42..0000000 --- a/USB-cdc-wdm-fix-buffer-overflow.patch +++ /dev/null @@ -1,88 +0,0 @@ -From c0f5ecee4e741667b2493c742b60b6218d40b3aa Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Tue, 12 Mar 2013 14:52:42 +0100 -Subject: [PATCH] USB: cdc-wdm: fix buffer overflow - -The buffer for responses must not overflow. -If this would happen, set a flag, drop the data and return -an error after user space has read all remaining data. - -Signed-off-by: Oliver Neukum -CC: stable@kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) - -diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c -index 5f0cb41..122d056 100644 ---- a/drivers/usb/class/cdc-wdm.c -+++ b/drivers/usb/class/cdc-wdm.c -@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids); - #define WDM_RESPONDING 7 - #define WDM_SUSPENDING 8 - #define WDM_RESETTING 9 -+#define WDM_OVERFLOW 10 - - #define WDM_MAX 16 - -@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *urb) - { - struct wdm_device *desc = urb->context; - int status = urb->status; -+ int length = urb->actual_length; - - spin_lock(&desc->iuspin); - clear_bit(WDM_RESPONDING, &desc->flags); -@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb) - } - - desc->rerr = status; -- desc->reslength = urb->actual_length; -- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); -- desc->length += desc->reslength; -+ if (length + desc->length > desc->wMaxCommand) { -+ /* The buffer would overflow */ -+ set_bit(WDM_OVERFLOW, &desc->flags); -+ } else { -+ /* we may already be in overflow */ -+ if (!test_bit(WDM_OVERFLOW, &desc->flags)) { -+ memmove(desc->ubuf + desc->length, desc->inbuf, length); -+ desc->length += length; -+ desc->reslength = length; -+ } -+ } - skip_error: - wake_up(&desc->wait); - -@@ -435,6 +445,11 @@ retry: - rv = -ENODEV; - goto err; - } -+ if (test_bit(WDM_OVERFLOW, &desc->flags)) { -+ clear_bit(WDM_OVERFLOW, &desc->flags); -+ rv = -ENOBUFS; -+ goto err; -+ } - i++; - if (file->f_flags & O_NONBLOCK) { - if (!test_bit(WDM_READ, &desc->flags)) { -@@ -478,6 +493,7 @@ retry: - spin_unlock_irq(&desc->iuspin); - goto retry; - } -+ - if (!desc->reslength) { /* zero length read */ - dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__); - clear_bit(WDM_READ, &desc->flags); -@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_interface *intf) - struct wdm_device *desc = wdm_find_device(intf); - int rv; - -+ clear_bit(WDM_OVERFLOW, &desc->flags); - clear_bit(WDM_RESETTING, &desc->flags); - rv = recover_from_urb_loss(desc); - mutex_unlock(&desc->wlock); --- -1.8.1.2 - diff --git a/drm-ilk-rc6-reverts.patch b/drm-ilk-rc6-reverts.patch deleted file mode 100644 index 211ffa8..0000000 --- a/drm-ilk-rc6-reverts.patch +++ /dev/null @@ -1,206 +0,0 @@ -From 52d7ecedac3f96fb562cb482c139015372728638 Mon Sep 17 00:00:00 2001 -From: Daniel Vetter -Date: Sat, 1 Dec 2012 21:03:22 +0100 -Subject: drm/i915: reorder setup sequence to have irqs for output setup - -From: Daniel Vetter - -commit 52d7ecedac3f96fb562cb482c139015372728638 upstream. - -Otherwise the new&shiny irq-driven gmbus and dp aux code won't work that -well. Noticed since the dp aux code doesn't have an automatic fallback -with a timeout (since the hw provides for that already). - -v2: Simple move drm_irq_install before intel_modeset_gem_init, as -suggested by Ben Widawsky. - -v3: Now that interrupts are enabled before all connectors are fully -set up, we might fall over serving a HPD interrupt while things are -still being set up. Instead of jumping through massive hoops and -complicating the code with a separate hpd irq enable step, simply -block out the hotplug work item from doing anything until things are -in place. - -v4: Actually, we can enable hotplug processing only after the fbdev is -fully set up, since we call down into the fbdev from the hotplug work -functions. So stick the hpd enabling right next to the poll helper -initialization. - -v5: We need to enable irqs before intel_modeset_init, since that -function sets up the outputs. - -v6: Fixup cleanup sequence, too. - -Reviewed-by: Imre Deak -Signed-off-by: Daniel Vetter -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/gpu/drm/i915/i915_dma.c | 23 ++++++++++++++--------- - drivers/gpu/drm/i915/i915_drv.h | 1 + - drivers/gpu/drm/i915/i915_irq.c | 4 ++++ - 3 files changed, 19 insertions(+), 9 deletions(-) - ---- a/drivers/gpu/drm/i915/i915_dma.c -+++ b/drivers/gpu/drm/i915/i915_dma.c -@@ -1297,19 +1297,21 @@ static int i915_load_modeset_init(struct - if (ret) - goto cleanup_vga_switcheroo; - -+ ret = drm_irq_install(dev); -+ if (ret) -+ goto cleanup_gem_stolen; -+ -+ /* Important: The output setup functions called by modeset_init need -+ * working irqs for e.g. gmbus and dp aux transfers. */ - intel_modeset_init(dev); - - ret = i915_gem_init(dev); - if (ret) -- goto cleanup_gem_stolen; -- -- intel_modeset_gem_init(dev); -+ goto cleanup_irq; - - INIT_WORK(&dev_priv->console_resume_work, intel_console_resume); - -- ret = drm_irq_install(dev); -- if (ret) -- goto cleanup_gem; -+ intel_modeset_gem_init(dev); - - /* Always safe in the mode setting case. */ - /* FIXME: do pre/post-mode set stuff in core KMS code */ -@@ -1317,7 +1319,10 @@ static int i915_load_modeset_init(struct - - ret = intel_fbdev_init(dev); - if (ret) -- goto cleanup_irq; -+ goto cleanup_gem; -+ -+ /* Only enable hotplug handling once the fbdev is fully set up. */ -+ dev_priv->enable_hotplug_processing = true; - - drm_kms_helper_poll_init(dev); - -@@ -1326,13 +1331,13 @@ static int i915_load_modeset_init(struct - - return 0; - --cleanup_irq: -- drm_irq_uninstall(dev); - cleanup_gem: - mutex_lock(&dev->struct_mutex); - i915_gem_cleanup_ringbuffer(dev); - mutex_unlock(&dev->struct_mutex); - i915_gem_cleanup_aliasing_ppgtt(dev); -+cleanup_irq: -+ drm_irq_uninstall(dev); - cleanup_gem_stolen: - i915_gem_cleanup_stolen(dev); - cleanup_vga_switcheroo: ---- a/drivers/gpu/drm/i915/i915_drv.h -+++ b/drivers/gpu/drm/i915/i915_drv.h -@@ -672,6 +672,7 @@ typedef struct drm_i915_private { - - u32 hotplug_supported_mask; - struct work_struct hotplug_work; -+ bool enable_hotplug_processing; - - int num_pipe; - int num_pch_pll; ---- a/drivers/gpu/drm/i915/i915_irq.c -+++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -287,6 +287,10 @@ static void i915_hotplug_work_func(struc - struct drm_mode_config *mode_config = &dev->mode_config; - struct intel_encoder *encoder; - -+ /* HPD irq before everything is fully set up. */ -+ if (!dev_priv->enable_hotplug_processing) -+ return; -+ - mutex_lock(&mode_config->mutex); - DRM_DEBUG_KMS("running encoder hotplug functions\n"); - -From 15239099d7a7a9ecdc1ccb5b187ae4cda5488ff9 Mon Sep 17 00:00:00 2001 -From: Daniel Vetter -Date: Tue, 5 Mar 2013 09:50:58 +0100 -Subject: drm/i915: enable irqs earlier when resuming - -From: Daniel Vetter - -commit 15239099d7a7a9ecdc1ccb5b187ae4cda5488ff9 upstream. - -We need it to restore the ilk rc6 context, since the gpu wait no -requires interrupts. But in general having interrupts around should -help in code sanity, since more and more stuff is interrupt driven. - -This regression has been introduced in - -commit 3e9605018ab3e333d51cc90fccfde2031886763b -Author: Chris Wilson -Date: Tue Nov 27 16:22:54 2012 +0000 - - drm/i915: Rearrange code to only have a single method for waiting upon the ring - -Like in the driver load code we need to make sure that hotplug -interrupts don't cause havoc with our modeset state, hence block them -with the existing infrastructure. Again we ignore races where we might -loose hotplug interrupts ... - -Note that the driver load part of the regression has already been -fixed in - -commit 52d7ecedac3f96fb562cb482c139015372728638 -Author: Daniel Vetter -Date: Sat Dec 1 21:03:22 2012 +0100 - - drm/i915: reorder setup sequence to have irqs for output setup - -v2: Add a note to the commit message about which patch fixed the -driver load part of the regression. Stable kernels need to backport -both patches. - -Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=54691 -Cc: Chris Wilson -Cc: Mika Kuoppala -Reported-and-Tested-by: Ilya Tumaykin -Reviewed-by: Chris wilson (v1) -Signed-off-by: Daniel Vetter -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/gpu/drm/i915/i915_drv.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/i915/i915_drv.c -+++ b/drivers/gpu/drm/i915/i915_drv.c -@@ -486,6 +486,7 @@ static int i915_drm_freeze(struct drm_de - intel_modeset_disable(dev); - - drm_irq_uninstall(dev); -+ dev_priv->enable_hotplug_processing = false; - } - - i915_save_state(dev); -@@ -562,9 +563,19 @@ static int __i915_drm_thaw(struct drm_de - error = i915_gem_init_hw(dev); - mutex_unlock(&dev->struct_mutex); - -+ /* We need working interrupts for modeset enabling ... */ -+ drm_irq_install(dev); -+ - intel_modeset_init_hw(dev); - intel_modeset_setup_hw_state(dev, false); -- drm_irq_install(dev); -+ -+ /* -+ * ... but also need to make sure that hotplug processing -+ * doesn't cause havoc. Like in the driver load code we don't -+ * bother with the tiny race here where we might loose hotplug -+ * notifications. -+ * */ -+ dev_priv->enable_hotplug_processing = true; - } - - intel_opregion_init(dev); diff --git a/fix-destroy_conntrack-GPF.patch b/fix-destroy_conntrack-GPF.patch deleted file mode 100644 index 35ffa58..0000000 --- a/fix-destroy_conntrack-GPF.patch +++ /dev/null @@ -1,92 +0,0 @@ -On Wed, 2013-03-06 at 10:59 -0500, Dave Jones wrote: -> I know 3.7.9 is EOL, but this code doesn't look like it's changed in current. -> (unless the cause/fix was in code unrelated to these paths) -> -> A user reported the following GPF.. -> -> general protection fault: 0000 [#1] SMP -> Modules linked in: ipheth fuse ebtable_nat xt_CHECKSUM bridge stp llc ip6t_REJECT iptable_mangle nf_conntrack(-) ebtable_filter ebtables snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc hp_wmi snd_timer coretemp iTCO_wdt tg3 snd sparse_keymap rfkill soundcore iTCO_vendor_support lpc_ich i7core_edac edac_core serio_raw microcode mfd_core vhost_net tun macvtap macvlan kvm_intel kvm binfmt_misc uinput nouveau mxm_wmi crc32c_intel video i2c_algo_bit drm_kms_helper ttm firewire_ohci firewire_core drm crc_itu_t i2c_core wmi [last unloaded: xt_conntrack] -> CPU 2 -> Pid: 25407, comm: qemu-kvm Not tainted 3.7.9-205.fc18.x86_64 #1 Hewlett-Packard HP Z400 Workstation/0B4Ch -> RIP: 0010:[] [] destroy_conntrack+0x35/0x120 [nf_conntrack] -> RSP: 0018:ffff880276913d78 EFLAGS: 00010206 -> RAX: 50626b6b7876376c RBX: ffff88026e530d68 RCX: ffff88028d158e00 -> RDX: ffff88026d0d5470 RSI: 0000000000000011 RDI: 0000000000000002 -> RBP: ffff880276913d88 R08: 0000000000000000 R09: ffff880295002900 -> R10: 0000000000000000 R11: 0000000000000003 R12: ffffffff81ca3b40 -> R13: ffffffff8151a8e0 R14: ffff880270875000 R15: 0000000000000002 -> FS: 00007ff3bce38a00(0000) GS:ffff88029fc40000(0000) knlGS:0000000000000000 -> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b -> CR2: 00007fd1430bd000 CR3: 000000027042b000 CR4: 00000000000027e0 -> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 -> Process qemu-kvm (pid: 25407, threadinfo ffff880276912000, task ffff88028c369720) -> Stack: -> ffff880156f59100 ffff880156f59100 ffff880276913d98 ffffffff815534f7 -> ffff880276913db8 ffffffff8151a74b ffff880270875000 ffff880156f59100 -> ffff880276913dd8 ffffffff8151a5a6 ffff880276913dd8 ffff88026d0d5470 -> Call Trace: -> [] nf_conntrack_destroy+0x17/0x20 -> [] skb_release_head_state+0x7b/0x100 -> [] __kfree_skb+0x16/0xa0 -> [] kfree_skb+0x36/0xa0 -> [] skb_queue_purge+0x20/0x40 -> [] __tun_detach+0x117/0x140 [tun] -> [] tun_chr_close+0x3c/0xd0 [tun] -> [] __fput+0xec/0x240 -> [] ____fput+0xe/0x10 -> [] task_work_run+0xa7/0xe0 -> [] do_notify_resume+0x71/0xb0 -> [] int_signal+0x12/0x17 -> Code: 00 00 04 48 89 e5 41 54 53 48 89 fb 4c 8b a7 e8 00 00 00 0f 85 de 00 00 00 0f b6 73 3e 0f b7 7b 2a e8 10 40 00 00 48 85 c0 74 0e <48> 8b 40 28 48 85 c0 74 05 48 89 df ff d0 48 c7 c7 08 6a 3a a0 -> RIP [] destroy_conntrack+0x35/0x120 [nf_conntrack] -> RSP -> -> -> -> /* To make sure we don't get any weird locking issues here: -> * destroy_conntrack() MUST NOT be called with a write lock -> * to nf_conntrack_lock!!! -HW */ -> rcu_read_lock(); -> l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); -> 1378: 0f b6 b3 86 00 00 00 movzbl 0x86(%rbx),%esi -> 137f: 0f b7 7b 72 movzwl 0x72(%rbx),%edi -> 1383: e8 00 00 00 00 callq 1388 -> if (l4proto && l4proto->destroy) -> 1388: 48 85 c0 test %rax,%rax -> 138b: 74 0e je 139b -> 138d: 48 8b 40 28 mov 0x28(%rax),%rax <----- HERE -> 1391: 48 85 c0 test %rax,%rax -> 1394: 74 05 je 139b -> l4proto->destroy(ct); -> 1396: 48 89 df mov %rbx,%rdi -> 1399: ff d0 callq *%rax -> -> -> l4proto (%rax) is garbage (0x50626b6b7876376c) which looks a little like ascii, -> but P>kkxv7l doesn't mean much to me. -> -> https://bugzilla.redhat.com/show_bug.cgi?id=917792 is the original report, but -> there aren't any further details yet. -> -> Dave -> - -tun driver lacks a nf_reset(skb) call - -I would try : - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 2c6a22e..b7c457a 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -747,6 +747,8 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev) - goto drop; - skb_orphan(skb); - -+ nf_reset(skb); -+ - /* Enqueue packet */ - skb_queue_tail(&tfile->socket.sk->sk_receive_queue, skb); - - diff --git a/kernel.spec b/kernel.spec index eb9cb27..90abcea 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 104 +%global baserelease 101 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -66,7 +66,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -645,7 +645,6 @@ Patch520: quite-apm.patch Patch530: silence-fbcon-logo.patch Patch540: silence-empty-ipi-mask-warning.patch -Patch541: silence-tty-null.patch Patch800: crash-driver.patch @@ -734,37 +733,19 @@ Patch22262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch #rhbz 916544 Patch22263: 0001-drivers-crypto-nx-fix-init-race-alignmasks-and-GCM-b.patch -#CVE-2013-1828 rhbz 919315 919316 -Patch22269: net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch - #rhbz 812111 Patch24000: alps.patch Patch24100: userns-avoid-recursion-in-put_user_ns.patch -#rhbz 859346 -Patch24101: fix-destroy_conntrack-GPF.patch - #rhbz 917353 Patch24102: backlight_revert.patch Patch24103: turbostat-makefile.diff -#rhbz 904182 -Patch24104: TTY-do-not-reset-master-s-packet-mode.patch - -#rhbz 857954 -Patch24105: w1-fix-oops-when-w1_search-is-called-from.patch - -#rhbz 911771 -Patch24106: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch - #rhbz 879462 Patch24107: uvcvideo-suspend-fix.patch -#CVE-2013-0914 rhbz 920499 920510 -Patch24108: signal-always-clear-sa_restorer-on-execve.patch - #CVE-2013-0913 rhbz 920471 920529 Patch24109: drm-i915-bounds-check-execbuffer-relocation-count.patch @@ -775,18 +756,12 @@ Patch24112: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.8.patch #rhbz 859282 Patch24113: VMX-x86-handle-host-TSC-calibration-failure.patch -#CVE-2013-1860 rhbz 921970 922004 -Patch24114: USB-cdc-wdm-fix-buffer-overflow.patch - #rhbz 920586 Patch25000: amd64_edac_fix_rank_count.patch #rhbz 921500 Patch25001: i7300_edac_single_mode_fixup.patch -#rhbz 922304 -Patch25002: drm-ilk-rc6-reverts.patch - #CVE-2013-1798 rhbz 917017 923968 Patch25003: 0001-KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch @@ -1409,7 +1384,6 @@ ApplyPatch silence-fbcon-logo.patch # No-one cares about these warnings ApplyPatch silence-empty-ipi-mask-warning.patch -ApplyPatch silence-tty-null.patch # Changes to upstream defaults. @@ -1493,12 +1467,6 @@ ApplyPatch 0001-drivers-crypto-nx-fix-init-race-alignmasks-and-GCM-b.patch ApplyPatch userns-avoid-recursion-in-put_user_ns.patch -#rhbz 859346 -ApplyPatch fix-destroy_conntrack-GPF.patch - -#CVE-2013-1828 rhbz 919315 919316 -ApplyPatch net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch - #rhbz 917353 ApplyPatch backlight_revert.patch -R @@ -1510,21 +1478,9 @@ ApplyPatch amd64_edac_fix_rank_count.patch #rhbz 921500 ApplyPatch i7300_edac_single_mode_fixup.patch -#rhbz 904182 -ApplyPatch TTY-do-not-reset-master-s-packet-mode.patch - -#rhbz 857954 -ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch - -#rhbz 911771 -ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch - #rhbz 879462 ApplyPatch uvcvideo-suspend-fix.patch -#CVE-2013-0914 rhbz 920499 920510 -ApplyPatch signal-always-clear-sa_restorer-on-execve.patch - #CVE-2013-0913 rhbz 920471 920529 ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch @@ -1535,12 +1491,6 @@ ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.8.patch #rhbz 859282 ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch -#CVE-2013-1860 rhbz 921970 922004 -ApplyPatch USB-cdc-wdm-fix-buffer-overflow.patch - -#rhbz 922304 -ApplyPatch drm-ilk-rc6-reverts.patch -R - #CVE-2013-1798 rhbz 917017 923968 ApplyPatch 0001-KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch @@ -2406,6 +2356,10 @@ fi # '-' | | # '-' %changelog +* Wed Mar 20 2013 Josh Boyer - 3.8.4-101 +- Linux v3.8.4 +- CVE-2013-1873 information leaks via netlink interface (rhbz 923652 923662) + * Wed Mar 20 2013 Josh Boyer - CVE-2013-1796 kvm: buffer overflow in handling of MSR_KVM_SYSTEM_TIME (rhbz 917012 923966) diff --git a/net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch b/net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch deleted file mode 100644 index bb976c5..0000000 --- a/net-sctp-Validate-parameter-size-for-SCTP_GET_ASSOC_.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 726bc6b092da4c093eb74d13c07184b18c1af0f1 Mon Sep 17 00:00:00 2001 -From: Guenter Roeck -Date: Wed, 27 Feb 2013 10:57:31 +0000 -Subject: [PATCH] net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Building sctp may fail with: - -In function ‘copy_from_user’, - inlined from ‘sctp_getsockopt_assoc_stats’ at - net/sctp/socket.c:5656:20: -arch/x86/include/asm/uaccess_32.h:211:26: error: call to - ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() - buffer size is not provably correct - -if built with W=1 due to a missing parameter size validation -before the call to copy_from_user. - -Signed-off-by: Guenter Roeck -Acked-by: Vlad Yasevich -Signed-off-by: David S. Miller ---- - net/sctp/socket.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index cedd9bf..9ef5c73 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, - if (len < sizeof(sctp_assoc_t)) - return -EINVAL; - -+ /* Allow the struct to grow and fill in as much as possible */ -+ len = min_t(size_t, len, sizeof(sas)); -+ - if (copy_from_user(&sas, optval, len)) - return -EFAULT; - -@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, - /* Mark beginning of a new observation period */ - asoc->stats.max_obs_rto = asoc->rto_min; - -- /* Allow the struct to grow and fill in as much as possible */ -- len = min_t(size_t, len, sizeof(sas)); -- - if (put_user(len, optlen)) - return -EFAULT; - --- -1.8.1.2 - diff --git a/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch b/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch deleted file mode 100644 index b16be44..0000000 --- a/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch +++ /dev/null @@ -1,63 +0,0 @@ -From e94256528a988231ccc7a2a0b6b206a1131cb358 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 8 Mar 2013 21:13:52 -0500 -Subject: [PATCH] serial: 8250: Keep 8250. module options functional - after driver rename - -With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the -8250 driver was renamed to 8250_core. This means any existing usage of -the 8259. module parameters or as a kernel command line switch is -now broken, as the 8250_core driver doesn't parse options belonging to -something called "8250". - -To solve this, we redefine the module options in a dummy function using -a redefined MODULE_PARAM_PREFX when built into the kernel. In the case -where we're building as a module, we provide an alias to the old 8250 -name. The dummy function prevents compiler errors due to global variable -redefinitions that happen as part of the module_param_ macro expansions. - -Signed-off-by: Josh Boyer ---- - drivers/tty/serial/8250/8250.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c -index 0efc815..f982633 100644 ---- a/drivers/tty/serial/8250/8250.c -+++ b/drivers/tty/serial/8250/8250.c -@@ -3396,3 +3396,32 @@ module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444); - MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA"); - #endif - MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR); -+ -+#ifndef MODULE -+/* This module was renamed to 8250_core in 3.7. Keep the old "8250" name -+ * working as well for the module options so we don't break people. We -+ * need to keep the names identical and the convenient macros will happily -+ * refuse to let us do that by failing the build with redefinition errors -+ * of global variables. So we stick them inside a dummy function to avoid -+ * those conflicts. The options still get parsed, and the redefined -+ * MODULE_PARAM_PREFIX lets us keep the "8250." syntax alive. -+ * -+ * This is hacky. I'm sorry. -+ */ -+static void __used s8250_options(void) -+{ -+#undef MODULE_PARAM_PREFIX -+#define MODULE_PARAM_PREFIX "8250." -+ -+ module_param_cb(share_irqs, ¶m_ops_uint, &share_irqs, 0644); -+ module_param_cb(nr_uarts, ¶m_ops_uint, &nr_uarts, 0644); -+ module_param_cb(skip_txen_test, ¶m_ops_uint, &skip_txen_test, 0644); -+#ifdef CONFIG_SERIAL_8250_RSA -+ __module_param_call(MODULE_PARAM_PREFIX, probe_rsa, -+ ¶m_array_ops, .arr = &__param_arr_probe_rsa, -+ 0444, -1); -+#endif -+} -+#else -+MODULE_ALIAS("8250"); -+#endif --- -1.8.1.2 - diff --git a/signal-always-clear-sa_restorer-on-execve.patch b/signal-always-clear-sa_restorer-on-execve.patch deleted file mode 100644 index 658f97a..0000000 --- a/signal-always-clear-sa_restorer-on-execve.patch +++ /dev/null @@ -1,113 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.169.233 with SMTP id ah9csp99159oac; - Mon, 11 Mar 2013 13:14:17 -0700 (PDT) -X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671; - Mon, 11 Mar 2013 13:14:16 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10; - Mon, 11 Mar 2013 13:14:16 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754069Ab3CKUN4 (ORCPT + 99 others); - Mon, 11 Mar 2013 16:13:56 -0400 -Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1753913Ab3CKUN4 (ORCPT ); - Mon, 11 Mar 2013 16:13:56 -0400 -Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) - by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201; - Mon, 11 Mar 2013 13:13:43 -0700 -Date: Mon, 11 Mar 2013 13:13:42 -0700 -From: Kees Cook -To: linux-kernel@vger.kernel.org -Cc: Al Viro , Oleg Nesterov , - Andrew Morton , - "Eric W. Biederman" , - Serge Hallyn , - Emese Revfy , - PaX Team , jln@google.com -Subject: [PATCH v2] signal: always clear sa_restorer on execve -Message-ID: <20130311201342.GA19824@www.outflux.net> -MIME-Version: 1.0 -Content-Type: text/plain; charset=us-ascii -Content-Disposition: inline -X-MIMEDefang-Filter: outflux$Revision: 1.316 $ -X-HELO: www.outflux.net -X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org - -When the new signal handlers are set up, the location of sa_restorer -is not cleared, leaking a parent process's address space location to -children. This allows for a potential bypass of the parent's ASLR by -examining the sa_restorer value returned when calling sigaction(). - -Based on what should be considered "secret" about addresses, it only -matters across the exec not the fork (since the VMAs haven't changed -until the exec). But since exec sets SIG_DFL and keeps sa_restorer, -this is where it should be fixed. - -Given the few uses of sa_restorer, a "set" function was not written -since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER, -as already done in other places. - -Example of the leak before applying this patch: - -$ cat /proc/$$/maps -... -7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so -... -$ ./leak -... -7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so -... -1 0 (nil) 0x7fb9f30b94a0 -2 4000000 (nil) 0x7f278bcaa4a0 -3 4000000 (nil) 0x7f278bcaa4a0 -4 0 (nil) 0x7fb9f30b94a0 -... - -Signed-off-by: Kees Cook -Reported-by: Emese Revfy -Cc: Emese Revfy -Cc: PaX Team -Cc: stable@vger.kernel.org ---- -v2: - - clarify commit, explain use of #ifdef. ---- - kernel/signal.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/signal.c b/kernel/signal.c -index 2ec870a..8c8e3ca 100644 ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default) - if (force_default || ka->sa.sa_handler != SIG_IGN) - ka->sa.sa_handler = SIG_DFL; - ka->sa.sa_flags = 0; -+#ifdef SA_RESTORER -+ ka->sa.sa_restorer = NULL; -+#endif - sigemptyset(&ka->sa.sa_mask); - ka++; - } --- -1.7.9.5 - - --- -Kees Cook -Chrome OS Security --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ diff --git a/silence-tty-null.patch b/silence-tty-null.patch deleted file mode 100644 index 00f6423..0000000 --- a/silence-tty-null.patch +++ /dev/null @@ -1,13 +0,0 @@ -This should be fixed in 3.9, but is unlikely to be backported. - ---- linux-3.8.1-201.fc18.x86_64/drivers/tty/tty_buffer.c~ 2013-03-01 11:07:37.498291384 -0500 -+++ linux-3.8.1-201.fc18.x86_64/drivers/tty/tty_buffer.c 2013-03-01 11:08:11.088250537 -0500 -@@ -473,7 +473,7 @@ static void flush_to_ldisc(struct work_s - struct tty_ldisc *disc; - - tty = port->itty; -- if (WARN_RATELIMIT(tty == NULL, "tty is NULL\n")) -+ if (tty == NULL) - return; - - disc = tty_ldisc_ref(tty); diff --git a/sources b/sources index 499b47a..2d46829 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz -ba18b5d27ed303f5e5a9cda32a451031 patch-3.8.3.xz +40ab82996ff4b49ad3f4e19cf729dcab patch-3.8.4.xz diff --git a/w1-fix-oops-when-w1_search-is-called-from.patch b/w1-fix-oops-when-w1_search-is-called-from.patch deleted file mode 100644 index 0a54eff..0000000 --- a/w1-fix-oops-when-w1_search-is-called-from.patch +++ /dev/null @@ -1,111 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.101.212.35 with SMTP id o35csp6769anq; - Sat, 2 Mar 2013 05:50:51 -0800 (PST) -X-Received: by 10.68.137.42 with SMTP id qf10mr19122124pbb.80.1362232251119; - Sat, 02 Mar 2013 05:50:51 -0800 (PST) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id pu7si8560937pbc.232.2013.03.02.05.50.50; - Sat, 02 Mar 2013 05:50:51 -0800 (PST) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org; - dkim=neutral (body hash did not verify) header.i=@gmail.com -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1752198Ab3CBNuU (ORCPT - + 99 others); Sat, 2 Mar 2013 08:50:20 -0500 -Received: from mail-ee0-f48.google.com ([74.125.83.48]:46431 "EHLO - mail-ee0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1752038Ab3CBNuT (ORCPT - ); - Sat, 2 Mar 2013 08:50:19 -0500 -Received: by mail-ee0-f48.google.com with SMTP id t10so2921534eei.7 - for ; Sat, 02 Mar 2013 05:50:18 -0800 (PST) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=gmail.com; s=20120113; - h=x-received:date:from:to:cc:subject:message-id:references - :mime-version:content-type:content-disposition:in-reply-to - :user-agent; - bh=8ABPYEMGQsyhtGtpdGpnD1kQchBrqYm9rJ3sEUcIQOc=; - b=hx/4GjbvaME9C3c+WOrfUkkwnJ5jJXefsOhCKmPCE8kmswk3Tvm11198r4+y1jM/Bl - 1wtIYby6sFgA08JUldm09fPpsKfbdeDnFAI5WmUAGJjahFXXRrQPocI6E0+s2BcM+t3H - Ii8g8ZvYJ+YMgbbSmp7mwMv98aa0+qdY6TIF4P/wNwAWrsjFh5TBgc/QyB0MzyQQ2tMp - LfA7n/2sH11vofS6FLSaWhtwGIIexPZ+oxWpvwBcCIYX+gTrSHPZqnLQkvhQ5oZDx7WF - 6QlNEqlmL+usW1ApRCAwcL4jOaORDAC2MytGH4jdZNic0PqdzonfbJTRE6YmZ45FHtNG - l+6w== -X-Received: by 10.15.101.204 with SMTP id bp52mr38431150eeb.31.1362232218031; - Sat, 02 Mar 2013 05:50:18 -0800 (PST) -Received: from gmail.com (aek101.neoplus.adsl.tpnet.pl. [83.25.114.101]) - by mx.google.com with ESMTPS id o3sm22363368eem.15.2013.03.02.05.50.16 - (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); - Sat, 02 Mar 2013 05:50:17 -0800 (PST) -Date: Sat, 2 Mar 2013 14:50:15 +0100 -From: Marcin Jurkowski -To: Sven Geggus -Cc: Evgeniy Polyakov , linux-kernel@vger.kernel.org -Subject: [PATCH 1/1] w1: fix oops when w1_search is called from netlink - connector -Message-ID: <20130302135015.GA21448@gmail.com> -References: <20130116141627.GA23638@ioremap.net> - <20130302001103.GB18026@gmail.com> - <20130302094510.GA4695@geggus.net> -MIME-Version: 1.0 -Content-Type: text/plain; charset=us-ascii -Content-Disposition: inline -In-Reply-To: <20130302094510.GA4695@geggus.net> -User-Agent: Mutt/1.5.21 (2010-09-15) -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org - -On Sat, Mar 02, 2013 at 10:45:10AM +0100, Sven Geggus wrote: -> This is the bad commit I found doing git bisect: -> 04f482faf50535229a5a5c8d629cf963899f857c is the first bad commit -> commit 04f482faf50535229a5a5c8d629cf963899f857c -> Author: Patrick McHardy -> Date: Mon Mar 28 08:39:36 2011 +0000 - -Good job. I was too lazy to bisect for bad commit;) - -Reading the code I found problematic kthread_should_stop call from netlink -connector which causes the oops. After applying a patch, I've been testing -owfs+w1 setup for nearly two days and it seems to work very reliable (no -hangs, no memleaks etc). -More detailed description and possible fix is given below: - -Function w1_search can be called from either kthread or netlink callback. -While the former works fine, the latter causes oops due to kthread_should_stop -invocation. - -This patch adds a check if w1_search is serving netlink command, skipping -kthread_should_stop invocation if so. - -Signed-off-by: Marcin Jurkowski ---- - drivers/w1/w1.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c -index 7994d933..7e2220d 100644 ---- a/drivers/w1/w1.c -+++ b/drivers/w1/w1.c -@@ -924,7 +924,8 @@ void w1_search(struct w1_master *dev, u8 search_type, w1_slave_found_callback cb - tmp64 = (triplet_ret >> 2); - rn |= (tmp64 << i); - -- if (kthread_should_stop()) { -+ /* ensure we're called from kthread and not by netlink callback */ -+ if (!dev->priv && kthread_should_stop()) { - mutex_unlock(&dev->bus_mutex); - dev_dbg(&dev->dev, "Abort w1_search\n"); - return; --- -1.7.12.4 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/