From 76d02ca8dfdd5d683190a8f59811a34be4ee10fc Mon Sep 17 00:00:00 2001
From: Justin M. Forbes
Date: Oct 29 2012 14:01:22 +0000
Subject: Linux 3.6.4
---
diff --git a/0013-ext4-race-condition-protection-for-ext4_convert_unwr.patch b/0013-ext4-race-condition-protection-for-ext4_convert_unwr.patch
deleted file mode 100644
index ffd7975..0000000
--- a/0013-ext4-race-condition-protection-for-ext4_convert_unwr.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 5ff6b4cc64765e10df509a60e902561efdeb58d5 Mon Sep 17 00:00:00 2001
-From: Dmitry Monakhov
-Date: Fri, 5 Oct 2012 11:32:04 -0400
-Subject: [PATCH 13/13] ext4: race-condition protection for
- ext4_convert_unwritten_extents_endio
-
-We assumed that at the time we call ext4_convert_unwritten_extents_endio()
-extent in question is fully inside [map.m_lblk, map->m_len] because
-it was already split during submission. But this may not be true due to
-a race between writeback vs fallocate.
-
-If extent in question is larger than requested we will split it again.
-Special precautions should being done if zeroout required because
-[map.m_lblk, map->m_len] already contains valid data.
-
-Signed-off-by: Dmitry Monakhov
-(cherry picked from commit 0d4b4ff5282d07a4f83b87b3117cd898b0a3f673)
----
- fs/ext4/extents.c | 57 ++++++++++++++++++++++++++++++++++++++++++++-----------
- 1 file changed, 46 insertions(+), 11 deletions(-)
-
-diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
-index ea2db86..ee0d61c 100644
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -52,6 +52,9 @@
- #define EXT4_EXT_MARK_UNINIT1 0x2 /* mark first half uninitialized */
- #define EXT4_EXT_MARK_UNINIT2 0x4 /* mark second half uninitialized */
-
-+#define EXT4_EXT_DATA_VALID1 0x8 /* first half contains valid data */
-+#define EXT4_EXT_DATA_VALID2 0x10 /* second half contains valid data */
-+
- static __le32 ext4_extent_block_csum(struct inode *inode,
- struct ext4_extent_header *eh)
- {
-@@ -2897,6 +2900,9 @@ static int ext4_split_extent_at(handle_t *handle,
- unsigned int ee_len, depth;
- int err = 0;
-
-+ BUG_ON((split_flag & (EXT4_EXT_DATA_VALID1 | EXT4_EXT_DATA_VALID2)) ==
-+ (EXT4_EXT_DATA_VALID1 | EXT4_EXT_DATA_VALID2));
-+
- ext_debug("ext4_split_extents_at: inode %lu, logical"
- "block %llu\n", inode->i_ino, (unsigned long long)split);
-
-@@ -2955,7 +2961,14 @@ static int ext4_split_extent_at(handle_t *handle,
-
- err = ext4_ext_insert_extent(handle, inode, path, &newex, 
flags);
- if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) {
-- err = ext4_ext_zeroout(inode, &orig_ex);
-+ if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
-+ if (split_flag & EXT4_EXT_DATA_VALID1)
-+ err = ext4_ext_zeroout(inode, ex2);
-+ else
-+ err = ext4_ext_zeroout(inode, ex);
-+ } else
-+ err = ext4_ext_zeroout(inode, &orig_ex);
-+
- if (err)
- goto fix_extent_len;
- /* update the extent length and mark as initialized */
-@@ -3008,12 +3021,13 @@ static int ext4_split_extent(handle_t *handle,
- uninitialized = ext4_ext_is_uninitialized(ex);
-
- if (map->m_lblk + map->m_len < ee_block + ee_len) {
-- split_flag1 = split_flag & EXT4_EXT_MAY_ZEROOUT ?
-- EXT4_EXT_MAY_ZEROOUT : 0;
-+ split_flag1 = split_flag & EXT4_EXT_MAY_ZEROOUT;
- flags1 = flags | EXT4_GET_BLOCKS_PRE_IO;
- if (uninitialized)
- split_flag1 |= EXT4_EXT_MARK_UNINIT1 |
- EXT4_EXT_MARK_UNINIT2;
-+ if (split_flag & EXT4_EXT_DATA_VALID2)
-+ split_flag1 |= EXT4_EXT_DATA_VALID1;
- err = ext4_split_extent_at(handle, inode, path,
- map->m_lblk + map->m_len, split_flag1, flags1);
- if (err)
-@@ -3026,8 +3040,8 @@ static int ext4_split_extent(handle_t *handle,
- return PTR_ERR(path);
-
- if (map->m_lblk >= ee_block) {
-- split_flag1 = split_flag & EXT4_EXT_MAY_ZEROOUT ?
-- EXT4_EXT_MAY_ZEROOUT : 0;
-+ split_flag1 = split_flag & (EXT4_EXT_MAY_ZEROOUT |
-+ EXT4_EXT_DATA_VALID2);
- if (uninitialized)
- split_flag1 |= EXT4_EXT_MARK_UNINIT1;
- if (split_flag & EXT4_EXT_MARK_UNINIT2)
-@@ -3305,26 +3319,47 @@ static int ext4_split_unwritten_extents(handle_t *handle,
-
- split_flag |= ee_block + ee_len <= eof_block ? 
EXT4_EXT_MAY_ZEROOUT : 0;
- split_flag |= EXT4_EXT_MARK_UNINIT2;
--
-+ if (flags & EXT4_GET_BLOCKS_CONVERT)
-+ split_flag |= EXT4_EXT_DATA_VALID2;
- flags |= EXT4_GET_BLOCKS_PRE_IO;
- return ext4_split_extent(handle, inode, path, map, split_flag, flags);
- }
-
- static int ext4_convert_unwritten_extents_endio(handle_t *handle,
-- struct inode *inode,
-- struct ext4_ext_path *path)
-+ struct inode *inode,
-+ struct ext4_map_blocks *map,
-+ struct ext4_ext_path *path)
- {
- struct ext4_extent *ex;
-+ ext4_lblk_t ee_block;
-+ unsigned int ee_len;
- int depth;
- int err = 0;
-
- depth = ext_depth(inode);
- ex = path[depth].p_ext;
-+ ee_block = le32_to_cpu(ex->ee_block);
-+ ee_len = ext4_ext_get_actual_len(ex);
-
- ext_debug("ext4_convert_unwritten_extents_endio: inode %lu, logical"
- "block %llu, max_blocks %u\n", inode->i_ino,
-- (unsigned long long)le32_to_cpu(ex->ee_block),
-- ext4_ext_get_actual_len(ex));
-+ (unsigned long long)ee_block, ee_len);
-+
-+ /* If extent is larger than requested then split is required */
-+ if (ee_block != map->m_lblk || ee_len > map->m_len) {
-+ err = ext4_split_unwritten_extents(handle, inode, map, path,
-+ EXT4_GET_BLOCKS_CONVERT);
-+ if (err < 0)
-+ goto out;
-+ ext4_ext_drop_refs(path);
-+ path = ext4_ext_find_extent(inode, map->m_lblk, path);
-+ if (IS_ERR(path)) {
-+ err = PTR_ERR(path);
-+ goto out;
-+ }
-+ depth = ext_depth(inode);
-+ ex = path[depth].p_ext;
-+ }
-
- err = ext4_ext_get_access(handle, inode, path + depth);
- if (err)
-@@ -3634,7 +3669,7 @@ ext4_ext_handle_uninitialized_extents(handle_t *handle, struct inode *inode,
- }
- /* IO end_io complete, convert the filled extent to written */
- if ((flags & EXT4_GET_BLOCKS_CONVERT)) {
-- ret = ext4_convert_unwritten_extents_endio(handle, inode,
-+ ret = ext4_convert_unwritten_extents_endio(handle, inode, map,
- path);
- if (ret >= 0) {
- ext4_update_inode_fsync_trans(handle, inode, 1);
---
-1.7.12.rc0.22.gcdd159b
-
diff --git a/drm-i915-Use-cpu-relocations-if-the-object-is-in-the.patch b/drm-i915-Use-cpu-relocations-if-the-object-is-in-the.patch
deleted file mode 100644
index 0e282bf..0000000
--- a/drm-i915-Use-cpu-relocations-if-the-object-is-in-the.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 504c7267a1e84b157cbd7e9c1b805e1bc0c2c846 Mon Sep 17 00:00:00 2001
-From: Chris Wilson
-Date: Thu, 23 Aug 2012 13:12:52 +0100
-Subject: [PATCH] drm/i915: Use cpu relocations if the object is in the GTT
- but not mappable
-
-This prevents the case of unbinding the object in order to process the
-relocations through the GTT and then rebinding it only to then proceed
-to use cpu relocations as the object is now in the CPU write domain. By
-choosing to use cpu relocations up front, we can therefore avoid the
-rebind penalty.
-
-Signed-off-by: Chris Wilson
-Signed-off-by: Daniel Vetter
----
- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index f7346d8..dc87563 100644
---- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-@@ -95,6 +95,7 @@ eb_destroy(struct eb_objects *eb)
- static inline int use_cpu_reloc(struct drm_i915_gem_object *obj)
- {
- return (obj->base.write_domain == I915_GEM_DOMAIN_CPU ||
-+ !obj->map_and_fenceable ||
- obj->cache_level != I915_CACHE_NONE);
- }
-
---
-1.7.12.1
-
diff --git a/fix-stack-memory-content-leak-via-UNAME26.patch b/fix-stack-memory-content-leak-via-UNAME26.patch
deleted file mode 100644
index 5121ca0..0000000
--- a/fix-stack-memory-content-leak-via-UNAME26.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 2702b1526c7278c4d65d78de209a465d4de2885e Mon Sep 17 00:00:00 2001
-From: Kees Cook
-Date: Fri, 19 Oct 2012 13:56:51 -0700
-Subject: [PATCH 1/2] kernel/sys.c: fix stack memory content leak via UNAME26
-
-Calling uname() with the UNAME26 personality set allows a leak of kernel
-stack contents. This fixes it by defensively calculating the length of
-copy_to_user() call, making the len argument unsigned, and initializing
-the stack buffer to zero (now technically unneeded, but hey, overkill).
-
-CVE-2012-0957
-
-Reported-by: PaX Team
-Signed-off-by: Kees Cook
-Cc: Andi Kleen
-Cc: PaX Team
-Cc: Brad Spengler
-Cc:
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
----
- kernel/sys.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/kernel/sys.c b/kernel/sys.c
-index c5cb5b9..01865c6 100644
---- a/kernel/sys.c
-+++ b/kernel/sys.c
-@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem);
- * Work around broken programs that cannot handle "Linux 3.0".
- * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
- */
--static int override_release(char __user *release, int len)
-+static int override_release(char __user *release, size_t len)
- {
- int ret = 0;
-- char buf[65];
-
- if (current->personality & UNAME26) {
-- char *rest = UTS_RELEASE;
-+ const char *rest = UTS_RELEASE;
-+ char buf[65] = { 0 };
- int ndots = 0;
- unsigned v;
-+ size_t copy;
-
- while (*rest) {
- if (*rest == '.' 
&& ++ndots >= 3)
-@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len)
- rest++;
- }
- v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
-- snprintf(buf, len, "2.6.%u%s", v, rest);
-- ret = copy_to_user(release, buf, len);
-+ copy = min(sizeof(buf), max_t(size_t, 1, len));
-+ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
-+ ret = copy_to_user(release, buf, copy + 1);
- }
- return ret;
- }
---
-1.7.12.1
-
-
-From 31fd84b95eb211d5db460a1dda85e004800a7b52 Mon Sep 17 00:00:00 2001
-From: Kees Cook
-Date: Fri, 19 Oct 2012 18:45:53 -0700
-Subject: [PATCH 2/2] use clamp_t in UNAME26 fix
-
-The min/max call needed to have explicit types on some architectures
-(e.g. mn10300). Use clamp_t instead to avoid the warning:
-
- kernel/sys.c: In function 'override_release':
- kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
-
-Reported-by: Fengguang Wu
-Signed-off-by: Kees Cook
-Signed-off-by: Linus Torvalds
----
- kernel/sys.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/sys.c b/kernel/sys.c
-index 01865c6..e6e0ece 100644
---- a/kernel/sys.c
-+++ b/kernel/sys.c
-@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len)
- rest++;
- }
- v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
-- copy = min(sizeof(buf), max_t(size_t, 1, len));
-+ copy = clamp_t(size_t, len, 1, sizeof(buf));
- copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
- ret = copy_to_user(release, buf, copy + 1);
- }
---
-1.7.12.1
-
diff --git a/kernel.spec b/kernel.spec
index eda0c2c..64cf182 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 1
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -66,7 +66,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -755,15 +755,9 @@ Patch22073: mac80211_local_deauth_v3.6.patch
 #rhbz 866013
 Patch22074: mac80211-connect-with-HT20-if-HT40-is-not-permitted.patch
-#rhbz 862877 864824 CVE-2012-0957
-Patch22076: fix-stack-memory-content-leak-via-UNAME26.patch
-
 #rhbz 867344
 Patch22077: dont-call-cifs_lookup-on-hashed-negative-dentry.patch
-#rhbz 852210
-Patch22078: drm-i915-Use-cpu-relocations-if-the-object-is-in-the.patch
-
 #rhbz 869904 869909 CVE-2012-4508
 Patch22080: 0001-ext4-ext4_inode_info-diet.patch
 Patch22081: 0002-ext4-give-i_aiodio_unwritten-a-more-appropriate-name.patch
@@ -777,7 +771,6 @@ Patch22088: 0009-ext4-punch_hole-should-wait-for-DIO-writers.patch
 Patch22089: 0010-ext4-fix-ext_remove_space-for-punch_hole-case.patch
 Patch22090: 0011-ext4-fix-ext4_flush_completed_IO-wait-semantics.patch
 Patch22091: 0012-ext4-serialize-fallocate-with-ext4_convert_unwritten.patch
-Patch22092: 0013-ext4-race-condition-protection-for-ext4_convert_unwr.patch
 # END OF PATCH DEFINITIONS
@@ -1483,15 +1476,9 @@ ApplyPatch mac80211_local_deauth_v3.6.patch
 #rhbz 866013
 ApplyPatch mac80211-connect-with-HT20-if-HT40-is-not-permitted.patch
-#rhbz 862877 864824 CVE-2012-0957
-ApplyPatch fix-stack-memory-content-leak-via-UNAME26.patch
-
 #rhbz 867344
 ApplyPatch dont-call-cifs_lookup-on-hashed-negative-dentry.patch
-#rhbz 852210
-ApplyPatch drm-i915-Use-cpu-relocations-if-the-object-is-in-the.patch
-
 #rhbz 869904 869909 CVE-2012-4508
 ApplyPatch 0001-ext4-ext4_inode_info-diet.patch
 ApplyPatch 0002-ext4-give-i_aiodio_unwritten-a-more-appropriate-name.patch
@@ -1505,7 +1492,6 @@ ApplyPatch 0009-ext4-punch_hole-should-wait-for-DIO-writers.patch
 ApplyPatch 0010-ext4-fix-ext_remove_space-for-punch_hole-case.patch
 ApplyPatch 0011-ext4-fix-ext4_flush_completed_IO-wait-semantics.patch
 ApplyPatch 0012-ext4-serialize-fallocate-with-ext4_convert_unwritten.patch
-ApplyPatch 0013-ext4-race-condition-protection-for-ext4_convert_unwr.patch
 # END OF PATCH APPLICATIONS
@@ -2370,6 +2356,9 @@ fi
 # '-' | |
 # '-'
 %changelog
+* Mon Oct 29 2012 Justin M. Forbes 3.6.4-1
+- Linux 3.6.4
+
 * Thu Oct 25 2012 Justin M. Forbes
 - CVE-2012-4508: ext4: AIO vs fallocate stale data exposure (rhbz 869904 869909)
diff --git a/sources b/sources
index 8c5ed1c..965397c 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz
-96701113d37ef4f9b785206ab8bcc71e patch-3.6.3.xz
+d7efab4da2682c44662b684026b059f7 patch-3.6.4.xz
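Review bot: The `%changelog` entry added in kernel.spec records only `- Linux 3.6.4`, although the same commit drops Patch22076 (carried under the `#rhbz 862877 864824 CVE-2012-0957` comment), Patch22078 and Patch22092 from both the patch definitions and the ApplyPatch list. Presumably they are dropped because the 3.6.4 stable patch already contains them, but nothing on the page confirms that, and Patch22092 is the last of a series whose remaining parts are still applied under the CVE-2012-4508 comment. I would confirm that each of the three fixes is present in patch-3.6.4.xz and record it in the changelog, for example `- Drop fix-stack-memory-content-leak-via-UNAME26.patch (CVE-2012-0957), included in 3.6.4`, so the CVE trail stays auditable from the package history.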