diff --git a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch b/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch deleted file mode 100644 index 7197f7f..0000000 --- a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch +++ /dev/null @@ -1,228 +0,0 @@ -To fix /dev/kmsg, let's compare the existing interfaces and what they allow: - -- /proc/kmsg allows: - - open (SYSLOG_ACTION_OPEN) if CAP_SYSLOG since it uses a destructive - single-reader interface (SYSLOG_ACTION_READ). - - everything, after an open. - -- syslog syscall allows: - - anything, if CAP_SYSLOG. - - SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, if dmesg_restrict==0. - - nothing else (EPERM). - -The use-cases were: -- dmesg(1) needs to do non-destructive SYSLOG_ACTION_READ_ALLs. -- sysklog(1) needs to open /proc/kmsg, drop privs, and still issue the - destructive SYSLOG_ACTION_READs. - -AIUI, dmesg(1) is moving to /dev/kmsg, and systemd-journald doesn't -clear the ring buffer. - -Based on the comments in devkmsg_llseek, it sounds like actions besides -reading aren't going to be supported by /dev/kmsg (i.e. SYSLOG_ACTION_CLEAR), -so we have a strict subset of the non-destructive syslog syscall actions. - -To this end, move the check as Josh had done, but also rename the constants -to reflect their new uses (SYSLOG_FROM_CALL becomes SYSLOG_FROM_READER, and -SYSLOG_FROM_FILE becomes SYSLOG_FROM_PROC). SYSLOG_FROM_READER allows -non-destructive actions, and SYSLOG_FROM_PROC allows destructive actions -after a capabilities-constrained SYSLOG_ACTION_OPEN check. - -- /dev/kmsg allows: - - open if CAP_SYSLOG or dmesg_restrict==0 - - reading/polling, after open - -Signed-off-by: Kees Cook -Reported-by: Christian Kujau -Cc: Josh Boyer -Cc: Kay Sievers -Cc: stable@vger.kernel.org ---- - fs/proc/kmsg.c | 10 +++--- - include/linux/syslog.h | 4 +-- - kernel/printk.c | 91 ++++++++++++++++++++++++++---------------------- - 3 files changed, 57 insertions(+), 48 deletions(-) - -diff --git a/fs/proc/kmsg.c b/fs/proc/kmsg.c -index bd4b5a7..bdfabda 100644 ---- a/fs/proc/kmsg.c -+++ b/fs/proc/kmsg.c -@@ -21,12 +21,12 @@ extern wait_queue_head_t log_wait; - - static int kmsg_open(struct inode * inode, struct file * file) - { -- return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_FILE); -+ return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_PROC); - } - - static int kmsg_release(struct inode * inode, struct file * file) - { -- (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_FILE); -+ (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_PROC); - return 0; - } - -@@ -34,15 +34,15 @@ static ssize_t kmsg_read(struct file *file, char __user *buf, - size_t count, loff_t *ppos) - { - if ((file->f_flags & O_NONBLOCK) && -- !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) -+ !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC)) - return -EAGAIN; -- return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_FILE); -+ return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_PROC); - } - - static unsigned int kmsg_poll(struct file *file, poll_table *wait) - { - poll_wait(file, &log_wait, wait); -- if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) -+ if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC)) - return POLLIN | POLLRDNORM; - return 0; - } -diff --git a/include/linux/syslog.h b/include/linux/syslog.h -index 3891139..98a3153 100644 ---- a/include/linux/syslog.h -+++ b/include/linux/syslog.h -@@ -44,8 +44,8 @@ - /* Return size of the log buffer */ - #define SYSLOG_ACTION_SIZE_BUFFER 10 - --#define SYSLOG_FROM_CALL 0 --#define SYSLOG_FROM_FILE 1 -+#define SYSLOG_FROM_READER 0 -+#define SYSLOG_FROM_PROC 1 - - int do_syslog(int type, char __user *buf, int count, bool from_file); - -diff --git a/kernel/printk.c b/kernel/printk.c -index abbdd9e..53b5c5e 100644 ---- a/kernel/printk.c -+++ b/kernel/printk.c -@@ -368,6 +368,53 @@ static void log_store(int facility, int level, - log_next_seq++; - } - -+#ifdef CONFIG_SECURITY_DMESG_RESTRICT -+int dmesg_restrict = 1; -+#else -+int dmesg_restrict; -+#endif -+ -+static int syslog_action_restricted(int type) -+{ -+ if (dmesg_restrict) -+ return 1; -+ /* -+ * Unless restricted, we allow "read all" and "get buffer size" -+ * for everybody. -+ */ -+ return type != SYSLOG_ACTION_READ_ALL && -+ type != SYSLOG_ACTION_SIZE_BUFFER; -+} -+ -+static int check_syslog_permissions(int type, bool from_file) -+{ -+ /* -+ * If this is from /proc/kmsg and we've already opened it, then we've -+ * already done the capabilities checks at open time. -+ */ -+ if (from_file && type != SYSLOG_ACTION_OPEN) -+ return 0; -+ -+ if (syslog_action_restricted(type)) { -+ if (capable(CAP_SYSLOG)) -+ return 0; -+ /* -+ * For historical reasons, accept CAP_SYS_ADMIN too, with -+ * a warning. -+ */ -+ if (capable(CAP_SYS_ADMIN)) { -+ printk_once(KERN_WARNING "%s (%d): " -+ "Attempt to access syslog with CAP_SYS_ADMIN " -+ "but no CAP_SYSLOG (deprecated).\n", -+ current->comm, task_pid_nr(current)); -+ return 0; -+ } -+ return -EPERM; -+ } -+ return security_syslog(type); -+} -+ -+ - /* /dev/kmsg - userspace message inject/listen interface */ - struct devkmsg_user { - u64 seq; -@@ -624,7 +671,8 @@ static int devkmsg_open(struct inode *inode, struct file *file) - if ((file->f_flags & O_ACCMODE) == O_WRONLY) - return 0; - -- err = security_syslog(SYSLOG_ACTION_READ_ALL); -+ err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL, -+ SYSLOG_FROM_READER); - if (err) - return err; - -@@ -817,45 +865,6 @@ static inline void boot_delay_msec(int level) - } - #endif - --#ifdef CONFIG_SECURITY_DMESG_RESTRICT --int dmesg_restrict = 1; --#else --int dmesg_restrict; --#endif -- --static int syslog_action_restricted(int type) --{ -- if (dmesg_restrict) -- return 1; -- /* Unless restricted, we allow "read all" and "get buffer size" for everybody */ -- return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER; --} -- --static int check_syslog_permissions(int type, bool from_file) --{ -- /* -- * If this is from /proc/kmsg and we've already opened it, then we've -- * already done the capabilities checks at open time. -- */ -- if (from_file && type != SYSLOG_ACTION_OPEN) -- return 0; -- -- if (syslog_action_restricted(type)) { -- if (capable(CAP_SYSLOG)) -- return 0; -- /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */ -- if (capable(CAP_SYS_ADMIN)) { -- printk_once(KERN_WARNING "%s (%d): " -- "Attempt to access syslog with CAP_SYS_ADMIN " -- "but no CAP_SYSLOG (deprecated).\n", -- current->comm, task_pid_nr(current)); -- return 0; -- } -- return -EPERM; -- } -- return 0; --} -- - #if defined(CONFIG_PRINTK_TIME) - static bool printk_time = 1; - #else -@@ -1253,7 +1262,7 @@ out: - - SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) - { -- return do_syslog(type, buf, len, SYSLOG_FROM_CALL); -+ return do_syslog(type, buf, len, SYSLOG_FROM_READER); - } - - /* --- -1.7.9.5 - - --- -Kees Cook -Chrome OS Security diff --git a/Modify-UEFI-anti-bricking-code.patch b/Modify-UEFI-anti-bricking-code.patch deleted file mode 100644 index 8625745..0000000 --- a/Modify-UEFI-anti-bricking-code.patch +++ /dev/null @@ -1,371 +0,0 @@ -From 2380baac8b96f6e93ef72135d1b60d686d7f82e6 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Sat, 1 Jun 2013 16:06:20 -0400 -Subject: [PATCH] Modify UEFI anti-bricking code - -This patch reworks the UEFI anti-bricking code, including an effective -reversion of cc5a080c and 31ff2f20. It turns out that calling -QueryVariableInfo() from boot services results in some firmware -implementations jumping to physical addresses even after entering virtual -mode, so until we have 1:1 mappings for UEFI runtime space this isn't -going to work so well. - -Reverting these gets us back to the situation where we'd refuse to create -variables on some systems because they classify deleted variables as "used" -until the firmware triggers a garbage collection run, which they won't do -until they reach a lower threshold. This results in it being impossible to -install a bootloader, which is unhelpful. - -Feedback from Samsung indicates that the firmware doesn't need more than -5KB of storage space for its own purposes, so that seems like a reasonable -threshold. However, there's still no guarantee that a platform will attempt -garbage collection merely because it drops below this threshold. It seems -that this is often only triggered if an attempt to write generates a -genuine EFI_OUT_OF_RESOURCES error. We can force that by attempting to -create a variable larger than the remaining space. This should fail, but if -it somehow succeeds we can then immediately delete it. - -I've tested this on the UEFI machines I have available, but I don't have -a Samsung and so can't verify that it avoids the bricking problem. - -Signed-off-by: Matthew Garrett ---- - arch/x86/boot/compressed/eboot.c | 47 ---------- - arch/x86/include/asm/efi.h | 7 -- - arch/x86/include/uapi/asm/bootparam.h | 1 - - arch/x86/platform/efi/efi.c | 167 +++++++++------------------------- - 4 files changed, 44 insertions(+), 178 deletions(-) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 35ee62f..c205035 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -251,51 +251,6 @@ static void find_bits(unsigned long mask, u8 *pos, u8 *size) - *size = len; - } - --static efi_status_t setup_efi_vars(struct boot_params *params) --{ -- struct setup_data *data; -- struct efi_var_bootdata *efidata; -- u64 store_size, remaining_size, var_size; -- efi_status_t status; -- -- if (sys_table->runtime->hdr.revision < EFI_2_00_SYSTEM_TABLE_REVISION) -- return EFI_UNSUPPORTED; -- -- data = (struct setup_data *)(unsigned long)params->hdr.setup_data; -- -- while (data && data->next) -- data = (struct setup_data *)(unsigned long)data->next; -- -- status = efi_call_phys4((void *)sys_table->runtime->query_variable_info, -- EFI_VARIABLE_NON_VOLATILE | -- EFI_VARIABLE_BOOTSERVICE_ACCESS | -- EFI_VARIABLE_RUNTIME_ACCESS, &store_size, -- &remaining_size, &var_size); -- -- if (status != EFI_SUCCESS) -- return status; -- -- status = efi_call_phys3(sys_table->boottime->allocate_pool, -- EFI_LOADER_DATA, sizeof(*efidata), &efidata); -- -- if (status != EFI_SUCCESS) -- return status; -- -- efidata->data.type = SETUP_EFI_VARS; -- efidata->data.len = sizeof(struct efi_var_bootdata) - -- sizeof(struct setup_data); -- efidata->data.next = 0; -- efidata->store_size = store_size; -- efidata->remaining_size = remaining_size; -- efidata->max_var_size = var_size; -- -- if (data) -- data->next = (unsigned long)efidata; -- else -- params->hdr.setup_data = (unsigned long)efidata; -- --} -- - static efi_status_t setup_efi_pci(struct boot_params *params) - { - efi_pci_io_protocol *pci; -@@ -1202,8 +1157,6 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, - - setup_graphics(boot_params); - -- setup_efi_vars(boot_params); -- - setup_efi_pci(boot_params); - - status = efi_call_phys3(sys_table->boottime->allocate_pool, -diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h -index 2fb5d58..60c89f3 100644 ---- a/arch/x86/include/asm/efi.h -+++ b/arch/x86/include/asm/efi.h -@@ -102,13 +102,6 @@ extern void efi_call_phys_epilog(void); - extern void efi_unmap_memmap(void); - extern void efi_memory_uc(u64 addr, unsigned long size); - --struct efi_var_bootdata { -- struct setup_data data; -- u64 store_size; -- u64 remaining_size; -- u64 max_var_size; --}; -- - #ifdef CONFIG_EFI - - static inline bool efi_is_native(void) -diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index 0874424..c15ddaf 100644 ---- a/arch/x86/include/uapi/asm/bootparam.h -+++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -6,7 +6,6 @@ - #define SETUP_E820_EXT 1 - #define SETUP_DTB 2 - #define SETUP_PCI 3 --#define SETUP_EFI_VARS 4 - - /* ram_size flags */ - #define RAMDISK_IMAGE_START_MASK 0x07FF -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index e4a86a6..beb5d5f 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -41,7 +41,6 @@ - #include - #include - #include --#include - - #include - #include -@@ -52,13 +51,6 @@ - - #define EFI_DEBUG 1 - --/* -- * There's some additional metadata associated with each -- * variable. Intel's reference implementation is 60 bytes - bump that -- * to account for potential alignment constraints -- */ --#define VAR_METADATA_SIZE 64 -- - struct efi __read_mostly efi = { - .mps = EFI_INVALID_TABLE_ADDR, - .acpi = EFI_INVALID_TABLE_ADDR, -@@ -77,13 +69,6 @@ struct efi_memory_map memmap; - static struct efi efi_phys __initdata; - static efi_system_table_t efi_systab __initdata; - --static u64 efi_var_store_size; --static u64 efi_var_remaining_size; --static u64 efi_var_max_var_size; --static u64 boot_used_size; --static u64 boot_var_size; --static u64 active_size; -- - unsigned long x86_efi_facility; - - /* -@@ -186,53 +171,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size, - efi_char16_t *name, - efi_guid_t *vendor) - { -- efi_status_t status; -- static bool finished = false; -- static u64 var_size; -- -- status = efi_call_virt3(get_next_variable, -+ return efi_call_virt3(get_next_variable, - name_size, name, vendor); -- -- if (status == EFI_NOT_FOUND) { -- finished = true; -- if (var_size < boot_used_size) { -- boot_var_size = boot_used_size - var_size; -- active_size += boot_var_size; -- } else { -- printk(KERN_WARNING FW_BUG "efi: Inconsistent initial sizes\n"); -- } -- } -- -- if (boot_used_size && !finished) { -- unsigned long size; -- u32 attr; -- efi_status_t s; -- void *tmp; -- -- s = virt_efi_get_variable(name, vendor, &attr, &size, NULL); -- -- if (s != EFI_BUFFER_TOO_SMALL || !size) -- return status; -- -- tmp = kmalloc(size, GFP_ATOMIC); -- -- if (!tmp) -- return status; -- -- s = virt_efi_get_variable(name, vendor, &attr, &size, tmp); -- -- if (s == EFI_SUCCESS && (attr & EFI_VARIABLE_NON_VOLATILE)) { -- var_size += size; -- var_size += ucs2_strsize(name, 1024); -- active_size += size; -- active_size += VAR_METADATA_SIZE; -- active_size += ucs2_strsize(name, 1024); -- } -- -- kfree(tmp); -- } -- -- return status; - } - - static efi_status_t virt_efi_set_variable(efi_char16_t *name, -@@ -241,34 +181,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name, - unsigned long data_size, - void *data) - { -- efi_status_t status; -- u32 orig_attr = 0; -- unsigned long orig_size = 0; -- -- status = virt_efi_get_variable(name, vendor, &orig_attr, &orig_size, -- NULL); -- -- if (status != EFI_BUFFER_TOO_SMALL) -- orig_size = 0; -- -- status = efi_call_virt5(set_variable, -- name, vendor, attr, -- data_size, data); -- -- if (status == EFI_SUCCESS) { -- if (orig_size) { -- active_size -= orig_size; -- active_size -= ucs2_strsize(name, 1024); -- active_size -= VAR_METADATA_SIZE; -- } -- if (data_size) { -- active_size += data_size; -- active_size += ucs2_strsize(name, 1024); -- active_size += VAR_METADATA_SIZE; -- } -- } -- -- return status; -+ return efi_call_virt5(set_variable, -+ name, vendor, attr, -+ data_size, data); - } - - static efi_status_t virt_efi_query_variable_info(u32 attr, -@@ -776,9 +691,6 @@ void __init efi_init(void) - char vendor[100] = "unknown"; - int i = 0; - void *tmp; -- struct setup_data *data; -- struct efi_var_bootdata *efi_var_data; -- u64 pa_data; - - #ifdef CONFIG_X86_32 - if (boot_params.efi_info.efi_systab_hi || -@@ -796,22 +708,6 @@ void __init efi_init(void) - if (efi_systab_init(efi_phys.systab)) - return; - -- pa_data = boot_params.hdr.setup_data; -- while (pa_data) { -- data = early_ioremap(pa_data, sizeof(*efi_var_data)); -- if (data->type == SETUP_EFI_VARS) { -- efi_var_data = (struct efi_var_bootdata *)data; -- -- efi_var_store_size = efi_var_data->store_size; -- efi_var_remaining_size = efi_var_data->remaining_size; -- efi_var_max_var_size = efi_var_data->max_var_size; -- } -- pa_data = data->next; -- early_iounmap(data, sizeof(*efi_var_data)); -- } -- -- boot_used_size = efi_var_store_size - efi_var_remaining_size; -- - set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); - - /* -@@ -1131,28 +1027,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) - if (status != EFI_SUCCESS) - return status; - -- if (!max_size && remaining_size > size) -- printk_once(KERN_ERR FW_BUG "Broken EFI implementation" -- " is returning MaxVariableSize=0\n"); - /* - * Some firmware implementations refuse to boot if there's insufficient - * space in the variable store. We account for that by refusing the - * write if permitting it would reduce the available space to under -- * 50%. However, some firmware won't reclaim variable space until -- * after the used (not merely the actively used) space drops below -- * a threshold. We can approximate that case with the value calculated -- * above. If both the firmware and our calculations indicate that the -- * available space would drop below 50%, refuse the write. -+ * 5KB. This figure was provided by Samsung, so should be safe. - */ -+ if ((remaining_size - size < 5120) && !efi_no_storage_paranoia) { -+ /* -+ * Triggering garbage collection may require that the firmware -+ * generate a real EFI_OUT_OF_RESOURCES error. We can force -+ * that by attempting to use more space than is available. -+ */ -+ unsigned long dummy_size = remaining_size + 1024; -+ void *dummy = kmalloc(dummy_size, GFP_ATOMIC); -+ efi_char16_t efi_name[6] = { 'D', 'U', 'M', 'M', 'Y', 0 }; -+ efi_guid_t guid = EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e, -+ 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92, -+ 0xa9); -+ -+ status = efi.set_variable(efi_name, &guid, attributes, -+ dummy_size, dummy); -+ -+ if (status == EFI_SUCCESS) { -+ /* -+ * This should have failed, so if it didn't make sure -+ * that we delete it... -+ */ -+ efi.set_variable(efi_name, &guid, attributes, 0, -+ dummy); -+ } - -- if (!storage_size || size > remaining_size || -- (max_size && size > max_size)) -- return EFI_OUT_OF_RESOURCES; -+ /* -+ * The runtime code may now have triggered a garbage collection -+ * run, so check the variable info again -+ */ -+ status = efi.query_variable_info(attributes, &storage_size, -+ &remaining_size, &max_size); - -- if (!efi_no_storage_paranoia && -- ((active_size + size + VAR_METADATA_SIZE > storage_size / 2) && -- (remaining_size - size < storage_size / 2))) -- return EFI_OUT_OF_RESOURCES; -+ if (status != EFI_SUCCESS) -+ return status; -+ -+ /* -+ * There still isn't enough room, so return an error -+ */ -+ if (remaining_size - size < 5120) -+ return EFI_OUT_OF_RESOURCES; -+ } - - return EFI_SUCCESS; - } --- -1.8.1.4 - diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch deleted file mode 100644 index 84249e5..0000000 --- a/b43-stop-format-string-leaking-into-error-msgs.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Fri, 10 May 2013 21:48:21 +0000 -Subject: b43: stop format string leaking into error msgs - -The module parameter "fwpostfix" is userspace controllable, unfiltered, -and is used to define the firmware filename. b43_do_request_fw() populates -ctx->errors[] on error, containing the firmware filename. b43err() -parses its arguments as a format string. For systems with b43 hardware, -this could lead to a uid-0 to ring-0 escalation. - -CVE-2013-2852 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: John W. Linville ---- -diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c -index 6dd07e2..a95b77a 100644 ---- a/drivers/net/wireless/b43/main.c -+++ b/drivers/net/wireless/b43/main.c -@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work) - for (i = 0; i < B43_NR_FWTYPES; i++) { - errmsg = ctx->errors[i]; - if (strlen(errmsg)) -- b43err(dev->wl, errmsg); -+ b43err(dev->wl, "%s", errmsg); - } - b43_print_fw_helptext(dev->wl, 1); - goto out; --- -cgit v0.9.2 diff --git a/config-generic b/config-generic index 69a1fd2..5b0b50c 100644 --- a/config-generic +++ b/config-generic @@ -1533,7 +1533,7 @@ CONFIG_ATH9K_DEBUGFS=y CONFIG_ATH9K_HTC=m CONFIG_ATH9K_BTCOEX_SUPPORT=y # CONFIG_ATH9K_HTC_DEBUGFS is not set -CONFIG_ATH9K_RATE_CONTROL=y +CONFIG_ATH9K_LEGACY_RATE_CONTROL=y CONFIG_WIL6210=m CONFIG_WIL6210_ISR_COR=y CONFIG_CARL9170=m diff --git a/kernel.spec b/kernel.spec index 5a972a4..0be8f97 100644 --- a/kernel.spec +++ b/kernel.spec @@ -66,7 +66,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -720,9 +720,6 @@ Patch22070: net-tcp-bz857324.patch #rhbz 892811 Patch22247: ath9k_rx_dma_stop_check.patch -#rhbz 903192 -Patch22261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch - #rhbz 916544 Patch22263: 0001-drivers-crypto-nx-fix-init-race-alignmasks-and-GCM-b.patch @@ -740,9 +737,6 @@ Patch25007: fix-child-thread-introspection.patch #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#rhbz 964335 -Patch25026: Modify-UEFI-anti-bricking-code.patch - #CVE-2013-2140 rhbz 971146 971148 Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch @@ -752,9 +746,6 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2852 rhbz 969518 971665 -Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch - #CVE-2013-2851 rhbz 969515 971662 Patch25035: block-do-not-pass-disk-names-as-format-strings.patch @@ -1449,9 +1440,6 @@ ApplyPatch net-tcp-bz857324.patch #rhbz 892811 ApplyPatch ath9k_rx_dma_stop_check.patch -#rhbz 903192 -ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch - #rhbz 916544 ApplyPatch 0001-drivers-crypto-nx-fix-init-race-alignmasks-and-GCM-b.patch @@ -1469,9 +1457,6 @@ ApplyPatch fix-child-thread-introspection.patch #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#rhbz 964335 -ApplyPatch Modify-UEFI-anti-bricking-code.patch - #CVE-2013-2140 rhbz 971146 971148 ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch @@ -1481,9 +1466,6 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2852 rhbz 969518 971665 -ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch - #CVE-2013-2851 rhbz 969515 971662 ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch @@ -2355,6 +2337,9 @@ fi # '-' | | # '-' %changelog +* Thu Jun 20 2013 Justin M. Forbes +- Linux v3.9.7 + * Tue Jun 18 2013 Dave Jones - Disable MTRR sanitizer by default. diff --git a/sources b/sources index 803d88c..6a7aeb8 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -897cffc5167a561b38c6748e7f0a4215 patch-3.9.6.xz +74005c469fbd309ab631d981e2d3a6e7 patch-3.9.7.xz