diff --git a/TODO b/TODO index 652000e..8728760 100644 --- a/TODO +++ b/TODO @@ -1,5 +1,6 @@ Config TODOs: * review & disable a bunch of the I2C, RTC, DVB, SOUND options. +* Re-enable CONFIG_RELOCATABLE for 32bit builds with 3.4 Spec file TODOs: diff --git a/config-x86-32-generic b/config-x86-32-generic index 3fd696c..3a6a689 100644 --- a/config-x86-32-generic +++ b/config-x86-32-generic @@ -88,6 +88,9 @@ CONFIG_X86_LONGRUN=y CONFIG_X86_HT=y CONFIG_X86_TRAMPOLINE=y +# Turn back on in 3.4 +# CONFIG_RELOCATABLE is not set + # CONFIG_4KSTACKS is not set diff --git a/dl2k-Clean-up-rio_ioctl.patch b/dl2k-Clean-up-rio_ioctl.patch deleted file mode 100644 index 2ef4eed..0000000 --- a/dl2k-Clean-up-rio_ioctl.patch +++ /dev/null 
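Review bot: The comment added in config-x86-32-generic, `# Turn back on in 3.4`, says when to revert but not why CONFIG_RELOCATABLE is being switched off for 32-bit builds. Neither the TODO line nor the changelog entry cites a bug or failure either. I would extend it to something like `# Disabled for 3.3.7: <reason, rhbz number - placeholder>. Turn back on in 3.4` so the next rebase can tell whether the condition still holds. A non-relocatable image can only run at its compile-time load address, so it is also worth checking whether kdump/crash-kernel capture on i686 is affected (not visible from this diff) and saying so in the changelog if it is.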
@@ -1,120 +0,0 @@ -From 1bb57e940e1958e40d51f2078f50c3a96a9b2d75 Mon Sep 17 00:00:00 2001 -From: Jeff Mahoney -Date: Wed, 25 Apr 2012 14:32:09 +0000 -Subject: [PATCH] dl2k: Clean up rio_ioctl - -The dl2k driver's rio_ioctl call has a few issues: -- No permissions checking -- Implements SIOCGMIIREG and SIOCGMIIREG using the SIOCDEVPRIVATE numbers -- Has a few ioctls that may have been used for debugging at one point - but have no place in the kernel proper. - -This patch removes all but the MII ioctls, renumbers them to use the -standard ones, and adds the proper permission check for SIOCSMIIREG. - -We can also get rid of the dl2k-specific struct mii_data in favor of -the generic struct mii_ioctl_data. - -Since we have the phyid on hand, we can add the SIOCGMIIPHY ioctl too. - -Most of the MII code for the driver could probably be converted to use -the generic MII library but I don't have a device to test the results. - -Reported-by: Stephan Mueller -Signed-off-by: Jeff Mahoney -Signed-off-by: David S. 
Miller ---- - drivers/net/ethernet/dlink/dl2k.c | 52 ++++++------------------------------ - drivers/net/ethernet/dlink/dl2k.h | 7 ----- - 2 files changed, 9 insertions(+), 50 deletions(-) - -diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c -index b2dc2c8..2e09edb 100644 ---- a/drivers/net/ethernet/dlink/dl2k.c -+++ b/drivers/net/ethernet/dlink/dl2k.c -@@ -1259,55 +1259,21 @@ rio_ioctl (struct net_device *dev, struct ifreq *rq, int cmd) - { - int phy_addr; - struct netdev_private *np = netdev_priv(dev); -- struct mii_data *miidata = (struct mii_data *) &rq->ifr_ifru; -- -- struct netdev_desc *desc; -- int i; -+ struct mii_ioctl_data *miidata = if_mii(rq); - - phy_addr = np->phy_addr; - switch (cmd) { -- case SIOCDEVPRIVATE: -- break; -- -- case SIOCDEVPRIVATE + 1: -- miidata->out_value = mii_read (dev, phy_addr, miidata->reg_num); -+ case SIOCGMIIPHY: -+ miidata->phy_id = phy_addr; - break; -- case SIOCDEVPRIVATE + 2: -- mii_write (dev, phy_addr, miidata->reg_num, miidata->in_value); -+ case SIOCGMIIREG: -+ miidata->val_out = mii_read (dev, phy_addr, miidata->reg_num); - break; -- case SIOCDEVPRIVATE + 3: -- break; -- case SIOCDEVPRIVATE + 4: -- break; -- case SIOCDEVPRIVATE + 5: -- netif_stop_queue (dev); -+ case SIOCSMIIREG: -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ mii_write (dev, phy_addr, miidata->reg_num, miidata->val_in); - break; -- case SIOCDEVPRIVATE + 6: -- netif_wake_queue (dev); -- break; -- case SIOCDEVPRIVATE + 7: -- printk -- ("tx_full=%x cur_tx=%lx old_tx=%lx cur_rx=%lx old_rx=%lx\n", -- netif_queue_stopped(dev), np->cur_tx, np->old_tx, np->cur_rx, -- np->old_rx); -- break; -- case SIOCDEVPRIVATE + 8: -- printk("TX ring:\n"); -- for (i = 0; i < TX_RING_SIZE; i++) { -- desc = &np->tx_ring[i]; -- printk -- ("%02x:cur:%08x next:%08x status:%08x frag1:%08x frag0:%08x", -- i, -- (u32) (np->tx_ring_dma + i * sizeof (*desc)), -- (u32)le64_to_cpu(desc->next_desc), -- (u32)le64_to_cpu(desc->status), -- 
(u32)(le64_to_cpu(desc->fraginfo) >> 32), -- (u32)le64_to_cpu(desc->fraginfo)); -- printk ("\n"); -- } -- printk ("\n"); -- break; -- - default: - return -EOPNOTSUPP; - } -diff --git a/drivers/net/ethernet/dlink/dl2k.h b/drivers/net/ethernet/dlink/dl2k.h -index ba0adca..30c2da3 100644 ---- a/drivers/net/ethernet/dlink/dl2k.h -+++ b/drivers/net/ethernet/dlink/dl2k.h -@@ -365,13 +365,6 @@ struct ioctl_data { - char *data; - }; - --struct mii_data { -- __u16 reserved; -- __u16 reg_num; -- __u16 in_value; -- __u16 out_value; --}; -- - /* The Rx and Tx buffer descriptors. */ - struct netdev_desc { - __le64 next_desc; --- -1.7.7.6 - diff --git a/dvbs-fix-zigzag.patch b/dvbs-fix-zigzag.patch deleted file mode 100644 index 4bc9daa..0000000 --- a/dvbs-fix-zigzag.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/drivers/media/dvb/dvb-core/dvb_frontend.c b/drivers/media/dvb/dvb-core/dvb_frontend.c -index 39696c6..de7dc29 100644 ---- a/drivers/media/dvb/dvb-core/dvb_frontend.c -+++ b/drivers/media/dvb/dvb-core/dvb_frontend.c -@@ -1898,6 +1898,10 @@ static int dtv_set_frontend(struct dvb_frontend *fe) - } else { - /* default values */ - switch (c->delivery_system) { -+ case SYS_DVBS: -+ case SYS_DVBS2: -+ case SYS_ISDBS: -+ case SYS_TURBO: - case SYS_DVBC_ANNEX_A: - case SYS_DVBC_ANNEX_C: - fepriv->min_delay = HZ / 20; diff --git a/kernel.spec b/kernel.spec index 9f2d1f3..fd1a987 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 5 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching 
@@ -66,7 +66,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -698,7 +698,6 @@ Patch2802: linux-2.6-silence-acpi-blacklist.patch # media patches Patch2900: add-poll-requested-events.patch Patch2901: drivers-media-update.patch -Patch2902: dvbs-fix-zigzag.patch # fs fixes Patch4000: ext4-fix-resize-when-resizing-within-single-group.patch @@ -717,10 +716,6 @@ Patch4113: NFS-optimise-away-unnecessary-setattrs-for-open-O_TRUNC.patch Patch4114: NFSv4-fix-open-O_TRUNC-and-ftruncate-error-handling.patch Patch4115: NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch -#rhbz 822874 -Patch4116: nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch -Patch4117: nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch - # patches headed upstream Patch10000: fs-proc-devtree-remove_proc_entry.patch @@ -803,9 +798,6 @@ Patch22013: ipw2x00-add-supported-cipher-suites-to-wiphy-initialization.patch Patch22014: efifb-skip-DMI-checks-if-bootloader-knows.patch -#rhbz 818820 -Patch22016: dl2k-Clean-up-rio_ioctl.patch - #rhbz 726143 Patch22017: 0001-drm-radeon-don-t-mess-with-hot-plug-detect-for-eDP-o.patch @@ -1402,9 +1394,6 @@ ApplyPatch NFS-optimise-away-unnecessary-setattrs-for-open-O_TRUNC.patch ApplyPatch NFSv4-fix-open-O_TRUNC-and-ftruncate-error-handling.patch ApplyPatch NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch -ApplyPatch nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch -ApplyPatch nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch - # USB # WMI @@ -1491,7 +1480,6 @@ ApplyPatch quite-apm.patch # Media (V4L/DVB/IR) updates/fixes/experimental drivers # apply if non-empty ApplyPatch add-poll-requested-events.patch -ApplyPatch dvbs-fix-zigzag.patch ApplyOptionalPatch drivers-media-update.patch # Patches headed upstream 
@@ -1567,9 +1555,6 @@ ApplyPatch ipw2x00-add-supported-cipher-suites-to-wiphy-initialization.patch ApplyPatch efifb-skip-DMI-checks-if-bootloader-knows.patch -#rhbz 818820 -ApplyPatch dl2k-Clean-up-rio_ioctl.patch - #rhbz 726143 ApplyPatch 0001-drm-radeon-don-t-mess-with-hot-plug-detect-for-eDP-o.patch @@ -2436,6 +2421,10 @@ fi # '-' | | # '-' %changelog +* Mon May 21 2012 Justin M. Forbes 3.3.7-1 +- Linux 3.3.7 +- Disable CONFIG_RELOCATABLE for 32bit builds. Turn back on for 3.4 + * Fri May 18 2012 Josh Boyer - Additional fixes for CVE-2011-4131 (rhbz 822874 822869) diff --git a/nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch b/nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch deleted file mode 100644 index 2798b0d..0000000 --- a/nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch +++ /dev/null 
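Review bot: The new %changelog entry records the 3.3.7 rebase and the CONFIG_RELOCATABLE change, but not that this commit stops carrying three fixes. They are dl2k-Clean-up-rio_ioctl.patch (rhbz 818820), which adds the CAP_NET_ADMIN check on SIOCSMIIREG, and the two NFS GETACL bounds fixes (rhbz 822874), which the entry directly below lists under CVE-2011-4131. Presumably they were dropped because patch-3.3.7 already contains them, but nothing in the diff shows that, so it should be confirmed against the 3.3.7 stable changelog before the build goes out. I would add a line such as `- Drop dl2k and NFS GETACL patches, now in 3.3.7 (rhbz 818820 822874)` so the fix trail for those bugs stays auditable. The same applies to dvbs-fix-zigzag.patch, which is also removed without mention.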
@@ -1,85 +0,0 @@ -From 5794d21ef4639f0e33440927bb903f9598c21e92 Mon Sep 17 00:00:00 2001 -From: Sachin Prabhu -Date: Tue, 17 Apr 2012 14:36:40 +0100 -Subject: [PATCH] Avoid beyond bounds copy while caching ACL - -When attempting to cache ACLs returned from the server, if the bitmap -size + the ACL size is greater than a PAGE_SIZE but the ACL size itself -is smaller than a PAGE_SIZE, we can read past the buffer page boundary. - -Signed-off-by: Sachin Prabhu -Reported-by: Jian Li -Signed-off-by: Trond Myklebust ---- - fs/nfs/nfs4proc.c | 12 +++++------- - fs/nfs/nfs4xdr.c | 2 +- - 2 files changed, 6 insertions(+), 8 deletions(-) - -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index f5f125f..2ce0698 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -3628,16 +3628,16 @@ out: - return ret; - } - --static void nfs4_write_cached_acl(struct inode *inode, const char *buf, size_t acl_len) -+static void nfs4_write_cached_acl(struct inode *inode, struct page **pages, size_t pgbase, size_t acl_len) - { - struct nfs4_cached_acl *acl; - -- if (buf && acl_len <= PAGE_SIZE) { -+ if (pages && acl_len <= PAGE_SIZE) { - acl = kmalloc(sizeof(*acl) + acl_len, GFP_KERNEL); - if (acl == NULL) - goto out; - acl->cached = 1; -- memcpy(acl->data, buf, acl_len); -+ _copy_from_pages(acl->data, pages, pgbase, acl_len); - } else { - acl = kmalloc(sizeof(*acl), GFP_KERNEL); - if (acl == NULL) -@@ -3670,7 +3670,6 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu - struct nfs_getaclres res = { - .acl_len = buflen, - }; -- void *resp_buf; - struct rpc_message msg = { - .rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_GETACL], - .rpc_argp = &args, -@@ -3705,7 +3704,6 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu - * the page we send as a guess */ - if (buf == NULL) - res.acl_flags |= NFS4_ACL_LEN_REQUEST; -- resp_buf = page_address(pages[0]); - - dprintk("%s buf %p buflen %zu npages %d args.acl_len %zu\n", - __func__, 
buf, buflen, npages, args.acl_len); -@@ -3716,9 +3714,9 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu - - acl_len = res.acl_len - res.acl_data_offset; - if (acl_len > args.acl_len) -- nfs4_write_cached_acl(inode, NULL, acl_len); -+ nfs4_write_cached_acl(inode, NULL, 0, acl_len); - else -- nfs4_write_cached_acl(inode, resp_buf + res.acl_data_offset, -+ nfs4_write_cached_acl(inode, pages, res.acl_data_offset, - acl_len); - if (buf) { - ret = -ERANGE; -diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c -index 9312dd7..203c096 100644 ---- a/fs/nfs/nfs4xdr.c -+++ b/fs/nfs/nfs4xdr.c -@@ -4940,7 +4940,7 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req, - res->acl_len = attrlen; - goto out; - } -- dprintk("NFS: acl reply: attrlen %zu > page_len %u\n", -+ dprintk("NFS: acl reply: attrlen %u > page_len %zu\n", - attrlen, page_len); - return -EINVAL; - } --- -1.7.7.6 - diff --git a/nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch b/nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch deleted file mode 100644 index 7122e3b..0000000 --- a/nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 5a00689930ab975fdd1b37b034475017e460cf2a Mon Sep 17 00:00:00 2001 -From: Sachin Prabhu -Date: Tue, 17 Apr 2012 14:35:39 +0100 -Subject: [PATCH] Avoid reading past buffer when calling GETACL - -Bug noticed in commit -bf118a342f10dafe44b14451a1392c3254629a1f - -When calling GETACL, if the size of the bitmap array, the length -attribute and the acl returned by the server is greater than the -allocated buffer(args.acl_len), we can Oops with a General Protection -fault at _copy_from_pages() when we attempt to read past the pages -allocated. - -This patch allocates an extra PAGE for the bitmap and checks to see that -the bitmap + attribute_length + ACLs don't exceed the buffer space -allocated to it. - -Signed-off-by: Sachin Prabhu -Reported-by: Jian Li -[Trond: Fixed a size_t vs unsigned int printk() warning] -Signed-off-by: Trond Myklebust ---- - fs/nfs/nfs4proc.c | 16 ++++++++++------ - fs/nfs/nfs4xdr.c | 18 +++++++++++------- - 2 files changed, 21 insertions(+), 13 deletions(-) - -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 60d5f4c..f5f125f 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -3684,19 +3684,23 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu - if (npages == 0) - npages = 1; - -+ /* Add an extra page to handle the bitmap returned */ -+ npages++; -+ - for (i = 0; i < npages; i++) { - pages[i] = alloc_page(GFP_KERNEL); - if (!pages[i]) - goto out_free; - } -- if (npages > 1) { -- /* for decoding across pages */ -- res.acl_scratch = alloc_page(GFP_KERNEL); -- if (!res.acl_scratch) -- goto out_free; -- } -+ -+ /* for decoding across pages */ -+ res.acl_scratch = alloc_page(GFP_KERNEL); -+ if (!res.acl_scratch) -+ goto out_free; -+ - args.acl_len = npages * PAGE_SIZE; - args.acl_pgbase = 0; -+ - /* Let decode_getfacl know not to fail if the ACL data is larger than - * the page we send as a guess */ - if (buf == NULL) -diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c -index 
77fc5f9..9312dd7 100644 ---- a/fs/nfs/nfs4xdr.c -+++ b/fs/nfs/nfs4xdr.c -@@ -4902,11 +4902,19 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req, - bitmap[3] = {0}; - struct kvec *iov = req->rq_rcv_buf.head; - int status; -+ size_t page_len = xdr->buf->page_len; - - res->acl_len = 0; - if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0) - goto out; -+ - bm_p = xdr->p; -+ res->acl_data_offset = be32_to_cpup(bm_p) + 2; -+ res->acl_data_offset <<= 2; -+ /* Check if the acl data starts beyond the allocated buffer */ -+ if (res->acl_data_offset > page_len) -+ return -ERANGE; -+ - if ((status = decode_attr_bitmap(xdr, bitmap)) != 0) - goto out; - if ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0) -@@ -4916,28 +4924,24 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req, - return -EIO; - if (likely(bitmap[0] & FATTR4_WORD0_ACL)) { - size_t hdrlen; -- u32 recvd; - - /* The bitmap (xdr len + bitmaps) and the attr xdr len words - * are stored with the acl data to handle the problem of - * variable length bitmaps.*/ - xdr->p = bm_p; -- res->acl_data_offset = be32_to_cpup(bm_p) + 2; -- res->acl_data_offset <<= 2; - - /* We ignore &savep and don't do consistency checks on - * the attr length. Let userspace figure it out.... */ - hdrlen = (u8 *)xdr->p - (u8 *)iov->iov_base; - attrlen += res->acl_data_offset; -- recvd = req->rq_rcv_buf.len - hdrlen; -- if (attrlen > recvd) { -+ if (attrlen > page_len) { - if (res->acl_flags & NFS4_ACL_LEN_REQUEST) { - /* getxattr interface called with a NULL buf */ - res->acl_len = attrlen; - goto out; - } -- dprintk("NFS: acl reply: attrlen %u > recvd %u\n", -- attrlen, recvd); -+ dprintk("NFS: acl reply: attrlen %zu > page_len %u\n", -+ attrlen, page_len); - return -EINVAL; - } - xdr_read_pages(xdr, attrlen); --- -1.7.7.6 - diff --git a/sources b/sources index 755d90d..03cb562 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
 7133f5a2086a7d7ef97abac610c094f5 linux-3.3.tar.xz
-a7f67e9c491403906e4bb475de194631 patch-3.3.6.xz
+622a3b43238559aeb778279969631260 patch-3.3.7.xz