From 14f0cc6e6324aa6a74e741d3525d9135c6a8334c Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Aug 22 2012 11:35:19 +0000
Subject: Linux v3.6-rc2-400-g23dcfa6 - CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
---
diff --git a/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch b/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
deleted file mode 100644
index 992bd25..0000000
--- a/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-
-Delivered-To: jwboyer@gmail.com
-Received: by 10.229.184.7 with SMTP id ci7csp32184qcb;
- Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
-Received: by 10.236.195.97 with SMTP id o61mr24210886yhn.17.1345531220620;
- Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
-Return-Path:
-Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28])
- by mx.google.com with ESMTP id c5si239413anp.5.2012.08.20.23.40.20;
- Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
-Received-SPF: pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28;
-Authentication-Results: mx.google.com; spf=pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) smtp.mail=airlied@redhat.com
-Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
- by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q7L6eJ4K014799
- (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
- Tue, 21 Aug 2012 02:40:19 -0400
-Received: from prime.bne.redhat.com (dhcp-41-76.bne.redhat.com [10.64.41.76])
- by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q7L6eFfB029177;
- Tue, 21 Aug 2012 02:40:16 -0400
-From: Dave Airlie
-To: linux-fbdev@vger.kernel.org
-Cc: dri-devel@lists.sf.net, linux-kernel@vger.kernel.org,
- Linus ,
- Alan Cox ,
- Randy Dunlap , Josh Boyer ,
- Dave Airlie
-Subject: [PATCH] fbcon: fix race condition between console lock and cursor timer
-Date: Tue, 21 Aug 2012 16:40:07 +1000
-Message-Id: <1345531207-24926-1-git-send-email-airlied@redhat.com>
-X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
-
-So we've had a fair few reports of fbcon handover breakage between
-efi/vesafb and i915 surface recently, so I dedicated a couple of
-days to finding the problem.
-
-Essentially the last thing we saw was the conflicting framebuffer
-message and that was all.
-
-So after much tracing with direct netconsole writes (printks
-under console_lock not so useful), I think I found the race.
-
-Thread A (driver load) Thread B (timer thread)
- unbind_con_driver -> |
- bind_con_driver -> |
- vc->vc_sw->con_deinit -> |
- fbcon_deinit -> |
- console_lock() |
- | |
- | fbcon_flashcursor timer fires
- | console_lock() <- blocked for A
- |
- |
-fbcon_del_cursor_timer ->
- del_timer_sync
- (BOOM)
-
-Of course because all of this is under the console lock,
-we never see anything, also since we also just unbound the active
-console guess what we never see anything.
-
-Hopefully this fixes the problem for anyone seeing vesafb->kms
-driver handoff.
-
-Signed-off-by: David Airlie
----
- drivers/video/console/fbcon.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
-index 2e471c2..f8a79fc 100644
---- a/drivers/video/console/fbcon.c
-+++ b/drivers/video/console/fbcon.c
-@@ -372,8 +372,12 @@ static void fb_flashcursor(struct work_struct *work)
- struct vc_data *vc = NULL;
- int c;
- int mode;
-+ int ret;
-+
-+ ret = console_trylock();
-+ if (ret == 0)
-+ return;
-
-- console_lock();
- if (ops && ops->currcon != -1)
- vc = vc_cons[ops->currcon].d;
-
---
-1.7.10.2
-
diff --git a/kernel.spec b/kernel.spec
index 9d3cc34..fe54e10 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 1
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 2
 # The git snapshot level
-%define gitrev 1
+%define gitrev 2
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -744,11 +744,6 @@ Patch22000: weird-root-dentry-name-debug.patch
 #selinux ptrace child permissions
 Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
-#rhbz 836742
-Patch22059: uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
-
-Patch22065: fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
-
 #rhbz 847548
 Patch22066: virtio-scsi-Initialize-scatterlist-structure.patch
@@ -1442,11 +1437,6 @@ ApplyPatch weird-root-dentry-name-debug.patch
 #selinux ptrace child permissions
 ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
-#rhbz 836742
-ApplyPatch uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
-
-ApplyPatch fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
-
 #rhbz 847548
 ApplyPatch virtio-scsi-Initialize-scatterlist-structure.patch
@@ -2315,6 +2305,10 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Wed Aug 22 2012 Josh Boyer - 3.6.0-0.rc2.git2.1
+- Linux v3.6-rc2-400-g23dcfa6
+- CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
+
 * Tue Aug 21 2012 Josh Boyer
 - Add patch from Dave Jones to fix suspicious RCU usage in SELinux (rhbz 846037)
 - Add patch from Richard W.M. Jones to fix virtio scsi oops (rhbz 847548)
diff --git a/sources b/sources
index 568d4bd..20584a4 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 24153eaaa81dedc9481ada8cd9c3b83d linux-3.5.tar.xz
 5f0ec612b5364c18386c1b8155c271ac patch-3.6-rc2.xz
-12edd20554fd9469c5d7fad9935ce0af patch-3.6-rc2-git1.xz
+35f27ef57826c644eb014ecda8f22870 patch-3.6-rc2-git2.xz
diff --git a/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch b/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
deleted file mode 100644
index 6606b7d..0000000
--- a/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
+++ /dev/null
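Review bot: The changelog entry added in the @@ -2315 hunk does not record that Patch22059 (uvcvideo, rhbz 836742) and Patch22065 (fbcon cursor-timer race) are dropped from both the Patch list and the ApplyPatch list in the @@ -744 and @@ -1442 hunks, so the spec history will not say why those two fixes disappeared. Likewise the CVE-2012-3520 fix named in the changelog is not carried as a patch anywhere in this diff; presumably both the dropped patches and the CVE fix arrive through the patch-3.6-rc2-git2.xz snapshot referenced in `sources`, but that should be stated rather than left to be inferred by whoever audits which CVE fix landed in which build. Suggest one more bullet under the new changelog entry, e.g. `- Drop uvcvideo (rhbz 836742) and fbcon cursor timer patches, now in the upstream snapshot` (wording to confirm against the snapshot contents).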
@@ -1,36 +0,0 @@
-From 3771973542a4807b251352253ed22c50e688e573 Mon Sep 17 00:00:00 2001
-From: Jayakrishnan Memana
-Date: Sun, 15 Jul 2012 15:54:03 +0200
-Subject: [PATCH] uvcvideo: Reset the bytesused field when recycling an erroneous buffer
-
-Buffers marked as erroneous are recycled immediately by the driver if
-the nodrop module parameter isn't set. The buffer payload size is reset
-to 0, but the buffer bytesused field isn't. This results in the buffer
-being immediately considered as complete, leading to an infinite loop in
-interrupt context.
-
-Fix the problem by resetting the bytesused field when recycling the
-buffer.
-
-Cc:
-Signed-off-by: Jayakrishnan Memana
-Signed-off-by: Laurent Pinchart
----
- drivers/media/video/uvc/uvc_queue.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/drivers/media/video/uvc/uvc_queue.c b/drivers/media/video/uvc/uvc_queue.c
-index 9288fbd..5577381 100644
---- a/drivers/media/video/uvc/uvc_queue.c
-+++ b/drivers/media/video/uvc/uvc_queue.c
-@@ -338,6 +338,7 @@ struct uvc_buffer *uvc_queue_next_buffer(struct uvc_video_queue *queue,
- if ((queue->flags & UVC_QUEUE_DROP_CORRUPTED) && buf->error) {
- buf->error = 0;
- buf->state = UVC_BUF_STATE_QUEUED;
-+ buf->bytesused = 0;
- vb2_set_plane_payload(&buf->buf, 0, 0);
- return buf;
- }
---
-1.7.2.5
-