From 3c34bf7a1fcbd0c27a5ea4356b91e0a9062b7ebf Mon Sep 17 00:00:00 2001 From: Justin M. Forbes Date: Feb 27 2013 18:52:48 +0000 Subject: Linux v3.7.10 --- diff --git a/config-sparc64-generic b/config-sparc64-generic index e15e2ef..c53b644 100644 --- a/config-sparc64-generic +++ b/config-sparc64-generic @@ -214,4 +214,4 @@ CONFIG_BPF_JIT=y # CONFIG_CRYPTO_CAMELLIA_SPARC64 is not set # CONFIG_CRYPTO_DES_SPARC64 is not set # CONFIG_ASYMMETRIC_KEY_TYPE is not set - +# CONFIG_TRANSPARENT_HUGEPAGE is not set diff --git a/drm-i915-Fix-up-mismerge-of-3490ea5d-in-3.7.y.patch b/drm-i915-Fix-up-mismerge-of-3490ea5d-in-3.7.y.patch deleted file mode 100644 index bd232a5..0000000 --- a/drm-i915-Fix-up-mismerge-of-3490ea5d-in-3.7.y.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 3566b9ac5b4004af0e2b1c62c5ded1116b39d490 Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 18 Feb 2013 13:40:16 -0500 -Subject: [PATCH] drm/i915: Fix up mismerge of 3490ea5d in 3.7.y - -The 3.7.y version of this seems to have missed a hunk in i9xx_update_wm. - -Signed-off-by: Adam Jackson ---- - drivers/gpu/drm/i915/intel_pm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c -index 4e6a2b2..313088f 100644 ---- a/drivers/gpu/drm/i915/intel_pm.c -+++ b/drivers/gpu/drm/i915/intel_pm.c -@@ -1474,7 +1474,7 @@ static void i9xx_update_wm(struct drm_device *dev) - - fifo_size = dev_priv->display.get_fifo_size(dev, 0); - crtc = intel_get_crtc_for_plane(dev, 0); -- if (crtc->enabled && crtc->fb) { -+ if (intel_crtc_active(crtc)) { - planea_wm = intel_calculate_wm(crtc->mode.clock, - wm_info, fifo_size, - crtc->fb->bits_per_pixel / 8, --- -1.8.1.2 - diff --git a/kernel.spec b/kernel.spec index 0666d21..03b06a5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 106 +%global baserelease 101 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -66,7 +66,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -683,8 +683,6 @@ Patch1825: drm-i915-dp-stfu.patch Patch1826: drm-i915-tv-detect-hush.patch # d-i-n backport for https://bugzilla.redhat.com/show_bug.cgi?id=901951 Patch1827: drm-i915-lvds-reclock-fix.patch -# Fix a mismerge in 3.7.y -Patch1828: drm-i915-Fix-up-mismerge-of-3490ea5d-in-3.7.y.patch Patch1900: linux-2.6-intel-iommu-igfx.patch @@ -770,21 +768,12 @@ Patch22256: net-fix-infinite-loop-in-__skb_recv_datagram.patch #rhbz 844750 Patch22257: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch -#rhbz 906055 -Patch22258: perf-hists-Fix-period-symbol_conf.field_sep-display.patch - -#CVE-2013-1763 rhbz 915052,915057 -Patch22259: sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch - #rhbz 903192 Patch22261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch #rhbz 914737 Patch22262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch -#CVE-2013-1767 rhbz 915592,915716 -Patch22263: tmpfs-fix-use-after-free-of-mempolicy-object.patch - Patch23000: silence-brcmsmac-warning.patch #rhbz 812111 @@ -1435,7 +1424,6 @@ ApplyOptionalPatch drm-intel-next.patch ApplyPatch drm-i915-dp-stfu.patch ApplyPatch drm-i915-tv-detect-hush.patch ApplyPatch drm-i915-lvds-reclock-fix.patch -ApplyPatch drm-i915-Fix-up-mismerge-of-3490ea5d-in-3.7.y.patch ApplyPatch linux-2.6-intel-iommu-igfx.patch @@ -1509,24 +1497,15 @@ ApplyPatch net-fix-infinite-loop-in-__skb_recv_datagram.patch #rhbz 844750 ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch -#rhbz 906055 -ApplyPatch perf-hists-Fix-period-symbol_conf.field_sep-display.patch - #rhbz 812111 ApplyPatch alps-v2-3.7.patch -#CVE-2013-1763 rhbz 915052,915057 -ApplyPatch sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch - #rhbz 903192 ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch #rhbz 914737 ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch -#CVE-2013-1767 rhbz 915592,915716 -ApplyPatch tmpfs-fix-use-after-free-of-mempolicy-object.patch - ApplyPatch userns-avoid-recursion-in-put_user_ns.patch # END OF PATCH APPLICATIONS @@ -2384,6 +2363,9 @@ fi # '-' | | # '-' %changelog +* Wed Feb 27 2013 Justin M. Forbes - 3.7.10-101 +- Linux v3.7.10 + * Tue Feb 26 2013 Justin M. Forbes - Avoid recursion in put_user_ns, potential overflow diff --git a/perf-hists-Fix-period-symbol_conf.field_sep-display.patch b/perf-hists-Fix-period-symbol_conf.field_sep-display.patch deleted file mode 100644 index f81755c..0000000 --- a/perf-hists-Fix-period-symbol_conf.field_sep-display.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 755b5f5715c117f4723ec04a81a46da85c9179a3 Mon Sep 17 00:00:00 2001 -From: Jiri Olsa -Date: Sat, 20 Oct 2012 22:14:10 +0200 -Subject: [PATCH] perf hists: Fix period symbol_conf.field_sep display - -Upstream commit c0d246b85fc7d42688d7a5d999ea671777caf65b - -Currently we don't properly display hist data with symbol_conf.field_sep -separator. We need to display either space or separator. - -Signed-off-by: Jiri Olsa -Cc: Arnaldo Carvalho de Melo -Cc: Peter Zijlstra -Cc: Ingo Molnar -Cc: Paul Mackerras -Cc: Corey Ashford -Cc: Frederic Weisbecker -Cc: Namhyung Kim -Link: http://lkml.kernel.org/n/tip-cyggwys0bz5kqdowwvfd8h72@git.kernel.org -Signed-off-by: Arnaldo Carvalho de Melo ---- - tools/perf/ui/hist.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c -index f5a1e4f..947e20a 100644 ---- a/tools/perf/ui/hist.c -+++ b/tools/perf/ui/hist.c -@@ -363,11 +363,15 @@ int hist_entry__period_snprintf(struct perf_hpp *hpp, struct hist_entry *he, - if (!perf_hpp__format[i].cond) - continue; - -+ /* -+ * If there's no field_sep, we still need -+ * to display initial ' '. -+ */ - if (!sep || !first) { - ret = scnprintf(hpp->buf, hpp->size, "%s", sep ?: " "); - advance_hpp(hpp, ret); -+ } else - first = false; -- } - - if (color && perf_hpp__format[i].color) - ret = perf_hpp__format[i].color(hpp, he); --- -1.8.1.2 - diff --git a/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch b/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch deleted file mode 100644 index 7508a76..0000000 --- a/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch +++ /dev/null @@ -1,86 +0,0 @@ -Path: news.gmane.org!not-for-mail -From: Mathias Krause -Newsgroups: gmane.linux.network -Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] -Date: Sat, 23 Feb 2013 12:13:47 +0100 -Lines: 28 -Approved: news@gmane.org -Message-ID: <1361618028-9024-2-git-send-email-minipli@googlemail.com> -References: <1361618028-9024-1-git-send-email-minipli@googlemail.com> -NNTP-Posting-Host: plane.gmane.org -X-Trace: ger.gmane.org 1361618069 2156 80.91.229.3 (23 Feb 2013 11:14:29 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Sat, 23 Feb 2013 11:14:29 +0000 (UTC) -Cc: netdev@vger.kernel.org, Mathias Krause -To: "David S. Miller" -Original-X-From: netdev-owner@vger.kernel.org Sat Feb 23 12:14:49 2013 -Return-path: -Envelope-to: linux-netdev-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1U9D3z-0003H8-6Z - for linux-netdev-2@plane.gmane.org; Sat, 23 Feb 2013 12:14:43 +0100 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1757811Ab3BWLOQ (ORCPT ); - Sat, 23 Feb 2013 06:14:16 -0500 -Original-Received: from mail-bk0-f53.google.com ([209.85.214.53]:46309 "EHLO - mail-bk0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1757044Ab3BWLOM (ORCPT - ); Sat, 23 Feb 2013 06:14:12 -0500 -Original-Received: by mail-bk0-f53.google.com with SMTP id j10so635828bkw.40 - for ; Sat, 23 Feb 2013 03:14:11 -0800 (PST) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=googlemail.com; s=20120113; - h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to - :references; - bh=NM4oEi0qkLdUhxSK1IKpg60DjwOeNtHa0EKsIVngex0=; - b=xdMKHhwMk8BGqDXVGVKf/KcWjSwJajtfpzPDCVugS7vLJh2HtrJnhKiBOUta3XNtTK - ibjB4FQuAenC9ZjXfuEPdo4ct1CIQC2xN2sW/VmeqhYip/xDJ/csVRnX/BxNYWDTFkHo - Uva0peiyrsvR1W0oTeqNLQ1fYIm4f1UwYHzhouschB9mlYHfrCDQFuI7TDfOTUNN1lmY - D5T4vV1aWKsxHx1OYFSRS3aUo3l0Tyzx0zeSPJH+aL3mrhoBDc84RtjsmRafY7RiEXi8 - ropiUO1Q9ATcLZd1/2+L/ausYzkP7NiU16SdbkQWuZkP1J8nBK7n5pahlYnDcktklyGM - od5Q== -X-Received: by 10.204.149.196 with SMTP id u4mr2435753bkv.23.1361618051168; - Sat, 23 Feb 2013 03:14:11 -0800 (PST) -Original-Received: from jig.fritz.box (pD9EB2658.dip.t-dialin.net. [217.235.38.88]) - by mx.google.com with ESMTPS id gy3sm1474145bkc.16.2013.02.23.03.14.09 - (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); - Sat, 23 Feb 2013 03:14:10 -0800 (PST) -X-Mailer: git-send-email 1.7.10.4 -In-Reply-To: <1361618028-9024-1-git-send-email-minipli@googlemail.com> -Original-Sender: netdev-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: netdev@vger.kernel.org -Xref: news.gmane.org gmane.linux.network:260061 -Archived-At: - -Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY -with a family greater or equal then AF_MAX -- the array size of -sock_diag_handlers[]. The current code does not test for this -condition therefore is vulnerable to an out-of-bound access opening -doors for a privilege escalation. - -Signed-off-by: Mathias Krause ---- - net/core/sock_diag.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c -index 602cd63..750f44f 100644 ---- a/net/core/sock_diag.c -+++ b/net/core/sock_diag.c -@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - if (nlmsg_len(nlh) < sizeof(*req)) - return -EINVAL; - -+ if (req->sdiag_family >= AF_MAX) -+ return -EINVAL; -+ - hndl = sock_diag_lock_handler(req->sdiag_family); - if (hndl == NULL) - err = -ENOENT; --- -1.7.10.4 - diff --git a/sources b/sources index c375bc5..7b85431 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz -375fa67b3daba9e6040f13a0a29bf543 patch-3.7.9.xz +ffc885cf2fdedf1792b999d4ab5b8ba8 patch-3.7.10.xz diff --git a/tmpfs-fix-use-after-free-of-mempolicy-object.patch b/tmpfs-fix-use-after-free-of-mempolicy-object.patch deleted file mode 100644 index 56dbf8e..0000000 --- a/tmpfs-fix-use-after-free-of-mempolicy-object.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 Mon Sep 17 00:00:00 2001 -From: Greg Thelen -Date: Fri, 22 Feb 2013 16:36:01 -0800 -Subject: [PATCH] tmpfs: fix use-after-free of mempolicy object - -The tmpfs remount logic preserves filesystem mempolicy if the mpol=M -option is not specified in the remount request. A new policy can be -specified if mpol=M is given. - -Before this patch remounting an mpol bound tmpfs without specifying -mpol= mount option in the remount request would set the filesystem's -mempolicy object to a freed mempolicy object. - -To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: - # mkdir /tmp/x - - # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x - - # grep /tmp/x /proc/mounts - nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 - - # mount -o remount,size=200M nodev /tmp/x - - # grep /tmp/x /proc/mounts - nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 - # note ? garbage in mpol=... output above - - # dd if=/dev/zero of=/tmp/x/f count=1 - # panic here - -Panic: - BUG: unable to handle kernel NULL pointer dereference at (null) - IP: [< (null)>] (null) - [...] - Oops: 0010 [#1] SMP DEBUG_PAGEALLOC - Call Trace: - mpol_shared_policy_init+0xa5/0x160 - shmem_get_inode+0x209/0x270 - shmem_mknod+0x3e/0xf0 - shmem_create+0x18/0x20 - vfs_create+0xb5/0x130 - do_last+0x9a1/0xea0 - path_openat+0xb3/0x4d0 - do_filp_open+0x42/0xa0 - do_sys_open+0xfe/0x1e0 - compat_sys_open+0x1b/0x20 - cstar_dispatch+0x7/0x1f - -Non-debug kernels will not crash immediately because referencing the -dangling mpol will not cause a fault. Instead the filesystem will -reference a freed mempolicy object, which will cause unpredictable -behavior. - -The problem boils down to a dropped mpol reference below if -shmem_parse_options() does not allocate a new mpol: - - config = *sbinfo - shmem_parse_options(data, &config, true) - mpol_put(sbinfo->mpol) - sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ - -This patch avoids the crash by not releasing the mempolicy if -shmem_parse_options() doesn't create a new mpol. - -How far back does this issue go? I see it in both 2.6.36 and 3.3. I did -not look back further. - -Signed-off-by: Greg Thelen -Acked-by: Hugh Dickins -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds ---- - mm/shmem.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/mm/shmem.c b/mm/shmem.c -index 7162c58..5e2ff59 100644 ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -2486,6 +2486,7 @@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data) - unsigned long inodes; - int error = -EINVAL; - -+ config.mpol = NULL; - if (shmem_parse_options(data, &config, true)) - return error; - -@@ -2510,8 +2511,13 @@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data) - sbinfo->max_inodes = config.max_inodes; - sbinfo->free_inodes = config.max_inodes - inodes; - -- mpol_put(sbinfo->mpol); -- sbinfo->mpol = config.mpol; /* transfers initial ref */ -+ /* -+ * Preserve previous mempolicy unless mpol remount option was specified. -+ */ -+ if (config.mpol) { -+ mpol_put(sbinfo->mpol); -+ sbinfo->mpol = config.mpol; /* transfers initial ref */ -+ } - out: - spin_unlock(&sbinfo->stat_lock); - return error; --- -1.8.1.2 -