From 7760c97dcd30271ac11cb9be2df5ffc380868700 Mon Sep 17 00:00:00 2001
From: Chuck Ebbert
Date: Aug 03 2011 21:54:26 +0000
Subject: Linux 2.6.35.14
---
diff --git a/.gitignore b/.gitignore
index c2fd413..8043b13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ patch-*.bz2
 clog
 *.rpm
 kernel-2.6.*/
+kernel-3.*/
diff --git a/agp-fix-arbitrary-kernel-memory-writes.patch b/agp-fix-arbitrary-kernel-memory-writes.patch
deleted file mode 100644
index 35d6d1a..0000000
--- a/agp-fix-arbitrary-kernel-memory-writes.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From: Vasiliy Kulikov -Date: Thu, 14 Apr 2011 16:55:16 +0000 (+0400) -Subject: agp: fix arbitrary kernel memory writes -X-Git-Tag: v2.6.39-rc5~29^2 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=194b3da873fd334ef183806db751473512af29ce - -agp: fix arbitrary kernel memory writes - -pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl -cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the -comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, -and it is not checked at all in case of AGPIOC_UNBIND. As a result, user -with sufficient privileges (usually "video" group) may generate either -local DoS or privilege escalation. - -Signed-off-by: Vasiliy Kulikov -Signed-off-by: Dave Airlie ---- - -diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c -index 850a643..b072648 100644 ---- a/drivers/char/agp/generic.c -+++ b/drivers/char/agp/generic.c -@@ -1095,8 +1095,8 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type) - return -EINVAL; - } - -- /* AK: could wrap */ -- if ((pg_start + mem->page_count) > num_entries) -+ if (((pg_start + mem->page_count) > num_entries) || -+ ((pg_start + mem->page_count) < pg_start)) - return -EINVAL; - - j = pg_start; -@@ -1130,7 +1130,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type) - { - size_t i; - struct agp_bridge_data *bridge; -- int mask_type; -+ int mask_type, num_entries; - - bridge = mem->bridge; - if (!bridge) -@@ -1142,6 +1142,11 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type) - if (type != mem->type) - return -EINVAL; - -+ num_entries = agp_num_entries(); -+ if (((pg_start + mem->page_count) > num_entries) || -+ ((pg_start + mem->page_count) < pg_start)) -+ return -EINVAL; -+ - mask_type = bridge->driver->agp_type_to_mask_type(bridge, type); - if (mask_type != 0) { - /* The generic 
routines know nothing of memory types */ diff --git a/agp-fix-oom-and-buffer-overflow.patch b/agp-fix-oom-and-buffer-overflow.patch deleted file mode 100644 index 7ca5956..0000000 --- a/agp-fix-oom-and-buffer-overflow.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From: Vasiliy Kulikov -Date: Thu, 14 Apr 2011 16:55:19 +0000 (+0400) -Subject: agp: fix OOM and buffer overflow -X-Git-Tag: v2.6.39-rc5~29^2~1 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=b522f02184b413955f3bc952e3776ce41edc6355 - -agp: fix OOM and buffer overflow - -page_count is copied from userspace. agp_allocate_memory() tries to -check whether this number is too big, but doesn't take into account the -wrap case. Also agp_create_user_memory() doesn't check whether -alloc_size is calculated from num_agp_pages variable without overflow. -This may lead to allocation of too small buffer with following buffer -overflow. - -Another problem in agp code is not addressed in the patch - kernel memory -exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked -whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()). -Each allocation is limited to 16KB, though, there is no per-process limit. -This might lead to OOM situation, which is not even solved in case of the -caller death by OOM killer - the memory is allocated for another (faked) process. 
- -Signed-off-by: Vasiliy Kulikov -Signed-off-by: Dave Airlie ---- - -diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c -index 012cba0..850a643 100644 ---- a/drivers/char/agp/generic.c -+++ b/drivers/char/agp/generic.c -@@ -115,6 +115,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages) - struct agp_memory *new; - unsigned long alloc_size = num_agp_pages*sizeof(struct page *); - -+ if (INT_MAX/sizeof(struct page *) < num_agp_pages) -+ return NULL; -+ - new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL); - if (new == NULL) - return NULL; -@@ -234,11 +237,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge, - int scratch_pages; - struct agp_memory *new; - size_t i; -+ int cur_memory; - - if (!bridge) - return NULL; - -- if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp) -+ cur_memory = atomic_read(&bridge->current_memory_agp); -+ if ((cur_memory + page_count > bridge->max_memory_agp) || -+ (cur_memory + page_count < page_count)) - return NULL; - - if (type >= AGP_USER_TYPES) { diff --git a/btusb-macbookpro-6-2.patch b/btusb-macbookpro-6-2.patch deleted file mode 100644 index 9b452f7..0000000 --- a/btusb-macbookpro-6-2.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From kernel-bounces@lists.fedoraproject.org Fri Sep 17 17:09:15 2010 -From: Will Woods -To: Marcel Holtmann -Subject: [PATCH 2/2] bluetooth: add support for controller in MacBookPro6,2 -Date: Fri, 17 Sep 2010 17:09:21 -0400 - -Once again the device class is ff(vend.) instead of e0(wlcon). - -output from 'usb-devices': -T: Bus=01 Lev=03 Prnt=03 Port=02 Cnt=03 Dev#= 8 Spd=12 MxCh= 0 -D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 -P: Vendor=05ac ProdID=8218 Rev=00.22 -S: Manufacturer=Apple Inc. -S: Product=Bluetooth USB Host Controller -C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA -I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none) -I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) -I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) -I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) - -Signed-off-by: Will Woods ---- - drivers/bluetooth/btusb.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c -index eac44e4..320e798 100644 ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -65,6 +65,9 @@ static struct usb_device_id btusb_table[] = { - /* Apple iMac11,1 */ - { USB_DEVICE(0x05ac, 0x8215) }, - -+ /* Apple MacBookPro6,2 */ -+ { USB_DEVICE(0x05ac, 0x8218) }, -+ - /* Apple MacBookPro8,2 */ - { USB_DEVICE(0x05ac, 0x821a) }, - --- -1.7.2.3 diff --git a/btusb-macbookpro-7-1.patch b/btusb-macbookpro-7-1.patch deleted file mode 100644 index 3e07dd5..0000000 --- a/btusb-macbookpro-7-1.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From kernel-bounces@lists.fedoraproject.org Fri Sep 17 17:09:18 2010 -From: Will Woods -To: Marcel Holtmann -Subject: [PATCH 1/2] bluetooth: add support for controller in MacBookPro7,1 -Date: Fri, 17 Sep 2010 17:09:20 -0400 - -As with iMac11,1 the device class is ff(vend.) instead of e0(wlcon). - -output from 'usb-devices': -T: Bus=04 Lev=02 Prnt=04 Port=00 Cnt=01 Dev#= 5 Spd=12 MxCh= 0 -D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 -P: Vendor=05ac ProdID=8213 Rev=01.86 -S: Manufacturer=Apple Inc. -S: Product=Bluetooth USB Host Controller -S: SerialNumber=58B0359C28ED -C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA -I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb -I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) -I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=00 Driver=(none) - -Signed-off-by: Will Woods ---- - drivers/bluetooth/btusb.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c -index d22ce3c..eac44e4 100644 ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -59,6 +59,9 @@ static struct usb_device_id btusb_table[] = { - /* Generic Bluetooth USB device */ - { USB_DEVICE_INFO(0xe0, 0x01, 0x01) }, - -+ /* Apple MacBookPro7,1 */ -+ { USB_DEVICE(0x05ac, 0x8213) }, -+ - /* Apple iMac11,1 */ - { USB_DEVICE(0x05ac, 0x8215) }, - --- -1.7.2.3 diff --git a/cifs-add-fallback-in-is_path_accessible-for-old-servers.patch b/cifs-add-fallback-in-is_path_accessible-for-old-servers.patch deleted file mode 100644 index 1964c0c..0000000 --- a/cifs-add-fallback-in-is_path_accessible-for-old-servers.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From: Jeff Layton -Date: Tue, 17 May 2011 10:40:30 +0000 (-0400) -Subject: cifs: add fallback in is_path_accessible for old servers -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=221d1d797202984cb874e3ed9f1388593d34ee22 - -cifs: add fallback in is_path_accessible for old servers - -The is_path_accessible check uses a QPathInfo call, which isn't -supported by ancient win9x era servers. Fall back to an older -SMBQueryInfo call if it fails with the magic error codes. - -Cc: stable@kernel.org -Reported-and-Tested-by: Sandro Bonazzola -Signed-off-by: Jeff Layton -Signed-off-by: Steve French ---- - -diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c -index 05f1dcf..277262a 100644 ---- a/fs/cifs/connect.c -+++ b/fs/cifs/connect.c -@@ -2673,6 +2673,11 @@ is_path_accessible(int xid, struct cifsTconInfo *tcon, - 0 /* not legacy */, cifs_sb->local_nls, - cifs_sb->mnt_cifs_flags & - CIFS_MOUNT_MAP_SPECIAL_CHR); -+ -+ if (rc == -EOPNOTSUPP || rc == -EINVAL) -+ rc = SMBQueryInformation(xid, tcon, full_path, pfile_info, -+ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags & -+ CIFS_MOUNT_MAP_SPECIAL_CHR); - kfree(pfile_info); - return rc; - } diff --git a/dccp-handle-invalid-feature-options-length.patch b/dccp-handle-invalid-feature-options-length.patch deleted file mode 100644 index 48f66a3..0000000 --- a/dccp-handle-invalid-feature-options-length.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From a294865978b701e4d0d90135672749531b9a900d Mon Sep 17 00:00:00 2001 -From: Dan Rosenberg -Date: Fri, 6 May 2011 03:27:18 +0000 -Subject: dccp: handle invalid feature options length - -From: Dan Rosenberg - -commit a294865978b701e4d0d90135672749531b9a900d upstream. - -A length of zero (after subtracting two for the type and len fields) for -the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to -the subtraction. The subsequent code may read past the end of the -options value buffer when parsing. I'm unsure of what the consequences -of this might be, but it's probably not good. - -Signed-off-by: Dan Rosenberg -Acked-by: Gerrit Renker -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman - ---- - net/dccp/options.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/net/dccp/options.c -+++ b/net/dccp/options.c -@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk, - case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R: - if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */ - break; -+ if (len == 0) -+ goto out_invalid_option; - rc = dccp_feat_parse_options(sk, dreq, mandatory, opt, - *value, value + 1, len - 1); - if (rc) diff --git a/fix-i8k-inline-asm.patch b/fix-i8k-inline-asm.patch deleted file mode 100644 index 87fadc0..0000000 --- a/fix-i8k-inline-asm.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -commit 22d3243de86bc92d874abb7c5b185d5c47aba323 -Author: Jim Bos -Date: Mon Nov 15 21:22:37 2010 +0100 - - Fix gcc 4.5.1 miscompiling drivers/char/i8k.c (again) - - The fix in commit 6b4e81db2552 ("i8k: Tell gcc that *regs gets - clobbered") to work around the gcc miscompiling i8k.c to add "+m - (*regs)" caused register pressure problems and a build failure. - - Changing the 'asm' statement to 'asm volatile' instead should prevent - that and works around the gcc bug as well, so we can remove the "+m". - - [ Background on the gcc bug: a memory clobber fails to mark the function - the asm resides in as non-pure (aka "__attribute__((const))"), so if - the function does nothing else that triggers the non-pure logic, gcc - will think that that function has no side effects at all. As a result, - callers will be mis-compiled. - - Adding the "+m" made gcc see that it's not a pure function, and so - does "asm volatile". The problem was never really the need to mark - "*regs" as changed, since the memory clobber did that part - the - problem was just a bug in the gcc "pure" function analysis - Linus ] - - Signed-off-by: Jim Bos - Acked-by: Jakub Jelinek - Cc: Andi Kleen - Cc: Andreas Schwab - Signed-off-by: Linus Torvalds - -commit 6b4e81db2552bad04100e7d5ddeed7e848f53b48 -Author: Jim Bos -Date: Sat Nov 13 12:13:53 2010 +0100 - - i8k: Tell gcc that *regs gets clobbered - - More recent GCC caused the i8k driver to stop working, on Slackware - compiler was upgraded from gcc-4.4.4 to gcc-4.5.1 after which it didn't - work anymore, meaning the driver didn't load or gave total nonsensical - output. - - As it turned out the asm(..) statement forgot to mention it modifies the - *regs variable. - - Credits to Andi Kleen and Andreas Schwab for providing the fix. - - Signed-off-by: Jim Bos - Cc: Andi Kleen - Cc: Andreas Schwab - 
Signed-off-by: Linus Torvalds - ---- -diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c -index 3bc0eef..d72433f 100644 ---- a/drivers/char/i8k.c -+++ b/drivers/char/i8k.c -@@ -120,7 +120,7 @@ static int i8k_smm(struct smm_regs *regs) - int eax = regs->eax; - - #if defined(CONFIG_X86_64) -- asm("pushq %%rax\n\t" -+ asm volatile("pushq %%rax\n\t" - "movl 0(%%rax),%%edx\n\t" - "pushq %%rdx\n\t" - "movl 4(%%rax),%%ebx\n\t" -@@ -146,7 +146,7 @@ static int i8k_smm(struct smm_regs *regs) - : "a"(regs) - : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory"); - #else -- asm("pushl %%eax\n\t" -+ asm volatile("pushl %%eax\n\t" - "movl 0(%%eax),%%edx\n\t" - "push %%edx\n\t" - "movl 4(%%eax),%%ebx\n\t" -@@ -167,7 +167,8 @@ static int i8k_smm(struct smm_regs *regs) - "movl %%edx,0(%%eax)\n\t" - "lahf\n\t" - "shrl $8,%%eax\n\t" -- "andl $1,%%eax\n":"=a"(rc) -+ "andl $1,%%eax\n" -+ :"=a"(rc) - : "a"(regs) - : "%ebx", "%ecx", "%edx", "%esi", "%edi", "memory"); - #endif diff --git a/flexcop-fix-xlate_proc_name-warning.patch b/flexcop-fix-xlate_proc_name-warning.patch deleted file mode 100644 index 82b50a4..0000000 --- a/flexcop-fix-xlate_proc_name-warning.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -diff --git a/drivers/media/dvb/b2c2/flexcop-pci.c b/drivers/media/dvb/b2c2/flexcop-pci.c -index 227c020..7465308 100644 ---- a/drivers/media/dvb/b2c2/flexcop-pci.c -+++ b/drivers/media/dvb/b2c2/flexcop-pci.c -@@ -39,6 +39,7 @@ MODULE_PARM_DESC(debug, - - #define DRIVER_VERSION "0.1" - #define DRIVER_NAME "Technisat/B2C2 FlexCop II/IIb/III Digital TV PCI Driver" -+#define FLEXCOP_MODULE_NAME "b2c2-flexcop" - #define DRIVER_AUTHOR "Patrick Boettcher " - - struct flexcop_pci { -@@ -299,7 +300,7 @@ static int flexcop_pci_init(struct flexcop_pci *fc_pci) - return ret; - pci_set_master(fc_pci->pdev); - -- if ((ret = pci_request_regions(fc_pci->pdev, DRIVER_NAME)) != 0) -+ if ((ret = pci_request_regions(fc_pci->pdev, FLEXCOP_MODULE_NAME)) != 0) - goto err_pci_disable_device; - - fc_pci->io_mem = pci_iomap(fc_pci->pdev, 0, 0x800); -@@ -313,7 +314,7 @@ static int flexcop_pci_init(struct flexcop_pci *fc_pci) - pci_set_drvdata(fc_pci->pdev, fc_pci); - spin_lock_init(&fc_pci->irq_lock); - if ((ret = request_irq(fc_pci->pdev->irq, flexcop_pci_isr, -- IRQF_SHARED, DRIVER_NAME, fc_pci)) != 0) -+ IRQF_SHARED, FLEXCOP_MODULE_NAME, fc_pci)) != 0) - goto err_pci_iounmap; - - fc_pci->init_state |= FC_PCI_INIT; diff --git a/kernel.spec b/kernel.spec index 0ef4812..4735f32 100644 --- a/kernel.spec +++ b/kernel.spec @@ -48,7 +48,7 @@ Summary: The Linux kernel # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec). # scripts/rebase.sh should be made to do that for you, actually. # -%global baserelease 93 +%global baserelease 94 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -60,7 +60,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 13 +%define stable_update 14 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly 
@@ -757,17 +757,12 @@ Patch12080: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch Patch12085: fix-rcu_deref_check-warning.patch Patch12086: linux-2.6-cgroups-rcu.patch -Patch12517: flexcop-fix-xlate_proc_name-warning.patch - Patch12565: sched-05-avoid-side-effect-of-tickless-idle-on-update_cpu_load.patch Patch12570: sched-10-change-nohz-idle-load-balancing-logic-to-push-model.patch Patch12575: sched-15-update-rq-clock-for-nohz-balanced-cpus.patch Patch12580: sched-20-fix-rq-clock-synchronization-when-migrating-tasks.patch Patch12590: sched-30-sched-fix-nohz-balance-kick.patch -Patch13600: btusb-macbookpro-6-2.patch -Patch13601: btusb-macbookpro-7-1.patch - Patch13610: libata-it821x-dump-stack-on-cache-flush.patch Patch13630: dm-allow-setting-of-uuid-via-rename-if-not-already-set.patch @@ -782,8 +777,6 @@ Patch13642: mmc-add-ricoh-e822-pci-id.patch Patch13645: tpm-autodetect-itpm-devices.patch -Patch13652: fix-i8k-inline-asm.patch - Patch13660: rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch Patch13661: rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch 
@@ -830,31 +823,12 @@ Patch13710: linux-2.6-bonding-sysfs-warning.patch # rhbz#680791 Patch13711: md-fix-regression-resulting-in-delays-in-clearing-bits-in-a-bitmap.patch -Patch13713: virtio_net-add-schedule-check-to-napi_enable-call.patch - -# cve-2011-1745 -Patch13957: agp-fix-arbitrary-kernel-memory-writes.patch -# cve-2011-1746 -Patch13958: agp-fix-oom-and-buffer-overflow.patch -# CVE-2011-1494, CVE-2011-1495 -Patch13960: scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch - # fix credentials leakage regression (#700637) Patch13961: revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch Patch13962: af_netlink-add-needed-scm_destroy-after-scm_send.patch -# fix regression causing stalls on AMD processors in 2.6.35.13 -Patch13963: x86-amd-fix-arat-feature-setting-again.patch -Patch13964: x86-amd-arat-bug-on-sempron-workaround.patch - Patch13969: scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch -# fix bug in 2.6.35.13 with old windows servers -Patch13970: cifs-add-fallback-in-is_path_accessible-for-old-servers.patch - -# cve-2011-1770 -Patch13980: dccp-handle-invalid-feature-options-length.patch - # the rest of the pgoff wrap fix Patch13990: vm-fix-vm_pgoff-wrap-in-stack-expansion.patch @@ -1493,9 +1467,6 @@ ApplyPatch linux-2.6-v4l-dvb-build-lirc.patch # own patch ApplyPatch linux-2.6-v4l-dvb-backport-reverts.patch -# bz #575873 -ApplyPatch flexcop-fix-xlate_proc_name-warning.patch - # Fix DMA bug on via-velocity ApplyPatch linux-2.6-via-velocity-dma-fix.patch @@ -1528,9 +1499,6 @@ ApplyPatch sched-15-update-rq-clock-for-nohz-balanced-cpus.patch ApplyPatch sched-20-fix-rq-clock-synchronization-when-migrating-tasks.patch ApplyPatch sched-30-sched-fix-nohz-balance-kick.patch -ApplyPatch btusb-macbookpro-7-1.patch -ApplyPatch btusb-macbookpro-6-2.patch - # temporary patch, dump stack on failed it821x commands ApplyPatch libata-it821x-dump-stack-on-cache-flush.patch 
@@ -1549,8 +1517,6 @@ ApplyPatch mmc-add-ricoh-e822-pci-id.patch ApplyPatch tpm-autodetect-itpm-devices.patch -ApplyPatch fix-i8k-inline-asm.patch - ApplyPatch rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch ApplyPatch rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch @@ -1592,31 +1558,12 @@ ApplyPatch linux-2.6-bonding-sysfs-warning.patch # rhbz#680791 ApplyPatch md-fix-regression-resulting-in-delays-in-clearing-bits-in-a-bitmap.patch -ApplyPatch virtio_net-add-schedule-check-to-napi_enable-call.patch - -# cve-2011-1745 -ApplyPatch agp-fix-arbitrary-kernel-memory-writes.patch -# cve-2011-1746 -ApplyPatch agp-fix-oom-and-buffer-overflow.patch -# CVE-2011-1494, CVE-2011-1495 -ApplyPatch scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch - # fix credentials leakage regression (#700637) ApplyPatch revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch ApplyPatch af_netlink-add-needed-scm_destroy-after-scm_send.patch -# fix regression causing stalls on AMD processors in 2.6.35.13 -ApplyPatch x86-amd-fix-arat-feature-setting-again.patch -ApplyPatch x86-amd-arat-bug-on-sempron-workaround.patch - ApplyPatch scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch -# fix bug in 2.6.35.13 with old windows servers -ApplyPatch cifs-add-fallback-in-is_path_accessible-for-old-servers.patch - -# cve-2011-1770 -ApplyPatch dccp-handle-invalid-feature-options-length.patch - # the rest of the pgoff wrap fix ApplyPatch vm-fix-vm_pgoff-wrap-in-stack-expansion.patch 
@@ -2211,6 +2158,22 @@ fi # and build. %changelog +* Wed Aug 03 2011 Chuck Ebbert 2.6.35.14-94 +- Linux 2.6.35.14 +- Drop merged patches: + flexcop-fix-xlate_proc_name-warning.patch + btusb-macbookpro-6-2.patch + btusb-macbookpro-7-1.patch + fix-i8k-inline-asm.patch + virtio_net-add-schedule-check-to-napi_enable-call.patch + agp-fix-arbitrary-kernel-memory-writes.patch + agp-fix-oom-and-buffer-overflow.patch + scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch + x86-amd-arat-bug-on-sempron-workaround.patch + x86-amd-fix-arat-feature-setting-again.patch + cifs-add-fallback-in-is_path_accessible-for-old-servers.patch + dccp-handle-invalid-feature-options-length.patch + * Mon Jun 20 2011 Kyle McMartin 2.6.35.13-93 - [sgruszka@] iwlwifi: fix general 11n instability (#648732,#666646) diff --git a/linux-2.6-i386-nx-emulation.patch b/linux-2.6-i386-nx-emulation.patch index 224fe05..9ec8e35 100644 --- a/linux-2.6-i386-nx-emulation.patch +++ b/linux-2.6-i386-nx-emulation.patch @@ -141,8 +141,8 @@ set_user_gs(regs, 0); + regs->fs = 0; - set_fs(USER_DS); regs->ds = __USER_DS; + regs->es = __USER_DS; @@ -252,6 +255,11 @@ start_thread(struct pt_regs *regs, unsigned long new_ip, unsigned long new_sp) regs->cs = __USER_CS; regs->ip = new_ip; diff --git a/linux-2.6-v4l-dvb-update.patch b/linux-2.6-v4l-dvb-update.patch index 4e785fc..f6a94e4 100644 --- a/linux-2.6-v4l-dvb-update.patch +++ b/linux-2.6-v4l-dvb-update.patch @@ -187072,7 +187072,7 @@ diff -Naurp linux-2.6.35/drivers/media/video/uvc/uvc_queue.c linux-2.6.35.media/ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by -@@ -78,16 +78,51 @@ +@@ -78,16 +78,53 @@ * */ @@ -187103,6 +187103,8 @@ diff -Naurp linux-2.6.35/drivers/media/video/uvc/uvc_queue.c linux-2.6.35.media/ + } + + if (queue->count) { ++ uvc_queue_cancel(queue, 0); ++ INIT_LIST_HEAD(&queue->mainqueue); + vfree(queue->mem); + queue->count = 0; + } 
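Review bot: The `%changelog` entry added to kernel.spec lists the dropped patch files by name only, so the CVE identifiers carried by the removed spec comments (cve-2011-1745, cve-2011-1746, CVE-2011-1494, CVE-2011-1495, cve-2011-1770) no longer appear anywhere in the spec. Keeping them on the changelog lines, for example `agp-fix-arbitrary-kernel-memory-writes.patch (CVE-2011-1745)`, would let someone auditing the package see from the changelog which security fixes are now expected to come from the stable update. The entry also lists x86-amd-arat-bug-on-sempron-workaround.patch as merged, but the deleted file carries no upstream commit reference, so that one is worth confirming against patch-2.6.35.14. The changes to linux-2.6-i386-nx-emulation.patch and linux-2.6-v4l-dvb-update.patch, which look like context refreshes, are not mentioned; a line such as `- Refresh nx-emulation and v4l-dvb-update patches` would record them.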
@@ -187142,7 +187144,7 @@ diff -Naurp linux-2.6.35/drivers/media/video/uvc/uvc_queue.c linux-2.6.35.media/ queue->buffer[i].buf.field = V4L2_FIELD_NONE; queue->buffer[i].buf.memory = V4L2_MEMORY_MMAP; queue->buffer[i].buf.flags = 0; -@@ -151,28 +185,6 @@ done: +@@ -151,30 +185,6 @@ done: } /* @@ -187160,6 +187162,8 @@ diff -Naurp linux-2.6.35/drivers/media/video/uvc/uvc_queue.c linux-2.6.35.media/ - } - - if (queue->count) { +- uvc_queue_cancel(queue, 0); +- INIT_LIST_HEAD(&queue->mainqueue); - vfree(queue->mem); - queue->count = 0; - } diff --git a/scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch b/scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch deleted file mode 100644 index e63ef7f..0000000 --- a/scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From: Dan Rosenberg -Date: Tue, 5 Apr 2011 16:45:59 +0000 (-0400) -Subject: [SCSI] mpt2sas: prevent heap overflows and unchecked reads -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a1f74ae82d133ebb2aabb19d181944b4e83e9960 - -[trivial backport to 2.6.34] - -[SCSI] mpt2sas: prevent heap overflows and unchecked reads - -At two points in handling device ioctls via /dev/mpt2ctl, user-supplied -length values are used to copy data from userspace into heap buffers -without bounds checking, allowing controllable heap corruption and -subsequently privilege escalation. - -Additionally, user-supplied values are used to determine the size of a -copy_to_user() as well as the offset into the buffer to be read, with no -bounds checking, allowing users to read arbitrary kernel memory. - -Signed-off-by: Dan Rosenberg -Cc: stable@kernel.org -Acked-by: Eric Moore -Signed-off-by: James Bottomley ---- - -diff --git a/drivers/scsi/mpt2sas/mpt2sas_ctl.c b/drivers/scsi/mpt2sas/mpt2sas_ctl.c -index 1c6d2b4..d72f1f2 100644 ---- a/drivers/scsi/mpt2sas/mpt2sas_ctl.c -+++ b/drivers/scsi/mpt2sas/mpt2sas_ctl.c -@@ -688,6 +688,13 @@ _ctl_do_mpt_command(struct MPT2SAS_ADAPTER *ioc, - data_out_sz = karg.data_out_size; - data_in_sz = karg.data_in_size; - -+ /* Check for overflow and wraparound */ -+ if (karg.data_sge_offset * 4 > ioc->request_sz || -+ karg.data_sge_offset > (UINT_MAX / 4)) { -+ ret = -EINVAL; -+ goto out; -+ } -+ - /* copy in request message frame from user */ - if (copy_from_user(mpi_request, mf, karg.data_sge_offset*4)) { - printk(KERN_ERR "failure at %s:%d/%s()!\n", __FILE__, __LINE__, -@@ -1963,7 +1970,7 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state) - Mpi2DiagBufferPostReply_t *mpi_reply; - int rc, i; - u8 buffer_type; -- unsigned long timeleft; -+ unsigned long timeleft, request_size, copy_size; - u16 smid; - u16 ioc_status; - u8 issue_reset = 0; -@@ -1999,6 +2006,8 @@ 
_ctl_diag_read_buffer(void __user *arg, enum block_state state) - return -ENOMEM; - } - -+ request_size = ioc->diag_buffer_sz[buffer_type]; -+ - if ((karg.starting_offset % 4) || (karg.bytes_to_read % 4)) { - printk(MPT2SAS_ERR_FMT "%s: either the starting_offset " - "or bytes_to_read are not 4 byte aligned\n", ioc->name, -@@ -2006,13 +2015,23 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state) - return -EINVAL; - } - -+ if (karg.starting_offset > request_size) -+ return -EINVAL; -+ - diag_data = (void *)(request_data + karg.starting_offset); - dctlprintk(ioc, printk(MPT2SAS_DEBUG_FMT "%s: diag_buffer(%p), " - "offset(%d), sz(%d)\n", ioc->name, __func__, - diag_data, karg.starting_offset, karg.bytes_to_read)); - -+ /* Truncate data on requests that are too large */ -+ if ((diag_data + karg.bytes_to_read < diag_data) || -+ (diag_data + karg.bytes_to_read > request_data + request_size)) -+ copy_size = request_size - karg.starting_offset; -+ else -+ copy_size = karg.bytes_to_read; -+ - if (copy_to_user((void __user *)uarg->diagnostic_data, -- diag_data, karg.bytes_to_read)) { -+ diag_data, copy_size)) { - printk(MPT2SAS_ERR_FMT "%s: Unable to write " - "mpt_diag_read_buffer_t data @ %p\n", ioc->name, - __func__, diag_data); diff --git a/sources b/sources index 87a67d5..2f7e72c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 091abeb4684ce03d1d936851618687b6 linux-2.6.35.tar.bz2 -017e8564c850d950b91bb4ce94974c07 patch-2.6.35.13.bz2 +1f540c6bb638e1fff9de25648d063e4c patch-2.6.35.14.bz2 diff --git a/virtio_net-add-schedule-check-to-napi_enable-call.patch b/virtio_net-add-schedule-check-to-napi_enable-call.patch deleted file mode 100644 index c61dd36..0000000 --- a/virtio_net-add-schedule-check-to-napi_enable-call.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From b5740f0377e4fb924517b68f9a7ad7f5647fe8ac Mon Sep 17 00:00:00 2001 -From: Bruce Rogers -Date: Thu, 10 Feb 2011 11:03:31 -0800 -Subject: [PATCH] virtio_net: Add schedule check to napi_enable call - -Under harsh testing conditions, including low memory, the guest would -stop receiving packets. With this patch applied we no longer see any -problems in the driver while performing these tests for extended periods -of time. - -Make sure napi is scheduled subsequent to each napi_enable. - -Signed-off-by: Bruce Rogers -Signed-off-by: Olaf Kirch -Cc: stable@kernel.org -Signed-off-by: Rusty Russell -Signed-off-by: David S. Miller ---- - drivers/net/virtio_net.c | 27 ++++++++++++++++----------- - 1 files changed, 16 insertions(+), 11 deletions(-) - -diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c -index bb6b67f..1cf8da8 100644 ---- a/drivers/net/virtio_net.c -+++ b/drivers/net/virtio_net.c -@@ -446,6 +446,20 @@ static void skb_recv_done(struct virtqueue *rvq) - } - } - -+static void virtnet_napi_enable(struct virtnet_info *vi) -+{ -+ napi_enable(&vi->napi); -+ -+ /* If all buffers were filled by other side before we napi_enabled, we -+ * won't get another interrupt, so process any outstanding packets -+ * now. virtnet_poll wants re-enable the queue, so we disable here. -+ * We synchronize against interrupts via NAPI_STATE_SCHED */ -+ if (napi_schedule_prep(&vi->napi)) { -+ virtqueue_disable_cb(vi->rvq); -+ __napi_schedule(&vi->napi); -+ } -+} -+ - static void refill_work(struct work_struct *work) - { - struct virtnet_info *vi; -@@ -454,7 +468,7 @@ static void refill_work(struct work_struct *work) - vi = container_of(work, struct virtnet_info, refill.work); - napi_disable(&vi->napi); - still_empty = !try_fill_recv(vi, GFP_KERNEL); -- napi_enable(&vi->napi); -+ virtnet_napi_enable(vi); - - /* In theory, this can happen: if we don't get any buffers in - * we will *never* try to fill again. 
*/ -@@ -638,16 +652,7 @@ static int virtnet_open(struct net_device *dev) - { - struct virtnet_info *vi = netdev_priv(dev); - -- napi_enable(&vi->napi); -- -- /* If all buffers were filled by other side before we napi_enabled, we -- * won't get another interrupt, so process any outstanding packets -- * now. virtnet_poll wants re-enable the queue, so we disable here. -- * We synchronize against interrupts via NAPI_STATE_SCHED */ -- if (napi_schedule_prep(&vi->napi)) { -- virtqueue_disable_cb(vi->rvq); -- __napi_schedule(&vi->napi); -- } -+ virtnet_napi_enable(vi); - return 0; - } - --- -1.7.4.1 - diff --git a/x86-amd-arat-bug-on-sempron-workaround.patch b/x86-amd-arat-bug-on-sempron-workaround.patch deleted file mode 100644 index 262293b..0000000 --- a/x86-amd-arat-bug-on-sempron-workaround.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -724,6 +724,15 @@ bool cpu_has_amd_erratum(const int *erra - if (cpu->x86_vendor != X86_VENDOR_AMD) - return false; - -+ /* -+ * Temporary workaround for ARAT bug on Sempron. -+ * The BIOS clears the bit in OSVW, so the check -+ * fails, then ARAT gets set and when the processor -+ * uses C3 it hangs. Always return true for that CPU. -+ */ -+ if (cpu->x86 == 0x10 && cpu->x86_model == 6 && cpu->x86_mask == 2) -+ return true; -+ - if (osvw_id >= 0 && osvw_id < 65536 && - cpu_has(cpu, X86_FEATURE_OSVW)) { - u64 osvw_len; diff --git a/x86-amd-fix-arat-feature-setting-again.patch b/x86-amd-fix-arat-feature-setting-again.patch deleted file mode 100644 index 6d21701..0000000 --- a/x86-amd-fix-arat-feature-setting-again.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From: Borislav Petkov -Date: Tue, 17 May 2011 12:55:19 +0000 (+0200) -Subject: x86, AMD: Fix ARAT feature setting again -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=14fb57dccb6e1defe9f89a66f548fcb24c374c1d - -x86, AMD: Fix ARAT feature setting again - -Trying to enable the local APIC timer on early K8 revisions -uncovers a number of other issues with it, in conjunction with -the C1E enter path on AMD. Fixing those causes much more churn -and troubles than the benefit of using that timer brings so -don't enable it on K8 at all, falling back to the original -functionality the kernel had wrt to that. - -Reported-and-bisected-by: Nick Bowler -Cc: Boris Ostrovsky -Cc: Andreas Herrmann -Cc: Greg Kroah-Hartman -Cc: Hans Rosenfeld -Cc: Nick Bowler -Cc: Joerg-Volker-Peetz -Signed-off-by: Borislav Petkov -Link: http://lkml.kernel.org/r/1305636919-31165-3-git-send-email-bp@amd64.org -Signed-off-by: Ingo Molnar ---- - -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index 3532d3b..6f9d1f6 100644 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -613,7 +613,7 @@ static void __cpuinit init_amd(struct cpuinfo_x86 *c) - #endif - - /* As a rule processors have APIC timer running in deep C states */ -- if (c->x86 >= 0xf && !cpu_has_amd_erratum(amd_erratum_400)) -+ if (c->x86 > 0xf && !cpu_has_amd_erratum(amd_erratum_400)) - set_cpu_cap(c, X86_FEATURE_ARAT); - - /*