From bab409e09b2c4d87f92f6af7ec305e57ef578a25 Mon Sep 17 00:00:00 2001
From: Justin M. Forbes
Date: Jul 22 2013 17:33:25 +0000
Subject: Linux v3.10.2
---
diff --git a/fix-ext4-overflows.patch b/fix-ext4-overflows.patch
deleted file mode 100644
index f2a08eb..0000000
--- a/fix-ext4-overflows.patch
+++ /dev/null
@@ -1,207 +0,0 @@ -From 93f6b57df5d9dd8c0327cebc01f6c00dbcd6d2ff Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Fri, 31 May 2013 19:33:42 -0400 -Subject: [PATCH 1/4] ext4: fix data offset overflow on 32-bit archs in - ext4_inline_data_fiemap() - -On 32-bit archs when sector_t is defined as 32-bit the logic computing -data offset in ext4_inline_data_fiemap(). Fix that by properly typing -the shifted value. - -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o ---- - fs/ext4/inline.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c -index c0fd1a1..c46a01e 100644 ---- a/fs/ext4/inline.c -+++ b/fs/ext4/inline.c -@@ -1702,7 +1702,7 @@ int ext4_inline_data_fiemap(struct inode *inode, - if (error) - goto out; - -- physical = iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits; -+ physical = (__u64)iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits; - physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data; - physical += offsetof(struct ext4_inode, i_block); - length = i_size_read(inode); --- -1.8.3.1 - - -From 4d2cedb535bae3ada76a335540657e948f99d9c0 Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Fri, 31 May 2013 19:37:56 -0400 -Subject: [PATCH 2/4] ext4: fix overflows in SEEK_HOLE, SEEK_DATA - implementations - -ext4_lblk_t is just u32 so multiplying it by blocksize can easily -overflow for files larger than 4 GB. Fix that by properly typing the -block offsets before shifting. 
- -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o -Reviewed-by: Zheng Liu ---- - fs/ext4/file.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/fs/ext4/file.c b/fs/ext4/file.c -index 64848b5..b47ccf9 100644 ---- a/fs/ext4/file.c -+++ b/fs/ext4/file.c -@@ -311,7 +311,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, - blkbits = inode->i_sb->s_blocksize_bits; - startoff = *offset; - lastoff = startoff; -- endoff = (map->m_lblk + map->m_len) << blkbits; -+ endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits; - - index = startoff >> PAGE_CACHE_SHIFT; - end = endoff >> PAGE_CACHE_SHIFT; -@@ -456,7 +456,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) - ret = ext4_map_blocks(NULL, inode, &map, 0); - if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) { - if (last != start) -- dataoff = last << blkbits; -+ dataoff = (loff_t)last << blkbits; - break; - } - -@@ -467,7 +467,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) - ext4_es_find_delayed_extent(inode, last, &es); - if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) { - if (last != start) -- dataoff = last << blkbits; -+ dataoff = (loff_t)last << blkbits; - break; - } - -@@ -485,7 +485,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) - } - - last++; -- dataoff = last << blkbits; -+ dataoff = (loff_t)last << blkbits; - } while (last <= end); - - mutex_unlock(&inode->i_mutex); -@@ -539,7 +539,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) - ret = ext4_map_blocks(NULL, inode, &map, 0); - if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) { - last += ret; -- holeoff = last << blkbits; -+ holeoff = (loff_t)last << blkbits; - continue; - } - -@@ -550,7 +550,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) - ext4_es_find_delayed_extent(inode, last, &es); - if (es.es_len != 0 && 
in_range(last, es.es_lblk, es.es_len)) { - last = es.es_lblk + es.es_len; -- holeoff = last << blkbits; -+ holeoff = (loff_t)last << blkbits; - continue; - } - -@@ -565,7 +565,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) - &map, &holeoff); - if (!unwritten) { - last += ret; -- holeoff = last << blkbits; -+ holeoff = (loff_t)last << blkbits; - continue; - } - } --- -1.8.3.1 - - -From 114fe3b7fc9ca3ca00f774dd8705e8c802f39f14 Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Fri, 31 May 2013 19:38:56 -0400 -Subject: [PATCH 3/4] ext4: fix data offset overflow in ext4_xattr_fiemap() on - 32-bit archs - -On 32-bit architectures with 32-bit sector_t computation of data offset -in ext4_xattr_fiemap() can overflow resulting in reporting bogus data -location. Fix the problem by typing block number to proper type before -shifting. - -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o ---- - fs/ext4/extents.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c -index 9c6d06d..6bb303c 100644 ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -4605,7 +4605,7 @@ static int ext4_xattr_fiemap(struct inode *inode, - error = ext4_get_inode_loc(inode, &iloc); - if (error) - return error; -- physical = iloc.bh->b_blocknr << blockbits; -+ physical = (__u64)iloc.bh->b_blocknr << blockbits; - offset = EXT4_GOOD_OLD_INODE_SIZE + - EXT4_I(inode)->i_extra_isize; - physical += offset; -@@ -4613,7 +4613,7 @@ static int ext4_xattr_fiemap(struct inode *inode, - flags |= FIEMAP_EXTENT_DATA_INLINE; - brelse(iloc.bh); - } else { /* external block */ -- physical = EXT4_I(inode)->i_file_acl << blockbits; -+ physical = (__u64)EXT4_I(inode)->i_file_acl << blockbits; - length = inode->i_sb->s_blocksize; - } - --- -1.8.3.1 - - -From aeb72ff4b7fe084b4373d4a91d77d3bea8089627 Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Fri, 31 May 2013 19:39:56 -0400 -Subject: [PATCH 4/4] ext4: fix overflow when 
counting used blocks on 32-bit - architectures - -The arithmetics adding delalloc blocks to the number of used blocks in -ext4_getattr() can easily overflow on 32-bit archs as we first multiply -number of blocks by blocksize and then divide back by 512. Make the -arithmetics more clever and also use proper type (unsigned long long -instead of unsigned long). - -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o ---- - fs/ext4/inode.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index d69e954..e33e2d2 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -4616,7 +4616,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, - struct kstat *stat) - { - struct inode *inode; -- unsigned long delalloc_blocks; -+ unsigned long long delalloc_blocks; - - inode = dentry->d_inode; - generic_fillattr(inode, stat); -@@ -4634,7 +4634,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, - delalloc_blocks = EXT4_C2B(EXT4_SB(inode->i_sb), - EXT4_I(inode)->i_reserved_data_blocks); - -- stat->blocks += (delalloc_blocks << inode->i_sb->s_blocksize_bits)>>9; -+ stat->blocks += delalloc_blocks << (inode->i_sb->s_blocksize_bits-9); - return 0; - } - --- -1.8.3.1 - diff --git a/iwlwifi-pcie-fix-race-in-queue-unmapping.patch b/iwlwifi-pcie-fix-race-in-queue-unmapping.patch deleted file mode 100644 index ad9194a..0000000 --- a/iwlwifi-pcie-fix-race-in-queue-unmapping.patch +++ /dev/null 
@@ -1,56 +0,0 @@
-From: Emmanuel Grumbach
-
-When a queue is disabled, it frees all its entries. Later,
-the op_mode might still get notifications from the firmware
-that triggers to free entries in the tx queue. The transport
-should be prepared for these races and know to ignore
-reclaim calls on queues that have been disabled and whose
-entries have been freed.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Emmanuel Grumbach
-Signed-off-by: Johannes Berg
----
- drivers/net/wireless/iwlwifi/pcie/tx.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c
-index cb5c679..faaf77c 100644
---- a/drivers/net/wireless/iwlwifi/pcie/tx.c
-+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
-@@ -578,9 +578,12 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id)
-
- spin_lock_bh(&txq->lock);
- while (q->write_ptr != q->read_ptr) {
-+ IWL_DEBUG_TX_REPLY(trans, "Q %d Free %d\n",
-+ txq_id, q->read_ptr);
- iwl_pcie_txq_free_tfd(trans, txq);
- q->read_ptr = iwl_queue_inc_wrap(q->read_ptr, q->n_bd);
- }
-+ txq->active = false;
- spin_unlock_bh(&txq->lock);
- }
-
-@@ -929,6 +932,12 @@ void iwl_trans_pcie_reclaim(struct iwl_trans *trans, int txq_id, int ssn,
-
- spin_lock_bh(&txq->lock);
-
-+ if (!txq->active) {
-+ IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n",
-+ txq_id, ssn);
-+ goto out;
-+ }
-+
- if (txq->q.read_ptr == tfd_num)
- goto out;
-
-@@ -1105,6 +1114,7 @@ void iwl_trans_pcie_txq_enable(struct iwl_trans *trans, int txq_id, int fifo,
- (fifo << SCD_QUEUE_STTS_REG_POS_TXF) |
- (1 << SCD_QUEUE_STTS_REG_POS_WSL) |
- SCD_QUEUE_STTS_REG_MSK);
-+ trans_pcie->txq[txq_id].active = true;
- IWL_DEBUG_TX_QUEUES(trans, "Activate queue %d on FIFO %d WrPtr: %d\n",
- txq_id, fifo, ssn & 0xff);
- }
---
-1.7.11.7
diff --git a/iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch b/iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch deleted file mode 100644 index 661fc50..0000000 --- a/iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Emmanuel Grumbach - -When the queue is unmapped while it was so loaded that -mac80211's was stopped, we need to wake the queue after -having freed all the packets in the queue. -Not doing so can result in weird stuff like: - -* run lots of traffic (mac80211's queue gets stopped) -* RFKILL -* de-assert RFKILL -* no traffic - -Cc: stable@vger.kernel.org -Signed-off-by: Emmanuel Grumbach -Signed-off-by: Johannes Berg ---- - drivers/net/wireless/iwlwifi/pcie/tx.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c -index faaf77c..4e7b8d4 100644 ---- a/drivers/net/wireless/iwlwifi/pcie/tx.c -+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c -@@ -585,6 +585,9 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id) - } - txq->active = false; - spin_unlock_bh(&txq->lock); -+ -+ /* just in case - this queue may have been stopped */ -+ iwl_wake_queue(trans, txq); - } - - /* --- -1.7.11.7 diff --git a/kernel.spec b/kernel.spec index a9a1baa..1b16cf7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 1 +%define stable_update 2 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly 
@@ -747,9 +747,6 @@ Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch -Patch25050: iwlwifi-pcie-fix-race-in-queue-unmapping.patch -Patch25051: iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch - #rhbz 903741 Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch @@ -775,10 +772,7 @@ Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch -#rhbz 976837 -Patch25065: fix-ext4-overflows.patch - -Patch26000: cve-2013-4125.patch +Patch26000: cve-2013-4125.patch # END OF PATCH DEFINITIONS @@ -1475,9 +1469,6 @@ ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch -ApplyPatch iwlwifi-pcie-fix-race-in-queue-unmapping.patch -ApplyPatch iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch - #rhbz 903741 ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch @@ -1502,9 +1493,6 @@ ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch -#rhbz 976837 -ApplyPatch fix-ext4-overflows.patch - ApplyPatch cve-2013-4125.patch # END OF PATCH APPLICATIONS @@ -2315,6 +2303,9 @@ fi # and build. %changelog +* Mon Jul 22 2013 Justin M. Forbes 3.10.2-300 +- Linux v3.10.2 + * Fri Jul 19 2013 Dave Jones - CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664) diff --git a/sources b/sources index c68e1b2..736fd85 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz 0e7f2a767ef3b3643856c96af3409af3 patch-3.10.1.xz +0c94fa440515e289495909749d04aae4 patch-3.10.2.xz