From cbdb312a9e7c96033af9643382fd375440afe81a Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Oct 22 2010 14:34:02 +0000 Subject: last minute f14 kernel fixes --- diff --git a/depessimize-rds_copy_page_user.patch b/depessimize-rds_copy_page_user.patch new file mode 100644 index 0000000..aec8bff --- /dev/null +++ b/depessimize-rds_copy_page_user.patch @@ -0,0 +1,78 @@ +From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 15 Oct 2010 11:09:28 -0700 +Subject: [PATCH] De-pessimize rds_page_copy_user + +Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and +the unsafe atomic user mode accessor functions. It's actually slower +than the straightforward code on any reasonable modern CPU. + +Back when the code was written (although probably not by the time it was +actually merged, though), 32-bit x86 may have been the dominant +architecture. And there kmap_atomic() can be a lot faster than kmap() +(unless you have very good locality, in which case the virtual address +caching by kmap() can overcome all the downsides). + +But these days, x86-64 may not be more populous, but it's getting there +(and if you care about performance, it's definitely already there - +you'd have upgraded your CPU's already in the last few years). And on +x86-64, the non-kmap_atomic() version is faster, simply because the code +is simpler and doesn't have the "re-try page fault" case. + +People with old hardware are not likely to care about RDS anyway, and +the optimization for the 32-bit case is simply buggy, since it doesn't +verify the user addresses properly. + +Reported-by: Dan Rosenberg +Acked-by: Andrew Morton +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds +--- + net/rds/page.c | 27 +++++++-------------------- + 1 files changed, 7 insertions(+), 20 deletions(-) + +diff --git a/net/rds/page.c b/net/rds/page.c +index 595a952..1dfbfea 100644 +--- a/net/rds/page.c ++++ b/net/rds/page.c +@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page, unsigned long offset, + unsigned long ret; + void *addr; + +- if (to_user) ++ addr = kmap(page); ++ if (to_user) { + rds_stats_add(s_copy_to_user, bytes); +- else ++ ret = copy_to_user(ptr, addr + offset, bytes); ++ } else { + rds_stats_add(s_copy_from_user, bytes); +- +- addr = kmap_atomic(page, KM_USER0); +- if (to_user) +- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes); +- else +- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes); +- kunmap_atomic(addr, KM_USER0); +- +- if (ret) { +- addr = kmap(page); +- if (to_user) +- ret = copy_to_user(ptr, addr + offset, bytes); +- else +- ret = copy_from_user(addr + offset, ptr, bytes); +- kunmap(page); +- if (ret) +- return -EFAULT; ++ ret = copy_from_user(addr + offset, ptr, bytes); + } ++ kunmap(page); + +- return 0; ++ return ret ? -EFAULT : 0; + } + EXPORT_SYMBOL_GPL(rds_page_copy_user); + +-- +1.7.3.2 + diff --git a/kernel.spec b/kernel.spec index e7b608d..1f85975 100644 --- a/kernel.spec +++ b/kernel.spec @@ -48,7 +48,7 @@ Summary: The Linux kernel # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec). # scripts/rebase.sh should be made to do that for you, actually. # -%global baserelease 46 +%global baserelease 47 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -769,6 +769,9 @@ Patch13640: sdhci-8-bit-data-transfer-width-support.patch Patch13641: mmc-make-sdhci-work-with-ricoh-mmc-controller.patch Patch13642: mmc-add-ricoh-e822-pci-id.patch +Patch13645: tpm-autodetect-itpm-devices.patch +Patch13646: depessimize-rds_copy_page_user.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1436,6 +1439,9 @@ ApplyPatch sdhci-8-bit-data-transfer-width-support.patch ApplyPatch mmc-make-sdhci-work-with-ricoh-mmc-controller.patch ApplyPatch mmc-add-ricoh-e822-pci-id.patch +ApplyPatch depessimize-rds_copy_page_user.patch +ApplyPatch tpm-autodetect-itpm-devices.patch + # END OF PATCH APPLICATIONS %endif @@ -2022,6 +2028,12 @@ fi # and build. %changelog +* Fri Oct 22 2010 Kyle McMartin 2.6.35.6-47 +- tpm-autodetect-itpm-devices.patch: Auto-fix TPM issues on various + laptops which prevented suspend/resume. +- depessimize-rds_copy_page_user.patch: Fix CVE-2010-3904, local + privilege escalation via RDS protocol. + * Mon Oct 18 2010 Kyle McMartin 2.6.35.6-46 - Add Ricoh e822 support. (rhbz#596475) Thanks to sgruszka@ for sending the patches in. diff --git a/tpm-autodetect-itpm-devices.patch b/tpm-autodetect-itpm-devices.patch new file mode 100644 index 0000000..57b5d07 --- /dev/null +++ b/tpm-autodetect-itpm-devices.patch @@ -0,0 +1,65 @@ +commit 8cf5102c84dba60b2ea29b7e89f1a65100e20bb9 +Author: Matthew Garrett +Date: Thu Oct 21 17:31:56 2010 -0400 + + tpm: Autodetect itpm devices + + Some Lenovos have TPMs that require a quirk to function correctly. This can + be autodetected by checking whether the device has a _HID of INTC0102. This + is an invalid PNPid, and as such is discarded by the pnp layer - however + it's still present in the ACPI code, so we can pull it out that way. This + means that the quirk won't be automatically applied on non-ACPI systems, + but without ACPI we don't have any way to identify the chip anyway so I + don't think that's a great concern. + + Signed-off-by: Matthew Garrett + +diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c +index 1030f84..c17a305 100644 +--- a/drivers/char/tpm/tpm_tis.c ++++ b/drivers/char/tpm/tpm_tis.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include "tpm.h" + + #define TPM_HEADER_SIZE 10 +@@ -78,6 +79,26 @@ enum tis_defaults { + static LIST_HEAD(tis_chips); + static DEFINE_SPINLOCK(tis_lock); + ++#ifdef CONFIG_ACPI ++static int is_itpm(struct pnp_dev *dev) ++{ ++ struct acpi_device *acpi = pnp_acpi_device(dev); ++ struct acpi_hardware_id *id; ++ ++ list_for_each_entry(id, &acpi->pnp.ids, list) { ++ if (!strcmp("INTC0102", id->id)) ++ return 1; ++ } ++ ++ return 0; ++} ++#else ++static int is_itpm(struct pnp_dev *dev) ++{ ++ return 0; ++} ++#endif ++ + static int check_locality(struct tpm_chip *chip, int l) + { + if ((ioread8(chip->vendor.iobase + TPM_ACCESS(l)) & +@@ -472,6 +493,9 @@ static int tpm_tis_init(struct device *dev, resource_size_t start, + "1.2 TPM (device-id 0x%X, rev-id %d)\n", + vendor >> 16, ioread8(chip->vendor.iobase + TPM_RID(0))); + ++ if (is_itpm(to_pnp_dev(dev))) ++ itpm = 1; ++ + if (itpm) + dev_info(dev, "Intel iTPM workaround enabled\n"); +