authorMichael Young <m.a.young@durham.ac.uk>2010-10-23 13:41:44 +0100
committerMichael Young <m.a.young@durham.ac.uk>2010-10-23 13:41:44 +0100
commit674c686daedf0934080c67664d9411082da3525a (patch)
treec01df15b2b2e00a6eb1b87fe32ae4c372e8eb197
parenta2e75552dbcdcb283115d8211e546f39e79c5a16 (diff)
parentf69fa2ae2c275cccd43a9935f9188d50b5c27cc0 (diff)
downloaddom0-kernel-674c686daedf0934080c67664d9411082da3525a.tar.gz
dom0-kernel-674c686daedf0934080c67664d9411082da3525a.tar.xz
dom0-kernel-674c686daedf0934080c67664d9411082da3525a.zip
Merge branch 'f12/master' into f12/user/myoung/xendom0
Conflicts: kernel.spec
-rw-r--r--drm-i915-sanity-check-pread-pwrite.patch90
-rw-r--r--kernel.spec48
-rw-r--r--sources3
3 files changed, 124 insertions, 17 deletions
diff --git a/drm-i915-sanity-check-pread-pwrite.patch b/drm-i915-sanity-check-pread-pwrite.patch
new file mode 100644
index 0000000..ca6d2bc
--- /dev/null
+++ b/drm-i915-sanity-check-pread-pwrite.patch
@@ -0,0 +1,90 @@
+From ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sun, 26 Sep 2010 20:50:05 +0100
+Subject: drm/i915: Sanity check pread/pwrite
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.
+
+Move the access control up from the fast paths, which are no longer
+universally taken first, up into the caller. This then duplicates some
+sanity checking along the slow paths, but is much simpler.
+Tracked as CVE-2010-2962.
+
+Reported-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Backported-by: Chuck Ebbert <cebbert@redhat.com> 2.6.32
+
+---
+ drivers/gpu/drm/i915/i915_gem.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -465,8 +465,15 @@ i915_gem_pread_ioctl(struct drm_device *
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_WRITE,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ if (i915_gem_object_needs_bit17_swizzle(obj)) {
+@@ -478,8 +485,8 @@ i915_gem_pread_ioctl(struct drm_device *
+ file_priv);
+ }
+
++err:
+ drm_gem_object_unreference(obj);
+-
+ return ret;
+ }
+
+@@ -568,8 +575,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
+
+ user_data = (char __user *) (uintptr_t) args->data_ptr;
+ remain = args->size;
+- if (!access_ok(VERIFY_READ, user_data, remain))
+- return -EFAULT;
+
+
+ mutex_lock(&dev->struct_mutex);
+@@ -928,8 +933,15 @@ i915_gem_pwrite_ioctl(struct drm_device
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_READ,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ /* We can only do the GTT pwrite on untiled buffers, as otherwise
+@@ -963,8 +975,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+ DRM_INFO("pwrite failed %d\n", ret);
+ #endif
+
++err:
+ drm_gem_object_unreference(obj);
+-
+ return ret;
+ }
+
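Review bot: Dropping the `access_ok(VERIFY_READ, user_data, remain)` check from i915_gem_gtt_pwrite_fast leaves that function trusting `args->data_ptr` on the unstated assumption that i915_gem_pwrite_ioctl has already range-checked it. A comment above the `user_data = ...` assignment would record that precondition, for example `/* args->data_ptr was validated with access_ok() by i915_gem_pwrite_ioctl */`, so a later caller or backport does not reach the copy code without the check. The rest of that function's body is outside the hunk, so the copy routines it uses cannot be confirmed from here. As a smaller style point, the new `err:` label in both ioctls is also reached on the success path, so `out:` would describe it more accurately.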
diff --git a/kernel.spec b/kernel.spec
index 4474ffa..da552e6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
# scripts/rebase.sh should be made to do that for you, actually.
#
-%global baserelease 170.1
+%global baserelease 171
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -60,9 +60,9 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 23
+%define stable_update 25
# Is it a -stable RC?
-%define stable_rc 0
+%define stable_rc 1
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev .%{stable_update}
@@ -730,14 +730,16 @@ Patch1824: drm-intel-next.patch
Patch1825: drm-intel-acpi-populate-didl.patch
Patch1826: drm-intel-make-lvds-work.patch
#Patch1827: linux-2.6-intel-agp-clear-gtt.patch
-Patch1828: drm-nouveau-g80-ctxprog.patch
-Patch1831: drm-nouveau-tvout-disable.patch
-Patch1832: drm-nouveau-safetile-getparam.patch
-Patch1844: drm-nouveau-kconfig.patch
-Patch1845: drm-nouveau-mutex.patch
-Patch1846: drm-nouveau-update.patch
-Patch1847: drm-nouveau-d620.patch
-Patch1848: drm-nouveau-nva3-noaccel.patch
+Patch1828: drm-i915-sanity-check-pread-pwrite.patch
+
+Patch1850: drm-nouveau-g80-ctxprog.patch
+Patch1851: drm-nouveau-tvout-disable.patch
+Patch1852: drm-nouveau-safetile-getparam.patch
+Patch1853: drm-nouveau-kconfig.patch
+Patch1854: drm-nouveau-mutex.patch
+Patch1855: drm-nouveau-update.patch
+Patch1856: drm-nouveau-d620.patch
+Patch1857: drm-nouveau-nva3-noaccel.patch
# kludge to make ich9 e1000 work
Patch2000: linux-2.6-e1000-ich9.patch
@@ -1471,6 +1473,8 @@ ApplyPatch drm-intel-acpi-populate-didl.patch
ApplyPatch drm-intel-make-lvds-work.patch
# gm45 stability fixes
ApplyPatch drm-intel-945gm-stability-fixes.patch
+# CVE-2010-2962
+ApplyPatch drm-i915-sanity-check-pread-pwrite.patch
ApplyPatch drm-nouveau-g80-ctxprog.patch
ApplyPatch drm-nouveau-tvout-disable.patch
@@ -1553,15 +1557,15 @@ ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
ApplyPatch net-do-not-check-capable-if-kernel.patch
# Mitigate DOS with large argument lists
-ApplyPatch execve-improve-interactivity-with-large-arguments.patch
-ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
-ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
+#ApplyPatch execve-improve-interactivity-with-large-arguments.patch
+#ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
+#ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
# rhbz#629158
-ApplyPatch r8169-fix-dma-allocations.patch
+#ApplyPatch r8169-fix-dma-allocations.patch
# rhbz#447489
-ApplyPatch skge-quirk-to-4gb-dma.patch
+#ApplyPatch skge-quirk-to-4gb-dma.patch
# rhbz#596475
ApplyPatch add-support-for-ricoh-e822-sdhci.patch
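Review bot: The three lines under `# Mitigate DOS with large argument lists`, and the r8169 and skge lines, are disabled with a bare `#` and nothing beside them says why, so the spec reads as if a DoS mitigation had simply been switched off. The changelog entry says they were merged upstream, and a note at the point of use would make that checkable, for example `# merged upstream in stable <VERSION>; remove on next rebase`. Because `stable_rc` is set to 1 in this change, it is worth confirming the fixes are still present if the build is later moved to a different stable base.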
@@ -2222,6 +2226,18 @@ fi
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
+* Fri Oct 22 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.25-171.rc1
+- Linux 2.6.32.25-rc1
+- Comment out patches merged upstream:
+ execve-improve-interactivity-with-large-arguments.patch
+ execve-make-responsive-to-sigkill-with-large-arguments.patch
+ setup_arg_pages-diagnose-excessive-argument-size.patch
+ xen-fix-typo-in-xen-irq-fix.patch
+ r8169-fix-dma-allocations.patch
+ skge-quirk-to-4gb-dma.patch
+- drm-i915-sanity-check-pread-pwrite.patch: backport fix for
+ CVE-2010-2962
+
* Thu Oct 21 2010 Michael Young <m.a.young@durham.ac.uk>
- update pvops including event channels fix
diff --git a/sources b/sources
index 70d5251..fec6be1 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2
-6eac9aebbf9e74546b7c44c0fb9348a7 patch-2.6.32.23.bz2
+e3346e3b4b92f048b8ecded829f45cdf patch-2.6.32.24.bz2
+811287361e4449aaad026b1c2df79d63 patch-2.6.32.25-rc1.bz2