From 7eb61976f83097b3e69cac1215317e9d1f96925c Mon Sep 17 00:00:00 2001 From: Chuck Ebbert Date: Mon, 20 Sep 2010 18:48:03 -0400 Subject: Linux 2.6.32.22 Drop merged patches: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch 02-compat-test-rax-for-the-system-call-number-not-eax.patch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch hid-01-usbhid-initialize-interface-pointers-early-enough.patch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch --- ...ser_space-incorporate-the-access_ok-check.patch | 198 --------------------- ...st-rax-for-the-system-call-number-not-eax.patch | 97 ---------- ...cate-rax-after-ia32-syscall-entry-tracing.patch | 49 ----- ...le-free-at-error-path-of-snd_seq_oss_open.patch | 53 ------ drm-upgrayedd.patch | 2 +- ...nitialize-interface-pointers-early-enough.patch | 40 ----- ...d-crash-by-moving-initializations-earlier.patch | 53 ------ kernel.spec | 39 ++-- sources | 2 +- ...-do-not-allow-llseek-to-set_ftrace_filter.patch | 51 ------ 10 files changed, 16 insertions(+), 568 deletions(-) delete mode 100644 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch delete mode 100644 02-compat-test-rax-for-the-system-call-number-not-eax.patch delete mode 100644 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch delete mode 100644 alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch delete mode 100644 hid-01-usbhid-initialize-interface-pointers-early-enough.patch delete mode 100644 hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch delete mode 100644 tracing-do-not-allow-llseek-to-set_ftrace_filter.patch diff --git a/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch b/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch deleted file mode 100644 index 2053e03..0000000 --- a/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch +++ /dev/null @@ -1,198 +0,0 @@ -From f45716729488bd8263b06e7d672c8ff8f2ded8b7 Mon Sep 17 00:00:00 2001 -From: H. Peter Anvin -Date: Tue, 7 Sep 2010 16:16:18 -0700 -Subject: [PATCH 1/4] compat: Make compat_alloc_user_space() incorporate the access_ok() - -compat_alloc_user_space() expects the caller to independently call -access_ok() to verify the returned area. A missing call could -introduce problems on some architectures. - -This patch incorporates the access_ok() check into -compat_alloc_user_space() and also adds a sanity check on the length. -The existing compat_alloc_user_space() implementations are renamed -arch_compat_alloc_user_space() and are used as part of the -implementation of the new global function. - -This patch assumes NULL will cause __get_user()/__put_user() to either -fail or access userspace on all architectures. This should be -followed by checking the return value of compat_access_user_space() -for NULL in the callers, at which time the access_ok() in the callers -can also be removed. - -Reported-by: Ben Hawkes -Signed-off-by: H. Peter Anvin -Acked-by: Benjamin Herrenschmidt -Acked-by: Chris Metcalf -Acked-by: David S. Miller -Acked-by: Ingo Molnar -Acked-by: Thomas Gleixner -Acked-by: Tony Luck -Cc: Andrew Morton -Cc: Arnd Bergmann -Cc: Fenghua Yu -Cc: H. Peter Anvin -Cc: Heiko Carstens -Cc: Helge Deller -Cc: James Bottomley -Cc: Kyle McMartin -Cc: Martin Schwidefsky -Cc: Paul Mackerras -Cc: Ralf Baechle -Cc: ---- - - [ edited to fix build on 2.6.32 ] - - arch/ia64/include/asm/compat.h | 2 +- - arch/mips/include/asm/compat.h | 2 +- - arch/parisc/include/asm/compat.h | 2 +- - arch/powerpc/include/asm/compat.h | 2 +- - arch/s390/include/asm/compat.h | 2 +- - arch/sparc/include/asm/compat.h | 2 +- - arch/x86/include/asm/compat.h | 2 +- - include/linux/compat.h | 2 ++ - kernel/compat.c | 22 +++++++++++++++++++++ - 9 files changed, 30 insertions(+), 7 deletions(-) - -diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h -index dfcf75b..c8662cd 100644 ---- a/arch/ia64/include/asm/compat.h -+++ b/arch/ia64/include/asm/compat.h -@@ -198,7 +198,7 @@ ptr_to_compat(void __user *uptr) - } - - static __inline__ void __user * --compat_alloc_user_space (long len) -+arch_compat_alloc_user_space (long len) - { - struct pt_regs *regs = task_pt_regs(current); - return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len); -diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h -index f58aed3..27505bd 100644 ---- a/arch/mips/include/asm/compat.h -+++ b/arch/mips/include/asm/compat.h -@@ -144,7 +144,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = (struct pt_regs *) - ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1; -diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h -index 7f32611..7c77fa9 100644 ---- a/arch/parisc/include/asm/compat.h -+++ b/arch/parisc/include/asm/compat.h -@@ -146,7 +146,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static __inline__ void __user *compat_alloc_user_space(long len) -+static __inline__ void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = ¤t->thread.regs; - return (void __user *)regs->gr[30]; -diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h -index 4774c2f..8d0fff3 100644 ---- a/arch/powerpc/include/asm/compat.h -+++ b/arch/powerpc/include/asm/compat.h -@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = current->thread.regs; - unsigned long usp = regs->gpr[1]; -diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h -index 01a0802..0c940d3 100644 ---- a/arch/s390/include/asm/compat.h -+++ b/arch/s390/include/asm/compat.h -@@ -180,7 +180,7 @@ static inline int is_compat_task(void) - - #endif - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - unsigned long stack; - -diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h -index 0e70625..612bb38 100644 ---- a/arch/sparc/include/asm/compat.h -+++ b/arch/sparc/include/asm/compat.h -@@ -166,7 +166,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = current_thread_info()->kregs; - unsigned long usp = regs->u_regs[UREG_I6]; -diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h -index 9a9c7bd..c8c9a74 100644 ---- a/arch/x86/include/asm/compat.h -+++ b/arch/x86/include/asm/compat.h -@@ -204,7 +204,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = task_pt_regs(current); - return (void __user *)regs->sp - len; -diff --git a/include/linux/compat.h b/include/linux/compat.h -index af931ee..cab23f2 100644 ---- a/include/linux/compat.h -+++ b/include/linux/compat.h -@@ -309,5 +309,7 @@ asmlinkage long compat_sys_newfstatat(unsigned int dfd, char __user * filename, - asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename, - int flags, int mode); - -+extern void __user *compat_alloc_user_space(unsigned long len); -+ - #endif /* CONFIG_COMPAT */ - #endif /* _LINUX_COMPAT_H */ -diff a/kernel/compat.c b/kernel/compat.c ---- a/kernel/compat.c -+++ b/kernel/compat.c -@@ -13,6 +13,7 @@ - - #include - #include -+#include - #include - #include - #include -@@ -1137,3 +1137,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info) - - return 0; - } -+ -+/* -+ * Allocate user-space memory for the duration of a single system call, -+ * in order to marshall parameters inside a compat thunk. -+ */ -+void __user *compat_alloc_user_space(unsigned long len) -+{ -+ void __user *ptr; -+ -+ /* If len would occupy more than half of the entire compat space... */ -+ if (unlikely(len > (((compat_uptr_t)~0) >> 1))) -+ return NULL; -+ -+ ptr = arch_compat_alloc_user_space(len); -+ -+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len))) -+ return NULL; -+ -+ return ptr; -+} -+EXPORT_SYMBOL_GPL(compat_alloc_user_space); --- -1.7.2.3 - diff --git a/02-compat-test-rax-for-the-system-call-number-not-eax.patch b/02-compat-test-rax-for-the-system-call-number-not-eax.patch deleted file mode 100644 index 8fd7490..0000000 --- a/02-compat-test-rax-for-the-system-call-number-not-eax.patch +++ /dev/null @@ -1,97 +0,0 @@ -From aaeacea2992c28f1d355ff7cd4c4754131bdd831 Mon Sep 17 00:00:00 2001 -From: H. Peter Anvin -Date: Tue, 14 Sep 2010 12:42:41 -0700 -Subject: [PATCH 2/4] x86-64, compat: Test %rax for the syscall number, not %eax - -On 64 bits, we always, by necessity, jump through the system call -table via %rax. For 32-bit system calls, in theory the system call -number is stored in %eax, and the code was testing %eax for a valid -system call number. At one point we loaded the stored value back from -the stack to enforce zero-extension, but that was removed in checkin -d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process -will not be able to introduce a non-zero-extended number, but it can -happen via ptrace. - -Instead of re-introducing the zero-extension, test what we are -actually going to use, i.e. %rax. This only adds a handful of REX -prefixes to the code. - -Reported-by: Ben Hawkes -Signed-off-by: H. Peter Anvin -Cc: -Cc: Roland McGrath -Cc: Andrew Morton ---- - arch/x86/ia32/ia32entry.S | 14 +++++++------- - 1 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 5294d84..7f9eb54 100644 ---- a/arch/x86/ia32/ia32entry.S -+++ b/arch/x86/ia32/ia32entry.S -@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) - CFI_REMEMBER_STATE - jnz sysenter_tracesys -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys - sysenter_do_call: - IA32_ARG_FIXUP -@@ -195,7 +195,7 @@ sysexit_from_sys_call: - movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ - call audit_syscall_entry - movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys - movl %ebx,%edi /* reload 1st syscall arg */ - movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */ -@@ -248,7 +248,7 @@ sysenter_tracesys: - call syscall_trace_enter - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ - jmp sysenter_do_call - CFI_ENDPROC -@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) - CFI_REMEMBER_STATE - jnz cstar_tracesys -- cmpl $IA32_NR_syscalls-1,%eax -+ cmpq $IA32_NR_syscalls-1,%rax - ja ia32_badsys - cstar_do_call: - IA32_ARG_FIXUP 1 -@@ -367,7 +367,7 @@ cstar_tracesys: - LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */ - RESTORE_REST - xchgl %ebp,%r9d -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ - jmp cstar_do_call - END(ia32_cstar_target) -@@ -425,7 +425,7 @@ ENTRY(ia32_syscall) - orl $TS_COMPAT,TI_status(%r10) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) - jnz ia32_tracesys -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys - ia32_do_call: - IA32_ARG_FIXUP -@@ -444,7 +444,7 @@ ia32_tracesys: - call syscall_trace_enter - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */ - jmp ia32_do_call - END(ia32_syscall) --- -1.7.2.3 - diff --git a/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch b/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch deleted file mode 100644 index 96c269b..0000000 --- a/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 1fa16daaa76d1b132c8fee027c11bad5a5d25761 Mon Sep 17 00:00:00 2001 -From: Roland McGrath -Date: Tue, 14 Sep 2010 12:22:58 -0700 -Subject: [PATCH 3/4] x86-64, compat: Retruncate rax after ia32 syscall entry tracing - -In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a -32-bit tracee in system call entry. A %rax value set via ptrace at the -entry tracing stop gets used whole as a 32-bit syscall number, while we -only check the low 32 bits for validity. - -Fix it by truncating %rax back to 32 bits after syscall_trace_enter, -in addition to testing the full 64 bits as has already been added. - -Reported-by: Ben Hawkes -Signed-off-by: Roland McGrath -Signed-off-by: H. Peter Anvin ---- - arch/x86/ia32/ia32entry.S | 8 +++++++- - 1 files changed, 7 insertions(+), 1 deletions(-) - -diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 7f9eb54..4edd8eb 100644 ---- a/arch/x86/ia32/ia32entry.S -+++ b/arch/x86/ia32/ia32entry.S -@@ -50,7 +50,12 @@ - /* - * Reload arg registers from stack in case ptrace changed them. - * We don't reload %eax because syscall_trace_enter() returned -- * the value it wants us to use in the table lookup. -+ * the %rax value we should see. Instead, we just truncate that -+ * value to 32 bits again as we did on entry from user mode. -+ * If it's a new value set by user_regset during entry tracing, -+ * this matches the normal truncation of the user-mode value. -+ * If it's -1 to make us punt the syscall, then (u32)-1 is still -+ * an appropriately invalid value. - */ - .macro LOAD_ARGS32 offset, _r9=0 - .if \_r9 -@@ -60,6 +65,7 @@ - movl \offset+48(%rsp),%edx - movl \offset+56(%rsp),%esi - movl \offset+64(%rsp),%edi -+ movl %eax,%eax /* zero extension */ - .endm - - .macro CFI_STARTPROC32 simple --- -1.7.2.3 - diff --git a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch b/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch deleted file mode 100644 index 73e65ec..0000000 --- a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch +++ /dev/null @@ -1,53 +0,0 @@ -From: Takashi Iwai -Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200) -Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd - -ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() - -The error handling in snd_seq_oss_open() has several bad codes that -do dereferecing released pointers and double-free of kmalloc'ed data. -The object dp is release in free_devinfo() that is called via -private_free callback. The rest shouldn't touch this object any more. - -The patch changes delete_port() to call kfree() in any case, and gets -rid of unnecessary calls of destructors in snd_seq_oss_open(). - -Fixes CVE-2010-3080. - -Reported-and-tested-by: Tavis Ormandy -Cc: -Signed-off-by: Takashi Iwai ---- - -diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c -index 6857122..69cd7b3 100644 ---- a/sound/core/seq/oss/seq_oss_init.c -+++ b/sound/core/seq/oss/seq_oss_init.c -@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level) - return 0; - - _error: -- snd_seq_oss_writeq_delete(dp->writeq); -- snd_seq_oss_readq_delete(dp->readq); - snd_seq_oss_synth_cleanup(dp); - snd_seq_oss_midi_cleanup(dp); -- delete_port(dp); - delete_seq_queue(dp->queue); -- kfree(dp); -+ delete_port(dp); - - return rc; - } -@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp) - static int - delete_port(struct seq_oss_devinfo *dp) - { -- if (dp->port < 0) -+ if (dp->port < 0) { -+ kfree(dp); - return 0; -+ } - - debug_printk(("delete_port %i\n", dp->port)); - return snd_seq_event_port_detach(dp->cseq, dp->port); diff --git a/drm-upgrayedd.patch b/drm-upgrayedd.patch index 08f039b..2530bec 100644 --- a/drm-upgrayedd.patch +++ b/drm-upgrayedd.patch @@ -10283,7 +10283,7 @@ index 601415d..b27202d 100644 + dev_priv->pipe_to_crtc_mapping[intel_crtc->pipe] = &intel_crtc->base; + intel_crtc->cursor_addr = 0; - intel_crtc->dpms_mode = DRM_MODE_DPMS_OFF; + intel_crtc->dpms_mode = -1; drm_crtc_helper_add(&intel_crtc->base, &intel_helper_funcs); @@ -4036,7 +4382,7 @@ static void intel_setup_outputs(struct drm_device *dev) if (IS_MOBILE(dev) && !IS_I830(dev)) diff --git a/hid-01-usbhid-initialize-interface-pointers-early-enough.patch b/hid-01-usbhid-initialize-interface-pointers-early-enough.patch deleted file mode 100644 index d522b3f..0000000 --- a/hid-01-usbhid-initialize-interface-pointers-early-enough.patch +++ /dev/null @@ -1,40 +0,0 @@ -commit 57ab12e418ec4fe24c11788bb1bbdabb29d05679 -Author: Jiri Kosina -Date: Wed Feb 17 14:25:01 2010 +0100 - - HID: usbhid: initialize interface pointers early enough - - Move the initialization of USB interface pointers from _start() - over to _probe() callback, which is where it belongs. - - This fixes case where interface is NULL when parsing of report - descriptor fails. - - LKML-Reference: <20100213135720.603e5f64 at neptune.home> - Reported-by: Alan Stern - Tested-by: Bruno Prémont - Signed-off-by: Jiri Kosina - -diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c -index 74bd3ca..ceaf4a1 100644 ---- a/drivers/hid/usbhid/hid-core.c -+++ b/drivers/hid/usbhid/hid-core.c -@@ -1005,9 +1005,6 @@ static int usbhid_start(struct hid_device *hid) - - spin_lock_init(&usbhid->lock); - -- usbhid->intf = intf; -- usbhid->ifnum = interface->desc.bInterfaceNumber; -- - usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL); - if (!usbhid->urbctrl) { - ret = -ENOMEM; -@@ -1178,6 +1175,8 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id * - - hid->driver_data = usbhid; - usbhid->hid = hid; -+ usbhid->intf = intf; -+ usbhid->ifnum = interface->desc.bInterfaceNumber; - - ret = hid_add_device(hid); - if (ret) { diff --git a/hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch b/hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch deleted file mode 100644 index bbd3880..0000000 --- a/hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch +++ /dev/null @@ -1,53 +0,0 @@ -commit fde4e2f73208b8f34f123791e39c0cb6bc74b32a -Author: Alan Stern -Date: Fri May 7 10:41:10 2010 -0400 - - HID: fix suspend crash by moving initializations earlier - - Although the usbhid driver allocates its usbhid structure in the probe - routine, several critical fields in that structure don't get - initialized until usbhid_start(). However if report descriptor - parsing fails then usbhid_start() is never called. This leads to - problems during system suspend -- the system will freeze. - - This patch (as1378) fixes the bug by moving the initialization - statements up into usbhid_probe(). - - Signed-off-by: Alan Stern - Reported-by: Bruno Prémont - Tested-By: Bruno Prémont - Signed-off-by: Jiri Kosina - -diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c -index 56d06cd..7b85b69 100644 ---- a/drivers/hid/usbhid/hid-core.c -+++ b/drivers/hid/usbhid/hid-core.c -@@ -999,13 +999,6 @@ static int usbhid_start(struct hid_device *hid) - } - } - -- init_waitqueue_head(&usbhid->wait); -- INIT_WORK(&usbhid->reset_work, hid_reset); -- INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues); -- setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid); -- -- spin_lock_init(&usbhid->lock); -- - usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL); - if (!usbhid->urbctrl) { - ret = -ENOMEM; -@@ -1179,6 +1172,12 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id * - usbhid->intf = intf; - usbhid->ifnum = interface->desc.bInterfaceNumber; - -+ init_waitqueue_head(&usbhid->wait); -+ INIT_WORK(&usbhid->reset_work, hid_reset); -+ INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues); -+ setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid); -+ spin_lock_init(&usbhid->lock); -+ - ret = hid_add_device(hid); - if (ret) { - if (ret != -ENODEV) - - diff --git a/kernel.spec b/kernel.spec index a7b0070..db75c73 100644 --- a/kernel.spec +++ b/kernel.spec @@ -47,7 +47,7 @@ Summary: The Linux kernel # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec). # scripts/rebase.sh should be made to do that for you, actually. # -%global baserelease 168 +%global baserelease 169 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -59,7 +59,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 21 +%define stable_update 22 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -638,9 +638,6 @@ Patch21: linux-2.6-tracehook.patch Patch22: linux-2.6-utrace.patch Patch23: linux-2.6-utrace-ptrace.patch -Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch -Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch -Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch Patch141: linux-2.6-ps3-storage-alias.patch @@ -840,9 +837,6 @@ Patch14050: crypto-add-async-hash-testing.patch # Red Hat Bugzilla #610911 Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch -Patch14140: hid-01-usbhid-initialize-interface-pointers-early-enough.patch -Patch14141: hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch - Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch Patch14200: net-do-not-check-capable-if-kernel.patch @@ -852,13 +846,9 @@ Patch14210: execve-improve-interactivity-with-large-arguments.patch Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch -# CVE-2010-3080 -Patch14220: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch # CVE-2010-2960 Patch14230: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch Patch14231: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch -# CVE-2010-3079 -Patch14240: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch # ============================================================================== %endif @@ -1300,11 +1290,6 @@ ApplyPatch linux-2.6-utrace-ptrace.patch ApplyPatch via-hwmon-temp-sensor.patch ApplyPatch linux-2.6-dell-laptop-rfkill-fix.patch -ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch -ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch -ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch - - # # Intel IOMMU # @@ -1338,6 +1323,7 @@ ApplyPatch linux-2.6-execshield.patch # # bugfixes to drivers and filesystems # +# CVE-2010-3067 ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch # ext4 @@ -1569,10 +1555,6 @@ ApplyPatch crypto-add-async-hash-testing.patch ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch -# RHBZ #592785 -ApplyPatch hid-01-usbhid-initialize-interface-pointers-early-enough.patch -ApplyPatch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch - # CVE-2010-2954 ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch @@ -1584,13 +1566,9 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch -# CVE-2010-3080 -ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch # CVE-2010-2960 ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch -# CVE-2010-3079 -ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch # END OF PATCH APPLICATIONS ==================================================== %endif @@ -2244,6 +2222,17 @@ fi %kernel_variant_files -k vmlinux %{with_kdump} kdump %changelog +* Mon Sep 20 2010 Chuck Ebbert 2.6.32.21-169 +- Linux 2.6.32.22 +- Drop merged patches: + 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch + 02-compat-test-rax-for-the-system-call-number-not-eax.patch + 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch + hid-01-usbhid-initialize-interface-pointers-early-enough.patch + hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch + alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch + tracing-do-not-allow-llseek-to-set_ftrace_filter.patch + * Tue Sep 14 2010 Chuck Ebbert 2.6.32.21-168 - Fix three CVEs: CVE-2010-3080: /dev/sequencer open failure is not handled correctly diff --git a/sources b/sources index aa75510..2f21808 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2 -29aa10a231882a6e52908642b572326f patch-2.6.32.21.bz2 +da1431a1d659298c6bd11714416c840f patch-2.6.32.22.bz2 diff --git a/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch b/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch deleted file mode 100644 index 4bbae71..0000000 --- a/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Steven Rostedt -Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400) -Subject: tracing: Do not allow llseek to set_ftrace_filter -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7 - -tracing: Do not allow llseek to set_ftrace_filter - -Reading the file set_ftrace_filter does three things. - -1) shows whether or not filters are set for the function tracer -2) shows what functions are set for the function tracer -3) shows what triggers are set on any functions - -3 is independent from 1 and 2. - -The way this file currently works is that it is a state machine, -and as you read it, it may change state. But this assumption breaks -when you use lseek() on the file. The state machine gets out of sync -and the t_show() may use the wrong pointer and cause a kernel oops. - -Luckily, this will only kill the app that does the lseek, but the app -dies while holding a mutex. This prevents anyone else from using the -set_ftrace_filter file (or any other function tracing file for that matter). - -A real fix for this is to rewrite the code, but that is too much for -a -rc release or stable. This patch simply disables llseek on the -set_ftrace_filter() file for now, and we can do the proper fix for the -next major release. - -Reported-by: Robert Swiecki -Cc: Chris Wright -Cc: Tavis Ormandy -Cc: Eugene Teo -Cc: vendor-sec@lst.de -Cc: -Signed-off-by: Steven Rostedt ---- - -diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 7cb1f45..83a16e9 100644 ---- a/kernel/trace/ftrace.c -+++ b/kernel/trace/ftrace.c -@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = { - .open = ftrace_filter_open, - .read = seq_read, - .write = ftrace_filter_write, -- .llseek = ftrace_regex_lseek, -+ .llseek = no_llseek, - .release = ftrace_filter_release, - }; - -- cgit