author: Josh Boyer <jwboyer@redhat.com> 2012-08-22 07:34:59 -0400
committer: Josh Boyer <jwboyer@redhat.com> 2012-08-22 07:35:19 -0400
commit: 14f0cc6e6324aa6a74e741d3525d9135c6a8334c
tree: 56a79b93d67f5de52f720d86757b815bf68f87e2
parent: 7051aa7c8d04c3bf80f517ec3a0f542c191f92f5
Linux v3.6-rc2-400-g23dcfa6
- CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
-rw-r--r-- fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch | 89
-rw-r--r-- kernel.spec | 18
-rw-r--r-- sources | 2
-rw-r--r-- uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch | 36
4 files changed, 7 insertions, 138 deletions
diff --git a/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch b/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
deleted file mode 100644
index 992bd252f..000000000
--- a/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-
-Delivered-To: jwboyer@gmail.com
-Received: by 10.229.184.7 with SMTP id ci7csp32184qcb;
- Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
-Received: by 10.236.195.97 with SMTP id o61mr24210886yhn.17.1345531220620;
- Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
-Return-Path: <airlied@redhat.com>
-Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28])
- by mx.google.com with ESMTP id c5si239413anp.5.2012.08.20.23.40.20;
- Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
-Received-SPF: pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28;
-Authentication-Results: mx.google.com; spf=pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) smtp.mail=airlied@redhat.com
-Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
- by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q7L6eJ4K014799
- (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
- Tue, 21 Aug 2012 02:40:19 -0400
-Received: from prime.bne.redhat.com (dhcp-41-76.bne.redhat.com [10.64.41.76])
- by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q7L6eFfB029177;
- Tue, 21 Aug 2012 02:40:16 -0400
-From: Dave Airlie <airlied@redhat.com>
-To: linux-fbdev@vger.kernel.org
-Cc: dri-devel@lists.sf.net, linux-kernel@vger.kernel.org,
- Linus <torvalds@linux-foundation.org>,
- Alan Cox <alan@lxorguk.ukuu.org.uk>,
- Randy Dunlap <rdunlap@xenotime.net>, Josh Boyer <jwboyer@gmail.com>,
- Dave Airlie <airlied@redhat.com>
-Subject: [PATCH] fbcon: fix race condition between console lock and cursor timer
-Date: Tue, 21 Aug 2012 16:40:07 +1000
-Message-Id: <1345531207-24926-1-git-send-email-airlied@redhat.com>
-X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
-
-So we've had a fair few reports of fbcon handover breakage between
-efi/vesafb and i915 surface recently, so I dedicated a couple of
-days to finding the problem.
-
-Essentially the last thing we saw was the conflicting framebuffer
-message and that was all.
-
-So after much tracing with direct netconsole writes (printks
-under console_lock not so useful), I think I found the race.
-
-Thread A (driver load) Thread B (timer thread)
- unbind_con_driver -> |
- bind_con_driver -> |
- vc->vc_sw->con_deinit -> |
- fbcon_deinit -> |
- console_lock() |
- | |
- | fbcon_flashcursor timer fires
- | console_lock() <- blocked for A
- |
- |
-fbcon_del_cursor_timer ->
- del_timer_sync
- (BOOM)
-
-Of course because all of this is under the console lock,
-we never see anything, also since we also just unbound the active
-console guess what we never see anything.
-
-Hopefully this fixes the problem for anyone seeing vesafb->kms
-driver handoff.
-
-Signed-off-by: David Airlie <airlied@redhat.com>
----
- drivers/video/console/fbcon.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
-index 2e471c2..f8a79fc 100644
---- a/drivers/video/console/fbcon.c
-+++ b/drivers/video/console/fbcon.c
-@@ -372,8 +372,12 @@ static void fb_flashcursor(struct work_struct *work)
- struct vc_data *vc = NULL;
- int c;
- int mode;
-+ int ret;
-+
-+ ret = console_trylock();
-+ if (ret == 0)
-+ return;
-
-- console_lock();
- if (ops && ops->currcon != -1)
- vc = vc_cons[ops->currcon].d;
-
---
-1.7.10.2
-
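Review bot: nothing in the commit message explains why this carried patch is deleted; the message names only the rebase to v3.6-rc2-400-g23dcfa6 and CVE-2012-3520. If the console_trylock() change to fb_flashcursor is part of that snapshot, say so in the message. If it is not, dropping the file brings back the console_lock()/del_timer_sync hang that the patch text describes for the vesafb to KMS handoff. Separately, the file was carried with its full mail routing headers (Delivered-To, Received lines with internal host names and addresses); carried patches are easier to audit when trimmed to the From/Subject/Date header and the diff.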
diff --git a/kernel.spec b/kernel.spec
index 9d3cc3434..fe54e105d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 2
+%global baserelease 1
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 2
# The git snapshot level
-%define gitrev 1
+%define gitrev 2
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@@ -744,11 +744,6 @@ Patch22000: weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
-#rhbz 836742
-Patch22059: uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
-
-Patch22065: fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
-
#rhbz 847548
Patch22066: virtio-scsi-Initialize-scatterlist-structure.patch
@@ -1442,11 +1437,6 @@ ApplyPatch weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
-#rhbz 836742
-ApplyPatch uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
-
-ApplyPatch fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
-
#rhbz 847548
ApplyPatch virtio-scsi-Initialize-scatterlist-structure.patch
@@ -2315,6 +2305,10 @@ fi
# ||----w |
# || ||
%changelog
+* Wed Aug 22 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.0-0.rc2.git2.1
+- Linux v3.6-rc2-400-g23dcfa6
+- CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
+
* Tue Aug 21 2012 Josh Boyer <jwboyer@redhat.com>
- Add patch from Dave Jones to fix suspicious RCU usage in SELinux (rhbz 846037)
- Add patch from Richard W.M. Jones to fix virtio scsi oops (rhbz 847548)
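Review bot: the new %changelog entry lists CVE-2012-3520, but this commit adds no Patch or ApplyPatch line for it, so the fix can only be arriving with the snapshot. Word the entry so that is explicit, and add the rhbz number in the style of the entries below it, so that someone auditing the package can tell where the fix comes from. The entry also leaves out that the uvcvideo patch (rhbz 836742) and the fbcon patch were dropped in the same build.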
diff --git a/sources b/sources
index 568d4bd26..20584a4f7 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
24153eaaa81dedc9481ada8cd9c3b83d linux-3.5.tar.xz
5f0ec612b5364c18386c1b8155c271ac patch-3.6-rc2.xz
-12edd20554fd9469c5d7fad9935ce0af patch-3.6-rc2-git1.xz
+35f27ef57826c644eb014ecda8f22870 patch-3.6-rc2-git2.xz
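Review bot: the new patch-3.6-rc2-git2.xz line is pinned only by a 32-hex-digit (128-bit) digest, the same form as the two unchanged entries. If these are MD5 digests, as the length suggests, they detect accidental corruption but should not be the only check on a snapshot that is being shipped for a CVE fix. Verify the generated snapshot against the upstream tree at 23dcfa6 before uploading it, and record that check in the commit message.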
diff --git a/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch b/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
deleted file mode 100644
index 6606b7d3d..000000000
--- a/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 3771973542a4807b251352253ed22c50e688e573 Mon Sep 17 00:00:00 2001
-From: Jayakrishnan Memana <jayakrishnan.memana@maxim-ic.com>
-Date: Sun, 15 Jul 2012 15:54:03 +0200
-Subject: [PATCH] uvcvideo: Reset the bytesused field when recycling an erroneous buffer
-
-Buffers marked as erroneous are recycled immediately by the driver if
-the nodrop module parameter isn't set. The buffer payload size is reset
-to 0, but the buffer bytesused field isn't. This results in the buffer
-being immediately considered as complete, leading to an infinite loop in
-interrupt context.
-
-Fix the problem by resetting the bytesused field when recycling the
-buffer.
-
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Jayakrishnan Memana <jayakrishnan.memana@maxim-ic.com>
-Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
----
- drivers/media/video/uvc/uvc_queue.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/drivers/media/video/uvc/uvc_queue.c b/drivers/media/video/uvc/uvc_queue.c
-index 9288fbd..5577381 100644
---- a/drivers/media/video/uvc/uvc_queue.c
-+++ b/drivers/media/video/uvc/uvc_queue.c
-@@ -338,6 +338,7 @@ struct uvc_buffer *uvc_queue_next_buffer(struct uvc_video_queue *queue,
- if ((queue->flags & UVC_QUEUE_DROP_CORRUPTED) && buf->error) {
- buf->error = 0;
- buf->state = UVC_BUF_STATE_QUEUED;
-+ buf->bytesused = 0;
- vb2_set_plane_payload(&buf->buf, 0, 0);
- return buf;
- }
---
-1.7.2.5
-
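Review bot: dropping this file is only safe if uvc_queue_next_buffer in the new snapshot already contains the `buf->bytesused = 0;` line, since the patch text says that without it a recycled erroneous buffer causes an infinite loop in interrupt context. Confirm that against the rebased source and state in the changelog that the patch is now upstream, keeping the rhbz 836742 reference that the spec comment used to carry.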