Update to 3.8.11
svn path=/dists/sid/linux/; revision=20012
parent
f0b5fe588b
commit
37b0eaaa6d
|
@ -1,3 +1,108 @@
|
|||
linux (3.8.11-1) UNRELEASED; urgency=high
|
||||
|
||||
* New upstream stable update:
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.6
|
||||
- sysfs: fix race between readdir and lseek
|
||||
- sysfs: handle failure path correctly for readdir()
|
||||
- rtlwifi: usb: add missing freeing of skbuff
|
||||
- b43: A fix for DMA transmission sequence errors
|
||||
- tg3: fix length overflow in VPD firmware parsing (CVE-2013-1929)
|
||||
- xen-blkback: fix dispatch_rw_block_io() error path
|
||||
- net/irda: add missing error path release_sock call
|
||||
- usb: xhci: Fix TRB transfer length macro used for Event TRB.
|
||||
- Btrfs: fix locking on ROOT_REPLACE operations in tree mod log
|
||||
- Btrfs: fix race between mmap writes and compression
|
||||
- USB: serial: fix use-after-free in TIOCMIWAIT
|
||||
- loop: prevent bdev freeing while device in use
|
||||
- virtio: console: add locking around c_ovq operations
|
||||
- nfsd4: reject "negative" acl lengths
|
||||
- Btrfs: fix space leak when we fail to reserve metadata space
|
||||
- net: remove a WARN_ON() in net_enable_timestamp()
|
||||
- 8021q: fix a potential use-after-free
|
||||
- unix: fix a race condition in unix_release()
|
||||
- atl1e: drop pci-msi support because of packet corruption
|
||||
(possibly fixes: #577747)
|
||||
- ipv6: fix bad free of addrconf_init_net
|
||||
- ipv6: don't accept multicast traffic with scope 0
|
||||
- ipv6: don't accept node local multicast traffic from the wire
|
||||
- pch_gbe: fix ip_summed checksum reporting on rx
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.7
|
||||
- drm/nouveau: fix handling empty channel list in ioctl's
|
||||
- drm/i915: Be sure to turn hsync/vsync back on at crt enable (v2)
|
||||
(fixes regression in 3.8.3)
|
||||
- drm: correctly restore mappings if drm_open fails
|
||||
- mm: prevent mmap_cache race in find_vma()
|
||||
- mwifiex: limit channel number not to overflow memory
|
||||
- spinlocks and preemption points need to be at least compiler barriers
|
||||
- crypto: gcm - fix assumption that assoc has one segment
|
||||
- NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
|
||||
- vfio-pci: Fix possible integer overflow
|
||||
- can: gw: use kmem_cache_free() instead of kfree()
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.8
|
||||
- ipc: set msg back to -EAGAIN if copy wasn't performed
|
||||
- GFS2: Fix unlock of fcntl locks during withdrawn state
|
||||
- cifs: Allow passwords which begin with a delimitor (fixes
|
||||
regression in 3.8)
|
||||
- [i386] Fix possible incomplete TLB invalidate with PAE pagetables
|
||||
- sched_clock: Prevent 64bit inatomicity on 32bit systems
|
||||
- [x86] mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates
|
||||
- tty: don't deadlock while flushing workqueue
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.9
|
||||
- [powerpc] add a missing label in resume_kernel
|
||||
- [powerpc] kvm/powerpc/e500mc: fix tlb invalidation on cpu migration
|
||||
- kthread: Prevent unpark race which puts threads on the wrong cpu
|
||||
- hrtimer: Don't reinitialize a cpu_base lock on CPU_UP
|
||||
- hugetlbfs: add swap entry check in follow_hugetlb_page()
|
||||
- kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
|
||||
- hfsplus: fix potential overflow in hfsplus_file_truncate()
|
||||
- md: raid1,10: Handle REQ_WRITE_SAME flag in write bios
|
||||
- [x86] KVM: Allow cross page reads and writes from cached translations.
|
||||
(fixes regression in fix for CVE-2013-1796)
|
||||
- hsched: Convert BUG_ON()s in try_to_wake_up_local() to WARN_ON_ONCE()s
|
||||
- [armel] Fix kexec by setting outer_cache.inv_all for Feroceon
|
||||
- ath9k_htc: accept 1.x firmware newer than 1.3
|
||||
- mac80211: fix cfg80211 interaction on auth/assoc request
|
||||
- crypto: algif - suppress sending source address information in recvmsg
|
||||
(CVE-2013-3076)
|
||||
- vm: add and use vm_iomap_memory() helper function
|
||||
- Btrfs: make sure nbytes are right after log replay
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.10
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.11
|
||||
- TTY: do not update atime/mtime on read/write
|
||||
- TTY: fix atime/mtime regression
|
||||
- [sparc] sparc64: Fix race in TLB batch processing.
|
||||
- atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
|
||||
- ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
|
||||
- Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
|
||||
- Bluetooth: RFCOMM - Fix missing msg_namelen update in
|
||||
rfcomm_sock_recvmsg() (CVE-2013-3225)
|
||||
- Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()
|
||||
- caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
|
||||
(CVE-2013-3227)
|
||||
- irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
|
||||
(CVE-2013-3228)
|
||||
- [s390] iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
|
||||
(CVE-2013-3229)
|
||||
- l2tp: fix info leak in l2tp_ip6_recvmsg()
|
||||
- llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231)
|
||||
- netrom: fix info leak via msg_name in nr_recvmsg()
|
||||
- NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
|
||||
- rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
|
||||
- tipc: fix info leaks via msg_name in recv_msg/recv_stream
|
||||
(CVE-2013-3235)
|
||||
- atl1e: limit gso segment size to prevent generation of wrong ip length
|
||||
fields (Closes: #565404)
|
||||
- af_unix: If we don't care about credentials coallesce all messages
|
||||
- ipv6/tcp: Stop processing ICMPv6 redirect messages
|
||||
- rtnetlink: Call nlmsg_parse() with correct header length
|
||||
- tcp: incoming connections might use wrong route under synflood
|
||||
- tcp: Reallocate headroom if it would overflow csum_start
|
||||
- net: cdc_mbim: remove bogus sizeof()
|
||||
- net: fix incorrect credentials passing (CVE-2013-1979)
|
||||
- net: drop dst before queueing fragments
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sat, 04 May 2013 03:45:10 +0100
|
||||
|
||||
linux (3.8.5-1~experimental.1) experimental; urgency=high
|
||||
|
||||
* New upstream stable update:
|
||||
|
|
|
@ -1,42 +0,0 @@
|
|||
From: Andy Honig <ahonig@google.com>
|
||||
Date: Wed, 20 Feb 2013 14:49:16 -0800
|
||||
Subject: KVM: Fix bounds checking in ioapic indirect register reads
|
||||
(CVE-2013-1798)
|
||||
|
||||
commit a2c118bfab8bc6b8bb213abfc35201e441693d55 upstream.
|
||||
|
||||
If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
|
||||
that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
|
||||
that request. ioapic_read_indirect contains an
|
||||
ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
|
||||
non-debug builds. In recent kernels this allows a guest to cause a kernel
|
||||
oops by reading invalid memory. In older kernels (pre-3.3) this allows a
|
||||
guest to read from large ranges of host memory.
|
||||
|
||||
Tested: tested against apic unit tests.
|
||||
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
||||
---
|
||||
virt/kvm/ioapic.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
|
||||
index ce82b94..5ba005c 100644
|
||||
--- a/virt/kvm/ioapic.c
|
||||
+++ b/virt/kvm/ioapic.c
|
||||
@@ -74,9 +74,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
|
||||
u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
|
||||
u64 redir_content;
|
||||
|
||||
- ASSERT(redir_index < IOAPIC_NUM_PINS);
|
||||
+ if (redir_index < IOAPIC_NUM_PINS)
|
||||
+ redir_content =
|
||||
+ ioapic->redirtbl[redir_index].bits;
|
||||
+ else
|
||||
+ redir_content = ~0ULL;
|
||||
|
||||
- redir_content = ioapic->redirtbl[redir_index].bits;
|
||||
result = (ioapic->ioregsel & 0x1) ?
|
||||
(redir_content >> 32) & 0xffffffff :
|
||||
redir_content & 0xffffffff;
|
|
@ -61,8 +61,8 @@ Signed-off-by: Tony Luck <tony.luck@intel.com>
|
|||
|
||||
*id = part;
|
||||
return ret;
|
||||
@@ -1670,6 +1674,75 @@ static ssize_t efivar_delete(struct file
|
||||
return count;
|
||||
@@ -1717,6 +1721,75 @@ static unsigned long var_name_strnsize(e
|
||||
return min(len, variable_name_size);
|
||||
}
|
||||
|
||||
+static bool variable_is_present(efi_char16_t *variable_name, efi_guid_t *vendor)
|
||||
|
@ -137,7 +137,7 @@ Signed-off-by: Tony Luck <tony.luck@intel.com>
|
|||
/*
|
||||
* Let's not leave out systab information that snuck into
|
||||
* the efivars driver
|
||||
@@ -2000,6 +2073,8 @@ err_put:
|
||||
@@ -2087,6 +2160,8 @@ err_put:
|
||||
static void __exit
|
||||
efivars_exit(void)
|
||||
{
|
||||
|
|
|
@ -70,15 +70,14 @@ Reported-by: Lingzhu Xiang <lxiang@redhat.com>
|
|||
Tested-by: Lingzhu Xiang <lxiang@redhat.com>
|
||||
Cc: Seiji Aguchi <seiji.aguchi@hds.com>
|
||||
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
|
||||
[bwh: Apply only the part not included in 3.8.6]
|
||||
---
|
||||
drivers/firmware/efivars.c | 48 +++++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 47 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
|
||||
index 1e9d9b9..d64661f 100644
|
||||
--- a/drivers/firmware/efivars.c
|
||||
+++ b/drivers/firmware/efivars.c
|
||||
@@ -170,6 +170,7 @@ efivar_create_sysfs_entry(struct efivars *efivars,
|
||||
@@ -171,6 +171,7 @@ efivar_create_sysfs_entry(struct efivars
|
||||
|
||||
static void efivar_update_sysfs_entries(struct work_struct *);
|
||||
static DECLARE_WORK(efivar_work, efivar_update_sysfs_entries);
|
||||
|
@ -86,7 +85,7 @@ index 1e9d9b9..d64661f 100644
|
|||
|
||||
/* Return the number of unicode characters in data */
|
||||
static unsigned long
|
||||
@@ -1444,7 +1445,7 @@ static int efi_pstore_write(enum pstore_type_id type,
|
||||
@@ -1435,7 +1436,7 @@ static int efi_pstore_write(enum pstore_
|
||||
|
||||
spin_unlock_irqrestore(&efivars->lock, flags);
|
||||
|
||||
|
@ -95,20 +94,10 @@ index 1e9d9b9..d64661f 100644
|
|||
schedule_work(&efivar_work);
|
||||
|
||||
*id = part;
|
||||
@@ -1975,6 +1976,35 @@ void unregister_efivars(struct efivars *efivars)
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(unregister_efivars);
|
||||
@@ -1998,6 +1999,13 @@ static void dup_variable_bug(efi_char16_
|
||||
size_t i, len8 = len16 / sizeof(efi_char16_t);
|
||||
char *s8;
|
||||
|
||||
+/*
|
||||
+ * Print a warning when duplicate EFI variables are encountered and
|
||||
+ * disable the sysfs workqueue since the firmware is buggy.
|
||||
+ */
|
||||
+static void dup_variable_bug(efi_char16_t *s16, efi_guid_t *vendor_guid,
|
||||
+ unsigned long len16)
|
||||
+{
|
||||
+ size_t i, len8 = len16 / sizeof(efi_char16_t);
|
||||
+ char *s8;
|
||||
+
|
||||
+ /*
|
||||
+ * Disable the workqueue since the algorithm it uses for
|
||||
+ * detecting new variables won't work with this buggy
|
||||
|
@ -116,41 +105,6 @@ index 1e9d9b9..d64661f 100644
|
|||
+ */
|
||||
+ efivar_wq_enabled = false;
|
||||
+
|
||||
+ s8 = kzalloc(len8, GFP_KERNEL);
|
||||
+ if (!s8)
|
||||
+ return;
|
||||
+
|
||||
+ for (i = 0; i < len8; i++)
|
||||
+ s8[i] = s16[i];
|
||||
+
|
||||
+ printk(KERN_WARNING "efivars: duplicate variable: %s-%pUl\n",
|
||||
+ s8, vendor_guid);
|
||||
+ kfree(s8);
|
||||
+}
|
||||
+
|
||||
int register_efivars(struct efivars *efivars,
|
||||
const struct efivar_operations *ops,
|
||||
struct kobject *parent_kobj)
|
||||
@@ -2025,6 +2055,22 @@ int register_efivars(struct efivars *efivars,
|
||||
case EFI_SUCCESS:
|
||||
variable_name_size = var_name_strnsize(variable_name,
|
||||
variable_name_size);
|
||||
+
|
||||
+ /*
|
||||
+ * Some firmware implementations return the
|
||||
+ * same variable name on multiple calls to
|
||||
+ * get_next_variable(). Terminate the loop
|
||||
+ * immediately as there is no guarantee that
|
||||
+ * we'll ever see a different variable name,
|
||||
+ * and may end up looping here forever.
|
||||
+ */
|
||||
+ if (variable_is_present(variable_name, &vendor_guid)) {
|
||||
+ dup_variable_bug(variable_name, &vendor_guid,
|
||||
+ variable_name_size);
|
||||
+ status = EFI_NOT_FOUND;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
efivar_create_sysfs_entry(efivars,
|
||||
variable_name_size,
|
||||
variable_name,
|
||||
s8 = kzalloc(len8, GFP_KERNEL);
|
||||
if (!s8)
|
||||
return;
|
||||
|
|
|
@ -37,45 +37,14 @@ Cc: Lee, Chun-Yi <jlee@suse.com>
|
|||
Cc: Lingzhu Xiang <lxiang@redhat.com>
|
||||
Cc: Seiji Aguchi <seiji.aguchi@hds.com>
|
||||
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
|
||||
[bwh: Apply only the part not included in 3.8.6]
|
||||
---
|
||||
drivers/firmware/efivars.c | 32 +++++++++++++++++++++++++++++++-
|
||||
1 file changed, 31 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/firmware/efivars.c
|
||||
+++ b/drivers/firmware/efivars.c
|
||||
@@ -1044,6 +1044,31 @@ static bool variable_is_present(efi_char
|
||||
return found;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Returns the size of variable_name, in bytes, including the
|
||||
+ * terminating NULL character, or variable_name_size if no NULL
|
||||
+ * character is found among the first variable_name_size bytes.
|
||||
+ */
|
||||
+static unsigned long var_name_strnsize(efi_char16_t *variable_name,
|
||||
+ unsigned long variable_name_size)
|
||||
+{
|
||||
+ unsigned long len;
|
||||
+ efi_char16_t c;
|
||||
+
|
||||
+ /*
|
||||
+ * The variable name is, by definition, a NULL-terminated
|
||||
+ * string, so make absolutely sure that variable_name_size is
|
||||
+ * the value we expect it to be. If not, return the real size.
|
||||
+ */
|
||||
+ for (len = 2; len <= variable_name_size; len += sizeof(c)) {
|
||||
+ c = variable_name[(len / sizeof(c)) - 1];
|
||||
+ if (!c)
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ return min(len, variable_name_size);
|
||||
+}
|
||||
+
|
||||
static void efivar_update_sysfs_entries(struct work_struct *work)
|
||||
{
|
||||
struct efivars *efivars = &__efivars;
|
||||
@@ -1084,10 +1109,13 @@ static void efivar_update_sysfs_entries(
|
||||
@@ -1783,10 +1783,13 @@ static void efivar_update_sysfs_entries(
|
||||
if (!found) {
|
||||
kfree(variable_name);
|
||||
break;
|
||||
|
@ -90,12 +59,3 @@ Signed-off-by: Matt Fleming <matt.fleming@intel.com>
|
|||
}
|
||||
}
|
||||
|
||||
@@ -1318,6 +1346,8 @@ int register_efivars(struct efivars *efi
|
||||
&vendor_guid);
|
||||
switch (status) {
|
||||
case EFI_SUCCESS:
|
||||
+ variable_name_size = var_name_strnsize(variable_name,
|
||||
+ variable_name_size);
|
||||
efivar_create_sysfs_entry(efivars,
|
||||
variable_name_size,
|
||||
variable_name,
|
||||
|
|
|
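Review bot: The diffstat kept in the trimmed patch header, `drivers/firmware/efivars.c | 32 +++++++++++++++++++++++++++++++-` and `1 file changed, 31 insertions(+), 1 deletion(-)`, is now stale: this commit drops the 25-line `var_name_strnsize()` definition and the `register_efivars()` hunk from the patch because 3.8.6 already carries them, and the single remaining hunk, `@@ -1783,10 +1783,13 @@ static void efivar_update_sysfs_entries(`, can contribute at most three net added lines. Anyone auditing what Debian still carries on top of the stable tree would read "31 insertions" and look for code that is no longer there. Either regenerate the diffstat for the trimmed patch or delete those two lines, since the `[bwh: Apply only the part not included in 3.8.6]` note already records the trimming. The added lines of the surviving hunk are not visible on this page, so I cannot state its exact insertion/deletion count.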
@ -1,36 +0,0 @@
|
|||
From: Andrew Morton <akpm@linux-foundation.org>
|
||||
Date: Wed, 13 Mar 2013 14:59:34 -0700
|
||||
Subject: kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER
|
||||
|
||||
commit 522cff142d7d2f9230839c9e1f21a4d8bcc22a4a upstream.
|
||||
|
||||
__ARCH_HAS_SA_RESTORER is the preferred conditional for use in 3.9 and
|
||||
later kernels, per Kees.
|
||||
|
||||
Cc: Emese Revfy <re.emese@gmail.com>
|
||||
Cc: Emese Revfy <re.emese@gmail.com>
|
||||
Cc: PaX Team <pageexec@freemail.hu>
|
||||
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Cc: Oleg Nesterov <oleg@redhat.com>
|
||||
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Cc: Serge Hallyn <serge.hallyn@canonical.com>
|
||||
Cc: Julien Tinnes <jln@google.com>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
kernel/signal.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/signal.c b/kernel/signal.c
|
||||
index 43b0d4a..dd72567 100644
|
||||
--- a/kernel/signal.c
|
||||
+++ b/kernel/signal.c
|
||||
@@ -485,7 +485,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
|
||||
if (force_default || ka->sa.sa_handler != SIG_IGN)
|
||||
ka->sa.sa_handler = SIG_DFL;
|
||||
ka->sa.sa_flags = 0;
|
||||
-#ifdef SA_RESTORER
|
||||
+#ifdef __ARCH_HAS_SA_RESTORER
|
||||
ka->sa.sa_restorer = NULL;
|
||||
#endif
|
||||
sigemptyset(&ka->sa.sa_mask);
|
|
@ -1,149 +0,0 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sun, 25 Nov 2012 22:24:19 -0500
|
||||
Subject: signal: Fix use of missing sa_restorer field
|
||||
|
||||
flush_signal_handlers() needs to know whether sigaction::sa_restorer
|
||||
is defined, not whether SA_RESTORER is defined. Define the
|
||||
__ARCH_HAS_SA_RESTORER macro to indicate this.
|
||||
|
||||
Vaguely based on upstream commit 574c4866e33d 'consolidate kernel-side
|
||||
struct sigaction declarations'.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
--- a/arch/arm/include/asm/signal.h
|
||||
+++ b/arch/arm/include/asm/signal.h
|
||||
@@ -29,6 +29,7 @@ struct sigaction {
|
||||
__sigrestore_t sa_restorer;
|
||||
sigset_t sa_mask; /* mask last for extensibility */
|
||||
};
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
|
||||
struct k_sigaction {
|
||||
struct sigaction sa;
|
||||
--- a/arch/avr32/include/asm/signal.h
|
||||
+++ b/arch/avr32/include/asm/signal.h
|
||||
@@ -29,6 +29,7 @@ struct sigaction {
|
||||
__sigrestore_t sa_restorer;
|
||||
sigset_t sa_mask; /* mask last for extensibility */
|
||||
};
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
|
||||
struct k_sigaction {
|
||||
struct sigaction sa;
|
||||
--- a/arch/cris/include/asm/signal.h
|
||||
+++ b/arch/cris/include/asm/signal.h
|
||||
@@ -29,6 +29,7 @@ struct sigaction {
|
||||
void (*sa_restorer)(void);
|
||||
sigset_t sa_mask; /* mask last for extensibility */
|
||||
};
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
|
||||
struct k_sigaction {
|
||||
struct sigaction sa;
|
||||
--- a/arch/h8300/include/asm/signal.h
|
||||
+++ b/arch/h8300/include/asm/signal.h
|
||||
@@ -29,6 +29,7 @@ struct sigaction {
|
||||
void (*sa_restorer)(void);
|
||||
sigset_t sa_mask; /* mask last for extensibility */
|
||||
};
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
|
||||
struct k_sigaction {
|
||||
struct sigaction sa;
|
||||
--- a/arch/m32r/include/asm/signal.h
|
||||
+++ b/arch/m32r/include/asm/signal.h
|
||||
@@ -22,6 +22,7 @@ struct sigaction {
|
||||
__sigrestore_t sa_restorer;
|
||||
sigset_t sa_mask; /* mask last for extensibility */
|
||||
};
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
|
||||
struct k_sigaction {
|
||||
struct sigaction sa;
|
||||
--- a/arch/m68k/include/asm/signal.h
|
||||
+++ b/arch/m68k/include/asm/signal.h
|
||||
@@ -29,6 +29,7 @@ struct sigaction {
|
||||
__sigrestore_t sa_restorer;
|
||||
sigset_t sa_mask; /* mask last for extensibility */
|
||||
};
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
|
||||
struct k_sigaction {
|
||||
struct sigaction sa;
|
||||
--- a/arch/mn10300/include/asm/signal.h
|
||||
+++ b/arch/mn10300/include/asm/signal.h
|
||||
@@ -39,6 +39,7 @@ struct sigaction {
|
||||
__sigrestore_t sa_restorer;
|
||||
sigset_t sa_mask; /* mask last for extensibility */
|
||||
};
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
|
||||
struct k_sigaction {
|
||||
struct sigaction sa;
|
||||
--- a/arch/powerpc/include/asm/signal.h
|
||||
+++ b/arch/powerpc/include/asm/signal.h
|
||||
@@ -1,6 +1,7 @@
|
||||
#ifndef _ASM_POWERPC_SIGNAL_H
|
||||
#define _ASM_POWERPC_SIGNAL_H
|
||||
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
#include <uapi/asm/signal.h>
|
||||
|
||||
#endif /* _ASM_POWERPC_SIGNAL_H */
|
||||
--- a/arch/s390/include/asm/signal.h
|
||||
+++ b/arch/s390/include/asm/signal.h
|
||||
@@ -34,6 +34,7 @@ struct sigaction {
|
||||
void (*sa_restorer)(void);
|
||||
sigset_t sa_mask; /* mask last for extensibility */
|
||||
};
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
|
||||
struct k_sigaction {
|
||||
struct sigaction sa;
|
||||
--- a/arch/sparc/include/asm/signal.h
|
||||
+++ b/arch/sparc/include/asm/signal.h
|
||||
@@ -26,5 +26,7 @@ struct k_sigaction {
|
||||
void __user *ka_restorer;
|
||||
};
|
||||
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
+
|
||||
#endif /* !(__ASSEMBLY__) */
|
||||
#endif /* !(__SPARC_SIGNAL_H) */
|
||||
--- a/arch/x86/include/asm/signal.h
|
||||
+++ b/arch/x86/include/asm/signal.h
|
||||
@@ -31,6 +31,9 @@ typedef sigset_t compat_sigset_t;
|
||||
#include <uapi/asm/signal.h>
|
||||
#ifndef __ASSEMBLY__
|
||||
extern void do_notify_resume(struct pt_regs *, void *, __u32);
|
||||
+
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
+
|
||||
#ifdef __i386__
|
||||
struct old_sigaction {
|
||||
__sighandler_t sa_handler;
|
||||
--- a/arch/xtensa/include/asm/signal.h
|
||||
+++ b/arch/xtensa/include/asm/signal.h
|
||||
@@ -21,6 +21,7 @@ struct sigaction {
|
||||
void (*sa_restorer)(void);
|
||||
sigset_t sa_mask; /* mask last for extensibility */
|
||||
};
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
|
||||
struct k_sigaction {
|
||||
struct sigaction sa;
|
||||
--- a/include/uapi/asm-generic/signal.h
|
||||
+++ b/include/uapi/asm-generic/signal.h
|
||||
@@ -93,6 +93,10 @@ typedef unsigned long old_sigset_t;
|
||||
|
||||
#include <asm-generic/signal-defs.h>
|
||||
|
||||
+#ifdef SA_RESTORER
|
||||
+#define __ARCH_HAS_SA_RESTORER
|
||||
+#endif
|
||||
+
|
||||
struct sigaction {
|
||||
__sighandler_t sa_handler;
|
||||
unsigned long sa_flags;
|
|
@ -1,161 +0,0 @@
|
|||
From: Andy Honig <ahonig@google.com>
|
||||
Date: Wed, 20 Feb 2013 14:48:10 -0800
|
||||
Subject: KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache
|
||||
functions (CVE-2013-1797)
|
||||
|
||||
commit 0b79459b482e85cb7426aa7da683a9f2c97aeae1 upstream.
|
||||
|
||||
There is a potential use after free issue with the handling of
|
||||
MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
|
||||
memory such as frame buffers then KVM might continue to write to that
|
||||
address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
|
||||
the page in memory so it's unlikely to cause an issue, but if the user
|
||||
space component re-purposes the memory previously used for the guest, then
|
||||
the guest will be able to corrupt that memory.
|
||||
|
||||
Tested: Tested against kvmclock unit test
|
||||
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
||||
---
|
||||
arch/x86/include/asm/kvm_host.h | 4 ++--
|
||||
arch/x86/kvm/x86.c | 47 +++++++++++++++++----------------------
|
||||
2 files changed, 22 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
|
||||
index 635a74d..4979778 100644
|
||||
--- a/arch/x86/include/asm/kvm_host.h
|
||||
+++ b/arch/x86/include/asm/kvm_host.h
|
||||
@@ -414,8 +414,8 @@ struct kvm_vcpu_arch {
|
||||
gpa_t time;
|
||||
struct pvclock_vcpu_time_info hv_clock;
|
||||
unsigned int hw_tsc_khz;
|
||||
- unsigned int time_offset;
|
||||
- struct page *time_page;
|
||||
+ struct gfn_to_hva_cache pv_time;
|
||||
+ bool pv_time_enabled;
|
||||
/* set guest stopped flag in pvclock flags field */
|
||||
bool pvclock_set_guest_stopped_request;
|
||||
|
||||
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
|
||||
index 2ade60c..f19ac0a 100644
|
||||
--- a/arch/x86/kvm/x86.c
|
||||
+++ b/arch/x86/kvm/x86.c
|
||||
@@ -1406,10 +1406,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
|
||||
unsigned long flags, this_tsc_khz;
|
||||
struct kvm_vcpu_arch *vcpu = &v->arch;
|
||||
struct kvm_arch *ka = &v->kvm->arch;
|
||||
- void *shared_kaddr;
|
||||
s64 kernel_ns, max_kernel_ns;
|
||||
u64 tsc_timestamp, host_tsc;
|
||||
- struct pvclock_vcpu_time_info *guest_hv_clock;
|
||||
+ struct pvclock_vcpu_time_info guest_hv_clock;
|
||||
u8 pvclock_flags;
|
||||
bool use_master_clock;
|
||||
|
||||
@@ -1463,7 +1462,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
|
||||
|
||||
local_irq_restore(flags);
|
||||
|
||||
- if (!vcpu->time_page)
|
||||
+ if (!vcpu->pv_time_enabled)
|
||||
return 0;
|
||||
|
||||
/*
|
||||
@@ -1525,12 +1524,12 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
|
||||
*/
|
||||
vcpu->hv_clock.version += 2;
|
||||
|
||||
- shared_kaddr = kmap_atomic(vcpu->time_page);
|
||||
-
|
||||
- guest_hv_clock = shared_kaddr + vcpu->time_offset;
|
||||
+ if (unlikely(kvm_read_guest_cached(v->kvm, &vcpu->pv_time,
|
||||
+ &guest_hv_clock, sizeof(guest_hv_clock))))
|
||||
+ return 0;
|
||||
|
||||
/* retain PVCLOCK_GUEST_STOPPED if set in guest copy */
|
||||
- pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED);
|
||||
+ pvclock_flags = (guest_hv_clock.flags & PVCLOCK_GUEST_STOPPED);
|
||||
|
||||
if (vcpu->pvclock_set_guest_stopped_request) {
|
||||
pvclock_flags |= PVCLOCK_GUEST_STOPPED;
|
||||
@@ -1543,12 +1542,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
|
||||
|
||||
vcpu->hv_clock.flags = pvclock_flags;
|
||||
|
||||
- memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock,
|
||||
- sizeof(vcpu->hv_clock));
|
||||
-
|
||||
- kunmap_atomic(shared_kaddr);
|
||||
-
|
||||
- mark_page_dirty(v->kvm, vcpu->time >> PAGE_SHIFT);
|
||||
+ kvm_write_guest_cached(v->kvm, &vcpu->pv_time,
|
||||
+ &vcpu->hv_clock,
|
||||
+ sizeof(vcpu->hv_clock));
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -1837,10 +1833,7 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
|
||||
|
||||
static void kvmclock_reset(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
- if (vcpu->arch.time_page) {
|
||||
- kvm_release_page_dirty(vcpu->arch.time_page);
|
||||
- vcpu->arch.time_page = NULL;
|
||||
- }
|
||||
+ vcpu->arch.pv_time_enabled = false;
|
||||
}
|
||||
|
||||
static void accumulate_steal_time(struct kvm_vcpu *vcpu)
|
||||
@@ -1947,6 +1940,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
|
||||
break;
|
||||
case MSR_KVM_SYSTEM_TIME_NEW:
|
||||
case MSR_KVM_SYSTEM_TIME: {
|
||||
+ u64 gpa_offset;
|
||||
kvmclock_reset(vcpu);
|
||||
|
||||
vcpu->arch.time = data;
|
||||
@@ -1956,19 +1950,17 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
|
||||
if (!(data & 1))
|
||||
break;
|
||||
|
||||
- /* ...but clean it before doing the actual write */
|
||||
- vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
|
||||
+ gpa_offset = data & ~(PAGE_MASK | 1);
|
||||
|
||||
/* Check that the address is 32-byte aligned. */
|
||||
- if (vcpu->arch.time_offset &
|
||||
- (sizeof(struct pvclock_vcpu_time_info) - 1))
|
||||
+ if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1))
|
||||
break;
|
||||
|
||||
- vcpu->arch.time_page =
|
||||
- gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
|
||||
-
|
||||
- if (is_error_page(vcpu->arch.time_page))
|
||||
- vcpu->arch.time_page = NULL;
|
||||
+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
|
||||
+ &vcpu->arch.pv_time, data & ~1ULL))
|
||||
+ vcpu->arch.pv_time_enabled = false;
|
||||
+ else
|
||||
+ vcpu->arch.pv_time_enabled = true;
|
||||
|
||||
break;
|
||||
}
|
||||
@@ -2972,7 +2964,7 @@ static int kvm_vcpu_ioctl_x86_set_xcrs(struct kvm_vcpu *vcpu,
|
||||
*/
|
||||
static int kvm_set_guest_paused(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
- if (!vcpu->arch.time_page)
|
||||
+ if (!vcpu->arch.pv_time_enabled)
|
||||
return -EINVAL;
|
||||
vcpu->arch.pvclock_set_guest_stopped_request = true;
|
||||
kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
|
||||
@@ -6723,6 +6715,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
|
||||
goto fail_free_wbinvd_dirty_mask;
|
||||
|
||||
vcpu->arch.ia32_tsc_adjust_msr = 0x0;
|
||||
+ vcpu->arch.pv_time_enabled = false;
|
||||
kvm_async_pf_hash_reset(vcpu);
|
||||
kvm_pmu_init(vcpu);
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From: Andy Honig <ahonig@google.com>
|
||||
Date: Mon, 11 Mar 2013 09:34:52 -0700
|
||||
Subject: KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME
|
||||
(CVE-2013-1796)
|
||||
|
||||
commit c300aa64ddf57d9c5d9c898a64b36877345dd4a9 upstream.
|
||||
|
||||
If the guest sets the GPA of the time_page so that the request to update the
|
||||
time straddles a page then KVM will write onto an incorrect page. The
|
||||
write is done byusing kmap atomic to get a pointer to the page for the time
|
||||
structure and then performing a memcpy to that page starting at an offset
|
||||
that the guest controls. Well behaved guests always provide a 32-byte aligned
|
||||
address, however a malicious guest could use this to corrupt host kernel
|
||||
memory.
|
||||
|
||||
Tested: Tested against kvmclock unit test.
|
||||
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/x86.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
|
||||
index f7c850b..2ade60c 100644
|
||||
--- a/arch/x86/kvm/x86.c
|
||||
+++ b/arch/x86/kvm/x86.c
|
||||
@@ -1959,6 +1959,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
|
||||
/* ...but clean it before doing the actual write */
|
||||
vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
|
||||
|
||||
+ /* Check that the address is 32-byte aligned. */
|
||||
+ if (vcpu->arch.time_offset &
|
||||
+ (sizeof(struct pvclock_vcpu_time_info) - 1))
|
||||
+ break;
|
||||
+
|
||||
vcpu->arch.time_page =
|
||||
gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
From: Jani Nikula <jani.nikula@intel.com>
|
||||
Date: Tue, 22 Jan 2013 10:50:35 +0000
|
||||
Subject: drm/i915: add quirk to invert brightness on eMachines e725
|
||||
|
||||
commit 01e3a8feb40e54b962a20fa7eb595c5efef5e109 upstream.
|
||||
|
||||
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=31522#c35
|
||||
[Note: There are more than one broken setups in the bug. This fixes one.]
|
||||
Reported-by: Martins <andrissr@inbox.lv>
|
||||
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
||||
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||||
---
|
||||
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
|
||||
index 44f9d8f..8575a62 100644
|
||||
--- a/drivers/gpu/drm/i915/intel_display.c
|
||||
+++ b/drivers/gpu/drm/i915/intel_display.c
|
||||
@@ -8602,6 +8602,9 @@ static struct intel_quirk intel_quirks[] = {
|
||||
|
||||
/* Acer/eMachines G725 */
|
||||
{ 0x2a42, 0x1025, 0x0210, quirk_invert_brightness },
|
||||
+
|
||||
+ /* Acer/eMachines e725 */
|
||||
+ { 0x2a42, 0x1025, 0x0212, quirk_invert_brightness },
|
||||
};
|
||||
|
||||
static void intel_init_quirks(struct drm_device *dev)
|
|
@ -1,24 +0,0 @@
|
|||
From: Jani Nikula <jani.nikula@intel.com>
|
||||
Date: Tue, 22 Jan 2013 10:50:34 +0000
|
||||
Subject: drm/i915: add quirk to invert brightness on eMachines G725
|
||||
|
||||
commit 1ffff60320879830e469e26062c18f75236822ba upstream.
|
||||
|
||||
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=59628
|
||||
Reported-by: Roland Gruber <post@rolandgruber.de>
|
||||
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
||||
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||||
[bwh: Adjust context to apply after 3.8.1]
|
||||
---
|
||||
--- a/drivers/gpu/drm/i915/intel_display.c
|
||||
+++ b/drivers/gpu/drm/i915/intel_display.c
|
||||
@@ -8599,6 +8599,9 @@ static struct intel_quirk intel_quirks[] = {
|
||||
|
||||
/* Acer Aspire 4736Z */
|
||||
{ 0x2a42, 0x1025, 0x0260, quirk_invert_brightness },
|
||||
+
|
||||
+ /* Acer/eMachines G725 */
|
||||
+ { 0x2a42, 0x1025, 0x0210, quirk_invert_brightness },
|
||||
};
|
||||
|
||||
static void intel_init_quirks(struct drm_device *dev)
|
|
@ -1,25 +0,0 @@
|
|||
From: Jani Nikula <jani.nikula@intel.com>
|
||||
Date: Tue, 22 Jan 2013 10:50:36 +0000
|
||||
Subject: drm/i915: add quirk to invert brightness on Packard Bell NCL20
|
||||
|
||||
commit 5559ecadad5a73b27f863e92f4b4f369501dce6f upstream.
|
||||
|
||||
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=44156
|
||||
Reported-by: Alan Zimmerman <alan.zimm@gmail.com>
|
||||
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
||||
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||||
---
|
||||
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
|
||||
index 8575a62..7262786 100644
|
||||
--- a/drivers/gpu/drm/i915/intel_display.c
|
||||
+++ b/drivers/gpu/drm/i915/intel_display.c
|
||||
@@ -8605,6 +8605,9 @@ static struct intel_quirk intel_quirks[] = {
|
||||
|
||||
/* Acer/eMachines e725 */
|
||||
{ 0x2a42, 0x1025, 0x0212, quirk_invert_brightness },
|
||||
+
|
||||
+ /* Acer/Packard Bell NCL20 */
|
||||
+ { 0x2a42, 0x1025, 0x034b, quirk_invert_brightness },
|
||||
};
|
||||
|
||||
static void intel_init_quirks(struct drm_device *dev)
|
|
@ -70,21 +70,13 @@ features/all/alx/mark-as-staging.patch
|
|||
|
||||
bugfix/ia64/nouveau-ACPI-support-is-dependent-on-X86.patch
|
||||
debian/radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
|
||||
bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-g725.patch
|
||||
bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-e725.patch
|
||||
bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch
|
||||
|
||||
bugfix/all/mm-Try-harder-to-allocate-vmemmap-blocks.patch
|
||||
features/all/alx/alx-update-for-3.8.patch
|
||||
bugfix/mips/mips-add-dependencies-for-have_arch_transparent_hugepage.patch
|
||||
bugfix/all/signal-fix-use-of-missing-sa_restorer-field.patch
|
||||
bugfix/all/kernel-signal.c-use-__ARCH_HAS_SA_RESTORER-instead-o.patch
|
||||
debian/efi-autoload-efivars.patch
|
||||
bugfix/all/efi_pstore-Introducing-workqueue-updating-sysfs.patch
|
||||
bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch
|
||||
bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch
|
||||
debian/efivars-remove-check-for-50-full-on-write.patch
|
||||
bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
|
||||
bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
|
||||
bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
|
||||
debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
|
||||
|
|