Hello community, here is the log from the commit of package kernel-source for openSUSE:11.3 checked in at Tue Oct 25 23:35:49 CEST 2011.
-------- --- old-versions/11.3/UPDATES/all/kernel-source/kernel-debug.changes 2011-07-21 07:02:45.000000000 +0200 +++ 11.3/kernel-source/kernel-debug.changes 2011-10-24 17:22:05.000000000 +0200 
@@ -1,0 +2,116 @@ +Wed Oct 19 22:09:05 CEST 2011 - [email protected] + +- patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch: + Ecryptfs: Add mount option to check uid of device being mounted + = expect uid (bnc#711539 CVE-2011-1833). + +------------------------------------------------------------------- +Tue Oct 11 14:56:41 CEST 2011 - [email protected] + +- patches.xen/xen-netback-multiple-tasklets: Refresh (bnc#719117). +- patches.xen/xen-netback-kernel-threads: Refresh. + +------------------------------------------------------------------- +Thu Oct 6 22:17:01 CEST 2011 - [email protected] + +- patches.fixes/drm-radeon-kms-fix-i2c-masks.patch: + drm/radeon/kms: Fix I2C mask definitions (bnc#712023). + +------------------------------------------------------------------- +Thu Oct 6 15:36:13 CEST 2011 - [email protected] + +- patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch: + ext4: Fix max file size and logical block counting of extent + format file (bnc#706374). + +------------------------------------------------------------------- +Mon Oct 3 18:35:04 CEST 2011 - [email protected] + +- patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch: + cifs: add fallback in is_path_accessible for old servers + (bnc#718028). + +------------------------------------------------------------------- +Fri Sep 30 08:52:47 CEST 2011 - [email protected] + +- series.conf: Disable + patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch + for now, it is causing a regression (bnc#712023). + +------------------------------------------------------------------- +Thu Sep 29 02:21:19 CEST 2011 - [email protected] + +- patches.fixes/perf_software_event_overflow.patch: perf: Fix + software event overflow (bnc#712366, CVE-2011-2918). 
+ +------------------------------------------------------------------- +Fri Sep 23 11:34:36 CEST 2011 - [email protected] + +- patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch: + fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message (bnc#716901 + CVE-2011-3353). + +------------------------------------------------------------------- +Sun Sep 18 22:18:43 CEST 2011 - [email protected] + +- patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch: + Update references (bnc#718028, CVE-2011-3363). + +------------------------------------------------------------------- +Sun Sep 18 22:06:12 CEST 2011 - [email protected] + +- patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch: + cifs: always do is_path_accessible check in cifs_mount + (bnc#718028). + +------------------------------------------------------------------- +Thu Sep 8 21:52:24 CEST 2011 - [email protected] + +- patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch: + Add Git-commit tag. + +------------------------------------------------------------------- +Wed Aug 31 11:34:51 CEST 2011 - [email protected] + +- patches.fixes/pty-fix-pty-counting.patch: TTY: pty, fix pty + counting (bnc#711203). + +------------------------------------------------------------------- +Mon Aug 29 17:14:43 CEST 2011 - [email protected] + +- patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch: + cifs: fix possible memory corruption in CIFSFindNext + (bnc#714001, CVE-2011-3191). + +------------------------------------------------------------------- +Fri Aug 12 16:41:35 CEST 2011 - [email protected] + +- patches.fixes/validate-size-of-efi-guid-partition-entries.patch: + Validate size of EFI GUID partition entries (bnc#692784, + CVE-2011-1776). + +------------------------------------------------------------------- +Tue Aug 9 09:41:24 CEST 2011 - [email protected] + +- Update Xen patches to 2.6.34.10. 
+- patches.xen/1080-blkfront-xenbus-gather-format.patch: blkfront: fix + data size for xenbus_gather in connect(). +- patches.xen/1081-blkback-resize-transaction-end.patch: xenbus: fix + xenbus_transaction_start() hang caused by double + xenbus_transaction_end(). +- patches.xen/1089-blkback-barrier-check.patch: blkback: don't fail + empty barrier requests. +- patches.xen/1090-blktap-locking.patch: blktap: fix locking + (bnc#685276). +- patches.xen/1091-xenbus-dev-no-BUG.patch: xenbus: don't BUG() on user + mode induced conditions (bnc#696107). +- patches.xen/1098-blkfront-cdrom-ioctl-check.patch: blkfront: avoid + NULL de-reference in CDROM ioctl handling (bnc#701355). + +------------------------------------------------------------------- +Sat Aug 6 11:36:37 CEST 2011 - [email protected] + +- patches.drivers/intr-remap-allow-disabling-source-id-checking.patch: + intr-remap: allow disabling source id checking (bnc#710352). + +------------------------------------------------------------------- kernel-default.changes: same change kernel-desktop.changes: same change kernel-docs.changes: same change kernel-ec2.changes: same change kernel-net.changes: same change kernel-pae.changes: same change kernel-ppc64.changes: same change kernel-ps3.changes: same change kernel-s390.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-trace.changes: same change kernel-vanilla.changes: same change kernel-vmi.changes: same change kernel-xen.changes: same change calling whatdependson for 11.3-i586 Old: ---- minmem needed_space_in_mb ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kernel-debug.spec ++++++ --- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200 +++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200 
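Review bot: the Oct 3 changelog entry for cifs-add-fallback-in-is_path_accessible-for-old-serv.patch should say that it is a follow-up to the Sep 18 cifs-always-do-is_path_accessible-check-in-cifs_moun.patch (CVE-2011-3363): both entries cite bnc#718028, and the fallback exists because the now-unconditional is_path_accessible check issues a QPathInfo call that the win9x-era servers named in the patch do not support, so mounts of those servers would fail the check without it. As written, a reader of the changelog cannot tell that the two entries belong together or that the second one repairs a side effect of the CVE fix.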
@@ -56,7 +56,7 @@ Name: kernel-debug Summary: A Debug Version of the Kernel Version: 2.6.34.10 -Release: 0.<RELEASE2> +Release: 0.<RELEASE4> %if %using_buildservice %else %endif kernel-default.spec: same change kernel-desktop.spec: same change ++++++ kernel-ec2.spec ++++++ --- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200 +++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200 @@ -56,7 +56,7 @@ Name: kernel-ec2 Summary: The Amazon EC2 Xen Kernel Version: 2.6.34.10 -Release: 0.<RELEASE2> +Release: 0.<RELEASE4> %if %using_buildservice %else %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200 +++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200 @@ -56,7 +56,7 @@ Name: kernel-pae Summary: Kernel with PAE Support Version: 2.6.34.10 -Release: 0.<RELEASE2> +Release: 0.<RELEASE4> %if %using_buildservice %else %endif kernel-ps3.spec: same change kernel-s390.spec: same change ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200 +++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200 @@ -31,7 +31,7 @@ Name: kernel-source Summary: The Linux Kernel Sources Version: 2.6.34.10 -Release: 0.<RELEASE2> +Release: 0.<RELEASE4> %if %using_buildservice %else %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200 +++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200 
@@ -24,7 +24,7 @@ Name: kernel-syms Summary: Kernel Symbol Versions (modversions) Version: 2.6.34.10 -Release: 0.<RELEASE2> +Release: 0.<RELEASE4> %if %using_buildservice %else %define kernel_source_release %(LC_ALL=C rpm -q kernel-devel%variant-%version --qf "%{RELEASE}" | grep -v 'not installed' || echo 0) ++++++ kernel-trace.spec ++++++ --- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200 +++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200 @@ -56,7 +56,7 @@ Name: kernel-trace Summary: The Realtime Linux Kernel Version: 2.6.34.10 -Release: 0.<RELEASE2> +Release: 0.<RELEASE4> %if %using_buildservice %else %endif kernel-vanilla.spec: same change kernel-vmi.spec: same change kernel-xen.spec: same change ++++++ patches.drivers.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/intr-remap-allow-disabling-source-id-checking.patch new/patches.drivers/intr-remap-allow-disabling-source-id-checking.patch --- old/patches.drivers/intr-remap-allow-disabling-source-id-checking.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/intr-remap-allow-disabling-source-id-checking.patch 2011-08-06 11:44:49.000000000 +0200 
@@ -0,0 +1,88 @@ +From d1423d5679875ebbbc2fc63b33d465baceee0430 Mon Sep 17 00:00:00 2001 +From: Chris Wright <[email protected]> +Date: Tue, 20 Jul 2010 11:06:49 -0700 +Subject: intr-remap: allow disabling source id checking +Git-commit: d1423d5679875ebbbc2fc63b33d465baceee0430 +Patch-mainline: v2.6.36-rc1 +References: bnc#710352 + +Allow disabling the source id checking while programming the interrupt +remap table entry. Useful for debugging or working around the broken +source id checks on some platforms. + +Signed-off-by: Chris Wright <[email protected]> +Acked-by: Suresh Siddha <[email protected]> +Acked-by: Weidong Han <[email protected]> +Signed-off-by: David Woodhouse <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + Documentation/kernel-parameters.txt | 7 +++++++ + drivers/pci/intr_remapping.c | 20 ++++++++++++++++++++ + 2 files changed, 27 insertions(+) + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -993,6 +993,12 @@ and is between 256 and 4096 characters. + result in a hardware IOTLB flush operation as opposed + to batching them for performance. + ++ intremap= [X86-64, Intel-IOMMU] ++ Format: { on (default) | off | nosid } ++ on enable Interrupt Remapping (default) ++ off disable Interrupt Remapping ++ nosid disable Source ID checking ++ + inttest= [IA64] + + iomem= Disable strict checking of access to MMIO memory +@@ -1716,6 +1722,7 @@ and is between 256 and 4096 characters. + + nointremap [X86-64, Intel-IOMMU] Do not enable interrupt + remapping. 
++ [Deprecated - use intremap=off] + + nointroute [IA-64] + +--- a/drivers/pci/intr_remapping.c ++++ b/drivers/pci/intr_remapping.c +@@ -20,6 +20,8 @@ static int ir_ioapic_num, ir_hpet_num; + int intr_remapping_enabled; + + static int disable_intremap; ++static int disable_sourceid_checking; ++ + static __init int setup_nointremap(char *str) + { + disable_intremap = 1; +@@ -27,6 +29,22 @@ static __init int setup_nointremap(char + } + early_param("nointremap", setup_nointremap); + ++static __init int setup_intremap(char *str) ++{ ++ if (!str) ++ return -EINVAL; ++ ++ if (!strncmp(str, "on", 2)) ++ disable_intremap = 0; ++ else if (!strncmp(str, "off", 3)) ++ disable_intremap = 1; ++ else if (!strncmp(str, "nosid", 5)) ++ disable_sourceid_checking = 1; ++ ++ return 0; ++} ++early_param("intremap", setup_intremap); ++ + struct irq_2_iommu { + struct intel_iommu *iommu; + u16 irte_index; +@@ -452,6 +470,8 @@ int free_irte(int irq) + static void set_irte_sid(struct irte *irte, unsigned int svt, + unsigned int sq, unsigned int sid) + { ++ if (disable_sourceid_checking) ++ svt = SVT_NO_VERIFY; + irte->svt = svt; + irte->sq = sq; + irte->sid = sid; ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch new/patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch --- old/patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch 2011-10-19 22:16:41.000000000 +0200 
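Review bot: in the setup_intremap() hunk of intr_remapping.c, strncmp(str, "on", 2), strncmp(str, "off", 3) and strncmp(str, "nosid", 5) are prefix matches, so values such as intremap=online or intremap=nosidX are accepted, and any unrecognized value falls through and returns 0 with no message, leaving the default silently in place; suggest matching with strcmp (or checking that the next character is a terminator) and returning -EINVAL from a final else branch so a mistyped boot parameter is reported. Also, because set_irte_sid() forces svt = SVT_NO_VERIFY for every entry once disable_sourceid_checking is set, the kernel-parameters.txt entry should state that nosid turns off source-ID checking for all remapped interrupts on the system, not only for the platform's broken sources, so an administrator reading the one-line "disable Source ID checking" understands the isolation trade-off.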
@@ -0,0 +1,36 @@ +From: Jeff Layton <[email protected]> +Date: Tue, 17 May 2011 06:40:30 -0400 +Subject: cifs: add fallback in is_path_accessible for old servers +References: bnc#718028 +Patch-mainline: v2.6.39 +Git-commit: 221d1d797202984cb874e3ed9f1388593d34ee22 + +The is_path_accessible check uses a QPathInfo call, which isn't +supported by ancient win9x era servers. Fall back to an older +SMBQueryInfo call if it fails with the magic error codes. + +Cc: [email protected] +Reported-and-Tested-by: Sandro Bonazzola <[email protected]> +Signed-off-by: Jeff Layton <[email protected]> +Signed-off-by: Steve French <[email protected]> +Signed-off-by: Suresh Jayaraman <[email protected]> +--- + fs/cifs/connect.c | 5 +++++ + 1 file changed, 5 insertions(+) + +Index: linux-2.6.34-openSUSE-11.3/fs/cifs/connect.c +=================================================================== +--- linux-2.6.34-openSUSE-11.3.orig/fs/cifs/connect.c ++++ linux-2.6.34-openSUSE-11.3/fs/cifs/connect.c +@@ -2261,6 +2261,11 @@ is_path_accessible(int xid, struct cifsT + 0 /* not legacy */, cifs_sb->local_nls, + cifs_sb->mnt_cifs_flags & + CIFS_MOUNT_MAP_SPECIAL_CHR); ++ ++ if (rc == -EOPNOTSUPP || rc == -EINVAL) ++ rc = SMBQueryInformation(xid, tcon, full_path, pfile_info, ++ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags & ++ CIFS_MOUNT_MAP_SPECIAL_CHR); + kfree(pfile_info); + return rc; + } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch new/patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch --- old/patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch 2011-10-19 22:16:41.000000000 +0200 
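Review bot: the new fallback in is_path_accessible() in cifs-add-fallback-in-is_path_accessible-for-old-serv.patch fires on rc == -EINVAL as well as -EOPNOTSUPP, but the commit message only calls these "the magic error codes" without saying which server response produces each; -EINVAL is a generic code that the first call could return for reasons unrelated to server age, and since rc is overwritten by the second call, the original error is then masked. A short comment above the if naming the legacy-server behaviour behind each code, and confirming that pfile_info (allocated for the QPathInfo response) is the buffer type SMBQueryInformation() expects, would make the fallback reviewable.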
@@ -0,0 +1,42 @@ +From: Jeff Layton <[email protected]> +Date: Mon, 14 Mar 2011 13:48:08 -0400 +Subject: cifs: always do is_path_accessible check in cifs_mount +Patch-mainline: v2.6.39-rc4 +References: bnc#718028, CVE-2011-3363 +Git-commit: 70945643722ffeac779d2529a348f99567fa5c33 + +Currently, we skip doing the is_path_accessible check in cifs_mount if +there is no prefixpath. I have a report of at least one server however +that allows a TREE_CONNECT to a share that has a DFS referral at its +root. The reporter in this case was using a UNC that had no prefixpath, +so the is_path_accessible check was not triggered and the box later hit +a BUG() because we were chasing a DFS referral on the root dentry for +the mount. + +This patch fixes this by removing the check for a zero-length +prefixpath. That should make the is_path_accessible check be done in +this situation and should allow the client to chase the DFS referral at +mount time instead. + +Cc: [email protected] +Reported-and-Tested-by: Yogesh Sharma <[email protected]> +Signed-off-by: Jeff Layton <[email protected]> +Signed-off-by: Steve French <[email protected]> +Signed-off-by: Suresh Jayaraman <[email protected]> +--- + fs/cifs/connect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: linux-2.6.34-openSUSE-11.3/fs/cifs/connect.c +=================================================================== +--- linux-2.6.34-openSUSE-11.3.orig/fs/cifs/connect.c ++++ linux-2.6.34-openSUSE-11.3/fs/cifs/connect.c +@@ -2563,7 +2563,7 @@ try_mount_again: + + remote_path_check: + /* check if a whole path (including prepath) is not remote */ +- if (!rc && cifs_sb->prepathlen && tcon) { ++ if (!rc && tcon) { + /* build_path_to_root works only when we have a valid tcon */ + full_path = cifs_build_path_to_root(cifs_sb); + if (full_path == NULL) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch 
new/patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch --- old/patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch 2011-10-19 22:16:41.000000000 +0200 
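Review bot: in the cifs_mount hunk of cifs-always-do-is_path_accessible-check-in-cifs_moun.patch, the condition drops cifs_sb->prepathlen so the check now runs for every mount with a valid tcon, but the comment above it, "check if a whole path (including prepath) is not remote", still describes the old prepath-triggered behaviour; update it to say the share root is checked as well, so that a DFS referral at the root is chased at mount time instead of reaching the BUG() the message describes. That also documents why the one-token change is the CVE-2011-3363 fix and keeps a later cleanup from reinstating the prepathlen test.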
@@ -0,0 +1,44 @@ +From: Jeff Layton <[email protected]> +Date: Tue, 23 Aug 2011 07:21:28 -0400 +Subject: cifs: fix possible memory corruption in CIFSFindNext +References: bnc#714001, CVE-2011-3191 +Patch-mainline: 3.1 (expected) +Git-commit: c32dfffaf59f73bbcf4472141b851a4dc5db2bf0 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6.git + +The name_len variable in CIFSFindNext is a signed int that gets set to +the resume_name_len in the cifs_search_info. The resume_name_len however +is unsigned and for some infolevels is populated directly from a 32 bit +value sent by the server. + +If the server sends a very large value for this, then that value could +look negative when converted to a signed int. That would make that +value pass the PATH_MAX check later in CIFSFindNext. The name_len would +then be used as a length value for a memcpy. It would then be treated +as unsigned again, and the memcpy scribbles over a ton of memory. + +Fix this by making the name_len an unsigned value in CIFSFindNext. 
+ +Cc: <[email protected]> +Reported-by: Darren Lavender <[email protected]> +Signed-off-by: Jeff Layton <[email protected]> +Signed-off-by: Steve French <[email protected]> +Signed-off-by: Suresh Jayaraman <[email protected]> +--- + fs/cifs/cifssmb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: linux-2.6.34-openSUSE-11.3/fs/cifs/cifssmb.c +=================================================================== +--- linux-2.6.34-openSUSE-11.3.orig/fs/cifs/cifssmb.c ++++ linux-2.6.34-openSUSE-11.3/fs/cifs/cifssmb.c +@@ -3743,7 +3743,8 @@ int CIFSFindNext(const int xid, struct c + T2_FNEXT_RSP_PARMS *parms; + char *response_data; + int rc = 0; +- int bytes_returned, name_len; ++ int bytes_returned; ++ unsigned int name_len; + __u16 params, byte_count; + + cFYI(1, ("In FindNext")); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch new/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch --- old/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch 2011-10-19 22:16:41.000000000 +0200 
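Review bot: the cifssmb.c hunk in cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch only changes the declaration of name_len to unsigned int, while the fix relies on the later PATH_MAX comparison and the memcpy length that are outside the shown context, so the diff alone does not let a reviewer confirm that every other use of name_len (debug printks with %d, comparisons against signed values such as bytes_returned) still compiles without new signed/unsigned comparison warnings; please include the PATH_MAX check site in the context or cite it in the message. Because the change looks cosmetic in isolation, a one-line comment at the declaration (for example, "unsigned: server-supplied resume_name_len must not pass the PATH_MAX check as a negative int") would keep the intent from being undone by a future cleanup.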
@@ -0,0 +1,30 @@ +From: Jean Delvare <[email protected]> +Subject: drm/radeon/kms: Fix I2C mask definitions +Patch-mainline: Not yet, should happen soon +References: bnc#712023 + +Commit 9b9fe724 accidentally used RADEON_GPIO_EN_* where +RADEON_GPIO_MASK_* was intended. This caused improper initialization +of I2C buses, mostly visible when setting i2c_algo_bit.bit_test=1. +Using the right constants fixes the problem. + +Signed-off-by: Jean Delvare <[email protected]> +Reviewed-by: Alex Deucher <[email protected]> +Cc: Jerome Glisse <[email protected]> +--- + drivers/gpu/drm/radeon/radeon_combios.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_combios.c ++++ b/drivers/gpu/drm/radeon/radeon_combios.c +@@ -503,8 +503,8 @@ static struct radeon_i2c_bus_rec combios + i2c.y_clk_reg = RADEON_MDGPIO_Y; + i2c.y_data_reg = RADEON_MDGPIO_Y; + } else { +- i2c.mask_clk_mask = RADEON_GPIO_EN_1; +- i2c.mask_data_mask = RADEON_GPIO_EN_0; ++ i2c.mask_clk_mask = RADEON_GPIO_MASK_1; ++ i2c.mask_data_mask = RADEON_GPIO_MASK_0; + i2c.a_clk_mask = RADEON_GPIO_A_1; + i2c.a_data_mask = RADEON_GPIO_A_0; + i2c.en_clk_mask = RADEON_GPIO_EN_1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch new/patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch --- old/patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch 2011-10-19 22:16:41.000000000 +0200 
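Review bot: Patch-mainline: "Not yet, should happen soon" in drm-radeon-kms-fix-i2c-masks.patch is a placeholder; the other patches in this series carry a Git-commit id or a mainline version, and this header should be updated with the upstream commit once it lands so the patch can be dropped at the next rebase. The hunk itself matches the message: only mask_clk_mask and mask_data_mask move from RADEON_GPIO_EN_* to RADEON_GPIO_MASK_*, while the en_clk_mask line that follows keeps RADEON_GPIO_EN_1, which is the intended distinction.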
@@ -0,0 +1,127 @@ +From 764355487ea220fdc2faf128d577d7f679b91f97 Mon Sep 17 00:00:00 2001 +From: John Johansen <[email protected]> +Date: Fri, 22 Jul 2011 08:14:15 -0700 +Subject: Ecryptfs: Add mount option to check uid of device being mounted = expect uid +Patch-mainline: 3.1 +References: bnc#711539 CVE-2011-1833 + +Close a TOCTOU race for mounts done via ecryptfs-mount-private. The mount +source (device) can be raced when the ownership test is done in userspace. +Provide Ecryptfs a means to force the uid check at mount time. + +Signed-off-by: John Johansen <[email protected]> +Cc: <[email protected]> +Signed-off-by: Tyler Hicks <[email protected]> +Acked-by: Miklos Szeredi <[email protected]> +--- + fs/ecryptfs/main.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +Index: linux-2.6.32-SLE11-SP1/fs/ecryptfs/main.c +=================================================================== +--- linux-2.6.32-SLE11-SP1.orig/fs/ecryptfs/main.c 2011-10-19 21:55:25.000000000 +0200 ++++ linux-2.6.32-SLE11-SP1/fs/ecryptfs/main.c 2011-10-19 21:58:03.000000000 +0200 +@@ -212,7 +212,8 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ec + ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata, + ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig, + ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes, +- ecryptfs_opt_unlink_sigs, ecryptfs_opt_err }; ++ ecryptfs_opt_unlink_sigs, ecryptfs_opt_check_dev_ruid, ++ ecryptfs_opt_err }; + + static const match_table_t tokens = { + {ecryptfs_opt_sig, "sig=%s"}, +@@ -227,6 +228,7 @@ static const match_table_t tokens = { + {ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"}, + {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"}, + {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"}, ++ {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"}, + {ecryptfs_opt_err, NULL} + }; + +@@ -270,6 +272,7 @@ static void ecryptfs_init_mount_crypt_st + * ecryptfs_parse_options + * @sb: The ecryptfs super block + * 
@options: The options pased to the kernel ++ * @check_ruid: set to 1 if device uid should be checked against the ruid + * + * Parse mount options: + * debug=N - ecryptfs_verbosity level for debug output +@@ -285,7 +288,8 @@ static void ecryptfs_init_mount_crypt_st + * + * Returns zero on success; non-zero on error + */ +-static int ecryptfs_parse_options(struct super_block *sb, char *options) ++static int ecryptfs_parse_options(struct super_block *sb, char *options, ++ uid_t *check_ruid) + { + char *p; + int rc = 0; +@@ -310,6 +314,8 @@ static int ecryptfs_parse_options(struct + char *cipher_key_bytes_src; + char *fn_cipher_key_bytes_src; + ++ *check_ruid = 0; ++ + if (!options) { + rc = -EINVAL; + goto out; +@@ -410,6 +416,9 @@ static int ecryptfs_parse_options(struct + case ecryptfs_opt_unlink_sigs: + mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS; + break; ++ case ecryptfs_opt_check_dev_ruid: ++ *check_ruid = 1; ++ break; + case ecryptfs_opt_err: + default: + printk(KERN_WARNING +@@ -551,7 +560,8 @@ ecryptfs_fill_super(struct super_block * + * ecryptfs_interpose to create our initial inode and super block + * struct. 
+ */ +-static int ecryptfs_read_super(struct super_block *sb, const char *dev_name) ++static int ecryptfs_read_super(struct super_block *sb, const char *dev_name, ++ uid_t check_ruid) + { + struct path path; + int rc; +@@ -561,6 +571,15 @@ static int ecryptfs_read_super(struct su + ecryptfs_printk(KERN_WARNING, "path_lookup() failed\n"); + goto out; + } ++ if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) { ++ rc = -EPERM; ++ printk(KERN_ERR "Mount of device (uid: %d) not owned by " ++ "requested user (uid: %d)\n", ++ path.dentry->d_inode->i_uid, current_uid()); ++ goto out_free; ++ } ++ ++ + ecryptfs_set_superblock_lower(sb, path.dentry->d_sb); + sb->s_maxbytes = path.dentry->d_sb->s_maxbytes; + sb->s_blocksize = path.dentry->d_sb->s_blocksize; +@@ -597,6 +616,7 @@ static int ecryptfs_get_sb(struct file_s + const char *dev_name, void *raw_data, + struct vfsmount *mnt) + { ++ uid_t check_ruid; + int rc; + struct super_block *sb; + +@@ -606,12 +626,12 @@ static int ecryptfs_get_sb(struct file_s + goto out; + } + sb = mnt->mnt_sb; +- rc = ecryptfs_parse_options(sb, raw_data); ++ rc = ecryptfs_parse_options(sb, raw_data, &check_ruid); + if (rc) { + printk(KERN_ERR "Error parsing options; rc = [%d]\n", rc); + goto out_abort; + } +- rc = ecryptfs_read_super(sb, dev_name); ++ rc = ecryptfs_read_super(sb, dev_name, check_ruid); + if (rc) { + printk(KERN_ERR "Reading sb failed; rc = [%d]\n", rc); + goto out_abort; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch new/patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch --- old/patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch 2011-10-19 22:16:41.000000000 +0200 
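Review bot: check_ruid in ecryptfs-add-mount-option-to-check-uid-of-device.patch is declared as uid_t (uid_t *check_ruid in ecryptfs_parse_options(), uid_t check_ruid in ecryptfs_read_super() and ecryptfs_get_sb()) but is only ever assigned 0 or 1 and tested as a flag; a bool or int would say what it is and stop readers from assuming a uid is being passed down. On the ecryptfs_read_super() hunk, the i_uid != current_uid() comparison is the kernel-side close of the TOCTOU race the message describes, so a comment noting that the userspace ownership test in ecryptfs-mount-private is not relied on and this check is the authoritative one would help, and the two added blank lines after goto out_free; should be dropped. Finally, the Index: lines reference linux-2.6.32-SLE11-SP1 rather than the linux-2.6.34-openSUSE-11.3 tree the other patches in this tarball use, so the patch was carried over from the SLE11-SP1 tree and should be regenerated against this package's tree rather than applied with offsets.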
@@ -0,0 +1,261 @@ +From: Lukas Czerner <[email protected]> +Subject: [PATCH] ext4: Fix max file size and logical block counting of extent format file +References: bnc#706374 +Patch-mainline: 3.0 +Git-commit: f17722f917b2f21497deb6edc62fb1683daa08e6 + +Kazuya Mio reported that he was able to hit BUG_ON(next == lblock) +in ext4_ext_put_gap_in_cache() while creating a sparse file in extent +format and fill the tail of file up to its end. We will hit the BUG_ON +when we write the last block (2^32-1) into the sparse file. + +The root cause of the problem lies in the fact that we specifically set +s_maxbytes so that block at s_maxbytes fit into on-disk extent format, +which is 32 bit long. However, we are not storing start and end block +number, but rather start block number and length in blocks. It means +that in order to cover extent from 0 to EXT_MAX_BLOCK we need +EXT_MAX_BLOCK+1 to fit into len (because we counting block 0 as well) - +and it does not. + +The only way to fix it without changing the meaning of the struct +ext4_extent members is, as Kazuya Mio suggested, to lower s_maxbytes +by one fs block so we can cover the whole extent we can get by the +on-disk extent format. + +Also in many places EXT_MAX_BLOCK is used as length instead of maximum +logical block number as the name suggests, it is all a bit messy. So +this commit renames it to EXT_MAX_BLOCKS and change its usage in some +places to actually be maximum number of blocks in the extent. 
+ +The bug which this commit fixes can be reproduced as follows: + + dd if=/dev/zero of=/mnt/mp1/file bs=<blocksize> count=1 seek=$((2**32-2)) + sync + dd if=/dev/zero of=/mnt/mp1/file bs=<blocksize> count=1 seek=$((2**32-1)) + +Reported-by: Kazuya Mio <[email protected]> +Signed-off-by: Lukas Czerner <[email protected]> +Signed-off-by: "Theodore Ts'o" <[email protected]> +Acked-by: Jan Kara <[email protected]> +--- + fs/ext4/ext4_extents.h | 7 +++++-- + fs/ext4/extents.c | 34 +++++++++++++++++----------------- + fs/ext4/move_extent.c | 10 +++++----- + fs/ext4/super.c | 15 ++++++++++++--- + 4 files changed, 39 insertions(+), 27 deletions(-) + +Index: linux-2.6.32-SLE11-SP1/fs/ext4/ext4_extents.h +=================================================================== +--- linux-2.6.32-SLE11-SP1.orig/fs/ext4/ext4_extents.h ++++ linux-2.6.32-SLE11-SP1/fs/ext4/ext4_extents.h +@@ -137,8 +137,11 @@ typedef int (*ext_prepare_callback)(stru + #define EXT_BREAK 1 + #define EXT_REPEAT 2 + +-/* Maximum logical block in a file; ext4_extent's ee_block is __le32 */ +-#define EXT_MAX_BLOCK 0xffffffff ++/* ++ * Maximum number of logical blocks in a file; ext4_extent's ee_block is ++ * __le32. ++ */ ++#define EXT_MAX_BLOCKS 0xffffffff + + /* + * EXT_INIT_MAX_LEN is the maximum number of blocks we can have in an +Index: linux-2.6.32-SLE11-SP1/fs/ext4/extents.c +=================================================================== +--- linux-2.6.32-SLE11-SP1.orig/fs/ext4/extents.c ++++ linux-2.6.32-SLE11-SP1/fs/ext4/extents.c +@@ -1329,7 +1329,7 @@ got_index: + + /* + * ext4_ext_next_allocated_block: +- * returns allocated block in subsequent extent or EXT_MAX_BLOCK. ++ * returns allocated block in subsequent extent or EXT_MAX_BLOCKS. + * NOTE: it considers block number from index entry as + * allocated block. Thus, index entries have to be consistent + * with leaves. 
+@@ -1343,7 +1343,7 @@ ext4_ext_next_allocated_block(struct ext + depth = path->p_depth; + + if (depth == 0 && path->p_ext == NULL) +- return EXT_MAX_BLOCK; ++ return EXT_MAX_BLOCKS; + + while (depth >= 0) { + if (depth == path->p_depth) { +@@ -1360,12 +1360,12 @@ ext4_ext_next_allocated_block(struct ext + depth--; + } + +- return EXT_MAX_BLOCK; ++ return EXT_MAX_BLOCKS; + } + + /* + * ext4_ext_next_leaf_block: +- * returns first allocated block from next leaf or EXT_MAX_BLOCK ++ * returns first allocated block from next leaf or EXT_MAX_BLOCKS + */ + static ext4_lblk_t ext4_ext_next_leaf_block(struct inode *inode, + struct ext4_ext_path *path) +@@ -1377,7 +1377,7 @@ static ext4_lblk_t ext4_ext_next_leaf_bl + + /* zero-tree has no leaf blocks at all */ + if (depth == 0) +- return EXT_MAX_BLOCK; ++ return EXT_MAX_BLOCKS; + + /* go to index block */ + depth--; +@@ -1390,7 +1390,7 @@ static ext4_lblk_t ext4_ext_next_leaf_bl + depth--; + } + +- return EXT_MAX_BLOCK; ++ return EXT_MAX_BLOCKS; + } + + /* +@@ -1570,13 +1570,13 @@ unsigned int ext4_ext_check_overlap(stru + */ + if (b2 < b1) { + b2 = ext4_ext_next_allocated_block(path); +- if (b2 == EXT_MAX_BLOCK) ++ if (b2 == EXT_MAX_BLOCKS) + goto out; + } + + /* check for wrap through zero on extent logical start block*/ + if (b1 + len1 < b1) { +- len1 = EXT_MAX_BLOCK - b1; ++ len1 = EXT_MAX_BLOCKS - b1; + newext->ee_len = cpu_to_le16(len1); + ret = 1; + } +@@ -1652,7 +1652,7 @@ repeat: + fex = EXT_LAST_EXTENT(eh); + next = ext4_ext_next_leaf_block(inode, path); + if (le32_to_cpu(newext->ee_block) > le32_to_cpu(fex->ee_block) +- && next != EXT_MAX_BLOCK) { ++ && next != EXT_MAX_BLOCKS) { + ext_debug("next leaf block - %d\n", next); + BUG_ON(npath != NULL); + npath = ext4_ext_find_extent(inode, next, NULL); +@@ -1770,7 +1770,7 @@ int ext4_ext_walk_space(struct inode *in + BUG_ON(func == NULL); + BUG_ON(inode == NULL); + +- while (block < last && block != EXT_MAX_BLOCK) { ++ while (block < last && block != EXT_MAX_BLOCKS) { 
+ num = last - block; + /* find extent for this block */ + down_read(&EXT4_I(inode)->i_data_sem); +@@ -1898,7 +1898,7 @@ ext4_ext_put_gap_in_cache(struct inode * + if (ex == NULL) { + /* there is no extent yet, so gap is [0;-] */ + lblock = 0; +- len = EXT_MAX_BLOCK; ++ len = EXT_MAX_BLOCKS; + ext_debug("cache gap(whole file):"); + } else if (block < le32_to_cpu(ex->ee_block)) { + lblock = block; +@@ -2143,8 +2143,8 @@ ext4_ext_rm_leaf(handle_t *handle, struc + path[depth].p_ext = ex; + + a = ex_ee_block > start ? ex_ee_block : start; +- b = ex_ee_block + ex_ee_len - 1 < EXT_MAX_BLOCK ? +- ex_ee_block + ex_ee_len - 1 : EXT_MAX_BLOCK; ++ b = ex_ee_block + ex_ee_len - 1 < EXT_MAX_BLOCKS - 1 ? ++ ex_ee_block + ex_ee_len - 1 : EXT_MAX_BLOCKS - 1; + + ext_debug(" border %u:%u\n", a, b); + +@@ -3780,15 +3780,15 @@ static int ext4_ext_fiemap_cb(struct ino + flags |= FIEMAP_EXTENT_UNWRITTEN; + + /* +- * If this extent reaches EXT_MAX_BLOCK, it must be last. ++ * If this extent reaches EXT_MAX_BLOCKS-1, it must be last. + * +- * Or if ext4_ext_next_allocated_block is EXT_MAX_BLOCK, ++ * Or if ext4_ext_next_allocated_block is EXT_MAX_BLOCKS-1, + * this also indicates no more allocated blocks. 
+ * +- * XXX this might miss a single-block extent at EXT_MAX_BLOCK ++ * XXX this might miss a single-block extent at EXT_MAX_BLOCKS-1 + */ +- if (ext4_ext_next_allocated_block(path) == EXT_MAX_BLOCK || +- newex->ec_block + newex->ec_len - 1 == EXT_MAX_BLOCK) { ++ if (ext4_ext_next_allocated_block(path) == EXT_MAX_BLOCKS - 1 || ++ newex->ec_block + newex->ec_len == EXT_MAX_BLOCKS) { + loff_t size = i_size_read(inode); + loff_t bs = EXT4_BLOCK_SIZE(inode->i_sb); + +@@ -3868,8 +3868,8 @@ int ext4_fiemap(struct inode *inode, str + + start_blk = start >> inode->i_sb->s_blocksize_bits; + last_blk = (start + len - 1) >> inode->i_sb->s_blocksize_bits; +- if (last_blk >= EXT_MAX_BLOCK) +- last_blk = EXT_MAX_BLOCK-1; ++ if (last_blk >= EXT_MAX_BLOCKS) ++ last_blk = EXT_MAX_BLOCKS-1; + len_blks = ((ext4_lblk_t) last_blk) - start_blk + 1; + + /* +Index: linux-2.6.32-SLE11-SP1/fs/ext4/move_extent.c +=================================================================== +--- linux-2.6.32-SLE11-SP1.orig/fs/ext4/move_extent.c ++++ linux-2.6.32-SLE11-SP1/fs/ext4/move_extent.c +@@ -1001,12 +1001,12 @@ mext_check_arguments(struct inode *orig_ + return -EINVAL; + } + +- if ((orig_start > EXT_MAX_BLOCK) || +- (donor_start > EXT_MAX_BLOCK) || +- (*len > EXT_MAX_BLOCK) || +- (orig_start + *len > EXT_MAX_BLOCK)) { ++ if ((orig_start >= EXT_MAX_BLOCKS) || ++ (donor_start >= EXT_MAX_BLOCKS) || ++ (*len > EXT_MAX_BLOCKS) || ++ (orig_start + *len >= EXT_MAX_BLOCKS)) { + ext4_debug("ext4 move extent: Can't handle over [%u] blocks " +- "[ino:orig %lu, donor %lu]\n", EXT_MAX_BLOCK, ++ "[ino:orig %lu, donor %lu]\n", EXT_MAX_BLOCKS, + orig_inode->i_ino, donor_inode->i_ino); + return -EINVAL; + } +Index: linux-2.6.32-SLE11-SP1/fs/ext4/super.c +=================================================================== +--- linux-2.6.32-SLE11-SP1.orig/fs/ext4/super.c ++++ linux-2.6.32-SLE11-SP1/fs/ext4/super.c +@@ -1976,6 +1976,12 @@ static void ext4_orphan_cleanup(struct s + * in the vfs. 
ext4 inode has 48 bits of i_block in fsblock units, + * so that won't be a limiting factor. + * ++ * However there is other limiting factor. We do store extents in the form ++ * of starting block and length, hence the resulting length of the extent ++ * covering maximum file size must fit into on-disk format containers as ++ * well. Given that length is always by 1 unit bigger than max unit (because ++ * we count 0 as well) we have to lower the s_maxbytes by one fs block. ++ * + * Note, this does *not* consider any metadata overhead for vfs i_blocks. + */ + static loff_t ext4_max_size(int blkbits, int has_huge_files) +@@ -1997,10 +2003,13 @@ static loff_t ext4_max_size(int blkbits, + upper_limit <<= blkbits; + } + +- /* 32-bit extent-start container, ee_block */ +- res = 1LL << 32; ++ /* ++ * 32-bit extent-start container, ee_block. We lower the maxbytes ++ * by one fs block, so ee_len can cover the extent of maximum file ++ * size ++ */ ++ res = (1LL << 32) - 1; + res <<= blkbits; +- res -= 1; + + /* Sanity check against vm- & vfs- imposed limits */ + if (res > upper_limit) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch new/patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch --- old/patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch 2011-10-19 22:16:41.000000000 +0200 
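Review bot: In the ext4_ext_fiemap_cb hunk the two halves of the new condition use different conventions: `ext4_ext_next_allocated_block(path) == EXT_MAX_BLOCKS - 1` versus `newex->ec_block + newex->ec_len == EXT_MAX_BLOCKS`. The first comparison is only correct if ext4_ext_next_allocated_block() now returns EXT_MAX_BLOCKS - 1 as its "no more allocated blocks" sentinel; that function's hunk is not in this excerpt, so please confirm the sentinel was changed to match. If it returns EXT_MAX_BLOCKS instead, the comparison here must be `== EXT_MAX_BLOCKS` and the two comment lines now reading "EXT_MAX_BLOCKS-1" should follow, otherwise fiemap will miss the end-of-file condition it is trying to detect.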
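Review bot: In the mext_check_arguments hunk the `(*len > EXT_MAX_BLOCKS)` test is redundant: any `*len >= EXT_MAX_BLOCKS` already fails `(orig_start + *len >= EXT_MAX_BLOCKS)`, so either drop it or make it `>=` so the message "Can't handle over [%u] blocks" describes the bound actually enforced. Separately, `orig_start + *len` only rejects a wrapped range if the addition is performed at a width wider than the 32-bit logical block number; the parameter types are outside this excerpt, so confirm they are the 64-bit ioctl fields before relying on that comparison.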
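Review bot: Wording in the new comment block above ext4_max_size(): "there is other limiting factor" should read "there is another limiting factor", and "length is always by 1 unit bigger than max unit (because we count 0 as well)" is clearer as "a length covering blocks 0..N is N+1, one more than the largest block number". This comment is the only place that records why s_maxbytes lost one filesystem block, so it is worth making it precise.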
@@ -0,0 +1,37 @@ +From c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi <[email protected]> +Date: Wed, 24 Aug 2011 10:20:17 +0200 +Subject: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message +Patch-mainline: 3.1 +References: bnc#716901 CVE-2011-3353 + +FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the +message processing could overrun and result in a "kernel BUG at +fs/fuse/dev.c:629!" + +Reported-by: Han-Wen Nienhuys <[email protected]> +Signed-off-by: Miklos Szeredi <[email protected]> +Cc: [email protected] +Acked-by: Miklos Szeredi <[email protected]> +--- + fs/fuse/dev.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index 640fc22..168a80f 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size, + if (outarg.namelen > FUSE_NAME_MAX) + goto err; + ++ err = -EINVAL; ++ if (size != sizeof(outarg) + outarg.namelen + 1) ++ goto err; ++ + name.name = buf; + name.len = outarg.namelen; + err = fuse_copy_one(cs, buf, outarg.namelen + 1); +-- +1.7.3.4 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch new/patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch --- old/patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch 2011-07-20 18:48:56.000000000 +0200 +++ new/patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch 2011-10-19 22:16:41.000000000 +0200 
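Review bot: The new size check in fuse_notify_inval_entry() correctly sits after the `outarg.namelen > FUSE_NAME_MAX` test, so `sizeof(outarg) + outarg.namelen + 1` cannot wrap; keep that ordering if the function is ever reshuffled. Because the check is an exact equality that counts the terminating NUL (consistent with the `outarg.namelen + 1` copy that follows), a userspace daemon that sends the name without its terminator, or with trailing padding, now gets -EINVAL where it previously got through; that is the intended hardening, but it deserves a sentence in the commit message for anyone debugging a FUSE filesystem after this update.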
@@ -3,6 +3,7 @@ Date: Sun, 17 Apr 2011 10:20:19 +0200 Subject: [PATCH] i2c-algo-bit: Call pre/post_xfer for bit_test Patch-mainline: 2.6.39 +Git-commit: d3b3e15da14ded61c9654db05863b04a2435f4cc References: bnc#669937, freedesktop#36221 Apparently some distros set i2c-algo-bit.bit_test to 1 by diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch new/patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch --- old/patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch 2011-10-19 22:16:41.000000000 +0200 
@@ -0,0 +1,81 @@ +From 961277664b03c1b3b594faddba91ee13b9d2cc98 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins <[email protected]> +Date: Mon, 20 Jun 2011 11:27:40 +0100 +Subject: [PATCH] ksm: fix NULL pointer dereference in scan_get_next_rmap_item + +References: KSM (bnc #697901, CVE-2011-2183) +Patch-mainline: no (currently in mmotm, expected to hit mainline 3.0) + +Andrea Righi reported a case where an exiting task can race against +ksmd::scan_get_next_rmap_item (http://lkml.org/lkml/2011/6/1/742) easily +triggering a NULL pointer dereference in ksmd. + +ksm_scan.mm_slot == &ksm_mm_head with only one registered mm + +CPU 1 (__ksm_exit) CPU 2 (scan_get_next_rmap_item) + list_empty() is false +lock slot == &ksm_mm_head +list_del(slot->mm_list) +(list now empty) +unlock + lock + slot = list_entry(slot->mm_list.next) + (list is empty, so slot is still ksm_mm_head) + unlock + slot->mm == NULL ... Oops + +Close this race by revalidating that the new slot is not simply the list +head again. + +Andrea's test case: + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <sys/mman.h> + +#define BUFSIZE getpagesize() + +int main(int argc, char **argv) +{ + void *ptr; + + if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0) { + perror("posix_memalign"); + exit(1); + } + if (madvise(ptr, BUFSIZE, MADV_MERGEABLE) < 0) { + perror("madvise"); + exit(1); + } + *(char *)NULL = 0; + + return 0; +} + +Reported-by: Andrea Righi <[email protected]> +Tested-by: Andrea Righi <[email protected]> +Cc: Andrea Arcangeli <[email protected]> +Signed-off-by: Hugh Dickins <[email protected]> +Signed-off-by: Chris Wright <[email protected]> +Cc: <[email protected]> +Signed-off-by: Andrew Morton <[email protected]> +Signed-off-by: Mel Gorman <[email protected]> + +diff --git a/mm/ksm.c b/mm/ksm.c +index d708b3e..9a68b0c 100644 +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -1302,6 +1302,12 @@ static struct rmap_item *scan_get_next_rmap_item(struct page **page) + slot = 
list_entry(slot->mm_list.next, struct mm_slot, mm_list); + ksm_scan.mm_slot = slot; + spin_unlock(&ksm_mmlist_lock); ++ /* ++ * Although we tested list_empty() above, a racing __ksm_exit ++ * of the last mm on the list may have removed it since then. ++ */ ++ if (slot == &ksm_mm_head) ++ return NULL; + next_mm: + ksm_scan.address = 0; + ksm_scan.rmap_list = &slot->rmap_list; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/perf_software_event_overflow.patch new/patches.fixes/perf_software_event_overflow.patch --- old/patches.fixes/perf_software_event_overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/perf_software_event_overflow.patch 2011-10-19 22:16:41.000000000 +0200 
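Review bot: The `slot == &ksm_mm_head` revalidation is placed after `spin_unlock(&ksm_mmlist_lock)`, which is fine since it only compares against the address of a static list head, and `ksm_scan.mm_slot` has already been reset to the head so the next scan pass restarts cleanly. Header housekeeping: "Patch-mainline: no (currently in mmotm, expected to hit mainline 3.0)" and the mmotm From: id should be replaced with the mainline version and a "Git-commit:" line once the patch lands, as the i2c-algo-bit patch in this same update does.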
@@ -0,0 +1,32 @@ +From: Tony Jones <[email protected]> +Subject: perf: Fix software event overflow +References: bnc#712366, CVE-2011-2918 +Git-commit: a8b0ca17b80e92faab46ee7179ba9e99ccb61233 +Patch-mainline: v3.1-rc1 +Signed-off-by: Tony Jones <[email protected]> + +Signed-off-by: Peter Zijlstra <[email protected]> +Vince [Weaver] found that under certain circumstances software event overflows +go wrong and deadlock. Avoid trying to delete a timer from the timer callback. + +--- + kernel/perf_event.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/kernel/perf_event.c ++++ b/kernel/perf_event.c +@@ -3863,12 +3863,8 @@ static int __perf_event_overflow(struct + if (events && atomic_dec_and_test(&event->event_limit)) { + ret = 1; + event->pending_kill = POLL_HUP; +- if (nmi) { +- event->pending_disable = 1; +- perf_pending_queue(&event->pending, +- perf_pending_event); +- } else +- perf_event_disable(event); ++ event->pending_disable = 1; ++ perf_pending_queue(&event->pending, perf_pending_event); + } + + if (event->overflow_handler) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/pty-fix-pty-counting.patch new/patches.fixes/pty-fix-pty-counting.patch --- old/patches.fixes/pty-fix-pty-counting.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/pty-fix-pty-counting.patch 2011-10-19 22:16:41.000000000 +0200 
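Review bot: This hunk takes only the __perf_event_overflow() part of the referenced upstream commit a8b0ca17b80e92faab46ee7179ba9e99ccb61233, which upstream removes the `nmi` argument from the software-event and overflow interface altogether; here `nmi` stays in the signature but is no longer consulted in this block. Please confirm `nmi` is still used elsewhere in the function (otherwise it is a dead parameter), and say in the header that this is a partial backport, e.g. "Patch-mainline: v3.1-rc1 (partial)". The "Signed-off-by: Peter Zijlstra" line also sits above the description; move it down with the other tags.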
@@ -0,0 +1,134 @@ +From 24d406a6bf736f7aebdc8fa0f0ec86e0890c6d24 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby <[email protected]> +Date: Wed, 10 Aug 2011 14:59:28 +0200 +Subject: TTY: pty, fix pty counting +Git-commit: 24d406a6bf736f7aebdc8fa0f0ec86e0890c6d24 +Patch-mainline: v3.1-rc4 +References: bnc#711203 + +tty_operations->remove is normally called like: +queue_release_one_tty + ->tty_shutdown + ->tty_driver_remove_tty + ->tty_operations->remove + +However tty_shutdown() is called from queue_release_one_tty() only if +tty_operations->shutdown is NULL. But for pty, it is not. +pty_unix98_shutdown() is used there as ->shutdown. + +So tty_operations->remove of pty (i.e. pty_unix98_remove()) is never +called. This results in invalid pty_count. I.e. what can be seen in +/proc/sys/kernel/pty/nr. + +I see this was already reported at: + https://lkml.org/lkml/2009/11/5/370 +But it was not fixed since then. + +This patch is kind of a hackish way. The problem lies in ->install. We +allocate there another tty (so-called tty->link). So ->install is +called once, but ->remove twice, for both tty and tty->link. The fix +here is to count both tty and tty->link and divide the count by 2 for +user. + +And to have ->remove called, let's make tty_driver_remove_tty() global +and call that from pty_unix98_shutdown() (tty_operations->shutdown). + +While at it, let's document that when ->shutdown is defined, +tty_shutdown() is not called. + +Signed-off-by: Jiri Slaby <[email protected]> +Cc: Alan Cox <[email protected]> +Cc: "H. 
Peter Anvin" <[email protected]> +Cc: stable <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +--- + drivers/char/pty.c | 17 +++++++++++++++-- + drivers/char/tty_io.c | 3 +-- + include/linux/tty.h | 2 ++ + include/linux/tty_driver.h | 3 +++ + 4 files changed, 21 insertions(+), 4 deletions(-) + +--- a/drivers/char/pty.c ++++ b/drivers/char/pty.c +@@ -426,8 +426,19 @@ static inline void legacy_pty_init(void) + int pty_limit = NR_UNIX98_PTY_DEFAULT; + static int pty_limit_min; + static int pty_limit_max = NR_UNIX98_PTY_MAX; ++static int tty_count; + static int pty_count; + ++static inline void pty_inc_count(void) ++{ ++ pty_count = (++tty_count) / 2; ++} ++ ++static inline void pty_dec_count(void) ++{ ++ pty_count = (--tty_count) / 2; ++} ++ + static struct cdev ptmx_cdev; + + static struct ctl_table pty_table[] = { +@@ -520,6 +531,7 @@ static struct tty_struct *pts_unix98_loo + + static void pty_unix98_shutdown(struct tty_struct *tty) + { ++ tty_driver_remove_tty(tty->driver, tty); + /* We have our own method as we don't use the tty index */ + kfree(tty->termios); + } +@@ -567,7 +579,8 @@ static int pty_unix98_install(struct tty + */ + tty_driver_kref_get(driver); + tty->count++; +- pty_count++; ++ pty_inc_count(); /* tty */ ++ pty_inc_count(); /* tty->link */ + return 0; + free_mem_out: + kfree(o_tty->termios); +@@ -579,7 +592,7 @@ free_mem_out: + + static void pty_unix98_remove(struct tty_driver *driver, struct tty_struct *tty) + { +- pty_count--; ++ pty_dec_count(); + } + + static const struct tty_operations ptm_unix98_ops = { +--- a/drivers/char/tty_io.c ++++ b/drivers/char/tty_io.c +@@ -1235,8 +1235,7 @@ static int tty_driver_install_tty(struct + * + * Locking: tty_mutex for now + */ +-static void tty_driver_remove_tty(struct tty_driver *driver, +- struct tty_struct *tty) ++void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct *tty) + { + if (driver->ops->remove) + driver->ops->remove(driver, tty); +--- 
a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -406,6 +406,8 @@ extern void tty_driver_flush_buffer(stru + extern void tty_throttle(struct tty_struct *tty); + extern void tty_unthrottle(struct tty_struct *tty); + extern int tty_do_resize(struct tty_struct *tty, struct winsize *ws); ++extern void tty_driver_remove_tty(struct tty_driver *driver, ++ struct tty_struct *tty); + extern void tty_shutdown(struct tty_struct *tty); + extern void tty_free_termios(struct tty_struct *tty); + extern int is_current_pgrp_orphaned(void); +--- a/include/linux/tty_driver.h ++++ b/include/linux/tty_driver.h +@@ -47,6 +47,9 @@ + * + * This routine is called synchronously when a particular tty device + * is closed for the last time freeing up the resources. ++ * Note that tty_shutdown() is not called if ops->shutdown is defined. ++ * This means one is responsible to take care of calling ops->remove (e.g. ++ * via tty_driver_remove_tty) and releasing tty->termios. + * + * + * void (*cleanup)(struct tty_struct * tty); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/validate-size-of-efi-guid-partition-entries.patch new/patches.fixes/validate-size-of-efi-guid-partition-entries.patch --- old/patches.fixes/validate-size-of-efi-guid-partition-entries.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/validate-size-of-efi-guid-partition-entries.patch 2011-10-19 22:16:41.000000000 +0200 
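Review bot: `tty_count` is a plain int, incremented twice from pty_unix98_install() and decremented from pty_unix98_remove(), which this patch now reaches via pty_unix98_shutdown(). Per the commit message, ->shutdown runs from the queue_release_one_tty path, while tty_driver_remove_tty()'s own comment says "Locking: tty_mutex for now"; unless the release path also holds tty_mutex, a concurrent open and close can lose an update and the value exported as /proc/sys/kernel/pty/nr drifts. An atomic_t for tty_count (or taking the same lock on both sides) avoids that; the `/ 2` derivation of pty_count can stay as is. Also confirm the pts driver's tty_operations set `.remove = pty_unix98_remove` as ptm_unix98_ops does, since both the master and the slave now go through tty_driver_remove_tty() and each must decrement exactly once.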
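Review bot: In the tty_driver.h comment hunk, "This means one is responsible to take care of calling ops->remove (e.g. via tty_driver_remove_tty) and releasing tty->termios." reads awkwardly; "This means the driver is responsible for calling ops->remove (e.g. via tty_driver_remove_tty) and for releasing tty->termios." says the same thing plainly, and the first sentence of the added note could name the function: "Note that tty_shutdown() is not called if ops->shutdown is defined."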
@@ -0,0 +1,35 @@ +From fa039d5f6b126fbd65eefa05db2f67e44df8f121 Mon Sep 17 00:00:00 2001 +From: Timo Warns <[email protected]> +Date: Fri, 6 May 2011 13:47:35 +0200 +Subject: [PATCH] Validate size of EFI GUID partition entries. +Patch-mainline: fa039d5f6b126fbd65eefa05db2f67e44df8f121 +References: bnc#692784, CVE-2011-1776 + +Otherwise corrupted EFI partition tables can cause total confusion. + +Signed-off-by: Timo Warns <[email protected]> +Cc: [email protected] +Signed-off-by: Linus Torvalds <[email protected]> +Acked-by: Michal Hocko <[email protected]> +Acked-by: Miklos Szeredi <[email protected]> +--- + fs/partitions/efi.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +Index: linux-2.6.16-SLES10-SP3-TD/fs/partitions/efi.c +=================================================================== +--- linux-2.6.16-SLES10-SP3-TD.orig/fs/partitions/efi.c ++++ linux-2.6.16-SLES10-SP3-TD/fs/partitions/efi.c +@@ -363,6 +363,12 @@ is_gpt_valid(struct block_device *bdev, + goto fail; + } + ++ /* Check that sizeof_partition_entry has the correct value */ ++ if (le32_to_cpu((*gpt)->sizeof_partition_entry) != sizeof(gpt_entry)) { ++ pr_debug("GUID Partitition Entry Size check failed.\n"); ++ goto fail; ++ } ++ + if (!(*ptes = alloc_read_gpt_entries(bdev, *gpt))) + goto fail; + ++++++ patches.xen.tar.bz2 ++++++ ++++ 19758 lines of diff (skipped) ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:24.000000000 +0200 +++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:24.000000000 +0200 
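Review bot: The new check is correctly placed before alloc_read_gpt_entries(), so an attacker-controlled sizeof_partition_entry never feeds the entry-array read; one typo in the added message, "Partitition", should be "Partition". Header points: "Patch-mainline: fa039d5f6b126fbd65eefa05db2f67e44df8f121" carries a commit id where the other patches in this update put a kernel version and a separate "Git-commit:" line, and the Index/---/+++ paths say linux-2.6.16-SLES10-SP3-TD although this tree is linux-2.6.32-SLE11-SP1; it applies with -p1 either way, but the prefix is misleading in a 2.6.32 series.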
@@ -291,6 +291,12 @@ patches.fixes/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch patches.fixes/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch patches.fixes/mm-avoid-wrapping-vm_pgoff-in-mremap.patch + patches.fixes/validate-size-of-efi-guid-partition-entries.patch + + # bug 697901 + patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch + + patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch ######################################################## # IPC patches @@ -423,6 +429,9 @@ # cifs patches ######################################################## patches.fixes/cifs-ensure-credentials-match-when-using-existing-session + patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch + patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch + patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch ######################################################## # ext2/ext3 @@ -437,6 +446,7 @@ patches.fixes/ext4-move-aio-completion-after-unwritten-extent-conversion patches.fixes/ext4-mark-multi-page-IO-complete-on-mapping-failure.patch patches.fixes/ext4-fix-ext4_da_block_invalidatepages-to-handle-pag.patch + patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch ######################################################## # btrfs @@ -570,6 +580,7 @@ patches.fixes/writeback_fix_sb_locking.diff patches.fixes/debugfs_remove_corruption.diff + patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch ######################################################## # Swap-over-NFS @@ -680,6 +691,7 @@ patches.fixes/drm-radeon-kms-fix-a-regression-on-r7xx-agp-due-to-the-hdp-flush-fix patches.fixes/drm-radeon-kms-check-AA-resolve-registers-on-r300.patch patches.fixes/drm-radeon-kms-register-an-i2c-adapter-name-for-the-dp-aux-bus.patch + patches.fixes/drm-radeon-kms-fix-i2c-masks.patch ######################################################## # video4linux 
@@ -759,6 +771,7 @@ # PCI and PCI hotplug ######################################################## patches.fixes/pci-hotplug-cpqphp-fix-crash.patch + patches.drivers/intr-remap-allow-disabling-source-id-checking.patch ######################################################## # sysfs / driver core @@ -817,6 +830,7 @@ # Char / serial ######################################################## patches.fixes/tty-ldisc-do-not-close-until-there-are-readers.patch + patches.fixes/pty-fix-pty-counting.patch ######################################################## # Other driver fixes @@ -979,6 +993,8 @@ patches.fixes/ia64-configure-HAVE_UNSTABLE_SCHED_CLOCK-for-SGI_SN.patch + patches.fixes/perf_software_event_overflow.patch + ######################################################## # KVM patches ######################################################## @@ -1067,6 +1083,12 @@ patches.xen/1062-xenbus-dev-leak.patch patches.xen/1069-blktap-misc.patch patches.xen/1070-pciback-reset-msi.patch + patches.xen/1080-blkfront-xenbus-gather-format.patch + patches.xen/1081-blkback-resize-transaction-end.patch + patches.xen/1089-blkback-barrier-check.patch + patches.xen/1090-blktap-locking.patch + patches.xen/1091-xenbus-dev-no-BUG.patch + patches.xen/1098-blkfront-cdrom-ioctl-check.patch # changes outside arch/{i386,x86_64}/xen patches.xen/xen3-fixup-kconfig ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:24.000000000 +0200 +++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:24.000000000 +0200 @@ -1,3 +1,3 @@ -2011-07-20 18:48:56 +0200 -GIT Revision: 44c785657e56b41c4cb86b522cde6813af77c8c2 +2011-10-19 22:16:41 +0200 +GIT Revision: e5de38737cdc6b3c05a1c5214630aac9dd7ca1c4 GIT Branch: openSUSE-11.3
