Author: mpagano Date: 2014-05-20 00:16:46 +0000 (Tue, 20 May 2014) New Revision: 2798
Added: genpatches-2.6/trunk/3.4/1090_linux-3.4.91.patch genpatches-2.6/trunk/3.4/1505_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch Removed: genpatches-2.6/trunk/3.4/1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch genpatches-2.6/trunk/3.4/1500_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch Modified: genpatches-2.6/trunk/3.4/0000_README Log: Linux patch 3.4.91. Remove redundant patch for CVE-2014-0196 as it's now in 3.4.91. Fix numbering for patches. Modified: genpatches-2.6/trunk/3.4/0000_README =================================================================== --- genpatches-2.6/trunk/3.4/0000_README 2014-05-16 20:02:21 UTC (rev 2797) +++ genpatches-2.6/trunk/3.4/0000_README 2014-05-20 00:16:46 UTC (rev 2798) @@ -399,9 +399,9 @@ From: http://www.kernel.org Desc: Linux 3.4.90 -Patch: 1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch -From: https://git.kernel.org/cgit/linux/kernel/git/stable/stable-queue.git/commit/?id=19f9438d73833ed532c3ba4955f9c981c9af16f2 -Desc: n_tty: Fix n_tty_write crash when echoing in raw mode +Patch: 1090_linux-3.4.91.patch +From: http://www.kernel.org +Desc: Linux 3.4.91 Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Added: genpatches-2.6/trunk/3.4/1090_linux-3.4.91.patch =================================================================== --- genpatches-2.6/trunk/3.4/1090_linux-3.4.91.patch (rev 0) +++ genpatches-2.6/trunk/3.4/1090_linux-3.4.91.patch 2014-05-20 00:16:46 UTC (rev 2798) 
@@ -0,0 +1,633 @@ +diff --git a/Makefile b/Makefile +index aa1001213eb1..16899b9ba84f 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 4 +-SUBLEVEL = 90 ++SUBLEVEL = 91 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/powerpc/lib/crtsavres.S b/arch/powerpc/lib/crtsavres.S +index 1c893f05d224..21ecdf5e55f9 100644 +--- a/arch/powerpc/lib/crtsavres.S ++++ b/arch/powerpc/lib/crtsavres.S +@@ -230,6 +230,87 @@ _GLOBAL(_rest32gpr_31_x) + mr 1,11 + blr + ++#ifdef CONFIG_ALTIVEC ++/* Called with r0 pointing just beyond the end of the vector save area. */ ++ ++_GLOBAL(_savevr_20) ++ li r11,-192 ++ stvx vr20,r11,r0 ++_GLOBAL(_savevr_21) ++ li r11,-176 ++ stvx vr21,r11,r0 ++_GLOBAL(_savevr_22) ++ li r11,-160 ++ stvx vr22,r11,r0 ++_GLOBAL(_savevr_23) ++ li r11,-144 ++ stvx vr23,r11,r0 ++_GLOBAL(_savevr_24) ++ li r11,-128 ++ stvx vr24,r11,r0 ++_GLOBAL(_savevr_25) ++ li r11,-112 ++ stvx vr25,r11,r0 ++_GLOBAL(_savevr_26) ++ li r11,-96 ++ stvx vr26,r11,r0 ++_GLOBAL(_savevr_27) ++ li r11,-80 ++ stvx vr27,r11,r0 ++_GLOBAL(_savevr_28) ++ li r11,-64 ++ stvx vr28,r11,r0 ++_GLOBAL(_savevr_29) ++ li r11,-48 ++ stvx vr29,r11,r0 ++_GLOBAL(_savevr_30) ++ li r11,-32 ++ stvx vr30,r11,r0 ++_GLOBAL(_savevr_31) ++ li r11,-16 ++ stvx vr31,r11,r0 ++ blr ++ ++_GLOBAL(_restvr_20) ++ li r11,-192 ++ lvx vr20,r11,r0 ++_GLOBAL(_restvr_21) ++ li r11,-176 ++ lvx vr21,r11,r0 ++_GLOBAL(_restvr_22) ++ li r11,-160 ++ lvx vr22,r11,r0 ++_GLOBAL(_restvr_23) ++ li r11,-144 ++ lvx vr23,r11,r0 ++_GLOBAL(_restvr_24) ++ li r11,-128 ++ lvx vr24,r11,r0 ++_GLOBAL(_restvr_25) ++ li r11,-112 ++ lvx vr25,r11,r0 ++_GLOBAL(_restvr_26) ++ li r11,-96 ++ lvx vr26,r11,r0 ++_GLOBAL(_restvr_27) ++ li r11,-80 ++ lvx vr27,r11,r0 ++_GLOBAL(_restvr_28) ++ li r11,-64 ++ lvx vr28,r11,r0 ++_GLOBAL(_restvr_29) ++ li r11,-48 ++ lvx vr29,r11,r0 ++_GLOBAL(_restvr_30) ++ li r11,-32 ++ lvx vr30,r11,r0 ++_GLOBAL(_restvr_31) ++ li r11,-16 ++ lvx vr31,r11,r0 ++ blr ++ ++#endif /* 
CONFIG_ALTIVEC */ ++ + #else /* CONFIG_PPC64 */ + + .globl _savegpr0_14 +@@ -353,6 +434,111 @@ _restgpr0_31: + mtlr r0 + blr + ++#ifdef CONFIG_ALTIVEC ++/* Called with r0 pointing just beyond the end of the vector save area. */ ++ ++.globl _savevr_20 ++_savevr_20: ++ li r12,-192 ++ stvx vr20,r12,r0 ++.globl _savevr_21 ++_savevr_21: ++ li r12,-176 ++ stvx vr21,r12,r0 ++.globl _savevr_22 ++_savevr_22: ++ li r12,-160 ++ stvx vr22,r12,r0 ++.globl _savevr_23 ++_savevr_23: ++ li r12,-144 ++ stvx vr23,r12,r0 ++.globl _savevr_24 ++_savevr_24: ++ li r12,-128 ++ stvx vr24,r12,r0 ++.globl _savevr_25 ++_savevr_25: ++ li r12,-112 ++ stvx vr25,r12,r0 ++.globl _savevr_26 ++_savevr_26: ++ li r12,-96 ++ stvx vr26,r12,r0 ++.globl _savevr_27 ++_savevr_27: ++ li r12,-80 ++ stvx vr27,r12,r0 ++.globl _savevr_28 ++_savevr_28: ++ li r12,-64 ++ stvx vr28,r12,r0 ++.globl _savevr_29 ++_savevr_29: ++ li r12,-48 ++ stvx vr29,r12,r0 ++.globl _savevr_30 ++_savevr_30: ++ li r12,-32 ++ stvx vr30,r12,r0 ++.globl _savevr_31 ++_savevr_31: ++ li r12,-16 ++ stvx vr31,r12,r0 ++ blr ++ ++.globl _restvr_20 ++_restvr_20: ++ li r12,-192 ++ lvx vr20,r12,r0 ++.globl _restvr_21 ++_restvr_21: ++ li r12,-176 ++ lvx vr21,r12,r0 ++.globl _restvr_22 ++_restvr_22: ++ li r12,-160 ++ lvx vr22,r12,r0 ++.globl _restvr_23 ++_restvr_23: ++ li r12,-144 ++ lvx vr23,r12,r0 ++.globl _restvr_24 ++_restvr_24: ++ li r12,-128 ++ lvx vr24,r12,r0 ++.globl _restvr_25 ++_restvr_25: ++ li r12,-112 ++ lvx vr25,r12,r0 ++.globl _restvr_26 ++_restvr_26: ++ li r12,-96 ++ lvx vr26,r12,r0 ++.globl _restvr_27 ++_restvr_27: ++ li r12,-80 ++ lvx vr27,r12,r0 ++.globl _restvr_28 ++_restvr_28: ++ li r12,-64 ++ lvx vr28,r12,r0 ++.globl _restvr_29 ++_restvr_29: ++ li r12,-48 ++ lvx vr29,r12,r0 ++.globl _restvr_30 ++_restvr_30: ++ li r12,-32 ++ lvx vr30,r12,r0 ++.globl _restvr_31 ++_restvr_31: ++ li r12,-16 ++ lvx vr31,r12,r0 ++ blr ++ ++#endif /* CONFIG_ALTIVEC */ ++ + #endif /* CONFIG_PPC64 */ + + #endif +diff --git a/block/blk-core.c 
b/block/blk-core.c +index 279f05dcbc87..1175e57104cc 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -2104,7 +2104,7 @@ bool blk_update_request(struct request *req, int error, unsigned int nr_bytes) + if (!req->bio) + return false; + +- trace_block_rq_complete(req->q, req); ++ trace_block_rq_complete(req->q, req, nr_bytes); + + /* + * For fs requests, rq is just carrier of independent bio's +diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c +index 25506c777381..9bec1717047e 100644 +--- a/drivers/scsi/megaraid/megaraid_mm.c ++++ b/drivers/scsi/megaraid/megaraid_mm.c +@@ -486,6 +486,8 @@ mimd_to_kioc(mimd_t __user *umimd, mraid_mmadp_t *adp, uioc_t *kioc) + + pthru32->dataxferaddr = kioc->buf_paddr; + if (kioc->data_dir & UIOC_WR) { ++ if (pthru32->dataxferlen > kioc->xferlen) ++ return -EINVAL; + if (copy_from_user(kioc->buf_vaddr, kioc->user_data, + pthru32->dataxferlen)) { + return (-EFAULT); +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index 37818fbfbb0e..fa0376b38019 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -1996,7 +1996,9 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file, + tty->ops->flush_chars(tty); + } else { + while (nr > 0) { ++ mutex_lock(&tty->output_lock); + c = tty->ops->write(tty, b, nr); ++ mutex_unlock(&tty->output_lock); + if (c < 0) { + retval = c; + goto break_out; +diff --git a/drivers/video/tgafb.c b/drivers/video/tgafb.c +index ac2cf6dcc598..3b15bcac3766 100644 +--- a/drivers/video/tgafb.c ++++ b/drivers/video/tgafb.c +@@ -192,6 +192,8 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + + if (var->xres_virtual != var->xres || var->yres_virtual != var->yres) + return -EINVAL; ++ if (var->xres * var->yres * (var->bits_per_pixel >> 3) > info->fix.smem_len) ++ return -EINVAL; + if (var->nonstd) + return -EINVAL; + if (1000000000 / var->pixclock > TGA_PLL_MAX_FREQ) +@@ -272,6 +274,7 @@ tgafb_set_par(struct fb_info *info) + 
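Review bot: The new `pthru32->dataxferlen > kioc->xferlen` bound in mimd_to_kioc sits inside the `kioc->data_dir & UIOC_WR` branch, so for any other transfer direction the length is left unchecked as far as this hunk shows. `dataxferlen` presumably comes from the user's passthru structure; if it is later used to size a transfer into the same buffer (not visible here, the function starts and continues outside the hunk), the comparison belongs before the `if`. A comment such as `/* dataxferlen is caller-supplied; it must fit the buffer sized from xferlen */` would also record why the check exists. The new `return -EINVAL;` differs in style from the neighbouring `return (-EFAULT);`.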
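Review bot: The `mutex_lock(&tty->output_lock)` / `mutex_unlock(&tty->output_lock)` pair added around `tty->ops->write()` in n_tty_write has no comment, so nothing in the loop tells a later reader that the lock serializes this write against echo output from the line discipline. The log of the removed 1500_CVE-2014-0196 patch describes the race, but that rationale leaves the tree with this commit. A line such as `/* serialize with ldisc echo output, see CVE-2014-0196 */` above the lock would keep it next to the code. n_tty_write begins and ends outside the hunk, so how the other branch is protected cannot be judged from here.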
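Review bot: The size check added to tgafb_check_var computes `var->xres * var->yres * (var->bits_per_pixel >> 3)` in 32-bit unsigned arithmetic, so a large enough xres/yres pair can wrap the product and pass the comparison against `info->fix.smem_len`. No upper bound on xres or yres is visible in the hunk; the function starts outside it, so this should be confirmed against the earlier checks. A division-based form avoids the wrap, for example `if (var->yres && var->xres > info->fix.smem_len / (var->bits_per_pixel >> 3) / var->yres) return -EINVAL;`. That form needs bits_per_pixel to have been restricted to at least 8 earlier in the function.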
par->yres = info->var.yres; + par->pll_freq = pll_freq = 1000000000 / info->var.pixclock; + par->bits_per_pixel = info->var.bits_per_pixel; ++ info->fix.line_length = par->xres * (par->bits_per_pixel >> 3); + + tga_type = par->tga_type; + +@@ -1318,6 +1321,7 @@ tgafb_init_fix(struct fb_info *info) + int tga_bus_tc = TGA_BUS_TC(par->dev); + u8 tga_type = par->tga_type; + const char *tga_type_name = NULL; ++ unsigned memory_size; + + switch (tga_type) { + case TGA_TYPE_8PLANE: +@@ -1325,21 +1329,25 @@ tgafb_init_fix(struct fb_info *info) + tga_type_name = "Digital ZLXp-E1"; + if (tga_bus_tc) + tga_type_name = "Digital ZLX-E1"; ++ memory_size = 2097152; + break; + case TGA_TYPE_24PLANE: + if (tga_bus_pci) + tga_type_name = "Digital ZLXp-E2"; + if (tga_bus_tc) + tga_type_name = "Digital ZLX-E2"; ++ memory_size = 8388608; + break; + case TGA_TYPE_24PLUSZ: + if (tga_bus_pci) + tga_type_name = "Digital ZLXp-E3"; + if (tga_bus_tc) + tga_type_name = "Digital ZLX-E3"; ++ memory_size = 16777216; + break; + default: + tga_type_name = "Unknown"; ++ memory_size = 16777216; + break; + } + +@@ -1351,9 +1359,8 @@ tgafb_init_fix(struct fb_info *info) + ? FB_VISUAL_PSEUDOCOLOR + : FB_VISUAL_DIRECTCOLOR); + +- info->fix.line_length = par->xres * (par->bits_per_pixel >> 3); + info->fix.smem_start = (size_t) par->tga_fb_base; +- info->fix.smem_len = info->fix.line_length * par->yres; ++ info->fix.smem_len = memory_size; + info->fix.mmio_start = (size_t) par->tga_regs_base; + info->fix.mmio_len = 512; + +@@ -1478,6 +1485,9 @@ tgafb_register(struct device *dev) + modedb_tga = &modedb_tc; + modedbsize_tga = 1; + } ++ ++ tgafb_init_fix(info); ++ + ret = fb_find_mode(&info->var, info, + mode_option ? 
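Review bot: In tgafb_init_fix the `default:` case assigns the largest size, `memory_size = 16777216;`, to a board of unknown type. Because `info->fix.smem_len` now comes from this value and bounds the mode check in tgafb_check_var, an unknown board with less memory would get a bound that is too permissive. The smallest size would be the conservative choice, or a comment should justify the largest. The bare decimal byte counts (`2097152`, `8388608`, `16777216`) are also hard to verify by eye; `2 * 1024 * 1024` and so on, or named constants, would make the intended sizes obvious.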
mode_option : mode_option_tga, + modedb_tga, modedbsize_tga, NULL, +@@ -1495,7 +1505,6 @@ tgafb_register(struct device *dev) + } + + tgafb_set_par(info); +- tgafb_init_fix(info); + + if (register_framebuffer(info) < 0) { + printk(KERN_ERR "tgafb: Could not register framebuffer\n"); +diff --git a/include/linux/net.h b/include/linux/net.h +index ff8097592f1d..d40ccb796e8d 100644 +--- a/include/linux/net.h ++++ b/include/linux/net.h +@@ -259,6 +259,29 @@ extern struct socket *sockfd_lookup(int fd, int *err); + #define sockfd_put(sock) fput(sock->file) + extern int net_ratelimit(void); + ++#define net_ratelimited_function(function, ...) \ ++do { \ ++ if (net_ratelimit()) \ ++ function(__VA_ARGS__); \ ++} while (0) ++ ++#define net_emerg_ratelimited(fmt, ...) \ ++ net_ratelimited_function(pr_emerg, fmt, ##__VA_ARGS__) ++#define net_alert_ratelimited(fmt, ...) \ ++ net_ratelimited_function(pr_alert, fmt, ##__VA_ARGS__) ++#define net_crit_ratelimited(fmt, ...) \ ++ net_ratelimited_function(pr_crit, fmt, ##__VA_ARGS__) ++#define net_err_ratelimited(fmt, ...) \ ++ net_ratelimited_function(pr_err, fmt, ##__VA_ARGS__) ++#define net_notice_ratelimited(fmt, ...) \ ++ net_ratelimited_function(pr_notice, fmt, ##__VA_ARGS__) ++#define net_warn_ratelimited(fmt, ...) \ ++ net_ratelimited_function(pr_warn, fmt, ##__VA_ARGS__) ++#define net_info_ratelimited(fmt, ...) \ ++ net_ratelimited_function(pr_info, fmt, ##__VA_ARGS__) ++#define net_dbg_ratelimited(fmt, ...) \ ++ net_ratelimited_function(pr_debug, fmt, ##__VA_ARGS__) ++ + #define net_random() random32() + #define net_srandom(seed) srandom32((__force u32)seed) + +diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h +index 96755c3798a5..0066409f86c7 100644 +--- a/include/net/netfilter/nf_conntrack_extend.h ++++ b/include/net/netfilter/nf_conntrack_extend.h +@@ -37,8 +37,8 @@ enum nf_ct_ext_id { + /* Extensions: optional stuff which isn't permanently in struct. 
*/ + struct nf_ct_ext { + struct rcu_head rcu; +- u8 offset[NF_CT_EXT_NUM]; +- u8 len; ++ u16 offset[NF_CT_EXT_NUM]; ++ u16 len; + char data[0]; + }; + +diff --git a/include/trace/events/block.h b/include/trace/events/block.h +index 05c5e61f0a7c..048e2658d895 100644 +--- a/include/trace/events/block.h ++++ b/include/trace/events/block.h +@@ -81,6 +81,7 @@ DEFINE_EVENT(block_rq_with_error, block_rq_requeue, + * block_rq_complete - block IO operation completed by device driver + * @q: queue containing the block operation request + * @rq: block operations request ++ * @nr_bytes: number of completed bytes + * + * The block_rq_complete tracepoint event indicates that some portion + * of operation request has been completed by the device driver. If +@@ -88,11 +89,37 @@ DEFINE_EVENT(block_rq_with_error, block_rq_requeue, + * do for the request. If @rq->bio is non-NULL then there is + * additional work required to complete the request. + */ +-DEFINE_EVENT(block_rq_with_error, block_rq_complete, ++TRACE_EVENT(block_rq_complete, + +- TP_PROTO(struct request_queue *q, struct request *rq), ++ TP_PROTO(struct request_queue *q, struct request *rq, ++ unsigned int nr_bytes), + +- TP_ARGS(q, rq) ++ TP_ARGS(q, rq, nr_bytes), ++ ++ TP_STRUCT__entry( ++ __field( dev_t, dev ) ++ __field( sector_t, sector ) ++ __field( unsigned int, nr_sector ) ++ __field( int, errors ) ++ __array( char, rwbs, RWBS_LEN ) ++ __dynamic_array( char, cmd, blk_cmd_buf_len(rq) ) ++ ), ++ ++ TP_fast_assign( ++ __entry->dev = rq->rq_disk ? 
disk_devt(rq->rq_disk) : 0; ++ __entry->sector = blk_rq_pos(rq); ++ __entry->nr_sector = nr_bytes >> 9; ++ __entry->errors = rq->errors; ++ ++ blk_fill_rwbs(__entry->rwbs, rq->cmd_flags, nr_bytes); ++ blk_dump_cmd(__get_str(cmd), rq); ++ ), ++ ++ TP_printk("%d,%d %s (%s) %llu + %u [%d]", ++ MAJOR(__entry->dev), MINOR(__entry->dev), ++ __entry->rwbs, __get_str(cmd), ++ (unsigned long long)__entry->sector, ++ __entry->nr_sector, __entry->errors) + ); + + DECLARE_EVENT_CLASS(block_rq, +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index c0bd0308741c..b0eeda6a798b 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -685,6 +685,7 @@ void blk_trace_shutdown(struct request_queue *q) + * blk_add_trace_rq - Add a trace for a request oriented action + * @q: queue the io is for + * @rq: the source request ++ * @nr_bytes: number of completed bytes + * @what: the action + * + * Description: +@@ -692,7 +693,7 @@ void blk_trace_shutdown(struct request_queue *q) + * + **/ + static void blk_add_trace_rq(struct request_queue *q, struct request *rq, +- u32 what) ++ unsigned int nr_bytes, u32 what) + { + struct blk_trace *bt = q->blk_trace; + +@@ -701,11 +702,11 @@ static void blk_add_trace_rq(struct request_queue *q, struct request *rq, + + if (rq->cmd_type == REQ_TYPE_BLOCK_PC) { + what |= BLK_TC_ACT(BLK_TC_PC); +- __blk_add_trace(bt, 0, blk_rq_bytes(rq), rq->cmd_flags, ++ __blk_add_trace(bt, 0, nr_bytes, rq->cmd_flags, + what, rq->errors, rq->cmd_len, rq->cmd); + } else { + what |= BLK_TC_ACT(BLK_TC_FS); +- __blk_add_trace(bt, blk_rq_pos(rq), blk_rq_bytes(rq), ++ __blk_add_trace(bt, blk_rq_pos(rq), nr_bytes, + rq->cmd_flags, what, rq->errors, 0, NULL); + } + } +@@ -713,33 +714,34 @@ static void blk_add_trace_rq(struct request_queue *q, struct request *rq, + static void blk_add_trace_rq_abort(void *ignore, + struct request_queue *q, struct request *rq) + { +- blk_add_trace_rq(q, rq, BLK_TA_ABORT); ++ blk_add_trace_rq(q, rq, blk_rq_bytes(rq), 
BLK_TA_ABORT); + } + + static void blk_add_trace_rq_insert(void *ignore, + struct request_queue *q, struct request *rq) + { +- blk_add_trace_rq(q, rq, BLK_TA_INSERT); ++ blk_add_trace_rq(q, rq, blk_rq_bytes(rq), BLK_TA_INSERT); + } + + static void blk_add_trace_rq_issue(void *ignore, + struct request_queue *q, struct request *rq) + { +- blk_add_trace_rq(q, rq, BLK_TA_ISSUE); ++ blk_add_trace_rq(q, rq, blk_rq_bytes(rq), BLK_TA_ISSUE); + } + + static void blk_add_trace_rq_requeue(void *ignore, + struct request_queue *q, + struct request *rq) + { +- blk_add_trace_rq(q, rq, BLK_TA_REQUEUE); ++ blk_add_trace_rq(q, rq, blk_rq_bytes(rq), BLK_TA_REQUEUE); + } + + static void blk_add_trace_rq_complete(void *ignore, + struct request_queue *q, +- struct request *rq) ++ struct request *rq, ++ unsigned int nr_bytes) + { +- blk_add_trace_rq(q, rq, BLK_TA_COMPLETE); ++ blk_add_trace_rq(q, rq, nr_bytes, BLK_TA_COMPLETE); + } + + /** +diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c +index 23d8560dbc56..7840b3486db3 100644 +--- a/kernel/tracepoint.c ++++ b/kernel/tracepoint.c +@@ -638,6 +638,9 @@ static int tracepoint_module_coming(struct module *mod) + struct tp_module *tp_mod, *iter; + int ret = 0; + ++ if (!mod->num_tracepoints) ++ return 0; ++ + /* + * We skip modules that taint the kernel, especially those with different + * module headers (for forced load), to make sure we don't cause a crash. 
+@@ -681,6 +684,9 @@ static int tracepoint_module_going(struct module *mod) + { + struct tp_module *pos; + ++ if (!mod->num_tracepoints) ++ return 0; ++ + mutex_lock(&tracepoints_mutex); + tracepoint_update_probe_range(mod->tracepoints_ptrs, + mod->tracepoints_ptrs + mod->num_tracepoints); +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 5fe2ff3b01ef..f381fa16bdc9 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1044,10 +1044,9 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl, + if (repl->num_counters && + copy_to_user(repl->counters, counterstmp, + repl->num_counters * sizeof(struct ebt_counter))) { +- ret = -EFAULT; ++ /* Silent error, can't fail, new table is already in place */ ++ net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n"); + } +- else +- ret = 0; + + /* decrease module count and free resources */ + EBT_ENTRY_ITERATE(table->entries, table->entries_size, +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index fd7a3f68917f..bcb6e6197595 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1039,8 +1039,10 @@ static int __do_replace(struct net *net, const char *name, + + xt_free_table_info(oldinfo); + if (copy_to_user(counters_ptr, counters, +- sizeof(struct xt_counters) * num_counters) != 0) +- ret = -EFAULT; ++ sizeof(struct xt_counters) * num_counters) != 0) { ++ /* Silent error, can't fail, new table is already in place */ ++ net_warn_ratelimited("arptables: counters copy to user failed while replacing table\n"); ++ } + vfree(counters); + xt_table_unlock(t); + return ret; +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 24e556e83a3b..f98a1cf54c5b 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1227,8 +1227,10 @@ __do_replace(struct net *net, const char *name, unsigned int 
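Review bot: With both `ret = -EFAULT;` and `else ret = 0;` removed from do_replace_finish, the value returned after the counter copy is whatever `ret` held before this block. That assignment is outside the hunk, so it should be confirmed to be 0 on this path, or set explicitly with `ret = 0;` before the copy. The caller now sees success even when its counters buffer was not filled, and the only trace is a rate-limited message that does not say which table was being replaced. The same applies to the __do_replace hunks in arp_tables.c, ip_tables.c and ip6_tables.c, where the `name` parameter is in scope and could be logged, e.g. `net_warn_ratelimited("iptables: counters copy to user failed while replacing table %s\n", name);`.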
valid_hooks, + + xt_free_table_info(oldinfo); + if (copy_to_user(counters_ptr, counters, +- sizeof(struct xt_counters) * num_counters) != 0) +- ret = -EFAULT; ++ sizeof(struct xt_counters) * num_counters) != 0) { ++ /* Silent error, can't fail, new table is already in place */ ++ net_warn_ratelimited("iptables: counters copy to user failed while replacing table\n"); ++ } + vfree(counters); + xt_table_unlock(t); + return ret; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 9d4e15559319..6fe8ced0068f 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1236,8 +1236,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks, + + xt_free_table_info(oldinfo); + if (copy_to_user(counters_ptr, counters, +- sizeof(struct xt_counters) * num_counters) != 0) +- ret = -EFAULT; ++ sizeof(struct xt_counters) * num_counters) != 0) { ++ /* Silent error, can't fail, new table is already in place */ ++ net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n"); ++ } + vfree(counters); + xt_table_unlock(t); + return ret; +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index c4e7d1510f9d..62ed15a03515 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -569,12 +569,16 @@ static int ignore_undef_symbol(struct elf_info *info, const char *symname) + if (strncmp(symname, "_restgpr_", sizeof("_restgpr_") - 1) == 0 || + strncmp(symname, "_savegpr_", sizeof("_savegpr_") - 1) == 0 || + strncmp(symname, "_rest32gpr_", sizeof("_rest32gpr_") - 1) == 0 || +- strncmp(symname, "_save32gpr_", sizeof("_save32gpr_") - 1) == 0) ++ strncmp(symname, "_save32gpr_", sizeof("_save32gpr_") - 1) == 0 || ++ strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 || ++ strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0) + return 1; + if (info->hdr->e_machine == EM_PPC64) + /* Special register function linked on all modules during final link of .ko */ 
+ if (strncmp(symname, "_restgpr0_", sizeof("_restgpr0_") - 1) == 0 || +- strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0) ++ strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0 || ++ strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 || ++ strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0) + return 1; + /* Do not ignore this symbol */ + return 0; Deleted: genpatches-2.6/trunk/3.4/1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch =================================================================== --- genpatches-2.6/trunk/3.4/1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch 2014-05-16 20:02:21 UTC (rev 2797) +++ genpatches-2.6/trunk/3.4/1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch 2014-05-20 00:16:46 UTC (rev 2798) 
@@ -1,77 +0,0 @@ -From: Peter Hurley <[email protected]> -Date: Sat, 3 May 2014 14:04:59 +0200 -Subject: n_tty: Fix n_tty_write crash when echoing in raw mode - -commit 4291086b1f081b869c6d79e5b7441633dc3ace00 upstream. - -The tty atomic_write_lock does not provide an exclusion guarantee for -the tty driver if the termios settings are LECHO & !OPOST. And since -it is unexpected and not allowed to call TTY buffer helpers like -tty_insert_flip_string concurrently, this may lead to crashes when -concurrect writers call pty_write. In that case the following two -writers: -* the ECHOing from a workqueue and -* pty_write from the process -race and can overflow the corresponding TTY buffer like follows. - -If we look into tty_insert_flip_string_fixed_flag, there is: - int space = __tty_buffer_request_room(port, goal, flags); - struct tty_buffer *tb = port->buf.tail; - ... - memcpy(char_buf_ptr(tb, tb->used), chars, space); - ... - tb->used += space; - -so the race of the two can result in something like this: - A B -__tty_buffer_request_room - __tty_buffer_request_room -memcpy(buf(tb->used), ...) -tb->used += space; - memcpy(buf(tb->used), ...) ->BOOM - -B's memcpy is past the tty_buffer due to the previous A's tb->used -increment. - -Since the N_TTY line discipline input processing can output -concurrently with a tty write, obtain the N_TTY ldisc output_lock to -serialize echo output with normal tty writes. This ensures the tty -buffer helper tty_insert_flip_string is not called concurrently and -everything is fine. - -Note that this is nicely reproducible by an ordinary user using -forkpty and some setup around that (raw termios + ECHO). And it is -present in kernels at least after commit -d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to -use the normal buffering logic) in 2.6.31-rc3. 
- -js: add more info to the commit log -js: switch to bool -js: lock unconditionally -js: lock only the tty->ops->write call - -References: CVE-2014-0196 -Reported-and-tested-by: Jiri Slaby <[email protected]> -Signed-off-by: Peter Hurley <[email protected]> -Signed-off-by: Jiri Slaby <[email protected]> -Cc: Linus Torvalds <[email protected]> -Cc: Alan Cox <[email protected]> -Signed-off-by: Greg Kroah-Hartman <[email protected]> -[bwh: Backported to 3.2: output_lock is a member of struct tty_struct] -Signed-off-by: Ben Hutchings <[email protected]> ---- - drivers/tty/n_tty.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/tty/n_tty.c -+++ b/drivers/tty/n_tty.c -@@ -1996,7 +1996,9 @@ static ssize_t n_tty_write(struct tty_st - tty->ops->flush_chars(tty); - } else { - while (nr > 0) { -+ mutex_lock(&tty->output_lock); - c = tty->ops->write(tty, b, nr); -+ mutex_unlock(&tty->output_lock); - if (c < 0) { - retval = c; - goto break_out; Deleted: genpatches-2.6/trunk/3.4/1500_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch =================================================================== --- genpatches-2.6/trunk/3.4/1500_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch 2014-05-16 20:02:21 UTC (rev 2797) +++ genpatches-2.6/trunk/3.4/1500_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch 2014-05-20 00:16:46 UTC (rev 2798) 
@@ -1,56 +0,0 @@ -From 6a96e15096da6e7491107321cfa660c7c2aa119d Mon Sep 17 00:00:00 2001 -From: Paul Moore <[email protected]> -Date: Tue, 28 Jan 2014 14:45:41 -0500 -Subject: [PATCH 1/2] selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink - message types - -The SELinux AF_NETLINK/NETLINK_SOCK_DIAG socket class was missing the -SOCK_DIAG_BY_FAMILY definition which caused SELINUX_ERR messages when -the ss tool was run. - - # ss - Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port - u_str ESTAB 0 0 * 14189 * 14190 - u_str ESTAB 0 0 * 14145 * 14144 - u_str ESTAB 0 0 * 14151 * 14150 - {...} - # ausearch -m SELINUX_ERR - ---- - time->Thu Jan 23 11:11:16 2014 - type=SYSCALL msg=audit(1390493476.445:374): - arch=c000003e syscall=44 success=yes exit=40 - a0=3 a1=7fff03aa11f0 a2=28 a3=0 items=0 ppid=1852 pid=1895 - auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 - tty=pts0 ses=1 comm="ss" exe="/usr/sbin/ss" - subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) - type=SELINUX_ERR msg=audit(1390493476.445:374): - SELinux: unrecognized netlink message type=20 for sclass=32 - -Signed-off-by: Paul Moore <[email protected]> ---- - security/selinux/nlmsgtab.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c -index 332ac8a..2df7b90 100644 ---- a/security/selinux/nlmsgtab.c -+++ b/security/selinux/nlmsgtab.c -@@ -17,6 +17,7 @@ - #include <linux/inet_diag.h> - #include <linux/xfrm.h> - #include <linux/audit.h> -+#include <linux/sock_diag.h> - - #include "flask.h" - #include "av_permissions.h" -@@ -78,6 +79,7 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] = - { - { TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, - { DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, -+ { SOCK_DIAG_BY_FAMILY, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, - }; - - static struct nlmsg_perm nlmsg_xfrm_perms[] = --- -1.9.2 - Added: 
genpatches-2.6/trunk/3.4/1505_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch =================================================================== --- genpatches-2.6/trunk/3.4/1505_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch (rev 0) +++ genpatches-2.6/trunk/3.4/1505_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch 2014-05-20 00:16:46 UTC (rev 2798) 
@@ -0,0 +1,56 @@ +From 6a96e15096da6e7491107321cfa660c7c2aa119d Mon Sep 17 00:00:00 2001 +From: Paul Moore <[email protected]> +Date: Tue, 28 Jan 2014 14:45:41 -0500 +Subject: [PATCH 1/2] selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink + message types + +The SELinux AF_NETLINK/NETLINK_SOCK_DIAG socket class was missing the +SOCK_DIAG_BY_FAMILY definition which caused SELINUX_ERR messages when +the ss tool was run. + + # ss + Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port + u_str ESTAB 0 0 * 14189 * 14190 + u_str ESTAB 0 0 * 14145 * 14144 + u_str ESTAB 0 0 * 14151 * 14150 + {...} + # ausearch -m SELINUX_ERR + ---- + time->Thu Jan 23 11:11:16 2014 + type=SYSCALL msg=audit(1390493476.445:374): + arch=c000003e syscall=44 success=yes exit=40 + a0=3 a1=7fff03aa11f0 a2=28 a3=0 items=0 ppid=1852 pid=1895 + auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 + tty=pts0 ses=1 comm="ss" exe="/usr/sbin/ss" + subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) + type=SELINUX_ERR msg=audit(1390493476.445:374): + SELinux: unrecognized netlink message type=20 for sclass=32 + +Signed-off-by: Paul Moore <[email protected]> +--- + security/selinux/nlmsgtab.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c +index 332ac8a..2df7b90 100644 +--- a/security/selinux/nlmsgtab.c ++++ b/security/selinux/nlmsgtab.c +@@ -17,6 +17,7 @@ + #include <linux/inet_diag.h> + #include <linux/xfrm.h> + #include <linux/audit.h> ++#include <linux/sock_diag.h> + + #include "flask.h" + #include "av_permissions.h" +@@ -78,6 +79,7 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] = + { + { TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, + { DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, ++ { SOCK_DIAG_BY_FAMILY, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, + }; + + static struct nlmsg_perm nlmsg_xfrm_perms[] = +-- +1.9.2 +
