Linux v3.6-rc2-400-g23dcfa6

- CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
2012-08-22 07:34:59 -04:00 · 2012-08-22 07:34:59 -04:00 · 14f0cc6e63
commit 14f0cc6e63
parent 7051aa7c8d
4 changed files with 7 additions and 138 deletions
--- a/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
+++ b/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
@ -1,89 +0,0 @@
-                                                                                                                                                                                                                                                               
-Delivered-To: jwboyer@gmail.com
-Received: by 10.229.184.7 with SMTP id ci7csp32184qcb;
-        Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
-Received: by 10.236.195.97 with SMTP id o61mr24210886yhn.17.1345531220620;
-        Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
-Return-Path: <airlied@redhat.com>
-Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28])
-        by mx.google.com with ESMTP id c5si239413anp.5.2012.08.20.23.40.20;
-        Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
-Received-SPF: pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28;
-Authentication-Results: mx.google.com; spf=pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) smtp.mail=airlied@redhat.com
-Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
-	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q7L6eJ4K014799
-	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
-	Tue, 21 Aug 2012 02:40:19 -0400
-Received: from prime.bne.redhat.com (dhcp-41-76.bne.redhat.com [10.64.41.76])
-	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q7L6eFfB029177;
-	Tue, 21 Aug 2012 02:40:16 -0400
-From: Dave Airlie <airlied@redhat.com>
-To: linux-fbdev@vger.kernel.org
-Cc: dri-devel@lists.sf.net, linux-kernel@vger.kernel.org,
-        Linus <torvalds@linux-foundation.org>,
-        Alan Cox <alan@lxorguk.ukuu.org.uk>,
-        Randy Dunlap <rdunlap@xenotime.net>, Josh Boyer <jwboyer@gmail.com>,
-        Dave Airlie <airlied@redhat.com>
-Subject: [PATCH] fbcon: fix race condition between console lock and cursor timer
-Date: Tue, 21 Aug 2012 16:40:07 +1000
-Message-Id: <1345531207-24926-1-git-send-email-airlied@redhat.com>
-X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
-
-So we've had a fair few reports of fbcon handover breakage between
-efi/vesafb and i915 surface recently, so I dedicated a couple of
-days to finding the problem.
-
-Essentially the last thing we saw was the conflicting framebuffer
-message and that was all.
-
-So after much tracing with direct netconsole writes (printks
-under console_lock not so useful), I think I found the race.
-
-Thread A (driver load)    Thread B (timer thread)
-  unbind_con_driver ->              |
-  bind_con_driver ->                |
-  vc->vc_sw->con_deinit ->          |
-  fbcon_deinit ->                   |
-  console_lock()                    |
-      |                             |
-      |                       fbcon_flashcursor timer fires
-      |                       console_lock() <- blocked for A
-      |
-      |
-fbcon_del_cursor_timer ->
-  del_timer_sync
-  (BOOM)
-
-Of course because all of this is under the console lock,
-we never see anything, also since we also just unbound the active
-console guess what we never see anything.
-
-Hopefully this fixes the problem for anyone seeing vesafb->kms
-driver handoff.
-
-Signed-off-by: David Airlie <airlied@redhat.com>
---
- drivers/video/console/fbcon.c |    6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
-index 2e471c2..f8a79fc 100644
--- a/drivers/video/console/fbcon.c
-+++ b/drivers/video/console/fbcon.c
-@@ -372,8 +372,12 @@ static void fb_flashcursor(struct work_struct *work)
- 	struct vc_data *vc = NULL;
- 	int c;
- 	int mode;
-+	int ret;
-+
-+	ret = console_trylock();
-+	if (ret == 0)
-+		return;
- 
-	console_lock();
- 	if (ops && ops->currcon != -1)
- 		vc = vc_cons[ops->currcon].d;
- 
-- 
-1.7.10.2
-
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 1
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 2
 # The git snapshot level
-%define gitrev 1
+%define gitrev 2
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@ -744,11 +744,6 @@ Patch22000: weird-root-dentry-name-debug.patch
 #selinux ptrace child permissions
 Patch22001: selinux-apply-different-permission-to-ptrace-child.patch

-#rhbz 836742
-Patch22059: uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
-
-Patch22065: fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
-
 #rhbz 847548
 Patch22066: virtio-scsi-Initialize-scatterlist-structure.patch

@ -1442,11 +1437,6 @@ ApplyPatch weird-root-dentry-name-debug.patch
 #selinux ptrace child permissions
 ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch

-#rhbz 836742
-ApplyPatch uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
-
-ApplyPatch fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
-
 #rhbz 847548
 ApplyPatch virtio-scsi-Initialize-scatterlist-structure.patch

@ -2315,6 +2305,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Wed Aug 22 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.0-0.rc2.git2.1
+- Linux v3.6-rc2-400-g23dcfa6
+- CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
+
 * Tue Aug 21 2012 Josh Boyer <jwboyer@redhat.com>
 - Add patch from Dave Jones to fix suspicious RCU usage in SELinux (rhbz 846037)
 - Add patch from Richard W.M. Jones to fix virtio scsi oops (rhbz 847548)
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 24153eaaa81dedc9481ada8cd9c3b83d  linux-3.5.tar.xz
 5f0ec612b5364c18386c1b8155c271ac  patch-3.6-rc2.xz
-12edd20554fd9469c5d7fad9935ce0af  patch-3.6-rc2-git1.xz
+35f27ef57826c644eb014ecda8f22870  patch-3.6-rc2-git2.xz
--- a/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
+++ b/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
@ -1,36 +0,0 @@
-From 3771973542a4807b251352253ed22c50e688e573 Mon Sep 17 00:00:00 2001
-From: Jayakrishnan Memana <jayakrishnan.memana@maxim-ic.com>
-Date: Sun, 15 Jul 2012 15:54:03 +0200
-Subject: [PATCH] uvcvideo: Reset the bytesused field when recycling an erroneous buffer
-
-Buffers marked as erroneous are recycled immediately by the driver if
-the nodrop module parameter isn't set. The buffer payload size is reset
-to 0, but the buffer bytesused field isn't. This results in the buffer
-being immediately considered as complete, leading to an infinite loop in
-interrupt context.
-
-Fix the problem by resetting the bytesused field when recycling the
-buffer.
-
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Jayakrishnan Memana <jayakrishnan.memana@maxim-ic.com>
-Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
- drivers/media/video/uvc/uvc_queue.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/drivers/media/video/uvc/uvc_queue.c b/drivers/media/video/uvc/uvc_queue.c
-index 9288fbd..5577381 100644
--- a/drivers/media/video/uvc/uvc_queue.c
-+++ b/drivers/media/video/uvc/uvc_queue.c
-@@ -338,6 +338,7 @@ struct uvc_buffer *uvc_queue_next_buffer(struct uvc_video_queue *queue,
- 	if ((queue->flags & UVC_QUEUE_DROP_CORRUPTED) && buf->error) {
- 		buf->error = 0;
- 		buf->state = UVC_BUF_STATE_QUEUED;
-+		buf->bytesused = 0;
- 		vb2_set_plane_payload(&buf->buf, 0, 0);
- 		return buf;
- 	}
-- 
-1.7.2.5
-