Linux v3.6-rc2-400-g23dcfa6

- CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
2012-08-22 07:34:59 -04:00 · 2012-08-22 07:34:59 -04:00 · 14f0cc6e63
commit 14f0cc6e63
parent 7051aa7c8d
4 changed files with 7 additions and 138 deletions
--- a/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
+++ b/fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
@ -1,89 +0,0 @@
 Delivered-To: jwboyer@gmail.com
 Received: by 10.229.184.7 with SMTP id ci7csp32184qcb;
        Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
 Received: by 10.236.195.97 with SMTP id o61mr24210886yhn.17.1345531220620;
        Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
 Return-Path: <airlied@redhat.com>
 Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28])
        by mx.google.com with ESMTP id c5si239413anp.5.2012.08.20.23.40.20;
        Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
 Received-SPF: pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28;
 Authentication-Results: mx.google.com; spf=pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) smtp.mail=airlied@redhat.com
 Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
 	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q7L6eJ4K014799
 	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
 	Tue, 21 Aug 2012 02:40:19 -0400
 Received: from prime.bne.redhat.com (dhcp-41-76.bne.redhat.com [10.64.41.76])
 	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q7L6eFfB029177;
 	Tue, 21 Aug 2012 02:40:16 -0400
 From: Dave Airlie <airlied@redhat.com>
 To: linux-fbdev@vger.kernel.org
 Cc: dri-devel@lists.sf.net, linux-kernel@vger.kernel.org,
        Linus <torvalds@linux-foundation.org>,
        Alan Cox <alan@lxorguk.ukuu.org.uk>,
        Randy Dunlap <rdunlap@xenotime.net>, Josh Boyer <jwboyer@gmail.com>,
        Dave Airlie <airlied@redhat.com>
 Subject: [PATCH] fbcon: fix race condition between console lock and cursor timer
 Date: Tue, 21 Aug 2012 16:40:07 +1000
 Message-Id: <1345531207-24926-1-git-send-email-airlied@redhat.com>
 X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
 So we've had a fair few reports of fbcon handover breakage between
 efi/vesafb and i915 surface recently, so I dedicated a couple of
 days to finding the problem.
 Essentially the last thing we saw was the conflicting framebuffer
 message and that was all.
 So after much tracing with direct netconsole writes (printks
 under console_lock not so useful), I think I found the race.
 Thread A (driver load)    Thread B (timer thread)
  unbind_con_driver ->              |
  bind_con_driver ->                |
  vc->vc_sw->con_deinit ->          |
  fbcon_deinit ->                   |
  console_lock()                    |
      |                             |
      |                       fbcon_flashcursor timer fires
      |                       console_lock() <- blocked for A
      |
      |
 fbcon_del_cursor_timer ->
  del_timer_sync
  (BOOM)
 Of course because all of this is under the console lock,
 we never see anything, also since we also just unbound the active
 console guess what we never see anything.
 Hopefully this fixes the problem for anyone seeing vesafb->kms
 driver handoff.
 Signed-off-by: David Airlie <airlied@redhat.com>
 ---
 drivers/video/console/fbcon.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
 index 2e471c2..f8a79fc 100644
 --- a/drivers/video/console/fbcon.c
 +++ b/drivers/video/console/fbcon.c
@@ -372,8 +372,12 @@ static void fb_flashcursor(struct work_struct *work)
 	struct vc_data *vc = NULL;
 	int c;
 	int mode;
 +	int ret;
 +
 +	ret = console_trylock();
 +	if (ret == 0)
 +		return;
 -	console_lock();
 	if (ops && ops->currcon != -1)
 		vc = vc_cons[ops->currcon].d;
 -- 
 1.7.10.2
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 1
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 2
 # The git snapshot level
-%define gitrev 1
+%define gitrev 2
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@ -744,11 +744,6 @@ Patch22000: weird-root-dentry-name-debug.patch
 #selinux ptrace child permissions
 Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
 #rhbz 836742
 Patch22059: uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
 Patch22065: fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
 #rhbz 847548
 Patch22066: virtio-scsi-Initialize-scatterlist-structure.patch
@ -1442,11 +1437,6 @@ ApplyPatch weird-root-dentry-name-debug.patch
 #selinux ptrace child permissions
 ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
 #rhbz 836742
 ApplyPatch uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
 ApplyPatch fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
 #rhbz 847548
 ApplyPatch virtio-scsi-Initialize-scatterlist-structure.patch
@ -2315,6 +2305,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
 * Wed Aug 22 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.0-0.rc2.git2.1
 - Linux v3.6-rc2-400-g23dcfa6
 - CVE-2012-3520: af_netlink: invalid handling of SCM_CREDENTIALS passing
 * Tue Aug 21 2012 Josh Boyer <jwboyer@redhat.com>
 - Add patch from Dave Jones to fix suspicious RCU usage in SELinux (rhbz 846037)
 - Add patch from Richard W.M. Jones to fix virtio scsi oops (rhbz 847548)
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 24153eaaa81dedc9481ada8cd9c3b83d  linux-3.5.tar.xz
 5f0ec612b5364c18386c1b8155c271ac  patch-3.6-rc2.xz
-12edd20554fd9469c5d7fad9935ce0af  patch-3.6-rc2-git1.xz
+35f27ef57826c644eb014ecda8f22870  patch-3.6-rc2-git2.xz
--- a/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
+++ b/uvcvideo-Reset-bytesused-field-when-recycling-erroneous-buffer.patch
@ -1,36 +0,0 @@
 From 3771973542a4807b251352253ed22c50e688e573 Mon Sep 17 00:00:00 2001
 From: Jayakrishnan Memana <jayakrishnan.memana@maxim-ic.com>
 Date: Sun, 15 Jul 2012 15:54:03 +0200
 Subject: [PATCH] uvcvideo: Reset the bytesused field when recycling an erroneous buffer
 Buffers marked as erroneous are recycled immediately by the driver if
 the nodrop module parameter isn't set. The buffer payload size is reset
 to 0, but the buffer bytesused field isn't. This results in the buffer
 being immediately considered as complete, leading to an infinite loop in
 interrupt context.
 Fix the problem by resetting the bytesused field when recycling the
 buffer.
 Cc: <stable@vger.kernel.org>
 Signed-off-by: Jayakrishnan Memana <jayakrishnan.memana@maxim-ic.com>
 Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
 ---
 drivers/media/video/uvc/uvc_queue.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
 diff --git a/drivers/media/video/uvc/uvc_queue.c b/drivers/media/video/uvc/uvc_queue.c
 index 9288fbd..5577381 100644
 --- a/drivers/media/video/uvc/uvc_queue.c
 +++ b/drivers/media/video/uvc/uvc_queue.c
@@ -338,6 +338,7 @@ struct uvc_buffer *uvc_queue_next_buffer(struct uvc_video_queue *queue,
 	if ((queue->flags & UVC_QUEUE_DROP_CORRUPTED) && buf->error) {
 		buf->error = 0;
 		buf->state = UVC_BUF_STATE_QUEUED;
 +		buf->bytesused = 0;
 		vb2_set_plane_payload(&buf->buf, 0, 0);
 		return buf;
 	}
 -- 
 1.7.2.5