diff --git a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch b/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch deleted file mode 100644 index 7197f7f7a..000000000 --- a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch +++ /dev/null @@ -1,228 +0,0 @@ -To fix /dev/kmsg, let's compare the existing interfaces and what they allow: - -- /proc/kmsg allows: - - open (SYSLOG_ACTION_OPEN) if CAP_SYSLOG since it uses a destructive - single-reader interface (SYSLOG_ACTION_READ). - - everything, after an open. - -- syslog syscall allows: - - anything, if CAP_SYSLOG. - - SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, if dmesg_restrict==0. - - nothing else (EPERM). - -The use-cases were: -- dmesg(1) needs to do non-destructive SYSLOG_ACTION_READ_ALLs. -- sysklog(1) needs to open /proc/kmsg, drop privs, and still issue the - destructive SYSLOG_ACTION_READs. - -AIUI, dmesg(1) is moving to /dev/kmsg, and systemd-journald doesn't -clear the ring buffer. - -Based on the comments in devkmsg_llseek, it sounds like actions besides -reading aren't going to be supported by /dev/kmsg (i.e. SYSLOG_ACTION_CLEAR), -so we have a strict subset of the non-destructive syslog syscall actions. - -To this end, move the check as Josh had done, but also rename the constants -to reflect their new uses (SYSLOG_FROM_CALL becomes SYSLOG_FROM_READER, and -SYSLOG_FROM_FILE becomes SYSLOG_FROM_PROC). SYSLOG_FROM_READER allows -non-destructive actions, and SYSLOG_FROM_PROC allows destructive actions -after a capabilities-constrained SYSLOG_ACTION_OPEN check. - -- /dev/kmsg allows: - - open if CAP_SYSLOG or dmesg_restrict==0 - - reading/polling, after open - -Signed-off-by: Kees Cook -Reported-by: Christian Kujau -Cc: Josh Boyer -Cc: Kay Sievers -Cc: stable@vger.kernel.org ---- - fs/proc/kmsg.c | 10 +++--- - include/linux/syslog.h | 4 +-- - kernel/printk.c | 91 ++++++++++++++++++++++++++---------------------- - 3 files changed, 57 insertions(+), 48 deletions(-) - -diff --git a/fs/proc/kmsg.c b/fs/proc/kmsg.c -index bd4b5a7..bdfabda 100644 ---- a/fs/proc/kmsg.c -+++ b/fs/proc/kmsg.c -@@ -21,12 +21,12 @@ extern wait_queue_head_t log_wait; - - static int kmsg_open(struct inode * inode, struct file * file) - { -- return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_FILE); -+ return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_PROC); - } - - static int kmsg_release(struct inode * inode, struct file * file) - { -- (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_FILE); -+ (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_PROC); - return 0; - } - -@@ -34,15 +34,15 @@ static ssize_t kmsg_read(struct file *file, char __user *buf, - size_t count, loff_t *ppos) - { - if ((file->f_flags & O_NONBLOCK) && -- !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) -+ !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC)) - return -EAGAIN; -- return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_FILE); -+ return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_PROC); - } - - static unsigned int kmsg_poll(struct file *file, poll_table *wait) - { - poll_wait(file, &log_wait, wait); -- if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) -+ if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC)) - return POLLIN | POLLRDNORM; - return 0; - } -diff --git a/include/linux/syslog.h b/include/linux/syslog.h -index 3891139..98a3153 100644 ---- a/include/linux/syslog.h -+++ b/include/linux/syslog.h -@@ -44,8 +44,8 @@ - /* Return size of the log buffer */ - #define SYSLOG_ACTION_SIZE_BUFFER 10 - --#define SYSLOG_FROM_CALL 0 --#define SYSLOG_FROM_FILE 1 -+#define SYSLOG_FROM_READER 0 -+#define SYSLOG_FROM_PROC 1 - - int do_syslog(int type, char __user *buf, int count, bool from_file); - -diff --git a/kernel/printk.c b/kernel/printk.c -index abbdd9e..53b5c5e 100644 ---- a/kernel/printk.c -+++ b/kernel/printk.c -@@ -368,6 +368,53 @@ static void log_store(int facility, int level, - log_next_seq++; - } - -+#ifdef CONFIG_SECURITY_DMESG_RESTRICT -+int dmesg_restrict = 1; -+#else -+int dmesg_restrict; -+#endif -+ -+static int syslog_action_restricted(int type) -+{ -+ if (dmesg_restrict) -+ return 1; -+ /* -+ * Unless restricted, we allow "read all" and "get buffer size" -+ * for everybody. -+ */ -+ return type != SYSLOG_ACTION_READ_ALL && -+ type != SYSLOG_ACTION_SIZE_BUFFER; -+} -+ -+static int check_syslog_permissions(int type, bool from_file) -+{ -+ /* -+ * If this is from /proc/kmsg and we've already opened it, then we've -+ * already done the capabilities checks at open time. -+ */ -+ if (from_file && type != SYSLOG_ACTION_OPEN) -+ return 0; -+ -+ if (syslog_action_restricted(type)) { -+ if (capable(CAP_SYSLOG)) -+ return 0; -+ /* -+ * For historical reasons, accept CAP_SYS_ADMIN too, with -+ * a warning. -+ */ -+ if (capable(CAP_SYS_ADMIN)) { -+ printk_once(KERN_WARNING "%s (%d): " -+ "Attempt to access syslog with CAP_SYS_ADMIN " -+ "but no CAP_SYSLOG (deprecated).\n", -+ current->comm, task_pid_nr(current)); -+ return 0; -+ } -+ return -EPERM; -+ } -+ return security_syslog(type); -+} -+ -+ - /* /dev/kmsg - userspace message inject/listen interface */ - struct devkmsg_user { - u64 seq; -@@ -624,7 +671,8 @@ static int devkmsg_open(struct inode *inode, struct file *file) - if ((file->f_flags & O_ACCMODE) == O_WRONLY) - return 0; - -- err = security_syslog(SYSLOG_ACTION_READ_ALL); -+ err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL, -+ SYSLOG_FROM_READER); - if (err) - return err; - -@@ -817,45 +865,6 @@ static inline void boot_delay_msec(int level) - } - #endif - --#ifdef CONFIG_SECURITY_DMESG_RESTRICT --int dmesg_restrict = 1; --#else --int dmesg_restrict; --#endif -- --static int syslog_action_restricted(int type) --{ -- if (dmesg_restrict) -- return 1; -- /* Unless restricted, we allow "read all" and "get buffer size" for everybody */ -- return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER; --} -- --static int check_syslog_permissions(int type, bool from_file) --{ -- /* -- * If this is from /proc/kmsg and we've already opened it, then we've -- * already done the capabilities checks at open time. -- */ -- if (from_file && type != SYSLOG_ACTION_OPEN) -- return 0; -- -- if (syslog_action_restricted(type)) { -- if (capable(CAP_SYSLOG)) -- return 0; -- /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */ -- if (capable(CAP_SYS_ADMIN)) { -- printk_once(KERN_WARNING "%s (%d): " -- "Attempt to access syslog with CAP_SYS_ADMIN " -- "but no CAP_SYSLOG (deprecated).\n", -- current->comm, task_pid_nr(current)); -- return 0; -- } -- return -EPERM; -- } -- return 0; --} -- - #if defined(CONFIG_PRINTK_TIME) - static bool printk_time = 1; - #else -@@ -1253,7 +1262,7 @@ out: - - SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) - { -- return do_syslog(type, buf, len, SYSLOG_FROM_CALL); -+ return do_syslog(type, buf, len, SYSLOG_FROM_READER); - } - - /* --- -1.7.9.5 - - --- -Kees Cook -Chrome OS Security diff --git a/Modify-UEFI-anti-bricking-code.patch b/Modify-UEFI-anti-bricking-code.patch deleted file mode 100644 index 269359f40..000000000 --- a/Modify-UEFI-anti-bricking-code.patch +++ /dev/null @@ -1,384 +0,0 @@ -From: Matthew Garrett -To: rja@sgi.com -Cc: mingo@kernel.org, torvalds@linux-foundation.org, bp@alien8.de, - jkosina@suse.cz, jlee@suse.com, matt.fleming@intel.com, - linux-efi@vger.kernel.org, x86@kernel.org, - linux-kernel@vger.kernel.org, tglx@linutronix.de, hpa@linux.intel.com, - akpm@linux-foundation.org, - Matthew Garrett -Subject: [PATCH] Modify UEFI anti-bricking code -Date: Sat, 1 Jun 2013 16:06:20 -0400 -Message-Id: <1370117180-1712-1-git-send-email-matthew.garrett@nebula.com> - -This patch reworks the UEFI anti-bricking code, including an effective -reversion of cc5a080c and 31ff2f20. It turns out that calling -QueryVariableInfo() from boot services results in some firmware -implementations jumping to physical addresses even after entering virtual -mode, so until we have 1:1 mappings for UEFI runtime space this isn't -going to work so well. - -Reverting these gets us back to the situation where we'd refuse to create -variables on some systems because they classify deleted variables as "used" -until the firmware triggers a garbage collection run, which they won't do -until they reach a lower threshold. This results in it being impossible to -install a bootloader, which is unhelpful. - -Feedback from Samsung indicates that the firmware doesn't need more than -5KB of storage space for its own purposes, so that seems like a reasonable -threshold. However, there's still no guarantee that a platform will attempt -garbage collection merely because it drops below this threshold. It seems -that this is often only triggered if an attempt to write generates a -genuine EFI_OUT_OF_RESOURCES error. We can force that by attempting to -create a variable larger than the remaining space. This should fail, but if -it somehow succeeds we can then immediately delete it. - -I've tested this on the UEFI machines I have available, but I don't have -a Samsung and so can't verify that it avoids the bricking problem. - -Signed-off-by: Matthew Garrett ---- - arch/x86/boot/compressed/eboot.c | 47 ---------- - arch/x86/include/asm/efi.h | 7 -- - arch/x86/include/uapi/asm/bootparam.h | 1 - - arch/x86/platform/efi/efi.c | 169 +++++++++------------------------- - 4 files changed, 45 insertions(+), 179 deletions(-) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 35ee62f..c205035 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -251,51 +251,6 @@ static void find_bits(unsigned long mask, u8 *pos, u8 *size) - *size = len; - } - --static efi_status_t setup_efi_vars(struct boot_params *params) --{ -- struct setup_data *data; -- struct efi_var_bootdata *efidata; -- u64 store_size, remaining_size, var_size; -- efi_status_t status; -- -- if (sys_table->runtime->hdr.revision < EFI_2_00_SYSTEM_TABLE_REVISION) -- return EFI_UNSUPPORTED; -- -- data = (struct setup_data *)(unsigned long)params->hdr.setup_data; -- -- while (data && data->next) -- data = (struct setup_data *)(unsigned long)data->next; -- -- status = efi_call_phys4((void *)sys_table->runtime->query_variable_info, -- EFI_VARIABLE_NON_VOLATILE | -- EFI_VARIABLE_BOOTSERVICE_ACCESS | -- EFI_VARIABLE_RUNTIME_ACCESS, &store_size, -- &remaining_size, &var_size); -- -- if (status != EFI_SUCCESS) -- return status; -- -- status = efi_call_phys3(sys_table->boottime->allocate_pool, -- EFI_LOADER_DATA, sizeof(*efidata), &efidata); -- -- if (status != EFI_SUCCESS) -- return status; -- -- efidata->data.type = SETUP_EFI_VARS; -- efidata->data.len = sizeof(struct efi_var_bootdata) - -- sizeof(struct setup_data); -- efidata->data.next = 0; -- efidata->store_size = store_size; -- efidata->remaining_size = remaining_size; -- efidata->max_var_size = var_size; -- -- if (data) -- data->next = (unsigned long)efidata; -- else -- params->hdr.setup_data = (unsigned long)efidata; -- --} -- - static efi_status_t setup_efi_pci(struct boot_params *params) - { - efi_pci_io_protocol *pci; -@@ -1202,8 +1157,6 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, - - setup_graphics(boot_params); - -- setup_efi_vars(boot_params); -- - setup_efi_pci(boot_params); - - status = efi_call_phys3(sys_table->boottime->allocate_pool, -diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h -index 2fb5d58..60c89f3 100644 ---- a/arch/x86/include/asm/efi.h -+++ b/arch/x86/include/asm/efi.h -@@ -102,13 +102,6 @@ extern void efi_call_phys_epilog(void); - extern void efi_unmap_memmap(void); - extern void efi_memory_uc(u64 addr, unsigned long size); - --struct efi_var_bootdata { -- struct setup_data data; -- u64 store_size; -- u64 remaining_size; -- u64 max_var_size; --}; -- - #ifdef CONFIG_EFI - - static inline bool efi_is_native(void) -diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index 0874424..c15ddaf 100644 ---- a/arch/x86/include/uapi/asm/bootparam.h -+++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -6,7 +6,6 @@ - #define SETUP_E820_EXT 1 - #define SETUP_DTB 2 - #define SETUP_PCI 3 --#define SETUP_EFI_VARS 4 - - /* ram_size flags */ - #define RAMDISK_IMAGE_START_MASK 0x07FF -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index 82089d8..63e167a 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -42,7 +42,6 @@ - #include - #include - #include --#include - - #include - #include -@@ -54,13 +53,6 @@ - - #define EFI_DEBUG 1 - --/* -- * There's some additional metadata associated with each -- * variable. Intel's reference implementation is 60 bytes - bump that -- * to account for potential alignment constraints -- */ --#define VAR_METADATA_SIZE 64 -- - struct efi __read_mostly efi = { - .mps = EFI_INVALID_TABLE_ADDR, - .acpi = EFI_INVALID_TABLE_ADDR, -@@ -79,13 +71,6 @@ struct efi_memory_map memmap; - static struct efi efi_phys __initdata; - static efi_system_table_t efi_systab __initdata; - --static u64 efi_var_store_size; --static u64 efi_var_remaining_size; --static u64 efi_var_max_var_size; --static u64 boot_used_size; --static u64 boot_var_size; --static u64 active_size; -- - unsigned long x86_efi_facility; - - /* -@@ -188,53 +173,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size, - efi_char16_t *name, - efi_guid_t *vendor) - { -- efi_status_t status; -- static bool finished = false; -- static u64 var_size; -- -- status = efi_call_virt3(get_next_variable, -- name_size, name, vendor); -- -- if (status == EFI_NOT_FOUND) { -- finished = true; -- if (var_size < boot_used_size) { -- boot_var_size = boot_used_size - var_size; -- active_size += boot_var_size; -- } else { -- printk(KERN_WARNING FW_BUG "efi: Inconsistent initial sizes\n"); -- } -- } -- -- if (boot_used_size && !finished) { -- unsigned long size = 0; -- u32 attr; -- efi_status_t s; -- void *tmp; -- -- s = virt_efi_get_variable(name, vendor, &attr, &size, NULL); -- -- if (s != EFI_BUFFER_TOO_SMALL || !size) -- return status; -- -- tmp = kmalloc(size, GFP_ATOMIC); -- -- if (!tmp) -- return status; -- -- s = virt_efi_get_variable(name, vendor, &attr, &size, tmp); -- -- if (s == EFI_SUCCESS && (attr & EFI_VARIABLE_NON_VOLATILE)) { -- var_size += size; -- var_size += ucs2_strsize(name, 1024); -- active_size += size; -- active_size += VAR_METADATA_SIZE; -- active_size += ucs2_strsize(name, 1024); -- } -- -- kfree(tmp); -- } -- -- return status; -+ return efi_call_virt3(get_next_variable, -+ name_size, name, vendor); - } - - static efi_status_t virt_efi_set_variable(efi_char16_t *name, -@@ -243,34 +183,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name, - unsigned long data_size, - void *data) - { -- efi_status_t status; -- u32 orig_attr = 0; -- unsigned long orig_size = 0; -- -- status = virt_efi_get_variable(name, vendor, &orig_attr, &orig_size, -- NULL); -- -- if (status != EFI_BUFFER_TOO_SMALL) -- orig_size = 0; -- -- status = efi_call_virt5(set_variable, -- name, vendor, attr, -- data_size, data); -- -- if (status == EFI_SUCCESS) { -- if (orig_size) { -- active_size -= orig_size; -- active_size -= ucs2_strsize(name, 1024); -- active_size -= VAR_METADATA_SIZE; -- } -- if (data_size) { -- active_size += data_size; -- active_size += ucs2_strsize(name, 1024); -- active_size += VAR_METADATA_SIZE; -- } -- } -- -- return status; -+ return efi_call_virt5(set_variable, -+ name, vendor, attr, -+ data_size, data); - } - - static efi_status_t virt_efi_query_variable_info(u32 attr, -@@ -786,9 +701,6 @@ void __init efi_init(void) - char vendor[100] = "unknown"; - int i = 0; - void *tmp; -- struct setup_data *data; -- struct efi_var_bootdata *efi_var_data; -- u64 pa_data; - - #ifdef CONFIG_X86_32 - if (boot_params.efi_info.efi_systab_hi || -@@ -806,22 +718,6 @@ void __init efi_init(void) - if (efi_systab_init(efi_phys.systab)) - return; - -- pa_data = boot_params.hdr.setup_data; -- while (pa_data) { -- data = early_ioremap(pa_data, sizeof(*efi_var_data)); -- if (data->type == SETUP_EFI_VARS) { -- efi_var_data = (struct efi_var_bootdata *)data; -- -- efi_var_store_size = efi_var_data->store_size; -- efi_var_remaining_size = efi_var_data->remaining_size; -- efi_var_max_var_size = efi_var_data->max_var_size; -- } -- pa_data = data->next; -- early_iounmap(data, sizeof(*efi_var_data)); -- } -- -- boot_used_size = efi_var_store_size - efi_var_remaining_size; -- - set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); - - /* -@@ -1141,28 +1037,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) - if (status != EFI_SUCCESS) - return status; - -- if (!max_size && remaining_size > size) -- printk_once(KERN_ERR FW_BUG "Broken EFI implementation" -- " is returning MaxVariableSize=0\n"); - /* - * Some firmware implementations refuse to boot if there's insufficient - * space in the variable store. We account for that by refusing the - * write if permitting it would reduce the available space to under -- * 50%. However, some firmware won't reclaim variable space until -- * after the used (not merely the actively used) space drops below -- * a threshold. We can approximate that case with the value calculated -- * above. If both the firmware and our calculations indicate that the -- * available space would drop below 50%, refuse the write. -+ * 5KB. This figure was provided by Samsung, so should be safe. - */ -+ if ((remaining_size - size < 5120) && !efi_no_storage_paranoia) { -+ /* -+ * Triggering garbage collection may require that the firmware -+ * generate a real EFI_OUT_OF_RESOURCES error. We can force -+ * that by attempting to use more space than is available. -+ */ -+ unsigned long dummy_size = remaining_size + 1024; -+ void *dummy = kmalloc(dummy_size, GFP_ATOMIC); -+ efi_char16_t efi_name[6] = { 'D', 'U', 'M', 'M', 'Y', 0 }; -+ efi_guid_t guid = EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e, -+ 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92, -+ 0xa9); -+ -+ status = efi.set_variable(efi_name, &guid, attributes, -+ dummy_size, dummy); -+ -+ if (status == EFI_SUCCESS) { -+ /* -+ * This should have failed, so if it didn't make sure -+ * that we delete it... -+ */ -+ efi.set_variable(efi_name, &guid, attributes, 0, -+ dummy); -+ } - -- if (!storage_size || size > remaining_size || -- (max_size && size > max_size)) -- return EFI_OUT_OF_RESOURCES; -+ /* -+ * The runtime code may now have triggered a garbage collection -+ * run, so check the variable info again -+ */ -+ status = efi.query_variable_info(attributes, &storage_size, -+ &remaining_size, &max_size); - -- if (!efi_no_storage_paranoia && -- ((active_size + size + VAR_METADATA_SIZE > storage_size / 2) && -- (remaining_size - size < storage_size / 2))) -- return EFI_OUT_OF_RESOURCES; -+ if (status != EFI_SUCCESS) -+ return status; -+ -+ /* -+ * There still isn't enough room, so return an error -+ */ -+ if (remaining_size - size < 5120) -+ return EFI_OUT_OF_RESOURCES; -+ } - - return EFI_SUCCESS; - } --- -1.8.1.4 - --- -To unsubscribe from this list: send the line "unsubscribe linux-efi" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch deleted file mode 100644 index 84249e5eb..000000000 --- a/b43-stop-format-string-leaking-into-error-msgs.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Fri, 10 May 2013 21:48:21 +0000 -Subject: b43: stop format string leaking into error msgs - -The module parameter "fwpostfix" is userspace controllable, unfiltered, -and is used to define the firmware filename. b43_do_request_fw() populates -ctx->errors[] on error, containing the firmware filename. b43err() -parses its arguments as a format string. For systems with b43 hardware, -this could lead to a uid-0 to ring-0 escalation. - -CVE-2013-2852 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: John W. Linville ---- -diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c -index 6dd07e2..a95b77a 100644 ---- a/drivers/net/wireless/b43/main.c -+++ b/drivers/net/wireless/b43/main.c -@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work) - for (i = 0; i < B43_NR_FWTYPES; i++) { - errmsg = ctx->errors[i]; - if (strlen(errmsg)) -- b43err(dev->wl, errmsg); -+ b43err(dev->wl, "%s", errmsg); - } - b43_print_fw_helptext(dev->wl, 1); - goto out; --- -cgit v0.9.2 diff --git a/config-generic b/config-generic index 7861b43ba..20b21d68c 100644 --- a/config-generic +++ b/config-generic @@ -1554,7 +1554,7 @@ CONFIG_ATH9K_DEBUGFS=y CONFIG_ATH9K_HTC=m CONFIG_ATH9K_BTCOEX_SUPPORT=y # CONFIG_ATH9K_HTC_DEBUGFS is not set -CONFIG_ATH9K_RATE_CONTROL=y +# CONFIG_ATH9K_LEGACY_RATE_CONTROL is not set CONFIG_WIL6210=m CONFIG_WIL6210_ISR_COR=y CONFIG_CARL9170=m diff --git a/kernel.spec b/kernel.spec index 71fe323da..398637404 100644 --- a/kernel.spec +++ b/kernel.spec @@ -93,7 +93,7 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 5 +%define rcrev 6 # The git snapshot level %define gitrev 0 # Set rpm version accordingly @@ -744,9 +744,6 @@ Patch21242: criu-no-expert.patch #rhbz 892811 Patch21247: ath9k_rx_dma_stop_check.patch -#rhbz 903192 -Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch - Patch22000: weird-root-dentry-name-debug.patch #selinux ptrace child permissions @@ -758,9 +755,6 @@ Patch23006: fix-child-thread-introspection.patch #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#rhbz 964335 -Patch25026: Modify-UEFI-anti-bricking-code.patch - #CVE-2013-2140 rhbz 971146 971148 Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch @@ -770,19 +764,12 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2852 rhbz 969518 971665 -Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch - #CVE-2013-2851 rhbz 969515 971662 Patch25035: block-do-not-pass-disk-names-as-format-strings.patch #CVE-2013-2164 rhbz 973100 973109 Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch -#rhbz 954181 -Patch25039: vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch -Patch25040: tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch - #rhbz 973185 Patch25041: x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch Patch25042: x86-range-make-add_range-use-blank-slot.patch @@ -1470,18 +1457,12 @@ ApplyPatch criu-no-expert.patch #rhbz 892811 ApplyPatch ath9k_rx_dma_stop_check.patch -#rhbz 903192 -ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch - #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#rhbz 964335 -ApplyPatch Modify-UEFI-anti-bricking-code.patch - #CVE-2013-2140 rhbz 971146 971148 ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch @@ -1491,19 +1472,12 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2852 rhbz 969518 971665 -ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch - #CVE-2013-2851 rhbz 969515 971662 ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch #CVE-2013-2164 rhbz 973100 973109 ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch -#rhbz 954181 -ApplyPatch vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch -ApplyPatch tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch - #rhbz 973185 ApplyPatch x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch ApplyPatch x86-range-make-add_range-use-blank-slot.patch @@ -2310,6 +2284,9 @@ fi # ||----w | # || || %changelog +* Mon Jun 17 2013 Josh Boyer - 3.10.0-0.rc6.git0.1 +- Linux v3.10-rc6 + * Fri Jun 14 2013 Kyle McMartin - ARM64 support (config-arm64) Split out some config-armv7-generic options common between 32-bit and 64-bit diff --git a/sources b/sources index c75c05d1c..35df96ad9 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -e421ee4d1379ba381bccc5c6bfe54385 patch-3.10-rc5.xz +b364407a81f244408835c93ea3e23478 patch-3.10-rc6.xz diff --git a/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch b/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch deleted file mode 100644 index 75de6ccce..000000000 --- a/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch +++ /dev/null @@ -1,26 +0,0 @@ -tuntap: set SOCK_ZEROCOPY flag during open - -Commit 54f968d6efdbf7dec36faa44fc11f01b0e4d1990 -(tuntap: move socket to tun_file) forgets to set SOCK_ZEROCOPY flag, which will -prevent vhost_net from doing zercopy w/ tap. This patch fixes this by setting -it during file open. - -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang -Acked-by: Michael S. Tsirkin - ---- - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 89776c5..ff5312d 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -2159,6 +2159,8 @@ static int tun_chr_open(struct inode *inode, struct file * file) - set_bit(SOCK_EXTERNALLY_ALLOCATED, &tfile->socket.flags); - INIT_LIST_HEAD(&tfile->next); - -+ sock_set_flag(&tfile->sk, SOCK_ZEROCOPY); -+ - return 0; - } - diff --git a/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch b/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch deleted file mode 100644 index af1bc77de..000000000 --- a/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 4364d5f96eed7994a2c625bd9216656e55fba0cb Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 05 Jun 2013 07:40:46 +0000 -Subject: vhost_net: clear msg.control for non-zerocopy case during tx - -When we decide not use zero-copy, msg.control should be set to NULL otherwise -macvtap/tap may set zerocopy callbacks which may decrease the kref of ubufs -wrongly. - -Bug were introduced by commit cedb9bdce099206290a2bdd02ce47a7b253b6a84 -(vhost-net: skip head management if no outstanding). - -This solves the following warnings: - -WARNING: at include/linux/kref.h:47 handle_tx+0x477/0x4b0 [vhost_net]() -Modules linked in: vhost_net macvtap macvlan tun nfsd exportfs bridge stp llc openvswitch kvm_amd kvm bnx2 megaraid_sas [last unloaded: tun] -CPU: 5 PID: 8670 Comm: vhost-8668 Not tainted 3.10.0-rc2+ #1566 -Hardware name: Dell Inc. PowerEdge R715/00XHKG, BIOS 1.5.2 04/19/2011 -ffffffffa0198323 ffff88007c9ebd08 ffffffff81796b73 ffff88007c9ebd48 -ffffffff8103d66b 000000007b773e20 ffff8800779f0000 ffff8800779f43f0 -ffff8800779f8418 000000000000015c 0000000000000062 ffff88007c9ebd58 -Call Trace: -[] dump_stack+0x19/0x1e -[] warn_slowpath_common+0x6b/0xa0 -[] warn_slowpath_null+0x15/0x20 -[] handle_tx+0x477/0x4b0 [vhost_net] -[] handle_tx_kick+0x10/0x20 [vhost_net] -[] vhost_worker+0xfe/0x1a0 [vhost_net] -[] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net] -[] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net] -[] kthread+0xc6/0xd0 -[] ? kthread_freezable_should_stop+0x70/0x70 -[] ret_from_fork+0x7c/0xb0 -[] ? kthread_freezable_should_stop+0x70/0x70 - -Signed-off-by: Jason Wang -Acked-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- -diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c -index 2b51e23..b07d96b 100644 ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -436,7 +436,8 @@ static void handle_tx(struct vhost_net *net) - kref_get(&ubufs->kref); - } - nvq->upend_idx = (nvq->upend_idx + 1) % UIO_MAXIOV; -- } -+ } else -+ msg.msg_control = NULL; - /* TODO: Check specific error and bomb out unless ENOBUFS? */ - err = sock->ops->sendmsg(NULL, sock, &msg, len); - if (unlikely(err < 0)) { --- -cgit v0.9.2