3.10-rc4
merged: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch merged: iscsi-target-fix-heap-buffer-overflow-on-error.patch
This commit is contained in:
parent
f58391d7ed
commit
bc6523eec2
@ -1,7 +1,14 @@
|
||||
From 2380baac8b96f6e93ef72135d1b60d686d7f82e6 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Sat, 1 Jun 2013 16:06:20 -0400
|
||||
To: rja@sgi.com
|
||||
Cc: mingo@kernel.org, torvalds@linux-foundation.org, bp@alien8.de,
|
||||
jkosina@suse.cz, jlee@suse.com, matt.fleming@intel.com,
|
||||
linux-efi@vger.kernel.org, x86@kernel.org,
|
||||
linux-kernel@vger.kernel.org, tglx@linutronix.de, hpa@linux.intel.com,
|
||||
akpm@linux-foundation.org,
|
||||
Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Subject: [PATCH] Modify UEFI anti-bricking code
|
||||
Date: Sat, 1 Jun 2013 16:06:20 -0400
|
||||
Message-Id: <1370117180-1712-1-git-send-email-matthew.garrett@nebula.com>
|
||||
|
||||
This patch reworks the UEFI anti-bricking code, including an effective
|
||||
reversion of cc5a080c and 31ff2f20. It turns out that calling
|
||||
@ -33,8 +40,8 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
arch/x86/boot/compressed/eboot.c | 47 ----------
|
||||
arch/x86/include/asm/efi.h | 7 --
|
||||
arch/x86/include/uapi/asm/bootparam.h | 1 -
|
||||
arch/x86/platform/efi/efi.c | 167 +++++++++-------------------------
|
||||
4 files changed, 44 insertions(+), 178 deletions(-)
|
||||
arch/x86/platform/efi/efi.c | 169 +++++++++-------------------------
|
||||
4 files changed, 45 insertions(+), 179 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index 35ee62f..c205035 100644
|
||||
@ -132,10 +139,10 @@ index 0874424..c15ddaf 100644
|
||||
/* ram_size flags */
|
||||
#define RAMDISK_IMAGE_START_MASK 0x07FF
|
||||
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
|
||||
index e4a86a6..beb5d5f 100644
|
||||
index 82089d8..63e167a 100644
|
||||
--- a/arch/x86/platform/efi/efi.c
|
||||
+++ b/arch/x86/platform/efi/efi.c
|
||||
@@ -41,7 +41,6 @@
|
||||
@@ -42,7 +42,6 @@
|
||||
#include <linux/io.h>
|
||||
#include <linux/reboot.h>
|
||||
#include <linux/bcd.h>
|
||||
@ -143,7 +150,7 @@ index e4a86a6..beb5d5f 100644
|
||||
|
||||
#include <asm/setup.h>
|
||||
#include <asm/efi.h>
|
||||
@@ -52,13 +51,6 @@
|
||||
@@ -54,13 +53,6 @@
|
||||
|
||||
#define EFI_DEBUG 1
|
||||
|
||||
@ -157,7 +164,7 @@ index e4a86a6..beb5d5f 100644
|
||||
struct efi __read_mostly efi = {
|
||||
.mps = EFI_INVALID_TABLE_ADDR,
|
||||
.acpi = EFI_INVALID_TABLE_ADDR,
|
||||
@@ -77,13 +69,6 @@ struct efi_memory_map memmap;
|
||||
@@ -79,13 +71,6 @@ struct efi_memory_map memmap;
|
||||
static struct efi efi_phys __initdata;
|
||||
static efi_system_table_t efi_systab __initdata;
|
||||
|
||||
@ -171,7 +178,7 @@ index e4a86a6..beb5d5f 100644
|
||||
unsigned long x86_efi_facility;
|
||||
|
||||
/*
|
||||
@@ -186,53 +171,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,
|
||||
@@ -188,53 +173,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,
|
||||
efi_char16_t *name,
|
||||
efi_guid_t *vendor)
|
||||
{
|
||||
@ -180,8 +187,7 @@ index e4a86a6..beb5d5f 100644
|
||||
- static u64 var_size;
|
||||
-
|
||||
- status = efi_call_virt3(get_next_variable,
|
||||
+ return efi_call_virt3(get_next_variable,
|
||||
name_size, name, vendor);
|
||||
- name_size, name, vendor);
|
||||
-
|
||||
- if (status == EFI_NOT_FOUND) {
|
||||
- finished = true;
|
||||
@ -194,7 +200,7 @@ index e4a86a6..beb5d5f 100644
|
||||
- }
|
||||
-
|
||||
- if (boot_used_size && !finished) {
|
||||
- unsigned long size;
|
||||
- unsigned long size = 0;
|
||||
- u32 attr;
|
||||
- efi_status_t s;
|
||||
- void *tmp;
|
||||
@ -223,10 +229,12 @@ index e4a86a6..beb5d5f 100644
|
||||
- }
|
||||
-
|
||||
- return status;
|
||||
+ return efi_call_virt3(get_next_variable,
|
||||
+ name_size, name, vendor);
|
||||
}
|
||||
|
||||
static efi_status_t virt_efi_set_variable(efi_char16_t *name,
|
||||
@@ -241,34 +181,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,
|
||||
@@ -243,34 +183,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,
|
||||
unsigned long data_size,
|
||||
void *data)
|
||||
{
|
||||
@ -264,7 +272,7 @@ index e4a86a6..beb5d5f 100644
|
||||
}
|
||||
|
||||
static efi_status_t virt_efi_query_variable_info(u32 attr,
|
||||
@@ -776,9 +691,6 @@ void __init efi_init(void)
|
||||
@@ -786,9 +701,6 @@ void __init efi_init(void)
|
||||
char vendor[100] = "unknown";
|
||||
int i = 0;
|
||||
void *tmp;
|
||||
@ -274,7 +282,7 @@ index e4a86a6..beb5d5f 100644
|
||||
|
||||
#ifdef CONFIG_X86_32
|
||||
if (boot_params.efi_info.efi_systab_hi ||
|
||||
@@ -796,22 +708,6 @@ void __init efi_init(void)
|
||||
@@ -806,22 +718,6 @@ void __init efi_init(void)
|
||||
if (efi_systab_init(efi_phys.systab))
|
||||
return;
|
||||
|
||||
@ -297,7 +305,7 @@ index e4a86a6..beb5d5f 100644
|
||||
set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
|
||||
|
||||
/*
|
||||
@@ -1131,28 +1027,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size)
|
||||
@@ -1141,28 +1037,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size)
|
||||
if (status != EFI_SUCCESS)
|
||||
return status;
|
||||
|
||||
@ -369,3 +377,8 @@ index e4a86a6..beb5d5f 100644
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
|
||||
|
@ -1,63 +0,0 @@
|
||||
From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Thu, 23 May 2013 17:32:17 +0000
|
||||
Subject: iscsi-target: fix heap buffer overflow on error
|
||||
|
||||
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
|
||||
error response packet, generated by iscsi_add_notunderstood_response(),
|
||||
would still attempt to copy the entire key into the packet, overflowing
|
||||
the structure on the heap.
|
||||
|
||||
Remote preauthentication kernel memory corruption was possible if a
|
||||
target was configured and listening on the network.
|
||||
|
||||
CVE-2013-2850
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
||||
---
|
||||
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
index c2185fc..e382221 100644
|
||||
--- a/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
|
||||
}
|
||||
INIT_LIST_HEAD(&extra_response->er_list);
|
||||
|
||||
- strncpy(extra_response->key, key, strlen(key) + 1);
|
||||
- strncpy(extra_response->value, NOTUNDERSTOOD,
|
||||
- strlen(NOTUNDERSTOOD) + 1);
|
||||
+ strlcpy(extra_response->key, key, sizeof(extra_response->key));
|
||||
+ strlcpy(extra_response->value, NOTUNDERSTOOD,
|
||||
+ sizeof(extra_response->value));
|
||||
|
||||
list_add_tail(&extra_response->er_list,
|
||||
¶m_list->extra_response_list);
|
||||
@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
|
||||
|
||||
if (phase & PHASE_SECURITY) {
|
||||
if (iscsi_check_for_auth_key(key) > 0) {
|
||||
- char *tmpptr = key + strlen(key);
|
||||
- *tmpptr = '=';
|
||||
kfree(tmpbuf);
|
||||
return 1;
|
||||
}
|
||||
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
|
||||
index 915b067..a47046a 100644
|
||||
--- a/drivers/target/iscsi/iscsi_target_parameters.h
|
||||
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
|
||||
@@ -1,8 +1,10 @@
|
||||
#ifndef ISCSI_PARAMETERS_H
|
||||
#define ISCSI_PARAMETERS_H
|
||||
|
||||
+#include <scsi/iscsi_proto.h>
|
||||
+
|
||||
struct iscsi_extra_response {
|
||||
- char key[64];
|
||||
+ char key[KEY_MAXLEN];
|
||||
char value[32];
|
||||
struct list_head er_list;
|
||||
} ____cacheline_aligned;
|
||||
--
|
||||
cgit v0.9.2
|
21
kernel.spec
21
kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
||||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 2
|
||||
%global baserelease 1
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
@ -93,7 +93,7 @@ Summary: The Linux kernel
|
||||
# The next upstream release sublevel (base_sublevel+1)
|
||||
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
|
||||
# The rc snapshot level
|
||||
%define rcrev 3
|
||||
%define rcrev 4
|
||||
# The git snapshot level
|
||||
%define gitrev 0
|
||||
# Set rpm version accordingly
|
||||
@ -733,18 +733,12 @@ Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
|
||||
#rhbz 927469
|
||||
Patch23006: fix-child-thread-introspection.patch
|
||||
|
||||
#rhbz 961527
|
||||
Patch25021: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
|
||||
|
||||
#rhbz 964367
|
||||
Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
|
||||
|
||||
#rhbz 948262
|
||||
Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
||||
|
||||
#CVE-2013-2850 rhbz 968036 969272
|
||||
Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch
|
||||
|
||||
#rhbz 964335
|
||||
Patch25026: Modify-UEFI-anti-bricking-code.patch
|
||||
|
||||
@ -1424,18 +1418,12 @@ ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
|
||||
#rhbz 927469
|
||||
ApplyPatch fix-child-thread-introspection.patch
|
||||
|
||||
#rhbz 961527
|
||||
ApplyPatch radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
|
||||
|
||||
#rhbz 964367
|
||||
ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
|
||||
|
||||
#rhbz 948262
|
||||
ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
||||
|
||||
#CVE-2013-2850 rhbz 968036 969272
|
||||
ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch
|
||||
|
||||
#rhbz 964335
|
||||
ApplyPatch Modify-UEFI-anti-bricking-code.patch
|
||||
|
||||
@ -2244,6 +2232,11 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Tue Jun 04 2013 Dave Jones <davej@redhat.com> - 3.10.0-0.rc4.git0.1
|
||||
- 3.10-rc4
|
||||
merged: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
|
||||
merged: iscsi-target-fix-heap-buffer-overflow-on-error.patch
|
||||
|
||||
* Mon Jun 03 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- Fix UEFI anti-bricking code (rhbz 964335)
|
||||
|
||||
|
@ -1,99 +0,0 @@
|
||||
radeon: use max_bus_speed to activate gen2 speeds
|
||||
|
||||
radeon currently uses a drm function to get the speed capabilities for
|
||||
the bus, drm_pcie_get_speed_cap_mask. However, this is a non-standard
|
||||
method of performing this detection and this patch changes it to use
|
||||
the max_bus_speed attribute.
|
||||
|
||||
From: Lucas Kannebley Tavares <lucaskt at linux.vnet.ibm.com>
|
||||
Signed-off-by: Kleber Sacilotto de Souza <klebers at linux.vnet.ibm.com>
|
||||
---
|
||||
drivers/gpu/drm/radeon/evergreen.c | 10 +++-------
|
||||
drivers/gpu/drm/radeon/r600.c | 9 ++-------
|
||||
drivers/gpu/drm/radeon/rv770.c | 9 ++-------
|
||||
3 files changed, 7 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
|
||||
index 105bafb..3966696 100644
|
||||
--- a/drivers/gpu/drm/radeon/evergreen.c
|
||||
+++ b/drivers/gpu/drm/radeon/evergreen.c
|
||||
@@ -4992,8 +4992,7 @@ void evergreen_fini(struct radeon_device *rdev)
|
||||
|
||||
void evergreen_pcie_gen2_enable(struct radeon_device *rdev)
|
||||
{
|
||||
- u32 link_width_cntl, speed_cntl, mask;
|
||||
- int ret;
|
||||
+ u32 link_width_cntl, speed_cntl;
|
||||
|
||||
if (radeon_pcie_gen2 == 0)
|
||||
return;
|
||||
@@ -5008,11 +5007,8 @@ void evergreen_pcie_gen2_enable(struct radeon_device *rdev)
|
||||
if (ASIC_IS_X2(rdev))
|
||||
return;
|
||||
|
||||
- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask);
|
||||
- if (ret != 0)
|
||||
- return;
|
||||
-
|
||||
- if (!(mask & DRM_PCIE_SPEED_50))
|
||||
+ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) &&
|
||||
+ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT))
|
||||
return;
|
||||
|
||||
speed_cntl = RREG32_PCIE_PORT(PCIE_LC_SPEED_CNTL);
|
||||
diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
|
||||
index 1a08008..b45e648 100644
|
||||
--- a/drivers/gpu/drm/radeon/r600.c
|
||||
+++ b/drivers/gpu/drm/radeon/r600.c
|
||||
@@ -4631,8 +4631,6 @@ static void r600_pcie_gen2_enable(struct radeon_device *rdev)
|
||||
{
|
||||
u32 link_width_cntl, lanes, speed_cntl, training_cntl, tmp;
|
||||
u16 link_cntl2;
|
||||
- u32 mask;
|
||||
- int ret;
|
||||
|
||||
if (radeon_pcie_gen2 == 0)
|
||||
return;
|
||||
@@ -4651,11 +4649,8 @@ static void r600_pcie_gen2_enable(struct radeon_device *rdev)
|
||||
if (rdev->family <= CHIP_R600)
|
||||
return;
|
||||
|
||||
- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask);
|
||||
- if (ret != 0)
|
||||
- return;
|
||||
-
|
||||
- if (!(mask & DRM_PCIE_SPEED_50))
|
||||
+ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) &&
|
||||
+ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT))
|
||||
return;
|
||||
|
||||
speed_cntl = RREG32_PCIE_PORT(PCIE_LC_SPEED_CNTL);
|
||||
diff --git a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c
|
||||
index 83f612a..a6af4aa 100644
|
||||
--- a/drivers/gpu/drm/radeon/rv770.c
|
||||
+++ b/drivers/gpu/drm/radeon/rv770.c
|
||||
@@ -2113,8 +2113,6 @@ static void rv770_pcie_gen2_enable(struct radeon_device *rdev)
|
||||
{
|
||||
u32 link_width_cntl, lanes, speed_cntl, tmp;
|
||||
u16 link_cntl2;
|
||||
- u32 mask;
|
||||
- int ret;
|
||||
|
||||
if (radeon_pcie_gen2 == 0)
|
||||
return;
|
||||
@@ -2129,11 +2127,8 @@ static void rv770_pcie_gen2_enable(struct radeon_device *rdev)
|
||||
if (ASIC_IS_X2(rdev))
|
||||
return;
|
||||
|
||||
- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask);
|
||||
- if (ret != 0)
|
||||
- return;
|
||||
-
|
||||
- if (!(mask & DRM_PCIE_SPEED_50))
|
||||
+ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) &&
|
||||
+ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT))
|
||||
return;
|
||||
|
||||
DRM_INFO("enabling PCIE gen 2 link speeds, disable with radeon.pcie_gen2=0\n");
|
||||
--
|
||||
1.7.1
|
Loading…
Reference in New Issue
Block a user