--- /dev/null
+From 6b4a144a92ab81a1f45fb9b12aebaaaee0d08120 Mon Sep 17 00:00:00 2001
+From: Fathi Boudra <fathi.boudra@linaro.org>
+Date: Sat, 12 Apr 2014 13:13:24 +0300
+Subject: builddeb: use $OBJCOPY variable instead of objcopy
+
+From: Fathi Boudra <fathi.boudra@linaro.org>
+
+commit 6b4a144a92ab81a1f45fb9b12aebaaaee0d08120 upstream.
+
+In cross-build environment, we expect to use the cross-compiler objcopy
+instead of the host objcopy.
+
+It fixes following build failures:
+objcopy --only-keep-debug lib/modules/3.14/kernel/net/ipv6/xfrm6_mode_tunnel.ko /srv/build/linux/debian/dbgtmp/usr/lib/debug/lib/modules/3.14/kernel/net/ipv6/xfrm6_mode_tunnel.ko
+objcopy: Unable to recognise the format of the input file `lib/modules/3.14/kernel/net/ipv6/xfrm6_mode_tunnel.ko'
+
+Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
+Fixes: 810e843746b7 ('deb-pkg: split debug symbols in their own package')
+Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Michal Marek <mmarek@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/package/builddeb | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/scripts/package/builddeb
++++ b/scripts/package/builddeb
+@@ -155,11 +155,11 @@ if grep -q '^CONFIG_MODULES=y' $KCONFIG_
+ for module in $(find lib/modules/ -name *.ko); do
+ mkdir -p $(dirname $dbg_dir/usr/lib/debug/$module)
+ # only keep debug symbols in the debug file
+- objcopy --only-keep-debug $module $dbg_dir/usr/lib/debug/$module
++ $OBJCOPY --only-keep-debug $module $dbg_dir/usr/lib/debug/$module
+ # strip original module from debug symbols
+- objcopy --strip-debug $module
++ $OBJCOPY --strip-debug $module
+ # then add a link to those
+- objcopy --add-gnu-debuglink=$dbg_dir/usr/lib/debug/$module $module
++ $OBJCOPY --add-gnu-debuglink=$dbg_dir/usr/lib/debug/$module $module
+ done
+ )
+ fi
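Review bot: The three new `$OBJCOPY` invocations expand the variable with no check that it is set, so if builddeb runs without kbuild exporting OBJCOPY, each line degenerates into trying to execute `--only-keep-debug` (or the other option) as a command. Whether the script can be reached that way is not visible here, since the enclosing `if` and subshell start outside the hunk. A guard before the loop such as `: "${OBJCOPY:?OBJCOPY is not set}"` makes the failure explicit. Silently falling back to the host objcopy would bring back the wrong-toolchain problem that the commit removes.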
--- /dev/null
+From 783ee43118dc773bc8b0342c5b230e017d5a04d0 Mon Sep 17 00:00:00 2001
+From: Andrzej Zaborowski <andrew.zaborowski@intel.com>
+Date: Mon, 9 Jun 2014 16:50:40 +0200
+Subject: efi-pstore: Fix an overflow on 32-bit builds
+
+From: Andrzej Zaborowski <andrew.zaborowski@intel.com>
+
+commit 783ee43118dc773bc8b0342c5b230e017d5a04d0 upstream.
+
+In generic_id the long int timestamp is multiplied by 100000 and needs
+an explicit cast to u64.
+
+Without that the id in the resulting pstore filename is wrong and
+userspace may have problems parsing it, but more importantly files in
+pstore can never be deleted and may fill the EFI flash (brick device?).
+This happens because when generic pstore code wants to delete a file,
+it passes the id to the EFI backend which reinterpretes it and a wrong
+variable name is attempted to be deleted. There's no error message but
+after remounting pstore, deleted files would reappear.
+
+Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/efi-pstore.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/efi-pstore.c
++++ b/drivers/firmware/efi/efi-pstore.c
+@@ -40,7 +40,7 @@ struct pstore_read_data {
+ static inline u64 generic_id(unsigned long timestamp,
+ unsigned int part, int count)
+ {
+- return (timestamp * 100 + part) * 1000 + count;
++ return ((u64) timestamp * 100 + part) * 1000 + count;
+ }
+
+ static int efi_pstore_read_func(struct efivar_entry *entry, void *data)
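Review bot: The `(u64)` cast in generic_id() carries the whole fix but has no comment, so a later cleanup could drop it as redundant and reintroduce undeletable pstore entries on 32-bit builds. I would add above the return: `/* widen first: unsigned long is 32-bit on 32-bit builds, and the id must match the EFI variable name when the entry is erased */`. Note also that `count` is a plain `int` added after the widening, so a negative value would sign-extend into the 64-bit id. The callers are outside the hunk, so this is only worth confirming.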
--- /dev/null
+From ebe06187bf2aec10d537ce4595e416035367d703 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Tue, 17 Jun 2014 06:58:05 +0400
+Subject: epoll: fix use-after-free in eventpoll_release_file
+
+From: Konstantin Khlebnikov <koct9i@gmail.com>
+
+commit ebe06187bf2aec10d537ce4595e416035367d703 upstream.
+
+This fixes use-after-free of epi->fllink.next inside list loop macro.
+This loop actually releases elements in the body. The list is
+rcu-protected but here we cannot hold rcu_read_lock because we need to
+lock mutex inside.
+
+The obvious solution is to use list_for_each_entry_safe(). RCU-ness
+isn't essential because nobody can change this list under us, it's final
+fput for this file.
+
+The bug was introduced by ae10b2b4eb01 ("epoll: optimize EPOLL_CTL_DEL
+using rcu")
+
+Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+Reported-by: Cyrill Gorcunov <gorcunov@openvz.org>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Cc: Jason Baron <jbaron@akamai.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/eventpoll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -910,7 +910,7 @@ static const struct file_operations even
+ void eventpoll_release_file(struct file *file)
+ {
+ struct eventpoll *ep;
+- struct epitem *epi;
++ struct epitem *epi, *next;
+
+ /*
+ * We don't want to get "file->f_lock" because it is not
+@@ -926,7 +926,7 @@ void eventpoll_release_file(struct file
+ * Besides, ep_remove() acquires the lock, so we can't hold it here.
+ */
+ mutex_lock(&epmutex);
+- list_for_each_entry_rcu(epi, &file->f_ep_links, fllink) {
++ list_for_each_entry_safe(epi, next, &file->f_ep_links, fllink) {
+ ep = epi->ep;
+ mutex_lock_nested(&ep->mtx, 0);
+ ep_remove(ep, epi);
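Review bot: The loop in eventpoll_release_file() now walks `f_ep_links` with a non-RCU iterator, but the reason this is safe is recorded only in the commit message, not in the code. The commit message describes the list as rcu-protected, so a reader could later "restore" `list_for_each_entry_rcu()` and bring back the use-after-free on `epi->fllink.next`. I would add above the loop: `/* final fput: nobody else can change f_ep_links, and the body releases epi, so use the _safe iterator rather than the RCU one */`. The function body starts before and continues past the two hunks.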
--- /dev/null
+From e33ba5fa7afce1a9f159704121d4e4d110df8185 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 15 Jun 2014 21:04:32 -0400
+Subject: random: fix nasty entropy accounting bug
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit e33ba5fa7afce1a9f159704121d4e4d110df8185 upstream.
+
+Commit 0fb7a01af5b0 "random: simplify accounting code", introduced in
+v3.15, has a very nasty accounting problem when the entropy pool has
+has fewer bytes of entropy than the number of requested reserved
+bytes. In that case, "have_bytes - reserved" goes negative, and since
+size_t is unsigned, the expression:
+
+ ibytes = min_t(size_t, ibytes, have_bytes - reserved);
+
+... does not do the right thing. This is rather bad, because it
+defeats the catastrophic reseeding feature in the
+xfer_secondary_pool() path.
+
+It also can cause the "BUG: spinlock trylock failure on UP" for some
+kernel configurations when prandom_reseed() calls get_random_bytes()
+in the early init, since when the entropy count gets corrupted,
+credit_entropy_bits() erroneously believes that the nonblocking pool
+has been fully initialized (when in fact it is not), and so it calls
+prandom_reseed(true) recursively leading to the spinlock BUG.
+
+The logic is *not* the same it was originally, but in the cases where
+it matters, the behavior is the same, and the resulting code is
+hopefully easier to read and understand.
+
+Fixes: 0fb7a01af5b0 "random: simplify accounting code"
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: Greg Price <price@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -979,7 +979,6 @@ static void push_to_pool(struct work_str
+ static size_t account(struct entropy_store *r, size_t nbytes, int min,
+ int reserved)
+ {
+- int have_bytes;
+ int entropy_count, orig;
+ size_t ibytes;
+
+@@ -988,17 +987,19 @@ static size_t account(struct entropy_sto
+ /* Can we pull enough? */
+ retry:
+ entropy_count = orig = ACCESS_ONCE(r->entropy_count);
+- have_bytes = entropy_count >> (ENTROPY_SHIFT + 3);
+ ibytes = nbytes;
+ /* If limited, never pull more than available */
+- if (r->limit)
+- ibytes = min_t(size_t, ibytes, have_bytes - reserved);
++ if (r->limit) {
++ int have_bytes = entropy_count >> (ENTROPY_SHIFT + 3);
++
++ if ((have_bytes -= reserved) < 0)
++ have_bytes = 0;
++ ibytes = min_t(size_t, ibytes, have_bytes);
++ }
+ if (ibytes < min)
+ ibytes = 0;
+- if (have_bytes >= ibytes + reserved)
+- entropy_count -= ibytes << (ENTROPY_SHIFT + 3);
+- else
+- entropy_count = reserved << (ENTROPY_SHIFT + 3);
++ if ((entropy_count -= ibytes << (ENTROPY_SHIFT + 3)) < 0)
++ entropy_count = 0;
+
+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
+ goto retry;
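Review bot: The new `entropy_count -= ibytes << (ENTROPY_SHIFT + 3)` in account() mixes a signed int with a size_t operand, so the subtraction is done unsigned and the result is converted back to int. The `< 0` clamp therefore only works if that conversion happens to land on a negative value. When `r->limit` is not set, ibytes is the caller's nbytes and is not bounded by the pool contents. A large request can then wrap, leaving entropy_count unchanged or larger instead of zero, which overstates how much entropy the pool holds. Comparing in the unsigned domain before subtracting avoids depending on the conversion. This assumes entropy_count is non-negative when read, which the hunks do not show. account() begins and ends outside the hunks.

```c
	size_t ibytes, nfrac;

	/* … unchanged: retry label, r->limit clamp, min check … */
	nfrac = ibytes << (ENTROPY_SHIFT + 3);
	if ((size_t) entropy_count > nfrac)
		entropy_count -= nfrac;
	else
		entropy_count = 0;
	/* … unchanged: cmpxchg retry … */
```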
bluetooth-clearly-distinguish-mgmt-ltk-type-from-authenticated-property.patch
bluetooth-fix-properly-ignoring-ltks-of-unknown-types.patch
lz4-fix-another-possible-overrun.patch
+x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
+epoll-fix-use-after-free-in-eventpoll_release_file.patch
+random-fix-nasty-entropy-accounting-bug.patch
+builddeb-use-objcopy-variable-instead-of-objcopy.patch
+efi-pstore-fix-an-overflow-on-32-bit-builds.patch
--- /dev/null
+From 554086d85e71f30abe46fc014fea31929a7c6a8a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Mon, 23 Jun 2014 14:22:15 -0700
+Subject: x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit 554086d85e71f30abe46fc014fea31929a7c6a8a upstream.
+
+The bad syscall nr paths are their own incomprehensible route
+through the entry control flow. Rearrange them to work just like
+syscalls that return -ENOSYS.
+
+This fixes an OOPS in the audit code when fast-path auditing is
+enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
+
+This has probably been broken since Linux 2.6.27:
+af0575bba0 i386 syscall audit fast-path
+
+Cc: Roland McGrath <roland@redhat.com>
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/entry_32.S | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -431,9 +431,10 @@ sysenter_past_esp:
+ jnz sysenter_audit
+ sysenter_do_call:
+ cmpl $(NR_syscalls), %eax
+- jae syscall_badsys
++ jae sysenter_badsys
+ call *sys_call_table(,%eax,4)
+ movl %eax,PT_EAX(%esp)
++sysenter_after_call:
+ LOCKDEP_SYS_EXIT
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+@@ -683,7 +684,12 @@ END(syscall_fault)
+
+ syscall_badsys:
+ movl $-ENOSYS,PT_EAX(%esp)
+- jmp resume_userspace
++ jmp syscall_exit
++END(syscall_badsys)
++
++sysenter_badsys:
++ movl $-ENOSYS,PT_EAX(%esp)
++ jmp sysenter_after_call
+ END(syscall_badsys)
+ CFI_ENDPROC
+ /*
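Review bot: The new `sysenter_badsys` block is closed by the pre-existing `END(syscall_badsys)` context line. After this change `END(syscall_badsys)` appears twice and `sysenter_badsys` has no END of its own, so the trailing one should read `END(sysenter_badsys)`. Separately, sysenter_badsys stores -ENOSYS only in `PT_EAX(%esp)` and then jumps to `sysenter_after_call`, which sits after `movl %eax,PT_EAX(%esp)`, so %eax still holds the rejected syscall number on that path. The exit and audit code past the label is outside the hunk. It is worth confirming that nothing there takes the return value from %eax rather than from the saved slot.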