From: Greg Kroah-Hartman Date: Mon, 23 Sep 2013 20:17:16 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.97~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08d74c40c36f921ef1095e3a40eab45ac8b76fb0;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: crypto-api-fix-race-condition-in-larval-lookup.patch powerpc-handle-unaligned-ldbrx-stdbrx.patch scsi-sd-fix-potential-out-of-bounds-access.patch xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch --- diff --git a/queue-3.4/crypto-api-fix-race-condition-in-larval-lookup.patch b/queue-3.4/crypto-api-fix-race-condition-in-larval-lookup.patch new file mode 100644 index 00000000000..f403b84b78a --- /dev/null +++ b/queue-3.4/crypto-api-fix-race-condition-in-larval-lookup.patch @@ -0,0 +1,49 @@ +From 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Sun, 8 Sep 2013 14:33:50 +1000 +Subject: crypto: api - Fix race condition in larval lookup + +From: Herbert Xu + +commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa upstream. + +crypto_larval_lookup should only return a larval if it created one. +Any larval created by another entity must be processed through +crypto_larval_wait before being returned. + +Otherwise this will lead to a larval being killed twice, which +will most likely lead to a crash. + +Reported-by: Kees Cook +Tested-by: Kees Cook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/api.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -40,6 +40,8 @@ static inline struct crypto_alg *crypto_ + return alg; + } + ++static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg); ++ + struct crypto_alg *crypto_mod_get(struct crypto_alg *alg) + { + return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL; +@@ -150,8 +152,11 @@ static struct crypto_alg *crypto_larval_ + } + up_write(&crypto_alg_sem); + +- if (alg != &larval->alg) ++ if (alg != &larval->alg) { + kfree(larval); ++ if (crypto_is_larval(alg)) ++ alg = crypto_larval_wait(alg); ++ } + + return alg; + } diff --git a/queue-3.4/powerpc-handle-unaligned-ldbrx-stdbrx.patch b/queue-3.4/powerpc-handle-unaligned-ldbrx-stdbrx.patch new file mode 100644 index 00000000000..62ffc4ff4d9 --- /dev/null +++ b/queue-3.4/powerpc-handle-unaligned-ldbrx-stdbrx.patch @@ -0,0 +1,51 @@ +From 230aef7a6a23b6166bd4003bfff5af23c9bd381f Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Wed, 7 Aug 2013 02:01:19 +1000 +Subject: powerpc: Handle unaligned ldbrx/stdbrx + +From: Anton Blanchard + +commit 230aef7a6a23b6166bd4003bfff5af23c9bd381f upstream. + +Normally when we haven't implemented an alignment handler for +a load or store instruction the process will be terminated. + +The alignment handler uses the DSISR (or a pseudo one) to locate +the right handler. Unfortunately ldbrx and stdbrx overlap lfs and +stfs so we incorrectly think ldbrx is an lfs and stdbrx is an +stfs. + +This bug is particularly nasty - instead of terminating the +process we apply an incorrect fixup and continue on. + +With more and more overlapping instructions we should stop +creating a pseudo DSISR and index using the instruction directly, +but for now add a special case to catch ldbrx/stdbrx. + +Signed-off-by: Anton Blanchard +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/align.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/powerpc/kernel/align.c ++++ b/arch/powerpc/kernel/align.c +@@ -764,6 +764,16 @@ int fix_alignment(struct pt_regs *regs) + nb = aligninfo[instr].len; + flags = aligninfo[instr].flags; + ++ /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */ ++ if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) { ++ nb = 8; ++ flags = LD+SW; ++ } else if (IS_XFORM(instruction) && ++ ((instruction >> 1) & 0x3ff) == 660) { ++ nb = 8; ++ flags = ST+SW; ++ } ++ + /* Byteswap little endian loads and stores */ + swiz = 0; + if (regs->msr & MSR_LE) { diff --git a/queue-3.4/scsi-sd-fix-potential-out-of-bounds-access.patch b/queue-3.4/scsi-sd-fix-potential-out-of-bounds-access.patch new file mode 100644 index 00000000000..c5ec429be47 --- /dev/null +++ b/queue-3.4/scsi-sd-fix-potential-out-of-bounds-access.patch @@ -0,0 +1,44 @@ +From 984f1733fcee3fbc78d47e26c5096921c5d9946a Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 6 Sep 2013 11:49:51 -0400 +Subject: SCSI: sd: Fix potential out-of-bounds access + +From: Alan Stern + +commit 984f1733fcee3fbc78d47e26c5096921c5d9946a upstream. + +This patch fixes an out-of-bounds error in sd_read_cache_type(), found +by Google's AddressSanitizer tool. When the loop ends, we know that +"offset" lies beyond the end of the data in the buffer, so no Caching +mode page was found. In theory it may be present, but the buffer size +is limited to 512 bytes. + +Signed-off-by: Alan Stern +Reported-by: Dmitry Vyukov +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2225,14 +2225,9 @@ sd_read_cache_type(struct scsi_disk *sdk + } + } + +- if (modepage == 0x3F) { +- sd_printk(KERN_ERR, sdkp, "No Caching mode page " +- "present\n"); +- goto defaults; +- } else if ((buffer[offset] & 0x3f) != modepage) { +- sd_printk(KERN_ERR, sdkp, "Got wrong page\n"); +- goto defaults; +- } ++ sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n"); ++ goto defaults; ++ + Page_found: + if (modepage == 8) { + sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0); diff --git a/queue-3.4/series b/queue-3.4/series index e69de29bb2d..daa46a3a48a 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -0,0 +1,4 @@ +scsi-sd-fix-potential-out-of-bounds-access.patch +crypto-api-fix-race-condition-in-larval-lookup.patch +powerpc-handle-unaligned-ldbrx-stdbrx.patch +xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch diff --git a/queue-3.4/xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch b/queue-3.4/xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch new file mode 100644 index 00000000000..6dd6999a9f4 --- /dev/null +++ b/queue-3.4/xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch @@ -0,0 +1,53 @@ +From 5f338d9001094a56cf87bd8a280b4e7ff953bb59 Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne +Date: Wed, 31 Jul 2013 17:00:42 +0200 +Subject: xen-gnt: prevent adding duplicate gnt callbacks + +From: Roger Pau Monne + +commit 5f338d9001094a56cf87bd8a280b4e7ff953bb59 upstream. + +With the current implementation, the callback in the tail of the list +can be added twice, because the check done in +gnttab_request_free_callback is bogus, callback->next can be NULL if +it is the last callback in the list. If we add the same callback twice +we end up with an infinite loop, were callback == callback->next. + +Replace this check with a proper one that iterates over the list to +see if the callback has already been added. + +Signed-off-by: Roger Pau Monné +Cc: Konrad Rzeszutek Wilk +Cc: David Vrabel +Signed-off-by: Konrad Rzeszutek Wilk +Acked-by: Matt Wilson +Reviewed-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/grant-table.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/xen/grant-table.c ++++ b/drivers/xen/grant-table.c +@@ -641,9 +641,18 @@ void gnttab_request_free_callback(struct + void (*fn)(void *), void *arg, u16 count) + { + unsigned long flags; ++ struct gnttab_free_callback *cb; ++ + spin_lock_irqsave(&gnttab_list_lock, flags); +- if (callback->next) +- goto out; ++ ++ /* Check if the callback is already on the list */ ++ cb = gnttab_free_callback_list; ++ while (cb) { ++ if (cb == callback) ++ goto out; ++ cb = cb->next; ++ } ++ + callback->fn = fn; + callback->arg = arg; + callback->count = count;