From fc511e1b9c45b3fe41530b42e90495a6a43b5a37 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 24 Oct 2012 09:06:50 -0700 Subject: [PATCH] 3.4-stable patches added patches: kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch s390-fix-linker-script-for-31-bit-builds.patch sunrpc-fix-a-udp-transport-regression.patch sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch use-clamp_t-in-uname26-fix.patch x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch --- ...tack-memory-content-leak-via-uname26.patch | 63 +++++++ ...ay-return-nlmv4-specific-error-codes.patch | 50 ++++++ ...-fix-wrapping-bug-in-op_x86_get_ctrl.patch | 31 ++++ ...psl-don-t-discard-sharpsl_pcmcia_ops.patch | 49 ++++++ ...-fix-linker-script-for-31-bit-builds.patch | 54 ++++++ queue-3.4/series | 9 + ...unrpc-fix-a-udp-transport-regression.patch | 165 ++++++++++++++++++ ...k-corruption-on-long-values-of-flush.patch | 54 ++++++ queue-3.4/use-clamp_t-in-uname26-fix.patch | 35 ++++ ...holes-above-4-gb-from-direct-mapping.patch | 52 ++++++ 10 files changed, 562 insertions(+) create mode 100644 queue-3.4/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch create mode 100644 queue-3.4/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch create mode 100644 queue-3.4/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch create mode 100644 queue-3.4/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch create mode 100644 queue-3.4/s390-fix-linker-script-for-31-bit-builds.patch create mode 100644 queue-3.4/sunrpc-fix-a-udp-transport-regression.patch create mode 100644 queue-3.4/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch create mode 100644 queue-3.4/use-clamp_t-in-uname26-fix.patch create mode 100644 queue-3.4/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch diff --git a/queue-3.4/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch b/queue-3.4/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch new file mode 100644 index 00000000000..e00460038c2 --- /dev/null +++ b/queue-3.4/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch @@ -0,0 +1,63 @@ +From 2702b1526c7278c4d65d78de209a465d4de2885e Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 19 Oct 2012 13:56:51 -0700 +Subject: kernel/sys.c: fix stack memory content leak via UNAME26 + +From: Kees Cook + +commit 2702b1526c7278c4d65d78de209a465d4de2885e upstream. + +Calling uname() with the UNAME26 personality set allows a leak of kernel +stack contents. This fixes it by defensively calculating the length of +copy_to_user() call, making the len argument unsigned, and initializing +the stack buffer to zero (now technically unneeded, but hey, overkill). + +CVE-2012-0957 + +Reported-by: PaX Team +Signed-off-by: Kees Cook +Cc: Andi Kleen +Cc: PaX Team +Cc: Brad Spengler +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sys.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1180,15 +1180,16 @@ DECLARE_RWSEM(uts_sem); + * Work around broken programs that cannot handle "Linux 3.0". + * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40 + */ +-static int override_release(char __user *release, int len) ++static int override_release(char __user *release, size_t len) + { + int ret = 0; +- char buf[65]; + + if (current->personality & UNAME26) { +- char *rest = UTS_RELEASE; ++ const char *rest = UTS_RELEASE; ++ char buf[65] = { 0 }; + int ndots = 0; + unsigned v; ++ size_t copy; + + while (*rest) { + if (*rest == '.' && ++ndots >= 3) +@@ -1198,8 +1199,9 @@ static int override_release(char __user + rest++; + } + v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; +- snprintf(buf, len, "2.6.%u%s", v, rest); +- ret = copy_to_user(release, buf, len); ++ copy = min(sizeof(buf), max_t(size_t, 1, len)); ++ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); ++ ret = copy_to_user(release, buf, copy + 1); + } + return ret; + } diff --git a/queue-3.4/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch b/queue-3.4/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch new file mode 100644 index 00000000000..3a8121b32ae --- /dev/null +++ b/queue-3.4/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch @@ -0,0 +1,50 @@ +From cd0b16c1c3cda12dbed1f8de8f1a9b0591990724 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 13 Oct 2012 00:30:28 -0400 +Subject: NLM: nlm_lookup_file() may return NLMv4-specific error codes + +From: Trond Myklebust + +commit cd0b16c1c3cda12dbed1f8de8f1a9b0591990724 upstream. + +If the filehandle is stale, or open access is denied for some reason, +nlm_fopen() may return one of the NLMv4-specific error codes nlm4_stale_fh +or nlm4_failed. These get passed right through nlm_lookup_file(), +and so when nlmsvc_retrieve_args() calls the latter, it needs to filter +the result through the cast_status() machinery. + +Failure to do so, will trigger the BUG_ON() in encode_nlm_stat... + +Signed-off-by: Trond Myklebust +Reported-by: Larry McVoy +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/clntxdr.c | 2 +- + fs/lockd/svcproc.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/lockd/clntxdr.c ++++ b/fs/lockd/clntxdr.c +@@ -223,7 +223,7 @@ static void encode_nlm_stat(struct xdr_s + { + __be32 *p; + +- BUG_ON(be32_to_cpu(stat) > NLM_LCK_DENIED_GRACE_PERIOD); ++ WARN_ON_ONCE(be32_to_cpu(stat) > NLM_LCK_DENIED_GRACE_PERIOD); + p = xdr_reserve_space(xdr, 4); + *p = stat; + } +--- a/fs/lockd/svcproc.c ++++ b/fs/lockd/svcproc.c +@@ -67,7 +67,8 @@ nlmsvc_retrieve_args(struct svc_rqst *rq + + /* Obtain file pointer. Not used by FREE_ALL call. */ + if (filp != NULL) { +- if ((error = nlm_lookup_file(rqstp, &file, &lock->fh)) != 0) ++ error = cast_status(nlm_lookup_file(rqstp, &file, &lock->fh)); ++ if (error != 0) + goto no_locks; + *filp = file; + diff --git a/queue-3.4/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch b/queue-3.4/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch new file mode 100644 index 00000000000..ef8ff477cab --- /dev/null +++ b/queue-3.4/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch @@ -0,0 +1,31 @@ +From 44009105081b51417f311f4c3be0061870b6b8ed Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 10 Oct 2012 10:18:35 +0300 +Subject: oprofile, x86: Fix wrapping bug in op_x86_get_ctrl() + +From: Dan Carpenter + +commit 44009105081b51417f311f4c3be0061870b6b8ed upstream. + +The "event" variable is a u16 so the shift will always wrap to zero +making the line a no-op. + +Signed-off-by: Dan Carpenter +Signed-off-by: Robert Richter +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/oprofile/nmi_int.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/oprofile/nmi_int.c ++++ b/arch/x86/oprofile/nmi_int.c +@@ -55,7 +55,7 @@ u64 op_x86_get_ctrl(struct op_x86_model_ + val |= counter_config->extra; + event &= model->event_mask ? model->event_mask : 0xFF; + val |= event & 0xFF; +- val |= (event & 0x0F00) << 24; ++ val |= (u64)(event & 0x0F00) << 24; + + return val; + } diff --git a/queue-3.4/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch b/queue-3.4/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch new file mode 100644 index 00000000000..0e8b992804a --- /dev/null +++ b/queue-3.4/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch @@ -0,0 +1,49 @@ +From fdc858a466b738d35d3492bc7cf77b1dac98bf7c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 30 Apr 2012 13:50:56 +0000 +Subject: pcmcia: sharpsl: don't discard sharpsl_pcmcia_ops + +From: Arnd Bergmann + +commit fdc858a466b738d35d3492bc7cf77b1dac98bf7c upstream. + +The sharpsl_pcmcia_ops structure gets passed into +sa11xx_drv_pcmcia_probe, where it gets accessed at run-time, +unlike all other pcmcia drivers that pass their structures +into platform_device_add_data, which makes a copy. + +This means the gcc warning is valid and the structure +must not be marked as __initdata. + +Without this patch, building collie_defconfig results in: + +drivers/pcmcia/pxa2xx_sharpsl.c:22:31: fatal error: mach-pxa/hardware.h: No such file or directory +compilation terminated. +make[3]: *** [drivers/pcmcia/pxa2xx_sharpsl.o] Error 1 +make[2]: *** [drivers/pcmcia] Error 2 +make[1]: *** [drivers] Error 2 +make: *** [sub-make] Error 2 + +Signed-off-by: Arnd Bergmann +Cc: Dominik Brodowski +Cc: Russell King +Cc: Pavel Machek +Cc: linux-pcmcia@lists.infradead.org +Cc: Jochen Friedrich +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pcmcia/pxa2xx_sharpsl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pcmcia/pxa2xx_sharpsl.c ++++ b/drivers/pcmcia/pxa2xx_sharpsl.c +@@ -194,7 +194,7 @@ static void sharpsl_pcmcia_socket_suspen + sharpsl_pcmcia_init_reset(skt); + } + +-static struct pcmcia_low_level sharpsl_pcmcia_ops __initdata = { ++static struct pcmcia_low_level sharpsl_pcmcia_ops = { + .owner = THIS_MODULE, + .hw_init = sharpsl_pcmcia_hw_init, + .socket_state = sharpsl_pcmcia_socket_state, diff --git a/queue-3.4/s390-fix-linker-script-for-31-bit-builds.patch b/queue-3.4/s390-fix-linker-script-for-31-bit-builds.patch new file mode 100644 index 00000000000..6adc8f6b265 --- /dev/null +++ b/queue-3.4/s390-fix-linker-script-for-31-bit-builds.patch @@ -0,0 +1,54 @@ +From c985cb37f1b39c2c8035af741a2a0b79f1fbaca7 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Thu, 18 Oct 2012 11:11:01 +0200 +Subject: s390: fix linker script for 31 bit builds + +From: Heiko Carstens + +commit c985cb37f1b39c2c8035af741a2a0b79f1fbaca7 upstream. + +Because of a change in the s390 arch backend of binutils (commit 23ecd77 +"Pick the default arch depending on the target size" in binutils repo) +31 bit builds will fail since the linker would now try to create 64 bit +binary output. +Fix this by setting OUTPUT_ARCH to s390:31-bit instead of s390. +Thanks to Andreas Krebbel for figuring out the issue. + +Fixes this build error: + + LD init/built-in.o +s390x-4.7.2-ld: s390:31-bit architecture of input file + `arch/s390/kernel/head.o' is incompatible with s390:64-bit output + +Cc: Andreas Krebbel +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/boot/compressed/vmlinux.lds.S | 2 +- + arch/s390/kernel/vmlinux.lds.S | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/boot/compressed/vmlinux.lds.S ++++ b/arch/s390/boot/compressed/vmlinux.lds.S +@@ -5,7 +5,7 @@ OUTPUT_FORMAT("elf64-s390", "elf64-s390" + OUTPUT_ARCH(s390:64-bit) + #else + OUTPUT_FORMAT("elf32-s390", "elf32-s390", "elf32-s390") +-OUTPUT_ARCH(s390) ++OUTPUT_ARCH(s390:31-bit) + #endif + + ENTRY(startup) +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -8,7 +8,7 @@ + + #ifndef CONFIG_64BIT + OUTPUT_FORMAT("elf32-s390", "elf32-s390", "elf32-s390") +-OUTPUT_ARCH(s390) ++OUTPUT_ARCH(s390:31-bit) + ENTRY(startup) + jiffies = jiffies_64 + 4; + #else diff --git a/queue-3.4/series b/queue-3.4/series index 17b73173d7c..ecd5af707da 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -2,3 +2,12 @@ ext4-race-condition-protection-for-ext4_convert_unwritten_extents_endio.patch ext4-avoid-underflow-in-ext4_trim_fs.patch nohz-fix-idle-ticks-in-cpu-summary-line-of-proc-stat.patch arch-tile-avoid-generating-.eh_frame-information-in-modules.patch +nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch +oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch +s390-fix-linker-script-for-31-bit-builds.patch +sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch +sunrpc-fix-a-udp-transport-regression.patch +pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch +kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch +use-clamp_t-in-uname26-fix.patch +x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch diff --git a/queue-3.4/sunrpc-fix-a-udp-transport-regression.patch b/queue-3.4/sunrpc-fix-a-udp-transport-regression.patch new file mode 100644 index 00000000000..00854c90b22 --- /dev/null +++ b/queue-3.4/sunrpc-fix-a-udp-transport-regression.patch @@ -0,0 +1,165 @@ +From Trond.Myklebust@netapp.com Wed Oct 24 08:41:09 2012 +From: Trond Myklebust +Date: Mon, 22 Oct 2012 12:56:58 -0400 +Subject: SUNRPC: Fix a UDP transport regression + +From: Trond Myklebust + +commit f39c1bfb5a03e2d255451bff05be0d7255298fa4 and +commit 84e28a307e376f271505af65a7b7e212dd6f61f4 upstream. + +Commit 43cedbf0e8dfb9c5610eb7985d5f21263e313802 (SUNRPC: Ensure that +we grab the XPRT_LOCK before calling xprt_alloc_slot) is causing +hangs in the case of NFS over UDP mounts. + +Since neither the UDP or the RDMA transport mechanism use dynamic slot +allocation, we can skip grabbing the socket lock for those transports. +Add a new rpc_xprt_op to allow switching between the TCP and UDP/RDMA +case. + +Note that the NFSv4.1 back channel assigns the slot directly +through rpc_run_bc_task, so we can ignore that case. + +Reported-by: Dick Streefland +Signed-off-by: Bryan Schumaker +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/sunrpc/xprt.h | 3 +++ + net/sunrpc/xprt.c | 34 ++++++++++++++++++++-------------- + net/sunrpc/xprtrdma/transport.c | 1 + + net/sunrpc/xprtsock.c | 4 ++++ + 4 files changed, 28 insertions(+), 14 deletions(-) + +--- a/include/linux/sunrpc/xprt.h ++++ b/include/linux/sunrpc/xprt.h +@@ -114,6 +114,7 @@ struct rpc_xprt_ops { + void (*set_buffer_size)(struct rpc_xprt *xprt, size_t sndsize, size_t rcvsize); + int (*reserve_xprt)(struct rpc_xprt *xprt, struct rpc_task *task); + void (*release_xprt)(struct rpc_xprt *xprt, struct rpc_task *task); ++ void (*alloc_slot)(struct rpc_xprt *xprt, struct rpc_task *task); + void (*rpcbind)(struct rpc_task *task); + void (*set_port)(struct rpc_xprt *xprt, unsigned short port); + void (*connect)(struct rpc_task *task); +@@ -279,6 +280,8 @@ void xprt_connect(struct rpc_task *tas + void xprt_reserve(struct rpc_task *task); + int xprt_reserve_xprt(struct rpc_xprt *xprt, struct rpc_task *task); + int xprt_reserve_xprt_cong(struct rpc_xprt *xprt, struct rpc_task *task); ++void xprt_alloc_slot(struct rpc_xprt *xprt, struct rpc_task *task); ++void xprt_lock_and_alloc_slot(struct rpc_xprt *xprt, struct rpc_task *task); + int xprt_prepare_transmit(struct rpc_task *task); + void xprt_transmit(struct rpc_task *task); + void xprt_end_transmit(struct rpc_task *task); +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -969,11 +969,11 @@ static bool xprt_dynamic_free_slot(struc + return false; + } + +-static void xprt_alloc_slot(struct rpc_task *task) ++void xprt_alloc_slot(struct rpc_xprt *xprt, struct rpc_task *task) + { +- struct rpc_xprt *xprt = task->tk_xprt; + struct rpc_rqst *req; + ++ spin_lock(&xprt->reserve_lock); + if (!list_empty(&xprt->free)) { + req = list_entry(xprt->free.next, struct rpc_rqst, rq_list); + list_del(&req->rq_list); +@@ -994,12 +994,29 @@ static void xprt_alloc_slot(struct rpc_t + default: + task->tk_status = -EAGAIN; + } ++ spin_unlock(&xprt->reserve_lock); + return; + out_init_req: + task->tk_status = 0; + task->tk_rqstp = req; + xprt_request_init(task, xprt); ++ spin_unlock(&xprt->reserve_lock); ++} ++EXPORT_SYMBOL_GPL(xprt_alloc_slot); ++ ++void xprt_lock_and_alloc_slot(struct rpc_xprt *xprt, struct rpc_task *task) ++{ ++ /* Note: grabbing the xprt_lock_write() ensures that we throttle ++ * new slot allocation if the transport is congested (i.e. when ++ * reconnecting a stream transport or when out of socket write ++ * buffer space). ++ */ ++ if (xprt_lock_write(xprt, task)) { ++ xprt_alloc_slot(xprt, task); ++ xprt_release_write(xprt, task); ++ } + } ++EXPORT_SYMBOL_GPL(xprt_lock_and_alloc_slot); + + static void xprt_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req) + { +@@ -1083,20 +1100,9 @@ void xprt_reserve(struct rpc_task *task) + if (task->tk_rqstp != NULL) + return; + +- /* Note: grabbing the xprt_lock_write() here is not strictly needed, +- * but ensures that we throttle new slot allocation if the transport +- * is congested (e.g. if reconnecting or if we're out of socket +- * write buffer space). +- */ + task->tk_timeout = 0; + task->tk_status = -EAGAIN; +- if (!xprt_lock_write(xprt, task)) +- return; +- +- spin_lock(&xprt->reserve_lock); +- xprt_alloc_slot(task); +- spin_unlock(&xprt->reserve_lock); +- xprt_release_write(xprt, task); ++ xprt->ops->alloc_slot(xprt, task); + } + + static inline __be32 xprt_alloc_xid(struct rpc_xprt *xprt) +--- a/net/sunrpc/xprtrdma/transport.c ++++ b/net/sunrpc/xprtrdma/transport.c +@@ -713,6 +713,7 @@ static void xprt_rdma_print_stats(struct + static struct rpc_xprt_ops xprt_rdma_procs = { + .reserve_xprt = xprt_rdma_reserve_xprt, + .release_xprt = xprt_release_xprt_cong, /* sunrpc/xprt.c */ ++ .alloc_slot = xprt_alloc_slot, + .release_request = xprt_release_rqst_cong, /* ditto */ + .set_retrans_timeout = xprt_set_retrans_timeout_def, /* ditto */ + .rpcbind = rpcb_getport_async, /* sunrpc/rpcb_clnt.c */ +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2444,6 +2444,7 @@ static void bc_destroy(struct rpc_xprt * + static struct rpc_xprt_ops xs_local_ops = { + .reserve_xprt = xprt_reserve_xprt, + .release_xprt = xs_tcp_release_xprt, ++ .alloc_slot = xprt_alloc_slot, + .rpcbind = xs_local_rpcbind, + .set_port = xs_local_set_port, + .connect = xs_connect, +@@ -2460,6 +2461,7 @@ static struct rpc_xprt_ops xs_udp_ops = + .set_buffer_size = xs_udp_set_buffer_size, + .reserve_xprt = xprt_reserve_xprt_cong, + .release_xprt = xprt_release_xprt_cong, ++ .alloc_slot = xprt_alloc_slot, + .rpcbind = rpcb_getport_async, + .set_port = xs_set_port, + .connect = xs_connect, +@@ -2477,6 +2479,7 @@ static struct rpc_xprt_ops xs_udp_ops = + static struct rpc_xprt_ops xs_tcp_ops = { + .reserve_xprt = xprt_reserve_xprt, + .release_xprt = xs_tcp_release_xprt, ++ .alloc_slot = xprt_lock_and_alloc_slot, + .rpcbind = rpcb_getport_async, + .set_port = xs_set_port, + .connect = xs_connect, +@@ -2496,6 +2499,7 @@ static struct rpc_xprt_ops xs_tcp_ops = + static struct rpc_xprt_ops bc_tcp_ops = { + .reserve_xprt = xprt_reserve_xprt, + .release_xprt = xprt_release_xprt, ++ .alloc_slot = xprt_alloc_slot, + .rpcbind = xs_local_rpcbind, + .buf_alloc = bc_malloc, + .buf_free = bc_free, diff --git a/queue-3.4/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch b/queue-3.4/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch new file mode 100644 index 00000000000..b6e70067b49 --- /dev/null +++ b/queue-3.4/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch @@ -0,0 +1,54 @@ +From 212ba90696ab4884e2025b0b13726d67aadc2cd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jul 2012 00:01:26 +0200 +Subject: SUNRPC: Prevent kernel stack corruption on long values of flush + +From: Sasha Levin + +commit 212ba90696ab4884e2025b0b13726d67aadc2cd4 upstream. + +The buffer size in read_flush() is too small for the longest possible values +for it. This can lead to a kernel stack corruption: + +[ 43.047329] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff833e64b4 +[ 43.047329] +[ 43.049030] Pid: 6015, comm: trinity-child18 Tainted: G W 3.5.0-rc7-next-20120716-sasha #221 +[ 43.050038] Call Trace: +[ 43.050435] [] panic+0xcd/0x1f4 +[ 43.050931] [] ? read_flush.isra.7+0xe4/0x100 +[ 43.051602] [] __stack_chk_fail+0x16/0x20 +[ 43.052206] [] read_flush.isra.7+0xe4/0x100 +[ 43.052951] [] ? read_flush_pipefs+0x30/0x30 +[ 43.053594] [] read_flush_procfs+0x2c/0x30 +[ 43.053596] [] proc_reg_read+0x9c/0xd0 +[ 43.053596] [] ? proc_reg_write+0xd0/0xd0 +[ 43.053596] [] do_loop_readv_writev+0x4b/0x90 +[ 43.053596] [] do_readv_writev+0xf6/0x1d0 +[ 43.053596] [] vfs_readv+0x3e/0x60 +[ 43.053596] [] sys_readv+0x48/0xb0 +[ 43.053596] [] system_call_fastpath+0x1a/0x1f + +Signed-off-by: Sasha Levin +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1406,11 +1406,11 @@ static ssize_t read_flush(struct file *f + size_t count, loff_t *ppos, + struct cache_detail *cd) + { +- char tbuf[20]; ++ char tbuf[22]; + unsigned long p = *ppos; + size_t len; + +- sprintf(tbuf, "%lu\n", convert_to_wallclock(cd->flush_time)); ++ snprintf(tbuf, sizeof(tbuf), "%lu\n", convert_to_wallclock(cd->flush_time)); + len = strlen(tbuf); + if (p >= len) + return 0; diff --git a/queue-3.4/use-clamp_t-in-uname26-fix.patch b/queue-3.4/use-clamp_t-in-uname26-fix.patch new file mode 100644 index 00000000000..858fccfb07a --- /dev/null +++ b/queue-3.4/use-clamp_t-in-uname26-fix.patch @@ -0,0 +1,35 @@ +From 31fd84b95eb211d5db460a1dda85e004800a7b52 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 19 Oct 2012 18:45:53 -0700 +Subject: use clamp_t in UNAME26 fix + +From: Kees Cook + +commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream. + +The min/max call needed to have explicit types on some architectures +(e.g. mn10300). Use clamp_t instead to avoid the warning: + + kernel/sys.c: In function 'override_release': + kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default] + +Reported-by: Fengguang Wu +Signed-off-by: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1199,7 +1199,7 @@ static int override_release(char __user + rest++; + } + v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; +- copy = min(sizeof(buf), max_t(size_t, 1, len)); ++ copy = clamp_t(size_t, len, 1, sizeof(buf)); + copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); + ret = copy_to_user(release, buf, copy + 1); + } diff --git a/queue-3.4/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch b/queue-3.4/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch new file mode 100644 index 00000000000..c716e29c84e --- /dev/null +++ b/queue-3.4/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch @@ -0,0 +1,52 @@ +From 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a Mon Sep 17 00:00:00 2001 +From: Jacob Shin +Date: Thu, 20 Oct 2011 16:15:26 -0500 +Subject: x86: Exclude E820_RESERVED regions and memory holes above 4 GB from direct mapping. + +From: Jacob Shin + +commit 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a upstream. + +On systems with very large memory (1 TB in our case), BIOS may report a +reserved region or a hole in the E820 map, even above the 4 GB range. Exclude +these from the direct mapping. + +[ hpa: this should be done not just for > 4 GB but for everything above the legacy + region (1 MB), at the very least. That, however, turns out to require significant + restructuring. That work is well underway, but is not suitable for rc/stable. ] + +Signed-off-by: Jacob Shin +Link: http://lkml.kernel.org/r/1319145326-13902-1-git-send-email-jacob.shin@amd.com +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/setup.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -927,8 +927,21 @@ void __init setup_arch(char **cmdline_p) + + #ifdef CONFIG_X86_64 + if (max_pfn > max_low_pfn) { +- max_pfn_mapped = init_memory_mapping(1UL<<32, +- max_pfn<addr + ei->size <= 1UL << 32) ++ continue; ++ ++ if (ei->type == E820_RESERVED) ++ continue; ++ ++ max_pfn_mapped = init_memory_mapping( ++ ei->addr < 1UL << 32 ? 1UL << 32 : ei->addr, ++ ei->addr + ei->size); ++ } ++ + /* can we preseve max_low_pfn ?*/ + max_low_pfn = max_pfn; + } -- 2.47.3