From 3a6a43528e55197fecc2dd8d017cfa9a5df46e17 Mon Sep 17 00:00:00 2001 From: Tom Willemse Date: Sat, 1 Mar 2014 12:39:26 +0100 Subject: Update linux-drd to 3.13.5 --- ...re-that-gss_auth-isn-t-freed-before-its-u.patch | 82 ++++++++++++++++++++++ ...rect-invalid-use-of-user-timespec-in-the-.patch | 80 --------------------- linux-drd/PKGBUILD | 25 +++---- linux-drd/config.x86_64 | 3 +- 4 files changed, 95 insertions(+), 95 deletions(-) create mode 100644 linux-drd/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch delete mode 100644 linux-drd/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch (limited to 'linux-drd') diff --git a/linux-drd/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch b/linux-drd/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch new file mode 100644 index 0000000..93803d2 --- /dev/null +++ b/linux-drd/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch @@ -0,0 +1,82 @@ +From 2bd7c7b5f011b3d57e4f5625b561a6f3f2f34a81 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 16 Feb 2014 12:14:13 -0500 +Subject: [PATCH] SUNRPC: Ensure that gss_auth isn't freed before its upcall + messages + +Fix a race in which the RPC client is shutting down while the +gss daemon is processing a downcall. If the RPC client manages to +shut down before the gss daemon is done, then the struct gss_auth +used in gss_release_msg() may have already been freed. + +Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com +Reported-by: John +Reported-by: Borislav Petkov +Cc: stable@vger.kernel.org # 3.12+ +Signed-off-by: Trond Myklebust +--- + net/sunrpc/auth_gss/auth_gss.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c +index 42fdfc6..a642fd616 100644 +--- a/net/sunrpc/auth_gss/auth_gss.c ++++ b/net/sunrpc/auth_gss/auth_gss.c +@@ -108,6 +108,7 @@ struct gss_auth { + static DEFINE_SPINLOCK(pipe_version_lock); + static struct rpc_wait_queue pipe_version_rpc_waitqueue; + static DECLARE_WAIT_QUEUE_HEAD(pipe_version_waitqueue); ++static void gss_put_auth(struct gss_auth *gss_auth); + + static void gss_free_ctx(struct gss_cl_ctx *); + static const struct rpc_pipe_ops gss_upcall_ops_v0; +@@ -320,6 +321,7 @@ gss_release_msg(struct gss_upcall_msg *gss_msg) + if (gss_msg->ctx != NULL) + gss_put_ctx(gss_msg->ctx); + rpc_destroy_wait_queue(&gss_msg->rpc_waitqueue); ++ gss_put_auth(gss_msg->auth); + kfree(gss_msg); + } + +@@ -500,6 +502,7 @@ gss_alloc_msg(struct gss_auth *gss_auth, + if (err) + goto err_free_msg; + }; ++ kref_get(&gss_auth->kref); + return gss_msg; + err_free_msg: + kfree(gss_msg); +@@ -1071,6 +1074,12 @@ gss_free_callback(struct kref *kref) + } + + static void ++gss_put_auth(struct gss_auth *gss_auth) ++{ ++ kref_put(&gss_auth->kref, gss_free_callback); ++} ++ ++static void + gss_destroy(struct rpc_auth *auth) + { + struct gss_auth *gss_auth = container_of(auth, +@@ -1091,7 +1100,7 @@ gss_destroy(struct rpc_auth *auth) + gss_auth->gss_pipe[1] = NULL; + rpcauth_destroy_credcache(auth); + +- kref_put(&gss_auth->kref, gss_free_callback); ++ gss_put_auth(gss_auth); + } + + /* +@@ -1262,7 +1271,7 @@ gss_destroy_nullcred(struct rpc_cred *cred) + call_rcu(&cred->cr_rcu, gss_free_cred_callback); + if (ctx) + gss_put_ctx(ctx); +- kref_put(&gss_auth->kref, gss_free_callback); ++ gss_put_auth(gss_auth); + } + + static void +-- +1.9.0 + diff --git a/linux-drd/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch b/linux-drd/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch deleted file mode 100644 index 3f1bccc..0000000 --- a/linux-drd/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001 -From: PaX Team -Date: Thu, 30 Jan 2014 16:59:25 -0800 -Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel - -The x32 case for the recvmsg() timout handling is broken: - - asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, - unsigned int vlen, unsigned int flags, - struct compat_timespec __user *timeout) - { - int datagrams; - struct timespec ktspec; - - if (flags & MSG_CMSG_COMPAT) - return -EINVAL; - - if (COMPAT_USE_64BIT_TIME) - return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, - (struct timespec *) timeout); - ... - -The timeout pointer parameter is provided by userland (hence the __user -annotation) but for x32 syscalls it's simply cast to a kernel pointer -and is passed to __sys_recvmmsg which will eventually directly -dereference it for both reading and writing. Other callers to -__sys_recvmmsg properly copy from userland to the kernel first. - -The bug was introduced by commit ee4fa23c4bfc ("compat: Use -COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels -since 3.4 (and perhaps vendor kernels if they backported x32 support -along with this code). - -Note that CONFIG_X86_X32_ABI gets enabled at build time and only if -CONFIG_X86_X32 is enabled and ld can build x32 executables. - -Other uses of COMPAT_USE_64BIT_TIME seem fine. - -This addresses CVE-2014-0038. - -Signed-off-by: PaX Team -Signed-off-by: H. Peter Anvin -Cc: # v3.4+ -Signed-off-by: Linus Torvalds ---- - net/compat.c | 9 ++------- - 1 file changed, 2 insertions(+), 7 deletions(-) - -diff --git a/net/compat.c b/net/compat.c -index dd32e34..f50161f 100644 ---- a/net/compat.c -+++ b/net/compat.c -@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, - if (flags & MSG_CMSG_COMPAT) - return -EINVAL; - -- if (COMPAT_USE_64BIT_TIME) -- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, -- flags | MSG_CMSG_COMPAT, -- (struct timespec *) timeout); -- - if (timeout == NULL) - return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, NULL); - -- if (get_compat_timespec(&ktspec, timeout)) -+ if (compat_get_timespec(&ktspec, timeout)) - return -EFAULT; - - datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, &ktspec); -- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) -+ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) - datagrams = -EFAULT; - - return datagrams; --- -1.8.5.3 - diff --git a/linux-drd/PKGBUILD b/linux-drd/PKGBUILD index e82bf05..4dd7dc9 100644 --- a/linux-drd/PKGBUILD +++ b/linux-drd/PKGBUILD @@ -1,12 +1,12 @@ -# $Id: PKGBUILD 204912 2014-01-31 10:00:00Z bluewind $ +# $Id: PKGBUILD 206322 2014-02-23 22:56:33Z thomas $ # Maintainer: Tobias Powalowski # Maintainer: Thomas Baechler # pkgbase=linux # Build stock -ARCH kernel pkgbase=linux-drd # Build kernel with a different name _srcname=linux-3.13 -pkgver=3.13.1 -pkgrel=2 +pkgver=3.13.5 +pkgrel=1 arch=('i686' 'x86_64') url="http://www.kernel.org/" license=('GPL2') @@ -27,19 +27,15 @@ source=( '0004-rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-.patch' '0005-sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch' '0006-rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-no.patch' + '0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch' '0001-syscalls.h-use-gcc-alias-instead-of-assembler-aliase.patch' 'i8042-fix-aliases.patch' - '0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch' 'aufs3-standalone::git://git.code.sf.net/p/aufs/aufs3-standalone#branch=aufs3.13' # 'aufs3-mmap.patch' ) _kernelname=${pkgbase#linux} -# module.symbols md5sums -# x86_64 -# i686 - prepare() { cd "${srcdir}/${_srcname}" @@ -73,15 +69,16 @@ prepare() { # http://git.linux-nfs.org/?p=trondmy/linux-nfs.git;a=commitdiff;h=23e66ba97127ff3b064d4c6c5138aa34eafc492f patch -p1 -i "${srcdir}/0006-rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-no.patch" + # Fix FS#38921 + # http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9eb2ddb48ce3a7bd745c14a933112994647fa3cd + patch -p1 -i "${srcdir}/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch" + # Fix symbols: Revert http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=83460ec8dcac14142e7860a01fa59c267ac4657c patch -Rp1 -i "${srcdir}/0001-syscalls.h-use-gcc-alias-instead-of-assembler-aliase.patch" # Fix i8042 aliases patch -p1 -i "${srcdir}/i8042-fix-aliases.patch" - # Fix CVE-2014-0038 - patch -p1 -i "${srcdir}/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch" - ## aufs3 patch -p1 -i "${srcdir}/aufs3-standalone/aufs3-kbuild.patch" patch -p1 -i "${srcdir}/aufs3-standalone/aufs3-base.patch" @@ -383,9 +380,9 @@ for _p in ${pkgname[@]}; do done md5sums=('0ecbaf65c00374eb4a826c2f9f37606f' - '675692f24410f375055d422e7886f3d8' + '114c391a592131f1c12544e063173a45' 'ba4468d313adfaf22368add7f58204aa' - '036251c6d0e3cd1b648a881230d8f1bd' + 'c8643861b5d5b05358fbbf37a48c3e17' 'eb14dcfd80c00852ef81ded6e826826a' '98beb36f9b8cf16e58de2483ea9985e3' '989dc54ff8b179b0f80333cc97c0d43f' @@ -395,7 +392,7 @@ md5sums=('0ecbaf65c00374eb4a826c2f9f37606f' '10dbaf863e22b2437e68f9190d65c861' 'd5907a721b97299f0685c583499f7820' 'a724515b350b29c53f20e631c6cf9a14' + '1ae4ec847f41fa1b6d488f956e94c893' 'e6fa278c092ad83780e2dd0568e24ca6' '93dbf73af819b77f03453a9c6de2bb47' - '336d2c4afd7ee5f2bdf0dcb1a54df4b2' 'SKIP') diff --git a/linux-drd/config.x86_64 b/linux-drd/config.x86_64 index 0fcaba3..b55fe20 100644 --- a/linux-drd/config.x86_64 +++ b/linux-drd/config.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.13.1-2 Kernel Configuration +# Linux/x86 3.13.5-1 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -1741,6 +1741,7 @@ CONFIG_MD_FAULTY=m CONFIG_BCACHE=m # CONFIG_BCACHE_DEBUG is not set # CONFIG_BCACHE_CLOSURES_DEBUG is not set +CONFIG_BLK_DEV_DM_BUILTIN=y CONFIG_BLK_DEV_DM=m # CONFIG_DM_DEBUG is not set CONFIG_DM_BUFIO=m -- cgit v1.2.3-54-g00ecf