[kernel] r18964 - in dists/trunk/linux-2.6: . debian debian/config/kernelarch-x86 debian/lib/python/debian_linux debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/features/x86/efi-stub debian/patches/series
Ben Hutchings
benh at alioth.debian.org
Mon Apr 30 03:01:02 UTC 2012
Author: benh
Date: Mon Apr 30 03:00:58 2012
New Revision: 18964
Log:
Merge changes from sid up to 3.2.16-1
Added:
dists/trunk/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch
- copied unchanged from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch
dists/trunk/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch
- copied unchanged from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch
dists/trunk/linux-2.6/debian/patches/bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
- copied unchanged from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
dists/trunk/linux-2.6/debian/patches/bugfix/all/brcmsmac-INTERMEDIATE-but-not-AMPDU-only-when-tracin.patch
- copied unchanged from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/brcmsmac-INTERMEDIATE-but-not-AMPDU-only-when-tracin.patch
dists/trunk/linux-2.6/debian/patches/bugfix/all/revert-autofs-work-around-unhappy-compat-problem-on-.patch
- copied, changed from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/revert-autofs-work-around-unhappy-compat-problem-on-.patch
dists/trunk/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
- copied unchanged from r18962, dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
dists/trunk/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
- copied unchanged from r18962, dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
dists/trunk/linux-2.6/debian/patches/features/x86/efi-stub/
- copied from r18962, dists/sid/linux-2.6/debian/patches/features/x86/efi-stub/
Modified:
dists/trunk/linux-2.6/ (props changed)
dists/trunk/linux-2.6/debian/changelog
dists/trunk/linux-2.6/debian/config/kernelarch-x86/config
dists/trunk/linux-2.6/debian/lib/python/debian_linux/firmware.py
dists/trunk/linux-2.6/debian/patches/series/base
Modified: dists/trunk/linux-2.6/debian/changelog
==============================================================================
--- dists/trunk/linux-2.6/debian/changelog Mon Apr 30 02:52:12 2012 (r18963)
+++ dists/trunk/linux-2.6/debian/changelog Mon Apr 30 03:00:58 2012 (r18964)
@@ -30,6 +30,38 @@
-- Ben Hutchings <ben at decadent.org.uk> Sun, 04 Mar 2012 20:27:42 +0000
+linux-2.6 (3.2.16-1) unstable; urgency=low
+
+ * New upstream stable update:
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.16
+ - drm/i915: properly compute dp dithering for user-created modes
+ (Closes: #666360)
+ - md/bitmap: prevent bitmap_daemon_work running while initialising bitmap
+ - [ia64] Fix futex_atomic_cmpxchg_inatomic() (Closes: #659485)
+ - USB: serial: fix race between probe and open
+ - fcaps: clear the same personality flags as suid when fcaps are used
+ (CVE-2012-2123)
+ - ACPICA: Fix to allow region arguments to reference other scopes
+ (Closes: #661581)
+ - futex: Do not leak robust list to unprivileged process
+ - drm/radeon/kms: fix the regression of DVI connector check
+ (Closes: #670047)
+
+ [ Ben Hutchings ]
+ * rt2x00: Identify rt2800usb chipsets. (Closes: #658067)
+ * [x86] Add EFI boot stub support (Closes: #669033)
+ * brcmsmac: "INTERMEDIATE but not AMPDU" only when tracing
+ * NFSv4: Fix error handling and improve error reporting for file locking
+ (Closes: #669270)
+ - Rate limit the state manager for lock reclaim warning messages
+ - Ensure that the LOCK code sets exception->inode
+ - Ensure that we check lock exclusive/shared type against open modes
+ * [x86] i915: Fix integer overflows in i915_gem_{do_execbuffer,execbuffer2}
+ * Revert "autofs: work around unhappy compat problem on x86-64".
+ Reopens #633423.
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 29 Apr 2012 08:00:53 +0100
+
linux-2.6 (3.2.15-1) unstable; urgency=high
* New upstream stable update:
Modified: dists/trunk/linux-2.6/debian/config/kernelarch-x86/config
==============================================================================
--- dists/trunk/linux-2.6/debian/config/kernelarch-x86/config Mon Apr 30 02:52:12 2012 (r18963)
+++ dists/trunk/linux-2.6/debian/config/kernelarch-x86/config Mon Apr 30 03:00:58 2012 (r18964)
@@ -44,6 +44,7 @@
CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
CONFIG_X86_PAT=y
CONFIG_EFI=y
+CONFIG_EFI_STUB=y
CONFIG_SECCOMP=y
CONFIG_CC_STACKPROTECTOR=y
CONFIG_KEXEC=y
Modified: dists/trunk/linux-2.6/debian/lib/python/debian_linux/firmware.py
==============================================================================
--- dists/trunk/linux-2.6/debian/lib/python/debian_linux/firmware.py Mon Apr 30 02:52:12 2012 (r18963)
+++ dists/trunk/linux-2.6/debian/lib/python/debian_linux/firmware.py Mon Apr 30 03:00:58 2012 (r18964)
@@ -25,7 +25,7 @@
driver = None
files = {}
licence = None
- binary = None
+ binary = []
desc = None
source = []
version = None
@@ -48,9 +48,13 @@
if line == '\n':
# End of field; end of file fields
- if binary:
- files[binary] = FirmwareFile(binary, desc, source, version)
- binary = None
+ for b in binary:
+ # XXX The WHENCE file isn't yet consistent in its
+ # association of binaries and their sources and
+ # metadata. This associates all sources and
+ # metadata in a group with each binary.
+ files[b] = FirmwareFile(b, desc, source, version)
+ binary = []
desc = None
source = []
version = None
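Review bot: The per-file description is lost for all but the last binary of a group: `desc` is reassigned on every `File:` line (hunk at L114-L122, `desc = match.group(2)`), so the loop here and the identical one in the hunk at L123-L131 hand every FirmwareFile in the group the final file's description, while the XXX comment only justifies sharing `source` and `version`. If the WHENCE format really carries one description per `File:` line, keep it paired with the name: `binary.append((match.group(1), match.group(2)))` and `for b, d in binary: files[b] = FirmwareFile(b, d, source, version)` in both loops, dropping the separate `desc` reset. The two loops are now duplicated verbatim and would be better as one small helper called from both places. As before the change, `match.group(1)` would raise AttributeError should `re.match` return None for an empty `File:` value, which looks worth a guard. The enclosing parse method begins and ends outside this hunk.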
@@ -66,7 +70,7 @@
driver = value.split(' ')[0].lower()
elif keyword == 'File':
match = re.match(r'(\S+)(?:\s+--\s+(.*))?', value)
- binary = match.group(1)
+ binary.append(match.group(1))
desc = match.group(2)
elif keyword in ['Info', 'Version']:
version = value
@@ -79,7 +83,7 @@
re.sub(r'^(?:[/ ]\*| \*/)?\s*(.*?)\s*$', r'\1', line))
# Finish last section if non-empty
- if binary:
- files[binary] = FirmwareFile(binary, desc, source, version)
+ for b in binary:
+ files[b] = FirmwareFile(b, desc, source, version)
if driver:
self.append(FirmwareSection(driver, files, licence))
Copied: dists/trunk/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch (from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch Mon Apr 30 03:00:58 2012 (r18964, copy of r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch)
@@ -0,0 +1,52 @@
+From: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Wed, 18 Apr 2012 12:20:10 -0400
+Subject: [PATCH 1/2] NFSv4: Ensure that the LOCK code sets exception->inode
+
+commit 05ffe24f5290dc095f98fbaf84afe51ef404ccc5 upstream.
+
+All callers of nfs4_handle_exception() that need to handle
+NFS4ERR_OPENMODE correctly should set exception->inode
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+Cc: stable at vger.kernel.org
+---
+ fs/nfs/nfs4proc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index f82bde0..3c787d0 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4558,7 +4558,9 @@ static int _nfs4_do_setlk(struct nfs4_state *state, int cmd, struct file_lock *f
+ static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
+ {
+ struct nfs_server *server = NFS_SERVER(state->inode);
+- struct nfs4_exception exception = { };
++ struct nfs4_exception exception = {
++ .inode = state->inode,
++ };
+ int err;
+
+ do {
+@@ -4576,7 +4578,9 @@ static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request
+ static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
+ {
+ struct nfs_server *server = NFS_SERVER(state->inode);
+- struct nfs4_exception exception = { };
++ struct nfs4_exception exception = {
++ .inode = state->inode,
++ };
+ int err;
+
+ err = nfs4_set_lock_state(state, request);
+@@ -4676,6 +4680,7 @@ static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *
+ {
+ struct nfs4_exception exception = {
+ .state = state,
++ .inode = state->inode,
+ };
+ int err;
+
+--
+1.7.10
+
Copied: dists/trunk/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch (from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch Mon Apr 30 03:00:58 2012 (r18964, copy of r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch)
@@ -0,0 +1,44 @@
+From: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Wed, 18 Apr 2012 12:48:35 -0400
+Subject: [PATCH 2/2] NFSv4: Ensure that we check lock exclusive/shared type
+ against open modes
+
+commit 55725513b5ef9d462aa3e18527658a0362aaae83 upstream.
+
+Since we may be simulating flock() locks using NFS byte range locks,
+we can't rely on the VFS having checked the file open mode for us.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+Cc: stable at vger.kernel.org
+---
+ fs/nfs/nfs4proc.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 3c787d0..ba837d9 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4726,6 +4726,20 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request)
+
+ if (state == NULL)
+ return -ENOLCK;
++ /*
++ * Don't rely on the VFS having checked the file open mode,
++ * since it won't do this for flock() locks.
++ */
++ switch (request->fl_type & (F_RDLCK|F_WRLCK|F_UNLCK)) {
++ case F_RDLCK:
++ if (!(filp->f_mode & FMODE_READ))
++ return -EBADF;
++ break;
++ case F_WRLCK:
++ if (!(filp->f_mode & FMODE_WRITE))
++ return -EBADF;
++ }
++
+ do {
+ status = nfs4_proc_setlk(state, cmd, request);
+ if ((status != -EAGAIN) || IS_SETLK(cmd))
+--
+1.7.10
+
Copied: dists/trunk/linux-2.6/debian/patches/bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch (from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux-2.6/debian/patches/bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch Mon Apr 30 03:00:58 2012 (r18964, copy of r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch)
@@ -0,0 +1,28 @@
+From: William Dauchy <wdauchy at gmail.com>
+Date: Wed, 14 Mar 2012 12:32:04 +0100
+Subject: [PATCH] NFSv4: Rate limit the state manager for lock reclaim warning
+ messages
+
+commit 96dcadc2fdd111dca90d559f189a30c65394451a upstream.
+
+Adding rate limit on `Lock reclaim failed` messages since it could fill
+up system logs
+Signed-off-by: William Dauchy <wdauchy at gmail.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+[bwh: Backported to 3.2: add the 'NFS:' prefix at the same time]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1261,8 +1261,9 @@ restart:
+ spin_lock(&state->state_lock);
+ list_for_each_entry(lock, &state->lock_states, ls_locks) {
+ if (!(lock->ls_flags & NFS_LOCK_INITIALIZED))
+- printk("%s: Lock reclaim failed!\n",
+- __func__);
++ pr_warn_ratelimited("NFS: "
++ "%s: Lock reclaim "
++ "failed!\n", __func__);
+ }
+ spin_unlock(&state->state_lock);
+ nfs4_put_open_state(state);
Copied: dists/trunk/linux-2.6/debian/patches/bugfix/all/brcmsmac-INTERMEDIATE-but-not-AMPDU-only-when-tracin.patch (from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/brcmsmac-INTERMEDIATE-but-not-AMPDU-only-when-tracin.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux-2.6/debian/patches/bugfix/all/brcmsmac-INTERMEDIATE-but-not-AMPDU-only-when-tracin.patch Mon Apr 30 03:00:58 2012 (r18964, copy of r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/brcmsmac-INTERMEDIATE-but-not-AMPDU-only-when-tracin.patch)
@@ -0,0 +1,42 @@
+From: Eldad Zack <eldad at fogrefinery.com>
+Date: Sun, 22 Apr 2012 00:48:04 +0200
+Subject: [PATCH] brcmsmac: "INTERMEDIATE but not AMPDU" only when tracing
+
+commit 6ead629b27269c553c9092c47cd8f5ab0309ee3b upstream.
+
+I keep getting the following messages on the log buffer:
+[ 2167.097507] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU
+[ 2281.331305] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU
+[ 2281.332539] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU
+[ 2329.876605] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU
+[ 2329.877354] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU
+[ 2462.280756] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU
+[ 2615.651689] ieee80211 phy0: brcms_c_dotxstatus: INTERMEDIATE but not AMPDU
+
+From the code comment I understand that this something that can -
+and does, quite frequently - happen.
+
+Signed-off-by: Eldad Zack <eldad at fogrefinery.com>
+Acked-by: Franky Lin<frankyl at broadcom.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+---
+ drivers/net/wireless/brcm80211/brcmsmac/main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c
+index 7083db7..b4d9279 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/main.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c
+@@ -847,8 +847,7 @@ brcms_c_dotxstatus(struct brcms_c_info *wlc, struct tx_status *txs)
+ */
+ if (!(txs->status & TX_STATUS_AMPDU)
+ && (txs->status & TX_STATUS_INTERMEDIATE)) {
+- wiphy_err(wlc->wiphy, "%s: INTERMEDIATE but not AMPDU\n",
+- __func__);
++ BCMMSG(wlc->wiphy, "INTERMEDIATE but not AMPDU\n");
+ return false;
+ }
+
+--
+1.7.10
+
Copied and modified: dists/trunk/linux-2.6/debian/patches/bugfix/all/revert-autofs-work-around-unhappy-compat-problem-on-.patch (from r18962, dists/sid/linux-2.6/debian/patches/bugfix/all/revert-autofs-work-around-unhappy-compat-problem-on-.patch)
==============================================================================
--- dists/sid/linux-2.6/debian/patches/bugfix/all/revert-autofs-work-around-unhappy-compat-problem-on-.patch Mon Apr 30 02:48:50 2012 (r18962, copy source)
+++ dists/trunk/linux-2.6/debian/patches/bugfix/all/revert-autofs-work-around-unhappy-compat-problem-on-.patch Mon Apr 30 03:00:58 2012 (r18964)
@@ -37,7 +37,6 @@
Cc: Ian Kent <raven at themaw.net>
Cc: stable at kernel.org # for 3.3
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[bwh: Backported to 3.2: adjust context]
---
fs/autofs4/autofs_i.h | 1 -
fs/autofs4/dev-ioctl.c | 1 -
@@ -69,6 +68,8 @@
}
out:
mutex_unlock(&sbi->wq_mutex);
+diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c
+index d8dc002..14c7bc0 100644
--- a/fs/autofs4/inode.c
+++ b/fs/autofs4/inode.c
@@ -19,7 +19,6 @@
@@ -85,8 +86,8 @@
sbi->max_proto = 0;
- sbi->compat_daemon = is_compat_task();
mutex_init(&sbi->wq_mutex);
+ mutex_init(&sbi->pipe_mutex);
spin_lock_init(&sbi->fs_lock);
- sbi->queues = NULL;
diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
index 9c098db..da8876d 100644
--- a/fs/autofs4/waitq.c
Copied: dists/trunk/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch (from r18962, dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch Mon Apr 30 03:00:58 2012 (r18964, copy of r18962, dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch)
@@ -0,0 +1,38 @@
+From: Xi Wang <xi.wang at gmail.com>
+Date: Mon, 23 Apr 2012 04:06:42 -0400
+Message-Id: <1335168402-25174-2-git-send-email-xi.wang at gmail.com>
+Subject: [PATCH v2 2/2] drm/i915: fix integer overflow in
+ i915_gem_do_execbuffer()
+
+On 32-bit systems, a large args->num_cliprects from userspace via ioctl
+may overflow the allocation size, leading to out-of-bounds access.
+
+This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
+allocation for execbuffer object list").
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Cc: Chris Wilson <chris at chris-wilson.co.uk>
+Cc: stable at vger.kernel.org
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index 7c50e58..de43194 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1133,6 +1133,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
+ return -EINVAL;
+ }
+
++ if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
++ DRM_DEBUG("execbuf with %u cliprects\n",
++ args->num_cliprects);
++ return -EINVAL;
++ }
+ cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
+ GFP_KERNEL);
+ if (cliprects == NULL) {
+--
+1.7.5.4
+
Copied: dists/trunk/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch (from r18962, dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch Mon Apr 30 03:00:58 2012 (r18964, copy of r18962, dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch)
@@ -0,0 +1,37 @@
+From: Xi Wang <xi.wang at gmail.com>
+Date: Mon, 23 Apr 2012 04:06:41 -0400
+Message-Id: <1335168402-25174-1-git-send-email-xi.wang at gmail.com>
+Subject: [PATCH v2 1/2] drm/i915: fix integer overflow in
+ i915_gem_execbuffer2()
+
+On 32-bit systems, a large args->buffer_count from userspace via ioctl
+may overflow the allocation size, leading to out-of-bounds access.
+
+This vulnerability was introduced in commit 8408c282 ("drm/i915:
+First try a normal large kmalloc for the temporary exec buffers").
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Cc: Chris Wilson <chris at chris-wilson.co.uk>
+Cc: stable at vger.kernel.org
+[bwh: Backported to 3.2: adjust context]
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index f51a696..7c50e58 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1404,7 +1404,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
+ struct drm_i915_gem_exec_object2 *exec2_list = NULL;
+ int ret;
+
+- if (args->buffer_count < 1) {
++ if (args->buffer_count < 1 ||
++ args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
+ DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count);
+ return -EINVAL;
+ }
+--
+1.7.5.4
+
Modified: dists/trunk/linux-2.6/debian/patches/series/base
==============================================================================
--- dists/trunk/linux-2.6/debian/patches/series/base Mon Apr 30 02:52:12 2012 (r18963)
+++ dists/trunk/linux-2.6/debian/patches/series/base Mon Apr 30 03:00:58 2012 (r18964)
@@ -97,3 +97,19 @@
+ features/x86/hyperv/0077-hv-remove-the-second-argument-of-k-un-map_atomic.patch
+ bugfix/all/hugetlb-fix-race-condition-in-hugetlb_fault.patch
+
++ features/x86/efi-stub/0011-x86-efi-Fix-pointer-math-issue-in-handle_ramdisks.patch
++ features/x86/efi-stub/0012-tools-include-Add-byteshift-headers-for-endian-acces.patch
++ features/x86/efi-stub/0013-x86-mkpiggy-Don-t-open-code-put_unaligned_le32.patch
++ features/x86/efi-stub/0014-x86-boot-Restrict-CFLAGS-for-hostprogs.patch
++ features/x86/efi-stub/0015-x86-efi-Fix-endian-issues-and-unaligned-accesses.patch
++ features/x86/efi-stub/0016-x86-boot-Correct-CFLAGS-for-hostprogs.patch
++ features/x86/efi-stub/0017-x86-efi-Add-dedicated-EFI-stub-entry-point.patch
+
++ bugfix/all/brcmsmac-INTERMEDIATE-but-not-AMPDU-only-when-tracin.patch
++ bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
++ bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch
++ bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch
++ bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
++ bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
++ bugfix/all/revert-autofs-work-around-unhappy-compat-problem-on-.patch