[kernel/f14/master] last minute f14 kernel fixes

Kyle McMartin kyle at fedoraproject.org
Fri Oct 22 14:34:18 UTC 2010


commit cbdb312a9e7c96033af9643382fd375440afe81a
Author: Kyle McMartin <kyle at mcmartin.ca>
Date:   Fri Oct 22 10:34:02 2010 -0400

    last minute f14 kernel fixes

 depessimize-rds_copy_page_user.patch |   78 ++++++++++++++++++++++++++++++++++
 kernel.spec                          |   14 ++++++-
 tpm-autodetect-itpm-devices.patch    |   65 ++++++++++++++++++++++++++++
 3 files changed, 156 insertions(+), 1 deletions(-)
---
diff --git a/depessimize-rds_copy_page_user.patch b/depessimize-rds_copy_page_user.patch
new file mode 100644
index 0000000..aec8bff
--- /dev/null
+++ b/depessimize-rds_copy_page_user.patch
@@ -0,0 +1,78 @@
+From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri, 15 Oct 2010 11:09:28 -0700
+Subject: [PATCH] De-pessimize rds_page_copy_user
+
+Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and
+the unsafe atomic user mode accessor functions.  It's actually slower
+than the straightforward code on any reasonable modern CPU.
+
+Back when the code was written (although probably not by the time it was
+actually merged, though), 32-bit x86 may have been the dominant
+architecture.  And there kmap_atomic() can be a lot faster than kmap()
+(unless you have very good locality, in which case the virtual address
+caching by kmap() can overcome all the downsides).
+
+But these days, x86-64 may not be more populous, but it's getting there
+(and if you care about performance, it's definitely already there -
+you'd have upgraded your CPU's already in the last few years).  And on
+x86-64, the non-kmap_atomic() version is faster, simply because the code
+is simpler and doesn't have the "re-try page fault" case.
+
+People with old hardware are not likely to care about RDS anyway, and
+the optimization for the 32-bit case is simply buggy, since it doesn't
+verify the user addresses properly.
+
+Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Acked-by: Andrew Morton <akpm at linux-foundation.org>
+Cc: stable at kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ net/rds/page.c |   27 +++++++--------------------
+ 1 files changed, 7 insertions(+), 20 deletions(-)
+
+diff --git a/net/rds/page.c b/net/rds/page.c
+index 595a952..1dfbfea 100644
+--- a/net/rds/page.c
++++ b/net/rds/page.c
+@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page, unsigned long offset,
+ 	unsigned long ret;
+ 	void *addr;
+ 
+-	if (to_user)
++	addr = kmap(page);
++	if (to_user) {
+ 		rds_stats_add(s_copy_to_user, bytes);
+-	else
++		ret = copy_to_user(ptr, addr + offset, bytes);
++	} else {
+ 		rds_stats_add(s_copy_from_user, bytes);
+-
+-	addr = kmap_atomic(page, KM_USER0);
+-	if (to_user)
+-		ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
+-	else
+-		ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
+-	kunmap_atomic(addr, KM_USER0);
+-
+-	if (ret) {
+-		addr = kmap(page);
+-		if (to_user)
+-			ret = copy_to_user(ptr, addr + offset, bytes);
+-		else
+-			ret = copy_from_user(addr + offset, ptr, bytes);
+-		kunmap(page);
+-		if (ret)
+-			return -EFAULT;
++		ret = copy_from_user(addr + offset, ptr, bytes);
+ 	}
++	kunmap(page);
+ 
+-	return 0;
++	return ret ? -EFAULT : 0;
+ }
+ EXPORT_SYMBOL_GPL(rds_page_copy_user);
+ 
+-- 
+1.7.3.2
+
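Review bot: Nothing in the new body of rds_page_copy_user() records why the checking accessors are required, so a later "optimisation" could bring the unchecked ones back. The patch description says the removed `__copy_to_user_inatomic`/`__copy_from_user_inatomic` path did not verify user addresses properly, and the `copy_to_user`/`copy_from_user` calls that remain are what restore that verification. I would add a comment above `addr = kmap(page);` such as `/* ptr is an unverified user address: only the checking copy_{to,from}_user() may be used here */`. The function begins outside the nested hunk, so whether `offset + bytes` is bounded to the mapped page cannot be seen from here and is worth confirming at the callers.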
diff --git a/kernel.spec b/kernel.spec
index e7b608d..1f85975 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 46
+%global baserelease 47
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -769,6 +769,9 @@ Patch13640: sdhci-8-bit-data-transfer-width-support.patch
 Patch13641: mmc-make-sdhci-work-with-ricoh-mmc-controller.patch
 Patch13642: mmc-add-ricoh-e822-pci-id.patch
 
+Patch13645: tpm-autodetect-itpm-devices.patch
+Patch13646: depessimize-rds_copy_page_user.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
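Review bot: The `Patch13646` entry does not say it is a security fix, and the patch file name reads as a performance change. Only the changelog hunk ties it to CVE-2010-3904, so someone trimming or rebasing the patch list could drop it without noticing. A comment directly above the entry, for example `# CVE-2010-3904` before `Patch13646: depessimize-rds_copy_page_user.patch`, would make that visible. The ApplyPatch hunk that follows applies the two new patches in the opposite order to their Patch numbers. That looks harmless because they touch different files, but keeping both lists in the same order makes the spec easier to audit.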
@@ -1436,6 +1439,9 @@ ApplyPatch sdhci-8-bit-data-transfer-width-support.patch
 ApplyPatch mmc-make-sdhci-work-with-ricoh-mmc-controller.patch
 ApplyPatch mmc-add-ricoh-e822-pci-id.patch
 
+ApplyPatch depessimize-rds_copy_page_user.patch
+ApplyPatch tpm-autodetect-itpm-devices.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2022,6 +2028,12 @@ fi
 # and build.
 
 %changelog
+* Fri Oct 22 2010 Kyle McMartin <kyle at redhat.com> 2.6.35.6-47
+- tpm-autodetect-itpm-devices.patch: Auto-fix TPM issues on various
+  laptops which prevented suspend/resume.
+- depessimize-rds_copy_page_user.patch: Fix CVE-2010-3904, local
+  privilege escalation via RDS protocol.
+
 * Mon Oct 18 2010 Kyle McMartin <kyle at redhat.com> 2.6.35.6-46
 - Add Ricoh e822 support. (rhbz#596475) Thanks to sgruszka@ for
   sending the patches in.
diff --git a/tpm-autodetect-itpm-devices.patch b/tpm-autodetect-itpm-devices.patch
new file mode 100644
index 0000000..57b5d07
--- /dev/null
+++ b/tpm-autodetect-itpm-devices.patch
@@ -0,0 +1,65 @@
+commit 8cf5102c84dba60b2ea29b7e89f1a65100e20bb9
+Author: Matthew Garrett <mjg at redhat.com>
+Date:   Thu Oct 21 17:31:56 2010 -0400
+
+    tpm: Autodetect itpm devices
+    
+    Some Lenovos have TPMs that require a quirk to function correctly. This can
+    be autodetected by checking whether the device has a _HID of INTC0102. This
+    is an invalid PNPid, and as such is discarded by the pnp layer - however
+    it's still present in the ACPI code, so we can pull it out that way. This
+    means that the quirk won't be automatically applied on non-ACPI systems,
+    but without ACPI we don't have any way to identify the chip anyway so I
+    don't think that's a great concern.
+    
+    Signed-off-by: Matthew Garrett <mjg at redhat.com>
+
+diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
+index 1030f84..c17a305 100644
+--- a/drivers/char/tpm/tpm_tis.c
++++ b/drivers/char/tpm/tpm_tis.c
+@@ -25,6 +25,7 @@
+ #include <linux/slab.h>
+ #include <linux/interrupt.h>
+ #include <linux/wait.h>
++#include <linux/acpi.h>
+ #include "tpm.h"
+ 
+ #define TPM_HEADER_SIZE 10
+@@ -78,6 +79,26 @@ enum tis_defaults {
+ static LIST_HEAD(tis_chips);
+ static DEFINE_SPINLOCK(tis_lock);
+ 
++#ifdef CONFIG_ACPI
++static int is_itpm(struct pnp_dev *dev)
++{
++	struct acpi_device *acpi = pnp_acpi_device(dev);
++	struct acpi_hardware_id *id;
++
++	list_for_each_entry(id, &acpi->pnp.ids, list) {
++		if (!strcmp("INTC0102", id->id))
++			return 1;
++	}
++
++	return 0;
++}
++#else
++static int is_itpm(struct pnp_dev *dev)
++{
++	return 0;
++}
++#endif
++
+ static int check_locality(struct tpm_chip *chip, int l)
+ {
+ 	if ((ioread8(chip->vendor.iobase + TPM_ACCESS(l)) &
+@@ -472,6 +493,9 @@ static int tpm_tis_init(struct device *dev, resource_size_t start,
+ 		 "1.2 TPM (device-id 0x%X, rev-id %d)\n",
+ 		 vendor >> 16, ioread8(chip->vendor.iobase + TPM_RID(0)));
+ 
++	if (is_itpm(to_pnp_dev(dev)))
++		itpm = 1;
++
+ 	if (itpm)
+ 		dev_info(dev, "Intel iTPM workaround enabled\n");
+ 
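Review bot: In is_itpm(), the result of `pnp_acpi_device(dev)` is dereferenced as `&acpi->pnp.ids` with no NULL check. As far as I know that helper returns NULL when the PNP device is not ACPI-backed, which a CONFIG_ACPI kernel can still meet; adding `if (!acpi) return 0;` before the `list_for_each_entry` loop would cover it. Separately, tpm_tis_init() takes a generic `struct device *dev`, and the new `is_itpm(to_pnp_dev(dev))` call assumes that device is always embedded in a `struct pnp_dev`. If any caller outside this hunk passes a non-PNP device (a forced or platform device path, for instance), the container_of result is not a valid pnp_dev and the list walk reads unrelated memory. Doing the detection in the PNP probe routine and passing the result in would avoid that. The body of tpm_tis_init() starts and ends outside the hunk, so its callers should be checked.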

