diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-06-25 09:40:22 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-06-25 09:40:22 +0200 |
commit | 7792f5c5a0deefee1ed2aded9638dcf69f87225a (patch) | |
tree | 89467e88db45e28a0aef97966e87c610e9141792 | |
parent | fe2c10e2c8a13953bef0e44b7169d083724d4cc8 (diff) | |
parent | f340e962e784a7dabd365d344a169063f4b9071c (diff) | |
download | kernel-7792f5c5a0deefee1ed2aded9638dcf69f87225a.tar.gz kernel-7792f5c5a0deefee1ed2aded9638dcf69f87225a.tar.xz kernel-7792f5c5a0deefee1ed2aded9638dcf69f87225a.zip |
Merge remote-tracking branch 'origin/f22' into f22-user-thl-vanilla-fedorakernel-4.4.14-200.vanilla.knurd.1.fc22
-rw-r--r-- | KEYS-potential-uninitialized-variable.patch | 30 | ||||
-rw-r--r-- | hp-wmi-fix-wifi-cannot-be-hard-unblock.patch | 48 | ||||
-rw-r--r-- | ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch | 40 | ||||
-rw-r--r-- | kernel.spec | 38 | ||||
-rw-r--r-- | netfilter-x_tables-deal-with-bogus-nextoffset-values.patch | 52 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | tipc-check-nl-sock-before-parsing-nested-attributes.patch | 36 |
7 files changed, 131 insertions, 115 deletions
diff --git a/KEYS-potential-uninitialized-variable.patch b/KEYS-potential-uninitialized-variable.patch new file mode 100644 index 000000000..23cabbb2e --- /dev/null +++ b/KEYS-potential-uninitialized-variable.patch @@ -0,0 +1,30 @@ +From 82a50018782f84e733e718d4b24e1653d19333be Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 15 Jun 2016 09:31:45 -0400 +Subject: [PATCH] KEYS: potential uninitialized variable + +If __key_link_begin() failed then "edit" would be uninitialized. I've +added a check to fix that. + +Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()') +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +--- + security/keys/key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/keys/key.c b/security/keys/key.c +index bd5a272f28a6..346fbf201c22 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -597,7 +597,7 @@ int key_reject_and_link(struct key *key, + + mutex_unlock(&key_construction_mutex); + +- if (keyring) ++ if (keyring && link_ret == 0) + __key_link_end(keyring, &key->index_key, edit); + + /* wake up anyone waiting for a key to be constructed */ +-- +2.5.5 + diff --git a/hp-wmi-fix-wifi-cannot-be-hard-unblock.patch b/hp-wmi-fix-wifi-cannot-be-hard-unblock.patch new file mode 100644 index 000000000..27744a0c3 --- /dev/null +++ b/hp-wmi-fix-wifi-cannot-be-hard-unblock.patch @@ -0,0 +1,48 @@ +From patchwork Mon Jun 13 11:44:00 2016 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: hp-wmi: fix wifi cannot be hard-unblock +From: Alex Hung <alex.hung@canonical.com> +X-Patchwork-Id: 9172765 +Message-Id: <1465818240-11994-1-git-send-email-alex.hung@canonical.com> +To: dvhart@infradead.org, platform-driver-x86@vger.kernel.org, + alex.hung@canonical.com, david.ward@ll.mit.edu +Date: Mon, 13 Jun 2016 19:44:00 +0800 + +Several users reported wifi cannot be unblocked as discussed in [1]. +This patch removes the useof 2009 flag by BIOS but uses the actual WMI +function calls - it will be skipped if WMI reports unsupported + +[1] https://bugzilla.kernel.org/show_bug.cgi?id=69131 + +Signed-off-by: Alex Hung <alex.hung@canonical.com> +--- + drivers/platform/x86/hp-wmi.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c +index 6f145f2..96ffda4 100644 +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -718,6 +718,11 @@ static int __init hp_wmi_rfkill_setup(struct platform_device *device) + if (err) + return err; + ++ err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless, ++ sizeof(wireless), 0); ++ if (err) ++ return err; ++ + if (wireless & 0x1) { + wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev, + RFKILL_TYPE_WLAN, +@@ -882,7 +887,7 @@ static int __init hp_wmi_bios_setup(struct platform_device *device) + wwan_rfkill = NULL; + rfkill2_count = 0; + +- if (hp_wmi_bios_2009_later() || hp_wmi_rfkill_setup(device)) ++ if (hp_wmi_rfkill_setup(device)) + hp_wmi_rfkill2_setup(device); + + err = device_create_file(&device->dev, &dev_attr_display); diff --git a/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch b/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch deleted file mode 100644 index 16788f756..000000000 --- a/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 14b627c610f93c2700f9a3825ac10c35d51acfe4 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Mon, 7 Dec 2015 13:50:38 -0500 -Subject: [PATCH] ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill - dmi list - -One of the newest ideapad models also lacks a physical hw rfkill switch, -and trying to read the hw rfkill switch through the ideapad module -causes it to always reported blocking breaking wifi. - -Fix it by adding this model to the DMI list. - -BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1286293 -Cc: stable@vger.kernel.org -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - drivers/platform/x86/ideapad-laptop.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c -index a313dfc0245f..d28db0e793df 100644 ---- a/drivers/platform/x86/ideapad-laptop.c -+++ b/drivers/platform/x86/ideapad-laptop.c -@@ -865,6 +865,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = { - }, - }, - { -+ .ident = "Lenovo ideapad Y700-17ISK", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"), -+ }, -+ }, -+ { - .ident = "Lenovo Yoga 2 11 / 13 / Pro", - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), --- -2.5.0 - diff --git a/kernel.spec b/kernel.spec index 70d9d8ec3..c055f5995 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 13 +%define stable_update 14 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -610,9 +610,6 @@ Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch #rhbz 1287819 Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch -#rhbz 1286293 -Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch - #rhbz 1288687 Patch572: alua_fix.patch @@ -660,15 +657,18 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch #CVE-2016-0758 rhbz 1300257 1335386 Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch -#CVE-2016-4951 rhbz 1338625 1338626 -Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch - #CVE-2016-5243 rhbz 1343338 1343335 Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch #CVE-2016-5244 rhbz 1343338 1343337 Patch722: rds-fix-an-infoleak-in-rds_inc_info_copy.txt +#CVE-2016-4470 rhbz 1341716 1346626 +Patch727: KEYS-potential-uninitialized-variable.patch + +#rhbz 1338025 +Patch728: hp-wmi-fix-wifi-cannot-be-hard-unblock.patch + # END OF PATCH DEFINITIONS %endif @@ -1327,9 +1327,6 @@ ApplyPatch kexec-uefi-copy-secure_boot-flag-in-boot-params.patch #rhbz 1287819 ApplyPatch HID-multitouch-enable-palm-rejection-if-device-imple.patch -#rhbz 1286293 -ApplyPatch ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch - #rhbz 1288687 ApplyPatch alua_fix.patch @@ -1374,15 +1371,18 @@ ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch #CVE-2016-0758 rhbz 1300257 1335386 ApplyPatch KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch -#CVE-2016-4951 rhbz 1338625 1338626 -ApplyPatch tipc-check-nl-sock-before-parsing-nested-attributes.patch - #CVE-2016-5243 rhbz 1343338 1343335 ApplyPatch tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch #CVE-2016-5244 rhbz 1343338 1343337 ApplyPatch rds-fix-an-infoleak-in-rds_inc_info_copy.txt +#CVE-2016-4470 rhbz 1341716 1346626 +ApplyPatch KEYS-potential-uninitialized-variable.patch + +#rhbz 1338025 +ApplyPatch hp-wmi-fix-wifi-cannot-be-hard-unblock.patch + # END OF PATCH APPLICATIONS %endif @@ -2232,6 +2232,18 @@ fi # # %changelog +* Fri Jun 24 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.14-200 +- Linux v4.4.14 + +* Wed Jun 15 2016 Laura Abbott <labbott@fedoraproject.org> +- hp-wmi: fix wifi cannot be hard-unblock (rhbz 1338025) + +* Wed Jun 15 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4470 keys: uninitialized variable crash (rhbz 1341716 1346626) + +* Mon Jun 13 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-1583 stack overflow via ecryptfs and /proc (rhbz 1344721 1344722) + * Wed Jun 08 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.13-200 - Linux v4.4.13 diff --git a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch index ebfe1716f..0a45f1e1f 100644 --- a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch +++ b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch @@ -1,6 +1,7 @@ -Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values -From: Florian Westphal <fw () strlen ! de> -Date: 2016-03-10 0:56:02 +From 36d815b56409ca2fb562bb7aec5b17d08db25d8e Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw () strlen ! de> +Date: Thu, 10 Mar 2016 00:56:02 -0800 +Subject: [PATCH] netfilter: x_tables: deal with bogus nextoffset values Ben Hawkes says: @@ -28,10 +29,10 @@ Signed-off-by: Florian Westphal <fw@strlen.de> 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index b488cac..5a0b591 100644 +index 6e3e0e8..42b87c7 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c -@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, +@@ -449,6 +449,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, /* Move along one */ size = e->next_offset; @@ -41,8 +42,8 @@ index b488cac..5a0b591 100644 + e = (struct arpt_entry *) (entry0 + pos + size); - e->counters.pcnt = pos; -@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + if (pos + size >= newinfo->size) +@@ -461,14 +465,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, if (strcmp(t->target.u.user.name, XT_STANDARD_TARGET) == 0 && newpos >= 0) { @@ -57,9 +58,9 @@ index b488cac..5a0b591 100644 /* This a jump; chase it. */ duprintf("Jump rule %u -> %u\n", pos, newpos); -@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - /* ... this is a fallthru */ - newpos = pos + e->next_offset; +@@ -482,6 +478,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + if (newpos >= newinfo->size) + return 0; } + + if (newpos > newinfo->size - sizeof(*e)) @@ -69,10 +70,10 @@ index b488cac..5a0b591 100644 (entry0 + newpos); e->counters.pcnt = pos; diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index b99affa..ceb995f 100644 +index a399c54..b08e186 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c -@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo, +@@ -530,6 +530,10 @@ mark_source_chains(const struct xt_table_info *newinfo, /* Move along one */ size = e->next_offset; @@ -82,8 +83,8 @@ index b99affa..ceb995f 100644 + e = (struct ipt_entry *) (entry0 + pos + size); - e->counters.pcnt = pos; -@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo, + if (pos + size >= newinfo->size) +@@ -542,13 +546,6 @@ mark_source_chains(const struct xt_table_info *newinfo, if (strcmp(t->target.u.user.name, XT_STANDARD_TARGET) == 0 && newpos >= 0) { @@ -97,9 +98,9 @@ index b99affa..ceb995f 100644 /* This a jump; chase it. */ duprintf("Jump rule %u -> %u\n", pos, newpos); -@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - /* ... this is a fallthru */ - newpos = pos + e->next_offset; +@@ -562,6 +559,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + if (newpos >= newinfo->size) + return 0; } + + if (newpos > newinfo->size - sizeof(*e)) @@ -109,10 +110,10 @@ index b99affa..ceb995f 100644 (entry0 + newpos); e->counters.pcnt = pos; diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index 99425cf..d88a794 100644 +index 22f39e0..1b6d4e7 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c -@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo, +@@ -542,6 +542,8 @@ mark_source_chains(const struct xt_table_info *newinfo, /* Move along one */ size = e->next_offset; @@ -120,8 +121,8 @@ index 99425cf..d88a794 100644 + return 0; e = (struct ip6t_entry *) (entry0 + pos + size); - e->counters.pcnt = pos; -@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo, + if (pos + size >= newinfo->size) +@@ -554,13 +556,6 @@ mark_source_chains(const struct xt_table_info *newinfo, if (strcmp(t->target.u.user.name, XT_STANDARD_TARGET) == 0 && newpos >= 0) { @@ -135,9 +136,9 @@ index 99425cf..d88a794 100644 /* This a jump; chase it. */ duprintf("Jump rule %u -> %u\n", pos, newpos); -@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - /* ... this is a fallthru */ - newpos = pos + e->next_offset; +@@ -574,6 +569,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + if (newpos >= newinfo->size) + return 0; } + + if (newpos > newinfo->size - sizeof(*e)) @@ -147,4 +148,5 @@ index 99425cf..d88a794 100644 (entry0 + newpos); e->counters.pcnt = pos; -- -2.4.10 +2.5.5 + @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -0985afde06951614f594120d7c8ffad7 patch-4.4.13.xz +24bdcde8502d841d58f1e45fc2de217f patch-4.4.14.xz diff --git a/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/tipc-check-nl-sock-before-parsing-nested-attributes.patch deleted file mode 100644 index 09bfe1485..000000000 --- a/tipc-check-nl-sock-before-parsing-nested-attributes.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 45e093ae2830cd1264677d47ff9a95a71f5d9f9c Mon Sep 17 00:00:00 2001 -From: Richard Alpe <richard.alpe@ericsson.com> -Date: Mon, 16 May 2016 11:14:54 +0200 -Subject: [PATCH] tipc: check nl sock before parsing nested attributes - -Make sure the socket for which the user is listing publication exists -before parsing the socket netlink attributes. - -Prior to this patch a call without any socket caused a NULL pointer -dereference in tipc_nl_publ_dump(). - -Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com> -Signed-off-by: Richard Alpe <richard.alpe@ericsson.com> -Acked-by: Jon Maloy <jon.maloy@ericsson.cm> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/tipc/socket.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/tipc/socket.c b/net/tipc/socket.c -index 12628890c219..3b7a79991d55 100644 ---- a/net/tipc/socket.c -+++ b/net/tipc/socket.c -@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) - if (err) - return err; - -+ if (!attrs[TIPC_NLA_SOCK]) -+ return -EINVAL; -+ - err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, - attrs[TIPC_NLA_SOCK], - tipc_nl_sock_policy); --- -2.5.5 - |