diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-11-15 10:45:19 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-11-15 10:45:19 +0100 |
commit | 28437bffcfdb5b223074f0cadf9d2159e1852eb0 (patch) | |
tree | f6e8bf088e28ce6464a27439244c1609434daecf | |
parent | ac0391a06c0ba36f7f03910e755803429c31f2eb (diff) | |
parent | fe6b94d468f9d4e141572e47a6cc82b6e8f03e46 (diff) | |
download | kernel-28437bffcfdb5b223074f0cadf9d2159e1852eb0.tar.gz kernel-28437bffcfdb5b223074f0cadf9d2159e1852eb0.tar.xz kernel-28437bffcfdb5b223074f0cadf9d2159e1852eb0.zip |
Merge remote-tracking branch 'origin/f26' into f26-user-thl-vanilla-fedora
-rw-r--r-- | 0001-usb-usbtest-fix-NULL-pointer-dereference.patch | 41 | ||||
-rw-r--r-- | CVE-2017-16538.patch | 166 | ||||
-rw-r--r-- | kernel.spec | 18 | ||||
-rw-r--r-- | rpi-graphics-fix.patch | 46 | ||||
-rw-r--r-- | sources | 2 |
5 files changed, 272 insertions, 1 deletions
diff --git a/0001-usb-usbtest-fix-NULL-pointer-dereference.patch b/0001-usb-usbtest-fix-NULL-pointer-dereference.patch new file mode 100644 index 000000000..acc03ec7d --- /dev/null +++ b/0001-usb-usbtest-fix-NULL-pointer-dereference.patch @@ -0,0 +1,41 @@ +From 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Fri, 29 Sep 2017 10:54:24 -0400 +Subject: [PATCH] usb: usbtest: fix NULL pointer dereference + +If the usbtest driver encounters a device with an IN bulk endpoint but +no OUT bulk endpoint, it will try to dereference a NULL pointer +(out->desc.bEndpointAddress). The problem can be solved by adding a +missing test. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-by: Andrey Konovalov <andreyknvl@google.com> +Tested-by: Andrey Konovalov <andreyknvl@google.com> +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +--- + drivers/usb/misc/usbtest.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c +index 113e38bfe0ef..b3fc602b2e24 100644 +--- a/drivers/usb/misc/usbtest.c ++++ b/drivers/usb/misc/usbtest.c +@@ -202,12 +202,13 @@ get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf) + return tmp; + } + +- if (in) { ++ if (in) + dev->in_pipe = usb_rcvbulkpipe(udev, + in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); ++ if (out) + dev->out_pipe = usb_sndbulkpipe(udev, + out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); +- } ++ + if (iso_in) { + dev->iso_in = &iso_in->desc; + dev->in_iso_pipe = usb_rcvisocpipe(udev, +-- +2.13.6 + diff --git a/CVE-2017-16538.patch b/CVE-2017-16538.patch new file mode 100644 index 000000000..e9cf4b054 --- /dev/null +++ b/CVE-2017-16538.patch @@ -0,0 +1,166 @@ +From patchwork Tue Sep 26 21:10:20 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm + start. +From: Malcolm Priestley <tvboxspy@gmail.com> +X-Patchwork-Id: 44566 +Message-Id: <20170926211021.11036-1-tvboxspy@gmail.com> +To: linux-media@vger.kernel.org +Cc: Andrey Konovalov <andreyknvl@google.com>, + Malcolm Priestley <tvboxspy@gmail.com> +Date: Tue, 26 Sep 2017 22:10:20 +0100 + +Warm start has no check as whether a genuine device has +connected and proceeds to next execution path. + +Check device should read 0x47 at offset of 2 on USB descriptor read +and it is the amount requested of 6 bytes. + +Fix for +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access as + +Reported-by: Andrey Konovalov <andreyknvl@google.com> +Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com> +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c +index 5e320fa4a795..992f2011a6ba 100644 +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid, + + static int lme2510_return_status(struct dvb_usb_device *d) + { +- int ret = 0; ++ int ret; + u8 *data; + +- data = kzalloc(10, GFP_KERNEL); ++ data = kzalloc(6, GFP_KERNEL); + if (!data) + return -ENOMEM; + +- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), +- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200); +- info("Firmware Status: %x (%x)", ret , data[2]); ++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), ++ 0x06, 0x80, 0x0302, 0x00, ++ data, 0x6, 200); ++ if (ret != 6) ++ ret = -EINVAL; ++ else ++ ret = data[2]; ++ ++ info("Firmware Status: %6ph", data); + +- ret = (ret < 0) ? -ENODEV : data[2]; + kfree(data); + return ret; + } +@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d) + static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) + { + struct lme2510_state *st = d->priv; ++ int status; + + usb_reset_configuration(d->udev); + +@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) + + st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware; + +- if (lme2510_return_status(d) == 0x44) { ++ status = lme2510_return_status(d); ++ if (status == 0x44) { + *name = lme_firmware_switch(d, 0); + return COLD; + } + +- return 0; ++ if (status != 0x47) ++ return -EINVAL; ++ ++ return WARM; + } + + static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type, +From patchwork Tue Sep 26 21:10:21 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to + dm04_lme2510_tuner +From: Malcolm Priestley <tvboxspy@gmail.com> +X-Patchwork-Id: 44567 +Message-Id: <20170926211021.11036-2-tvboxspy@gmail.com> +To: linux-media@vger.kernel.org +Cc: Andrey Konovalov <andreyknvl@google.com>, + Malcolm Priestley <tvboxspy@gmail.com> +Date: Tue, 26 Sep 2017 22:10:21 +0100 + +When the tuner was split from m88rs2000 the attach function is in wrong +place. + +Move to dm04_lme2510_tuner to trap errors on failure and removing +a call to lme_coldreset. + +Prevents driver starting up without any tuner connected. + +Fixes to trap for ts2020 fail. +LME2510(C): FE Found M88RS2000 +ts2020: probe of 0-0060 failed with error -11 +... +LME2510(C): TUN Found RS2000 tuner +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN + +Reported-by: Andrey Konovalov <andreyknvl@google.com> +Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com> +Tested-by: Andrey Konovalov <andreyknvl@google.com> +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c +index 992f2011a6ba..be26c029546b 100644 +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach(struct dvb_usb_adapter *adap) + + if (adap->fe[0]) { + info("FE Found M88RS2000"); +- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config, +- &d->i2c_adap); + st->i2c_tuner_gate_w = 5; + st->i2c_tuner_gate_r = 5; + st->i2c_tuner_addr = 0x60; +@@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter *adap) + ret = st->tuner_config; + break; + case TUNER_RS2000: +- ret = st->tuner_config; ++ if (dvb_attach(ts2020_attach, adap->fe[0], ++ &ts2020_config, &d->i2c_adap)) ++ ret = st->tuner_config; + break; + default: + break; + } + +- if (ret) ++ if (ret) { + info("TUN Found %s tuner", tun_msg[ret]); +- else { +- info("TUN No tuner found --- resetting device"); +- lme_coldreset(d); ++ } else { ++ info("TUN No tuner found"); + return -ENODEV; + } + diff --git a/kernel.spec b/kernel.spec index 27a0b56de..6e3df29ed 100644 --- a/kernel.spec +++ b/kernel.spec @@ -639,6 +639,8 @@ Patch321: bcm283x-dma-mapping-skip-USB-devices-when-configuring-DMA-during-probe # Updat3 move of bcm2837, landed in 4.14 Patch322: bcm2837-move-dt.patch +Patch325: rpi-graphics-fix.patch + # https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?h=next-20170912&id=723288836628bc1c0855f3bb7b64b1803e4b9e4a Patch324: arm-of-restrict-dma-configuration.patch @@ -718,6 +720,12 @@ Patch636: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch # rhbz 1490803 Patch637: 1-2-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-NMI.patch +# CVE-2017-16532 rhbz 1510835 1510854 +Patch638: 0001-usb-usbtest-fix-NULL-pointer-dereference.patch + +# CVE-2017-16538 rhbz 1510826 1510854 +Patch639: CVE-2017-16538.patch + # END OF PATCH DEFINITIONS %endif @@ -2295,6 +2303,16 @@ fi # # %changelog +* Wed Nov 15 2017 Peter Robinson <pbrobinson@fedoraproject.org> +- Add fix for vc4 interupts + +* Wed Nov 08 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.12-200 +- Linux v4.13.12 + +* Wed Nov 08 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2017-16532 (rhbz 1510835 1510854) +- Fix CVE-2017-16538 (rhbz 1510826 1510854) + * Mon Nov 06 2017 Laura Abbott <labbott@redhat.com> - Patches for ThinkPad X1 Carbon Gen5 Touchpad (rhbz 1509461) - Fix for KVM regression on some machines (rhbz 1490803) diff --git a/rpi-graphics-fix.patch b/rpi-graphics-fix.patch new file mode 100644 index 000000000..89bfaf9a5 --- /dev/null +++ b/rpi-graphics-fix.patch @@ -0,0 +1,46 @@ +From 253696ccd613fbdaa5aba1de44c461a058e0a114 Mon Sep 17 00:00:00 2001 +From: Stefan Schake <stschake@gmail.com> +Date: Fri, 10 Nov 2017 02:05:06 +0100 +Subject: drm/vc4: Account for interrupts in flight + +Synchronously disable the IRQ to make the following cancel_work_sync +invocation effective. + +An interrupt in flight could enqueue further overflow mem work. As we +free the binner BO immediately following vc4_irq_uninstall this caused +a NULL pointer dereference in the work callback vc4_overflow_mem_work. + +Link: https://github.com/anholt/linux/issues/114 +Signed-off-by: Stefan Schake <stschake@gmail.com> +Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") +Signed-off-by: Eric Anholt <eric@anholt.net> +Reviewed-by: Eric Anholt <eric@anholt.net> +Link: https://patchwork.freedesktop.org/patch/msgid/1510275907-993-2-git-send-email-stschake@gmail.com + +diff --git a/drivers/gpu/drm/vc4/vc4_irq.c b/drivers/gpu/drm/vc4/vc4_irq.c +index 7d7af3a..61b2e53 100644 +--- a/drivers/gpu/drm/vc4/vc4_irq.c ++++ b/drivers/gpu/drm/vc4/vc4_irq.c +@@ -208,6 +208,9 @@ vc4_irq_postinstall(struct drm_device *dev) + { + struct vc4_dev *vc4 = to_vc4_dev(dev); + ++ /* Undo the effects of a previous vc4_irq_uninstall. */ ++ enable_irq(dev->irq); ++ + /* Enable both the render done and out of memory interrupts. */ + V3D_WRITE(V3D_INTENA, V3D_DRIVER_IRQS); + +@@ -225,6 +228,9 @@ vc4_irq_uninstall(struct drm_device *dev) + /* Clear any pending interrupts we might have left. */ + V3D_WRITE(V3D_INTCTL, V3D_DRIVER_IRQS); + ++ /* Finish any interrupt handler still in flight. */ ++ disable_irq(dev->irq); ++ + cancel_work_sync(&vc4->overflow_mem_work); + } + +-- +cgit v0.10.2 + @@ -1,3 +1,3 @@ SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03 -SHA512 (patch-4.13.11.xz) = ad38845a4c05fcaace68563ffa005cf537d3564448b28750b2c872788cbc0c2495dbc9fdf98817d21aef41863614d8b707acdfb05d8f07845d921c909b5f1d22 +SHA512 (patch-4.13.12.xz) = 6ae0b61bcd62b2e90b8ef3e1030fa874aba95317ec559d6e72cbd83a21b3894c05210d2da137f7b4db063d7de52193260b2364ceb43538ab8cd1db78070efb34 |