authorThorsten Leemhuis <fedora@leemhuis.info>2017-11-15 10:45:19 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2017-11-15 10:45:19 +0100
commit28437bffcfdb5b223074f0cadf9d2159e1852eb0 (patch)
treef6e8bf088e28ce6464a27439244c1609434daecf
parentac0391a06c0ba36f7f03910e755803429c31f2eb (diff)
parentfe6b94d468f9d4e141572e47a6cc82b6e8f03e46 (diff)
Merge remote-tracking branch 'origin/f26' into f26-user-thl-vanilla-fedora
-rw-r--r--0001-usb-usbtest-fix-NULL-pointer-dereference.patch41
-rw-r--r--CVE-2017-16538.patch166
-rw-r--r--kernel.spec18
-rw-r--r--rpi-graphics-fix.patch46
-rw-r--r--sources2
5 files changed, 272 insertions, 1 deletions
diff --git a/0001-usb-usbtest-fix-NULL-pointer-dereference.patch b/0001-usb-usbtest-fix-NULL-pointer-dereference.patch
new file mode 100644
index 000000000..acc03ec7d
--- /dev/null
+++ b/0001-usb-usbtest-fix-NULL-pointer-dereference.patch
@@ -0,0 +1,41 @@
+From 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 29 Sep 2017 10:54:24 -0400
+Subject: [PATCH] usb: usbtest: fix NULL pointer dereference
+
+If the usbtest driver encounters a device with an IN bulk endpoint but
+no OUT bulk endpoint, it will try to dereference a NULL pointer
+(out->desc.bEndpointAddress). The problem can be solved by adding a
+missing test.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+---
+ drivers/usb/misc/usbtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
+index 113e38bfe0ef..b3fc602b2e24 100644
+--- a/drivers/usb/misc/usbtest.c
++++ b/drivers/usb/misc/usbtest.c
+@@ -202,12 +202,13 @@ get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf)
+ return tmp;
+ }
+
+- if (in) {
++ if (in)
+ dev->in_pipe = usb_rcvbulkpipe(udev,
+ in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
++ if (out)
+ dev->out_pipe = usb_sndbulkpipe(udev,
+ out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
+- }
++
+ if (iso_in) {
+ dev->iso_in = &iso_in->desc;
+ dev->in_iso_pipe = usb_rcvisocpipe(udev,
+--
+2.13.6
+
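Review bot: In the embedded usbtest.c hunk, splitting the guard into separate `if (in)` and `if (out)` checks lets get_endpoints() succeed with only one of the two bulk pipes assigned. Any later code that uses dev->in_pipe or dev->out_pipe therefore has to cope with the unset one, and neither the initial value of those fields nor their users are visible here. A comment above the two assignments would record that contract, e.g. `/* in and out are independent; either pipe may stay unset for a one-direction device */`. It is also worth confirming that the bulk test paths reject an unset pipe before submitting transfers. get_endpoints() begins and ends outside the hunk.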
diff --git a/CVE-2017-16538.patch b/CVE-2017-16538.patch
new file mode 100644
index 000000000..e9cf4b054
--- /dev/null
+++ b/CVE-2017-16538.patch
@@ -0,0 +1,166 @@
+From patchwork Tue Sep 26 21:10:20 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm
+ start.
+From: Malcolm Priestley <tvboxspy@gmail.com>
+X-Patchwork-Id: 44566
+Message-Id: <20170926211021.11036-1-tvboxspy@gmail.com>
+To: linux-media@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@google.com>,
+ Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 26 Sep 2017 22:10:20 +0100
+
+Warm start has no check as whether a genuine device has
+connected and proceeds to next execution path.
+
+Check device should read 0x47 at offset of 2 on USB descriptor read
+and it is the amount requested of 6 bytes.
+
+Fix for
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access as
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+index 5e320fa4a795..992f2011a6ba 100644
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid,
+
+ static int lme2510_return_status(struct dvb_usb_device *d)
+ {
+- int ret = 0;
++ int ret;
+ u8 *data;
+
+- data = kzalloc(10, GFP_KERNEL);
++ data = kzalloc(6, GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
+- info("Firmware Status: %x (%x)", ret , data[2]);
++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
++ 0x06, 0x80, 0x0302, 0x00,
++ data, 0x6, 200);
++ if (ret != 6)
++ ret = -EINVAL;
++ else
++ ret = data[2];
++
++ info("Firmware Status: %6ph", data);
+
+- ret = (ret < 0) ? -ENODEV : data[2];
+ kfree(data);
+ return ret;
+ }
+@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d)
+ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+ {
+ struct lme2510_state *st = d->priv;
++ int status;
+
+ usb_reset_configuration(d->udev);
+
+@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+
+ st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
+
+- if (lme2510_return_status(d) == 0x44) {
++ status = lme2510_return_status(d);
++ if (status == 0x44) {
+ *name = lme_firmware_switch(d, 0);
+ return COLD;
+ }
+
+- return 0;
++ if (status != 0x47)
++ return -EINVAL;
++
++ return WARM;
+ }
+
+ static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
+From patchwork Tue Sep 26 21:10:21 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to
+ dm04_lme2510_tuner
+From: Malcolm Priestley <tvboxspy@gmail.com>
+X-Patchwork-Id: 44567
+Message-Id: <20170926211021.11036-2-tvboxspy@gmail.com>
+To: linux-media@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@google.com>,
+ Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 26 Sep 2017 22:10:21 +0100
+
+When the tuner was split from m88rs2000 the attach function is in wrong
+place.
+
+Move to dm04_lme2510_tuner to trap errors on failure and removing
+a call to lme_coldreset.
+
+Prevents driver starting up without any tuner connected.
+
+Fixes to trap for ts2020 fail.
+LME2510(C): FE Found M88RS2000
+ts2020: probe of 0-0060 failed with error -11
+...
+LME2510(C): TUN Found RS2000 tuner
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+index 992f2011a6ba..be26c029546b 100644
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach(struct dvb_usb_adapter *adap)
+
+ if (adap->fe[0]) {
+ info("FE Found M88RS2000");
+- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
+- &d->i2c_adap);
+ st->i2c_tuner_gate_w = 5;
+ st->i2c_tuner_gate_r = 5;
+ st->i2c_tuner_addr = 0x60;
+@@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter *adap)
+ ret = st->tuner_config;
+ break;
+ case TUNER_RS2000:
+- ret = st->tuner_config;
++ if (dvb_attach(ts2020_attach, adap->fe[0],
++ &ts2020_config, &d->i2c_adap))
++ ret = st->tuner_config;
+ break;
+ default:
+ break;
+ }
+
+- if (ret)
++ if (ret) {
+ info("TUN Found %s tuner", tun_msg[ret]);
+- else {
+- info("TUN No tuner found --- resetting device");
+- lme_coldreset(d);
++ } else {
++ info("TUN No tuner found");
+ return -ENODEV;
+ }
+
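Review bot: In lme2510_return_status() the length 6 now appears three times, in `kzalloc(6, GFP_KERNEL)`, the `0x6` length argument and `if (ret != 6)`, and the slack of the old 10-byte allocation is gone. If the requested length ever grows past the allocation, the transfer would write beyond the heap buffer, so a single named constant should tie the three together, for example `#define LME_STATUS_LEN 6` (the name is only a suggestion). The same function collapses every usb_control_msg() failure into `-EINVAL` and still logs `data` on the error path, where it may be only the zeroed buffer; logging `ret` before it is overwritten would keep the real error visible. In the second patch, the TUNER_RS2000 branch relies on `ret` already being zero when dvb_attach() fails, and that initialisation is outside the hunk.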
diff --git a/kernel.spec b/kernel.spec
index 27a0b56de..6e3df29ed 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -639,6 +639,8 @@ Patch321: bcm283x-dma-mapping-skip-USB-devices-when-configuring-DMA-during-probe
# Updat3 move of bcm2837, landed in 4.14
Patch322: bcm2837-move-dt.patch
+Patch325: rpi-graphics-fix.patch
+
# https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?h=next-20170912&id=723288836628bc1c0855f3bb7b64b1803e4b9e4a
Patch324: arm-of-restrict-dma-configuration.patch
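Review bot: `Patch325: rpi-graphics-fix.patch` is added without an origin comment and ahead of Patch324, while the neighbouring entries carry a note or an upstream URL. A provenance line above it would make the entry auditable, e.g. `# drm/vc4: Account for interrupts in flight, https://patchwork.freedesktop.org/patch/msgid/1510275907-993-2-git-send-email-stschake@gmail.com`. Moving the entry after Patch324 would also keep the list in numeric order.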
@@ -718,6 +720,12 @@ Patch636: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch
# rhbz 1490803
Patch637: 1-2-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-NMI.patch
+# CVE-2017-16532 rhbz 1510835 1510854
+Patch638: 0001-usb-usbtest-fix-NULL-pointer-dereference.patch
+
+# CVE-2017-16538 rhbz 1510826 1510854
+Patch639: CVE-2017-16538.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2295,6 +2303,16 @@ fi
#
#
%changelog
+* Wed Nov 15 2017 Peter Robinson <pbrobinson@fedoraproject.org>
+- Add fix for vc4 interupts
+
+* Wed Nov 08 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.12-200
+- Linux v4.13.12
+
+* Wed Nov 08 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2017-16532 (rhbz 1510835 1510854)
+- Fix CVE-2017-16538 (rhbz 1510826 1510854)
+
* Mon Nov 06 2017 Laura Abbott <labbott@redhat.com>
- Patches for ThinkPad X1 Carbon Gen5 Touchpad (rhbz 1509461)
- Fix for KVM regression on some machines (rhbz 1490803)
diff --git a/rpi-graphics-fix.patch b/rpi-graphics-fix.patch
new file mode 100644
index 000000000..89bfaf9a5
--- /dev/null
+++ b/rpi-graphics-fix.patch
@@ -0,0 +1,46 @@
+From 253696ccd613fbdaa5aba1de44c461a058e0a114 Mon Sep 17 00:00:00 2001
+From: Stefan Schake <stschake@gmail.com>
+Date: Fri, 10 Nov 2017 02:05:06 +0100
+Subject: drm/vc4: Account for interrupts in flight
+
+Synchronously disable the IRQ to make the following cancel_work_sync
+invocation effective.
+
+An interrupt in flight could enqueue further overflow mem work. As we
+free the binner BO immediately following vc4_irq_uninstall this caused
+a NULL pointer dereference in the work callback vc4_overflow_mem_work.
+
+Link: https://github.com/anholt/linux/issues/114
+Signed-off-by: Stefan Schake <stschake@gmail.com>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/1510275907-993-2-git-send-email-stschake@gmail.com
+
+diff --git a/drivers/gpu/drm/vc4/vc4_irq.c b/drivers/gpu/drm/vc4/vc4_irq.c
+index 7d7af3a..61b2e53 100644
+--- a/drivers/gpu/drm/vc4/vc4_irq.c
++++ b/drivers/gpu/drm/vc4/vc4_irq.c
+@@ -208,6 +208,9 @@ vc4_irq_postinstall(struct drm_device *dev)
+ {
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+
++ /* Undo the effects of a previous vc4_irq_uninstall. */
++ enable_irq(dev->irq);
++
+ /* Enable both the render done and out of memory interrupts. */
+ V3D_WRITE(V3D_INTENA, V3D_DRIVER_IRQS);
+
+@@ -225,6 +228,9 @@ vc4_irq_uninstall(struct drm_device *dev)
+ /* Clear any pending interrupts we might have left. */
+ V3D_WRITE(V3D_INTCTL, V3D_DRIVER_IRQS);
+
++ /* Finish any interrupt handler still in flight. */
++ disable_irq(dev->irq);
++
+ cancel_work_sync(&vc4->overflow_mem_work);
+ }
+
+--
+cgit v0.10.2
+
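Review bot: The `enable_irq(dev->irq)` added to vc4_irq_postinstall() is unconditional, but disable_irq() and enable_irq() are depth-counted and must be paired. If postinstall can run without a preceding vc4_irq_uninstall(), for instance on the first install (the callers are not shown here), the kernel would report an unbalanced enable. The call order should be confirmed and the comment extended to state the pairing, e.g. `/* Pairs with disable_irq() in vc4_irq_uninstall(). */`. Both functions begin outside their hunks, and vc4_irq_postinstall() also ends outside its hunk.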
diff --git a/sources b/sources
index 5567d2f7e..4f9960f5e 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2
SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
-SHA512 (patch-4.13.11.xz) = ad38845a4c05fcaace68563ffa005cf537d3564448b28750b2c872788cbc0c2495dbc9fdf98817d21aef41863614d8b707acdfb05d8f07845d921c909b5f1d22
+SHA512 (patch-4.13.12.xz) = 6ae0b61bcd62b2e90b8ef3e1030fa874aba95317ec559d6e72cbd83a21b3894c05210d2da137f7b4db063d7de52193260b2364ceb43538ab8cd1db78070efb34