authorThorsten Leemhuis <fedora@leemhuis.info>2016-02-22 07:24:05 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2016-02-22 07:24:05 +0100
commite5fc472bad9a1c17efcf4e99f38c8818aeaadbc9 (patch)
tree1ca9752aaa2631a58a7007a96a12ed982754acf5
parentca958bf51c9072c2a7fd29eec5d7671cda87a467 (diff)
parent4988639cd811f8eafe02a193329f44da3650eb8f (diff)
downloadkernel-e5fc472bad9a1c17efcf4e99f38c8818aeaadbc9.tar.gz
kernel-e5fc472bad9a1c17efcf4e99f38c8818aeaadbc9.tar.xz
kernel-e5fc472bad9a1c17efcf4e99f38c8818aeaadbc9.zip
Merge remote-tracking branch 'origin/f22' into f22-user-thl-vanilla-fedorakernel-4.3.6-200.vanilla.knurd.1.fc22
-rw-r--r--HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch133
-rw-r--r--HID-multitouch-fix-input-mode-switching-on-some-Elan.patch94
-rw-r--r--Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch41
-rw-r--r--block-ensure-to-split-after-potentially-bouncing-a-b.patch43
-rw-r--r--bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch92
-rw-r--r--drm-mgag200-fix-kernel-hang-in-cursor-code.patch107
-rw-r--r--drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch31
-rw-r--r--fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch86
-rw-r--r--iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch41
-rw-r--r--kernel.spec104
-rw-r--r--media-Revert-media-ivtv-avoid-going-past-input-audio.patch38
-rw-r--r--rtlwifi-fix-memory-leak-for-USB-device.patch36
-rw-r--r--sources2
-rw-r--r--tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch68
-rw-r--r--usb-serial-visor-fix-crash-on-detecting-device-witho.patch36
15 files changed, 463 insertions, 489 deletions
diff --git a/HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch b/HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
deleted file mode 100644
index f6bb5794f..000000000
--- a/HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From 84ac7d370783d4819c5986da1c5d5c62d360dc8f Mon Sep 17 00:00:00 2001
-From: Mika Westerberg <mika.westerberg@linux.intel.com>
-Date: Wed, 7 Oct 2015 15:33:43 +0300
-Subject: [PATCH] HID: multitouch: Fetch feature reports on demand for Win8
- devices
-
-Some newer Intel Skylake based Dell laptops with Win8 precision touchpad
-fail when initial feature reports are fetched from it. Below is an example
-output with some additional debug included:
-
- i2c_hid i2c-DLL0704:01: Fetching the HID descriptor
- i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=20 00
- i2c_hid i2c-DLL0704:01: HID Descriptor: 1e 00 00 01 99 02 21 00 24 ...
- ...
- i2c_hid i2c-DLL0704:01: i2c_hid_get_report
- i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 38 02 23 00
- i2c_hid i2c-DLL0704:01: report (len=4): 04 00 08 05
- i2c_hid i2c-DLL0704:01: report id 13
- i2c_hid i2c-DLL0704:01: i2c_hid_get_report
- i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 3d 02 23 00
- i2c_hid i2c-DLL0704:01: failed to retrieve report from device.
- i2c_hid i2c-DLL0704:01: report id 7
- i2c_hid i2c-DLL0704:01: i2c_hid_get_report
- i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 37 02 23 00
- i2c_hid i2c-DLL0704:01: report (len=259): 03 01 07 fc 28 fe 84 40 ...
- i2c_hid i2c-DLL0704:01: report id 4
- i2c_hid i2c-DLL0704:01: i2c_hid_get_report
- i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 34 02 23 00
-
-We manage to fetch few reports but then the touchpad dies:
-
- i2c_designware i2c_designware.1: i2c_dw_handle_tx_abort: lost arbitration
- i2c_hid i2c-DLL0704:01: failed to retrieve report from device.
-
-it eventually pulls the whole I2C bus low:
-
- i2c_designware i2c_designware.1: controller timed out
- i2c_hid i2c-DLL0704:01: failed to set a report to device.
-
-Fix this by preventing initial feature report retrieval for Win8 devices.
-Instead we fetch reports as needed in mt_feature_mapping(). This prevents
-fetching reports which might cause problems with the device in question.
-
-Suggested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Tested-by: Seth Forshee <seth.forshee@canonical.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- drivers/hid/hid-multitouch.c | 45 +++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 44 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
-index 426b2f1a3450..4afe8d78b366 100644
---- a/drivers/hid/hid-multitouch.c
-+++ b/drivers/hid/hid-multitouch.c
-@@ -309,6 +309,41 @@ static struct attribute_group mt_attribute_group = {
- .attrs = sysfs_attrs
- };
-
-+static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
-+{
-+ struct mt_device *td = hid_get_drvdata(hdev);
-+ int ret, size = hid_report_len(report);
-+ u8 *buf;
-+
-+ /*
-+ * Only fetch the feature report if initial reports are not already
-+ * been retrieved. Currently this is only done for Windows 8 touch
-+ * devices.
-+ */
-+ if (!(hdev->quirks & HID_QUIRK_NO_INIT_REPORTS))
-+ return;
-+ if (td->mtclass.name != MT_CLS_WIN_8)
-+ return;
-+
-+ buf = hid_alloc_report_buf(report, GFP_KERNEL);
-+ if (!buf)
-+ return;
-+
-+ ret = hid_hw_raw_request(hdev, report->id, buf, size,
-+ HID_FEATURE_REPORT, HID_REQ_GET_REPORT);
-+ if (ret < 0) {
-+ dev_warn(&hdev->dev, "failed to fetch feature %d\n",
-+ report->id);
-+ } else {
-+ ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
-+ size, 0);
-+ if (ret)
-+ dev_warn(&hdev->dev, "failed to report feature\n");
-+ }
-+
-+ kfree(buf);
-+}
-+
- static void mt_feature_mapping(struct hid_device *hdev,
- struct hid_field *field, struct hid_usage *usage)
- {
-@@ -327,6 +362,8 @@ static void mt_feature_mapping(struct hid_device *hdev,
-
- break;
- case HID_DG_CONTACTMAX:
-+ mt_get_feature(hdev, field->report);
-+
- td->maxcontact_report_id = field->report->id;
- td->maxcontacts = field->value[0];
- if (!td->maxcontacts &&
-@@ -343,6 +380,7 @@ static void mt_feature_mapping(struct hid_device *hdev,
- break;
- }
-
-+ mt_get_feature(hdev, field->report);
- if (field->value[usage->usage_index] == MT_BUTTONTYPE_CLICKPAD)
- td->is_buttonpad = true;
-
-@@ -1026,8 +1064,13 @@ static int mt_probe(struct hid_device *hdev, const struct hid_device_id *id)
- * reports. Fortunately, the Win8 spec says that all touches
- * should be sent during each report, making the initialization
- * of input reports unnecessary.
-+ *
-+ * In addition some touchpads do not behave well if we read
-+ * all feature reports from them. Instead we prevent
-+ * initial report fetching and then selectively fetch each
-+ * report we are interested in.
- */
-- hdev->quirks |= HID_QUIRK_NO_INIT_INPUT_REPORTS;
-+ hdev->quirks |= HID_QUIRK_NO_INIT_REPORTS;
-
- td = devm_kzalloc(&hdev->dev, sizeof(struct mt_device), GFP_KERNEL);
- if (!td) {
---
-2.5.0
-
diff --git a/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch b/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
deleted file mode 100644
index c469460e5..000000000
--- a/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From cd1e1e286bb3c4fa8714c1e571ae082e510efd5d Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Date: Tue, 1 Dec 2015 12:41:38 +0100
-Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels
-
-as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
-
-This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
-reports on demand for Win8 devices") as the origin of the problem but this
-commit actually masked 2 firmware bugs that are annihilating each other:
-
-The report descriptor declares two features in reports 3 and 5:
-
-0x05, 0x0d, // Usage Page (Digitizers) 318
-0x09, 0x0e, // Usage (Device Configuration) 320
-0xa1, 0x01, // Collection (Application) 322
-0x85, 0x03, // Report ID (3) 324
-0x09, 0x22, // Usage (Finger) 326
-0xa1, 0x00, // Collection (Physical) 328
-0x09, 0x52, // Usage (Inputmode) 330
-0x15, 0x00, // Logical Minimum (0) 332
-0x25, 0x0a, // Logical Maximum (10) 334
-0x75, 0x08, // Report Size (8) 336
-0x95, 0x02, // Report Count (2) 338
-0xb1, 0x02, // Feature (Data,Var,Abs) 340
-0xc0, // End Collection 342
-0x09, 0x22, // Usage (Finger) 343
-0xa1, 0x00, // Collection (Physical) 345
-0x85, 0x05, // Report ID (5) 347
-0x09, 0x57, // Usage (Surface Switch) 349
-0x09, 0x58, // Usage (Button Switch) 351
-0x15, 0x00, // Logical Minimum (0) 353
-0x75, 0x01, // Report Size (1) 355
-0x95, 0x02, // Report Count (2) 357
-0x25, 0x03, // Logical Maximum (3) 359
-0xb1, 0x02, // Feature (Data,Var,Abs) 361
-0x95, 0x0e, // Report Count (14) 363
-0xb1, 0x03, // Feature (Cnst,Var,Abs) 365
-0xc0, // End Collection 367
-
-The report ID 3 presents 2 input mode features, while only the first one
-is handled by the device. Given that we did not checked if one was
-previously assigned, we were dealing with the ignored featured and we
-should never have been able to switch this panel into the multitouch mode.
-
-However, the firmware presents an other bugs which allowed 6d4f5440
-to counteract the faulty report descriptor. When we request the values
-of the feature 5, the firmware answers "03 03 00". The fields are correct
-but the report id is wrong. Before 6d4f5440, we retrieved all the features
-and injected them in the system. So when we called report 5, we injected
-in the system the report 3 with the values "03 00".
-Setting the second input mode to 03 in this report changed it to "03 03"
-and the touchpad switched to the mt mode. We could have set anything
-in the second field because the actual value (the first 03 in this report)
-was given by the query of report ID 5.
-
-To sum up: 2 bugs in the firmware were hiding that we were accessing the
-wrong feature.
-
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- drivers/hid/hid-multitouch.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
-index ba94044cb859..d866720412cd 100644
---- a/drivers/hid/hid-multitouch.c
-+++ b/drivers/hid/hid-multitouch.c
-@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hid_device *hdev,
- break;
- }
-
-- td->inputmode = field->report->id;
-- td->inputmode_index = usage->usage_index;
-+ if (td->inputmode < 0) {
-+ td->inputmode = field->report->id;
-+ td->inputmode_index = usage->usage_index;
-+ } else {
-+ /*
-+ * Some elan panels wrongly declare 2 input mode
-+ * features, and silently ignore when we set the
-+ * value in the second field. Skip the second feature
-+ * and hope for the best.
-+ */
-+ dev_info(&hdev->dev,
-+ "Ignoring the extra HID_DG_INPUTMODE\n");
-+ }
-
- break;
- case HID_DG_CONTACTMAX:
---
-2.5.0
-
diff --git a/Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch b/Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
new file mode 100644
index 000000000..c02a0f53b
--- /dev/null
+++ b/Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
@@ -0,0 +1,41 @@
+From 6544a1df11c48c8413071aac3316792e4678fbfb Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 11 Jan 2016 17:35:38 -0800
+Subject: [PATCH] Input: elantech - mark protocols v2 and v3 as semi-mt
+
+When using a protocol v2 or v3 hardware, elantech uses the function
+elantech_report_semi_mt_data() to report data. This devices are rather
+creepy because if num_finger is 3, (x2,y2) is (0,0). Yes, only one valid
+touch is reported.
+
+Anyway, userspace (libinput) is now confused by these (0,0) touches,
+and detect them as palm, and rejects them.
+
+Commit 3c0213d17a09 ("Input: elantech - fix semi-mt protocol for v3 HW")
+was sufficient enough for xf86-input-synaptics and libinput before it has
+palm rejection. Now we need to actually tell libinput that this device is
+a semi-mt one and it should not rely on the actual values of the 2 touches.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+---
+ drivers/input/mouse/elantech.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index 537ebb0e193a..78f93cf68840 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1222,7 +1222,7 @@ static int elantech_set_input_params(struct psmouse *psmouse)
+ input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2,
+ ETP_WMAX_V2, 0, 0);
+ }
+- input_mt_init_slots(dev, 2, 0);
++ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT);
+ input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0);
+ input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0);
+ break;
+--
+2.5.0
+
diff --git a/block-ensure-to-split-after-potentially-bouncing-a-b.patch b/block-ensure-to-split-after-potentially-bouncing-a-b.patch
deleted file mode 100644
index 6dda59a4c..000000000
--- a/block-ensure-to-split-after-potentially-bouncing-a-b.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 23688bf4f830a89866fd0ed3501e342a7360fe4f Mon Sep 17 00:00:00 2001
-From: Junichi Nomura <j-nomura@ce.jp.nec.com>
-Date: Tue, 22 Dec 2015 10:23:44 -0700
-Subject: [PATCH] block: ensure to split after potentially bouncing a bio
-
-blk_queue_bio() does split then bounce, which makes the segment
-counting based on pages before bouncing and could go wrong. Move
-the split to after bouncing, like we do for blk-mq, and the we
-fix the issue of having the bio count for segments be wrong.
-
-Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios")
-Cc: stable@vger.kernel.org
-Tested-by: Artem S. Tashkinov <t.artem@lycos.com>
-Signed-off-by: Jens Axboe <axboe@fb.com>
----
- block/blk-core.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/block/blk-core.c b/block/blk-core.c
-index 3636be469fa2..c487b94c59e3 100644
---- a/block/blk-core.c
-+++ b/block/blk-core.c
-@@ -1689,8 +1689,6 @@ static blk_qc_t blk_queue_bio(struct request_queue *q, struct bio *bio)
- struct request *req;
- unsigned int request_count = 0;
-
-- blk_queue_split(q, &bio, q->bio_split);
--
- /*
- * low level driver can indicate that it wants pages above a
- * certain limit bounced to low memory (ie for highmem, or even
-@@ -1698,6 +1696,8 @@ static blk_qc_t blk_queue_bio(struct request_queue *q, struct bio *bio)
- */
- blk_queue_bounce(q, &bio);
-
-+ blk_queue_split(q, &bio, q->bio_split);
-+
- if (bio_integrity_enabled(bio) && bio_integrity_prep(bio)) {
- bio->bi_error = -EIO;
- bio_endio(bio);
---
-2.5.0
-
diff --git a/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch b/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
new file mode 100644
index 000000000..fc5a1a504
--- /dev/null
+++ b/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
@@ -0,0 +1,92 @@
+From a1b14d27ed0965838350f1377ff97c93ee383492 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 10 Feb 2016 16:47:11 +0100
+Subject: [PATCH] bpf: fix branch offset adjustment on backjumps after patching
+ ctx expansion
+
+When ctx access is used, the kernel often needs to expand/rewrite
+instructions, so after that patching, branch offsets have to be
+adjusted for both forward and backward jumps in the new eBPF program,
+but for backward jumps it fails to account the delta. Meaning, for
+example, if the expansion happens exactly on the insn that sits at
+the jump target, it doesn't fix up the back jump offset.
+
+Analysis on what the check in adjust_branches() is currently doing:
+
+ /* adjust offset of jmps if necessary */
+ if (i < pos && i + insn->off + 1 > pos)
+ insn->off += delta;
+ else if (i > pos && i + insn->off + 1 < pos)
+ insn->off -= delta;
+
+First condition (forward jumps):
+
+ Before: After:
+
+ insns[0] insns[0]
+ insns[1] <--- i/insn insns[1] <--- i/insn
+ insns[2] <--- pos insns[P] <--- pos
+ insns[3] insns[P] `------| delta
+ insns[4] <--- target_X insns[P] `-----|
+ insns[5] insns[3]
+ insns[4] <--- target_X
+ insns[5]
+
+First case is if we cross pos-boundary and the jump instruction was
+before pos. This is handeled correctly. I.e. if i == pos, then this
+would mean our jump that we currently check was the patchlet itself
+that we just injected. Since such patchlets are self-contained and
+have no awareness of any insns before or after the patched one, the
+delta is correctly not adjusted. Also, for the second condition in
+case of i + insn->off + 1 == pos, means we jump to that newly patched
+instruction, so no offset adjustment are needed. That part is correct.
+
+Second condition (backward jumps):
+
+ Before: After:
+
+ insns[0] insns[0]
+ insns[1] <--- target_X insns[1] <--- target_X
+ insns[2] <--- pos <-- target_Y insns[P] <--- pos <-- target_Y
+ insns[3] insns[P] `------| delta
+ insns[4] <--- i/insn insns[P] `-----|
+ insns[5] insns[3]
+ insns[4] <--- i/insn
+ insns[5]
+
+Second interesting case is where we cross pos-boundary and the jump
+instruction was after pos. Backward jump with i == pos would be
+impossible and pose a bug somewhere in the patchlet, so the first
+condition checking i > pos is okay only by itself. However, i +
+insn->off + 1 < pos does not always work as intended to trigger the
+adjustment. It works when jump targets would be far off where the
+delta wouldn't matter. But, for example, where the fixed insn->off
+before pointed to pos (target_Y), it now points to pos + delta, so
+that additional room needs to be taken into account for the check.
+This means that i) both tests here need to be adjusted into pos + delta,
+and ii) for the second condition, the test needs to be <= as pos
+itself can be a target in the backjump, too.
+
+Fixes: 9bac3d6d548e ("bpf: allow extended BPF programs access skb fields")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ kernel/bpf/verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index d1d3e8f57de9..2e7f7ab739e4 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2082,7 +2082,7 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta)
+ /* adjust offset of jmps if necessary */
+ if (i < pos && i + insn->off + 1 > pos)
+ insn->off += delta;
+- else if (i > pos && i + insn->off + 1 < pos)
++ else if (i > pos + delta && i + insn->off + 1 <= pos + delta)
+ insn->off -= delta;
+ }
+ }
+--
+2.5.0
+
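Review bot: The rewritten backward-jump test `else if (i > pos + delta && i + insn->off + 1 <= pos + delta)` has no comment saying why it compares against `pos + delta` while the forward-jump test two lines above still uses bare `pos`; the only comment in place is the generic `/* adjust offset of jmps if necessary */`. This code rewrites offsets in a program after instruction expansion, so a wrong offset presumably leaves a jump landing somewhere other than where it was checked, and the asymmetry deserves a comment next to the code, e.g. `/* insns after the patchlet have already moved by delta, so a back jump is tested against pos + delta; <= because pos itself can be the target */`. The hunk also shows no range check around `insn->off += delta` and `insn->off -= delta`; if `off` is a narrow signed field, it is worth confirming the adjusted value still fits. adjust_branches() starts and ends outside the hunk.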
diff --git a/drm-mgag200-fix-kernel-hang-in-cursor-code.patch b/drm-mgag200-fix-kernel-hang-in-cursor-code.patch
new file mode 100644
index 000000000..075c06241
--- /dev/null
+++ b/drm-mgag200-fix-kernel-hang-in-cursor-code.patch
@@ -0,0 +1,107 @@
+From f6619ef7508261be2ba3ded313ccc46ce670d0d3 Mon Sep 17 00:00:00 2001
+From: "Wang, Rui Y" <rui.y.wang@intel.com>
+Date: Wed, 18 Nov 2015 23:00:53 +0800
+Subject: [PATCH] drm/mgag200: fix kernel hang in cursor code.
+
+The machine hang completely with the following message on the console:
+
+[ 487.777538] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
+[ 487.777554] IP: [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30
+[ 487.777557] PGD 42e9f7067 PUD 42f2fa067 PMD 0
+[ 487.777560] Oops: 0002 [#1] SMP
+...
+[ 487.777618] CPU: 21 PID: 3190 Comm: Xorg Tainted: G E 4.4.0-rc1-3-default+ #6
+[ 487.777620] Hardware name: Intel Corporation BRICKLAND/BRICKLAND, BIOS BRHSXSD1.86B.0059.R00.1501081238 01/08/2015
+[ 487.777621] task: ffff880853ae4680 ti: ffff8808696d4000 task.ti: ffff8808696d4000
+[ 487.777625] RIP: 0010:[<ffffffff8158aaee>] [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30
+[ 487.777627] RSP: 0018:ffff8808696d79c0 EFLAGS: 00010246
+[ 487.777628] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 487.777629] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000060
+[ 487.777630] RBP: ffff8808696d79e0 R08: 0000000000000000 R09: ffff88086924a780
+[ 487.777631] R10: 000000000001bb40 R11: 0000000000003246 R12: 0000000000000000
+[ 487.777632] R13: ffff880463a27360 R14: ffff88046ca50218 R15: 0000000000000080
+[ 487.777634] FS: 00007f3f81c5a8c0(0000) GS:ffff88086f060000(0000) knlGS:0000000000000000
+[ 487.777635] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 487.777636] CR2: 0000000000000060 CR3: 000000042e678000 CR4: 00000000001406e0
+[ 487.777638] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 487.777639] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 487.777639] Stack:
+[ 487.777642] ffffffffa00eb5fa ffff8808696d7b60 ffff88086b87d800 0000000000000000
+[ 487.777644] ffff8808696d7ac8 ffffffffa01694b6 ffff8808696d7ae8 ffffffff8109c8d5
+[ 487.777647] ffff880469158740 ffff880463a27000 ffff88086b87d800 ffff88086b87d800
+[ 487.777647] Call Trace:
+[ 487.777674] [<ffffffffa00eb5fa>] ? drm_gem_object_lookup+0x1a/0xa0 [drm]
+[ 487.777681] [<ffffffffa01694b6>] mga_crtc_cursor_set+0xc6/0xb60 [mgag200]
+[ 487.777691] [<ffffffff8109c8d5>] ? find_busiest_group+0x35/0x4a0
+[ 487.777696] [<ffffffff81086294>] ? __might_sleep+0x44/0x80
+[ 487.777699] [<ffffffff815888c2>] ? __ww_mutex_lock+0x22/0x9c
+[ 487.777722] [<ffffffffa0104f64>] ? drm_modeset_lock+0x34/0xf0 [drm]
+[ 487.777733] [<ffffffffa0148d9e>] restore_fbdev_mode+0xee/0x2a0 [drm_kms_helper]
+[ 487.777742] [<ffffffffa014afce>] drm_fb_helper_restore_fbdev_mode_unlocked+0x2e/0x70 [drm_kms_helper]
+[ 487.777748] [<ffffffffa014b037>] drm_fb_helper_set_par+0x27/0x50 [drm_kms_helper]
+[ 487.777752] [<ffffffff8134560c>] fb_set_var+0x18c/0x3f0
+[ 487.777777] [<ffffffffa02a9b0a>] ? __ext4_handle_dirty_metadata+0x8a/0x210 [ext4]
+[ 487.777783] [<ffffffff8133cb97>] fbcon_blank+0x1b7/0x2b0
+[ 487.777790] [<ffffffff813be2a3>] do_unblank_screen+0xb3/0x1c0
+[ 487.777795] [<ffffffff813b5aba>] vt_ioctl+0x118a/0x1210
+[ 487.777801] [<ffffffff813a8fe0>] tty_ioctl+0x3f0/0xc90
+[ 487.777808] [<ffffffff81172018>] ? kzfree+0x28/0x30
+[ 487.777813] [<ffffffff811e053f>] ? mntput+0x1f/0x30
+[ 487.777817] [<ffffffff811d3f5d>] do_vfs_ioctl+0x30d/0x570
+[ 487.777822] [<ffffffff8107ed3a>] ? task_work_run+0x8a/0xa0
+[ 487.777825] [<ffffffff811d4234>] SyS_ioctl+0x74/0x80
+[ 487.777829] [<ffffffff8158aeae>] entry_SYSCALL_64_fastpath+0x12/0x71
+[ 487.777851] Code: 65 ff 0d ce 02 a8 7e 5d c3 ba 01 00 00 00 f0 0f b1 17 85 c0 75 e8 b0 01 5d c3 0f 1f 00 65 ff 05 b1 02 a8 7e 31 c0 ba 01 00 00 00 <f0> 0f b1 17 85 c0 75 01 c3 55 89 c6 48 89 e5 e8 4e f5 b1 ff 5d
+[ 487.777854] RIP [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30
+[ 487.777855] RSP <ffff8808696d79c0>
+[ 487.777856] CR2: 0000000000000060
+[ 487.777860] ---[ end trace 672a2cd555e0ebd3 ]---
+
+The cursor code may be entered with file_priv == NULL && handle == NULL.
+The problem was introduced by:
+
+"bf89209 drm/mga200g: Hold a proper reference for cursor_set"
+
+which calls drm_gem_object_lookup(dev, file_priv...). Previously this wasn't
+a problem because we checked the handle. Move the check early in the function
+can fix the problem.
+
+Signed-off-by: Rui Wang <rui.y.wang@intel.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+---
+ drivers/gpu/drm/mgag200/mgag200_cursor.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/mgag200/mgag200_cursor.c b/drivers/gpu/drm/mgag200/mgag200_cursor.c
+index 4f2068fe5d88..a7bf6a90eae5 100644
+--- a/drivers/gpu/drm/mgag200/mgag200_cursor.c
++++ b/drivers/gpu/drm/mgag200/mgag200_cursor.c
+@@ -70,6 +70,11 @@ int mga_crtc_cursor_set(struct drm_crtc *crtc,
+ BUG_ON(pixels_2 != pixels_current && pixels_2 != pixels_prev);
+ BUG_ON(pixels_current == pixels_prev);
+
++ if (!handle || !file_priv) {
++ mga_hide_cursor(mdev);
++ return 0;
++ }
++
+ obj = drm_gem_object_lookup(dev, file_priv, handle);
+ if (!obj)
+ return -ENOENT;
+@@ -88,12 +93,6 @@ int mga_crtc_cursor_set(struct drm_crtc *crtc,
+ goto out_unreserve1;
+ }
+
+- if (!handle) {
+- mga_hide_cursor(mdev);
+- ret = 0;
+- goto out1;
+- }
+-
+ /* Move cursor buffers into VRAM if they aren't already */
+ if (!pixels_1->pin_count) {
+ ret = mgag200_bo_pin(pixels_1, TTM_PL_FLAG_VRAM,
+--
+2.5.0
+
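Review bot: The new early guard `if (!handle || !file_priv)` also returns 0 when `handle` is non-zero but `file_priv` is NULL, so an inconsistent call hides the cursor and reports success instead of being rejected. The commit message only describes the case where both are unset, which the call trace reaches through restore_fbdev_mode(). If the mixed case cannot happen, say so in a comment above the guard, e.g. `/* fbdev restore calls in with no file_priv and no handle: hide the cursor before any GEM lookup */`; if it can, consider `if (!file_priv && handle) return -EINVAL;` ahead of the hide path. mga_crtc_cursor_set() starts and ends outside the hunk, so the cleanup labels the removed `goto out1` relied on are not visible here.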
diff --git a/drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch b/drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
deleted file mode 100644
index 6ad5796e8..000000000
--- a/drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 65fbb05cbbf9ef7f531712634c3e914b54171707 Mon Sep 17 00:00:00 2001
-From: Alexandre Courbot <acourbot@nvidia.com>
-Date: Thu, 3 Sep 2015 17:39:52 +0900
-Subject: [PATCH] drm/nouveau/pmu: do not assume a PMU is present
-
-Some devices may not have a PMU. Avoid a NULL pointer dereference in
-such cases by checking whether the pointer given to nvkm_pmu_pgob() is
-valid.
-
-Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
-Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
----
- drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
-index 27a79c0c3888..d95eb8659d1b 100644
---- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
-+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
-@@ -28,7 +28,7 @@
- void
- nvkm_pmu_pgob(struct nvkm_pmu *pmu, bool enable)
- {
-- if (pmu->func->pgob)
-+ if (pmu && pmu->func->pgob)
- pmu->func->pgob(pmu, enable);
- }
-
---
-2.5.0
-
diff --git a/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch b/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
new file mode 100644
index 000000000..90bf05310
--- /dev/null
+++ b/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
@@ -0,0 +1,86 @@
+From 9aacdd354d197ad64685941b36d28ea20ab88757 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri, 15 Jan 2016 16:57:37 -0800
+Subject: [PATCH] fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
+
+Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
+argument end is of type pgoff_t. It was being converted to a vaddr
+offset and passed to unmap_hugepage_range. However, end was also being
+used as an argument to the vma_interval_tree_foreach controlling loop.
+In addition, the conversion of end to vaddr offset was incorrect.
+
+hugetlb_vmtruncate_list is called as part of a file truncate or
+fallocate hole punch operation.
+
+When truncating a hugetlbfs file, this bug could prevent some pages from
+being unmapped. This is possible if there are multiple vmas mapping the
+file, and there is a sufficiently sized hole between the mappings. The
+size of the hole between two vmas (A,B) must be such that the starting
+virtual address of B is greater than (ending virtual address of A <<
+PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
+pages are not properly unmapped during truncate, the following BUG is
+hit:
+
+ kernel BUG at fs/hugetlbfs/inode.c:428!
+
+In the fallocate hole punch case, this bug could prevent pages from
+being unmapped as in the truncate case. However, for hole punch the
+result is that unmapped pages will not be removed during the operation.
+For hole punch, it is also possible that more pages than desired will be
+unmapped. This unnecessary unmapping will cause page faults to
+reestablish the mappings on subsequent page access.
+
+Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: <stable@vger.kernel.org> [4.3]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/hugetlbfs/inode.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index bbc333b01ca3..9c07d2d754c9 100644
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -463,6 +463,7 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
+ */
+ vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) {
+ unsigned long v_offset;
++ unsigned long v_end;
+
+ /*
+ * Can the expression below overflow on 32-bit arches?
+@@ -475,15 +476,17 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
+ else
+ v_offset = 0;
+
+- if (end) {
+- end = ((end - start) << PAGE_SHIFT) +
+- vma->vm_start + v_offset;
+- if (end > vma->vm_end)
+- end = vma->vm_end;
+- } else
+- end = vma->vm_end;
++ if (!end)
++ v_end = vma->vm_end;
++ else {
++ v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT)
++ + vma->vm_start;
++ if (v_end > vma->vm_end)
++ v_end = vma->vm_end;
++ }
+
+- unmap_hugepage_range(vma, vma->vm_start + v_offset, end, NULL);
++ unmap_hugepage_range(vma, vma->vm_start + v_offset, v_end,
++ NULL);
+ }
+ }
+
+--
+2.5.0
+
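Review bot: The new `v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT) + vma->vm_start;` shifts a page offset into a byte address in the same form as the `v_offset` expression that the existing comment in this loop already questions (`Can the expression below overflow on 32-bit arches?`), and the only bound applied afterwards is the upper clamp `if (v_end > vma->vm_end)`. A wrapped result would be small, so it would pass that clamp and shorten the range handed to unmap_hugepage_range() rather than being caught. Either extend the existing comment to cover `v_end` with the reason it cannot wrap, or bound the page count before shifting; at minimum add `/* same 32-bit shift question as v_offset above; v_end is only clamped from above */`. The hunk also does not show whether callers treat `end` as inclusive or exclusive, while the same value feeds `vma_interval_tree_foreach(...)`, so a one-line comment stating which would help. The function starts outside the hunk.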
diff --git a/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch b/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
new file mode 100644
index 000000000..9c517cf49
--- /dev/null
+++ b/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
@@ -0,0 +1,41 @@
+From 67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 Mon Sep 17 00:00:00 2001
+From: Hariprasad S <hariprasad@chelsio.com>
+Date: Fri, 11 Dec 2015 13:59:17 +0530
+Subject: [PATCH] iw_cxgb3: Fix incorrectly returning error on success
+
+The cxgb3_*_send() functions return NET_XMIT_ values, which are
+positive integers values. So don't treat positive return values
+as an error.
+
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+---
+ drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c
+index cb78b1e9bcd9..f504ba73e5dc 100644
+--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
++++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
+@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en
+ error = l2t_send(tdev, skb, l2e);
+ if (error < 0)
+ kfree_skb(skb);
+- return error;
++ return error < 0 ? error : 0;
+ }
+
+ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
+@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
+ error = cxgb3_ofld_send(tdev, skb);
+ if (error < 0)
+ kfree_skb(skb);
+- return error;
++ return error < 0 ? error : 0;
+ }
+
+ static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb)
+--
+2.5.0
+
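Review bot: `return error < 0 ? error : 0;` in iwch_l2t_send() folds every non-negative result into success without a comment, so a reader cannot tell that positive values from l2t_send() are transmit status codes rather than errors; the same line is added to iwch_cxgb3_ofld_send() in the second hunk. A short comment above each return would pin the contract, e.g. `/* NET_XMIT_* results are positive and not failures; only a negative errno is reported to the caller */`. It is also worth checking whether callers test the result with `if (err)` or `if (err < 0)`, since the hunk shows the skb is freed here only on the negative path and a caller that frees again on a non-zero return would be acting on an skb it no longer owns. Both function bodies start outside the hunks.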
diff --git a/kernel.spec b/kernel.spec
index 1e2915c07..fe8efafd9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
%define stable_rc 0
# Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -652,33 +652,15 @@ Patch574: ovl-fix-permission-checking-for-setattr.patch
#CVE-2015-8709 rhbz 1295287 1295288
Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
-#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
-
#CVE-2015-7513 rhbz 1284847 1296142
Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
-#rhbz 1296677
-Patch606: HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
-Patch641: HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
-
#rhbz 1281368
Patch607: drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
-#rhbz 1296820
-Patch608: drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
-
#rhbz 1083853
Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
-#CVE-2015-7566 rhbz 1296466 1297517
-Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch
-
-#rhbz 1298309
-#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
-
-#rhbz 1298996
-Patch625: block-ensure-to-split-after-potentially-bouncing-a-b.patch
-
#rhbz 1298192
Patch626: selinux-fix-bug-in-conditional-rules-handling.patch
@@ -695,9 +677,6 @@ Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
-#CVE-2016-0723 rhbz 1296253 1300224
-Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
-
#rhbz 1279653
Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
@@ -708,7 +687,6 @@ Patch639: netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
#rhbz 1278942
-Patch642: media-Revert-media-ivtv-avoid-going-past-input-audio.patch
Patch643: media-ivtv-avoid-going-past-input-audio-array.patch
#rhbz 1302037
@@ -718,6 +696,24 @@ Patch645: cfg80211-wext-fix-message-ordering.patch
#rhbz 1255325
Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
+#rhbz 1303270
+Patch647: rtlwifi-fix-memory-leak-for-USB-device.patch
+
+#CVE-2016-0617 rhbz 1305803 1305804
+Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
+
+#CVE-2016-2383 rhbz 1308452 1308453
+Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
+
+#rhbz 1306987
+Patch651: Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
+
+#rhbz 1305181 1299901
+Patch652: drm-mgag200-fix-kernel-hang-in-cursor-code.patch
+
+#CVE-2015-8812 rhbz 1303532 1309548
+Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
+
# END OF PATCH DEFINITIONS
%endif
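Review bot: The patch list added here jumps from `Patch648` to `Patch650`, and the %changelog hunk further down records `CVE-2016-2384 double free in usb-audio` (rhbz 1308444 1308445) without a matching `Patch`/`ApplyPatch` line anywhere in this diff; the ApplyPatch hunk that mirrors this one has the same gap. Presumably that fix now arrives with the 4.3.6 stable update, but nothing in the spec says so, which makes it hard to audit whether the CVE is actually covered by this build. The same applies to the CVE-2015-7566 and CVE-2016-0723 patches dropped in the earlier hunks, which the changelog does not mention at all. Once confirmed against the stable changelog, I would record it explicitly, for example `- Drop patches for CVE-2015-7566, CVE-2016-0723 and CVE-2016-2384, included in v4.3.6`.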
@@ -1418,33 +1414,15 @@ ApplyPatch ovl-fix-permission-checking-for-setattr.patch
#CVE-2015-8709 rhbz 1295287 1295288
ApplyPatch ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
-#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
-
#CVE-2015-7513 rhbz 1284847 1296142
ApplyPatch KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
-#rhbz 1296677
-ApplyPatch HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
-ApplyPatch HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
-
#rhbz 1281368
ApplyPatch drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
-#rhbz 1296820
-ApplyPatch drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
-
#rhbz 1083853
ApplyPatch PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
-#CVE-2015-7566 rhbz 1296466 1297517
-ApplyPatch usb-serial-visor-fix-crash-on-detecting-device-witho.patch
-
-#rhbz 1298309
-#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
-
-#rhbz 1298996
-ApplyPatch block-ensure-to-split-after-potentially-bouncing-a-b.patch
-
#rhbz 1298192
ApplyPatch selinux-fix-bug-in-conditional-rules-handling.patch
@@ -1461,9 +1439,6 @@ ApplyPatch SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
ApplyPatch btrfs-handle-invalid-num_stripes-in-sys_array.patch
ApplyPatch Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
-#CVE-2016-0723 rhbz 1296253 1300224
-ApplyPatch tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
-
#rhbz 1279653
ApplyPatch rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
@@ -1474,7 +1449,6 @@ ApplyPatch netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
ApplyPatch PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
#rhbz 1278942
-ApplyPatch media-Revert-media-ivtv-avoid-going-past-input-audio.patch
ApplyPatch media-ivtv-avoid-going-past-input-audio-array.patch
#rhbz 1302037
@@ -1484,6 +1458,24 @@ ApplyPatch cfg80211-wext-fix-message-ordering.patch
#rhbz 1255325
ApplyPatch HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
+#rhbz 1303270
+ApplyPatch rtlwifi-fix-memory-leak-for-USB-device.patch
+
+#CVE-2016-0617 rhbz 1305803 1305804
+ApplyPatch fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
+
+#CVE-2016-2383 rhbz 1308452 1308453
+ApplyPatch bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
+
+#rhbz 1306987
+ApplyPatch Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
+
+#rhbz 1305181 1299901
+ApplyPatch drm-mgag200-fix-kernel-hang-in-cursor-code.patch
+
+#CVE-2015-8812 rhbz 1303532 1309548
+ApplyPatch iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2333,6 +2325,28 @@ fi
#
#
%changelog
+* Sat Feb 20 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.6-200
+- Linux v4.3.6
+
+* Thu Feb 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8812 cxgb3 use after free (rhbz 1303532 1309548)
+
+* Wed Feb 17 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Backport mgag200 cursor hang fix (rhbz 1305181 1299901)
+
+* Tue Feb 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Backport fix for elantech touchpads (rhbz 1306987)
+
+* Mon Feb 15 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-2383 incorrect branch fixups for eBPG allow arbitrary reads (rhbz 1308452 1308453)
+- CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445)
+
+* Tue Feb 09 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-0617 fix hugetlbfs inode.c issues (rhbz 1305803 1305804)
+
+* Tue Feb 02 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Backport patch to fix memory leak in rtlwifi USB devices (rhbz 1303270)
+
* Sun Jan 31 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.5-200
- Linux v4.3.5
diff --git a/media-Revert-media-ivtv-avoid-going-past-input-audio.patch b/media-Revert-media-ivtv-avoid-going-past-input-audio.patch
deleted file mode 100644
index 7c00071c6..000000000
--- a/media-Revert-media-ivtv-avoid-going-past-input-audio.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 823873481b2a17ce5900899f8ef85118f8407b67 Mon Sep 17 00:00:00 2001
-From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-Date: Wed, 11 Nov 2015 09:22:36 -0200
-Subject: [PATCH] [media] Revert "[media] ivtv: avoid going past input/audio
- array"
-
-This patch broke ivtv logic, as reported at
- https://bugzilla.redhat.com/show_bug.cgi?id=1278942
-
-This reverts commit 09290cc885937cab3b2d60a6d48fe3d2d3e04061.
-
-Cc: stable@vger.kernel.org # for v4.1 and upper
-Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
----
- drivers/media/pci/ivtv/ivtv-driver.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
-index 8616fa8193bc..c2e60b4f292d 100644
---- a/drivers/media/pci/ivtv/ivtv-driver.c
-+++ b/drivers/media/pci/ivtv/ivtv-driver.c
-@@ -805,11 +805,11 @@ static void ivtv_init_struct2(struct ivtv *itv)
- {
- int i;
-
-- for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS - 1; i++)
-+ for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS; i++)
- if (itv->card->video_inputs[i].video_type == 0)
- break;
- itv->nof_inputs = i;
-- for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS - 1; i++)
-+ for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS; i++)
- if (itv->card->audio_inputs[i].audio_type == 0)
- break;
- itv->nof_audio_inputs = i;
---
-2.5.0
-
diff --git a/rtlwifi-fix-memory-leak-for-USB-device.patch b/rtlwifi-fix-memory-leak-for-USB-device.patch
new file mode 100644
index 000000000..8c06c863a
--- /dev/null
+++ b/rtlwifi-fix-memory-leak-for-USB-device.patch
@@ -0,0 +1,36 @@
+From 17bc55864f81dd730d05f09b1641312a7990d636 Mon Sep 17 00:00:00 2001
+From: Peter Wu <peter@lekensteyn.nl>
+Date: Mon, 7 Dec 2015 01:07:31 +0100
+Subject: [PATCH] rtlwifi: fix memory leak for USB device
+
+Free skb for received frames with a wrong checksum. This can happen
+pretty rapidly, exhausting all memory.
+
+This fixes a memleak (detected with kmemleak). Originally found while
+using monitor mode, but it also appears during managed mode (once the
+link is up).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ACKed-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/rtlwifi/usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/rtlwifi/usb.c b/drivers/net/wireless/rtlwifi/usb.c
+index 2721cf8..aac1ed3 100644
+--- a/drivers/net/wireless/rtlwifi/usb.c
++++ b/drivers/net/wireless/rtlwifi/usb.c
+@@ -531,6 +531,8 @@ static void _rtl_usb_rx_process_noagg(struct ieee80211_hw *hw,
+ ieee80211_rx(hw, skb);
+ else
+ dev_kfree_skb_any(skb);
++ } else {
++ dev_kfree_skb_any(skb);
+ }
+ }
+
+--
+2.5.0
+
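Review bot: The `else` branch added to `_rtl_usb_rx_process_noagg` frees the skb without a comment saying which frames end up there; the `if` it closes opens above the hunk, so the condition is known only from the commit message (frames with a wrong checksum). A one-line comment on the new branch, for example `/* bad checksum: drop the frame, otherwise the skb leaks */`, would keep the reason next to the code. Because the message says received frames alone can exhaust all memory through this leak, it is also worth checking that no other early exit in this function, outside the hunk, leaves the skb unfreed.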
diff --git a/sources b/sources
index 7a5dea205..a7e5f25bf 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz
7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz
-4786a4b42da54527d6ca0d1fc1f0fade patch-4.3.5.xz
+d31631a3d05d66054fbb988f05ddfa6d patch-4.3.6.xz
diff --git a/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch b/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
deleted file mode 100644
index d169105db..000000000
--- a/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001
-From: Peter Hurley <peter@hurleysoftware.com>
-Date: Sun, 10 Jan 2016 22:40:55 -0800
-Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
-
-ioctl(TIOCGETD) retrieves the line discipline id directly from the
-ldisc because the line discipline id (c_line) in termios is untrustworthy;
-userspace may have set termios via ioctl(TCSETS*) without actually
-changing the line discipline via ioctl(TIOCSETD).
-
-However, directly accessing the current ldisc via tty->ldisc is
-unsafe; the ldisc ptr dereferenced may be stale if the line discipline
-is changing via ioctl(TIOCSETD) or hangup.
-
-Wait for the line discipline reference (just like read() or write())
-to retrieve the "current" line discipline id.
-
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
----
- drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index f435977de740..bd4027e36910 100644
---- a/drivers/tty/tty_io.c
-+++ b/drivers/tty/tty_io.c
-@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
- }
-
- /**
-+ * tiocgetd - get line discipline
-+ * @tty: tty device
-+ * @p: pointer to user data
-+ *
-+ * Retrieves the line discipline id directly from the ldisc.
-+ *
-+ * Locking: waits for ldisc reference (in case the line discipline
-+ * is changing or the tty is being hungup)
-+ */
-+
-+static int tiocgetd(struct tty_struct *tty, int __user *p)
-+{
-+ struct tty_ldisc *ld;
-+ int ret;
-+
-+ ld = tty_ldisc_ref_wait(tty);
-+ ret = put_user(ld->ops->num, p);
-+ tty_ldisc_deref(ld);
-+ return ret;
-+}
-+
-+/**
- * send_break - performed time break
- * @tty: device to break on
- * @duration: timeout in mS
-@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- case TIOCGSID:
- return tiocgsid(tty, real_tty, p);
- case TIOCGETD:
-- return put_user(tty->ldisc->ops->num, (int __user *)p);
-+ return tiocgetd(tty, p);
- case TIOCSETD:
- return tiocsetd(tty, p);
- case TIOCVHANGUP:
---
-2.5.0
-
diff --git a/usb-serial-visor-fix-crash-on-detecting-device-witho.patch b/usb-serial-visor-fix-crash-on-detecting-device-witho.patch
deleted file mode 100644
index ddd4fc5b9..000000000
--- a/usb-serial-visor-fix-crash-on-detecting-device-witho.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From b2476fe4c16be5c2b7ee950e50677cfaa9ab9bae Mon Sep 17 00:00:00 2001
-From: Vladis Dronov <vdronov@redhat.com>
-Date: Tue, 12 Jan 2016 14:10:50 -0500
-Subject: [PATCH] usb: serial: visor: fix crash on detecting device without
- write_urbs
-
-The visor driver crashes in clie_5_attach() when a specially crafted USB
-device without bulk-out endpoint is detected. This fix adds a check that
-the device has proper configuration expected by the driver.
-
-Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
-Signed-off-by: Vladis Dronov <vdronov@redhat.com>
----
- drivers/usb/serial/visor.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
-index 60afb39eb73c..bbc90c059002 100644
---- a/drivers/usb/serial/visor.c
-+++ b/drivers/usb/serial/visor.c
-@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_serial *serial)
- */
-
- /* some sanity check */
-- if (serial->num_ports < 2)
-- return -1;
-+ if (serial->num_bulk_out < 2) {
-+ dev_err(&serial->interface->dev, "missing bulk out endpoints\n");
-+ return -ENODEV;
-+ }
-
- /* port 0 now uses the modified endpoint Address */
- port = serial->port[0];
---
-2.5.0
-