Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.5.7-200.vanilla.knurd.1.fc23

5 files changed, 78 insertions, 232 deletions

diff --git a/antenna_select.patch b/antenna_select.patch
deleted file mode 100644
index 15763e9bc..000000000
--- a/antenna_select.patch
+++ /dev/null
@@ -1,227 +0,0 @@
-From c18d8f5095715c56bb3cd9cba64242542632054b Mon Sep 17 00:00:00 2001
-From: Larry Finger <Larry.Finger@lwfinger.net>
-Date: Wed, 16 Mar 2016 13:33:34 -0500
-Subject: rtlwifi: rtl8723be: Add antenna select module parameter
-
-A number of new laptops have been delivered with only a single antenna.
-In principle, this is OK; however, a problem arises when the on-board
-EEPROM is programmed to use the other antenna connection. The option
-of opening the computer and moving the connector is not always possible
-as it will void the warranty in some cases. In addition, this solution
-breaks the Windows driver when the box dual boots Linux and Windows.
-
-A fix involving a new module parameter has been developed.  This commit
-adds the new parameter and implements the changes needed for the driver.
-
-Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Stable <stable@vger.kernel.org> [V4.0+]
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c | 5 +++++
- drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c | 3 +++
- drivers/net/wireless/realtek/rtlwifi/wifi.h         | 3 +++
- 3 files changed, 11 insertions(+)
-
-diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
-index c983d2f..5a3df91 100644
---- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
-+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
-@@ -2684,6 +2684,7 @@ void rtl8723be_read_bt_coexist_info_from_hwpg(struct ieee80211_hw *hw,
- 					      bool auto_load_fail, u8 *hwinfo)
- {
- 	struct rtl_priv *rtlpriv = rtl_priv(hw);
-+	struct rtl_mod_params *mod_params = rtlpriv->cfg->mod_params;
- 	u8 value;
- 	u32 tmpu_32;
- 
-@@ -2702,6 +2703,10 @@ void rtl8723be_read_bt_coexist_info_from_hwpg(struct ieee80211_hw *hw,
- 		rtlpriv->btcoexist.btc_info.ant_num = ANT_X2;
- 	}
- 
-+	/* override ant_num / ant_path */
-+	if (mod_params->ant_sel)
-+		rtlpriv->btcoexist.btc_info.ant_num =
-+			(mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1);
- }
- 
- void rtl8723be_bt_reg_init(struct ieee80211_hw *hw)
-diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c
-index a78eaed..2101793 100644
---- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c
-+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c
-@@ -273,6 +273,7 @@ static struct rtl_mod_params rtl8723be_mod_params = {
- 	.msi_support = false,
- 	.disable_watchdog = false,
- 	.debug = DBG_EMERG,
-+	.ant_sel = 0,
- };
- 
- static struct rtl_hal_cfg rtl8723be_hal_cfg = {
-@@ -394,6 +395,7 @@ module_param_named(fwlps, rtl8723be_mod_params.fwctrl_lps, bool, 0444);
- module_param_named(msi, rtl8723be_mod_params.msi_support, bool, 0444);
- module_param_named(disable_watchdog, rtl8723be_mod_params.disable_watchdog,
- 		   bool, 0444);
-+module_param_named(ant_sel, rtl8723be_mod_params.ant_sel, int, 0444);
- MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n");
- MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n");
- MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n");
-@@ -402,6 +404,7 @@ MODULE_PARM_DESC(msi, "Set to 1 to use MSI interrupts mode (default 0)\n");
- MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)");
- MODULE_PARM_DESC(disable_watchdog,
- 		 "Set to 1 to disable the watchdog (default 0)\n");
-+MODULE_PARM_DESC(ant_sel, "Set to 1 or 2 to force antenna number (default 0)\n");
- 
- static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, rtl_pci_suspend, rtl_pci_resume);
- 
-diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
-index 554d814..93bd7fc 100644
---- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
-+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
-@@ -2246,6 +2246,9 @@ struct rtl_mod_params {
- 
- 	/* default 0: 1 means do not disable interrupts */
- 	bool int_clear;
-+
-+	/* select antenna */
-+	int ant_sel;
- };
- 
- struct rtl_hal_usbint_cfg {
--- 
-cgit v0.12
-
-From baa1702290953295e421f0f433e2b1ff4815827c Mon Sep 17 00:00:00 2001
-From: Larry Finger <Larry.Finger@lwfinger.net>
-Date: Wed, 16 Mar 2016 13:33:35 -0500
-Subject: rtlwifi: btcoexist: Implement antenna selection
-
-The previous patch added an option to rtl8723be to manually select the
-antenna for those cases when only a single antenna is present, and the
-on-board EEPROM is incorrectly programmed. This patch implements the
-necessary changes in the Bluetooth coexistence driver.
-
-Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Stable <stable@vger.kernel.org> [V4.0+]
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- .../realtek/rtlwifi/btcoexist/halbtc8723b2ant.c    |  9 ++++++--
- .../realtek/rtlwifi/btcoexist/halbtcoutsrc.c       | 27 +++++++++++++++++++++-
- .../realtek/rtlwifi/btcoexist/halbtcoutsrc.h       |  2 +-
- .../wireless/realtek/rtlwifi/btcoexist/rtl_btc.c   |  5 +++-
- 4 files changed, 38 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c
-index c43ab59..77cbd10 100644
---- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c
-+++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c
-@@ -1203,7 +1203,6 @@ static void btc8723b2ant_set_ant_path(struct btc_coexist *btcoexist,
- 
- 		/* Force GNT_BT to low */
- 		btcoexist->btc_write_1byte_bitmask(btcoexist, 0x765, 0x18, 0x0);
--		btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0);
- 
- 		if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT) {
- 			/* tell firmware "no antenna inverse" */
-@@ -1211,19 +1210,25 @@ static void btc8723b2ant_set_ant_path(struct btc_coexist *btcoexist,
- 			h2c_parameter[1] = 1;  /* ext switch type */
- 			btcoexist->btc_fill_h2c(btcoexist, 0x65, 2,
- 						h2c_parameter);
-+			btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0);
- 		} else {
- 			/* tell firmware "antenna inverse" */
- 			h2c_parameter[0] = 1;
- 			h2c_parameter[1] = 1;  /* ext switch type */
- 			btcoexist->btc_fill_h2c(btcoexist, 0x65, 2,
- 						h2c_parameter);
-+			btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280);
- 		}
- 	}
- 
- 	/* ext switch setting */
- 	if (use_ext_switch) {
- 		/* fixed internal switch S1->WiFi, S0->BT */
--		btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0);
-+		if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT)
-+			btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0);
-+		else
-+			btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280);
-+
- 		switch (antpos_type) {
- 		case BTC_ANT_WIFI_AT_MAIN:
- 			/* ext switch main at wifi */
-diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
-index b2791c8..babd149 100644
---- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
-+++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
-@@ -965,13 +965,38 @@ void exhalbtc_set_chip_type(u8 chip_type)
- 	}
- }
- 
--void exhalbtc_set_ant_num(u8 type, u8 ant_num)
-+void exhalbtc_set_ant_num(struct rtl_priv *rtlpriv, u8 type, u8 ant_num)
- {
- 	if (BT_COEX_ANT_TYPE_PG == type) {
- 		gl_bt_coexist.board_info.pg_ant_num = ant_num;
- 		gl_bt_coexist.board_info.btdm_ant_num = ant_num;
-+		/* The antenna position:
-+		 * Main (default) or Aux for pgAntNum=2 && btdmAntNum =1.
-+		 * The antenna position should be determined by
-+		 * auto-detect mechanism.
-+		 * The following is assumed to main,
-+		 * and those must be modified
-+		 * if y auto-detect mechanism is ready
-+		 */
-+		if ((gl_bt_coexist.board_info.pg_ant_num == 2) &&
-+		    (gl_bt_coexist.board_info.btdm_ant_num == 1))
-+			gl_bt_coexist.board_info.btdm_ant_pos =
-+						       BTC_ANTENNA_AT_MAIN_PORT;
-+		else
-+			gl_bt_coexist.board_info.btdm_ant_pos =
-+						       BTC_ANTENNA_AT_MAIN_PORT;
- 	} else if (BT_COEX_ANT_TYPE_ANTDIV == type) {
- 		gl_bt_coexist.board_info.btdm_ant_num = ant_num;
-+		gl_bt_coexist.board_info.btdm_ant_pos =
-+						       BTC_ANTENNA_AT_MAIN_PORT;
-+	} else if (type == BT_COEX_ANT_TYPE_DETECTED) {
-+		gl_bt_coexist.board_info.btdm_ant_num = ant_num;
-+		if (rtlpriv->cfg->mod_params->ant_sel == 1)
-+			gl_bt_coexist.board_info.btdm_ant_pos =
-+				BTC_ANTENNA_AT_AUX_PORT;
-+		else
-+			gl_bt_coexist.board_info.btdm_ant_pos =
-+				BTC_ANTENNA_AT_MAIN_PORT;
- 	}
- }
- 
-diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h
-index 0a903ea..f41ca57 100644
---- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h
-+++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h
-@@ -535,7 +535,7 @@ void exhalbtc_set_bt_patch_version(u16 bt_hci_version, u16 bt_patch_version);
- void exhalbtc_update_min_bt_rssi(char bt_rssi);
- void exhalbtc_set_bt_exist(bool bt_exist);
- void exhalbtc_set_chip_type(u8 chip_type);
--void exhalbtc_set_ant_num(u8 type, u8 ant_num);
-+void exhalbtc_set_ant_num(struct rtl_priv *rtlpriv, u8 type, u8 ant_num);
- void exhalbtc_display_bt_coex_info(struct btc_coexist *btcoexist);
- void exhalbtc_signal_compensation(struct btc_coexist *btcoexist,
- 				  u8 *rssi_wifi, u8 *rssi_bt);
-diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c b/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c
-index b9b0cb7..d3fd921 100644
---- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c
-+++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c
-@@ -72,7 +72,10 @@ void rtl_btc_init_hal_vars(struct rtl_priv *rtlpriv)
- 		 __func__, bt_type);
- 	exhalbtc_set_chip_type(bt_type);
- 
--	exhalbtc_set_ant_num(BT_COEX_ANT_TYPE_PG, ant_num);
-+	if (rtlpriv->cfg->mod_params->ant_sel == 1)
-+		exhalbtc_set_ant_num(rtlpriv, BT_COEX_ANT_TYPE_DETECTED, 1);
-+	else
-+		exhalbtc_set_ant_num(rtlpriv, BT_COEX_ANT_TYPE_PG, ant_num);
- }
- 
- void rtl_btc_init_hw_config(struct rtl_priv *rtlpriv)
--- 
-cgit v0.12
-
diff --git a/kernel.spec b/kernel.spec
index ea69f8061..9cef83df9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -60,7 +60,7 @@ Summary: The Linux kernel
 
 
 # Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 7
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -648,9 +648,6 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 # CVE-2016-3672 rhbz 1324749 1324750
 Patch689: x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch
 
-#rhbz 1309487
-Patch701: antenna_select.patch
-
 #rhbz 1302071
 Patch702: x86-build-Build-compressed-x86-kernels-as-PIE.patch
 
@@ -677,6 +674,12 @@ Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
 #CVE-2016-4951 rhbz 1338625 1338626
 Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch
 
+#CVE-2016-5243 rhbz 1343338 1343335
+Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
+
+#CVE-2016-5244 rhbz 1343338 1343337
+Patch722: rds-fix-an-infoleak-in-rds_inc_info_copy.txt
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2197,6 +2200,13 @@ fi
 #
 # 
 %changelog
+* Wed Jun 08 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.5.7-200
+- Linux v4.5.7
+
+* Tue Jun 07 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-5244 info leak in rds (rhbz 1343338 1343337)
+- CVE-2016-5243 info leak in tipc (rhbz 1343338 1343335)
+
 * Wed Jun 01 2016 Justin M. Forbes <jforbes@fedoraproject.org> 4.5.6-200
 - Linux v4.5.6
 
diff --git a/rds-fix-an-infoleak-in-rds_inc_info_copy.txt b/rds-fix-an-infoleak-in-rds_inc_info_copy.txt
new file mode 100644
index 000000000..a9b1e49fe
--- /dev/null
+++ b/rds-fix-an-infoleak-in-rds_inc_info_copy.txt
@@ -0,0 +1,31 @@
+From 4116def2337991b39919f3b448326e21c40e0dbb Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Thu, 2 Jun 2016 04:11:20 -0400
+Subject: rds: fix an infoleak in rds_inc_info_copy
+
+The last field "flags" of object "minfo" is not initialized.
+Copying this object out may leak kernel stack data.
+Assign 0 to it to avoid leak.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/rds/recv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/rds/recv.c b/net/rds/recv.c
+index c0be1ec..8413f6c 100644
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -561,5 +561,7 @@ void rds_inc_info_copy(struct rds_incoming *inc,
+ 		minfo.fport = inc->i_hdr.h_dport;
+ 	}
+ 
++	minfo.flags = 0;
++
+ 	rds_info_copy(iter, &minfo, sizeof(minfo));
+ }
+-- 
+cgit v0.12
+
diff --git a/sources b/sources
index 51db1cae0..e9b1da3a8 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 a60d48eee08ec0536d5efb17ca819aef  linux-4.5.tar.xz
 6f557fe90b800b615c85c2ca04da6154  perf-man-4.5.tar.gz
-165ea1f74c34d264f11be8c25d97635b  patch-4.5.6.xz
+5405f81eacd09def60777b0e0f0a1cb5  patch-4.5.7.xz
diff --git a/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch b/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
new file mode 100644
index 000000000..9cd7c09a3
--- /dev/null
+++ b/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
@@ -0,0 +1,32 @@
+From 5d2be1422e02ccd697ccfcd45c85b4a26e6178e2 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Thu, 2 Jun 2016 04:04:56 -0400
+Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump
+
+link_info.str is a char array of size 60. Memory after the NULL
+byte is not initialized. Sending the whole object out can cause
+a leak.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/tipc/netlink_compat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index f795b1d..3ad9fab 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -604,7 +604,8 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
+ 
+ 	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
+ 	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
+-	strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
++	nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]),
++		    TIPC_MAX_LINK_NAME);
+ 
+ 	return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO,
+ 			    &link_info, sizeof(link_info));
+-- 
+cgit v0.12
+