Merge remote-tracking branch 'origin/master' into f23-user-thl-vanilla-rawhidekernel-4.6.0-0.rc7.git2.1.vanilla.knurd.1.fc23

author: Thorsten Leemhuis <fedora@leemhuis.info> 2016-05-12 07:39:55 +0200
committer: Thorsten Leemhuis <fedora@leemhuis.info> 2016-05-12 07:39:55 +0200
commit: 171b44affdc898193cef44f0cf487fa0caca3aef (patch)
tree: 11c9e945beefb9bf5d61cc32d62d7e719b6287d6
parent: d388d4090f334780614c0977ce1a74d47060bd99 (diff)
parent: 4f98eabc018bd4dfce36e8f7121f8c3951f56853 (diff)
download: kernel-4.6.0-0.rc7.git2.1.vanilla.knurd.1.fc23.tar.gz
kernel-4.6.0-0.rc7.git2.1.vanilla.knurd.1.fc23.tar.xz
kernel-4.6.0-0.rc7.git2.1.vanilla.knurd.1.fc23.zip
10 files changed, 121 insertions, 89 deletions
diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
new file mode 100644
index 000000000..3eb8bf183
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
@@ -0,0 +1,33 @@
+From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 6469bedda2f3..964f5ebf495e 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
+ 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ 		if (tu->tread) {
+ 			struct snd_timer_tread tread;
++			memset(&tread, 0, sizeof(tread));
+ 			tread.event = SNDRV_TIMER_EVENT_EARLY;
+ 			tread.tstamp.tv_sec = 0;
+ 			tread.tstamp.tv_nsec = 0;
+-- 
+2.5.5
+
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
new file mode 100644
index 000000000..e6f46f8a8
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
@@ -0,0 +1,34 @@
+From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
+ snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 964f5ebf495e..e98fa5feb731 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
+ 		tu->tstamp = *tstamp;
+ 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ 		return;
++	memset(&r1, 0, sizeof(r1));
+ 	r1.event = event;
+ 	r1.tstamp = *tstamp;
+ 	r1.val = resolution;
+-- 
+2.5.5
+
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
new file mode 100644
index 000000000..7851c55a2
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
@@ -0,0 +1,34 @@
+From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
+ snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index e98fa5feb731..c69a27155433 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
+ 	}
+ 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ 	    tu->last_resolution != resolution) {
++		memset(&r1, 0, sizeof(r1));
+ 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ 		r1.tstamp = tstamp;
+ 		r1.val = resolution;
+-- 
+2.5.5
+
diff --git a/config-generic b/config-generic
index 4a5879d23..6e2c632f9 100644
--- a/config-generic
+++ b/config-generic
@@ -1707,6 +1707,7 @@ CONFIG_MLX4_INFINIBAND=m
 CONFIG_MLX5_CORE=m
 CONFIG_MLX5_CORE_EN=y
 CONFIG_MLX5_CORE_EN_DCB=y
+CONFIG_MLX5_CORE_EN_VXLAN=y
 CONFIG_MLX5_INFINIBAND=m
 CONFIG_MLXSW_CORE=m
 CONFIG_MLXSW_CORE_HWMON=y
diff --git a/config-x86-generic b/config-x86-generic
index d21a99f58..06ddcd1a0 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -317,8 +317,8 @@ CONFIG_INPUT_XEN_KBDDEV_FRONTEND=m
 CONFIG_XEN_SELFBALLOONING=y
 CONFIG_XEN_PCIDEV_BACKEND=m
 CONFIG_XEN_ACPI_PROCESSOR=m
-# CONFIG_XEN_SCSI_FRONTEND is not set
-# CONFIG_XEN_SCSI_BACKEND is not set
+CONFIG_XEN_SCSI_FRONTEND=m
+CONFIG_XEN_SCSI_BACKEND=m
 CONFIG_XEN_SYMS=y
 
 CONFIG_SPI=y
diff --git a/gitrev b/gitrev
index 9e88e8850..ab0d61ef3 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-9caa7e78481f17fb6ff77dfaca774998e7440430
+c5114626f33b62fa7595e57d87f33d9d1f8298a2
diff --git a/kernel.spec b/kernel.spec
index e435aeb39..dff7856dc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -77,7 +77,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 7
 # The git snapshot level
-%define gitrev 0
+%define gitrev 2
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -631,9 +631,10 @@ Patch701: antenna_select.patch
 #CVE-2016-4482 rhbz 1332931 1332932
 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
 
-#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321
-Patch707: net-fix-infoleak-in-llc.patch
-Patch708: net-fix-infoleak-in-rtnetlink.patch
+#CVE-2016-4569 rhbz 1334643 1334645
+Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
+Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
+Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -2163,6 +2164,16 @@ fi
 #
 # 
 %changelog
+* Wed May 11 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git2.1
+- Linux v4.6-rc7-55-gc5114626f33b
+
+* Tue May 10 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git1.1
+- Linux v4.6-rc7-45-g2d0bd9534c8d
+
+* Tue May 10 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Enable XEN SCSI front and backend (rhbz 1334512)
+- CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645)
+
 * Mon May 09 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git0.1
 - Linux v4.6-rc7
 
diff --git a/net-fix-infoleak-in-llc.patch b/net-fix-infoleak-in-llc.patch
deleted file mode 100644
index 38f0d506a..000000000
--- a/net-fix-infoleak-in-llc.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:35:05 -0400
-Subject: [PATCH 2/2] net: fix infoleak in llc
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “info” has a total size of 12 bytes. Its last byte
-is padding which is not initialized and leaked via “put_cmsg”.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/llc/af_llc.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
-index b3c52e3f689a..8ae3ed97d95c 100644
---- a/net/llc/af_llc.c
-+++ b/net/llc/af_llc.c
-@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
- 	if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
- 		struct llc_pktinfo info;
- 
-+		memset(&info, 0, sizeof(info));
- 		info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
- 		llc_pdu_decode_dsap(skb, &info.lpi_sap);
- 		llc_pdu_decode_da(skb, info.lpi_mac);
--- 
-2.5.5
-
diff --git a/net-fix-infoleak-in-rtnetlink.patch b/net-fix-infoleak-in-rtnetlink.patch
deleted file mode 100644
index 0da35108d..000000000
--- a/net-fix-infoleak-in-rtnetlink.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:46:24 -0400
-Subject: [PATCH 1/2] net: fix infoleak in rtnetlink
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “map” has a total size of 32 bytes. Its last 4
-bytes are padding generated by compiler. These padding bytes are
-not initialized and sent out via “nla_put”.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/core/rtnetlink.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index a75f7e94b445..65763c29f845 100644
---- a/net/core/rtnetlink.c
-+++ b/net/core/rtnetlink.c
-@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
- 
- static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
- {
--	struct rtnl_link_ifmap map = {
--		.mem_start   = dev->mem_start,
--		.mem_end     = dev->mem_end,
--		.base_addr   = dev->base_addr,
--		.irq         = dev->irq,
--		.dma         = dev->dma,
--		.port        = dev->if_port,
--	};
-+	struct rtnl_link_ifmap map;
-+
-+	memset(&map, 0, sizeof(map));
-+	map.mem_start   = dev->mem_start;
-+	map.mem_end     = dev->mem_end;
-+	map.base_addr   = dev->base_addr;
-+	map.irq         = dev->irq;
-+	map.dma         = dev->dma;
-+	map.port        = dev->if_port;
-+
- 	if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
- 		return -EMSGSIZE;
- 
--- 
-2.5.5
-
diff --git a/sources b/sources
index 285fb2d9a..51ab1f052 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
 a60d48eee08ec0536d5efb17ca819aef  linux-4.5.tar.xz
 6f557fe90b800b615c85c2ca04da6154  perf-man-4.5.tar.gz
 2089df8a0f142e2a1cdcaca0f133e47d  patch-4.6-rc7.xz
+9c27262cc4c500a0b9b6727b257717c7  patch-4.6-rc7-git2.xz
author	Thorsten Leemhuis <fedora@leemhuis.info>	2016-05-12 07:39:55 +0200
committer	Thorsten Leemhuis <fedora@leemhuis.info>	2016-05-12 07:39:55 +0200
commit	171b44affdc898193cef44f0cf487fa0caca3aef (patch)
tree	11c9e945beefb9bf5d61cc32d62d7e719b6287d6
parent	d388d4090f334780614c0977ce1a74d47060bd99 (diff)
parent	4f98eabc018bd4dfce36e8f7121f8c3951f56853 (diff)
download	kernel-4.6.0-0.rc7.git2.1.vanilla.knurd.1.fc23.tar.gz kernel-4.6.0-0.rc7.git2.1.vanilla.knurd.1.fc23.tar.xz kernel-4.6.0-0.rc7.git2.1.vanilla.knurd.1.fc23.zip