diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-03-24 08:39:32 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-03-24 08:39:32 +0100 |
commit | 8aa57a5d9e615672c90540dd1959c7cd6140b170 (patch) | |
tree | a915abc11913094c309103b0311948176fa426f7 | |
parent | d16730fbc1fc2354558f9fddfd8534681e5b8a43 (diff) | |
parent | 4d5b4fb36b4d5a01b2267e5c39ba650ce04aca40 (diff) | |
download | kernel-8aa57a5d9e615672c90540dd1959c7cd6140b170.tar.gz kernel-8aa57a5d9e615672c90540dd1959c7cd6140b170.tar.xz kernel-8aa57a5d9e615672c90540dd1959c7cd6140b170.zip |
Merge remote-tracking branch 'origin/master'
-rw-r--r-- | ALSA-hda-Fix-forgotten-HDMI-monitor_present-update.patch | 31 | ||||
-rw-r--r-- | ALSA-hda-Fix-spurious-kernel-WARNING-on-Baytrail-HDM.patch | 44 | ||||
-rw-r--r-- | ALSA-hda-Really-restrict-i915-notifier-to-HSW.patch | 80 | ||||
-rw-r--r-- | Initial-AllWinner-A64-and-PINE64-support.patch | 4 | ||||
-rw-r--r-- | Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch | 107 | ||||
-rw-r--r-- | config-arm-generic | 4 | ||||
-rw-r--r-- | config-armv7 | 2 | ||||
-rw-r--r-- | config-armv7-generic | 7 | ||||
-rw-r--r-- | config-armv7-lpae | 3 | ||||
-rw-r--r-- | config-generic | 8 | ||||
-rw-r--r-- | digi_acceleport-do-sanity-checking-for-the-number-of.patch | 58 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | input-gtco-fix-crash-on-detecting-device-without-end.patch | 49 | ||||
-rw-r--r-- | kernel.spec | 38 | ||||
-rw-r--r-- | mct_u232-sanity-checking-in-probe.patch | 35 | ||||
-rw-r--r-- | sources | 2 |
16 files changed, 295 insertions, 179 deletions
diff --git a/ALSA-hda-Fix-forgotten-HDMI-monitor_present-update.patch b/ALSA-hda-Fix-forgotten-HDMI-monitor_present-update.patch deleted file mode 100644 index 892cd5b77..000000000 --- a/ALSA-hda-Fix-forgotten-HDMI-monitor_present-update.patch +++ /dev/null @@ -1,31 +0,0 @@ -From e36b3efcd07ab5c323e82319577d972ebddcbed1 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai <tiwai@suse.de> -Date: Fri, 18 Mar 2016 18:01:53 +0100 -Subject: [PATCH 2/3] ALSA: hda - Fix forgotten HDMI monitor_present update - -We forgot to copy monitor_present value when updating the ELD -information. This won't change the ELD retrieval and the jack -notification behavior, but appears only in the proc output. In that -sense, it's no fatal error, but a bug is a bug is a bug. - -Cc: <stable@vger.kernel.org> -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - sound/pci/hda/patch_hdmi.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c -index 8cdb804aa9cf..e7d9453ecd10 100644 ---- a/sound/pci/hda/patch_hdmi.c -+++ b/sound/pci/hda/patch_hdmi.c -@@ -1358,6 +1358,7 @@ static void update_eld(struct hda_codec *codec, - eld->eld_size) != 0) - eld_changed = true; - -+ pin_eld->monitor_present = eld->monitor_present; - pin_eld->eld_valid = eld->eld_valid; - pin_eld->eld_size = eld->eld_size; - if (eld->eld_valid) --- -2.5.0 - diff --git a/ALSA-hda-Fix-spurious-kernel-WARNING-on-Baytrail-HDM.patch b/ALSA-hda-Fix-spurious-kernel-WARNING-on-Baytrail-HDM.patch deleted file mode 100644 index 5c9bda87c..000000000 --- a/ALSA-hda-Fix-spurious-kernel-WARNING-on-Baytrail-HDM.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 1f2109de8368f08a353d7862f462b943a5ac4b4a Mon Sep 17 00:00:00 2001 -From: Takashi Iwai <tiwai@suse.de> -Date: Fri, 18 Mar 2016 19:45:13 +0100 -Subject: [PATCH 3/3] ALSA: hda - Fix spurious kernel WARNING on Baytrail HDMI -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -snd_hdac_sync_audio_rate() call is mandatory only for HSW and later -models, but we call the function unconditionally blindly assuming that -the function doesn't do anything harmful. But since recently, the -function checks the validity of the passed pin NID, and eventually -spews the warning if an unexpected pin is passed. This is seen on old -chips like Baytrail. - -The fix is to limit the call of this function again only for the chips -with the proper binding. This can be identified by the same flag as -the eld notifier. - -Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com> -Tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com> -Cc: <stable@vger.kernel.org> # v4.5 -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - sound/pci/hda/patch_hdmi.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c -index e7d9453ecd10..56d3575ee6cc 100644 ---- a/sound/pci/hda/patch_hdmi.c -+++ b/sound/pci/hda/patch_hdmi.c -@@ -1741,7 +1741,8 @@ static int generic_hdmi_playback_pcm_prepare(struct hda_pcm_stream *hinfo, - - /* Call sync_audio_rate to set the N/CTS/M manually if necessary */ - /* Todo: add DP1.2 MST audio support later */ -- snd_hdac_sync_audio_rate(&codec->bus->core, pin_nid, runtime->rate); -+ if (codec_has_acomp(codec)) -+ snd_hdac_sync_audio_rate(&codec->bus->core, pin_nid, runtime->rate); - - non_pcm = check_non_pcm_per_cvt(codec, cvt_nid); - mutex_lock(&per_pin->lock); --- -2.5.0 - diff --git a/ALSA-hda-Really-restrict-i915-notifier-to-HSW.patch b/ALSA-hda-Really-restrict-i915-notifier-to-HSW.patch deleted file mode 100644 index 2224e7fd0..000000000 --- a/ALSA-hda-Really-restrict-i915-notifier-to-HSW.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 3fb329b2c3b6c2f009aa1255d2436ec49e49877f Mon Sep 17 00:00:00 2001 -From: Takashi Iwai <tiwai@suse.de> -Date: Fri, 18 Mar 2016 15:10:08 +0100 -Subject: [PATCH 1/3] ALSA: hda - Really restrict i915 notifier to HSW+ -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The commit [b62232d429fa: ALSA: hda - Limit i915 HDMI binding only for -HSW and later] tried to limit the usage of i915 audio notifier to the -recent Intel models and switch to the old method on pre-Haswell -models. However, it assumed that the i915 component binding hasn't -been done on such models, and the assumption was wrong: namely, -Baytrail had already the i915 component binding due to powerwell -control. Thus, the workaround wasn't applied to Baytrail. - -For fixing this properly, this patch introduces a new flag indicating -the usage of audio notifier and codec_has_acomp() refers to this flag -instead of checking the existence of audio component. - -Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com> -Cc: <stable@vger.kernel.org> # v4.5 -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - sound/pci/hda/patch_hdmi.c | 24 +++++++++++++++++------- - 1 file changed, 17 insertions(+), 7 deletions(-) - -diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c -index 49ee4e55dd16..8cdb804aa9cf 100644 ---- a/sound/pci/hda/patch_hdmi.c -+++ b/sound/pci/hda/patch_hdmi.c -@@ -152,6 +152,7 @@ struct hdmi_spec { - struct hda_pcm_stream pcm_playback; - - /* i915/powerwell (Haswell+/Valleyview+) specific */ -+ bool use_acomp_notifier; /* use i915 eld_notify callback for hotplug */ - struct i915_audio_component_audio_ops i915_audio_ops; - bool i915_bound; /* was i915 bound in this driver? */ - -@@ -159,8 +160,11 @@ struct hdmi_spec { - }; - - #ifdef CONFIG_SND_HDA_I915 --#define codec_has_acomp(codec) \ -- ((codec)->bus->core.audio_component != NULL) -+static inline bool codec_has_acomp(struct hda_codec *codec) -+{ -+ struct hdmi_spec *spec = codec->spec; -+ return spec->use_acomp_notifier; -+} - #else - #define codec_has_acomp(codec) false - #endif -@@ -2248,12 +2252,18 @@ static int patch_generic_hdmi(struct hda_codec *codec) - codec->spec = spec; - hdmi_array_init(spec, 4); - -+#ifdef CONFIG_SND_HDA_I915 - /* Try to bind with i915 for Intel HSW+ codecs (if not done yet) */ -- if (!codec_has_acomp(codec) && -- (codec->core.vendor_id >> 16) == 0x8086 && -- is_haswell_plus(codec)) -- if (!snd_hdac_i915_init(&codec->bus->core)) -- spec->i915_bound = true; -+ if ((codec->core.vendor_id >> 16) == 0x8086 && -+ is_haswell_plus(codec)) { -+ if (!codec->bus->core.audio_component) -+ if (!snd_hdac_i915_init(&codec->bus->core)) -+ spec->i915_bound = true; -+ /* use i915 audio component notifier for hotplug */ -+ if (codec->bus->core.audio_component) -+ spec->use_acomp_notifier = true; -+ } -+#endif - - if (is_haswell_plus(codec)) { - intel_haswell_enable_all_pins(codec, true); --- -2.5.0 - diff --git a/Initial-AllWinner-A64-and-PINE64-support.patch b/Initial-AllWinner-A64-and-PINE64-support.patch index e9b00f70e..966275a8f 100644 --- a/Initial-AllWinner-A64-and-PINE64-support.patch +++ b/Initial-AllWinner-A64-and-PINE64-support.patch @@ -1056,8 +1056,8 @@ index 171085a..cc89d1f 100644 --- a/drivers/clk/sunxi/clk-factors.h +++ b/drivers/clk/sunxi/clk-factors.h @@ -26,6 +26,7 @@ struct factors_data { - struct clk_factors_config *table; - void (*getter) (u32 *rate, u32 parent_rate, u8 *n, u8 *k, u8 *m, u8 *p); + void (*getter)(struct factors_request *req); + void (*recalc)(struct factors_request *req); const char *name; + int name_idx; }; diff --git a/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch b/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch new file mode 100644 index 000000000..c7a461de8 --- /dev/null +++ b/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch @@ -0,0 +1,107 @@ +From 0f8536022831faaba3a952fa633902d9686f535f Mon Sep 17 00:00:00 2001 +From: Vladis Dronov <vdronov@redhat.com> +Date: Wed, 23 Mar 2016 15:53:07 -0400 +Subject: [PATCH] Input: ati_remote2: fix crashes on detecting device with + invalid descriptor + +The ati_remote2 driver expects at least two interfaces with one +endpoint each. If given malicious descriptor that specify one +interface or no endpoints, it will crash in the probe function. +Ensure there is at least two interfaces and one endpoint for each +interface before using it. + +The full disclosure: http://seclists.org/bugtraq/2016/Mar/90 + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------ + 1 file changed, 30 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c +index cfd58e87da26..cf5d1e8d92c7 100644 +--- a/drivers/input/misc/ati_remote2.c ++++ b/drivers/input/misc/ati_remote2.c +@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d + + ar2->udev = udev; + ++ /* Sanity check, first interface must have an endpoint */ ++ if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) { ++ dev_err(&interface->dev, ++ "%s(): interface 0 must have an endpoint\n", __func__); ++ r = -ENODEV; ++ goto fail1; ++ } + ar2->intf[0] = interface; + ar2->ep[0] = &alt->endpoint[0].desc; + ++ /* Sanity check, the device must have two interfaces */ + ar2->intf[1] = usb_ifnum_to_if(udev, 1); ++ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) { ++ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n", ++ __func__, udev->actconfig->desc.bNumInterfaces); ++ r = -ENODEV; ++ goto fail1; ++ } ++ + r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2); + if (r) + goto fail1; ++ ++ /* Sanity check, second interface must have an endpoint */ + alt = ar2->intf[1]->cur_altsetting; ++ if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) { ++ dev_err(&interface->dev, ++ "%s(): interface 1 must have an endpoint\n", __func__); ++ r = -ENODEV; ++ goto fail2; ++ } + ar2->ep[1] = &alt->endpoint[0].desc; + + r = ati_remote2_urb_init(ar2); + if (r) +- goto fail2; ++ goto fail3; + + ar2->channel_mask = channel_mask; + ar2->mode_mask = mode_mask; + + r = ati_remote2_setup(ar2, ar2->channel_mask); + if (r) +- goto fail2; ++ goto fail3; + + usb_make_path(udev, ar2->phys, sizeof(ar2->phys)); + strlcat(ar2->phys, "/input0", sizeof(ar2->phys)); +@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d + + r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group); + if (r) +- goto fail2; ++ goto fail3; + + r = ati_remote2_input_init(ar2); + if (r) +- goto fail3; ++ goto fail4; + + usb_set_intfdata(interface, ar2); + +@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d + + return 0; + +- fail3: ++ fail4: + sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group); +- fail2: ++ fail3: + ati_remote2_urb_cleanup(ar2); ++ fail2: + usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]); + fail1: + kfree(ar2); +-- +2.5.0 + diff --git a/config-arm-generic b/config-arm-generic index eb9af25a0..e533137e4 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -42,6 +42,8 @@ CONFIG_HAVE_PERF_USER_STACK_DUMP=y CONFIG_ARM_PMU=y +# CONFIG_IOMMU_IO_PGTABLE_ARMV7S is not set + # ARM AMBA generic HW CONFIG_ARM_AMBA=y CONFIG_KERNEL_MODE_NEON=y @@ -170,7 +172,6 @@ CONFIG_SND_HDA_TEGRA=m # CONFIG_ARM_TEGRA20_CPUFREQ is not set # CONFIG_MFD_NVEC is not set -# CONFIG_TEGRA20_APB_DMA is not set # Virt CONFIG_PARAVIRT=y @@ -440,7 +441,6 @@ CONFIG_VFIO_AMBA=m # CONFIG_CADENCE_WATCHDOG is not set # CONFIG_DRM_ARMADA is not set -# CONFIG_DRM_TEGRA is not set # CONFIG_SHMOBILE_IOMMU is not set # CONFIG_COMMON_CLK_SI570 is not set diff --git a/config-armv7 b/config-armv7 index 1a040d692..1efb5899f 100644 --- a/config-armv7 +++ b/config-armv7 @@ -238,6 +238,7 @@ CONFIG_TI_CPSW_ALE=m CONFIG_TI_CPTS=y CONFIG_TI_EMIF=m CONFIG_DRM_TILCDC=m +# CONFIG_COMMON_CLK_TI_ADPLL is not set # We only need this until the BBB dts is actually updated CONFIG_DRM_TILCDC_SLAVE_COMPAT=y CONFIG_SPI_DAVINCI=m @@ -296,6 +297,7 @@ CONFIG_REGULATOR_QCOM_SPMI=m CONFIG_APQ_GCC_8084=m CONFIG_APQ_MMCC_8084=m CONFIG_IPQ_GCC_806X=m +CONFIG_IPQ_GCC_4019=m CONFIG_MSM_GCC_8660=m CONFIG_MSM_GCC_8960=m CONFIG_MSM_MMCC_8960=m diff --git a/config-armv7-generic b/config-armv7-generic index b3904423c..f042deef9 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -378,6 +378,13 @@ CONFIG_AD525X_DPOT=m CONFIG_AD525X_DPOT_I2C=m CONFIG_AD525X_DPOT_SPI=m +# Jetson TK1 +CONFIG_PINCTRL_AS3722=y +CONFIG_POWER_RESET_AS3722=y +CONFIG_MFD_AS3722=y +CONFIG_REGULATOR_AS3722=m +CONFIG_RTC_DRV_AS3722=y + # TI Generic CONFIG_TI_SOC_THERMAL=m CONFIG_TI_THERMAL=y diff --git a/config-armv7-lpae b/config-armv7-lpae index 828b13a87..e500e1d58 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -62,6 +62,7 @@ CONFIG_KEYSTONE_IRQ=m CONFIG_PCI_KEYSTONE=y CONFIG_MTD_NAND_DAVINCI=m CONFIG_GPIO_SYSCON=m +CONFIG_TI_MESSAGE_MANAGER=m # Tegra (non A15 device options) # CONFIG_ARCH_TEGRA_2x_SOC is not set @@ -71,7 +72,6 @@ CONFIG_GPIO_SYSCON=m # CONFIG_SPI_TEGRA20_SFLASH is not set # CONFIG_SPI_TEGRA20_SLINK is not set # CONFIG_MFD_MAX8907 is not set -# CONFIG_MFD_NVEC is not set # CONFIG_SND_SOC_TEGRA_ALC5632 is not set # CONFIG_SND_SOC_TEGRA_TRIMSLICE is not set # CONFIG_SND_SOC_TEGRA_WM8753 is not set @@ -80,5 +80,4 @@ CONFIG_GPIO_SYSCON=m # CONFIG_SND_SOC_TEGRA20_AC97 is not set # CONFIG_SND_SOC_TEGRA20_DAS is not set # CONFIG_SND_SOC_TEGRA20_SPDIF is not set -# CONFIG_SND_SOC_TEGRA_RT5677 is not set # CONFIG_DRM_OMAP is not set diff --git a/config-generic b/config-generic index 85d0d9733..9bccf5ec0 100644 --- a/config-generic +++ b/config-generic @@ -109,6 +109,7 @@ CONFIG_PCIE_ECRC=y CONFIG_PCIEAER_INJECT=m CONFIG_HOTPLUG_PCI=y # CONFIG_HOTPLUG_PCI_CPCI is not set +# CONFIG_HOTPLUG_PCI_SHPC is not set CONFIG_HOTPLUG_PCI_PCIE=y # CONFIG_PCIE_DW_PLAT is not set @@ -190,6 +191,7 @@ CONFIG_INFINIBAND_CXGB4=m CONFIG_SCSI_CXGB3_ISCSI=m CONFIG_SCSI_CXGB4_ISCSI=m # CONFIG_INFINIBAND_CXGB3_DEBUG is not set +CONFIG_INFINIBAND_I40IW=m CONFIG_INFINIBAND_NES=m # CONFIG_INFINIBAND_NES_DEBUG is not set CONFIG_INFINIBAND_QIB=m @@ -197,6 +199,8 @@ CONFIG_INFINIBAND_QIB_DCA=y CONFIG_INFINIBAND_OCRDMA=m CONFIG_INFINIBAND_USNIC=m +CONFIG_INFINIBAND_RDMAVT=m + # # Executable file formats # @@ -2694,6 +2698,7 @@ CONFIG_I2C_CHARDEV=m # CONFIG_I2C_MUX_PCA9541 is not set # CONFIG_I2C_MUX_PINCTRL is not set # CONFIG_I2C_MUX_REG is not set +# CONFIG_I2C_DEMUX_PINCTRL is not set # CONFIG_I2C_CADENCE is not set # @@ -4593,6 +4598,7 @@ CONFIG_MSDOS_FS=m CONFIG_VFAT_FS=m CONFIG_FAT_DEFAULT_CODEPAGE=437 CONFIG_FAT_DEFAULT_IOCHARSET="ascii" +# CONFIG_FAT_DEFAULT_UTF8 is not set # CONFIG_NTFS_FS is not set # @@ -4873,6 +4879,8 @@ CONFIG_HEADERS_CHECK=y # This just changes a default enable with workqueue.debug_force_rr_cpu # CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set # +# CONFIG_KCOV is not set +# # These debug options are deliberatly left on (even in 'make release' kernels). # They aren't that much of a performance impact, and the value # from getting useful bug-reports makes it worth leaving them on. diff --git a/digi_acceleport-do-sanity-checking-for-the-number-of.patch b/digi_acceleport-do-sanity-checking-for-the-number-of.patch index 2bbae94b7..eb060eb08 100644 --- a/digi_acceleport-do-sanity-checking-for-the-number-of.patch +++ b/digi_acceleport-do-sanity-checking-for-the-number-of.patch @@ -1,7 +1,7 @@ From e9c2a3972496927631a1a98fef43e9538e9fd5d5 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum@suse.com> Date: Mon, 14 Mar 2016 15:53:38 +0100 -Subject: [PATCH] digi_acceleport: do sanity checking for the number of ports +Subject: [PATCH v2] digi_acceleport: do sanity checking for the number of ports The driver can be crashed with devices that expose crafted descriptors with too few endpoints. @@ -9,26 +9,62 @@ See: http://seclists.org/bugtraq/2016/Mar/61 Signed-off-by: Oliver Neukum <ONeukum@suse.com> + +v1 - added sanity checks +v2 - moved them to probe() to fix problems Johan pointed out --- - drivers/usb/serial/digi_acceleport.c | 5 +++++ - 1 file changed, 5 insertions(+) + drivers/usb/serial/digi_acceleport.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c -index 12b0e67473ba..c4d4d4547d40 100644 +index 12b0e67..dab1dcf 100644 --- a/drivers/usb/serial/digi_acceleport.c +++ b/drivers/usb/serial/digi_acceleport.c -@@ -1260,6 +1260,11 @@ static int digi_startup(struct usb_serial *serial) +@@ -1252,7 +1252,8 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num) + static int digi_startup(struct usb_serial *serial) + { + struct digi_serial *serial_priv; +- int ret; ++ int ret = -ENODEV; ++ int i; + + serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL); + if (!serial_priv) +@@ -1260,18 +1261,31 @@ static int digi_startup(struct usb_serial *serial) spin_lock_init(&serial_priv->ds_serial_lock); serial_priv->ds_oob_port_num = serial->type->num_ports; -+ if (!(serial_priv->ds_oob_port_num == 2 && serial->type == &digi_acceleport_2_device) -+ && !(serial_priv->ds_oob_port_num == 4 && serial->type == &digi_acceleport_4_device)) { -+ kfree(serial_priv); -+ return -EINVAL; ++ ++ /* Check whether the expected number of ports matches the device */ ++ if (serial->num_ports < serial_priv->ds_oob_port_num) ++ goto error; ++ /* all features must be present */ ++ for (i = 0; i < serial->type->num_ports + 1 ; i++) { ++ if (!serial->port[i]->read_urb) ++ goto error; ++ if (!serial->port[i]->write_urb) ++ goto error; + } ++ serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num]; ret = digi_port_init(serial_priv->ds_oob_port, + serial_priv->ds_oob_port_num); +- if (ret) { +- kfree(serial_priv); +- return ret; +- } ++ if (ret) ++ goto error; + + usb_set_serial_data(serial, serial_priv); + + return 0; ++error: ++ kfree(serial_priv); ++ return ret; + } + + -- -2.5.0 - +2.1.4 @@ -1 +1 @@ -770c4c1119dbaa0e5e4c1f2e88ca8bfeb0d66b6d +c130423620331a104492bbbcc49f25125e26a21a diff --git a/input-gtco-fix-crash-on-detecting-device-without-end.patch b/input-gtco-fix-crash-on-detecting-device-without-end.patch new file mode 100644 index 000000000..849f607a5 --- /dev/null +++ b/input-gtco-fix-crash-on-detecting-device-without-end.patch @@ -0,0 +1,49 @@ +Subject: [PATCH] Input: gtco: fix crash on detecting device without endpoints +From: Vladis Dronov <vdronov@redhat.com> +Date: 2016-03-18 18:35:00 + +The gtco driver expects at least one valid endpoint. If given +malicious descriptors that specify 0 for the number of endpoints, +it will crash in the probe function. Ensure there is at least +one endpoint on the interface before using it. Fix minor coding +style issue. + +The full report of this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/86 + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/input/tablet/gtco.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c +index 3a7f3a4..7c18249 100644 +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface, + goto err_free_buf; + } + ++ /* Sanity check that a device has an endpoint */ ++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ dev_err(&usbinterface->dev, ++ "Invalid number of endpoints\n"); ++ error = -EINVAL; ++ goto err_free_urb; ++ } ++ + /* + * The endpoint is always altsetting 0, we know this since we know + * this device only has one interrupt endpoint +@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface, + * HID report descriptor + */ + if (usb_get_extra_descriptor(usbinterface->cur_altsetting, +- HID_DEVICE_TYPE, &hid_desc) != 0){ ++ HID_DEVICE_TYPE, &hid_desc) != 0) { + dev_err(&usbinterface->dev, + "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); + error = -EIO; +-- +2.5.0 diff --git a/kernel.spec b/kernel.spec index 23683651e..96880300a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -77,7 +77,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 18 +%define gitrev 22 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -637,15 +637,14 @@ Patch668: x86-tsc-Prevent-NULL-pointer-deref-in-calibrate_dela.patch #CVE-2016-3137 rhbz 1317010 1316996 Patch672: cypress_m8-add-sanity-checking.patch +#CVE-2016-2185 rhbz 1317014 1317471 +Patch669: Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch + #CVE-2016-3140 rhbz 1317010 1316995 Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch Patch678: ims-pcu-sanity-check-against-missing-interfaces.patch -Patch680: ALSA-hda-Really-restrict-i915-notifier-to-HSW.patch -Patch681: ALSA-hda-Fix-forgotten-HDMI-monitor_present-update.patch -Patch682: ALSA-hda-Fix-spurious-kernel-WARNING-on-Baytrail-HDM.patch - #rhbz 1315013 Patch683: 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch @@ -655,6 +654,12 @@ Patch684: thermal-fix.patch #rhbz 1318079 Patch685: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch +#CVE-2016-2187 rhbz 1317017 1317010 +Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch + +#CVE-2016-3136 rhbz 1317007 1317010 +Patch687: mct_u232-sanity-checking-in-probe.patch + # END OF PATCH DEFINITIONS %endif @@ -2180,6 +2185,29 @@ fi # # %changelog +* Wed Mar 23 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git22.1 +- Linux v4.5-12013-gc13042362033 +- crypto, mailbox, clk merges + +* Wed Mar 23 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git21.1 +- Linux v4.5-11787-ga24e3d414e59 +- akpm, kvm, rdma + +* Wed Mar 23 2016 Peter Robinson <pbrobinson@fedoraproject.org> +- Fix Tegra Jetson TK1 + +* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git20.1 +- Linux v4.5-11312-g01cde1538e1d +- nfs, overlayfs, fuse, xen, i2c, target, pci, sound, iommu merges + +* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010) +- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010) + +* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git19.1 +- Linux v4.5-11118-g968f3e374faf +- btrfs, mmc, md merges + * Mon Mar 21 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git18.1 - Linux v4.5-10883-g770c4c1119db - drm, arm64-perf, arc, udf, quota merges diff --git a/mct_u232-sanity-checking-in-probe.patch b/mct_u232-sanity-checking-in-probe.patch new file mode 100644 index 000000000..006faf15f --- /dev/null +++ b/mct_u232-sanity-checking-in-probe.patch @@ -0,0 +1,35 @@ +Subject: [PATCH v2] mct_u232: sanity checking in probe +From: Oliver Neukum <oneukum@suse.com> +Date: 2016-03-21 13:14:37 + +An attack using the lack of sanity checking in probe +is known. This patch checks for the existance of a +second port. +CVE-2016-3136 + +Signed-off-by: Oliver Neukum <ONeukum@suse.com> +CC: stable@vger.kernel.org + +v1 - add sanity check for presence of a second port +v2 - add sanity check for an interrupt endpoint +--- + drivers/usb/serial/mct_u232.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c +index 4446b8d..3e64538 100644 +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port) + { + struct mct_u232_private *priv; + ++ /* check first to simplify error handling */ ++ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb) ++ return -ENODEV; ++ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; +-- +2.1.4 @@ -1,3 +1,3 @@ a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz 6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz -a3447af4912b536e6d7d170b2bf18109 patch-4.5-git18.xz +1efd8aeadf2822f23214a5129575a8f6 patch-4.5-git22.xz |