authorThorsten Leemhuis <fedora@leemhuis.info>2016-12-09 16:34:20 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2016-12-09 16:34:20 +0100
commitf410c5b74393fb851803e608670c57150d107d3d (patch)
tree392902928d54138a1dfccdc49b5be8b85f6108f4
parentf95c16a92db56a85125f0aa6d440a448d5e1b1a6 (diff)
parent23b914572b6307dcf4389e537375d26d8477658a (diff)
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedora (kernel-4.8.13-100.vanilla.knurd.1.fc23)
-rw-r--r--0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch42
-rw-r--r--0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch49
-rw-r--r--0001-packet-fix-race-condition-in-packet_set_ring.patch92
-rw-r--r--config-generic2
-rw-r--r--kernel.spec24
-rw-r--r--sources2
6 files changed, 208 insertions, 3 deletions
diff --git a/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch b/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
new file mode 100644
index 000000000..8c3795439
--- /dev/null
+++ b/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
@@ -0,0 +1,42 @@
+From a0ac402cfcdc904f9772e1762b3fda112dcc56a0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 6 Dec 2016 16:18:14 -0800
+Subject: [PATCH] Don't feed anything but regular iovec's to
+ blk_rq_map_user_iov
+
+In theory we could map other things, but there's a reason that function
+is called "user_iov". Using anything else (like splice can do) just
+confuses it.
+
+Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ block/blk-map.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index b8657fa..27fd8d92 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ struct iov_iter i;
+ int ret;
+
++ if (!iter_is_iovec(iter))
++ goto fail;
++
+ if (map_data)
+ copy = true;
+ else if (iov_iter_alignment(iter) & align)
+@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+
+ unmap_rq:
+ __blk_rq_unmap_user(bio);
++fail:
+ rq->bio = NULL;
+ return -EINVAL;
+ }
+--
+2.9.3
+
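Review bot: The new `if (!iter_is_iovec(iter)) goto fail;` at the top of blk_rq_map_user_iov carries no comment, so the reason for rejecting other iterator types lives only in the commit message; a one-line comment such as `/* only plain user-space iovecs are supported here; other iter kinds (e.g. splice-backed) confuse the mapping below */` would keep the rationale next to the check. The `fail:` label it jumps to also executes `rq->bio = NULL`, which is correct only if nothing has been attached to rq->bio before this point; the visible context suggests the bio is assigned later in the function, but the declarations above line 118 and the body between the two fragments are outside the hunk, so that should be confirmed in the applied tree.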
diff --git a/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch b/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
new file mode 100644
index 000000000..6d5771ccd
--- /dev/null
+++ b/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
@@ -0,0 +1,49 @@
+From b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 2 Dec 2016 09:44:53 -0800
+Subject: [PATCH] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
+
+CAP_NET_ADMIN users should not be allowed to set negative
+sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
+corruptions, crashes, OOM...
+
+Note that before commit 82981930125a ("net: cleanups in
+sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
+and SO_RCVBUF were vulnerable.
+
+This needs to be backported to all known linux kernels.
+
+Again, many thanks to syzkaller team for discovering this gem.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/core/sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 5e3ca41..00a074d 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ val = min_t(u32, val, sysctl_wmem_max);
+ set_sndbuf:
+ sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
+- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
++ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
+ /* Wake up sending tasks if we upped the value. */
+ sk->sk_write_space(sk);
+ break;
+@@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ * returning the value we actually used in getsockopt
+ * is the most desirable behavior.
+ */
+- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
++ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
+ break;
+
+ case SO_RCVBUFFORCE:
+--
+2.9.3
+
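Review bot: Changing max_t to `int` fixes the sign problem for a negative `val`, but `val * 2` is still evaluated in plain int, so a `val` above INT_MAX/2 wraps; on the SO_SNDBUF path that cannot happen because `val = min_t(u32, val, sysctl_wmem_max)` bounds it first, whereas the SO_SNDBUFFORCE path presumably enters at the visible `set_sndbuf:` label (and the rcvbuf counterpart at its own label) from outside the hunk without such a bound. As I recall the kernel builds with -fno-strict-overflow, so the wrapped negative is then clamped to SOCK_MIN_SNDBUF/SOCK_MIN_RCVBUF by max_t, which is safe but silently turns an oversized privileged request into the minimum; a clamp such as `if (val > INT_MAX / 2) val = INT_MAX / 2;` on the FORCE paths would make that behaviour explicit. sock_setsockopt starts and ends outside the hunk.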
diff --git a/0001-packet-fix-race-condition-in-packet_set_ring.patch b/0001-packet-fix-race-condition-in-packet_set_ring.patch
new file mode 100644
index 000000000..ba7da62e7
--- /dev/null
+++ b/0001-packet-fix-race-condition-in-packet_set_ring.patch
@@ -0,0 +1,92 @@
+From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001
+From: Philip Pettersson <philip.pettersson@gmail.com>
+Date: Wed, 30 Nov 2016 14:55:36 -0800
+Subject: [PATCH] packet: fix race condition in packet_set_ring
+
+When packet_set_ring creates a ring buffer it will initialize a
+struct timer_list if the packet version is TPACKET_V3. This value
+can then be raced by a different thread calling setsockopt to
+set the version to TPACKET_V1 before packet_set_ring has finished.
+
+This leads to a use-after-free on a function pointer in the
+struct timer_list when the socket is closed as the previously
+initialized timer will not be deleted.
+
+The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
+changing the packet version while also taking the lock at the start
+of packet_set_ring.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/packet/af_packet.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index d2238b2..dd23323 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+ switch (val) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+ case TPACKET_V3:
+- po->tp_version = val;
+- return 0;
++ break;
+ default:
+ return -EINVAL;
+ }
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_version = val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_RESERVE:
+ {
+@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ /* Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
++ lock_sock(sk);
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ net_warn_ratelimited("Tx-ring is not supported.\n");
+@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ goto out;
+ }
+
+- lock_sock(sk);
+
+ /* Detach socket from network */
+ spin_lock(&po->bind_lock);
+@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ if (!tx_ring)
+ prb_shutdown_retire_blk_timer(po, rb_queue);
+ }
+- release_sock(sk);
+
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
++ release_sock(sk);
+ return err;
+ }
+
+--
+2.9.3
+
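Review bot: Moving `lock_sock(sk)` to the top of packet_set_ring and `release_sock(sk)` to `out:` extends the lock over the validation code in the roughly 80 lines between the first and second packet_set_ring fragments (4174–4252), which are outside the hunk; the change is only safe if every early exit in that stretch uses `goto out` rather than a bare `return`, so that should be checked in the applied tree. It also means `free_pg_vec()` now runs with the socket lock held, and that packet_set_ring's callers must not already hold it, since lock_sock is not recursive. In the PACKET_VERSION case the new code assigns to `ret`, which is not declared in the visible lines and so relies on a function-scope variable in packet_setsockopt; a short comment above that `lock_sock(sk)`, e.g. `/* ring check and version update must be atomic w.r.t. packet_set_ring, which takes the same lock */`, would document why the two lock sites pair up.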
diff --git a/config-generic b/config-generic
index 744489577..5b15dc4d1 100644
--- a/config-generic
+++ b/config-generic
@@ -1406,7 +1406,7 @@ CONFIG_L2TP_ETH=m
# CONFIG_CAIF is not set
-CONFIG_AF_KCM=m
+# CONFIG_AF_KCM is not set
CONFIG_LWTUNNEL=y
CONFIG_NET_DEVLINK=m
diff --git a/kernel.spec b/kernel.spec
index d93540b30..0a10582a3 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -60,7 +60,7 @@ Summary: The Linux kernel
# Do we have a -stable update to apply?
-%define stable_update 12
+%define stable_update 13
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -656,6 +656,15 @@ Patch854: nouveau-add-maxwell-to-backlight-init.patch
# CVE-2016-9755 rhbz 1400904 1400905
Patch856: 0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
+# CVE-2016-8655 rhbz 1400019 1401820
+Patch857: 0001-packet-fix-race-condition-in-packet_set_ring.patch
+
+# CVE-2016-9793 rhbz 1402013 1402014
+Patch858: 0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
+
+# CVE-2016-9576 rhbz 1403145 1403146
+Patch859: 0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2181,6 +2190,19 @@ fi
#
#
%changelog
+* Fri Dec 09 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.13-100
+- Linux v4.8.13
+- CVE-2016-9576 fix use after free in SCSI generic device interface (rhbz 1403145 1403146)
+
+* Wed Dec 07 2016 Laura Abbott <labbott@fedoraproject.org>
+- Disable CONFIG_AF_KCM (rhbz 1402489)
+
+* Wed Dec 07 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2016-9793 avoid signed overflows for SO_{SND|RCV}BUFFORCE (rhbz 1402013 1402014)
+
+* Tue Dec 06 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2016-8655 fix race condition in packet_set_ring (rhbz 1400019 1401820)
+
* Fri Dec 02 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.12-100
- Linux v4.8.12
- CVE-2016-9755 Fix Out-of-bounds write issue when defragmenting ipv6 packets (rhbz 1400904 1400905)
diff --git a/sources b/sources
index f4f05afae..b175e7f81 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz
0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz
-9a938fd7a82d8b390f957657947fe673 patch-4.8.12.xz
+bc208ac66340464839ee61a4621d9384 patch-4.8.13.xz