authorThorsten Leemhuis <fedora@leemhuis.info>2016-11-15 18:56:33 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2016-11-15 18:56:33 +0100
commit43888731c5158f8322f36ca42657f30ad867a579 (patch)
tree5c72b9922cc0595caed3b5994ead0eeb07d87692
parent718fa1a81b4f7cd9c0df7dbf35a6590e7a577a79 (diff)
parenta0974068fe76f108a1f67373b04dfa6d66921c62 (diff)
downloadkernel-43888731c5158f8322f36ca42657f30ad867a579.tar.gz
kernel-43888731c5158f8322f36ca42657f30ad867a579.tar.xz
kernel-43888731c5158f8322f36ca42657f30ad867a579.zip
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.8.8-100.vanilla.knurd.1.fc23
-rw-r--r--0001-tcp-take-care-of-truncations-done-by-sk_filter.patch105
-rw-r--r--kernel.spec15
-rw-r--r--nouveau-add-maxwell-to-backlight-init.patch24
-rw-r--r--sources2
4 files changed, 144 insertions, 2 deletions
diff --git a/0001-tcp-take-care-of-truncations-done-by-sk_filter.patch b/0001-tcp-take-care-of-truncations-done-by-sk_filter.patch
new file mode 100644
index 000000000..1c9b2f022
--- /dev/null
+++ b/0001-tcp-take-care-of-truncations-done-by-sk_filter.patch
@@ -0,0 +1,105 @@
+From ac6e780070e30e4c35bd395acfe9191e6268bdd3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 10 Nov 2016 13:12:35 -0800
+Subject: [PATCH] tcp: take care of truncations done by sk_filter()
+
+With syzkaller help, Marco Grassi found a bug in TCP stack,
+crashing in tcp_collapse()
+
+Root cause is that sk_filter() can truncate the incoming skb,
+but TCP stack was not really expecting this to happen.
+It probably was expecting a simple DROP or ACCEPT behavior.
+
+We first need to make sure no part of TCP header could be removed.
+Then we need to adjust TCP_SKB_CB(skb)->end_seq
+
+Many thanks to syzkaller team and Marco for giving us a reproducer.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Marco Grassi <marco.gra@gmail.com>
+Reported-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/tcp.h | 1 +
+ net/ipv4/tcp_ipv4.c | 19 ++++++++++++++++++-
+ net/ipv6/tcp_ipv6.c | 6 ++++--
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 304a8e1..123979f 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1220,6 +1220,7 @@ static inline void tcp_prequeue_init(struct tcp_sock *tp)
+ }
+
+ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb);
++int tcp_filter(struct sock *sk, struct sk_buff *skb);
+
+ #undef STATE_TRACE
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 61b7be3..2259114 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1564,6 +1564,21 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(tcp_prequeue);
+
++int tcp_filter(struct sock *sk, struct sk_buff *skb)
++{
++ struct tcphdr *th = (struct tcphdr *)skb->data;
++ unsigned int eaten = skb->len;
++ int err;
++
++ err = sk_filter_trim_cap(sk, skb, th->doff * 4);
++ if (!err) {
++ eaten -= skb->len;
++ TCP_SKB_CB(skb)->end_seq -= eaten;
++ }
++ return err;
++}
++EXPORT_SYMBOL(tcp_filter);
++
+ /*
+ * From tcp_input.c
+ */
+@@ -1676,8 +1691,10 @@ int tcp_v4_rcv(struct sk_buff *skb)
+
+ nf_reset(skb);
+
+- if (sk_filter(sk, skb))
++ if (tcp_filter(sk, skb))
+ goto discard_and_relse;
++ th = (const struct tcphdr *)skb->data;
++ iph = ip_hdr(skb);
+
+ skb->dev = NULL;
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 6ca23c2..b9f1fee 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1229,7 +1229,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ if (skb->protocol == htons(ETH_P_IP))
+ return tcp_v4_do_rcv(sk, skb);
+
+- if (sk_filter(sk, skb))
++ if (tcp_filter(sk, skb))
+ goto discard;
+
+ /*
+@@ -1457,8 +1457,10 @@ static int tcp_v6_rcv(struct sk_buff *skb)
+ if (tcp_v6_inbound_md5_hash(sk, skb))
+ goto discard_and_relse;
+
+- if (sk_filter(sk, skb))
++ if (tcp_filter(sk, skb))
+ goto discard_and_relse;
++ th = (const struct tcphdr *)skb->data;
++ hdr = ipv6_hdr(skb);
+
+ skb->dev = NULL;
+
+--
+2.7.4
+
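Review bot: tcp_filter() in the added net/ipv4/tcp_ipv4.c section reads `th->doff` straight from `skb->data` and passes `th->doff * 4` as the trim cap with no check of its own, so it is only safe if every caller has already validated the data offset and pulled the whole TCP header into the linear area; those checks are not visible in this patch. A comment above the function should state that precondition, for example `/* Caller must have validated th->doff and pulled doff * 4 bytes; the filter may trim payload but never the TCP header. */`. The local `eaten` first holds the original length and only later the trimmed byte count; `unsigned int len = skb->len;` followed by `TCP_SKB_CB(skb)->end_seq -= len - skb->len;` reads more plainly. tcp_v4_rcv and tcp_v6_rcv reload `th` and the IP header pointer after the call, but the tcp_v6_do_rcv call site does not; its body continues outside the hunk, so confirm that no header pointer cached before the filter is used afterwards.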
diff --git a/kernel.spec b/kernel.spec
index d10600766..f7cebef2b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -60,7 +60,7 @@ Summary: The Linux kernel
# Do we have a -stable update to apply?
-%define stable_update 7
+%define stable_update 8
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -654,6 +654,12 @@ Patch852: 0001-HID-input-ignore-System-Control-application-usages-i.patch
#rhbz 1392885
Patch853: 0001-drm-i915-Refresh-that-status-of-MST-capable-connecto.patch
+#rhbz 1390308
+Patch854: nouveau-add-maxwell-to-backlight-init.patch
+
+#CVE-2016-8645 rhbz 1393904 1393908
+Patch856: 0001-tcp-take-care-of-truncations-done-by-sk_filter.patch
+
# END OF PATCH DEFINITIONS
%endif
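Review bot: The new `Patch856` entry for CVE-2016-8645 sits just above `# END OF PATCH DEFINITIONS` and the closing `%endif`, so it is inside a conditional whose opening line is outside this hunk. The merge target is a branch with "vanilla" in its name; if that conditional is switched off for such builds, the TCP fix would be listed but not applied, and the changelog line "Fix crash in tcp_collapse CVE-2016-8645" would overstate what the built kernel contains. Please confirm the condition and consider a comment next to the entry such as `# CVE-2016-8645: only applied when the patch block is enabled`. The numbering also jumps from 854 to 856 without explanation.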
@@ -2179,6 +2185,13 @@ fi
#
#
%changelog
+* Tue Nov 15 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.8-100
+- Linux v4.8.8
+- Fix crash in tcp_collapse CVE-2016-8645 (rhbz 1393904 1393908)
+
+* Fri Nov 11 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- Nouveau: Add Maxwell to backlight initialization (rhbz 1390308)
+
* Fri Nov 11 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.7-100
- Refresh status of MST capable connectors (rhbz 1392885)
diff --git a/nouveau-add-maxwell-to-backlight-init.patch b/nouveau-add-maxwell-to-backlight-init.patch
new file mode 100644
index 000000000..9d89069c1
--- /dev/null
+++ b/nouveau-add-maxwell-to-backlight-init.patch
@@ -0,0 +1,24 @@
+From bbe1f94a8b3f2e8622dd400a6827d3242005d951 Mon Sep 17 00:00:00 2001
+From: Faris Alsalama <farisbenbrahem@gmail.com>
+Date: Sat, 21 May 2016 14:41:43 -0400
+Subject: drm/nouveau/kms: add Maxwell to backlight initialization
+
+Signed-off-by: Faris Alsalama <farisbenbrahem@gmail.com>
+Acked-by: Acked-by: Pierre Moreau <pierre.morrow@free.fr>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_backlight.c b/drivers/gpu/drm/nouveau/nouveau_backlight.c
+index f5101be..5e2c568 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_backlight.c
++++ b/drivers/gpu/drm/nouveau/nouveau_backlight.c
+@@ -232,6 +232,7 @@ nouveau_backlight_init(struct drm_device *dev)
+ case NV_DEVICE_INFO_V0_TESLA:
+ case NV_DEVICE_INFO_V0_FERMI:
+ case NV_DEVICE_INFO_V0_KEPLER:
++ case NV_DEVICE_INFO_V0_MAXWELL:
+ return nv50_backlight_init(connector);
+ default:
+ break;
+--
+cgit v0.10.2
+
diff --git a/sources b/sources
index a8bdd281b..0da55e4e1 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz
0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz
-ad7cdae5329497d07582b31858516686 patch-4.8.7.xz
+38e85040e09193251766975d6fd30d08 patch-4.8.8.xz