Enable CONFIG_ACPI_REV_OVERRIDE_POSSIBLE and CONFIG_X86_NUMACHIP

5 files changed, 113 insertions, 2 deletions

diff --git a/config-x86-generic b/config-x86-generic
index 9bfd81de5..b82a9b12b 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -102,7 +102,7 @@ CONFIG_ACPI_IPMI=m
 CONFIG_ACPI_CUSTOM_METHOD=m
 CONFIG_ACPI_BGRT=y
 # CONFIG_ACPI_EXTLOG is not set
-# CONFIG_ACPI_REV_OVERRIDE_POSSIBLE is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
 
 CONFIG_INTEL_SOC_PMIC=y
 CONFIG_PMIC_OPREGION=y
diff --git a/config-x86_64-generic b/config-x86_64-generic
index 0fc3068dd..94c476027 100644
--- a/config-x86_64-generic
+++ b/config-x86_64-generic
@@ -14,7 +14,7 @@ CONFIG_X86_64_ACPI_NUMA=y
 CONFIG_ACPI_NFIT=m
 # CONFIG_ACPI_NFIT_DEBUG is not set
 # CONFIG_NUMA_EMU is not set
-# CONFIG_X86_NUMACHIP is not set
+CONFIG_X86_NUMACHIP=y
 CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y
 CONFIG_NUMA_BALANCING=y
 
diff --git a/kernel.spec b/kernel.spec
index 110cafdcc..6f947be70 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -638,6 +638,13 @@ Patch532: Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
 
 Patch533: net-inet-fix-race-in-reqsk_queue_unlink.patch
 
+#rhbz 1265978
+Patch536: si2168-Bounds-check-firmware.patch
+Patch537: si2157-Bounds-check-firmware.patch
+
+#rhbz 1268037
+Patch538: ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1395,6 +1402,13 @@ ApplyPatch Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
 
 ApplyPatch net-inet-fix-race-in-reqsk_queue_unlink.patch
 
+#rhbz 1265978
+ApplyPatch si2168-Bounds-check-firmware.patch
+ApplyPatch si2157-Bounds-check-firmware.patch
+
+#rhbz 1268037
+ApplyPatch ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2245,6 +2259,14 @@ fi
 #
 # 
 %changelog
+* Wed Oct 07 2015 Justin M. Forbes <jforbes@fedoraproject.org>
+- Enable CONFIG_ACPI_REV_OVERRIDE_POSSIBLE for Dell XPS sound (rhbz 1255070)
+- Enable CONFIG_X86_NUMACHIP
+
+* Mon Oct 05 2015 Laura Abbott <labbott@fedoraproject.org>
+- Stop stack smash for several DVB devices (rhbz 1265978)
+- Make headphone work with with T550 + Dock (rhbz 1268037)
+
 * Mon Oct 05 2015 Justin M. Forbes <jforbes@fedoraproject.org>
 - Linux v4.2.3
 - Netdev fix race in resq_queue_unlink
diff --git a/si2157-Bounds-check-firmware.patch b/si2157-Bounds-check-firmware.patch
new file mode 100644
index 000000000..284006160
--- /dev/null
+++ b/si2157-Bounds-check-firmware.patch
@@ -0,0 +1,39 @@
+From 526fbce5b0e44c67a97c57656b3be9911f0a9b9b Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@fedoraproject.org>
+Date: Tue, 29 Sep 2015 16:59:20 -0700
+Subject: [PATCH 2/2] si2157: Bounds check firmware
+To: Antti Palosaari <crope@iki.fi>
+To: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Cc: Olli Salonen <olli.salonen@iki.fi>
+Cc: linux-media@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+
+When reading the firmware and sending commands, the length
+must be bounds checked to avoid overrunning the size of the command
+buffer and smashing the stack if the firmware is not in the
+expected format. Add the proper check.
+
+Cc: stable@kernel.org
+Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
+---
+ drivers/media/tuners/si2157.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
+index 5073821..ce157ed 100644
+--- a/drivers/media/tuners/si2157.c
++++ b/drivers/media/tuners/si2157.c
+@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe)
+ 
+ 	for (remaining = fw->size; remaining > 0; remaining -= 17) {
+ 		len = fw->data[fw->size - remaining];
++		if (len > SI2157_ARGLEN) {
++			dev_err(&client->dev, "Bad firmware length\n");
++			goto err_release_firmware;
++		}
+ 		memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
+ 		cmd.wlen = len;
+ 		cmd.rlen = 1;
+-- 
+2.4.3
+
diff --git a/si2168-Bounds-check-firmware.patch b/si2168-Bounds-check-firmware.patch
new file mode 100644
index 000000000..e9c5bcc50
--- /dev/null
+++ b/si2168-Bounds-check-firmware.patch
@@ -0,0 +1,50 @@
+From 43018528944fa4965a4048fee91d76b47dcaf60e Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@fedoraproject.org>
+Date: Mon, 28 Sep 2015 14:10:34 -0700
+Subject: [PATCH 1/2] si2168: Bounds check firmware
+To: Antti Palosaari <crope@iki.fi>
+To: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Cc: Olli Salonen <olli.salonen@iki.fi>
+Cc: linux-media@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Stuart Auchterlonie <sauchter@redhat.com>
+
+
+When reading the firmware and sending commands, the length must
+be bounds checked to avoid overrunning the size of the command
+buffer and smashing the stack if the firmware is not in the expected
+format:
+
+si2168 11-0064: found a 'Silicon Labs Si2168-B40'
+si2168 11-0064: downloading firmware from file 'dvb-demod-si2168-b40-01.fw'
+si2168 11-0064: firmware download failed -95
+Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa085708f
+
+Add the proper check.
+
+Cc: stable@kernel.org
+Reported-by: Stuart Auchterlonie <sauchter@redhat.com>
+Reviewed-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
+---
+ drivers/media/dvb-frontends/si2168.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c
+index 81788c5..821a8f4 100644
+--- a/drivers/media/dvb-frontends/si2168.c
++++ b/drivers/media/dvb-frontends/si2168.c
+@@ -502,6 +502,10 @@ static int si2168_init(struct dvb_frontend *fe)
+ 		/* firmware is in the new format */
+ 		for (remaining = fw->size; remaining > 0; remaining -= 17) {
+ 			len = fw->data[fw->size - remaining];
++			if (len > SI2168_ARGLEN) {
++				ret = -EINVAL;
++				break;
++			}
+ 			memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
+ 			cmd.wlen = len;
+ 			cmd.rlen = 1;
+-- 
+2.4.3
+