diff options
-rw-r--r-- | KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch | 78 | ||||
-rw-r--r-- | config-arm-generic | 1 | ||||
-rw-r--r-- | config-arm64 | 3 | ||||
-rw-r--r-- | config-armv7 | 3 | ||||
-rw-r--r-- | config-armv7-generic | 4 | ||||
-rw-r--r-- | config-x86-generic | 3 | ||||
-rw-r--r-- | cpupower-Fix-build-error-in-cpufreq-info.patch | 40 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 22 | ||||
-rw-r--r-- | rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch | 55 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch | 68 |
12 files changed, 156 insertions, 125 deletions
diff --git a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch deleted file mode 100644 index 5eec95c62..000000000 --- a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Jan 2016 10:53:31 +0000 -Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring() - -This fixes CVE-2016-0728. - -If a thread is asked to join as a session keyring the keyring that's already -set as its session, we leak a keyring reference. - -This can be tested with the following program: - - #include <stddef.h> - #include <stdio.h> - #include <sys/types.h> - #include <keyutils.h> - - int main(int argc, const char *argv[]) - { - int i = 0; - key_serial_t serial; - - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - - if (keyctl(KEYCTL_SETPERM, serial, - KEY_POS_ALL | KEY_USR_ALL) < 0) { - perror("keyctl"); - return -1; - } - - for (i = 0; i < 100; i++) { - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - } - - return 0; - } - -If, after the program has run, there something like the following line in -/proc/keys: - -3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty - -with a usage count of 100 * the number of times the program has been run, -then the kernel is malfunctioning. If leaked-keyring has zero usages or -has been garbage collected, then the problem is fixed. - -Reported-by: Yevgeny Pats <yevgeny@perception-point.io> -Signed-off-by: David Howells <dhowells@redhat.com> -RH-bugzilla: 1298036 ---- - security/keys/process_keys.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index 43b4cddbf2b3..7877e5cd4e23 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } --- -2.5.0 - diff --git a/config-arm-generic b/config-arm-generic index 12cb852cb..987695636 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -209,6 +209,7 @@ CONFIG_USB_CONFIGFS_ACM=y CONFIG_USB_CONFIGFS_ECM=y CONFIG_USB_CONFIGFS_ECM_SUBSET=y CONFIG_USB_CONFIGFS_EEM=y +CONFIG_USB_CONFIGFS_F_TCM=y CONFIG_USB_CONFIGFS_MASS_STORAGE=y CONFIG_USB_CONFIGFS_NCM=y CONFIG_USB_CONFIGFS_OBEX=y diff --git a/config-arm64 b/config-arm64 index c6bcff93a..b6698c506 100644 --- a/config-arm64 +++ b/config-arm64 @@ -17,11 +17,13 @@ CONFIG_ARCH_XGENE=y # CONFIG_ARCH_LAYERSCAPE is not set # CONFIG_ARCH_MEDIATEK is not set # CONFIG_ARCH_QCOM is not set +# CONFIG_ARCH_RENESAS is not set # CONFIG_ARCH_SPRD is not set # CONFIG_ARCH_STRATIX10 is not set # CONFIG_ARCH_TEGRA is not set # CONFIG_ARCH_THUNDER is not set # CONFIG_ARCH_ZYNQMP is not set +# CONFIG_ARCH_UNIPHIER is not set # Erratum CONFIG_ARM64_ERRATUM_826319=y @@ -151,6 +153,7 @@ CONFIG_POWER_RESET_HISI=y CONFIG_HISI_THERMAL=m CONFIG_STUB_CLK_HI6220=y CONFIG_PHY_HI6220_USB=m +CONFIG_COMMON_RESET_HI6220=m # ThunderX # CONFIG_MDIO_OCTEON is not set diff --git a/config-armv7 b/config-armv7 index 0cc0fa55a..271751071 100644 --- a/config-armv7 +++ b/config-armv7 @@ -348,6 +348,9 @@ CONFIG_QCOM_SMEM=m CONFIG_REGULATOR_QCOM_SMD_RPM=m CONFIG_QCOM_SMEM=m CONFIG_QCOM_QFPROM=m +CONFIG_QCOM_WCNSS_CTRL=m +CONFIG_QCOM_SMSM=y +CONFIG_QCOM_SMP2P=m # i.MX # CONFIG_MXC_DEBUG_BOARD is not set diff --git a/config-armv7-generic b/config-armv7-generic index 4ea4da8dd..48941c0f6 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -61,13 +61,17 @@ CONFIG_ARCH_VIRT=y # CONFIG_ARCH_HISI is not set # CONFIG_ARCH_MEDIATEK is not set # CONFIG_ARCH_MESON is not set +# CONFIG_ARCH_MMP is not set # CONFIG_ARCH_QCOM is not set +# CONFIG_ARCH_REALVIEW is not set +# CONFIG_ARCH_RENESAS is not set # CONFIG_ARCH_S5PV210 is not set # CONFIG_ARCH_SHMOBILE_MULTI is not set # CONFIG_ARCH_SIRF is not set # CONFIG_ARCH_SOCFPGA is not set # CONFIG_PLAT_SPEAR is not set # CONFIG_ARCH_STI is not set +# CONFIG_ARCH_TANGO is not set # CONFIG_ARCH_U8500 is not set # CONFIG_ARCH_VEXPRESS_SPC is not set # CONFIG_ARCH_WM8850 is not set diff --git a/config-x86-generic b/config-x86-generic index 5648f7a8f..2d41bfbb1 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -226,6 +226,7 @@ CONFIG_X86_PLATFORM_DEVICES=y CONFIG_AMILO_RFKILL=m CONFIG_ASUS_LAPTOP=m +CONFIG_ASUS_WIRELESS=m CONFIG_COMPAL_LAPTOP=m CONFIG_DELL_LAPTOP=m CONFIG_DELL_RBTN=m @@ -236,6 +237,7 @@ CONFIG_FUJITSU_TABLET=m CONFIG_FUJITSU_LAPTOP=m # CONFIG_FUJITSU_LAPTOP_DEBUG is not set CONFIG_IDEAPAD_LAPTOP=m +CONFIG_INTEL_HID_EVENT=m CONFIG_MSI_LAPTOP=m CONFIG_PANASONIC_LAPTOP=m CONFIG_SAMSUNG_LAPTOP=m @@ -480,6 +482,7 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m CONFIG_HP_ACCEL=m CONFIG_SURFACE_PRO3_BUTTON=m +CONFIG_INTEL_PUNIT_IPC=m # CONFIG_RAPIDIO is not set diff --git a/cpupower-Fix-build-error-in-cpufreq-info.patch b/cpupower-Fix-build-error-in-cpufreq-info.patch deleted file mode 100644 index 618e3edf2..000000000 --- a/cpupower-Fix-build-error-in-cpufreq-info.patch +++ /dev/null @@ -1,40 +0,0 @@ -From patchwork Mon Jan 18 15:14:43 2016 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 8bit -Subject: cpupower: Fix build error in cpufreq-info -From: "Shreyas B. Prabhu" <shreyas@linux.vnet.ibm.com> -X-Patchwork-Id: 8055301 -Message-Id: <1453130083-16055-1-git-send-email-shreyas@linux.vnet.ibm.com> -To: trenn@suse.com -Cc: linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org, - rafael.j.wysocki@intel.com, jtanenba@redhat.com, - "Shreyas B. Prabhu" <shreyas@linux.vnet.ibm.com> -Date: Mon, 18 Jan 2016 20:44:43 +0530 - -Fix the following build error by including limits.h - - -utils/cpufreq-info.c: In function ‘get_latency’: -utils/cpufreq-info.c:437:29: error: ‘UINT_MAX’ undeclared (first use in -this function) - if (!latency || latency == UINT_MAX) { - ^ -Signed-off-by: Shreyas B. Prabhu <shreyas@linux.vnet.ibm.com> -Fixes: e98f033f94f3 (cpupower: fix how "cpupower frequency-info" interprets latency) - ---- -tools/power/cpupower/utils/cpufreq-info.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tools/power/cpupower/utils/cpufreq-info.c b/tools/power/cpupower/utils/cpufreq-info.c -index 8f3f5bb9c74e..590d12a25f6e 100644 ---- a/tools/power/cpupower/utils/cpufreq-info.c -+++ b/tools/power/cpupower/utils/cpufreq-info.c -@@ -10,6 +10,7 @@ - #include <errno.h> - #include <stdlib.h> - #include <string.h> -+#include <limits.h> - - #include <getopt.h> - @@ -1 +1 @@ -a200dcb34693084e56496960d855afdeaaf9578f +30f05309bde49295e02e45c7e615f73aa4e0ccc2 diff --git a/kernel.spec b/kernel.spec index bb9f1f765..19f2069f0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -75,7 +75,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 6 +%define gitrev 8 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -613,11 +613,11 @@ Patch621: drm-udl-Use-unlocked-gem-unreferencing.patch #CVE-2015-7566 rhbz 1296466 1297517 Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch -# https://patchwork.kernel.org/patch/8055301/ -Patch625: cpupower-Fix-build-error-in-cpufreq-info.patch +#CVE-2016-0723 rhbz 1296253 1300224 +Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch -#CVE-2016-0728 rhbz 1296623 -Patch626: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch +#rhbz 1279653 +Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch # END OF PATCH DEFINITIONS @@ -2067,6 +2067,18 @@ fi # # %changelog +* Thu Jan 21 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc0.git8.1 +- Linux v4.4-10062-g30f0530 + +* Thu Jan 21 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Fix incorrect country code issue on RTL8812AE devices (rhbz 1279653) + +* Wed Jan 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc0.git7.1 +- Linux v4.4-8950-g2b4015e + +* Wed Jan 20 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-0723 memory disclosure and crash in tty layer (rhbz 1296253 1300224) + * Tue Jan 19 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc0.git6.1 - Linux v4.4-8855-ga200dcb - CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623) diff --git a/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch b/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch new file mode 100644 index 000000000..eb44e1e08 --- /dev/null +++ b/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch @@ -0,0 +1,55 @@ +From 933885ecca1a2b8fa03b5756ba1cbb9f094a5861 Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Wed, 20 Jan 2016 21:26:18 -0600 +Subject: [PATCH] rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly + encoded + +Recently, it has been reported that D-Link DWA-582 cards, which use an +RTL8812AE chip are not able to scan for 5G networks. The problems started +with kernel 4.2, which is the first version that had commit d10101a60372 +("rtlwifi: rtl8821ae: Fix problem with regulatory information"). With this +patch, the driver went from setting a default channel plan to using +the value derived from EEPROM. + +Bug reports at https://bugzilla.kernel.org/show_bug.cgi?id=111031 and +https://bugzilla.redhat.com/show_bug.cgi?id=1279653 are examples of this +problem. + +The problem was solved once I learned that the internal country code was +resulting in a regulatory set with only 2.4 GHz channels. With the RTL8821AE +chips available to me, the country code was such that both 2.4 and 5 GHz +channels are allowed. The fix is to allow both bands even when the EEPROM +is incorrectly encoded. + +Fixes: d10101a60372 ("rtlwifi: rtl8821ae: Fix problem with regulatory information") +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Cc: littlesmartguy@gmail.com +Cc: gabe@codehaus.org +Cc: Stable <stable@vger.kernel.org> [v4.2+] +--- + drivers/net/wireless/realtek/rtlwifi/regd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/regd.c b/drivers/net/wireless/realtek/rtlwifi/regd.c +index a62bf0a65c32..5be34118e0af 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/regd.c ++++ b/drivers/net/wireless/realtek/rtlwifi/regd.c +@@ -351,7 +351,6 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select( + case COUNTRY_CODE_SPAIN: + case COUNTRY_CODE_FRANCE: + case COUNTRY_CODE_ISRAEL: +- case COUNTRY_CODE_WORLD_WIDE_13: + return &rtl_regdom_12_13; + case COUNTRY_CODE_MKK: + case COUNTRY_CODE_MKK1: +@@ -360,6 +359,7 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select( + return &rtl_regdom_14_60_64; + case COUNTRY_CODE_GLOBAL_DOMAIN: + return &rtl_regdom_14; ++ case COUNTRY_CODE_WORLD_WIDE_13: + case COUNTRY_CODE_WORLD_WIDE_13_5G_ALL: + return &rtl_regdom_12_13_5g_all; + default: +-- +2.5.0 + @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -64ceedc19f6080bedbafdc1321d9ac95 patch-4.4-git6.xz +07568b33575bf864c7a4bb94eb0d29bb patch-4.4-git8.xz diff --git a/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch b/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch new file mode 100644 index 000000000..d169105db --- /dev/null +++ b/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch @@ -0,0 +1,68 @@ +From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001 +From: Peter Hurley <peter@hurleysoftware.com> +Date: Sun, 10 Jan 2016 22:40:55 -0800 +Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) + +ioctl(TIOCGETD) retrieves the line discipline id directly from the +ldisc because the line discipline id (c_line) in termios is untrustworthy; +userspace may have set termios via ioctl(TCSETS*) without actually +changing the line discipline via ioctl(TIOCSETD). + +However, directly accessing the current ldisc via tty->ldisc is +unsafe; the ldisc ptr dereferenced may be stale if the line discipline +is changing via ioctl(TIOCSETD) or hangup. + +Wait for the line discipline reference (just like read() or write()) +to retrieve the "current" line discipline id. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Peter Hurley <peter@hurleysoftware.com> +--- + drivers/tty/tty_io.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index f435977de740..bd4027e36910 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p) + } + + /** ++ * tiocgetd - get line discipline ++ * @tty: tty device ++ * @p: pointer to user data ++ * ++ * Retrieves the line discipline id directly from the ldisc. ++ * ++ * Locking: waits for ldisc reference (in case the line discipline ++ * is changing or the tty is being hungup) ++ */ ++ ++static int tiocgetd(struct tty_struct *tty, int __user *p) ++{ ++ struct tty_ldisc *ld; ++ int ret; ++ ++ ld = tty_ldisc_ref_wait(tty); ++ ret = put_user(ld->ops->num, p); ++ tty_ldisc_deref(ld); ++ return ret; ++} ++ ++/** + * send_break - performed time break + * @tty: device to break on + * @duration: timeout in mS +@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + case TIOCGSID: + return tiocgsid(tty, real_tty, p); + case TIOCGETD: +- return put_user(tty->ldisc->ops->num, (int __user *)p); ++ return tiocgetd(tty, p); + case TIOCSETD: + return tiocsetd(tty, p); + case TIOCVHANGUP: +-- +2.5.0 + |