-rw-r--r-- | 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch | 37 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch | 33 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch | 34 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch | 34 | ||||
-rw-r--r-- | bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch | 46 | ||||
-rw-r--r-- | bpf-fix-refcnt-overflow.patch | 158 | ||||
-rw-r--r-- | config-generic | 2 | ||||
-rw-r--r-- | config-x86-generic | 4 | ||||
-rw-r--r-- | kernel.spec | 44 | ||||
-rw-r--r-- | net-fix-infoleak-in-llc.patch | 32 | ||||
-rw-r--r-- | net-fix-infoleak-in-rtnetlink.patch | 50 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | sp5100_tco-properly-check-for-new-register-layouts.patch | 75 |
13 files changed, 503 insertions, 48 deletions
diff --git a/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch b/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
deleted file mode 100644
index d26c5d52d..000000000
--- a/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 88fd0f33c3cc5aa6a26f56902241941ac717e9f8 Mon Sep 17 00:00:00 2001
-From: Peter Robinson <pbrobinson@gmail.com>
-Date: Wed, 27 Apr 2016 13:44:05 +0100
-Subject: [PATCH] gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading
-
---
- drivers/gpu/ipu-v3/ipu-common.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
-index e00db3f..abb98c7 100644
---- a/drivers/gpu/ipu-v3/ipu-common.c
-+++ b/drivers/gpu/ipu-v3/ipu-common.c
-@@ -1068,7 +1068,6 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base)
- goto err_register;
- }
-
-- pdev->dev.of_node = of_node;
- pdev->dev.parent = dev;
-
- ret = platform_device_add_data(pdev, ®->pdata,
-@@ -1079,6 +1078,12 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base)
- platform_device_put(pdev);
- goto err_register;
- }
-+
-+ /*
-+ * Set of_node only after calling platform_device_add. Otherwise
-+ * the platform:imx-ipuv3-crtc modalias won't be used.
-+ */
-+ pdev->dev.of_node = of_node;
- }
-
- return 0;
---
-2.7.4
-
diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
new file mode 100644
index 000000000..3eb8bf183
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
@@ -0,0 +1,33 @@
+From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 6469bedda2f3..964f5ebf495e 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
+ if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ if (tu->tread) {
+ struct snd_timer_tread tread;
++ memset(&tread, 0, sizeof(tread));
+ tread.event = SNDRV_TIMER_EVENT_EARLY;
+ tread.tstamp.tv_sec = 0;
+ tread.tstamp.tv_nsec = 0;
+--
+2.5.5
+
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
new file mode 100644
index 000000000..e6f46f8a8
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
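Review bot: After the added `memset(&tread, 0, sizeof(tread));`, the two stores `tread.tstamp.tv_sec = 0;` and `tread.tstamp.tv_nsec = 0;` that follow in the same hunk are redundant. Upstream kept them for a minimal diff, which is the right call for a verbatim backport, but anyone reworking snd_timer_user_params later can drop them. The rest of the function, including the copy to user space that motivates the memset, lies outside the hunk.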
@@ -0,0 +1,34 @@
+From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
+ snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 964f5ebf495e..e98fa5feb731 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
+ tu->tstamp = *tstamp;
+ if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ return;
++ memset(&r1, 0, sizeof(r1));
+ r1.event = event;
+ r1.tstamp = *tstamp;
+ r1.val = resolution;
+--
+2.5.5
+
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
new file mode 100644
index 000000000..7851c55a2
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
@@ -0,0 +1,34 @@
+From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
+ snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index e98fa5feb731..c69a27155433 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
+ }
+ if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ tu->last_resolution != resolution) {
++ memset(&r1, 0, sizeof(r1));
+ r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ r1.tstamp = tstamp;
+ r1.val = resolution;
+--
+2.5.5
+
diff --git a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
new file mode 100644
index 000000000..3ba32bae7
--- /dev/null
+++ b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
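Review bot: The added `memset(&r1, 0, sizeof(r1));` sits inside the resolution branch, so it only runs when that branch is taken; r1 is not declared in the hunk and therefore appears to be a function-scope object, and snd_timer_user_tinterrupt continues well past the hunk. If r1 is filled again further down for another event type on a path that skips this branch (something to confirm against the full function), that path would still queue a struct whose padding is uninitialized. Moving the memset to the top of the function, right after the declarations, would cover every use regardless of branch; as this file is a verbatim upstream backport, that belongs in a follow-up patch rather than an edit to this one.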
@@ -0,0 +1,46 @@
+From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 26 Apr 2016 22:26:26 +0200
+Subject: [PATCH] bpf: fix double-fdput in replace_map_fd_with_map_ptr()
+
+When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
+references a non-map file descriptor as a map file descriptor, the error
+handling code called fdput() twice instead of once (in __bpf_map_get() and
+in replace_map_fd_with_map_ptr()). If the file descriptor table of the
+current task is shared, this causes f_count to be decremented too much,
+allowing the struct file to be freed while it is still in use
+(use-after-free). This can be exploited to gain root privileges by an
+unprivileged user.
+
+This bug was introduced in
+commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
+exploitable since
+commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
+previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
+
+(posted publicly according to request by maintainer)
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ kernel/bpf/verifier.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 618ef77c302a..db2574e7b8b0 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
+ if (IS_ERR(map)) {
+ verbose("fd %d is not pointing to valid bpf_map\n",
+ insn->imm);
+- fdput(f);
+ return PTR_ERR(map);
+ }
+
+--
+2.5.5
+
diff --git a/bpf-fix-refcnt-overflow.patch b/bpf-fix-refcnt-overflow.patch
new file mode 100644
index 000000000..1143c8286
--- /dev/null
+++ b/bpf-fix-refcnt-overflow.patch
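Review bot: Removing `fdput(f);` from the IS_ERR(map) branch is only correct because __bpf_map_get() already drops the fd reference on its own error path, an invariant that is not visible in this hunk and that a later reader could easily miss and "fix" by re-adding the put. A one-line comment in the branch, e.g. `/* __bpf_map_get() already did fdput() on error; do not put again */`, would pin that contract. replace_map_fd_with_map_ptr continues outside the hunk; the success path is expected to keep its own fdput(f) once the map pointer has been taken.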
@@ -0,0 +1,158 @@
+From 86db8dac9286f8397434184a6b442b6419e54ec0 Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@fb.com>
+Date: Wed, 27 Apr 2016 18:56:20 -0700
+Subject: [PATCH] bpf: fix refcnt overflow
+
+On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK,
+the malicious application may overflow 32-bit bpf program refcnt.
+It's also possible to overflow map refcnt on 1Tb system.
+Impose 32k hard limit which means that the same bpf program or
+map cannot be shared by more than 32k processes.
+
+Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/linux/bpf.h | 3 ++-
+ kernel/bpf/inode.c | 7 ++++---
+ kernel/bpf/syscall.c | 24 ++++++++++++++++++++----
+ kernel/bpf/verifier.c | 11 +++++++----
+ 4 files changed, 33 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 83d1926c61e4..67bc2da5d233 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl);
+ void bpf_register_map_type(struct bpf_map_type_list *tl);
+
+ struct bpf_prog *bpf_prog_get(u32 ufd);
++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
+ void bpf_prog_put(struct bpf_prog *prog);
+ void bpf_prog_put_rcu(struct bpf_prog *prog);
+
+ struct bpf_map *bpf_map_get_with_uref(u32 ufd);
+ struct bpf_map *__bpf_map_get(struct fd f);
+-void bpf_map_inc(struct bpf_map *map, bool uref);
++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref);
+ void bpf_map_put_with_uref(struct bpf_map *map);
+ void bpf_map_put(struct bpf_map *map);
+
+diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
+index 5a8a797d50b7..d1a7646f79c5 100644
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum bpf_type type)
+ {
+ switch (type) {
+ case BPF_TYPE_PROG:
+- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt);
++ raw = bpf_prog_inc(raw);
+ break;
+ case BPF_TYPE_MAP:
+- bpf_map_inc(raw, true);
++ raw = bpf_map_inc(raw, true);
+ break;
+ default:
+ WARN_ON_ONCE(1);
+@@ -277,7 +277,8 @@ static void *bpf_obj_do_get(const struct filename *pathname,
+ goto out;
+
+ raw = bpf_any_get(inode->i_private, *type);
+- touch_atime(&path);
++ if (!IS_ERR(raw))
++ touch_atime(&path);
+
+ path_put(&path);
+ return raw;
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 3b39550d8485..4e32cc94edd9 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -181,11 +181,18 @@ struct bpf_map *__bpf_map_get(struct fd f)
+ return f.file->private_data;
+ }
+
+-void bpf_map_inc(struct bpf_map *map, bool uref)
++/* prog's and map's refcnt limit */
++#define BPF_MAX_REFCNT 32768
++
++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref)
+ {
+- atomic_inc(&map->refcnt);
++ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {
++ atomic_dec(&map->refcnt);
++ return ERR_PTR(-EBUSY);
++ }
+ if (uref)
+ atomic_inc(&map->usercnt);
++ return map;
+ }
+
+ struct bpf_map *bpf_map_get_with_uref(u32 ufd)
+@@ -197,7 +204,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd)
+ if (IS_ERR(map))
+ return map;
+
+- bpf_map_inc(map, true);
++ map = bpf_map_inc(map, true);
+ fdput(f);
+
+ return map;
+@@ -580,6 +587,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f)
+ return f.file->private_data;
+ }
+
++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
++{
++ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) {
++ atomic_dec(&prog->aux->refcnt);
++ return ERR_PTR(-EBUSY);
++ }
++ return prog;
++}
++
+ /* called by sockets/tracing/seccomp before attaching program to an event
+ * pairs with bpf_prog_put()
+ */
+@@ -592,7 +608,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd)
+ if (IS_ERR(prog))
+ return prog;
+
+- atomic_inc(&prog->aux->refcnt);
++ prog = bpf_prog_inc(prog);
+ fdput(f);
+
+ return prog;
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 2e7f7ab739e4..060e4c4c37ea 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
+ return -E2BIG;
+ }
+
+- /* remember this map */
+- env->used_maps[env->used_map_cnt++] = map;
+-
+ /* hold the map. If the program is rejected by verifier,
+ * the map will be released by release_maps() or it
+ * will be used by the valid program until it's unloaded
+ * and all maps are released in free_bpf_prog_info()
+ */
+- bpf_map_inc(map, false);
++ map = bpf_map_inc(map, false);
++ if (IS_ERR(map)) {
++ fdput(f);
++ return PTR_ERR(map);
++ }
++ env->used_maps[env->used_map_cnt++] = map;
++
+ fdput(f);
+ next_insn:
+ insn++;
+--
+2.5.5
+
diff --git a/config-generic b/config-generic
index c2e8352ce..ccc53d89a 100644
--- a/config-generic
+++ b/config-generic
@@ -1969,7 +1969,7 @@ CONFIG_RTL8188EE=m
 CONFIG_RTL8821AE=m
 CONFIG_RTL8XXXU=m
 # NOTE! This should be disabled when branching to stable
-CONFIG_RTL8XXXU_UNTESTED=y
+# CONFIG_RTL8XXXU_UNTESTED is not set
 CONFIG_MWIFIEX=m
 CONFIG_MWIFIEX_SDIO=m
diff --git a/config-x86-generic b/config-x86-generic
index 47060b9de..ea3d44975 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -319,8 +319,8 @@ CONFIG_INPUT_XEN_KBDDEV_FRONTEND=m
 CONFIG_XEN_SELFBALLOONING=y
 CONFIG_XEN_PCIDEV_BACKEND=m
 CONFIG_XEN_ACPI_PROCESSOR=m
-# CONFIG_XEN_SCSI_FRONTEND is not set
-# CONFIG_XEN_SCSI_BACKEND is not set
+CONFIG_XEN_SCSI_FRONTEND=m
+CONFIG_XEN_SCSI_BACKEND=m
 CONFIG_XEN_SYMS=y
 CONFIG_SPI=y
diff --git a/kernel.spec b/kernel.spec
index 3f3ef903f..9360b6a4f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -59,7 +59,7 @@ Summary: The Linux kernel
 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
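Review bot: In the verifier hunk, `env->used_maps[env->used_map_cnt++] = map;` is moved below the new bpf_map_inc() error check so that release_maps() can never put a reference that was never taken, but the comment block that survives above it still only explains the hold, not this ordering, and the old `/* remember this map */` comment is dropped rather than moved. A short comment on the relocated line, e.g. `/* register only after the ref is held: release_maps() puts every entry */`, would keep someone from restoring the old order. The new error path in that hunk still calls fdput(f), which is correct here because __bpf_map_get() succeeded, in contrast to the IS_ERR(map) branch fixed by bpf-fix-double-fdput; a one-line note that the two branches differ for that reason would help a reader holding both patches.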
@@ -524,9 +524,6 @@ Patch422: geekbox-v4-device-tree-support.patch
 # http://www.spinics.net/lists/arm-kernel/msg483898.html
 Patch423: Initial-AllWinner-A64-and-PINE64-support.patch
-# rhbz 1321330 http://www.spinics.net/lists/dri-devel/msg105829.html
-Patch425: 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
-
 # http://www.spinics.net/lists/linux-tegra/msg26029.html
 Patch426: usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch
@@ -650,9 +647,6 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 # CVE-2016-3672 rhbz 1324749 1324750
 Patch689: x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch
-#rhbz 1309980
-Patch698: 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch
-
 #rhbz 1309487
 Patch701: antenna_select.patch
@@ -671,6 +665,22 @@ Patch705: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
 #CVE-2016-4482 rhbz 1332931 1332932
 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
+#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321
+Patch707: net-fix-infoleak-in-llc.patch
+Patch708: net-fix-infoleak-in-rtnetlink.patch
+
+#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311
+Patch711: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
+Patch712: bpf-fix-refcnt-overflow.patch
+
+#rhbz 1328633
+Patch713: sp5100_tco-properly-check-for-new-register-layouts.patch
+
+#CVE-2016-4569 rhbz 1334643 1334645
+Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
+Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
+Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
+
 # END OF PATCH DEFINITIONS
 %endif
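Review bot: The `Patch698:` definition for 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch is dropped in the second hunk, but the diffstat at the top of this commit lists no deletion of that file, whereas Patch425's file is deleted in the same commit; if the ACPI patch file is still in the tree it is now an orphan and should go in a follow-up (if it was removed earlier, nothing is needed). Neither removal is recorded in the changelog hunk either; a line such as `- Drop patches merged in 4.5.4` under the 4.5.4 entry would explain why Patch425 and Patch698 vanished, assuming that is the reason.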
@@ -2195,6 +2205,26 @@ fi
 #
 # %changelog
+* Wed May 11 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.4-300
+- Linux v4.5.4
+
+* Tue May 10 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Enable XEN SCSI front and backend (rhbz 1334512)
+- CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645)
+
+* Mon May 09 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix ACPI issues with sp5100_tco (rhbz 1328633)
+
+* Mon May 09 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4557 bpf: Use after free vulnerability via double fdput
+  CVE-2016-4558 bpf: refcnt overflow (rhbz 1334307 1334303 1334311)
+
+* Fri May 06 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Oops in propogate_mnt if first copy is slave (rhbz 1333712 1333713)
+
+* Thu May 05 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4486 CVE-2016-4485 info leaks (rhbz 1333316 1333309 1333321)
+
 * Wed May 04 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.3-300
 - Linux v4.5.3
diff --git a/net-fix-infoleak-in-llc.patch b/net-fix-infoleak-in-llc.patch
new file mode 100644
index 000000000..38f0d506a
--- /dev/null
+++ b/net-fix-infoleak-in-llc.patch
@@ -0,0 +1,32 @@
+From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:35:05 -0400
+Subject: [PATCH 2/2] net: fix infoleak in llc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “info” has a total size of 12 bytes. Its last byte
+is padding which is not initialized and leaked via “put_cmsg”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/llc/af_llc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index b3c52e3f689a..8ae3ed97d95c 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
+ if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
+ struct llc_pktinfo info;
+
++ memset(&info, 0, sizeof(info));
+ info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
+ llc_pdu_decode_dsap(skb, &info.lpi_sap);
+ llc_pdu_decode_da(skb, info.lpi_mac);
+--
+2.5.5
+
diff --git a/net-fix-infoleak-in-rtnetlink.patch b/net-fix-infoleak-in-rtnetlink.patch
new file mode 100644
index 000000000..0da35108d
--- /dev/null
+++ b/net-fix-infoleak-in-rtnetlink.patch
@@ -0,0 +1,50 @@
+From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:46:24 -0400
+Subject: [PATCH 1/2] net: fix infoleak in rtnetlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “map” has a total size of 32 bytes. Its last 4
+bytes are padding generated by compiler. These padding bytes are
+not initialized and sent out via “nla_put”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/core/rtnetlink.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index a75f7e94b445..65763c29f845 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+
+ static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
+ {
+- struct rtnl_link_ifmap map = {
+- .mem_start = dev->mem_start,
+- .mem_end = dev->mem_end,
+- .base_addr = dev->base_addr,
+- .irq = dev->irq,
+- .dma = dev->dma,
+- .port = dev->if_port,
+- };
++ struct rtnl_link_ifmap map;
++
++ memset(&map, 0, sizeof(map));
++ map.mem_start = dev->mem_start;
++ map.mem_end = dev->mem_end;
++ map.base_addr = dev->base_addr;
++ map.irq = dev->irq;
++ map.dma = dev->dma;
++ map.port = dev->if_port;
++
+ if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
+ return -EMSGSIZE;
+
+--
+2.5.5
+
@@ -1,3 +1,3 @@
 a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz
 6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz
-efc81327bd2bd0d946f057ac71cbb1a7 patch-4.5.3.xz
+137460a1e32335e2eedc61fcfc2643fa patch-4.5.4.xz
diff --git a/sp5100_tco-properly-check-for-new-register-layouts.patch b/sp5100_tco-properly-check-for-new-register-layouts.patch
new file mode 100644
index 000000000..83c86d151
--- /dev/null
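Review bot: This is the one patch in the series where the fix rewrites a designated initializer into memset() plus member stores, and neither the description nor the code says why the initializer had to go, so a later cleanup could plausibly fold it back into `= { ... }` and reintroduce the leak. The C standard does not guarantee that padding bytes of an automatic object are zeroed by an initializer list (only the named members are), so the memset is what makes all 32 bytes handed to nla_put() defined. A one-line comment above the memset, e.g. `/* memset, not an initializer: padding is not guaranteed zeroed and nla_put() copies it out */`, would preserve that intent for the next reader.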
+++ b/sp5100_tco-properly-check-for-new-register-layouts.patch 
@@ -0,0 +1,75 @@
+From 5896a59895689db447e888c1714022bbb9526ede Mon Sep 17 00:00:00 2001
+From: Lucas Stach <dev@lynxeye.de>
+Date: Tue, 3 May 2016 19:15:58 +0200
+Subject: [PATCH] sp5100_tco: properly check for new register layouts
+
+Commits 190aa4304de6 (Add AMD Mullins platform support) and
+cca118fa2a0a94 (Add AMD Carrizo platform support) enabled the
+driver on a lot more devices, but the following commit missed
+a single location in the code when checking if the SB800 register
+offsets should be used. This leads to the wrong register being
+written which in turn causes ACPI to go haywire.
+
+Fix this by introducing a helper function to check for the new
+register layout and use this consistently.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=114201
+https://bugzilla.redhat.com/show_bug.cgi?id=1329910
+Fixes: bdecfcdb5461 (sp5100_tco: fix the device check for SB800
+and later chipsets)
+Cc: stable@vger.kernel.org (4.5+)
+Signed-off-by: Lucas Stach <dev@lynxeye.de>
+---
+ drivers/watchdog/sp5100_tco.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/watchdog/sp5100_tco.c b/drivers/watchdog/sp5100_tco.c
+index 6467b91..028618c 100644
+--- a/drivers/watchdog/sp5100_tco.c
++++ b/drivers/watchdog/sp5100_tco.c
+@@ -73,6 +73,13 @@ MODULE_PARM_DESC(nowayout, "Watchdog cannot be stopped once started."
+ /*
+ * Some TCO specific functions
+ */
++
++static bool tco_has_sp5100_reg_layout(struct pci_dev *dev)
++{
++ return dev->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
++ dev->revision < 0x40;
++}
++
+ static void tco_timer_start(void)
+ {
+ u32 val;
+@@ -129,7 +136,7 @@ static void tco_timer_enable(void)
+ {
+ int val;
+
+- if (sp5100_tco_pci->revision >= 0x40) {
++ if (!tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
+ /* For SB800 or later */
+ /* Set the Watchdog timer resolution to 1 sec */
+ outb(SB800_PM_WATCHDOG_CONFIG, SB800_IO_PM_INDEX_REG);
+@@ -342,8 +349,7 @@ static unsigned char sp5100_tco_setupdevice(void)
+ /*
+ * Determine type of southbridge chipset.
+ */
+- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
+- sp5100_tco_pci->revision < 0x40) {
++ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
+ dev_name = SP5100_DEVNAME;
+ index_reg = SP5100_IO_PM_INDEX_REG;
+ data_reg = SP5100_IO_PM_DATA_REG;
+@@ -388,8 +394,7 @@ static unsigned char sp5100_tco_setupdevice(void)
+ * Secondly, Find the watchdog timer MMIO address
+ * from SBResource_MMIO register.
+ */
+- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
+- sp5100_tco_pci->revision < 0x40) {
++ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
+ /* Read SBResource_MMIO from PCI config(PCI_Reg: 9Ch) */
+ pci_read_config_dword(sp5100_tco_pci,
+ SP5100_SB_RESOURCE_MMIO_BASE, &val);
+--
+2.7.4
+
|
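Review bot: `tco_has_sp5100_reg_layout()` only reads `dev->device` and `dev->revision`, so its parameter should be `const struct pci_dev *dev`, which makes the read-only contract explicit and lets const callers use it. The helper also has no comment, and the three call sites now read as `if (!tco_has_sp5100_reg_layout(...))` in tco_timer_enable and `if (tco_has_sp5100_reg_layout(...))` in sp5100_tco_setupdevice, with the meaning carried only by the neighbouring `/* For SB800 or later */` context line; a one-line comment above the helper stating that it returns true for the original SP5100 register layout and false for SB800-and-later parts would make each branch self-explanatory. As this file is a verbatim upstream backport, both tweaks belong upstream rather than in this copy.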