diff options
-rw-r--r-- | 0001-Make-__xfs_xattr_put_listen-preperly-report-errors.patch | 44 | ||||
-rw-r--r-- | 0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch | 81 | ||||
-rw-r--r-- | 0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch | 103 | ||||
-rw-r--r-- | arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch | 41 | ||||
-rw-r--r-- | drm-virtio-reinstate-drm_virtio_set_busid.patch | 95 | ||||
-rw-r--r-- | kernel.spec | 15 | ||||
-rw-r--r-- | sources | 2 |
7 files changed, 5 insertions, 376 deletions
diff --git a/0001-Make-__xfs_xattr_put_listen-preperly-report-errors.patch b/0001-Make-__xfs_xattr_put_listen-preperly-report-errors.patch deleted file mode 100644 index c6a47831a..000000000 --- a/0001-Make-__xfs_xattr_put_listen-preperly-report-errors.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 791cc43b36eb1f88166c8505900cad1b43c7fe1a Mon Sep 17 00:00:00 2001 -From: Artem Savkov <asavkov@redhat.com> -Date: Wed, 14 Sep 2016 07:40:35 +1000 -Subject: [PATCH] Make __xfs_xattr_put_listen preperly report errors. - -Commit 2a6fba6 "xfs: only return -errno or success from attr ->put_listent" -changes the returnvalue of __xfs_xattr_put_listen to 0 in case when there is -insufficient space in the buffer assuming that setting context->count to -1 -would be enough, but all of the ->put_listent callers only check seen_enough. -This results in a failed assertion: -XFS: Assertion failed: context->count >= 0, file: fs/xfs/xfs_xattr.c, line: 175 -in insufficient buffer size case. - -This is only reproducible with at least 2 xattrs and only when the buffer -gets depleted before the last one. - -Furthermore if buffersize is such that it is enough to hold the last xattr's -name, but not enough to hold the sum of preceeding xattr names listxattr won't -fail with ERANGE, but will suceed returning last xattr's name without the -first character. The first character end's up overwriting data stored at -(context->alist - 1). - -Signed-off-by: Artem Savkov <asavkov@redhat.com> -Reviewed-by: Dave Chinner <dchinner@redhat.com> -Signed-off-by: Dave Chinner <david@fromorbit.com> ---- - fs/xfs/xfs_xattr.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c -index ea62245..6290093 100644 ---- a/fs/xfs/xfs_xattr.c -+++ b/fs/xfs/xfs_xattr.c -@@ -147,6 +147,7 @@ __xfs_xattr_put_listent( - arraytop = context->count + prefix_len + namelen + 1; - if (arraytop > context->firstu) { - context->count = -1; /* insufficient space */ -+ context->seen_enough = 1; - return 0; - } - offset = (char *)context->alist + context->count; --- -2.7.4 - diff --git a/0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch b/0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch deleted file mode 100644 index 70fec4147..000000000 --- a/0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch +++ /dev/null @@ -1,81 +0,0 @@ -From a397ba829d7f8aff4c90af3704573a28ccd61a59 Mon Sep 17 00:00:00 2001 -From: Marcelo Cerri <marcelo.cerri@canonical.com> -Date: Wed, 28 Sep 2016 13:42:09 -0300 -Subject: [PATCH] crypto: ghash-generic - move common definitions to a new - header file - -Move common values and types used by ghash-generic to a new header file -so drivers can directly use ghash-generic as a fallback implementation. - -Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module") -Cc: stable@vger.kernel.org -Signed-off-by: Marcelo Cerri <marcelo.cerri@canonical.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> ---- - crypto/ghash-generic.c | 13 +------------ - include/crypto/ghash.h | 23 +++++++++++++++++++++++ - 2 files changed, 24 insertions(+), 12 deletions(-) - create mode 100644 include/crypto/ghash.h - -diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c -index bac7099..12ad3e3 100644 ---- a/crypto/ghash-generic.c -+++ b/crypto/ghash-generic.c -@@ -14,24 +14,13 @@ - - #include <crypto/algapi.h> - #include <crypto/gf128mul.h> -+#include <crypto/ghash.h> - #include <crypto/internal/hash.h> - #include <linux/crypto.h> - #include <linux/init.h> - #include <linux/kernel.h> - #include <linux/module.h> - --#define GHASH_BLOCK_SIZE 16 --#define GHASH_DIGEST_SIZE 16 -- --struct ghash_ctx { -- struct gf128mul_4k *gf128; --}; -- --struct ghash_desc_ctx { -- u8 buffer[GHASH_BLOCK_SIZE]; -- u32 bytes; --}; -- - static int ghash_init(struct shash_desc *desc) - { - struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); -diff --git a/include/crypto/ghash.h b/include/crypto/ghash.h -new file mode 100644 -index 0000000..2a61c9b ---- /dev/null -+++ b/include/crypto/ghash.h -@@ -0,0 +1,23 @@ -+/* -+ * Common values for GHASH algorithms -+ */ -+ -+#ifndef __CRYPTO_GHASH_H__ -+#define __CRYPTO_GHASH_H__ -+ -+#include <linux/types.h> -+#include <crypto/gf128mul.h> -+ -+#define GHASH_BLOCK_SIZE 16 -+#define GHASH_DIGEST_SIZE 16 -+ -+struct ghash_ctx { -+ struct gf128mul_4k *gf128; -+}; -+ -+struct ghash_desc_ctx { -+ u8 buffer[GHASH_BLOCK_SIZE]; -+ u32 bytes; -+}; -+ -+#endif --- -2.7.4 - diff --git a/0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch b/0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch deleted file mode 100644 index 69bce6507..000000000 --- a/0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 80da44c29d997e28c4442825f35f4ac339813877 Mon Sep 17 00:00:00 2001 -From: Marcelo Cerri <marcelo.cerri@canonical.com> -Date: Wed, 28 Sep 2016 13:42:10 -0300 -Subject: [PATCH] crypto: vmx - Fix memory corruption caused by p8_ghash - -This patch changes the p8_ghash driver to use ghash-generic as a fixed -fallback implementation. This allows the correct value of descsize to be -defined directly in its shash_alg structure and avoids problems with -incorrect buffer sizes when its state is exported or imported. - -Reported-by: Jan Stancek <jstancek@redhat.com> -Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module") -Cc: stable@vger.kernel.org -Signed-off-by: Marcelo Cerri <marcelo.cerri@canonical.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> ---- - drivers/crypto/vmx/ghash.c | 31 ++++++++++++++++--------------- - 1 file changed, 16 insertions(+), 15 deletions(-) - -diff --git a/drivers/crypto/vmx/ghash.c b/drivers/crypto/vmx/ghash.c -index 6c999cb0..27a94a1 100644 ---- a/drivers/crypto/vmx/ghash.c -+++ b/drivers/crypto/vmx/ghash.c -@@ -26,16 +26,13 @@ - #include <linux/hardirq.h> - #include <asm/switch_to.h> - #include <crypto/aes.h> -+#include <crypto/ghash.h> - #include <crypto/scatterwalk.h> - #include <crypto/internal/hash.h> - #include <crypto/b128ops.h> - - #define IN_INTERRUPT in_interrupt() - --#define GHASH_BLOCK_SIZE (16) --#define GHASH_DIGEST_SIZE (16) --#define GHASH_KEY_LEN (16) -- - void gcm_init_p8(u128 htable[16], const u64 Xi[2]); - void gcm_gmult_p8(u64 Xi[2], const u128 htable[16]); - void gcm_ghash_p8(u64 Xi[2], const u128 htable[16], -@@ -55,16 +52,11 @@ struct p8_ghash_desc_ctx { - - static int p8_ghash_init_tfm(struct crypto_tfm *tfm) - { -- const char *alg; -+ const char *alg = "ghash-generic"; - struct crypto_shash *fallback; - struct crypto_shash *shash_tfm = __crypto_shash_cast(tfm); - struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm); - -- if (!(alg = crypto_tfm_alg_name(tfm))) { -- printk(KERN_ERR "Failed to get algorithm name.\n"); -- return -ENOENT; -- } -- - fallback = crypto_alloc_shash(alg, 0, CRYPTO_ALG_NEED_FALLBACK); - if (IS_ERR(fallback)) { - printk(KERN_ERR -@@ -78,10 +70,18 @@ static int p8_ghash_init_tfm(struct crypto_tfm *tfm) - crypto_shash_set_flags(fallback, - crypto_shash_get_flags((struct crypto_shash - *) tfm)); -- ctx->fallback = fallback; - -- shash_tfm->descsize = sizeof(struct p8_ghash_desc_ctx) -- + crypto_shash_descsize(fallback); -+ /* Check if the descsize defined in the algorithm is still enough. */ -+ if (shash_tfm->descsize < sizeof(struct p8_ghash_desc_ctx) -+ + crypto_shash_descsize(fallback)) { -+ printk(KERN_ERR -+ "Desc size of the fallback implementation (%s) does not match the expected value: %lu vs %u\n", -+ alg, -+ shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx), -+ crypto_shash_descsize(fallback)); -+ return -EINVAL; -+ } -+ ctx->fallback = fallback; - - return 0; - } -@@ -113,7 +113,7 @@ static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key, - { - struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(tfm)); - -- if (keylen != GHASH_KEY_LEN) -+ if (keylen != GHASH_BLOCK_SIZE) - return -EINVAL; - - preempt_disable(); -@@ -211,7 +211,8 @@ struct shash_alg p8_ghash_alg = { - .update = p8_ghash_update, - .final = p8_ghash_final, - .setkey = p8_ghash_setkey, -- .descsize = sizeof(struct p8_ghash_desc_ctx), -+ .descsize = sizeof(struct p8_ghash_desc_ctx) -+ + sizeof(struct ghash_desc_ctx), - .base = { - .cra_name = "ghash", - .cra_driver_name = "p8_ghash", --- -2.7.4 - diff --git a/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch deleted file mode 100644 index 81ed8814d..000000000 --- a/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: 2016-09-15 13:44:56 -Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer() - -We need to put an upper bound on "user_len" so the memcpy() doesn't -overflow. - -Reported-by: Marco Grassi <marco.gra@gmail.com> -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Reviewed-by: Tomas Henzl <thenzl@redhat.com> - -diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c -index 7640498..110eca9 100644 ---- a/drivers/scsi/arcmsr/arcmsr_hba.c -+++ b/drivers/scsi/arcmsr/arcmsr_hba.c -@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, - } - case ARCMSR_MESSAGE_WRITE_WQBUFFER: { - unsigned char *ver_addr; -- int32_t user_len, cnt2end; -+ uint32_t user_len; -+ int32_t cnt2end; - uint8_t *pQbuffer, *ptmpuserbuffer; - ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); - if (!ver_addr) { -@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, - } - ptmpuserbuffer = ver_addr; - user_len = pcmdmessagefld->cmdmessage.Length; -+ if (user_len > ARCMSR_API_DATA_BUFLEN) { -+ retvalue = ARCMSR_MESSAGE_FAIL; -+ kfree(ver_addr); -+ goto message_out; -+ } - memcpy(ptmpuserbuffer, - pcmdmessagefld->messagedatabuffer, user_len); - spin_lock_irqsave(&acb->wqbuffer_lock, flags); --- -To unsubscribe from this list: send the line "unsubscribe linux-scsi" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drm-virtio-reinstate-drm_virtio_set_busid.patch b/drm-virtio-reinstate-drm_virtio_set_busid.patch deleted file mode 100644 index 52698e235..000000000 --- a/drm-virtio-reinstate-drm_virtio_set_busid.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 61d19a658598b2d3ea80a5a02a59d9ea0ff08ce6 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek <lersek@redhat.com> -Date: Mon, 3 Oct 2016 19:43:03 +0200 -Subject: [PATCH] drm: virtio: reinstate drm_virtio_set_busid() - -Before commit a325725633c2 ("drm: Lobotomize set_busid nonsense for !pci -drivers"), several DRM drivers for platform devices used to expose an -explicit "drm_driver.set_busid" callback, invariably backed by -drm_platform_set_busid(). - -Commit a325725633c2 removed drm_platform_set_busid(), along with the -referring .set_busid field initializations. This was justified because -interchangeable functionality had been implemented in drm_dev_alloc() / -drm_dev_init(), which DRM_IOCTL_SET_VERSION would rely on going forward. - -However, commit a325725633c2 also removed drm_virtio_set_busid(), for -which the same consolidation was not appropriate: this .set_busid callback -had been implemented with drm_pci_set_busid(), and not -drm_platform_set_busid(). The error regressed Xorg/xserver on QEMU's -"virtio-vga" card; the drmGetBusid() function from libdrm would no longer -return stable PCI identifiers like "pci:0000:00:02.0", but rather unstable -platform ones like "virtio0". - -Reinstate drm_virtio_set_busid() with judicious use of - - git checkout -p a325725633c2^ -- drivers/gpu/drm/virtio - -Cc: Daniel Vetter <daniel.vetter@ffwll.ch> -Cc: Daniel Vetter <daniel.vetter@intel.com> -Cc: David Airlie <airlied@redhat.com> -Cc: Emil Velikov <emil.l.velikov@gmail.com> -Cc: Gerd Hoffmann <kraxel@redhat.com> -Cc: Gustavo Padovan <gustavo.padovan@collabora.co.uk> -Cc: Hans de Goede <hdegoede@redhat.com> -Cc: Joachim Frieben <jfrieben@hotmail.com> -Cc: stable@vger.kernel.org -Reported-by: Joachim Frieben <jfrieben@hotmail.com> -Fixes: a325725633c26aa66ab940f762a6b0778edf76c0 -Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1366842 -Signed-off-by: Laszlo Ersek <lersek@redhat.com> -Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com> ---- - drivers/gpu/drm/virtio/virtgpu_drm_bus.c | 10 ++++++++++ - drivers/gpu/drm/virtio/virtgpu_drv.c | 1 + - drivers/gpu/drm/virtio/virtgpu_drv.h | 1 + - 3 files changed, 12 insertions(+) - -diff --git a/drivers/gpu/drm/virtio/virtgpu_drm_bus.c b/drivers/gpu/drm/virtio/virtgpu_drm_bus.c -index 7f0e93f87a55..88a39165edd5 100644 ---- a/drivers/gpu/drm/virtio/virtgpu_drm_bus.c -+++ b/drivers/gpu/drm/virtio/virtgpu_drm_bus.c -@@ -27,6 +27,16 @@ - - #include "virtgpu_drv.h" - -+int drm_virtio_set_busid(struct drm_device *dev, struct drm_master *master) -+{ -+ struct pci_dev *pdev = dev->pdev; -+ -+ if (pdev) { -+ return drm_pci_set_busid(dev, master); -+ } -+ return 0; -+} -+ - static void virtio_pci_kick_out_firmware_fb(struct pci_dev *pci_dev) - { - struct apertures_struct *ap; -diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.c b/drivers/gpu/drm/virtio/virtgpu_drv.c -index c13f70cfc461..5820b7020ae5 100644 ---- a/drivers/gpu/drm/virtio/virtgpu_drv.c -+++ b/drivers/gpu/drm/virtio/virtgpu_drv.c -@@ -117,6 +117,7 @@ static const struct file_operations virtio_gpu_driver_fops = { - - static struct drm_driver driver = { - .driver_features = DRIVER_MODESET | DRIVER_GEM | DRIVER_PRIME | DRIVER_RENDER | DRIVER_ATOMIC, -+ .set_busid = drm_virtio_set_busid, - .load = virtio_gpu_driver_load, - .unload = virtio_gpu_driver_unload, - .open = virtio_gpu_driver_open, -diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h -index b18ef3111f0c..acf556a35cb2 100644 ---- a/drivers/gpu/drm/virtio/virtgpu_drv.h -+++ b/drivers/gpu/drm/virtio/virtgpu_drv.h -@@ -49,6 +49,7 @@ - #define DRIVER_PATCHLEVEL 1 - - /* virtgpu_drm_bus.c */ -+int drm_virtio_set_busid(struct drm_device *dev, struct drm_master *master); - int drm_virtio_init(struct drm_driver *driver, struct virtio_device *vdev); - - struct virtio_gpu_object { --- -2.7.4 - diff --git a/kernel.spec b/kernel.spec index 29252e00d..d51cc2a69 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -642,16 +642,6 @@ Patch848: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch #ongoing complaint, full discussion delayed until ksummit/plumbers Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch -#CVE-2016-7425 rhbz 1377330 1377331 -Patch850: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch - -#rhbz 1366842 -Patch851: drm-virtio-reinstate-drm_virtio_set_busid.patch - -# Fix memory corruption caused by p8_ghash -Patch852: 0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch -Patch853: 0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch - # END OF PATCH DEFINITIONS %endif @@ -2191,6 +2181,9 @@ fi # # %changelog +* Mon Oct 24 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.4-300 +- Linux v4.8.4 + * Thu Oct 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.3-300 - Linux v4.8.3 - CVE-2016-5195 (rhbz 1384344 1387080) @@ -1,3 +1,3 @@ c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz 0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz -9e430392b1cc430522fa7b27fc4301fc patch-4.8.3.xz +4d85e2c59ec33dd7766e18d079e75114 patch-4.8.4.xz |