-rw-r--r-- | HID-multitouch-fix-input-mode-switching-on-some-Elan.patch | 94 | ||||
-rw-r--r-- | HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch | 49 | ||||
-rw-r--r-- | KVM-svm-unconditionally-intercept-DB.patch | 80 | ||||
-rw-r--r-- | cfg80211-wext-fix-message-ordering.patch | 83 | ||||
-rw-r--r-- | config-arm64 | 1 | ||||
-rw-r--r-- | isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch | 40 | ||||
-rw-r--r-- | kernel.spec | 39 | ||||
-rw-r--r-- | media-Revert-media-ivtv-avoid-going-past-input-audio.patch | 38 | ||||
-rw-r--r-- | media-ivtv-avoid-going-past-input-audio-array.patch | 29 | ||||
-rw-r--r-- | ppp-slip-Validate-VJ-compression-slot-parameters-com.patch | 139 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | unix-properly-account-for-FDs-passed-over-unix-socke.patch | 140 | ||||
-rw-r--r-- | wext-fix-message-delay-ordering.patch | 122 |
13 files changed, 444 insertions, 412 deletions
diff --git a/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch b/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
new file mode 100644
index 000000000..c469460e5
--- /dev/null
+++ b/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
@@ -0,0 +1,94 @@
+From cd1e1e286bb3c4fa8714c1e571ae082e510efd5d Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Tue, 1 Dec 2015 12:41:38 +0100
+Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels
+
+as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
+
+This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
+reports on demand for Win8 devices") as the origin of the problem but this
+commit actually masked 2 firmware bugs that are annihilating each other:
+
+The report descriptor declares two features in reports 3 and 5:
+
+0x05, 0x0d, // Usage Page (Digitizers) 318
+0x09, 0x0e, // Usage (Device Configuration) 320
+0xa1, 0x01, // Collection (Application) 322
+0x85, 0x03, // Report ID (3) 324
+0x09, 0x22, // Usage (Finger) 326
+0xa1, 0x00, // Collection (Physical) 328
+0x09, 0x52, // Usage (Inputmode) 330
+0x15, 0x00, // Logical Minimum (0) 332
+0x25, 0x0a, // Logical Maximum (10) 334
+0x75, 0x08, // Report Size (8) 336
+0x95, 0x02, // Report Count (2) 338
+0xb1, 0x02, // Feature (Data,Var,Abs) 340
+0xc0, // End Collection 342
+0x09, 0x22, // Usage (Finger) 343
+0xa1, 0x00, // Collection (Physical) 345
+0x85, 0x05, // Report ID (5) 347
+0x09, 0x57, // Usage (Surface Switch) 349
+0x09, 0x58, // Usage (Button Switch) 351
+0x15, 0x00, // Logical Minimum (0) 353
+0x75, 0x01, // Report Size (1) 355
+0x95, 0x02, // Report Count (2) 357
+0x25, 0x03, // Logical Maximum (3) 359
+0xb1, 0x02, // Feature (Data,Var,Abs) 361
+0x95, 0x0e, // Report Count (14) 363
+0xb1, 0x03, // Feature (Cnst,Var,Abs) 365
+0xc0, // End Collection 367
+
+The report ID 3 presents 2 input mode features, while only the first one
+is handled by the device. Given that we did not checked if one was
+previously assigned, we were dealing with the ignored featured and we
+should never have been able to switch this panel into the multitouch mode.
+
+However, the firmware presents an other bugs which allowed 6d4f5440
+to counteract the faulty report descriptor. When we request the values
+of the feature 5, the firmware answers "03 03 00". The fields are correct
+but the report id is wrong. Before 6d4f5440, we retrieved all the features
+and injected them in the system. So when we called report 5, we injected
+in the system the report 3 with the values "03 00".
+Setting the second input mode to 03 in this report changed it to "03 03"
+and the touchpad switched to the mt mode. We could have set anything
+in the second field because the actual value (the first 03 in this report)
+was given by the query of report ID 5.
+
+To sum up: 2 bugs in the firmware were hiding that we were accessing the
+wrong feature.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-multitouch.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index ba94044cb859..d866720412cd 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hid_device *hdev,
+ break;
+ }
+
+- td->inputmode = field->report->id;
+- td->inputmode_index = usage->usage_index;
++ if (td->inputmode < 0) {
++ td->inputmode = field->report->id;
++ td->inputmode_index = usage->usage_index;
++ } else {
++ /*
++ * Some elan panels wrongly declare 2 input mode
++ * features, and silently ignore when we set the
++ * value in the second field. Skip the second feature
++ * and hope for the best.
++ */
++ dev_info(&hdev->dev,
++ "Ignoring the extra HID_DG_INPUTMODE\n");
++ }
+
+ break;
+ case HID_DG_CONTACTMAX:
+--
+2.5.0
+
diff --git a/HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch b/HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
new file mode 100644
index 000000000..b1a789e84
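Review bot: The new `if (td->inputmode < 0)` branch treats a negative `inputmode` as "no INPUTMODE usage mapped yet", but nothing in this hunk initialises the field; if `td` comes from a zeroing allocation and `inputmode` starts at 0, the first INPUTMODE usage would be taken as the duplicate and skipped, leaving the panel in mouse mode. Presumably the probe path sets `td->inputmode = -1` before feature mapping runs, which is worth confirming. A comment on the branch such as `/* inputmode is -1 until the first INPUTMODE usage has been mapped */` would make that contract explicit next to the check that relies on it. mt_feature_mapping starts and ends outside the hunk.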
--- /dev/null
+++ b/HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
@@ -0,0 +1,49 @@
+From 954d6154959c8c196fa4b89fc98a4fb377c6a38d Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Fri, 8 Jan 2016 17:58:49 +0100
+Subject: [PATCH] HID: sony: do not bail out when the sixaxis refuses the
+ output report
+
+When setting the operational mode, some third party (Speedlink Strike-FX)
+gamepads refuse the output report. Failing here means we refuse to
+initialize the gamepad while this should be harmless.
+
+The weird part is that the initial commit that added this: a7de9b8
+("HID: sony: Enable Gasia third-party PS3 controllers") mentions this
+very same controller as one requiring this output report.
+Anyway, it's broken for one user at least, so let's change it.
+We will report an error, but at least the controller should work.
+
+And no, these devices present themselves as legacy Sony controllers
+(VID:PID of 054C:0268, as in the official ones) so there are no ways
+of discriminating them from the official ones.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1255325
+
+Reported-and-tested-by: Max Fedotov <thesourcehim@gmail.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-sony.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index 661f94f8ab8b..11f91c0c2458 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -1411,8 +1411,10 @@ static int sixaxis_set_operational_usb(struct hid_device *hdev)
+ }
+
+ ret = hid_hw_output_report(hdev, buf, 1);
+- if (ret < 0)
+- hid_err(hdev, "can't set operational mode: step 3\n");
++ if (ret < 0) {
++ hid_info(hdev, "can't set operational mode: step 3, ignoring\n");
++ ret = 0;
++ }
+
+ out:
+ kfree(buf);
+--
+2.5.0
+
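Review bot: Setting `ret = 0` makes sixaxis_set_operational_usb report success even though the output report was rejected, and since the description says these third-party pads cannot be told apart from official ones (same 054C:0268 VID:PID), a genuinely failing Sixaxis will now probe as if everything were fine. Downgrading the message to info level on top of that makes the condition easy to miss in a default log; `hid_warn(hdev, "can't set operational mode: step 3, ignoring\n");` keeps probe non-fatal while leaving the failure visible. A short comment on the branch, e.g. `/* some third-party pads refuse this report yet work; don't fail probe */`, would explain why an error is being swallowed here. The function begins outside the hunk.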
diff --git a/KVM-svm-unconditionally-intercept-DB.patch b/KVM-svm-unconditionally-intercept-DB.patch
deleted file mode 100644
index 021af4ccb..000000000
--- a/KVM-svm-unconditionally-intercept-DB.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 48bb9bb210c6c2f185d891e3e7a401d849409f84 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 10 Nov 2015 13:22:53 +0100
-Subject: [PATCH 2/2] KVM: svm: unconditionally intercept #DB
-
-This is needed to avoid the possibility that the guest triggers
-an infinite stream of #DB exceptions (CVE-2015-8104).
-
-VMX is not affected: because it does not save DR6 in the VMCS,
-it already intercepts #DB unconditionally.
-
-Reported-by: Jan Beulich <jbeulich@suse.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- arch/x86/kvm/svm.c | 14 +++----------
- 1 file changed, 3 insertions(+), 11 deletions(-)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 7203b3cc71b5..184e50b3c35a 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1111,6 +1111,7 @@ static void init_vmcb(struct vcpu_svm *svm)
- set_exception_intercept(svm, UD_VECTOR);
- set_exception_intercept(svm, MC_VECTOR);
- set_exception_intercept(svm, AC_VECTOR);
-+ set_exception_intercept(svm, DB_VECTOR);
-
- set_intercept(svm, INTERCEPT_INTR);
- set_intercept(svm, INTERCEPT_NMI);
-@@ -1645,20 +1646,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
- mark_dirty(svm->vmcb, VMCB_SEG);
- }
-
--static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
-+static void update_bp_intercept(struct kvm_vcpu *vcpu)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-
-- clr_exception_intercept(svm, DB_VECTOR);
- clr_exception_intercept(svm, BP_VECTOR);
-
-- if (svm->nmi_singlestep)
-- set_exception_intercept(svm, DB_VECTOR);
--
- if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
-- if (vcpu->guest_debug &
-- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
-- set_exception_intercept(svm, DB_VECTOR);
- if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
- set_exception_intercept(svm, BP_VECTOR);
- } else
-@@ -1764,7 +1758,6 @@ static int db_interception(struct vcpu_svm *svm)
- if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
- svm->vmcb->save.rflags &=
- ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(&svm->vcpu);
- }
-
- if (svm->vcpu.guest_debug &
-@@ -3753,7 +3746,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
- */
- svm->nmi_singlestep = true;
- svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(vcpu);
- }
-
- static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
-@@ -4379,7 +4371,7 @@ static struct kvm_x86_ops svm_x86_ops = {
- .vcpu_load = svm_vcpu_load,
- .vcpu_put = svm_vcpu_put,
-
-- .update_db_bp_intercept = update_db_bp_intercept,
-+ .update_db_bp_intercept = update_bp_intercept,
- .get_msr = svm_get_msr,
- .set_msr = svm_set_msr,
- .get_segment_base = svm_get_segment_base,
---
-2.4.3
-
diff --git a/cfg80211-wext-fix-message-ordering.patch b/cfg80211-wext-fix-message-ordering.patch
new file mode 100644
index 000000000..8d3cdfdda
--- /dev/null
+++ b/cfg80211-wext-fix-message-ordering.patch
@@ -0,0 +1,83 @@
+From cb150b9d23be6ee7f3a0fff29784f1c5b5ac514d Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 27 Jan 2016 13:29:34 +0100
+Subject: cfg80211/wext: fix message ordering
+
+Since cfg80211 frequently takes actions from its netdev notifier
+call, wireless extensions messages could still be ordered badly
+since the wext netdev notifier, since wext is built into the
+kernel, runs before the cfg80211 netdev notifier. For example,
+the following can happen:
+
+5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+5: wlan1: <BROADCAST,MULTICAST,UP>
+ link/ether
+
+when setting the interface down causes the wext message.
+
+To also fix this, export the wireless_nlevent_flush() function
+and also call it from the cfg80211 notifier.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+ include/net/iw_handler.h | 6 ++++++
+ net/wireless/core.c | 2 ++
+ net/wireless/wext-core.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/iw_handler.h b/include/net/iw_handler.h
+index 8f81bbb..e0f4109 100644
+--- a/include/net/iw_handler.h
++++ b/include/net/iw_handler.h
+@@ -439,6 +439,12 @@ int dev_get_wireless_info(char *buffer, char **start, off_t offset, int length);
+ /* Send a single event to user space */
+ void wireless_send_event(struct net_device *dev, unsigned int cmd,
+ union iwreq_data *wrqu, const char *extra);
++#ifdef CONFIG_WEXT_CORE
++/* flush all previous wext events - if work is done from netdev notifiers */
++void wireless_nlevent_flush(void);
++#else
++static inline void wireless_nlevent_flush(void) {}
++#endif
+
+ /* We may need a function to send a stream of events to user space.
+ * More on that later... */
+diff --git a/net/wireless/core.c b/net/wireless/core.c
+index b091551..8f0bac7 100644
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1147,6 +1147,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
+ return NOTIFY_DONE;
+ }
+
++ wireless_nlevent_flush();
++
+ return NOTIFY_OK;
+ }
+
+diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
+index 87dd619..b50ee5d 100644
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -342,7 +342,7 @@ static const int compat_event_type_size[] = {
+
+ /* IW event code */
+
+-static void wireless_nlevent_flush(void)
++void wireless_nlevent_flush(void)
+ {
+ struct sk_buff *skb;
+ struct net *net;
+@@ -355,6 +355,7 @@ static void wireless_nlevent_flush(void)
+ GFP_KERNEL);
+ }
+ }
++EXPORT_SYMBOL_GPL(wireless_nlevent_flush);
+
+ static int wext_netdev_notifier_call(struct notifier_block *nb,
+ unsigned long state, void *ptr)
+--
+cgit v0.12
+
diff --git a/config-arm64 b/config-arm64
index 2c2139bd6..31f4d51c6 100644
--- a/config-arm64
+++ b/config-arm64
@@ -29,6 +29,7 @@ CONFIG_ARM64_ERRATUM_827319=y
 CONFIG_ARM64_ERRATUM_824069=y
 CONFIG_ARM64_ERRATUM_819472=y
 CONFIG_ARM64_ERRATUM_832075=y
+CONFIG_ARM64_ERRATUM_834220=y
 CONFIG_ARM64_ERRATUM_843419=y
 # AMBA / VExpress
diff --git a/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch b/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
deleted file mode 100644
index cf8b5a829..000000000
--- a/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
+++ /dev/null
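Review bot: Exporting `wireless_nlevent_flush()` turns an internal helper with an `ASSERT_RTNL()` into a public API, but the new declaration in iw_handler.h only says "if work is done from netdev notifiers" and never states the locking rule; a caller outside a notifier would trip the assertion. The header comment should spell it out, e.g. `/* flush all previous wext events - caller must hold RTNL (netdev notifiers do) */`. In cfg80211_netdev_notifier_call the flush sits only on the NOTIFY_OK path, so events queued before the `return NOTIFY_DONE` just above are still left to the delayed work; presumably that branch is where cfg80211 took no action, but a one-line comment such as `/* wext's own notifier already ran; push out events queued by the actions above */` would make the intent clear. The notifier's body starts outside the hunk.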
@@ -1,40 +0,0 @@
-From 59f271755df42fce6d38ebdf5b7502666b1e0c36 Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:21:24 +0000
-Subject: [PATCH 1/2] isdn_ppp: Add checks for allocation failure in
- isdn_ppp_open()
-
-Compile-tested only.
-
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
-index c4198fa490bf..86f9abebcb72 100644
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
- is->compflags = 0;
-
- is->reset = isdn_ppp_ccp_reset_alloc(is);
-+ if (!is->reset)
-+ return -ENOMEM;
-
- is->lp = NULL;
- is->mp_seqno = 0; /* MP sequence number */
-@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
- * VJ header compression init
- */
- is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
-+ if (!is->slcomp) {
-+ isdn_ppp_ccp_reset_free(is);
-+ return -ENOMEM;
-+ }
- #endif
- #ifdef CONFIG_IPPP_FILTER
- is->pass_filter = NULL;
---
-2.4.3
-
diff --git a/kernel.spec b/kernel.spec
index 8b668ac8f..b41396f82 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
 # Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -611,13 +611,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
 Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
-#CVE-2015-7799 rhbz 1271134 1271135
-Patch512: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
-Patch513: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
-
-#CVE-2015-8104 rhbz 1278496 1279691
-Patch551: KVM-svm-unconditionally-intercept-DB.patch
-
 #rhbz 1269300
 Patch552: megaraid_sas-Do-not-use-PAGE_SIZE-for-max_sectors.patch
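Review bot: This hunk drops the CVE-2015-7799 (Patch512, Patch513) and CVE-2015-8104 (Patch551) backports without anything in the spec recording why; presumably the upstream fixes are carried by the 4.3.5 stable update that the `stable_update` bump pulls in, but the commit does not say so, and if either one is missing from 4.3.5 the build silently loses a security fix. Please confirm the corresponding upstream commits are in patch-4.3.5 and record the drop in %changelog, e.g. `- Linux v4.3.5 (drops CVE-2015-7799, CVE-2015-8104 patches now in stable)`.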
@@ -660,6 +653,7 @@ Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
 #rhbz 1296677
 Patch606: HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
+Patch641: HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
 #rhbz 1281368
 Patch607: drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
@@ -695,9 +689,6 @@ Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
 Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
 Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
-#CVE-2013-4312 rhbz 1297813 1300216
-Patch636: unix-properly-account-for-FDs-passed-over-unix-socke.patch
-
 #CVE-2016-0723 rhbz 1296253 1300224
 Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
@@ -710,6 +701,17 @@ Patch639: netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
 #rhbz 1300955
 Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
+#rhbz 1278942
+Patch642: media-Revert-media-ivtv-avoid-going-past-input-audio.patch
+Patch643: media-ivtv-avoid-going-past-input-audio-array.patch
+
+#rhbz 1302037
+Patch644: wext-fix-message-delay-ordering.patch
+Patch645: cfg80211-wext-fix-message-ordering.patch
+
+#rhbz 1255325
+Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2156,7 +2158,20 @@ fi
 #
 #
 %changelog
-* Sat Jan 23 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.4-300
+* Sun Jan 31 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.5-300
+- Linux v4.3.5
+
+* Fri Jan 29 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Backport HID sony patch to fix some gamepads (rhbz 1255235)
+
+* Thu Jan 28 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix issues with ivtv driver on PVR350 devices (rhbz 1278942)
+- Add patches to fix suprious NEWLINK netlink messages (rhbz 1302037)
+
+* Mon Jan 25 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.4-300
+- Add patch to fix some Elan touchpads (rhbz 1296677)
+
+* Sat Jan 23 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - Linux v4.3.4
 * Fri Jan 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
diff --git a/media-Revert-media-ivtv-avoid-going-past-input-audio.patch b/media-Revert-media-ivtv-avoid-going-past-input-audio.patch
new file mode 100644
index 000000000..7c00071c6
--- /dev/null
+++ b/media-Revert-media-ivtv-avoid-going-past-input-audio.patch
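Review bot: The new line `- Backport HID sony patch to fix some gamepads (rhbz 1255235)` cites a different bug than the `#rhbz 1255325` tag placed above Patch646 and the bugzilla URL inside the patch itself; one is a digit transposition, most likely the changelog, so it should read `(rhbz 1255325)`. `suprious` in the Jan 28 entry should be `spurious`. The entries also say nothing about enabling CONFIG_ARM64_ERRATUM_834220 in config-arm64 or about the CVE-2013-4312, CVE-2015-7799 and CVE-2015-8104 patches removed elsewhere in this commit, so a line for each would keep the changelog an honest record of what the build changed.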
@@ -0,0 +1,38 @@
+From 823873481b2a17ce5900899f8ef85118f8407b67 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Date: Wed, 11 Nov 2015 09:22:36 -0200
+Subject: [PATCH] [media] Revert "[media] ivtv: avoid going past input/audio
+ array"
+
+This patch broke ivtv logic, as reported at
+ https://bugzilla.redhat.com/show_bug.cgi?id=1278942
+
+This reverts commit 09290cc885937cab3b2d60a6d48fe3d2d3e04061.
+
+Cc: stable@vger.kernel.org # for v4.1 and upper
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+ drivers/media/pci/ivtv/ivtv-driver.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
+index 8616fa8193bc..c2e60b4f292d 100644
+--- a/drivers/media/pci/ivtv/ivtv-driver.c
++++ b/drivers/media/pci/ivtv/ivtv-driver.c
+@@ -805,11 +805,11 @@ static void ivtv_init_struct2(struct ivtv *itv)
+ {
+ int i;
+
+- for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS - 1; i++)
++ for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS; i++)
+ if (itv->card->video_inputs[i].video_type == 0)
+ break;
+ itv->nof_inputs = i;
+- for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS - 1; i++)
++ for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS; i++)
+ if (itv->card->audio_inputs[i].audio_type == 0)
+ break;
+ itv->nof_audio_inputs = i;
+--
+2.5.0
+
diff --git a/media-ivtv-avoid-going-past-input-audio-array.patch b/media-ivtv-avoid-going-past-input-audio-array.patch
new file mode 100644
index 000000000..42009eb71
--- /dev/null
+++ b/media-ivtv-avoid-going-past-input-audio-array.patch
@@ -0,0 +1,29 @@
+From d55ebd07b6c21a1c7e3e74f1b73b3b033cece2b5 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Date: Wed, 11 Nov 2015 09:27:42 -0200
+Subject: [PATCH] [media] ivtv: avoid going past input/audio array
+
+As reported by smatch:
+ drivers/media/pci/ivtv/ivtv-driver.c:832 ivtv_init_struct2() error: buffer overflow 'itv->card->video_inputs' 6 <= 6
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
+index c2e60b4f292d..2bb10cd9ecfd 100644
+--- a/drivers/media/pci/ivtv/ivtv-driver.c
++++ b/drivers/media/pci/ivtv/ivtv-driver.c
+@@ -826,7 +826,7 @@ static void ivtv_init_struct2(struct ivtv *itv)
+ IVTV_CARD_INPUT_VID_TUNER)
+ break;
+ }
+- if (i == itv->nof_inputs)
++ if (i >= itv->nof_inputs)
+ i = 0;
+ itv->active_input = i;
+ itv->audio_input = itv->card->video_inputs[i].audio_index;
+--
+2.5.0
+
diff --git a/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch b/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
deleted file mode 100644
index eac5aa7de..000000000
--- a/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
+++ /dev/null
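Review bot: Changing `==` to `>=` is only a real guard for the `video_inputs[i]` access on the last line if the search loop above (outside the hunk) can leave `i` larger than `itv->nof_inputs`; if, as is usual, the loop is bounded by `i < itv->nof_inputs`, the two comparisons are equivalent and the change exists to quiet the smatch "6 <= 6" report rather than to fix an overflow. Either way the reset deserves a comment so the next reader does not repeat the analysis, e.g. `/* no tuner input found (i == nof_inputs): fall back to input 0 */`. Since this patch is applied on top of the revert that lets `nof_inputs` reach IVTV_CARD_MAX_VIDEO_INPUTS again, that fallback is what keeps the index in range. ivtv_init_struct2 starts and ends outside the hunk.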
@@ -1,139 +0,0 @@
-From a8bc90052f18348718412cebf7b569da95bad264 Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:22:53 +0000
-Subject: [PATCH 2/2] ppp, slip: Validate VJ compression slot parameters
- completely
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently slhc_init() treats out-of-range values of rslots and tslots
-as equivalent to 0, except that if tslots is too large it will
-dereference a null pointer (CVE-2015-7799).
-
-Add a range-check at the top of the function and make it return an
-ERR_PTR() on error instead of NULL. Change the callers accordingly.
-
-Compile-tested only.
-
-Reported-by: 郭永刚 <guoyonggang@360.cn>
-References: http://article.gmane.org/gmane.comp.security.oss.general/17908
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
- drivers/net/ppp/ppp_generic.c | 6 ++----
- drivers/net/slip/slhc.c | 12 ++++++++----
- drivers/net/slip/slip.c | 2 +-
- 4 files changed, 15 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
-index 86f9abebcb72..9c1e8adaf4fc 100644
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file)
- * VJ header compression init
- */
- is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
-- if (!is->slcomp) {
-+ if (IS_ERR(is->slcomp)) {
- isdn_ppp_ccp_reset_free(is);
-- return -ENOMEM;
-+ return PTR_ERR(is->slcomp);
- }
- #endif
- #ifdef CONFIG_IPPP_FILTER
-@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
- is->maxcid = val;
- #ifdef CONFIG_ISDN_PPP_VJ
- sltmp = slhc_init(16, val);
-- if (!sltmp) {
-- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
-- return -ENOMEM;
-- }
-+ if (IS_ERR(sltmp))
-+ return PTR_ERR(sltmp);
- if (is->slcomp)
- slhc_free(is->slcomp);
- is->slcomp = sltmp;
-diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
-index ed00446759b2..9a863c6a6a33 100644
---- a/drivers/net/ppp/ppp_generic.c
-+++ b/drivers/net/ppp/ppp_generic.c
-@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- val &= 0xffff;
- }
- vj = slhc_init(val2+1, val+1);
-- if (!vj) {
-- netdev_err(ppp->dev,
-- "PPP: no memory (VJ compressor)\n");
-- err = -ENOMEM;
-+ if (IS_ERR(vj)) {
-+ err = PTR_ERR(vj);
- break;
- }
- ppp_lock(ppp);
-diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
-index 079f7adfcde5..27ed25252aac 100644
---- a/drivers/net/slip/slhc.c
-+++ b/drivers/net/slip/slhc.c
-@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
- static unsigned char * put16(unsigned char *cp, unsigned short x);
- static unsigned short pull16(unsigned char **cpp);
-
--/* Initialize compression data structure
-+/* Allocate compression data structure
- * slots must be in range 0 to 255 (zero meaning no compression)
-+ * Returns pointer to structure or ERR_PTR() on error.
- */
- struct slcompress *
- slhc_init(int rslots, int tslots)
-@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
- register struct cstate *ts;
- struct slcompress *comp;
-
-+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
-+ return ERR_PTR(-EINVAL);
-+
- comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
- if (! comp)
- goto out_fail;
-
-- if ( rslots > 0 && rslots < 256 ) {
-+ if (rslots > 0) {
- size_t rsize = rslots * sizeof(struct cstate);
- comp->rstate = kzalloc(rsize, GFP_KERNEL);
- if (! comp->rstate)
-@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
- comp->rslot_limit = rslots - 1;
- }
-
-- if ( tslots > 0 && tslots < 256 ) {
-+ if (tslots > 0) {
- size_t tsize = tslots * sizeof(struct cstate);
- comp->tstate = kzalloc(tsize, GFP_KERNEL);
- if (! comp->tstate)
-@@ -141,7 +145,7 @@ out_free2:
- out_free:
- kfree(comp);
- out_fail:
-- return NULL;
-+ return ERR_PTR(-ENOMEM);
- }
-
-
-diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
-index 05387b1e2e95..a17d86a57734 100644
---- a/drivers/net/slip/slip.c
-+++ b/drivers/net/slip/slip.c
-@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu)
- if (cbuff == NULL)
- goto err_exit;
- slcomp = slhc_init(16, 16);
-- if (slcomp == NULL)
-+ if (IS_ERR(slcomp))
- goto err_exit;
- #endif
- spin_lock_bh(&sl->lock);
---
-2.4.3
-
@@ -1,3 +1,3 @@
 58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz
 7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz
-5bbeeb57b8cff23e5c27430e60810d1b patch-4.3.4.xz
+4786a4b42da54527d6ca0d1fc1f0fade patch-4.3.5.xz
diff --git a/unix-properly-account-for-FDs-passed-over-unix-socke.patch b/unix-properly-account-for-FDs-passed-over-unix-socke.patch
deleted file mode 100644
index c263abf2b..000000000
--- a/unix-properly-account-for-FDs-passed-over-unix-socke.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 0cd038d23b86853d68993c94f3c713e4375fd61f Mon Sep 17 00:00:00 2001
-From: willy tarreau <w@1wt.eu>
-Date: Sun, 10 Jan 2016 07:54:56 +0100
-Subject: [PATCH] unix: properly account for FDs passed over unix sockets
-
-It is possible for a process to allocate and accumulate far more FDs than
-the process' limit by sending them over a unix socket then closing them
-to keep the process' fd count low.
-
-This change addresses this problem by keeping track of the number of FDs
-in flight per user and preventing non-privileged processes from having
-more FDs in flight than their configured FD limit.
-
-Reported-by: socketpair@gmail.com
-Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Mitigates: CVE-2013-4312 (Linux 2.0+)
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- include/linux/sched.h | 1 +
- net/unix/af_unix.c | 24 ++++++++++++++++++++----
- net/unix/garbage.c | 13 ++++++++-----
- 3 files changed, 29 insertions(+), 9 deletions(-)
-
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index b7b9501b41af..f477e87ca46f 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -830,6 +830,7 @@ struct user_struct {
- unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
- #endif
- unsigned long locked_shm; /* How many pages of mlocked shm ? */
-+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
-
- #ifdef CONFIG_KEYS
- struct key *uid_keyring; /* UID specific keyring */
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 128b0982c96b..9085de63bb81 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -1498,6 +1498,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
- sock_wfree(skb);
- }
-
-+/*
-+ * The "user->unix_inflight" variable is protected by the garbage
-+ * collection lock, and we just read it locklessly here. If you go
-+ * over the limit, there might be a tiny race in actually noticing
-+ * it across threads. Tough.
-+ */
-+static inline bool too_many_unix_fds(struct task_struct *p)
-+{
-+ struct user_struct *user = current_user();
-+
-+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
-+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
-+ return false;
-+}
-+
- #define MAX_RECURSION_LEVEL 4
-
- static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
-@@ -1506,6 +1521,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- unsigned char max_level = 0;
- int unix_sock_count = 0;
-
-+ if (too_many_unix_fds(current))
-+ return -ETOOMANYREFS;
-+
- for (i = scm->fp->count - 1; i >= 0; i--) {
- struct sock *sk = unix_get_socket(scm->fp->fp[i]);
-
-@@ -1527,10 +1545,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- if (!UNIXCB(skb).fp)
- return -ENOMEM;
-
-- if (unix_sock_count) {
-- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-- }
-+ for (i = scm->fp->count - 1; i >= 0; i--)
-+ unix_inflight(scm->fp->fp[i]);
- return max_level;
- }
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index a73a226f2d33..8fcdc2283af5 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
--
- if (atomic_long_inc_return(&u->inflight) == 1) {
- BUG_ON(!list_empty(&u->link));
- list_add_tail(&u->link, &gc_inflight_list);
-@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
- BUG_ON(list_empty(&u->link));
- }
- unix_tot_inflight++;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight++;
-+ spin_unlock(&unix_gc_lock);
- }
-
- void unix_notinflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
- BUG_ON(list_empty(&u->link));
-
- if (atomic_long_dec_and_test(&u->inflight))
- list_del_init(&u->link);
- unix_tot_inflight--;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight--;
-+ spin_unlock(&unix_gc_lock);
- }
-
- static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
---
-2.5.0
-
diff --git a/wext-fix-message-delay-ordering.patch b/wext-fix-message-delay-ordering.patch
new file mode 100644
index 000000000..109b68da3
--- /dev/null
+++ b/wext-fix-message-delay-ordering.patch
@@ -0,0 +1,122 @@
+From 8bf862739a7786ae72409220914df960a0aa80d8 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 27 Jan 2016 12:37:52 +0100
+Subject: wext: fix message delay/ordering
+
+Beniamino reported that he was getting an RTM_NEWLINK message for a
+given interface, after the RTM_DELLINK for it. It turns out that the
+message is a wireless extensions message, which was sent because the
+interface had been connected and disconnection while it was deleted
+caused a wext message.
+
+For its netlink messages, wext uses RTM_NEWLINK, but the message is
+without all the regular rtnetlink attributes, so "ip monitor link"
+prints just rudimentary information:
+
+5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+Deleted 5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+5: wlan1: <BROADCAST,MULTICAST,UP>
+ link/ether
+(from my hwsim reproduction)
+
+This can cause userspace to get confused since it doesn't expect an
+RTM_NEWLINK message after RTM_DELLINK.
+
+The reason for this is that wext schedules a worker to send out the
+messages, and the scheduling delay can cause the messages to get out
+to userspace in different order.
+
+To fix this, have wext register a netdevice notifier and flush out
+any pending messages when netdevice state changes. This fixes any
+ordering whenever the original message wasn't sent by a notifier
+itself.
+
+Cc: stable@vger.kernel.org
+Reported-by: Beniamino Galvani <bgalvani@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+ net/wireless/wext-core.c | 51 +++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 40 insertions(+), 11 deletions(-)
+
+diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
+index c8717c1..87dd619 100644
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -342,6 +342,39 @@ static const int compat_event_type_size[] = {
+
+ /* IW event code */
+
++static void wireless_nlevent_flush(void)
++{
++ struct sk_buff *skb;
++ struct net *net;
++
++ ASSERT_RTNL();
++
++ for_each_net(net) {
++ while ((skb = skb_dequeue(&net->wext_nlevents)))
++ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
++ GFP_KERNEL);
++ }
++}
++
++static int wext_netdev_notifier_call(struct notifier_block *nb,
++ unsigned long state, void *ptr)
++{
++ /*
++ * When a netdev changes state in any way, flush all pending messages
++ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after
++ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close()
++ * or similar - all of which could otherwise happen due to delays from
++ * schedule_work().
++ */
++ wireless_nlevent_flush();
++
++ return NOTIFY_OK;
++}
++
++static struct notifier_block wext_netdev_notifier = {
++ .notifier_call = wext_netdev_notifier_call,
++};
++
+ static int __net_init wext_pernet_init(struct net *net)
+ {
+ skb_queue_head_init(&net->wext_nlevents);
+@@ -360,7 +393,12 @@ static struct pernet_operations wext_pernet_ops = {
+
+ static int __init wireless_nlevent_init(void)
+ {
+- return register_pernet_subsys(&wext_pernet_ops);
++ int err = register_pernet_subsys(&wext_pernet_ops);
++
++ if (err)
++ return err;
++
++ return register_netdevice_notifier(&wext_netdev_notifier);
+ }
+
+ subsys_initcall(wireless_nlevent_init);
+@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init);
+ /* Process events generated by the wireless layer or the driver. */
+ static void wireless_nlevent_process(struct work_struct *work)
+ {
+- struct sk_buff *skb;
+- struct net *net;
+-
+ rtnl_lock();
+-
+- for_each_net(net) {
+- while ((skb = skb_dequeue(&net->wext_nlevents)))
+- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
+- GFP_KERNEL);
+- }
+-
+ wireless_nlevent_flush();
+ rtnl_unlock();
+ }
+
+--
+cgit v0.12
+
|
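Review bot: In the rewritten `wireless_nlevent_init`, a failure of `register_netdevice_notifier()` returns the error while the pernet subsystem registered a few lines earlier stays registered, so the init path is no longer all-or-nothing; an `unregister_pernet_subsys()` on that error leg closes the gap. The new `wireless_nlevent_flush()` is now the single place that drains the per-net queues and its `ASSERT_RTNL()` is the right guard, but a one-line comment above the function stating `/* Caller must hold RTNL; drains every net's wext_nlevents queue */` would document the contract for anyone who calls it from outside the work item or the notifier. The hunk containing the init function is complete; the surrounding pernet_operations definition starts outside it.
```c
static int __init wireless_nlevent_init(void)
{
	int err = register_pernet_subsys(&wext_pernet_ops);

	if (err)
		return err;

	err = register_netdevice_notifier(&wext_netdev_notifier);
	if (err)
		unregister_pernet_subsys(&wext_pernet_ops);
	return err;
}
```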