diff --git a/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch b/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch new file mode 100644 index 000000000..15640604b --- /dev/null +++ b/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch @@ -0,0 +1,76 @@ +From d856e14fb043b742f94170db36b812770a2591d0 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 15 Oct 2015 17:21:37 +0100 +Subject: [PATCH 1/2] KEYS: Fix crash when attempt to garbage collect an + uninstantiated keyring + + The following sequence of commands: + + i=`keyctl add user a a @s` + keyctl request2 keyring foo bar @t + keyctl unlink $i @s + + tries to invoke an upcall to instantiate a keyring if one doesn't already + exist by that name within the user's keyring set. However, if the upcall + fails, the code sets keyring->type_data.reject_error to -ENOKEY or some + other error code. When the key is garbage collected, the key destroy + function is called unconditionally and keyring_destroy() uses list_empty() + on keyring->type_data.link - which is in a union with reject_error. + Subsequently, the kernel tries to unlink the keyring from the keyring names + list - which oopses like this: + + BUG: unable to handle kernel paging request at 00000000ffffff8a + IP: [] keyring_destroy+0x3d/0x88 + ... + Workqueue: events key_garbage_collector + ... + RIP: 0010:[] keyring_destroy+0x3d/0x88 + RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203 + RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40 + RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000 + R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900 + R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000 + ... + CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0 + ... + Call Trace: + [] key_gc_unused_keys.constprop.1+0x5d/0x10f + [] key_garbage_collector+0x1fa/0x351 + [] process_one_work+0x28e/0x547 + [] worker_thread+0x26e/0x361 + [] ? rescuer_thread+0x2a8/0x2a8 + [] kthread+0xf3/0xfb + [] ? kthread_create_on_node+0x1c2/0x1c2 + [] ret_from_fork+0x3f/0x70 + [] ? kthread_create_on_node+0x1c2/0x1c2 + + Note the value in RAX. This is a 32-bit representation of -ENOKEY. + + The solution is to only call ->destroy() if the key was successfully + instantiated. + + Reported-by: Dmitry Vyukov + Signed-off-by: David Howells +--- + security/keys/gc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/security/keys/gc.c b/security/keys/gc.c +index c7952375ac53..11c36627adbf 100644 +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -149,7 +149,9 @@ static noinline void key_gc_unused_keys(struct list_head *keys) + atomic_dec(&key->user->nikeys); + + /* now throw away the key memory */ +- if (key->type->destroy) ++ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && ++ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) && ++ key->type->destroy) + key->type->destroy(key); + + key_user_put(key->user); +-- +2.4.3 + diff --git a/0001-x86-cpu-cacheinfo-Fix-teardown-path.patch b/0001-x86-cpu-cacheinfo-Fix-teardown-path.patch deleted file mode 100644 index 52e82feed..000000000 --- a/0001-x86-cpu-cacheinfo-Fix-teardown-path.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 680ac028240f8747f31c03986fbcf18b2b521e93 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Mon, 27 Jul 2015 09:58:05 +0200 -Subject: [PATCH] x86/cpu/cacheinfo: Fix teardown path -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Philip Müller reported a hang when booting 32-bit 4.1 kernel on -an AMD box. A fragment of the splat was enough to pinpoint the -issue: - - task: f58e0000 ti: f58e8000 task.ti: f58e800 - EIP: 0060:[] EFLAGS: 00010206 CPU: 0 - EIP is at free_cache_attributes+0x83/0xd0 - EAX: 00000001 EBX: f589d46c ECX: 00000090 EDX: 360c2000 - ESI: 00000000 EDI: c1724a80 EBP: f58e9ec0 ESP: f58e9ea0 - DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 - CR0: 8005003b CR2: 000000ac CR3: 01731000 CR4: 000006d0 - -cache_shared_cpu_map_setup() did check sibling CPUs cacheinfo -descriptor while the respective teardown path -cache_shared_cpu_map_remove() didn't. Fix that. - -From tglx's version: to be on the safe side, move the cacheinfo -descriptor check to free_cache_attributes(), thus cleaning up -the hotplug path a little and making this even more robust. - -Reported-by: Philip Müller -Signed-off-by: Borislav Petkov -Cc: # v4.1+ -Cc: Andre Przywara -Cc: Guenter Roeck -Cc: H. Peter Anvin -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Sudeep Holla -Cc: Thomas Gleixner -Cc: linux-kernel@vger.kernel.org -Cc: manjaro-dev@manjaro.org -Link: http://lkml.kernel.org/r/20150727075805.GA20416@nazgul.tnic -Link: https://lkml.kernel.org/r/55B47BB8.6080202@manjaro.org -Signed-off-by: Ingo Molnar ---- - drivers/base/cacheinfo.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c -index 764280a91776..e9fd32e91668 100644 ---- a/drivers/base/cacheinfo.c -+++ b/drivers/base/cacheinfo.c -@@ -148,7 +148,11 @@ static void cache_shared_cpu_map_remove(unsigned int cpu) - - if (sibling == cpu) /* skip itself */ - continue; -+ - sib_cpu_ci = get_cpu_cacheinfo(sibling); -+ if (!sib_cpu_ci->info_list) -+ continue; -+ - sib_leaf = sib_cpu_ci->info_list + index; - cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map); - cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map); -@@ -159,6 +163,9 @@ static void cache_shared_cpu_map_remove(unsigned int cpu) - - static void free_cache_attributes(unsigned int cpu) - { -+ if (!per_cpu_cacheinfo(cpu)) -+ return; -+ - cache_shared_cpu_map_remove(cpu); - - kfree(per_cpu_cacheinfo(cpu)); -@@ -514,8 +521,7 @@ static int cacheinfo_cpu_callback(struct notifier_block *nfb, - break; - case CPU_DEAD: - cache_remove_dev(cpu); -- if (per_cpu_cacheinfo(cpu)) -- free_cache_attributes(cpu); -+ free_cache_attributes(cpu); - break; - } - return notifier_from_errno(rc); --- -2.4.3 - diff --git a/0001-xhci-Add-spurious-wakeup-quirk-for-LynxPoint-LP-cont.patch b/0001-xhci-Add-spurious-wakeup-quirk-for-LynxPoint-LP-cont.patch new file mode 100644 index 000000000..884f685c8 --- /dev/null +++ b/0001-xhci-Add-spurious-wakeup-quirk-for-LynxPoint-LP-cont.patch @@ -0,0 +1,61 @@ +From fd7cd061adcf5f7503515ba52b6a724642a839c8 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Mon, 12 Oct 2015 11:30:13 +0300 +Subject: [PATCH] xhci: Add spurious wakeup quirk for LynxPoint-LP controllers + +We received several reports of systems rebooting and powering on +after an attempted shutdown. Testing showed that setting +XHCI_SPURIOUS_WAKEUP quirk in addition to the XHCI_SPURIOUS_REBOOT +quirk allowed the system to shutdown as expected for LynxPoint-LP +xHCI controllers. Set the quirk back. + +Note that the quirk was originally introduced for LynxPoint and +LynxPoint-LP just for this same reason. See: + +commit 638298dc66ea ("xhci: Fix spurious wakeups after S5 on Haswell") + +It was later limited to only concern HP machines as it caused +regression on some machines, see both bug and commit: + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=66171 +commit 6962d914f317 ("xhci: Limit the spurious wakeup fix only to HP machines") + +Later it was discovered that the powering on after shutdown +was limited to LynxPoint-LP (Haswell-ULT) and that some non-LP HP +machine suffered from spontaneous resume from S3 (which should +not be related to the SPURIOUS_WAKEUP quirk at all). An attempt +to fix this then removed the SPURIOUS_WAKEUP flag usage completely. + +commit b45abacde3d5 ("xhci: no switching back on non-ULT Haswell") + +Current understanding is that LynxPoint-LP (Haswell ULT) machines +need the SPURIOUS_WAKEUP quirk, otherwise they will restart, and +plain Lynxpoint (Haswell) machines may _not_ have the quirk +set otherwise they again will restart. + +Signed-off-by: Laura Abbott +Cc: Takashi Iwai +Cc: Oliver Neukum +[Added more history to commit message -Mathias] +Cc: stable +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index c79d336..c47d3e4 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -147,6 +147,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + if (pdev->vendor == PCI_VENDOR_ID_INTEL && + pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI) { + xhci->quirks |= XHCI_SPURIOUS_REBOOT; ++ xhci->quirks |= XHCI_SPURIOUS_WAKEUP; + } + if (pdev->vendor == PCI_VENDOR_ID_INTEL && + (pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI || +-- +2.4.3 + diff --git a/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch b/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch new file mode 100644 index 000000000..727ee6aca --- /dev/null +++ b/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch @@ -0,0 +1,34 @@ +From 93f27344ac019135dd5ff31a518f1ef2d9e4e4a1 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 19 Oct 2015 11:33:38 +0100 +Subject: [PATCH 2/2] KEYS: Don't permit request_key() to construct a new + keyring + + If request_key() is used to find a keyring, only do the search part - don't + do the construction part if the keyring was not found by the search. We + don't really want keyrings in the negative instantiated state since the + rejected/negative instantiation error value in the payload is unioned with + keyring metadata. + + Signed-off-by: David Howells +--- + security/keys/request_key.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/security/keys/request_key.c b/security/keys/request_key.c +index 486ef6fa393b..0d6253124278 100644 +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx, + + kenter(""); + ++ if (ctx->index_key.type == &key_type_keyring) ++ return ERR_PTR(-EPERM); ++ + user = key_user_lookup(current_fsuid()); + if (!user) + return ERR_PTR(-ENOMEM); +-- +2.4.3 + diff --git a/ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch b/ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch deleted file mode 100644 index ae0ac201b..000000000 --- a/ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 6f501aed6a8ebecbc3a83fbd95d925ef522e0120 Mon Sep 17 00:00:00 2001 -From: Laura Abbott -Date: Thu, 1 Oct 2015 14:33:49 -0700 -Subject: [PATCH] ALSA: hda: Add dock support for ThinkPad T550 -To: Jaroslav Kysela -To: Takashi Iwai -Cc: alsa-devel@alsa-project.org -Cc: linux-kernel@vger.kernel.org - -Much like all the other Lenovo laptops, add a quirk to make -sound work with docking. - -Reported-and-tested-by: lacknerflo@gmail.com -Signed-off-by: Laura Abbott ---- - sound/pci/hda/patch_realtek.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index afec6dc..16b8dcb 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5306,6 +5306,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x17aa, 0x2212, "Thinkpad T440", ALC292_FIXUP_TPT440_DOCK), - SND_PCI_QUIRK(0x17aa, 0x2214, "Thinkpad X240", ALC292_FIXUP_TPT440_DOCK), - SND_PCI_QUIRK(0x17aa, 0x2215, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), -+ SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK), - SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK), - SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), - SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP), --- -2.4.3 - diff --git a/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch b/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch deleted file mode 100644 index 8a53a43ce..000000000 --- a/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch +++ /dev/null @@ -1,117 +0,0 @@ -From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Wed, 30 Sep 2015 12:48:40 -0400 -Subject: [PATCH] Initialize msg/shm IPC objects before doing ipc_addid() - -As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before -having initialized the IPC object state. Yes, we initialize the IPC -object in a locked state, but with all the lockless RCU lookup work, -that IPC object lock no longer means that the state cannot be seen. - -We already did this for the IPC semaphore code (see commit e8577d1f0329: -"ipc/sem.c: fully initialize sem_array before making it visible") but we -clearly forgot about msg and shm. - -Reported-by: Dmitry Vyukov -Cc: Manfred Spraul -Cc: Davidlohr Bueso -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds ---- - ipc/msg.c | 14 +++++++------- - ipc/shm.c | 13 +++++++------ - ipc/util.c | 8 ++++---- - 3 files changed, 18 insertions(+), 17 deletions(-) - -diff --git a/ipc/msg.c b/ipc/msg.c -index 66c4f567eb73..1471db9a7e61 100644 ---- a/ipc/msg.c -+++ b/ipc/msg.c -@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params) - return retval; - } - -- /* ipc_addid() locks msq upon success. */ -- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni); -- if (id < 0) { -- ipc_rcu_putref(msq, msg_rcu_free); -- return id; -- } -- - msq->q_stime = msq->q_rtime = 0; - msq->q_ctime = get_seconds(); - msq->q_cbytes = msq->q_qnum = 0; -@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params) - INIT_LIST_HEAD(&msq->q_receivers); - INIT_LIST_HEAD(&msq->q_senders); - -+ /* ipc_addid() locks msq upon success. */ -+ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni); -+ if (id < 0) { -+ ipc_rcu_putref(msq, msg_rcu_free); -+ return id; -+ } -+ - ipc_unlock_object(&msq->q_perm); - rcu_read_unlock(); - -diff --git a/ipc/shm.c b/ipc/shm.c -index 222131e8e38f..41787276e141 100644 ---- a/ipc/shm.c -+++ b/ipc/shm.c -@@ -551,12 +551,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) - if (IS_ERR(file)) - goto no_file; - -- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); -- if (id < 0) { -- error = id; -- goto no_id; -- } -- - shp->shm_cprid = task_tgid_vnr(current); - shp->shm_lprid = 0; - shp->shm_atim = shp->shm_dtim = 0; -@@ -565,6 +559,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) - shp->shm_nattch = 0; - shp->shm_file = file; - shp->shm_creator = current; -+ -+ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); -+ if (id < 0) { -+ error = id; -+ goto no_id; -+ } -+ - list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist); - - /* -diff --git a/ipc/util.c b/ipc/util.c -index be4230020a1f..0f401d94b7c6 100644 ---- a/ipc/util.c -+++ b/ipc/util.c -@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size) - rcu_read_lock(); - spin_lock(&new->lock); - -+ current_euid_egid(&euid, &egid); -+ new->cuid = new->uid = euid; -+ new->gid = new->cgid = egid; -+ - id = idr_alloc(&ids->ipcs_idr, new, - (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0, - GFP_NOWAIT); -@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size) - - ids->in_use++; - -- current_euid_egid(&euid, &egid); -- new->cuid = new->uid = euid; -- new->gid = new->cgid = egid; -- - if (next_id < 0) { - new->seq = ids->seq++; - if (ids->seq > IPCID_SEQ_MAX) --- -2.4.3 - diff --git a/RDS-fix-race-condition-when-sending-a-message-on-unb.patch b/RDS-fix-race-condition-when-sending-a-message-on-unb.patch new file mode 100644 index 000000000..8a44c84d3 --- /dev/null +++ b/RDS-fix-race-condition-when-sending-a-message-on-unb.patch @@ -0,0 +1,77 @@ +From 09dca584f0b6b3bb4fc5f13a388274cd76b69f18 Mon Sep 17 00:00:00 2001 +From: Quentin Casasnovas +Date: Fri, 16 Oct 2015 17:11:42 +0200 +Subject: [PATCH] RDS: fix race condition when sending a message on unbound + socket. + +Sasha's found a NULL pointer dereference in the RDS connection code when +sending a message to an apparently unbound socket. The problem is caused +by the code checking if the socket is bound in rds_sendmsg(), which checks +the rs_bound_addr field without taking a lock on the socket. This opens a +race where rs_bound_addr is temporarily set but where the transport is not +in rds_bind(), leading to a NULL pointer dereference when trying to +dereference 'trans' in __rds_conn_create(). + +Vegard wrote a reproducer for this issue, so kindly ask him to share if +you're interested. + +I cannot reproduce the NULL pointer dereference using Vegard's reproducer +with this patch, whereas I could without. + +Complete earlier incomplete fix to CVE-2015-6937: + + 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection") + +Signed-off-by: Quentin Casasnovas +Reviewed-by: Vegard Nossum +Reviewed-by: Sasha Levin +Cc: Vegard Nossum +Cc: Sasha Levin +Cc: Chien Yen +Cc: Santosh Shilimkar +Cc: David S. Miller +Cc: stable@vger.kernel.org +--- + net/rds/connection.c | 6 ------ + net/rds/send.c | 4 +++- + 2 files changed, 3 insertions(+), 7 deletions(-) + +diff --git a/net/rds/connection.c b/net/rds/connection.c +index 9d66705f9d41..da6da57e5f36 100644 +--- a/net/rds/connection.c ++++ b/net/rds/connection.c +@@ -187,12 +187,6 @@ new_conn: + } + } + +- if (trans == NULL) { +- kmem_cache_free(rds_conn_slab, conn); +- conn = ERR_PTR(-ENODEV); +- goto out; +- } +- + conn->c_trans = trans; + + ret = trans->conn_alloc(conn, gfp); +diff --git a/net/rds/send.c b/net/rds/send.c +index e9430f537f9c..7b30c0f3180d 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len) + release_sock(sk); + } + +- /* racing with another thread binding seems ok here */ ++ lock_sock(sk); + if (daddr == 0 || rs->rs_bound_addr == 0) { ++ release_sock(sk); + ret = -ENOTCONN; /* XXX not a great errno */ + goto out; + } ++ release_sock(sk); + + /* size of rm including all sgs */ + ret = rds_rm_size(msg, payload_len); +-- +2.4.3 + diff --git a/USB-whiteheat-fix-potential-null-deref-at-probe.patch b/USB-whiteheat-fix-potential-null-deref-at-probe.patch deleted file mode 100644 index 00fd5578c..000000000 --- a/USB-whiteheat-fix-potential-null-deref-at-probe.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 10d98bced414c6fc1d09db123e7f762d91b5ebea Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 23 Sep 2015 11:41:42 -0700 -Subject: [PATCH] USB: whiteheat: fix potential null-deref at probe - -Fix potential null-pointer dereference at probe by making sure that the -required endpoints are present. - -The whiteheat driver assumes there are at least five pairs of bulk -endpoints, of which the final pair is used for the "command port". An -attempt to bind to an interface with fewer bulk endpoints would -currently lead to an oops. - -Fixes CVE-2015-5257. - -Reported-by: Moein Ghasemzadeh -Cc: stable -Signed-off-by: Johan Hovold ---- - drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++ - 1 file changed, 31 insertions(+) - -diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c -index 6c3734d2b45a..d3ea90bef84d 100644 ---- a/drivers/usb/serial/whiteheat.c -+++ b/drivers/usb/serial/whiteheat.c -@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial, - static int whiteheat_firmware_attach(struct usb_serial *serial); - - /* function prototypes for the Connect Tech WhiteHEAT serial converter */ -+static int whiteheat_probe(struct usb_serial *serial, -+ const struct usb_device_id *id); - static int whiteheat_attach(struct usb_serial *serial); - static void whiteheat_release(struct usb_serial *serial); - static int whiteheat_port_probe(struct usb_serial_port *port); -@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = { - .description = "Connect Tech - WhiteHEAT", - .id_table = id_table_std, - .num_ports = 4, -+ .probe = whiteheat_probe, - .attach = whiteheat_attach, - .release = whiteheat_release, - .port_probe = whiteheat_port_probe, -@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial) - /***************************************************************************** - * Connect Tech's White Heat serial driver functions - *****************************************************************************/ -+ -+static int whiteheat_probe(struct usb_serial *serial, -+ const struct usb_device_id *id) -+{ -+ struct usb_host_interface *iface_desc; -+ struct usb_endpoint_descriptor *endpoint; -+ size_t num_bulk_in = 0; -+ size_t num_bulk_out = 0; -+ size_t min_num_bulk; -+ unsigned int i; -+ -+ iface_desc = serial->interface->cur_altsetting; -+ -+ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) { -+ endpoint = &iface_desc->endpoint[i].desc; -+ if (usb_endpoint_is_bulk_in(endpoint)) -+ ++num_bulk_in; -+ if (usb_endpoint_is_bulk_out(endpoint)) -+ ++num_bulk_out; -+ } -+ -+ min_num_bulk = COMMAND_PORT + 1; -+ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk) -+ return -ENODEV; -+ -+ return 0; -+} -+ - static int whiteheat_attach(struct usb_serial *serial) - { - struct usb_serial_port *command_port; --- -2.4.3 - diff --git a/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch b/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch deleted file mode 100644 index be5eddebc..000000000 --- a/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch +++ /dev/null @@ -1,64 +0,0 @@ -From a08748fb2221ef03d54071e5ddfcc1b0cee6961c Mon Sep 17 00:00:00 2001 -From: Tejun Heo -Date: Sat, 5 Sep 2015 15:47:36 -0400 -Subject: [PATCH] block: blkg_destroy_all() should clear q->root_blkg and - ->root_rl.blkg - -While making the root blkg unconditional, ec13b1d6f0a0 ("blkcg: always -create the blkcg_gq for the root blkcg") removed the part which clears -q->root_blkg and ->root_rl.blkg during q exit. This leaves the two -pointers dangling after blkg_destroy_all(). blk-throttle exit path -performs blkg traversals and dereferences ->root_blkg and can lead to -the following oops. - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000558 - IP: [] __blkg_lookup+0x26/0x70 - ... - task: ffff88001b4e2580 ti: ffff88001ac0c000 task.ti: ffff88001ac0c000 - RIP: 0010:[] [] __blkg_lookup+0x26/0x70 - ... - Call Trace: - [] blk_throtl_drain+0x5a/0x110 - [] blkcg_drain_queue+0x18/0x20 - [] __blk_drain_queue+0xc0/0x170 - [] blk_queue_bypass_start+0x61/0x80 - [] blkcg_deactivate_policy+0x39/0x100 - [] blk_throtl_exit+0x38/0x50 - [] blkcg_exit_queue+0x3e/0x50 - [] blk_release_queue+0x1e/0xc0 - ... - -While the bug is a straigh-forward use-after-free bug, it is tricky to -reproduce because blkg release is RCU protected and the rest of exit -path usually finishes before RCU grace period. - -This patch fixes the bug by updating blkg_destro_all() to clear -q->root_blkg and ->root_rl.blkg. - -Signed-off-by: Tejun Heo -Reported-by: "Richard W.M. Jones" -Reported-by: Josh Boyer -Link: http://lkml.kernel.org/g/CA+5PVA5rzQ0s4723n5rHBcxQa9t0cW8BPPBekr_9aMRoWt2aYg@mail.gmail.com -Fixes: ec13b1d6f0a0 ("blkcg: always create the blkcg_gq for the root blkcg") -Cc: stable@vger.kernel.org # v4.2+ ---- - block/blk-cgroup.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c -index d6283b3f5db5..9cc48d1d7abb 100644 ---- a/block/blk-cgroup.c -+++ b/block/blk-cgroup.c -@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q) - blkg_destroy(blkg); - spin_unlock(&blkcg->lock); - } -+ -+ q->root_blkg = NULL; -+ q->root_rl.blkg = NULL; - } - - /* --- -2.4.3 - diff --git a/config-armv7-generic b/config-armv7-generic index 9079e0a06..b8f88bf8b 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -736,6 +736,8 @@ CONFIG_TMP006=m CONFIG_BMP085=y CONFIG_BMP085_I2C=m CONFIG_BMP085_SPI=m +CONFIG_DHT11=m +CONFIG_MPL3115=m CONFIG_SENSORS_AD7314=m CONFIG_SENSORS_ADCXX=m CONFIG_SENSORS_ADS7871=m @@ -746,7 +748,10 @@ CONFIG_SENSORS_ISL29028=m CONFIG_SENSORS_LIS3_SPI=m CONFIG_SENSORS_LM70=m CONFIG_SENSORS_MAX1111=m +CONFIG_SI7005=m +CONFIG_SI7020=m +# LCD panels CONFIG_LCD_L4F00242T03=m CONFIG_LCD_LMS283GF05=m CONFIG_LCD_LTV350QV=m @@ -815,9 +820,6 @@ CONFIG_UBIFS_FS_ADVANCED_COMPR=y CONFIG_UBIFS_FS_LZO=y CONFIG_UBIFS_FS_ZLIB=y -# Sensors -CONFIG_SENSORS_HTU21=m - # Chromebook CONFIG_MFD_CROS_EC=m CONFIG_MFD_CROS_EC_I2C=m diff --git a/config-generic b/config-generic index 6bc37e0a1..de0c6bc29 100644 --- a/config-generic +++ b/config-generic @@ -1896,7 +1896,7 @@ CONFIG_IEEE802154_FAKELB=m CONFIG_IEEE802154_CC2520=m # CONFIG_IEEE802154_AT86RF230 is not set # CONFIG_IEEE802154_MRF24J40 is not set -# CONFIG_IEEE802154_ATUSB is not set +CONFIG_IEEE802154_ATUSB=m CONFIG_MAC802154=m CONFIG_NET_MPLS_GSO=m diff --git a/dcache-Handle-escaped-paths-in-prepend_path.patch b/dcache-Handle-escaped-paths-in-prepend_path.patch deleted file mode 100644 index d5040607d..000000000 --- a/dcache-Handle-escaped-paths-in-prepend_path.patch +++ /dev/null @@ -1,65 +0,0 @@ -From c0ea161a6e7158281f64bc6d41126da43cb08f14 Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" -Date: Sat, 15 Aug 2015 13:36:12 -0500 -Subject: [PATCH 1/2] dcache: Handle escaped paths in prepend_path - -commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream. - -A rename can result in a dentry that by walking up d_parent -will never reach it's mnt_root. For lack of a better term -I call this an escaped path. - -prepend_path is called by four different functions __d_path, -d_absolute_path, d_path, and getcwd. - -__d_path only wants to see paths are connected to the root it passes -in. So __d_path needs prepend_path to return an error. - -d_absolute_path similarly wants to see paths that are connected to -some root. Escaped paths are not connected to any mnt_root so -d_absolute_path needs prepend_path to return an error greater -than 1. So escaped paths will be treated like paths on lazily -unmounted mounts. - -getcwd needs to prepend "(unreachable)" so getcwd also needs -prepend_path to return an error. - -d_path is the interesting hold out. d_path just wants to print -something, and does not care about the weird cases. Which raises -the question what should be printed? - -Given that / should result in -ENOENT I -believe it is desirable for escaped paths to be printed as empty -paths. As there are not really any meaninful path components when -considered from the perspective of a mount tree. - -So tweak prepend_path to return an empty path with an new error -code of 3 when it encounters an escaped path. - -Signed-off-by: "Eric W. Biederman" -Signed-off-by: Al Viro ---- - fs/dcache.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/fs/dcache.c b/fs/dcache.c -index 9b5fe503f6cb..e3b44ca75a1b 100644 ---- a/fs/dcache.c -+++ b/fs/dcache.c -@@ -2926,6 +2926,13 @@ restart: - - if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) { - struct mount *parent = ACCESS_ONCE(mnt->mnt_parent); -+ /* Escaped? */ -+ if (dentry != vfsmnt->mnt_root) { -+ bptr = *buffer; -+ blen = *buflen; -+ error = 3; -+ break; -+ } - /* Global root? */ - if (mnt != parent) { - dentry = ACCESS_ONCE(mnt->mnt_mountpoint); --- -2.4.3 - diff --git a/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch b/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch new file mode 100644 index 000000000..cf8b5a829 --- /dev/null +++ b/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch @@ -0,0 +1,40 @@ +From 59f271755df42fce6d38ebdf5b7502666b1e0c36 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Sun, 1 Nov 2015 16:21:24 +0000 +Subject: [PATCH 1/2] isdn_ppp: Add checks for allocation failure in + isdn_ppp_open() + +Compile-tested only. + +Signed-off-by: Ben Hutchings +--- + drivers/isdn/i4l/isdn_ppp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c +index c4198fa490bf..86f9abebcb72 100644 +--- a/drivers/isdn/i4l/isdn_ppp.c ++++ b/drivers/isdn/i4l/isdn_ppp.c +@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file) + is->compflags = 0; + + is->reset = isdn_ppp_ccp_reset_alloc(is); ++ if (!is->reset) ++ return -ENOMEM; + + is->lp = NULL; + is->mp_seqno = 0; /* MP sequence number */ +@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file) + * VJ header compression init + */ + is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ ++ if (!is->slcomp) { ++ isdn_ppp_ccp_reset_free(is); ++ return -ENOMEM; ++ } + #endif + #ifdef CONFIG_IPPP_FILTER + is->pass_filter = NULL; +-- +2.4.3 + diff --git a/kernel.spec b/kernel.spec index daaab80b2..857c1859a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -40,7 +40,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -52,8 +52,12 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? +<<<<<<< HEAD #+Hu Pf against 4.2.3 v4.2-pf2: https://pf.natalenko.name/forum/index.php?topic=352.0 %define stable_update 3 +======= +%define stable_update 5 +>>>>>>> 8b2cbe93901e227770fad71989ed13d2327b1b8c # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -382,7 +386,7 @@ BuildRequires: net-tools, hostname, bc BuildRequires: sparse %endif %if %{with_perf} -BuildRequires: elfutils-devel zlib-devel binutils-devel newt-devel python-devel perl(ExtUtils::Embed) bison flex +BuildRequires: elfutils-devel zlib-devel binutils-devel newt-devel python-devel perl(ExtUtils::Embed) bison flex xz-devel BuildRequires: audit-libs-devel %ifnarch s390 s390x %{arm} BuildRequires: numactl-devel @@ -571,6 +575,7 @@ Patch16000: amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch Patch16001: amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch Patch16002: arm64-avoid-needing-console-to-enable-serial-console.patch Patch16003: usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch +Patch16004: showmem-cma-correct-reserved-memory-calculation.patch # ARMv7 Patch16020: ARM-tegra-usb-no-reset.patch @@ -645,33 +650,25 @@ Patch515: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch Patch517: vmwgfx-Rework-device-initialization.patch Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch -#rhbz 1237136 -Patch522: block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch - #CVE-2015-6937 rhbz 1263139 1263140 Patch523: RDS-verify-the-underlying-transport-exists-before-cr.patch - -#rhbz 1263762 -Patch526: 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch - -#CVE-2015-5257 rhbz 1265607 1265612 -Patch527: USB-whiteheat-fix-potential-null-deref-at-probe.patch - -#CVE-2015-2925 rhbz 1209367 1209373 -Patch528: dcache-Handle-escaped-paths-in-prepend_path.patch -Patch529: vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch - -#CVE-2015-7613 rhbz 1268270 1268273 -Patch532: Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch - -Patch533: net-inet-fix-race-in-reqsk_queue_unlink.patch +#CVE-2015-7990 rhbz 1276437 1276438 +Patch524: RDS-fix-race-condition-when-sending-a-message-on-unb.patch #rhbz 1265978 Patch536: si2168-Bounds-check-firmware.patch Patch537: si2157-Bounds-check-firmware.patch -#rhbz 1268037 -Patch538: ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch +#rhbz 1272172 +Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch +Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch + +#rhbz 1257131 +Patch542: 0001-xhci-Add-spurious-wakeup-quirk-for-LynxPoint-LP-cont.patch + +#CVE-2015-7799 rhbz 1271134 1271135 +Patch543: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch +Patch544: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch # END OF PATCH DEFINITIONS @@ -1256,6 +1253,8 @@ ApplyPatch amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch ApplyPatch arm64-avoid-needing-console-to-enable-serial-console.patch ApplyPatch usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch +ApplyPatch showmem-cma-correct-reserved-memory-calculation.patch + # # ARM # @@ -1417,35 +1416,27 @@ ApplyPatch nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch ApplyPatch vmwgfx-Rework-device-initialization.patch ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch -#rhbz 1237136 -ApplyPatch block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch - #CVE-2015-6937 rhbz 1263139 1263140 ApplyPatch RDS-verify-the-underlying-transport-exists-before-cr.patch - -#rhbz 1263762 -ApplyPatch 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch - -#CVE-2015-5257 rhbz 1265607 1265612 -ApplyPatch USB-whiteheat-fix-potential-null-deref-at-probe.patch +#CVE-2015-7990 rhbz 1276437 1276438 +ApplyPatch RDS-fix-race-condition-when-sending-a-message-on-unb.patch ApplyPatch regulator-axp20x-module-alias.patch -#CVE-2015-2925 rhbz 1209367 1209373 -ApplyPatch dcache-Handle-escaped-paths-in-prepend_path.patch -ApplyPatch vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch - -#CVE-2015-7613 rhbz 1268270 1268273 -ApplyPatch Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch - -ApplyPatch net-inet-fix-race-in-reqsk_queue_unlink.patch - #rhbz 1265978 ApplyPatch si2168-Bounds-check-firmware.patch ApplyPatch si2157-Bounds-check-firmware.patch -#rhbz 1268037 -ApplyPatch ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch +#rhbz 1272172 +ApplyPatch 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch +ApplyPatch 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch + +#rhbz 1257131 +ApplyPatch 0001-xhci-Add-spurious-wakeup-quirk-for-LynxPoint-LP-cont.patch + +#CVE-2015-7799 rhbz 1271134 1271135 +ApplyPatch isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch +ApplyPatch ppp-slip-Validate-VJ-compression-slot-parameters-com.patch # END OF PATCH APPLICATIONS @@ -2296,6 +2287,42 @@ fi # and build. # %changelog +* Wed Nov 4 2015 Peter Robinson +- Enable some IIO sensors (temp/humidity) on ARMv7 + +* Tue Nov 03 2015 Josh Boyer +- CVE-2015-7799 slip:crash when using PPP char dev driver (rhbz 1271134 1271135) + +* Tue Nov 03 2015 Justin M. Forbes +- Add xz-devel builreq for perf (rhbz 1167457) + +* Mon Nov 02 2015 Laura Abbott +- Add spurious wakeup quirk for LynxPoint-LP controllers (rhbz 1257131) + +* Thu Oct 29 2015 Josh Boyer +- CVE-2015-7099 RDS: race condition on unbound socket null deref (rhbz 1276437 1276438) + +* Tue Oct 27 2015 Justin M. Forbes - 4.2.5-201 +- Bump for build + +* Tue Oct 27 2015 Peter Robinson +- CMA memory patch to fix aarch64 builder lockups + +* Mon Oct 26 2015 Justin M. Forbes - 4.2.5-200 +- Linux v4.2.5 + +* Fri Oct 23 2015 Justin M. Forbes - 4.2.4-200 +- Linux v4.2.4 (rhbz 1272645) + +* Tue Oct 20 2015 Josh Boyer +- Enable IEEE802154_ATUSB (rhbz 1272935) + +* Mon Oct 19 2015 Josh Boyer +- Fix crash in key garbage collector when using request_key (rhbz 1272172) + +* Thu Oct 15 2015 Justin M. Forbes +- Fix for iscsi target issues (#rhbz 1271812) + * Sun Oct 11 2015 Pavel Alexeev - 4.2.3-200.hu.1.pf2 - 4.2.3-200.hu.1.pf2 - pf v4.2-pf2 https://pf.natalenko.name/forum/index.php?topic=352.0 diff --git a/net-inet-fix-race-in-reqsk_queue_unlink.patch b/net-inet-fix-race-in-reqsk_queue_unlink.patch deleted file mode 100644 index 744084314..000000000 --- a/net-inet-fix-race-in-reqsk_queue_unlink.patch +++ /dev/null @@ -1,76 +0,0 @@ -From patchwork Thu Oct 1 12:39:26 2015 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [net] inet: fix race in reqsk_queue_unlink() -From: Eric Dumazet -X-Patchwork-Id: 524966 -Message-Id: <1443703166.32531.47.camel@edumazet-glaptop2.roam.corp.google.com> -To: David Miller -Cc: netdev , Yuchung Cheng -Date: Thu, 01 Oct 2015 05:39:26 -0700 - -From: Eric Dumazet - -reqsk_timer_handler() tests if icsk_accept_queue.listen_opt -is NULL at its beginning. - -By the time it calls inet_csk_reqsk_queue_drop() and -reqsk_queue_unlink(), listener might have been closed and -inet_csk_listen_stop() had called reqsk_queue_yank_acceptq() -which sets icsk_accept_queue.listen_opt to NULL - -We therefore need to correctly check listen_opt being NULL -after holding syn_wait_lock for proper synchronization. - -Fixes: fa76ce7328b2 ("inet: get rid of central tcp/dccp listener timer") -Fixes: b357a364c57c ("inet: fix possible panic in reqsk_queue_unlink()") -Signed-off-by: Eric Dumazet -Cc: Yuchung Cheng ---- - net/ipv4/inet_connection_sock.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - - - --- -To unsubscribe from this list: send the line "unsubscribe netdev" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c -index 7bb9c39e0a4d..61b45a17fc73 100644 ---- a/net/ipv4/inet_connection_sock.c -+++ b/net/ipv4/inet_connection_sock.c -@@ -577,21 +577,22 @@ EXPORT_SYMBOL(inet_rtx_syn_ack); - static bool reqsk_queue_unlink(struct request_sock_queue *queue, - struct request_sock *req) - { -- struct listen_sock *lopt = queue->listen_opt; - struct request_sock **prev; -+ struct listen_sock *lopt; - bool found = false; - - spin_lock(&queue->syn_wait_lock); -- -- for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL; -- prev = &(*prev)->dl_next) { -- if (*prev == req) { -- *prev = req->dl_next; -- found = true; -- break; -+ lopt = queue->listen_opt; -+ if (lopt) { -+ for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL; -+ prev = &(*prev)->dl_next) { -+ if (*prev == req) { -+ *prev = req->dl_next; -+ found = true; -+ break; -+ } - } - } -- - spin_unlock(&queue->syn_wait_lock); - if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) - reqsk_put(req); diff --git a/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch b/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch new file mode 100644 index 000000000..eac5aa7de --- /dev/null +++ b/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch @@ -0,0 +1,139 @@ +From a8bc90052f18348718412cebf7b569da95bad264 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Sun, 1 Nov 2015 16:22:53 +0000 +Subject: [PATCH 2/2] ppp, slip: Validate VJ compression slot parameters + completely +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently slhc_init() treats out-of-range values of rslots and tslots +as equivalent to 0, except that if tslots is too large it will +dereference a null pointer (CVE-2015-7799). + +Add a range-check at the top of the function and make it return an +ERR_PTR() on error instead of NULL. Change the callers accordingly. + +Compile-tested only. + +Reported-by: 郭永刚 +References: http://article.gmane.org/gmane.comp.security.oss.general/17908 +Signed-off-by: Ben Hutchings +--- + drivers/isdn/i4l/isdn_ppp.c | 10 ++++------ + drivers/net/ppp/ppp_generic.c | 6 ++---- + drivers/net/slip/slhc.c | 12 ++++++++---- + drivers/net/slip/slip.c | 2 +- + 4 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c +index 86f9abebcb72..9c1e8adaf4fc 100644 +--- a/drivers/isdn/i4l/isdn_ppp.c ++++ b/drivers/isdn/i4l/isdn_ppp.c +@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file) + * VJ header compression init + */ + is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ +- if (!is->slcomp) { ++ if (IS_ERR(is->slcomp)) { + isdn_ppp_ccp_reset_free(is); +- return -ENOMEM; ++ return PTR_ERR(is->slcomp); + } + #endif + #ifdef CONFIG_IPPP_FILTER +@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg) + is->maxcid = val; + #ifdef CONFIG_ISDN_PPP_VJ + sltmp = slhc_init(16, val); +- if (!sltmp) { +- printk(KERN_ERR "ippp, can't realloc slhc struct\n"); +- return -ENOMEM; +- } ++ if (IS_ERR(sltmp)) ++ return PTR_ERR(sltmp); + if (is->slcomp) + slhc_free(is->slcomp); + is->slcomp = sltmp; +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index ed00446759b2..9a863c6a6a33 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + val &= 0xffff; + } + vj = slhc_init(val2+1, val+1); +- if (!vj) { +- netdev_err(ppp->dev, +- "PPP: no memory (VJ compressor)\n"); +- err = -ENOMEM; ++ if (IS_ERR(vj)) { ++ err = PTR_ERR(vj); + break; + } + ppp_lock(ppp); +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index 079f7adfcde5..27ed25252aac 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp); + static unsigned char * put16(unsigned char *cp, unsigned short x); + static unsigned short pull16(unsigned char **cpp); + +-/* Initialize compression data structure ++/* Allocate compression data structure + * slots must be in range 0 to 255 (zero meaning no compression) ++ * Returns pointer to structure or ERR_PTR() on error. + */ + struct slcompress * + slhc_init(int rslots, int tslots) +@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots) + register struct cstate *ts; + struct slcompress *comp; + ++ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255) ++ return ERR_PTR(-EINVAL); ++ + comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL); + if (! comp) + goto out_fail; + +- if ( rslots > 0 && rslots < 256 ) { ++ if (rslots > 0) { + size_t rsize = rslots * sizeof(struct cstate); + comp->rstate = kzalloc(rsize, GFP_KERNEL); + if (! comp->rstate) +@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots) + comp->rslot_limit = rslots - 1; + } + +- if ( tslots > 0 && tslots < 256 ) { ++ if (tslots > 0) { + size_t tsize = tslots * sizeof(struct cstate); + comp->tstate = kzalloc(tsize, GFP_KERNEL); + if (! comp->tstate) +@@ -141,7 +145,7 @@ out_free2: + out_free: + kfree(comp); + out_fail: +- return NULL; ++ return ERR_PTR(-ENOMEM); + } + + +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c +index 05387b1e2e95..a17d86a57734 100644 +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu) + if (cbuff == NULL) + goto err_exit; + slcomp = slhc_init(16, 16); +- if (slcomp == NULL) ++ if (IS_ERR(slcomp)) + goto err_exit; + #endif + spin_lock_bh(&sl->lock); +-- +2.4.3 + diff --git a/showmem-cma-correct-reserved-memory-calculation.patch b/showmem-cma-correct-reserved-memory-calculation.patch new file mode 100644 index 000000000..c22a84969 --- /dev/null +++ b/showmem-cma-correct-reserved-memory-calculation.patch @@ -0,0 +1,61 @@ +From 3a83eda52f34b97168b70098ef0e34dbcaeaaf8f Mon Sep 17 00:00:00 2001 +From: Vishnu Pratap Singh +Date: Tue, 25 Aug 2015 00:04:44 +0000 +Subject: lib/show_mem.c: correct reserved memory calculation + +CMA reserved memory is not part of total reserved memory. +Currently when we print the total reserve memory it considers +cma as part of reserve memory and do minus of totalcma_pages +from reserved, which is wrong. In cases where total reserved +is less than cma reserved we will get negative values & while +printing we print as unsigned and we will get a very large value. + +Below is the show mem output on X86 ubuntu based system where +CMA reserved is 100MB (25600 pages) & total reserved is ~40MB(10316 pages). +And reserve memory shows a large value because of this bug. + +Before: +[ 127.066430] 898908 pages RAM +[ 127.066432] 671682 pages HighMem/MovableOnly +[ 127.066434] 4294952012 pages reserved +[ 127.066436] 25600 pages cma reserved + +After: +[ 44.663129] 898908 pages RAM +[ 44.663130] 671682 pages HighMem/MovableOnly +[ 44.663130] 10316 pages reserved +[ 44.663131] 25600 pages cma reserved + +Signed-off-by: Vishnu Pratap Singh +Cc: Michal Nazarewicz +Cc: Marek Szyprowski +Cc: Joonsoo Kim +Cc: Laurent Pinchart +Cc: Sasha Levin +Cc: Danesh Petigara +Cc: Laura Abbott +Signed-off-by: Andrew Morton +--- + lib/show_mem.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/lib/show_mem.c b/lib/show_mem.c +index adc98e18..1feed6a 100644 +--- a/lib/show_mem.c ++++ b/lib/show_mem.c +@@ -38,11 +38,9 @@ void show_mem(unsigned int filter) + + printk("%lu pages RAM\n", total); + printk("%lu pages HighMem/MovableOnly\n", highmem); ++ printk("%lu pages reserved\n", reserved); + #ifdef CONFIG_CMA +- printk("%lu pages reserved\n", (reserved - totalcma_pages)); + printk("%lu pages cma reserved\n", totalcma_pages); +-#else +- printk("%lu pages reserved\n", reserved); + #endif + #ifdef CONFIG_QUICKLIST + printk("%lu pages in pagetable cache\n", +-- +cgit v0.11.2 + diff --git a/sources b/sources index 2c3c8343e..6a576122e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 3d5ea06d767e2f35c999eeadafc76523 linux-4.2.tar.xz 4c964bfba54d65b5b54cc898baddecad perf-man-4.2.tar.gz -6a7355d968116129c19dc053fb2d557a patch-4.2.3.xz +19e47863ca441b2e11f90f25fb6c41ec patch-4.2.5.xz diff --git a/vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch b/vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch deleted file mode 100644 index f9e7e6e61..000000000 --- a/vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 14588dfe2e411056df5ba85ef88ad51730a2fa0a Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" -Date: Sat, 15 Aug 2015 20:27:13 -0500 -Subject: [PATCH 2/2] vfs: Test for and handle paths that are unreachable from - their mnt_root - -commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream. - -In rare cases a directory can be renamed out from under a bind mount. -In those cases without special handling it becomes possible to walk up -the directory tree to the root dentry of the filesystem and down -from the root dentry to every other file or directory on the filesystem. - -Like division by zero .. from an unconnected path can not be given -a useful semantic as there is no predicting at which path component -the code will realize it is unconnected. We certainly can not match -the current behavior as the current behavior is a security hole. - -Therefore when encounting .. when following an unconnected path -return -ENOENT. - -- Add a function path_connected to verify path->dentry is reachable - from path->mnt.mnt_root. AKA to validate that rename did not do - something nasty to the bind mount. - - To avoid races path_connected must be called after following a path - component to it's next path component. - -Signed-off-by: "Eric W. Biederman" -Signed-off-by: Al Viro ---- - fs/namei.c | 27 +++++++++++++++++++++++++-- - 1 file changed, 25 insertions(+), 2 deletions(-) - -diff --git a/fs/namei.c b/fs/namei.c -index 1c2105ed20c5..29b927938b8c 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -560,6 +560,24 @@ static int __nd_alloc_stack(struct nameidata *nd) - return 0; - } - -+/** -+ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root -+ * @path: nameidate to verify -+ * -+ * Rename can sometimes move a file or directory outside of a bind -+ * mount, path_connected allows those cases to be detected. -+ */ -+static bool path_connected(const struct path *path) -+{ -+ struct vfsmount *mnt = path->mnt; -+ -+ /* Only bind mounts can have disconnected paths */ -+ if (mnt->mnt_root == mnt->mnt_sb->s_root) -+ return true; -+ -+ return is_subdir(path->dentry, mnt->mnt_root); -+} -+ - static inline int nd_alloc_stack(struct nameidata *nd) - { - if (likely(nd->depth != EMBEDDED_LEVELS)) -@@ -1296,6 +1314,8 @@ static int follow_dotdot_rcu(struct nameidata *nd) - return -ECHILD; - nd->path.dentry = parent; - nd->seq = seq; -+ if (unlikely(!path_connected(&nd->path))) -+ return -ENOENT; - break; - } else { - struct mount *mnt = real_mount(nd->path.mnt); -@@ -1396,7 +1416,7 @@ static void follow_mount(struct path *path) - } - } - --static void follow_dotdot(struct nameidata *nd) -+static int follow_dotdot(struct nameidata *nd) - { - if (!nd->root.mnt) - set_root(nd); -@@ -1412,6 +1432,8 @@ static void follow_dotdot(struct nameidata *nd) - /* rare case of legitimate dget_parent()... */ - nd->path.dentry = dget_parent(nd->path.dentry); - dput(old); -+ if (unlikely(!path_connected(&nd->path))) -+ return -ENOENT; - break; - } - if (!follow_up(&nd->path)) -@@ -1419,6 +1441,7 @@ static void follow_dotdot(struct nameidata *nd) - } - follow_mount(&nd->path); - nd->inode = nd->path.dentry->d_inode; -+ return 0; - } - - /* -@@ -1634,7 +1657,7 @@ static inline int handle_dots(struct nameidata *nd, int type) - if (nd->flags & LOOKUP_RCU) { - return follow_dotdot_rcu(nd); - } else -- follow_dotdot(nd); -+ return follow_dotdot(nd); - } - return 0; - } --- -2.4.3 -