diff --git a/0001-Input-synaptics-handle-spurious-release-of-trackstic.patch b/0001-Input-synaptics-handle-spurious-release-of-trackstic.patch new file mode 100644 index 000000000..52b082b36 --- /dev/null +++ b/0001-Input-synaptics-handle-spurious-release-of-trackstic.patch @@ -0,0 +1,31 @@ +From cb6fcfe5a7e9197ceb7e9eec56e9c526e4e76354 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Mon, 14 Mar 2016 19:37:12 +0100 +Subject: [PATCH] Input: synaptics - handle spurious release of trackstick + buttons, again + +Looks like the fimware 8.2 stall has the extra buttons spurious release +bug. + +Signed-off-by: Benjamin Tissoires +--- + drivers/input/mouse/synaptics.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c +index 6025eb4..4ef8d7a 100644 +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -863,7 +863,8 @@ static void synaptics_report_ext_buttons(struct psmouse *psmouse, + return; + + /* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */ +- if (SYN_ID_FULL(priv->identity) == 0x801 && ++ if ((SYN_ID_FULL(priv->identity) == 0x801 || ++ SYN_ID_FULL(priv->identity) == 0x802) && + !((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02)) + return; + +-- +2.5.0 + diff --git a/0001-Test-ata-fix.patch b/0001-Test-ata-fix.patch deleted file mode 100644 index 0ae2cf71e..000000000 --- a/0001-Test-ata-fix.patch +++ /dev/null @@ -1,27 +0,0 @@ -From bb4d91481dd2122351866e500b46cff9399f579d Mon Sep 17 00:00:00 2001 -From: Laura Abbott -Date: Thu, 25 Feb 2016 11:40:07 -0800 -Subject: [PATCH] Test ata fix - -Signed-off-by: Laura Abbott ---- - drivers/ata/libahci.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c -index 1f225cc..998c6a8 100644 ---- a/drivers/ata/libahci.c -+++ b/drivers/ata/libahci.c -@@ -1142,8 +1142,7 @@ static void ahci_port_init(struct device *dev, struct ata_port *ap, - - /* mark esata ports */ - tmp = readl(port_mmio + PORT_CMD); -- if ((tmp & PORT_CMD_HPCP) || -- ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS))) -+ if ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS)) - ap->pflags |= ATA_PFLAG_EXTERNAL; - } - --- -2.5.0 - diff --git a/0001-cdc-acm-fix-NULL-pointer-reference.patch b/0001-cdc-acm-fix-NULL-pointer-reference.patch new file mode 100644 index 000000000..3d63411c0 --- /dev/null +++ b/0001-cdc-acm-fix-NULL-pointer-reference.patch @@ -0,0 +1,46 @@ +From 29c6dd591bbd592472247441de9fa694acdabae8 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 7 Jan 2016 11:01:00 +0100 +Subject: [PATCH] cdc-acm: fix NULL pointer reference + +The union descriptor must be checked. Its usage was conditional +before the parser was introduced. This is important, because +many RNDIS device, which also use the common parser, have +bogus extra descriptors. + +Signed-off-by: Oliver Neukum +Tested-by: Vasily Galkin +Signed-off-by: David S. Miller +--- + drivers/net/usb/cdc_ether.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c +index 3da70bf..7cba2c3 100644 +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -160,6 +160,12 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) + info->u = header.usb_cdc_union_desc; + info->header = header.usb_cdc_header_desc; + info->ether = header.usb_cdc_ether_desc; ++ if (!info->u) { ++ if (rndis) ++ goto skip; ++ else /* in that case a quirk is mandatory */ ++ goto bad_desc; ++ } + /* we need a master/control interface (what we're + * probed with) and a slave/data interface; union + * descriptors sort this all out. +@@ -256,7 +262,7 @@ skip: + goto bad_desc; + } + +- } else if (!info->header || !info->u || (!rndis && !info->ether)) { ++ } else if (!info->header || (!rndis && !info->ether)) { + dev_dbg(&intf->dev, "missing cdc %s%s%sdescriptor\n", + info->header ? "" : "header ", + info->u ? "" : "union ", +-- +2.5.0 + diff --git a/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch b/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch new file mode 100644 index 000000000..b6c446829 --- /dev/null +++ b/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch @@ -0,0 +1,45 @@ +From 79abe2bd501d628b165f323098d6972d69bd13d7 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 16 Mar 2016 13:20:51 +0100 +Subject: [PATCH] uas: Limit qdepth at the scsi-host level + +Commit 64d513ac31bd ("scsi: use host wide tags by default") causes +the scsi-core to queue more cmnds then we can handle on devices with +multiple LUNs, limit the qdepth at the scsi-host level instead of +per slave to fix this. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1315013 +Cc: stable@vger.kernel.org # 4.4.x and 4.5.x +Signed-off-by: Hans de Goede +--- + drivers/usb/storage/uas.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index c90a7e4..b5cb7ab 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -800,7 +800,6 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_BROKEN_FUA) + sdev->broken_fua = 1; + +- scsi_change_queue_depth(sdev, devinfo->qdepth - 2); + return 0; + } + +@@ -932,6 +931,12 @@ static int uas_probe(struct usb_interface *intf, const struct usb_device_id *id) + if (result) + goto set_alt0; + ++ /* ++ * 1 tag is reserved for untagged commands + ++ * 1 tag to avoid of by one errors in some bridge firmwares ++ */ ++ shost->can_queue = devinfo->qdepth - 2; ++ + usb_set_intfdata(intf, shost); + result = scsi_add_host(shost, &intf->dev); + if (result) +-- +2.7.3 + diff --git a/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch b/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch new file mode 100644 index 000000000..801434a26 --- /dev/null +++ b/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch @@ -0,0 +1,80 @@ +From 873156565ca67779bbf5a3475ccd08ea3bb92522 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 15 Mar 2016 15:20:58 +0100 +Subject: [PATCH 2/2] ALSA: usb-audio: Add sanity checks for endpoint accesses + +Add some sanity check codes before actually accessing the endpoint via +get_endpoint() in order to avoid the invalid access through a +malformed USB descriptor. Mostly just checking bNumEndpoints, but in +one place (snd_microii_spdif_default_get()), the validity of iface and +altsetting index is checked as well. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125 +Cc: +Signed-off-by: Takashi Iwai +--- + sound/usb/clock.c | 2 ++ + sound/usb/endpoint.c | 3 +++ + sound/usb/mixer_quirks.c | 4 ++++ + sound/usb/pcm.c | 2 ++ + 4 files changed, 11 insertions(+) + +diff --git a/sound/usb/clock.c b/sound/usb/clock.c +index 2ed260b10f6d..7ccbcaf6a147 100644 +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface, + unsigned char data[3]; + int err, crate; + ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + /* if endpoint doesn't have sampling rate control, bail out */ +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index e6f71894ecdc..c2131b851602 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -415,6 +415,9 @@ exit_clear: + * + * New endpoints will be added to chip->ep_list and must be freed by + * calling snd_usb_endpoint_free(). ++ * ++ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that ++ * bNumEndpoints > 1 beforehand. + */ + struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip, + struct usb_host_interface *alts, +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index d3608c0a29f3..2d724e3c4cc0 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1518,7 +1518,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol, + + /* use known values for that card: interface#1 altsetting#1 */ + iface = usb_ifnum_to_if(chip->dev, 1); ++ if (!iface || iface->num_altsetting < 2) ++ return -EINVAL; + alts = &iface->altsetting[1]; ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + err = snd_usb_ctl_msg(chip->dev, +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index cdac5179db3f..4da64896df6d 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface, + unsigned char data[1]; + int err; + ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + data[0] = 1; +-- +2.5.0 + diff --git a/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch b/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch new file mode 100644 index 000000000..37cdb213a --- /dev/null +++ b/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch @@ -0,0 +1,40 @@ +From b0bb5691b38e2f439b071e226bad9f699c33b77d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 15 Mar 2016 12:09:10 +0100 +Subject: [PATCH 1/2] ALSA: usb-audio: Fix NULL dereference in + create_fixed_stream_quirk() + +create_fixed_stream_quirk() may cause a NULL-pointer dereference by +accessing the non-existing endpoint when a USB device with a malformed +USB descriptor is used. + +This patch avoids it simply by adding a sanity check of bNumEndpoints +before the accesses. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125 +Cc: +Signed-off-by: Takashi Iwai +--- + sound/usb/quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index eef9b8e4b949..e128ca62eb44 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -177,6 +177,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + } + alts = &iface->altsetting[fp->altset_idx]; + altsd = get_iface_desc(alts); ++ if (altsd->bNumEndpoints < 1) { ++ kfree(fp); ++ kfree(rate_table); ++ return -EINVAL; ++ } ++ + fp->protocol = altsd->bInterfaceProtocol; + + if (fp->datainterval == 0) +-- +2.5.0 + diff --git a/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch b/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch new file mode 100644 index 000000000..7de890e1b --- /dev/null +++ b/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch @@ -0,0 +1,38 @@ +From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Mon, 14 Mar 2016 10:02:51 -0400 +Subject: [PATCH] USB: input: powermate: fix oops with malicious USB + descriptors + +The powermate driver expects at least one valid USB endpoint in its +probe function. If given malicious descriptors that specify 0 for +the number of endpoints, it will crash. Validate the number of +endpoints on the interface before using them. + +The full report for this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/85 + +Reported-by: Ralf Spenneberg +Cc: stable +Signed-off-by: Josh Boyer +--- + drivers/input/misc/powermate.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c +index 63b539d3daba..84909a12ff36 100644 +--- a/drivers/input/misc/powermate.c ++++ b/drivers/input/misc/powermate.c +@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i + int error = -ENOMEM; + + interface = intf->cur_altsetting; ++ if (interface->desc.bNumEndpoints < 1) ++ return -EINVAL; ++ + endpoint = &interface->endpoint[0].desc; + if (!usb_endpoint_is_int_in(endpoint)) + return -EIO; +-- +2.5.0 + diff --git a/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch b/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch new file mode 100644 index 000000000..7df3af2b1 --- /dev/null +++ b/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch @@ -0,0 +1,40 @@ +From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Mon, 14 Mar 2016 10:38:31 -0400 +Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors + +The iowarrior driver expects at least one valid endpoint. If given +malicious descriptors that specify 0 for the number of endpoints, +it will crash in the probe function. Ensure there is at least +one endpoint on the interface before using it. + +The full report of this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/87 + +Reported-by: Ralf Spenneberg +Cc: stable +Signed-off-by: Josh Boyer +--- + drivers/usb/misc/iowarrior.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c +index c6bfd13f6c92..1950e87b4219 100644 +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface, + iface_desc = interface->cur_altsetting; + dev->product_id = le16_to_cpu(udev->descriptor.idProduct); + ++ if (iface_desc->desc.bNumEndpoints < 1) { ++ dev_err(&interface->dev, "Invalid number of endpoints\n"); ++ retval = -EINVAL; ++ goto error; ++ } ++ + /* set up the endpoint information */ + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { + endpoint = &iface_desc->endpoint[i].desc; +-- +2.5.0 + diff --git a/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch new file mode 100644 index 000000000..ac8e71c72 --- /dev/null +++ b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch @@ -0,0 +1,59 @@ +From 94c78c81df3056e573fb84000a32512e9c16e555 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Thu, 10 Mar 2016 08:49:02 -0500 +Subject: [PATCH] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU + devices + +A Fedora user reports that the ftdi_sio driver works properly for the +ICP DAS I-7561U device. Further, the user manual for these devices +instructs users to load the driver and add the ids using the sysfs +interface. + +Add support for these in the driver directly so that the devices work +out of the box instead of needing manual configuration. + +Reported-by: +CC: stable +Signed-off-by: Josh Boyer +--- + drivers/usb/serial/ftdi_sio.c | 4 ++++ + drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++ + 2 files changed, 12 insertions(+) + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 8c660ae401d8..b61f12160d37 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1004,6 +1004,10 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) }, + { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) }, + { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) }, ++ /* ICP DAS I-756xU devices */ ++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) }, ++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) }, ++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) }, + { } /* Terminating entry */ + }; + +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index a84df2513994..a4ec24ce6a11 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -872,6 +872,14 @@ + #define NOVITUS_BONO_E_PID 0x6010 + + /* ++ * ICPDAS I-756*U devices ++ */ ++#define ICPDAS_VID 0x1b5c ++#define ICPDAS_I7560U_PID 0x0103 ++#define ICPDAS_I7561U_PID 0x0104 ++#define ICPDAS_I7563U_PID 0x0105 ++ ++/* + * RT Systems programming cables for various ham radios + */ + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ +-- +2.5.0 + diff --git a/cdc-acm-more-sanity-checking.patch b/cdc-acm-more-sanity-checking.patch new file mode 100644 index 000000000..99ad43416 --- /dev/null +++ b/cdc-acm-more-sanity-checking.patch @@ -0,0 +1,33 @@ +From e6a87f147002fa16adcbafebbc458ff90a463474 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 15 Mar 2016 10:14:04 +0100 +Subject: [PATCH] cdc-acm: more sanity checking + +An attack has become available which pretends to be a quirky +device circumventing normal sanity checks and crashes the kernel +by an insufficient number of interfaces. This patch adds a check +to the code path for quirky devices. + +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 26ca4f910cb0..a7732f80a912 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1113,6 +1113,9 @@ static int acm_probe(struct usb_interface *intf, + if (quirks == NO_UNION_NORMAL) { + data_interface = usb_ifnum_to_if(usb_dev, 1); + control_interface = usb_ifnum_to_if(usb_dev, 0); ++ /* we would crash */ ++ if (!data_interface || !control_interface) ++ return -ENODEV; + goto skip_normal_probe; + } + +-- +2.5.0 + diff --git a/cfg80211-wext-fix-message-ordering.patch b/cfg80211-wext-fix-message-ordering.patch deleted file mode 100644 index 8d3cdfdda..000000000 --- a/cfg80211-wext-fix-message-ordering.patch +++ /dev/null @@ -1,83 +0,0 @@ -From cb150b9d23be6ee7f3a0fff29784f1c5b5ac514d Mon Sep 17 00:00:00 2001 -From: Johannes Berg -Date: Wed, 27 Jan 2016 13:29:34 +0100 -Subject: cfg80211/wext: fix message ordering - -Since cfg80211 frequently takes actions from its netdev notifier -call, wireless extensions messages could still be ordered badly -since the wext netdev notifier, since wext is built into the -kernel, runs before the cfg80211 netdev notifier. For example, -the following can happen: - -5: wlan1: mtu 1500 qdisc mq state DOWN group default - link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff -5: wlan1: - link/ether - -when setting the interface down causes the wext message. - -To also fix this, export the wireless_nlevent_flush() function -and also call it from the cfg80211 notifier. - -Cc: stable@vger.kernel.org -Signed-off-by: Johannes Berg ---- - include/net/iw_handler.h | 6 ++++++ - net/wireless/core.c | 2 ++ - net/wireless/wext-core.c | 3 ++- - 3 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/include/net/iw_handler.h b/include/net/iw_handler.h -index 8f81bbb..e0f4109 100644 ---- a/include/net/iw_handler.h -+++ b/include/net/iw_handler.h -@@ -439,6 +439,12 @@ int dev_get_wireless_info(char *buffer, char **start, off_t offset, int length); - /* Send a single event to user space */ - void wireless_send_event(struct net_device *dev, unsigned int cmd, - union iwreq_data *wrqu, const char *extra); -+#ifdef CONFIG_WEXT_CORE -+/* flush all previous wext events - if work is done from netdev notifiers */ -+void wireless_nlevent_flush(void); -+#else -+static inline void wireless_nlevent_flush(void) {} -+#endif - - /* We may need a function to send a stream of events to user space. - * More on that later... */ -diff --git a/net/wireless/core.c b/net/wireless/core.c -index b091551..8f0bac7 100644 ---- a/net/wireless/core.c -+++ b/net/wireless/core.c -@@ -1147,6 +1147,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb, - return NOTIFY_DONE; - } - -+ wireless_nlevent_flush(); -+ - return NOTIFY_OK; - } - -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index 87dd619..b50ee5d 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -342,7 +342,7 @@ static const int compat_event_type_size[] = { - - /* IW event code */ - --static void wireless_nlevent_flush(void) -+void wireless_nlevent_flush(void) - { - struct sk_buff *skb; - struct net *net; -@@ -355,6 +355,7 @@ static void wireless_nlevent_flush(void) - GFP_KERNEL); - } - } -+EXPORT_SYMBOL_GPL(wireless_nlevent_flush); - - static int wext_netdev_notifier_call(struct notifier_block *nb, - unsigned long state, void *ptr) --- -cgit v0.12 - diff --git a/cypress_m8-add-sanity-checking.patch b/cypress_m8-add-sanity-checking.patch new file mode 100644 index 000000000..fa8513f94 --- /dev/null +++ b/cypress_m8-add-sanity-checking.patch @@ -0,0 +1,50 @@ +From f7a3aa353011e38e119adebd845b38551587a26a Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 17 Mar 2016 16:25:33 +0100 +Subject: [PATCH] cypress_m8: add sanity checking + +An attack using missing endpoints exists. +CVE-2016-3137 + +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org + +v1 - add sanity check +v2 - add error logging +v3 - correct error message +--- + drivers/usb/serial/cypress_m8.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c +index 01bf53392819..5e25443fe4ef 100644 +--- a/drivers/usb/serial/cypress_m8.c ++++ b/drivers/usb/serial/cypress_m8.c +@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) + struct usb_serial *serial = port->serial; + struct cypress_private *priv; + ++ if (!port->interrupt_out_urb || !port->interrupt_in_urb) { ++ dev_err(&port->dev, "A required endpoint is missing\n"); ++ return -ENODEV; ++ } ++ + priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); + if (!priv) + return -ENOMEM; +@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) + cypress_set_termios(tty, port, &priv->tmp_termios); + + /* setup the port and start reading from the device */ +- if (!port->interrupt_in_urb) { +- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", +- __func__); +- return -1; +- } +- + usb_fill_int_urb(port->interrupt_in_urb, serial->dev, + usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), + port->interrupt_in_urb->transfer_buffer, +-- +2.5.0 + diff --git a/digi_acceleport-do-sanity-checking-for-the-number-of.patch b/digi_acceleport-do-sanity-checking-for-the-number-of.patch new file mode 100644 index 000000000..eb060eb08 --- /dev/null +++ b/digi_acceleport-do-sanity-checking-for-the-number-of.patch @@ -0,0 +1,70 @@ +From e9c2a3972496927631a1a98fef43e9538e9fd5d5 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Mon, 14 Mar 2016 15:53:38 +0100 +Subject: [PATCH v2] digi_acceleport: do sanity checking for the number of ports + +The driver can be crashed with devices that expose crafted +descriptors with too few endpoints. +See: +http://seclists.org/bugtraq/2016/Mar/61 + +Signed-off-by: Oliver Neukum + +v1 - added sanity checks +v2 - moved them to probe() to fix problems Johan pointed out +--- + drivers/usb/serial/digi_acceleport.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c +index 12b0e67..dab1dcf 100644 +--- a/drivers/usb/serial/digi_acceleport.c ++++ b/drivers/usb/serial/digi_acceleport.c +@@ -1252,7 +1252,8 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num) + static int digi_startup(struct usb_serial *serial) + { + struct digi_serial *serial_priv; +- int ret; ++ int ret = -ENODEV; ++ int i; + + serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL); + if (!serial_priv) +@@ -1260,18 +1261,31 @@ static int digi_startup(struct usb_serial *serial) + + spin_lock_init(&serial_priv->ds_serial_lock); + serial_priv->ds_oob_port_num = serial->type->num_ports; ++ ++ /* Check whether the expected number of ports matches the device */ ++ if (serial->num_ports < serial_priv->ds_oob_port_num) ++ goto error; ++ /* all features must be present */ ++ for (i = 0; i < serial->type->num_ports + 1 ; i++) { ++ if (!serial->port[i]->read_urb) ++ goto error; ++ if (!serial->port[i]->write_urb) ++ goto error; ++ } ++ + serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num]; + + ret = digi_port_init(serial_priv->ds_oob_port, + serial_priv->ds_oob_port_num); +- if (ret) { +- kfree(serial_priv); +- return ret; +- } ++ if (ret) ++ goto error; + + usb_set_serial_data(serial, serial_priv); + + return 0; ++error: ++ kfree(serial_priv); ++ return ret; + } + + +-- +2.1.4 diff --git a/ims-pcu-sanity-check-against-missing-interfaces.patch b/ims-pcu-sanity-check-against-missing-interfaces.patch new file mode 100644 index 000000000..827a2b7ee --- /dev/null +++ b/ims-pcu-sanity-check-against-missing-interfaces.patch @@ -0,0 +1,39 @@ +From a4200b7eb26271108586d3a7cf34a2f16d460e48 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 17 Mar 2016 15:10:47 +0100 +Subject: [PATCH] ims-pcu: sanity check against missing interfaces + +A malicious device missing interface can make the driver oops. +Add sanity checking. + +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org +--- + drivers/input/misc/ims-pcu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c +index ac1fa5f44580..9c0ea36913b4 100644 +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc + + pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev, + union_desc->bMasterInterface0); ++ if (!pcu->ctrl_intf) ++ return -EINVAL; + + alt = pcu->ctrl_intf->cur_altsetting; + pcu->ep_ctrl = &alt->endpoint[0].desc; +@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc + + pcu->data_intf = usb_ifnum_to_if(pcu->udev, + union_desc->bSlaveInterface0); ++ if (!pcu->data_intf) ++ return -EINVAL; + + alt = pcu->data_intf->cur_altsetting; + if (alt->desc.bNumEndpoints != 2) { +-- +2.5.0 + diff --git a/input-gtco-fix-crash-on-detecting-device-without-end.patch b/input-gtco-fix-crash-on-detecting-device-without-end.patch new file mode 100644 index 000000000..849f607a5 --- /dev/null +++ b/input-gtco-fix-crash-on-detecting-device-without-end.patch @@ -0,0 +1,49 @@ +Subject: [PATCH] Input: gtco: fix crash on detecting device without endpoints +From: Vladis Dronov +Date: 2016-03-18 18:35:00 + +The gtco driver expects at least one valid endpoint. If given +malicious descriptors that specify 0 for the number of endpoints, +it will crash in the probe function. Ensure there is at least +one endpoint on the interface before using it. Fix minor coding +style issue. + +The full report of this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/86 + +Reported-by: Ralf Spenneberg +Signed-off-by: Vladis Dronov +--- + drivers/input/tablet/gtco.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c +index 3a7f3a4..7c18249 100644 +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface, + goto err_free_buf; + } + ++ /* Sanity check that a device has an endpoint */ ++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ dev_err(&usbinterface->dev, ++ "Invalid number of endpoints\n"); ++ error = -EINVAL; ++ goto err_free_urb; ++ } ++ + /* + * The endpoint is always altsetting 0, we know this since we know + * this device only has one interrupt endpoint +@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface, + * HID report descriptor + */ + if (usb_get_extra_descriptor(usbinterface->cur_altsetting, +- HID_DEVICE_TYPE, &hid_desc) != 0){ ++ HID_DEVICE_TYPE, &hid_desc) != 0) { + dev_err(&usbinterface->dev, + "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); + error = -EIO; +-- +2.5.0 diff --git a/iommu-fix.patch b/iommu-fix.patch deleted file mode 100644 index 08cdafd1a..000000000 --- a/iommu-fix.patch +++ /dev/null @@ -1,92 +0,0 @@ -From b91309eedd77374fdecc379942c44f903e2dedff Mon Sep 17 00:00:00 2001 -From: Suravee Suthikulpanit -Date: Tue, 23 Feb 2016 13:03:30 +0100 -Subject: [PATCH] iommu/amd: Fix boot warning when device 00:00.0 is not iommu - covered - -The setup code for the performance counters in the AMD IOMMU driver -tests whether the counters can be written. It tests to setup a counter -for device 00:00.0, which fails on systems where this particular device -is not covered by the IOMMU. - -Fix this by not relying on device 00:00.0 but only on the IOMMU being -present. - -Cc: stable@vger.kernel.org -Signed-off-by: Suravee Suthikulpanit -Signed-off-by: Joerg Roedel ---- - drivers/iommu/amd_iommu_init.c | 34 ++++++++++++++++++++++------------ - 1 file changed, 22 insertions(+), 12 deletions(-) - -diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c -index 013bdff..d06a6d9 100644 ---- a/drivers/iommu/amd_iommu_init.c -+++ b/drivers/iommu/amd_iommu_init.c -@@ -228,6 +228,10 @@ static int amd_iommu_enable_interrupts(void); - static int __init iommu_go_to_state(enum iommu_init_state state); - static void init_device_table_dma(void); - -+static int iommu_pc_get_set_reg_val(struct amd_iommu *iommu, -+ u8 bank, u8 cntr, u8 fxn, -+ u64 *value, bool is_write); -+ - static inline void update_last_devid(u16 devid) - { - if (devid > amd_iommu_last_bdf) -@@ -1142,8 +1146,8 @@ static void init_iommu_perf_ctr(struct amd_iommu *iommu) - amd_iommu_pc_present = true; - - /* Check if the performance counters can be written to */ -- if ((0 != amd_iommu_pc_get_set_reg_val(0, 0, 0, 0, &val, true)) || -- (0 != amd_iommu_pc_get_set_reg_val(0, 0, 0, 0, &val2, false)) || -+ if ((0 != iommu_pc_get_set_reg_val(iommu, 0, 0, 0, &val, true)) || -+ (0 != iommu_pc_get_set_reg_val(iommu, 0, 0, 0, &val2, false)) || - (val != val2)) { - pr_err("AMD-Vi: Unable to write to IOMMU perf counter.\n"); - amd_iommu_pc_present = false; -@@ -2283,22 +2287,15 @@ u8 amd_iommu_pc_get_max_counters(u16 devid) - } - EXPORT_SYMBOL(amd_iommu_pc_get_max_counters); - --int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn, -+static int iommu_pc_get_set_reg_val(struct amd_iommu *iommu, -+ u8 bank, u8 cntr, u8 fxn, - u64 *value, bool is_write) - { -- struct amd_iommu *iommu; - u32 offset; - u32 max_offset_lim; - -- /* Make sure the IOMMU PC resource is available */ -- if (!amd_iommu_pc_present) -- return -ENODEV; -- -- /* Locate the iommu associated with the device ID */ -- iommu = amd_iommu_rlookup_table[devid]; -- - /* Check for valid iommu and pc register indexing */ -- if (WARN_ON((iommu == NULL) || (fxn > 0x28) || (fxn & 7))) -+ if (WARN_ON((fxn > 0x28) || (fxn & 7))) - return -ENODEV; - - offset = (u32)(((0x40|bank) << 12) | (cntr << 8) | fxn); -@@ -2322,3 +2319,16 @@ int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn, - return 0; - } - EXPORT_SYMBOL(amd_iommu_pc_get_set_reg_val); -+ -+int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn, -+ u64 *value, bool is_write) -+{ -+ struct amd_iommu *iommu = amd_iommu_rlookup_table[devid]; -+ -+ /* Make sure the IOMMU PC resource is available */ -+ if (!amd_iommu_pc_present || iommu == NULL) -+ return -ENODEV; -+ -+ return iommu_pc_get_set_reg_val(iommu, bank, cntr, fxn, -+ value, is_write); -+} --- -1.8.4.5 diff --git a/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch b/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch new file mode 100644 index 000000000..48e4762e3 --- /dev/null +++ b/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch @@ -0,0 +1,97 @@ +From fbd40ea0180a2d328c5adc61414dc8bab9335ce2 Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Sun, 13 Mar 2016 23:28:00 -0400 +Subject: ipv4: Don't do expensive useless work during inetdev destroy. + +When an inetdev is destroyed, every address assigned to the interface +is removed. And in this scenerio we do two pointless things which can +be very expensive if the number of assigned interfaces is large: + +1) Address promotion. We are deleting all addresses, so there is no + point in doing this. + +2) A full nf conntrack table purge for every address. We only need to + do this once, as is already caught by the existing + masq_dev_notifier so masq_inet_event() can skip this. + +Reported-by: Solar Designer +Signed-off-by: David S. Miller +Tested-by: Cyrill Gorcunov +--- + net/ipv4/devinet.c | 4 ++++ + net/ipv4/fib_frontend.c | 4 ++++ + net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 12 ++++++++++-- + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 65e76a4..e333bc8 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, + + ASSERT_RTNL(); + ++ if (in_dev->dead) ++ goto no_promotions; ++ + /* 1. Deleting primary ifaddr forces deletion all secondaries + * unless alias promotion is set + **/ +@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, + fib_del_ifaddr(ifa, ifa1); + } + ++no_promotions: + /* 2. Unlink it */ + + *ifap = ifa1->ifa_next; +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 4734475..21add55 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -922,6 +922,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) + subnet = 1; + } + ++ if (in_dev->dead) ++ goto no_promotions; ++ + /* Deletion is more complicated than add. + * We should take care of not to delete too much :-) + * +@@ -997,6 +1000,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) + } + } + ++no_promotions: + if (!(ok & BRD_OK)) + fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim); + if (subnet && ifa->ifa_prefixlen < 31) { +diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c +index c6eb421..ea91058 100644 +--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c ++++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c +@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifier_block *this, + unsigned long event, + void *ptr) + { +- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev; ++ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev; + struct netdev_notifier_info info; + +- netdev_notifier_info_init(&info, dev); ++ /* The masq_dev_notifier will catch the case of the device going ++ * down. So if the inetdev is dead and being destroyed we have ++ * no work to do. Otherwise this is an individual address removal ++ * and we have to perform the flush. ++ */ ++ if (idev->dead) ++ return NOTIFY_DONE; ++ ++ netdev_notifier_info_init(&info, idev->dev); + return masq_device_event(this, event, &info); + } + +-- +cgit v0.12 + diff --git a/kernel.spec b/kernel.spec index fe48d979c..7bfd49360 100644 --- a/kernel.spec +++ b/kernel.spec @@ -22,7 +22,7 @@ Summary: The Linux kernel %global zipsed -e 's/\.ko$/\.ko.xz/' %endif -%define buildid .hu.1.pf6 +%define buildid .hu.1.pf8 # baserelease defines which build revision of this kernel version we're # building. We used to call this fedora_build, but the magical name @@ -40,7 +40,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -52,8 +52,8 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -#+Hu Pf against 4.4.4 v4.4-pf6: https://pf.natalenko.name/news/?p=161 -%define stable_update 4 +#+Hu Pf against 4.4.5 v4.4-pf8: https://pf.natalenko.name/news/?p=166, https://pf.natalenko.name/news/?p=165 +%define stable_update 5 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -469,7 +469,7 @@ Source2001: cpupower.config %if 0%{?stable_update} %if 0%{?stable_base} #%%define stable_patch_00 patch-4.%%{base_sublevel}.%%{stable_base}.xz -%global stable_patch_00 https://pf.natalenko.name/sources/4.4/patch-4.4-pf6.xz +%global stable_patch_00 https://pf.natalenko.name/sources/4.4/patch-4.4-pf8.xz Source5000: %{stable_patch_00} %endif @@ -631,28 +631,72 @@ Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch #rhbz 1278942 Patch643: media-ivtv-avoid-going-past-input-audio-array.patch -#rhbz 1302037 -Patch644: wext-fix-message-delay-ordering.patch -Patch645: cfg80211-wext-fix-message-ordering.patch - #rhbz 1255325 Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch #Known use after free, possibly rhbz 1310579 Patch654: 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch -#rhbz 1310258 -Patch655: iommu-fix.patch - -#rhbz 1310682 -Patch657: 0001-Test-ata-fix.patch - #Mitigates CVE-2013-4312 rhbz 1313428 1313433 Patch659: pipe-limit-the-per-user-amount-of-pages-allocated-in.patch #rhbz 1310252 1313318 Patch660: 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch +#rhbz 1316719 +Patch662: 0001-cdc-acm-fix-NULL-pointer-reference.patch + +#rhbz 1316136 +Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch + +#CVE-2016-3135 rhbz 1317386 1317387 +Patch664: netfilter-x_tables-check-for-size-overflow.patch + +#CVE-2016-3134 rhbz 1317383 1317384 +Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch + +#CVE-2016-3135 rhbz 1318172 1318270 +Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch + +#CVE-2016-2184 rhbz 1317012 1317470 +Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch +Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch + +#CVE-2016-3137 rhbz 1317010 1316996 +Patch672: cypress_m8-add-sanity-checking.patch + +#CVE-2016-2186 rhbz 1317015 1317464 +Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch + +#CVE-2016-2188 rhbz 1317018 1317467 +Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch + +#CVE-2016-2185 rhbz 1317014 1317471 +Patch675: usb_driver_claim_interface-add-sanity-checking.patch + +#CVE-2016-3138 rhbz 1317010 1316204 +Patch676: cdc-acm-more-sanity-checking.patch + +#CVE-2016-3140 rhbz 1317010 1316995 +Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch + +Patch678: ims-pcu-sanity-check-against-missing-interfaces.patch + +#rhbz 1315013 +Patch679: 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch + +#rhbz 1317190 +Patch680: thermal-fix.patch + +#rhbz 1318079 +Patch681: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch + +#CVE-2016-2187 rhbz 1317017 1317010 +Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch + +#CVE-2016-3136 rhbz 1317007 1317010 +Patch687: mct_u232-sanity-checking-in-probe.patch + # END OF PATCH DEFINITIONS %endif @@ -2101,6 +2145,52 @@ fi # and build. # %changelog +* Wed Mar 23 2016 Pavel Alexeev - 4.4.5-300.hu.1.pf8 +- Merge upstream changes (4.4.6). +- Update pf patch to v4.4-pf8, but it stick on 4.4.5 (https://pf.natalenko.name/news/?p=166, https://pf.natalenko.name/news/?p=165) + +* Tue Mar 22 2016 Josh Boyer +- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010) +- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010) + +* Mon Mar 21 2016 Laura Abbott +- uas: Limit qdepth at the scsi-host level (rhbz 1315013) +- Fix for performance regression caused by thermal (rhbz 1317190) +- Input: synaptics - handle spurious release of trackstick buttons, again (rhbz 1318079) + +* Fri Mar 18 2016 Josh Boyer +- ims-pcu: sanity checking on missing interfaces +- CVE-2016-3140 digi_acceleport: oops on invalid USB descriptors (rhbz 1317010 1316995) +- CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204) +- CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471) +- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467) +- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464) +- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996) +- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470) + +* Wed Mar 16 2016 Laura Abbott - 4.4.6-300 +- Linux v4.4.6 + +* Wed Mar 16 2016 Laura Abbott +- Revert patch causing radeon breakage (rhbz 1317300 1317179) + +* Wed Mar 16 2016 Josh Boyer +- CVE-2016-3135 ipv4: DoS when destroying a network interface (rhbz 1318172 1318270) + +* Mon Mar 14 2016 Josh Boyer +- CVE-2016-3134 netfilter: missing bounds check in ipt_entry struct (rhbz 1317383 1317384) +- CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387) + +* Fri Mar 11 2016 Josh Boyer +- Add patch for ICP DAS I-756xU devices (rhbz 1316136) + +* Thu Mar 10 2016 Laura Abbott +- cdc-acm: fix NULL pointer reference (rhbz 1316719) + +* Wed Mar 09 2016 Laura Abbott - 4.4.5-300 +- Linux v4.4.5 +- Fix for known arm64 bootup issue + * Tue Mar 08 2016 Pavel Alexeev - 4.4.4-301.hu.1.pf6 - Merge Fedora changes. - Step to kernel 4.4.4. diff --git a/mct_u232-sanity-checking-in-probe.patch b/mct_u232-sanity-checking-in-probe.patch new file mode 100644 index 000000000..006faf15f --- /dev/null +++ b/mct_u232-sanity-checking-in-probe.patch @@ -0,0 +1,35 @@ +Subject: [PATCH v2] mct_u232: sanity checking in probe +From: Oliver Neukum +Date: 2016-03-21 13:14:37 + +An attack using the lack of sanity checking in probe +is known. This patch checks for the existance of a +second port. +CVE-2016-3136 + +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org + +v1 - add sanity check for presence of a second port +v2 - add sanity check for an interrupt endpoint +--- + drivers/usb/serial/mct_u232.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c +index 4446b8d..3e64538 100644 +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port) + { + struct mct_u232_private *priv; + ++ /* check first to simplify error handling */ ++ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb) ++ return -ENODEV; ++ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; +-- +2.1.4 diff --git a/netfilter-x_tables-check-for-size-overflow.patch b/netfilter-x_tables-check-for-size-overflow.patch new file mode 100644 index 000000000..81e3d36fa --- /dev/null +++ b/netfilter-x_tables-check-for-size-overflow.patch @@ -0,0 +1,31 @@ +Subject: [PATCH nf] netfilter: x_tables: check for size overflow +From: Florian Westphal +Date: 2016-03-10 0:56:23 + +Ben Hawkes says: + integer overflow in xt_alloc_table_info, which on 32-bit systems can + lead to small structure allocation and a copy_from_user based heap + corruption. + +Reported-by: Ben Hawkes +Signed-off-by: Florian Westphal +--- + net/netfilter/x_tables.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index c8a0b7d..17a9a9f 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) + struct xt_table_info *info = NULL; + size_t sz = sizeof(*info) + size; + ++ if (sz < sizeof(*info)) ++ return NULL; ++ + /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ + if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) + return NULL; +-- +2.4.10 diff --git a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch new file mode 100644 index 000000000..ebfe1716f --- /dev/null +++ b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch @@ -0,0 +1,150 @@ +Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values +From: Florian Westphal +Date: 2016-03-10 0:56:02 + +Ben Hawkes says: + + In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it + is possible for a user-supplied ipt_entry structure to have a large + next_offset field. This field is not bounds checked prior to writing a + counter value at the supplied offset. + +Problem is that xt_entry_foreach() macro stops iterating once e->next_offset +is out of bounds, assuming this is the last entry. + +With malformed data thats not necessarily the case so we can +write outside of allocated area later as we might not have walked the +entire blob. + +Fix this by simplifying mark_source_chains -- it already has to check +if nextoff is in range to catch invalid jumps, so just do the check +when we move to a next entry as well. + +Signed-off-by: Florian Westphal +--- + net/ipv4/netfilter/arp_tables.c | 16 ++++++++-------- + net/ipv4/netfilter/ip_tables.c | 15 ++++++++------- + net/ipv6/netfilter/ip6_tables.c | 13 ++++++------- + 3 files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index b488cac..5a0b591 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + + /* Move along one */ + size = e->next_offset; ++ ++ if (pos + size > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct arpt_entry *) + (entry0 + pos + size); + e->counters.pcnt = pos; +@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + if (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0 && + newpos >= 0) { +- if (newpos > newinfo->size - +- sizeof(struct arpt_entry)) { +- duprintf("mark_source_chains: " +- "bad verdict (%i)\n", +- newpos); +- return 0; +- } +- + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); +@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + /* ... this is a fallthru */ + newpos = pos + e->next_offset; + } ++ ++ if (newpos > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct arpt_entry *) + (entry0 + newpos); + e->counters.pcnt = pos; +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index b99affa..ceb995f 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + + /* Move along one */ + size = e->next_offset; ++ ++ if (pos + size > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct ipt_entry *) + (entry0 + pos + size); + e->counters.pcnt = pos; +@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo, + if (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0 && + newpos >= 0) { +- if (newpos > newinfo->size - +- sizeof(struct ipt_entry)) { +- duprintf("mark_source_chains: " +- "bad verdict (%i)\n", +- newpos); +- return 0; +- } + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); +@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + /* ... this is a fallthru */ + newpos = pos + e->next_offset; + } ++ ++ if (newpos > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct ipt_entry *) + (entry0 + newpos); + e->counters.pcnt = pos; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 99425cf..d88a794 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo, + + /* Move along one */ + size = e->next_offset; ++ if (pos + size > newinfo->size - sizeof(*e)) ++ return 0; + e = (struct ip6t_entry *) + (entry0 + pos + size); + e->counters.pcnt = pos; +@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo, + if (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0 && + newpos >= 0) { +- if (newpos > newinfo->size - +- sizeof(struct ip6t_entry)) { +- duprintf("mark_source_chains: " +- "bad verdict (%i)\n", +- newpos); +- return 0; +- } + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); +@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + /* ... this is a fallthru */ + newpos = pos + e->next_offset; + } ++ ++ if (newpos > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct ip6t_entry *) + (entry0 + newpos); + e->counters.pcnt = pos; +-- +2.4.10 diff --git a/patch-4.4-pf6.xz b/patch-4.4-pf6.xz deleted file mode 100644 index b969f811f..000000000 Binary files a/patch-4.4-pf6.xz and /dev/null differ diff --git a/patch-4.4-pf8.xz b/patch-4.4-pf8.xz new file mode 100644 index 000000000..fb9c3bf0c Binary files /dev/null and b/patch-4.4-pf8.xz differ diff --git a/sources b/sources index 7da2ff0c0..680e50713 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -07e9b2c5d0daf7fc2a1ee26a52adcbc0 patch-4.4.4.xz +d48f09bf61f2500d70f839e190dc7c5a patch-4.4.6.xz diff --git a/thermal-fix.patch b/thermal-fix.patch new file mode 100644 index 000000000..bca27cfbe --- /dev/null +++ b/thermal-fix.patch @@ -0,0 +1,77 @@ +From 81ad4276b505e987dd8ebbdf63605f92cd172b52 Mon Sep 17 00:00:00 2001 +From: Zhang Rui +Date: Fri, 18 Mar 2016 10:03:24 +0800 +Subject: [PATCH] Thermal: Ignore invalid trip points + +In some cases, platform thermal driver may report invalid trip points, +thermal core should not take any action for these trip points. + +CC: #3.18+ +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1317190 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=114551 +Signed-off-by: Zhang Rui +--- + drivers/thermal/thermal_core.c | 13 ++++++++++++- + include/linux/thermal.h | 2 ++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index a0a8fd1..d4b5465 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -454,6 +454,10 @@ static void handle_thermal_trip(struct thermal_zone_device *tz, int trip) + { + enum thermal_trip_type type; + ++ /* Ignore disabled trip points */ ++ if (test_bit(trip, &tz->trips_disabled)) ++ return; ++ + tz->ops->get_trip_type(tz, trip, &type); + + if (type == THERMAL_TRIP_CRITICAL || type == THERMAL_TRIP_HOT) +@@ -1800,6 +1804,7 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type, + { + struct thermal_zone_device *tz; + enum thermal_trip_type trip_type; ++ int trip_temp; + int result; + int count; + int passive = 0; +@@ -1871,9 +1876,15 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type, + goto unregister; + + for (count = 0; count < trips; count++) { +- tz->ops->get_trip_type(tz, count, &trip_type); ++ if (tz->ops->get_trip_type(tz, count, &trip_type)) ++ set_bit(count, &tz->trips_disabled); + if (trip_type == THERMAL_TRIP_PASSIVE) + passive = 1; ++ if (tz->ops->get_trip_temp(tz, count, &trip_temp)) ++ set_bit(count, &tz->trips_disabled); ++ /* Check for bogus trip points */ ++ if (trip_temp == 0) ++ set_bit(count, &tz->trips_disabled); + } + + if (!passive) { +diff --git a/include/linux/thermal.h b/include/linux/thermal.h +index 9c48199..a55d052 100644 +--- a/include/linux/thermal.h ++++ b/include/linux/thermal.h +@@ -156,6 +156,7 @@ struct thermal_attr { + * @trip_hyst_attrs: attributes for trip points for sysfs: trip hysteresis + * @devdata: private pointer for device private data + * @trips: number of trip points the thermal zone supports ++ * @trips_disabled; bitmap for disabled trips + * @passive_delay: number of milliseconds to wait between polls when + * performing passive cooling. + * @polling_delay: number of milliseconds to wait between polls when +@@ -191,6 +192,7 @@ struct thermal_zone_device { + struct thermal_attr *trip_hyst_attrs; + void *devdata; + int trips; ++ unsigned long trips_disabled; /* bitmap for disabled trips */ + int passive_delay; + int polling_delay; + int temperature; diff --git a/usb_driver_claim_interface-add-sanity-checking.patch b/usb_driver_claim_interface-add-sanity-checking.patch new file mode 100644 index 000000000..079ff03fd --- /dev/null +++ b/usb_driver_claim_interface-add-sanity-checking.patch @@ -0,0 +1,39 @@ +From de0784bdf6314b70c69416d8c576eb83237d5b1e Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 16 Mar 2016 12:26:17 -0400 +Subject: [PATCH] usb_driver_claim_interface: add sanity checking + +Attacks that trick drivers into passing a NULL pointer +to usb_driver_claim_interface() using forged descriptors are +known. This thwarts them by sanity checking. + +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org +--- + drivers/usb/core/driver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c +index 6b5063e7943f..e2d242b68d4b 100644 +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -500,11 +500,15 @@ static int usb_unbind_interface(struct device *dev) + int usb_driver_claim_interface(struct usb_driver *driver, + struct usb_interface *iface, void *priv) + { +- struct device *dev = &iface->dev; ++ struct device *dev; + struct usb_device *udev; + int retval = 0; + int lpm_disable_error; + ++ if (!iface) ++ return -ENODEV; ++ ++ dev = &iface->dev; + if (dev->driver) + return -EBUSY; + +-- +2.5.0 + diff --git a/wext-fix-message-delay-ordering.patch b/wext-fix-message-delay-ordering.patch deleted file mode 100644 index 109b68da3..000000000 --- a/wext-fix-message-delay-ordering.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 8bf862739a7786ae72409220914df960a0aa80d8 Mon Sep 17 00:00:00 2001 -From: Johannes Berg -Date: Wed, 27 Jan 2016 12:37:52 +0100 -Subject: wext: fix message delay/ordering - -Beniamino reported that he was getting an RTM_NEWLINK message for a -given interface, after the RTM_DELLINK for it. It turns out that the -message is a wireless extensions message, which was sent because the -interface had been connected and disconnection while it was deleted -caused a wext message. - -For its netlink messages, wext uses RTM_NEWLINK, but the message is -without all the regular rtnetlink attributes, so "ip monitor link" -prints just rudimentary information: - -5: wlan1: mtu 1500 qdisc mq state DOWN group default - link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff -Deleted 5: wlan1: mtu 1500 qdisc noop state DOWN group default - link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff -5: wlan1: - link/ether -(from my hwsim reproduction) - -This can cause userspace to get confused since it doesn't expect an -RTM_NEWLINK message after RTM_DELLINK. - -The reason for this is that wext schedules a worker to send out the -messages, and the scheduling delay can cause the messages to get out -to userspace in different order. - -To fix this, have wext register a netdevice notifier and flush out -any pending messages when netdevice state changes. This fixes any -ordering whenever the original message wasn't sent by a notifier -itself. - -Cc: stable@vger.kernel.org -Reported-by: Beniamino Galvani -Signed-off-by: Johannes Berg ---- - net/wireless/wext-core.c | 51 +++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 40 insertions(+), 11 deletions(-) - -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index c8717c1..87dd619 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -342,6 +342,39 @@ static const int compat_event_type_size[] = { - - /* IW event code */ - -+static void wireless_nlevent_flush(void) -+{ -+ struct sk_buff *skb; -+ struct net *net; -+ -+ ASSERT_RTNL(); -+ -+ for_each_net(net) { -+ while ((skb = skb_dequeue(&net->wext_nlevents))) -+ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, -+ GFP_KERNEL); -+ } -+} -+ -+static int wext_netdev_notifier_call(struct notifier_block *nb, -+ unsigned long state, void *ptr) -+{ -+ /* -+ * When a netdev changes state in any way, flush all pending messages -+ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after -+ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close() -+ * or similar - all of which could otherwise happen due to delays from -+ * schedule_work(). -+ */ -+ wireless_nlevent_flush(); -+ -+ return NOTIFY_OK; -+} -+ -+static struct notifier_block wext_netdev_notifier = { -+ .notifier_call = wext_netdev_notifier_call, -+}; -+ - static int __net_init wext_pernet_init(struct net *net) - { - skb_queue_head_init(&net->wext_nlevents); -@@ -360,7 +393,12 @@ static struct pernet_operations wext_pernet_ops = { - - static int __init wireless_nlevent_init(void) - { -- return register_pernet_subsys(&wext_pernet_ops); -+ int err = register_pernet_subsys(&wext_pernet_ops); -+ -+ if (err) -+ return err; -+ -+ return register_netdevice_notifier(&wext_netdev_notifier); - } - - subsys_initcall(wireless_nlevent_init); -@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init); - /* Process events generated by the wireless layer or the driver. */ - static void wireless_nlevent_process(struct work_struct *work) - { -- struct sk_buff *skb; -- struct net *net; -- - rtnl_lock(); -- -- for_each_net(net) { -- while ((skb = skb_dequeue(&net->wext_nlevents))) -- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, -- GFP_KERNEL); -- } -- -+ wireless_nlevent_flush(); - rtnl_unlock(); - } - --- -cgit v0.12 -