Linux v4.2.4
This commit is contained in:
parent
2087088084
commit
0687abbd86
|
@ -1,86 +0,0 @@
|
|||
From 680ac028240f8747f31c03986fbcf18b2b521e93 Mon Sep 17 00:00:00 2001
|
||||
From: Borislav Petkov <bp@suse.de>
|
||||
Date: Mon, 27 Jul 2015 09:58:05 +0200
|
||||
Subject: [PATCH] x86/cpu/cacheinfo: Fix teardown path
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Philip Müller reported a hang when booting 32-bit 4.1 kernel on
|
||||
an AMD box. A fragment of the splat was enough to pinpoint the
|
||||
issue:
|
||||
|
||||
task: f58e0000 ti: f58e8000 task.ti: f58e800
|
||||
EIP: 0060:[<c135a903>] EFLAGS: 00010206 CPU: 0
|
||||
EIP is at free_cache_attributes+0x83/0xd0
|
||||
EAX: 00000001 EBX: f589d46c ECX: 00000090 EDX: 360c2000
|
||||
ESI: 00000000 EDI: c1724a80 EBP: f58e9ec0 ESP: f58e9ea0
|
||||
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
|
||||
CR0: 8005003b CR2: 000000ac CR3: 01731000 CR4: 000006d0
|
||||
|
||||
cache_shared_cpu_map_setup() did check sibling CPUs cacheinfo
|
||||
descriptor while the respective teardown path
|
||||
cache_shared_cpu_map_remove() didn't. Fix that.
|
||||
|
||||
From tglx's version: to be on the safe side, move the cacheinfo
|
||||
descriptor check to free_cache_attributes(), thus cleaning up
|
||||
the hotplug path a little and making this even more robust.
|
||||
|
||||
Reported-by: Philip Müller <philm@manjaro.org>
|
||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
||||
Cc: <stable@vger.kernel.org> # v4.1+
|
||||
Cc: Andre Przywara <andre.przywara@arm.com>
|
||||
Cc: Guenter Roeck <linux@roeck-us.net>
|
||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Sudeep Holla <sudeep.holla@arm.com>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
Cc: manjaro-dev@manjaro.org
|
||||
Link: http://lkml.kernel.org/r/20150727075805.GA20416@nazgul.tnic
|
||||
Link: https://lkml.kernel.org/r/55B47BB8.6080202@manjaro.org
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
drivers/base/cacheinfo.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c
|
||||
index 764280a91776..e9fd32e91668 100644
|
||||
--- a/drivers/base/cacheinfo.c
|
||||
+++ b/drivers/base/cacheinfo.c
|
||||
@@ -148,7 +148,11 @@ static void cache_shared_cpu_map_remove(unsigned int cpu)
|
||||
|
||||
if (sibling == cpu) /* skip itself */
|
||||
continue;
|
||||
+
|
||||
sib_cpu_ci = get_cpu_cacheinfo(sibling);
|
||||
+ if (!sib_cpu_ci->info_list)
|
||||
+ continue;
|
||||
+
|
||||
sib_leaf = sib_cpu_ci->info_list + index;
|
||||
cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map);
|
||||
cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map);
|
||||
@@ -159,6 +163,9 @@ static void cache_shared_cpu_map_remove(unsigned int cpu)
|
||||
|
||||
static void free_cache_attributes(unsigned int cpu)
|
||||
{
|
||||
+ if (!per_cpu_cacheinfo(cpu))
|
||||
+ return;
|
||||
+
|
||||
cache_shared_cpu_map_remove(cpu);
|
||||
|
||||
kfree(per_cpu_cacheinfo(cpu));
|
||||
@@ -514,8 +521,7 @@ static int cacheinfo_cpu_callback(struct notifier_block *nfb,
|
||||
break;
|
||||
case CPU_DEAD:
|
||||
cache_remove_dev(cpu);
|
||||
- if (per_cpu_cacheinfo(cpu))
|
||||
- free_cache_attributes(cpu);
|
||||
+ free_cache_attributes(cpu);
|
||||
break;
|
||||
}
|
||||
return notifier_from_errno(rc);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From 6f501aed6a8ebecbc3a83fbd95d925ef522e0120 Mon Sep 17 00:00:00 2001
|
||||
From: Laura Abbott <labbott@fedoraproject.org>
|
||||
Date: Thu, 1 Oct 2015 14:33:49 -0700
|
||||
Subject: [PATCH] ALSA: hda: Add dock support for ThinkPad T550
|
||||
To: Jaroslav Kysela <perex@perex.cz>
|
||||
To: Takashi Iwai <tiwai@suse.com>
|
||||
Cc: alsa-devel@alsa-project.org
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
|
||||
Much like all the other Lenovo laptops, add a quirk to make
|
||||
sound work with docking.
|
||||
|
||||
Reported-and-tested-by: lacknerflo@gmail.com
|
||||
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
||||
---
|
||||
sound/pci/hda/patch_realtek.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
|
||||
index afec6dc..16b8dcb 100644
|
||||
--- a/sound/pci/hda/patch_realtek.c
|
||||
+++ b/sound/pci/hda/patch_realtek.c
|
||||
@@ -5306,6 +5306,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
|
||||
SND_PCI_QUIRK(0x17aa, 0x2212, "Thinkpad T440", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x2214, "Thinkpad X240", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x2215, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
|
||||
+ SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
|
||||
SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,117 +0,0 @@
|
|||
From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Wed, 30 Sep 2015 12:48:40 -0400
|
||||
Subject: [PATCH] Initialize msg/shm IPC objects before doing ipc_addid()
|
||||
|
||||
As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
|
||||
having initialized the IPC object state. Yes, we initialize the IPC
|
||||
object in a locked state, but with all the lockless RCU lookup work,
|
||||
that IPC object lock no longer means that the state cannot be seen.
|
||||
|
||||
We already did this for the IPC semaphore code (see commit e8577d1f0329:
|
||||
"ipc/sem.c: fully initialize sem_array before making it visible") but we
|
||||
clearly forgot about msg and shm.
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Cc: Manfred Spraul <manfred@colorfullife.com>
|
||||
Cc: Davidlohr Bueso <dbueso@suse.de>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
ipc/msg.c | 14 +++++++-------
|
||||
ipc/shm.c | 13 +++++++------
|
||||
ipc/util.c | 8 ++++----
|
||||
3 files changed, 18 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/ipc/msg.c b/ipc/msg.c
|
||||
index 66c4f567eb73..1471db9a7e61 100644
|
||||
--- a/ipc/msg.c
|
||||
+++ b/ipc/msg.c
|
||||
@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
return retval;
|
||||
}
|
||||
|
||||
- /* ipc_addid() locks msq upon success. */
|
||||
- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
|
||||
- if (id < 0) {
|
||||
- ipc_rcu_putref(msq, msg_rcu_free);
|
||||
- return id;
|
||||
- }
|
||||
-
|
||||
msq->q_stime = msq->q_rtime = 0;
|
||||
msq->q_ctime = get_seconds();
|
||||
msq->q_cbytes = msq->q_qnum = 0;
|
||||
@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
INIT_LIST_HEAD(&msq->q_receivers);
|
||||
INIT_LIST_HEAD(&msq->q_senders);
|
||||
|
||||
+ /* ipc_addid() locks msq upon success. */
|
||||
+ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
|
||||
+ if (id < 0) {
|
||||
+ ipc_rcu_putref(msq, msg_rcu_free);
|
||||
+ return id;
|
||||
+ }
|
||||
+
|
||||
ipc_unlock_object(&msq->q_perm);
|
||||
rcu_read_unlock();
|
||||
|
||||
diff --git a/ipc/shm.c b/ipc/shm.c
|
||||
index 222131e8e38f..41787276e141 100644
|
||||
--- a/ipc/shm.c
|
||||
+++ b/ipc/shm.c
|
||||
@@ -551,12 +551,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
if (IS_ERR(file))
|
||||
goto no_file;
|
||||
|
||||
- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
|
||||
- if (id < 0) {
|
||||
- error = id;
|
||||
- goto no_id;
|
||||
- }
|
||||
-
|
||||
shp->shm_cprid = task_tgid_vnr(current);
|
||||
shp->shm_lprid = 0;
|
||||
shp->shm_atim = shp->shm_dtim = 0;
|
||||
@@ -565,6 +559,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
shp->shm_nattch = 0;
|
||||
shp->shm_file = file;
|
||||
shp->shm_creator = current;
|
||||
+
|
||||
+ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
|
||||
+ if (id < 0) {
|
||||
+ error = id;
|
||||
+ goto no_id;
|
||||
+ }
|
||||
+
|
||||
list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist);
|
||||
|
||||
/*
|
||||
diff --git a/ipc/util.c b/ipc/util.c
|
||||
index be4230020a1f..0f401d94b7c6 100644
|
||||
--- a/ipc/util.c
|
||||
+++ b/ipc/util.c
|
||||
@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
|
||||
rcu_read_lock();
|
||||
spin_lock(&new->lock);
|
||||
|
||||
+ current_euid_egid(&euid, &egid);
|
||||
+ new->cuid = new->uid = euid;
|
||||
+ new->gid = new->cgid = egid;
|
||||
+
|
||||
id = idr_alloc(&ids->ipcs_idr, new,
|
||||
(next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
|
||||
GFP_NOWAIT);
|
||||
@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
|
||||
|
||||
ids->in_use++;
|
||||
|
||||
- current_euid_egid(&euid, &egid);
|
||||
- new->cuid = new->uid = euid;
|
||||
- new->gid = new->cgid = egid;
|
||||
-
|
||||
if (next_id < 0) {
|
||||
new->seq = ids->seq++;
|
||||
if (ids->seq > IPCID_SEQ_MAX)
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,81 +0,0 @@
|
|||
From 10d98bced414c6fc1d09db123e7f762d91b5ebea Mon Sep 17 00:00:00 2001
|
||||
From: Johan Hovold <johan@kernel.org>
|
||||
Date: Wed, 23 Sep 2015 11:41:42 -0700
|
||||
Subject: [PATCH] USB: whiteheat: fix potential null-deref at probe
|
||||
|
||||
Fix potential null-pointer dereference at probe by making sure that the
|
||||
required endpoints are present.
|
||||
|
||||
The whiteheat driver assumes there are at least five pairs of bulk
|
||||
endpoints, of which the final pair is used for the "command port". An
|
||||
attempt to bind to an interface with fewer bulk endpoints would
|
||||
currently lead to an oops.
|
||||
|
||||
Fixes CVE-2015-5257.
|
||||
|
||||
Reported-by: Moein Ghasemzadeh <moein@istuary.com>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Johan Hovold <johan@kernel.org>
|
||||
---
|
||||
drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
|
||||
1 file changed, 31 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
|
||||
index 6c3734d2b45a..d3ea90bef84d 100644
|
||||
--- a/drivers/usb/serial/whiteheat.c
|
||||
+++ b/drivers/usb/serial/whiteheat.c
|
||||
@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
|
||||
static int whiteheat_firmware_attach(struct usb_serial *serial);
|
||||
|
||||
/* function prototypes for the Connect Tech WhiteHEAT serial converter */
|
||||
+static int whiteheat_probe(struct usb_serial *serial,
|
||||
+ const struct usb_device_id *id);
|
||||
static int whiteheat_attach(struct usb_serial *serial);
|
||||
static void whiteheat_release(struct usb_serial *serial);
|
||||
static int whiteheat_port_probe(struct usb_serial_port *port);
|
||||
@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
|
||||
.description = "Connect Tech - WhiteHEAT",
|
||||
.id_table = id_table_std,
|
||||
.num_ports = 4,
|
||||
+ .probe = whiteheat_probe,
|
||||
.attach = whiteheat_attach,
|
||||
.release = whiteheat_release,
|
||||
.port_probe = whiteheat_port_probe,
|
||||
@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
|
||||
/*****************************************************************************
|
||||
* Connect Tech's White Heat serial driver functions
|
||||
*****************************************************************************/
|
||||
+
|
||||
+static int whiteheat_probe(struct usb_serial *serial,
|
||||
+ const struct usb_device_id *id)
|
||||
+{
|
||||
+ struct usb_host_interface *iface_desc;
|
||||
+ struct usb_endpoint_descriptor *endpoint;
|
||||
+ size_t num_bulk_in = 0;
|
||||
+ size_t num_bulk_out = 0;
|
||||
+ size_t min_num_bulk;
|
||||
+ unsigned int i;
|
||||
+
|
||||
+ iface_desc = serial->interface->cur_altsetting;
|
||||
+
|
||||
+ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
|
||||
+ endpoint = &iface_desc->endpoint[i].desc;
|
||||
+ if (usb_endpoint_is_bulk_in(endpoint))
|
||||
+ ++num_bulk_in;
|
||||
+ if (usb_endpoint_is_bulk_out(endpoint))
|
||||
+ ++num_bulk_out;
|
||||
+ }
|
||||
+
|
||||
+ min_num_bulk = COMMAND_PORT + 1;
|
||||
+ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int whiteheat_attach(struct usb_serial *serial)
|
||||
{
|
||||
struct usb_serial_port *command_port;
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
From a08748fb2221ef03d54071e5ddfcc1b0cee6961c Mon Sep 17 00:00:00 2001
|
||||
From: Tejun Heo <tj@kernel.org>
|
||||
Date: Sat, 5 Sep 2015 15:47:36 -0400
|
||||
Subject: [PATCH] block: blkg_destroy_all() should clear q->root_blkg and
|
||||
->root_rl.blkg
|
||||
|
||||
While making the root blkg unconditional, ec13b1d6f0a0 ("blkcg: always
|
||||
create the blkcg_gq for the root blkcg") removed the part which clears
|
||||
q->root_blkg and ->root_rl.blkg during q exit. This leaves the two
|
||||
pointers dangling after blkg_destroy_all(). blk-throttle exit path
|
||||
performs blkg traversals and dereferences ->root_blkg and can lead to
|
||||
the following oops.
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000558
|
||||
IP: [<ffffffff81389746>] __blkg_lookup+0x26/0x70
|
||||
...
|
||||
task: ffff88001b4e2580 ti: ffff88001ac0c000 task.ti: ffff88001ac0c000
|
||||
RIP: 0010:[<ffffffff81389746>] [<ffffffff81389746>] __blkg_lookup+0x26/0x70
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff8138d14a>] blk_throtl_drain+0x5a/0x110
|
||||
[<ffffffff8138a108>] blkcg_drain_queue+0x18/0x20
|
||||
[<ffffffff81369a70>] __blk_drain_queue+0xc0/0x170
|
||||
[<ffffffff8136a101>] blk_queue_bypass_start+0x61/0x80
|
||||
[<ffffffff81388c59>] blkcg_deactivate_policy+0x39/0x100
|
||||
[<ffffffff8138d328>] blk_throtl_exit+0x38/0x50
|
||||
[<ffffffff8138a14e>] blkcg_exit_queue+0x3e/0x50
|
||||
[<ffffffff8137016e>] blk_release_queue+0x1e/0xc0
|
||||
...
|
||||
|
||||
While the bug is a straigh-forward use-after-free bug, it is tricky to
|
||||
reproduce because blkg release is RCU protected and the rest of exit
|
||||
path usually finishes before RCU grace period.
|
||||
|
||||
This patch fixes the bug by updating blkg_destro_all() to clear
|
||||
q->root_blkg and ->root_rl.blkg.
|
||||
|
||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
||||
Reported-by: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Link: http://lkml.kernel.org/g/CA+5PVA5rzQ0s4723n5rHBcxQa9t0cW8BPPBekr_9aMRoWt2aYg@mail.gmail.com
|
||||
Fixes: ec13b1d6f0a0 ("blkcg: always create the blkcg_gq for the root blkcg")
|
||||
Cc: stable@vger.kernel.org # v4.2+
|
||||
---
|
||||
block/blk-cgroup.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
|
||||
index d6283b3f5db5..9cc48d1d7abb 100644
|
||||
--- a/block/blk-cgroup.c
|
||||
+++ b/block/blk-cgroup.c
|
||||
@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q)
|
||||
blkg_destroy(blkg);
|
||||
spin_unlock(&blkcg->lock);
|
||||
}
|
||||
+
|
||||
+ q->root_blkg = NULL;
|
||||
+ q->root_rl.blkg = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
From c0ea161a6e7158281f64bc6d41126da43cb08f14 Mon Sep 17 00:00:00 2001
|
||||
From: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Date: Sat, 15 Aug 2015 13:36:12 -0500
|
||||
Subject: [PATCH 1/2] dcache: Handle escaped paths in prepend_path
|
||||
|
||||
commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
|
||||
|
||||
A rename can result in a dentry that by walking up d_parent
|
||||
will never reach it's mnt_root. For lack of a better term
|
||||
I call this an escaped path.
|
||||
|
||||
prepend_path is called by four different functions __d_path,
|
||||
d_absolute_path, d_path, and getcwd.
|
||||
|
||||
__d_path only wants to see paths are connected to the root it passes
|
||||
in. So __d_path needs prepend_path to return an error.
|
||||
|
||||
d_absolute_path similarly wants to see paths that are connected to
|
||||
some root. Escaped paths are not connected to any mnt_root so
|
||||
d_absolute_path needs prepend_path to return an error greater
|
||||
than 1. So escaped paths will be treated like paths on lazily
|
||||
unmounted mounts.
|
||||
|
||||
getcwd needs to prepend "(unreachable)" so getcwd also needs
|
||||
prepend_path to return an error.
|
||||
|
||||
d_path is the interesting hold out. d_path just wants to print
|
||||
something, and does not care about the weird cases. Which raises
|
||||
the question what should be printed?
|
||||
|
||||
Given that <escaped_path>/<anything> should result in -ENOENT I
|
||||
believe it is desirable for escaped paths to be printed as empty
|
||||
paths. As there are not really any meaninful path components when
|
||||
considered from the perspective of a mount tree.
|
||||
|
||||
So tweak prepend_path to return an empty path with an new error
|
||||
code of 3 when it encounters an escaped path.
|
||||
|
||||
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/dcache.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/fs/dcache.c b/fs/dcache.c
|
||||
index 9b5fe503f6cb..e3b44ca75a1b 100644
|
||||
--- a/fs/dcache.c
|
||||
+++ b/fs/dcache.c
|
||||
@@ -2926,6 +2926,13 @@ restart:
|
||||
|
||||
if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
|
||||
struct mount *parent = ACCESS_ONCE(mnt->mnt_parent);
|
||||
+ /* Escaped? */
|
||||
+ if (dentry != vfsmnt->mnt_root) {
|
||||
+ bptr = *buffer;
|
||||
+ blen = *buflen;
|
||||
+ error = 3;
|
||||
+ break;
|
||||
+ }
|
||||
/* Global root? */
|
||||
if (mnt != parent) {
|
||||
dentry = ACCESS_ONCE(mnt->mnt_mountpoint);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
From 673681cafa99776e334c3e61cafa2cf115950c32 Mon Sep 17 00:00:00 2001
|
||||
From: Nicholas Bellinger <nab@linux-iscsi.org>
|
||||
Date: Tue, 22 Sep 2015 22:32:14 -0700
|
||||
Subject: [PATCH] iscsi-target: Avoid OFMarker + IFMarker negotiation
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch fixes a v4.2+ regression introduced by commit c04a6091
|
||||
that removed support for obsolete sync-and-steering markers usage
|
||||
as originally defined in RFC-3720.
|
||||
|
||||
The regression would involve attempting to send OFMarker=No +
|
||||
IFMarker=No keys during opertional negotiation login phase,
|
||||
including when initiators did not actually propose these keys.
|
||||
|
||||
The result for MSFT iSCSI initiators would be random junk in
|
||||
TCP stream after the last successful login request was been sent
|
||||
signaling the move to full feature phase (FFP) operation.
|
||||
|
||||
To address this bug, go ahead and avoid negotiating these keys
|
||||
by default unless the initiator explicitly proposes them, but
|
||||
still respond to them with 'No' if they are proposed.
|
||||
|
||||
Reported-by: Dragan Milivojević <galileo@pkm-inc.com>
|
||||
Bisected-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm>
|
||||
Tested-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm>
|
||||
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
||||
---
|
||||
drivers/target/iscsi/iscsi_target_parameters.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
index e8a52f7..51d1734 100644
|
||||
--- a/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
@@ -407,6 +407,7 @@ int iscsi_create_default_params(struct iscsi_param_list **param_list_ptr)
|
||||
TYPERANGE_UTF8, USE_INITIAL_ONLY);
|
||||
if (!param)
|
||||
goto out;
|
||||
+
|
||||
/*
|
||||
* Extra parameters for ISER from RFC-5046
|
||||
*/
|
||||
@@ -496,9 +497,9 @@ int iscsi_set_keys_to_negotiate(
|
||||
} else if (!strcmp(param->name, SESSIONTYPE)) {
|
||||
SET_PSTATE_NEGOTIATE(param);
|
||||
} else if (!strcmp(param->name, IFMARKER)) {
|
||||
- SET_PSTATE_NEGOTIATE(param);
|
||||
+ SET_PSTATE_REJECT(param);
|
||||
} else if (!strcmp(param->name, OFMARKER)) {
|
||||
- SET_PSTATE_NEGOTIATE(param);
|
||||
+ SET_PSTATE_REJECT(param);
|
||||
} else if (!strcmp(param->name, IFMARKINT)) {
|
||||
SET_PSTATE_REJECT(param);
|
||||
} else if (!strcmp(param->name, OFMARKINT)) {
|
||||
--
|
||||
2.4.3
|
||||
|
49
kernel.spec
49
kernel.spec
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 3
|
||||
%define stable_update 4
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -616,37 +616,15 @@ Patch515: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
|
|||
Patch517: vmwgfx-Rework-device-initialization.patch
|
||||
Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
|
||||
|
||||
#rhbz 1237136
|
||||
Patch522: block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch
|
||||
|
||||
#CVE-2015-6937 rhbz 1263139 1263140
|
||||
Patch523: RDS-verify-the-underlying-transport-exists-before-cr.patch
|
||||
|
||||
#rhbz 1263762
|
||||
Patch526: 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch
|
||||
|
||||
#CVE-2015-5257 rhbz 1265607 1265612
|
||||
Patch527: USB-whiteheat-fix-potential-null-deref-at-probe.patch
|
||||
|
||||
#CVE-2015-2925 rhbz 1209367 1209373
|
||||
Patch528: dcache-Handle-escaped-paths-in-prepend_path.patch
|
||||
Patch529: vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
|
||||
|
||||
#CVE-2015-7613 rhbz 1268270 1268273
|
||||
Patch532: Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
||||
|
||||
Patch533: net-inet-fix-race-in-reqsk_queue_unlink.patch
|
||||
|
||||
#rhbz 1265978
|
||||
Patch536: si2168-Bounds-check-firmware.patch
|
||||
Patch537: si2157-Bounds-check-firmware.patch
|
||||
|
||||
#rhbz 1268037
|
||||
Patch538: ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
|
||||
|
||||
#rhbz 1271812
|
||||
Patch539: iscsi-target-Avoid-OFMarker-IFMarker-negotiation.patch
|
||||
|
||||
#rhbz 1272172
|
||||
Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
|
||||
Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
|
||||
|
@ -1384,39 +1362,17 @@ ApplyPatch nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
|
|||
ApplyPatch vmwgfx-Rework-device-initialization.patch
|
||||
ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
|
||||
|
||||
#rhbz 1237136
|
||||
ApplyPatch block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch
|
||||
|
||||
#CVE-2015-6937 rhbz 1263139 1263140
|
||||
ApplyPatch RDS-verify-the-underlying-transport-exists-before-cr.patch
|
||||
|
||||
#rhbz 1263762
|
||||
ApplyPatch 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch
|
||||
|
||||
#CVE-2015-5257 rhbz 1265607 1265612
|
||||
ApplyPatch USB-whiteheat-fix-potential-null-deref-at-probe.patch
|
||||
|
||||
ApplyPatch regulator-axp20x-module-alias.patch
|
||||
|
||||
#CVE-2015-2925 rhbz 1209367 1209373
|
||||
ApplyPatch dcache-Handle-escaped-paths-in-prepend_path.patch
|
||||
ApplyPatch vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
|
||||
|
||||
#CVE-2015-7613 rhbz 1268270 1268273
|
||||
ApplyPatch Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
||||
|
||||
ApplyPatch net-inet-fix-race-in-reqsk_queue_unlink.patch
|
||||
|
||||
#rhbz 1265978
|
||||
ApplyPatch si2168-Bounds-check-firmware.patch
|
||||
ApplyPatch si2157-Bounds-check-firmware.patch
|
||||
|
||||
#rhbz 1268037
|
||||
ApplyPatch ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
|
||||
|
||||
#rhbz 1271812
|
||||
ApplyPatch iscsi-target-Avoid-OFMarker-IFMarker-negotiation.patch
|
||||
|
||||
#rhbz 1272172
|
||||
ApplyPatch 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
|
||||
ApplyPatch 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
|
||||
|
@ -2271,6 +2227,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Fri Oct 23 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 4.2.4-200
|
||||
- Linux v4.2.4 (rhbz 1272645)
|
||||
|
||||
* Tue Oct 20 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Enable IEEE802154_ATUSB (rhbz 1272935)
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
3d5ea06d767e2f35c999eeadafc76523 linux-4.2.tar.xz
|
||||
4c964bfba54d65b5b54cc898baddecad perf-man-4.2.tar.gz
|
||||
6a7355d968116129c19dc053fb2d557a patch-4.2.3.xz
|
||||
1289fdb357a552edc672208ce729d9c6 patch-4.2.4.xz
|
||||
|
|
|
@ -1,110 +0,0 @@
|
|||
From 14588dfe2e411056df5ba85ef88ad51730a2fa0a Mon Sep 17 00:00:00 2001
|
||||
From: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Date: Sat, 15 Aug 2015 20:27:13 -0500
|
||||
Subject: [PATCH 2/2] vfs: Test for and handle paths that are unreachable from
|
||||
their mnt_root
|
||||
|
||||
commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream.
|
||||
|
||||
In rare cases a directory can be renamed out from under a bind mount.
|
||||
In those cases without special handling it becomes possible to walk up
|
||||
the directory tree to the root dentry of the filesystem and down
|
||||
from the root dentry to every other file or directory on the filesystem.
|
||||
|
||||
Like division by zero .. from an unconnected path can not be given
|
||||
a useful semantic as there is no predicting at which path component
|
||||
the code will realize it is unconnected. We certainly can not match
|
||||
the current behavior as the current behavior is a security hole.
|
||||
|
||||
Therefore when encounting .. when following an unconnected path
|
||||
return -ENOENT.
|
||||
|
||||
- Add a function path_connected to verify path->dentry is reachable
|
||||
from path->mnt.mnt_root. AKA to validate that rename did not do
|
||||
something nasty to the bind mount.
|
||||
|
||||
To avoid races path_connected must be called after following a path
|
||||
component to it's next path component.
|
||||
|
||||
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/namei.c | 27 +++++++++++++++++++++++++--
|
||||
1 file changed, 25 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/namei.c b/fs/namei.c
|
||||
index 1c2105ed20c5..29b927938b8c 100644
|
||||
--- a/fs/namei.c
|
||||
+++ b/fs/namei.c
|
||||
@@ -560,6 +560,24 @@ static int __nd_alloc_stack(struct nameidata *nd)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/**
|
||||
+ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
|
||||
+ * @path: nameidate to verify
|
||||
+ *
|
||||
+ * Rename can sometimes move a file or directory outside of a bind
|
||||
+ * mount, path_connected allows those cases to be detected.
|
||||
+ */
|
||||
+static bool path_connected(const struct path *path)
|
||||
+{
|
||||
+ struct vfsmount *mnt = path->mnt;
|
||||
+
|
||||
+ /* Only bind mounts can have disconnected paths */
|
||||
+ if (mnt->mnt_root == mnt->mnt_sb->s_root)
|
||||
+ return true;
|
||||
+
|
||||
+ return is_subdir(path->dentry, mnt->mnt_root);
|
||||
+}
|
||||
+
|
||||
static inline int nd_alloc_stack(struct nameidata *nd)
|
||||
{
|
||||
if (likely(nd->depth != EMBEDDED_LEVELS))
|
||||
@@ -1296,6 +1314,8 @@ static int follow_dotdot_rcu(struct nameidata *nd)
|
||||
return -ECHILD;
|
||||
nd->path.dentry = parent;
|
||||
nd->seq = seq;
|
||||
+ if (unlikely(!path_connected(&nd->path)))
|
||||
+ return -ENOENT;
|
||||
break;
|
||||
} else {
|
||||
struct mount *mnt = real_mount(nd->path.mnt);
|
||||
@@ -1396,7 +1416,7 @@ static void follow_mount(struct path *path)
|
||||
}
|
||||
}
|
||||
|
||||
-static void follow_dotdot(struct nameidata *nd)
|
||||
+static int follow_dotdot(struct nameidata *nd)
|
||||
{
|
||||
if (!nd->root.mnt)
|
||||
set_root(nd);
|
||||
@@ -1412,6 +1432,8 @@ static void follow_dotdot(struct nameidata *nd)
|
||||
/* rare case of legitimate dget_parent()... */
|
||||
nd->path.dentry = dget_parent(nd->path.dentry);
|
||||
dput(old);
|
||||
+ if (unlikely(!path_connected(&nd->path)))
|
||||
+ return -ENOENT;
|
||||
break;
|
||||
}
|
||||
if (!follow_up(&nd->path))
|
||||
@@ -1419,6 +1441,7 @@ static void follow_dotdot(struct nameidata *nd)
|
||||
}
|
||||
follow_mount(&nd->path);
|
||||
nd->inode = nd->path.dentry->d_inode;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1634,7 +1657,7 @@ static inline int handle_dots(struct nameidata *nd, int type)
|
||||
if (nd->flags & LOOKUP_RCU) {
|
||||
return follow_dotdot_rcu(nd);
|
||||
} else
|
||||
- follow_dotdot(nd);
|
||||
+ return follow_dotdot(nd);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.4.3
|
||||
|
Loading…
Reference in New Issue