Merge branch 'f23' of ssh://pkgs.fedoraproject.org/kernel into f23-pf - 4.3.3-303
commit
06bc18e2d3
|
@ -0,0 +1,119 @@
|
|||
From 259072b7a1c20f8612dcaa8e0e027004aa98f864 Mon Sep 17 00:00:00 2001
|
||||
From: Filipe Manana <fdmanana@suse.com>
|
||||
Date: Wed, 6 Jan 2016 22:42:35 +0000
|
||||
Subject: [PATCH 2/2] Btrfs: fix fitrim discarding device area reserved for
|
||||
boot loader's use
|
||||
|
||||
As of the 4.3 kernel release, the fitrim ioctl can now discard any region
|
||||
of a disk that is not allocated to any chunk/block group, including the
|
||||
first megabyte which is used for our primary superblock and by the boot
|
||||
loader (grub for example).
|
||||
|
||||
Fix this by not allowing to trim/discard any region in the device starting
|
||||
with an offset not greater than min(alloc_start_mount_option, 1Mb), just
|
||||
as it was not possible before 4.3.
|
||||
|
||||
A reproducer test case for xfstests follows.
|
||||
|
||||
seq=`basename $0`
|
||||
seqres=$RESULT_DIR/$seq
|
||||
echo "QA output created by $seq"
|
||||
tmp=/tmp/$$
|
||||
status=1 # failure is the default!
|
||||
trap "_cleanup; exit \$status" 0 1 2 3 15
|
||||
|
||||
_cleanup()
|
||||
{
|
||||
cd /
|
||||
rm -f $tmp.*
|
||||
}
|
||||
|
||||
# get standard environment, filters and checks
|
||||
. ./common/rc
|
||||
. ./common/filter
|
||||
|
||||
# real QA test starts here
|
||||
_need_to_be_root
|
||||
_supported_fs btrfs
|
||||
_supported_os Linux
|
||||
_require_scratch
|
||||
|
||||
rm -f $seqres.full
|
||||
|
||||
_scratch_mkfs >>$seqres.full 2>&1
|
||||
|
||||
# Write to the [0, 64Kb[ and [68Kb, 1Mb[ ranges of the device. These ranges are
|
||||
# reserved for a boot loader to use (GRUB for example) and btrfs should never
|
||||
# use them - neither for allocating metadata/data nor should trim/discard them.
|
||||
# The range [64Kb, 68Kb[ is used for the primary superblock of the filesystem.
|
||||
$XFS_IO_PROG -c "pwrite -S 0xfd 0 64K" $SCRATCH_DEV | _filter_xfs_io
|
||||
$XFS_IO_PROG -c "pwrite -S 0xfd 68K 956K" $SCRATCH_DEV | _filter_xfs_io
|
||||
|
||||
# Now mount the filesystem and perform a fitrim against it.
|
||||
_scratch_mount
|
||||
_require_batched_discard $SCRATCH_MNT
|
||||
$FSTRIM_PROG $SCRATCH_MNT
|
||||
|
||||
# Now unmount the filesystem and verify the content of the ranges was not
|
||||
# modified (no trim/discard happened on them).
|
||||
_scratch_unmount
|
||||
echo "Content of the ranges [0, 64Kb] and [68Kb, 1Mb[ after fitrim:"
|
||||
od -t x1 -N $((64 * 1024)) $SCRATCH_DEV
|
||||
od -t x1 -j $((68 * 1024)) -N $((956 * 1024)) $SCRATCH_DEV
|
||||
|
||||
status=0
|
||||
exit
|
||||
|
||||
Reported-by: Vincent Petry <PVince81@yahoo.fr>
|
||||
Reported-by: Andrei Borzenkov <arvidjaar@gmail.com>
|
||||
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109341
|
||||
Fixes: 499f377f49f0 (btrfs: iterate over unused chunk space in FITRIM)
|
||||
Cc: stable@vger.kernel.org # 4.3+
|
||||
Signed-off-by: Filipe Manana <fdmanana@suse.com>
|
||||
---
|
||||
fs/btrfs/volumes.c | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
|
||||
index b816b3a2e118..96f8c827d563 100644
|
||||
--- a/fs/btrfs/volumes.c
|
||||
+++ b/fs/btrfs/volumes.c
|
||||
@@ -1208,6 +1208,15 @@ int find_free_dev_extent_start(struct btrfs_transaction *transaction,
|
||||
int ret;
|
||||
int slot;
|
||||
struct extent_buffer *l;
|
||||
+ u64 min_search_start;
|
||||
+
|
||||
+ /*
|
||||
+ * We don't want to overwrite the superblock on the drive nor any area
|
||||
+ * used by the boot loader (grub for example), so we make sure to start
|
||||
+ * at an offset of at least 1MB.
|
||||
+ */
|
||||
+ min_search_start = max(root->fs_info->alloc_start, 1024ull * 1024);
|
||||
+ search_start = max(search_start, min_search_start);
|
||||
|
||||
path = btrfs_alloc_path();
|
||||
if (!path)
|
||||
@@ -1348,18 +1357,9 @@ int find_free_dev_extent(struct btrfs_trans_handle *trans,
|
||||
struct btrfs_device *device, u64 num_bytes,
|
||||
u64 *start, u64 *len)
|
||||
{
|
||||
- struct btrfs_root *root = device->dev_root;
|
||||
- u64 search_start;
|
||||
-
|
||||
/* FIXME use last free of some kind */
|
||||
-
|
||||
- /*
|
||||
- * we don't want to overwrite the superblock on the drive,
|
||||
- * so we make sure to start at an offset of at least 1MB
|
||||
- */
|
||||
- search_start = max(root->fs_info->alloc_start, 1024ull * 1024);
|
||||
return find_free_dev_extent_start(trans->transaction, device,
|
||||
- num_bytes, search_start, start, len);
|
||||
+ num_bytes, 0, start, len);
|
||||
}
|
||||
|
||||
static int btrfs_free_dev_extent(struct btrfs_trans_handle *trans,
|
||||
--
|
||||
2.5.0
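Review bot: The call in `find_free_dev_extent()` now passes a bare `0` as the search start, and nothing at that call site says the lower bound is enforced inside `find_free_dev_extent_start()`. A short comment there would keep a later reader from treating 0 as a usable device offset, for example `/* 0 = no caller minimum; callee clamps to max(alloc_start, 1MB) */`. Per the commit description the trim path also goes through the callee, so the clamp added in the first hunk is what keeps both users out of the superblock and boot-loader area; the callee's header comment (outside the hunk) should say that `search_start` is raised to that minimum. Both function bodies continue outside the hunks shown.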
|
||||
|
|
@ -0,0 +1,78 @@
|
|||
From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 18 Jan 2016 10:53:31 +0000
|
||||
Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring()
|
||||
|
||||
This fixes CVE-2016-0728.
|
||||
|
||||
If a thread is asked to join as a session keyring the keyring that's already
|
||||
set as its session, we leak a keyring reference.
|
||||
|
||||
This can be tested with the following program:
|
||||
|
||||
#include <stddef.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <keyutils.h>
|
||||
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
int i = 0;
|
||||
key_serial_t serial;
|
||||
|
||||
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
|
||||
"leaked-keyring");
|
||||
if (serial < 0) {
|
||||
perror("keyctl");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (keyctl(KEYCTL_SETPERM, serial,
|
||||
KEY_POS_ALL | KEY_USR_ALL) < 0) {
|
||||
perror("keyctl");
|
||||
return -1;
|
||||
}
|
||||
|
||||
for (i = 0; i < 100; i++) {
|
||||
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
|
||||
"leaked-keyring");
|
||||
if (serial < 0) {
|
||||
perror("keyctl");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
If, after the program has run, there something like the following line in
|
||||
/proc/keys:
|
||||
|
||||
3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
|
||||
|
||||
with a usage count of 100 * the number of times the program has been run,
|
||||
then the kernel is malfunctioning. If leaked-keyring has zero usages or
|
||||
has been garbage collected, then the problem is fixed.
|
||||
|
||||
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
RH-bugzilla: 1298036
|
||||
---
|
||||
security/keys/process_keys.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
|
||||
index 43b4cddbf2b3..7877e5cd4e23 100644
|
||||
--- a/security/keys/process_keys.c
|
||||
+++ b/security/keys/process_keys.c
|
||||
@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
|
||||
ret = PTR_ERR(keyring);
|
||||
goto error2;
|
||||
} else if (keyring == new->session_keyring) {
|
||||
+ key_put(keyring);
|
||||
ret = 0;
|
||||
goto error2;
|
||||
}
|
||||
--
|
||||
2.5.0
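Review bot: The added `key_put(keyring);` in the `keyring == new->session_keyring` branch has no comment saying which reference it drops, and the lookup that took that reference is outside the hunk. A line such as `/* already our session keyring: drop the ref the lookup took */` above the call would keep the get/put pairing visible if the branch is edited again. The branch still leaves through `error2` with `ret = 0`; what that label releases cannot be confirmed from these lines and is worth checking, because a second put on `keyring` there would turn the leak into an over-release.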
|
||||
|
|
@ -0,0 +1,119 @@
|
|||
From afa5b65015ff2a7f0b4ec8cab6f58fa47025259a Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 22 Jan 2016 08:11:46 -0500
|
||||
Subject: [PATCH] PNP: Add Haswell-ULT to Intel MCH size workaround
|
||||
|
||||
Add device ID 0x0a04 for Haswell-ULT to the list of devices with MCH
|
||||
problems.
|
||||
|
||||
From a Lenovo ThinkPad T440S:
|
||||
[ 0.188604] pnp: PnP ACPI init
|
||||
[ 0.189044] system 00:00: [mem 0x00000000-0x0009ffff] could not be reserved
|
||||
[ 0.189048] system 00:00: [mem 0x000c0000-0x000c3fff] could not be reserved
|
||||
[ 0.189050] system 00:00: [mem 0x000c4000-0x000c7fff] could not be reserved
|
||||
[ 0.189052] system 00:00: [mem 0x000c8000-0x000cbfff] could not be reserved
|
||||
[ 0.189054] system 00:00: [mem 0x000cc000-0x000cffff] could not be reserved
|
||||
[ 0.189056] system 00:00: [mem 0x000d0000-0x000d3fff] has been reserved
|
||||
[ 0.189058] system 00:00: [mem 0x000d4000-0x000d7fff] has been reserved
|
||||
[ 0.189060] system 00:00: [mem 0x000d8000-0x000dbfff] has been reserved
|
||||
[ 0.189061] system 00:00: [mem 0x000dc000-0x000dffff] has been reserved
|
||||
[ 0.189063] system 00:00: [mem 0x000e0000-0x000e3fff] could not be reserved
|
||||
[ 0.189065] system 00:00: [mem 0x000e4000-0x000e7fff] could not be reserved
|
||||
[ 0.189067] system 00:00: [mem 0x000e8000-0x000ebfff] could not be reserved
|
||||
[ 0.189069] system 00:00: [mem 0x000ec000-0x000effff] could not be reserved
|
||||
[ 0.189071] system 00:00: [mem 0x000f0000-0x000fffff] could not be reserved
|
||||
[ 0.189073] system 00:00: [mem 0x00100000-0xdf9fffff] could not be reserved
|
||||
[ 0.189075] system 00:00: [mem 0xfec00000-0xfed3ffff] could not be reserved
|
||||
[ 0.189078] system 00:00: [mem 0xfed4c000-0xffffffff] could not be reserved
|
||||
[ 0.189082] system 00:00: Plug and Play ACPI device, IDs PNP0c01 (active)
|
||||
[ 0.189216] system 00:01: [io 0x1800-0x189f] could not be reserved
|
||||
[ 0.189220] system 00:01: [io 0x0800-0x087f] has been reserved
|
||||
[ 0.189222] system 00:01: [io 0x0880-0x08ff] has been reserved
|
||||
[ 0.189224] system 00:01: [io 0x0900-0x097f] has been reserved
|
||||
[ 0.189226] system 00:01: [io 0x0980-0x09ff] has been reserved
|
||||
[ 0.189229] system 00:01: [io 0x0a00-0x0a7f] has been reserved
|
||||
[ 0.189231] system 00:01: [io 0x0a80-0x0aff] has been reserved
|
||||
[ 0.189233] system 00:01: [io 0x0b00-0x0b7f] has been reserved
|
||||
[ 0.189235] system 00:01: [io 0x0b80-0x0bff] has been reserved
|
||||
[ 0.189238] system 00:01: [io 0x15e0-0x15ef] has been reserved
|
||||
[ 0.189240] system 00:01: [io 0x1600-0x167f] has been reserved
|
||||
[ 0.189242] system 00:01: [io 0x1640-0x165f] has been reserved
|
||||
[ 0.189246] system 00:01: [mem 0xf8000000-0xfbffffff] could not be reserved
|
||||
[ 0.189249] system 00:01: [mem 0x00000000-0x00000fff] could not be reserved
|
||||
[ 0.189251] system 00:01: [mem 0xfed1c000-0xfed1ffff] has been reserved
|
||||
[ 0.189254] system 00:01: [mem 0xfed10000-0xfed13fff] has been reserved
|
||||
[ 0.189256] system 00:01: [mem 0xfed18000-0xfed18fff] has been reserved
|
||||
[ 0.189258] system 00:01: [mem 0xfed19000-0xfed19fff] has been reserved
|
||||
[ 0.189261] system 00:01: [mem 0xfed45000-0xfed4bfff] has been reserved
|
||||
[ 0.189264] system 00:01: Plug and Play ACPI device, IDs PNP0c02 (active)
|
||||
[....]
|
||||
[ 0.583653] resource sanity check: requesting [mem 0xfed10000-0xfed15fff], which spans more than pnp 00:01 [mem 0xfed10000-0xfed13fff]
|
||||
[ 0.583654] ------------[ cut here ]------------
|
||||
[ 0.583660] WARNING: CPU: 0 PID: 1 at arch/x86/mm/ioremap.c:198 __ioremap_caller+0x2c5/0x380()
|
||||
[ 0.583661] Info: mapping multiple BARs. Your kernel is fine.
|
||||
[ 0.583662] Modules linked in:
|
||||
|
||||
[ 0.583666] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.3.3-303.fc23.x86_64 #1
|
||||
[ 0.583668] Hardware name: LENOVO 20AR001GXS/20AR001GXS, BIOS GJET86WW (2.36 ) 12/04/2015
|
||||
[ 0.583670] 0000000000000000 0000000014cf7e59 ffff880214a1baf8 ffffffff813a625f
|
||||
[ 0.583673] ffff880214a1bb40 ffff880214a1bb30 ffffffff810a07c2 00000000fed10000
|
||||
[ 0.583675] ffffc90000cb8000 0000000000006000 0000000000000000 ffff8800d6381040
|
||||
[ 0.583678] Call Trace:
|
||||
[ 0.583683] [<ffffffff813a625f>] dump_stack+0x44/0x55
|
||||
[ 0.583686] [<ffffffff810a07c2>] warn_slowpath_common+0x82/0xc0
|
||||
[ 0.583688] [<ffffffff810a085c>] warn_slowpath_fmt+0x5c/0x80
|
||||
[ 0.583692] [<ffffffff810a6fba>] ? iomem_map_sanity_check+0xba/0xd0
|
||||
[ 0.583695] [<ffffffff81065835>] __ioremap_caller+0x2c5/0x380
|
||||
[ 0.583698] [<ffffffff81065907>] ioremap_nocache+0x17/0x20
|
||||
[ 0.583701] [<ffffffff8103a119>] snb_uncore_imc_init_box+0x79/0xb0
|
||||
[ 0.583705] [<ffffffff81038900>] uncore_pci_probe+0xd0/0x1b0
|
||||
[ 0.583707] [<ffffffff813efda5>] local_pci_probe+0x45/0xa0
|
||||
[ 0.583710] [<ffffffff813f118d>] pci_device_probe+0xfd/0x140
|
||||
[ 0.583713] [<ffffffff814d9b52>] driver_probe_device+0x222/0x480
|
||||
[ 0.583715] [<ffffffff814d9e34>] __driver_attach+0x84/0x90
|
||||
[ 0.583717] [<ffffffff814d9db0>] ? driver_probe_device+0x480/0x480
|
||||
[ 0.583720] [<ffffffff814d762c>] bus_for_each_dev+0x6c/0xc0
|
||||
[ 0.583722] [<ffffffff814d930e>] driver_attach+0x1e/0x20
|
||||
[ 0.583724] [<ffffffff814d8e4b>] bus_add_driver+0x1eb/0x280
|
||||
[ 0.583727] [<ffffffff81d6af1a>] ? uncore_cpu_setup+0x12/0x12
|
||||
[ 0.583729] [<ffffffff814da680>] driver_register+0x60/0xe0
|
||||
[ 0.583733] [<ffffffff813ef78c>] __pci_register_driver+0x4c/0x50
|
||||
[ 0.583736] [<ffffffff81d6affc>] intel_uncore_init+0xe2/0x2e6
|
||||
[ 0.583738] [<ffffffff81d6af1a>] ? uncore_cpu_setup+0x12/0x12
|
||||
[ 0.583741] [<ffffffff81002123>] do_one_initcall+0xb3/0x200
|
||||
[ 0.583745] [<ffffffff810be500>] ? parse_args+0x1a0/0x4a0
|
||||
[ 0.583749] [<ffffffff81d5c1c8>] kernel_init_freeable+0x189/0x223
|
||||
[ 0.583752] [<ffffffff81775c40>] ? rest_init+0x80/0x80
|
||||
[ 0.583754] [<ffffffff81775c4e>] kernel_init+0xe/0xe0
|
||||
[ 0.583758] [<ffffffff81781adf>] ret_from_fork+0x3f/0x70
|
||||
[ 0.583760] [<ffffffff81775c40>] ? rest_init+0x80/0x80
|
||||
[ 0.583765] ---[ end trace 077c426a39e018aa ]---
|
||||
|
||||
00:00.0 Host bridge [0600]: Intel Corporation Haswell-ULT DRAM Controller [8086:0a04] (rev 0b)
|
||||
Subsystem: Lenovo Device [17aa:220c]
|
||||
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
|
||||
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR- <PERR- INTx-
|
||||
Latency: 0
|
||||
Capabilities: <access denied>
|
||||
Kernel driver in use: hsw_uncore
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/pnp/quirks.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/pnp/quirks.c b/drivers/pnp/quirks.c
|
||||
index f700723ca5d6..d28e3ab9479c 100644
|
||||
--- a/drivers/pnp/quirks.c
|
||||
+++ b/drivers/pnp/quirks.c
|
||||
@@ -342,6 +342,7 @@ static void quirk_amd_mmconfig_area(struct pnp_dev *dev)
|
||||
/* Device IDs of parts that have 32KB MCH space */
|
||||
static const unsigned int mch_quirk_devices[] = {
|
||||
0x0154, /* Ivy Bridge */
|
||||
+ 0x0a04, /* Haswell-ULT */
|
||||
0x0c00, /* Haswell */
|
||||
0x1604, /* Broadwell */
|
||||
};
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,140 @@
|
|||
From 4abc12dd59bed74aa1730c2b3129d1750604d530 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Stern <stern@rowland.harvard.edu>
|
||||
Date: Mon, 3 Aug 2015 11:57:29 -0400
|
||||
Subject: [PATCH 2/2] SCSI: fix bug in scsi_dev_info_list matching
|
||||
|
||||
The "compatible" matching algorithm used for looking up old-style
|
||||
blacklist entries in a scsi_dev_info_list is buggy. The core of the
|
||||
algorithm looks like this:
|
||||
|
||||
if (memcmp(devinfo->vendor, vendor,
|
||||
min(max, strlen(devinfo->vendor))))
|
||||
/* not a match */
|
||||
|
||||
where max is the length of the device's vendor string after leading
|
||||
spaces have been removed but trailing spaces have not. Because of the
|
||||
min() computation, either entry could be a proper substring of the
|
||||
other and the code would still think that they match.
|
||||
|
||||
In the case originally reported, the device's vendor and product
|
||||
strings were "Inateck " and " ". These matched against
|
||||
the following entry in the global device list:
|
||||
|
||||
{"", "Scanner", "1.80", BLIST_NOLUN}
|
||||
|
||||
because "" is a substring of "Inateck " and "" (the result of removing
|
||||
leading spaces from the device's product string) is a substring of
|
||||
"Scanner". The mistaken match prevented the system from scanning and
|
||||
finding the device's second Logical Unit.
|
||||
|
||||
This patch fixes the problem by making two changes. First, the code
|
||||
for leading-space removal is hoisted out of the loop. (This means it
|
||||
will sometimes run unnecessarily, but since a large percentage of all
|
||||
lookups involve the "compatible" entries in global device list, this
|
||||
should be an overall improvement.) Second and more importantly, the
|
||||
patch removes trailing spaces and adds a check to verify that the two
|
||||
resulting strings are exactly the same length. This prevents matches
|
||||
where one entry is a proper substring of the other.
|
||||
|
||||
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
|
||||
Reported-by: Giulio Bernardi <ugilio@gmail.com>
|
||||
Tested-by: Giulio Bernardi <ugilio@gmail.com>
|
||||
Signed-off-by: James Bottomley <JBottomley@Odin.com>
|
||||
---
|
||||
drivers/scsi/scsi_devinfo.c | 69 +++++++++++++++++++++++----------------------
|
||||
1 file changed, 35 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
|
||||
index 2f49a224462d..2c1160c7ec92 100644
|
||||
--- a/drivers/scsi/scsi_devinfo.c
|
||||
+++ b/drivers/scsi/scsi_devinfo.c
|
||||
@@ -407,51 +407,52 @@ static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor,
|
||||
struct scsi_dev_info_list *devinfo;
|
||||
struct scsi_dev_info_list_table *devinfo_table =
|
||||
scsi_devinfo_lookup_by_key(key);
|
||||
+ size_t vmax, mmax;
|
||||
+ const char *vskip, *mskip;
|
||||
|
||||
if (IS_ERR(devinfo_table))
|
||||
return (struct scsi_dev_info_list *) devinfo_table;
|
||||
|
||||
+ /* Prepare for "compatible" matches */
|
||||
+
|
||||
+ /*
|
||||
+ * XXX why skip leading spaces? If an odd INQUIRY
|
||||
+ * value, that should have been part of the
|
||||
+ * scsi_static_device_list[] entry, such as " FOO"
|
||||
+ * rather than "FOO". Since this code is already
|
||||
+ * here, and we don't know what device it is
|
||||
+ * trying to work with, leave it as-is.
|
||||
+ */
|
||||
+ vmax = 8; /* max length of vendor */
|
||||
+ vskip = vendor;
|
||||
+ while (vmax > 0 && *vskip == ' ') {
|
||||
+ vmax--;
|
||||
+ vskip++;
|
||||
+ }
|
||||
+ /* Also skip trailing spaces */
|
||||
+ while (vmax > 0 && vskip[vmax - 1] == ' ')
|
||||
+ --vmax;
|
||||
+
|
||||
+ mmax = 16; /* max length of model */
|
||||
+ mskip = model;
|
||||
+ while (mmax > 0 && *mskip == ' ') {
|
||||
+ mmax--;
|
||||
+ mskip++;
|
||||
+ }
|
||||
+ while (mmax > 0 && mskip[mmax - 1] == ' ')
|
||||
+ --mmax;
|
||||
+
|
||||
list_for_each_entry(devinfo, &devinfo_table->scsi_dev_info_list,
|
||||
dev_info_list) {
|
||||
if (devinfo->compatible) {
|
||||
/*
|
||||
* Behave like the older version of get_device_flags.
|
||||
*/
|
||||
- size_t max;
|
||||
- /*
|
||||
- * XXX why skip leading spaces? If an odd INQUIRY
|
||||
- * value, that should have been part of the
|
||||
- * scsi_static_device_list[] entry, such as " FOO"
|
||||
- * rather than "FOO". Since this code is already
|
||||
- * here, and we don't know what device it is
|
||||
- * trying to work with, leave it as-is.
|
||||
- */
|
||||
- max = 8; /* max length of vendor */
|
||||
- while ((max > 0) && *vendor == ' ') {
|
||||
- max--;
|
||||
- vendor++;
|
||||
- }
|
||||
- /*
|
||||
- * XXX removing the following strlen() would be
|
||||
- * good, using it means that for a an entry not in
|
||||
- * the list, we scan every byte of every vendor
|
||||
- * listed in scsi_static_device_list[], and never match
|
||||
- * a single one (and still have to compare at
|
||||
- * least the first byte of each vendor).
|
||||
- */
|
||||
- if (memcmp(devinfo->vendor, vendor,
|
||||
- min(max, strlen(devinfo->vendor))))
|
||||
+ if (memcmp(devinfo->vendor, vskip, vmax) ||
|
||||
+ devinfo->vendor[vmax])
|
||||
continue;
|
||||
- /*
|
||||
- * Skip spaces again.
|
||||
- */
|
||||
- max = 16; /* max length of model */
|
||||
- while ((max > 0) && *model == ' ') {
|
||||
- max--;
|
||||
- model++;
|
||||
- }
|
||||
- if (memcmp(devinfo->model, model,
|
||||
- min(max, strlen(devinfo->model))))
|
||||
+ if (memcmp(devinfo->model, mskip, mmax) ||
|
||||
+ devinfo->model[mmax])
|
||||
continue;
|
||||
return devinfo;
|
||||
} else {
|
||||
--
|
||||
2.5.0
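Review bot: The new terminator test `devinfo->vendor[vmax]` indexes one past the field when no spaces were trimmed: `vmax` can stay at 8 and `mmax` at 16, the stated maximum lengths, so a full-length vendor or model string makes the check read the byte after the array. This assumes the list-entry fields are fixed arrays of 8 and 16 bytes, which the struct definition (not part of this patch) would confirm. Guard the index with `(vmax < sizeof(devinfo->vendor) && devinfo->vendor[vmax])`, and likewise `(mmax < sizeof(devinfo->model) && devinfo->model[mmax])`. `scsi_dev_info_list_find()` starts and ends outside the hunk.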
|
||||
|
|
@ -0,0 +1,183 @@
|
|||
From 26d61e8347b27a981d647d3ea4ec8c7f462c1fcf Mon Sep 17 00:00:00 2001
|
||||
From: Alan Stern <stern@rowland.harvard.edu>
|
||||
Date: Mon, 3 Aug 2015 11:57:21 -0400
|
||||
Subject: [PATCH 1/2] SCSI: refactor device-matching code in scsi_devinfo.c
|
||||
|
||||
In drivers/scsi/scsi_devinfo.c, the scsi_dev_info_list_del_keyed() and
|
||||
scsi_get_device_flags_keyed() routines contain a large amount of
|
||||
duplicate code for finding vendor/product matches in a
|
||||
scsi_dev_info_list. This patch factors out the duplicate code and
|
||||
puts it in a separate function, scsi_dev_info_list_find().
|
||||
|
||||
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
|
||||
Suggested-by: Giulio Bernardi <ugilio@gmail.com>
|
||||
Signed-off-by: James Bottomley <JBottomley@Odin.com>
|
||||
---
|
||||
drivers/scsi/scsi_devinfo.c | 112 ++++++++++++++++----------------------------
|
||||
1 file changed, 41 insertions(+), 71 deletions(-)
|
||||
|
||||
diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
|
||||
index 9f77d23239a2..2f49a224462d 100644
|
||||
--- a/drivers/scsi/scsi_devinfo.c
|
||||
+++ b/drivers/scsi/scsi_devinfo.c
|
||||
@@ -390,25 +390,26 @@ int scsi_dev_info_list_add_keyed(int compatible, char *vendor, char *model,
|
||||
EXPORT_SYMBOL(scsi_dev_info_list_add_keyed);
|
||||
|
||||
/**
|
||||
- * scsi_dev_info_list_del_keyed - remove one dev_info list entry.
|
||||
+ * scsi_dev_info_list_find - find a matching dev_info list entry.
|
||||
* @vendor: vendor string
|
||||
* @model: model (product) string
|
||||
* @key: specify list to use
|
||||
*
|
||||
* Description:
|
||||
- * Remove and destroy one dev_info entry for @vendor, @model
|
||||
+ * Finds the first dev_info entry matching @vendor, @model
|
||||
* in list specified by @key.
|
||||
*
|
||||
- * Returns: 0 OK, -error on failure.
|
||||
+ * Returns: pointer to matching entry, or ERR_PTR on failure.
|
||||
**/
|
||||
-int scsi_dev_info_list_del_keyed(char *vendor, char *model, int key)
|
||||
+static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor,
|
||||
+ const char *model, int key)
|
||||
{
|
||||
- struct scsi_dev_info_list *devinfo, *found = NULL;
|
||||
+ struct scsi_dev_info_list *devinfo;
|
||||
struct scsi_dev_info_list_table *devinfo_table =
|
||||
scsi_devinfo_lookup_by_key(key);
|
||||
|
||||
if (IS_ERR(devinfo_table))
|
||||
- return PTR_ERR(devinfo_table);
|
||||
+ return (struct scsi_dev_info_list *) devinfo_table;
|
||||
|
||||
list_for_each_entry(devinfo, &devinfo_table->scsi_dev_info_list,
|
||||
dev_info_list) {
|
||||
@@ -452,25 +453,42 @@ int scsi_dev_info_list_del_keyed(char *vendor, char *model, int key)
|
||||
if (memcmp(devinfo->model, model,
|
||||
min(max, strlen(devinfo->model))))
|
||||
continue;
|
||||
- found = devinfo;
|
||||
+ return devinfo;
|
||||
} else {
|
||||
if (!memcmp(devinfo->vendor, vendor,
|
||||
sizeof(devinfo->vendor)) &&
|
||||
!memcmp(devinfo->model, model,
|
||||
sizeof(devinfo->model)))
|
||||
- found = devinfo;
|
||||
+ return devinfo;
|
||||
}
|
||||
- if (found)
|
||||
- break;
|
||||
}
|
||||
|
||||
- if (found) {
|
||||
- list_del(&found->dev_info_list);
|
||||
- kfree(found);
|
||||
- return 0;
|
||||
- }
|
||||
+ return ERR_PTR(-ENOENT);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * scsi_dev_info_list_del_keyed - remove one dev_info list entry.
|
||||
+ * @vendor: vendor string
|
||||
+ * @model: model (product) string
|
||||
+ * @key: specify list to use
|
||||
+ *
|
||||
+ * Description:
|
||||
+ * Remove and destroy one dev_info entry for @vendor, @model
|
||||
+ * in list specified by @key.
|
||||
+ *
|
||||
+ * Returns: 0 OK, -error on failure.
|
||||
+ **/
|
||||
+int scsi_dev_info_list_del_keyed(char *vendor, char *model, int key)
|
||||
+{
|
||||
+ struct scsi_dev_info_list *found;
|
||||
|
||||
- return -ENOENT;
|
||||
+ found = scsi_dev_info_list_find(vendor, model, key);
|
||||
+ if (IS_ERR(found))
|
||||
+ return PTR_ERR(found);
|
||||
+
|
||||
+ list_del(&found->dev_info_list);
|
||||
+ kfree(found);
|
||||
+ return 0;
|
||||
}
|
||||
EXPORT_SYMBOL(scsi_dev_info_list_del_keyed);
|
||||
|
||||
@@ -565,64 +583,16 @@ int scsi_get_device_flags_keyed(struct scsi_device *sdev,
|
||||
int key)
|
||||
{
|
||||
struct scsi_dev_info_list *devinfo;
|
||||
- struct scsi_dev_info_list_table *devinfo_table;
|
||||
+ int err;
|
||||
|
||||
- devinfo_table = scsi_devinfo_lookup_by_key(key);
|
||||
+ devinfo = scsi_dev_info_list_find(vendor, model, key);
|
||||
+ if (!IS_ERR(devinfo))
|
||||
+ return devinfo->flags;
|
||||
|
||||
- if (IS_ERR(devinfo_table))
|
||||
- return PTR_ERR(devinfo_table);
|
||||
+ err = PTR_ERR(devinfo);
|
||||
+ if (err != -ENOENT)
|
||||
+ return err;
|
||||
|
||||
- list_for_each_entry(devinfo, &devinfo_table->scsi_dev_info_list,
|
||||
- dev_info_list) {
|
||||
- if (devinfo->compatible) {
|
||||
- /*
|
||||
- * Behave like the older version of get_device_flags.
|
||||
- */
|
||||
- size_t max;
|
||||
- /*
|
||||
- * XXX why skip leading spaces? If an odd INQUIRY
|
||||
- * value, that should have been part of the
|
||||
- * scsi_static_device_list[] entry, such as " FOO"
|
||||
- * rather than "FOO". Since this code is already
|
||||
- * here, and we don't know what device it is
|
||||
- * trying to work with, leave it as-is.
|
||||
- */
|
||||
- max = 8; /* max length of vendor */
|
||||
- while ((max > 0) && *vendor == ' ') {
|
||||
- max--;
|
||||
- vendor++;
|
||||
- }
|
||||
- /*
|
||||
- * XXX removing the following strlen() would be
|
||||
- * good, using it means that for a an entry not in
|
||||
- * the list, we scan every byte of every vendor
|
||||
- * listed in scsi_static_device_list[], and never match
|
||||
- * a single one (and still have to compare at
|
||||
- * least the first byte of each vendor).
|
||||
- */
|
||||
- if (memcmp(devinfo->vendor, vendor,
|
||||
- min(max, strlen(devinfo->vendor))))
|
||||
- continue;
|
||||
- /*
|
||||
- * Skip spaces again.
|
||||
- */
|
||||
- max = 16; /* max length of model */
|
||||
- while ((max > 0) && *model == ' ') {
|
||||
- max--;
|
||||
- model++;
|
||||
- }
|
||||
- if (memcmp(devinfo->model, model,
|
||||
- min(max, strlen(devinfo->model))))
|
||||
- continue;
|
||||
- return devinfo->flags;
|
||||
- } else {
|
||||
- if (!memcmp(devinfo->vendor, vendor,
|
||||
- sizeof(devinfo->vendor)) &&
|
||||
- !memcmp(devinfo->model, model,
|
||||
- sizeof(devinfo->model)))
|
||||
- return devinfo->flags;
|
||||
- }
|
||||
- }
|
||||
/* nothing found, return nothing */
|
||||
if (key != SCSI_DEVINFO_GLOBAL)
|
||||
return 0;
|
||||
--
|
||||
2.5.0
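Review bot: In the new `scsi_dev_info_list_find()`, the error return `return (struct scsi_dev_info_list *) devinfo_table;` forwards an error pointer through a plain cast, which hides that the value is an encoded errno and not a list entry. `return ERR_CAST(devinfo_table);` states that directly and reads consistently with the `IS_ERR()`/`PTR_ERR()` handling both callers use in the later hunks. The kernel-doc would also benefit from naming the errors: `-ENOENT` for no match is visible here, and whatever `scsi_devinfo_lookup_by_key()` returns is passed through unchanged.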
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
From 5233252fce714053f0151680933571a2da9cbfb4 Mon Sep 17 00:00:00 2001
|
||||
From: "David S. Miller" <davem@davemloft.net>
|
||||
Date: Tue, 15 Dec 2015 15:39:08 -0500
|
||||
Subject: [PATCH] bluetooth: Validate socket address length in sco_sock_bind().
|
||||
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/bluetooth/sco.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
|
||||
index fe129663bd3f..f52bcbf2e58c 100644
|
||||
--- a/net/bluetooth/sco.c
|
||||
+++ b/net/bluetooth/sco.c
|
||||
@@ -526,6 +526,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
|
||||
if (!addr || addr->sa_family != AF_BLUETOOTH)
|
||||
return -EINVAL;
|
||||
|
||||
+ if (addr_len < sizeof(struct sockaddr_sco))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
lock_sock(sk);
|
||||
|
||||
if (sk->sk_state != BT_OPEN) {
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,66 @@
|
|||
From 43d10880aa4ac713cf73dbac428be9671ef1bf9d Mon Sep 17 00:00:00 2001
|
||||
From: David Sterba <dsterba@suse.com>
|
||||
Date: Mon, 30 Nov 2015 17:27:06 +0100
|
||||
Subject: [PATCH 1/2] btrfs: handle invalid num_stripes in sys_array
|
||||
|
||||
We can handle the special case of num_stripes == 0 directly inside
|
||||
btrfs_read_sys_array. The BUG_ON in btrfs_chunk_item_size is there to
|
||||
catch other unhandled cases where we fail to validate external data.
|
||||
|
||||
A crafted or corrupted image crashes at mount time:
|
||||
|
||||
BTRFS: device fsid 9006933e-2a9a-44f0-917f-514252aeec2c devid 1 transid 7 /dev/loop0
|
||||
BTRFS info (device loop0): disk space caching is enabled
|
||||
BUG: failure at fs/btrfs/ctree.h:337/btrfs_chunk_item_size()!
|
||||
Kernel panic - not syncing: BUG!
|
||||
CPU: 0 PID: 313 Comm: mount Not tainted 4.2.5-00657-ge047887-dirty #25
|
||||
Stack:
|
||||
637af890 60062489 602aeb2e 604192ba
|
||||
60387961 00000011 637af8a0 6038a835
|
||||
637af9c0 6038776b 634ef32b 00000000
|
||||
Call Trace:
|
||||
[<6001c86d>] show_stack+0xfe/0x15b
|
||||
[<6038a835>] dump_stack+0x2a/0x2c
|
||||
[<6038776b>] panic+0x13e/0x2b3
|
||||
[<6020f099>] btrfs_read_sys_array+0x25d/0x2ff
|
||||
[<601cfbbe>] open_ctree+0x192d/0x27af
|
||||
[<6019c2c1>] btrfs_mount+0x8f5/0xb9a
|
||||
[<600bc9a7>] mount_fs+0x11/0xf3
|
||||
[<600d5167>] vfs_kern_mount+0x75/0x11a
|
||||
[<6019bcb0>] btrfs_mount+0x2e4/0xb9a
|
||||
[<600bc9a7>] mount_fs+0x11/0xf3
|
||||
[<600d5167>] vfs_kern_mount+0x75/0x11a
|
||||
[<600d710b>] do_mount+0xa35/0xbc9
|
||||
[<600d7557>] SyS_mount+0x95/0xc8
|
||||
[<6001e884>] handle_syscall+0x6b/0x8e
|
||||
|
||||
Reported-by: Jiri Slaby <jslaby@suse.com>
|
||||
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||||
CC: stable@vger.kernel.org # 3.19+
|
||||
Signed-off-by: David Sterba <dsterba@suse.com>
|
||||
---
|
||||
fs/btrfs/volumes.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
|
||||
index 6fc735869c18..b816b3a2e118 100644
|
||||
--- a/fs/btrfs/volumes.c
|
||||
+++ b/fs/btrfs/volumes.c
|
||||
@@ -6399,6 +6399,14 @@ int btrfs_read_sys_array(struct btrfs_root *root)
|
||||
goto out_short_read;
|
||||
|
||||
num_stripes = btrfs_chunk_num_stripes(sb, chunk);
|
||||
+ if (!num_stripes) {
|
||||
+ printk(KERN_ERR
|
||||
+ "BTRFS: invalid number of stripes %u in sys_array at offset %u\n",
|
||||
+ num_stripes, cur_offset);
|
||||
+ ret = -EIO;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
len = btrfs_chunk_item_size(num_stripes);
|
||||
if (cur_offset + len > array_size)
|
||||
goto out_short_read;
|
||||
--
|
||||
2.5.0
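Review bot: The new `if (!num_stripes)` check in `btrfs_read_sys_array()` carries no comment explaining why zero is singled out; something like `/* on-disk value; 0 would hit the BUG_ON in btrfs_chunk_item_size() */` records the reason next to the code. Only the zero case is rejected here, so an oversized count still depends on the `cur_offset + len > array_size` test that follows, which is worth stating in the same comment. The message prints `num_stripes`, which is always 0 on this path, so the offset is the only informative field in it. The function body continues outside the hunk.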
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
From 90da345613c5c0910b54b72019664e0b2ada19f9 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 12 Jan 2016 07:54:39 -0500
|
||||
Subject: [PATCH] ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list
|
||||
|
||||
Like the Yoga 900 models the Lenovo Yoga 700 does not have a
|
||||
hw rfkill switch, and trying to read the hw rfkill switch through the
|
||||
ideapad module causes it to always reported blocking breaking wifi.
|
||||
|
||||
This commit adds the Lenovo Yoga 700 to the no_hw_rfkill dmi list, fixing
|
||||
the wifi breakage.
|
||||
|
||||
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1295272
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/platform/x86/ideapad-laptop.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
|
||||
index d28db0e793df..51178626305d 100644
|
||||
--- a/drivers/platform/x86/ideapad-laptop.c
|
||||
+++ b/drivers/platform/x86/ideapad-laptop.c
|
||||
@@ -900,6 +900,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = {
|
||||
},
|
||||
},
|
||||
{
|
||||
+ .ident = "Lenogo Yoga 700",
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 700"),
|
||||
+ },
|
||||
+ },
|
||||
+ {
|
||||
.ident = "Lenovo Yoga 900",
|
||||
.matches = {
|
||||
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
--
|
||||
2.5.0
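Review bot: The added table entry's `.ident` string is misspelled as "Lenogo Yoga 700"; it should read `.ident = "Lenovo Yoga 700",` to match the neighbouring "Lenovo Yoga 900" entry. The two DMI_MATCH strings are what select the machine, so matching is presumably unaffected, but the ident is the label a maintainer searches for when checking whether a model is already listed. The no_hw_rfkill_list array starts and ends outside the hunk.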
|
||||
|
76
kernel.spec
76
kernel.spec
|
@ -40,7 +40,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 301
|
||||
%global baserelease 303
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -640,21 +640,12 @@ Patch574: ovl-fix-permission-checking-for-setattr.patch
|
|||
#CVE-2015-7550 rhbz 1291197 1291198
|
||||
Patch575: KEYS-Fix-race-between-read-and-revoke.patch
|
||||
|
||||
#CVE-2015-8543 rhbz 1290475 1290477
|
||||
Patch576: net-add-validation-for-the-socket-syscall-protocol-a.patch
|
||||
|
||||
#CVE-2015-8569 rhbz 1292045 1292047
|
||||
Patch600: pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
|
||||
|
||||
Patch601: vrf-fix-memory-leak-on-registration.patch
|
||||
|
||||
#CVE-2015-8575 rhbz 1292840 1292841
|
||||
Patch602: bluetooth-Validate-socket-address-length-in-sco_sock.patch
|
||||
|
||||
#CVE-2015-8709 rhbz 1295287 1295288
|
||||
Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
|
||||
|
||||
Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
||||
#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
||||
|
||||
#CVE-2015-7513 rhbz 1284847 1296142
|
||||
Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
|
||||
|
@ -675,12 +666,11 @@ Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
|
|||
Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch
|
||||
|
||||
#rhbz 1298309
|
||||
Patch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
|
||||
#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
|
||||
|
||||
#rhbz 1298996
|
||||
Patch625: block-ensure-to-split-after-potentially-bouncing-a-b.patch
|
||||
|
||||
|
||||
################# Hubbitus patches
|
||||
# My patch to resolve compile problem:
|
||||
#+ make -s ARCH=x86_64 V=1 -j3 bzImage
|
||||
|
@ -703,6 +693,41 @@ Patch625: block-ensure-to-split-after-potentially-bouncing-a-b.patch
|
|||
#? Patch30008: tuxonice-function_trace_stop-undefined-compilation-problem.patch
|
||||
#//////////////// end Hubbitus patches
|
||||
|
||||
#rhbz 1298192
|
||||
Patch626: selinux-fix-bug-in-conditional-rules-handling.patch
|
||||
|
||||
#rhbz 1295272
|
||||
Patch627: ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch
|
||||
|
||||
Patch628: i915-stable-backports.patch
|
||||
Patch635: nouveau-stable-backports.patch
|
||||
|
||||
#rhbz 1299810
|
||||
Patch629: SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch
|
||||
Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
|
||||
|
||||
Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
|
||||
Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
|
||||
|
||||
Patch633: net_43.mbox
|
||||
|
||||
#CVE-2016-0728 rhbz 1296623 1297475
|
||||
Patch634: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
|
||||
|
||||
#CVE-2013-4312 rhbz 1297813 1300216
|
||||
Patch636: unix-properly-account-for-FDs-passed-over-unix-socke.patch
|
||||
|
||||
#CVE-2016-0723 rhbz 1296253 1300224
|
||||
Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
|
||||
|
||||
#rhbz 1279653
|
||||
Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
|
||||
|
||||
#CVE-XXXX-XXXX rhbz 1300731 1300732
|
||||
Patch639: netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
|
||||
|
||||
#rhbz 1300955
|
||||
Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
|
@ -2152,11 +2177,34 @@ fi
|
|||
# and build.
|
||||
#
|
||||
%changelog
|
||||
* Fri Jan 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix backtrace from PNP conflict on Haswell-ULT (rhbz 1300955)
|
||||
|
||||
* Thu Jan 21 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-XXXX-XXXX missing null ptr check in nf_nat_redirect_ipv4 (rhbz 1300731 1300732)
|
||||
- Fix incorrect country code issue on RTL8812AE devices (rhbz 1279653)
|
||||
|
||||
* Wed Jan 20 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-0723 memory disclosure and crash in tty layer (rhbz 1296253 1300224)
|
||||
- CVE-2013-4312 file descr passed over unix sockects not properly accounted (rhbz 1297813 1300216)
|
||||
|
||||
* Tue Jan 19 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.3-303
|
||||
- Backport nouveau stable fixes (rhbz 1299349)
|
||||
- CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623 1297475)
|
||||
- Add currently queued networking stable patches
|
||||
- Add a couple btrfs patches cc'd to stable upstream
|
||||
- Add SCSI patches to avoid blacklist false positives (rhbz 1299810)
|
||||
|
||||
* Mon Jan 18 2016 Pavel Alexeev <Pahan@Hubbitus.info> - 4.3.3-301.hu.1.pf4
|
||||
- Merge Fedora 4.3.3-301
|
||||
- Update to 4.3-pf4 (https://pf.natalenko.name/news/?p=139)
|
||||
|
||||
* Sat Jan 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
* Mon Jan 18 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.3-302
|
||||
- Backport stable fixed marked in upstream 4.4
|
||||
- Fix rfkill issues on Yoga 700 (rhbz 1295272)
|
||||
- Fix SELinux issue with conditional rules (rhbz 1298192)
|
||||
|
||||
* Fri Jan 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix block errors on PAE machines (rhbz 1298996)
|
||||
|
||||
* Wed Jan 13 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.3-301
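Review bot: The patch files for CVE-2015-8543 and CVE-2015-8569 are deleted in this commit, but nothing in the new Patch lines or the changelog records where those fixes now come from. If they are carried by `Patch633: net_43.mbox` (its diff is suppressed on this page, so that is an assumption), a comment above that line would keep the fixes auditable, e.g. `#includes CVE-2015-8543 rhbz 1290475 1290477 and CVE-2015-8569 rhbz 1292045 1292047`. The same applies to `#atch604:` and `#atch624:`: disabling a patch by mangling its tag leaves no reason behind, so a one-line comment saying why each is off would help the next merge.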
|
||||
|
|
|
@ -1,139 +0,0 @@
|
|||
From 4da7dc22c91ad2c3144cb1d0d96e9611bc86da47 Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Mon, 14 Dec 2015 22:03:39 +0100
|
||||
Subject: [PATCH] net: add validation for the socket syscall protocol argument
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
郭永刚 reported that one could simply crash the kernel as root by
|
||||
using a simple program:
|
||||
|
||||
int socket_fd;
|
||||
struct sockaddr_in addr;
|
||||
addr.sin_port = 0;
|
||||
addr.sin_addr.s_addr = INADDR_ANY;
|
||||
addr.sin_family = 10;
|
||||
|
||||
socket_fd = socket(10,3,0x40000000);
|
||||
connect(socket_fd , &addr,16);
|
||||
|
||||
AF_INET, AF_INET6 sockets actually only support 8-bit protocol
|
||||
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
|
||||
thus larger protocol identifiers simply cut off the higher bits and
|
||||
store a zero in the protocol fields.
|
||||
|
||||
This could lead to e.g. NULL function pointer because as a result of
|
||||
the cut off inet_num is zero and we call down to inet_autobind, which
|
||||
is NULL for raw sockets.
|
||||
|
||||
kernel: Call Trace:
|
||||
kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
|
||||
kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
|
||||
kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
|
||||
kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
|
||||
kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
|
||||
kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
|
||||
kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
|
||||
|
||||
I found no particular commit which introduced this problem.
|
||||
|
||||
CVE: CVE-2015-8543
|
||||
Cc: Cong Wang <cwang@twopensource.com>
|
||||
Reported-by: 郭永刚 <guoyonggang@360.cn>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/net/sock.h | 1 +
|
||||
net/ax25/af_ax25.c | 3 +++
|
||||
net/decnet/af_decnet.c | 3 +++
|
||||
net/ipv4/af_inet.c | 3 +++
|
||||
net/ipv6/af_inet6.c | 3 +++
|
||||
net/irda/af_irda.c | 3 +++
|
||||
6 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/include/net/sock.h b/include/net/sock.h
|
||||
index 52d27ee924f4..2fa1fc00e8cb 100644
|
||||
--- a/include/net/sock.h
|
||||
+++ b/include/net/sock.h
|
||||
@@ -403,6 +403,7 @@ struct sock {
|
||||
sk_no_check_rx : 1,
|
||||
sk_userlocks : 4,
|
||||
sk_protocol : 8,
|
||||
+#define SK_PROTOCOL_MAX U8_MAX
|
||||
sk_type : 16;
|
||||
kmemcheck_bitfield_end(flags);
|
||||
int sk_wmem_queued;
|
||||
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
|
||||
index ae3a47f9d1d5..fbd0acf80b13 100644
|
||||
--- a/net/ax25/af_ax25.c
|
||||
+++ b/net/ax25/af_ax25.c
|
||||
@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
|
||||
struct sock *sk;
|
||||
ax25_cb *ax25;
|
||||
|
||||
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!net_eq(net, &init_net))
|
||||
return -EAFNOSUPPORT;
|
||||
|
||||
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
|
||||
index eebf5ac8ce18..13d6b1a6e0fc 100644
|
||||
--- a/net/decnet/af_decnet.c
|
||||
+++ b/net/decnet/af_decnet.c
|
||||
@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
|
||||
{
|
||||
struct sock *sk;
|
||||
|
||||
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!net_eq(net, &init_net))
|
||||
return -EAFNOSUPPORT;
|
||||
|
||||
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
|
||||
index 11c4ca13ec3b..5c5db6636704 100644
|
||||
--- a/net/ipv4/af_inet.c
|
||||
+++ b/net/ipv4/af_inet.c
|
||||
@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
|
||||
int try_loading_module = 0;
|
||||
int err;
|
||||
|
||||
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
sock->state = SS_UNCONNECTED;
|
||||
|
||||
/* Look for the requested type/protocol pair. */
|
||||
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
|
||||
index 8ec0df75f1c4..9f5137cd604e 100644
|
||||
--- a/net/ipv6/af_inet6.c
|
||||
+++ b/net/ipv6/af_inet6.c
|
||||
@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
|
||||
int try_loading_module = 0;
|
||||
int err;
|
||||
|
||||
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
/* Look for the requested type/protocol pair. */
|
||||
lookup_protocol:
|
||||
err = -ESOCKTNOSUPPORT;
|
||||
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
|
||||
index e6aa48b5395c..923abd6b3064 100644
|
||||
--- a/net/irda/af_irda.c
|
||||
+++ b/net/irda/af_irda.c
|
||||
@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
|
||||
struct sock *sk;
|
||||
struct irda_sock *self;
|
||||
|
||||
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (net != &init_net)
|
||||
return -EAFNOSUPPORT;
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,83 @@
|
|||
From f9688b8f6755c3c2eb5c7e2e22ab168d0cb97644 Mon Sep 17 00:00:00 2001
|
||||
From: Munehisa Kamata <kamatam@amazon.com>
|
||||
Date: Mon, 26 Oct 2015 19:10:52 -0700
|
||||
Subject: [PATCH] netfilter: nf_nat_redirect: add missing NULL pointer check
|
||||
|
||||
Upstream commit 94f9cd81436c85d8c3a318ba92e236ede73752fc
|
||||
|
||||
Commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT
|
||||
redirect IPv4 to use it from nf_tables") has introduced a trivial logic
|
||||
change which can result in the following crash.
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
|
||||
IP: [<ffffffffa033002d>] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect]
|
||||
PGD 3ba662067 PUD 3ba661067 PMD 0
|
||||
Oops: 0000 [#1] SMP
|
||||
Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
|
||||
CPU: 0 PID: 2536 Comm: ip Tainted: G E 4.1.7-15.23.amzn1.x86_64 #1
|
||||
Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015
|
||||
task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000
|
||||
[...]
|
||||
Call Trace:
|
||||
<IRQ>
|
||||
[<ffffffffa0334065>] redirect_tg4+0x15/0x20 [xt_REDIRECT]
|
||||
[<ffffffffa02e2e99>] ipt_do_table+0x2b9/0x5e1 [ip_tables]
|
||||
[<ffffffffa0328045>] iptable_nat_do_chain+0x25/0x30 [iptable_nat]
|
||||
[<ffffffffa031777d>] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4]
|
||||
[<ffffffffa0328020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
|
||||
[<ffffffffa031785e>] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4]
|
||||
[<ffffffffa03280a5>] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat]
|
||||
[<ffffffff81449137>] nf_iterate+0x57/0x80
|
||||
[<ffffffff814491f7>] nf_hook_slow+0x97/0x100
|
||||
[<ffffffff814504d4>] ip_rcv+0x314/0x400
|
||||
|
||||
unsigned int
|
||||
nf_nat_redirect_ipv4(struct sk_buff *skb,
|
||||
...
|
||||
{
|
||||
...
|
||||
rcu_read_lock();
|
||||
indev = __in_dev_get_rcu(skb->dev);
|
||||
if (indev != NULL) {
|
||||
ifa = indev->ifa_list;
|
||||
newdst = ifa->ifa_local; <---
|
||||
}
|
||||
rcu_read_unlock();
|
||||
...
|
||||
}
|
||||
|
||||
Before the commit, 'ifa' had been always checked before access. After the
|
||||
commit, however, it could be accessed even if it's NULL. Interestingly,
|
||||
this was once fixed in 2003.
|
||||
|
||||
http://marc.info/?l=netfilter-devel&m=106668497403047&w=2
|
||||
|
||||
In addition to the original one, we have seen the crash when packets that
|
||||
need to be redirected somehow arrive on an interface which hasn't been
|
||||
yet fully configured.
|
||||
|
||||
This change just reverts the logic to the old behavior to avoid the crash.
|
||||
|
||||
Fixes: 8b13eddfdf04 ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables")
|
||||
Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
net/netfilter/nf_nat_redirect.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c
|
||||
index 97b75f9bfbcd..d43869879fcf 100644
|
||||
--- a/net/netfilter/nf_nat_redirect.c
|
||||
+++ b/net/netfilter/nf_nat_redirect.c
|
||||
@@ -55,7 +55,7 @@ nf_nat_redirect_ipv4(struct sk_buff *skb,
|
||||
|
||||
rcu_read_lock();
|
||||
indev = __in_dev_get_rcu(skb->dev);
|
||||
- if (indev != NULL) {
|
||||
+ if (indev && indev->ifa_list) {
|
||||
ifa = indev->ifa_list;
|
||||
newdst = ifa->ifa_local;
|
||||
}
|
||||
--
|
||||
2.5.0
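Review bot: The new condition reads `indev->ifa_list` once for the NULL test and the following line reads it again for the assignment, so the pointer that was checked is not necessarily the one that gets dereferenced. Loading it once makes the check and the use agree: `ifa = indev ? indev->ifa_list : NULL;` followed by `if (ifa) newdst = ifa->ifa_local;`. Whether the list can change between the two reads depends on how ifa_list is updated under RCU in this tree, which the hunk does not show. The body of nf_nat_redirect_ipv4 starts and ends outside the hunk.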
|
||||
|
|
@ -0,0 +1,105 @@
|
|||
From fe9c94340928d8ec3ea1ae74f99c3c9b18684129 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Peres <martin.peres@free.fr>
|
||||
Date: Sun, 29 Nov 2015 16:10:18 +0200
|
||||
Subject: [PATCH 1/3] drm/nouveau/bios/fan: hardcode the fan mode to linear
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is an oversight that made use of the trip-point-based fan managenent on
|
||||
cards that never expose those. This led the fan to stay at fan_min.
|
||||
|
||||
Fortunately, the emergency code would kick when the temperature would reach
|
||||
90°C.
|
||||
|
||||
Reported-by: Tom Englund <tomenglund26@gmail.com>
|
||||
Tested-by: Tom Englund <tomenglund26@gmail.com>
|
||||
Signed-off-by: Martin Peres <martin.peres@free.fr>
|
||||
Tested-by: Daemon32 <lnf.purple@gmail.com>
|
||||
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92126
|
||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c
|
||||
index 43006db6fd58..80fed7e78dcb 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c
|
||||
@@ -83,6 +83,7 @@ nvbios_fan_parse(struct nvkm_bios *bios, struct nvbios_therm_fan *fan)
|
||||
fan->type = NVBIOS_THERM_FAN_UNK;
|
||||
}
|
||||
|
||||
+ fan->fan_mode = NVBIOS_THERM_FAN_LINEAR;
|
||||
fan->min_duty = nvbios_rd08(bios, data + 0x02);
|
||||
fan->max_duty = nvbios_rd08(bios, data + 0x03);
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
||||
|
||||
From acdc10375119fc5dd76d7051a5ae4a41f61c45aa Mon Sep 17 00:00:00 2001
|
||||
From: Ben Skeggs <bskeggs@redhat.com>
|
||||
Date: Mon, 4 Jan 2016 09:01:13 +1000
|
||||
Subject: [PATCH 2/3] drm/nouveau/gr/nv40: fix oops in interrupt handler
|
||||
|
||||
fdo#93557
|
||||
|
||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c
|
||||
index ffa902ece872..05a895496fc6 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c
|
||||
@@ -156,6 +156,7 @@ nv40_gr_chan_new(struct nvkm_gr *base, struct nvkm_fifo_chan *fifoch,
|
||||
return -ENOMEM;
|
||||
nvkm_object_ctor(&nv40_gr_chan, oclass, &chan->object);
|
||||
chan->gr = gr;
|
||||
+ chan->fifo = fifoch;
|
||||
*pobject = &chan->object;
|
||||
|
||||
spin_lock_irqsave(&chan->gr->base.engine.lock, flags);
|
||||
--
|
||||
2.5.0
|
||||
|
||||
|
||||
From c5d07dcb6d6260a51a2309d5f62c3391637afa86 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Skeggs <bskeggs@redhat.com>
|
||||
Date: Fri, 8 Jan 2016 08:56:51 +1000
|
||||
Subject: [PATCH 3/3] drm/nouveau/kms: take mode_config mutex in connector
|
||||
hotplug path
|
||||
|
||||
fdo#93634
|
||||
|
||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
|
||||
index 2e7cbe933533..2a5ed7460354 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
|
||||
@@ -969,10 +969,13 @@ nouveau_connector_hotplug(struct nvif_notify *notify)
|
||||
|
||||
NV_DEBUG(drm, "%splugged %s\n", plugged ? "" : "un", name);
|
||||
|
||||
+ mutex_lock(&drm->dev->mode_config.mutex);
|
||||
if (plugged)
|
||||
drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
|
||||
else
|
||||
drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
|
||||
+ mutex_unlock(&drm->dev->mode_config.mutex);
|
||||
+
|
||||
drm_helper_hpd_irq_event(connector->dev);
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From 16c5a158e97d5b1f6c8bf86b006c1349f025d4e0 Mon Sep 17 00:00:00 2001
|
||||
From: WANG Cong <xiyou.wangcong@gmail.com>
|
||||
Date: Mon, 14 Dec 2015 13:48:36 -0800
|
||||
Subject: [PATCH] pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
|
||||
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/ppp/pptp.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
|
||||
index fc69e41d0950..597c53e0a2ec 100644
|
||||
--- a/drivers/net/ppp/pptp.c
|
||||
+++ b/drivers/net/ppp/pptp.c
|
||||
@@ -419,6 +419,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
|
||||
struct pptp_opt *opt = &po->proto.pptp;
|
||||
int error = 0;
|
||||
|
||||
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
lock_sock(sk);
|
||||
|
||||
opt->src_addr = sp->sa_addr.pptp;
|
||||
@@ -440,6 +443,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
|
||||
struct flowi4 fl4;
|
||||
int error = 0;
|
||||
|
||||
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (sp->sa_protocol != PX_PROTO_PPTP)
|
||||
return -EINVAL;
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,55 @@
|
|||
From 1bd0c273bcf537adadedd7cc69408b99afd1534c Mon Sep 17 00:00:00 2001
|
||||
From: Larry Finger <Larry.Finger@lwfinger.net>
|
||||
Date: Wed, 20 Jan 2016 21:26:18 -0600
|
||||
Subject: [PATCH] rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly
|
||||
encoded
|
||||
|
||||
Recently, it has been reported that D-Link DWA-582 cards, which use an
|
||||
RTL8812AE chip are not able to scan for 5G networks. The problems started
|
||||
with kernel 4.2, which is the first version that had commit d10101a60372
|
||||
("rtlwifi: rtl8821ae: Fix problem with regulatory information"). With this
|
||||
patch, the driver went from setting a default channel plan to using
|
||||
the value derived from EEPROM.
|
||||
|
||||
Bug reports at https://bugzilla.kernel.org/show_bug.cgi?id=111031 and
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1279653 are examples of this
|
||||
problem.
|
||||
|
||||
The problem was solved once I learned that the internal country code was
|
||||
resulting in a regulatory set with only 2.4 GHz channels. With the RTL8821AE
|
||||
chips available to me, the country code was such that both 2.4 and 5 GHz
|
||||
channels are allowed. The fix is to allow both bands even when the EEPROM
|
||||
is incorrectly encoded.
|
||||
|
||||
Fixes: d10101a60372 ("rtlwifi: rtl8821ae: Fix problem with regulatory information")
|
||||
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
|
||||
Cc: littlesmartguy@gmail.com
|
||||
Cc: gabe@codehaus.org
|
||||
Cc: Stable <stable@vger.kernel.org> [v4.2+]
|
||||
---
|
||||
drivers/net/wireless/rtlwifi/regd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/rtlwifi/regd.c b/drivers/net/wireless/rtlwifi/regd.c
|
||||
index a62bf0a65c32..5be34118e0af 100644
|
||||
--- a/drivers/net/wireless/rtlwifi/regd.c
|
||||
+++ b/drivers/net/wireless/rtlwifi/regd.c
|
||||
@@ -351,7 +351,6 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
|
||||
case COUNTRY_CODE_SPAIN:
|
||||
case COUNTRY_CODE_FRANCE:
|
||||
case COUNTRY_CODE_ISRAEL:
|
||||
- case COUNTRY_CODE_WORLD_WIDE_13:
|
||||
return &rtl_regdom_12_13;
|
||||
case COUNTRY_CODE_MKK:
|
||||
case COUNTRY_CODE_MKK1:
|
||||
@@ -360,6 +359,7 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
|
||||
return &rtl_regdom_14_60_64;
|
||||
case COUNTRY_CODE_GLOBAL_DOMAIN:
|
||||
return &rtl_regdom_14;
|
||||
+ case COUNTRY_CODE_WORLD_WIDE_13:
|
||||
case COUNTRY_CODE_WORLD_WIDE_13_5G_ALL:
|
||||
return &rtl_regdom_12_13_5g_all;
|
||||
default:
|
||||
--
|
||||
2.5.0
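Review bot: The moved `case COUNTRY_CODE_WORLD_WIDE_13:` label now returns `rtl_regdom_12_13_5g_all`, but its name still reads as 2.4 GHz only and no comment in the code says why it sits in the 5G group. A comment above the moved label would keep a later cleanup from moving it back, e.g. `/* Some EEPROMs report WORLD_WIDE_13 on 5 GHz-capable chips; allow both bands. */`. _rtl_regdomain_select starts and ends outside both hunks.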
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
From f3bef67992e8698897b584616535803887c4a73e Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Date: Mon, 23 Nov 2015 16:07:41 -0500
|
||||
Subject: [PATCH] selinux: fix bug in conditional rules handling
|
||||
|
||||
commit fa1aa143ac4a ("selinux: extended permissions for ioctls")
|
||||
introduced a bug into the handling of conditional rules, skipping the
|
||||
processing entirely when the caller does not provide an extended
|
||||
permissions (xperms) structure. Access checks from userspace using
|
||||
/sys/fs/selinux/access do not include such a structure since that
|
||||
interface does not presently expose extended permission information.
|
||||
As a result, conditional rules were being ignored entirely on userspace
|
||||
access requests, producing denials when access was allowed by
|
||||
conditional rules in the policy. Fix the bug by only skipping
|
||||
computation of extended permissions in this situation, not the entire
|
||||
conditional rules processing.
|
||||
|
||||
Reported-by: Laurent Bigonville <bigon@debian.org>
|
||||
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
[PM: fixed long lines in patch description]
|
||||
Cc: stable@vger.kernel.org # 4.3
|
||||
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
||||
---
|
||||
security/selinux/ss/conditional.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
|
||||
index 18643bf9894d..456e1a9bcfde 100644
|
||||
--- a/security/selinux/ss/conditional.c
|
||||
+++ b/security/selinux/ss/conditional.c
|
||||
@@ -638,7 +638,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
|
||||
{
|
||||
struct avtab_node *node;
|
||||
|
||||
- if (!ctab || !key || !avd || !xperms)
|
||||
+ if (!ctab || !key || !avd)
|
||||
return;
|
||||
|
||||
for (node = avtab_search_node(ctab, key); node;
|
||||
@@ -657,7 +657,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
|
||||
if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
|
||||
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
|
||||
avd->auditallow |= node->datum.u.data;
|
||||
- if ((node->key.specified & AVTAB_ENABLED) &&
|
||||
+ if (xperms && (node->key.specified & AVTAB_ENABLED) &&
|
||||
(node->key.specified & AVTAB_XPERMS))
|
||||
services_compute_xperms_drivers(xperms, node);
|
||||
}
|
||||
--
|
||||
2.5.0
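Review bot: cond_compute_av() now accepts a NULL `xperms`, but that contract is written down nowhere in the code. According to the commit message, the earlier blanket NULL check on this parameter caused conditional rules to be skipped for userspace access queries, so the nullable argument is worth pinning where the next editor will see it. A comment above the function would do, e.g. `/* xperms may be NULL when the caller does not need extended permissions; conditional rules are still evaluated. */`. The function starts before the first hunk and continues past the second.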
|
||||
|
|
@ -0,0 +1,68 @@
|
|||
From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hurley <peter@hurleysoftware.com>
|
||||
Date: Sun, 10 Jan 2016 22:40:55 -0800
|
||||
Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
|
||||
|
||||
ioctl(TIOCGETD) retrieves the line discipline id directly from the
|
||||
ldisc because the line discipline id (c_line) in termios is untrustworthy;
|
||||
userspace may have set termios via ioctl(TCSETS*) without actually
|
||||
changing the line discipline via ioctl(TIOCSETD).
|
||||
|
||||
However, directly accessing the current ldisc via tty->ldisc is
|
||||
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
|
||||
is changing via ioctl(TIOCSETD) or hangup.
|
||||
|
||||
Wait for the line discipline reference (just like read() or write())
|
||||
to retrieve the "current" line discipline id.
|
||||
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
|
||||
---
|
||||
drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
|
||||
1 file changed, 23 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
|
||||
index f435977de740..bd4027e36910 100644
|
||||
--- a/drivers/tty/tty_io.c
|
||||
+++ b/drivers/tty/tty_io.c
|
||||
@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
|
||||
}
|
||||
|
||||
/**
|
||||
+ * tiocgetd - get line discipline
|
||||
+ * @tty: tty device
|
||||
+ * @p: pointer to user data
|
||||
+ *
|
||||
+ * Retrieves the line discipline id directly from the ldisc.
|
||||
+ *
|
||||
+ * Locking: waits for ldisc reference (in case the line discipline
|
||||
+ * is changing or the tty is being hungup)
|
||||
+ */
|
||||
+
|
||||
+static int tiocgetd(struct tty_struct *tty, int __user *p)
|
||||
+{
|
||||
+ struct tty_ldisc *ld;
|
||||
+ int ret;
|
||||
+
|
||||
+ ld = tty_ldisc_ref_wait(tty);
|
||||
+ ret = put_user(ld->ops->num, p);
|
||||
+ tty_ldisc_deref(ld);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
* send_break - performed time break
|
||||
* @tty: device to break on
|
||||
* @duration: timeout in mS
|
||||
@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
||||
case TIOCGSID:
|
||||
return tiocgsid(tty, real_tty, p);
|
||||
case TIOCGETD:
|
||||
- return put_user(tty->ldisc->ops->num, (int __user *)p);
|
||||
+ return tiocgetd(tty, p);
|
||||
case TIOCSETD:
|
||||
return tiocsetd(tty, p);
|
||||
case TIOCVHANGUP:
|
||||
--
|
||||
2.5.0
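Review bot: The new tiocgetd() dereferences `ld` immediately after `tty_ldisc_ref_wait(tty)` with no NULL check. tty_ldisc_ref_wait() is not shown on this page; if it can return NULL in this tree (for example when the tty has been hung up), `ld->ops->num` becomes a NULL dereference on the ioctl path. A guard before the put_user() covers that case: `if (!ld) return -EIO;`. If the helper is guaranteed to return a valid reference here, a comment saying so in the "Locking:" paragraph of the kernel-doc would be enough.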
|
||||
|
|
@ -0,0 +1,140 @@
|
|||
From 0cd038d23b86853d68993c94f3c713e4375fd61f Mon Sep 17 00:00:00 2001
|
||||
From: willy tarreau <w@1wt.eu>
|
||||
Date: Sun, 10 Jan 2016 07:54:56 +0100
|
||||
Subject: [PATCH] unix: properly account for FDs passed over unix sockets
|
||||
|
||||
It is possible for a process to allocate and accumulate far more FDs than
|
||||
the process' limit by sending them over a unix socket then closing them
|
||||
to keep the process' fd count low.
|
||||
|
||||
This change addresses this problem by keeping track of the number of FDs
|
||||
in flight per user and preventing non-privileged processes from having
|
||||
more FDs in flight than their configured FD limit.
|
||||
|
||||
Reported-by: socketpair@gmail.com
|
||||
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
|
||||
Mitigates: CVE-2013-4312 (Linux 2.0+)
|
||||
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/linux/sched.h | 1 +
|
||||
net/unix/af_unix.c | 24 ++++++++++++++++++++----
|
||||
net/unix/garbage.c | 13 ++++++++-----
|
||||
3 files changed, 29 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/include/linux/sched.h b/include/linux/sched.h
|
||||
index b7b9501b41af..f477e87ca46f 100644
|
||||
--- a/include/linux/sched.h
|
||||
+++ b/include/linux/sched.h
|
||||
@@ -830,6 +830,7 @@ struct user_struct {
|
||||
unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
|
||||
#endif
|
||||
unsigned long locked_shm; /* How many pages of mlocked shm ? */
|
||||
+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
|
||||
|
||||
#ifdef CONFIG_KEYS
|
||||
struct key *uid_keyring; /* UID specific keyring */
|
||||
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
|
||||
index 128b0982c96b..9085de63bb81 100644
|
||||
--- a/net/unix/af_unix.c
|
||||
+++ b/net/unix/af_unix.c
|
||||
@@ -1498,6 +1498,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
|
||||
sock_wfree(skb);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * The "user->unix_inflight" variable is protected by the garbage
|
||||
+ * collection lock, and we just read it locklessly here. If you go
|
||||
+ * over the limit, there might be a tiny race in actually noticing
|
||||
+ * it across threads. Tough.
|
||||
+ */
|
||||
+static inline bool too_many_unix_fds(struct task_struct *p)
|
||||
+{
|
||||
+ struct user_struct *user = current_user();
|
||||
+
|
||||
+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
|
||||
+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
|
||||
+ return false;
|
||||
+}
|
||||
+
|
||||
#define MAX_RECURSION_LEVEL 4
|
||||
|
||||
static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
@@ -1506,6 +1521,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
unsigned char max_level = 0;
|
||||
int unix_sock_count = 0;
|
||||
|
||||
+ if (too_many_unix_fds(current))
|
||||
+ return -ETOOMANYREFS;
|
||||
+
|
||||
for (i = scm->fp->count - 1; i >= 0; i--) {
|
||||
struct sock *sk = unix_get_socket(scm->fp->fp[i]);
|
||||
|
||||
@@ -1527,10 +1545,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
if (!UNIXCB(skb).fp)
|
||||
return -ENOMEM;
|
||||
|
||||
- if (unix_sock_count) {
|
||||
- for (i = scm->fp->count - 1; i >= 0; i--)
|
||||
- unix_inflight(scm->fp->fp[i]);
|
||||
- }
|
||||
+ for (i = scm->fp->count - 1; i >= 0; i--)
|
||||
+ unix_inflight(scm->fp->fp[i]);
|
||||
return max_level;
|
||||
}
|
||||
|
||||
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
|
||||
index a73a226f2d33..8fcdc2283af5 100644
|
||||
--- a/net/unix/garbage.c
|
||||
+++ b/net/unix/garbage.c
|
||||
@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
|
||||
{
|
||||
struct sock *s = unix_get_socket(fp);
|
||||
|
||||
+ spin_lock(&unix_gc_lock);
|
||||
+
|
||||
if (s) {
|
||||
struct unix_sock *u = unix_sk(s);
|
||||
|
||||
- spin_lock(&unix_gc_lock);
|
||||
-
|
||||
if (atomic_long_inc_return(&u->inflight) == 1) {
|
||||
BUG_ON(!list_empty(&u->link));
|
||||
list_add_tail(&u->link, &gc_inflight_list);
|
||||
@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
|
||||
BUG_ON(list_empty(&u->link));
|
||||
}
|
||||
unix_tot_inflight++;
|
||||
- spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
+ fp->f_cred->user->unix_inflight++;
|
||||
+ spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
|
||||
void unix_notinflight(struct file *fp)
|
||||
{
|
||||
struct sock *s = unix_get_socket(fp);
|
||||
|
||||
+ spin_lock(&unix_gc_lock);
|
||||
+
|
||||
if (s) {
|
||||
struct unix_sock *u = unix_sk(s);
|
||||
|
||||
- spin_lock(&unix_gc_lock);
|
||||
BUG_ON(list_empty(&u->link));
|
||||
|
||||
if (atomic_long_dec_and_test(&u->inflight))
|
||||
list_del_init(&u->link);
|
||||
unix_tot_inflight--;
|
||||
- spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
+ fp->f_cred->user->unix_inflight--;
|
||||
+ spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
|
||||
static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
|
||||
--
|
||||
2.5.0
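Review bot: The limit check and the accounting refer to different users: too_many_unix_fds() reads `unix_inflight` from `current_user()` (its `p` argument is used only for the rlimit), while unix_inflight() and unix_notinflight() adjust `fp->f_cred->user->unix_inflight`, the user that opened the file. A descriptor opened under one uid and sent under another is therefore charged to the opener, so the sender's counter does not reflect what it has in flight and the opener's counter grows for sends it did not make. The count should be taken against the sending user and released against that same user, which means recording the user with the in-flight file list instead of deriving it from `fp`; that touches code outside these hunks. Separately, the check runs before the loop adds `scm->fp->count` entries, so the counter can exceed the limit by one message's worth of descriptors.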
|
||||
|