Linux v4.4.7
This commit is contained in:
parent
fd0bbc149b
commit
0a25633606
|
@ -1,31 +0,0 @@
|
|||
From cb6fcfe5a7e9197ceb7e9eec56e9c526e4e76354 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Date: Mon, 14 Mar 2016 19:37:12 +0100
|
||||
Subject: [PATCH] Input: synaptics - handle spurious release of trackstick
|
||||
buttons, again
|
||||
|
||||
Looks like the fimware 8.2 stall has the extra buttons spurious release
|
||||
bug.
|
||||
|
||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
---
|
||||
drivers/input/mouse/synaptics.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
|
||||
index 6025eb4..4ef8d7a 100644
|
||||
--- a/drivers/input/mouse/synaptics.c
|
||||
+++ b/drivers/input/mouse/synaptics.c
|
||||
@@ -863,7 +863,8 @@ static void synaptics_report_ext_buttons(struct psmouse *psmouse,
|
||||
return;
|
||||
|
||||
/* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */
|
||||
- if (SYN_ID_FULL(priv->identity) == 0x801 &&
|
||||
+ if ((SYN_ID_FULL(priv->identity) == 0x801 ||
|
||||
+ SYN_ID_FULL(priv->identity) == 0x802) &&
|
||||
!((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02))
|
||||
return;
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
From 873156565ca67779bbf5a3475ccd08ea3bb92522 Mon Sep 17 00:00:00 2001
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Tue, 15 Mar 2016 15:20:58 +0100
|
||||
Subject: [PATCH 2/2] ALSA: usb-audio: Add sanity checks for endpoint accesses
|
||||
|
||||
Add some sanity check codes before actually accessing the endpoint via
|
||||
get_endpoint() in order to avoid the invalid access through a
|
||||
malformed USB descriptor. Mostly just checking bNumEndpoints, but in
|
||||
one place (snd_microii_spdif_default_get()), the validity of iface and
|
||||
altsetting index is checked as well.
|
||||
|
||||
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/usb/clock.c | 2 ++
|
||||
sound/usb/endpoint.c | 3 +++
|
||||
sound/usb/mixer_quirks.c | 4 ++++
|
||||
sound/usb/pcm.c | 2 ++
|
||||
4 files changed, 11 insertions(+)
|
||||
|
||||
diff --git a/sound/usb/clock.c b/sound/usb/clock.c
|
||||
index 2ed260b10f6d..7ccbcaf6a147 100644
|
||||
--- a/sound/usb/clock.c
|
||||
+++ b/sound/usb/clock.c
|
||||
@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface,
|
||||
unsigned char data[3];
|
||||
int err, crate;
|
||||
|
||||
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
ep = get_endpoint(alts, 0)->bEndpointAddress;
|
||||
|
||||
/* if endpoint doesn't have sampling rate control, bail out */
|
||||
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
|
||||
index e6f71894ecdc..c2131b851602 100644
|
||||
--- a/sound/usb/endpoint.c
|
||||
+++ b/sound/usb/endpoint.c
|
||||
@@ -415,6 +415,9 @@ exit_clear:
|
||||
*
|
||||
* New endpoints will be added to chip->ep_list and must be freed by
|
||||
* calling snd_usb_endpoint_free().
|
||||
+ *
|
||||
+ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
|
||||
+ * bNumEndpoints > 1 beforehand.
|
||||
*/
|
||||
struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
|
||||
struct usb_host_interface *alts,
|
||||
diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
|
||||
index d3608c0a29f3..2d724e3c4cc0 100644
|
||||
--- a/sound/usb/mixer_quirks.c
|
||||
+++ b/sound/usb/mixer_quirks.c
|
||||
@@ -1518,7 +1518,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol,
|
||||
|
||||
/* use known values for that card: interface#1 altsetting#1 */
|
||||
iface = usb_ifnum_to_if(chip->dev, 1);
|
||||
+ if (!iface || iface->num_altsetting < 2)
|
||||
+ return -EINVAL;
|
||||
alts = &iface->altsetting[1];
|
||||
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
ep = get_endpoint(alts, 0)->bEndpointAddress;
|
||||
|
||||
err = snd_usb_ctl_msg(chip->dev,
|
||||
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
|
||||
index cdac5179db3f..4da64896df6d 100644
|
||||
--- a/sound/usb/pcm.c
|
||||
+++ b/sound/usb/pcm.c
|
||||
@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface,
|
||||
unsigned char data[1];
|
||||
int err;
|
||||
|
||||
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
ep = get_endpoint(alts, 0)->bEndpointAddress;
|
||||
|
||||
data[0] = 1;
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
From b0bb5691b38e2f439b071e226bad9f699c33b77d Mon Sep 17 00:00:00 2001
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Tue, 15 Mar 2016 12:09:10 +0100
|
||||
Subject: [PATCH 1/2] ALSA: usb-audio: Fix NULL dereference in
|
||||
create_fixed_stream_quirk()
|
||||
|
||||
create_fixed_stream_quirk() may cause a NULL-pointer dereference by
|
||||
accessing the non-existing endpoint when a USB device with a malformed
|
||||
USB descriptor is used.
|
||||
|
||||
This patch avoids it simply by adding a sanity check of bNumEndpoints
|
||||
before the accesses.
|
||||
|
||||
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/usb/quirks.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
|
||||
index eef9b8e4b949..e128ca62eb44 100644
|
||||
--- a/sound/usb/quirks.c
|
||||
+++ b/sound/usb/quirks.c
|
||||
@@ -177,6 +177,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
|
||||
}
|
||||
alts = &iface->altsetting[fp->altset_idx];
|
||||
altsd = get_iface_desc(alts);
|
||||
+ if (altsd->bNumEndpoints < 1) {
|
||||
+ kfree(fp);
|
||||
+ kfree(rate_table);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
fp->protocol = altsd->bInterfaceProtocol;
|
||||
|
||||
if (fp->datainterval == 0)
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,100 +0,0 @@
|
|||
From 1b9e866417f77622b03f5b9c4e2845133054e670 Mon Sep 17 00:00:00 2001
|
||||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Date: Thu, 31 Mar 2016 12:05:43 -0400
|
||||
Subject: [PATCH 2/2] ALSA: usb-audio: Fix double-free in error paths after
|
||||
snd_usb_add_audio_stream() call
|
||||
|
||||
create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
|
||||
create_uaxx_quirk() functions allocate the audioformat object by themselves
|
||||
and free it upon error before returning. However, once the object is linked
|
||||
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
|
||||
double-freed, eventually resulting in a memory corruption.
|
||||
|
||||
This patch fixes these failures in the error paths by unlinking the audioformat
|
||||
object before freeing it.
|
||||
|
||||
Based on a patch by Takashi Iwai" <tiwai@suse.de>
|
||||
|
||||
[Note for stable backports:
|
||||
this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
|
||||
code cleanup in create_fixed_stream_quirk()')]
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Cc: <stable@vger.kernel.org> # see the note above
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
---
|
||||
sound/usb/quirks.c | 4 ++++
|
||||
sound/usb/stream.c | 6 +++++-
|
||||
2 files changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
|
||||
index 2f0bbc43f902..6f68ba9bda8a 100644
|
||||
--- a/sound/usb/quirks.c
|
||||
+++ b/sound/usb/quirks.c
|
||||
@@ -150,6 +150,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
|
||||
usb_audio_err(chip, "cannot memdup\n");
|
||||
return -ENOMEM;
|
||||
}
|
||||
+ INIT_LIST_HEAD(&fp->list);
|
||||
if (fp->nr_rates > MAX_NR_RATES) {
|
||||
kfree(fp);
|
||||
return -EINVAL;
|
||||
@@ -193,6 +194,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
|
||||
return 0;
|
||||
|
||||
error:
|
||||
+ list_del(&fp->list); /* unlink for avoiding double-free */
|
||||
kfree(fp);
|
||||
kfree(rate_table);
|
||||
return err;
|
||||
@@ -468,6 +470,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
|
||||
fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
|
||||
fp->datainterval = 0;
|
||||
fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
|
||||
+ INIT_LIST_HEAD(&fp->list);
|
||||
|
||||
switch (fp->maxpacksize) {
|
||||
case 0x120:
|
||||
@@ -491,6 +494,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
|
||||
? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
|
||||
err = snd_usb_add_audio_stream(chip, stream, fp);
|
||||
if (err < 0) {
|
||||
+ list_del(&fp->list); /* unlink for avoiding double-free */
|
||||
kfree(fp);
|
||||
return err;
|
||||
}
|
||||
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
|
||||
index 8ee14f2365e7..3b23102230c0 100644
|
||||
--- a/sound/usb/stream.c
|
||||
+++ b/sound/usb/stream.c
|
||||
@@ -316,7 +316,9 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits,
|
||||
/*
|
||||
* add this endpoint to the chip instance.
|
||||
* if a stream with the same endpoint already exists, append to it.
|
||||
- * if not, create a new pcm stream.
|
||||
+ * if not, create a new pcm stream. note, fp is added to the substream
|
||||
+ * fmt_list and will be freed on the chip instance release. do not free
|
||||
+ * fp or do remove it from the substream fmt_list to avoid double-free.
|
||||
*/
|
||||
int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
|
||||
int stream,
|
||||
@@ -677,6 +679,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
|
||||
* (fp->maxpacksize & 0x7ff);
|
||||
fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no);
|
||||
fp->clock = clock;
|
||||
+ INIT_LIST_HEAD(&fp->list);
|
||||
|
||||
/* some quirks for attributes here */
|
||||
|
||||
@@ -725,6 +728,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
|
||||
dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
|
||||
err = snd_usb_add_audio_stream(chip, stream, fp);
|
||||
if (err < 0) {
|
||||
+ list_del(&fp->list); /* unlink for avoiding double-free */
|
||||
kfree(fp->rate_table);
|
||||
kfree(fp->chmap);
|
||||
kfree(fp);
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,62 +0,0 @@
|
|||
From aa6c68ed429ba354b904554d396326bfd9ab96bf Mon Sep 17 00:00:00 2001
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Tue, 15 Mar 2016 12:14:49 +0100
|
||||
Subject: [PATCH 1/2] ALSA: usb-audio: Minor code cleanup in
|
||||
create_fixed_stream_quirk()
|
||||
|
||||
Just a minor code cleanup: unify the error paths.
|
||||
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/usb/quirks.c | 22 +++++++++++-----------
|
||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
|
||||
index f2e4eebdf76d..2f0bbc43f902 100644
|
||||
--- a/sound/usb/quirks.c
|
||||
+++ b/sound/usb/quirks.c
|
||||
@@ -167,23 +167,18 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
|
||||
stream = (fp->endpoint & USB_DIR_IN)
|
||||
? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
|
||||
err = snd_usb_add_audio_stream(chip, stream, fp);
|
||||
- if (err < 0) {
|
||||
- kfree(fp);
|
||||
- kfree(rate_table);
|
||||
- return err;
|
||||
- }
|
||||
+ if (err < 0)
|
||||
+ goto error;
|
||||
if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber ||
|
||||
fp->altset_idx >= iface->num_altsetting) {
|
||||
- kfree(fp);
|
||||
- kfree(rate_table);
|
||||
- return -EINVAL;
|
||||
+ err = -EINVAL;
|
||||
+ goto error;
|
||||
}
|
||||
alts = &iface->altsetting[fp->altset_idx];
|
||||
altsd = get_iface_desc(alts);
|
||||
if (altsd->bNumEndpoints < 1) {
|
||||
- kfree(fp);
|
||||
- kfree(rate_table);
|
||||
- return -EINVAL;
|
||||
+ err = -EINVAL;
|
||||
+ goto error;
|
||||
}
|
||||
|
||||
fp->protocol = altsd->bInterfaceProtocol;
|
||||
@@ -196,6 +191,11 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
|
||||
snd_usb_init_pitch(chip, fp->iface, alts, fp);
|
||||
snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max);
|
||||
return 0;
|
||||
+
|
||||
+ error:
|
||||
+ kfree(fp);
|
||||
+ kfree(rate_table);
|
||||
+ return err;
|
||||
}
|
||||
|
||||
static int create_auto_pcm_quirk(struct snd_usb_audio *chip,
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,107 +0,0 @@
|
|||
From 0f8536022831faaba3a952fa633902d9686f535f Mon Sep 17 00:00:00 2001
|
||||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Date: Wed, 23 Mar 2016 15:53:07 -0400
|
||||
Subject: [PATCH] Input: ati_remote2: fix crashes on detecting device with
|
||||
invalid descriptor
|
||||
|
||||
The ati_remote2 driver expects at least two interfaces with one
|
||||
endpoint each. If given malicious descriptor that specify one
|
||||
interface or no endpoints, it will crash in the probe function.
|
||||
Ensure there is at least two interfaces and one endpoint for each
|
||||
interface before using it.
|
||||
|
||||
The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
---
|
||||
drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
|
||||
1 file changed, 30 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
|
||||
index cfd58e87da26..cf5d1e8d92c7 100644
|
||||
--- a/drivers/input/misc/ati_remote2.c
|
||||
+++ b/drivers/input/misc/ati_remote2.c
|
||||
@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
|
||||
|
||||
ar2->udev = udev;
|
||||
|
||||
+ /* Sanity check, first interface must have an endpoint */
|
||||
+ if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) {
|
||||
+ dev_err(&interface->dev,
|
||||
+ "%s(): interface 0 must have an endpoint\n", __func__);
|
||||
+ r = -ENODEV;
|
||||
+ goto fail1;
|
||||
+ }
|
||||
ar2->intf[0] = interface;
|
||||
ar2->ep[0] = &alt->endpoint[0].desc;
|
||||
|
||||
+ /* Sanity check, the device must have two interfaces */
|
||||
ar2->intf[1] = usb_ifnum_to_if(udev, 1);
|
||||
+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
|
||||
+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
|
||||
+ __func__, udev->actconfig->desc.bNumInterfaces);
|
||||
+ r = -ENODEV;
|
||||
+ goto fail1;
|
||||
+ }
|
||||
+
|
||||
r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
|
||||
if (r)
|
||||
goto fail1;
|
||||
+
|
||||
+ /* Sanity check, second interface must have an endpoint */
|
||||
alt = ar2->intf[1]->cur_altsetting;
|
||||
+ if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) {
|
||||
+ dev_err(&interface->dev,
|
||||
+ "%s(): interface 1 must have an endpoint\n", __func__);
|
||||
+ r = -ENODEV;
|
||||
+ goto fail2;
|
||||
+ }
|
||||
ar2->ep[1] = &alt->endpoint[0].desc;
|
||||
|
||||
r = ati_remote2_urb_init(ar2);
|
||||
if (r)
|
||||
- goto fail2;
|
||||
+ goto fail3;
|
||||
|
||||
ar2->channel_mask = channel_mask;
|
||||
ar2->mode_mask = mode_mask;
|
||||
|
||||
r = ati_remote2_setup(ar2, ar2->channel_mask);
|
||||
if (r)
|
||||
- goto fail2;
|
||||
+ goto fail3;
|
||||
|
||||
usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
|
||||
strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
|
||||
@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
|
||||
|
||||
r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
|
||||
if (r)
|
||||
- goto fail2;
|
||||
+ goto fail3;
|
||||
|
||||
r = ati_remote2_input_init(ar2);
|
||||
if (r)
|
||||
- goto fail3;
|
||||
+ goto fail4;
|
||||
|
||||
usb_set_intfdata(interface, ar2);
|
||||
|
||||
@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
|
||||
|
||||
return 0;
|
||||
|
||||
- fail3:
|
||||
+ fail4:
|
||||
sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
|
||||
- fail2:
|
||||
+ fail3:
|
||||
ati_remote2_urb_cleanup(ar2);
|
||||
+ fail2:
|
||||
usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
|
||||
fail1:
|
||||
kfree(ar2);
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 14 Mar 2016 10:02:51 -0400
|
||||
Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
|
||||
descriptors
|
||||
|
||||
The powermate driver expects at least one valid USB endpoint in its
|
||||
probe function. If given malicious descriptors that specify 0 for
|
||||
the number of endpoints, it will crash. Validate the number of
|
||||
endpoints on the interface before using them.
|
||||
|
||||
The full report for this issue can be found here:
|
||||
http://seclists.org/bugtraq/2016/Mar/85
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/input/misc/powermate.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
|
||||
index 63b539d3daba..84909a12ff36 100644
|
||||
--- a/drivers/input/misc/powermate.c
|
||||
+++ b/drivers/input/misc/powermate.c
|
||||
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
|
||||
int error = -ENOMEM;
|
||||
|
||||
interface = intf->cur_altsetting;
|
||||
+ if (interface->desc.bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
endpoint = &interface->endpoint[0].desc;
|
||||
if (!usb_endpoint_is_int_in(endpoint))
|
||||
return -EIO;
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 14 Mar 2016 10:38:31 -0400
|
||||
Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors
|
||||
|
||||
The iowarrior driver expects at least one valid endpoint. If given
|
||||
malicious descriptors that specify 0 for the number of endpoints,
|
||||
it will crash in the probe function. Ensure there is at least
|
||||
one endpoint on the interface before using it.
|
||||
|
||||
The full report of this issue can be found here:
|
||||
http://seclists.org/bugtraq/2016/Mar/87
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/usb/misc/iowarrior.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
|
||||
index c6bfd13f6c92..1950e87b4219 100644
|
||||
--- a/drivers/usb/misc/iowarrior.c
|
||||
+++ b/drivers/usb/misc/iowarrior.c
|
||||
@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
|
||||
iface_desc = interface->cur_altsetting;
|
||||
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
|
||||
|
||||
+ if (iface_desc->desc.bNumEndpoints < 1) {
|
||||
+ dev_err(&interface->dev, "Invalid number of endpoints\n");
|
||||
+ retval = -EINVAL;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
/* set up the endpoint information */
|
||||
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
|
||||
endpoint = &iface_desc->endpoint[i].desc;
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
From 94c78c81df3056e573fb84000a32512e9c16e555 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Thu, 10 Mar 2016 08:49:02 -0500
|
||||
Subject: [PATCH] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU
|
||||
devices
|
||||
|
||||
A Fedora user reports that the ftdi_sio driver works properly for the
|
||||
ICP DAS I-7561U device. Further, the user manual for these devices
|
||||
instructs users to load the driver and add the ids using the sysfs
|
||||
interface.
|
||||
|
||||
Add support for these in the driver directly so that the devices work
|
||||
out of the box instead of needing manual configuration.
|
||||
|
||||
Reported-by: <thesource@mail.ru>
|
||||
CC: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/usb/serial/ftdi_sio.c | 4 ++++
|
||||
drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++
|
||||
2 files changed, 12 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
|
||||
index 8c660ae401d8..b61f12160d37 100644
|
||||
--- a/drivers/usb/serial/ftdi_sio.c
|
||||
+++ b/drivers/usb/serial/ftdi_sio.c
|
||||
@@ -1004,6 +1004,10 @@ static const struct usb_device_id id_table_combined[] = {
|
||||
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
|
||||
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
|
||||
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
|
||||
+ /* ICP DAS I-756xU devices */
|
||||
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
|
||||
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
|
||||
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
|
||||
{ } /* Terminating entry */
|
||||
};
|
||||
|
||||
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
|
||||
index a84df2513994..a4ec24ce6a11 100644
|
||||
--- a/drivers/usb/serial/ftdi_sio_ids.h
|
||||
+++ b/drivers/usb/serial/ftdi_sio_ids.h
|
||||
@@ -872,6 +872,14 @@
|
||||
#define NOVITUS_BONO_E_PID 0x6010
|
||||
|
||||
/*
|
||||
+ * ICPDAS I-756*U devices
|
||||
+ */
|
||||
+#define ICPDAS_VID 0x1b5c
|
||||
+#define ICPDAS_I7560U_PID 0x0103
|
||||
+#define ICPDAS_I7561U_PID 0x0104
|
||||
+#define ICPDAS_I7563U_PID 0x0105
|
||||
+
|
||||
+/*
|
||||
* RT Systems programming cables for various ham radios
|
||||
*/
|
||||
#define RTSYSTEMS_VID 0x2100 /* Vendor ID */
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From e6a87f147002fa16adcbafebbc458ff90a463474 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Tue, 15 Mar 2016 10:14:04 +0100
|
||||
Subject: [PATCH] cdc-acm: more sanity checking
|
||||
|
||||
An attack has become available which pretends to be a quirky
|
||||
device circumventing normal sanity checks and crashes the kernel
|
||||
by an insufficient number of interfaces. This patch adds a check
|
||||
to the code path for quirky devices.
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
---
|
||||
drivers/usb/class/cdc-acm.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
|
||||
index 26ca4f910cb0..a7732f80a912 100644
|
||||
--- a/drivers/usb/class/cdc-acm.c
|
||||
+++ b/drivers/usb/class/cdc-acm.c
|
||||
@@ -1113,6 +1113,9 @@ static int acm_probe(struct usb_interface *intf,
|
||||
if (quirks == NO_UNION_NORMAL) {
|
||||
data_interface = usb_ifnum_to_if(usb_dev, 1);
|
||||
control_interface = usb_ifnum_to_if(usb_dev, 0);
|
||||
+ /* we would crash */
|
||||
+ if (!data_interface || !control_interface)
|
||||
+ return -ENODEV;
|
||||
goto skip_normal_probe;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,50 +0,0 @@
|
|||
From f7a3aa353011e38e119adebd845b38551587a26a Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Thu, 17 Mar 2016 16:25:33 +0100
|
||||
Subject: [PATCH] cypress_m8: add sanity checking
|
||||
|
||||
An attack using missing endpoints exists.
|
||||
CVE-2016-3137
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
|
||||
v1 - add sanity check
|
||||
v2 - add error logging
|
||||
v3 - correct error message
|
||||
---
|
||||
drivers/usb/serial/cypress_m8.c | 11 +++++------
|
||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
|
||||
index 01bf53392819..5e25443fe4ef 100644
|
||||
--- a/drivers/usb/serial/cypress_m8.c
|
||||
+++ b/drivers/usb/serial/cypress_m8.c
|
||||
@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
|
||||
struct usb_serial *serial = port->serial;
|
||||
struct cypress_private *priv;
|
||||
|
||||
+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
|
||||
+ dev_err(&port->dev, "A required endpoint is missing\n");
|
||||
+ return -ENODEV;
|
||||
+ }
|
||||
+
|
||||
priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
|
||||
if (!priv)
|
||||
return -ENOMEM;
|
||||
@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port)
|
||||
cypress_set_termios(tty, port, &priv->tmp_termios);
|
||||
|
||||
/* setup the port and start reading from the device */
|
||||
- if (!port->interrupt_in_urb) {
|
||||
- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
|
||||
- __func__);
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
|
||||
usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
|
||||
port->interrupt_in_urb->transfer_buffer,
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
From e9c2a3972496927631a1a98fef43e9538e9fd5d5 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Mon, 14 Mar 2016 15:53:38 +0100
|
||||
Subject: [PATCH v2] digi_acceleport: do sanity checking for the number of ports
|
||||
|
||||
The driver can be crashed with devices that expose crafted
|
||||
descriptors with too few endpoints.
|
||||
See:
|
||||
http://seclists.org/bugtraq/2016/Mar/61
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
|
||||
v1 - added sanity checks
|
||||
v2 - moved them to probe() to fix problems Johan pointed out
|
||||
---
|
||||
drivers/usb/serial/digi_acceleport.c | 24 +++++++++++++++++++-----
|
||||
1 file changed, 19 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
|
||||
index 12b0e67..dab1dcf 100644
|
||||
--- a/drivers/usb/serial/digi_acceleport.c
|
||||
+++ b/drivers/usb/serial/digi_acceleport.c
|
||||
@@ -1252,7 +1252,8 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
|
||||
static int digi_startup(struct usb_serial *serial)
|
||||
{
|
||||
struct digi_serial *serial_priv;
|
||||
- int ret;
|
||||
+ int ret = -ENODEV;
|
||||
+ int i;
|
||||
|
||||
serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
|
||||
if (!serial_priv)
|
||||
@@ -1260,18 +1261,31 @@ static int digi_startup(struct usb_serial *serial)
|
||||
|
||||
spin_lock_init(&serial_priv->ds_serial_lock);
|
||||
serial_priv->ds_oob_port_num = serial->type->num_ports;
|
||||
+
|
||||
+ /* Check whether the expected number of ports matches the device */
|
||||
+ if (serial->num_ports < serial_priv->ds_oob_port_num)
|
||||
+ goto error;
|
||||
+ /* all features must be present */
|
||||
+ for (i = 0; i < serial->type->num_ports + 1 ; i++) {
|
||||
+ if (!serial->port[i]->read_urb)
|
||||
+ goto error;
|
||||
+ if (!serial->port[i]->write_urb)
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
|
||||
|
||||
ret = digi_port_init(serial_priv->ds_oob_port,
|
||||
serial_priv->ds_oob_port_num);
|
||||
- if (ret) {
|
||||
- kfree(serial_priv);
|
||||
- return ret;
|
||||
- }
|
||||
+ if (ret)
|
||||
+ goto error;
|
||||
|
||||
usb_set_serial_data(serial, serial_priv);
|
||||
|
||||
return 0;
|
||||
+error:
|
||||
+ kfree(serial_priv);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
2.1.4
|
|
@ -1,39 +0,0 @@
|
|||
From a4200b7eb26271108586d3a7cf34a2f16d460e48 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Thu, 17 Mar 2016 15:10:47 +0100
|
||||
Subject: [PATCH] ims-pcu: sanity check against missing interfaces
|
||||
|
||||
A malicious device missing interface can make the driver oops.
|
||||
Add sanity checking.
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
---
|
||||
drivers/input/misc/ims-pcu.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
|
||||
index ac1fa5f44580..9c0ea36913b4 100644
|
||||
--- a/drivers/input/misc/ims-pcu.c
|
||||
+++ b/drivers/input/misc/ims-pcu.c
|
||||
@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
|
||||
|
||||
pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev,
|
||||
union_desc->bMasterInterface0);
|
||||
+ if (!pcu->ctrl_intf)
|
||||
+ return -EINVAL;
|
||||
|
||||
alt = pcu->ctrl_intf->cur_altsetting;
|
||||
pcu->ep_ctrl = &alt->endpoint[0].desc;
|
||||
@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
|
||||
|
||||
pcu->data_intf = usb_ifnum_to_if(pcu->udev,
|
||||
union_desc->bSlaveInterface0);
|
||||
+ if (!pcu->data_intf)
|
||||
+ return -EINVAL;
|
||||
|
||||
alt = pcu->data_intf->cur_altsetting;
|
||||
if (alt->desc.bNumEndpoints != 2) {
|
||||
--
|
||||
2.5.0
|
||||
|
49
kernel.spec
49
kernel.spec
|
@ -40,7 +40,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 201
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 6
|
||||
%define stable_update 7
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -624,9 +624,6 @@ Patch660: 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch
|
|||
#rhbz 1316719
|
||||
Patch662: 0001-cdc-acm-fix-NULL-pointer-reference.patch
|
||||
|
||||
#rhbz 1316136
|
||||
Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
|
||||
|
||||
#CVE-2016-3135 rhbz 1317386 1317387
|
||||
Patch664: netfilter-x_tables-check-for-size-overflow.patch
|
||||
|
||||
|
@ -636,54 +633,15 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
|
|||
#CVE-2016-3135 rhbz 1318172 1318270
|
||||
Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
|
||||
|
||||
#CVE-2016-2184 rhbz 1317012 1317470
|
||||
Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
|
||||
Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
|
||||
Patch667: ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch
|
||||
Patch668: ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch
|
||||
|
||||
#CVE-2016-3137 rhbz 1317010 1316996
|
||||
Patch672: cypress_m8-add-sanity-checking.patch
|
||||
|
||||
#CVE-2016-2186 rhbz 1317015 1317464
|
||||
Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
|
||||
|
||||
#CVE-2016-2188 rhbz 1317018 1317467
|
||||
Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
|
||||
|
||||
#CVE-2016-2185 rhbz 1317014 1317471
|
||||
Patch675: usb_driver_claim_interface-add-sanity-checking.patch
|
||||
Patch669: Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
|
||||
|
||||
#CVE-2016-3138 rhbz 1317010 1316204
|
||||
Patch676: cdc-acm-more-sanity-checking.patch
|
||||
|
||||
#CVE-2016-3140 rhbz 1317010 1316995
|
||||
Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch
|
||||
|
||||
Patch678: ims-pcu-sanity-check-against-missing-interfaces.patch
|
||||
|
||||
#rhbz 1315013
|
||||
Patch679: 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch
|
||||
|
||||
#rhbz 1317190
|
||||
Patch680: thermal-fix.patch
|
||||
|
||||
#rhbz 1318079
|
||||
Patch681: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
|
||||
|
||||
#CVE-2016-2187 rhbz 1317017 1317010
|
||||
Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
|
||||
|
||||
#CVE-2016-3136 rhbz 1317007 1317010
|
||||
Patch687: mct_u232-sanity-checking-in-probe.patch
|
||||
|
||||
#rhbz 1295646
|
||||
Patch688: 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch
|
||||
|
||||
# CVE-2016-3157 rhbz 1315711 1321948
|
||||
Patch689: x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
|
||||
|
||||
# CVE-2016-3672 rhbz 1324749 1324750
|
||||
Patch690: x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch
|
||||
|
||||
|
@ -2312,6 +2270,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Apr 12 2016 Laura Abbott <labbott@redhat.com> - 4.4.7-200
|
||||
- Linux v4.4.7
|
||||
|
||||
* Tue Apr 12 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix Bamboo ONE issues (rhbz 1317116)
|
||||
|
||||
|
|
|
@ -1,35 +0,0 @@
|
|||
Subject: [PATCH v2] mct_u232: sanity checking in probe
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: 2016-03-21 13:14:37
|
||||
|
||||
An attack using the lack of sanity checking in probe
|
||||
is known. This patch checks for the existance of a
|
||||
second port.
|
||||
CVE-2016-3136
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
|
||||
v1 - add sanity check for presence of a second port
|
||||
v2 - add sanity check for an interrupt endpoint
|
||||
---
|
||||
drivers/usb/serial/mct_u232.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
|
||||
index 4446b8d..3e64538 100644
|
||||
--- a/drivers/usb/serial/mct_u232.c
|
||||
+++ b/drivers/usb/serial/mct_u232.c
|
||||
@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
|
||||
{
|
||||
struct mct_u232_private *priv;
|
||||
|
||||
+ /* check first to simplify error handling */
|
||||
+ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
|
||||
if (!priv)
|
||||
return -ENOMEM;
|
||||
--
|
||||
2.1.4
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
|
||||
dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
|
||||
d48f09bf61f2500d70f839e190dc7c5a patch-4.4.6.xz
|
||||
2286314f215706401dd51bf07b179ae4 patch-4.4.7.xz
|
||||
|
|
|
@ -1,77 +0,0 @@
|
|||
From 81ad4276b505e987dd8ebbdf63605f92cd172b52 Mon Sep 17 00:00:00 2001
|
||||
From: Zhang Rui <rui.zhang@intel.com>
|
||||
Date: Fri, 18 Mar 2016 10:03:24 +0800
|
||||
Subject: [PATCH] Thermal: Ignore invalid trip points
|
||||
|
||||
In some cases, platform thermal driver may report invalid trip points,
|
||||
thermal core should not take any action for these trip points.
|
||||
|
||||
CC: <stable@vger.kernel.org> #3.18+
|
||||
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1317190
|
||||
Link: https://bugzilla.kernel.org/show_bug.cgi?id=114551
|
||||
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
|
||||
---
|
||||
drivers/thermal/thermal_core.c | 13 ++++++++++++-
|
||||
include/linux/thermal.h | 2 ++
|
||||
2 files changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
|
||||
index a0a8fd1..d4b5465 100644
|
||||
--- a/drivers/thermal/thermal_core.c
|
||||
+++ b/drivers/thermal/thermal_core.c
|
||||
@@ -454,6 +454,10 @@ static void handle_thermal_trip(struct thermal_zone_device *tz, int trip)
|
||||
{
|
||||
enum thermal_trip_type type;
|
||||
|
||||
+ /* Ignore disabled trip points */
|
||||
+ if (test_bit(trip, &tz->trips_disabled))
|
||||
+ return;
|
||||
+
|
||||
tz->ops->get_trip_type(tz, trip, &type);
|
||||
|
||||
if (type == THERMAL_TRIP_CRITICAL || type == THERMAL_TRIP_HOT)
|
||||
@@ -1800,6 +1804,7 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
|
||||
{
|
||||
struct thermal_zone_device *tz;
|
||||
enum thermal_trip_type trip_type;
|
||||
+ int trip_temp;
|
||||
int result;
|
||||
int count;
|
||||
int passive = 0;
|
||||
@@ -1871,9 +1876,15 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
|
||||
goto unregister;
|
||||
|
||||
for (count = 0; count < trips; count++) {
|
||||
- tz->ops->get_trip_type(tz, count, &trip_type);
|
||||
+ if (tz->ops->get_trip_type(tz, count, &trip_type))
|
||||
+ set_bit(count, &tz->trips_disabled);
|
||||
if (trip_type == THERMAL_TRIP_PASSIVE)
|
||||
passive = 1;
|
||||
+ if (tz->ops->get_trip_temp(tz, count, &trip_temp))
|
||||
+ set_bit(count, &tz->trips_disabled);
|
||||
+ /* Check for bogus trip points */
|
||||
+ if (trip_temp == 0)
|
||||
+ set_bit(count, &tz->trips_disabled);
|
||||
}
|
||||
|
||||
if (!passive) {
|
||||
diff --git a/include/linux/thermal.h b/include/linux/thermal.h
|
||||
index 9c48199..a55d052 100644
|
||||
--- a/include/linux/thermal.h
|
||||
+++ b/include/linux/thermal.h
|
||||
@@ -156,6 +156,7 @@ struct thermal_attr {
|
||||
* @trip_hyst_attrs: attributes for trip points for sysfs: trip hysteresis
|
||||
* @devdata: private pointer for device private data
|
||||
* @trips: number of trip points the thermal zone supports
|
||||
+ * @trips_disabled; bitmap for disabled trips
|
||||
* @passive_delay: number of milliseconds to wait between polls when
|
||||
* performing passive cooling.
|
||||
* @polling_delay: number of milliseconds to wait between polls when
|
||||
@@ -191,6 +192,7 @@ struct thermal_zone_device {
|
||||
struct thermal_attr *trip_hyst_attrs;
|
||||
void *devdata;
|
||||
int trips;
|
||||
+ unsigned long trips_disabled; /* bitmap for disabled trips */
|
||||
int passive_delay;
|
||||
int polling_delay;
|
||||
int temperature;
|
|
@ -1,39 +0,0 @@
|
|||
From de0784bdf6314b70c69416d8c576eb83237d5b1e Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Wed, 16 Mar 2016 12:26:17 -0400
|
||||
Subject: [PATCH] usb_driver_claim_interface: add sanity checking
|
||||
|
||||
Attacks that trick drivers into passing a NULL pointer
|
||||
to usb_driver_claim_interface() using forged descriptors are
|
||||
known. This thwarts them by sanity checking.
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
---
|
||||
drivers/usb/core/driver.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
|
||||
index 6b5063e7943f..e2d242b68d4b 100644
|
||||
--- a/drivers/usb/core/driver.c
|
||||
+++ b/drivers/usb/core/driver.c
|
||||
@@ -500,11 +500,15 @@ static int usb_unbind_interface(struct device *dev)
|
||||
int usb_driver_claim_interface(struct usb_driver *driver,
|
||||
struct usb_interface *iface, void *priv)
|
||||
{
|
||||
- struct device *dev = &iface->dev;
|
||||
+ struct device *dev;
|
||||
struct usb_device *udev;
|
||||
int retval = 0;
|
||||
int lpm_disable_error;
|
||||
|
||||
+ if (!iface)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
+ dev = &iface->dev;
|
||||
if (dev->driver)
|
||||
return -EBUSY;
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,8 +1,7 @@
|
|||
From 7a3cdd26e6d38031338a6cb591ec2f3faaa9234b Mon Sep 17 00:00:00 2001
|
||||
From 8010b5eb4680df797575e6306d4d891200e303ab Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:35:59 -0500
|
||||
Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
|
||||
enabled
|
||||
Subject: [PATCH] x86: Lock down IO port access when module security is enabled
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
registers, which in turn (on a lot of hardware) give access to MMIO register
|
||||
|
@ -16,7 +15,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|||
2 files changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
|
||||
index 37dae792dbbe..1ecc03ca3c15 100644
|
||||
index 589b3193f102..ab8372443efb 100644
|
||||
--- a/arch/x86/kernel/ioport.c
|
||||
+++ b/arch/x86/kernel/ioport.c
|
||||
@@ -15,6 +15,7 @@
|
||||
|
@ -36,7 +35,7 @@ index 37dae792dbbe..1ecc03ca3c15 100644
|
|||
return -EPERM;
|
||||
|
||||
/*
|
||||
@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
|
||||
@@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
|
||||
return -EINVAL;
|
||||
/* Trying to gain more privileges? */
|
||||
if (level > old) {
|
||||
|
@ -44,9 +43,9 @@ index 37dae792dbbe..1ecc03ca3c15 100644
|
|||
+ if (!capable(CAP_SYS_RAWIO) || secure_modules())
|
||||
return -EPERM;
|
||||
}
|
||||
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
|
||||
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
|
||||
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
|
||||
index 6b1721f978c2..53fe675f9bd7 100644
|
||||
index 71025c2f6bbb..86e5bfa91563 100644
|
||||
--- a/drivers/char/mem.c
|
||||
+++ b/drivers/char/mem.c
|
||||
@@ -27,6 +27,7 @@
|
||||
|
@ -68,5 +67,5 @@ index 6b1721f978c2..53fe675f9bd7 100644
|
|||
return -EFAULT;
|
||||
while (count-- > 0 && i < 65536) {
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
|
||||
|
||||
|
|
|
@ -1,96 +0,0 @@
|
|||
From b7a584598aea7ca73140cb87b40319944dd3393f Mon Sep 17 00:00:00 2001
|
||||
From: Andy Lutomirski <luto@kernel.org>
|
||||
Date: Wed, 16 Mar 2016 14:14:21 -0700
|
||||
Subject: [PATCH] x86/iopl/64: Properly context-switch IOPL on Xen PV
|
||||
|
||||
On Xen PV, regs->flags doesn't reliably reflect IOPL and the
|
||||
exit-to-userspace code doesn't change IOPL. We need to context
|
||||
switch it manually.
|
||||
|
||||
I'm doing this without going through paravirt because this is
|
||||
specific to Xen PV. After the dust settles, we can merge this with
|
||||
the 32-bit code, tidy up the iopl syscall implementation, and remove
|
||||
the set_iopl pvop entirely.
|
||||
|
||||
Fixes XSA-171.
|
||||
|
||||
Reviewewd-by: Jan Beulich <JBeulich@suse.com>
|
||||
Signed-off-by: Andy Lutomirski <luto@kernel.org>
|
||||
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||
Cc: Andy Lutomirski <luto@amacapital.net>
|
||||
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
|
||||
Cc: Borislav Petkov <bp@alien8.de>
|
||||
Cc: Brian Gerst <brgerst@gmail.com>
|
||||
Cc: David Vrabel <david.vrabel@citrix.com>
|
||||
Cc: Denys Vlasenko <dvlasenk@redhat.com>
|
||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: Jan Beulich <JBeulich@suse.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: stable@vger.kernel.org
|
||||
Link: http://lkml.kernel.org/r/693c3bd7aeb4d3c27c92c622b7d0f554a458173c.1458162709.git.luto@kernel.org
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
arch/x86/include/asm/xen/hypervisor.h | 2 ++
|
||||
arch/x86/kernel/process_64.c | 12 ++++++++++++
|
||||
arch/x86/xen/enlighten.c | 2 +-
|
||||
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h
|
||||
index 8b2d4bea9962..39171b3646bb 100644
|
||||
--- a/arch/x86/include/asm/xen/hypervisor.h
|
||||
+++ b/arch/x86/include/asm/xen/hypervisor.h
|
||||
@@ -62,4 +62,6 @@ void xen_arch_register_cpu(int num);
|
||||
void xen_arch_unregister_cpu(int num);
|
||||
#endif
|
||||
|
||||
+extern void xen_set_iopl_mask(unsigned mask);
|
||||
+
|
||||
#endif /* _ASM_X86_XEN_HYPERVISOR_H */
|
||||
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
|
||||
index b9d99e0f82c4..9f751876066f 100644
|
||||
--- a/arch/x86/kernel/process_64.c
|
||||
+++ b/arch/x86/kernel/process_64.c
|
||||
@@ -48,6 +48,7 @@
|
||||
#include <asm/syscalls.h>
|
||||
#include <asm/debugreg.h>
|
||||
#include <asm/switch_to.h>
|
||||
+#include <asm/xen/hypervisor.h>
|
||||
|
||||
asmlinkage extern void ret_from_fork(void);
|
||||
|
||||
@@ -411,6 +412,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
|
||||
task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
|
||||
__switch_to_xtra(prev_p, next_p, tss);
|
||||
|
||||
+#ifdef CONFIG_XEN
|
||||
+ /*
|
||||
+ * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
|
||||
+ * current_pt_regs()->flags may not match the current task's
|
||||
+ * intended IOPL. We need to switch it manually.
|
||||
+ */
|
||||
+ if (unlikely(static_cpu_has(X86_FEATURE_XENPV) &&
|
||||
+ prev->iopl != next->iopl))
|
||||
+ xen_set_iopl_mask(next->iopl);
|
||||
+#endif
|
||||
+
|
||||
if (static_cpu_has_bug(X86_BUG_SYSRET_SS_ATTRS)) {
|
||||
/*
|
||||
* AMD CPUs have a misfeature: SYSRET sets the SS selector but
|
||||
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
|
||||
index 2c261082eadf..8381fb990c7f 100644
|
||||
--- a/arch/x86/xen/enlighten.c
|
||||
+++ b/arch/x86/xen/enlighten.c
|
||||
@@ -961,7 +961,7 @@ static void xen_load_sp0(struct tss_struct *tss,
|
||||
tss->x86_tss.sp0 = thread->sp0;
|
||||
}
|
||||
|
||||
-static void xen_set_iopl_mask(unsigned mask)
|
||||
+void xen_set_iopl_mask(unsigned mask)
|
||||
{
|
||||
struct physdev_set_iopl set_iopl;
|
||||
|
||||
--
|
||||
2.5.5
|
||||
|
Loading…
Reference in New Issue