Linux v3.16.7
parent
9c5c6d86e2
commit
0c45118133
|
@ -1,105 +0,0 @@
|
|||
From 5b65c2a0296644dd3dbdd590d6f00174d18c96b3 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Date: Wed, 10 Sep 2014 18:02:37 -0700
|
||||
Subject: HID: rmi: check sanity of the incoming report
|
||||
|
||||
In the Dell XPS 13 9333, it appears that sometimes the bus get confused
|
||||
and corrupts the incoming data. It fills the input report with the
|
||||
sentinel value "ff". Synaptics told us that such behavior does not comes
|
||||
from the touchpad itself, so we filter out such reports here.
|
||||
|
||||
Unfortunately, we can not simply discard the incoming data because they
|
||||
may contain useful information. Most of the time, the misbehavior is
|
||||
quite near the end of the report, so we can still use the valid part of
|
||||
it.
|
||||
|
||||
Fixes:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1123584
|
||||
|
||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
|
||||
diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
|
||||
index 8389e81..3cccff7 100644
|
||||
--- a/drivers/hid/hid-rmi.c
|
||||
+++ b/drivers/hid/hid-rmi.c
|
||||
@@ -320,10 +320,7 @@ static int rmi_f11_input_event(struct hid_device *hdev, u8 irq, u8 *data,
|
||||
int offset;
|
||||
int i;
|
||||
|
||||
- if (size < hdata->f11.report_size)
|
||||
- return 0;
|
||||
-
|
||||
- if (!(irq & hdata->f11.irq_mask))
|
||||
+ if (!(irq & hdata->f11.irq_mask) || size <= 0)
|
||||
return 0;
|
||||
|
||||
offset = (hdata->max_fingers >> 2) + 1;
|
||||
@@ -332,9 +329,19 @@ static int rmi_f11_input_event(struct hid_device *hdev, u8 irq, u8 *data,
|
||||
int fs_bit_position = (i & 0x3) << 1;
|
||||
int finger_state = (data[fs_byte_position] >> fs_bit_position) &
|
||||
0x03;
|
||||
+ int position = offset + 5 * i;
|
||||
+
|
||||
+ if (position + 5 > size) {
|
||||
+ /* partial report, go on with what we received */
|
||||
+ printk_once(KERN_WARNING
|
||||
+ "%s %s: Detected incomplete finger report. Finger reports may occasionally get dropped on this platform.\n",
|
||||
+ dev_driver_string(&hdev->dev),
|
||||
+ dev_name(&hdev->dev));
|
||||
+ hid_dbg(hdev, "Incomplete finger report\n");
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
- rmi_f11_process_touch(hdata, i, finger_state,
|
||||
- &data[offset + 5 * i]);
|
||||
+ rmi_f11_process_touch(hdata, i, finger_state, &data[position]);
|
||||
}
|
||||
input_mt_sync_frame(hdata->input);
|
||||
input_sync(hdata->input);
|
||||
@@ -352,6 +359,11 @@ static int rmi_f30_input_event(struct hid_device *hdev, u8 irq, u8 *data,
|
||||
if (!(irq & hdata->f30.irq_mask))
|
||||
return 0;
|
||||
|
||||
+ if (size < (int)hdata->f30.report_size) {
|
||||
+ hid_warn(hdev, "Click Button pressed, but the click data is missing\n");
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < hdata->gpio_led_count; i++) {
|
||||
if (test_bit(i, &hdata->button_mask)) {
|
||||
value = (data[i / 8] >> (i & 0x07)) & BIT(0);
|
||||
@@ -412,9 +424,29 @@ static int rmi_read_data_event(struct hid_device *hdev, u8 *data, int size)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static int rmi_check_sanity(struct hid_device *hdev, u8 *data, int size)
|
||||
+{
|
||||
+ int valid_size = size;
|
||||
+ /*
|
||||
+ * On the Dell XPS 13 9333, the bus sometimes get confused and fills
|
||||
+ * the report with a sentinel value "ff". Synaptics told us that such
|
||||
+ * behavior does not comes from the touchpad itself, so we filter out
|
||||
+ * such reports here.
|
||||
+ */
|
||||
+
|
||||
+ while ((data[valid_size - 1] == 0xff) && valid_size > 0)
|
||||
+ valid_size--;
|
||||
+
|
||||
+ return valid_size;
|
||||
+}
|
||||
+
|
||||
static int rmi_raw_event(struct hid_device *hdev,
|
||||
struct hid_report *report, u8 *data, int size)
|
||||
{
|
||||
+ size = rmi_check_sanity(hdev, data, size);
|
||||
+ if (size < 2)
|
||||
+ return 0;
|
||||
+
|
||||
switch (data[0]) {
|
||||
case RMI_READ_DATA_REPORT_ID:
|
||||
return rmi_read_data_event(hdev, data, size);
|
||||
--
|
||||
cgit v0.10.1
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
From: Andy Lutomirski <luto@amacapital.net>
|
||||
Date: Wed, 8 Oct 2014 12:37:46 -0700
|
||||
Subject: [PATCH] fs: Add a missing permission check to do_umount
|
||||
|
||||
Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
|
||||
only one of the two call sites was appropriately protected.
|
||||
|
||||
Fixes CVE-2014-7975.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
||||
---
|
||||
fs/namespace.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/fs/namespace.c b/fs/namespace.c
|
||||
index c8e3034ff4b2..fbba8b17330d 100644
|
||||
--- a/fs/namespace.c
|
||||
+++ b/fs/namespace.c
|
||||
@@ -1439,6 +1439,8 @@ static int do_umount(struct mount *mnt, int flags)
|
||||
* Special case for "unmounting" root ...
|
||||
* we just try to remount it readonly.
|
||||
*/
|
||||
+ if (!capable(CAP_SYS_ADMIN))
|
||||
+ return -EPERM;
|
||||
down_write(&sb->s_umount);
|
||||
if (!(sb->s_flags & MS_RDONLY))
|
||||
retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
|
||||
--
|
||||
1.9.3
|
||||
|
25
kernel.spec
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 203
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 6
|
||||
%define stable_update 7
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -712,9 +712,6 @@ Patch26023: psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch
|
|||
#rhbz 1143812
|
||||
Patch26027: HID-i2c-hid-call-the-hid-driver-s-suspend-and-resume.patch
|
||||
|
||||
#rhbz 1123584
|
||||
Patch26028: HID-rmi-check-sanity-of-incoming-report.patch
|
||||
|
||||
Patch26030: GFS2-Make-rename-not-save-dirent-location.patch
|
||||
|
||||
#CVE-2014-7970 rhbz 1151095 1151484
|
||||
|
@ -733,9 +730,6 @@ Patch26039: HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-00.patch
|
|||
Patch26040: USB-quirks-device-qualifier-quirk-for-another-Elan-t.patch
|
||||
Patch26041: HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-01.patch
|
||||
|
||||
#CVE-2014-7975 rhbz 1151108 1152025
|
||||
Patch26042: fs-Add-a-missing-permission-check-to-do_umount.patch
|
||||
|
||||
#CVE-2014-8086 rhbz 1151353 1152608
|
||||
Patch26056: ext4-fix-race-between-write-and-fcntl-F_SETFL.patch
|
||||
|
||||
|
@ -745,9 +739,6 @@ Patch26058: asus-nb-wmi-Add-wapf4-quirk-for-the-X550VB.patch
|
|||
#rhbz 1153381
|
||||
Patch26059: Input-synaptics-gate-forcepad-support-by-DMI-check.patch
|
||||
|
||||
# CVE-2014-3690 rhbz 1153322 1155372
|
||||
Patch26060: x86-kvm-vmx-Preserve-CR4-across-VM-entry.patch
|
||||
|
||||
#CVE-2014-3688 rhbz 1155745 1155751
|
||||
Patch26061: net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
|
||||
|
||||
|
@ -1460,9 +1451,6 @@ ApplyPatch psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch
|
|||
#rhbz 1143812
|
||||
ApplyPatch HID-i2c-hid-call-the-hid-driver-s-suspend-and-resume.patch
|
||||
|
||||
#rhbz 1123584
|
||||
ApplyPatch HID-rmi-check-sanity-of-incoming-report.patch
|
||||
|
||||
ApplyPatch GFS2-Make-rename-not-save-dirent-location.patch
|
||||
|
||||
#CVE-2014-7970 rhbz 1151095 1151484
|
||||
|
@ -1481,9 +1469,6 @@ ApplyPatch HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-00.patch
|
|||
ApplyPatch USB-quirks-device-qualifier-quirk-for-another-Elan-t.patch
|
||||
ApplyPatch HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-01.patch
|
||||
|
||||
#CVE-2014-7975 rhbz 1151108 1152025
|
||||
ApplyPatch fs-Add-a-missing-permission-check-to-do_umount.patch
|
||||
|
||||
#CVE-2014-8086 rhbz 1151353 1152608
|
||||
ApplyPatch ext4-fix-race-between-write-and-fcntl-F_SETFL.patch
|
||||
|
||||
|
@ -1493,9 +1478,6 @@ ApplyPatch asus-nb-wmi-Add-wapf4-quirk-for-the-X550VB.patch
|
|||
#rhbz 1153381
|
||||
ApplyPatch Input-synaptics-gate-forcepad-support-by-DMI-check.patch
|
||||
|
||||
#CVE-2014-3690 rhbz 1153322 1155372
|
||||
ApplyPatch x86-kvm-vmx-Preserve-CR4-across-VM-entry.patch
|
||||
|
||||
#CVE-2014-3688 rhbz 1155745 1155751
|
||||
ApplyPatch net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
|
||||
|
||||
|
@ -2346,6 +2328,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Thu Oct 30 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.16.7-200
|
||||
- Linux v3.16.7
|
||||
|
||||
* Wed Oct 29 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix DVB-T cxusb firmware loading (rhbz 1154454)
|
||||
|
||||
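Review bot: The new %changelog entry for 3.16.7-200 records only `- Linux v3.16.7`, yet this section also drops the Patch/ApplyPatch lines for three carried fixes: `HID-rmi-check-sanity-of-incoming-report.patch` (rhbz 1123584), `fs-Add-a-missing-permission-check-to-do_umount.patch` (CVE-2014-7975) and `x86-kvm-vmx-Preserve-CR4-across-VM-entry.patch` (CVE-2014-3690). Presumably the 3.16.7 stable update already carries these fixes, but nothing on this page shows that, so anyone auditing the package for those CVEs sees the fix disappear with no explanation. After confirming each fix is present in patch-3.16.7.xz, I would add a changelog line such as `- Drop CVE-2014-7975 and CVE-2014-3690 patches, now included in 3.16.7` and a matching line for the rhbz 1123584 HID-rmi fix.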
|
|
2
sources
|
@ -1,3 +1,3 @@
|
|||
5c569ed649a0c9711879f333e90c5386 linux-3.16.tar.xz
|
||||
49868ce6467b35cd9ffea1120d129462 perf-man-3.16.tar.gz
|
||||
c83d2b26c8282e91b227f6810beb332e patch-3.16.6.xz
|
||||
062f41ed40a33485605d98bad4bcc5a1 patch-3.16.7.xz
|
||||
|
|
|
@ -1,81 +0,0 @@
|
|||
From: Andy Lutomirski <luto@amacapital.net>
|
||||
Date: Wed, 8 Oct 2014 09:02:13 -0700
|
||||
Subject: [PATCH] x86,kvm,vmx: Preserve CR4 across VM entry
|
||||
|
||||
CR4 isn't constant; at least the TSD and PCE bits can vary.
|
||||
|
||||
TBH, treating CR0 and CR3 as constant scares me a bit, too, but it looks
|
||||
like it's correct.
|
||||
|
||||
This adds a branch and a read from cr4 to each vm entry. Because it is
|
||||
extremely likely that consecutive entries into the same vcpu will have
|
||||
the same host cr4 value, this fixes up the vmcs instead of restoring cr4
|
||||
after the fact. A subsequent patch will add a kernel-wide cr4 shadow,
|
||||
reducing the overhead in the common case to just two memory reads and a
|
||||
branch.
|
||||
|
||||
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
||||
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: Petr Matousek <pmatouse@redhat.com>
|
||||
Cc: Gleb Natapov <gleb@kernel.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
arch/x86/kvm/vmx.c | 16 ++++++++++++++--
|
||||
1 file changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
|
||||
index bfe11cf124a1..6a118fa378b5 100644
|
||||
--- a/arch/x86/kvm/vmx.c
|
||||
+++ b/arch/x86/kvm/vmx.c
|
||||
@@ -453,6 +453,7 @@ struct vcpu_vmx {
|
||||
int gs_ldt_reload_needed;
|
||||
int fs_reload_needed;
|
||||
u64 msr_host_bndcfgs;
|
||||
+ unsigned long vmcs_host_cr4; /* May not match real cr4 */
|
||||
} host_state;
|
||||
struct {
|
||||
int vm86_active;
|
||||
@@ -4235,11 +4236,16 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
|
||||
u32 low32, high32;
|
||||
unsigned long tmpl;
|
||||
struct desc_ptr dt;
|
||||
+ unsigned long cr4;
|
||||
|
||||
vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */
|
||||
- vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */
|
||||
vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
|
||||
|
||||
+ /* Save the most likely value for this task's CR4 in the VMCS. */
|
||||
+ cr4 = read_cr4();
|
||||
+ vmcs_writel(HOST_CR4, cr4); /* 22.2.3, 22.2.5 */
|
||||
+ vmx->host_state.vmcs_host_cr4 = cr4;
|
||||
+
|
||||
vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */
|
||||
#ifdef CONFIG_X86_64
|
||||
/*
|
||||
@@ -7376,7 +7382,7 @@ static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx)
|
||||
static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
struct vcpu_vmx *vmx = to_vmx(vcpu);
|
||||
- unsigned long debugctlmsr;
|
||||
+ unsigned long debugctlmsr, cr4;
|
||||
|
||||
/* Record the guest's net vcpu time for enforced NMI injections. */
|
||||
if (unlikely(!cpu_has_virtual_nmis() && vmx->soft_vnmi_blocked))
|
||||
@@ -7397,6 +7403,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
|
||||
if (test_bit(VCPU_REGS_RIP, (unsigned long *)&vcpu->arch.regs_dirty))
|
||||
vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]);
|
||||
|
||||
+ cr4 = read_cr4();
|
||||
+ if (unlikely(cr4 != vmx->host_state.vmcs_host_cr4)) {
|
||||
+ vmcs_writel(HOST_CR4, cr4);
|
||||
+ vmx->host_state.vmcs_host_cr4 = cr4;
|
||||
+ }
|
||||
+
|
||||
/* When single-stepping over STI and MOV SS, we must clear the
|
||||
* corresponding interruptibility bits in the guest state. Otherwise
|
||||
* vmentry fails as it then expects bit 14 (BS) in pending debug
|
||||
--
|
||||
1.9.3
|
||||
|