rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'f23' of ssh://pkgs.fedoraproject.org/kernel into f23-pf. Fedora 23 kernel 4.3.3

This commit is contained in:
Pavel Alexeev 2016-01-07 16:04:54 +03:00
parent 65e6c77904 af632165dd
commit 338e57dc54
85 changed files with 2981 additions and 755 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
View File

@ -1,76 +0,0 @@
From d856e14fb043b742f94170db36b812770a2591d0 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Thu, 15 Oct 2015 17:21:37 +0100
Subject: [PATCH 1/2] KEYS: Fix crash when attempt to garbage collect an
uninstantiated keyring
The following sequence of commands:
i=`keyctl add user a a @s`
keyctl request2 keyring foo bar @t
keyctl unlink $i @s
tries to invoke an upcall to instantiate a keyring if one doesn't already
exist by that name within the user's keyring set. However, if the upcall
fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
other error code. When the key is garbage collected, the key destroy
function is called unconditionally and keyring_destroy() uses list_empty()
on keyring->type_data.link - which is in a union with reject_error.
Subsequently, the kernel tries to unlink the keyring from the keyring names
list - which oopses like this:
BUG: unable to handle kernel paging request at 00000000ffffff8a
IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
...
Workqueue: events key_garbage_collector
...
RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
...
CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
...
Call Trace:
[<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
[<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
[<ffffffff8105ec9b>] process_one_work+0x28e/0x547
[<ffffffff8105fd17>] worker_thread+0x26e/0x361
[<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
[<ffffffff810648ad>] kthread+0xf3/0xfb
[<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
[<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
[<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
Note the value in RAX. This is a 32-bit representation of -ENOKEY.
The solution is to only call ->destroy() if the key was successfully
instantiated.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/gc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/keys/gc.c b/security/keys/gc.c
index c7952375ac53..11c36627adbf 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -149,7 +149,9 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
atomic_dec(&key->user->nikeys);
/* now throw away the key memory */
- if (key->type->destroy)
+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
+ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
+ key->type->destroy)
key->type->destroy(key);
key_user_put(key->user);
--
2.4.3

91
0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch Normal file
View File

@ -0,0 +1,91 @@
From 0d3f6d297bfb7af24d0508460fdb3d1ec4903fa3 Mon Sep 17 00:00:00 2001
From: Martin KaFai Lau <kafai@fb.com>
Date: Wed, 11 Nov 2015 11:51:06 -0800
Subject: [PATCH] ipv6: Avoid creating RTF_CACHE from a rt that is not managed
by fib6 tree
The original bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1272571
The setup has a IPv4 GRE tunnel running in a IPSec. The bug
happens when ndisc starts sending router solicitation at the gre
interface. The simplified oops stack is like:
__lock_acquire+0x1b2/0x1c30
lock_acquire+0xb9/0x140
_raw_write_lock_bh+0x3f/0x50
__ip6_ins_rt+0x2e/0x60
ip6_ins_rt+0x49/0x50
~~~~~~~~
__ip6_rt_update_pmtu.part.54+0x145/0x250
ip6_rt_update_pmtu+0x2e/0x40
~~~~~~~~
ip_tunnel_xmit+0x1f1/0xf40
__gre_xmit+0x7a/0x90
ipgre_xmit+0x15a/0x220
dev_hard_start_xmit+0x2bd/0x480
__dev_queue_xmit+0x696/0x730
dev_queue_xmit+0x10/0x20
neigh_direct_output+0x11/0x20
ip6_finish_output2+0x21f/0x770
ip6_finish_output+0xa7/0x1d0
ip6_output+0x56/0x190
~~~~~~~~
ndisc_send_skb+0x1d9/0x400
ndisc_send_rs+0x88/0xc0
~~~~~~~~
The rt passed to ip6_rt_update_pmtu() is created by
icmp6_dst_alloc() and it is not managed by the fib6 tree,
so its rt6i_table == NULL. When __ip6_rt_update_pmtu() creates
a RTF_CACHE clone, the newly created clone also has rt6i_table == NULL
and it causes the ip6_ins_rt() oops.
During pmtu update, we only want to create a RTF_CACHE clone
from a rt which is currently managed (or owned) by the
fib6 tree. It means either rt->rt6i_node != NULL or
rt is a RTF_PCPU clone.
It is worth to note that rt6i_table may not be NULL even it is
not (yet) managed by the fib6 tree (e.g. addrconf_dst_alloc()).
Hence, rt6i_node is a better check instead of rt6i_table.
Fixes: 45e4fd26683c ("ipv6: Only create RTF_CACHE routes after encountering pmtu")
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Reported-by: Chris Siebenmann <cks-rhbugzilla@cs.toronto.edu>
Cc: Chris Siebenmann <cks-rhbugzilla@cs.toronto.edu>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv6/route.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c8bc9b4..74907c5 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1322,6 +1322,12 @@ static void rt6_do_update_pmtu(struct rt6_info *rt, u32 mtu)
rt6_update_expires(rt, net->ipv6.sysctl.ip6_rt_mtu_expires);
}
+static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt)
+{
+ return !(rt->rt6i_flags & RTF_CACHE) &&
+ (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node);
+}
+
static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
const struct ipv6hdr *iph, u32 mtu)
{
@@ -1335,7 +1341,7 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
if (mtu >= dst_mtu(dst))
return;
- if (rt6->rt6i_flags & RTF_CACHE) {
+ if (!rt6_cache_allowed_for_pmtu(rt6)) {
rt6_do_update_pmtu(rt6, mtu);
} else {
const struct in6_addr *daddr, *saddr;
--
2.5.0

63
0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch Normal file
View File

@ -0,0 +1,63 @@
From 721ebb3cf4788107424f92ac2da6cfce20c67297 Mon Sep 17 00:00:00 2001
From: Peter Robinson <pbrobinson@gmail.com>
Date: Sun, 1 Nov 2015 23:54:08 +0000
Subject: [PATCH] watchdog: omap_wdt: fix null pointer dereference
Fix issue from two patches overlapping causing a kernel oops
[ 3569.297449] Unable to handle kernel NULL pointer dereference at virtual address 00000088
[ 3569.306272] pgd = dc894000
[ 3569.309287] [00000088] *pgd=00000000
[ 3569.313104] Internal error: Oops: 5 [#1] SMP ARM
[ 3569.317986] Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_filter ebtable_nat ebtable_broute bridge stp llc ebtables ip6table_security ip6table_raw ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_filter ip6_tables iptable_security iptable_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle musb_dsps cppi41 musb_hdrc phy_am335x udc_core phy_generic phy_am335x_control omap_sham omap_aes omap_rng omap_hwspinlock omap_mailbox hwspinlock_core musb_am335x omap_wdt at24 8250_omap leds_gpio cpufreq_dt smsc davinci_mdio mmc_block ti_cpsw cpsw_common ptp pps_core cpsw_ale davinci_cpdma omap_hsmmc omap_dma mmc_core i2c_dev
[ 3569.386293] CPU: 0 PID: 1429 Comm: wdctl Not tainted 4.3.0-0.rc7.git0.1.fc24.armv7hl #1
[ 3569.394740] Hardware name: Generic AM33XX (Flattened Device Tree)
[ 3569.401179] task: dbd11a00 ti: dbaac000 task.ti: dbaac000
[ 3569.406917] PC is at omap_wdt_get_timeleft+0xc/0x20 [omap_wdt]
[ 3569.413106] LR is at watchdog_ioctl+0x3cc/0x42c
[ 3569.417902] pc : [<bf0ab138>] lr : [<c0739c54>] psr: 600f0013
[ 3569.417902] sp : dbaadf18 ip : 00000003 fp : 7f5d3bbe
[ 3569.430014] r10: 00000000 r9 : 00000003 r8 : bef21ab8
[ 3569.435535] r7 : dbbc0f7c r6 : dbbc0f18 r5 : bef21ab8 r4 : 00000000
[ 3569.442427] r3 : 00000000 r2 : 00000000 r1 : 8004570a r0 : dbbc0f18
[ 3569.449323] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 3569.456858] Control: 10c5387d Table: 9c894019 DAC: 00000051
[ 3569.462927] Process wdctl (pid: 1429, stack limit = 0xdbaac220)
[ 3569.469179] Stack: (0xdbaadf18 to 0xdbaae000)
[ 3569.473790] df00: bef21ab8 dbf60e38
[ 3569.482441] df20: dc91b840 8004570a bef21ab8 c03988a4 dbaadf48 dc854000 00000000 dd313850
[ 3569.491092] df40: ddf033b8 0000570a dc91b80b dbaadf3c dbf60e38 00000020 c0df9250 c0df6c48
[ 3569.499741] df60: dc91b840 8004570a 00000000 dc91b840 dc91b840 8004570a bef21ab8 00000003
[ 3569.508389] df80: 00000000 c03989d4 bef21b74 7f5d3bad 00000003 00000036 c020fcc4 dbaac000
[ 3569.517037] dfa0: 00000000 c020fb00 bef21b74 7f5d3bad 00000003 8004570a bef21ab8 00000001
[ 3569.525685] dfc0: bef21b74 7f5d3bad 00000003 00000036 00000001 00000000 7f5e4eb0 7f5d3bbe
[ 3569.534334] dfe0: 7f5e4f10 bef21a3c 7f5d0a54 b6e97e0c a00f0010 00000003 00000000 00000000
[ 3569.543038] [<bf0ab138>] (omap_wdt_get_timeleft [omap_wdt]) from [<c0739c54>] (watchdog_ioctl+0x3cc/0x42c)
[ 3569.553266] [<c0739c54>] (watchdog_ioctl) from [<c03988a4>] (do_vfs_ioctl+0x5bc/0x698)
[ 3569.561648] [<c03988a4>] (do_vfs_ioctl) from [<c03989d4>] (SyS_ioctl+0x54/0x7c)
[ 3569.569400] [<c03989d4>] (SyS_ioctl) from [<c020fb00>] (ret_fast_syscall+0x0/0x3c)
[ 3569.577413] Code: e12fff1e e52de004 e8bd4000 e5903060 (e5933088)
[ 3569.584089] ---[ end trace cec3039bd3ae610a ]---
Cc: <stable@vger.kernel.org> # v4.2+
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
---
drivers/watchdog/omap_wdt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/watchdog/omap_wdt.c b/drivers/watchdog/omap_wdt.c
index d96bee0..6f17c93 100644
--- a/drivers/watchdog/omap_wdt.c
+++ b/drivers/watchdog/omap_wdt.c
@@ -205,7 +205,7 @@ static int omap_wdt_set_timeout(struct watchdog_device *wdog,
static unsigned int omap_wdt_get_timeleft(struct watchdog_device *wdog)
{
- struct omap_wdt_dev *wdev = watchdog_get_drvdata(wdog);
+ struct omap_wdt_dev *wdev = to_omap_wdt_dev(wdog);
void __iomem *base = wdev->base;
u32 value;
--
2.5.0

86
0001-x86-cpu-cacheinfo-Fix-teardown-path.patch Normal file
View File

@ -0,0 +1,86 @@
From 680ac028240f8747f31c03986fbcf18b2b521e93 Mon Sep 17 00:00:00 2001
From: Borislav Petkov <bp@suse.de>
Date: Mon, 27 Jul 2015 09:58:05 +0200
Subject: [PATCH] x86/cpu/cacheinfo: Fix teardown path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Philip Müller reported a hang when booting 32-bit 4.1 kernel on
an AMD box. A fragment of the splat was enough to pinpoint the
issue:
task: f58e0000 ti: f58e8000 task.ti: f58e800
EIP: 0060:[<c135a903>] EFLAGS: 00010206 CPU: 0
EIP is at free_cache_attributes+0x83/0xd0
EAX: 00000001 EBX: f589d46c ECX: 00000090 EDX: 360c2000
ESI: 00000000 EDI: c1724a80 EBP: f58e9ec0 ESP: f58e9ea0
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
CR0: 8005003b CR2: 000000ac CR3: 01731000 CR4: 000006d0
cache_shared_cpu_map_setup() did check sibling CPUs cacheinfo
descriptor while the respective teardown path
cache_shared_cpu_map_remove() didn't. Fix that.
From tglx's version: to be on the safe side, move the cacheinfo
descriptor check to free_cache_attributes(), thus cleaning up
the hotplug path a little and making this even more robust.
Reported-by: Philip Müller <philm@manjaro.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: <stable@vger.kernel.org> # v4.1+
Cc: Andre Przywara <andre.przywara@arm.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Cc: manjaro-dev@manjaro.org
Link: http://lkml.kernel.org/r/20150727075805.GA20416@nazgul.tnic
Link: https://lkml.kernel.org/r/55B47BB8.6080202@manjaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
drivers/base/cacheinfo.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c
index 764280a91776..e9fd32e91668 100644
--- a/drivers/base/cacheinfo.c
+++ b/drivers/base/cacheinfo.c
@@ -148,7 +148,11 @@ static void cache_shared_cpu_map_remove(unsigned int cpu)
if (sibling == cpu) /* skip itself */
continue;
+
sib_cpu_ci = get_cpu_cacheinfo(sibling);
+ if (!sib_cpu_ci->info_list)
+ continue;
+
sib_leaf = sib_cpu_ci->info_list + index;
cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map);
cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map);
@@ -159,6 +163,9 @@ static void cache_shared_cpu_map_remove(unsigned int cpu)
static void free_cache_attributes(unsigned int cpu)
{
+ if (!per_cpu_cacheinfo(cpu))
+ return;
+
cache_shared_cpu_map_remove(cpu);
kfree(per_cpu_cacheinfo(cpu));
@@ -514,8 +521,7 @@ static int cacheinfo_cpu_callback(struct notifier_block *nfb,
break;
case CPU_DEAD:
cache_remove_dev(cpu);
- if (per_cpu_cacheinfo(cpu))
- free_cache_attributes(cpu);
+ free_cache_attributes(cpu);
break;
}
return notifier_from_errno(rc);
--
2.4.3

61
0001-xhci-Add-spurious-wakeup-quirk-for-LynxPoint-LP-cont.patch
View File

@ -1,61 +0,0 @@
From fd7cd061adcf5f7503515ba52b6a724642a839c8 Mon Sep 17 00:00:00 2001
From: Laura Abbott <labbott@fedoraproject.org>
Date: Mon, 12 Oct 2015 11:30:13 +0300
Subject: [PATCH] xhci: Add spurious wakeup quirk for LynxPoint-LP controllers
We received several reports of systems rebooting and powering on
after an attempted shutdown. Testing showed that setting
XHCI_SPURIOUS_WAKEUP quirk in addition to the XHCI_SPURIOUS_REBOOT
quirk allowed the system to shutdown as expected for LynxPoint-LP
xHCI controllers. Set the quirk back.
Note that the quirk was originally introduced for LynxPoint and
LynxPoint-LP just for this same reason. See:
commit 638298dc66ea ("xhci: Fix spurious wakeups after S5 on Haswell")
It was later limited to only concern HP machines as it caused
regression on some machines, see both bug and commit:
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=66171
commit 6962d914f317 ("xhci: Limit the spurious wakeup fix only to HP machines")
Later it was discovered that the powering on after shutdown
was limited to LynxPoint-LP (Haswell-ULT) and that some non-LP HP
machine suffered from spontaneous resume from S3 (which should
not be related to the SPURIOUS_WAKEUP quirk at all). An attempt
to fix this then removed the SPURIOUS_WAKEUP flag usage completely.
commit b45abacde3d5 ("xhci: no switching back on non-ULT Haswell")
Current understanding is that LynxPoint-LP (Haswell ULT) machines
need the SPURIOUS_WAKEUP quirk, otherwise they will restart, and
plain Lynxpoint (Haswell) machines may _not_ have the quirk
set otherwise they again will restart.
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Oliver Neukum <oneukum@suse.com>
[Added more history to commit message -Mathias]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index c79d336..c47d3e4 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -147,6 +147,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI) {
xhci->quirks |= XHCI_SPURIOUS_REBOOT;
+ xhci->quirks |= XHCI_SPURIOUS_WAKEUP;
}
if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
(pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
--
2.4.3

34
0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
View File

@ -1,34 +0,0 @@
From 93f27344ac019135dd5ff31a518f1ef2d9e4e4a1 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 19 Oct 2015 11:33:38 +0100
Subject: [PATCH 2/2] KEYS: Don't permit request_key() to construct a new
keyring
If request_key() is used to find a keyring, only do the search part - don't
do the construction part if the keyring was not found by the search. We
don't really want keyrings in the negative instantiated state since the
rejected/negative instantiation error value in the payload is unioned with
keyring metadata.
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/request_key.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 486ef6fa393b..0d6253124278 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
kenter("");
+ if (ctx->index_key.type == &key_type_keyring)
+ return ERR_PTR(-EPERM);
+
user = key_user_lookup(current_fsuid());
if (!user)
return ERR_PTR(-ENOMEM);
--
2.4.3

6
ACPI-Limit-access-to-custom_method.patch
View File

@ -1,6 +1,7 @@
From 4b85149b764cd024e3dd2aff9eb22a9e1aadd1fa Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:39:37 -0500
Subject: [PATCH] ACPI: Limit access to custom_method
Subject: [PATCH 04/20] ACPI: Limit access to custom_method
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
@ -25,3 +26,6 @@ index c68e72414a67..4277938af700 100644
if (!(*ppos)) {
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
--
2.4.3

6
Add-EFI-signature-data-types.patch
View File

@ -1,6 +1,7 @@
From 34e3e23e08fdccbf4637deab0cf03070d4f2226d Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
Subject: [PATCH] Add EFI signature data types
Subject: [PATCH 15/20] Add EFI signature data types
Add the data types that are used for containing hashes, keys and certificates
for cryptographic verification.
@ -51,3 +52,6 @@ index de3e45088d4a..fac43c611614 100644
/*
* All runtime access to EFI goes through this structure:
*/
--
2.4.3

8
Add-an-EFI-signature-blob-parser-and-key-loader.patch
View File

@ -1,6 +1,7 @@
From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
Subject: [PATCH] Add an EFI signature blob parser and key loader.
Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
X.509 certificates are loaded into the specified keyring as asymmetric type
keys.
@ -32,7 +33,7 @@ index 4870f28403f5..4a1b50d73b80 100644
+
endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index e47fcd9ac5e8..6512f6596785 100644
index cd1406f9b14a..d9db380bbe53 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o
@ -173,3 +174,6 @@ index fac43c611614..414c3c3d988d 100644
/**
* efi_range_is_wc - check the WC bit on an address range
* @start: starting kvirt address
--
2.4.3

32
Add-option-to-automatically-enforce-module-signature.patch
View File

@ -1,7 +1,8 @@
From 37431394b3eeb1ef6d38d0e6b2693210606c2c2c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400
Subject: [PATCH] Add option to automatically enforce module signatures when in
Secure Boot mode
Subject: [PATCH 10/20] Add option to automatically enforce module signatures
when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
@ -20,10 +21,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
7 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
index 82fbdbc1e0b0..a811210ad486 100644
index 95a4d34af3fd..b8527c6b7646 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
@@ -30,6 +30,8 @@ Offset Proto Name Meaning
@@ -31,6 +31,8 @@ Offset Proto Name Meaning
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
(below)
@ -33,10 +34,10 @@ index 82fbdbc1e0b0..a811210ad486 100644
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 3dbb7e7909ca..4da6644b1fd0 100644
index cc0d73eac047..14db458f4774 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1703,6 +1703,16 @@ config EFI_MIXED
@@ -1734,6 +1734,16 @@ config EFI_MIXED
If unsure, say N.
@ -54,7 +55,7 @@ index 3dbb7e7909ca..4da6644b1fd0 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 2c82bd150d43..1ef8ea7f8ed9 100644
index ee1b6d346b98..b4de3faa3f29 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -12,6 +12,7 @@
@ -115,7 +116,7 @@ index 2c82bd150d43..1ef8ea7f8ed9 100644
setup_efi_pci(boot_params);
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
index ab456dc233b5..74ba4083e7ce 100644
index 329254373479..b61f8533c0fd 100644
--- a/arch/x86/include/uapi/asm/bootparam.h
+++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -134,7 +134,8 @@ struct boot_params {
@ -129,10 +130,10 @@ index ab456dc233b5..74ba4083e7ce 100644
* The sentinel is set to a nonzero value (0xff) in header.S.
*
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 80f874bf999e..c2e4f52cad30 100644
index baadbf90a7c5..1ac118146e90 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
@@ -1135,6 +1135,12 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
@ -146,10 +147,10 @@ index 80f874bf999e..c2e4f52cad30 100644
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
diff --git a/include/linux/module.h b/include/linux/module.h
index 57474384b66b..b69d657c3700 100644
index db386349cd01..4b8df91f03cd 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -189,6 +189,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
struct notifier_block;
@ -163,10 +164,10 @@ index 57474384b66b..b69d657c3700 100644
extern int modules_disabled; /* for sysctl */
diff --git a/kernel/module.c b/kernel/module.c
index e9869c497175..87fa14fedc88 100644
index 7f045246e123..2b403ab0ef29 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -4084,6 +4084,13 @@ void module_layout(struct module *mod,
@@ -4088,6 +4088,13 @@ void module_layout(struct module *mod,
EXPORT_SYMBOL(module_layout);
#endif
@ -180,3 +181,6 @@ index e9869c497175..87fa14fedc88 100644
bool secure_modules(void)
{
#ifdef CONFIG_MODULE_SIG
--
2.4.3

16
Add-secure_modules-call.patch
View File

@ -1,6 +1,7 @@
From a1aaf20cffb1a949c5d6b1198690c7c30cfda4d5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 17:58:15 -0400
Subject: [PATCH] Add secure_modules() call
Subject: [PATCH 01/20] Add secure_modules() call
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
@ -16,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
2 files changed, 16 insertions(+)
diff --git a/include/linux/module.h b/include/linux/module.h
index d67b1932cc59..57474384b66b 100644
index 3a19c79918e0..db386349cd01 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -551,6 +551,8 @@ static inline bool module_requested_async_probing(struct module *module)
@@ -635,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module)
return module && module->async_probe_requested;
}
@ -28,7 +29,7 @@ index d67b1932cc59..57474384b66b 100644
#else /* !CONFIG_MODULES... */
/* Given an address, look for it in the exception tables. */
@@ -667,6 +669,10 @@ static inline bool module_requested_async_probing(struct module *module)
@@ -751,6 +753,10 @@ static inline bool module_requested_async_probing(struct module *module)
return false;
}
@ -40,10 +41,10 @@ index d67b1932cc59..57474384b66b 100644
#ifdef CONFIG_SYSFS
diff --git a/kernel/module.c b/kernel/module.c
index 4d2b82e610e2..e9869c497175 100644
index b86b7bf1be38..7f045246e123 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -4083,3 +4083,13 @@ void module_layout(struct module *mod,
@@ -4087,3 +4087,13 @@ void module_layout(struct module *mod,
}
EXPORT_SYMBOL(module_layout);
#endif
@ -57,3 +58,6 @@ index 4d2b82e610e2..e9869c497175 100644
+#endif
+}
+EXPORT_SYMBOL(secure_modules);
--
2.4.3

32
Add-sysrq-option-to-disable-secure-boot-mode.patch
View File

@ -1,6 +1,7 @@
From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com>
Date: Fri, 30 Aug 2013 09:28:51 -0400
Subject: [PATCH] Add sysrq option to disable secure boot mode
Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
Bugzilla: N/A
Upstream-status: Fedora mustard
@ -15,7 +16,7 @@ Upstream-status: Fedora mustard
7 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 5def6b4143fa..1eac9d22cb0b 100644
index f93826b8522c..41679b1aca83 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -70,6 +70,11 @@
@ -30,7 +31,7 @@ index 5def6b4143fa..1eac9d22cb0b 100644
#include <video/edid.h>
#include <asm/mtrr.h>
@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void)
@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void)
#endif /* CONFIG_X86_32 */
@ -69,10 +70,10 @@ index 5def6b4143fa..1eac9d22cb0b 100644
.notifier_call = dump_kernel_offset
};
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 421e29e4cd81..61c1eb97806c 100644
index 345df9b03aed..dea6a6c4a39b 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -366,6 +366,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
if (!udev->dev)
return -ENOMEM;
@ -81,10 +82,10 @@ index 421e29e4cd81..61c1eb97806c 100644
input_set_drvdata(udev->dev, udev);
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index b5b427888b24..289c7898a3b0 100644
index 95b330a9ea98..dfa3e154a719 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -465,6 +465,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
/* x: May be registered on mips for TLB dump */
/* x: May be registered on ppc/powerpc for xmon */
/* x: May be registered on sparc64 for global PMU dump */
@ -92,7 +93,7 @@ index b5b427888b24..289c7898a3b0 100644
NULL, /* x */
/* y: May be registered on sparc64 for global register dump */
NULL, /* y */
@@ -508,7 +509,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
sysrq_key_table[i] = op_p;
}
@ -101,7 +102,7 @@ index b5b427888b24..289c7898a3b0 100644
{
struct sysrq_key_op *op_p;
int orig_log_level;
@@ -528,11 +529,15 @@ void __handle_sysrq(int key, bool check_mask)
@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask)
op_p = __sysrq_get_key_op(key);
if (op_p) {
@ -118,7 +119,7 @@ index b5b427888b24..289c7898a3b0 100644
pr_cont("%s\n", op_p->action_msg);
console_loglevel = orig_log_level;
op_p->handler(key);
@@ -564,7 +569,7 @@ void __handle_sysrq(int key, bool check_mask)
@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask)
void handle_sysrq(int key)
{
if (sysrq_on())
@ -127,7 +128,7 @@ index b5b427888b24..289c7898a3b0 100644
}
EXPORT_SYMBOL(handle_sysrq);
@@ -645,7 +650,7 @@ static void sysrq_do_reset(unsigned long _state)
@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state)
static void sysrq_handle_reset_request(struct sysrq_state *state)
{
if (state->reset_requested)
@ -136,7 +137,7 @@ index b5b427888b24..289c7898a3b0 100644
if (sysrq_reset_downtime_ms)
mod_timer(&state->keyreset_timer,
@@ -796,8 +801,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
default:
if (sysrq->active && value && value != 2) {
@ -148,7 +149,7 @@ index b5b427888b24..289c7898a3b0 100644
}
break;
}
@@ -1077,7 +1084,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
if (get_user(c, buf))
return -EFAULT;
@ -228,7 +229,7 @@ index 4121345498e0..0ff3cef5df96 100644
return 0;
diff --git a/kernel/module.c b/kernel/module.c
index 87fa14fedc88..61385e686d49 100644
index 2b403ab0ef29..7818c110e95c 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void)
@ -240,3 +241,6 @@ index 87fa14fedc88..61385e686d49 100644
#ifndef CONFIG_MODULE_SIG_FORCE
module_param(sig_enforce, bool_enable_only, 0644);
#endif /* !CONFIG_MODULE_SIG_FORCE */
--
2.4.3

41
HID-multitouch-enable-palm-rejection-if-device-imple.patch Normal file
View File

@ -0,0 +1,41 @@
From 37e81f1a82ba4f214c05c4cc3807378753c7a867 Mon Sep 17 00:00:00 2001
From: Allen Hung <allen_hung@dell.com>
Date: Fri, 20 Nov 2015 18:21:06 +0800
Subject: [PATCH] HID: multitouch: enable palm rejection if device implements
confidence usage
The usage Confidence is mandary to Windows Precision Touchpad devices. The
appearance of this usage is checked in hidinput_connect but the quirk
MT_QUIRK_VALID_IS_CONFIDENCE is not applied to device accordingly.
Apply this quirk and also remove quirk MT_QUIRK_ALWAYS_VALID to enable palm
rejection for the WIN 8 touchpad devices which have implemented usage
Confidence in its input reports.
Tested on Dell XPS 13 laptop.
Signed-off-by: Allen Hung <allen_hung@dell.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-multitouch.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 7c811252c1ce..0c94348a168d 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -448,6 +448,11 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi,
mt_store_field(usage, td, hi);
return 1;
case HID_DG_CONFIDENCE:
+ if (cls->name == MT_CLS_WIN_8 &&
+ field->application == HID_DG_TOUCHPAD) {
+ cls->quirks &= ~MT_QUIRK_ALWAYS_VALID;
+ cls->quirks |= MT_QUIRK_VALID_IS_CONFIDENCE;
+ }
mt_store_field(usage, td, hi);
return 1;
case HID_DG_TIPSWITCH:
--
2.5.0

117
Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch Normal file
View File

@ -0,0 +1,117 @@
From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Wed, 30 Sep 2015 12:48:40 -0400
Subject: [PATCH] Initialize msg/shm IPC objects before doing ipc_addid()
As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
having initialized the IPC object state. Yes, we initialize the IPC
object in a locked state, but with all the lockless RCU lookup work,
that IPC object lock no longer means that the state cannot be seen.
We already did this for the IPC semaphore code (see commit e8577d1f0329:
"ipc/sem.c: fully initialize sem_array before making it visible") but we
clearly forgot about msg and shm.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
ipc/msg.c | 14 +++++++-------
ipc/shm.c | 13 +++++++------
ipc/util.c | 8 ++++----
3 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/ipc/msg.c b/ipc/msg.c
index 66c4f567eb73..1471db9a7e61 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
return retval;
}
- /* ipc_addid() locks msq upon success. */
- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
- if (id < 0) {
- ipc_rcu_putref(msq, msg_rcu_free);
- return id;
- }
-
msq->q_stime = msq->q_rtime = 0;
msq->q_ctime = get_seconds();
msq->q_cbytes = msq->q_qnum = 0;
@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
INIT_LIST_HEAD(&msq->q_receivers);
INIT_LIST_HEAD(&msq->q_senders);
+ /* ipc_addid() locks msq upon success. */
+ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+ if (id < 0) {
+ ipc_rcu_putref(msq, msg_rcu_free);
+ return id;
+ }
+
ipc_unlock_object(&msq->q_perm);
rcu_read_unlock();
diff --git a/ipc/shm.c b/ipc/shm.c
index 222131e8e38f..41787276e141 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -551,12 +551,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
if (IS_ERR(file))
goto no_file;
- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
- if (id < 0) {
- error = id;
- goto no_id;
- }
-
shp->shm_cprid = task_tgid_vnr(current);
shp->shm_lprid = 0;
shp->shm_atim = shp->shm_dtim = 0;
@@ -565,6 +559,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
shp->shm_nattch = 0;
shp->shm_file = file;
shp->shm_creator = current;
+
+ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+ if (id < 0) {
+ error = id;
+ goto no_id;
+ }
+
list_add(&shp->shm_clist, &current->sysvshm.shm_clist);
/*
diff --git a/ipc/util.c b/ipc/util.c
index be4230020a1f..0f401d94b7c6 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
rcu_read_lock();
spin_lock(&new->lock);
+ current_euid_egid(&euid, &egid);
+ new->cuid = new->uid = euid;
+ new->gid = new->cgid = egid;
+
id = idr_alloc(&ids->ipcs_idr, new,
(next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
GFP_NOWAIT);
@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
ids->in_use++;
- current_euid_egid(&euid, &egid);
- new->cuid = new->uid = euid;
- new->gid = new->cgid = egid;
-
if (next_id < 0) {
new->seq = ids->seq++;
if (ids->seq > IPCID_SEQ_MAX)
--
2.4.3

48
Input-aiptek-fix-crash-on-detecting-device-without-e.patch Normal file
View File

@ -0,0 +1,48 @@
From a0edc539fda3f0a4a271f47a0fcf79d1305c1444 Mon Sep 17 00:00:00 2001
From: Vladis Dronov <vdronov@redhat.com>
Date: Wed, 25 Nov 2015 16:31:35 +0100
Subject: [PATCH] Input: aiptek: fix crash on detecting device without
endpoints
The aiptek driver crashes in aiptek_probe() when a specially crafted usb device
without endpoints is detected. This fix adds a check that the device has proper
configuration expected by the driver. Also an error return value is changed to
more matching one in one of the error paths.
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
drivers/input/tablet/aiptek.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c
index e7f966da6efa..78c0732fbb57 100644
--- a/drivers/input/tablet/aiptek.c
+++ b/drivers/input/tablet/aiptek.c
@@ -1819,6 +1819,15 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+ /* Verify that a device really has an endpoint
+ */
+ if (intf->altsetting[0].desc.bNumEndpoints < 1) {
+ dev_warn(&intf->dev,
+ "interface has %d endpoints, but must have minimum 1\n",
+ intf->altsetting[0].desc.bNumEndpoints);
+ err = -ENODEV;
+ goto fail3;
+ }
endpoint = &intf->altsetting[0].endpoint[0].desc;
/* Go set up our URB, which is called when the tablet receives
@@ -1861,6 +1870,7 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
if (i == ARRAY_SIZE(speeds)) {
dev_info(&intf->dev,
"Aiptek tried all speeds, no sane response\n");
+ err = -ENODEV;
goto fail3;
}
--
2.5.0

127
KEYS-Add-a-system-blacklist-keyring.patch
View File

@ -1,6 +1,7 @@
From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:36:24 -0400
Subject: [PATCH] KEYS: Add a system blacklist keyring
Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules
@ -9,72 +10,15 @@ useful in cases where third party certificates are used for module signing.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
certs/system_keyring.c | 27 +++++++++++++++++++++++++++
include/keys/system_keyring.h | 4 ++++
init/Kconfig | 9 +++++++++
kernel/module_signing.c | 12 ++++++++++++
kernel/system_keyring.c | 17 +++++++++++++++++
4 files changed, 42 insertions(+)
3 files changed, 40 insertions(+)
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 72665eb80692..2c7b80d31366 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -28,4 +28,8 @@ static inline struct key *get_system_trusted_keyring(void)
}
#endif
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+extern struct key *system_blacklist_keyring;
+#endif
+
#endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/init/Kconfig b/init/Kconfig
index af09b4fb43d2..62f6fd191e4f 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1752,6 +1752,15 @@ config SYSTEM_TRUSTED_KEYRING
Keys in this keyring are used by module signature checking.
+config SYSTEM_BLACKLIST_KEYRING
+ bool "Provide system-wide ring of blacklisted keys"
+ depends on KEYS
+ help
+ Provide a system keyring to which blacklisted keys can be added.
+ Keys in the keyring are considered entirely untrusted. Keys in this
+ keyring are used by the module signature checking to reject loading
+ of modules signed with a blacklisted key.
+
config PROFILING
bool "Profiling support"
help
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index be5b8fac4bd0..fed815fcdaf2 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
pr_debug("Look up: \"%s\"\n", id);
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ key = keyring_search(make_key_ref(system_blacklist_keyring, 1),
+ &key_type_asymmetric, id);
+ if (!IS_ERR(key)) {
+ /* module is signed with a cert in the blacklist. reject */
+ pr_err("Module key '%s' is in blacklist\n", id);
+ key_ref_put(key);
+ kfree(id);
+ return ERR_PTR(-EKEYREJECTED);
+ }
+#endif
+
key = keyring_search(make_key_ref(system_trusted_keyring, 1),
&key_type_asymmetric, id);
if (IS_ERR(key))
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
index 875f64e8935b..c15e93f5a418 100644
--- a/kernel/system_keyring.c
+++ b/kernel/system_keyring.c
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 2570598b784d..53733822993f 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -20,6 +20,9 @@
struct key *system_trusted_keyring;
@ -90,7 +34,7 @@ index 875f64e8935b..c15e93f5a418 100644
set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
+
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
+ KUIDT_INIT(0), KGIDT_INIT(0),
+ current_cred(),
@ -106,3 +50,56 @@ index 875f64e8935b..c15e93f5a418 100644
return 0;
}
@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len,
if (ret < 0)
goto error;
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted);
+ if (!ret) {
+ /* module is signed with a cert in the blacklist. reject */
+ pr_err("Module key is in the blacklist\n");
+ ret = -EKEYREJECTED;
+ goto error;
+ }
+#endif
+
ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
if (ret < 0)
goto error;
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index b20cd885c1fd..51d8ddc60e0f 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -35,4 +35,8 @@ extern int system_verify_data(const void *data, unsigned long len,
enum key_being_used_for usage);
#endif
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+extern struct key *system_blacklist_keyring;
+#endif
+
#endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/init/Kconfig b/init/Kconfig
index 02da9f1fd9df..782d26f02885 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION
module verification, kexec image verification and firmware blob
verification.
+config SYSTEM_BLACKLIST_KEYRING
+ bool "Provide system-wide ring of blacklisted keys"
+ depends on KEYS
+ help
+ Provide a system keyring to which blacklisted keys can be added.
+ Keys in the keyring are considered entirely untrusted. Keys in this
+ keyring are used by the module signature checking to reject loading
+ of modules signed with a blacklisted key.
+
config PROFILING
bool "Profiling support"
help
--
2.4.3

125
KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch Normal file
View File

@ -0,0 +1,125 @@
From 3b34bea74e636583d34c8e472237a0bea1e3ba93 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 24 Nov 2015 21:36:31 +0000
Subject: [PATCH] KEYS: Fix handling of stored error in a negatively
instantiated user key
If a user key gets negatively instantiated, an error code is cached in the
payload area. A negatively instantiated key may be then be positively
instantiated by updating it with valid data. However, the ->update key
type method must be aware that the error code may be there.
The following may be used to trigger the bug in the user key type:
keyctl request2 user user "" @u
keyctl add user user "a" @u
which manifests itself as:
BUG: unable to handle kernel paging request at 00000000ffffff8a
IP: [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
PGD 7cc30067 PUD 0
Oops: 0002 [#1] SMP
Modules linked in:
CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000
RIP: 0010:[<ffffffff810a376f>] [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280
[<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
RSP: 0018:ffff88003dd8bdb0 EFLAGS: 00010246
RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001
RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82
RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82
R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700
FS: 0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0
Stack:
ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82
ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5
ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620
Call Trace:
[<ffffffff810a39e5>] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136
[<ffffffff812a31ab>] user_update+0x8b/0xb0 security/keys/user_defined.c:129
[< inline >] __key_update security/keys/key.c:730
[<ffffffff8129e5c1>] key_create_or_update+0x291/0x440 security/keys/key.c:908
[< inline >] SYSC_add_key security/keys/keyctl.c:125
[<ffffffff8129fc21>] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60
[<ffffffff8185f617>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185
Note the error code (-ENOKEY) in EDX.
A similar bug can be tripped by:
keyctl request2 trusted user "" @u
keyctl add trusted user "a" @u
This should also affect encrypted keys - but that has to be correctly
parameterised or it will fail with EINVAL before getting to the bit that
will crashes.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
---
security/keys/encrypted-keys/encrypted.c | 2 ++
security/keys/trusted.c | 5 ++++-
security/keys/user_defined.c | 5 ++++-
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index 7bed4ad7cd76..0a374a2ce030 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -845,6 +845,8 @@ static int encrypted_update(struct key *key, struct key_preparsed_payload *prep)
size_t datalen = prep->datalen;
int ret = 0;
+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+ return -ENOKEY;
if (datalen <= 0 || datalen > 32767 || !prep->data)
return -EINVAL;
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index c0594cb07ada..aeb38f1a12e7 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -984,13 +984,16 @@ static void trusted_rcu_free(struct rcu_head *rcu)
*/
static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
{
- struct trusted_key_payload *p = key->payload.data;
+ struct trusted_key_payload *p;
struct trusted_key_payload *new_p;
struct trusted_key_options *new_o;
size_t datalen = prep->datalen;
char *datablob;
int ret = 0;
+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+ return -ENOKEY;
+ p = key->payload.data;
if (!p->migratable)
return -EPERM;
if (datalen <= 0 || datalen > 32767 || !prep->data)
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 36b47bbd3d8c..7cf22260bdff 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -120,7 +120,10 @@ int user_update(struct key *key, struct key_preparsed_payload *prep)
if (ret == 0) {
/* attach the new data, displacing the old */
- zap = key->payload.data;
+ if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+ zap = key->payload.data;
+ else
+ zap = NULL;
rcu_assign_keypointer(key, upayload);
key->expiry = 0;
}
--
2.5.0

108
KEYS-Fix-race-between-read-and-revoke.patch Normal file
View File

@ -0,0 +1,108 @@
From f144220f72062ed5359e0211f130670c915a12dd Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 14 Dec 2015 10:36:31 -0500
Subject: [PATCH] KEYS: Fix race between read and revoke
There's a race between keyctl_read() and keyctl_revoke(). If the revoke
happens between keyctl_read() checking the validity of a key and the key's
semaphore being taken, then the key type read method will see a revoked key.
This causes a problem for the user-defined key type because it assumes in
its read method that there will always be a payload in a non-revoked key
and doesn't check for a NULL pointer.
Fix this by making keyctl_read() check the validity of a key after taking
semaphore instead of before.
This was discovered by a multithreaded test program generated by syzkaller
(http://github.com/google/syzkaller). Here's a cleaned up version:
#include <sys/types.h>
#include <keyutils.h>
#include <pthread.h>
void *thr0(void *arg)
{
key_serial_t key = (unsigned long)arg;
keyctl_revoke(key);
return 0;
}
void *thr1(void *arg)
{
key_serial_t key = (unsigned long)arg;
char buffer[16];
keyctl_read(key, buffer, 16);
return 0;
}
int main()
{
key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
pthread_t th[5];
pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
pthread_join(th[0], 0);
pthread_join(th[1], 0);
pthread_join(th[2], 0);
pthread_join(th[3], 0);
return 0;
}
Build as:
cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
Run as:
while keyctl-race; do :; done
as it may need several iterations to crash the kernel. The crash can be
summarised as:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
...
Call Trace:
[<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
[<ffffffff81277815>] SyS_keyctl+0x83/0xe0
[<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/keyctl.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index fb111eafcb89..1c3872aeed14 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
/* the key is probably readable - now try to read it */
can_read_key:
- ret = key_validate(key);
- if (ret == 0) {
- ret = -EOPNOTSUPP;
- if (key->type->read) {
- /* read the data with the semaphore held (since we
- * might sleep) */
- down_read(&key->sem);
+ ret = -EOPNOTSUPP;
+ if (key->type->read) {
+ /* Read the data with the semaphore held (since we might sleep)
+ * to protect against the key being updated or revoked.
+ */
+ down_read(&key->sem);
+ ret = key_validate(key);
+ if (ret == 0)
ret = key->type->read(key, buffer, buflen);
- up_read(&key->sem);
- }
+ up_read(&key->sem);
}
error2:
--
2.5.0

80
KVM-svm-unconditionally-intercept-DB.patch Normal file
View File

@ -0,0 +1,80 @@
From 48bb9bb210c6c2f185d891e3e7a401d849409f84 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 10 Nov 2015 13:22:53 +0100
Subject: [PATCH 2/2] KVM: svm: unconditionally intercept #DB
This is needed to avoid the possibility that the guest triggers
an infinite stream of #DB exceptions (CVE-2015-8104).
VMX is not affected: because it does not save DR6 in the VMCS,
it already intercepts #DB unconditionally.
Reported-by: Jan Beulich <jbeulich@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/svm.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 7203b3cc71b5..184e50b3c35a 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1111,6 +1111,7 @@ static void init_vmcb(struct vcpu_svm *svm)
set_exception_intercept(svm, UD_VECTOR);
set_exception_intercept(svm, MC_VECTOR);
set_exception_intercept(svm, AC_VECTOR);
+ set_exception_intercept(svm, DB_VECTOR);
set_intercept(svm, INTERCEPT_INTR);
set_intercept(svm, INTERCEPT_NMI);
@@ -1645,20 +1646,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
mark_dirty(svm->vmcb, VMCB_SEG);
}
-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
+static void update_bp_intercept(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
- clr_exception_intercept(svm, DB_VECTOR);
clr_exception_intercept(svm, BP_VECTOR);
- if (svm->nmi_singlestep)
- set_exception_intercept(svm, DB_VECTOR);
-
if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
- if (vcpu->guest_debug &
- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
- set_exception_intercept(svm, DB_VECTOR);
if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
set_exception_intercept(svm, BP_VECTOR);
} else
@@ -1764,7 +1758,6 @@ static int db_interception(struct vcpu_svm *svm)
if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
svm->vmcb->save.rflags &=
~(X86_EFLAGS_TF | X86_EFLAGS_RF);
- update_db_bp_intercept(&svm->vcpu);
}
if (svm->vcpu.guest_debug &
@@ -3753,7 +3746,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
*/
svm->nmi_singlestep = true;
svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
- update_db_bp_intercept(vcpu);
}
static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
@@ -4379,7 +4371,7 @@ static struct kvm_x86_ops svm_x86_ops = {
.vcpu_load = svm_vcpu_load,
.vcpu_put = svm_vcpu_put,
- .update_db_bp_intercept = update_db_bp_intercept,
+ .update_db_bp_intercept = update_bp_intercept,
.get_msr = svm_get_msr,
.set_msr = svm_set_msr,
.get_segment_base = svm_get_segment_base,
--
2.4.3

34
MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
View File

@ -1,3 +1,4 @@
From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
@ -25,12 +26,12 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
create mode 100644 kernel/modsign_uefi.c
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 414c3c3d988d..d920a6be6c8b 100644
index 85ef051ac6fb..a042b2ece788 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -601,6 +601,12 @@ void efi_native_runtime_setup(void);
#define EFI_CERT_X509_GUID \
EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
@@ -600,6 +600,12 @@ typedef struct {
u64 table;
} efi_config_table_64_t;
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )
@ -40,12 +41,12 @@ index 414c3c3d988d..d920a6be6c8b 100644
+
typedef struct {
efi_guid_t guid;
u64 table;
u32 table;
diff --git a/init/Kconfig b/init/Kconfig
index 62f6fd191e4f..648bb79d6b73 100644
index 02da9f1fd9df..90c73a0564b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1906,6 +1906,15 @@ config MODULE_SIG_ALL
@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL
comment "Do not forget to sign required modules with scripts/sign-file"
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
@ -62,26 +63,26 @@ index 62f6fd191e4f..648bb79d6b73 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
index 43c4c920f30a..3193574387ac 100644
index d4988410b410..55e886239e7e 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -48,6 +48,7 @@ obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
@@ -47,6 +47,7 @@ endif
obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o
+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_KEXEC) += kexec.o
@@ -101,6 +102,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
obj-$(CONFIG_KEXEC_CORE) += kexec_core.o
@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
$(obj)/configs.o: $(obj)/config_data.h
obj-$(CONFIG_HAS_IOMEM) += memremap.o
+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar
+
$(obj)/configs.o: $(obj)/config_data.h
# config_data.h contains the same information as ikconfig.h but gzipped.
# Info from config_data can be extracted from /proc/config*
targets += config_data.gz
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
new file mode 100644
index 000000000000..94b0eb38a284
@ -180,3 +181,6 @@ index 000000000000..94b0eb38a284
+ return rc;
+}
+late_initcall(load_uefi_certs);
--
2.4.3

6
MODSIGN-Support-not-importing-certs-from-db.patch
View File

@ -1,6 +1,7 @@
From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Thu, 3 Oct 2013 10:14:23 -0400
Subject: [PATCH] MODSIGN: Support not importing certs from db
Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@ -78,3 +79,6 @@ index 94b0eb38a284..ae28b974d49a 100644
}
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
--
2.4.3

7
PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
View File

@ -1,6 +1,8 @@
From 655fbf360e1481db4f06001f893d388c15ac307f Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:10:38 -0500
Subject: [PATCH] PCI: Lock down BAR access when module security is enabled
Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is
enabled
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to modify
@ -111,3 +113,6 @@ index b91c4da68365..98f5637304d1 100644
return -EPERM;
dev = pci_get_bus_and_slot(bus, dfn);
--
2.4.3

77
RDS-fix-race-condition-when-sending-a-message-on-unb.patch
View File

@ -1,77 +0,0 @@
From 09dca584f0b6b3bb4fc5f13a388274cd76b69f18 Mon Sep 17 00:00:00 2001
From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date: Fri, 16 Oct 2015 17:11:42 +0200
Subject: [PATCH] RDS: fix race condition when sending a message on unbound
socket.
Sasha's found a NULL pointer dereference in the RDS connection code when
sending a message to an apparently unbound socket. The problem is caused
by the code checking if the socket is bound in rds_sendmsg(), which checks
the rs_bound_addr field without taking a lock on the socket. This opens a
race where rs_bound_addr is temporarily set but where the transport is not
in rds_bind(), leading to a NULL pointer dereference when trying to
dereference 'trans' in __rds_conn_create().
Vegard wrote a reproducer for this issue, so kindly ask him to share if
you're interested.
I cannot reproduce the NULL pointer dereference using Vegard's reproducer
with this patch, whereas I could without.
Complete earlier incomplete fix to CVE-2015-6937:
74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Chien Yen <chien.yen@oracle.com>
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org
---
net/rds/connection.c | 6 ------
net/rds/send.c | 4 +++-
2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/net/rds/connection.c b/net/rds/connection.c
index 9d66705f9d41..da6da57e5f36 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -187,12 +187,6 @@ new_conn:
}
}
- if (trans == NULL) {
- kmem_cache_free(rds_conn_slab, conn);
- conn = ERR_PTR(-ENODEV);
- goto out;
- }
-
conn->c_trans = trans;
ret = trans->conn_alloc(conn, gfp);
diff --git a/net/rds/send.c b/net/rds/send.c
index e9430f537f9c..7b30c0f3180d 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
release_sock(sk);
}
- /* racing with another thread binding seems ok here */
+ lock_sock(sk);
if (daddr == 0 || rs->rs_bound_addr == 0) {
+ release_sock(sk);
ret = -ENOTCONN; /* XXX not a great errno */
goto out;
}
+ release_sock(sk);
/* size of rm including all sgs */
ret = rds_rm_size(msg, payload_len);
--
2.4.3

6
Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
View File

@ -1,6 +1,7 @@
From d4ae417828427de74e9f857f9caa49580aecf1fe Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 09:28:15 -0500
Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is
restricted
Allowing users to write to address space makes it possible for the kernel
@ -36,3 +37,6 @@ index 53fe675f9bd7..b52c88860532 100644
if (p < (unsigned long) high_memory) {
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
--
2.4.3

81
USB-whiteheat-fix-potential-null-deref-at-probe.patch Normal file
View File

@ -0,0 +1,81 @@
From 10d98bced414c6fc1d09db123e7f762d91b5ebea Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@kernel.org>
Date: Wed, 23 Sep 2015 11:41:42 -0700
Subject: [PATCH] USB: whiteheat: fix potential null-deref at probe
Fix potential null-pointer dereference at probe by making sure that the
required endpoints are present.
The whiteheat driver assumes there are at least five pairs of bulk
endpoints, of which the final pair is used for the "command port". An
attempt to bind to an interface with fewer bulk endpoints would
currently lead to an oops.
Fixes CVE-2015-5257.
Reported-by: Moein Ghasemzadeh <moein@istuary.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
index 6c3734d2b45a..d3ea90bef84d 100644
--- a/drivers/usb/serial/whiteheat.c
+++ b/drivers/usb/serial/whiteheat.c
@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
static int whiteheat_firmware_attach(struct usb_serial *serial);
/* function prototypes for the Connect Tech WhiteHEAT serial converter */
+static int whiteheat_probe(struct usb_serial *serial,
+ const struct usb_device_id *id);
static int whiteheat_attach(struct usb_serial *serial);
static void whiteheat_release(struct usb_serial *serial);
static int whiteheat_port_probe(struct usb_serial_port *port);
@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
.description = "Connect Tech - WhiteHEAT",
.id_table = id_table_std,
.num_ports = 4,
+ .probe = whiteheat_probe,
.attach = whiteheat_attach,
.release = whiteheat_release,
.port_probe = whiteheat_port_probe,
@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
/*****************************************************************************
* Connect Tech's White Heat serial driver functions
*****************************************************************************/
+
+static int whiteheat_probe(struct usb_serial *serial,
+ const struct usb_device_id *id)
+{
+ struct usb_host_interface *iface_desc;
+ struct usb_endpoint_descriptor *endpoint;
+ size_t num_bulk_in = 0;
+ size_t num_bulk_out = 0;
+ size_t min_num_bulk;
+ unsigned int i;
+
+ iface_desc = serial->interface->cur_altsetting;
+
+ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
+ endpoint = &iface_desc->endpoint[i].desc;
+ if (usb_endpoint_is_bulk_in(endpoint))
+ ++num_bulk_in;
+ if (usb_endpoint_is_bulk_out(endpoint))
+ ++num_bulk_out;
+ }
+
+ min_num_bulk = COMMAND_PORT + 1;
+ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
+ return -ENODEV;
+
+ return 0;
+}
+
static int whiteheat_attach(struct usb_serial *serial)
{
struct usb_serial_port *command_port;
--
2.4.3

14
acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
View File

@ -1,7 +1,8 @@
From 32d3dc2147823a32c8a7771d8fe0f2d1ef057c6a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:57:30 -0400
Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading
is restricted
Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to circumvent any restrictions imposed on
@ -13,10 +14,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 3b8963f21b36..a5ae6a7fef5e 100644
index 739a4a6b3b9b..9ef2a020a7a9 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -44,6 +44,7 @@
@@ -40,6 +40,7 @@
#include <linux/list.h>
#include <linux/jiffies.h>
#include <linux/semaphore.h>
@ -24,7 +25,7 @@ index 3b8963f21b36..a5ae6a7fef5e 100644
#include <asm/io.h>
#include <asm/uaccess.h>
@@ -255,7 +256,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
acpi_physical_address __init acpi_os_get_root_pointer(void)
{
#ifdef CONFIG_KEXEC
@ -33,3 +34,6 @@ index 3b8963f21b36..a5ae6a7fef5e 100644
return acpi_rsdp;
#endif
--
2.4.3

41
alua_fix.patch Normal file
View File

@ -0,0 +1,41 @@
From 221255aee67ec1c752001080aafec0c4e9390d95 Mon Sep 17 00:00:00 2001
From: Hannes Reinecke <hare@suse.de>
Date: Tue, 1 Dec 2015 10:16:42 +0100
Subject: scsi: ignore errors from scsi_dh_add_device()
device handler initialisation might fail due to a number of
reasons. But as device_handlers are optional this shouldn't
cause us to disable the device entirely.
So just ignore errors from scsi_dh_add_device().
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
drivers/scsi/scsi_sysfs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index fc3cd26..d015374 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1120,11 +1120,12 @@ int scsi_sysfs_add_sdev(struct scsi_device *sdev)
}
error = scsi_dh_add_device(sdev);
- if (error) {
+ if (error)
+ /*
+ * device_handler is optional, so any error can be ignored
+ */
sdev_printk(KERN_INFO, sdev,
"failed to add device handler: %d\n", error);
- return error;
- }
device_enable_async_suspend(&sdev->sdev_dev);
error = device_add(&sdev->sdev_dev);
--
cgit v0.11.2

8
asus-wmi-Restrict-debugfs-interface-when-module-load.patch
View File

@ -1,7 +1,8 @@
From 32f701d40657cc3c982b8cba4bf73452ccdd6697 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:46:50 -0500
Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is
restricted
Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module
loading is restricted
We have no way of validating what all of the Asus WMI methods do on a
given machine, and there's a risk that some will allow hardware state to
@ -48,3 +49,6 @@ index efbc3f0c592b..071171be4b7f 100644
status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
1, asus->debug.method_id,
&input, &output);
--
2.4.3

64
block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch Normal file
View File

@ -0,0 +1,64 @@
From a08748fb2221ef03d54071e5ddfcc1b0cee6961c Mon Sep 17 00:00:00 2001
From: Tejun Heo <tj@kernel.org>
Date: Sat, 5 Sep 2015 15:47:36 -0400
Subject: [PATCH] block: blkg_destroy_all() should clear q->root_blkg and
->root_rl.blkg
While making the root blkg unconditional, ec13b1d6f0a0 ("blkcg: always
create the blkcg_gq for the root blkcg") removed the part which clears
q->root_blkg and ->root_rl.blkg during q exit. This leaves the two
pointers dangling after blkg_destroy_all(). blk-throttle exit path
performs blkg traversals and dereferences ->root_blkg and can lead to
the following oops.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000558
IP: [<ffffffff81389746>] __blkg_lookup+0x26/0x70
...
task: ffff88001b4e2580 ti: ffff88001ac0c000 task.ti: ffff88001ac0c000
RIP: 0010:[<ffffffff81389746>] [<ffffffff81389746>] __blkg_lookup+0x26/0x70
...
Call Trace:
[<ffffffff8138d14a>] blk_throtl_drain+0x5a/0x110
[<ffffffff8138a108>] blkcg_drain_queue+0x18/0x20
[<ffffffff81369a70>] __blk_drain_queue+0xc0/0x170
[<ffffffff8136a101>] blk_queue_bypass_start+0x61/0x80
[<ffffffff81388c59>] blkcg_deactivate_policy+0x39/0x100
[<ffffffff8138d328>] blk_throtl_exit+0x38/0x50
[<ffffffff8138a14e>] blkcg_exit_queue+0x3e/0x50
[<ffffffff8137016e>] blk_release_queue+0x1e/0xc0
...
While the bug is a straigh-forward use-after-free bug, it is tricky to
reproduce because blkg release is RCU protected and the rest of exit
path usually finishes before RCU grace period.
This patch fixes the bug by updating blkg_destro_all() to clear
q->root_blkg and ->root_rl.blkg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: "Richard W.M. Jones" <rjones@redhat.com>
Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
Link: http://lkml.kernel.org/g/CA+5PVA5rzQ0s4723n5rHBcxQa9t0cW8BPPBekr_9aMRoWt2aYg@mail.gmail.com
Fixes: ec13b1d6f0a0 ("blkcg: always create the blkcg_gq for the root blkcg")
Cc: stable@vger.kernel.org # v4.2+
---
block/blk-cgroup.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index d6283b3f5db5..9cc48d1d7abb 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q)
blkg_destroy(blkg);
spin_unlock(&blkcg->lock);
}
+
+ q->root_blkg = NULL;
+ q->root_rl.blkg = NULL;
}
/*
--
2.4.3

27
bluetooth-Validate-socket-address-length-in-sco_sock.patch Normal file
View File

@ -0,0 +1,27 @@
From 5233252fce714053f0151680933571a2da9cbfb4 Mon Sep 17 00:00:00 2001
From: "David S. Miller" <davem@davemloft.net>
Date: Tue, 15 Dec 2015 15:39:08 -0500
Subject: [PATCH] bluetooth: Validate socket address length in sco_sock_bind().
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/bluetooth/sco.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index fe129663bd3f..f52bcbf2e58c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -526,6 +526,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;
+ if (addr_len < sizeof(struct sockaddr_sco))
+ return -EINVAL;
+
lock_sock(sk);
if (sk->sk_state != BT_OPEN) {
--
2.5.0

29
config-arm-generic
View File

@ -40,6 +40,8 @@ CONFIG_FB_SIMPLE=y
CONFIG_HAVE_PERF_REGS=y
CONFIG_HAVE_PERF_USER_STACK_DUMP=y
CONFIG_ARM_PMU=y
# ARM AMBA generic HW
CONFIG_ARM_AMBA=y
CONFIG_KERNEL_MODE_NEON=y
@ -64,6 +66,17 @@ CONFIG_RTC_DRV_PL031=y
CONFIG_PL330_DMA=m
CONFIG_GPIO_PL061=y
CONFIG_USB_ISP1760=m
CONFIG_ARM_PL172_MPMC=m
# HW crypto and rng
CONFIG_ARM_CRYPTO=y
CONFIG_CRYPTO_AES_ARM=y
CONFIG_CRYPTO_AES_ARM_BS=y
CONFIG_CRYPTO_SHA1_ARM=y
CONFIG_CRYPTO_SHA256_ARM=y
CONFIG_CRYPTO_SHA1_ARM_NEON=y
CONFIG_CRYPTO_SHA512_ARM_NEON=y
CONFIG_CRYPTO_SHA512_ARM=y
# ARM VExpress
CONFIG_ARCH_VEXPRESS=y
@ -106,6 +119,8 @@ CONFIG_OF_NET=y
CONFIG_OF_OVERLAY=y
CONFIG_OF_PCI_IRQ=m
CONFIG_OF_PCI=m
# CONFIG_PCI_HOST_GENERIC is not set
# CONFIG_PCIE_IPROC is not set
CONFIG_OF_RESERVED_MEM=y
CONFIG_OF_RESOLVE=y
CONFIG_PM_GENERIC_DOMAINS_OF=y
@ -122,15 +137,6 @@ CONFIG_MAILBOX=y
CONFIG_ARM_MHU=m
# CONFIG_PL320_MBOX is not set
# HW crypto and rng
CONFIG_ARM_CRYPTO=y
CONFIG_CRYPTO_AES_ARM=m
# CONFIG_CRYPTO_AES_ARM_BS is not set
CONFIG_CRYPTO_SHA1_ARM=m
CONFIG_CRYPTO_SHA256_ARM=m
CONFIG_CRYPTO_SHA1_ARM_NEON=m
CONFIG_CRYPTO_SHA512_ARM_NEON=m
CONFIG_CRYPTO_SHA512_ARM=m
# USB
CONFIG_USB_OHCI_HCD_PLATFORM=m
CONFIG_USB_EHCI_HCD_PLATFORM=m
@ -213,6 +219,7 @@ CONFIG_I2C_MUX_GPIO=m
CONFIG_I2C_MUX_PINCTRL=m
CONFIG_I2C_MUX_PCA9541=m
CONFIG_I2C_MUX_PCA954x=m
CONFIG_I2C_MUX_REG=m
# spi
CONFIG_SPI_PL022=m
@ -280,6 +287,7 @@ CONFIG_VFIO_AMBA=m
# CONFIG_KEYBOARD_OMAP4 is not set
# CONFIG_KEYBOARD_BCM is not set
# CONFIG_PHY_SAMSUNG_USB2 is not set
# CONFIG_OMAP_GPMC_DEBUG is not set
### turn off things which make no sense on embedded SoC
@ -349,3 +357,6 @@ CONFIG_VFIO_AMBA=m
# CONFIG_BMP085_SPI is not set
# CONFIG_TI_DAC7512 is not set
# CONFIG_SPI_ROCKCHIP is not set
# https://fedoraproject.org/wiki/Features/Checkpoint_Restore
CONFIG_CHECKPOINT_RESTORE=y

26
config-arm64
View File

@ -18,6 +18,10 @@ CONFIG_ARCH_XGENE=y
# CONFIG_ARCH_QCOM is not set
# CONFIG_ARCH_SPRD is not set
# CONFIG_ARCH_ZYNQMP is not set
# CONFIG_ARCH_BCM_IPROC is not set
# CONFIG_ARCH_BERLIN is not set
# CONFIG_ARCH_ROCKCHIP is not set
# Erratum
CONFIG_ARM64_ERRATUM_826319=y
@ -36,7 +40,10 @@ CONFIG_ARM_SMMU_V3=y
CONFIG_ARCH_HAS_HOLES_MEMORYMODEL=y
CONFIG_ARCH_REQUIRE_GPIOLIB=y
CONFIG_ARM64_64K_PAGES=y
# CONFIG_COMPAT is not set
CONFIG_ARM64_HW_AFDBM=y
CONFIG_ARM64_PAN=y
CONFIG_ARM64_LSE_ATOMICS=y
CONFIG_BCMA_POSSIBLE=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
@ -83,13 +90,13 @@ CONFIG_ACPI_NFIT=m
CONFIG_PCC=y
CONFIG_ARM64_CRYPTO=y
CONFIG_CRYPTO_SHA1_ARM64_CE=m
CONFIG_CRYPTO_SHA2_ARM64_CE=m
CONFIG_CRYPTO_SHA1_ARM64_CE=y
CONFIG_CRYPTO_SHA2_ARM64_CE=y
CONFIG_CRYPTO_GHASH_ARM64_CE=m
CONFIG_CRYPTO_AES_ARM64_CE=m
CONFIG_CRYPTO_AES_ARM64_CE_CCM=m
CONFIG_CRYPTO_AES_ARM64_CE_BLK=m
CONFIG_CRYPTO_AES_ARM64_NEON_BLK=m
CONFIG_CRYPTO_AES_ARM64_CE=y
CONFIG_CRYPTO_AES_ARM64_CE_CCM=y
CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
CONFIG_CRYPTO_AES_ARM64_NEON_BLK=y
CONFIG_CRYPTO_CRC32_ARM64=m
CONFIG_CRYPTO_DEV_CCP=y
CONFIG_CRYPTO_DEV_CCP_DD=m
@ -138,6 +145,10 @@ CONFIG_AMD_XGBE_PHY=m
# HiSilicon
CONFIG_POWER_RESET_HISI=y
CONFIG_HISI_THERMAL=m
CONFIG_STUB_CLK_HI6220=y
# ThunderX
# CONFIG_MDIO_OCTEON is not set
CONFIG_NET_VENDOR_MELLANOX=y
CONFIG_MLX4_EN=m
@ -165,3 +176,4 @@ CONFIG_ND_BLK=m
CONFIG_DEBUG_SECTION_MISMATCH=y
# CONFIG_FSL_MC_BUS is not set
# CONFIG_FUJITSU_ES is not set

16
config-armv7
View File

@ -25,8 +25,6 @@ CONFIG_SOC_OMAP3430=y
CONFIG_SOC_TI81XX=y
# CONFIG_MACH_NOKIA_RX51 is not set
# CONFIG_MACH_OMAP_LDP is not set
# CONFIG_MACH_OMAP3530_LV_SOM is not set
# CONFIG_MACH_OMAP3_TORPEDO is not set
# CONFIG_MACH_OMAP3517EVM is not set
# CONFIG_MACH_OMAP3_PANDORA is not set
@ -284,6 +282,7 @@ CONFIG_PINCTRL_MSM8960=m
CONFIG_PINCTRL_MSM8X74=m
CONFIG_PINCTRL_MSM8916=m
CONFIG_PINCTRL_QCOM_SPMI_PMIC=m
CONFIG_PINCTRL_QCOM_SSBI_PMIC=m
CONFIG_COMMON_CLK_QCOM=m
# CONFIG_MSM_GCC_8916 is not set
# CONFIG_IPQ_LCC_806X is not set
@ -339,6 +338,13 @@ CONFIG_SND_SOC_LPASS_PLATFORM=m
CONFIG_SND_SOC_STORM=m
CONFIG_PHY_QCOM_UFS=m
CONFIG_HWSPINLOCK_QCOM=m
CONFIG_QCOM_COINCELL=m
CONFIG_USB_QCOM_8X16_PHY=m
CONFIG_QCOM_SMD=m
CONFIG_QCOM_SMD_RPM=m
CONFIG_QCOM_SMEM=m
CONFIG_REGULATOR_QCOM_SMD_RPM=m
# CONFIG_QCOM_SMEM is not set
# i.MX
# CONFIG_MXC_DEBUG_BOARD is not set
@ -348,6 +354,7 @@ CONFIG_SOC_IMX53=y
CONFIG_SOC_IMX6Q=y
CONFIG_SOC_IMX6SL=y
CONFIG_SOC_IMX6SX=y
CONFIG_SOC_IMX6UL=y
CONFIG_SOC_IMX7D=y
# CONFIG_SOC_LS1021A is not set
# CONFIG_SOC_VF610 is not set
@ -371,6 +378,7 @@ CONFIG_NET_VENDOR_FREESCALE=y
CONFIG_FEC=m
# CONFIG_FSL_PQ_MDIO is not set
# CONFIG_FSL_XGMAC_MDIO is not set
CONFIG_KEYBOARD_SNVS_PWRKEY=m
CONFIG_KEYBOARD_IMX=m
CONFIG_KEYBOARD_STMPE=m
CONFIG_TOUCHSCREEN_STMPE=m
@ -404,6 +412,7 @@ CONFIG_RTC_DRV_SNVS=m
CONFIG_FB_MXS=m
# CONFIG_FB_MX3 is not set
# CONFIG_FB_IMX is not set
CONFIG_TOUCHSCREEN_IMX6UL_TSC=m
CONFIG_SND_IMX_SOC=m
CONFIG_SND_SOC_FSL_ASOC_CARD=m
@ -493,8 +502,6 @@ CONFIG_ARCH_EXYNOS4=y
CONFIG_SOC_EXYNOS4212=y
CONFIG_SOC_EXYNOS4412=y
CONFIG_SOC_EXYNOS4415=y
CONFIG_ARM_EXYNOS4210_CPUFREQ=y
CONFIG_ARM_EXYNOS4X12_CPUFREQ=y
CONFIG_AK8975=m
CONFIG_CM36651=m
CONFIG_KEYBOARD_SAMSUNG=m
@ -620,6 +627,7 @@ CONFIG_CADENCE_WATCHDOG=m
CONFIG_REGULATOR_ISL9305=m
CONFIG_EDAC_SYNOPSYS=m
CONFIG_PINCTRL_ZYNQ=y
CONFIG_AXI_DMAC=m
# Multi function devices
CONFIG_MFD_88PM800=m

19
config-armv7-generic
View File

@ -33,6 +33,7 @@ CONFIG_XZ_DEC_ARMTHUMB=y
CONFIG_ARCH_HAS_TICK_BROADCAST=y
CONFIG_IRQ_CROSSBAR=y
CONFIG_IOMMU_IO_PGTABLE_LPAE=y
CONFIG_CPU_SW_DOMAIN_PAN=y
# CONFIG_MCPM is not set
# CONFIG_OABI_COMPAT is not set
@ -141,7 +142,6 @@ CONFIG_XZ_DEC_ARM=y
CONFIG_PCI_HOST_GENERIC=y
# CONFIG_PCI_LAYERSCAPE is not set
# CONFIG_PCIE_IPROC is not set
# Do NOT enable this, it breaks stuff and makes things go slow
# CONFIG_UACCESS_WITH_MEMCPY is not set
@ -183,6 +183,7 @@ CONFIG_MACH_SUN7I=y
CONFIG_MACH_SUN8I=y
# CONFIG_MACH_SUN9I is not set
CONFIG_SUNXI_SRAM=y
CONFIG_DMA_SUN4I=m
CONFIG_DMA_SUN6I=m
CONFIG_SUNXI_WATCHDOG=m
CONFIG_NET_VENDOR_ALLWINNER=y
@ -215,6 +216,8 @@ CONFIG_MTD_NAND_SUNXI=m
CONFIG_SERIO_SUN4I_PS2=m
CONFIG_KEYBOARD_SUN4I_LRADC=m
CONFIG_PWM_SUN4I=m
CONFIG_USB_MUSB_SUNXI=m
CONFIG_CRYPTO_DEV_SUN4I_SS=m
# Exynos
CONFIG_ARCH_EXYNOS3=y
@ -229,8 +232,6 @@ CONFIG_SOC_EXYNOS5410=y
CONFIG_SOC_EXYNOS5800=y
CONFIG_SERIAL_SAMSUNG=y
CONFIG_SERIAL_SAMSUNG_CONSOLE=y
CONFIG_ARM_EXYNOS_CPUFREQ=m
CONFIG_ARM_EXYNOS5250_CPUFREQ=y
CONFIG_ARM_EXYNOS5440_CPUFREQ=m
CONFIG_ARM_EXYNOS_CPU_FREQ_BOOST_SW=y
# CONFIG_ARM_EXYNOS_CPUIDLE is not set
@ -352,6 +353,9 @@ CONFIG_DRM_ROCKCHIP=m
CONFIG_ROCKCHIP_DW_HDMI=m
CONFIG_PHY_ROCKCHIP_USB=m
CONFIG_DWMAC_ROCKCHIP=m
CONFIG_SND_SOC_ROCKCHIP_MAX98090=m
CONFIG_SND_SOC_ROCKCHIP_RT5645=m
CONFIG_REGULATOR_ACT8865=m
# Tegra
CONFIG_ARCH_TEGRA_114_SOC=y
@ -393,6 +397,8 @@ CONFIG_TEGRA_SOCTHERM=m
CONFIG_TEGRA_MC=y
CONFIG_TEGRA124_EMC=y
CONFIG_ARM_TEGRA_DEVFREQ=m
# CONFIG_ARM_TEGRA20_CPUFREQ is not set
CONFIG_ARM_TEGRA124_CPUFREQ=m
# Jetson TK1
CONFIG_PINCTRL_AS3722=y
@ -457,6 +463,7 @@ CONFIG_COMMON_CLK_SI5351=m
CONFIG_RTC_DRV_ARMADA38X=m
# CONFIG_CACHE_FEROCEON_L2 is not set
# CONFIG_CACHE_FEROCEON_L2_WRITETHROUGH is not set
CONFIG_LEDS_NS2=m
# DRM panels
CONFIG_DRM_PANEL=y
@ -464,6 +471,9 @@ CONFIG_DRM_PANEL_SIMPLE=m
CONFIG_DRM_PANEL_LD9040=m
CONFIG_DRM_PANEL_S6E8AA0=m
CONFIG_DRM_PANEL_SHARP_LQ101R1SX01=m
CONFIG_DRM_PANEL_LG_LG4573=m
CONFIG_DRM_PANEL_SAMSUNG_LD9040=m
CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0=m
CONFIG_DRM_DW_HDMI=m
# regmap
@ -718,6 +728,7 @@ CONFIG_REGULATOR_DA9211=m
CONFIG_REGULATOR_ISL9305=m
CONFIG_REGULATOR_MAX77802=m
CONFIG_REGULATOR_PWM=m
# CONFIG_REGULATOR_MT6311 is not set
CONFIG_SENSORS_LTC2978_REGULATOR=y
CONFIG_POWER_AVS=y
@ -748,6 +759,7 @@ CONFIG_SENSORS_ISL29028=m
CONFIG_SENSORS_LIS3_SPI=m
CONFIG_SENSORS_LM70=m
CONFIG_SENSORS_MAX1111=m
CONFIG_MPL3115=m
CONFIG_SI7005=m
CONFIG_SI7020=m
@ -856,6 +868,7 @@ CONFIG_R8188EU=m
# CONFIG_DRM_TILCDC is not set
# CONFIG_DRM_IMX is not set
# CONFIG_DRM_STI is not set
# CONFIG_DRM_FSL_DCU is not set
# CONFIG_AHCI_IMX is not set
# CONFIG_IMX_THERMAL is not set
# CONFIG_TI_DAC7512 is not set

1
config-armv7-lpae
View File

@ -12,6 +12,7 @@ CONFIG_ARCH_KEYSTONE=y
# CONFIG_ARCH_AXXIA is not set
CONFIG_ARM_LPAE=y
# CONFIG_CPU_SW_DOMAIN_PAN is not set
CONFIG_SYS_SUPPORTS_HUGETLBFS=y
CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
CONFIG_ARM_VIRT_EXT=y

2
config-debug
View File

@ -90,7 +90,7 @@ CONFIG_RTLWIFI_DEBUG=y
CONFIG_DEBUG_OBJECTS_WORK=y
CONFIG_DMADEVICES_DEBUG=y
CONFIG_DMADEVICES_VDEBUG=y
# CONFIG_DMADEVICES_VDEBUG is not set
CONFIG_PM_ADVANCED_DEBUG=y

82
config-generic
View File

@ -51,8 +51,10 @@ CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_FUTEX=y
# CONFIG_FAIL_FUTEX is not set
CONFIG_EPOLL=y
CONFIG_BPF_SYSCALL=y
CONFIG_USERFAULTFD=y
CONFIG_IOSCHED_NOOP=y
CONFIG_IOSCHED_DEADLINE=y
CONFIG_IOSCHED_CFQ=y
@ -67,6 +69,7 @@ CONFIG_NET_NS=y
CONFIG_USER_NS=y
CONFIG_POSIX_MQUEUE=y
CONFIG_KDBUS=m
# CONFIG_PREEMPT_NONE is not set
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
@ -143,6 +146,8 @@ CONFIG_MMC_TIFM_SD=m
CONFIG_MMC_WBSD=m
CONFIG_MMC_VIA_SDMMC=m
CONFIG_MMC_SDHCI_PLTFM=m
# CONFIG_MMC_SDHCI_OF is not set
# CONFIG_MMC_SDHCI_OF_AT91 is not set
CONFIG_MMC_CB710=m
CONFIG_MMC_RICOH_MMC=y
CONFIG_MMC_USHC=m
@ -172,10 +177,12 @@ CONFIG_INFINIBAND_SRPT=m
CONFIG_INFINIBAND_USER_MAD=m
CONFIG_INFINIBAND_USER_ACCESS=m
CONFIG_INFINIBAND_ON_DEMAND_PAGING=y
CONFIG_INFINIBAND_IPATH=m
# Deprecated and moved to staging
# CONFIG_INFINIBAND_IPATH is not set
CONFIG_INFINIBAND_ISER=m
CONFIG_INFINIBAND_ISERT=m
CONFIG_INFINIBAND_AMSO1100=m
# Deprecated and moved to staging
# CONFIG_INFINIBAND_AMSO1100 is not set
# CONFIG_INFINIBAND_AMSO1100_DEBUG is not set
CONFIG_INFINIBAND_CXGB3=m
CONFIG_INFINIBAND_CXGB4=m
@ -320,6 +327,8 @@ CONFIG_MTD_CFI_I2=y
# CONFIG_MTD_NAND_ECC_BCH is not set
# CONFIG_MTD_NAND_DISKONCHIP is not set
# CONFIG_MTD_NAND_HISI504 is not set
# CONFIG_MTD_NAND_DENALI_PCI is not set
# CONFIG_MTD_NAND_DENALI_DT is not set
# CONFIG_MTD_LPDDR is not set
CONFIG_MTD_UBI=m
CONFIG_MTD_UBI_WL_THRESHOLD=4096
@ -349,6 +358,7 @@ CONFIG_HOTPLUG_PCI_ACPI_IBM=m
# CONFIG_ND_BLK is not set
# CONFIG_BTT is not set
# CONFIG_NVMEM is not set
#
# Block devices
@ -382,6 +392,7 @@ CONFIG_BLK_DEV_RAM_SIZE=16384
CONFIG_BLK_DEV_PMEM=m
CONFIG_BLK_DEV_INITRD=y
CONFIG_BLK_DEV_IO_TRACE=y
CONFIG_BLK_DEV_RAM_DAX=y
CONFIG_BLK_DEV_BSG=y
CONFIG_BLK_DEV_BSGLIB=y
@ -818,6 +829,7 @@ CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_PROTO_SCTP=y
CONFIG_IP_VS_FO=m
CONFIG_IP_VS_OVF=m
CONFIG_IP_VS_IPV6=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
@ -846,6 +858,7 @@ CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_MIP6=y
CONFIG_IPV6_ILA=m
CONFIG_IPV6_VTI=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=y
@ -1073,8 +1086,12 @@ CONFIG_NFT_REJECT=m
CONFIG_NFT_COMPAT=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NF_DUP_IPV4=m
CONFIG_NF_DUP_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NF_TABLES_ARP=m
@ -1262,6 +1279,7 @@ CONFIG_BATMAN_ADV_MCAST=y
# CONFIG_BATMAN_ADV_DEBUG is not set
CONFIG_OPENVSWITCH=m
CONFIG_OPENVSWITCH_CONNTRACK=y
CONFIG_OPENVSWITCH_GRE=y
CONFIG_OPENVSWITCH_VXLAN=y
CONFIG_OPENVSWITCH_GENEVE=y
@ -1300,6 +1318,7 @@ CONFIG_TUN=m
# CONFIG_TUN_VNET_CROSS_LE is not set
CONFIG_VETH=m
CONFIG_NLMON=m
CONFIG_NET_VRF=m
#
# ATM
@ -1353,6 +1372,8 @@ CONFIG_L2TP_ETH=m
# CONFIG_CAIF is not set
CONFIG_LWTUNNEL=y
CONFIG_RFKILL=m
CONFIG_RFKILL_GPIO=m
CONFIG_RFKILL_INPUT=y
@ -1574,6 +1595,9 @@ CONFIG_SUNGEM=m
CONFIG_CASSINI=m
CONFIG_NIU=m
# CONFIG_NET_VENDOR_SYNOPSYS is not set
# CONFIG_SYNOPSYS_DWC_ETH_QOS is not set
CONFIG_NET_VENDOR_TEHUTI=y
CONFIG_TEHUTI=m
@ -1600,6 +1624,7 @@ CONFIG_BCM87XX_PHY=m
CONFIG_CICADA_PHY=m
CONFIG_DAVICOM_PHY=m
CONFIG_DP83640_PHY=m
CONFIG_MICROCHIP_PHY=m
CONFIG_FIXED_PHY=y
CONFIG_MDIO_BITBANG=m
CONFIG_MDIO_BCM_UNIMAC=m
@ -1617,7 +1642,10 @@ CONFIG_STE10XP=m
CONFIG_VITESSE_PHY=m
CONFIG_MICREL_PHY=m
CONFIG_DP83867_PHY=m
CONFIG_DP83848_PHY=m
# CONFIG_MICREL_KS8995MA is not set
CONFIG_AQUANTIA_PHY=m
CONFIG_TERANETICS_PHY=m
CONFIG_MII=m
CONFIG_NET_CORE=y
@ -1632,6 +1660,7 @@ CONFIG_BCMGENET=m
CONFIG_BNX2=m
CONFIG_BNX2X=m
CONFIG_BNX2X_SRIOV=y
CONFIG_BNX2X_VXLAN=y
CONFIG_CNIC=m
CONFIG_FEALNX=m
CONFIG_ETHOC=m
@ -1649,6 +1678,7 @@ CONFIG_JME=m
# CONFIG_MLX4_EN is not set
# CONFIG_MLX4_EN_VXLAN is not set
# CONFIG_MLX5_CORE is not set
# CONFIG_MLXSW_CORE is not set
# CONFIG_SFC is not set
# CONFIG_FDDI is not set
@ -1861,6 +1891,7 @@ CONFIG_USB_NET_RNDIS_WLAN=m
CONFIG_USB_NET_KALMIA=m
CONFIG_USB_NET_QMI_WWAN=m
CONFIG_USB_NET_SMSC75XX=m
CONFIG_USB_NET_CH9200=m
# CONFIG_WL_TI is not set
CONFIG_ZD1211RW=m
# CONFIG_ZD1211RW_DEBUG is not set
@ -1893,14 +1924,15 @@ CONFIG_IEEE802154_SOCKET=m
CONFIG_IEEE802154_6LOWPAN=m
CONFIG_IEEE802154_DRIVERS=m
CONFIG_IEEE802154_FAKELB=m
CONFIG_IEEE802154_ATUSB=m
CONFIG_IEEE802154_CC2520=m
# CONFIG_IEEE802154_AT86RF230 is not set
# CONFIG_IEEE802154_MRF24J40 is not set
CONFIG_IEEE802154_ATUSB=m
CONFIG_MAC802154=m
CONFIG_NET_MPLS_GSO=m
CONFIG_MPLS_ROUTING=m
CONFIG_MPLS_IPTUNNEL=m
CONFIG_NET_SWITCHDEV=y
@ -2017,6 +2049,7 @@ CONFIG_NFC_ST21NFCA_I2C=m
# CONFIG_NFC_NCI_SPI is not set
# CONFIG_NFC_NCI_UART is not set
# CONFIG_NFC_ST_NCI is not set
# CONFIG_NFC_S3FWRN5_I2C is not set
#
@ -2062,6 +2095,7 @@ CONFIG_WINBOND_FIR=m
#
CONFIG_BT=m
CONFIG_BT_BREDR=y
CONFIG_BT_HS=y
CONFIG_BT_LE=y
CONFIG_BT_6LOWPAN=m
# CONFIG_BT_SELFTEST is not set
@ -2090,6 +2124,7 @@ CONFIG_BT_HCIUART_ATH3K=y
CONFIG_BT_HCIUART_3WIRE=y
CONFIG_BT_HCIUART_INTEL=y
CONFIG_BT_HCIUART_BCM=y
CONFIG_BT_HCIUART_QCA=y
CONFIG_BT_HCIDTL1=m
CONFIG_BT_HCIBT3C=m
CONFIG_BT_HCIBLUECARD=m
@ -2103,6 +2138,7 @@ CONFIG_BT_HCIUART_LL=y
CONFIG_BT_MRVL=m
CONFIG_BT_MRVL_SDIO=m
CONFIG_BT_ATH3K=m
CONFIG_BT_QCA=m
CONFIG_BT_WILINK=m
#
@ -2420,6 +2456,7 @@ CONFIG_TOUCHSCREEN_ZFORCE=m
# CONFIG_TOUCHSCREEN_CHIPONE_ICN8318 is not set
# CONFIG_TOUCHSCREEN_SX8654 is not set
# CONFIG_TOUCHSCREEN_WDT87XX_I2C is not set
# CONFIG_TOUCHSCREEN_IMX6UL_TSC is not set
CONFIG_INPUT_MISC=y
CONFIG_INPUT_E3X0_BUTTON=m
@ -2503,6 +2540,7 @@ CONFIG_SERIAL_JSM=m
# CONFIG_SERIAL_ALTERA_JTAGUART is not set
# CONFIG_SERIAL_ALTERA_UART is not set
# CONFIG_SERIAL_UARTLITE is not set
#
# Non-8250 serial port support
@ -2542,6 +2580,7 @@ CONFIG_I2C_CHARDEV=m
# CONFIG_I2C_MUX_GPIO is not set
# CONFIG_I2C_MUX_PCA9541 is not set
# CONFIG_I2C_MUX_PINCTRL is not set
# CONFIG_I2C_MUX_REG is not set
#
#
@ -2570,6 +2609,7 @@ CONFIG_I2C_ALGOPCA=m
# CONFIG_I2C_NFORCE2_S4985 is not set
# CONFIG_I2C_EG20T is not set
# CONFIG_I2C_CBUS_GPIO is not set
# CONFIG_I2C_EMEV2 is not set
CONFIG_I2C_VIPERBOARD=m
CONFIG_EEPROM_AT24=m
@ -2761,6 +2801,7 @@ CONFIG_SENSORS_AD7314=m
CONFIG_PMBUS=m
CONFIG_SENSORS_PMBUS=m
CONFIG_SENSORS_MAX16064=m
CONFIG_SENSORS_MAX20751=m
CONFIG_SENSORS_LM25066=m
CONFIG_SENSORS_LTC2978=m
CONFIG_SENSORS_MAX34440=m
@ -2788,7 +2829,7 @@ CONFIG_HID_SENSOR_IIO_TRIGGER=m
# CONFIG_AD5380 is not set
# CONFIG_AD5064 is not set
# CONFIG_BMA180 is not set
# CONFIG_BMC150_ACCEL is not set
CONFIG_BMC150_ACCEL=m
# CONFIG_MAX1363 is not set
# CONFIG_MAX517 is not set
# CONFIG_MAX5821 is not set
@ -2882,6 +2923,9 @@ CONFIG_ACPI_ALS=m
CONFIG_KXCJK1013=m
# CONFIG_ISL29125 is not set
# CONFIG_JSA1212 is not set
CONFIG_RPR0521=m
CONFIG_OPT3001=m
CONFIG_PA12203001=m
# CONFIG_TCS3414 is not set
# CONFIG_AK09911 is not set
# CONFIG_T5403 is not set
@ -3106,6 +3150,7 @@ CONFIG_RTC_DRV_PCF85063=m
# CONFIG_RTC_DRV_ISL12057 is not set
# CONFIG_RTC_DRV_XGENE is not set
# CONFIG_RTC_DRV_ABB5ZES3 is not set
# CONFIG_RTC_DRV_ZYNQMP is not set
CONFIG_R3964=m
# CONFIG_APPLICOM is not set
@ -3131,6 +3176,7 @@ CONFIG_VGA_ARB_MAX_GPUS=16
CONFIG_DRM=m
CONFIG_DRM_FBDEV_EMULATION=y
CONFIG_DRM_LOAD_EDID_FIRMWARE=y
CONFIG_DRM_AST=m # do not enable on f17 or older
CONFIG_DRM_CIRRUS_QEMU=m # do not enable on f17 or older
@ -3159,6 +3205,8 @@ CONFIG_DRM_NOUVEAU_BACKLIGHT=y
CONFIG_DRM_I2C_ADV7511=m
CONFIG_DRM_I2C_CH7006=m
CONFIG_DRM_I2C_SIL164=m
# CONFIG_DRM_NXP_PTN3460 is not set
# CONFIG_DRM_PARADE_PS8622 is not set
CONFIG_DRM_I2C_NXP_TDA998X=m
CONFIG_DRM_UDL=m
CONFIG_DRM_VMWGFX=m
@ -3171,6 +3219,7 @@ CONFIG_DRM_PS8622=m
# CONFIG_DRM_PANEL is not set
# CONFIG_DRM_PANEL_SIMPLE is not set
# CONFIG_DRM_PANEL_S6E8AA0 is not set
# CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0 is not set
CONFIG_DRM_VGEM=m
#
@ -3342,6 +3391,7 @@ CONFIG_DVB_FIREDTV=m
CONFIG_DVB_NGENE=m
CONFIG_DVB_DDBRIDGE=m
CONFIG_DVB_SMIPCIE=m
CONFIG_DVB_NETUP_UNIDVB=m
CONFIG_DVB_USB_TECHNISAT_USB2=m
CONFIG_DVB_USB_V2=m
@ -3443,6 +3493,7 @@ CONFIG_V4L_MEM2MEM_DRIVERS=y
# CONFIG_VIDEO_SH_VEU is not set
# CONFIG_VIDEO_RENESAS_VSP1 is not set
# CONFIG_V4L_TEST_DRIVERS is not set
# CONFIG_DVB_PLATFORM_DRIVERS is not set
#
# Broadcom Crystal HD video decoder driver
@ -3525,6 +3576,7 @@ CONFIG_FB_EFI=y
# CONFIG_FB_UDL is not set
# CONFIG_FB_GOLDFISH is not set
# CONFIG_FB_OPENCORES is not set
# CONFIG_FB_SM712 is not set
# CONFIG_FIRMWARE_EDID is not set
@ -3765,6 +3817,7 @@ CONFIG_USB_SL811_HCD_ISO=y
# CONFIG_USB_SL811_CS is not set
# CONFIG_USB_R8A66597_HCD is not set
CONFIG_USB_XHCI_HCD=y
# CONFIG_USB_XHCI_PLATFORM is not set
# CONFIG_USB_MAX3421_HCD is not set
#
@ -3873,6 +3926,7 @@ CONFIG_HID_EMS_FF=m
CONFIG_HID_ELECOM=m
CONFIG_HID_ELO=m
CONFIG_HID_EZKEY=m
CONFIG_HID_GEMBIRD=m
CONFIG_HID_UCLOGIC=m
CONFIG_HID_WALTOP=m
CONFIG_HID_ACRUX=m
@ -3976,6 +4030,7 @@ CONFIG_USB_KAWETH=m
CONFIG_USB_PEGASUS=m
CONFIG_USB_RTL8150=m
CONFIG_USB_RTL8152=m
CONFIG_USB_LAN78XX=m
CONFIG_USB_USBNET=m
CONFIG_USB_SPEEDTOUCH=m
CONFIG_USB_NET_AX8817X=m
@ -4260,6 +4315,7 @@ CONFIG_MFD_VIPERBOARD=m
# CONFIG_MFD_RT5033 is not set
# CONFIG_MFD_SKY81452 is not set
# CONFIG_MFD_MAX77843 is not set
# CONFIG_MFD_DA9062 is not set
# CONFIG_EZX_PCAP is not set
# CONFIG_INTEL_SOC_PMIC is not set
@ -4273,7 +4329,7 @@ CONFIG_MISC_FILESYSTEMS=y
# CONFIG_EXT2_FS is not set
# CONFIG_EXT3_FS is not set
CONFIG_EXT4_FS=y
CONFIG_EXT4_USE_FOR_EXT23=y
CONFIG_EXT4_USE_FOR_EXT2=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
# CONFIG_EXT4_ENCRYPTION is not set
@ -4310,7 +4366,7 @@ CONFIG_AUTOFS4_FS=y
# CONFIG_EXOFS_FS is not set
# CONFIG_EXOFS_DEBUG is not set
CONFIG_NILFS2_FS=m
# CONFIG_FS_DAX is not set
CONFIG_FS_DAX=y
# CONFIG_LOGFS is not set
CONFIG_CEPH_FS=m
CONFIG_CEPH_FSCACHE=y
@ -4609,6 +4665,7 @@ CONFIG_HEADERS_CHECK=y
# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
# CONFIG_DEBUG_LOCKDEP is not set
# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
# CONFIG_STATIC_KEYS_SELFTEST is not set
# DEBUG options that don't get enabled/disabled with 'make debug/release'
@ -4846,6 +4903,7 @@ CONFIG_BACKLIGHT_LP855X=m
# CONFIG_BACKLIGHT_GPIO is not set
# CONFIG_BACKLIGHT_LV5207LP is not set
# CONFIG_BACKLIGHT_BD6107 is not set
# CONFIG_BACKLIGHT_PM8941_WLED is not set
CONFIG_LCD_CLASS_DEVICE=m
CONFIG_LCD_PLATFORM=m
@ -4879,6 +4937,7 @@ CONFIG_CGROUPS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_SCHED=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
@ -5065,6 +5124,10 @@ CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y
# CONFIG_SND_SOC_TS3A227E is not set
# CONFIG_SND_SOC_XTFPGA_I2S is not set
# CONFIG_SND_SOC_STA32X is not set
# CONFIG_SND_SOC_CS4349 is not set
# CONFIG_SND_SOC_GTM601 is not set
# CONFIG_SND_SOC_STI_SAS is not set
#
CONFIG_BALLOON_COMPACTION=y
CONFIG_COMPACTION=y
@ -5128,6 +5191,7 @@ CONFIG_DMA_ENGINE=y
CONFIG_DW_DMAC_CORE=m
CONFIG_DW_DMAC=m
CONFIG_DW_DMAC_PCI=m
# CONFIG_IDMA64 is not set
# CONFIG_DW_DMAC_BIG_ENDIAN_IO is not set
# CONFIG_TIMB_DMA is not set
# CONFIG_DMATEST is not set
@ -5353,6 +5417,7 @@ CONFIG_STAGING_MEDIA=y
# CONFIG_I2C_BCM2048 is not set
# CONFIG_DT3155 is not set
# CONFIG_PRISM2_USB is not set
# CONFIG_MOST is not set
CONFIG_USB_ATMEL=m
# CONFIG_COMEDI is not set
# CONFIG_PANEL is not set
@ -5404,6 +5469,7 @@ CONFIG_USBIP_HOST=m
# CONFIG_FB_SM7XX is not set
# CONFIG_FB_TFT is not set
# CONFIG_FB_SM750 is not set
# CONFIG_STAGING_RDMA is not set
# END OF STAGING
#
@ -5481,6 +5547,8 @@ CONFIG_ZSMALLOC=y
# CONFIG_ZSMALLOC_STAT is not set
# CONFIG_PGTABLE_MAPPING is not set
# CONFIG_IDLE_PAGE_TRACKING is not set
# CONFIG_MDIO_GPIO is not set
# CONFIG_KEYBOARD_GPIO is not set
# CONFIG_KEYBOARD_GPIO_POLLED is not set
@ -5528,6 +5596,7 @@ CONFIG_GPIO_VIPERBOARD=m
# CONFIG_GPIO_MCP23S08 is not set
# CONFIG_GPIO_XILINX is not set
# CONFIG_GPIO_ALTERA is not set
# CONFIG_GPIO_ZX is not set
# FIXME: Why?
@ -5568,6 +5637,7 @@ CONFIG_PSTORE_RAM=m
# CONFIG_MEMTEST is not set
# CONFIG_TEST_HEXDUMP is not set
# CONFIG_TEST_RHASHTABLE is not set
# CONFIG_TEST_STATIC_KEYS is not set
# CONFIG_AVERAGE is not set
# CONFIG_VMXNET3 is not set

5
config-powerpc64-generic
View File

@ -14,6 +14,7 @@ CONFIG_PPC_PSERIES=y
# CONFIG_PPC_PMAC is not set
# CONFIG_PPC_PMAC64 is not set
# CONFIG_PPC_PS3 is not set
CONFIG_HIBERNATION=n
CONFIG_EXTRA_TARGETS=""
@ -127,6 +128,7 @@ CONFIG_MTD_POWERNV_FLASH=m
CONFIG_PPC_TRANSACTIONAL_MEM=y
CONFIG_BLK_DEV_RSXX=m
CONFIG_CXL=m
CONFIG_CXLFLASH=m
CONFIG_IBMEBUS=y
CONFIG_EHEA=m
CONFIG_INFINIBAND_EHCA=m
@ -209,6 +211,7 @@ CONFIG_CAPI_EICON=y
CONFIG_LEDS_TRIGGER_TIMER=m
CONFIG_LEDS_TRIGGER_HEARTBEAT=m
CONFIG_LEDS_TRIGGER_GPIO=m
CONFIG_LEDS_POWERNV=m
CONFIG_USB_EHCI_HCD_PPC_OF=y
CONFIG_USB_OHCI_HCD_PCI=y
@ -358,6 +361,8 @@ CONFIG_I2C_MPC=m
# CONFIG_NET_VENDOR_PASEMI is not set
# CONFIG_NET_VENDOR_TOSHIBA is not set
CONFIG_MDIO_OCTEON=m
# CONFIG_OF_UNITTEST is not set
# CONFIG_OF_OVERLAY is not set
# CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set

3
config-powerpc64le
View File

@ -1,3 +1,6 @@
CONFIG_CPU_LITTLE_ENDIAN=y
CONFIG_POWER7_CPU=y
# https://fedoraproject.org/wiki/Features/Checkpoint_Restore
CONFIG_CHECKPOINT_RESTORE=y

2
config-s390x
View File

@ -201,6 +201,7 @@ CONFIG_VMCP=y
CONFIG_SCHED_MC=y
CONFIG_SCHED_BOOK=y
CONFIG_SCHED_TOPOLOGY=y
# CONFIG_NUMA is not set
# CONFIG_WARN_DYNAMIC_STACK is not set
@ -290,6 +291,7 @@ CONFIG_HOTPLUG_PCI_S390=y
# CONFIG_SH_ETH is not set
# CONFIG_NET_VENDOR_VIA is not set
# CONFIG_IEEE802154_DRIVERS is not set
# CONFIG_MDIO_OCTEON is not set
# CONFIG_FMC is not set

22
config-x86-generic
View File

@ -4,6 +4,8 @@ CONFIG_X86_EXTENDED_PLATFORM=y
CONFIG_X86_GENERIC=y
# CONFIG_X86_LEGACY_VM86 is not set
CONFIG_HPET=y
CONFIG_HPET_TIMER=y
# CONFIG_HPET_MMAP is not set
@ -34,9 +36,7 @@ CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
CONFIG_X86_PAT=y
CONFIG_X86_PM_TIMER=y
# This requires changes to binutils and the compiler. Plus you can't actually
# buy hardware with MPX yet. So... leave it off until all of that seems set.
# CONFIG_X86_INTEL_MPX is not set
CONFIG_X86_INTEL_MPX=y
CONFIG_EFI=y
CONFIG_EFI_STUB=y
@ -111,6 +111,7 @@ CONFIG_XPOWER_PMIC_OPREGION=y
CONFIG_GPIO_CRYSTAL_COVE=y
CONFIG_AXP288_ADC=y
CONFIG_AXP288_FUEL_GAUGE=y
# CONFIG_PWM_CRC is not set
CONFIG_X86_INTEL_PSTATE=y
@ -133,6 +134,7 @@ CONFIG_CRYPTO_DEV_CCP=y
CONFIG_CRYPTO_DEV_CCP_DD=m
CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m
CONFIG_GENERIC_ISA_DMA=y
@ -310,6 +312,9 @@ CONFIG_XEN_PCIDEV_BACKEND=m
CONFIG_XEN_ACPI_PROCESSOR=m
# CONFIG_XEN_SCSI_FRONTEND is not set
# CONFIG_XEN_SCSI_BACKEND is not set
CONFIG_XEN_SYMS=y
CONFIG_SPI_PXA2XX=m
CONFIG_MTD_ESB2ROM=m
CONFIG_MTD_CK804XROM=m
@ -457,6 +462,8 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m
CONFIG_HP_ACCEL=m
CONFIG_SURFACE_PRO3_BUTTON=m
# CONFIG_RAPIDIO is not set
CONFIG_SCHED_SMT=y
@ -498,10 +505,14 @@ CONFIG_NFC_MICROREAD_MEI=m
# CONFIG_X86_GOLDFISH is not set
CONFIG_X86_INTEL_LPSS=y
CONFIG_IDMA64=m
# CONFIG_X86_AMD_PLATFORM_DEVICE is not set
# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set
CONFIG_MFD_INTEL_LPSS_ACPI=m
CONFIG_MFD_INTEL_LPSS_PCI=m
CONFIG_IOSF_MBI=m
# CONFIG_IOSF_MBI_DEBUG is not set
CONFIG_PWM_LPSS=m
@ -536,6 +547,7 @@ CONFIG_X86_PKG_TEMP_THERMAL=m
CONFIG_INTEL_SOC_DTS_THERMAL=m
CONFIG_INT340X_THERMAL=m
CONFIG_INTEL_RAPL=m
CONFIG_INTEL_PCH_THERMAL=m
CONFIG_VMWARE_VMCI=m
CONFIG_VMWARE_VMCI_VSOCKETS=m
@ -554,6 +566,8 @@ CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
CONFIG_EFI_SIGNATURE_LIST_PARSER=y
@ -563,9 +577,11 @@ CONFIG_EFI_SIGNATURE_LIST_PARSER=y
CONFIG_MODULE_SIG_UEFI=y
CONFIG_VMXNET3=m
CONFIG_FUJITSU_ES=m
CONFIG_VFIO_PCI_VGA=y
CONFIG_PCH_CAN=m
# CONFIG_X86_DEBUG_FPU is not set
# CONFIG_PUNIT_ATOM_DEBUG is not set
# CONFIG_AMD_MCE_INJ is not set

5
config-x86_64-generic
View File

@ -86,6 +86,8 @@ CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
CONFIG_CRYPTO_DES3_EDE_X86_64=m
CONFIG_CRYPTO_POLY1305_X86_64=m
CONFIG_CRYPTO_CHACHA20_X86_64=m
# staging crypto
# CONFIG_CRYPTO_SKEIN is not set
@ -134,6 +136,7 @@ CONFIG_XEN_SYS_HYPERVISOR=y
# CONFIG_XEN_MCE_LOG is not set
# CONFIG_XEN_STUB is not set
# CONFIG_XEN_PVH is not set
CONFIG_XEN_512GB=y
CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
@ -199,6 +202,8 @@ CONFIG_BTT=y
CONFIG_ND_BTT=m
CONFIG_ND_BLK=m
CONFIG_MDIO_OCTEON=m
CONFIG_NO_HZ_FULL=y
# CONFIG_NO_HZ_IDLE is not set
# CONFIG_NO_HZ_FULL_ALL is not set

65
dcache-Handle-escaped-paths-in-prepend_path.patch Normal file
View File

@ -0,0 +1,65 @@
From c0ea161a6e7158281f64bc6d41126da43cb08f14 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Sat, 15 Aug 2015 13:36:12 -0500
Subject: [PATCH 1/2] dcache: Handle escaped paths in prepend_path
commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
A rename can result in a dentry that by walking up d_parent
will never reach it's mnt_root. For lack of a better term
I call this an escaped path.
prepend_path is called by four different functions __d_path,
d_absolute_path, d_path, and getcwd.
__d_path only wants to see paths are connected to the root it passes
in. So __d_path needs prepend_path to return an error.
d_absolute_path similarly wants to see paths that are connected to
some root. Escaped paths are not connected to any mnt_root so
d_absolute_path needs prepend_path to return an error greater
than 1. So escaped paths will be treated like paths on lazily
unmounted mounts.
getcwd needs to prepend "(unreachable)" so getcwd also needs
prepend_path to return an error.
d_path is the interesting hold out. d_path just wants to print
something, and does not care about the weird cases. Which raises
the question what should be printed?
Given that <escaped_path>/<anything> should result in -ENOENT I
believe it is desirable for escaped paths to be printed as empty
paths. As there are not really any meaninful path components when
considered from the perspective of a mount tree.
So tweak prepend_path to return an empty path with an new error
code of 3 when it encounters an escaped path.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
fs/dcache.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/dcache.c b/fs/dcache.c
index 9b5fe503f6cb..e3b44ca75a1b 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2926,6 +2926,13 @@ restart:
if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
struct mount *parent = ACCESS_ONCE(mnt->mnt_parent);
+ /* Escaped? */
+ if (dentry != vfsmnt->mnt_root) {
+ bptr = *buffer;
+ blen = *buflen;
+ error = 3;
+ break;
+ }
/* Global root? */
if (mnt != parent) {
dentry = ACCESS_ONCE(mnt->mnt_mountpoint);
--
2.4.3

12
disable-i8042-check-on-apple-mac.patch
View File

@ -1,3 +1,4 @@
From 31e64826785b5bafef7a6361516c060be2bca253 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 20 May 2010 10:30:31 -0400
Subject: [PATCH] disable i8042 check on apple mac
@ -17,11 +18,11 @@ Signed-off-by: Bastien Nocera <hadess@hadess.net>
1 file changed, 22 insertions(+)
diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
index 4022b75eaad7..1aaf06aa7b0f 100644
index c9c98f0ab284..5137185e14a9 100644
--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1506,6 +1506,22 @@ static struct platform_driver i8042_driver = {
.shutdown = i8042_shutdown,
@@ -1540,6 +1540,22 @@ static struct notifier_block i8042_kbd_bind_notifier_block = {
.notifier_call = i8042_kbd_bind_notifier,
};
+#ifdef CONFIG_DMI
@ -43,7 +44,7 @@ index 4022b75eaad7..1aaf06aa7b0f 100644
static int __init i8042_init(void)
{
struct platform_device *pdev;
@@ -1513,6 +1529,12 @@ static int __init i8042_init(void)
@@ -1547,6 +1563,12 @@ static int __init i8042_init(void)
dbg_init();
@ -56,3 +57,6 @@ index 4022b75eaad7..1aaf06aa7b0f 100644
err = i8042_platform_init();
if (err)
return err;
--
2.4.3

18
drm-i915-hush-check-crtc-state.patch
View File

@ -1,3 +1,4 @@
From 02f47b49ab1cdbe62ceb71b658e2c469799ae368 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Wed, 13 Nov 2013 10:17:24 -0500
Subject: [PATCH] drm/i915: hush check crtc state
@ -14,15 +15,18 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 647b1404c441..e102a06f26e0 100644
index ca9278be49f7..308ac0539a87 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -12322,7 +12322,7 @@ check_crtc_state(struct drm_device *dev)
if (active &&
!intel_pipe_config_compare(dev, crtc->config, &pipe_config)) {
@@ -12688,7 +12688,7 @@ check_crtc_state(struct drm_device *dev, struct drm_atomic_state *old_state)
sw_config = to_intel_crtc_state(crtc->state);
if (!intel_pipe_config_compare(dev, sw_config,
pipe_config, false)) {
- I915_STATE_WARN(1, "pipe state doesn't match!\n");
+ DRM_DEBUG_KMS("pipe state doesn't match!\n");
intel_dump_pipe_config(crtc, &pipe_config,
intel_dump_pipe_config(intel_crtc, pipe_config,
"[hw state]");
intel_dump_pipe_config(crtc, crtc->config,
intel_dump_pipe_config(intel_crtc, sw_config,
--
2.4.3

62
drm-radeon-fix-dpms-when-driver-backlight-control-is.patch
View File

@ -1,62 +0,0 @@
From ae93580ee59c02395c1711d3e6b90546b8137b86 Mon Sep 17 00:00:00 2001
From: Alex Deucher <alexander.deucher@amd.com>
Date: Tue, 27 Oct 2015 10:56:44 -0400
Subject: [PATCH 2/2] drm/radeon: fix dpms when driver backlight control is
disabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If driver backlight control is disabled, either by driver
parameter or default per-asic setting, revert to the old behavior.
Fixes a regression in commit:
4281f46ef839050d2ef60348f661eb463c21cc2e
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/radeon/atombios_encoders.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
index 933fd1bc849b..bb292143997e 100644
--- a/drivers/gpu/drm/radeon/atombios_encoders.c
+++ b/drivers/gpu/drm/radeon/atombios_encoders.c
@@ -1625,9 +1625,14 @@ radeon_atom_encoder_dpms_avivo(struct drm_encoder *encoder, int mode)
} else
atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args);
if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) {
- struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
+ if (rdev->mode_info.bl_encoder) {
+ struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
- atombios_set_backlight_level(radeon_encoder, dig->backlight_level);
+ atombios_set_backlight_level(radeon_encoder, dig->backlight_level);
+ } else {
+ args.ucAction = ATOM_LCD_BLON;
+ atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args);
+ }
}
break;
case DRM_MODE_DPMS_STANDBY:
@@ -1707,8 +1712,13 @@ radeon_atom_encoder_dpms_dig(struct drm_encoder *encoder, int mode)
if (ASIC_IS_DCE4(rdev))
atombios_dig_encoder_setup(encoder, ATOM_ENCODER_CMD_DP_VIDEO_ON, 0);
}
- if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT))
- atombios_set_backlight_level(radeon_encoder, dig->backlight_level);
+ if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) {
+ if (rdev->mode_info.bl_encoder)
+ atombios_set_backlight_level(radeon_encoder, dig->backlight_level);
+ else
+ atombios_dig_transmitter_setup(encoder,
+ ATOM_TRANSMITTER_ACTION_LCD_BLON, 0, 0);
+ }
if (ext_encoder)
atombios_external_encoder_setup(encoder, ext_encoder, ATOM_ENABLE);
break;
--
2.4.3

59
drm-radeon-move-bl-encoder-assignment-into-bl-init.patch
View File

@ -1,59 +0,0 @@
From 4cee6a9057d5e13911f0cb6e143d11dc1a3245dd Mon Sep 17 00:00:00 2001
From: Alex Deucher <alexander.deucher@amd.com>
Date: Wed, 28 Oct 2015 14:26:32 -0400
Subject: [PATCH 1/2] drm/radeon: move bl encoder assignment into bl init
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
So that the bl encoder will be null if the GPU does not
control the backlight.
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/radeon/atombios_encoders.c | 1 +
drivers/gpu/drm/radeon/radeon_encoders.c | 1 -
drivers/gpu/drm/radeon/radeon_legacy_encoders.c | 1 +
3 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
index 65adb9c72377..933fd1bc849b 100644
--- a/drivers/gpu/drm/radeon/atombios_encoders.c
+++ b/drivers/gpu/drm/radeon/atombios_encoders.c
@@ -237,6 +237,7 @@ void radeon_atom_backlight_init(struct radeon_encoder *radeon_encoder,
backlight_update_status(bd);
DRM_INFO("radeon atom DIG backlight initialized\n");
+ rdev->mode_info.bl_encoder = radeon_encoder;
return;
diff --git a/drivers/gpu/drm/radeon/radeon_encoders.c b/drivers/gpu/drm/radeon/radeon_encoders.c
index ef99917f000d..c6ee80216cf4 100644
--- a/drivers/gpu/drm/radeon/radeon_encoders.c
+++ b/drivers/gpu/drm/radeon/radeon_encoders.c
@@ -194,7 +194,6 @@ static void radeon_encoder_add_backlight(struct radeon_encoder *radeon_encoder,
radeon_atom_backlight_init(radeon_encoder, connector);
else
radeon_legacy_backlight_init(radeon_encoder, connector);
- rdev->mode_info.bl_encoder = radeon_encoder;
}
}
diff --git a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
index 45715307db71..30de43366eae 100644
--- a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
+++ b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
@@ -441,6 +441,7 @@ void radeon_legacy_backlight_init(struct radeon_encoder *radeon_encoder,
backlight_update_status(bd);
DRM_INFO("radeon legacy LVDS backlight initialized\n");
+ rdev->mode_info.bl_encoder = radeon_encoder;
return;
--
2.4.3

10
efi-Add-EFI_SECURE_BOOT-bit.patch
View File

@ -1,6 +1,7 @@
From b4467813ec088c13bd8c9f1eafb7c29d889d7c8f Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:33:03 -0400
Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit
Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
for use with efi_enabled.
@ -12,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
2 files changed, 3 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index c2e4f52cad30..5def6b4143fa 100644
index 1ac118146e90..f93826b8522c 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
@@ -1137,7 +1137,9 @@ void __init setup_arch(char **cmdline_p)
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot) {
@ -37,3 +38,6 @@ index 85ef051ac6fb..de3e45088d4a 100644
#ifdef CONFIG_EFI
/*
--
2.4.3

8
efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
View File

@ -1,6 +1,7 @@
From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
@ -14,7 +15,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 1ef8ea7f8ed9..d82dc9c1c19e 100644
index b4de3faa3f29..5cc2ef570390 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -830,8 +830,9 @@ out:
@ -52,3 +53,6 @@ index 1ef8ea7f8ed9..d82dc9c1c19e 100644
return 1;
}
--
2.4.3

10
efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
View File

@ -1,6 +1,7 @@
From 0081083434db41c15b72eced975da0bd9b80566b Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:28:43 -0400
Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Subject: [PATCH 12/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
The functionality of the config option is dependent upon the platform being
UEFI based. Reflect this in the config deps.
@ -11,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 4da6644b1fd0..341a1457f7c7 100644
index 14db458f4774..f6ff0a86d841 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1704,7 +1704,8 @@ config EFI_MIXED
@@ -1735,7 +1735,8 @@ config EFI_MIXED
If unsure, say N.
config EFI_SECURE_BOOT_SIG_ENFORCE
@ -24,3 +25,6 @@ index 4da6644b1fd0..341a1457f7c7 100644
prompt "Force module signing when UEFI Secure Boot is enabled"
---help---
UEFI Secure Boot provides a mechanism for ensuring that the
--
2.4.3

0
filter-aarch64.sh Normal file → Executable file
View File

0
filter-armv7hl.sh Normal file → Executable file
View File

0
filter-i686.sh Normal file → Executable file
View File

0
filter-ppc64.sh Normal file → Executable file
View File

0
filter-ppc64le.sh Normal file → Executable file
View File

0
filter-ppc64p7.sh Normal file → Executable file
View File

0
filter-s390x.sh Normal file → Executable file
View File

0
filter-x86_64.sh Normal file → Executable file
View File

6
hibernate-Disable-in-a-signed-modules-environment.patch
View File

@ -1,6 +1,7 @@
From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 20 Jun 2014 08:53:24 -0400
Subject: [PATCH] hibernate: Disable in a signed modules environment
Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
@ -33,3 +34,6 @@ index 690f78f210f2..037303a1cba9 100644
}
/**
--
2.4.3

40
ideapad-laptop-Add-Lenovo-Yoga-3-14-to-no_hw_rfkill-.patch
View File

@ -1,40 +0,0 @@
From 72695420d48c264b3ca0dacccda1a4789a52c2f6 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Fri, 24 Jul 2015 11:45:28 +0200
Subject: [PATCH] ideapad-laptop: Add Lenovo Yoga 3 14 to no_hw_rfkill dmi list
Like some of the other Yoga models the Lenovo Yoga 3 14 does not have a
hw rfkill switch, and trying to read the hw rfkill switch through the
ideapad module causes it to always reported blocking breaking wifi.
This commit adds the Lenovo Yoga 3 14 to the no_hw_rfkill dmi list, fixing
the wifi breakage.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1239050
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
drivers/platform/x86/ideapad-laptop.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
index 76b57388d01b..81c3e582309a 100644
--- a/drivers/platform/x86/ideapad-laptop.c
+++ b/drivers/platform/x86/ideapad-laptop.c
@@ -853,6 +853,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = {
},
},
{
+ .ident = "Lenovo Yoga 3 14",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 3 14"),
+ },
+ },
+ {
.ident = "Lenovo Yoga 3 Pro 1370",
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
--
2.4.3

41
ideapad-laptop-Add-Lenovo-Yoga-900-to-no_hw_rfkill-d.patch Normal file
View File

@ -0,0 +1,41 @@
From 332faabbaab64876396be48f1a1cf72b31d53a9d Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Mon, 9 Nov 2015 17:09:05 +0100
Subject: [PATCH] ideapad-laptop: Add Lenovo Yoga 900 to no_hw_rfkill dmi list
Like some of the other Yoga models the Lenovo Yoga 900 does not have a
hw rfkill switch, and trying to read the hw rfkill switch through the
ideapad module causes it to always reported blocking breaking wifi.
This commit adds the Lenovo Yoga 900 to the no_hw_rfkill dmi list, fixing
the wifi breakage.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1275490
Cc: stable@vger.kernel.org
Reported-and-tested-by: Kevin Fenzi <kevin@scrye.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
drivers/platform/x86/ideapad-laptop.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
index fce49f3c6ed6..d4a48b4d161a 100644
--- a/drivers/platform/x86/ideapad-laptop.c
+++ b/drivers/platform/x86/ideapad-laptop.c
@@ -873,6 +873,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = {
DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 3 Pro-1370"),
},
},
+ {
+ .ident = "Lenovo Yoga 900",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 900"),
+ },
+ },
{}
};
--
2.4.3

40
ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch Normal file
View File

@ -0,0 +1,40 @@
From 14b627c610f93c2700f9a3825ac10c35d51acfe4 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mon, 7 Dec 2015 13:50:38 -0500
Subject: [PATCH] ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill
dmi list
One of the newest ideapad models also lacks a physical hw rfkill switch,
and trying to read the hw rfkill switch through the ideapad module
causes it to always reported blocking breaking wifi.
Fix it by adding this model to the DMI list.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1286293
Cc: stable@vger.kernel.org
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
drivers/platform/x86/ideapad-laptop.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
index a313dfc0245f..d28db0e793df 100644
--- a/drivers/platform/x86/ideapad-laptop.c
+++ b/drivers/platform/x86/ideapad-laptop.c
@@ -865,6 +865,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = {
},
},
{
+ .ident = "Lenovo ideapad Y700-17ISK",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"),
+ },
+ },
+ {
.ident = "Lenovo Yoga 2 11 / 13 / Pro",
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
--
2.5.0

8
input-silence-i8042-noise.patch
View File

@ -16,10 +16,10 @@ Upstream-status: Fedora mustard
3 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index 30b7bbfdc558..95863902627f 100644
index 9717d5f20139..a3101d2fd936 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -123,8 +123,6 @@ void device_pm_unlock(void)
@@ -122,8 +122,6 @@ void device_pm_unlock(void)
*/
void device_pm_add(struct device *dev)
{
@ -29,7 +29,7 @@ index 30b7bbfdc558..95863902627f 100644
if (dev->parent && dev->parent->power.is_prepared)
dev_warn(dev, "parent %s should not be sleeping\n",
diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
index cb5ece77fd7d..4022b75eaad7 100644
index 986a71c614b0..bfb0b2280df0 100644
--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -871,7 +871,6 @@ static int __init i8042_check_aux(void)
@ -41,7 +41,7 @@ index cb5ece77fd7d..4022b75eaad7 100644
}
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 7933e62a7318..96a911003af7 100644
index 32d710eaf1fc..af4a20b86ee7 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -155,13 +155,9 @@ static int can_create(struct net *net, struct socket *sock, int protocol,

12
kbuild-AFTER_LINK.patch
View File

@ -1,3 +1,4 @@
From 7877d76b409181af38d307b98d8fed1024f3c9c2 Mon Sep 17 00:00:00 2001
From: Roland McGrath <roland@redhat.com>
Date: Mon, 6 Oct 2008 23:03:03 -0700
Subject: [PATCH] kbuild: AFTER_LINK
@ -62,7 +63,7 @@ index effca9404b17..713891a92d23 100644
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
diff --git a/arch/s390/kernel/vdso32/Makefile b/arch/s390/kernel/vdso32/Makefile
index 8ad2b34ad151..e153572ab351 100644
index ee8a18e50a25..63e33fa049f8 100644
--- a/arch/s390/kernel/vdso32/Makefile
+++ b/arch/s390/kernel/vdso32/Makefile
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
@ -76,7 +77,7 @@ index 8ad2b34ad151..e153572ab351 100644
cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $<
diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile
index 2a8ddfd12a5b..452ca53561fe 100644
index c4b03f9ed228..550450fc2f95 100644
--- a/arch/s390/kernel/vdso64/Makefile
+++ b/arch/s390/kernel/vdso64/Makefile
@@ -43,7 +43,8 @@ $(obj-vdso64): %.o: %.S
@ -90,7 +91,7 @@ index 2a8ddfd12a5b..452ca53561fe 100644
cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index e97032069f88..9ea82f444dea 100644
index a3d0767a6b29..078c9be1db8f 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -172,8 +172,9 @@ $(vdso32-images:%=$(obj)/%.dbg): $(obj)/vdso32-%.so.dbg: FORCE \
@ -103,7 +104,7 @@ index e97032069f88..9ea82f444dea 100644
+ $(if $(AFTER_LINK),; $(AFTER_LINK)) && \
+ sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \
VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \
$(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
index 1a10d8ac8162..092d0c0cf72c 100755
@ -120,3 +121,6 @@ index 1a10d8ac8162..092d0c0cf72c 100755
}
--
2.4.3

205
kernel.spec
View File

@ -46,14 +46,14 @@ Summary: The Linux kernel
# base_sublevel is the kernel version we're starting with and patching
# on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base,
# which yields a base_sublevel of 0.
%define base_sublevel 2
%define base_sublevel 3
## If this is a released kernel ##
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
#+Hu Pf against 4.2.5 v4.2-pf3: https://pf.natalenko.name/forum/index.php?topic=363.0
%define stable_update 5
#+Hu Pf against 4.3.3 v4.3-pf3: https://pf.natalenko.name/news/?p=111
%define stable_update 3
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@ -392,8 +392,12 @@ BuildRequires: rpm-build, elfutils
%define debuginfo_args --strict-build-id -r
%endif
%ifarch %{ix86} x86_64
# MODULE_SIG is enabled in config-x86-generic and needs these:
BuildRequires: openssl openssl-devel
%endif
%if %{signmodules}
BuildRequires: openssl
BuildRequires: pesign >= 0.10-4
%endif
@ -508,15 +512,13 @@ Patch455: usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch
Patch456: arm64-acpi-drop-expert-patch.patch
Patch457: showmem-cma-correct-reserved-memory-calculation.patch
Patch457: ARM-tegra-usb-no-reset.patch
Patch458: ARM-tegra-usb-no-reset.patch
Patch458: ARM-dts-Add-am335x-bonegreen.patch
Patch459: regulator-axp20x-module-alias.patch
Patch459: 0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch
Patch460: regulator-anatop-module-alias.patch
Patch461: ARM-dts-Add-am335x-bonegreen.patch
Patch460: mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch
Patch463: arm-i.MX6-Utilite-device-dtb.patch
@ -526,8 +528,6 @@ Patch467: die-floppy-die.patch
Patch468: no-pcspkr-modalias.patch
Patch469: input-silence-i8042-noise.patch
Patch470: silence-fbcon-logo.patch
Patch471: Kbuild-Add-an-option-to-enable-GCC-VTA.patch
@ -596,47 +596,63 @@ Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
Patch503: drm-i915-turn-off-wc-mmaps.patch
#rhbz 1244511
Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
#rhbz 1239050
Patch509: ideapad-laptop-Add-Lenovo-Yoga-3-14-to-no_hw_rfkill-.patch
#rhbz 1253789
Patch510: iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch
#rhbz 1257534
Patch513: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
#rhbz 1257500
Patch517: vmwgfx-Rework-device-initialization.patch
Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
#CVE-2015-6937 rhbz 1263139 1263140
Patch523: RDS-verify-the-underlying-transport-exists-before-cr.patch
#CVE-2015-7990 rhbz 1276437 1276438
Patch524: RDS-fix-race-condition-when-sending-a-message-on-unb.patch
#rhbz 1265978
Patch536: si2168-Bounds-check-firmware.patch
Patch537: si2157-Bounds-check-firmware.patch
#rhbz 1272172
Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
#rhbz 1257131
Patch542: 0001-xhci-Add-spurious-wakeup-quirk-for-LynxPoint-LP-cont.patch
#CVE-2015-7799 rhbz 1271134 1271135
Patch543: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
Patch544: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
Patch512: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
Patch513: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
#rhbz 1278407
Patch545: drm-radeon-move-bl-encoder-assignment-into-bl-init.patch
Patch546: drm-radeon-fix-dpms-when-driver-backlight-control-is.patch
#CVE-2015-8104 rhbz 1278496 1279691
Patch551: KVM-svm-unconditionally-intercept-DB.patch
#rhbz 1269300
Patch552: megaraid_sas-Do-not-use-PAGE_SIZE-for-max_sectors.patch
#rhbz 1275490
Patch553: ideapad-laptop-Add-Lenovo-Yoga-900-to-no_hw_rfkill-d.patch
#rhbz 1279189
Patch556: netfilter-ipset-Fix-extension-alignment.patch
Patch557: netfilter-ipset-Fix-hash-type-expiration.patch
Patch558: netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch
#rhbz 1284059
Patch566: KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
#CVE-2015-7833 rhbz 1270158 1270160
Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch
#CVE-2015-7515 rhbz 1285326 1285331
Patch568: Input-aiptek-fix-crash-on-detecting-device-without-e.patch
#rhbz 1287819
Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch
#rhbz 1286293
Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
#rhbz 1288687
Patch572: alua_fix.patch
#CVE-XXXX-XXXX rhbz 1291329 1291332
Patch574: ovl-fix-permission-checking-for-setattr.patch
#CVE-2015-7550 rhbz 1291197 1291198
Patch575: KEYS-Fix-race-between-read-and-revoke.patch
#CVE-2015-8543 rhbz 1290475 1290477
Patch576: net-add-validation-for-the-socket-syscall-protocol-a.patch
#CVE-2015-8569 rhbz 1292045 1292047
Patch600: pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
Patch601: vrf-fix-memory-leak-on-registration.patch
#CVE-2015-8575 rhbz 1292840 1292841
Patch602: bluetooth-Validate-socket-address-length-in-sco_sock.patch
#CVE-2015-8709 rhbz 1295287 1295288
Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
################# Hubbitus patches
@ -1371,11 +1387,9 @@ BuildKernel() {
cp configs/$Config .config
%if %{signmodules}
cp %{SOURCE11} .
cp %{SOURCE11} certs/.
%endif
chmod +x scripts/sign-file
Arch=`head -1 .config | cut -b 3-`
echo USING ARCH=$Arch
@ -1617,8 +1631,8 @@ BuildKernel() {
%if %{signmodules}
# Save the signing keys so we can sign the modules in __modsign_install_post
cp signing_key.priv signing_key.priv.sign${Flav}
cp signing_key.x509 signing_key.x509.sign${Flav}
cp certs/signing_key.pem certs/signing_key.pem.sign${Flav}
cp certs/signing_key.x509 certs/signing_key.x509.sign${Flav}
%endif
# Move the devel headers out of the root file system
@ -1713,16 +1727,16 @@ popd
%define __modsign_install_post \
if [ "%{signmodules}" -eq "1" ]; then \
if [ "%{with_pae}" -ne "0" ]; then \
%{modsign_cmd} signing_key.priv.sign+%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
%{modsign_cmd} certs/signing_key.pem.sign+%{pae} certs/signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
fi \
if [ "%{with_debug}" -ne "0" ]; then \
%{modsign_cmd} signing_key.priv.sign+debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
%{modsign_cmd} certs/signing_key.pem.sign+debug certs/signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
fi \
if [ "%{with_pae_debug}" -ne "0" ]; then \
%{modsign_cmd} signing_key.priv.sign+%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
%{modsign_cmd} certs/signing_key.pem.sign+%{pae}debug certs/signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
fi \
if [ "%{with_up}" -ne "0" ]; then \
%{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
%{modsign_cmd} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
fi \
fi \
if [ "%{zipmodules}" -eq "1" ]; then \
@ -1983,6 +1997,7 @@ fi
%{_libdir}/traceevent/plugins/*
%dir %{_libexecdir}/perf-core
%{_libexecdir}/perf-core/*
%{_datadir}/perf-core/*
%{_mandir}/man[1-8]/perf*
%{_sysconfdir}/bash_completion.d/perf
%doc linux-%{KVERREL}/tools/perf/Documentation/examples.txt
@ -2111,6 +2126,80 @@ fi
# and build.
#
%changelog
* Tue Jan 05 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-8709 ptrace: potential priv escalation with userns (rhbz 1295287 1295288)
- Merge 4.3.3 from stabilization branch
* Fri Dec 18 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-8575 information leak in sco_sock_bind (rhbz 1292840 1292841)
* Thu Dec 17 2015 Justin M. Forbes <jforbes@fedoraproject.org>
- Fix for memory leak in vrf
* Thu Dec 17 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-8569 info leak from getsockname (rhbz 1292045 1292047)
* Tue Dec 15 2015 Justin Forbes <jforbes@fedoraproject.org> - 4.2.8-300
- Linux v4.2.8
* Tue Dec 15 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-8543 ipv6: DoS via NULL pointer dereference (rhbz 1290475 1290477)
* Mon Dec 14 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-7550 Race between read and revoke keys (rhbz 1291197 1291198)
- CVE-XXXX-XXXX permission bypass on overlayfs (rhbz 1291329 1291332)
* Fri Dec 11 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2013-7446 unix sockects use after free (rhbz 1282688 1282712)
* Thu Dec 10 2015 Laura Abbott <labbott@redhat.com>
- Ignore errors from scsi_dh_add_device (rhbz 1288687)
* Thu Dec 10 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Fix rfkill issues on ideapad Y700-17ISK (rhbz 1286293)
* Wed Dec 09 2015 Justin Forbes <jforbes@fedoraproject.org> - 4.2.7-300
- Linux v4.2.7
* Thu Dec 03 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Add patch to fix palm rejection on certain touchpads (rhbz 1287819)
- Add new PCI ids for wireless, including Lenovo Yoga (rhbz 1275490)
* Tue Dec 01 2015 Laura Abbott <labbott@redhat.com>
- Enable CONFIG_X86_INTEL_MPX (rhbz 1287279)
* Tue Dec 01 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-7515 aiptek: crash on invalid device descriptors (rhbz 1285326 1285331)
- CVE-2015-7833 usbvision: crash on invalid device descriptors (rhbz 1270158 1270160)
* Mon Nov 30 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Fix crash in add_key (rhbz 1284059)
- CVE-2015-8374 btrfs: info leak when truncating compressed/inlined extents (rhbz 1286261 1286262)
* Sun Nov 22 2015 Peter Robinson <pbrobinson@fedoraproject.org>
- Fix sound issue on some ARM devices (tested on Arndale)
* Fri Nov 20 2015 Justin M. Forbes <jmforbes@fedoraproject.org> - 4.2.6-301
- Fix for GRE tunnel running in IPSec (rhbz 1272571)
- Fix KVM on specific hardware (rhbz 1278688)
* Mon Nov 16 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Fix ipset netfilter issues (rhbz 1279189)
* Thu Nov 12 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-5327 x509 time validation
* Tue Nov 10 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Fix Yoga 900 rfkill switch issues (rhbz 1275490)
* Tue Nov 10 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 4.2.6-300
- Linux v4.2.6
* Tue Nov 10 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Fix incorrect size calculations in megaraid with 64K pages (rhbz 1269300)
- CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691)
- CVE-2015-5307 kvm: DoS infinite loop in microcode AC exception (rhbz 1277172 1279688)
* Sat Nov 07 2015 Pavel Alexeev <Pahan@Hubbitus.info> - 4.2.5-300.hu.1.pf3
- Update to Fedora23.
- Merge fc23 branch.

22
kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
View File

@ -1,3 +1,4 @@
From 6306cad6e5663424c08e5ebdfdcfd799c5537bfe Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 03:33:56 -0400
Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
@ -13,18 +14,18 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
1 file changed, 8 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index a785c1015e25..81d6b404f33c 100644
index 4c5edc357923..db431971dbd4 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -36,6 +36,7 @@
#include <linux/syscore_ops.h>
#include <linux/compiler.h>
#include <linux/hugetlb.h>
@@ -10,6 +10,7 @@
#include <linux/mm.h>
#include <linux/file.h>
#include <linux/kexec.h>
+#include <linux/module.h>
#include <asm/page.h>
#include <asm/uaccess.h>
@@ -1258,6 +1259,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
#include <linux/mutex.h>
#include <linux/list.h>
#include <linux/syscalls.h>
@@ -133,6 +134,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
return -EPERM;
/*
@ -38,3 +39,6 @@ index a785c1015e25..81d6b404f33c 100644
* Verify we have a legal set of flags
* This leaves us room for future extensions.
*/
--
2.4.3

50
megaraid_sas-Do-not-use-PAGE_SIZE-for-max_sectors.patch Normal file
View File

@ -0,0 +1,50 @@
From c6f081c88ab76d5a40365b94c1f5839e099b2b2b Mon Sep 17 00:00:00 2001
From: "sumit.saxena@avagotech.com" <sumit.saxena@avagotech.com>
Date: Thu, 15 Oct 2015 13:40:04 +0530
Subject: [PATCH] megaraid_sas: Do not use PAGE_SIZE for max_sectors
Do not use PAGE_SIZE marco to calculate max_sectors per I/O
request. Driver code assumes PAGE_SIZE will be always 4096 which can
lead to wrongly calculated value if PAGE_SIZE is not 4096. This issue
was reported in Ubuntu Bugzilla Bug #1475166.
Cc: <stable@vger.kernel.org>
Signed-off-by: Sumit Saxena <sumit.saxena@avagotech.com>
Signed-off-by: Kashyap Desai <kashyap.desai@avagotech.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
drivers/scsi/megaraid/megaraid_sas.h | 2 ++
drivers/scsi/megaraid/megaraid_sas_base.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h
index 20c37541963f..ebf821b94cb6 100644
--- a/drivers/scsi/megaraid/megaraid_sas.h
+++ b/drivers/scsi/megaraid/megaraid_sas.h
@@ -364,6 +364,8 @@ enum MR_EVT_ARGS {
MR_EVT_ARGS_GENERIC,
};
+
+#define SGE_BUFFER_SIZE 4096
/*
* define constants for device list query options
*/
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index eaa81e552fd2..a9eb10ebc6ed 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -4752,7 +4752,7 @@ static int megasas_init_fw(struct megasas_instance *instance)
instance->max_sectors_per_req = instance->max_num_sge *
- PAGE_SIZE / 512;
+ SGE_BUFFER_SIZE / 512;
if (tmp_sectors && (instance->max_sectors_per_req > tmp_sectors))
instance->max_sectors_per_req = tmp_sectors;
--
2.4.3

28
mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch Normal file
View File

@ -0,0 +1,28 @@
From 567a18f57213647e2c31bbdc7f6b8f9991d22fad Mon Sep 17 00:00:00 2001
From: Peter Robinson <pbrobinson@gmail.com>
Date: Fri, 13 Nov 2015 19:03:29 +0000
Subject: [PATCH] mfd: wm8994: Ensure that the whole MFD is built into a single
module
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
---
drivers/mfd/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/mfd/Makefile b/drivers/mfd/Makefile
index a59e3fc..4a767ef 100644
--- a/drivers/mfd/Makefile
+++ b/drivers/mfd/Makefile
@@ -61,7 +61,8 @@ wm8350-objs := wm8350-core.o wm8350-regmap.o wm8350-gpio.o
wm8350-objs += wm8350-irq.o
obj-$(CONFIG_MFD_WM8350) += wm8350.o
obj-$(CONFIG_MFD_WM8350_I2C) += wm8350-i2c.o
-obj-$(CONFIG_MFD_WM8994) += wm8994-core.o wm8994-irq.o wm8994-regmap.o
+wm8994-objs := wm8994-core.o wm8994-irq.o wm8994-regmap.o
+obj-$(CONFIG_MFD_WM8994) += wm8994.o
obj-$(CONFIG_TPS6105X) += tps6105x.o
obj-$(CONFIG_TPS65010) += tps65010.o
--
2.5.0

139
net-add-validation-for-the-socket-syscall-protocol-a.patch Normal file
View File

@ -0,0 +1,139 @@
From 4da7dc22c91ad2c3144cb1d0d96e9611bc86da47 Mon Sep 17 00:00:00 2001
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Mon, 14 Dec 2015 22:03:39 +0100
Subject: [PATCH] net: add validation for the socket syscall protocol argument
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
郭永刚 reported that one could simply crash the kernel as root by
using a simple program:
int socket_fd;
struct sockaddr_in addr;
addr.sin_port = 0;
addr.sin_addr.s_addr = INADDR_ANY;
addr.sin_family = 10;
socket_fd = socket(10,3,0x40000000);
connect(socket_fd , &addr,16);
AF_INET, AF_INET6 sockets actually only support 8-bit protocol
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
thus larger protocol identifiers simply cut off the higher bits and
store a zero in the protocol fields.
This could lead to e.g. NULL function pointer because as a result of
the cut off inet_num is zero and we call down to inet_autobind, which
is NULL for raw sockets.
kernel: Call Trace:
kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
I found no particular commit which introduced this problem.
CVE: CVE-2015-8543
Cc: Cong Wang <cwang@twopensource.com>
Reported-by: 郭永刚 <guoyonggang@360.cn>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/net/sock.h | 1 +
net/ax25/af_ax25.c | 3 +++
net/decnet/af_decnet.c | 3 +++
net/ipv4/af_inet.c | 3 +++
net/ipv6/af_inet6.c | 3 +++
net/irda/af_irda.c | 3 +++
6 files changed, 16 insertions(+)
diff --git a/include/net/sock.h b/include/net/sock.h
index 52d27ee924f4..2fa1fc00e8cb 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -403,6 +403,7 @@ struct sock {
sk_no_check_rx : 1,
sk_userlocks : 4,
sk_protocol : 8,
+#define SK_PROTOCOL_MAX U8_MAX
sk_type : 16;
kmemcheck_bitfield_end(flags);
int sk_wmem_queued;
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index ae3a47f9d1d5..fbd0acf80b13 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
struct sock *sk;
ax25_cb *ax25;
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+ return -EINVAL;
+
if (!net_eq(net, &init_net))
return -EAFNOSUPPORT;
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index eebf5ac8ce18..13d6b1a6e0fc 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
{
struct sock *sk;
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+ return -EINVAL;
+
if (!net_eq(net, &init_net))
return -EAFNOSUPPORT;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 11c4ca13ec3b..5c5db6636704 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
int try_loading_module = 0;
int err;
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
+ return -EINVAL;
+
sock->state = SS_UNCONNECTED;
/* Look for the requested type/protocol pair. */
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 8ec0df75f1c4..9f5137cd604e 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
int try_loading_module = 0;
int err;
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
+ return -EINVAL;
+
/* Look for the requested type/protocol pair. */
lookup_protocol:
err = -ESOCKTNOSUPPORT;
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index e6aa48b5395c..923abd6b3064 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
struct sock *sk;
struct irda_sock *self;
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+ return -EINVAL;
+
if (net != &init_net)
return -EAFNOSUPPORT;
--
2.5.0

76
net-inet-fix-race-in-reqsk_queue_unlink.patch Normal file
View File

@ -0,0 +1,76 @@
From patchwork Thu Oct 1 12:39:26 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [net] inet: fix race in reqsk_queue_unlink()
From: Eric Dumazet <eric.dumazet@gmail.com>
X-Patchwork-Id: 524966
Message-Id: <1443703166.32531.47.camel@edumazet-glaptop2.roam.corp.google.com>
To: David Miller <davem@davemloft.net>
Cc: netdev <netdev@vger.kernel.org>, Yuchung Cheng <ycheng@google.com>
Date: Thu, 01 Oct 2015 05:39:26 -0700
From: Eric Dumazet <edumazet@google.com>
reqsk_timer_handler() tests if icsk_accept_queue.listen_opt
is NULL at its beginning.
By the time it calls inet_csk_reqsk_queue_drop() and
reqsk_queue_unlink(), listener might have been closed and
inet_csk_listen_stop() had called reqsk_queue_yank_acceptq()
which sets icsk_accept_queue.listen_opt to NULL
We therefore need to correctly check listen_opt being NULL
after holding syn_wait_lock for proper synchronization.
Fixes: fa76ce7328b2 ("inet: get rid of central tcp/dccp listener timer")
Fixes: b357a364c57c ("inet: fix possible panic in reqsk_queue_unlink()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
---
net/ipv4/inet_connection_sock.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 7bb9c39e0a4d..61b45a17fc73 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -577,21 +577,22 @@ EXPORT_SYMBOL(inet_rtx_syn_ack);
static bool reqsk_queue_unlink(struct request_sock_queue *queue,
struct request_sock *req)
{
- struct listen_sock *lopt = queue->listen_opt;
struct request_sock **prev;
+ struct listen_sock *lopt;
bool found = false;
spin_lock(&queue->syn_wait_lock);
-
- for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL;
- prev = &(*prev)->dl_next) {
- if (*prev == req) {
- *prev = req->dl_next;
- found = true;
- break;
+ lopt = queue->listen_opt;
+ if (lopt) {
+ for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL;
+ prev = &(*prev)->dl_next) {
+ if (*prev == req) {
+ *prev = req->dl_next;
+ found = true;
+ break;
+ }
}
}
-
spin_unlock(&queue->syn_wait_lock);
if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer))
reqsk_put(req);

481
netfilter-ipset-Fix-extension-alignment.patch Normal file
View File

@ -0,0 +1,481 @@
From 55301931f78c0fdbb8f76dfdb3f914e9eef1f273 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Sat, 7 Nov 2015 11:21:47 +0100
Subject: [PATCH 1/3] netfilter: ipset: Fix extension alignment
The data extensions in ipset lacked the proper memory alignment and
thus could lead to kernel crash on several architectures. Therefore
the structures have been reorganized and alignment attributes added
where needed. The patch was tested on armv7h by Gerhard Wiesinger and
on x86_64, sparc64 by Jozsef Kadlecsik.
Reported-by: Gerhard Wiesinger <lists@wiesinger.com>
Tested-by: Gerhard Wiesinger <lists@wiesinger.com>
Tested-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 2 +-
net/netfilter/ipset/ip_set_bitmap_gen.h | 17 +++-----
net/netfilter/ipset/ip_set_bitmap_ip.c | 14 ++-----
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 64 ++++++++++++++-----------------
net/netfilter/ipset/ip_set_bitmap_port.c | 18 ++++-----
net/netfilter/ipset/ip_set_core.c | 14 ++++---
net/netfilter/ipset/ip_set_hash_gen.h | 11 ++++--
net/netfilter/ipset/ip_set_list_set.c | 5 ++-
8 files changed, 65 insertions(+), 80 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 48bb01edcf30..0e1f433cc4b7 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -421,7 +421,7 @@ extern void ip_set_free(void *members);
extern int ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr);
extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr);
extern size_t ip_set_elem_len(struct ip_set *set, struct nlattr *tb[],
- size_t len);
+ size_t len, size_t align);
extern int ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
struct ip_set_ext *ext);
diff --git a/net/netfilter/ipset/ip_set_bitmap_gen.h b/net/netfilter/ipset/ip_set_bitmap_gen.h
index d05e759ed0fa..b0bc475f641e 100644
--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
+++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
@@ -33,7 +33,7 @@
#define mtype_gc IPSET_TOKEN(MTYPE, _gc)
#define mtype MTYPE
-#define get_ext(set, map, id) ((map)->extensions + (set)->dsize * (id))
+#define get_ext(set, map, id) ((map)->extensions + ((set)->dsize * (id)))
static void
mtype_gc_init(struct ip_set *set, void (*gc)(unsigned long ul_set))
@@ -67,12 +67,9 @@ mtype_destroy(struct ip_set *set)
del_timer_sync(&map->gc);
ip_set_free(map->members);
- if (set->dsize) {
- if (set->extensions & IPSET_EXT_DESTROY)
- mtype_ext_cleanup(set);
- ip_set_free(map->extensions);
- }
- kfree(map);
+ if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
+ mtype_ext_cleanup(set);
+ ip_set_free(map);
set->data = NULL;
}
@@ -92,16 +89,14 @@ mtype_head(struct ip_set *set, struct sk_buff *skb)
{
const struct mtype *map = set->data;
struct nlattr *nested;
+ size_t memsize = sizeof(*map) + map->memsize;
nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
if (!nested)
goto nla_put_failure;
if (mtype_do_head(skb, map) ||
nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
- nla_put_net32(skb, IPSET_ATTR_MEMSIZE,
- htonl(sizeof(*map) +
- map->memsize +
- set->dsize * map->elements)))
+ nla_put_net32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)))
goto nla_put_failure;
if (unlikely(ip_set_put_flags(skb, set)))
goto nla_put_failure;
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index 64a564334418..4783efff0bde 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -41,7 +41,6 @@ MODULE_ALIAS("ip_set_bitmap:ip");
/* Type structure */
struct bitmap_ip {
void *members; /* the set members */
- void *extensions; /* data extensions */
u32 first_ip; /* host byte order, included in range */
u32 last_ip; /* host byte order, included in range */
u32 elements; /* number of max elements in the set */
@@ -49,6 +48,8 @@ struct bitmap_ip {
size_t memsize; /* members size */
u8 netmask; /* subnet netmask */
struct timer_list gc; /* garbage collection */
+ unsigned char extensions[0] /* data extensions */
+ __aligned(__alignof__(u64));
};
/* ADT structure for generic function args */
@@ -224,13 +225,6 @@ init_map_ip(struct ip_set *set, struct bitmap_ip *map,
map->members = ip_set_alloc(map->memsize);
if (!map->members)
return false;
- if (set->dsize) {
- map->extensions = ip_set_alloc(set->dsize * elements);
- if (!map->extensions) {
- kfree(map->members);
- return false;
- }
- }
map->first_ip = first_ip;
map->last_ip = last_ip;
map->elements = elements;
@@ -316,13 +310,13 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
pr_debug("hosts %u, elements %llu\n",
hosts, (unsigned long long)elements);
- map = kzalloc(sizeof(*map), GFP_KERNEL);
+ set->dsize = ip_set_elem_len(set, tb, 0, 0);
+ map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
if (!map)
return -ENOMEM;
map->memsize = bitmap_bytes(0, elements - 1);
set->variant = &bitmap_ip;
- set->dsize = ip_set_elem_len(set, tb, 0);
if (!init_map_ip(set, map, first_ip, last_ip,
elements, hosts, netmask)) {
kfree(map);
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 1430535118fb..29dde208381d 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -47,24 +47,26 @@ enum {
/* Type structure */
struct bitmap_ipmac {
void *members; /* the set members */
- void *extensions; /* MAC + data extensions */
u32 first_ip; /* host byte order, included in range */
u32 last_ip; /* host byte order, included in range */
u32 elements; /* number of max elements in the set */
size_t memsize; /* members size */
struct timer_list gc; /* garbage collector */
+ unsigned char extensions[0] /* MAC + data extensions */
+ __aligned(__alignof__(u64));
};
/* ADT structure for generic function args */
struct bitmap_ipmac_adt_elem {
+ unsigned char ether[ETH_ALEN] __aligned(2);
u16 id;
- unsigned char *ether;
+ u16 add_mac;
};
struct bitmap_ipmac_elem {
unsigned char ether[ETH_ALEN];
unsigned char filled;
-} __attribute__ ((aligned));
+} __aligned(__alignof__(u64));
static inline u32
ip_to_id(const struct bitmap_ipmac *m, u32 ip)
@@ -72,11 +74,11 @@ ip_to_id(const struct bitmap_ipmac *m, u32 ip)
return ip - m->first_ip;
}
-static inline struct bitmap_ipmac_elem *
-get_elem(void *extensions, u16 id, size_t dsize)
-{
- return (struct bitmap_ipmac_elem *)(extensions + id * dsize);
-}
+#define get_elem(extensions, id, dsize) \
+ (struct bitmap_ipmac_elem *)(extensions + (id) * (dsize))
+
+#define get_const_elem(extensions, id, dsize) \
+ (const struct bitmap_ipmac_elem *)(extensions + (id) * (dsize))
/* Common functions */
@@ -88,10 +90,9 @@ bitmap_ipmac_do_test(const struct bitmap_ipmac_adt_elem *e,
if (!test_bit(e->id, map->members))
return 0;
- elem = get_elem(map->extensions, e->id, dsize);
- if (elem->filled == MAC_FILLED)
- return !e->ether ||
- ether_addr_equal(e->ether, elem->ether);
+ elem = get_const_elem(map->extensions, e->id, dsize);
+ if (e->add_mac && elem->filled == MAC_FILLED)
+ return ether_addr_equal(e->ether, elem->ether);
/* Trigger kernel to fill out the ethernet address */
return -EAGAIN;
}
@@ -103,7 +104,7 @@ bitmap_ipmac_gc_test(u16 id, const struct bitmap_ipmac *map, size_t dsize)
if (!test_bit(id, map->members))
return 0;
- elem = get_elem(map->extensions, id, dsize);
+ elem = get_const_elem(map->extensions, id, dsize);
/* Timer not started for the incomplete elements */
return elem->filled == MAC_FILLED;
}
@@ -133,7 +134,7 @@ bitmap_ipmac_add_timeout(unsigned long *timeout,
* and we can reuse it later when MAC is filled out,
* possibly by the kernel
*/
- if (e->ether)
+ if (e->add_mac)
ip_set_timeout_set(timeout, t);
else
*timeout = t;
@@ -150,7 +151,7 @@ bitmap_ipmac_do_add(const struct bitmap_ipmac_adt_elem *e,
elem = get_elem(map->extensions, e->id, dsize);
if (test_bit(e->id, map->members)) {
if (elem->filled == MAC_FILLED) {
- if (e->ether &&
+ if (e->add_mac &&
(flags & IPSET_FLAG_EXIST) &&
!ether_addr_equal(e->ether, elem->ether)) {
/* memcpy isn't atomic */
@@ -159,7 +160,7 @@ bitmap_ipmac_do_add(const struct bitmap_ipmac_adt_elem *e,
ether_addr_copy(elem->ether, e->ether);
}
return IPSET_ADD_FAILED;
- } else if (!e->ether)
+ } else if (!e->add_mac)
/* Already added without ethernet address */
return IPSET_ADD_FAILED;
/* Fill the MAC address and trigger the timer activation */
@@ -168,7 +169,7 @@ bitmap_ipmac_do_add(const struct bitmap_ipmac_adt_elem *e,
ether_addr_copy(elem->ether, e->ether);
elem->filled = MAC_FILLED;
return IPSET_ADD_START_STORED_TIMEOUT;
- } else if (e->ether) {
+ } else if (e->add_mac) {
/* We can store MAC too */
ether_addr_copy(elem->ether, e->ether);
elem->filled = MAC_FILLED;
@@ -191,7 +192,7 @@ bitmap_ipmac_do_list(struct sk_buff *skb, const struct bitmap_ipmac *map,
u32 id, size_t dsize)
{
const struct bitmap_ipmac_elem *elem =
- get_elem(map->extensions, id, dsize);
+ get_const_elem(map->extensions, id, dsize);
return nla_put_ipaddr4(skb, IPSET_ATTR_IP,
htonl(map->first_ip + id)) ||
@@ -213,7 +214,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
{
struct bitmap_ipmac *map = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
- struct bitmap_ipmac_adt_elem e = { .id = 0 };
+ struct bitmap_ipmac_adt_elem e = { .id = 0, .add_mac = 1 };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
u32 ip;
@@ -231,7 +232,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
return -EINVAL;
e.id = ip_to_id(map, ip);
- e.ether = eth_hdr(skb)->h_source;
+ memcpy(e.ether, eth_hdr(skb)->h_source, ETH_ALEN);
return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
}
@@ -265,11 +266,10 @@ bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
return -IPSET_ERR_BITMAP_RANGE;
e.id = ip_to_id(map, ip);
- if (tb[IPSET_ATTR_ETHER])
- e.ether = nla_data(tb[IPSET_ATTR_ETHER]);
- else
- e.ether = NULL;
-
+ if (tb[IPSET_ATTR_ETHER]) {
+ memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN);
+ e.add_mac = 1;
+ }
ret = adtfn(set, &e, &ext, &ext, flags);
return ip_set_eexist(ret, flags) ? 0 : ret;
@@ -300,13 +300,6 @@ init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
map->members = ip_set_alloc(map->memsize);
if (!map->members)
return false;
- if (set->dsize) {
- map->extensions = ip_set_alloc(set->dsize * elements);
- if (!map->extensions) {
- kfree(map->members);
- return false;
- }
- }
map->first_ip = first_ip;
map->last_ip = last_ip;
map->elements = elements;
@@ -361,14 +354,15 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
if (elements > IPSET_BITMAP_MAX_RANGE + 1)
return -IPSET_ERR_BITMAP_RANGE_SIZE;
- map = kzalloc(sizeof(*map), GFP_KERNEL);
+ set->dsize = ip_set_elem_len(set, tb,
+ sizeof(struct bitmap_ipmac_elem),
+ __alignof__(struct bitmap_ipmac_elem));
+ map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
if (!map)
return -ENOMEM;
map->memsize = bitmap_bytes(0, elements - 1);
set->variant = &bitmap_ipmac;
- set->dsize = ip_set_elem_len(set, tb,
- sizeof(struct bitmap_ipmac_elem));
if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
kfree(map);
return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
index 5338ccd5da46..7f0c733358a4 100644
--- a/net/netfilter/ipset/ip_set_bitmap_port.c
+++ b/net/netfilter/ipset/ip_set_bitmap_port.c
@@ -35,12 +35,13 @@ MODULE_ALIAS("ip_set_bitmap:port");
/* Type structure */
struct bitmap_port {
void *members; /* the set members */
- void *extensions; /* data extensions */
u16 first_port; /* host byte order, included in range */
u16 last_port; /* host byte order, included in range */
u32 elements; /* number of max elements in the set */
size_t memsize; /* members size */
struct timer_list gc; /* garbage collection */
+ unsigned char extensions[0] /* data extensions */
+ __aligned(__alignof__(u64));
};
/* ADT structure for generic function args */
@@ -209,13 +210,6 @@ init_map_port(struct ip_set *set, struct bitmap_port *map,
map->members = ip_set_alloc(map->memsize);
if (!map->members)
return false;
- if (set->dsize) {
- map->extensions = ip_set_alloc(set->dsize * map->elements);
- if (!map->extensions) {
- kfree(map->members);
- return false;
- }
- }
map->first_port = first_port;
map->last_port = last_port;
set->timeout = IPSET_NO_TIMEOUT;
@@ -232,6 +226,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
{
struct bitmap_port *map;
u16 first_port, last_port;
+ u32 elements;
if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT_TO) ||
@@ -248,14 +243,15 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
last_port = tmp;
}
- map = kzalloc(sizeof(*map), GFP_KERNEL);
+ elements = last_port - first_port + 1;
+ set->dsize = ip_set_elem_len(set, tb, 0, 0);
+ map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
if (!map)
return -ENOMEM;
- map->elements = last_port - first_port + 1;
+ map->elements = elements;
map->memsize = bitmap_bytes(0, map->elements);
set->variant = &bitmap_port;
- set->dsize = ip_set_elem_len(set, tb, 0);
if (!init_map_port(set, map, first_port, last_port)) {
kfree(map);
return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 338b4047776f..cab4bc06cddd 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -364,25 +364,27 @@ add_extension(enum ip_set_ext_id id, u32 flags, struct nlattr *tb[])
}
size_t
-ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len)
+ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len,
+ size_t align)
{
enum ip_set_ext_id id;
- size_t offset = len;
u32 cadt_flags = 0;
if (tb[IPSET_ATTR_CADT_FLAGS])
cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_WITH_FORCEADD)
set->flags |= IPSET_CREATE_FLAG_FORCEADD;
+ if (!align)
+ align = 1;
for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
if (!add_extension(id, cadt_flags, tb))
continue;
- offset = ALIGN(offset, ip_set_extensions[id].align);
- set->offset[id] = offset;
+ len = ALIGN(len, ip_set_extensions[id].align);
+ set->offset[id] = len;
set->extensions |= ip_set_extensions[id].type;
- offset += ip_set_extensions[id].len;
+ len += ip_set_extensions[id].len;
}
- return offset;
+ return ALIGN(len, align);
}
EXPORT_SYMBOL_GPL(ip_set_elem_len);
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 691b54fcaf2a..4ff22194ce55 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -72,8 +72,9 @@ struct hbucket {
DECLARE_BITMAP(used, AHASH_MAX_TUNED);
u8 size; /* size of the array */
u8 pos; /* position of the first free entry */
- unsigned char value[0]; /* the array of the values */
-} __attribute__ ((aligned));
+ unsigned char value[0] /* the array of the values */
+ __aligned(__alignof__(u64));
+};
/* The hash table: the table size stored here in order to make resizing easy */
struct htable {
@@ -1323,12 +1324,14 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
#endif
set->variant = &IPSET_TOKEN(HTYPE, 4_variant);
set->dsize = ip_set_elem_len(set, tb,
- sizeof(struct IPSET_TOKEN(HTYPE, 4_elem)));
+ sizeof(struct IPSET_TOKEN(HTYPE, 4_elem)),
+ __alignof__(struct IPSET_TOKEN(HTYPE, 4_elem)));
#ifndef IP_SET_PROTO_UNDEF
} else {
set->variant = &IPSET_TOKEN(HTYPE, 6_variant);
set->dsize = ip_set_elem_len(set, tb,
- sizeof(struct IPSET_TOKEN(HTYPE, 6_elem)));
+ sizeof(struct IPSET_TOKEN(HTYPE, 6_elem)),
+ __alignof__(struct IPSET_TOKEN(HTYPE, 6_elem)));
}
#endif
if (tb[IPSET_ATTR_TIMEOUT]) {
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 5a30ce6e8c90..bbede95c9f68 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -31,7 +31,7 @@ struct set_elem {
struct rcu_head rcu;
struct list_head list;
ip_set_id_t id;
-};
+} __aligned(__alignof__(u64));
struct set_adt_elem {
ip_set_id_t id;
@@ -618,7 +618,8 @@ list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
size = IP_SET_LIST_MIN_SIZE;
set->variant = &set_variant;
- set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem));
+ set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem),
+ __alignof__(struct set_elem));
if (!init_list_set(net, set, size))
return -ENOMEM;
if (tb[IPSET_ATTR_TIMEOUT]) {
--
2.4.3

30
netfilter-ipset-Fix-hash-type-expiration.patch Normal file
View File

@ -0,0 +1,30 @@
From 7210b25e452780f0792e04dd9f84f3a02c582ab7 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Sat, 7 Nov 2015 11:23:34 +0100
Subject: [PATCH 2/3] netfilter: ipset: Fix hash:* type expiration
Incorrect index was used when the data blob was shrinked at expiration,
which could lead to falsely expired entries and memory leak when
the comment extension was used too.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 4ff22194ce55..fa4f6374bb73 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -523,7 +523,7 @@ mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
continue;
data = ahash_data(n, j, dsize);
memcpy(tmp->value + d * dsize, data, dsize);
- set_bit(j, tmp->used);
+ set_bit(d, tmp->used);
d++;
}
tmp->pos = d;
--
2.4.3

47
netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch Normal file
View File

@ -0,0 +1,47 @@
From 03fdcf282c8fe212efae0d1229fb8594ffe60b17 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Sat, 7 Nov 2015 11:24:51 +0100
Subject: [PATCH 3/3] netfilter: ipset: Fix hash type expire: release empty
hash bucket block
When all entries are expired/all slots are empty, release the bucket.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index fa4f6374bb73..e5336ab36d67 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -476,7 +476,7 @@ static void
mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
{
struct htable *t;
- struct hbucket *n;
+ struct hbucket *n, *tmp;
struct mtype_elem *data;
u32 i, j, d;
#ifdef IP_SET_HASH_WITH_NETS
@@ -511,9 +511,14 @@ mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
}
}
if (d >= AHASH_INIT_SIZE) {
- struct hbucket *tmp = kzalloc(sizeof(*tmp) +
- (n->size - AHASH_INIT_SIZE) * dsize,
- GFP_ATOMIC);
+ if (d >= n->size) {
+ rcu_assign_pointer(hbucket(t, i), NULL);
+ kfree_rcu(n, rcu);
+ continue;
+ }
+ tmp = kzalloc(sizeof(*tmp) +
+ (n->size - AHASH_INIT_SIZE) * dsize,
+ GFP_ATOMIC);
if (!tmp)
/* Still try to delete expired elements */
continue;
--
2.4.3

46
ovl-fix-permission-checking-for-setattr.patch Normal file
View File

@ -0,0 +1,46 @@
From acff81ec2c79492b180fade3c2894425cd35a545 Mon Sep 17 00:00:00 2001
From: Miklos Szeredi <miklos@szeredi.hu>
Date: Fri, 4 Dec 2015 19:18:48 +0100
Subject: [PATCH] ovl: fix permission checking for setattr
[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
(with the former being always safe and the latter failing in case of
insufficient permissions) it tries to combine these two. Note that copyup
itself will have to do ->setattr() anyway; _that_ is where the elevated
capabilities are right. Having these two ->setattr() (one to set verbatim
copy of metadata, another to do what overlayfs ->setattr() had been asked
to do in the first place) combined is where it breaks.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
fs/overlayfs/inode.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index ec0c2a050043..961284936917 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
if (err)
goto out;
- upperdentry = ovl_dentry_upper(dentry);
- if (upperdentry) {
+ err = ovl_copy_up(dentry);
+ if (!err) {
+ upperdentry = ovl_dentry_upper(dentry);
+
mutex_lock(&upperdentry->d_inode->i_mutex);
err = notify_change(upperdentry, attr, NULL);
mutex_unlock(&upperdentry->d_inode->i_mutex);
- } else {
- err = ovl_copy_up_last(dentry, attr, false);
}
ovl_drop_write(dentry);
out:
--
2.5.0

34
pinctrl-pinctrl-single-must-be-initialized-early.patch Normal file
View File

@ -0,0 +1,34 @@
From: Pantelis Antoniou <panto@antoniou-consulting.com>
Date: Sat, 15 Sep 2012 12:00:41 +0300
Subject: [PATCH] pinctrl: pinctrl-single must be initialized early.
When using pinctrl-single to handle i2c initialization, it has
to be done early. Whether this is the best way to do so, is an
exercise left to the reader.
---
drivers/pinctrl/pinctrl-single.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
index 69e84427f913..f21cf4291476 100644
--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
@@ -2025,7 +2025,17 @@ static struct platform_driver pcs_driver = {
#endif
};
-module_platform_driver(pcs_driver);
+static int __init pcs_init(void)
+{
+ return platform_driver_register(&pcs_driver);
+}
+postcore_initcall(pcs_init);
+
+static void __exit pcs_exit(void)
+{
+ platform_driver_unregister(&pcs_driver);
+}
+module_exit(pcs_exit);
MODULE_AUTHOR("Tony Lindgren <tony@atomide.com>");
MODULE_DESCRIPTION("One-register-per-pin type device tree based pinctrl driver");

39
pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch Normal file
View File

@ -0,0 +1,39 @@
From 16c5a158e97d5b1f6c8bf86b006c1349f025d4e0 Mon Sep 17 00:00:00 2001
From: WANG Cong <xiyou.wangcong@gmail.com>
Date: Mon, 14 Dec 2015 13:48:36 -0800
Subject: [PATCH] pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/net/ppp/pptp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index fc69e41d0950..597c53e0a2ec 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -419,6 +419,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
struct pptp_opt *opt = &po->proto.pptp;
int error = 0;
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
+ return -EINVAL;
+
lock_sock(sk);
opt->src_addr = sp->sa_addr.pptp;
@@ -440,6 +443,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
struct flowi4 fl4;
int error = 0;
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
+ return -EINVAL;
+
if (sp->sa_protocol != PX_PROTO_PPTP)
return -EINVAL;
--
2.5.0

108
ptrace-being-capable-wrt-a-process-requires-mapped-u.patch Normal file
View File

@ -0,0 +1,108 @@
From 64a37c8197f4e1c2637cd80326f4649282176369 Mon Sep 17 00:00:00 2001
From: Jann Horn <jann@thejh.net>
Date: Sat, 26 Dec 2015 03:52:31 +0100
Subject: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids
ptrace_has_cap() checks whether the current process should be
treated as having a certain capability for ptrace checks
against another process. Until now, this was equivalent to
has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
However, if a root-owned process wants to enter a user
namespace for some reason without knowing who owns it and
therefore can't change to the namespace owner's uid and gid
before entering, as soon as it has entered the namespace,
the namespace owner can attach to it via ptrace and thereby
gain access to its uid and gid.
While it is possible for the entering process to switch to
the uid of a claimed namespace owner before entering,
causing the attempt to enter to fail if the claimed uid is
wrong, this doesn't solve the problem of determining an
appropriate gid.
With this change, the entering process can first enter the
namespace and then safely inspect the namespace's
properties, e.g. through /proc/self/{uid_map,gid_map},
assuming that the namespace owner doesn't have access to
uid 0.
Changed in v2: The caller needs to be capable in the
namespace into which tcred's uids/gids can be mapped.
Signed-off-by: Jann Horn <jann@thejh.net>
---
kernel/ptrace.c | 33 ++++++++++++++++++++++++++++-----
1 file changed, 28 insertions(+), 5 deletions(-)
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 787320de68e0..407c382b45c8 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -20,6 +20,7 @@
#include <linux/uio.h>
#include <linux/audit.h>
#include <linux/pid_namespace.h>
+#include <linux/user_namespace.h>
#include <linux/syscalls.h>
#include <linux/uaccess.h>
#include <linux/regset.h>
@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
return ret;
}
-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
+static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
{
+ struct user_namespace *tns = tcred->user_ns;
+
+ /* When a root-owned process enters a user namespace created by a
+ * malicious user, the user shouldn't be able to execute code under
+ * uid 0 by attaching to the root-owned process via ptrace.
+ * Therefore, similar to the capable_wrt_inode_uidgid() check,
+ * verify that all the uids and gids of the target process are
+ * mapped into a namespace below the current one in which the caller
+ * is capable.
+ * No fsuid/fsgid check because __ptrace_may_access doesn't do it
+ * either.
+ */
+ while (
+ !kuid_has_mapping(tns, tcred->euid) ||
+ !kuid_has_mapping(tns, tcred->suid) ||
+ !kuid_has_mapping(tns, tcred->uid) ||
+ !kgid_has_mapping(tns, tcred->egid) ||
+ !kgid_has_mapping(tns, tcred->sgid) ||
+ !kgid_has_mapping(tns, tcred->gid)) {
+ tns = tns->parent;
+ }
+
if (mode & PTRACE_MODE_NOAUDIT)
- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
+ return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
else
- return has_ns_capability(current, ns, CAP_SYS_PTRACE);
+ return has_ns_capability(current, tns, CAP_SYS_PTRACE);
}
/* Returns 0 on success, -errno on denial. */
@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
gid_eq(cred->gid, tcred->sgid) &&
gid_eq(cred->gid, tcred->gid))
goto ok;
- if (ptrace_has_cap(tcred->user_ns, mode))
+ if (ptrace_has_cap(tcred, mode))
goto ok;
rcu_read_unlock();
return -EPERM;
@@ -252,7 +275,7 @@ ok:
dumpable = get_dumpable(task->mm);
rcu_read_lock();
if (dumpable != SUID_DUMP_USER &&
- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
+ !ptrace_has_cap(__task_cred(task), mode)) {
rcu_read_unlock();
return -EPERM;
}
--
2.5.0

24
regulator-anatop-module-alias.patch
View File

@ -1,24 +0,0 @@
From d702ffd4d1df73b9c620af1654af42ff5b8d5c09 Fri Sep 18 19:09:07 2015
From: Luis de Bethencourt <luis@debethencourt.com>
Date: Fri Sep 18 19:09:07 2015 +0200
regulator: anatop: Fix module autoload for OF platform driver
This platform driver has a OF device ID table but the OF module
alias information is not created so module autoloading won't work.
Signed-off-by: Luis de Bethencourt <luisbg@osg.samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
diff --git a/drivers/regulator/anatop-regulator.c b/drivers/regulator/anatop-regulator.c
index 738adfa..52ea605 100644
--- a/drivers/regulator/anatop-regulator.c
+++ b/drivers/regulator/anatop-regulator.c
@@ -318,6 +318,7 @@ static const struct of_device_id of_anatop_regulator_match_tbl[] = {
{ .compatible = "fsl,anatop-regulator", },
{ /* end */ }
};
+MODULE_DEVICE_TABLE(of, of_anatop_regulator_match_tbl);
static struct platform_driver anatop_regulator_driver = {
.driver = {

61
showmem-cma-correct-reserved-memory-calculation.patch
View File

@ -1,61 +0,0 @@
From 3a83eda52f34b97168b70098ef0e34dbcaeaaf8f Mon Sep 17 00:00:00 2001
From: Vishnu Pratap Singh <vishnu.ps@samsung.com>
Date: Tue, 25 Aug 2015 00:04:44 +0000
Subject: lib/show_mem.c: correct reserved memory calculation
CMA reserved memory is not part of total reserved memory.
Currently when we print the total reserve memory it considers
cma as part of reserve memory and do minus of totalcma_pages
from reserved, which is wrong. In cases where total reserved
is less than cma reserved we will get negative values & while
printing we print as unsigned and we will get a very large value.
Below is the show mem output on X86 ubuntu based system where
CMA reserved is 100MB (25600 pages) & total reserved is ~40MB(10316 pages).
And reserve memory shows a large value because of this bug.
Before:
[ 127.066430] 898908 pages RAM
[ 127.066432] 671682 pages HighMem/MovableOnly
[ 127.066434] 4294952012 pages reserved
[ 127.066436] 25600 pages cma reserved
After:
[ 44.663129] 898908 pages RAM
[ 44.663130] 671682 pages HighMem/MovableOnly
[ 44.663130] 10316 pages reserved
[ 44.663131] 25600 pages cma reserved
Signed-off-by: Vishnu Pratap Singh <vishnu.ps@samsung.com>
Cc: Michal Nazarewicz <mina86@mina86.com>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Danesh Petigara <dpetigara@broadcom.com>
Cc: Laura Abbott <lauraa@codeaurora.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
lib/show_mem.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/show_mem.c b/lib/show_mem.c
index adc98e18..1feed6a 100644
--- a/lib/show_mem.c
+++ b/lib/show_mem.c
@@ -38,11 +38,9 @@ void show_mem(unsigned int filter)
printk("%lu pages RAM\n", total);
printk("%lu pages HighMem/MovableOnly\n", highmem);
+ printk("%lu pages reserved\n", reserved);
#ifdef CONFIG_CMA
- printk("%lu pages reserved\n", (reserved - totalcma_pages));
printk("%lu pages cma reserved\n", totalcma_pages);
-#else
- printk("%lu pages reserved\n", reserved);
#endif
#ifdef CONFIG_QUICKLIST
printk("%lu pages in pagetable cache\n",
--
cgit v0.11.2

6
sources
View File

@ -1,3 +1,3 @@
3d5ea06d767e2f35c999eeadafc76523 linux-4.2.tar.xz
4c964bfba54d65b5b54cc898baddecad perf-man-4.2.tar.gz
19e47863ca441b2e11f90f25fb6c41ec patch-4.2.5.xz
58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz
7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz
d3235b3640ae6ac1ab579171943fda4b patch-4.3.3.xz

49
usbvision-fix-crash-on-detecting-device-with-invalid.patch Normal file
View File

@ -0,0 +1,49 @@
From 2ea39fc263c6a7589e15edb7d2d1c89fa569be53 Mon Sep 17 00:00:00 2001
From: Vladis Dronov <vdronov@redhat.com>
Date: Mon, 16 Nov 2015 15:55:11 -0200
Subject: [PATCH] usbvision: fix crash on detecting device with invalid
configuration
The usbvision driver crashes when a specially crafted usb device with invalid
number of interfaces or endpoints is detected. This fix adds checks that the
device has proper configuration expected by the driver.
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
index b693206f66dd..d1dc1a198e3e 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1463,9 +1463,23 @@ static int usbvision_probe(struct usb_interface *intf,
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
- else
+ else if (ifnum < dev->actconfig->desc.bNumInterfaces)
interface = &dev->actconfig->interface[ifnum]->altsetting[0];
+ else {
+ dev_err(&intf->dev, "interface %d is invalid, max is %d\n",
+ ifnum, dev->actconfig->desc.bNumInterfaces - 1);
+ ret = -ENODEV;
+ goto err_usb;
+ }
+
+ if (interface->desc.bNumEndpoints < 2) {
+ dev_err(&intf->dev, "interface %d has %d endpoints, but must"
+ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);
+ ret = -ENODEV;
+ goto err_usb;
+ }
endpoint = &interface->endpoint[1].desc;
+
if (!usb_endpoint_xfer_isoc(endpoint)) {
dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",
__func__, ifnum);
--
2.5.0

110
vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch Normal file
View File

@ -0,0 +1,110 @@
From 14588dfe2e411056df5ba85ef88ad51730a2fa0a Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Sat, 15 Aug 2015 20:27:13 -0500
Subject: [PATCH 2/2] vfs: Test for and handle paths that are unreachable from
their mnt_root
commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream.
In rare cases a directory can be renamed out from under a bind mount.
In those cases without special handling it becomes possible to walk up
the directory tree to the root dentry of the filesystem and down
from the root dentry to every other file or directory on the filesystem.
Like division by zero .. from an unconnected path can not be given
a useful semantic as there is no predicting at which path component
the code will realize it is unconnected. We certainly can not match
the current behavior as the current behavior is a security hole.
Therefore when encounting .. when following an unconnected path
return -ENOENT.
- Add a function path_connected to verify path->dentry is reachable
from path->mnt.mnt_root. AKA to validate that rename did not do
something nasty to the bind mount.
To avoid races path_connected must be called after following a path
component to it's next path component.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
fs/namei.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 1c2105ed20c5..29b927938b8c 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -560,6 +560,24 @@ static int __nd_alloc_stack(struct nameidata *nd)
return 0;
}
+/**
+ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
+ * @path: nameidate to verify
+ *
+ * Rename can sometimes move a file or directory outside of a bind
+ * mount, path_connected allows those cases to be detected.
+ */
+static bool path_connected(const struct path *path)
+{
+ struct vfsmount *mnt = path->mnt;
+
+ /* Only bind mounts can have disconnected paths */
+ if (mnt->mnt_root == mnt->mnt_sb->s_root)
+ return true;
+
+ return is_subdir(path->dentry, mnt->mnt_root);
+}
+
static inline int nd_alloc_stack(struct nameidata *nd)
{
if (likely(nd->depth != EMBEDDED_LEVELS))
@@ -1296,6 +1314,8 @@ static int follow_dotdot_rcu(struct nameidata *nd)
return -ECHILD;
nd->path.dentry = parent;
nd->seq = seq;
+ if (unlikely(!path_connected(&nd->path)))
+ return -ENOENT;
break;
} else {
struct mount *mnt = real_mount(nd->path.mnt);
@@ -1396,7 +1416,7 @@ static void follow_mount(struct path *path)
}
}
-static void follow_dotdot(struct nameidata *nd)
+static int follow_dotdot(struct nameidata *nd)
{
if (!nd->root.mnt)
set_root(nd);
@@ -1412,6 +1432,8 @@ static void follow_dotdot(struct nameidata *nd)
/* rare case of legitimate dget_parent()... */
nd->path.dentry = dget_parent(nd->path.dentry);
dput(old);
+ if (unlikely(!path_connected(&nd->path)))
+ return -ENOENT;
break;
}
if (!follow_up(&nd->path))
@@ -1419,6 +1441,7 @@ static void follow_dotdot(struct nameidata *nd)
}
follow_mount(&nd->path);
nd->inode = nd->path.dentry->d_inode;
+ return 0;
}
/*
@@ -1634,7 +1657,7 @@ static inline int handle_dots(struct nameidata *nd, int type)
if (nd->flags & LOOKUP_RCU) {
return follow_dotdot_rcu(nd);
} else
- follow_dotdot(nd);
+ return follow_dotdot(nd);
}
return 0;
}
--
2.4.3

42
vrf-fix-memory-leak-on-registration.patch Normal file
View File

@ -0,0 +1,42 @@
From 5780068e17af44a98d432d31448bb18a99ce64dc Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 15 Dec 2015 15:12:43 +0000
Subject: [PATCH] vrf: Fix memory leak on registration failure in vrf_newlink()
The backported version of commit 7f109f7cc371 ("vrf: fix double free
and memory corruption on register_netdevice failure") incorrectly
removed a kfree() from the failure path as well as the free_netdev().
Add that back.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/vrf.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index c9e309c..6c25fd0 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
{
struct net_vrf *vrf = netdev_priv(dev);
struct net_vrf_dev *vrf_ptr;
+ int err;
if (!data || !data[IFLA_VRF_TABLE])
return -EINVAL;
@@ -598,7 +599,10 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
- return register_netdev(dev);
+ err = register_netdev(dev);
+ if (err)
+ kfree(vrf_ptr);
+ return err;
}
static size_t vrf_nl_getsize(const struct net_device *dev)
--
2.5.0

7
x86-Lock-down-IO-port-access-when-module-security-is.patch
View File

@ -1,6 +1,8 @@
From 7a3cdd26e6d38031338a6cb591ec2f3faaa9234b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:35:59 -0500
Subject: [PATCH] x86: Lock down IO port access when module security is enabled
Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
enabled
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
@ -65,3 +67,6 @@ index 6b1721f978c2..53fe675f9bd7 100644
if (!access_ok(VERIFY_READ, buf, count))
return -EFAULT;
while (count-- > 0 && i < 65536) {
--
2.4.3

7
x86-Restrict-MSR-access-when-module-loading-is-restr.patch
View File

@ -1,6 +1,8 @@
From c076ed5eed97cba612d7efec41359815c5547f4c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH] x86: Restrict MSR access when module loading is restricted
Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
restricted
Writing to MSRs should not be allowed if module loading is restricted,
since it could lead to execution of arbitrary code in kernel mode. Based
@ -37,3 +39,6 @@ index 113e70784854..26c2f83fc470 100644
if (copy_from_user(&regs, uregs, sizeof regs)) {
err = -EFAULT;
break;
--
2.4.3