rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v4.3.6

This commit is contained in:
Josh Boyer 2016-02-21 14:52:14 -05:00
parent 8889aba817
commit 4988639cd8
10 changed files with 5 additions and 529 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
View File

@ -1,34 +0,0 @@
From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov <andreyknvl@gmail.com>
Date: Sat, 13 Feb 2016 11:08:06 +0300
Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice
The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
when tearing down the rawmidi interface. So we shouldn't try to free it
in snd_usbmidi_create() after having registered the rawmidi interface.
Found by KASAN.
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/usb/midi.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index cc39f63299ef..007cf5831121 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
else
err = snd_usbmidi_create_endpoints(umidi, endpoints);
if (err < 0) {
- snd_usbmidi_free(umidi);
return err;
}
--
2.5.0

133
HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
View File

@ -1,133 +0,0 @@
From 84ac7d370783d4819c5986da1c5d5c62d360dc8f Mon Sep 17 00:00:00 2001
From: Mika Westerberg <mika.westerberg@linux.intel.com>
Date: Wed, 7 Oct 2015 15:33:43 +0300
Subject: [PATCH] HID: multitouch: Fetch feature reports on demand for Win8
devices
Some newer Intel Skylake based Dell laptops with Win8 precision touchpad
fail when initial feature reports are fetched from it. Below is an example
output with some additional debug included:
i2c_hid i2c-DLL0704:01: Fetching the HID descriptor
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=20 00
i2c_hid i2c-DLL0704:01: HID Descriptor: 1e 00 00 01 99 02 21 00 24 ...
...
i2c_hid i2c-DLL0704:01: i2c_hid_get_report
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 38 02 23 00
i2c_hid i2c-DLL0704:01: report (len=4): 04 00 08 05
i2c_hid i2c-DLL0704:01: report id 13
i2c_hid i2c-DLL0704:01: i2c_hid_get_report
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 3d 02 23 00
i2c_hid i2c-DLL0704:01: failed to retrieve report from device.
i2c_hid i2c-DLL0704:01: report id 7
i2c_hid i2c-DLL0704:01: i2c_hid_get_report
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 37 02 23 00
i2c_hid i2c-DLL0704:01: report (len=259): 03 01 07 fc 28 fe 84 40 ...
i2c_hid i2c-DLL0704:01: report id 4
i2c_hid i2c-DLL0704:01: i2c_hid_get_report
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 34 02 23 00
We manage to fetch few reports but then the touchpad dies:
i2c_designware i2c_designware.1: i2c_dw_handle_tx_abort: lost arbitration
i2c_hid i2c-DLL0704:01: failed to retrieve report from device.
it eventually pulls the whole I2C bus low:
i2c_designware i2c_designware.1: controller timed out
i2c_hid i2c-DLL0704:01: failed to set a report to device.
Fix this by preventing initial feature report retrieval for Win8 devices.
Instead we fetch reports as needed in mt_feature_mapping(). This prevents
fetching reports which might cause problems with the device in question.
Suggested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-multitouch.c | 45 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 426b2f1a3450..4afe8d78b366 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -309,6 +309,41 @@ static struct attribute_group mt_attribute_group = {
.attrs = sysfs_attrs
};
+static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
+{
+ struct mt_device *td = hid_get_drvdata(hdev);
+ int ret, size = hid_report_len(report);
+ u8 *buf;
+
+ /*
+ * Only fetch the feature report if initial reports are not already
+ * been retrieved. Currently this is only done for Windows 8 touch
+ * devices.
+ */
+ if (!(hdev->quirks & HID_QUIRK_NO_INIT_REPORTS))
+ return;
+ if (td->mtclass.name != MT_CLS_WIN_8)
+ return;
+
+ buf = hid_alloc_report_buf(report, GFP_KERNEL);
+ if (!buf)
+ return;
+
+ ret = hid_hw_raw_request(hdev, report->id, buf, size,
+ HID_FEATURE_REPORT, HID_REQ_GET_REPORT);
+ if (ret < 0) {
+ dev_warn(&hdev->dev, "failed to fetch feature %d\n",
+ report->id);
+ } else {
+ ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
+ size, 0);
+ if (ret)
+ dev_warn(&hdev->dev, "failed to report feature\n");
+ }
+
+ kfree(buf);
+}
+
static void mt_feature_mapping(struct hid_device *hdev,
struct hid_field *field, struct hid_usage *usage)
{
@@ -327,6 +362,8 @@ static void mt_feature_mapping(struct hid_device *hdev,
break;
case HID_DG_CONTACTMAX:
+ mt_get_feature(hdev, field->report);
+
td->maxcontact_report_id = field->report->id;
td->maxcontacts = field->value[0];
if (!td->maxcontacts &&
@@ -343,6 +380,7 @@ static void mt_feature_mapping(struct hid_device *hdev,
break;
}
+ mt_get_feature(hdev, field->report);
if (field->value[usage->usage_index] == MT_BUTTONTYPE_CLICKPAD)
td->is_buttonpad = true;
@@ -1026,8 +1064,13 @@ static int mt_probe(struct hid_device *hdev, const struct hid_device_id *id)
* reports. Fortunately, the Win8 spec says that all touches
* should be sent during each report, making the initialization
* of input reports unnecessary.
+ *
+ * In addition some touchpads do not behave well if we read
+ * all feature reports from them. Instead we prevent
+ * initial report fetching and then selectively fetch each
+ * report we are interested in.
*/
- hdev->quirks |= HID_QUIRK_NO_INIT_INPUT_REPORTS;
+ hdev->quirks |= HID_QUIRK_NO_INIT_REPORTS;
td = devm_kzalloc(&hdev->dev, sizeof(struct mt_device), GFP_KERNEL);
if (!td) {
--
2.5.0

94
HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
View File

@ -1,94 +0,0 @@
From cd1e1e286bb3c4fa8714c1e571ae082e510efd5d Mon Sep 17 00:00:00 2001
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Date: Tue, 1 Dec 2015 12:41:38 +0100
Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels
as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
reports on demand for Win8 devices") as the origin of the problem but this
commit actually masked 2 firmware bugs that are annihilating each other:
The report descriptor declares two features in reports 3 and 5:
0x05, 0x0d, // Usage Page (Digitizers) 318
0x09, 0x0e, // Usage (Device Configuration) 320
0xa1, 0x01, // Collection (Application) 322
0x85, 0x03, // Report ID (3) 324
0x09, 0x22, // Usage (Finger) 326
0xa1, 0x00, // Collection (Physical) 328
0x09, 0x52, // Usage (Inputmode) 330
0x15, 0x00, // Logical Minimum (0) 332
0x25, 0x0a, // Logical Maximum (10) 334
0x75, 0x08, // Report Size (8) 336
0x95, 0x02, // Report Count (2) 338
0xb1, 0x02, // Feature (Data,Var,Abs) 340
0xc0, // End Collection 342
0x09, 0x22, // Usage (Finger) 343
0xa1, 0x00, // Collection (Physical) 345
0x85, 0x05, // Report ID (5) 347
0x09, 0x57, // Usage (Surface Switch) 349
0x09, 0x58, // Usage (Button Switch) 351
0x15, 0x00, // Logical Minimum (0) 353
0x75, 0x01, // Report Size (1) 355
0x95, 0x02, // Report Count (2) 357
0x25, 0x03, // Logical Maximum (3) 359
0xb1, 0x02, // Feature (Data,Var,Abs) 361
0x95, 0x0e, // Report Count (14) 363
0xb1, 0x03, // Feature (Cnst,Var,Abs) 365
0xc0, // End Collection 367
The report ID 3 presents 2 input mode features, while only the first one
is handled by the device. Given that we did not checked if one was
previously assigned, we were dealing with the ignored featured and we
should never have been able to switch this panel into the multitouch mode.
However, the firmware presents an other bugs which allowed 6d4f5440
to counteract the faulty report descriptor. When we request the values
of the feature 5, the firmware answers "03 03 00". The fields are correct
but the report id is wrong. Before 6d4f5440, we retrieved all the features
and injected them in the system. So when we called report 5, we injected
in the system the report 3 with the values "03 00".
Setting the second input mode to 03 in this report changed it to "03 03"
and the touchpad switched to the mt mode. We could have set anything
in the second field because the actual value (the first 03 in this report)
was given by the query of report ID 5.
To sum up: 2 bugs in the firmware were hiding that we were accessing the
wrong feature.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-multitouch.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index ba94044cb859..d866720412cd 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hid_device *hdev,
break;
}
- td->inputmode = field->report->id;
- td->inputmode_index = usage->usage_index;
+ if (td->inputmode < 0) {
+ td->inputmode = field->report->id;
+ td->inputmode_index = usage->usage_index;
+ } else {
+ /*
+ * Some elan panels wrongly declare 2 input mode
+ * features, and silently ignore when we set the
+ * value in the second field. Skip the second feature
+ * and hope for the best.
+ */
+ dev_info(&hdev->dev,
+ "Ignoring the extra HID_DG_INPUTMODE\n");
+ }
break;
case HID_DG_CONTACTMAX:
--
2.5.0

43
block-ensure-to-split-after-potentially-bouncing-a-b.patch
View File

@ -1,43 +0,0 @@
From 23688bf4f830a89866fd0ed3501e342a7360fe4f Mon Sep 17 00:00:00 2001
From: Junichi Nomura <j-nomura@ce.jp.nec.com>
Date: Tue, 22 Dec 2015 10:23:44 -0700
Subject: [PATCH] block: ensure to split after potentially bouncing a bio
blk_queue_bio() does split then bounce, which makes the segment
counting based on pages before bouncing and could go wrong. Move
the split to after bouncing, like we do for blk-mq, and the we
fix the issue of having the bio count for segments be wrong.
Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios")
Cc: stable@vger.kernel.org
Tested-by: Artem S. Tashkinov <t.artem@lycos.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
---
block/blk-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/block/blk-core.c b/block/blk-core.c
index 3636be469fa2..c487b94c59e3 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -1689,8 +1689,6 @@ static blk_qc_t blk_queue_bio(struct request_queue *q, struct bio *bio)
struct request *req;
unsigned int request_count = 0;
- blk_queue_split(q, &bio, q->bio_split);
-
/*
* low level driver can indicate that it wants pages above a
* certain limit bounced to low memory (ie for highmem, or even
@@ -1698,6 +1696,8 @@ static blk_qc_t blk_queue_bio(struct request_queue *q, struct bio *bio)
*/
blk_queue_bounce(q, &bio);
+ blk_queue_split(q, &bio, q->bio_split);
+
if (bio_integrity_enabled(bio) && bio_integrity_prep(bio)) {
bio->bi_error = -EIO;
bio_endio(bio);
--
2.5.0

31
drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
View File

@ -1,31 +0,0 @@
From 65fbb05cbbf9ef7f531712634c3e914b54171707 Mon Sep 17 00:00:00 2001
From: Alexandre Courbot <acourbot@nvidia.com>
Date: Thu, 3 Sep 2015 17:39:52 +0900
Subject: [PATCH] drm/nouveau/pmu: do not assume a PMU is present
Some devices may not have a PMU. Avoid a NULL pointer dereference in
such cases by checking whether the pointer given to nvkm_pmu_pgob() is
valid.
Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
---
drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
index 27a79c0c3888..d95eb8659d1b 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
@@ -28,7 +28,7 @@
void
nvkm_pmu_pgob(struct nvkm_pmu *pmu, bool enable)
{
- if (pmu->func->pgob)
+ if (pmu && pmu->func->pgob)
pmu->func->pgob(pmu, enable);
}
--
2.5.0

55
kernel.spec
View File

@ -52,7 +52,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 5
%define stable_update 6
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@ -633,33 +633,15 @@ Patch574: ovl-fix-permission-checking-for-setattr.patch
#CVE-2015-8709 rhbz 1295287 1295288
Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
#CVE-2015-7513 rhbz 1284847 1296142
Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
#rhbz 1296677
Patch606: HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
Patch641: HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
#rhbz 1281368
Patch607: drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
#rhbz 1296820
Patch608: drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
#rhbz 1083853
Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
#CVE-2015-7566 rhbz 1296466 1297517
Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch
#rhbz 1298309
#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
#rhbz 1298996
Patch625: block-ensure-to-split-after-potentially-bouncing-a-b.patch
#rhbz 1298192
Patch626: selinux-fix-bug-in-conditional-rules-handling.patch
@ -676,9 +658,6 @@ Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
#CVE-2016-0723 rhbz 1296253 1300224
Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
#rhbz 1279653
Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
@ -689,7 +668,6 @@ Patch639: netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
#rhbz 1278942
Patch642: media-Revert-media-ivtv-avoid-going-past-input-audio.patch
Patch643: media-ivtv-avoid-going-past-input-audio-array.patch
#rhbz 1302037
@ -705,9 +683,6 @@ Patch647: rtlwifi-fix-memory-leak-for-USB-device.patch
#CVE-2016-0617 rhbz 1305803 1305804
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
#CVE-2016-2384 rhbz 1308444 1308445
Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
#CVE-2016-2383 rhbz 1308452 1308453
Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
@ -1417,33 +1392,15 @@ ApplyPatch ovl-fix-permission-checking-for-setattr.patch
#CVE-2015-8709 rhbz 1295287 1295288
ApplyPatch ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
#CVE-2015-7513 rhbz 1284847 1296142
ApplyPatch KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
#rhbz 1296677
ApplyPatch HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
ApplyPatch HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
#rhbz 1281368
ApplyPatch drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
#rhbz 1296820
ApplyPatch drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
#rhbz 1083853
ApplyPatch PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
#CVE-2015-7566 rhbz 1296466 1297517
ApplyPatch usb-serial-visor-fix-crash-on-detecting-device-witho.patch
#rhbz 1298309
#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
#rhbz 1298996
ApplyPatch block-ensure-to-split-after-potentially-bouncing-a-b.patch
#rhbz 1298192
ApplyPatch selinux-fix-bug-in-conditional-rules-handling.patch
@ -1460,9 +1417,6 @@ ApplyPatch SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
ApplyPatch btrfs-handle-invalid-num_stripes-in-sys_array.patch
ApplyPatch Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
#CVE-2016-0723 rhbz 1296253 1300224
ApplyPatch tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
#rhbz 1279653
ApplyPatch rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
@ -1473,7 +1427,6 @@ ApplyPatch netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
ApplyPatch PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
#rhbz 1278942
ApplyPatch media-Revert-media-ivtv-avoid-going-past-input-audio.patch
ApplyPatch media-ivtv-avoid-going-past-input-audio-array.patch
#rhbz 1302037
@ -1489,9 +1442,6 @@ ApplyPatch rtlwifi-fix-memory-leak-for-USB-device.patch
#CVE-2016-0617 rhbz 1305803 1305804
ApplyPatch fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
#CVE-2016-2384 rhbz 1308444 1308445
ApplyPatch ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
#CVE-2016-2383 rhbz 1308452 1308453
ApplyPatch bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
@ -2353,6 +2303,9 @@ fi
#
#
%changelog
* Sat Feb 20 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.6-200
- Linux v4.3.6
* Thu Feb 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-8812 cxgb3 use after free (rhbz 1303532 1309548)

38
media-Revert-media-ivtv-avoid-going-past-input-audio.patch
View File

@ -1,38 +0,0 @@
From 823873481b2a17ce5900899f8ef85118f8407b67 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Date: Wed, 11 Nov 2015 09:22:36 -0200
Subject: [PATCH] [media] Revert "[media] ivtv: avoid going past input/audio
array"
This patch broke ivtv logic, as reported at
https://bugzilla.redhat.com/show_bug.cgi?id=1278942
This reverts commit 09290cc885937cab3b2d60a6d48fe3d2d3e04061.
Cc: stable@vger.kernel.org # for v4.1 and upper
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
drivers/media/pci/ivtv/ivtv-driver.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
index 8616fa8193bc..c2e60b4f292d 100644
--- a/drivers/media/pci/ivtv/ivtv-driver.c
+++ b/drivers/media/pci/ivtv/ivtv-driver.c
@@ -805,11 +805,11 @@ static void ivtv_init_struct2(struct ivtv *itv)
{
int i;
- for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS - 1; i++)
+ for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS; i++)
if (itv->card->video_inputs[i].video_type == 0)
break;
itv->nof_inputs = i;
- for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS - 1; i++)
+ for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS; i++)
if (itv->card->audio_inputs[i].audio_type == 0)
break;
itv->nof_audio_inputs = i;
--
2.5.0

2
sources
View File

@ -1,3 +1,3 @@
58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz
7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz
4786a4b42da54527d6ca0d1fc1f0fade patch-4.3.5.xz
d31631a3d05d66054fbb988f05ddfa6d patch-4.3.6.xz

68
tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
View File

@ -1,68 +0,0 @@
From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001
From: Peter Hurley <peter@hurleysoftware.com>
Date: Sun, 10 Jan 2016 22:40:55 -0800
Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
ioctl(TIOCGETD) retrieves the line discipline id directly from the
ldisc because the line discipline id (c_line) in termios is untrustworthy;
userspace may have set termios via ioctl(TCSETS*) without actually
changing the line discipline via ioctl(TIOCSETD).
However, directly accessing the current ldisc via tty->ldisc is
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
is changing via ioctl(TIOCSETD) or hangup.
Wait for the line discipline reference (just like read() or write())
to retrieve the "current" line discipline id.
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index f435977de740..bd4027e36910 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
}
/**
+ * tiocgetd - get line discipline
+ * @tty: tty device
+ * @p: pointer to user data
+ *
+ * Retrieves the line discipline id directly from the ldisc.
+ *
+ * Locking: waits for ldisc reference (in case the line discipline
+ * is changing or the tty is being hungup)
+ */
+
+static int tiocgetd(struct tty_struct *tty, int __user *p)
+{
+ struct tty_ldisc *ld;
+ int ret;
+
+ ld = tty_ldisc_ref_wait(tty);
+ ret = put_user(ld->ops->num, p);
+ tty_ldisc_deref(ld);
+ return ret;
+}
+
+/**
* send_break - performed time break
* @tty: device to break on
* @duration: timeout in mS
@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
case TIOCGSID:
return tiocgsid(tty, real_tty, p);
case TIOCGETD:
- return put_user(tty->ldisc->ops->num, (int __user *)p);
+ return tiocgetd(tty, p);
case TIOCSETD:
return tiocsetd(tty, p);
case TIOCVHANGUP:
--
2.5.0

36
usb-serial-visor-fix-crash-on-detecting-device-witho.patch
View File

@ -1,36 +0,0 @@
From b2476fe4c16be5c2b7ee950e50677cfaa9ab9bae Mon Sep 17 00:00:00 2001
From: Vladis Dronov <vdronov@redhat.com>
Date: Tue, 12 Jan 2016 14:10:50 -0500
Subject: [PATCH] usb: serial: visor: fix crash on detecting device without
write_urbs
The visor driver crashes in clie_5_attach() when a specially crafted USB
device without bulk-out endpoint is detected. This fix adds a check that
the device has proper configuration expected by the driver.
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
drivers/usb/serial/visor.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
index 60afb39eb73c..bbc90c059002 100644
--- a/drivers/usb/serial/visor.c
+++ b/drivers/usb/serial/visor.c
@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_serial *serial)
*/
/* some sanity check */
- if (serial->num_ports < 2)
- return -1;
+ if (serial->num_bulk_out < 2) {
+ dev_err(&serial->interface->dev, "missing bulk out endpoints\n");
+ return -ENODEV;
+ }
/* port 0 now uses the modified endpoint Address */
port = serial->port[0];
--
2.5.0