Linux v4.3.6
This commit is contained in:
parent
8889aba817
commit
4988639cd8
|
@ -1,34 +0,0 @@
|
|||
From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
|
||||
From: Andrey Konovalov <andreyknvl@gmail.com>
|
||||
Date: Sat, 13 Feb 2016 11:08:06 +0300
|
||||
Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice
|
||||
|
||||
The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
|
||||
when tearing down the rawmidi interface. So we shouldn't try to free it
|
||||
in snd_usbmidi_create() after having registered the rawmidi interface.
|
||||
|
||||
Found by KASAN.
|
||||
|
||||
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
|
||||
Acked-by: Clemens Ladisch <clemens@ladisch.de>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/usb/midi.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
|
||||
index cc39f63299ef..007cf5831121 100644
|
||||
--- a/sound/usb/midi.c
|
||||
+++ b/sound/usb/midi.c
|
||||
@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
|
||||
else
|
||||
err = snd_usbmidi_create_endpoints(umidi, endpoints);
|
||||
if (err < 0) {
|
||||
- snd_usbmidi_free(umidi);
|
||||
return err;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,133 +0,0 @@
|
|||
From 84ac7d370783d4819c5986da1c5d5c62d360dc8f Mon Sep 17 00:00:00 2001
|
||||
From: Mika Westerberg <mika.westerberg@linux.intel.com>
|
||||
Date: Wed, 7 Oct 2015 15:33:43 +0300
|
||||
Subject: [PATCH] HID: multitouch: Fetch feature reports on demand for Win8
|
||||
devices
|
||||
|
||||
Some newer Intel Skylake based Dell laptops with Win8 precision touchpad
|
||||
fail when initial feature reports are fetched from it. Below is an example
|
||||
output with some additional debug included:
|
||||
|
||||
i2c_hid i2c-DLL0704:01: Fetching the HID descriptor
|
||||
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=20 00
|
||||
i2c_hid i2c-DLL0704:01: HID Descriptor: 1e 00 00 01 99 02 21 00 24 ...
|
||||
...
|
||||
i2c_hid i2c-DLL0704:01: i2c_hid_get_report
|
||||
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 38 02 23 00
|
||||
i2c_hid i2c-DLL0704:01: report (len=4): 04 00 08 05
|
||||
i2c_hid i2c-DLL0704:01: report id 13
|
||||
i2c_hid i2c-DLL0704:01: i2c_hid_get_report
|
||||
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 3d 02 23 00
|
||||
i2c_hid i2c-DLL0704:01: failed to retrieve report from device.
|
||||
i2c_hid i2c-DLL0704:01: report id 7
|
||||
i2c_hid i2c-DLL0704:01: i2c_hid_get_report
|
||||
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 37 02 23 00
|
||||
i2c_hid i2c-DLL0704:01: report (len=259): 03 01 07 fc 28 fe 84 40 ...
|
||||
i2c_hid i2c-DLL0704:01: report id 4
|
||||
i2c_hid i2c-DLL0704:01: i2c_hid_get_report
|
||||
i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 34 02 23 00
|
||||
|
||||
We manage to fetch few reports but then the touchpad dies:
|
||||
|
||||
i2c_designware i2c_designware.1: i2c_dw_handle_tx_abort: lost arbitration
|
||||
i2c_hid i2c-DLL0704:01: failed to retrieve report from device.
|
||||
|
||||
it eventually pulls the whole I2C bus low:
|
||||
|
||||
i2c_designware i2c_designware.1: controller timed out
|
||||
i2c_hid i2c-DLL0704:01: failed to set a report to device.
|
||||
|
||||
Fix this by preventing initial feature report retrieval for Win8 devices.
|
||||
Instead we fetch reports as needed in mt_feature_mapping(). This prevents
|
||||
fetching reports which might cause problems with the device in question.
|
||||
|
||||
Suggested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
|
||||
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Tested-by: Seth Forshee <seth.forshee@canonical.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-multitouch.c | 45 +++++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 44 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
|
||||
index 426b2f1a3450..4afe8d78b366 100644
|
||||
--- a/drivers/hid/hid-multitouch.c
|
||||
+++ b/drivers/hid/hid-multitouch.c
|
||||
@@ -309,6 +309,41 @@ static struct attribute_group mt_attribute_group = {
|
||||
.attrs = sysfs_attrs
|
||||
};
|
||||
|
||||
+static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
|
||||
+{
|
||||
+ struct mt_device *td = hid_get_drvdata(hdev);
|
||||
+ int ret, size = hid_report_len(report);
|
||||
+ u8 *buf;
|
||||
+
|
||||
+ /*
|
||||
+ * Only fetch the feature report if initial reports are not already
|
||||
+ * been retrieved. Currently this is only done for Windows 8 touch
|
||||
+ * devices.
|
||||
+ */
|
||||
+ if (!(hdev->quirks & HID_QUIRK_NO_INIT_REPORTS))
|
||||
+ return;
|
||||
+ if (td->mtclass.name != MT_CLS_WIN_8)
|
||||
+ return;
|
||||
+
|
||||
+ buf = hid_alloc_report_buf(report, GFP_KERNEL);
|
||||
+ if (!buf)
|
||||
+ return;
|
||||
+
|
||||
+ ret = hid_hw_raw_request(hdev, report->id, buf, size,
|
||||
+ HID_FEATURE_REPORT, HID_REQ_GET_REPORT);
|
||||
+ if (ret < 0) {
|
||||
+ dev_warn(&hdev->dev, "failed to fetch feature %d\n",
|
||||
+ report->id);
|
||||
+ } else {
|
||||
+ ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
|
||||
+ size, 0);
|
||||
+ if (ret)
|
||||
+ dev_warn(&hdev->dev, "failed to report feature\n");
|
||||
+ }
|
||||
+
|
||||
+ kfree(buf);
|
||||
+}
|
||||
+
|
||||
static void mt_feature_mapping(struct hid_device *hdev,
|
||||
struct hid_field *field, struct hid_usage *usage)
|
||||
{
|
||||
@@ -327,6 +362,8 @@ static void mt_feature_mapping(struct hid_device *hdev,
|
||||
|
||||
break;
|
||||
case HID_DG_CONTACTMAX:
|
||||
+ mt_get_feature(hdev, field->report);
|
||||
+
|
||||
td->maxcontact_report_id = field->report->id;
|
||||
td->maxcontacts = field->value[0];
|
||||
if (!td->maxcontacts &&
|
||||
@@ -343,6 +380,7 @@ static void mt_feature_mapping(struct hid_device *hdev,
|
||||
break;
|
||||
}
|
||||
|
||||
+ mt_get_feature(hdev, field->report);
|
||||
if (field->value[usage->usage_index] == MT_BUTTONTYPE_CLICKPAD)
|
||||
td->is_buttonpad = true;
|
||||
|
||||
@@ -1026,8 +1064,13 @@ static int mt_probe(struct hid_device *hdev, const struct hid_device_id *id)
|
||||
* reports. Fortunately, the Win8 spec says that all touches
|
||||
* should be sent during each report, making the initialization
|
||||
* of input reports unnecessary.
|
||||
+ *
|
||||
+ * In addition some touchpads do not behave well if we read
|
||||
+ * all feature reports from them. Instead we prevent
|
||||
+ * initial report fetching and then selectively fetch each
|
||||
+ * report we are interested in.
|
||||
*/
|
||||
- hdev->quirks |= HID_QUIRK_NO_INIT_INPUT_REPORTS;
|
||||
+ hdev->quirks |= HID_QUIRK_NO_INIT_REPORTS;
|
||||
|
||||
td = devm_kzalloc(&hdev->dev, sizeof(struct mt_device), GFP_KERNEL);
|
||||
if (!td) {
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,94 +0,0 @@
|
|||
From cd1e1e286bb3c4fa8714c1e571ae082e510efd5d Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Date: Tue, 1 Dec 2015 12:41:38 +0100
|
||||
Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels
|
||||
|
||||
as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
|
||||
|
||||
This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
|
||||
reports on demand for Win8 devices") as the origin of the problem but this
|
||||
commit actually masked 2 firmware bugs that are annihilating each other:
|
||||
|
||||
The report descriptor declares two features in reports 3 and 5:
|
||||
|
||||
0x05, 0x0d, // Usage Page (Digitizers) 318
|
||||
0x09, 0x0e, // Usage (Device Configuration) 320
|
||||
0xa1, 0x01, // Collection (Application) 322
|
||||
0x85, 0x03, // Report ID (3) 324
|
||||
0x09, 0x22, // Usage (Finger) 326
|
||||
0xa1, 0x00, // Collection (Physical) 328
|
||||
0x09, 0x52, // Usage (Inputmode) 330
|
||||
0x15, 0x00, // Logical Minimum (0) 332
|
||||
0x25, 0x0a, // Logical Maximum (10) 334
|
||||
0x75, 0x08, // Report Size (8) 336
|
||||
0x95, 0x02, // Report Count (2) 338
|
||||
0xb1, 0x02, // Feature (Data,Var,Abs) 340
|
||||
0xc0, // End Collection 342
|
||||
0x09, 0x22, // Usage (Finger) 343
|
||||
0xa1, 0x00, // Collection (Physical) 345
|
||||
0x85, 0x05, // Report ID (5) 347
|
||||
0x09, 0x57, // Usage (Surface Switch) 349
|
||||
0x09, 0x58, // Usage (Button Switch) 351
|
||||
0x15, 0x00, // Logical Minimum (0) 353
|
||||
0x75, 0x01, // Report Size (1) 355
|
||||
0x95, 0x02, // Report Count (2) 357
|
||||
0x25, 0x03, // Logical Maximum (3) 359
|
||||
0xb1, 0x02, // Feature (Data,Var,Abs) 361
|
||||
0x95, 0x0e, // Report Count (14) 363
|
||||
0xb1, 0x03, // Feature (Cnst,Var,Abs) 365
|
||||
0xc0, // End Collection 367
|
||||
|
||||
The report ID 3 presents 2 input mode features, while only the first one
|
||||
is handled by the device. Given that we did not checked if one was
|
||||
previously assigned, we were dealing with the ignored featured and we
|
||||
should never have been able to switch this panel into the multitouch mode.
|
||||
|
||||
However, the firmware presents an other bugs which allowed 6d4f5440
|
||||
to counteract the faulty report descriptor. When we request the values
|
||||
of the feature 5, the firmware answers "03 03 00". The fields are correct
|
||||
but the report id is wrong. Before 6d4f5440, we retrieved all the features
|
||||
and injected them in the system. So when we called report 5, we injected
|
||||
in the system the report 3 with the values "03 00".
|
||||
Setting the second input mode to 03 in this report changed it to "03 03"
|
||||
and the touchpad switched to the mt mode. We could have set anything
|
||||
in the second field because the actual value (the first 03 in this report)
|
||||
was given by the query of report ID 5.
|
||||
|
||||
To sum up: 2 bugs in the firmware were hiding that we were accessing the
|
||||
wrong feature.
|
||||
|
||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-multitouch.c | 15 +++++++++++++--
|
||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
|
||||
index ba94044cb859..d866720412cd 100644
|
||||
--- a/drivers/hid/hid-multitouch.c
|
||||
+++ b/drivers/hid/hid-multitouch.c
|
||||
@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hid_device *hdev,
|
||||
break;
|
||||
}
|
||||
|
||||
- td->inputmode = field->report->id;
|
||||
- td->inputmode_index = usage->usage_index;
|
||||
+ if (td->inputmode < 0) {
|
||||
+ td->inputmode = field->report->id;
|
||||
+ td->inputmode_index = usage->usage_index;
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * Some elan panels wrongly declare 2 input mode
|
||||
+ * features, and silently ignore when we set the
|
||||
+ * value in the second field. Skip the second feature
|
||||
+ * and hope for the best.
|
||||
+ */
|
||||
+ dev_info(&hdev->dev,
|
||||
+ "Ignoring the extra HID_DG_INPUTMODE\n");
|
||||
+ }
|
||||
|
||||
break;
|
||||
case HID_DG_CONTACTMAX:
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
From 23688bf4f830a89866fd0ed3501e342a7360fe4f Mon Sep 17 00:00:00 2001
|
||||
From: Junichi Nomura <j-nomura@ce.jp.nec.com>
|
||||
Date: Tue, 22 Dec 2015 10:23:44 -0700
|
||||
Subject: [PATCH] block: ensure to split after potentially bouncing a bio
|
||||
|
||||
blk_queue_bio() does split then bounce, which makes the segment
|
||||
counting based on pages before bouncing and could go wrong. Move
|
||||
the split to after bouncing, like we do for blk-mq, and the we
|
||||
fix the issue of having the bio count for segments be wrong.
|
||||
|
||||
Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios")
|
||||
Cc: stable@vger.kernel.org
|
||||
Tested-by: Artem S. Tashkinov <t.artem@lycos.com>
|
||||
Signed-off-by: Jens Axboe <axboe@fb.com>
|
||||
---
|
||||
block/blk-core.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/block/blk-core.c b/block/blk-core.c
|
||||
index 3636be469fa2..c487b94c59e3 100644
|
||||
--- a/block/blk-core.c
|
||||
+++ b/block/blk-core.c
|
||||
@@ -1689,8 +1689,6 @@ static blk_qc_t blk_queue_bio(struct request_queue *q, struct bio *bio)
|
||||
struct request *req;
|
||||
unsigned int request_count = 0;
|
||||
|
||||
- blk_queue_split(q, &bio, q->bio_split);
|
||||
-
|
||||
/*
|
||||
* low level driver can indicate that it wants pages above a
|
||||
* certain limit bounced to low memory (ie for highmem, or even
|
||||
@@ -1698,6 +1696,8 @@ static blk_qc_t blk_queue_bio(struct request_queue *q, struct bio *bio)
|
||||
*/
|
||||
blk_queue_bounce(q, &bio);
|
||||
|
||||
+ blk_queue_split(q, &bio, q->bio_split);
|
||||
+
|
||||
if (bio_integrity_enabled(bio) && bio_integrity_prep(bio)) {
|
||||
bio->bi_error = -EIO;
|
||||
bio_endio(bio);
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
From 65fbb05cbbf9ef7f531712634c3e914b54171707 Mon Sep 17 00:00:00 2001
|
||||
From: Alexandre Courbot <acourbot@nvidia.com>
|
||||
Date: Thu, 3 Sep 2015 17:39:52 +0900
|
||||
Subject: [PATCH] drm/nouveau/pmu: do not assume a PMU is present
|
||||
|
||||
Some devices may not have a PMU. Avoid a NULL pointer dereference in
|
||||
such cases by checking whether the pointer given to nvkm_pmu_pgob() is
|
||||
valid.
|
||||
|
||||
Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
|
||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
---
|
||||
drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
|
||||
index 27a79c0c3888..d95eb8659d1b 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
|
||||
@@ -28,7 +28,7 @@
|
||||
void
|
||||
nvkm_pmu_pgob(struct nvkm_pmu *pmu, bool enable)
|
||||
{
|
||||
- if (pmu->func->pgob)
|
||||
+ if (pmu && pmu->func->pgob)
|
||||
pmu->func->pgob(pmu, enable);
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
55
kernel.spec
55
kernel.spec
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 5
|
||||
%define stable_update 6
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -633,33 +633,15 @@ Patch574: ovl-fix-permission-checking-for-setattr.patch
|
|||
#CVE-2015-8709 rhbz 1295287 1295288
|
||||
Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
|
||||
|
||||
#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
||||
|
||||
#CVE-2015-7513 rhbz 1284847 1296142
|
||||
Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
|
||||
|
||||
#rhbz 1296677
|
||||
Patch606: HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
|
||||
Patch641: HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
|
||||
|
||||
#rhbz 1281368
|
||||
Patch607: drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
|
||||
|
||||
#rhbz 1296820
|
||||
Patch608: drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
|
||||
|
||||
#rhbz 1083853
|
||||
Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
|
||||
|
||||
#CVE-2015-7566 rhbz 1296466 1297517
|
||||
Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch
|
||||
|
||||
#rhbz 1298309
|
||||
#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
|
||||
|
||||
#rhbz 1298996
|
||||
Patch625: block-ensure-to-split-after-potentially-bouncing-a-b.patch
|
||||
|
||||
#rhbz 1298192
|
||||
Patch626: selinux-fix-bug-in-conditional-rules-handling.patch
|
||||
|
||||
|
@ -676,9 +658,6 @@ Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
|
|||
Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
|
||||
Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
|
||||
|
||||
#CVE-2016-0723 rhbz 1296253 1300224
|
||||
Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
|
||||
|
||||
#rhbz 1279653
|
||||
Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
|
||||
|
||||
|
@ -689,7 +668,6 @@ Patch639: netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
|
|||
Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
|
||||
|
||||
#rhbz 1278942
|
||||
Patch642: media-Revert-media-ivtv-avoid-going-past-input-audio.patch
|
||||
Patch643: media-ivtv-avoid-going-past-input-audio-array.patch
|
||||
|
||||
#rhbz 1302037
|
||||
|
@ -705,9 +683,6 @@ Patch647: rtlwifi-fix-memory-leak-for-USB-device.patch
|
|||
#CVE-2016-0617 rhbz 1305803 1305804
|
||||
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
|
||||
|
||||
#CVE-2016-2384 rhbz 1308444 1308445
|
||||
Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
|
||||
|
||||
#CVE-2016-2383 rhbz 1308452 1308453
|
||||
Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
||||
|
||||
|
@ -1417,33 +1392,15 @@ ApplyPatch ovl-fix-permission-checking-for-setattr.patch
|
|||
#CVE-2015-8709 rhbz 1295287 1295288
|
||||
ApplyPatch ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
|
||||
|
||||
#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
||||
|
||||
#CVE-2015-7513 rhbz 1284847 1296142
|
||||
ApplyPatch KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
|
||||
|
||||
#rhbz 1296677
|
||||
ApplyPatch HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
|
||||
ApplyPatch HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
|
||||
|
||||
#rhbz 1281368
|
||||
ApplyPatch drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
|
||||
|
||||
#rhbz 1296820
|
||||
ApplyPatch drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
|
||||
|
||||
#rhbz 1083853
|
||||
ApplyPatch PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
|
||||
|
||||
#CVE-2015-7566 rhbz 1296466 1297517
|
||||
ApplyPatch usb-serial-visor-fix-crash-on-detecting-device-witho.patch
|
||||
|
||||
#rhbz 1298309
|
||||
#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
|
||||
|
||||
#rhbz 1298996
|
||||
ApplyPatch block-ensure-to-split-after-potentially-bouncing-a-b.patch
|
||||
|
||||
#rhbz 1298192
|
||||
ApplyPatch selinux-fix-bug-in-conditional-rules-handling.patch
|
||||
|
||||
|
@ -1460,9 +1417,6 @@ ApplyPatch SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
|
|||
ApplyPatch btrfs-handle-invalid-num_stripes-in-sys_array.patch
|
||||
ApplyPatch Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
|
||||
|
||||
#CVE-2016-0723 rhbz 1296253 1300224
|
||||
ApplyPatch tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
|
||||
|
||||
#rhbz 1279653
|
||||
ApplyPatch rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
|
||||
|
||||
|
@ -1473,7 +1427,6 @@ ApplyPatch netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
|
|||
ApplyPatch PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
|
||||
|
||||
#rhbz 1278942
|
||||
ApplyPatch media-Revert-media-ivtv-avoid-going-past-input-audio.patch
|
||||
ApplyPatch media-ivtv-avoid-going-past-input-audio-array.patch
|
||||
|
||||
#rhbz 1302037
|
||||
|
@ -1489,9 +1442,6 @@ ApplyPatch rtlwifi-fix-memory-leak-for-USB-device.patch
|
|||
#CVE-2016-0617 rhbz 1305803 1305804
|
||||
ApplyPatch fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
|
||||
|
||||
#CVE-2016-2384 rhbz 1308444 1308445
|
||||
ApplyPatch ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
|
||||
|
||||
#CVE-2016-2383 rhbz 1308452 1308453
|
||||
ApplyPatch bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
||||
|
||||
|
@ -2353,6 +2303,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Sat Feb 20 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.6-200
|
||||
- Linux v4.3.6
|
||||
|
||||
* Thu Feb 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-8812 cxgb3 use after free (rhbz 1303532 1309548)
|
||||
|
||||
|
|
|
@ -1,38 +0,0 @@
|
|||
From 823873481b2a17ce5900899f8ef85118f8407b67 Mon Sep 17 00:00:00 2001
|
||||
From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
Date: Wed, 11 Nov 2015 09:22:36 -0200
|
||||
Subject: [PATCH] [media] Revert "[media] ivtv: avoid going past input/audio
|
||||
array"
|
||||
|
||||
This patch broke ivtv logic, as reported at
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1278942
|
||||
|
||||
This reverts commit 09290cc885937cab3b2d60a6d48fe3d2d3e04061.
|
||||
|
||||
Cc: stable@vger.kernel.org # for v4.1 and upper
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
---
|
||||
drivers/media/pci/ivtv/ivtv-driver.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
|
||||
index 8616fa8193bc..c2e60b4f292d 100644
|
||||
--- a/drivers/media/pci/ivtv/ivtv-driver.c
|
||||
+++ b/drivers/media/pci/ivtv/ivtv-driver.c
|
||||
@@ -805,11 +805,11 @@ static void ivtv_init_struct2(struct ivtv *itv)
|
||||
{
|
||||
int i;
|
||||
|
||||
- for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS - 1; i++)
|
||||
+ for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS; i++)
|
||||
if (itv->card->video_inputs[i].video_type == 0)
|
||||
break;
|
||||
itv->nof_inputs = i;
|
||||
- for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS - 1; i++)
|
||||
+ for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS; i++)
|
||||
if (itv->card->audio_inputs[i].audio_type == 0)
|
||||
break;
|
||||
itv->nof_audio_inputs = i;
|
||||
--
|
||||
2.5.0
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz
|
||||
7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz
|
||||
4786a4b42da54527d6ca0d1fc1f0fade patch-4.3.5.xz
|
||||
d31631a3d05d66054fbb988f05ddfa6d patch-4.3.6.xz
|
||||
|
|
|
@ -1,68 +0,0 @@
|
|||
From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hurley <peter@hurleysoftware.com>
|
||||
Date: Sun, 10 Jan 2016 22:40:55 -0800
|
||||
Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
|
||||
|
||||
ioctl(TIOCGETD) retrieves the line discipline id directly from the
|
||||
ldisc because the line discipline id (c_line) in termios is untrustworthy;
|
||||
userspace may have set termios via ioctl(TCSETS*) without actually
|
||||
changing the line discipline via ioctl(TIOCSETD).
|
||||
|
||||
However, directly accessing the current ldisc via tty->ldisc is
|
||||
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
|
||||
is changing via ioctl(TIOCSETD) or hangup.
|
||||
|
||||
Wait for the line discipline reference (just like read() or write())
|
||||
to retrieve the "current" line discipline id.
|
||||
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
|
||||
---
|
||||
drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
|
||||
1 file changed, 23 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
|
||||
index f435977de740..bd4027e36910 100644
|
||||
--- a/drivers/tty/tty_io.c
|
||||
+++ b/drivers/tty/tty_io.c
|
||||
@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
|
||||
}
|
||||
|
||||
/**
|
||||
+ * tiocgetd - get line discipline
|
||||
+ * @tty: tty device
|
||||
+ * @p: pointer to user data
|
||||
+ *
|
||||
+ * Retrieves the line discipline id directly from the ldisc.
|
||||
+ *
|
||||
+ * Locking: waits for ldisc reference (in case the line discipline
|
||||
+ * is changing or the tty is being hungup)
|
||||
+ */
|
||||
+
|
||||
+static int tiocgetd(struct tty_struct *tty, int __user *p)
|
||||
+{
|
||||
+ struct tty_ldisc *ld;
|
||||
+ int ret;
|
||||
+
|
||||
+ ld = tty_ldisc_ref_wait(tty);
|
||||
+ ret = put_user(ld->ops->num, p);
|
||||
+ tty_ldisc_deref(ld);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
* send_break - performed time break
|
||||
* @tty: device to break on
|
||||
* @duration: timeout in mS
|
||||
@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
||||
case TIOCGSID:
|
||||
return tiocgsid(tty, real_tty, p);
|
||||
case TIOCGETD:
|
||||
- return put_user(tty->ldisc->ops->num, (int __user *)p);
|
||||
+ return tiocgetd(tty, p);
|
||||
case TIOCSETD:
|
||||
return tiocsetd(tty, p);
|
||||
case TIOCVHANGUP:
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From b2476fe4c16be5c2b7ee950e50677cfaa9ab9bae Mon Sep 17 00:00:00 2001
|
||||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Date: Tue, 12 Jan 2016 14:10:50 -0500
|
||||
Subject: [PATCH] usb: serial: visor: fix crash on detecting device without
|
||||
write_urbs
|
||||
|
||||
The visor driver crashes in clie_5_attach() when a specially crafted USB
|
||||
device without bulk-out endpoint is detected. This fix adds a check that
|
||||
the device has proper configuration expected by the driver.
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
---
|
||||
drivers/usb/serial/visor.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
|
||||
index 60afb39eb73c..bbc90c059002 100644
|
||||
--- a/drivers/usb/serial/visor.c
|
||||
+++ b/drivers/usb/serial/visor.c
|
||||
@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_serial *serial)
|
||||
*/
|
||||
|
||||
/* some sanity check */
|
||||
- if (serial->num_ports < 2)
|
||||
- return -1;
|
||||
+ if (serial->num_bulk_out < 2) {
|
||||
+ dev_err(&serial->interface->dev, "missing bulk out endpoints\n");
|
||||
+ return -ENODEV;
|
||||
+ }
|
||||
|
||||
/* port 0 now uses the modified endpoint Address */
|
||||
port = serial->port[0];
|
||||
--
|
||||
2.5.0
|
||||
|
Loading…
Reference in New Issue