Merge branch 'f22' of ssh://pkgs.fedoraproject.org/kernel into f22-pf - 4.2.5-201
This commit is contained in:
commit
548fa6279b
|
@ -0,0 +1,76 @@
|
|||
From d856e14fb043b742f94170db36b812770a2591d0 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Thu, 15 Oct 2015 17:21:37 +0100
|
||||
Subject: [PATCH 1/2] KEYS: Fix crash when attempt to garbage collect an
|
||||
uninstantiated keyring
|
||||
|
||||
The following sequence of commands:
|
||||
|
||||
i=`keyctl add user a a @s`
|
||||
keyctl request2 keyring foo bar @t
|
||||
keyctl unlink $i @s
|
||||
|
||||
tries to invoke an upcall to instantiate a keyring if one doesn't already
|
||||
exist by that name within the user's keyring set. However, if the upcall
|
||||
fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
|
||||
other error code. When the key is garbage collected, the key destroy
|
||||
function is called unconditionally and keyring_destroy() uses list_empty()
|
||||
on keyring->type_data.link - which is in a union with reject_error.
|
||||
Subsequently, the kernel tries to unlink the keyring from the keyring names
|
||||
list - which oopses like this:
|
||||
|
||||
BUG: unable to handle kernel paging request at 00000000ffffff8a
|
||||
IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
|
||||
...
|
||||
Workqueue: events key_garbage_collector
|
||||
...
|
||||
RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
|
||||
RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
|
||||
RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
|
||||
RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
|
||||
RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
|
||||
R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
|
||||
R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
|
||||
...
|
||||
CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
|
||||
[<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
|
||||
[<ffffffff8105ec9b>] process_one_work+0x28e/0x547
|
||||
[<ffffffff8105fd17>] worker_thread+0x26e/0x361
|
||||
[<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
|
||||
[<ffffffff810648ad>] kthread+0xf3/0xfb
|
||||
[<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
|
||||
[<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
|
||||
[<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
|
||||
|
||||
Note the value in RAX. This is a 32-bit representation of -ENOKEY.
|
||||
|
||||
The solution is to only call ->destroy() if the key was successfully
|
||||
instantiated.
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
security/keys/gc.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/security/keys/gc.c b/security/keys/gc.c
|
||||
index c7952375ac53..11c36627adbf 100644
|
||||
--- a/security/keys/gc.c
|
||||
+++ b/security/keys/gc.c
|
||||
@@ -149,7 +149,9 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
|
||||
atomic_dec(&key->user->nikeys);
|
||||
|
||||
/* now throw away the key memory */
|
||||
- if (key->type->destroy)
|
||||
+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
|
||||
+ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
|
||||
+ key->type->destroy)
|
||||
key->type->destroy(key);
|
||||
|
||||
key_user_put(key->user);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,86 +0,0 @@
|
|||
From 680ac028240f8747f31c03986fbcf18b2b521e93 Mon Sep 17 00:00:00 2001
|
||||
From: Borislav Petkov <bp@suse.de>
|
||||
Date: Mon, 27 Jul 2015 09:58:05 +0200
|
||||
Subject: [PATCH] x86/cpu/cacheinfo: Fix teardown path
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Philip Müller reported a hang when booting 32-bit 4.1 kernel on
|
||||
an AMD box. A fragment of the splat was enough to pinpoint the
|
||||
issue:
|
||||
|
||||
task: f58e0000 ti: f58e8000 task.ti: f58e800
|
||||
EIP: 0060:[<c135a903>] EFLAGS: 00010206 CPU: 0
|
||||
EIP is at free_cache_attributes+0x83/0xd0
|
||||
EAX: 00000001 EBX: f589d46c ECX: 00000090 EDX: 360c2000
|
||||
ESI: 00000000 EDI: c1724a80 EBP: f58e9ec0 ESP: f58e9ea0
|
||||
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
|
||||
CR0: 8005003b CR2: 000000ac CR3: 01731000 CR4: 000006d0
|
||||
|
||||
cache_shared_cpu_map_setup() did check sibling CPUs cacheinfo
|
||||
descriptor while the respective teardown path
|
||||
cache_shared_cpu_map_remove() didn't. Fix that.
|
||||
|
||||
From tglx's version: to be on the safe side, move the cacheinfo
|
||||
descriptor check to free_cache_attributes(), thus cleaning up
|
||||
the hotplug path a little and making this even more robust.
|
||||
|
||||
Reported-by: Philip Müller <philm@manjaro.org>
|
||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
||||
Cc: <stable@vger.kernel.org> # v4.1+
|
||||
Cc: Andre Przywara <andre.przywara@arm.com>
|
||||
Cc: Guenter Roeck <linux@roeck-us.net>
|
||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Sudeep Holla <sudeep.holla@arm.com>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
Cc: manjaro-dev@manjaro.org
|
||||
Link: http://lkml.kernel.org/r/20150727075805.GA20416@nazgul.tnic
|
||||
Link: https://lkml.kernel.org/r/55B47BB8.6080202@manjaro.org
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
drivers/base/cacheinfo.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c
|
||||
index 764280a91776..e9fd32e91668 100644
|
||||
--- a/drivers/base/cacheinfo.c
|
||||
+++ b/drivers/base/cacheinfo.c
|
||||
@@ -148,7 +148,11 @@ static void cache_shared_cpu_map_remove(unsigned int cpu)
|
||||
|
||||
if (sibling == cpu) /* skip itself */
|
||||
continue;
|
||||
+
|
||||
sib_cpu_ci = get_cpu_cacheinfo(sibling);
|
||||
+ if (!sib_cpu_ci->info_list)
|
||||
+ continue;
|
||||
+
|
||||
sib_leaf = sib_cpu_ci->info_list + index;
|
||||
cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map);
|
||||
cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map);
|
||||
@@ -159,6 +163,9 @@ static void cache_shared_cpu_map_remove(unsigned int cpu)
|
||||
|
||||
static void free_cache_attributes(unsigned int cpu)
|
||||
{
|
||||
+ if (!per_cpu_cacheinfo(cpu))
|
||||
+ return;
|
||||
+
|
||||
cache_shared_cpu_map_remove(cpu);
|
||||
|
||||
kfree(per_cpu_cacheinfo(cpu));
|
||||
@@ -514,8 +521,7 @@ static int cacheinfo_cpu_callback(struct notifier_block *nfb,
|
||||
break;
|
||||
case CPU_DEAD:
|
||||
cache_remove_dev(cpu);
|
||||
- if (per_cpu_cacheinfo(cpu))
|
||||
- free_cache_attributes(cpu);
|
||||
+ free_cache_attributes(cpu);
|
||||
break;
|
||||
}
|
||||
return notifier_from_errno(rc);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
From fd7cd061adcf5f7503515ba52b6a724642a839c8 Mon Sep 17 00:00:00 2001
|
||||
From: Laura Abbott <labbott@fedoraproject.org>
|
||||
Date: Mon, 12 Oct 2015 11:30:13 +0300
|
||||
Subject: [PATCH] xhci: Add spurious wakeup quirk for LynxPoint-LP controllers
|
||||
|
||||
We received several reports of systems rebooting and powering on
|
||||
after an attempted shutdown. Testing showed that setting
|
||||
XHCI_SPURIOUS_WAKEUP quirk in addition to the XHCI_SPURIOUS_REBOOT
|
||||
quirk allowed the system to shutdown as expected for LynxPoint-LP
|
||||
xHCI controllers. Set the quirk back.
|
||||
|
||||
Note that the quirk was originally introduced for LynxPoint and
|
||||
LynxPoint-LP just for this same reason. See:
|
||||
|
||||
commit 638298dc66ea ("xhci: Fix spurious wakeups after S5 on Haswell")
|
||||
|
||||
It was later limited to only concern HP machines as it caused
|
||||
regression on some machines, see both bug and commit:
|
||||
|
||||
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=66171
|
||||
commit 6962d914f317 ("xhci: Limit the spurious wakeup fix only to HP machines")
|
||||
|
||||
Later it was discovered that the powering on after shutdown
|
||||
was limited to LynxPoint-LP (Haswell-ULT) and that some non-LP HP
|
||||
machine suffered from spontaneous resume from S3 (which should
|
||||
not be related to the SPURIOUS_WAKEUP quirk at all). An attempt
|
||||
to fix this then removed the SPURIOUS_WAKEUP flag usage completely.
|
||||
|
||||
commit b45abacde3d5 ("xhci: no switching back on non-ULT Haswell")
|
||||
|
||||
Current understanding is that LynxPoint-LP (Haswell ULT) machines
|
||||
need the SPURIOUS_WAKEUP quirk, otherwise they will restart, and
|
||||
plain Lynxpoint (Haswell) machines may _not_ have the quirk
|
||||
set otherwise they again will restart.
|
||||
|
||||
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
||||
Cc: Takashi Iwai <tiwai@suse.de>
|
||||
Cc: Oliver Neukum <oneukum@suse.com>
|
||||
[Added more history to commit message -Mathias]
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/usb/host/xhci-pci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
|
||||
index c79d336..c47d3e4 100644
|
||||
--- a/drivers/usb/host/xhci-pci.c
|
||||
+++ b/drivers/usb/host/xhci-pci.c
|
||||
@@ -147,6 +147,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
|
||||
if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
|
||||
pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI) {
|
||||
xhci->quirks |= XHCI_SPURIOUS_REBOOT;
|
||||
+ xhci->quirks |= XHCI_SPURIOUS_WAKEUP;
|
||||
}
|
||||
if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
|
||||
(pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From 93f27344ac019135dd5ff31a518f1ef2d9e4e4a1 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 19 Oct 2015 11:33:38 +0100
|
||||
Subject: [PATCH 2/2] KEYS: Don't permit request_key() to construct a new
|
||||
keyring
|
||||
|
||||
If request_key() is used to find a keyring, only do the search part - don't
|
||||
do the construction part if the keyring was not found by the search. We
|
||||
don't really want keyrings in the negative instantiated state since the
|
||||
rejected/negative instantiation error value in the payload is unioned with
|
||||
keyring metadata.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
security/keys/request_key.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
|
||||
index 486ef6fa393b..0d6253124278 100644
|
||||
--- a/security/keys/request_key.c
|
||||
+++ b/security/keys/request_key.c
|
||||
@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
|
||||
|
||||
kenter("");
|
||||
|
||||
+ if (ctx->index_key.type == &key_type_keyring)
|
||||
+ return ERR_PTR(-EPERM);
|
||||
+
|
||||
user = key_user_lookup(current_fsuid());
|
||||
if (!user)
|
||||
return ERR_PTR(-ENOMEM);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From 6f501aed6a8ebecbc3a83fbd95d925ef522e0120 Mon Sep 17 00:00:00 2001
|
||||
From: Laura Abbott <labbott@fedoraproject.org>
|
||||
Date: Thu, 1 Oct 2015 14:33:49 -0700
|
||||
Subject: [PATCH] ALSA: hda: Add dock support for ThinkPad T550
|
||||
To: Jaroslav Kysela <perex@perex.cz>
|
||||
To: Takashi Iwai <tiwai@suse.com>
|
||||
Cc: alsa-devel@alsa-project.org
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
|
||||
Much like all the other Lenovo laptops, add a quirk to make
|
||||
sound work with docking.
|
||||
|
||||
Reported-and-tested-by: lacknerflo@gmail.com
|
||||
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
||||
---
|
||||
sound/pci/hda/patch_realtek.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
|
||||
index afec6dc..16b8dcb 100644
|
||||
--- a/sound/pci/hda/patch_realtek.c
|
||||
+++ b/sound/pci/hda/patch_realtek.c
|
||||
@@ -5306,6 +5306,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
|
||||
SND_PCI_QUIRK(0x17aa, 0x2212, "Thinkpad T440", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x2214, "Thinkpad X240", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x2215, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
|
||||
+ SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
|
||||
SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,117 +0,0 @@
|
|||
From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Wed, 30 Sep 2015 12:48:40 -0400
|
||||
Subject: [PATCH] Initialize msg/shm IPC objects before doing ipc_addid()
|
||||
|
||||
As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
|
||||
having initialized the IPC object state. Yes, we initialize the IPC
|
||||
object in a locked state, but with all the lockless RCU lookup work,
|
||||
that IPC object lock no longer means that the state cannot be seen.
|
||||
|
||||
We already did this for the IPC semaphore code (see commit e8577d1f0329:
|
||||
"ipc/sem.c: fully initialize sem_array before making it visible") but we
|
||||
clearly forgot about msg and shm.
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Cc: Manfred Spraul <manfred@colorfullife.com>
|
||||
Cc: Davidlohr Bueso <dbueso@suse.de>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
ipc/msg.c | 14 +++++++-------
|
||||
ipc/shm.c | 13 +++++++------
|
||||
ipc/util.c | 8 ++++----
|
||||
3 files changed, 18 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/ipc/msg.c b/ipc/msg.c
|
||||
index 66c4f567eb73..1471db9a7e61 100644
|
||||
--- a/ipc/msg.c
|
||||
+++ b/ipc/msg.c
|
||||
@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
return retval;
|
||||
}
|
||||
|
||||
- /* ipc_addid() locks msq upon success. */
|
||||
- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
|
||||
- if (id < 0) {
|
||||
- ipc_rcu_putref(msq, msg_rcu_free);
|
||||
- return id;
|
||||
- }
|
||||
-
|
||||
msq->q_stime = msq->q_rtime = 0;
|
||||
msq->q_ctime = get_seconds();
|
||||
msq->q_cbytes = msq->q_qnum = 0;
|
||||
@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
INIT_LIST_HEAD(&msq->q_receivers);
|
||||
INIT_LIST_HEAD(&msq->q_senders);
|
||||
|
||||
+ /* ipc_addid() locks msq upon success. */
|
||||
+ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
|
||||
+ if (id < 0) {
|
||||
+ ipc_rcu_putref(msq, msg_rcu_free);
|
||||
+ return id;
|
||||
+ }
|
||||
+
|
||||
ipc_unlock_object(&msq->q_perm);
|
||||
rcu_read_unlock();
|
||||
|
||||
diff --git a/ipc/shm.c b/ipc/shm.c
|
||||
index 222131e8e38f..41787276e141 100644
|
||||
--- a/ipc/shm.c
|
||||
+++ b/ipc/shm.c
|
||||
@@ -551,12 +551,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
if (IS_ERR(file))
|
||||
goto no_file;
|
||||
|
||||
- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
|
||||
- if (id < 0) {
|
||||
- error = id;
|
||||
- goto no_id;
|
||||
- }
|
||||
-
|
||||
shp->shm_cprid = task_tgid_vnr(current);
|
||||
shp->shm_lprid = 0;
|
||||
shp->shm_atim = shp->shm_dtim = 0;
|
||||
@@ -565,6 +559,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
shp->shm_nattch = 0;
|
||||
shp->shm_file = file;
|
||||
shp->shm_creator = current;
|
||||
+
|
||||
+ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
|
||||
+ if (id < 0) {
|
||||
+ error = id;
|
||||
+ goto no_id;
|
||||
+ }
|
||||
+
|
||||
list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist);
|
||||
|
||||
/*
|
||||
diff --git a/ipc/util.c b/ipc/util.c
|
||||
index be4230020a1f..0f401d94b7c6 100644
|
||||
--- a/ipc/util.c
|
||||
+++ b/ipc/util.c
|
||||
@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
|
||||
rcu_read_lock();
|
||||
spin_lock(&new->lock);
|
||||
|
||||
+ current_euid_egid(&euid, &egid);
|
||||
+ new->cuid = new->uid = euid;
|
||||
+ new->gid = new->cgid = egid;
|
||||
+
|
||||
id = idr_alloc(&ids->ipcs_idr, new,
|
||||
(next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
|
||||
GFP_NOWAIT);
|
||||
@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
|
||||
|
||||
ids->in_use++;
|
||||
|
||||
- current_euid_egid(&euid, &egid);
|
||||
- new->cuid = new->uid = euid;
|
||||
- new->gid = new->cgid = egid;
|
||||
-
|
||||
if (next_id < 0) {
|
||||
new->seq = ids->seq++;
|
||||
if (ids->seq > IPCID_SEQ_MAX)
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -0,0 +1,77 @@
|
|||
From 09dca584f0b6b3bb4fc5f13a388274cd76b69f18 Mon Sep 17 00:00:00 2001
|
||||
From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
|
||||
Date: Fri, 16 Oct 2015 17:11:42 +0200
|
||||
Subject: [PATCH] RDS: fix race condition when sending a message on unbound
|
||||
socket.
|
||||
|
||||
Sasha's found a NULL pointer dereference in the RDS connection code when
|
||||
sending a message to an apparently unbound socket. The problem is caused
|
||||
by the code checking if the socket is bound in rds_sendmsg(), which checks
|
||||
the rs_bound_addr field without taking a lock on the socket. This opens a
|
||||
race where rs_bound_addr is temporarily set but where the transport is not
|
||||
in rds_bind(), leading to a NULL pointer dereference when trying to
|
||||
dereference 'trans' in __rds_conn_create().
|
||||
|
||||
Vegard wrote a reproducer for this issue, so kindly ask him to share if
|
||||
you're interested.
|
||||
|
||||
I cannot reproduce the NULL pointer dereference using Vegard's reproducer
|
||||
with this patch, whereas I could without.
|
||||
|
||||
Complete earlier incomplete fix to CVE-2015-6937:
|
||||
|
||||
74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
|
||||
|
||||
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
|
||||
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||||
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
Cc: Vegard Nossum <vegard.nossum@oracle.com>
|
||||
Cc: Sasha Levin <sasha.levin@oracle.com>
|
||||
Cc: Chien Yen <chien.yen@oracle.com>
|
||||
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
|
||||
Cc: David S. Miller <davem@davemloft.net>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
net/rds/connection.c | 6 ------
|
||||
net/rds/send.c | 4 +++-
|
||||
2 files changed, 3 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/net/rds/connection.c b/net/rds/connection.c
|
||||
index 9d66705f9d41..da6da57e5f36 100644
|
||||
--- a/net/rds/connection.c
|
||||
+++ b/net/rds/connection.c
|
||||
@@ -187,12 +187,6 @@ new_conn:
|
||||
}
|
||||
}
|
||||
|
||||
- if (trans == NULL) {
|
||||
- kmem_cache_free(rds_conn_slab, conn);
|
||||
- conn = ERR_PTR(-ENODEV);
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
conn->c_trans = trans;
|
||||
|
||||
ret = trans->conn_alloc(conn, gfp);
|
||||
diff --git a/net/rds/send.c b/net/rds/send.c
|
||||
index e9430f537f9c..7b30c0f3180d 100644
|
||||
--- a/net/rds/send.c
|
||||
+++ b/net/rds/send.c
|
||||
@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
|
||||
release_sock(sk);
|
||||
}
|
||||
|
||||
- /* racing with another thread binding seems ok here */
|
||||
+ lock_sock(sk);
|
||||
if (daddr == 0 || rs->rs_bound_addr == 0) {
|
||||
+ release_sock(sk);
|
||||
ret = -ENOTCONN; /* XXX not a great errno */
|
||||
goto out;
|
||||
}
|
||||
+ release_sock(sk);
|
||||
|
||||
/* size of rm including all sgs */
|
||||
ret = rds_rm_size(msg, payload_len);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,81 +0,0 @@
|
|||
From 10d98bced414c6fc1d09db123e7f762d91b5ebea Mon Sep 17 00:00:00 2001
|
||||
From: Johan Hovold <johan@kernel.org>
|
||||
Date: Wed, 23 Sep 2015 11:41:42 -0700
|
||||
Subject: [PATCH] USB: whiteheat: fix potential null-deref at probe
|
||||
|
||||
Fix potential null-pointer dereference at probe by making sure that the
|
||||
required endpoints are present.
|
||||
|
||||
The whiteheat driver assumes there are at least five pairs of bulk
|
||||
endpoints, of which the final pair is used for the "command port". An
|
||||
attempt to bind to an interface with fewer bulk endpoints would
|
||||
currently lead to an oops.
|
||||
|
||||
Fixes CVE-2015-5257.
|
||||
|
||||
Reported-by: Moein Ghasemzadeh <moein@istuary.com>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Johan Hovold <johan@kernel.org>
|
||||
---
|
||||
drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
|
||||
1 file changed, 31 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
|
||||
index 6c3734d2b45a..d3ea90bef84d 100644
|
||||
--- a/drivers/usb/serial/whiteheat.c
|
||||
+++ b/drivers/usb/serial/whiteheat.c
|
||||
@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
|
||||
static int whiteheat_firmware_attach(struct usb_serial *serial);
|
||||
|
||||
/* function prototypes for the Connect Tech WhiteHEAT serial converter */
|
||||
+static int whiteheat_probe(struct usb_serial *serial,
|
||||
+ const struct usb_device_id *id);
|
||||
static int whiteheat_attach(struct usb_serial *serial);
|
||||
static void whiteheat_release(struct usb_serial *serial);
|
||||
static int whiteheat_port_probe(struct usb_serial_port *port);
|
||||
@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
|
||||
.description = "Connect Tech - WhiteHEAT",
|
||||
.id_table = id_table_std,
|
||||
.num_ports = 4,
|
||||
+ .probe = whiteheat_probe,
|
||||
.attach = whiteheat_attach,
|
||||
.release = whiteheat_release,
|
||||
.port_probe = whiteheat_port_probe,
|
||||
@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
|
||||
/*****************************************************************************
|
||||
* Connect Tech's White Heat serial driver functions
|
||||
*****************************************************************************/
|
||||
+
|
||||
+static int whiteheat_probe(struct usb_serial *serial,
|
||||
+ const struct usb_device_id *id)
|
||||
+{
|
||||
+ struct usb_host_interface *iface_desc;
|
||||
+ struct usb_endpoint_descriptor *endpoint;
|
||||
+ size_t num_bulk_in = 0;
|
||||
+ size_t num_bulk_out = 0;
|
||||
+ size_t min_num_bulk;
|
||||
+ unsigned int i;
|
||||
+
|
||||
+ iface_desc = serial->interface->cur_altsetting;
|
||||
+
|
||||
+ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
|
||||
+ endpoint = &iface_desc->endpoint[i].desc;
|
||||
+ if (usb_endpoint_is_bulk_in(endpoint))
|
||||
+ ++num_bulk_in;
|
||||
+ if (usb_endpoint_is_bulk_out(endpoint))
|
||||
+ ++num_bulk_out;
|
||||
+ }
|
||||
+
|
||||
+ min_num_bulk = COMMAND_PORT + 1;
|
||||
+ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int whiteheat_attach(struct usb_serial *serial)
|
||||
{
|
||||
struct usb_serial_port *command_port;
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
From a08748fb2221ef03d54071e5ddfcc1b0cee6961c Mon Sep 17 00:00:00 2001
|
||||
From: Tejun Heo <tj@kernel.org>
|
||||
Date: Sat, 5 Sep 2015 15:47:36 -0400
|
||||
Subject: [PATCH] block: blkg_destroy_all() should clear q->root_blkg and
|
||||
->root_rl.blkg
|
||||
|
||||
While making the root blkg unconditional, ec13b1d6f0a0 ("blkcg: always
|
||||
create the blkcg_gq for the root blkcg") removed the part which clears
|
||||
q->root_blkg and ->root_rl.blkg during q exit. This leaves the two
|
||||
pointers dangling after blkg_destroy_all(). blk-throttle exit path
|
||||
performs blkg traversals and dereferences ->root_blkg and can lead to
|
||||
the following oops.
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000558
|
||||
IP: [<ffffffff81389746>] __blkg_lookup+0x26/0x70
|
||||
...
|
||||
task: ffff88001b4e2580 ti: ffff88001ac0c000 task.ti: ffff88001ac0c000
|
||||
RIP: 0010:[<ffffffff81389746>] [<ffffffff81389746>] __blkg_lookup+0x26/0x70
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff8138d14a>] blk_throtl_drain+0x5a/0x110
|
||||
[<ffffffff8138a108>] blkcg_drain_queue+0x18/0x20
|
||||
[<ffffffff81369a70>] __blk_drain_queue+0xc0/0x170
|
||||
[<ffffffff8136a101>] blk_queue_bypass_start+0x61/0x80
|
||||
[<ffffffff81388c59>] blkcg_deactivate_policy+0x39/0x100
|
||||
[<ffffffff8138d328>] blk_throtl_exit+0x38/0x50
|
||||
[<ffffffff8138a14e>] blkcg_exit_queue+0x3e/0x50
|
||||
[<ffffffff8137016e>] blk_release_queue+0x1e/0xc0
|
||||
...
|
||||
|
||||
While the bug is a straigh-forward use-after-free bug, it is tricky to
|
||||
reproduce because blkg release is RCU protected and the rest of exit
|
||||
path usually finishes before RCU grace period.
|
||||
|
||||
This patch fixes the bug by updating blkg_destro_all() to clear
|
||||
q->root_blkg and ->root_rl.blkg.
|
||||
|
||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
||||
Reported-by: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Link: http://lkml.kernel.org/g/CA+5PVA5rzQ0s4723n5rHBcxQa9t0cW8BPPBekr_9aMRoWt2aYg@mail.gmail.com
|
||||
Fixes: ec13b1d6f0a0 ("blkcg: always create the blkcg_gq for the root blkcg")
|
||||
Cc: stable@vger.kernel.org # v4.2+
|
||||
---
|
||||
block/blk-cgroup.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
|
||||
index d6283b3f5db5..9cc48d1d7abb 100644
|
||||
--- a/block/blk-cgroup.c
|
||||
+++ b/block/blk-cgroup.c
|
||||
@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q)
|
||||
blkg_destroy(blkg);
|
||||
spin_unlock(&blkcg->lock);
|
||||
}
|
||||
+
|
||||
+ q->root_blkg = NULL;
|
||||
+ q->root_rl.blkg = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -736,6 +736,8 @@ CONFIG_TMP006=m
|
|||
CONFIG_BMP085=y
|
||||
CONFIG_BMP085_I2C=m
|
||||
CONFIG_BMP085_SPI=m
|
||||
CONFIG_DHT11=m
|
||||
CONFIG_MPL3115=m
|
||||
CONFIG_SENSORS_AD7314=m
|
||||
CONFIG_SENSORS_ADCXX=m
|
||||
CONFIG_SENSORS_ADS7871=m
|
||||
|
@ -746,7 +748,10 @@ CONFIG_SENSORS_ISL29028=m
|
|||
CONFIG_SENSORS_LIS3_SPI=m
|
||||
CONFIG_SENSORS_LM70=m
|
||||
CONFIG_SENSORS_MAX1111=m
|
||||
CONFIG_SI7005=m
|
||||
CONFIG_SI7020=m
|
||||
|
||||
# LCD panels
|
||||
CONFIG_LCD_L4F00242T03=m
|
||||
CONFIG_LCD_LMS283GF05=m
|
||||
CONFIG_LCD_LTV350QV=m
|
||||
|
@ -815,9 +820,6 @@ CONFIG_UBIFS_FS_ADVANCED_COMPR=y
|
|||
CONFIG_UBIFS_FS_LZO=y
|
||||
CONFIG_UBIFS_FS_ZLIB=y
|
||||
|
||||
# Sensors
|
||||
CONFIG_SENSORS_HTU21=m
|
||||
|
||||
# Chromebook
|
||||
CONFIG_MFD_CROS_EC=m
|
||||
CONFIG_MFD_CROS_EC_I2C=m
|
||||
|
|
|
@ -1896,7 +1896,7 @@ CONFIG_IEEE802154_FAKELB=m
|
|||
CONFIG_IEEE802154_CC2520=m
|
||||
# CONFIG_IEEE802154_AT86RF230 is not set
|
||||
# CONFIG_IEEE802154_MRF24J40 is not set
|
||||
# CONFIG_IEEE802154_ATUSB is not set
|
||||
CONFIG_IEEE802154_ATUSB=m
|
||||
|
||||
CONFIG_MAC802154=m
|
||||
CONFIG_NET_MPLS_GSO=m
|
||||
|
|
|
@ -1,65 +0,0 @@
|
|||
From c0ea161a6e7158281f64bc6d41126da43cb08f14 Mon Sep 17 00:00:00 2001
|
||||
From: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Date: Sat, 15 Aug 2015 13:36:12 -0500
|
||||
Subject: [PATCH 1/2] dcache: Handle escaped paths in prepend_path
|
||||
|
||||
commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
|
||||
|
||||
A rename can result in a dentry that by walking up d_parent
|
||||
will never reach it's mnt_root. For lack of a better term
|
||||
I call this an escaped path.
|
||||
|
||||
prepend_path is called by four different functions __d_path,
|
||||
d_absolute_path, d_path, and getcwd.
|
||||
|
||||
__d_path only wants to see paths are connected to the root it passes
|
||||
in. So __d_path needs prepend_path to return an error.
|
||||
|
||||
d_absolute_path similarly wants to see paths that are connected to
|
||||
some root. Escaped paths are not connected to any mnt_root so
|
||||
d_absolute_path needs prepend_path to return an error greater
|
||||
than 1. So escaped paths will be treated like paths on lazily
|
||||
unmounted mounts.
|
||||
|
||||
getcwd needs to prepend "(unreachable)" so getcwd also needs
|
||||
prepend_path to return an error.
|
||||
|
||||
d_path is the interesting hold out. d_path just wants to print
|
||||
something, and does not care about the weird cases. Which raises
|
||||
the question what should be printed?
|
||||
|
||||
Given that <escaped_path>/<anything> should result in -ENOENT I
|
||||
believe it is desirable for escaped paths to be printed as empty
|
||||
paths. As there are not really any meaninful path components when
|
||||
considered from the perspective of a mount tree.
|
||||
|
||||
So tweak prepend_path to return an empty path with an new error
|
||||
code of 3 when it encounters an escaped path.
|
||||
|
||||
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/dcache.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/fs/dcache.c b/fs/dcache.c
|
||||
index 9b5fe503f6cb..e3b44ca75a1b 100644
|
||||
--- a/fs/dcache.c
|
||||
+++ b/fs/dcache.c
|
||||
@@ -2926,6 +2926,13 @@ restart:
|
||||
|
||||
if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
|
||||
struct mount *parent = ACCESS_ONCE(mnt->mnt_parent);
|
||||
+ /* Escaped? */
|
||||
+ if (dentry != vfsmnt->mnt_root) {
|
||||
+ bptr = *buffer;
|
||||
+ blen = *buflen;
|
||||
+ error = 3;
|
||||
+ break;
|
||||
+ }
|
||||
/* Global root? */
|
||||
if (mnt != parent) {
|
||||
dentry = ACCESS_ONCE(mnt->mnt_mountpoint);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
From 59f271755df42fce6d38ebdf5b7502666b1e0c36 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sun, 1 Nov 2015 16:21:24 +0000
|
||||
Subject: [PATCH 1/2] isdn_ppp: Add checks for allocation failure in
|
||||
isdn_ppp_open()
|
||||
|
||||
Compile-tested only.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
|
||||
index c4198fa490bf..86f9abebcb72 100644
|
||||
--- a/drivers/isdn/i4l/isdn_ppp.c
|
||||
+++ b/drivers/isdn/i4l/isdn_ppp.c
|
||||
@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
|
||||
is->compflags = 0;
|
||||
|
||||
is->reset = isdn_ppp_ccp_reset_alloc(is);
|
||||
+ if (!is->reset)
|
||||
+ return -ENOMEM;
|
||||
|
||||
is->lp = NULL;
|
||||
is->mp_seqno = 0; /* MP sequence number */
|
||||
@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
|
||||
* VJ header compression init
|
||||
*/
|
||||
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
|
||||
+ if (!is->slcomp) {
|
||||
+ isdn_ppp_ccp_reset_free(is);
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
#endif
|
||||
#ifdef CONFIG_IPPP_FILTER
|
||||
is->pass_filter = NULL;
|
||||
--
|
||||
2.4.3
|
||||
|
111
kernel.spec
111
kernel.spec
|
@ -40,7 +40,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 200
|
||||
%global baserelease 201
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -52,8 +52,12 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
<<<<<<< HEAD
|
||||
#+Hu Pf against 4.2.3 v4.2-pf2: https://pf.natalenko.name/forum/index.php?topic=352.0
|
||||
%define stable_update 3
|
||||
=======
|
||||
%define stable_update 5
|
||||
>>>>>>> 8b2cbe93901e227770fad71989ed13d2327b1b8c
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -382,7 +386,7 @@ BuildRequires: net-tools, hostname, bc
|
|||
BuildRequires: sparse
|
||||
%endif
|
||||
%if %{with_perf}
|
||||
BuildRequires: elfutils-devel zlib-devel binutils-devel newt-devel python-devel perl(ExtUtils::Embed) bison flex
|
||||
BuildRequires: elfutils-devel zlib-devel binutils-devel newt-devel python-devel perl(ExtUtils::Embed) bison flex xz-devel
|
||||
BuildRequires: audit-libs-devel
|
||||
%ifnarch s390 s390x %{arm}
|
||||
BuildRequires: numactl-devel
|
||||
|
@ -571,6 +575,7 @@ Patch16000: amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch
|
|||
Patch16001: amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch
|
||||
Patch16002: arm64-avoid-needing-console-to-enable-serial-console.patch
|
||||
Patch16003: usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch
|
||||
Patch16004: showmem-cma-correct-reserved-memory-calculation.patch
|
||||
|
||||
# ARMv7
|
||||
Patch16020: ARM-tegra-usb-no-reset.patch
|
||||
|
@ -645,33 +650,25 @@ Patch515: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
|
|||
Patch517: vmwgfx-Rework-device-initialization.patch
|
||||
Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
|
||||
|
||||
#rhbz 1237136
|
||||
Patch522: block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch
|
||||
|
||||
#CVE-2015-6937 rhbz 1263139 1263140
|
||||
Patch523: RDS-verify-the-underlying-transport-exists-before-cr.patch
|
||||
|
||||
#rhbz 1263762
|
||||
Patch526: 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch
|
||||
|
||||
#CVE-2015-5257 rhbz 1265607 1265612
|
||||
Patch527: USB-whiteheat-fix-potential-null-deref-at-probe.patch
|
||||
|
||||
#CVE-2015-2925 rhbz 1209367 1209373
|
||||
Patch528: dcache-Handle-escaped-paths-in-prepend_path.patch
|
||||
Patch529: vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
|
||||
|
||||
#CVE-2015-7613 rhbz 1268270 1268273
|
||||
Patch532: Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
||||
|
||||
Patch533: net-inet-fix-race-in-reqsk_queue_unlink.patch
|
||||
#CVE-2015-7990 rhbz 1276437 1276438
|
||||
Patch524: RDS-fix-race-condition-when-sending-a-message-on-unb.patch
|
||||
|
||||
#rhbz 1265978
|
||||
Patch536: si2168-Bounds-check-firmware.patch
|
||||
Patch537: si2157-Bounds-check-firmware.patch
|
||||
|
||||
#rhbz 1268037
|
||||
Patch538: ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
|
||||
#rhbz 1272172
|
||||
Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
|
||||
Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
|
||||
|
||||
#rhbz 1257131
|
||||
Patch542: 0001-xhci-Add-spurious-wakeup-quirk-for-LynxPoint-LP-cont.patch
|
||||
|
||||
#CVE-2015-7799 rhbz 1271134 1271135
|
||||
Patch543: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
|
||||
Patch544: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
|
@ -1256,6 +1253,8 @@ ApplyPatch amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch
|
|||
ApplyPatch arm64-avoid-needing-console-to-enable-serial-console.patch
|
||||
ApplyPatch usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch
|
||||
|
||||
ApplyPatch showmem-cma-correct-reserved-memory-calculation.patch
|
||||
|
||||
#
|
||||
# ARM
|
||||
#
|
||||
|
@ -1417,35 +1416,27 @@ ApplyPatch nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
|
|||
ApplyPatch vmwgfx-Rework-device-initialization.patch
|
||||
ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
|
||||
|
||||
#rhbz 1237136
|
||||
ApplyPatch block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch
|
||||
|
||||
#CVE-2015-6937 rhbz 1263139 1263140
|
||||
ApplyPatch RDS-verify-the-underlying-transport-exists-before-cr.patch
|
||||
|
||||
#rhbz 1263762
|
||||
ApplyPatch 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch
|
||||
|
||||
#CVE-2015-5257 rhbz 1265607 1265612
|
||||
ApplyPatch USB-whiteheat-fix-potential-null-deref-at-probe.patch
|
||||
#CVE-2015-7990 rhbz 1276437 1276438
|
||||
ApplyPatch RDS-fix-race-condition-when-sending-a-message-on-unb.patch
|
||||
|
||||
ApplyPatch regulator-axp20x-module-alias.patch
|
||||
|
||||
#CVE-2015-2925 rhbz 1209367 1209373
|
||||
ApplyPatch dcache-Handle-escaped-paths-in-prepend_path.patch
|
||||
ApplyPatch vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
|
||||
|
||||
#CVE-2015-7613 rhbz 1268270 1268273
|
||||
ApplyPatch Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
||||
|
||||
ApplyPatch net-inet-fix-race-in-reqsk_queue_unlink.patch
|
||||
|
||||
#rhbz 1265978
|
||||
ApplyPatch si2168-Bounds-check-firmware.patch
|
||||
ApplyPatch si2157-Bounds-check-firmware.patch
|
||||
|
||||
#rhbz 1268037
|
||||
ApplyPatch ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
|
||||
#rhbz 1272172
|
||||
ApplyPatch 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
|
||||
ApplyPatch 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
|
||||
|
||||
#rhbz 1257131
|
||||
ApplyPatch 0001-xhci-Add-spurious-wakeup-quirk-for-LynxPoint-LP-cont.patch
|
||||
|
||||
#CVE-2015-7799 rhbz 1271134 1271135
|
||||
ApplyPatch isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
|
||||
ApplyPatch ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2296,6 +2287,42 @@ fi
|
|||
# and build.
|
||||
#
|
||||
%changelog
|
||||
* Wed Nov 4 2015 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Enable some IIO sensors (temp/humidity) on ARMv7
|
||||
|
||||
* Tue Nov 03 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-7799 slip:crash when using PPP char dev driver (rhbz 1271134 1271135)
|
||||
|
||||
* Tue Nov 03 2015 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Add xz-devel builreq for perf (rhbz 1167457)
|
||||
|
||||
* Mon Nov 02 2015 Laura Abbott <labbott@fedoraproject.org>
|
||||
- Add spurious wakeup quirk for LynxPoint-LP controllers (rhbz 1257131)
|
||||
|
||||
* Thu Oct 29 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-7099 RDS: race condition on unbound socket null deref (rhbz 1276437 1276438)
|
||||
|
||||
* Tue Oct 27 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 4.2.5-201
|
||||
- Bump for build
|
||||
|
||||
* Tue Oct 27 2015 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- CMA memory patch to fix aarch64 builder lockups
|
||||
|
||||
* Mon Oct 26 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 4.2.5-200
|
||||
- Linux v4.2.5
|
||||
|
||||
* Fri Oct 23 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 4.2.4-200
|
||||
- Linux v4.2.4 (rhbz 1272645)
|
||||
|
||||
* Tue Oct 20 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Enable IEEE802154_ATUSB (rhbz 1272935)
|
||||
|
||||
* Mon Oct 19 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix crash in key garbage collector when using request_key (rhbz 1272172)
|
||||
|
||||
* Thu Oct 15 2015 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix for iscsi target issues (#rhbz 1271812)
|
||||
|
||||
* Sun Oct 11 2015 Pavel Alexeev <Pahan@Hubbitus.info> - 4.2.3-200.hu.1.pf2
|
||||
- 4.2.3-200.hu.1.pf2
|
||||
- pf v4.2-pf2 https://pf.natalenko.name/forum/index.php?topic=352.0
|
||||
|
|
|
@ -1,76 +0,0 @@
|
|||
From patchwork Thu Oct 1 12:39:26 2015
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [net] inet: fix race in reqsk_queue_unlink()
|
||||
From: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
X-Patchwork-Id: 524966
|
||||
Message-Id: <1443703166.32531.47.camel@edumazet-glaptop2.roam.corp.google.com>
|
||||
To: David Miller <davem@davemloft.net>
|
||||
Cc: netdev <netdev@vger.kernel.org>, Yuchung Cheng <ycheng@google.com>
|
||||
Date: Thu, 01 Oct 2015 05:39:26 -0700
|
||||
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
|
||||
reqsk_timer_handler() tests if icsk_accept_queue.listen_opt
|
||||
is NULL at its beginning.
|
||||
|
||||
By the time it calls inet_csk_reqsk_queue_drop() and
|
||||
reqsk_queue_unlink(), listener might have been closed and
|
||||
inet_csk_listen_stop() had called reqsk_queue_yank_acceptq()
|
||||
which sets icsk_accept_queue.listen_opt to NULL
|
||||
|
||||
We therefore need to correctly check listen_opt being NULL
|
||||
after holding syn_wait_lock for proper synchronization.
|
||||
|
||||
Fixes: fa76ce7328b2 ("inet: get rid of central tcp/dccp listener timer")
|
||||
Fixes: b357a364c57c ("inet: fix possible panic in reqsk_queue_unlink()")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Cc: Yuchung Cheng <ycheng@google.com>
|
||||
---
|
||||
net/ipv4/inet_connection_sock.c | 19 ++++++++++---------
|
||||
1 file changed, 10 insertions(+), 9 deletions(-)
|
||||
|
||||
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe netdev" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
|
||||
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
|
||||
index 7bb9c39e0a4d..61b45a17fc73 100644
|
||||
--- a/net/ipv4/inet_connection_sock.c
|
||||
+++ b/net/ipv4/inet_connection_sock.c
|
||||
@@ -577,21 +577,22 @@ EXPORT_SYMBOL(inet_rtx_syn_ack);
|
||||
static bool reqsk_queue_unlink(struct request_sock_queue *queue,
|
||||
struct request_sock *req)
|
||||
{
|
||||
- struct listen_sock *lopt = queue->listen_opt;
|
||||
struct request_sock **prev;
|
||||
+ struct listen_sock *lopt;
|
||||
bool found = false;
|
||||
|
||||
spin_lock(&queue->syn_wait_lock);
|
||||
-
|
||||
- for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL;
|
||||
- prev = &(*prev)->dl_next) {
|
||||
- if (*prev == req) {
|
||||
- *prev = req->dl_next;
|
||||
- found = true;
|
||||
- break;
|
||||
+ lopt = queue->listen_opt;
|
||||
+ if (lopt) {
|
||||
+ for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL;
|
||||
+ prev = &(*prev)->dl_next) {
|
||||
+ if (*prev == req) {
|
||||
+ *prev = req->dl_next;
|
||||
+ found = true;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
-
|
||||
spin_unlock(&queue->syn_wait_lock);
|
||||
if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer))
|
||||
reqsk_put(req);
|
|
@ -0,0 +1,139 @@
|
|||
From a8bc90052f18348718412cebf7b569da95bad264 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sun, 1 Nov 2015 16:22:53 +0000
|
||||
Subject: [PATCH 2/2] ppp, slip: Validate VJ compression slot parameters
|
||||
completely
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently slhc_init() treats out-of-range values of rslots and tslots
|
||||
as equivalent to 0, except that if tslots is too large it will
|
||||
dereference a null pointer (CVE-2015-7799).
|
||||
|
||||
Add a range-check at the top of the function and make it return an
|
||||
ERR_PTR() on error instead of NULL. Change the callers accordingly.
|
||||
|
||||
Compile-tested only.
|
||||
|
||||
Reported-by: 郭永刚 <guoyonggang@360.cn>
|
||||
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
|
||||
drivers/net/ppp/ppp_generic.c | 6 ++----
|
||||
drivers/net/slip/slhc.c | 12 ++++++++----
|
||||
drivers/net/slip/slip.c | 2 +-
|
||||
4 files changed, 15 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
|
||||
index 86f9abebcb72..9c1e8adaf4fc 100644
|
||||
--- a/drivers/isdn/i4l/isdn_ppp.c
|
||||
+++ b/drivers/isdn/i4l/isdn_ppp.c
|
||||
@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file)
|
||||
* VJ header compression init
|
||||
*/
|
||||
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
|
||||
- if (!is->slcomp) {
|
||||
+ if (IS_ERR(is->slcomp)) {
|
||||
isdn_ppp_ccp_reset_free(is);
|
||||
- return -ENOMEM;
|
||||
+ return PTR_ERR(is->slcomp);
|
||||
}
|
||||
#endif
|
||||
#ifdef CONFIG_IPPP_FILTER
|
||||
@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
|
||||
is->maxcid = val;
|
||||
#ifdef CONFIG_ISDN_PPP_VJ
|
||||
sltmp = slhc_init(16, val);
|
||||
- if (!sltmp) {
|
||||
- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
|
||||
- return -ENOMEM;
|
||||
- }
|
||||
+ if (IS_ERR(sltmp))
|
||||
+ return PTR_ERR(sltmp);
|
||||
if (is->slcomp)
|
||||
slhc_free(is->slcomp);
|
||||
is->slcomp = sltmp;
|
||||
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
|
||||
index ed00446759b2..9a863c6a6a33 100644
|
||||
--- a/drivers/net/ppp/ppp_generic.c
|
||||
+++ b/drivers/net/ppp/ppp_generic.c
|
||||
@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
||||
val &= 0xffff;
|
||||
}
|
||||
vj = slhc_init(val2+1, val+1);
|
||||
- if (!vj) {
|
||||
- netdev_err(ppp->dev,
|
||||
- "PPP: no memory (VJ compressor)\n");
|
||||
- err = -ENOMEM;
|
||||
+ if (IS_ERR(vj)) {
|
||||
+ err = PTR_ERR(vj);
|
||||
break;
|
||||
}
|
||||
ppp_lock(ppp);
|
||||
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
|
||||
index 079f7adfcde5..27ed25252aac 100644
|
||||
--- a/drivers/net/slip/slhc.c
|
||||
+++ b/drivers/net/slip/slhc.c
|
||||
@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
|
||||
static unsigned char * put16(unsigned char *cp, unsigned short x);
|
||||
static unsigned short pull16(unsigned char **cpp);
|
||||
|
||||
-/* Initialize compression data structure
|
||||
+/* Allocate compression data structure
|
||||
* slots must be in range 0 to 255 (zero meaning no compression)
|
||||
+ * Returns pointer to structure or ERR_PTR() on error.
|
||||
*/
|
||||
struct slcompress *
|
||||
slhc_init(int rslots, int tslots)
|
||||
@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
|
||||
register struct cstate *ts;
|
||||
struct slcompress *comp;
|
||||
|
||||
+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
|
||||
+ return ERR_PTR(-EINVAL);
|
||||
+
|
||||
comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
|
||||
if (! comp)
|
||||
goto out_fail;
|
||||
|
||||
- if ( rslots > 0 && rslots < 256 ) {
|
||||
+ if (rslots > 0) {
|
||||
size_t rsize = rslots * sizeof(struct cstate);
|
||||
comp->rstate = kzalloc(rsize, GFP_KERNEL);
|
||||
if (! comp->rstate)
|
||||
@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
|
||||
comp->rslot_limit = rslots - 1;
|
||||
}
|
||||
|
||||
- if ( tslots > 0 && tslots < 256 ) {
|
||||
+ if (tslots > 0) {
|
||||
size_t tsize = tslots * sizeof(struct cstate);
|
||||
comp->tstate = kzalloc(tsize, GFP_KERNEL);
|
||||
if (! comp->tstate)
|
||||
@@ -141,7 +145,7 @@ out_free2:
|
||||
out_free:
|
||||
kfree(comp);
|
||||
out_fail:
|
||||
- return NULL;
|
||||
+ return ERR_PTR(-ENOMEM);
|
||||
}
|
||||
|
||||
|
||||
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
|
||||
index 05387b1e2e95..a17d86a57734 100644
|
||||
--- a/drivers/net/slip/slip.c
|
||||
+++ b/drivers/net/slip/slip.c
|
||||
@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu)
|
||||
if (cbuff == NULL)
|
||||
goto err_exit;
|
||||
slcomp = slhc_init(16, 16);
|
||||
- if (slcomp == NULL)
|
||||
+ if (IS_ERR(slcomp))
|
||||
goto err_exit;
|
||||
#endif
|
||||
spin_lock_bh(&sl->lock);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
From 3a83eda52f34b97168b70098ef0e34dbcaeaaf8f Mon Sep 17 00:00:00 2001
|
||||
From: Vishnu Pratap Singh <vishnu.ps@samsung.com>
|
||||
Date: Tue, 25 Aug 2015 00:04:44 +0000
|
||||
Subject: lib/show_mem.c: correct reserved memory calculation
|
||||
|
||||
CMA reserved memory is not part of total reserved memory.
|
||||
Currently when we print the total reserve memory it considers
|
||||
cma as part of reserve memory and do minus of totalcma_pages
|
||||
from reserved, which is wrong. In cases where total reserved
|
||||
is less than cma reserved we will get negative values & while
|
||||
printing we print as unsigned and we will get a very large value.
|
||||
|
||||
Below is the show mem output on X86 ubuntu based system where
|
||||
CMA reserved is 100MB (25600 pages) & total reserved is ~40MB(10316 pages).
|
||||
And reserve memory shows a large value because of this bug.
|
||||
|
||||
Before:
|
||||
[ 127.066430] 898908 pages RAM
|
||||
[ 127.066432] 671682 pages HighMem/MovableOnly
|
||||
[ 127.066434] 4294952012 pages reserved
|
||||
[ 127.066436] 25600 pages cma reserved
|
||||
|
||||
After:
|
||||
[ 44.663129] 898908 pages RAM
|
||||
[ 44.663130] 671682 pages HighMem/MovableOnly
|
||||
[ 44.663130] 10316 pages reserved
|
||||
[ 44.663131] 25600 pages cma reserved
|
||||
|
||||
Signed-off-by: Vishnu Pratap Singh <vishnu.ps@samsung.com>
|
||||
Cc: Michal Nazarewicz <mina86@mina86.com>
|
||||
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
|
||||
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
|
||||
Cc: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
|
||||
Cc: Sasha Levin <sasha.levin@oracle.com>
|
||||
Cc: Danesh Petigara <dpetigara@broadcom.com>
|
||||
Cc: Laura Abbott <lauraa@codeaurora.org>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
lib/show_mem.c | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/show_mem.c b/lib/show_mem.c
|
||||
index adc98e18..1feed6a 100644
|
||||
--- a/lib/show_mem.c
|
||||
+++ b/lib/show_mem.c
|
||||
@@ -38,11 +38,9 @@ void show_mem(unsigned int filter)
|
||||
|
||||
printk("%lu pages RAM\n", total);
|
||||
printk("%lu pages HighMem/MovableOnly\n", highmem);
|
||||
+ printk("%lu pages reserved\n", reserved);
|
||||
#ifdef CONFIG_CMA
|
||||
- printk("%lu pages reserved\n", (reserved - totalcma_pages));
|
||||
printk("%lu pages cma reserved\n", totalcma_pages);
|
||||
-#else
|
||||
- printk("%lu pages reserved\n", reserved);
|
||||
#endif
|
||||
#ifdef CONFIG_QUICKLIST
|
||||
printk("%lu pages in pagetable cache\n",
|
||||
--
|
||||
cgit v0.11.2
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
3d5ea06d767e2f35c999eeadafc76523 linux-4.2.tar.xz
|
||||
4c964bfba54d65b5b54cc898baddecad perf-man-4.2.tar.gz
|
||||
6a7355d968116129c19dc053fb2d557a patch-4.2.3.xz
|
||||
19e47863ca441b2e11f90f25fb6c41ec patch-4.2.5.xz
|
||||
|
|
|
@ -1,110 +0,0 @@
|
|||
From 14588dfe2e411056df5ba85ef88ad51730a2fa0a Mon Sep 17 00:00:00 2001
|
||||
From: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Date: Sat, 15 Aug 2015 20:27:13 -0500
|
||||
Subject: [PATCH 2/2] vfs: Test for and handle paths that are unreachable from
|
||||
their mnt_root
|
||||
|
||||
commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream.
|
||||
|
||||
In rare cases a directory can be renamed out from under a bind mount.
|
||||
In those cases without special handling it becomes possible to walk up
|
||||
the directory tree to the root dentry of the filesystem and down
|
||||
from the root dentry to every other file or directory on the filesystem.
|
||||
|
||||
Like division by zero .. from an unconnected path can not be given
|
||||
a useful semantic as there is no predicting at which path component
|
||||
the code will realize it is unconnected. We certainly can not match
|
||||
the current behavior as the current behavior is a security hole.
|
||||
|
||||
Therefore when encounting .. when following an unconnected path
|
||||
return -ENOENT.
|
||||
|
||||
- Add a function path_connected to verify path->dentry is reachable
|
||||
from path->mnt.mnt_root. AKA to validate that rename did not do
|
||||
something nasty to the bind mount.
|
||||
|
||||
To avoid races path_connected must be called after following a path
|
||||
component to it's next path component.
|
||||
|
||||
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/namei.c | 27 +++++++++++++++++++++++++--
|
||||
1 file changed, 25 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/namei.c b/fs/namei.c
|
||||
index 1c2105ed20c5..29b927938b8c 100644
|
||||
--- a/fs/namei.c
|
||||
+++ b/fs/namei.c
|
||||
@@ -560,6 +560,24 @@ static int __nd_alloc_stack(struct nameidata *nd)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/**
|
||||
+ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
|
||||
+ * @path: nameidate to verify
|
||||
+ *
|
||||
+ * Rename can sometimes move a file or directory outside of a bind
|
||||
+ * mount, path_connected allows those cases to be detected.
|
||||
+ */
|
||||
+static bool path_connected(const struct path *path)
|
||||
+{
|
||||
+ struct vfsmount *mnt = path->mnt;
|
||||
+
|
||||
+ /* Only bind mounts can have disconnected paths */
|
||||
+ if (mnt->mnt_root == mnt->mnt_sb->s_root)
|
||||
+ return true;
|
||||
+
|
||||
+ return is_subdir(path->dentry, mnt->mnt_root);
|
||||
+}
|
||||
+
|
||||
static inline int nd_alloc_stack(struct nameidata *nd)
|
||||
{
|
||||
if (likely(nd->depth != EMBEDDED_LEVELS))
|
||||
@@ -1296,6 +1314,8 @@ static int follow_dotdot_rcu(struct nameidata *nd)
|
||||
return -ECHILD;
|
||||
nd->path.dentry = parent;
|
||||
nd->seq = seq;
|
||||
+ if (unlikely(!path_connected(&nd->path)))
|
||||
+ return -ENOENT;
|
||||
break;
|
||||
} else {
|
||||
struct mount *mnt = real_mount(nd->path.mnt);
|
||||
@@ -1396,7 +1416,7 @@ static void follow_mount(struct path *path)
|
||||
}
|
||||
}
|
||||
|
||||
-static void follow_dotdot(struct nameidata *nd)
|
||||
+static int follow_dotdot(struct nameidata *nd)
|
||||
{
|
||||
if (!nd->root.mnt)
|
||||
set_root(nd);
|
||||
@@ -1412,6 +1432,8 @@ static void follow_dotdot(struct nameidata *nd)
|
||||
/* rare case of legitimate dget_parent()... */
|
||||
nd->path.dentry = dget_parent(nd->path.dentry);
|
||||
dput(old);
|
||||
+ if (unlikely(!path_connected(&nd->path)))
|
||||
+ return -ENOENT;
|
||||
break;
|
||||
}
|
||||
if (!follow_up(&nd->path))
|
||||
@@ -1419,6 +1441,7 @@ static void follow_dotdot(struct nameidata *nd)
|
||||
}
|
||||
follow_mount(&nd->path);
|
||||
nd->inode = nd->path.dentry->d_inode;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1634,7 +1657,7 @@ static inline int handle_dots(struct nameidata *nd, int type)
|
||||
if (nd->flags & LOOKUP_RCU) {
|
||||
return follow_dotdot_rcu(nd);
|
||||
} else
|
||||
- follow_dotdot(nd);
|
||||
+ return follow_dotdot(nd);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.4.3
|
||||
|
Loading…
Reference in New Issue