Linux v4.1.11
This commit is contained in:
parent
1e304cc6ed
commit
5de68c70f1
|
@ -1,86 +0,0 @@
|
|||
From 680ac028240f8747f31c03986fbcf18b2b521e93 Mon Sep 17 00:00:00 2001
|
||||
From: Borislav Petkov <bp@suse.de>
|
||||
Date: Mon, 27 Jul 2015 09:58:05 +0200
|
||||
Subject: [PATCH] x86/cpu/cacheinfo: Fix teardown path
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Philip Müller reported a hang when booting 32-bit 4.1 kernel on
|
||||
an AMD box. A fragment of the splat was enough to pinpoint the
|
||||
issue:
|
||||
|
||||
task: f58e0000 ti: f58e8000 task.ti: f58e800
|
||||
EIP: 0060:[<c135a903>] EFLAGS: 00010206 CPU: 0
|
||||
EIP is at free_cache_attributes+0x83/0xd0
|
||||
EAX: 00000001 EBX: f589d46c ECX: 00000090 EDX: 360c2000
|
||||
ESI: 00000000 EDI: c1724a80 EBP: f58e9ec0 ESP: f58e9ea0
|
||||
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
|
||||
CR0: 8005003b CR2: 000000ac CR3: 01731000 CR4: 000006d0
|
||||
|
||||
cache_shared_cpu_map_setup() did check sibling CPUs cacheinfo
|
||||
descriptor while the respective teardown path
|
||||
cache_shared_cpu_map_remove() didn't. Fix that.
|
||||
|
||||
From tglx's version: to be on the safe side, move the cacheinfo
|
||||
descriptor check to free_cache_attributes(), thus cleaning up
|
||||
the hotplug path a little and making this even more robust.
|
||||
|
||||
Reported-by: Philip Müller <philm@manjaro.org>
|
||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
||||
Cc: <stable@vger.kernel.org> # v4.1+
|
||||
Cc: Andre Przywara <andre.przywara@arm.com>
|
||||
Cc: Guenter Roeck <linux@roeck-us.net>
|
||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Sudeep Holla <sudeep.holla@arm.com>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
Cc: manjaro-dev@manjaro.org
|
||||
Link: http://lkml.kernel.org/r/20150727075805.GA20416@nazgul.tnic
|
||||
Link: https://lkml.kernel.org/r/55B47BB8.6080202@manjaro.org
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
drivers/base/cacheinfo.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c
|
||||
index 764280a91776..e9fd32e91668 100644
|
||||
--- a/drivers/base/cacheinfo.c
|
||||
+++ b/drivers/base/cacheinfo.c
|
||||
@@ -148,7 +148,11 @@ static void cache_shared_cpu_map_remove(unsigned int cpu)
|
||||
|
||||
if (sibling == cpu) /* skip itself */
|
||||
continue;
|
||||
+
|
||||
sib_cpu_ci = get_cpu_cacheinfo(sibling);
|
||||
+ if (!sib_cpu_ci->info_list)
|
||||
+ continue;
|
||||
+
|
||||
sib_leaf = sib_cpu_ci->info_list + index;
|
||||
cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map);
|
||||
cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map);
|
||||
@@ -159,6 +163,9 @@ static void cache_shared_cpu_map_remove(unsigned int cpu)
|
||||
|
||||
static void free_cache_attributes(unsigned int cpu)
|
||||
{
|
||||
+ if (!per_cpu_cacheinfo(cpu))
|
||||
+ return;
|
||||
+
|
||||
cache_shared_cpu_map_remove(cpu);
|
||||
|
||||
kfree(per_cpu_cacheinfo(cpu));
|
||||
@@ -514,8 +521,7 @@ static int cacheinfo_cpu_callback(struct notifier_block *nfb,
|
||||
break;
|
||||
case CPU_DEAD:
|
||||
cache_remove_dev(cpu);
|
||||
- if (per_cpu_cacheinfo(cpu))
|
||||
- free_cache_attributes(cpu);
|
||||
+ free_cache_attributes(cpu);
|
||||
break;
|
||||
}
|
||||
return notifier_from_errno(rc);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From 6f501aed6a8ebecbc3a83fbd95d925ef522e0120 Mon Sep 17 00:00:00 2001
|
||||
From: Laura Abbott <labbott@fedoraproject.org>
|
||||
Date: Thu, 1 Oct 2015 14:33:49 -0700
|
||||
Subject: [PATCH] ALSA: hda: Add dock support for ThinkPad T550
|
||||
To: Jaroslav Kysela <perex@perex.cz>
|
||||
To: Takashi Iwai <tiwai@suse.com>
|
||||
Cc: alsa-devel@alsa-project.org
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
|
||||
Much like all the other Lenovo laptops, add a quirk to make
|
||||
sound work with docking.
|
||||
|
||||
Reported-and-tested-by: lacknerflo@gmail.com
|
||||
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
||||
---
|
||||
sound/pci/hda/patch_realtek.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
|
||||
index afec6dc..16b8dcb 100644
|
||||
--- a/sound/pci/hda/patch_realtek.c
|
||||
+++ b/sound/pci/hda/patch_realtek.c
|
||||
@@ -5306,6 +5306,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
|
||||
SND_PCI_QUIRK(0x17aa, 0x2212, "Thinkpad T440", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x2214, "Thinkpad X240", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x2215, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
|
||||
+ SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
|
||||
SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
|
||||
SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,117 +0,0 @@
|
|||
From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Wed, 30 Sep 2015 12:48:40 -0400
|
||||
Subject: [PATCH] Initialize msg/shm IPC objects before doing ipc_addid()
|
||||
|
||||
As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
|
||||
having initialized the IPC object state. Yes, we initialize the IPC
|
||||
object in a locked state, but with all the lockless RCU lookup work,
|
||||
that IPC object lock no longer means that the state cannot be seen.
|
||||
|
||||
We already did this for the IPC semaphore code (see commit e8577d1f0329:
|
||||
"ipc/sem.c: fully initialize sem_array before making it visible") but we
|
||||
clearly forgot about msg and shm.
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Cc: Manfred Spraul <manfred@colorfullife.com>
|
||||
Cc: Davidlohr Bueso <dbueso@suse.de>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
ipc/msg.c | 14 +++++++-------
|
||||
ipc/shm.c | 13 +++++++------
|
||||
ipc/util.c | 8 ++++----
|
||||
3 files changed, 18 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/ipc/msg.c b/ipc/msg.c
|
||||
index 66c4f567eb73..1471db9a7e61 100644
|
||||
--- a/ipc/msg.c
|
||||
+++ b/ipc/msg.c
|
||||
@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
return retval;
|
||||
}
|
||||
|
||||
- /* ipc_addid() locks msq upon success. */
|
||||
- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
|
||||
- if (id < 0) {
|
||||
- ipc_rcu_putref(msq, msg_rcu_free);
|
||||
- return id;
|
||||
- }
|
||||
-
|
||||
msq->q_stime = msq->q_rtime = 0;
|
||||
msq->q_ctime = get_seconds();
|
||||
msq->q_cbytes = msq->q_qnum = 0;
|
||||
@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
INIT_LIST_HEAD(&msq->q_receivers);
|
||||
INIT_LIST_HEAD(&msq->q_senders);
|
||||
|
||||
+ /* ipc_addid() locks msq upon success. */
|
||||
+ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
|
||||
+ if (id < 0) {
|
||||
+ ipc_rcu_putref(msq, msg_rcu_free);
|
||||
+ return id;
|
||||
+ }
|
||||
+
|
||||
ipc_unlock_object(&msq->q_perm);
|
||||
rcu_read_unlock();
|
||||
|
||||
diff --git a/ipc/shm.c b/ipc/shm.c
|
||||
index 222131e8e38f..41787276e141 100644
|
||||
--- a/ipc/shm.c
|
||||
+++ b/ipc/shm.c
|
||||
@@ -551,12 +551,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
if (IS_ERR(file))
|
||||
goto no_file;
|
||||
|
||||
- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
|
||||
- if (id < 0) {
|
||||
- error = id;
|
||||
- goto no_id;
|
||||
- }
|
||||
-
|
||||
shp->shm_cprid = task_tgid_vnr(current);
|
||||
shp->shm_lprid = 0;
|
||||
shp->shm_atim = shp->shm_dtim = 0;
|
||||
@@ -565,6 +559,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
shp->shm_nattch = 0;
|
||||
shp->shm_file = file;
|
||||
shp->shm_creator = current;
|
||||
+
|
||||
+ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
|
||||
+ if (id < 0) {
|
||||
+ error = id;
|
||||
+ goto no_id;
|
||||
+ }
|
||||
+
|
||||
list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist);
|
||||
|
||||
/*
|
||||
diff --git a/ipc/util.c b/ipc/util.c
|
||||
index be4230020a1f..0f401d94b7c6 100644
|
||||
--- a/ipc/util.c
|
||||
+++ b/ipc/util.c
|
||||
@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
|
||||
rcu_read_lock();
|
||||
spin_lock(&new->lock);
|
||||
|
||||
+ current_euid_egid(&euid, &egid);
|
||||
+ new->cuid = new->uid = euid;
|
||||
+ new->gid = new->cgid = egid;
|
||||
+
|
||||
id = idr_alloc(&ids->ipcs_idr, new,
|
||||
(next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
|
||||
GFP_NOWAIT);
|
||||
@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
|
||||
|
||||
ids->in_use++;
|
||||
|
||||
- current_euid_egid(&euid, &egid);
|
||||
- new->cuid = new->uid = euid;
|
||||
- new->gid = new->cgid = egid;
|
||||
-
|
||||
if (next_id < 0) {
|
||||
new->seq = ids->seq++;
|
||||
if (ids->seq > IPCID_SEQ_MAX)
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,81 +0,0 @@
|
|||
From 10d98bced414c6fc1d09db123e7f762d91b5ebea Mon Sep 17 00:00:00 2001
|
||||
From: Johan Hovold <johan@kernel.org>
|
||||
Date: Wed, 23 Sep 2015 11:41:42 -0700
|
||||
Subject: [PATCH] USB: whiteheat: fix potential null-deref at probe
|
||||
|
||||
Fix potential null-pointer dereference at probe by making sure that the
|
||||
required endpoints are present.
|
||||
|
||||
The whiteheat driver assumes there are at least five pairs of bulk
|
||||
endpoints, of which the final pair is used for the "command port". An
|
||||
attempt to bind to an interface with fewer bulk endpoints would
|
||||
currently lead to an oops.
|
||||
|
||||
Fixes CVE-2015-5257.
|
||||
|
||||
Reported-by: Moein Ghasemzadeh <moein@istuary.com>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Johan Hovold <johan@kernel.org>
|
||||
---
|
||||
drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++
|
||||
1 file changed, 31 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
|
||||
index 6c3734d2b45a..d3ea90bef84d 100644
|
||||
--- a/drivers/usb/serial/whiteheat.c
|
||||
+++ b/drivers/usb/serial/whiteheat.c
|
||||
@@ -80,6 +80,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
|
||||
static int whiteheat_firmware_attach(struct usb_serial *serial);
|
||||
|
||||
/* function prototypes for the Connect Tech WhiteHEAT serial converter */
|
||||
+static int whiteheat_probe(struct usb_serial *serial,
|
||||
+ const struct usb_device_id *id);
|
||||
static int whiteheat_attach(struct usb_serial *serial);
|
||||
static void whiteheat_release(struct usb_serial *serial);
|
||||
static int whiteheat_port_probe(struct usb_serial_port *port);
|
||||
@@ -116,6 +118,7 @@ static struct usb_serial_driver whiteheat_device = {
|
||||
.description = "Connect Tech - WhiteHEAT",
|
||||
.id_table = id_table_std,
|
||||
.num_ports = 4,
|
||||
+ .probe = whiteheat_probe,
|
||||
.attach = whiteheat_attach,
|
||||
.release = whiteheat_release,
|
||||
.port_probe = whiteheat_port_probe,
|
||||
@@ -217,6 +220,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
|
||||
/*****************************************************************************
|
||||
* Connect Tech's White Heat serial driver functions
|
||||
*****************************************************************************/
|
||||
+
|
||||
+static int whiteheat_probe(struct usb_serial *serial,
|
||||
+ const struct usb_device_id *id)
|
||||
+{
|
||||
+ struct usb_host_interface *iface_desc;
|
||||
+ struct usb_endpoint_descriptor *endpoint;
|
||||
+ size_t num_bulk_in = 0;
|
||||
+ size_t num_bulk_out = 0;
|
||||
+ size_t min_num_bulk;
|
||||
+ unsigned int i;
|
||||
+
|
||||
+ iface_desc = serial->interface->cur_altsetting;
|
||||
+
|
||||
+ for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
|
||||
+ endpoint = &iface_desc->endpoint[i].desc;
|
||||
+ if (usb_endpoint_is_bulk_in(endpoint))
|
||||
+ ++num_bulk_in;
|
||||
+ if (usb_endpoint_is_bulk_out(endpoint))
|
||||
+ ++num_bulk_out;
|
||||
+ }
|
||||
+
|
||||
+ min_num_bulk = COMMAND_PORT + 1;
|
||||
+ if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int whiteheat_attach(struct usb_serial *serial)
|
||||
{
|
||||
struct usb_serial_port *command_port;
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
From 0e9ff3b71d0b2866f8f4ce408043f3f06792aad3 Mon Sep 17 00:00:00 2001
|
||||
From: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Date: Sat, 15 Aug 2015 13:36:12 -0500
|
||||
Subject: [PATCH 1/2] dcache: Handle escaped paths in prepend_path
|
||||
|
||||
commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
|
||||
|
||||
A rename can result in a dentry that by walking up d_parent
|
||||
will never reach it's mnt_root. For lack of a better term
|
||||
I call this an escaped path.
|
||||
|
||||
prepend_path is called by four different functions __d_path,
|
||||
d_absolute_path, d_path, and getcwd.
|
||||
|
||||
__d_path only wants to see paths are connected to the root it passes
|
||||
in. So __d_path needs prepend_path to return an error.
|
||||
|
||||
d_absolute_path similarly wants to see paths that are connected to
|
||||
some root. Escaped paths are not connected to any mnt_root so
|
||||
d_absolute_path needs prepend_path to return an error greater
|
||||
than 1. So escaped paths will be treated like paths on lazily
|
||||
unmounted mounts.
|
||||
|
||||
getcwd needs to prepend "(unreachable)" so getcwd also needs
|
||||
prepend_path to return an error.
|
||||
|
||||
d_path is the interesting hold out. d_path just wants to print
|
||||
something, and does not care about the weird cases. Which raises
|
||||
the question what should be printed?
|
||||
|
||||
Given that <escaped_path>/<anything> should result in -ENOENT I
|
||||
believe it is desirable for escaped paths to be printed as empty
|
||||
paths. As there are not really any meaninful path components when
|
||||
considered from the perspective of a mount tree.
|
||||
|
||||
So tweak prepend_path to return an empty path with an new error
|
||||
code of 3 when it encounters an escaped path.
|
||||
|
||||
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/dcache.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/fs/dcache.c b/fs/dcache.c
|
||||
index 5d03eb0ec0ac..2e8ddc1d09e9 100644
|
||||
--- a/fs/dcache.c
|
||||
+++ b/fs/dcache.c
|
||||
@@ -2923,6 +2923,13 @@ restart:
|
||||
|
||||
if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
|
||||
struct mount *parent = ACCESS_ONCE(mnt->mnt_parent);
|
||||
+ /* Escaped? */
|
||||
+ if (dentry != vfsmnt->mnt_root) {
|
||||
+ bptr = *buffer;
|
||||
+ blen = *buflen;
|
||||
+ error = 3;
|
||||
+ break;
|
||||
+ }
|
||||
/* Global root? */
|
||||
if (mnt != parent) {
|
||||
dentry = ACCESS_ONCE(mnt->mnt_mountpoint);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
From 05676fe53c9f26fe703c57b14bdd0807e23cc33b Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Thu, 13 Aug 2015 15:44:51 -0700
|
||||
Subject: [PATCH 1/2] inet: fix potential deadlock in reqsk_queue_unlink()
|
||||
|
||||
When replacing del_timer() with del_timer_sync(), I introduced
|
||||
a deadlock condition :
|
||||
|
||||
reqsk_queue_unlink() is called from inet_csk_reqsk_queue_drop()
|
||||
|
||||
inet_csk_reqsk_queue_drop() can be called from many contexts,
|
||||
one being the timer handler itself (reqsk_timer_handler()).
|
||||
|
||||
In this case, del_timer_sync() loops forever.
|
||||
|
||||
Simple fix is to test if timer is pending.
|
||||
|
||||
Fixes: 2235f2ac75fd ("inet: fix races with reqsk timers")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv4/inet_connection_sock.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
|
||||
index b27fc401c6a9..e664706b350c 100644
|
||||
--- a/net/ipv4/inet_connection_sock.c
|
||||
+++ b/net/ipv4/inet_connection_sock.c
|
||||
@@ -584,7 +584,7 @@ static bool reqsk_queue_unlink(struct request_sock_queue *queue,
|
||||
}
|
||||
|
||||
spin_unlock(&queue->syn_wait_lock);
|
||||
- if (del_timer_sync(&req->rsk_timer))
|
||||
+ if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer))
|
||||
reqsk_put(req);
|
||||
return found;
|
||||
}
|
||||
--
|
||||
2.4.3
|
||||
|
45
kernel.spec
45
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 10
|
||||
%define stable_update 11
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -640,9 +640,6 @@ Patch511: iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch
|
|||
#CVE-2015-6666 rhbz 1256746 1256753
|
||||
Patch513: Revert-sched-x86_64-Don-t-save-flags-on-context-swit.patch
|
||||
|
||||
#rhbz 1256281
|
||||
Patch26266: mmc-sdhci-fix-dma-memory-leak-in-sdhci_pre_req.patch
|
||||
|
||||
#rhbz 1257534
|
||||
Patch515: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
|
||||
|
||||
|
@ -653,30 +650,13 @@ Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
|
|||
#CVE-2015-6937 rhbz 1263139 1263140
|
||||
Patch523: RDS-verify-the-underlying-transport-exists-before-cr.patch
|
||||
|
||||
#rhbz 1263762
|
||||
Patch526: 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch
|
||||
|
||||
#CVE-2015-5257 rhbz 1265607 1265612
|
||||
Patch527: USB-whiteheat-fix-potential-null-deref-at-probe.patch
|
||||
|
||||
#CVE-2015-2925 rhbz 1209367 1209373
|
||||
Patch528: dcache-Handle-escaped-paths-in-prepend_path.patch
|
||||
Patch529: vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
|
||||
|
||||
#CVE-2015-7613 rhbz 1268270 1268273
|
||||
Patch532: Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
||||
|
||||
#rhbz 1266691
|
||||
Patch534: inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch
|
||||
Patch535: inet-fix-race-in-reqsk_queue_unlink.patch
|
||||
|
||||
#rhbz 1265978
|
||||
Patch536: si2168-Bounds-check-firmware.patch
|
||||
Patch537: si2157-Bounds-check-firmware.patch
|
||||
|
||||
#rhbz 1268037
|
||||
Patch538: ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
|
||||
|
||||
#CVE-2015-5156 rhbz 1243852 1266515
|
||||
Patch539: virtio-net-drop-NETIF_F_FRAGLIST.patch
|
||||
|
||||
|
@ -1430,9 +1410,6 @@ ApplyPatch iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch
|
|||
#CVE-2015-6666 rhbz 1256746 1256753
|
||||
ApplyPatch Revert-sched-x86_64-Don-t-save-flags-on-context-swit.patch
|
||||
|
||||
#rhbz 1256281
|
||||
ApplyPatch mmc-sdhci-fix-dma-memory-leak-in-sdhci_pre_req.patch
|
||||
|
||||
#rhbz 1257534
|
||||
ApplyPatch nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
|
||||
|
||||
|
@ -1443,30 +1420,13 @@ ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
|
|||
#CVE-2015-6937 rhbz 1263139 1263140
|
||||
ApplyPatch RDS-verify-the-underlying-transport-exists-before-cr.patch
|
||||
|
||||
#rhbz 1263762
|
||||
ApplyPatch 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch
|
||||
|
||||
#CVE-2015-5257 rhbz 1265607 1265612
|
||||
ApplyPatch USB-whiteheat-fix-potential-null-deref-at-probe.patch
|
||||
|
||||
#CVE-2015-2925 rhbz 1209367 1209373
|
||||
ApplyPatch dcache-Handle-escaped-paths-in-prepend_path.patch
|
||||
ApplyPatch vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch
|
||||
|
||||
#CVE-2015-7613 rhbz 1268270 1268273
|
||||
ApplyPatch Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
||||
|
||||
#rhbz 1266691
|
||||
ApplyPatch inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch
|
||||
ApplyPatch inet-fix-race-in-reqsk_queue_unlink.patch
|
||||
|
||||
#rhbz 1265978
|
||||
ApplyPatch si2168-Bounds-check-firmware.patch
|
||||
ApplyPatch si2157-Bounds-check-firmware.patch
|
||||
|
||||
#rhbz 1268037
|
||||
ApplyPatch ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
|
||||
|
||||
#CVE-2015-5156 rhbz 1243852 1266515
|
||||
ApplyPatch virtio-net-drop-NETIF_F_FRAGLIST.patch
|
||||
|
||||
|
@ -2333,6 +2293,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Oct 23 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.1.11
|
||||
- Linux v4.1.11
|
||||
|
||||
* Mon Oct 19 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix crash in key garbage collector when using request_key (rhbz 1272172)
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
fe9dc0f6729f36400ea81aa41d614c37 linux-4.1.tar.xz
|
||||
5b4d0e18c713a479a7b4c1aa53a7432b perf-man-4.1.tar.gz
|
||||
599cb082ef44d8fb76ad8fd49d1b50fc patch-4.1.10.xz
|
||||
46a403b167416719901565190298e680 patch-4.1.11.xz
|
||||
|
|
|
@ -1,121 +0,0 @@
|
|||
From 74038ebc44da6e3f9c918f2525f9111e10c8efc2 Mon Sep 17 00:00:00 2001
|
||||
From: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Date: Sat, 15 Aug 2015 20:27:13 -0500
|
||||
Subject: [PATCH 2/2] vfs: Test for and handle paths that are unreachable from
|
||||
their mnt_root
|
||||
|
||||
commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream.
|
||||
|
||||
In rare cases a directory can be renamed out from under a bind mount.
|
||||
In those cases without special handling it becomes possible to walk up
|
||||
the directory tree to the root dentry of the filesystem and down
|
||||
from the root dentry to every other file or directory on the filesystem.
|
||||
|
||||
Like division by zero .. from an unconnected path can not be given
|
||||
a useful semantic as there is no predicting at which path component
|
||||
the code will realize it is unconnected. We certainly can not match
|
||||
the current behavior as the current behavior is a security hole.
|
||||
|
||||
Therefore when encounting .. when following an unconnected path
|
||||
return -ENOENT.
|
||||
|
||||
- Add a function path_connected to verify path->dentry is reachable
|
||||
from path->mnt.mnt_root. AKA to validate that rename did not do
|
||||
something nasty to the bind mount.
|
||||
|
||||
To avoid races path_connected must be called after following a path
|
||||
component to it's next path component.
|
||||
|
||||
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/namei.c | 31 ++++++++++++++++++++++++++++---
|
||||
1 file changed, 28 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/fs/namei.c b/fs/namei.c
|
||||
index fe30d3be43a8..acdab610521b 100644
|
||||
--- a/fs/namei.c
|
||||
+++ b/fs/namei.c
|
||||
@@ -505,6 +505,24 @@ struct nameidata {
|
||||
char *saved_names[MAX_NESTED_LINKS + 1];
|
||||
};
|
||||
|
||||
+/**
|
||||
+ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
|
||||
+ * @path: nameidate to verify
|
||||
+ *
|
||||
+ * Rename can sometimes move a file or directory outside of a bind
|
||||
+ * mount, path_connected allows those cases to be detected.
|
||||
+ */
|
||||
+static bool path_connected(const struct path *path)
|
||||
+{
|
||||
+ struct vfsmount *mnt = path->mnt;
|
||||
+
|
||||
+ /* Only bind mounts can have disconnected paths */
|
||||
+ if (mnt->mnt_root == mnt->mnt_sb->s_root)
|
||||
+ return true;
|
||||
+
|
||||
+ return is_subdir(path->dentry, mnt->mnt_root);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Path walking has 2 modes, rcu-walk and ref-walk (see
|
||||
* Documentation/filesystems/path-lookup.txt). In situations when we can't
|
||||
@@ -1194,6 +1212,8 @@ static int follow_dotdot_rcu(struct nameidata *nd)
|
||||
goto failed;
|
||||
nd->path.dentry = parent;
|
||||
nd->seq = seq;
|
||||
+ if (unlikely(!path_connected(&nd->path)))
|
||||
+ goto failed;
|
||||
break;
|
||||
}
|
||||
if (!follow_up_rcu(&nd->path))
|
||||
@@ -1290,7 +1310,7 @@ static void follow_mount(struct path *path)
|
||||
}
|
||||
}
|
||||
|
||||
-static void follow_dotdot(struct nameidata *nd)
|
||||
+static int follow_dotdot(struct nameidata *nd)
|
||||
{
|
||||
if (!nd->root.mnt)
|
||||
set_root(nd);
|
||||
@@ -1306,6 +1326,10 @@ static void follow_dotdot(struct nameidata *nd)
|
||||
/* rare case of legitimate dget_parent()... */
|
||||
nd->path.dentry = dget_parent(nd->path.dentry);
|
||||
dput(old);
|
||||
+ if (unlikely(!path_connected(&nd->path))) {
|
||||
+ path_put(&nd->path);
|
||||
+ return -ENOENT;
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
if (!follow_up(&nd->path))
|
||||
@@ -1313,6 +1337,7 @@ static void follow_dotdot(struct nameidata *nd)
|
||||
}
|
||||
follow_mount(&nd->path);
|
||||
nd->inode = nd->path.dentry->d_inode;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1541,7 +1566,7 @@ static inline int handle_dots(struct nameidata *nd, int type)
|
||||
if (follow_dotdot_rcu(nd))
|
||||
return -ECHILD;
|
||||
} else
|
||||
- follow_dotdot(nd);
|
||||
+ return follow_dotdot(nd);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
@@ -2290,7 +2315,7 @@ mountpoint_last(struct nameidata *nd, struct path *path)
|
||||
if (unlikely(nd->last_type != LAST_NORM)) {
|
||||
error = handle_dots(nd, nd->last_type);
|
||||
if (error)
|
||||
- goto out;
|
||||
+ return error;
|
||||
dentry = dget(nd->path.dentry);
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
2.4.3
|
||||
|
Loading…
Reference in New Issue