Linux v4.17.3

0001-media-uvcvideo-Prevent-setting-unavailable-flags.patch

@@ -1,65 +0,0 @@
-From 0dc68cabdb626e33d02561529e6a4c681b72a784 Mon Sep 17 00:00:00 2001
-From: Kieran Bingham <kieran.bingham@ideasonboard.com>
-Date: Wed, 21 Mar 2018 11:43:08 -0400
-Subject: [PATCH] media: uvcvideo: Prevent setting unavailable flags
-
-The addition of an extra operation to use the GET_INFO command
-overwrites all existing flags from the uvc_ctrls table. This includes
-setting all controls as supporting GET_MIN, GET_MAX, GET_RES, and
-GET_DEF regardless of whether they do or not.
-
-Move the initialisation of these control capabilities directly to the
-uvc_ctrl_fill_xu_info() call where they were originally located in that
-use case, and ensure that the new functionality in uvc_ctrl_get_flags()
-will only set flags based on their reported capability from the GET_INFO
-call.
-
-Fixes: 859086ae3636 ("media: uvcvideo: Apply flags from device to actual properties")
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
-Tested-by: Guennadi Liakhovetski <guennadi.liakhovetski@intel.com>
-Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
----
- drivers/media/usb/uvc/uvc_ctrl.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
-index 102594ec3e97..a36b4fb949fa 100644
---- a/drivers/media/usb/uvc/uvc_ctrl.c
-+++ b/drivers/media/usb/uvc/uvc_ctrl.c
-@@ -1607,14 +1607,12 @@ static int uvc_ctrl_get_flags(struct uvc_device *dev,
- 	ret = uvc_query_ctrl(dev, UVC_GET_INFO, ctrl->entity->id, dev->intfnum,
- 			     info->selector, data, 1);
- 	if (!ret)
--		info->flags = UVC_CTRL_FLAG_GET_MIN | UVC_CTRL_FLAG_GET_MAX
--			    | UVC_CTRL_FLAG_GET_RES | UVC_CTRL_FLAG_GET_DEF
--			    | (data[0] & UVC_CONTROL_CAP_GET ?
--			       UVC_CTRL_FLAG_GET_CUR : 0)
--			    | (data[0] & UVC_CONTROL_CAP_SET ?
--			       UVC_CTRL_FLAG_SET_CUR : 0)
--			    | (data[0] & UVC_CONTROL_CAP_AUTOUPDATE ?
--			       UVC_CTRL_FLAG_AUTO_UPDATE : 0);
-+		info->flags |= (data[0] & UVC_CONTROL_CAP_GET ?
-+				UVC_CTRL_FLAG_GET_CUR : 0)
-+			    |  (data[0] & UVC_CONTROL_CAP_SET ?
-+				UVC_CTRL_FLAG_SET_CUR : 0)
-+			    |  (data[0] & UVC_CONTROL_CAP_AUTOUPDATE ?
-+				UVC_CTRL_FLAG_AUTO_UPDATE : 0);
- 
- 	kfree(data);
- 	return ret;
-@@ -1689,6 +1687,9 @@ static int uvc_ctrl_fill_xu_info(struct uvc_device *dev,
- 
- 	info->size = le16_to_cpup((__le16 *)data);
- 
-+	info->flags = UVC_CTRL_FLAG_GET_MIN | UVC_CTRL_FLAG_GET_MAX
-+		    | UVC_CTRL_FLAG_GET_RES | UVC_CTRL_FLAG_GET_DEF;
-+
- 	ret = uvc_ctrl_get_flags(dev, ctrl, info);
- 	if (ret < 0) {
- 		uvc_trace(UVC_TRACE_CONTROL,
--- 
-2.17.1
-

0001-socket-close-race-condition-between-sock_close-and-s.patch

@@ -1,91 +0,0 @@
-From 6d8c50dcb029872b298eea68cc6209c866fd3e14 Mon Sep 17 00:00:00 2001
-From: Cong Wang <xiyou.wangcong@gmail.com>
-Date: Thu, 7 Jun 2018 13:39:49 -0700
-Subject: [PATCH] socket: close race condition between sock_close() and
- sockfs_setattr()
-
-fchownat() doesn't even hold refcnt of fd until it figures out
-fd is really needed (otherwise is ignored) and releases it after
-it resolves the path. This means sock_close() could race with
-sockfs_setattr(), which leads to a NULL pointer dereference
-since typically we set sock->sk to NULL in ->release().
-
-As pointed out by Al, this is unique to sockfs. So we can fix this
-in socket layer by acquiring inode_lock in sock_close() and
-checking against NULL in sockfs_setattr().
-
-sock_release() is called in many places, only the sock_close()
-path matters here. And fortunately, this should not affect normal
-sock_close() as it is only called when the last fd refcnt is gone.
-It only affects sock_close() with a parallel sockfs_setattr() in
-progress, which is not common.
-
-Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
-Reported-by: shankarapailoor <shankarapailoor@gmail.com>
-Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
-Cc: Lorenzo Colitti <lorenzo@google.com>
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/socket.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/net/socket.c b/net/socket.c
-index af57d85bcb48..8a109012608a 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -541,7 +541,10 @@ static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
- 	if (!err && (iattr->ia_valid & ATTR_UID)) {
- 		struct socket *sock = SOCKET_I(d_inode(dentry));
-
--		sock->sk->sk_uid = iattr->ia_uid;
-+		if (sock->sk)
-+			sock->sk->sk_uid = iattr->ia_uid;
-+		else
-+			err = -ENOENT;
- 	}
-
- 	return err;
-@@ -590,12 +593,16 @@ EXPORT_SYMBOL(sock_alloc);
-  *	an inode not a file.
-  */
-
--void sock_release(struct socket *sock)
-+static void __sock_release(struct socket *sock, struct inode *inode)
- {
- 	if (sock->ops) {
- 		struct module *owner = sock->ops->owner;
-
-+		if (inode)
-+			inode_lock(inode);
- 		sock->ops->release(sock);
-+		if (inode)
-+			inode_unlock(inode);
- 		sock->ops = NULL;
- 		module_put(owner);
- 	}
-@@ -609,6 +616,11 @@ void sock_release(struct socket *sock)
- 	}
- 	sock->file = NULL;
- }
-+
-+void sock_release(struct socket *sock)
-+{
-+	__sock_release(sock, NULL);
-+}
- EXPORT_SYMBOL(sock_release);
-
- void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags)
-@@ -1171,7 +1183,7 @@ static int sock_mmap(struct file *file, struct vm_area_struct *vma)
-
- static int sock_close(struct inode *inode, struct file *filp)
- {
--	sock_release(SOCKET_I(inode));
-+	__sock_release(SOCKET_I(inode), inode);
- 	return 0;
- }
-
--- 
-2.17.1
-

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 2
+%define stable_update 3
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -633,9 +633,6 @@ Patch503: kexec-bzimage-verify-pe-signature-fix.patch
 # https://www.spinics.net/lists/linux-acpi/msg82405.html
 Patch504: mailbox-ACPI-erroneous-error-message-when-parsing-ACPI.patch
 
-# CVE-2018-12232 rhbz 1590215 1590216
-Patch506: 0001-socket-close-race-condition-between-sock_close-and-s.patch
-
 # https://www.spinics.net/lists/platform-driver-x86/msg15719.html
 Patch507: platform-x86-dell-laptop-Fix-keyboard-backlight-time.patch
 
@@ -654,9 +651,6 @@ Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch
 # CVE-2018-12633 rhbz 1594170 1594172
 Patch512: 0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
 
-# rhbz 1590304
-Patch513: 0001-media-uvcvideo-Prevent-setting-unavailable-flags.patch
-
 # rhbz 1592454
 Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
 
@@ -1912,6 +1906,9 @@ fi
 #
 #
 %changelog
+* Tue Jun 26 2018 Jeremy Cline <jcline@redhat.com> - 4.17.3-200
+- Linux v4.17.3
+
 * Mon Jun 25 2018 Laura Abbott <labbott@fedoraproject.org>
 - Some webcam fixes (rhbz 1592454 1590304)
 - Fix for armv7 siginfo ABI regression (rhbz 1591516)

sources

@@ -1,2 +1,2 @@
 SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
-SHA512 (patch-4.17.2.xz) = d85fc2637720c19320e82fa221e0e8e2b640d2b8c6faf4678f3902ca8a634a1e2cdcac1242628da9d9500921a41c6c8cec7371098533e5035034a1faa2373c65
+SHA512 (patch-4.17.3.xz) = c0b3dfb1c1d64edc74cb3b35a4d6160ccf80b5b58d19e5a11dde372ab515c350576f8981b3816e4e8689da38b792eb85b3ef46581d65d7c51c72943dea7409f4