Linux v4.6-6148-g03b979d

- Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges
2016-05-20 11:23:45 -07:00 · 2016-05-20 11:23:45 -07:00 · 8a052bf240
parent e8f3f4f939
commit 8a052bf240
13 changed files with 37 additions and 177 deletions
--- a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
+++ b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
@ -1,33 +0,0 @@
-From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:44:07 -0400
-Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “tread” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 6469bedda2f3..964f5ebf495e 100644
--- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
- 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
- 		if (tu->tread) {
- 			struct snd_timer_tread tread;
-+			memset(&tread, 0, sizeof(tread));
- 			tread.event = SNDRV_TIMER_EVENT_EARLY;
- 			tread.tstamp.tv_sec = 0;
- 			tread.tstamp.tv_nsec = 0;
-- 
-2.5.5
-
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
@ -1,34 +0,0 @@
-From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:44:20 -0400
-Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
- snd_timer_user_ccallback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 964f5ebf495e..e98fa5feb731 100644
--- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
- 		tu->tstamp = *tstamp;
- 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
- 		return;
-+	memset(&r1, 0, sizeof(r1));
- 	r1.event = event;
- 	r1.tstamp = *tstamp;
- 	r1.val = resolution;
-- 
-2.5.5
-
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
@ -1,34 +0,0 @@
-From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:44:32 -0400
-Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
- snd_timer_user_tinterrupt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index e98fa5feb731..c69a27155433 100644
--- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
- 	}
- 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
- 	    tu->last_resolution != resolution) {
-+		memset(&r1, 0, sizeof(r1));
- 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
- 		r1.tstamp = tstamp;
- 		r1.val = resolution;
-- 
-2.5.5
-
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@ -1,4 +1,4 @@
-From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
+From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:36:28 -0400
 Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
@ -6,20 +6,21 @@ Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
 X.509 certificates are loaded into the specified keyring as asymmetric type
 keys.

+[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]
 Signed-off-by: David Howells <dhowells@redhat.com>
 ---
 crypto/asymmetric_keys/Kconfig      |   8 +++
 crypto/asymmetric_keys/Makefile     |   1 +
- crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
+ crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++
 include/linux/efi.h                 |   4 ++
- 4 files changed, 122 insertions(+)
+ 4 files changed, 121 insertions(+)
 create mode 100644 crypto/asymmetric_keys/efi_parser.c

 diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index 4870f28403f5..4a1b50d73b80 100644
+index e28e912..94024e8 100644
 --- a/crypto/asymmetric_keys/Kconfig
 +++ b/crypto/asymmetric_keys/Kconfig
-@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION
+@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
 	  This option provides support for verifying the signature(s) on a
 	  signed PE binary.
 
@ -33,10 +34,11 @@ index 4870f28403f5..4a1b50d73b80 100644
 +
 endif # ASYMMETRIC_KEY_TYPE
 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index cd1406f9b14a..d9db380bbe53 100644
+index 6516855..c099fe1 100644
 --- a/crypto/asymmetric_keys/Makefile
 +++ b/crypto/asymmetric_keys/Makefile
-@@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o
+@@ -10,6 +10,7 @@ asymmetric_keys-y := \
+ 	signature.o
 
 obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
 +obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
@ -45,10 +47,10 @@ index cd1406f9b14a..d9db380bbe53 100644
 # X.509 Certificate handling
 diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
 new file mode 100644
-index 000000000000..424896a0b169
+index 0000000..636feb1
 --- /dev/null
 +++ b/crypto/asymmetric_keys/efi_parser.c
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,108 @@
 +/* EFI signature/key/certificate list parser
 + *
 + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
@ -139,8 +141,7 @@ index 000000000000..424896a0b169
 +				esize - sizeof(*elem),
 +				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
 +				KEY_USR_VIEW,
-+				KEY_ALLOC_NOT_IN_QUOTA |
-+				KEY_ALLOC_TRUSTED);
+				KEY_ALLOC_NOT_IN_QUOTA);
 +
 +			if (IS_ERR(key))
 +				pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
@ -159,10 +160,10 @@ index 000000000000..424896a0b169
 +	return 0;
 +}
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index fac43c611614..414c3c3d988d 100644
+index b80227a..18443e3 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void);
+@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
 char * __init efi_md_typeattr_format(char *buf, size_t size,
 				     const efi_memory_desc_t *md);
 
@ -174,5 +175,5 @@ index fac43c611614..414c3c3d988d 100644
  * efi_range_is_wc - check the WC bit on an address range
  * @start: starting kvirt address
 -- 
-2.4.3
+2.5.5

--- a/KVM-MTRR-remove-MSR-0x2f8.patch
+++ b/KVM-MTRR-remove-MSR-0x2f8.patch
@ -1,49 +0,0 @@
-From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
-Date: Mon, 16 May 2016 09:45:35 -0400
-Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
-was introduced by 9ba075a664df ("KVM: MTRR support").
-
-0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
-size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
-which made access to index 124 out of bounds.  The surrounding code only
-WARNs in this situation, thus the guest gained a limited read/write
-access to struct kvm_arch_vcpu.
-
-0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
-MTRR MSRs, 0x200-0x20f.  Every VR MTRR is set up using two MSRs, 0x2f8
-was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
-not implemented in KVM, therefore 0x2f8 could never do anything useful
-and getting rid of it is safe.
-
-This fixes CVE-2016-TBD.
-
-Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
-Cc: stable@vger.kernel.org
-Reported-by: David Matlack <dmatlack@google.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
---
- arch/x86/kvm/mtrr.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
-index 3f8c732117ec..c146f3c262c3 100644
--- a/arch/x86/kvm/mtrr.c
-+++ b/arch/x86/kvm/mtrr.c
-@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
- 	case MSR_MTRRdefType:
- 	case MSR_IA32_CR_PAT:
- 		return true;
-	case 0x2f8:
-		return true;
- 	}
- 	return false;
- }
-- 
-2.5.5
-
--- a/3
+++ b/3
@ -547,3 +547,6 @@ CONFIG_CHECKPOINT_RESTORE=y

 # CONFIG_HW_RANDOM_HISI is not set
 # CONFIG_QRTR is not set
+
+# This Xilinx option is now built for arm64 as well as ARM
+CONFIG_XILINX_VDMA=m
--- a/1
+++ b/1
@ -587,7 +587,6 @@ CONFIG_SPI_CADENCE=m
 CONFIG_I2C_CADENCE=m
 CONFIG_XILINX_WATCHDOG=m
 CONFIG_XILINX_XADC=m
-CONFIG_XILINX_VDMA=m
 CONFIG_SND_SOC_ADI=m
 CONFIG_SND_SOC_ADI_AXI_I2S=m
 CONFIG_SND_SOC_ADI_AXI_SPDIF=m
--- a/1
+++ b/1
@ -461,6 +461,7 @@ CONFIG_RTC_DRV_ARMADA38X=m
 CONFIG_LEDS_NS2=m
 CONFIG_SERIAL_MVEBU_UART=y
 # CONFIG_SERIAL_MVEBU_CONSOLE is not set
+# CONFIG_PCIE_ARMADA_8K is not set

 # DRM panels
 CONFIG_DRM_PANEL=y
--- a/6
+++ b/6
@ -111,6 +111,7 @@ CONFIG_HOTPLUG_PCI=y
 # CONFIG_HOTPLUG_PCI_SHPC is not set
 CONFIG_HOTPLUG_PCI_PCIE=y
 # CONFIG_PCIE_DW_PLAT is not set
+CONFIG_PCIE_DPC=m

 # CONFIG_SGI_IOC4 is not set

@ -4935,6 +4936,7 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y
@ -5071,6 +5073,7 @@ CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_BIG_KEYS=y
 CONFIG_TRUSTED_KEYS=m
 CONFIG_ENCRYPTED_KEYS=m
+CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_CDROM_PKTCDVD=m
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
@ -5920,6 +5923,7 @@ CONFIG_MODULE_SIG_SHA256=y
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYS=""
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
 CONFIG_PKCS7_MESSAGE_PARSER=y
 # CONFIG_PKCS7_TEST_KEY is not set
 CONFIG_SIGNED_PE_FILE_VERIFICATION=y
@ -5955,3 +5959,5 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 # The kernel code has a nice comment
 # WARNING: Do not even assume this interface is staying stable!
 # CONFIG_MCE_AMD_INJ is not set
+
+# CONFIG_EZNPS_GIC is not set
--- a/1
+++ b/1
@ -575,6 +575,7 @@ CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH=m
 CONFIG_SND_SOC_INTEL_SKL_RT286_MACH=m
 CONFIG_SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH=m
 CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m
+CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m
 CONFIG_SND_SOC_AC97_CODEC=m
 # CONFIG_SND_SOC_TAS571X is not set
 # CONFIG_SND_SUN4I_CODEC is not set
--- a/2
+++ b/2
@ -1 +1 @@
-2600a46ee0ed57c0e0a382c2a37ebac64d374d20
+03b979dd0323ace8e29a0561cd5232f73a060c09
--- a/kernel.spec
+++ b/kernel.spec
@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 4
+%define gitrev 5
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@ -562,7 +562,10 @@ Patch487: Add-EFI-signature-data-types.patch

 Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch

-Patch489: KEYS-Add-a-system-blacklist-keyring.patch
+# This doesn't apply. It seems like it could be replaced by
+# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c
+# which has an explicit line about blacklisting
+# Patch489: KEYS-Add-a-system-blacklist-keyring.patch

 Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch

@ -606,14 +609,6 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 #CVE-2016-4482 rhbz 1332931 1332932
 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch

-#CVE-2016-4569 rhbz 1334643 1334645
-Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
-Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
-Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
-
-#CVE-2016-3713 rhbz 1332139 1336410
-Patch717: KVM-MTRR-remove-MSR-0x2f8.patch
-
 #CVE-2016-4440 rhbz 1337806 1337807
 Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch

@ -2142,6 +2137,10 @@ fi
 #
 # 
 %changelog
+* Fri May 20 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git5.1
+- Linux v4.6-6148-g03b979d
+- Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges
+
 * Fri May 20 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2016-4440 kvm: incorrect state leading to APIC register access (rhbz 1337806 1337807)

--- a/2
+++ b/2
@ -1,3 +1,3 @@
 d2927020e24a76da4ab482a8bc3e9ef3  linux-4.6.tar.xz
 fd23b14b9d474c3dfacb6e8ee82d3a51  perf-man-4.6.tar.gz
-be912d5f22aba6286ac2e205e2ce1202  patch-4.6-git4.xz
+9bcfe711504d6e532084a2c2cc610b73  patch-4.6-git5.xz