From 8a052bf240d0b95d9c255ca9291a0669e5e28ac5 Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Fri, 20 May 2016 11:23:45 -0700 Subject: [PATCH] Linux v4.6-6148-g03b979d - Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges --- ...Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch | 33 ------------- ...eak-in-events-via-snd_timer_user_cca.patch | 34 ------------- ...eak-in-events-via-snd_timer_user_tin.patch | 34 ------------- ...signature-blob-parser-and-key-loader.patch | 29 +++++------ KVM-MTRR-remove-MSR-0x2f8.patch | 49 ------------------- config-arm-generic | 3 ++ config-armv7 | 1 - config-armv7-generic | 1 + config-generic | 6 +++ config-x86-generic | 1 + gitrev | 2 +- kernel.spec | 19 ++++--- sources | 2 +- 13 files changed, 37 insertions(+), 177 deletions(-) delete mode 100644 ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch delete mode 100644 ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch delete mode 100644 ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch delete mode 100644 KVM-MTRR-remove-MSR-0x2f8.patch diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch deleted file mode 100644 index 3eb8bf183..000000000 --- a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:44:07 -0400
-Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “tread” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 6469bedda2f3..964f5ebf495e 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
- if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
- if (tu->tread) {
- struct snd_timer_tread tread;
-+ memset(&tread, 0, sizeof(tread));
- tread.event = SNDRV_TIMER_EVENT_EARLY;
- tread.tstamp.tv_sec = 0;
- tread.tstamp.tv_nsec = 0;
---
-2.5.5
-
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
deleted file mode 100644
index e6f46f8a8..000000000
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:44:20 -0400
-Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
- snd_timer_user_ccallback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 964f5ebf495e..e98fa5feb731 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
- tu->tstamp = *tstamp;
- if ((tu->filter & (1 << event)) == 0 || !tu->tread)
- return;
-+ memset(&r1, 0, sizeof(r1));
- r1.event = event;
- r1.tstamp = *tstamp;
- r1.val = resolution;
---
-2.5.5
-
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
deleted file mode 100644
index 7851c55a2..000000000
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:44:32 -0400
-Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
- snd_timer_user_tinterrupt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index e98fa5feb731..c69a27155433 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
- }
- if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
- tu->last_resolution != resolution) {
-+ memset(&r1, 0, sizeof(r1));
- r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
- r1.tstamp = tstamp;
- r1.val = resolution;
---
-2.5.5
-
diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
index 86a285581..78f482b39 100644
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@@ -1,4 +1,4 @@
-From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
+From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001
 From: Dave Howells
 Date: Tue, 23 Oct 2012 09:36:28 -0400
 Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
@@ -6,20 +6,21 @@ Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys.
+[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]
Signed-off-by: David Howells --- crypto/asymmetric_keys/Kconfig | 8 +++ crypto/asymmetric_keys/Makefile | 1 + - crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++ + crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++ include/linux/efi.h | 4 ++ - 4 files changed, 122 insertions(+) + 4 files changed, 121 insertions(+) create mode 100644 crypto/asymmetric_keys/efi_parser.c diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig -index 4870f28403f5..4a1b50d73b80 100644 +index e28e912..94024e8 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig -@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION +@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. @@ -33,10 +34,11 @@ index 4870f28403f5..4a1b50d73b80 100644 + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile -index cd1406f9b14a..d9db380bbe53 100644 +index 6516855..c099fe1 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile -@@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o +@@ -10,6 +10,7 @@ asymmetric_keys-y := \ + signature.o obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o +obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o @@ -45,10 +47,10 @@ index cd1406f9b14a..d9db380bbe53 100644 # X.509 Certificate handling diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c new file mode 100644 -index 000000000000..424896a0b169 +index 0000000..636feb1 --- /dev/null +++ b/crypto/asymmetric_keys/efi_parser.c -@@ -0,0 +1,109 @@ +@@ -0,0 +1,108 @@ +/* EFI signature/key/certificate list parser + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 
@@ -139,8 +141,7 @@ index 000000000000..424896a0b169 + esize - sizeof(*elem), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW, -+ KEY_ALLOC_NOT_IN_QUOTA | -+ KEY_ALLOC_TRUSTED); ++ KEY_ALLOC_NOT_IN_QUOTA); + + if (IS_ERR(key)) + pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", @@ -159,10 +160,10 @@ index 000000000000..424896a0b169 + return 0; +} diff --git a/include/linux/efi.h b/include/linux/efi.h -index fac43c611614..414c3c3d988d 100644 +index b80227a..18443e3 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void); +@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm, char * __init efi_md_typeattr_format(char *buf, size_t size, const efi_memory_desc_t *md); @@ -174,5 +175,5 @@ index fac43c611614..414c3c3d988d 100644 * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address -- -2.4.3 +2.5.5 diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch deleted file mode 100644 index 8066b2e8f..000000000 --- a/KVM-MTRR-remove-MSR-0x2f8.patch +++ /dev/null 
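Review bot: Dropping `KEY_ALLOC_TRUSTED` from the `key_create_or_update()` call in the `@@ -139,8 +141,7` hunk of the EFI parser patch changes how certificates parsed from an EFI signature list are treated, and the only record of it is the one-line tag `[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]`. With only `KEY_ALLOC_NOT_IN_QUOTA` left, acceptance of these keys presumably depends on whatever link restriction the destination keyring carries, which is not visible here: firmware-supplied certificates may now be refused at link time, or they may be added with nothing marking them as vetted. I would extend the tag to say which outcome is intended, for example `[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED, gone upstream; trust is now decided by the target keyring's restriction]`, and check the caller's keyring against that intent. The enclosing function starts and ends outside this hunk.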
@@ -1,49 +0,0 @@
-From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?=
-Date: Mon, 16 May 2016 09:45:35 -0400
-Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
-was introduced by 9ba075a664df ("KVM: MTRR support").
-
-0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
-size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
-which made access to index 124 out of bounds. The surrounding code only
-WARNs in this situation, thus the guest gained a limited read/write
-access to struct kvm_arch_vcpu.
-
-0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
-MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
-was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
-not implemented in KVM, therefore 0x2f8 could never do anything useful
-and getting rid of it is safe.
-
-This fixes CVE-2016-TBD.
-
-Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
-Cc: stable@vger.kernel.org
-Reported-by: David Matlack
-Signed-off-by: Radim Krčmář
----
- arch/x86/kvm/mtrr.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
-index 3f8c732117ec..c146f3c262c3 100644
---- a/arch/x86/kvm/mtrr.c
-+++ b/arch/x86/kvm/mtrr.c
-@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
- case MSR_MTRRdefType:
- case MSR_IA32_CR_PAT:
- return true;
-- case 0x2f8:
-- return true;
- }
- return false;
- }
---
-2.5.5
-
diff --git a/config-arm-generic b/config-arm-generic
index 1963d5ee3..2b71fa092 100644
--- a/config-arm-generic
+++ b/config-arm-generic
@@ -547,3 +547,6 @@ CONFIG_CHECKPOINT_RESTORE=y # CONFIG_HW_RANDOM_HISI is not set # CONFIG_QRTR is not set + +# This Xilinx option is now built for arm64 as well as ARM +CONFIG_XILINX_VDMA=m diff --git a/config-armv7 b/config-armv7 index 755cefa99..d2191cee9 100644 --- a/config-armv7 +++ b/config-armv7 @@ -587,7 +587,6 @@ CONFIG_SPI_CADENCE=m CONFIG_I2C_CADENCE=m CONFIG_XILINX_WATCHDOG=m CONFIG_XILINX_XADC=m -CONFIG_XILINX_VDMA=m CONFIG_SND_SOC_ADI=m CONFIG_SND_SOC_ADI_AXI_I2S=m CONFIG_SND_SOC_ADI_AXI_SPDIF=m diff --git a/config-armv7-generic b/config-armv7-generic index ea045c1c3..0b99be151 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -461,6 +461,7 @@ CONFIG_RTC_DRV_ARMADA38X=m CONFIG_LEDS_NS2=m CONFIG_SERIAL_MVEBU_UART=y # CONFIG_SERIAL_MVEBU_CONSOLE is not set +# CONFIG_PCIE_ARMADA_8K is not set # DRM panels CONFIG_DRM_PANEL=y diff --git a/config-generic b/config-generic index 8030ba4f4..9601b58d2 100644 --- a/config-generic +++ b/config-generic @@ -111,6 +111,7 @@ CONFIG_HOTPLUG_PCI=y # CONFIG_HOTPLUG_PCI_SHPC is not set CONFIG_HOTPLUG_PCI_PCIE=y # CONFIG_PCIE_DW_PLAT is not set +CONFIG_PCIE_DPC=m # CONFIG_SGI_IOC4 is not set @@ -4935,6 +4936,7 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set +# CONFIG_SECURITY_LOADPIN is not set CONFIG_SECURITY_YAMA=y CONFIG_AUDIT=y CONFIG_AUDITSYSCALL=y @@ -5071,6 +5073,7 @@ CONFIG_PERSISTENT_KEYRINGS=y CONFIG_BIG_KEYS=y CONFIG_TRUSTED_KEYS=m CONFIG_ENCRYPTED_KEYS=m +CONFIG_KEY_DH_OPERATIONS=y CONFIG_CDROM_PKTCDVD=m CONFIG_CDROM_PKTCDVD_BUFFERS=8 # CONFIG_CDROM_PKTCDVD_WCACHE is not set @@ -5920,6 +5923,7 @@ CONFIG_MODULE_SIG_SHA256=y CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_SYSTEM_TRUSTED_KEYS="" # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +CONFIG_SECONDARY_TRUSTED_KEYRING=y CONFIG_PKCS7_MESSAGE_PARSER=y # CONFIG_PKCS7_TEST_KEY is not set CONFIG_SIGNED_PE_FILE_VERIFICATION=y 
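Review bot: `CONFIG_SECONDARY_TRUSTED_KEYRING=y` in the `@@ -5920,6 +5923,7` hunk of config-generic widens what the kernel will trust at run time, and nothing in the commit records that as a deliberate choice. As far as I know, this option provides a keyring that accepts new keys after boot when they are vouched for by a key already in the built-in or secondary keyring, so the set of trust anchors is no longer fixed at build time. The same gap applies to `# CONFIG_SECURITY_LOADPIN is not set` (`@@ -4935,6 +4936,7`) and `CONFIG_KEY_DH_OPERATIONS=y` (`@@ -5071,6 +5073,7`), two further new security-relevant options answered without comment. I would put a line above the option, such as `# Secondary keyring: run-time additions must chain to a built-in key`, and name the three choices in the changelog entry.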
@@ -5955,3 +5959,5 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y # The kernel code has a nice comment # WARNING: Do not even assume this interface is staying stable! # CONFIG_MCE_AMD_INJ is not set + +# CONFIG_EZNPS_GIC is not set diff --git a/config-x86-generic b/config-x86-generic index 328f40020..5418ee7ab 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -575,6 +575,7 @@ CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH=m CONFIG_SND_SOC_INTEL_SKL_RT286_MACH=m CONFIG_SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH=m CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m +CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m CONFIG_SND_SOC_AC97_CODEC=m # CONFIG_SND_SOC_TAS571X is not set # CONFIG_SND_SUN4I_CODEC is not set diff --git a/gitrev b/gitrev index 3b79c3867..3ddae4b99 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -2600a46ee0ed57c0e0a382c2a37ebac64d374d20 +03b979dd0323ace8e29a0561cd5232f73a060c09 diff --git a/kernel.spec b/kernel.spec index 0e0988151..2fcb59930 100644 --- a/kernel.spec +++ b/kernel.spec @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 4 +%define gitrev 5 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -562,7 +562,10 @@ Patch487: Add-EFI-signature-data-types.patch Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch -Patch489: KEYS-Add-a-system-blacklist-keyring.patch +# This doesn't apply. It seems like it could be replaced by +# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c +# which has an explicit line about blacklisting +# Patch489: KEYS-Add-a-system-blacklist-keyring.patch Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch 
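Review bot: Commenting out `Patch489: KEYS-Add-a-system-blacklist-keyring.patch` in the `@@ -562,7 +562,10` hunk of kernel.spec removes the blacklist keyring from the build while the pieces that appear to depend on it stay in place. `Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch` is still applied on the next line and config-generic still carries `CONFIG_SYSTEM_BLACKLIST_KEYRING=y` (visible as hunk context in this commit). If Patch490 loads revoked entries into that keyring, which the pairing suggests but the page does not show, those revocations would no longer be enforced. The new comment only says the upstream commit "could" replace it; I would record the present state instead, for example `# FIXME: no system blacklist keyring in this build; revocation list is not enforced until reworked on 5ac7eace2d00`, and mention it in the changelog.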
@@ -606,14 +609,6 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch #CVE-2016-4482 rhbz 1332931 1332932 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch -#CVE-2016-4569 rhbz 1334643 1334645 -Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch -Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch -Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch - -#CVE-2016-3713 rhbz 1332139 1336410 -Patch717: KVM-MTRR-remove-MSR-0x2f8.patch - #CVE-2016-4440 rhbz 1337806 1337807 Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch @@ -2142,6 +2137,10 @@ fi # # %changelog +* Fri May 20 2016 Laura Abbott - 4.7.0-0.rc0.git5.1 +- Linux v4.6-6148-g03b979d +- Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges + * Fri May 20 2016 Josh Boyer - CVE-2016-4440 kvm: incorrect state leading to APIC register access (rhbz 1337806 1337807) diff --git a/sources b/sources index ab2baebf7..89eacce1f 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz -be912d5f22aba6286ac2e205e2ce1202 patch-4.6-git4.xz +9bcfe711504d6e532084a2c2cc610b73 patch-4.6-git5.xz