rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v3.18.9

This commit is contained in:
Justin M. Forbes 2015-03-09 09:39:46 -05:00
parent ac91ae055e
commit ae3c9b8089
6 changed files with 6 additions and 321 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch
View File

@ -1,46 +0,0 @@
From 1079a4c2288cf33c13d2c6ca3e07d4039b1f39f0 Mon Sep 17 00:00:00 2001
From: John Stultz <john.stultz@linaro.org>
Date: Mon, 2 Feb 2015 10:57:56 -0800
Subject: [PATCH] ntp: Fixup adjtimex freq validation on 32bit systems
Additional validation of adjtimex freq values to avoid
potential multiplication overflows were added in commit
5e5aeb4367b (time: adjtimex: Validate the ADJ_FREQUENCY values)
Unfortunately the patch used LONG_MAX/MIN instead of
LLONG_MAX/MIN, which was fine on 64bit systems, but caused
false positives on 32bit systems resulting in most direct
frequency adjustments to fail w/ EINVAL.
ntpd only does driect frequency adjustments at startup,
so the issue was not easily observed there, but other sync
applications like ptpd and chrony were more effected by
the bug.
Cc: Sasha Levin <sasha.levin@oracle.com>
Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
Reported-by: George Joseph <george.joseph@fairview5.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
kernel/time/ntp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index 28bf91c..242774d 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -634,9 +634,9 @@ int ntp_validate_timex(struct timex *txc)
return -EPERM;
if (txc->modes & ADJ_FREQUENCY) {
- if (LONG_MIN / PPM_SCALE > txc->freq)
+ if (LLONG_MIN / PPM_SCALE > txc->freq)
return -EINVAL;
- if (LONG_MAX / PPM_SCALE < txc->freq)
+ if (LLONG_MAX / PPM_SCALE < txc->freq)
return -EINVAL;
}
--
1.9.1

104
ASLR-fix-stack-randomization-on-64-bit-systems.patch
View File

@ -1,104 +0,0 @@
From: Hector Marco-Gisbert <hecmargi@upv.es>
Date: Sat, 14 Feb 2015 09:33:50 -0800
Subject: [PATCH] ASLR: fix stack randomization on 64-bit systems
The issue is that the stack for processes is not properly randomized on 64 bit
architectures due to an integer overflow.
The affected function is randomize_stack_top() in file "fs/binfmt_elf.c":
static unsigned long randomize_stack_top(unsigned long stack_top)
{
unsigned int random_variable = 0;
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE)) {
random_variable = get_random_int() & STACK_RND_MASK;
random_variable <<= PAGE_SHIFT;
}
return PAGE_ALIGN(stack_top) + random_variable;
return PAGE_ALIGN(stack_top) - random_variable;
}
Note that, it declares the "random_variable" variable as "unsigned int". Since
the result of the shifting operation between STACK_RND_MASK (which is
0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
random_variable <<= PAGE_SHIFT;
then the two leftmost bits are dropped when storing the result in the
"random_variable". This variable shall be at least 34 bits long to hold the
(22+12) result.
These two dropped bits have an impact on the entropy of process stack.
Concretely, the total stack entropy is reduced by four: from 2^28 to 2^30 (One
fourth of expected entropy).
This patch restores back the entropy by correcting the types involved in the
operations in the functions randomize_stack_top() and stack_maxrandom_size().
The successful fix can be tested with:
$ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
...
Once corrected, the leading bytes should be between 7ffc and 7fff, rather
than always being 7fff.
CVE-2015-1593
Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll <iripoll@upv.es>
[kees: rebase, fix 80 char, clean up commit message, add test example, cve]
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
---
arch/x86/mm/mmap.c | 6 +++---
fs/binfmt_elf.c | 5 +++--
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 919b91205cd4..df4552bd239e 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_align = {
.flags = -1,
};
-static unsigned int stack_maxrandom_size(void)
+static unsigned long stack_maxrandom_size(void)
{
- unsigned int max = 0;
+ unsigned long max = 0;
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE)) {
- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
+ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
}
return max;
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index d8fc0605b9d2..e1efcaa1b245 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -554,11 +554,12 @@ out:
static unsigned long randomize_stack_top(unsigned long stack_top)
{
- unsigned int random_variable = 0;
+ unsigned long random_variable = 0;
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE)) {
- random_variable = get_random_int() & STACK_RND_MASK;
+ random_variable = (unsigned long) get_random_int();
+ random_variable &= STACK_RND_MASK;
random_variable <<= PAGE_SHIFT;
}
#ifdef CONFIG_STACK_GROWSUP
--
2.1.0

39
HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
View File

@ -1,39 +0,0 @@
From: Seth Forshee <seth.forshee () canonical ! com>
Date: Fri, 20 Feb 2015 17:45:11 -0500
Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input
events
d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
changed hid_get_input() to read ihid->bufsize bytes, which can be
more than wMaxInputLength. This is the case with the Dell XPS 13
9343, and it is causing events to be missed. In some cases the
missed events are releases, which can cause the cursor to jump or
freeze, among other problems. Limit the number of bytes read to
min(wMaxInputLength, ihid->bufsize) to prevent such problems.
Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
---
drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 80e33e0abc52..6d7c9c580ceb 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client)
static void i2c_hid_get_input(struct i2c_hid *ihid)
{
int ret, ret_size;
- int size = ihid->bufsize;
+ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
+
+ if (size > ihid->bufsize)
+ size = ihid->bufsize;
ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
if (ret != size) {
--
2.1.0

29
kernel.spec
View File

@ -42,7 +42,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 201
%global baserelease 200
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 8
%define stable_update 9
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@ -619,8 +619,6 @@ Patch26121: Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
Patch26126: uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
Patch26127: uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
#rhbz 1115713
Patch26129: samsung-laptop-Add-use_native_backlight-quirk-and-en.patch
#rhbz 1163574
Patch26130: acpi-video-Add-disable_native_backlight-quirk-for-De.patch
#rhbz 1094948
@ -632,15 +630,9 @@ Patch30000: kernel-arm64.patch
# Fix for big-endian arches, already upstream
Patch30001: mpssd-x86-only.patch
#rhbz 1188074
Patch30003: 0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch
#rhbz 1186097
Patch30004: acpi-video-add-disable_native_backlight_quirk_for_samsung_510r.patch
#CVE-2015-1593 rhbz 1192519 1192520
Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
#CVE-XXXX-XXXX rhbz 1189864 1192079
Patch26136: vhost-scsi-potential-memory-corruption.patch
@ -650,9 +642,6 @@ Patch26142: NFS-fix-clp-cl_revoked-list-deletion-causing-softloc.patch
#CVE-2015-0275 rhbz 1193907 1195178
Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
#rhbz 1188439
Patch26139: HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
#rhbz 1190947
Patch26141: Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
@ -1383,8 +1372,6 @@ ApplyPatch Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
ApplyPatch uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
ApplyPatch uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
#rhbz 1115713
ApplyPatch samsung-laptop-Add-use_native_backlight-quirk-and-en.patch
#rhbz 1163574
ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-De.patch
#rhbz 1094948
@ -1393,24 +1380,15 @@ ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-Sa.patch
# Fix for big-endian arches, already upstream
ApplyPatch mpssd-x86-only.patch
#rhbz 1188074
ApplyPatch 0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch
#rhbz 1186097
ApplyPatch acpi-video-add-disable_native_backlight_quirk_for_samsung_510r.patch
#CVE-2015-1593 rhbz 1192519 1192520
ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
#CVE-XXXX-XXXX rhbz 1189864 1192079
ApplyPatch vhost-scsi-potential-memory-corruption.patch
#CVE-2015-0275 rhbz 1193907 1195178
ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
#rhbz 1188439
ApplyPatch HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
#rhbz 1190947
ApplyPatch Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
@ -2287,6 +2265,9 @@ fi
# ||----w |
# || ||
%changelog
* Mon Mar 09 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.18.9-200
- Linux v3.18.9
* Mon Mar 02 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Add patch to fix nfsd soft lockup (rhbz 1185519)
- Enable ET131X driver (rhbz 1197842)

107
samsung-laptop-Add-use_native_backlight-quirk-and-en.patch
View File

@ -1,107 +0,0 @@
From: Hans de Goede <hdegoede@redhat.com>
Date: Fri, 9 Jan 2015 14:51:21 +0100
Subject: [PATCH] samsung-laptop: Add use_native_backlight quirk, and enable it
on some models
Since kernel 3.14 the backlight control has been broken on various Samsung
Atom based netbooks. This has been bisected and this problem happens since
commit b35684b8fa94 ("drm/i915: do full backlight setup at enable time")
This has been reported and discussed in detail here:
http://lists.freedesktop.org/archives/intel-gfx/2014-July/049395.html
Unfortunately no-one has been able to fix this. This only affects Samsung
Atom netbooks, and the Linux kernel and the BIOS of those laptops have never
worked well together. All affected laptops already have a quirk to avoid using
the standard acpi-video interface and instead use the samsung specific SABI
interface which samsung-laptop uses. It seems that recent fixes to the i915
driver have also broken backlight control through the SABI interface.
The intel_backlight driver OTOH works fine, and also allows for finer grained
backlight control. So add a new use_native_backlight quirk, and replace the
broken_acpi_video quirk with this quirk for affected models. This new quirk
disables acpi-video as before and also stops samsung-laptop from registering
the SABI based samsung_laptop backlight interface, leaving only the working
intel_backlight interface.
This commit enables this new quirk for 3 models which are known to be affected,
chances are that it needs to be used on other models too.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1094948 # N145P
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1115713 # N250P
Reported-by: Bertrik Sikken <bertrik@sikken.nl> # N150P
Cc: stable@vger.kernel.org # 3.16
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
drivers/platform/x86/samsung-laptop.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
index 864290243e46..477de0a9e1ee 100644
--- a/drivers/platform/x86/samsung-laptop.c
+++ b/drivers/platform/x86/samsung-laptop.c
@@ -353,6 +353,7 @@ struct samsung_quirks {
bool broken_acpi_video;
bool four_kbd_backlight_levels;
bool enable_kbd_backlight;
+ bool use_native_backlight;
};
static struct samsung_quirks samsung_unknown = {};
@@ -361,6 +362,10 @@ static struct samsung_quirks samsung_broken_acpi_video = {
.broken_acpi_video = true,
};
+static struct samsung_quirks samsung_use_native_backlight = {
+ .use_native_backlight = true,
+};
+
static struct samsung_quirks samsung_np740u3e = {
.four_kbd_backlight_levels = true,
.enable_kbd_backlight = true,
@@ -1507,7 +1512,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "N150P"),
DMI_MATCH(DMI_BOARD_NAME, "N150P"),
},
- .driver_data = &samsung_broken_acpi_video,
+ .driver_data = &samsung_use_native_backlight,
},
{
.callback = samsung_dmi_matched,
@@ -1517,7 +1522,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "N145P/N250P/N260P"),
DMI_MATCH(DMI_BOARD_NAME, "N145P/N250P/N260P"),
},
- .driver_data = &samsung_broken_acpi_video,
+ .driver_data = &samsung_use_native_backlight,
},
{
.callback = samsung_dmi_matched,
@@ -1557,7 +1562,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "N250P"),
DMI_MATCH(DMI_BOARD_NAME, "N250P"),
},
- .driver_data = &samsung_broken_acpi_video,
+ .driver_data = &samsung_use_native_backlight,
},
{
.callback = samsung_dmi_matched,
@@ -1626,6 +1631,15 @@ static int __init samsung_init(void)
pr_info("Disabling ACPI video driver\n");
acpi_video_unregister();
}
+
+ if (samsung->quirks->use_native_backlight) {
+ pr_info("Using native backlight driver\n");
+ /* Tell acpi-video to not handle the backlight */
+ acpi_video_dmi_promote_vendor();
+ acpi_video_unregister();
+ /* And also do not handle it ourselves */
+ samsung->handle_backlight = false;
+ }
#endif
ret = samsung_platform_init(samsung);
--
2.1.0

2
sources
View File

@ -1,3 +1,3 @@
9e854df51ca3fef8bfe566dbd7b89241 linux-3.18.tar.xz
813ccb96f0b379d656e57442c2587ca3 perf-man-3.18.tar.gz
b7bd36ce9f4bff165ee776e2b9263257 patch-3.18.8.xz
41077062d4b7beefd88d4df6e598e376 patch-3.18.9.xz