Linux v4.13.16
This commit is contained in:
parent
1cf74e2eb3
commit
b79b0786b5
13
kernel.spec
13
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 15
|
||||
%define stable_update 16
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -640,8 +640,8 @@ Patch332: arm64-cavium-fixes.patch
|
|||
# CVE-2017-7477 rhbz 1445207 1445208
|
||||
Patch502: CVE-2017-7477.patch
|
||||
|
||||
# CVE-2017-15115 rhbz 1513346 1513345
|
||||
Patch503: sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
|
||||
# CVE-2017-16644 rhbz 1516273 1516274
|
||||
Patch503: media-hdpvr-Fix-an-error-handling-path-in-hdpvr_probe.patch
|
||||
|
||||
# 600 - Patches for improved Bay and Cherry Trail device support
|
||||
# Below patches are submitted upstream, awaiting review / merging
|
||||
|
@ -2283,6 +2283,13 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Nov 27 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.16-200
|
||||
- Linux v4.13.16
|
||||
- Fix CVE-2017-16649 (rhbz 1516267 1516274)
|
||||
- Fix CVE-2017-16650 (rhbz 1516265 1516274)
|
||||
- Fix CVE-2017-16644 (rhbz 1516273 1516274)
|
||||
- Fix CVE-2017-16647 (rhbz 1516270 1516274)
|
||||
|
||||
* Tue Nov 21 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix cursor issues with QXL (rhbz 1507931)
|
||||
|
||||
|
|
|
@ -0,0 +1,106 @@
|
|||
From patchwork Fri Sep 22 13:07:06 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [media] hdpvr: Fix an error handling path in hdpvr_probe()
|
||||
From: Arvind Yadav <arvind.yadav.cs@gmail.com>
|
||||
X-Patchwork-Id: 9966135
|
||||
Message-Id: <b5c06a8e071d38fc4b4df20b7f9c8fb25d5408fe.1506085151.git.arvind.yadav.cs@gmail.com>
|
||||
To: andreyknvl@google.com, hverkuil@xs4all.nl, mchehab@kernel.org,
|
||||
laurent.pinchart@ideasonboard.com, dvyukov@google.com,
|
||||
kcc@google.com, syzkaller@googlegroups.com
|
||||
Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
|
||||
Date: Fri, 22 Sep 2017 18:37:06 +0530
|
||||
|
||||
Here, hdpvr_register_videodev() is responsible for setup and
|
||||
register a video device. Also defining and initializing a worker.
|
||||
hdpvr_register_videodev() is calling by hdpvr_probe at last.
|
||||
So No need to flash any work here.
|
||||
Unregister v4l2, free buffers and memory. If hdpvr_probe() will fail.
|
||||
|
||||
Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Tested-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
---
|
||||
drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++++++++++++++-----------
|
||||
1 file changed, 15 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c
|
||||
index dbe29c6..1e8cbaf 100644
|
||||
--- a/drivers/media/usb/hdpvr/hdpvr-core.c
|
||||
+++ b/drivers/media/usb/hdpvr/hdpvr-core.c
|
||||
@@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interface *interface,
|
||||
/* register v4l2_device early so it can be used for printks */
|
||||
if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
|
||||
dev_err(&interface->dev, "v4l2_device_register failed\n");
|
||||
- goto error;
|
||||
+ goto error_free_dev;
|
||||
}
|
||||
|
||||
mutex_init(&dev->io_mutex);
|
||||
@@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interface *interface,
|
||||
dev->usbc_buf = kmalloc(64, GFP_KERNEL);
|
||||
if (!dev->usbc_buf) {
|
||||
v4l2_err(&dev->v4l2_dev, "Out of memory\n");
|
||||
- goto error;
|
||||
+ goto error_v4l2_unregister;
|
||||
}
|
||||
|
||||
init_waitqueue_head(&dev->wait_buffer);
|
||||
@@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interface *interface,
|
||||
}
|
||||
if (!dev->bulk_in_endpointAddr) {
|
||||
v4l2_err(&dev->v4l2_dev, "Could not find bulk-in endpoint\n");
|
||||
- goto error;
|
||||
+ goto error_put_usb;
|
||||
}
|
||||
|
||||
/* init the device */
|
||||
if (hdpvr_device_init(dev)) {
|
||||
v4l2_err(&dev->v4l2_dev, "device init failed\n");
|
||||
- goto error;
|
||||
+ goto error_put_usb;
|
||||
}
|
||||
|
||||
mutex_lock(&dev->io_mutex);
|
||||
@@ -353,7 +353,7 @@ static int hdpvr_probe(struct usb_interface *interface,
|
||||
mutex_unlock(&dev->io_mutex);
|
||||
v4l2_err(&dev->v4l2_dev,
|
||||
"allocating transfer buffers failed\n");
|
||||
- goto error;
|
||||
+ goto error_put_usb;
|
||||
}
|
||||
mutex_unlock(&dev->io_mutex);
|
||||
|
||||
@@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interface *interface,
|
||||
retval = hdpvr_register_i2c_adapter(dev);
|
||||
if (retval < 0) {
|
||||
v4l2_err(&dev->v4l2_dev, "i2c adapter register failed\n");
|
||||
- goto error;
|
||||
+ goto error_free_buffers;
|
||||
}
|
||||
|
||||
client = hdpvr_register_ir_rx_i2c(dev);
|
||||
@@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interface *interface,
|
||||
reg_fail:
|
||||
#if IS_ENABLED(CONFIG_I2C)
|
||||
i2c_del_adapter(&dev->i2c_adapter);
|
||||
+error_free_buffers:
|
||||
#endif
|
||||
+ hdpvr_free_buffers(dev);
|
||||
+error_put_usb:
|
||||
+ usb_put_dev(dev->udev);
|
||||
+ kfree(dev->usbc_buf);
|
||||
+error_v4l2_unregister:
|
||||
+ v4l2_device_unregister(&dev->v4l2_dev);
|
||||
+error_free_dev:
|
||||
+ kfree(dev);
|
||||
error:
|
||||
- if (dev) {
|
||||
- flush_work(&dev->worker);
|
||||
- /* this frees allocated memory */
|
||||
- hdpvr_delete(dev);
|
||||
- }
|
||||
return retval;
|
||||
}
|
||||
|
|
@ -1,62 +0,0 @@
|
|||
From df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 Mon Sep 17 00:00:00 2001
|
||||
From: Xin Long <lucien.xin@gmail.com>
|
||||
Date: Tue, 17 Oct 2017 23:26:10 +0800
|
||||
Subject: sctp: do not peel off an assoc from one netns to another one
|
||||
|
||||
Now when peeling off an association to the sock in another netns, all
|
||||
transports in this assoc are not to be rehashed and keep use the old
|
||||
key in hashtable.
|
||||
|
||||
As a transport uses sk->net as the hash key to insert into hashtable,
|
||||
it would miss removing these transports from hashtable due to the new
|
||||
netns when closing the sock and all transports are being freeed, then
|
||||
later an use-after-free issue could be caused when looking up an asoc
|
||||
and dereferencing those transports.
|
||||
|
||||
This is a very old issue since very beginning, ChunYu found it with
|
||||
syzkaller fuzz testing with this series:
|
||||
|
||||
socket$inet6_sctp()
|
||||
bind$inet6()
|
||||
sendto$inet6()
|
||||
unshare(0x40000000)
|
||||
getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
|
||||
getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
|
||||
|
||||
This patch is to block this call when peeling one assoc off from one
|
||||
netns to another one, so that the netns of all transport would not
|
||||
go out-sync with the key in hashtable.
|
||||
|
||||
Note that this patch didn't fix it by rehashing transports, as it's
|
||||
difficult to handle the situation when the tuple is already in use
|
||||
in the new netns. Besides, no one would like to peel off one assoc
|
||||
to another netns, considering ipaddrs, ifaces, etc. are usually
|
||||
different.
|
||||
|
||||
Reported-by: ChunYu Wang <chunwang@redhat.com>
|
||||
Signed-off-by: Xin Long <lucien.xin@gmail.com>
|
||||
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
||||
Acked-by: Neil Horman <nhorman@tuxdriver.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/sctp/socket.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
|
||||
index d4730ad..17841ab 100644
|
||||
--- a/net/sctp/socket.c
|
||||
+++ b/net/sctp/socket.c
|
||||
@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
|
||||
struct socket *sock;
|
||||
int err = 0;
|
||||
|
||||
+ /* Do not peel off from one netns to another one. */
|
||||
+ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!asoc)
|
||||
return -EINVAL;
|
||||
|
||||
--
|
||||
cgit v1.1
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2
|
||||
SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
|
||||
SHA512 (patch-4.13.15.xz) = 54e1d3b526984efe90a5c759b35ac849ac65525c977b3982ef32b0fbb83e73f1fca92d73c3ffb1f23643d9f72a3083eeb4edb54768b105138722434811f622c4
|
||||
SHA512 (patch-4.13.16.xz) = 6d9e6593477fb7aa663e6b9cdccb1d30df8d3bb3721b93afa9ddefce539d267bee062809dd6c50135ba113cf5220ef4b2799f25eca73c791ff59f4480189d211
|
||||
|
|
Loading…
Reference in New Issue