From bf1d35cfe8b31cbac09a036ab36cd742b63031f1 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Fri, 24 Jun 2016 14:01:12 -0400
Subject: [PATCH] Linux v4.6.3
---
 ...-not-preserve-framebuffer-on-rmfb-v4.patch | 145 -----------------
 ...d-opening-files-without-mmap-handler.patch | 59 -------
 kernel.spec | 17 +-
 ...es-deal-with-bogus-nextoffset-values.patch | 150 ------------------
 ...-prevent-stacking-filesystems-on-top.patch | 41 -----
 sched-panic-on-corrupted-stack-end.patch | 36 -----
 sources | 2 +-
 ...ock-before-parsing-nested-attributes.patch | 36 -----
 8 files changed, 5 insertions(+), 481 deletions(-)
 delete mode 100644 0006-drm-core-Do-not-preserve-framebuffer-on-rmfb-v4.patch
 delete mode 100644 ecryptfs-forbid-opening-files-without-mmap-handler.patch
 delete mode 100644 netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 delete mode 100644 proc-prevent-stacking-filesystems-on-top.patch
 delete mode 100644 sched-panic-on-corrupted-stack-end.patch
 delete mode 100644 tipc-check-nl-sock-before-parsing-nested-attributes.patch
diff --git a/0006-drm-core-Do-not-preserve-framebuffer-on-rmfb-v4.patch b/0006-drm-core-Do-not-preserve-framebuffer-on-rmfb-v4.patch
deleted file mode 100644
index 81936aca1..000000000
--- a/0006-drm-core-Do-not-preserve-framebuffer-on-rmfb-v4.patch
+++ /dev/null
@@ -1,145 +0,0 @@ -From b87459ac92803eafc8dd9f8a8ccc36190fe427f1 Mon Sep 17 00:00:00 2001 -From: Maarten Lankhorst -Date: Wed, 4 May 2016 14:38:26 +0200 -Subject: [PATCH 6/6] drm/core: Do not preserve framebuffer on rmfb, v4. - -Upstream since: 4.7-rc1 -commit f2d580b9a8149735cbc4b59c4a8df60173658140 - -It turns out that preserving framebuffers after the rmfb call breaks -vmwgfx userspace. This was originally introduced because it was thought -nobody relied on the behavior, but unfortunately it seems there are -exceptions. - -drm_framebuffer_remove may fail with -EINTR now, so a straight revert -is impossible. There is no way to remove the framebuffer from the lists -and active planes without introducing a race because of the different -locking requirements. Instead call drm_framebuffer_remove from a -workqueue, which is unaffected by signals. - -Changes since v1: -- Add comment. -Changes since v2: -- Add fastpath for refcount = 1. (danvet) -Changes since v3: -- Rebased. -- Restore lastclose framebuffer removal too. 
- -Cc: stable@vger.kernel.org #v4.4+ -Fixes: 13803132818c ("drm/core: Preserve the framebuffer after removing it.") -Testcase: kms_rmfb_basic -References: https://lists.freedesktop.org/archives/dri-devel/2016-March/102876.html -Cc: Thomas Hellstrom -Cc: David Herrmann -Reviewed-by: Daniel Vetter -Tested-by: Thomas Hellstrom #v3 -Tested-by: Tvrtko Ursulin -Signed-off-by: Daniel Vetter -Link: http://patchwork.freedesktop.org/patch/msgid/6c63ca37-0e7e-ac7f-a6d2-c7822e3d611f@linux.intel.com ---- - drivers/gpu/drm/drm_crtc.c | 60 ++++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 55 insertions(+), 5 deletions(-) - -diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c -index e08f962..f30de80 100644 ---- a/drivers/gpu/drm/drm_crtc.c -+++ b/drivers/gpu/drm/drm_crtc.c -@@ -3434,6 +3434,24 @@ int drm_mode_addfb2(struct drm_device *dev, - return 0; - } - -+struct drm_mode_rmfb_work { -+ struct work_struct work; -+ struct list_head fbs; -+}; -+ -+static void drm_mode_rmfb_work_fn(struct work_struct *w) -+{ -+ struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work); -+ -+ while (!list_empty(&arg->fbs)) { -+ struct drm_framebuffer *fb = -+ list_first_entry(&arg->fbs, typeof(*fb), filp_head); -+ -+ list_del_init(&fb->filp_head); -+ drm_framebuffer_remove(fb); -+ } -+} -+ - /** - * drm_mode_rmfb - remove an FB from the configuration - * @dev: drm device for the ioctl -@@ -3474,7 +3492,25 @@ int drm_mode_rmfb(struct drm_device *dev, - mutex_unlock(&dev->mode_config.fb_lock); - mutex_unlock(&file_priv->fbs_lock); - -- drm_framebuffer_unreference(fb); -+ /* -+ * we now own the reference that was stored in the fbs list -+ * -+ * drm_framebuffer_remove may fail with -EINTR on pending signals, -+ * so run this in a separate stack as there's no way to correctly -+ * handle this after the fb is already removed from the lookup table. 
-+ */ -+ if (atomic_read(&fb->refcount.refcount) > 1) { -+ struct drm_mode_rmfb_work arg; -+ -+ INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); -+ INIT_LIST_HEAD(&arg.fbs); -+ list_add_tail(&fb->filp_head, &arg.fbs); -+ -+ schedule_work(&arg.work); -+ flush_work(&arg.work); -+ destroy_work_on_stack(&arg.work); -+ } else -+ drm_framebuffer_unreference(fb); - - return 0; - -@@ -3627,7 +3663,6 @@ out_err1: - return ret; - } - -- - /** - * drm_fb_release - remove and free the FBs on this file - * @priv: drm file for the ioctl -@@ -3642,6 +3677,9 @@ out_err1: - void drm_fb_release(struct drm_file *priv) - { - struct drm_framebuffer *fb, *tfb; -+ struct drm_mode_rmfb_work arg; -+ -+ INIT_LIST_HEAD(&arg.fbs); - - /* - * When the file gets released that means no one else can access the fb -@@ -3654,10 +3692,22 @@ void drm_fb_release(struct drm_file *priv) - * at it any more. - */ - list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) { -- list_del_init(&fb->filp_head); -+ if (atomic_read(&fb->refcount.refcount) > 1) { -+ list_move_tail(&fb->filp_head, &arg.fbs); -+ } else { -+ list_del_init(&fb->filp_head); - -- /* This drops the fpriv->fbs reference. */ -- drm_framebuffer_unreference(fb); -+ /* This drops the fpriv->fbs reference. */ -+ drm_framebuffer_unreference(fb); -+ } -+ } -+ -+ if (!list_empty(&arg.fbs)) { -+ INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); -+ -+ schedule_work(&arg.work); -+ flush_work(&arg.work); -+ destroy_work_on_stack(&arg.work); - } - } - --- -2.7.4 - diff --git a/ecryptfs-forbid-opening-files-without-mmap-handler.patch b/ecryptfs-forbid-opening-files-without-mmap-handler.patch deleted file mode 100644 index 2d40e68ed..000000000 --- a/ecryptfs-forbid-opening-files-without-mmap-handler.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 2f36db71009304b3f0b95afacd8eba1f9f046b87 Mon Sep 17 00:00:00 2001 -From: Jann Horn -Date: Wed, 1 Jun 2016 11:55:06 +0200 -Subject: [PATCH] ecryptfs: forbid opening files without mmap handler - -This prevents users from triggering a stack overflow through a recursive -invocation of pagefault handling that involves mapping procfs files into -virtual memory. - -Signed-off-by: Jann Horn -Acked-by: Tyler Hicks -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds ---- - fs/ecryptfs/kthread.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c -index 866bb18efefe..e818f5ac7a26 100644 ---- a/fs/ecryptfs/kthread.c -+++ b/fs/ecryptfs/kthread.c -@@ -25,6 +25,7 @@ - #include - #include - #include -+#include - #include "ecryptfs_kernel.h" - - struct ecryptfs_open_req { -@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file, - flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR; - (*lower_file) = dentry_open(&req.path, flags, cred); - if (!IS_ERR(*lower_file)) -- goto out; -+ goto have_file; - if ((flags & O_ACCMODE) == O_RDONLY) { - rc = PTR_ERR((*lower_file)); - goto out; -@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file, - mutex_unlock(&ecryptfs_kthread_ctl.mux); - wake_up(&ecryptfs_kthread_ctl.wait); - wait_for_completion(&req.done); -- if (IS_ERR(*lower_file)) -+ if (IS_ERR(*lower_file)) { - rc = PTR_ERR(*lower_file); -+ goto out; -+ } -+have_file: -+ if ((*lower_file)->f_op->mmap == NULL) { -+ fput(*lower_file); -+ *lower_file = NULL; -+ rc = -EMEDIUMTYPE; -+ } - out: - return rc; - } --- -2.5.5 - diff --git a/kernel.spec b/kernel.spec index 20d3ee049..3525f7180 100644 --- a/kernel.spec +++ b/kernel.spec 
@@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -604,9 +604,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch #Required for some persistent memory options Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch -#CVE-2016-3134 rhbz 1317383 1317384 -Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch - #CVE-2016-4482 rhbz 1332931 1332932 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch @@ -618,20 +615,12 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch #CVE-2016-4440 rhbz 1337806 1337807 Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch -#CVE-2016-4951 rhbz 1338625 1338626 -Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch - #CVE-2016-5243 rhbz 1343338 1343335 Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch #CVE-2016-5244 rhbz 1343338 1343337 Patch722: rds-fix-an-infoleak-in-rds_inc_info_copy.txt -#CVE-2016-1583 rhbz 1344721 1344722 -Patch723: proc-prevent-stacking-filesystems-on-top.patch -Patch725: ecryptfs-forbid-opening-files-without-mmap-handler.patch -Patch726: sched-panic-on-corrupted-stack-end.patch - #CVE-2016-4470 rhbz 1341716 1346626 Patch727: KEYS-potential-uninitialized-variable.patch @@ -663,7 +652,6 @@ Patch822: 0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch Patch823: 0003-drm-nouveau-disp-sor-gf119-both-links-use-the-same-t.patch Patch824: 0004-drm-nouveau-disp-sor-gm107-training-pattern-register.patch Patch825: 0005-i915-fbc-Disable-on-HSW-by-default-for-now.patch -Patch826: 0006-drm-core-Do-not-preserve-framebuffer-on-rmfb-v4.patch # END OF PATCH DEFINITIONS 
@@ -2190,6 +2178,9 @@ fi # # %changelog +* Fri Jun 24 2016 Josh Boyer +- Linux v4.6.3 + * Tue Jun 21 2016 Peter Robinson - Update patch from 4.5 with missing bits for bcm238x support diff --git a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch deleted file mode 100644 index ebfe1716f..000000000 --- a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch +++ /dev/null 
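Review bot: The `%changelog` entry added in this hunk records only `- Linux v4.6.3`, while the earlier hunks of kernel.spec drop six backported patches, three of them filed under CVE ids in the removed comment lines (CVE-2016-3134, CVE-2016-4951 and CVE-2016-1583, the last one covering the proc, ecryptfs and sched patches grouped beneath it) plus the drm rmfb change. Nothing on the page states that the 4.6.3 stable update carries those fixes, which is presumably the reason for dropping them, so the mapping from CVE to shipped fix is no longer recoverable from the spec or its changelog. A second changelog line such as `- Drop CVE-2016-3134, CVE-2016-4951 and CVE-2016-1583 patches, now in stable` would keep that history auditable, and the rhbz numbers from the removed comment lines could be carried along with it.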
@@ -1,150 +0,0 @@ -Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values -From: Florian Westphal -Date: 2016-03-10 0:56:02 - -Ben Hawkes says: - - In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it - is possible for a user-supplied ipt_entry structure to have a large - next_offset field. This field is not bounds checked prior to writing a - counter value at the supplied offset. - -Problem is that xt_entry_foreach() macro stops iterating once e->next_offset -is out of bounds, assuming this is the last entry. - -With malformed data thats not necessarily the case so we can -write outside of allocated area later as we might not have walked the -entire blob. - -Fix this by simplifying mark_source_chains -- it already has to check -if nextoff is in range to catch invalid jumps, so just do the check -when we move to a next entry as well. - -Signed-off-by: Florian Westphal ---- - net/ipv4/netfilter/arp_tables.c | 16 ++++++++-------- - net/ipv4/netfilter/ip_tables.c | 15 ++++++++------- - net/ipv6/netfilter/ip6_tables.c | 13 ++++++------- - 3 files changed, 22 insertions(+), 22 deletions(-) - -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index b488cac..5a0b591 100644 ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - - /* Move along one */ - size = e->next_offset; -+ -+ if (pos + size > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct arpt_entry *) - (entry0 + pos + size); - e->counters.pcnt = pos; -@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - if (strcmp(t->target.u.user.name, - XT_STANDARD_TARGET) == 0 && - newpos >= 0) { -- if (newpos > newinfo->size - -- sizeof(struct arpt_entry)) { -- duprintf("mark_source_chains: " -- "bad verdict (%i)\n", -- newpos); -- return 0; -- } -- - /* This a jump; chase it. 
*/ - duprintf("Jump rule %u -> %u\n", - pos, newpos); -@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - /* ... this is a fallthru */ - newpos = pos + e->next_offset; - } -+ -+ if (newpos > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct arpt_entry *) - (entry0 + newpos); - e->counters.pcnt = pos; -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index b99affa..ceb995f 100644 ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - - /* Move along one */ - size = e->next_offset; -+ -+ if (pos + size > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct ipt_entry *) - (entry0 + pos + size); - e->counters.pcnt = pos; -@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo, - if (strcmp(t->target.u.user.name, - XT_STANDARD_TARGET) == 0 && - newpos >= 0) { -- if (newpos > newinfo->size - -- sizeof(struct ipt_entry)) { -- duprintf("mark_source_chains: " -- "bad verdict (%i)\n", -- newpos); -- return 0; -- } - /* This a jump; chase it. */ - duprintf("Jump rule %u -> %u\n", - pos, newpos); -@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - /* ... 
this is a fallthru */ - newpos = pos + e->next_offset; - } -+ -+ if (newpos > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct ipt_entry *) - (entry0 + newpos); - e->counters.pcnt = pos; -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index 99425cf..d88a794 100644 ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - - /* Move along one */ - size = e->next_offset; -+ if (pos + size > newinfo->size - sizeof(*e)) -+ return 0; - e = (struct ip6t_entry *) - (entry0 + pos + size); - e->counters.pcnt = pos; -@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo, - if (strcmp(t->target.u.user.name, - XT_STANDARD_TARGET) == 0 && - newpos >= 0) { -- if (newpos > newinfo->size - -- sizeof(struct ip6t_entry)) { -- duprintf("mark_source_chains: " -- "bad verdict (%i)\n", -- newpos); -- return 0; -- } - /* This a jump; chase it. */ - duprintf("Jump rule %u -> %u\n", - pos, newpos); -@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - /* ... this is a fallthru */ - newpos = pos + e->next_offset; - } -+ -+ if (newpos > newinfo->size - sizeof(*e)) -+ return 0; -+ - e = (struct ip6t_entry *) - (entry0 + newpos); - e->counters.pcnt = pos; --- -2.4.10 diff --git a/proc-prevent-stacking-filesystems-on-top.patch b/proc-prevent-stacking-filesystems-on-top.patch deleted file mode 100644 index 178aa3ba6..000000000 --- a/proc-prevent-stacking-filesystems-on-top.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 Mon Sep 17 00:00:00 2001 -From: Jann Horn -Date: Wed, 1 Jun 2016 11:55:05 +0200 -Subject: [PATCH] proc: prevent stacking filesystems on top - -This prevents stacking filesystems (ecryptfs and overlayfs) from using -procfs as lower filesystem. There is too much magic going on inside -procfs, and there is no good reason to stack stuff on top of procfs. - -(For example, procfs does access checks in VFS open handlers, and -ecryptfs by design calls open handlers from a kernel thread that doesn't -drop privileges or so.) - -Signed-off-by: Jann Horn -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds ---- - fs/proc/root.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/fs/proc/root.c b/fs/proc/root.c -index 361ab4ee42fc..ec649c92d270 100644 ---- a/fs/proc/root.c -+++ b/fs/proc/root.c -@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct file_system_type *fs_type, - if (IS_ERR(sb)) - return ERR_CAST(sb); - -+ /* -+ * procfs isn't actually a stacking filesystem; however, there is -+ * too much magic going on inside it to permit stacking things on -+ * top of it -+ */ -+ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH; -+ - if (!proc_parse_options(options, ns)) { - deactivate_locked_super(sb); - return ERR_PTR(-EINVAL); --- -2.5.5 - diff --git a/sched-panic-on-corrupted-stack-end.patch b/sched-panic-on-corrupted-stack-end.patch deleted file mode 100644 index 1d6bbaf3d..000000000 --- a/sched-panic-on-corrupted-stack-end.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 29d6455178a09e1dc340380c582b13356227e8df Mon Sep 17 00:00:00 2001 -From: Jann Horn -Date: Wed, 1 Jun 2016 11:55:07 +0200 -Subject: [PATCH] sched: panic on corrupted stack end - -Until now, hitting this BUG_ON caused a recursive oops (because oops -handling involves do_exit(), which calls into the scheduler, which in -turn raises an oops), which caused stuff below the stack to be -overwritten until a panic happened (e.g. via an oops in interrupt -context, caused by the overwritten CPU index in the thread_info). - -Just panic directly. - -Signed-off-by: Jann Horn -Signed-off-by: Linus Torvalds ---- - kernel/sched/core.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index d1f7149f8704..11546a6ed5df 100644 ---- a/kernel/sched/core.c -+++ b/kernel/sched/core.c -@@ -3047,7 +3047,8 @@ static noinline void __schedule_bug(struct task_struct *prev) - static inline void schedule_debug(struct task_struct *prev) - { - #ifdef CONFIG_SCHED_STACK_END_CHECK -- BUG_ON(task_stack_end_corrupted(prev)); -+ if (task_stack_end_corrupted(prev)) -+ panic("corrupted stack end detected inside scheduler\n"); - #endif - - if (unlikely(in_atomic_preempt_off())) { --- -2.5.5 - diff --git a/sources b/sources index 97a63ff63..8debc8e12 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz -c064bbe8108b8e5304f3db2130a96845 patch-4.6.2.xz +0d59cb81eb7c0daf0f5019deda65af90 patch-4.6.3.xz diff --git a/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/tipc-check-nl-sock-before-parsing-nested-attributes.patch deleted file mode 100644 index 09bfe1485..000000000 --- a/tipc-check-nl-sock-before-parsing-nested-attributes.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 45e093ae2830cd1264677d47ff9a95a71f5d9f9c Mon Sep 17 00:00:00 2001 -From: Richard Alpe -Date: Mon, 16 May 2016 11:14:54 +0200 -Subject: [PATCH] tipc: check nl sock before parsing nested attributes - -Make sure the socket for which the user is listing publication exists -before parsing the socket netlink attributes. - -Prior to this patch a call without any socket caused a NULL pointer -dereference in tipc_nl_publ_dump(). - -Tested-and-reported-by: Baozeng Ding -Signed-off-by: Richard Alpe -Acked-by: Jon Maloy -Signed-off-by: David S. Miller ---- - net/tipc/socket.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/tipc/socket.c b/net/tipc/socket.c -index 12628890c219..3b7a79991d55 100644 ---- a/net/tipc/socket.c -+++ b/net/tipc/socket.c -@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) - if (err) - return err; - -+ if (!attrs[TIPC_NLA_SOCK]) -+ return -EINVAL; -+ - err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, - attrs[TIPC_NLA_SOCK], - tipc_nl_sock_policy); --- -2.5.5 -