Linux v4.17.4
parent
f17b62cb59
commit
d7febc550b
|
@ -1,95 +0,0 @@
|
|||
From f620d1d7afc7db57ab59f35000752840c91f67e7 Mon Sep 17 00:00:00 2001
|
||||
From: ming_qian <ming_qian@realsil.com.cn>
|
||||
Date: Tue, 8 May 2018 22:13:08 -0400
|
||||
Subject: [PATCH] media: uvcvideo: Support realtek's UVC 1.5 device
|
||||
|
||||
media: uvcvideo: Support UVC 1.5 video probe & commit controls
|
||||
|
||||
The length of UVC 1.5 video control is 48, and it is 34 for UVC 1.1.
|
||||
Change it to 48 for UVC 1.5 device, and the UVC 1.5 device can be
|
||||
recognized.
|
||||
|
||||
More changes to the driver are needed for full UVC 1.5 compatibility.
|
||||
However, at least the UVC 1.5 Realtek RTS5847/RTS5852 cameras have been
|
||||
reported to work well.
|
||||
|
||||
[laurent.pinchart@ideasonboard.com: Factor out code to helper function, update size checks]
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: ming_qian <ming_qian@realsil.com.cn>
|
||||
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
|
||||
Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
|
||||
Tested-by: Ana Guerrero Lopez <ana.guerrero@collabora.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
|
||||
---
|
||||
drivers/media/usb/uvc/uvc_video.c | 24 ++++++++++++++++++------
|
||||
1 file changed, 18 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
|
||||
index aa0082fe5833..b28c997a7ab0 100644
|
||||
--- a/drivers/media/usb/uvc/uvc_video.c
|
||||
+++ b/drivers/media/usb/uvc/uvc_video.c
|
||||
@@ -163,14 +163,27 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
|
||||
}
|
||||
}
|
||||
|
||||
+static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
|
||||
+{
|
||||
+ /*
|
||||
+ * Return the size of the video probe and commit controls, which depends
|
||||
+ * on the protocol version.
|
||||
+ */
|
||||
+ if (stream->dev->uvc_version < 0x0110)
|
||||
+ return 26;
|
||||
+ else if (stream->dev->uvc_version < 0x0150)
|
||||
+ return 34;
|
||||
+ else
|
||||
+ return 48;
|
||||
+}
|
||||
+
|
||||
static int uvc_get_video_ctrl(struct uvc_streaming *stream,
|
||||
struct uvc_streaming_control *ctrl, int probe, u8 query)
|
||||
{
|
||||
+ u16 size = uvc_video_ctrl_size(stream);
|
||||
u8 *data;
|
||||
- u16 size;
|
||||
int ret;
|
||||
|
||||
- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
|
||||
if ((stream->dev->quirks & UVC_QUIRK_PROBE_DEF) &&
|
||||
query == UVC_GET_DEF)
|
||||
return -EIO;
|
||||
@@ -225,7 +238,7 @@ static int uvc_get_video_ctrl(struct uvc_streaming *stream,
|
||||
ctrl->dwMaxVideoFrameSize = get_unaligned_le32(&data[18]);
|
||||
ctrl->dwMaxPayloadTransferSize = get_unaligned_le32(&data[22]);
|
||||
|
||||
- if (size == 34) {
|
||||
+ if (size >= 34) {
|
||||
ctrl->dwClockFrequency = get_unaligned_le32(&data[26]);
|
||||
ctrl->bmFramingInfo = data[30];
|
||||
ctrl->bPreferedVersion = data[31];
|
||||
@@ -254,11 +267,10 @@ static int uvc_get_video_ctrl(struct uvc_streaming *stream,
|
||||
static int uvc_set_video_ctrl(struct uvc_streaming *stream,
|
||||
struct uvc_streaming_control *ctrl, int probe)
|
||||
{
|
||||
+ u16 size = uvc_video_ctrl_size(stream);
|
||||
u8 *data;
|
||||
- u16 size;
|
||||
int ret;
|
||||
|
||||
- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
|
||||
data = kzalloc(size, GFP_KERNEL);
|
||||
if (data == NULL)
|
||||
return -ENOMEM;
|
||||
@@ -275,7 +287,7 @@ static int uvc_set_video_ctrl(struct uvc_streaming *stream,
|
||||
put_unaligned_le32(ctrl->dwMaxVideoFrameSize, &data[18]);
|
||||
put_unaligned_le32(ctrl->dwMaxPayloadTransferSize, &data[22]);
|
||||
|
||||
- if (size == 34) {
|
||||
+ if (size >= 34) {
|
||||
put_unaligned_le32(ctrl->dwClockFrequency, &data[26]);
|
||||
data[30] = ctrl->bmFramingInfo;
|
||||
data[31] = ctrl->bPreferedVersion;
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
From bd23a7269834dc7c1f93e83535d16ebc44b75eba Mon Sep 17 00:00:00 2001
|
||||
From: Wenwen Wang <wang6495@umn.edu>
|
||||
Date: Tue, 8 May 2018 08:50:28 -0500
|
||||
Subject: [PATCH] virt: vbox: Only copy_from_user the request-header once
|
||||
|
||||
In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
|
||||
the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
|
||||
'version', 'size_in', and 'size_out' fields of 'hdr' are verified.
|
||||
|
||||
Before this commit, after the checks a buffer for the entire request would
|
||||
be allocated and then all data including the verified header would be
|
||||
copied from the userspace 'arg' pointer again.
|
||||
|
||||
Given that the 'arg' pointer resides in userspace, a malicious userspace
|
||||
process can race to change the data pointed to by 'arg' between the two
|
||||
copies. By doing so, the user can bypass the verifications on the ioctl
|
||||
argument.
|
||||
|
||||
This commit fixes this by using the already checked copy of the header
|
||||
to fill the header part of the allocated buffer and only copying the
|
||||
remainder of the data from userspace.
|
||||
|
||||
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
|
||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
|
||||
index 398d22693234..6e2a9619192d 100644
|
||||
--- a/drivers/virt/vboxguest/vboxguest_linux.c
|
||||
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
|
||||
@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req,
|
||||
if (!buf)
|
||||
return -ENOMEM;
|
||||
|
||||
- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
|
||||
+ *((struct vbg_ioctl_hdr *)buf) = hdr;
|
||||
+ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
|
||||
+ hdr.size_in - sizeof(hdr))) {
|
||||
ret = -EFAULT;
|
||||
goto out;
|
||||
}
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
From 70303420b5721c38998cf987e6b7d30cc62d4ff1 Mon Sep 17 00:00:00 2001
|
||||
From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
|
||||
Date: Thu, 21 Jun 2018 13:20:53 -0400
|
||||
Subject: [PATCH] tracing: Check for no filter when processing event filters
|
||||
|
||||
The syzkaller detected a out-of-bounds issue with the events filter code,
|
||||
specifically here:
|
||||
|
||||
prog[N].pred = NULL; /* #13 */
|
||||
prog[N].target = 1; /* TRUE */
|
||||
prog[N+1].pred = NULL;
|
||||
prog[N+1].target = 0; /* FALSE */
|
||||
-> prog[N-1].target = N;
|
||||
prog[N-1].when_to_branch = false;
|
||||
|
||||
As that's the first reference to a "N-1" index, it appears that the code got
|
||||
here with N = 0, which means the filter parser found no filter to parse
|
||||
(which shouldn't ever happen, but apparently it did).
|
||||
|
||||
Add a new error to the parsing code that will check to make sure that N is
|
||||
not zero before going into this part of the code. If N = 0, then -EINVAL is
|
||||
returned, and a error message is added to the filter.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
|
||||
Reported-by: air icy <icytxw@gmail.com>
|
||||
bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
|
||||
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
|
||||
Signed-off-by: Jeremy Cline <jcline@redhat.com>
|
||||
---
|
||||
kernel/trace/trace_events_filter.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
|
||||
index e1c818dbc0d7..0dceb77d1d42 100644
|
||||
--- a/kernel/trace/trace_events_filter.c
|
||||
+++ b/kernel/trace/trace_events_filter.c
|
||||
@@ -78,7 +78,8 @@ static const char * ops[] = { OPS };
|
||||
C(TOO_MANY_PREDS, "Too many terms in predicate expression"), \
|
||||
C(INVALID_FILTER, "Meaningless filter expression"), \
|
||||
C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \
|
||||
- C(INVALID_VALUE, "Invalid value (did you forget quotes)?"),
|
||||
+ C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \
|
||||
+ C(NO_FILTER, "No filter found"),
|
||||
|
||||
#undef C
|
||||
#define C(a, b) FILT_ERR_##a
|
||||
@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds,
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
+ if (!N) {
|
||||
+ /* No program? */
|
||||
+ ret = -EINVAL;
|
||||
+ parse_error(pe, FILT_ERR_NO_FILTER, ptr - str);
|
||||
+ goto out_free;
|
||||
+ }
|
||||
+
|
||||
prog[N].pred = NULL; /* #13 */
|
||||
prog[N].target = 1; /* TRUE */
|
||||
prog[N+1].pred = NULL;
|
||||
--
|
||||
2.17.1
|
||||
|
14
kernel.spec
14
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 3
|
||||
%define stable_update 4
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -643,18 +643,9 @@ Patch509: rtc-nvmem-don-t-return-an-error-when-not-enabled.patch
|
|||
Patch510: 1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
|
||||
Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch
|
||||
|
||||
# CVE-2018-12633 rhbz 1594170 1594172
|
||||
Patch512: 0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
|
||||
|
||||
# rhbz 1592454
|
||||
Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
|
||||
|
||||
# rhbz 1591516
|
||||
Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch
|
||||
|
||||
# CVE-2018-12714 rhbz 1595835 1595837
|
||||
Patch516: CVE-2018-12714.patch
|
||||
|
||||
# rhbz 1572944
|
||||
Patch517: Revert-the-random-series-for-4.16.4.patch
|
||||
|
||||
|
@ -1907,6 +1898,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Jul 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.4-200
|
||||
- Linux v4.17.4
|
||||
|
||||
* Fri Jun 29 2018 Jeremy Cline <jeremy@jcline.org>
|
||||
- Revert the CRNG init patches (rhbz 1572944)
|
||||
|
||||
|
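Review bot: The new %changelog entry records only `- Linux v4.17.4`, yet the second hunk of this section (18 lines down to 9) appears to drop the Patch512, Patch514 and Patch516 entries, two of which carry the CVE-2018-12633 and CVE-2018-12714 annotations. After this change nothing in the entry tells someone auditing the package where those fixes now come from, presumably the 4.17.4 stable update rather than carried patches. I would add a changelog line such as `- Drop vboxguest, uvcvideo and tracing filter patches now in 4.17.4 (CVE-2018-12633, CVE-2018-12714)`, after confirming that patch-4.17.4 contains all three commits. Which lines were removed is inferred from the hunk counts and from the three patch files deleted above, because the page has lost the +/- markers.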
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
|
||||
SHA512 (patch-4.17.3.xz) = c0b3dfb1c1d64edc74cb3b35a4d6160ccf80b5b58d19e5a11dde372ab515c350576f8981b3816e4e8689da38b792eb85b3ef46581d65d7c51c72943dea7409f4
|
||||
SHA512 (patch-4.17.4.xz) = 0a9f976e7cf2c2cc9ba29b5eb45a6b9722059674efa99153bf449537e022426138a0848cfdb69e1df4a1a3b71ee7c9de92b4086799d0e15f44f8356b2fd63754
|
||||
|
|