v4.4-pf8
This commit is contained in:
commit
decfa719c1
|
@ -0,0 +1,31 @@
|
|||
From cb6fcfe5a7e9197ceb7e9eec56e9c526e4e76354 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Date: Mon, 14 Mar 2016 19:37:12 +0100
|
||||
Subject: [PATCH] Input: synaptics - handle spurious release of trackstick
|
||||
buttons, again
|
||||
|
||||
Looks like the fimware 8.2 stall has the extra buttons spurious release
|
||||
bug.
|
||||
|
||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
---
|
||||
drivers/input/mouse/synaptics.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
|
||||
index 6025eb4..4ef8d7a 100644
|
||||
--- a/drivers/input/mouse/synaptics.c
|
||||
+++ b/drivers/input/mouse/synaptics.c
|
||||
@@ -863,7 +863,8 @@ static void synaptics_report_ext_buttons(struct psmouse *psmouse,
|
||||
return;
|
||||
|
||||
/* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */
|
||||
- if (SYN_ID_FULL(priv->identity) == 0x801 &&
|
||||
+ if ((SYN_ID_FULL(priv->identity) == 0x801 ||
|
||||
+ SYN_ID_FULL(priv->identity) == 0x802) &&
|
||||
!((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02))
|
||||
return;
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
From bb4d91481dd2122351866e500b46cff9399f579d Mon Sep 17 00:00:00 2001
|
||||
From: Laura Abbott <labbott@fedoraproject.org>
|
||||
Date: Thu, 25 Feb 2016 11:40:07 -0800
|
||||
Subject: [PATCH] Test ata fix
|
||||
|
||||
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
||||
---
|
||||
drivers/ata/libahci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
|
||||
index 1f225cc..998c6a8 100644
|
||||
--- a/drivers/ata/libahci.c
|
||||
+++ b/drivers/ata/libahci.c
|
||||
@@ -1142,8 +1142,7 @@ static void ahci_port_init(struct device *dev, struct ata_port *ap,
|
||||
|
||||
/* mark esata ports */
|
||||
tmp = readl(port_mmio + PORT_CMD);
|
||||
- if ((tmp & PORT_CMD_HPCP) ||
|
||||
- ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS)))
|
||||
+ if ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS))
|
||||
ap->pflags |= ATA_PFLAG_EXTERNAL;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
From 29c6dd591bbd592472247441de9fa694acdabae8 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Thu, 7 Jan 2016 11:01:00 +0100
|
||||
Subject: [PATCH] cdc-acm: fix NULL pointer reference
|
||||
|
||||
The union descriptor must be checked. Its usage was conditional
|
||||
before the parser was introduced. This is important, because
|
||||
many RNDIS device, which also use the common parser, have
|
||||
bogus extra descriptors.
|
||||
|
||||
Signed-off-by: Oliver Neukum <oneukum@suse.com>
|
||||
Tested-by: Vasily Galkin <galkin-vv@yandex.ru>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/usb/cdc_ether.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
|
||||
index 3da70bf..7cba2c3 100644
|
||||
--- a/drivers/net/usb/cdc_ether.c
|
||||
+++ b/drivers/net/usb/cdc_ether.c
|
||||
@@ -160,6 +160,12 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
|
||||
info->u = header.usb_cdc_union_desc;
|
||||
info->header = header.usb_cdc_header_desc;
|
||||
info->ether = header.usb_cdc_ether_desc;
|
||||
+ if (!info->u) {
|
||||
+ if (rndis)
|
||||
+ goto skip;
|
||||
+ else /* in that case a quirk is mandatory */
|
||||
+ goto bad_desc;
|
||||
+ }
|
||||
/* we need a master/control interface (what we're
|
||||
* probed with) and a slave/data interface; union
|
||||
* descriptors sort this all out.
|
||||
@@ -256,7 +262,7 @@ skip:
|
||||
goto bad_desc;
|
||||
}
|
||||
|
||||
- } else if (!info->header || !info->u || (!rndis && !info->ether)) {
|
||||
+ } else if (!info->header || (!rndis && !info->ether)) {
|
||||
dev_dbg(&intf->dev, "missing cdc %s%s%sdescriptor\n",
|
||||
info->header ? "" : "header ",
|
||||
info->u ? "" : "union ",
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
From 79abe2bd501d628b165f323098d6972d69bd13d7 Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Wed, 16 Mar 2016 13:20:51 +0100
|
||||
Subject: [PATCH] uas: Limit qdepth at the scsi-host level
|
||||
|
||||
Commit 64d513ac31bd ("scsi: use host wide tags by default") causes
|
||||
the scsi-core to queue more cmnds then we can handle on devices with
|
||||
multiple LUNs, limit the qdepth at the scsi-host level instead of
|
||||
per slave to fix this.
|
||||
|
||||
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1315013
|
||||
Cc: stable@vger.kernel.org # 4.4.x and 4.5.x
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
---
|
||||
drivers/usb/storage/uas.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
|
||||
index c90a7e4..b5cb7ab 100644
|
||||
--- a/drivers/usb/storage/uas.c
|
||||
+++ b/drivers/usb/storage/uas.c
|
||||
@@ -800,7 +800,6 @@ static int uas_slave_configure(struct scsi_device *sdev)
|
||||
if (devinfo->flags & US_FL_BROKEN_FUA)
|
||||
sdev->broken_fua = 1;
|
||||
|
||||
- scsi_change_queue_depth(sdev, devinfo->qdepth - 2);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -932,6 +931,12 @@ static int uas_probe(struct usb_interface *intf, const struct usb_device_id *id)
|
||||
if (result)
|
||||
goto set_alt0;
|
||||
|
||||
+ /*
|
||||
+ * 1 tag is reserved for untagged commands +
|
||||
+ * 1 tag to avoid of by one errors in some bridge firmwares
|
||||
+ */
|
||||
+ shost->can_queue = devinfo->qdepth - 2;
|
||||
+
|
||||
usb_set_intfdata(intf, shost);
|
||||
result = scsi_add_host(shost, &intf->dev);
|
||||
if (result)
|
||||
--
|
||||
2.7.3
|
||||
|
|
@ -0,0 +1,80 @@
|
|||
From 873156565ca67779bbf5a3475ccd08ea3bb92522 Mon Sep 17 00:00:00 2001
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Tue, 15 Mar 2016 15:20:58 +0100
|
||||
Subject: [PATCH 2/2] ALSA: usb-audio: Add sanity checks for endpoint accesses
|
||||
|
||||
Add some sanity check codes before actually accessing the endpoint via
|
||||
get_endpoint() in order to avoid the invalid access through a
|
||||
malformed USB descriptor. Mostly just checking bNumEndpoints, but in
|
||||
one place (snd_microii_spdif_default_get()), the validity of iface and
|
||||
altsetting index is checked as well.
|
||||
|
||||
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/usb/clock.c | 2 ++
|
||||
sound/usb/endpoint.c | 3 +++
|
||||
sound/usb/mixer_quirks.c | 4 ++++
|
||||
sound/usb/pcm.c | 2 ++
|
||||
4 files changed, 11 insertions(+)
|
||||
|
||||
diff --git a/sound/usb/clock.c b/sound/usb/clock.c
|
||||
index 2ed260b10f6d..7ccbcaf6a147 100644
|
||||
--- a/sound/usb/clock.c
|
||||
+++ b/sound/usb/clock.c
|
||||
@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface,
|
||||
unsigned char data[3];
|
||||
int err, crate;
|
||||
|
||||
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
ep = get_endpoint(alts, 0)->bEndpointAddress;
|
||||
|
||||
/* if endpoint doesn't have sampling rate control, bail out */
|
||||
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
|
||||
index e6f71894ecdc..c2131b851602 100644
|
||||
--- a/sound/usb/endpoint.c
|
||||
+++ b/sound/usb/endpoint.c
|
||||
@@ -415,6 +415,9 @@ exit_clear:
|
||||
*
|
||||
* New endpoints will be added to chip->ep_list and must be freed by
|
||||
* calling snd_usb_endpoint_free().
|
||||
+ *
|
||||
+ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
|
||||
+ * bNumEndpoints > 1 beforehand.
|
||||
*/
|
||||
struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
|
||||
struct usb_host_interface *alts,
|
||||
diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
|
||||
index d3608c0a29f3..2d724e3c4cc0 100644
|
||||
--- a/sound/usb/mixer_quirks.c
|
||||
+++ b/sound/usb/mixer_quirks.c
|
||||
@@ -1518,7 +1518,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol,
|
||||
|
||||
/* use known values for that card: interface#1 altsetting#1 */
|
||||
iface = usb_ifnum_to_if(chip->dev, 1);
|
||||
+ if (!iface || iface->num_altsetting < 2)
|
||||
+ return -EINVAL;
|
||||
alts = &iface->altsetting[1];
|
||||
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
ep = get_endpoint(alts, 0)->bEndpointAddress;
|
||||
|
||||
err = snd_usb_ctl_msg(chip->dev,
|
||||
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
|
||||
index cdac5179db3f..4da64896df6d 100644
|
||||
--- a/sound/usb/pcm.c
|
||||
+++ b/sound/usb/pcm.c
|
||||
@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface,
|
||||
unsigned char data[1];
|
||||
int err;
|
||||
|
||||
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
ep = get_endpoint(alts, 0)->bEndpointAddress;
|
||||
|
||||
data[0] = 1;
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
From b0bb5691b38e2f439b071e226bad9f699c33b77d Mon Sep 17 00:00:00 2001
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Tue, 15 Mar 2016 12:09:10 +0100
|
||||
Subject: [PATCH 1/2] ALSA: usb-audio: Fix NULL dereference in
|
||||
create_fixed_stream_quirk()
|
||||
|
||||
create_fixed_stream_quirk() may cause a NULL-pointer dereference by
|
||||
accessing the non-existing endpoint when a USB device with a malformed
|
||||
USB descriptor is used.
|
||||
|
||||
This patch avoids it simply by adding a sanity check of bNumEndpoints
|
||||
before the accesses.
|
||||
|
||||
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/usb/quirks.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
|
||||
index eef9b8e4b949..e128ca62eb44 100644
|
||||
--- a/sound/usb/quirks.c
|
||||
+++ b/sound/usb/quirks.c
|
||||
@@ -177,6 +177,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
|
||||
}
|
||||
alts = &iface->altsetting[fp->altset_idx];
|
||||
altsd = get_iface_desc(alts);
|
||||
+ if (altsd->bNumEndpoints < 1) {
|
||||
+ kfree(fp);
|
||||
+ kfree(rate_table);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
fp->protocol = altsd->bInterfaceProtocol;
|
||||
|
||||
if (fp->datainterval == 0)
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 14 Mar 2016 10:02:51 -0400
|
||||
Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
|
||||
descriptors
|
||||
|
||||
The powermate driver expects at least one valid USB endpoint in its
|
||||
probe function. If given malicious descriptors that specify 0 for
|
||||
the number of endpoints, it will crash. Validate the number of
|
||||
endpoints on the interface before using them.
|
||||
|
||||
The full report for this issue can be found here:
|
||||
http://seclists.org/bugtraq/2016/Mar/85
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/input/misc/powermate.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
|
||||
index 63b539d3daba..84909a12ff36 100644
|
||||
--- a/drivers/input/misc/powermate.c
|
||||
+++ b/drivers/input/misc/powermate.c
|
||||
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
|
||||
int error = -ENOMEM;
|
||||
|
||||
interface = intf->cur_altsetting;
|
||||
+ if (interface->desc.bNumEndpoints < 1)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
endpoint = &interface->endpoint[0].desc;
|
||||
if (!usb_endpoint_is_int_in(endpoint))
|
||||
return -EIO;
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 14 Mar 2016 10:38:31 -0400
|
||||
Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors
|
||||
|
||||
The iowarrior driver expects at least one valid endpoint. If given
|
||||
malicious descriptors that specify 0 for the number of endpoints,
|
||||
it will crash in the probe function. Ensure there is at least
|
||||
one endpoint on the interface before using it.
|
||||
|
||||
The full report of this issue can be found here:
|
||||
http://seclists.org/bugtraq/2016/Mar/87
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/usb/misc/iowarrior.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
|
||||
index c6bfd13f6c92..1950e87b4219 100644
|
||||
--- a/drivers/usb/misc/iowarrior.c
|
||||
+++ b/drivers/usb/misc/iowarrior.c
|
||||
@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
|
||||
iface_desc = interface->cur_altsetting;
|
||||
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
|
||||
|
||||
+ if (iface_desc->desc.bNumEndpoints < 1) {
|
||||
+ dev_err(&interface->dev, "Invalid number of endpoints\n");
|
||||
+ retval = -EINVAL;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
/* set up the endpoint information */
|
||||
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
|
||||
endpoint = &iface_desc->endpoint[i].desc;
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,59 @@
|
|||
From 94c78c81df3056e573fb84000a32512e9c16e555 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Thu, 10 Mar 2016 08:49:02 -0500
|
||||
Subject: [PATCH] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU
|
||||
devices
|
||||
|
||||
A Fedora user reports that the ftdi_sio driver works properly for the
|
||||
ICP DAS I-7561U device. Further, the user manual for these devices
|
||||
instructs users to load the driver and add the ids using the sysfs
|
||||
interface.
|
||||
|
||||
Add support for these in the driver directly so that the devices work
|
||||
out of the box instead of needing manual configuration.
|
||||
|
||||
Reported-by: <thesource@mail.ru>
|
||||
CC: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
drivers/usb/serial/ftdi_sio.c | 4 ++++
|
||||
drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++
|
||||
2 files changed, 12 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
|
||||
index 8c660ae401d8..b61f12160d37 100644
|
||||
--- a/drivers/usb/serial/ftdi_sio.c
|
||||
+++ b/drivers/usb/serial/ftdi_sio.c
|
||||
@@ -1004,6 +1004,10 @@ static const struct usb_device_id id_table_combined[] = {
|
||||
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
|
||||
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
|
||||
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
|
||||
+ /* ICP DAS I-756xU devices */
|
||||
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
|
||||
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
|
||||
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
|
||||
{ } /* Terminating entry */
|
||||
};
|
||||
|
||||
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
|
||||
index a84df2513994..a4ec24ce6a11 100644
|
||||
--- a/drivers/usb/serial/ftdi_sio_ids.h
|
||||
+++ b/drivers/usb/serial/ftdi_sio_ids.h
|
||||
@@ -872,6 +872,14 @@
|
||||
#define NOVITUS_BONO_E_PID 0x6010
|
||||
|
||||
/*
|
||||
+ * ICPDAS I-756*U devices
|
||||
+ */
|
||||
+#define ICPDAS_VID 0x1b5c
|
||||
+#define ICPDAS_I7560U_PID 0x0103
|
||||
+#define ICPDAS_I7561U_PID 0x0104
|
||||
+#define ICPDAS_I7563U_PID 0x0105
|
||||
+
|
||||
+/*
|
||||
* RT Systems programming cables for various ham radios
|
||||
*/
|
||||
#define RTSYSTEMS_VID 0x2100 /* Vendor ID */
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
From e6a87f147002fa16adcbafebbc458ff90a463474 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Tue, 15 Mar 2016 10:14:04 +0100
|
||||
Subject: [PATCH] cdc-acm: more sanity checking
|
||||
|
||||
An attack has become available which pretends to be a quirky
|
||||
device circumventing normal sanity checks and crashes the kernel
|
||||
by an insufficient number of interfaces. This patch adds a check
|
||||
to the code path for quirky devices.
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
---
|
||||
drivers/usb/class/cdc-acm.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
|
||||
index 26ca4f910cb0..a7732f80a912 100644
|
||||
--- a/drivers/usb/class/cdc-acm.c
|
||||
+++ b/drivers/usb/class/cdc-acm.c
|
||||
@@ -1113,6 +1113,9 @@ static int acm_probe(struct usb_interface *intf,
|
||||
if (quirks == NO_UNION_NORMAL) {
|
||||
data_interface = usb_ifnum_to_if(usb_dev, 1);
|
||||
control_interface = usb_ifnum_to_if(usb_dev, 0);
|
||||
+ /* we would crash */
|
||||
+ if (!data_interface || !control_interface)
|
||||
+ return -ENODEV;
|
||||
goto skip_normal_probe;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,83 +0,0 @@
|
|||
From cb150b9d23be6ee7f3a0fff29784f1c5b5ac514d Mon Sep 17 00:00:00 2001
|
||||
From: Johannes Berg <johannes.berg@intel.com>
|
||||
Date: Wed, 27 Jan 2016 13:29:34 +0100
|
||||
Subject: cfg80211/wext: fix message ordering
|
||||
|
||||
Since cfg80211 frequently takes actions from its netdev notifier
|
||||
call, wireless extensions messages could still be ordered badly
|
||||
since the wext netdev notifier, since wext is built into the
|
||||
kernel, runs before the cfg80211 netdev notifier. For example,
|
||||
the following can happen:
|
||||
|
||||
5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
|
||||
link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
|
||||
5: wlan1: <BROADCAST,MULTICAST,UP>
|
||||
link/ether
|
||||
|
||||
when setting the interface down causes the wext message.
|
||||
|
||||
To also fix this, export the wireless_nlevent_flush() function
|
||||
and also call it from the cfg80211 notifier.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
---
|
||||
include/net/iw_handler.h | 6 ++++++
|
||||
net/wireless/core.c | 2 ++
|
||||
net/wireless/wext-core.c | 3 ++-
|
||||
3 files changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/include/net/iw_handler.h b/include/net/iw_handler.h
|
||||
index 8f81bbb..e0f4109 100644
|
||||
--- a/include/net/iw_handler.h
|
||||
+++ b/include/net/iw_handler.h
|
||||
@@ -439,6 +439,12 @@ int dev_get_wireless_info(char *buffer, char **start, off_t offset, int length);
|
||||
/* Send a single event to user space */
|
||||
void wireless_send_event(struct net_device *dev, unsigned int cmd,
|
||||
union iwreq_data *wrqu, const char *extra);
|
||||
+#ifdef CONFIG_WEXT_CORE
|
||||
+/* flush all previous wext events - if work is done from netdev notifiers */
|
||||
+void wireless_nlevent_flush(void);
|
||||
+#else
|
||||
+static inline void wireless_nlevent_flush(void) {}
|
||||
+#endif
|
||||
|
||||
/* We may need a function to send a stream of events to user space.
|
||||
* More on that later... */
|
||||
diff --git a/net/wireless/core.c b/net/wireless/core.c
|
||||
index b091551..8f0bac7 100644
|
||||
--- a/net/wireless/core.c
|
||||
+++ b/net/wireless/core.c
|
||||
@@ -1147,6 +1147,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
|
||||
return NOTIFY_DONE;
|
||||
}
|
||||
|
||||
+ wireless_nlevent_flush();
|
||||
+
|
||||
return NOTIFY_OK;
|
||||
}
|
||||
|
||||
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
|
||||
index 87dd619..b50ee5d 100644
|
||||
--- a/net/wireless/wext-core.c
|
||||
+++ b/net/wireless/wext-core.c
|
||||
@@ -342,7 +342,7 @@ static const int compat_event_type_size[] = {
|
||||
|
||||
/* IW event code */
|
||||
|
||||
-static void wireless_nlevent_flush(void)
|
||||
+void wireless_nlevent_flush(void)
|
||||
{
|
||||
struct sk_buff *skb;
|
||||
struct net *net;
|
||||
@@ -355,6 +355,7 @@ static void wireless_nlevent_flush(void)
|
||||
GFP_KERNEL);
|
||||
}
|
||||
}
|
||||
+EXPORT_SYMBOL_GPL(wireless_nlevent_flush);
|
||||
|
||||
static int wext_netdev_notifier_call(struct notifier_block *nb,
|
||||
unsigned long state, void *ptr)
|
||||
--
|
||||
cgit v0.12
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
From f7a3aa353011e38e119adebd845b38551587a26a Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Thu, 17 Mar 2016 16:25:33 +0100
|
||||
Subject: [PATCH] cypress_m8: add sanity checking
|
||||
|
||||
An attack using missing endpoints exists.
|
||||
CVE-2016-3137
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
|
||||
v1 - add sanity check
|
||||
v2 - add error logging
|
||||
v3 - correct error message
|
||||
---
|
||||
drivers/usb/serial/cypress_m8.c | 11 +++++------
|
||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
|
||||
index 01bf53392819..5e25443fe4ef 100644
|
||||
--- a/drivers/usb/serial/cypress_m8.c
|
||||
+++ b/drivers/usb/serial/cypress_m8.c
|
||||
@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
|
||||
struct usb_serial *serial = port->serial;
|
||||
struct cypress_private *priv;
|
||||
|
||||
+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
|
||||
+ dev_err(&port->dev, "A required endpoint is missing\n");
|
||||
+ return -ENODEV;
|
||||
+ }
|
||||
+
|
||||
priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
|
||||
if (!priv)
|
||||
return -ENOMEM;
|
||||
@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port)
|
||||
cypress_set_termios(tty, port, &priv->tmp_termios);
|
||||
|
||||
/* setup the port and start reading from the device */
|
||||
- if (!port->interrupt_in_urb) {
|
||||
- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
|
||||
- __func__);
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
|
||||
usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
|
||||
port->interrupt_in_urb->transfer_buffer,
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
From e9c2a3972496927631a1a98fef43e9538e9fd5d5 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Mon, 14 Mar 2016 15:53:38 +0100
|
||||
Subject: [PATCH v2] digi_acceleport: do sanity checking for the number of ports
|
||||
|
||||
The driver can be crashed with devices that expose crafted
|
||||
descriptors with too few endpoints.
|
||||
See:
|
||||
http://seclists.org/bugtraq/2016/Mar/61
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
|
||||
v1 - added sanity checks
|
||||
v2 - moved them to probe() to fix problems Johan pointed out
|
||||
---
|
||||
drivers/usb/serial/digi_acceleport.c | 24 +++++++++++++++++++-----
|
||||
1 file changed, 19 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
|
||||
index 12b0e67..dab1dcf 100644
|
||||
--- a/drivers/usb/serial/digi_acceleport.c
|
||||
+++ b/drivers/usb/serial/digi_acceleport.c
|
||||
@@ -1252,7 +1252,8 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
|
||||
static int digi_startup(struct usb_serial *serial)
|
||||
{
|
||||
struct digi_serial *serial_priv;
|
||||
- int ret;
|
||||
+ int ret = -ENODEV;
|
||||
+ int i;
|
||||
|
||||
serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
|
||||
if (!serial_priv)
|
||||
@@ -1260,18 +1261,31 @@ static int digi_startup(struct usb_serial *serial)
|
||||
|
||||
spin_lock_init(&serial_priv->ds_serial_lock);
|
||||
serial_priv->ds_oob_port_num = serial->type->num_ports;
|
||||
+
|
||||
+ /* Check whether the expected number of ports matches the device */
|
||||
+ if (serial->num_ports < serial_priv->ds_oob_port_num)
|
||||
+ goto error;
|
||||
+ /* all features must be present */
|
||||
+ for (i = 0; i < serial->type->num_ports + 1 ; i++) {
|
||||
+ if (!serial->port[i]->read_urb)
|
||||
+ goto error;
|
||||
+ if (!serial->port[i]->write_urb)
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
|
||||
|
||||
ret = digi_port_init(serial_priv->ds_oob_port,
|
||||
serial_priv->ds_oob_port_num);
|
||||
- if (ret) {
|
||||
- kfree(serial_priv);
|
||||
- return ret;
|
||||
- }
|
||||
+ if (ret)
|
||||
+ goto error;
|
||||
|
||||
usb_set_serial_data(serial, serial_priv);
|
||||
|
||||
return 0;
|
||||
+error:
|
||||
+ kfree(serial_priv);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
2.1.4
|
|
@ -0,0 +1,39 @@
|
|||
From a4200b7eb26271108586d3a7cf34a2f16d460e48 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Thu, 17 Mar 2016 15:10:47 +0100
|
||||
Subject: [PATCH] ims-pcu: sanity check against missing interfaces
|
||||
|
||||
A malicious device missing interface can make the driver oops.
|
||||
Add sanity checking.
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
---
|
||||
drivers/input/misc/ims-pcu.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
|
||||
index ac1fa5f44580..9c0ea36913b4 100644
|
||||
--- a/drivers/input/misc/ims-pcu.c
|
||||
+++ b/drivers/input/misc/ims-pcu.c
|
||||
@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
|
||||
|
||||
pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev,
|
||||
union_desc->bMasterInterface0);
|
||||
+ if (!pcu->ctrl_intf)
|
||||
+ return -EINVAL;
|
||||
|
||||
alt = pcu->ctrl_intf->cur_altsetting;
|
||||
pcu->ep_ctrl = &alt->endpoint[0].desc;
|
||||
@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
|
||||
|
||||
pcu->data_intf = usb_ifnum_to_if(pcu->udev,
|
||||
union_desc->bSlaveInterface0);
|
||||
+ if (!pcu->data_intf)
|
||||
+ return -EINVAL;
|
||||
|
||||
alt = pcu->data_intf->cur_altsetting;
|
||||
if (alt->desc.bNumEndpoints != 2) {
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,49 @@
|
|||
Subject: [PATCH] Input: gtco: fix crash on detecting device without endpoints
|
||||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Date: 2016-03-18 18:35:00
|
||||
|
||||
The gtco driver expects at least one valid endpoint. If given
|
||||
malicious descriptors that specify 0 for the number of endpoints,
|
||||
it will crash in the probe function. Ensure there is at least
|
||||
one endpoint on the interface before using it. Fix minor coding
|
||||
style issue.
|
||||
|
||||
The full report of this issue can be found here:
|
||||
http://seclists.org/bugtraq/2016/Mar/86
|
||||
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
---
|
||||
drivers/input/tablet/gtco.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
|
||||
index 3a7f3a4..7c18249 100644
|
||||
--- a/drivers/input/tablet/gtco.c
|
||||
+++ b/drivers/input/tablet/gtco.c
|
||||
@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
|
||||
goto err_free_buf;
|
||||
}
|
||||
|
||||
+ /* Sanity check that a device has an endpoint */
|
||||
+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
|
||||
+ dev_err(&usbinterface->dev,
|
||||
+ "Invalid number of endpoints\n");
|
||||
+ error = -EINVAL;
|
||||
+ goto err_free_urb;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* The endpoint is always altsetting 0, we know this since we know
|
||||
* this device only has one interrupt endpoint
|
||||
@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
|
||||
* HID report descriptor
|
||||
*/
|
||||
if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
|
||||
- HID_DEVICE_TYPE, &hid_desc) != 0){
|
||||
+ HID_DEVICE_TYPE, &hid_desc) != 0) {
|
||||
dev_err(&usbinterface->dev,
|
||||
"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
|
||||
error = -EIO;
|
||||
--
|
||||
2.5.0
|
|
@ -1,92 +0,0 @@
|
|||
From b91309eedd77374fdecc379942c44f903e2dedff Mon Sep 17 00:00:00 2001
|
||||
From: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
|
||||
Date: Tue, 23 Feb 2016 13:03:30 +0100
|
||||
Subject: [PATCH] iommu/amd: Fix boot warning when device 00:00.0 is not iommu
|
||||
covered
|
||||
|
||||
The setup code for the performance counters in the AMD IOMMU driver
|
||||
tests whether the counters can be written. It tests to setup a counter
|
||||
for device 00:00.0, which fails on systems where this particular device
|
||||
is not covered by the IOMMU.
|
||||
|
||||
Fix this by not relying on device 00:00.0 but only on the IOMMU being
|
||||
present.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
|
||||
Signed-off-by: Joerg Roedel <jroedel@suse.de>
|
||||
---
|
||||
drivers/iommu/amd_iommu_init.c | 34 ++++++++++++++++++++++------------
|
||||
1 file changed, 22 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
|
||||
index 013bdff..d06a6d9 100644
|
||||
--- a/drivers/iommu/amd_iommu_init.c
|
||||
+++ b/drivers/iommu/amd_iommu_init.c
|
||||
@@ -228,6 +228,10 @@ static int amd_iommu_enable_interrupts(void);
|
||||
static int __init iommu_go_to_state(enum iommu_init_state state);
|
||||
static void init_device_table_dma(void);
|
||||
|
||||
+static int iommu_pc_get_set_reg_val(struct amd_iommu *iommu,
|
||||
+ u8 bank, u8 cntr, u8 fxn,
|
||||
+ u64 *value, bool is_write);
|
||||
+
|
||||
static inline void update_last_devid(u16 devid)
|
||||
{
|
||||
if (devid > amd_iommu_last_bdf)
|
||||
@@ -1142,8 +1146,8 @@ static void init_iommu_perf_ctr(struct amd_iommu *iommu)
|
||||
amd_iommu_pc_present = true;
|
||||
|
||||
/* Check if the performance counters can be written to */
|
||||
- if ((0 != amd_iommu_pc_get_set_reg_val(0, 0, 0, 0, &val, true)) ||
|
||||
- (0 != amd_iommu_pc_get_set_reg_val(0, 0, 0, 0, &val2, false)) ||
|
||||
+ if ((0 != iommu_pc_get_set_reg_val(iommu, 0, 0, 0, &val, true)) ||
|
||||
+ (0 != iommu_pc_get_set_reg_val(iommu, 0, 0, 0, &val2, false)) ||
|
||||
(val != val2)) {
|
||||
pr_err("AMD-Vi: Unable to write to IOMMU perf counter.\n");
|
||||
amd_iommu_pc_present = false;
|
||||
@@ -2283,22 +2287,15 @@ u8 amd_iommu_pc_get_max_counters(u16 devid)
|
||||
}
|
||||
EXPORT_SYMBOL(amd_iommu_pc_get_max_counters);
|
||||
|
||||
-int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn,
|
||||
+static int iommu_pc_get_set_reg_val(struct amd_iommu *iommu,
|
||||
+ u8 bank, u8 cntr, u8 fxn,
|
||||
u64 *value, bool is_write)
|
||||
{
|
||||
- struct amd_iommu *iommu;
|
||||
u32 offset;
|
||||
u32 max_offset_lim;
|
||||
|
||||
- /* Make sure the IOMMU PC resource is available */
|
||||
- if (!amd_iommu_pc_present)
|
||||
- return -ENODEV;
|
||||
-
|
||||
- /* Locate the iommu associated with the device ID */
|
||||
- iommu = amd_iommu_rlookup_table[devid];
|
||||
-
|
||||
/* Check for valid iommu and pc register indexing */
|
||||
- if (WARN_ON((iommu == NULL) || (fxn > 0x28) || (fxn & 7)))
|
||||
+ if (WARN_ON((fxn > 0x28) || (fxn & 7)))
|
||||
return -ENODEV;
|
||||
|
||||
offset = (u32)(((0x40|bank) << 12) | (cntr << 8) | fxn);
|
||||
@@ -2322,3 +2319,16 @@ int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn,
|
||||
return 0;
|
||||
}
|
||||
EXPORT_SYMBOL(amd_iommu_pc_get_set_reg_val);
|
||||
+
|
||||
+int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn,
|
||||
+ u64 *value, bool is_write)
|
||||
+{
|
||||
+ struct amd_iommu *iommu = amd_iommu_rlookup_table[devid];
|
||||
+
|
||||
+ /* Make sure the IOMMU PC resource is available */
|
||||
+ if (!amd_iommu_pc_present || iommu == NULL)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
+ return iommu_pc_get_set_reg_val(iommu, bank, cntr, fxn,
|
||||
+ value, is_write);
|
||||
+}
|
||||
--
|
||||
1.8.4.5
|
|
@ -0,0 +1,97 @@
|
|||
From fbd40ea0180a2d328c5adc61414dc8bab9335ce2 Mon Sep 17 00:00:00 2001
|
||||
From: "David S. Miller" <davem@davemloft.net>
|
||||
Date: Sun, 13 Mar 2016 23:28:00 -0400
|
||||
Subject: ipv4: Don't do expensive useless work during inetdev destroy.
|
||||
|
||||
When an inetdev is destroyed, every address assigned to the interface
|
||||
is removed. And in this scenerio we do two pointless things which can
|
||||
be very expensive if the number of assigned interfaces is large:
|
||||
|
||||
1) Address promotion. We are deleting all addresses, so there is no
|
||||
point in doing this.
|
||||
|
||||
2) A full nf conntrack table purge for every address. We only need to
|
||||
do this once, as is already caught by the existing
|
||||
masq_dev_notifier so masq_inet_event() can skip this.
|
||||
|
||||
Reported-by: Solar Designer <solar@openwall.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
|
||||
---
|
||||
net/ipv4/devinet.c | 4 ++++
|
||||
net/ipv4/fib_frontend.c | 4 ++++
|
||||
net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 12 ++++++++++--
|
||||
3 files changed, 18 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
|
||||
index 65e76a4..e333bc8 100644
|
||||
--- a/net/ipv4/devinet.c
|
||||
+++ b/net/ipv4/devinet.c
|
||||
@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
|
||||
|
||||
ASSERT_RTNL();
|
||||
|
||||
+ if (in_dev->dead)
|
||||
+ goto no_promotions;
|
||||
+
|
||||
/* 1. Deleting primary ifaddr forces deletion all secondaries
|
||||
* unless alias promotion is set
|
||||
**/
|
||||
@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
|
||||
fib_del_ifaddr(ifa, ifa1);
|
||||
}
|
||||
|
||||
+no_promotions:
|
||||
/* 2. Unlink it */
|
||||
|
||||
*ifap = ifa1->ifa_next;
|
||||
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
|
||||
index 4734475..21add55 100644
|
||||
--- a/net/ipv4/fib_frontend.c
|
||||
+++ b/net/ipv4/fib_frontend.c
|
||||
@@ -922,6 +922,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
|
||||
subnet = 1;
|
||||
}
|
||||
|
||||
+ if (in_dev->dead)
|
||||
+ goto no_promotions;
|
||||
+
|
||||
/* Deletion is more complicated than add.
|
||||
* We should take care of not to delete too much :-)
|
||||
*
|
||||
@@ -997,6 +1000,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
|
||||
}
|
||||
}
|
||||
|
||||
+no_promotions:
|
||||
if (!(ok & BRD_OK))
|
||||
fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim);
|
||||
if (subnet && ifa->ifa_prefixlen < 31) {
|
||||
diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
|
||||
index c6eb421..ea91058 100644
|
||||
--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
|
||||
+++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
|
||||
@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifier_block *this,
|
||||
unsigned long event,
|
||||
void *ptr)
|
||||
{
|
||||
- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;
|
||||
+ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev;
|
||||
struct netdev_notifier_info info;
|
||||
|
||||
- netdev_notifier_info_init(&info, dev);
|
||||
+ /* The masq_dev_notifier will catch the case of the device going
|
||||
+ * down. So if the inetdev is dead and being destroyed we have
|
||||
+ * no work to do. Otherwise this is an individual address removal
|
||||
+ * and we have to perform the flush.
|
||||
+ */
|
||||
+ if (idev->dead)
|
||||
+ return NOTIFY_DONE;
|
||||
+
|
||||
+ netdev_notifier_info_init(&info, idev->dev);
|
||||
return masq_device_event(this, event, &info);
|
||||
}
|
||||
|
||||
--
|
||||
cgit v0.12
|
||||
|
120
kernel.spec
120
kernel.spec
|
@ -22,7 +22,7 @@ Summary: The Linux kernel
|
|||
%global zipsed -e 's/\.ko$/\.ko.xz/'
|
||||
%endif
|
||||
|
||||
%define buildid .hu.1.pf6
|
||||
%define buildid .hu.1.pf8
|
||||
|
||||
# baserelease defines which build revision of this kernel version we're
|
||||
# building. We used to call this fedora_build, but the magical name
|
||||
|
@ -40,7 +40,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 301
|
||||
%global baserelease 300
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -52,8 +52,8 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
#+Hu Pf against 4.4.4 v4.4-pf6: https://pf.natalenko.name/news/?p=161
|
||||
%define stable_update 4
|
||||
#+Hu Pf against 4.4.5 v4.4-pf8: https://pf.natalenko.name/news/?p=166, https://pf.natalenko.name/news/?p=165
|
||||
%define stable_update 5
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -469,7 +469,7 @@ Source2001: cpupower.config
|
|||
%if 0%{?stable_update}
|
||||
%if 0%{?stable_base}
|
||||
#%%define stable_patch_00 patch-4.%%{base_sublevel}.%%{stable_base}.xz
|
||||
%global stable_patch_00 https://pf.natalenko.name/sources/4.4/patch-4.4-pf6.xz
|
||||
%global stable_patch_00 https://pf.natalenko.name/sources/4.4/patch-4.4-pf8.xz
|
||||
Source5000: %{stable_patch_00}
|
||||
%endif
|
||||
|
||||
|
@ -631,28 +631,72 @@ Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
|
|||
#rhbz 1278942
|
||||
Patch643: media-ivtv-avoid-going-past-input-audio-array.patch
|
||||
|
||||
#rhbz 1302037
|
||||
Patch644: wext-fix-message-delay-ordering.patch
|
||||
Patch645: cfg80211-wext-fix-message-ordering.patch
|
||||
|
||||
#rhbz 1255325
|
||||
Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
|
||||
|
||||
#Known use after free, possibly rhbz 1310579
|
||||
Patch654: 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch
|
||||
|
||||
#rhbz 1310258
|
||||
Patch655: iommu-fix.patch
|
||||
|
||||
#rhbz 1310682
|
||||
Patch657: 0001-Test-ata-fix.patch
|
||||
|
||||
#Mitigates CVE-2013-4312 rhbz 1313428 1313433
|
||||
Patch659: pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
|
||||
|
||||
#rhbz 1310252 1313318
|
||||
Patch660: 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch
|
||||
|
||||
#rhbz 1316719
|
||||
Patch662: 0001-cdc-acm-fix-NULL-pointer-reference.patch
|
||||
|
||||
#rhbz 1316136
|
||||
Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
|
||||
|
||||
#CVE-2016-3135 rhbz 1317386 1317387
|
||||
Patch664: netfilter-x_tables-check-for-size-overflow.patch
|
||||
|
||||
#CVE-2016-3134 rhbz 1317383 1317384
|
||||
Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
|
||||
|
||||
#CVE-2016-3135 rhbz 1318172 1318270
|
||||
Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
|
||||
|
||||
#CVE-2016-2184 rhbz 1317012 1317470
|
||||
Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
|
||||
Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
|
||||
|
||||
#CVE-2016-3137 rhbz 1317010 1316996
|
||||
Patch672: cypress_m8-add-sanity-checking.patch
|
||||
|
||||
#CVE-2016-2186 rhbz 1317015 1317464
|
||||
Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
|
||||
|
||||
#CVE-2016-2188 rhbz 1317018 1317467
|
||||
Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
|
||||
|
||||
#CVE-2016-2185 rhbz 1317014 1317471
|
||||
Patch675: usb_driver_claim_interface-add-sanity-checking.patch
|
||||
|
||||
#CVE-2016-3138 rhbz 1317010 1316204
|
||||
Patch676: cdc-acm-more-sanity-checking.patch
|
||||
|
||||
#CVE-2016-3140 rhbz 1317010 1316995
|
||||
Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch
|
||||
|
||||
Patch678: ims-pcu-sanity-check-against-missing-interfaces.patch
|
||||
|
||||
#rhbz 1315013
|
||||
Patch679: 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch
|
||||
|
||||
#rhbz 1317190
|
||||
Patch680: thermal-fix.patch
|
||||
|
||||
#rhbz 1318079
|
||||
Patch681: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
|
||||
|
||||
#CVE-2016-2187 rhbz 1317017 1317010
|
||||
Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
|
||||
|
||||
#CVE-2016-3136 rhbz 1317007 1317010
|
||||
Patch687: mct_u232-sanity-checking-in-probe.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
%endif
|
||||
|
||||
|
@ -2101,6 +2145,52 @@ fi
|
|||
# and build.
|
||||
#
|
||||
%changelog
|
||||
* Wed Mar 23 2016 Pavel Alexeev <Pahan@Hubbitus.info> - 4.4.5-300.hu.1.pf8
|
||||
- Merge upstream changes (4.4.6).
|
||||
- Update pf patch to v4.4-pf8, but it stick on 4.4.5 (https://pf.natalenko.name/news/?p=166, https://pf.natalenko.name/news/?p=165)
|
||||
|
||||
* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010)
|
||||
- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)
|
||||
|
||||
* Mon Mar 21 2016 Laura Abbott <labbott@fedoraproject.org>
|
||||
- uas: Limit qdepth at the scsi-host level (rhbz 1315013)
|
||||
- Fix for performance regression caused by thermal (rhbz 1317190)
|
||||
- Input: synaptics - handle spurious release of trackstick buttons, again (rhbz 1318079)
|
||||
|
||||
* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- ims-pcu: sanity checking on missing interfaces
|
||||
- CVE-2016-3140 digi_acceleport: oops on invalid USB descriptors (rhbz 1317010 1316995)
|
||||
- CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204)
|
||||
- CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)
|
||||
- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)
|
||||
- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
|
||||
- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
|
||||
- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
|
||||
|
||||
* Wed Mar 16 2016 Laura Abbott <labbott@redhat.com> - 4.4.6-300
|
||||
- Linux v4.4.6
|
||||
|
||||
* Wed Mar 16 2016 Laura Abbott <labbott@redhat.com>
|
||||
- Revert patch causing radeon breakage (rhbz 1317300 1317179)
|
||||
|
||||
* Wed Mar 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-3135 ipv4: DoS when destroying a network interface (rhbz 1318172 1318270)
|
||||
|
||||
* Mon Mar 14 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-3134 netfilter: missing bounds check in ipt_entry struct (rhbz 1317383 1317384)
|
||||
- CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387)
|
||||
|
||||
* Fri Mar 11 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Add patch for ICP DAS I-756xU devices (rhbz 1316136)
|
||||
|
||||
* Thu Mar 10 2016 Laura Abbott <labbott@redhat.com>
|
||||
- cdc-acm: fix NULL pointer reference (rhbz 1316719)
|
||||
|
||||
* Wed Mar 09 2016 Laura Abbott <labbott@redhat.com> - 4.4.5-300
|
||||
- Linux v4.4.5
|
||||
- Fix for known arm64 bootup issue
|
||||
|
||||
* Tue Mar 08 2016 Pavel Alexeev <Pahan@Hubbitus.info> - 4.4.4-301.hu.1.pf6
|
||||
- Merge Fedora changes.
|
||||
- Step to kernel 4.4.4.
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
Subject: [PATCH v2] mct_u232: sanity checking in probe
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: 2016-03-21 13:14:37
|
||||
|
||||
An attack using the lack of sanity checking in probe
|
||||
is known. This patch checks for the existance of a
|
||||
second port.
|
||||
CVE-2016-3136
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
|
||||
v1 - add sanity check for presence of a second port
|
||||
v2 - add sanity check for an interrupt endpoint
|
||||
---
|
||||
drivers/usb/serial/mct_u232.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
|
||||
index 4446b8d..3e64538 100644
|
||||
--- a/drivers/usb/serial/mct_u232.c
|
||||
+++ b/drivers/usb/serial/mct_u232.c
|
||||
@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
|
||||
{
|
||||
struct mct_u232_private *priv;
|
||||
|
||||
+ /* check first to simplify error handling */
|
||||
+ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
|
||||
if (!priv)
|
||||
return -ENOMEM;
|
||||
--
|
||||
2.1.4
|
|
@ -0,0 +1,31 @@
|
|||
Subject: [PATCH nf] netfilter: x_tables: check for size overflow
|
||||
From: Florian Westphal <fw () strlen ! de>
|
||||
Date: 2016-03-10 0:56:23
|
||||
|
||||
Ben Hawkes says:
|
||||
integer overflow in xt_alloc_table_info, which on 32-bit systems can
|
||||
lead to small structure allocation and a copy_from_user based heap
|
||||
corruption.
|
||||
|
||||
Reported-by: Ben Hawkes <hawkes@google.com>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
---
|
||||
net/netfilter/x_tables.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
|
||||
index c8a0b7d..17a9a9f 100644
|
||||
--- a/net/netfilter/x_tables.c
|
||||
+++ b/net/netfilter/x_tables.c
|
||||
@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
|
||||
struct xt_table_info *info = NULL;
|
||||
size_t sz = sizeof(*info) + size;
|
||||
|
||||
+ if (sz < sizeof(*info))
|
||||
+ return NULL;
|
||||
+
|
||||
/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
|
||||
if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
|
||||
return NULL;
|
||||
--
|
||||
2.4.10
|
|
@ -0,0 +1,150 @@
|
|||
Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values
|
||||
From: Florian Westphal <fw () strlen ! de>
|
||||
Date: 2016-03-10 0:56:02
|
||||
|
||||
Ben Hawkes says:
|
||||
|
||||
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
|
||||
is possible for a user-supplied ipt_entry structure to have a large
|
||||
next_offset field. This field is not bounds checked prior to writing a
|
||||
counter value at the supplied offset.
|
||||
|
||||
Problem is that xt_entry_foreach() macro stops iterating once e->next_offset
|
||||
is out of bounds, assuming this is the last entry.
|
||||
|
||||
With malformed data thats not necessarily the case so we can
|
||||
write outside of allocated area later as we might not have walked the
|
||||
entire blob.
|
||||
|
||||
Fix this by simplifying mark_source_chains -- it already has to check
|
||||
if nextoff is in range to catch invalid jumps, so just do the check
|
||||
when we move to a next entry as well.
|
||||
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
---
|
||||
net/ipv4/netfilter/arp_tables.c | 16 ++++++++--------
|
||||
net/ipv4/netfilter/ip_tables.c | 15 ++++++++-------
|
||||
net/ipv6/netfilter/ip6_tables.c | 13 ++++++-------
|
||||
3 files changed, 22 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
|
||||
index b488cac..5a0b591 100644
|
||||
--- a/net/ipv4/netfilter/arp_tables.c
|
||||
+++ b/net/ipv4/netfilter/arp_tables.c
|
||||
@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
|
||||
|
||||
/* Move along one */
|
||||
size = e->next_offset;
|
||||
+
|
||||
+ if (pos + size > newinfo->size - sizeof(*e))
|
||||
+ return 0;
|
||||
+
|
||||
e = (struct arpt_entry *)
|
||||
(entry0 + pos + size);
|
||||
e->counters.pcnt = pos;
|
||||
@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
|
||||
if (strcmp(t->target.u.user.name,
|
||||
XT_STANDARD_TARGET) == 0 &&
|
||||
newpos >= 0) {
|
||||
- if (newpos > newinfo->size -
|
||||
- sizeof(struct arpt_entry)) {
|
||||
- duprintf("mark_source_chains: "
|
||||
- "bad verdict (%i)\n",
|
||||
- newpos);
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
/* This a jump; chase it. */
|
||||
duprintf("Jump rule %u -> %u\n",
|
||||
pos, newpos);
|
||||
@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
|
||||
/* ... this is a fallthru */
|
||||
newpos = pos + e->next_offset;
|
||||
}
|
||||
+
|
||||
+ if (newpos > newinfo->size - sizeof(*e))
|
||||
+ return 0;
|
||||
+
|
||||
e = (struct arpt_entry *)
|
||||
(entry0 + newpos);
|
||||
e->counters.pcnt = pos;
|
||||
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
|
||||
index b99affa..ceb995f 100644
|
||||
--- a/net/ipv4/netfilter/ip_tables.c
|
||||
+++ b/net/ipv4/netfilter/ip_tables.c
|
||||
@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
||||
|
||||
/* Move along one */
|
||||
size = e->next_offset;
|
||||
+
|
||||
+ if (pos + size > newinfo->size - sizeof(*e))
|
||||
+ return 0;
|
||||
+
|
||||
e = (struct ipt_entry *)
|
||||
(entry0 + pos + size);
|
||||
e->counters.pcnt = pos;
|
||||
@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
||||
if (strcmp(t->target.u.user.name,
|
||||
XT_STANDARD_TARGET) == 0 &&
|
||||
newpos >= 0) {
|
||||
- if (newpos > newinfo->size -
|
||||
- sizeof(struct ipt_entry)) {
|
||||
- duprintf("mark_source_chains: "
|
||||
- "bad verdict (%i)\n",
|
||||
- newpos);
|
||||
- return 0;
|
||||
- }
|
||||
/* This a jump; chase it. */
|
||||
duprintf("Jump rule %u -> %u\n",
|
||||
pos, newpos);
|
||||
@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
||||
/* ... this is a fallthru */
|
||||
newpos = pos + e->next_offset;
|
||||
}
|
||||
+
|
||||
+ if (newpos > newinfo->size - sizeof(*e))
|
||||
+ return 0;
|
||||
+
|
||||
e = (struct ipt_entry *)
|
||||
(entry0 + newpos);
|
||||
e->counters.pcnt = pos;
|
||||
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
|
||||
index 99425cf..d88a794 100644
|
||||
--- a/net/ipv6/netfilter/ip6_tables.c
|
||||
+++ b/net/ipv6/netfilter/ip6_tables.c
|
||||
@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
||||
|
||||
/* Move along one */
|
||||
size = e->next_offset;
|
||||
+ if (pos + size > newinfo->size - sizeof(*e))
|
||||
+ return 0;
|
||||
e = (struct ip6t_entry *)
|
||||
(entry0 + pos + size);
|
||||
e->counters.pcnt = pos;
|
||||
@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
||||
if (strcmp(t->target.u.user.name,
|
||||
XT_STANDARD_TARGET) == 0 &&
|
||||
newpos >= 0) {
|
||||
- if (newpos > newinfo->size -
|
||||
- sizeof(struct ip6t_entry)) {
|
||||
- duprintf("mark_source_chains: "
|
||||
- "bad verdict (%i)\n",
|
||||
- newpos);
|
||||
- return 0;
|
||||
- }
|
||||
/* This a jump; chase it. */
|
||||
duprintf("Jump rule %u -> %u\n",
|
||||
pos, newpos);
|
||||
@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
||||
/* ... this is a fallthru */
|
||||
newpos = pos + e->next_offset;
|
||||
}
|
||||
+
|
||||
+ if (newpos > newinfo->size - sizeof(*e))
|
||||
+ return 0;
|
||||
+
|
||||
e = (struct ip6t_entry *)
|
||||
(entry0 + newpos);
|
||||
e->counters.pcnt = pos;
|
||||
--
|
||||
2.4.10
|
BIN
patch-4.4-pf6.xz
BIN
patch-4.4-pf6.xz
Binary file not shown.
Binary file not shown.
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
|
||||
dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
|
||||
07e9b2c5d0daf7fc2a1ee26a52adcbc0 patch-4.4.4.xz
|
||||
d48f09bf61f2500d70f839e190dc7c5a patch-4.4.6.xz
|
||||
|
|
|
@ -0,0 +1,77 @@
|
|||
From 81ad4276b505e987dd8ebbdf63605f92cd172b52 Mon Sep 17 00:00:00 2001
|
||||
From: Zhang Rui <rui.zhang@intel.com>
|
||||
Date: Fri, 18 Mar 2016 10:03:24 +0800
|
||||
Subject: [PATCH] Thermal: Ignore invalid trip points
|
||||
|
||||
In some cases, platform thermal driver may report invalid trip points,
|
||||
thermal core should not take any action for these trip points.
|
||||
|
||||
CC: <stable@vger.kernel.org> #3.18+
|
||||
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1317190
|
||||
Link: https://bugzilla.kernel.org/show_bug.cgi?id=114551
|
||||
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
|
||||
---
|
||||
drivers/thermal/thermal_core.c | 13 ++++++++++++-
|
||||
include/linux/thermal.h | 2 ++
|
||||
2 files changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
|
||||
index a0a8fd1..d4b5465 100644
|
||||
--- a/drivers/thermal/thermal_core.c
|
||||
+++ b/drivers/thermal/thermal_core.c
|
||||
@@ -454,6 +454,10 @@ static void handle_thermal_trip(struct thermal_zone_device *tz, int trip)
|
||||
{
|
||||
enum thermal_trip_type type;
|
||||
|
||||
+ /* Ignore disabled trip points */
|
||||
+ if (test_bit(trip, &tz->trips_disabled))
|
||||
+ return;
|
||||
+
|
||||
tz->ops->get_trip_type(tz, trip, &type);
|
||||
|
||||
if (type == THERMAL_TRIP_CRITICAL || type == THERMAL_TRIP_HOT)
|
||||
@@ -1800,6 +1804,7 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
|
||||
{
|
||||
struct thermal_zone_device *tz;
|
||||
enum thermal_trip_type trip_type;
|
||||
+ int trip_temp;
|
||||
int result;
|
||||
int count;
|
||||
int passive = 0;
|
||||
@@ -1871,9 +1876,15 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
|
||||
goto unregister;
|
||||
|
||||
for (count = 0; count < trips; count++) {
|
||||
- tz->ops->get_trip_type(tz, count, &trip_type);
|
||||
+ if (tz->ops->get_trip_type(tz, count, &trip_type))
|
||||
+ set_bit(count, &tz->trips_disabled);
|
||||
if (trip_type == THERMAL_TRIP_PASSIVE)
|
||||
passive = 1;
|
||||
+ if (tz->ops->get_trip_temp(tz, count, &trip_temp))
|
||||
+ set_bit(count, &tz->trips_disabled);
|
||||
+ /* Check for bogus trip points */
|
||||
+ if (trip_temp == 0)
|
||||
+ set_bit(count, &tz->trips_disabled);
|
||||
}
|
||||
|
||||
if (!passive) {
|
||||
diff --git a/include/linux/thermal.h b/include/linux/thermal.h
|
||||
index 9c48199..a55d052 100644
|
||||
--- a/include/linux/thermal.h
|
||||
+++ b/include/linux/thermal.h
|
||||
@@ -156,6 +156,7 @@ struct thermal_attr {
|
||||
* @trip_hyst_attrs: attributes for trip points for sysfs: trip hysteresis
|
||||
* @devdata: private pointer for device private data
|
||||
* @trips: number of trip points the thermal zone supports
|
||||
+ * @trips_disabled; bitmap for disabled trips
|
||||
* @passive_delay: number of milliseconds to wait between polls when
|
||||
* performing passive cooling.
|
||||
* @polling_delay: number of milliseconds to wait between polls when
|
||||
@@ -191,6 +192,7 @@ struct thermal_zone_device {
|
||||
struct thermal_attr *trip_hyst_attrs;
|
||||
void *devdata;
|
||||
int trips;
|
||||
+ unsigned long trips_disabled; /* bitmap for disabled trips */
|
||||
int passive_delay;
|
||||
int polling_delay;
|
||||
int temperature;
|
|
@ -0,0 +1,39 @@
|
|||
From de0784bdf6314b70c69416d8c576eb83237d5b1e Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Wed, 16 Mar 2016 12:26:17 -0400
|
||||
Subject: [PATCH] usb_driver_claim_interface: add sanity checking
|
||||
|
||||
Attacks that trick drivers into passing a NULL pointer
|
||||
to usb_driver_claim_interface() using forged descriptors are
|
||||
known. This thwarts them by sanity checking.
|
||||
|
||||
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
||||
CC: stable@vger.kernel.org
|
||||
---
|
||||
drivers/usb/core/driver.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
|
||||
index 6b5063e7943f..e2d242b68d4b 100644
|
||||
--- a/drivers/usb/core/driver.c
|
||||
+++ b/drivers/usb/core/driver.c
|
||||
@@ -500,11 +500,15 @@ static int usb_unbind_interface(struct device *dev)
|
||||
int usb_driver_claim_interface(struct usb_driver *driver,
|
||||
struct usb_interface *iface, void *priv)
|
||||
{
|
||||
- struct device *dev = &iface->dev;
|
||||
+ struct device *dev;
|
||||
struct usb_device *udev;
|
||||
int retval = 0;
|
||||
int lpm_disable_error;
|
||||
|
||||
+ if (!iface)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
+ dev = &iface->dev;
|
||||
if (dev->driver)
|
||||
return -EBUSY;
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,122 +0,0 @@
|
|||
From 8bf862739a7786ae72409220914df960a0aa80d8 Mon Sep 17 00:00:00 2001
|
||||
From: Johannes Berg <johannes.berg@intel.com>
|
||||
Date: Wed, 27 Jan 2016 12:37:52 +0100
|
||||
Subject: wext: fix message delay/ordering
|
||||
|
||||
Beniamino reported that he was getting an RTM_NEWLINK message for a
|
||||
given interface, after the RTM_DELLINK for it. It turns out that the
|
||||
message is a wireless extensions message, which was sent because the
|
||||
interface had been connected and disconnection while it was deleted
|
||||
caused a wext message.
|
||||
|
||||
For its netlink messages, wext uses RTM_NEWLINK, but the message is
|
||||
without all the regular rtnetlink attributes, so "ip monitor link"
|
||||
prints just rudimentary information:
|
||||
|
||||
5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
|
||||
link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
|
||||
Deleted 5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
|
||||
link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
|
||||
5: wlan1: <BROADCAST,MULTICAST,UP>
|
||||
link/ether
|
||||
(from my hwsim reproduction)
|
||||
|
||||
This can cause userspace to get confused since it doesn't expect an
|
||||
RTM_NEWLINK message after RTM_DELLINK.
|
||||
|
||||
The reason for this is that wext schedules a worker to send out the
|
||||
messages, and the scheduling delay can cause the messages to get out
|
||||
to userspace in different order.
|
||||
|
||||
To fix this, have wext register a netdevice notifier and flush out
|
||||
any pending messages when netdevice state changes. This fixes any
|
||||
ordering whenever the original message wasn't sent by a notifier
|
||||
itself.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Beniamino Galvani <bgalvani@redhat.com>
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
---
|
||||
net/wireless/wext-core.c | 51 +++++++++++++++++++++++++++++++++++++-----------
|
||||
1 file changed, 40 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
|
||||
index c8717c1..87dd619 100644
|
||||
--- a/net/wireless/wext-core.c
|
||||
+++ b/net/wireless/wext-core.c
|
||||
@@ -342,6 +342,39 @@ static const int compat_event_type_size[] = {
|
||||
|
||||
/* IW event code */
|
||||
|
||||
+static void wireless_nlevent_flush(void)
|
||||
+{
|
||||
+ struct sk_buff *skb;
|
||||
+ struct net *net;
|
||||
+
|
||||
+ ASSERT_RTNL();
|
||||
+
|
||||
+ for_each_net(net) {
|
||||
+ while ((skb = skb_dequeue(&net->wext_nlevents)))
|
||||
+ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
|
||||
+ GFP_KERNEL);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int wext_netdev_notifier_call(struct notifier_block *nb,
|
||||
+ unsigned long state, void *ptr)
|
||||
+{
|
||||
+ /*
|
||||
+ * When a netdev changes state in any way, flush all pending messages
|
||||
+ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after
|
||||
+ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close()
|
||||
+ * or similar - all of which could otherwise happen due to delays from
|
||||
+ * schedule_work().
|
||||
+ */
|
||||
+ wireless_nlevent_flush();
|
||||
+
|
||||
+ return NOTIFY_OK;
|
||||
+}
|
||||
+
|
||||
+static struct notifier_block wext_netdev_notifier = {
|
||||
+ .notifier_call = wext_netdev_notifier_call,
|
||||
+};
|
||||
+
|
||||
static int __net_init wext_pernet_init(struct net *net)
|
||||
{
|
||||
skb_queue_head_init(&net->wext_nlevents);
|
||||
@@ -360,7 +393,12 @@ static struct pernet_operations wext_pernet_ops = {
|
||||
|
||||
static int __init wireless_nlevent_init(void)
|
||||
{
|
||||
- return register_pernet_subsys(&wext_pernet_ops);
|
||||
+ int err = register_pernet_subsys(&wext_pernet_ops);
|
||||
+
|
||||
+ if (err)
|
||||
+ return err;
|
||||
+
|
||||
+ return register_netdevice_notifier(&wext_netdev_notifier);
|
||||
}
|
||||
|
||||
subsys_initcall(wireless_nlevent_init);
|
||||
@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init);
|
||||
/* Process events generated by the wireless layer or the driver. */
|
||||
static void wireless_nlevent_process(struct work_struct *work)
|
||||
{
|
||||
- struct sk_buff *skb;
|
||||
- struct net *net;
|
||||
-
|
||||
rtnl_lock();
|
||||
-
|
||||
- for_each_net(net) {
|
||||
- while ((skb = skb_dequeue(&net->wext_nlevents)))
|
||||
- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
|
||||
- GFP_KERNEL);
|
||||
- }
|
||||
-
|
||||
+ wireless_nlevent_flush();
|
||||
rtnl_unlock();
|
||||
}
|
||||
|
||||
--
|
||||
cgit v0.12
|
||||
|
Loading…
Reference in New Issue