Linux v4.4.2
This commit is contained in:
parent
f4eecca420
commit
f062445414
|
@ -1,34 +0,0 @@
|
|||
From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
|
||||
From: Andrey Konovalov <andreyknvl@gmail.com>
|
||||
Date: Sat, 13 Feb 2016 11:08:06 +0300
|
||||
Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice
|
||||
|
||||
The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
|
||||
when tearing down the rawmidi interface. So we shouldn't try to free it
|
||||
in snd_usbmidi_create() after having registered the rawmidi interface.
|
||||
|
||||
Found by KASAN.
|
||||
|
||||
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
|
||||
Acked-by: Clemens Ladisch <clemens@ladisch.de>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/usb/midi.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
|
||||
index cc39f63299ef..007cf5831121 100644
|
||||
--- a/sound/usb/midi.c
|
||||
+++ b/sound/usb/midi.c
|
||||
@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
|
||||
else
|
||||
err = snd_usbmidi_create_endpoints(umidi, endpoints);
|
||||
if (err < 0) {
|
||||
- snd_usbmidi_free(umidi);
|
||||
return err;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,94 +0,0 @@
|
|||
From cd1e1e286bb3c4fa8714c1e571ae082e510efd5d Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Date: Tue, 1 Dec 2015 12:41:38 +0100
|
||||
Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels
|
||||
|
||||
as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
|
||||
|
||||
This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
|
||||
reports on demand for Win8 devices") as the origin of the problem but this
|
||||
commit actually masked 2 firmware bugs that are annihilating each other:
|
||||
|
||||
The report descriptor declares two features in reports 3 and 5:
|
||||
|
||||
0x05, 0x0d, // Usage Page (Digitizers) 318
|
||||
0x09, 0x0e, // Usage (Device Configuration) 320
|
||||
0xa1, 0x01, // Collection (Application) 322
|
||||
0x85, 0x03, // Report ID (3) 324
|
||||
0x09, 0x22, // Usage (Finger) 326
|
||||
0xa1, 0x00, // Collection (Physical) 328
|
||||
0x09, 0x52, // Usage (Inputmode) 330
|
||||
0x15, 0x00, // Logical Minimum (0) 332
|
||||
0x25, 0x0a, // Logical Maximum (10) 334
|
||||
0x75, 0x08, // Report Size (8) 336
|
||||
0x95, 0x02, // Report Count (2) 338
|
||||
0xb1, 0x02, // Feature (Data,Var,Abs) 340
|
||||
0xc0, // End Collection 342
|
||||
0x09, 0x22, // Usage (Finger) 343
|
||||
0xa1, 0x00, // Collection (Physical) 345
|
||||
0x85, 0x05, // Report ID (5) 347
|
||||
0x09, 0x57, // Usage (Surface Switch) 349
|
||||
0x09, 0x58, // Usage (Button Switch) 351
|
||||
0x15, 0x00, // Logical Minimum (0) 353
|
||||
0x75, 0x01, // Report Size (1) 355
|
||||
0x95, 0x02, // Report Count (2) 357
|
||||
0x25, 0x03, // Logical Maximum (3) 359
|
||||
0xb1, 0x02, // Feature (Data,Var,Abs) 361
|
||||
0x95, 0x0e, // Report Count (14) 363
|
||||
0xb1, 0x03, // Feature (Cnst,Var,Abs) 365
|
||||
0xc0, // End Collection 367
|
||||
|
||||
The report ID 3 presents 2 input mode features, while only the first one
|
||||
is handled by the device. Given that we did not checked if one was
|
||||
previously assigned, we were dealing with the ignored featured and we
|
||||
should never have been able to switch this panel into the multitouch mode.
|
||||
|
||||
However, the firmware presents an other bugs which allowed 6d4f5440
|
||||
to counteract the faulty report descriptor. When we request the values
|
||||
of the feature 5, the firmware answers "03 03 00". The fields are correct
|
||||
but the report id is wrong. Before 6d4f5440, we retrieved all the features
|
||||
and injected them in the system. So when we called report 5, we injected
|
||||
in the system the report 3 with the values "03 00".
|
||||
Setting the second input mode to 03 in this report changed it to "03 03"
|
||||
and the touchpad switched to the mt mode. We could have set anything
|
||||
in the second field because the actual value (the first 03 in this report)
|
||||
was given by the query of report ID 5.
|
||||
|
||||
To sum up: 2 bugs in the firmware were hiding that we were accessing the
|
||||
wrong feature.
|
||||
|
||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-multitouch.c | 15 +++++++++++++--
|
||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
|
||||
index ba94044cb859..d866720412cd 100644
|
||||
--- a/drivers/hid/hid-multitouch.c
|
||||
+++ b/drivers/hid/hid-multitouch.c
|
||||
@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hid_device *hdev,
|
||||
break;
|
||||
}
|
||||
|
||||
- td->inputmode = field->report->id;
|
||||
- td->inputmode_index = usage->usage_index;
|
||||
+ if (td->inputmode < 0) {
|
||||
+ td->inputmode = field->report->id;
|
||||
+ td->inputmode_index = usage->usage_index;
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * Some elan panels wrongly declare 2 input mode
|
||||
+ * features, and silently ignore when we set the
|
||||
+ * value in the second field. Skip the second feature
|
||||
+ * and hope for the best.
|
||||
+ */
|
||||
+ dev_info(&hdev->dev,
|
||||
+ "Ignoring the extra HID_DG_INPUTMODE\n");
|
||||
+ }
|
||||
|
||||
break;
|
||||
case HID_DG_CONTACTMAX:
|
||||
--
|
||||
2.5.0
|
||||
|
17
kernel.spec
17
kernel.spec
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 1
|
||||
%define stable_update 2
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -603,15 +603,6 @@ Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
|
|||
|
||||
Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
||||
|
||||
#rhbz 1296677
|
||||
Patch641: HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
|
||||
|
||||
#CVE-2016-0723 rhbz 1296253 1300224
|
||||
Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
|
||||
|
||||
#rhbz 1279653
|
||||
Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
|
||||
|
||||
#rhbz 1083853
|
||||
Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
|
||||
|
||||
|
@ -631,9 +622,6 @@ Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
|
|||
#CVE-2016-0617 rhbz 1305803 1305804
|
||||
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
|
||||
|
||||
#CVE-2016-2384 rhbz 1308444 1308445
|
||||
Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
|
||||
|
||||
#CVE-2016-2383 rhbz 1308452 1308453
|
||||
Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
||||
|
||||
|
@ -2083,6 +2071,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Feb 17 2016 Laura Abbott <labbott@fedoraproject.org>
|
||||
- Linux v4.4.2
|
||||
|
||||
* Tue Feb 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Backport fix for elantech touchpads (rhbz 1306987)
|
||||
|
||||
|
|
|
@ -1,55 +0,0 @@
|
|||
From 933885ecca1a2b8fa03b5756ba1cbb9f094a5861 Mon Sep 17 00:00:00 2001
|
||||
From: Larry Finger <Larry.Finger@lwfinger.net>
|
||||
Date: Wed, 20 Jan 2016 21:26:18 -0600
|
||||
Subject: [PATCH] rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly
|
||||
encoded
|
||||
|
||||
Recently, it has been reported that D-Link DWA-582 cards, which use an
|
||||
RTL8812AE chip are not able to scan for 5G networks. The problems started
|
||||
with kernel 4.2, which is the first version that had commit d10101a60372
|
||||
("rtlwifi: rtl8821ae: Fix problem with regulatory information"). With this
|
||||
patch, the driver went from setting a default channel plan to using
|
||||
the value derived from EEPROM.
|
||||
|
||||
Bug reports at https://bugzilla.kernel.org/show_bug.cgi?id=111031 and
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1279653 are examples of this
|
||||
problem.
|
||||
|
||||
The problem was solved once I learned that the internal country code was
|
||||
resulting in a regulatory set with only 2.4 GHz channels. With the RTL8821AE
|
||||
chips available to me, the country code was such that both 2.4 and 5 GHz
|
||||
channels are allowed. The fix is to allow both bands even when the EEPROM
|
||||
is incorrectly encoded.
|
||||
|
||||
Fixes: d10101a60372 ("rtlwifi: rtl8821ae: Fix problem with regulatory information")
|
||||
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
|
||||
Cc: littlesmartguy@gmail.com
|
||||
Cc: gabe@codehaus.org
|
||||
Cc: Stable <stable@vger.kernel.org> [v4.2+]
|
||||
---
|
||||
drivers/net/wireless/realtek/rtlwifi/regd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/realtek/rtlwifi/regd.c b/drivers/net/wireless/realtek/rtlwifi/regd.c
|
||||
index a62bf0a65c32..5be34118e0af 100644
|
||||
--- a/drivers/net/wireless/realtek/rtlwifi/regd.c
|
||||
+++ b/drivers/net/wireless/realtek/rtlwifi/regd.c
|
||||
@@ -351,7 +351,6 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
|
||||
case COUNTRY_CODE_SPAIN:
|
||||
case COUNTRY_CODE_FRANCE:
|
||||
case COUNTRY_CODE_ISRAEL:
|
||||
- case COUNTRY_CODE_WORLD_WIDE_13:
|
||||
return &rtl_regdom_12_13;
|
||||
case COUNTRY_CODE_MKK:
|
||||
case COUNTRY_CODE_MKK1:
|
||||
@@ -360,6 +359,7 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
|
||||
return &rtl_regdom_14_60_64;
|
||||
case COUNTRY_CODE_GLOBAL_DOMAIN:
|
||||
return &rtl_regdom_14;
|
||||
+ case COUNTRY_CODE_WORLD_WIDE_13:
|
||||
case COUNTRY_CODE_WORLD_WIDE_13_5G_ALL:
|
||||
return &rtl_regdom_12_13_5g_all;
|
||||
default:
|
||||
--
|
||||
2.5.0
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
|
||||
dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
|
||||
d9e951895c8c249f0bf52d85f3e63bce patch-4.4.1.xz
|
||||
abdfe599a4ea827f9975cf0631148e70 patch-4.4.2.xz
|
||||
|
|
|
@ -1,68 +0,0 @@
|
|||
From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hurley <peter@hurleysoftware.com>
|
||||
Date: Sun, 10 Jan 2016 22:40:55 -0800
|
||||
Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
|
||||
|
||||
ioctl(TIOCGETD) retrieves the line discipline id directly from the
|
||||
ldisc because the line discipline id (c_line) in termios is untrustworthy;
|
||||
userspace may have set termios via ioctl(TCSETS*) without actually
|
||||
changing the line discipline via ioctl(TIOCSETD).
|
||||
|
||||
However, directly accessing the current ldisc via tty->ldisc is
|
||||
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
|
||||
is changing via ioctl(TIOCSETD) or hangup.
|
||||
|
||||
Wait for the line discipline reference (just like read() or write())
|
||||
to retrieve the "current" line discipline id.
|
||||
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
|
||||
---
|
||||
drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
|
||||
1 file changed, 23 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
|
||||
index f435977de740..bd4027e36910 100644
|
||||
--- a/drivers/tty/tty_io.c
|
||||
+++ b/drivers/tty/tty_io.c
|
||||
@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
|
||||
}
|
||||
|
||||
/**
|
||||
+ * tiocgetd - get line discipline
|
||||
+ * @tty: tty device
|
||||
+ * @p: pointer to user data
|
||||
+ *
|
||||
+ * Retrieves the line discipline id directly from the ldisc.
|
||||
+ *
|
||||
+ * Locking: waits for ldisc reference (in case the line discipline
|
||||
+ * is changing or the tty is being hungup)
|
||||
+ */
|
||||
+
|
||||
+static int tiocgetd(struct tty_struct *tty, int __user *p)
|
||||
+{
|
||||
+ struct tty_ldisc *ld;
|
||||
+ int ret;
|
||||
+
|
||||
+ ld = tty_ldisc_ref_wait(tty);
|
||||
+ ret = put_user(ld->ops->num, p);
|
||||
+ tty_ldisc_deref(ld);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
* send_break - performed time break
|
||||
* @tty: device to break on
|
||||
* @duration: timeout in mS
|
||||
@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
||||
case TIOCGSID:
|
||||
return tiocgsid(tty, real_tty, p);
|
||||
case TIOCGETD:
|
||||
- return put_user(tty->ldisc->ops->num, (int __user *)p);
|
||||
+ return tiocgetd(tty, p);
|
||||
case TIOCSETD:
|
||||
return tiocsetd(tty, p);
|
||||
case TIOCVHANGUP:
|
||||
--
|
||||
2.5.0
|
||||
|
Loading…
Reference in New Issue