From f062445414ccd9ab1257c8e7a826ec9f723f6193 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Wed, 17 Feb 2016 15:07:55 -0800
Subject: [PATCH] Linux v4.4.2
---
 ...dio-avoid-freeing-umidi-object-twice.patch | 34 -------
 ...ix-input-mode-switching-on-some-Elan.patch | 94 -------------------
 kernel.spec | 17 +---
 ...e-Fix-5G-failure-when-EEPROM-is-inco.patch | 55 -----------
 sources | 2 +-
 ...e-ldisc-reference-via-ioctl-TIOCGETD.patch | 68 --------------
 6 files changed, 5 insertions(+), 265 deletions(-)
 delete mode 100644 ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
 delete mode 100644 HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
 delete mode 100644 rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
 delete mode 100644 tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
diff --git a/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch b/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
deleted file mode 100644
index c59d68361..000000000
--- a/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
-From: Andrey Konovalov
-Date: Sat, 13 Feb 2016 11:08:06 +0300
-Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice
-
-The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
-when tearing down the rawmidi interface. So we shouldn't try to free it
-in snd_usbmidi_create() after having registered the rawmidi interface.
-
-Found by KASAN.
-
-Signed-off-by: Andrey Konovalov
-Acked-by: Clemens Ladisch
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/usb/midi.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/sound/usb/midi.c b/sound/usb/midi.c
-index cc39f63299ef..007cf5831121 100644
---- a/sound/usb/midi.c
-+++ b/sound/usb/midi.c
-@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
- else
- err = snd_usbmidi_create_endpoints(umidi, endpoints);
- if (err < 0) {
-- snd_usbmidi_free(umidi);
- return err;
- }
-
----
-2.5.0
-
diff --git a/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch b/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
deleted file mode 100644
index c469460e5..000000000
--- a/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From cd1e1e286bb3c4fa8714c1e571ae082e510efd5d Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires
-Date: Tue, 1 Dec 2015 12:41:38 +0100
-Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels
-
-as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
-
-This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
-reports on demand for Win8 devices") as the origin of the problem but this
-commit actually masked 2 firmware bugs that are annihilating each other:
-
-The report descriptor declares two features in reports 3 and 5:
-
-0x05, 0x0d, // Usage Page (Digitizers) 318
-0x09, 0x0e, // Usage (Device Configuration) 320
-0xa1, 0x01, // Collection (Application) 322
-0x85, 0x03, // Report ID (3) 324
-0x09, 0x22, // Usage (Finger) 326
-0xa1, 0x00, // Collection (Physical) 328
-0x09, 0x52, // Usage (Inputmode) 330
-0x15, 0x00, // Logical Minimum (0) 332
-0x25, 0x0a, // Logical Maximum (10) 334
-0x75, 0x08, // Report Size (8) 336
-0x95, 0x02, // Report Count (2) 338
-0xb1, 0x02, // Feature (Data,Var,Abs) 340
-0xc0, // End Collection 342
-0x09, 0x22, // Usage (Finger) 343
-0xa1, 0x00, // Collection (Physical) 345
-0x85, 0x05, // Report ID (5) 347
-0x09, 0x57, // Usage (Surface Switch) 349
-0x09, 0x58, // Usage (Button Switch) 351
-0x15, 0x00, // Logical Minimum (0) 353
-0x75, 0x01, // Report Size (1) 355
-0x95, 0x02, // Report Count (2) 357
-0x25, 0x03, // Logical Maximum (3) 359
-0xb1, 0x02, // Feature (Data,Var,Abs) 361
-0x95, 0x0e, // Report Count (14) 363
-0xb1, 0x03, // Feature (Cnst,Var,Abs) 365
-0xc0, // End Collection 367
-
-The report ID 3 presents 2 input mode features, while only the first one
-is handled by the device. Given that we did not checked if one was
-previously assigned, we were dealing with the ignored featured and we
-should never have been able to switch this panel into the multitouch mode.
-
-However, the firmware presents an other bugs which allowed 6d4f5440
-to counteract the faulty report descriptor. When we request the values
-of the feature 5, the firmware answers "03 03 00". The fields are correct
-but the report id is wrong. Before 6d4f5440, we retrieved all the features
-and injected them in the system. So when we called report 5, we injected
-in the system the report 3 with the values "03 00".
-Setting the second input mode to 03 in this report changed it to "03 03"
-and the touchpad switched to the mt mode. We could have set anything
-in the second field because the actual value (the first 03 in this report)
-was given by the query of report ID 5.
-
-To sum up: 2 bugs in the firmware were hiding that we were accessing the
-wrong feature.
-
-Signed-off-by: Benjamin Tissoires
-Signed-off-by: Jiri Kosina
----
- drivers/hid/hid-multitouch.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
-index ba94044cb859..d866720412cd 100644
---- a/drivers/hid/hid-multitouch.c
-+++ b/drivers/hid/hid-multitouch.c
-@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hid_device *hdev,
- break;
- }
-
--- td->inputmode = field->report->id;
--- td->inputmode_index = usage->usage_index;
-+ if (td->inputmode < 0) {
-+ td->inputmode = field->report->id;
-+ td->inputmode_index = usage->usage_index;
-+ } else {
-+ /*
-+ * Some elan panels wrongly declare 2 input mode
-+ * features, and silently ignore when we set the
-+ * value in the second field. Skip the second feature
-+ * and hope for the best.
-+ */
-+ dev_info(&hdev->dev,
-+ "Ignoring the extra HID_DG_INPUTMODE\n");
-+ }
-
- break;
- case HID_DG_CONTACTMAX:
----
-2.5.0
-
diff --git a/kernel.spec b/kernel.spec
index 954195596..d651d516c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -52,7 +52,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 1
+%define stable_update 2
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -603,15 +603,6 @@ Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
 Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
-#rhbz 1296677
-Patch641: HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
-
-#CVE-2016-0723 rhbz 1296253 1300224
-Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
-
-#rhbz 1279653
-Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
-
 #rhbz 1083853
 Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
@@ -631,9 +622,6 @@ Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
 #CVE-2016-0617 rhbz 1305803 1305804
 Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
-#CVE-2016-2384 rhbz 1308444 1308445
-Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
-
 #CVE-2016-2383 rhbz 1308452 1308453
 Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
@@ -2083,6 +2071,9 @@ fi
 #
 #
 %changelog
+* Wed Feb 17 2016 Laura Abbott
+- Linux v4.4.2
+
 * Tue Feb 16 2016 Josh Boyer
 - Backport fix for elantech touchpads (rhbz 1306987)
diff --git a/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch b/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
deleted file mode 100644
index eb44e1e08..000000000
--- a/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 933885ecca1a2b8fa03b5756ba1cbb9f094a5861 Mon Sep 17 00:00:00 2001
-From: Larry Finger
-Date: Wed, 20 Jan 2016 21:26:18 -0600
-Subject: [PATCH] rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly
- encoded
-
-Recently, it has been reported that D-Link DWA-582 cards, which use an
-RTL8812AE chip are not able to scan for 5G networks. The problems started
-with kernel 4.2, which is the first version that had commit d10101a60372
-("rtlwifi: rtl8821ae: Fix problem with regulatory information"). With this
-patch, the driver went from setting a default channel plan to using
-the value derived from EEPROM.
-
-Bug reports at https://bugzilla.kernel.org/show_bug.cgi?id=111031 and
-https://bugzilla.redhat.com/show_bug.cgi?id=1279653 are examples of this
-problem.
-
-The problem was solved once I learned that the internal country code was
-resulting in a regulatory set with only 2.4 GHz channels. With the RTL8821AE
-chips available to me, the country code was such that both 2.4 and 5 GHz
-channels are allowed. The fix is to allow both bands even when the EEPROM
-is incorrectly encoded.
-
-Fixes: d10101a60372 ("rtlwifi: rtl8821ae: Fix problem with regulatory information")
-Signed-off-by: Larry Finger
-Cc: littlesmartguy@gmail.com
-Cc: gabe@codehaus.org
-Cc: Stable [v4.2+]
----
- drivers/net/wireless/realtek/rtlwifi/regd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/realtek/rtlwifi/regd.c b/drivers/net/wireless/realtek/rtlwifi/regd.c
-index a62bf0a65c32..5be34118e0af 100644
---- a/drivers/net/wireless/realtek/rtlwifi/regd.c
-+++ b/drivers/net/wireless/realtek/rtlwifi/regd.c
-@@ -351,7 +351,6 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
- case COUNTRY_CODE_SPAIN:
- case COUNTRY_CODE_FRANCE:
- case COUNTRY_CODE_ISRAEL:
-- case COUNTRY_CODE_WORLD_WIDE_13:
- return &rtl_regdom_12_13;
- case COUNTRY_CODE_MKK:
- case COUNTRY_CODE_MKK1:
-@@ -360,6 +359,7 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
- return &rtl_regdom_14_60_64;
- case COUNTRY_CODE_GLOBAL_DOMAIN:
- return &rtl_regdom_14;
-+ case COUNTRY_CODE_WORLD_WIDE_13:
- case COUNTRY_CODE_WORLD_WIDE_13_5G_ALL:
- return &rtl_regdom_12_13_5g_all;
- default:
----
-2.5.0
-
diff --git a/sources b/sources
index 21a3807be..e2256619c 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
 dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
-d9e951895c8c249f0bf52d85f3e63bce patch-4.4.1.xz
+abdfe599a4ea827f9975cf0631148e70 patch-4.4.2.xz
diff --git a/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch b/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
deleted file mode 100644
index d169105db..000000000
--- a/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001
-From: Peter Hurley
-Date: Sun, 10 Jan 2016 22:40:55 -0800
-Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
-
-ioctl(TIOCGETD) retrieves the line discipline id directly from the
-ldisc because the line discipline id (c_line) in termios is untrustworthy;
-userspace may have set termios via ioctl(TCSETS*) without actually
-changing the line discipline via ioctl(TIOCSETD).
-
-However, directly accessing the current ldisc via tty->ldisc is
-unsafe; the ldisc ptr dereferenced may be stale if the line discipline
-is changing via ioctl(TIOCSETD) or hangup.
-
-Wait for the line discipline reference (just like read() or write())
-to retrieve the "current" line discipline id.
-
-Cc:
-Signed-off-by: Peter Hurley
----
- drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index f435977de740..bd4027e36910 100644
---- a/drivers/tty/tty_io.c
-+++ b/drivers/tty/tty_io.c
-@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
- }
-
- /**
-+ * tiocgetd - get line discipline
-+ * @tty: tty device
-+ * @p: pointer to user data
-+ *
-+ * Retrieves the line discipline id directly from the ldisc.
-+ *
-+ * Locking: waits for ldisc reference (in case the line discipline
-+ * is changing or the tty is being hungup)
-+ */
-+
-+static int tiocgetd(struct tty_struct *tty, int __user *p)
-+{
-+ struct tty_ldisc *ld;
-+ int ret;
-+
-+ ld = tty_ldisc_ref_wait(tty);
-+ ret = put_user(ld->ops->num, p);
-+ tty_ldisc_deref(ld);
-+ return ret;
-+}
-+
-+/**
- * send_break - performed time break
- * @tty: device to break on
- * @duration: timeout in mS
-@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- case TIOCGSID:
- return tiocgsid(tty, real_tty, p);
- case TIOCGETD:
-- return put_user(tty->ldisc->ops->num, (int __user *)p);
-+ return tiocgetd(tty, p);
- case TIOCSETD:
- return tiocsetd(tty, p);
- case TIOCVHANGUP:
----
-2.5.0
-