Linux v4.4.2
This commit is contained in:
parent
f4eecca420
commit
f062445414
|
@ -1,34 +0,0 @@
|
||||||
From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andrey Konovalov <andreyknvl@gmail.com>
|
|
||||||
Date: Sat, 13 Feb 2016 11:08:06 +0300
|
|
||||||
Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice
|
|
||||||
|
|
||||||
The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
|
|
||||||
when tearing down the rawmidi interface. So we shouldn't try to free it
|
|
||||||
in snd_usbmidi_create() after having registered the rawmidi interface.
|
|
||||||
|
|
||||||
Found by KASAN.
|
|
||||||
|
|
||||||
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
|
|
||||||
Acked-by: Clemens Ladisch <clemens@ladisch.de>
|
|
||||||
Cc: <stable@vger.kernel.org>
|
|
||||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
||||||
---
|
|
||||||
sound/usb/midi.c | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
|
|
||||||
index cc39f63299ef..007cf5831121 100644
|
|
||||||
--- a/sound/usb/midi.c
|
|
||||||
+++ b/sound/usb/midi.c
|
|
||||||
@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
|
|
||||||
else
|
|
||||||
err = snd_usbmidi_create_endpoints(umidi, endpoints);
|
|
||||||
if (err < 0) {
|
|
||||||
- snd_usbmidi_free(umidi);
|
|
||||||
return err;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.5.0
|
|
||||||
|
|
|
@ -1,94 +0,0 @@
|
||||||
From cd1e1e286bb3c4fa8714c1e571ae082e510efd5d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
||||||
Date: Tue, 1 Dec 2015 12:41:38 +0100
|
|
||||||
Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels
|
|
||||||
|
|
||||||
as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
|
|
||||||
|
|
||||||
This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
|
|
||||||
reports on demand for Win8 devices") as the origin of the problem but this
|
|
||||||
commit actually masked 2 firmware bugs that are annihilating each other:
|
|
||||||
|
|
||||||
The report descriptor declares two features in reports 3 and 5:
|
|
||||||
|
|
||||||
0x05, 0x0d, // Usage Page (Digitizers) 318
|
|
||||||
0x09, 0x0e, // Usage (Device Configuration) 320
|
|
||||||
0xa1, 0x01, // Collection (Application) 322
|
|
||||||
0x85, 0x03, // Report ID (3) 324
|
|
||||||
0x09, 0x22, // Usage (Finger) 326
|
|
||||||
0xa1, 0x00, // Collection (Physical) 328
|
|
||||||
0x09, 0x52, // Usage (Inputmode) 330
|
|
||||||
0x15, 0x00, // Logical Minimum (0) 332
|
|
||||||
0x25, 0x0a, // Logical Maximum (10) 334
|
|
||||||
0x75, 0x08, // Report Size (8) 336
|
|
||||||
0x95, 0x02, // Report Count (2) 338
|
|
||||||
0xb1, 0x02, // Feature (Data,Var,Abs) 340
|
|
||||||
0xc0, // End Collection 342
|
|
||||||
0x09, 0x22, // Usage (Finger) 343
|
|
||||||
0xa1, 0x00, // Collection (Physical) 345
|
|
||||||
0x85, 0x05, // Report ID (5) 347
|
|
||||||
0x09, 0x57, // Usage (Surface Switch) 349
|
|
||||||
0x09, 0x58, // Usage (Button Switch) 351
|
|
||||||
0x15, 0x00, // Logical Minimum (0) 353
|
|
||||||
0x75, 0x01, // Report Size (1) 355
|
|
||||||
0x95, 0x02, // Report Count (2) 357
|
|
||||||
0x25, 0x03, // Logical Maximum (3) 359
|
|
||||||
0xb1, 0x02, // Feature (Data,Var,Abs) 361
|
|
||||||
0x95, 0x0e, // Report Count (14) 363
|
|
||||||
0xb1, 0x03, // Feature (Cnst,Var,Abs) 365
|
|
||||||
0xc0, // End Collection 367
|
|
||||||
|
|
||||||
The report ID 3 presents 2 input mode features, while only the first one
|
|
||||||
is handled by the device. Given that we did not checked if one was
|
|
||||||
previously assigned, we were dealing with the ignored featured and we
|
|
||||||
should never have been able to switch this panel into the multitouch mode.
|
|
||||||
|
|
||||||
However, the firmware presents an other bugs which allowed 6d4f5440
|
|
||||||
to counteract the faulty report descriptor. When we request the values
|
|
||||||
of the feature 5, the firmware answers "03 03 00". The fields are correct
|
|
||||||
but the report id is wrong. Before 6d4f5440, we retrieved all the features
|
|
||||||
and injected them in the system. So when we called report 5, we injected
|
|
||||||
in the system the report 3 with the values "03 00".
|
|
||||||
Setting the second input mode to 03 in this report changed it to "03 03"
|
|
||||||
and the touchpad switched to the mt mode. We could have set anything
|
|
||||||
in the second field because the actual value (the first 03 in this report)
|
|
||||||
was given by the query of report ID 5.
|
|
||||||
|
|
||||||
To sum up: 2 bugs in the firmware were hiding that we were accessing the
|
|
||||||
wrong feature.
|
|
||||||
|
|
||||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
||||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
||||||
---
|
|
||||||
drivers/hid/hid-multitouch.c | 15 +++++++++++++--
|
|
||||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
|
|
||||||
index ba94044cb859..d866720412cd 100644
|
|
||||||
--- a/drivers/hid/hid-multitouch.c
|
|
||||||
+++ b/drivers/hid/hid-multitouch.c
|
|
||||||
@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hid_device *hdev,
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
- td->inputmode = field->report->id;
|
|
||||||
- td->inputmode_index = usage->usage_index;
|
|
||||||
+ if (td->inputmode < 0) {
|
|
||||||
+ td->inputmode = field->report->id;
|
|
||||||
+ td->inputmode_index = usage->usage_index;
|
|
||||||
+ } else {
|
|
||||||
+ /*
|
|
||||||
+ * Some elan panels wrongly declare 2 input mode
|
|
||||||
+ * features, and silently ignore when we set the
|
|
||||||
+ * value in the second field. Skip the second feature
|
|
||||||
+ * and hope for the best.
|
|
||||||
+ */
|
|
||||||
+ dev_info(&hdev->dev,
|
|
||||||
+ "Ignoring the extra HID_DG_INPUTMODE\n");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
break;
|
|
||||||
case HID_DG_CONTACTMAX:
|
|
||||||
--
|
|
||||||
2.5.0
|
|
||||||
|
|
17
kernel.spec
17
kernel.spec
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
||||||
%if 0%{?released_kernel}
|
%if 0%{?released_kernel}
|
||||||
|
|
||||||
# Do we have a -stable update to apply?
|
# Do we have a -stable update to apply?
|
||||||
%define stable_update 1
|
%define stable_update 2
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
%if 0%{?stable_update}
|
%if 0%{?stable_update}
|
||||||
%define stablerev %{stable_update}
|
%define stablerev %{stable_update}
|
||||||
|
@ -603,15 +603,6 @@ Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
|
||||||
|
|
||||||
Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
||||||
|
|
||||||
#rhbz 1296677
|
|
||||||
Patch641: HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
|
|
||||||
|
|
||||||
#CVE-2016-0723 rhbz 1296253 1300224
|
|
||||||
Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
|
|
||||||
|
|
||||||
#rhbz 1279653
|
|
||||||
Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
|
|
||||||
|
|
||||||
#rhbz 1083853
|
#rhbz 1083853
|
||||||
Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
|
Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
|
||||||
|
|
||||||
|
@ -631,9 +622,6 @@ Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
|
||||||
#CVE-2016-0617 rhbz 1305803 1305804
|
#CVE-2016-0617 rhbz 1305803 1305804
|
||||||
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
|
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
|
||||||
|
|
||||||
#CVE-2016-2384 rhbz 1308444 1308445
|
|
||||||
Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
|
|
||||||
|
|
||||||
#CVE-2016-2383 rhbz 1308452 1308453
|
#CVE-2016-2383 rhbz 1308452 1308453
|
||||||
Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
||||||
|
|
||||||
|
@ -2083,6 +2071,9 @@ fi
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 17 2016 Laura Abbott <labbott@fedoraproject.org>
|
||||||
|
- Linux v4.4.2
|
||||||
|
|
||||||
* Tue Feb 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
* Tue Feb 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
- Backport fix for elantech touchpads (rhbz 1306987)
|
- Backport fix for elantech touchpads (rhbz 1306987)
|
||||||
|
|
||||||
|
|
|
@ -1,55 +0,0 @@
|
||||||
From 933885ecca1a2b8fa03b5756ba1cbb9f094a5861 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Larry Finger <Larry.Finger@lwfinger.net>
|
|
||||||
Date: Wed, 20 Jan 2016 21:26:18 -0600
|
|
||||||
Subject: [PATCH] rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly
|
|
||||||
encoded
|
|
||||||
|
|
||||||
Recently, it has been reported that D-Link DWA-582 cards, which use an
|
|
||||||
RTL8812AE chip are not able to scan for 5G networks. The problems started
|
|
||||||
with kernel 4.2, which is the first version that had commit d10101a60372
|
|
||||||
("rtlwifi: rtl8821ae: Fix problem with regulatory information"). With this
|
|
||||||
patch, the driver went from setting a default channel plan to using
|
|
||||||
the value derived from EEPROM.
|
|
||||||
|
|
||||||
Bug reports at https://bugzilla.kernel.org/show_bug.cgi?id=111031 and
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1279653 are examples of this
|
|
||||||
problem.
|
|
||||||
|
|
||||||
The problem was solved once I learned that the internal country code was
|
|
||||||
resulting in a regulatory set with only 2.4 GHz channels. With the RTL8821AE
|
|
||||||
chips available to me, the country code was such that both 2.4 and 5 GHz
|
|
||||||
channels are allowed. The fix is to allow both bands even when the EEPROM
|
|
||||||
is incorrectly encoded.
|
|
||||||
|
|
||||||
Fixes: d10101a60372 ("rtlwifi: rtl8821ae: Fix problem with regulatory information")
|
|
||||||
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
|
|
||||||
Cc: littlesmartguy@gmail.com
|
|
||||||
Cc: gabe@codehaus.org
|
|
||||||
Cc: Stable <stable@vger.kernel.org> [v4.2+]
|
|
||||||
---
|
|
||||||
drivers/net/wireless/realtek/rtlwifi/regd.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/net/wireless/realtek/rtlwifi/regd.c b/drivers/net/wireless/realtek/rtlwifi/regd.c
|
|
||||||
index a62bf0a65c32..5be34118e0af 100644
|
|
||||||
--- a/drivers/net/wireless/realtek/rtlwifi/regd.c
|
|
||||||
+++ b/drivers/net/wireless/realtek/rtlwifi/regd.c
|
|
||||||
@@ -351,7 +351,6 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
|
|
||||||
case COUNTRY_CODE_SPAIN:
|
|
||||||
case COUNTRY_CODE_FRANCE:
|
|
||||||
case COUNTRY_CODE_ISRAEL:
|
|
||||||
- case COUNTRY_CODE_WORLD_WIDE_13:
|
|
||||||
return &rtl_regdom_12_13;
|
|
||||||
case COUNTRY_CODE_MKK:
|
|
||||||
case COUNTRY_CODE_MKK1:
|
|
||||||
@@ -360,6 +359,7 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
|
|
||||||
return &rtl_regdom_14_60_64;
|
|
||||||
case COUNTRY_CODE_GLOBAL_DOMAIN:
|
|
||||||
return &rtl_regdom_14;
|
|
||||||
+ case COUNTRY_CODE_WORLD_WIDE_13:
|
|
||||||
case COUNTRY_CODE_WORLD_WIDE_13_5G_ALL:
|
|
||||||
return &rtl_regdom_12_13_5g_all;
|
|
||||||
default:
|
|
||||||
--
|
|
||||||
2.5.0
|
|
||||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
||||||
9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
|
9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
|
||||||
dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
|
dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
|
||||||
d9e951895c8c249f0bf52d85f3e63bce patch-4.4.1.xz
|
abdfe599a4ea827f9975cf0631148e70 patch-4.4.2.xz
|
||||||
|
|
|
@ -1,68 +0,0 @@
|
||||||
From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hurley <peter@hurleysoftware.com>
|
|
||||||
Date: Sun, 10 Jan 2016 22:40:55 -0800
|
|
||||||
Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
|
|
||||||
|
|
||||||
ioctl(TIOCGETD) retrieves the line discipline id directly from the
|
|
||||||
ldisc because the line discipline id (c_line) in termios is untrustworthy;
|
|
||||||
userspace may have set termios via ioctl(TCSETS*) without actually
|
|
||||||
changing the line discipline via ioctl(TIOCSETD).
|
|
||||||
|
|
||||||
However, directly accessing the current ldisc via tty->ldisc is
|
|
||||||
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
|
|
||||||
is changing via ioctl(TIOCSETD) or hangup.
|
|
||||||
|
|
||||||
Wait for the line discipline reference (just like read() or write())
|
|
||||||
to retrieve the "current" line discipline id.
|
|
||||||
|
|
||||||
Cc: <stable@vger.kernel.org>
|
|
||||||
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
|
|
||||||
---
|
|
||||||
drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
|
|
||||||
1 file changed, 23 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
|
|
||||||
index f435977de740..bd4027e36910 100644
|
|
||||||
--- a/drivers/tty/tty_io.c
|
|
||||||
+++ b/drivers/tty/tty_io.c
|
|
||||||
@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
+ * tiocgetd - get line discipline
|
|
||||||
+ * @tty: tty device
|
|
||||||
+ * @p: pointer to user data
|
|
||||||
+ *
|
|
||||||
+ * Retrieves the line discipline id directly from the ldisc.
|
|
||||||
+ *
|
|
||||||
+ * Locking: waits for ldisc reference (in case the line discipline
|
|
||||||
+ * is changing or the tty is being hungup)
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+static int tiocgetd(struct tty_struct *tty, int __user *p)
|
|
||||||
+{
|
|
||||||
+ struct tty_ldisc *ld;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ ld = tty_ldisc_ref_wait(tty);
|
|
||||||
+ ret = put_user(ld->ops->num, p);
|
|
||||||
+ tty_ldisc_deref(ld);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
* send_break - performed time break
|
|
||||||
* @tty: device to break on
|
|
||||||
* @duration: timeout in mS
|
|
||||||
@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
|
||||||
case TIOCGSID:
|
|
||||||
return tiocgsid(tty, real_tty, p);
|
|
||||||
case TIOCGETD:
|
|
||||||
- return put_user(tty->ldisc->ops->num, (int __user *)p);
|
|
||||||
+ return tiocgetd(tty, p);
|
|
||||||
case TIOCSETD:
|
|
||||||
return tiocsetd(tty, p);
|
|
||||||
case TIOCVHANGUP:
|
|
||||||
--
|
|
||||||
2.5.0
|
|
||||||
|
|
Loading…
Reference in New Issue