Linux v4.9-rc3-261-g577f12c

2016-11-04 08:00:53 -06:00 · 2016-11-04 08:00:53 -06:00 · c1ca5717a0
commit c1ca5717a0
parent 07611bcea1
4 changed files with 6 additions and 108 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-0c183d92b20b5c84ca655b45ef57b3318b83eb9e
+577f12c07e4edd54730dc559a9c7bc44d22bf7dc
--- a/kernel.spec
+++ b/kernel.spec
@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %global rcrev 3
 # The git snapshot level
-%define gitrev 1
+%define gitrev 2
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@ -616,9 +616,6 @@ Patch848: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
 #ongoing complaint, full discussion delayed until ksummit/plumbers
 Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch

-# CVE-2016-9083 CVE-2016-9084 rhbz 1389258 1389259 1389285
-Patch850: v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch
-
 # END OF PATCH DEFINITIONS

 %endif
@ -2157,6 +2154,9 @@ fi
 #
 #
 %changelog
+* Fri Nov 04 2016 Laura Abbott <labbott@redhat.com> - 4.9.0-0.rc3.git2.1
+- Linux v4.9-rc3-261-g577f12c
+
 * Wed Nov  2 2016 Peter Robinson <pbrobinson@fedoraproject.org>
 - Some OMAP4 fixes
 - ARM64 fix for NUMA
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 c1af0afbd3df35c1ccdc7a5118cd2d07  linux-4.8.tar.xz
 0dad03f586e835d538d3e0d2cbdb9a28  perf-man-4.8.tar.gz
 bf2eeea112993a992434d0151b0e9db8  patch-4.9-rc3.xz
-e494de724a883883d2d99c87140c6208  patch-4.9-rc3-git1.xz
+036b044a6daa15a7dc463ffe5d1c390c  patch-4.9-rc3-git2.xz
--- a/v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch
+++ b/v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch
@ -1,102 +0,0 @@
-From patchwork Wed Oct 12 16:51:24 2016
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [v3] vfio/pci: Fix integer overflows, bitmask check
-From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
-X-Patchwork-Id: 9373631
-Message-Id: <1476291084-50737-1-git-send-email-vlad@tsyrklevich.net>
-To: kvm@vger.kernel.org
-Cc: alex.williamson@redhat.com, Vlad Tsyrklevich <vlad@tsyrklevich.net>
-Date: Wed, 12 Oct 2016 18:51:24 +0200
-
-The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
-user-supplied integers, potentially allowing memory corruption. This
-patch adds appropriate integer overflow checks, checks the range bounds
-for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
-in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
-VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
-vfio_pci_set_irqs_ioctl().
-
-Furthermore, a kzalloc is changed to a kcalloc because the use of a
-kzalloc with an integer multiplication allowed an integer overflow
-condition to be reached without this patch. kcalloc checks for overflow
-and should prevent a similar occurrence.
-
-Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
---
- drivers/vfio/pci/vfio_pci.c       | 33 +++++++++++++++++++++------------
- drivers/vfio/pci/vfio_pci_intrs.c |  2 +-
- 2 files changed, 22 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
-index d624a52..031bc08 100644
--- a/drivers/vfio/pci/vfio_pci.c
-+++ b/drivers/vfio/pci/vfio_pci.c
-@@ -829,8 +829,9 @@ static long vfio_pci_ioctl(void *device_data,
- 
- 	} else if (cmd == VFIO_DEVICE_SET_IRQS) {
- 		struct vfio_irq_set hdr;
-+		size_t size;
- 		u8 *data = NULL;
-		int ret = 0;
-+		int max, ret = 0;
- 
- 		minsz = offsetofend(struct vfio_irq_set, count);
- 
-@@ -838,23 +839,31 @@ static long vfio_pci_ioctl(void *device_data,
- 			return -EFAULT;
- 
- 		if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
-+		    hdr.count >= (U32_MAX - hdr.start) ||
- 		    hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
- 				  VFIO_IRQ_SET_ACTION_TYPE_MASK))
- 			return -EINVAL;
- 
-		if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
-			size_t size;
-			int max = vfio_pci_get_irq_count(vdev, hdr.index);
-+		max = vfio_pci_get_irq_count(vdev, hdr.index);
-+		if (hdr.start >= max || hdr.start + hdr.count > max)
-+			return -EINVAL;
- 
-			if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
-				size = sizeof(uint8_t);
-			else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
-				size = sizeof(int32_t);
-			else
-				return -EINVAL;
-+		switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
-+		case VFIO_IRQ_SET_DATA_NONE:
-+			size = 0;
-+			break;
-+		case VFIO_IRQ_SET_DATA_BOOL:
-+			size = sizeof(uint8_t);
-+			break;
-+		case VFIO_IRQ_SET_DATA_EVENTFD:
-+			size = sizeof(int32_t);
-+			break;
-+		default:
-+			return -EINVAL;
-+		}
- 
-			if (hdr.argsz - minsz < hdr.count * size ||
-			    hdr.start >= max || hdr.start + hdr.count > max)
-+		if (size) {
-+			if (hdr.argsz - minsz < hdr.count * size)
- 				return -EINVAL;
- 
- 			data = memdup_user((void __user *)(arg + minsz),
-diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
-index c2e6089..1c46045 100644
--- a/drivers/vfio/pci/vfio_pci_intrs.c
-+++ b/drivers/vfio/pci/vfio_pci_intrs.c
-@@ -256,7 +256,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
- 	if (!is_irq_none(vdev))
- 		return -EINVAL;
- 
-	vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
-+	vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
- 	if (!vdev->ctx)
- 		return -ENOMEM;
-