Linux v4.6-6148-g03b979d

- Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges
2016-05-20 11:23:45 -07:00 · 2016-05-20 11:23:45 -07:00 · 8a052bf240
commit 8a052bf240
parent e8f3f4f939
13 changed files with 37 additions and 177 deletions
--- a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
+++ b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
@ -1,33 +0,0 @@
 From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
 From: Kangjie Lu <kangjielu@gmail.com>
 Date: Tue, 3 May 2016 16:44:07 -0400
 Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The stack object “tread” has a total size of 32 bytes. Its field
 “event” and “val” both contain 4 bytes padding. These 8 bytes
 padding bytes are sent to user without being initialized.
 Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
 Signed-off-by: Takashi Iwai <tiwai@suse.de>
 ---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/sound/core/timer.c b/sound/core/timer.c
 index 6469bedda2f3..964f5ebf495e 100644
 --- a/sound/core/timer.c
 +++ b/sound/core/timer.c
@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
 		if (tu->tread) {
 			struct snd_timer_tread tread;
 +			memset(&tread, 0, sizeof(tread));
 			tread.event = SNDRV_TIMER_EVENT_EARLY;
 			tread.tstamp.tv_sec = 0;
 			tread.tstamp.tv_nsec = 0;
 -- 
 2.5.5
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
@ -1,34 +0,0 @@
 From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
 From: Kangjie Lu <kangjielu@gmail.com>
 Date: Tue, 3 May 2016 16:44:20 -0400
 Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
 snd_timer_user_ccallback
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The stack object “r1” has a total size of 32 bytes. Its field
 “event” and “val” both contain 4 bytes padding. These 8 bytes
 padding bytes are sent to user without being initialized.
 Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
 Signed-off-by: Takashi Iwai <tiwai@suse.de>
 ---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/sound/core/timer.c b/sound/core/timer.c
 index 964f5ebf495e..e98fa5feb731 100644
 --- a/sound/core/timer.c
 +++ b/sound/core/timer.c
@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
 		tu->tstamp = *tstamp;
 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
 		return;
 +	memset(&r1, 0, sizeof(r1));
 	r1.event = event;
 	r1.tstamp = *tstamp;
 	r1.val = resolution;
 -- 
 2.5.5
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
@ -1,34 +0,0 @@
 From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
 From: Kangjie Lu <kangjielu@gmail.com>
 Date: Tue, 3 May 2016 16:44:32 -0400
 Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
 snd_timer_user_tinterrupt
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The stack object “r1” has a total size of 32 bytes. Its field
 “event” and “val” both contain 4 bytes padding. These 8 bytes
 padding bytes are sent to user without being initialized.
 Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
 Signed-off-by: Takashi Iwai <tiwai@suse.de>
 ---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/sound/core/timer.c b/sound/core/timer.c
 index e98fa5feb731..c69a27155433 100644
 --- a/sound/core/timer.c
 +++ b/sound/core/timer.c
@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
 	}
 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
 	    tu->last_resolution != resolution) {
 +		memset(&r1, 0, sizeof(r1));
 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
 		r1.tstamp = tstamp;
 		r1.val = resolution;
 -- 
 2.5.5
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@ -1,4 +1,4 @@
-From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
+From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:36:28 -0400
 Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
@ -6,20 +6,21 @@ Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
 X.509 certificates are loaded into the specified keyring as asymmetric type
 keys.
 [labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]
 Signed-off-by: David Howells <dhowells@redhat.com>
 ---
 crypto/asymmetric_keys/Kconfig      |   8 +++
 crypto/asymmetric_keys/Makefile     |   1 +
- crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
+ crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++
 include/linux/efi.h                 |   4 ++
- 4 files changed, 122 insertions(+)
+ 4 files changed, 121 insertions(+)
 create mode 100644 crypto/asymmetric_keys/efi_parser.c
 diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index 4870f28403f5..4a1b50d73b80 100644
+index e28e912..94024e8 100644
 --- a/crypto/asymmetric_keys/Kconfig
 +++ b/crypto/asymmetric_keys/Kconfig
-@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION
+@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
 	  This option provides support for verifying the signature(s) on a
 	  signed PE binary.
@ -33,10 +34,11 @@ index 4870f28403f5..4a1b50d73b80 100644
 +
 endif # ASYMMETRIC_KEY_TYPE
 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index cd1406f9b14a..d9db380bbe53 100644
+index 6516855..c099fe1 100644
 --- a/crypto/asymmetric_keys/Makefile
 +++ b/crypto/asymmetric_keys/Makefile
-@@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o
+@@ -10,6 +10,7 @@ asymmetric_keys-y := \
 	signature.o
 obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
 +obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
@ -45,10 +47,10 @@ index cd1406f9b14a..d9db380bbe53 100644
 # X.509 Certificate handling
 diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
 new file mode 100644
-index 000000000000..424896a0b169
+index 0000000..636feb1
 --- /dev/null
 +++ b/crypto/asymmetric_keys/efi_parser.c
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,108 @@
 +/* EFI signature/key/certificate list parser
 + *
 + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
@ -139,8 +141,7 @@ index 000000000000..424896a0b169
 +				esize - sizeof(*elem),
 +				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
 +				KEY_USR_VIEW,
-+				KEY_ALLOC_NOT_IN_QUOTA |
+				KEY_ALLOC_NOT_IN_QUOTA);
 +				KEY_ALLOC_TRUSTED);
 +
 +			if (IS_ERR(key))
 +				pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
@ -159,10 +160,10 @@ index 000000000000..424896a0b169
 +	return 0;
 +}
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index fac43c611614..414c3c3d988d 100644
+index b80227a..18443e3 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void);
+@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
 char * __init efi_md_typeattr_format(char *buf, size_t size,
 				     const efi_memory_desc_t *md);
@ -174,5 +175,5 @@ index fac43c611614..414c3c3d988d 100644
  * efi_range_is_wc - check the WC bit on an address range
  * @start: starting kvirt address
 -- 
-2.4.3
+2.5.5
--- a/KVM-MTRR-remove-MSR-0x2f8.patch
+++ b/KVM-MTRR-remove-MSR-0x2f8.patch
@ -1,49 +0,0 @@
 From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
 Date: Mon, 16 May 2016 09:45:35 -0400
 Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
 was introduced by 9ba075a664df ("KVM: MTRR support").
 0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
 size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
 which made access to index 124 out of bounds.  The surrounding code only
 WARNs in this situation, thus the guest gained a limited read/write
 access to struct kvm_arch_vcpu.
 0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
 MTRR MSRs, 0x200-0x20f.  Every VR MTRR is set up using two MSRs, 0x2f8
 was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
 not implemented in KVM, therefore 0x2f8 could never do anything useful
 and getting rid of it is safe.
 This fixes CVE-2016-TBD.
 Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
 Cc: stable@vger.kernel.org
 Reported-by: David Matlack <dmatlack@google.com>
 Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
 ---
 arch/x86/kvm/mtrr.c | 2 --
 1 file changed, 2 deletions(-)
 diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
 index 3f8c732117ec..c146f3c262c3 100644
 --- a/arch/x86/kvm/mtrr.c
 +++ b/arch/x86/kvm/mtrr.c
@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
 	case MSR_MTRRdefType:
 	case MSR_IA32_CR_PAT:
 		return true;
 -	case 0x2f8:
 -		return true;
 	}
 	return false;
 }
 -- 
 2.5.5
--- a/3
+++ b/3
@ -547,3 +547,6 @@ CONFIG_CHECKPOINT_RESTORE=y
 # CONFIG_HW_RANDOM_HISI is not set
 # CONFIG_QRTR is not set
 # This Xilinx option is now built for arm64 as well as ARM
 CONFIG_XILINX_VDMA=m
--- a/1
+++ b/1
@ -587,7 +587,6 @@ CONFIG_SPI_CADENCE=m
 CONFIG_I2C_CADENCE=m
 CONFIG_XILINX_WATCHDOG=m
 CONFIG_XILINX_XADC=m
 CONFIG_XILINX_VDMA=m
 CONFIG_SND_SOC_ADI=m
 CONFIG_SND_SOC_ADI_AXI_I2S=m
 CONFIG_SND_SOC_ADI_AXI_SPDIF=m
--- a/1
+++ b/1
@ -461,6 +461,7 @@ CONFIG_RTC_DRV_ARMADA38X=m
 CONFIG_LEDS_NS2=m
 CONFIG_SERIAL_MVEBU_UART=y
 # CONFIG_SERIAL_MVEBU_CONSOLE is not set
 # CONFIG_PCIE_ARMADA_8K is not set
 # DRM panels
 CONFIG_DRM_PANEL=y
--- a/6
+++ b/6
@ -111,6 +111,7 @@ CONFIG_HOTPLUG_PCI=y
 # CONFIG_HOTPLUG_PCI_SHPC is not set
 CONFIG_HOTPLUG_PCI_PCIE=y
 # CONFIG_PCIE_DW_PLAT is not set
 CONFIG_PCIE_DPC=m
 # CONFIG_SGI_IOC4 is not set
@ -4935,6 +4936,7 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y
@ -5071,6 +5073,7 @@ CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_BIG_KEYS=y
 CONFIG_TRUSTED_KEYS=m
 CONFIG_ENCRYPTED_KEYS=m
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_CDROM_PKTCDVD=m
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
@ -5920,6 +5923,7 @@ CONFIG_MODULE_SIG_SHA256=y
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYS=""
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
 CONFIG_SECONDARY_TRUSTED_KEYRING=y
 CONFIG_PKCS7_MESSAGE_PARSER=y
 # CONFIG_PKCS7_TEST_KEY is not set
 CONFIG_SIGNED_PE_FILE_VERIFICATION=y
@ -5955,3 +5959,5 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 # The kernel code has a nice comment
 # WARNING: Do not even assume this interface is staying stable!
 # CONFIG_MCE_AMD_INJ is not set
 # CONFIG_EZNPS_GIC is not set
--- a/1
+++ b/1
@ -575,6 +575,7 @@ CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH=m
 CONFIG_SND_SOC_INTEL_SKL_RT286_MACH=m
 CONFIG_SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH=m
 CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m
 CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m
 CONFIG_SND_SOC_AC97_CODEC=m
 # CONFIG_SND_SOC_TAS571X is not set
 # CONFIG_SND_SUN4I_CODEC is not set
--- a/2
+++ b/2
@ -1 +1 @@
-2600a46ee0ed57c0e0a382c2a37ebac64d374d20
+03b979dd0323ace8e29a0561cd5232f73a060c09
--- a/kernel.spec
+++ b/kernel.spec
@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 4
+%define gitrev 5
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@ -562,7 +562,10 @@ Patch487: Add-EFI-signature-data-types.patch
 Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch
-Patch489: KEYS-Add-a-system-blacklist-keyring.patch
+# This doesn't apply. It seems like it could be replaced by
 # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c
 # which has an explicit line about blacklisting
 # Patch489: KEYS-Add-a-system-blacklist-keyring.patch
 Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@ -606,14 +609,6 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 #CVE-2016-4482 rhbz 1332931 1332932
 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
 #CVE-2016-4569 rhbz 1334643 1334645
 Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
 Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
 Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
 #CVE-2016-3713 rhbz 1332139 1336410
 Patch717: KVM-MTRR-remove-MSR-0x2f8.patch
 #CVE-2016-4440 rhbz 1337806 1337807
 Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
@ -2142,6 +2137,10 @@ fi
 #
 # 
 %changelog
 * Fri May 20 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git5.1
 - Linux v4.6-6148-g03b979d
 - Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges
 * Fri May 20 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2016-4440 kvm: incorrect state leading to APIC register access (rhbz 1337806 1337807)
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 d2927020e24a76da4ab482a8bc3e9ef3  linux-4.6.tar.xz
 fd23b14b9d474c3dfacb6e8ee82d3a51  perf-man-4.6.tar.gz
-be912d5f22aba6286ac2e205e2ce1202  patch-4.6-git4.xz
+9bcfe711504d6e532084a2c2cc610b73  patch-4.6-git5.xz
`@ -1 +1 @@`
	`2600a46ee0ed57c0e0a382c2a37ebac64d374d20`	`03b979dd0323ace8e29a0561cd5232f73a060c09`