4.13.16-100.fc25.gnu

6 files changed, 126 insertions, 72 deletions

diff --git a/freed-ora/current/f25/kernel.spec b/freed-ora/current/f25/kernel.spec
index ab96a67a4..b0126b7db 100644
--- a/freed-ora/current/f25/kernel.spec
+++ b/freed-ora/current/f25/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 15
+%define stable_update 16
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -680,8 +680,8 @@ Patch331: arm64-xgene-acpi-fix.patch
 # CVE-2017-7477 rhbz 1445207 1445208
 Patch502: CVE-2017-7477.patch
 
-# CVE-2017-15115 rhbz 1513346 1513345
-Patch503: sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
+# CVE-2017-16644 rhbz 1516273 1516274
+Patch503: media-hdpvr-Fix-an-error-handling-path-in-hdpvr_probe.patch
 
 # 600 - Patches for improved Bay and Cherry Trail device support
 # Below patches are submitted upstream, awaiting review / merging
@@ -2416,6 +2416,16 @@ fi
 #
 #
 %changelog
+* Mon Nov 27 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.13.16-gnu.
+
+* Mon Nov 27 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.16-100
+- Linux v4.13.16
+- Fix CVE-2017-16649 (rhbz 1516267 1516274)
+- Fix CVE-2017-16650 (rhbz 1516265 1516274)
+- Fix CVE-2017-16644 (rhbz 1516273 1516274)
+- Fix CVE-2017-16647 (rhbz 1516270 1516274)
+
 * Tue Nov 21 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 4.13.15-gnu.
 
diff --git a/freed-ora/current/f25/media-hdpvr-Fix-an-error-handling-path-in-hdpvr_probe.patch b/freed-ora/current/f25/media-hdpvr-Fix-an-error-handling-path-in-hdpvr_probe.patch
new file mode 100644
index 000000000..703b0d246
--- /dev/null
+++ b/freed-ora/current/f25/media-hdpvr-Fix-an-error-handling-path-in-hdpvr_probe.patch
@@ -0,0 +1,106 @@
+From patchwork Fri Sep 22 13:07:06 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [media] hdpvr: Fix an error handling path in hdpvr_probe()
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+X-Patchwork-Id: 9966135
+Message-Id: <b5c06a8e071d38fc4b4df20b7f9c8fb25d5408fe.1506085151.git.arvind.yadav.cs@gmail.com>
+To: andreyknvl@google.com, hverkuil@xs4all.nl, mchehab@kernel.org,
+ laurent.pinchart@ideasonboard.com, dvyukov@google.com,
+ kcc@google.com, syzkaller@googlegroups.com
+Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
+Date: Fri, 22 Sep 2017 18:37:06 +0530
+
+Here, hdpvr_register_videodev() is responsible for setup and
+register a video device. Also defining and initializing a worker.
+hdpvr_register_videodev() is calling by hdpvr_probe at last.
+So No need to flash any work here.
+Unregister v4l2, free buffers and memory. If hdpvr_probe() will fail.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+---
+ drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c
+index dbe29c6..1e8cbaf 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-core.c
++++ b/drivers/media/usb/hdpvr/hdpvr-core.c
+@@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 	/* register v4l2_device early so it can be used for printks */
+ 	if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
+ 		dev_err(&interface->dev, "v4l2_device_register failed\n");
+-		goto error;
++		goto error_free_dev;
+ 	}
+ 
+ 	mutex_init(&dev->io_mutex);
+@@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 	dev->usbc_buf = kmalloc(64, GFP_KERNEL);
+ 	if (!dev->usbc_buf) {
+ 		v4l2_err(&dev->v4l2_dev, "Out of memory\n");
+-		goto error;
++		goto error_v4l2_unregister;
+ 	}
+ 
+ 	init_waitqueue_head(&dev->wait_buffer);
+@@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 	}
+ 	if (!dev->bulk_in_endpointAddr) {
+ 		v4l2_err(&dev->v4l2_dev, "Could not find bulk-in endpoint\n");
+-		goto error;
++		goto error_put_usb;
+ 	}
+ 
+ 	/* init the device */
+ 	if (hdpvr_device_init(dev)) {
+ 		v4l2_err(&dev->v4l2_dev, "device init failed\n");
+-		goto error;
++		goto error_put_usb;
+ 	}
+ 
+ 	mutex_lock(&dev->io_mutex);
+@@ -353,7 +353,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 		mutex_unlock(&dev->io_mutex);
+ 		v4l2_err(&dev->v4l2_dev,
+ 			 "allocating transfer buffers failed\n");
+-		goto error;
++		goto error_put_usb;
+ 	}
+ 	mutex_unlock(&dev->io_mutex);
+ 
+@@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 	retval = hdpvr_register_i2c_adapter(dev);
+ 	if (retval < 0) {
+ 		v4l2_err(&dev->v4l2_dev, "i2c adapter register failed\n");
+-		goto error;
++		goto error_free_buffers;
+ 	}
+ 
+ 	client = hdpvr_register_ir_rx_i2c(dev);
+@@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interface *interface,
+ reg_fail:
+ #if IS_ENABLED(CONFIG_I2C)
+ 	i2c_del_adapter(&dev->i2c_adapter);
++error_free_buffers:
+ #endif
++	hdpvr_free_buffers(dev);
++error_put_usb:
++	usb_put_dev(dev->udev);
++	kfree(dev->usbc_buf);
++error_v4l2_unregister:
++	v4l2_device_unregister(&dev->v4l2_dev);
++error_free_dev:
++	kfree(dev);
+ error:
+-	if (dev) {
+-		flush_work(&dev->worker);
+-		/* this frees allocated memory */
+-		hdpvr_delete(dev);
+-	}
+ 	return retval;
+ }
+ 
diff --git a/freed-ora/current/f25/patch-4.13-gnu-4.13.15-gnu.xz.sign b/freed-ora/current/f25/patch-4.13-gnu-4.13.15-gnu.xz.sign
deleted file mode 100644
index 9511b5e27..000000000
--- a/freed-ora/current/f25/patch-4.13-gnu-4.13.15-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWhSFAgAKCRC8t8+Hfn1H
-p5XHAJ9TQ8eDoFjGGpQ7q+likLlUK14bDQCeK4oDCqEkqjO2N+sroCtdT9vEpgo=
-=WYwS
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f25/patch-4.13-gnu-4.13.16-gnu.xz.sign b/freed-ora/current/f25/patch-4.13-gnu-4.13.16-gnu.xz.sign
new file mode 100644
index 000000000..35f1cc193
--- /dev/null
+++ b/freed-ora/current/f25/patch-4.13-gnu-4.13.16-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWhjaagAKCRC8t8+Hfn1H
+p04LAKCZ1S+QEtnR7JgWmST9db/X8s+lYgCZAbraz7uZabmDmcVRSgjjIOi8YH0=
+=yhM9
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f25/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch b/freed-ora/current/f25/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
deleted file mode 100644
index d44f6cc28..000000000
--- a/freed-ora/current/f25/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 Mon Sep 17 00:00:00 2001
-From: Xin Long <lucien.xin@gmail.com>
-Date: Tue, 17 Oct 2017 23:26:10 +0800
-Subject: sctp: do not peel off an assoc from one netns to another one
-
-Now when peeling off an association to the sock in another netns, all
-transports in this assoc are not to be rehashed and keep use the old
-key in hashtable.
-
-As a transport uses sk->net as the hash key to insert into hashtable,
-it would miss removing these transports from hashtable due to the new
-netns when closing the sock and all transports are being freeed, then
-later an use-after-free issue could be caused when looking up an asoc
-and dereferencing those transports.
-
-This is a very old issue since very beginning, ChunYu found it with
-syzkaller fuzz testing with this series:
-
-  socket$inet6_sctp()
-  bind$inet6()
-  sendto$inet6()
-  unshare(0x40000000)
-  getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
-  getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
-
-This patch is to block this call when peeling one assoc off from one
-netns to another one, so that the netns of all transport would not
-go out-sync with the key in hashtable.
-
-Note that this patch didn't fix it by rehashing transports, as it's
-difficult to handle the situation when the tuple is already in use
-in the new netns. Besides, no one would like to peel off one assoc
-to another netns, considering ipaddrs, ifaces, etc. are usually
-different.
-
-Reported-by: ChunYu Wang <chunwang@redhat.com>
-Signed-off-by: Xin Long <lucien.xin@gmail.com>
-Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-Acked-by: Neil Horman <nhorman@tuxdriver.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/sctp/socket.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index d4730ad..17841ab 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
- 	struct socket *sock;
- 	int err = 0;
- 
-+	/* Do not peel off from one netns to another one. */
-+	if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
-+		return -EINVAL;
-+
- 	if (!asoc)
- 		return -EINVAL;
- 
--- 
-cgit v1.1
-
diff --git a/freed-ora/current/f25/sources b/freed-ora/current/f25/sources
index 1cd99cf73..bc8cdd7ac 100644
--- a/freed-ora/current/f25/sources
+++ b/freed-ora/current/f25/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-libre-4.13-gnu.tar.xz) = 9ad6866c68f29f7e4f8b53d0b857f9b3c7f6abd0054460675c76f3100db34a77c2777d7f4191831008b532cb2ab6f686d8c4f457a4d005226c73f90937963518
 SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
-SHA512 (patch-4.13-gnu-4.13.15-gnu.xz) = 62ac015aa1853b28546447b8028d122a52ad3c0783c2ae8cf6152a7d689941077c1629699edcac07dd7477e30bba43be24599a9779a17f75adc141c24d955905
+SHA512 (patch-4.13-gnu-4.13.16-gnu.xz) = 751c29a56114586cdbda0a6faafff97dfefa3e5a8f9d3e93bd1a37b7d9e5d9db5c9a574e601e252ea3d61ad9d4ce4544ff1d6a31ce12aaba7c4333296979f40a