authorAlexandre Oliva <lxoliva@fsfla.org>2017-11-17 16:43:59 +0000
committerAlexandre Oliva <lxoliva@fsfla.org>2017-11-17 16:43:59 +0000
commit88e3b5f54d0f9fdee5dddb9fd4fc17cc7f3c5553 (patch)
tree0d3e27f982fff750fcc50d99b85a3226348865ab
parent21a6e7b25041e87ac7a6499dbf8166037483e8b9 (diff)
downloadlinux-libre-raptor-88e3b5f54d0f9fdee5dddb9fd4fc17cc7f3c5553.tar.gz
linux-libre-raptor-88e3b5f54d0f9fdee5dddb9fd4fc17cc7f3c5553.zip
4.13.13-300.fc27.gnu
-rw-r--r--freed-ora/current/f27/USB-ulpi-fix-bus-node-lookup.patch48
-rw-r--r--freed-ora/current/f27/kernel.spec20
-rw-r--r--freed-ora/current/f27/patch-4.13-gnu-4.13.12-gnu.xz.sign6
-rw-r--r--freed-ora/current/f27/patch-4.13-gnu-4.13.13-gnu.xz.sign6
-rw-r--r--freed-ora/current/f27/rpi-graphics-fix.patch46
-rw-r--r--freed-ora/current/f27/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch62
-rw-r--r--freed-ora/current/f27/sources2
7 files changed, 182 insertions, 8 deletions
diff --git a/freed-ora/current/f27/USB-ulpi-fix-bus-node-lookup.patch b/freed-ora/current/f27/USB-ulpi-fix-bus-node-lookup.patch
new file mode 100644
index 000000000..835cf2ab6
--- /dev/null
+++ b/freed-ora/current/f27/USB-ulpi-fix-bus-node-lookup.patch
@@ -0,0 +1,48 @@
+From patchwork Sat Nov 11 15:31:18 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: USB: ulpi: fix bus-node lookup
+From: Johan Hovold <johan@kernel.org>
+X-Patchwork-Id: 10054387
+Message-Id: <20171111153118.16038-1-johan@kernel.org>
+To: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
+ linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
+ linux-arm-msm@vger.kernel.org, Rob Clark <robdclark@gmail.com>,
+ Peter Robinson <pbrobinson@gmail.com>, Johan Hovold <johan@kernel.org>,
+ stable <stable@vger.kernel.org>
+Date: Sat, 11 Nov 2017 16:31:18 +0100
+
+Fix bus-node lookup during registration, which ended up searching the whole
+device tree depth-first starting at the parent (or grand parent) rather
+than just matching on its children.
+
+To make things worse, the parent (or grand-parent) node could end being
+prematurely freed as well.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Reported-by: Peter Robinson <pbrobinson@gmail.com>
+Reported-by: Stephen Boyd <sboyd@codeaurora.org>
+Cc: stable <stable@vger.kernel.org> # 4.10
+Signed-off-by: Johan Hovold <johan@kernel.org>
+---
+ drivers/usb/common/ulpi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/common/ulpi.c b/drivers/usb/common/ulpi.c
+index 8b351444cc40..9a2ab6751a23 100644
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -180,9 +180,9 @@ static int ulpi_of_register(struct ulpi *ulpi)
+ /* Find a ulpi bus underneath the parent or the grandparent */
+ parent = ulpi->dev.parent;
+ if (parent->of_node)
+- np = of_find_node_by_name(parent->of_node, "ulpi");
++ np = of_get_child_by_name(parent->of_node, "ulpi");
+ else if (parent->parent && parent->parent->of_node)
+- np = of_find_node_by_name(parent->parent->of_node, "ulpi");
++ np = of_get_child_by_name(parent->parent->of_node, "ulpi");
+ if (!np)
+ return 0;
+
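Review bot: The node returned by `of_get_child_by_name()` carries a reference that the caller has to release with `of_node_put()`, and the visible lines stop at `if (!np) return 0;`, so the release cannot be confirmed from this hunk. The rest of `ulpi_of_register` lies outside the hunk and should be checked for a put on every exit path, since an unbalanced count on device-tree nodes is the same class of problem the commit message describes. The context comment `/* Find a ulpi bus underneath the parent or the grandparent */` also still reads like a subtree search; wording such as `/* Find a "ulpi" bus node that is a direct child of the parent or the grandparent */` would match the narrowed lookup.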
diff --git a/freed-ora/current/f27/kernel.spec b/freed-ora/current/f27/kernel.spec
index d932f7dcd..1fa024ef1 100644
--- a/freed-ora/current/f27/kernel.spec
+++ b/freed-ora/current/f27/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 12
+%define stable_update 13
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -668,6 +668,9 @@ Patch314: qcom-msm-ci_hdrc_msm_probe-missing-of_node_get.patch
# Hack until interconnect API lands upstream
Patch315: qcom-clk-gpu-msm.patch
+# https://patchwork.kernel.org/patch/10054387/
+Patch316: USB-ulpi-fix-bus-node-lookup.patch
+
# Fix USB on the RPi https://patchwork.kernel.org/patch/9879371/
Patch321: bcm283x-dma-mapping-skip-USB-devices-when-configuring-DMA-during-probe.patch
@@ -680,6 +683,8 @@ Patch323: bcm2837-bluetooth-support.patch
Patch324: bcm283x-vc4-fixes.patch
+Patch325: rpi-graphics-fix.patch
+
# https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?h=next-20170912&id=723288836628bc1c0855f3bb7b64b1803e4b9e4a
Patch330: arm-of-restrict-dma-configuration.patch
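Review bot: `Patch325: rpi-graphics-fix.patch` is added without a provenance comment, unlike `Patch316` in this same commit, which records its patchwork URL, and `Patch503`, which records the CVE and bug numbers. The carried patch's own header names the upstream subject and link, so a line such as `# drm/vc4: Account for interrupts in flight https://patchwork.freedesktop.org/patch/msgid/1510275907-993-2-git-send-email-stschake@gmail.com` above it would let a later rebase tell when the fix has landed upstream and the local copy can be dropped. The file name `rpi-graphics-fix.patch` alone does not identify which change is being carried.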
@@ -709,6 +714,9 @@ Patch337: arm64-aw64-devices.patch
# CVE-2017-7477 rhbz 1445207 1445208
Patch502: CVE-2017-7477.patch
+# CVE-2017-15115 rhbz 1513346 1513345
+Patch503: sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
+
# 600 - Patches for improved Bay and Cherry Trail device support
# Below patches are submitted upstream, awaiting review / merging
Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch
@@ -2419,6 +2427,16 @@ fi
#
#
%changelog
+* Thu Nov 16 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.13.13-gnu.
+
+* Wed Nov 15 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.13-300
+- Linux v4.13.13
+- Fix CVE-2017-15115 (rhbz 1513346 1513345)
+
+* Wed Nov 15 2017 Peter Robinson <pbrobinson@fedoraproject.org>
+- Add fix for vc4 interupts
+
* Thu Nov 9 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
- GNU Linux-libre 4.13.12-gnu.
diff --git a/freed-ora/current/f27/patch-4.13-gnu-4.13.12-gnu.xz.sign b/freed-ora/current/f27/patch-4.13-gnu-4.13.12-gnu.xz.sign
deleted file mode 100644
index 2008b822b..000000000
--- a/freed-ora/current/f27/patch-4.13-gnu-4.13.12-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWgQjBwAKCRC8t8+Hfn1H
-p6TmAKCBmYjDjf4YVp3/1Kn0K1IPGJJDugCeOXjRbfCpvnvIK/Hdm/PxRcKEU+I=
-=+nhL
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f27/patch-4.13-gnu-4.13.13-gnu.xz.sign b/freed-ora/current/f27/patch-4.13-gnu-4.13.13-gnu.xz.sign
new file mode 100644
index 000000000..8267f54b0
--- /dev/null
+++ b/freed-ora/current/f27/patch-4.13-gnu-4.13.13-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWgzvBQAKCRC8t8+Hfn1H
+p3I1AJ9YuWWXmI1xssfYKJzLs9wsc9zEGwCaAorF9bWRk8eNHbu775GEQ8sayG0=
+=a/7E
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f27/rpi-graphics-fix.patch b/freed-ora/current/f27/rpi-graphics-fix.patch
new file mode 100644
index 000000000..89bfaf9a5
--- /dev/null
+++ b/freed-ora/current/f27/rpi-graphics-fix.patch
@@ -0,0 +1,46 @@
+From 253696ccd613fbdaa5aba1de44c461a058e0a114 Mon Sep 17 00:00:00 2001
+From: Stefan Schake <stschake@gmail.com>
+Date: Fri, 10 Nov 2017 02:05:06 +0100
+Subject: drm/vc4: Account for interrupts in flight
+
+Synchronously disable the IRQ to make the following cancel_work_sync
+invocation effective.
+
+An interrupt in flight could enqueue further overflow mem work. As we
+free the binner BO immediately following vc4_irq_uninstall this caused
+a NULL pointer dereference in the work callback vc4_overflow_mem_work.
+
+Link: https://github.com/anholt/linux/issues/114
+Signed-off-by: Stefan Schake <stschake@gmail.com>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/1510275907-993-2-git-send-email-stschake@gmail.com
+
+diff --git a/drivers/gpu/drm/vc4/vc4_irq.c b/drivers/gpu/drm/vc4/vc4_irq.c
+index 7d7af3a..61b2e53 100644
+--- a/drivers/gpu/drm/vc4/vc4_irq.c
++++ b/drivers/gpu/drm/vc4/vc4_irq.c
+@@ -208,6 +208,9 @@ vc4_irq_postinstall(struct drm_device *dev)
+ {
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+
++ /* Undo the effects of a previous vc4_irq_uninstall. */
++ enable_irq(dev->irq);
++
+ /* Enable both the render done and out of memory interrupts. */
+ V3D_WRITE(V3D_INTENA, V3D_DRIVER_IRQS);
+
+@@ -225,6 +228,9 @@ vc4_irq_uninstall(struct drm_device *dev)
+ /* Clear any pending interrupts we might have left. */
+ V3D_WRITE(V3D_INTCTL, V3D_DRIVER_IRQS);
+
++ /* Finish any interrupt handler still in flight. */
++ disable_irq(dev->irq);
++
+ cancel_work_sync(&vc4->overflow_mem_work);
+ }
+
+--
+cgit v0.10.2
+
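Review bot: The added `enable_irq(dev->irq)` in `vc4_irq_postinstall` and `disable_irq(dev->irq)` in `vc4_irq_uninstall` are depth-counted, so they are only correct if every postinstall after the first is preceded by exactly one uninstall. The callers of both functions are outside the hunk, so that pairing cannot be confirmed here; an extra enable would trip the kernel's unbalanced-enable warning, and an extra disable would leave the interrupt masked after resume. The comment on the enable could state the contract, for example `/* Balance the disable_irq() in vc4_irq_uninstall; the two must always be called in pairs. */`. Both function bodies start or end outside the visible context.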
diff --git a/freed-ora/current/f27/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch b/freed-ora/current/f27/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
new file mode 100644
index 000000000..d44f6cc28
--- /dev/null
+++ b/freed-ora/current/f27/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
@@ -0,0 +1,62 @@
+From df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 17 Oct 2017 23:26:10 +0800
+Subject: sctp: do not peel off an assoc from one netns to another one
+
+Now when peeling off an association to the sock in another netns, all
+transports in this assoc are not to be rehashed and keep use the old
+key in hashtable.
+
+As a transport uses sk->net as the hash key to insert into hashtable,
+it would miss removing these transports from hashtable due to the new
+netns when closing the sock and all transports are being freeed, then
+later an use-after-free issue could be caused when looking up an asoc
+and dereferencing those transports.
+
+This is a very old issue since very beginning, ChunYu found it with
+syzkaller fuzz testing with this series:
+
+ socket$inet6_sctp()
+ bind$inet6()
+ sendto$inet6()
+ unshare(0x40000000)
+ getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
+ getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
+
+This patch is to block this call when peeling one assoc off from one
+netns to another one, so that the netns of all transport would not
+go out-sync with the key in hashtable.
+
+Note that this patch didn't fix it by rehashing transports, as it's
+difficult to handle the situation when the tuple is already in use
+in the new netns. Besides, no one would like to peel off one assoc
+to another netns, considering ipaddrs, ifaces, etc. are usually
+different.
+
+Reported-by: ChunYu Wang <chunwang@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/sctp/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index d4730ad..17841ab 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ struct socket *sock;
+ int err = 0;
+
++ /* Do not peel off from one netns to another one. */
++ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
++ return -EINVAL;
++
+ if (!asoc)
+ return -EINVAL;
+
+--
+cgit v1.1
+
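Review bot: The added guard in `sctp_do_peeloff` compares the socket's netns with `current->nsproxy->net_ns`, so its outcome depends on which task executes the function, not only on the socket being peeled off. The callers are outside the hunk, so it cannot be confirmed here that all of them run in the requesting process's context. The comment `/* Do not peel off from one netns to another one. */` restates the condition without giving the reason. Something like `/* Transports stay hashed under the old netns key; peeling off into another netns would leave them in the hashtable after close (use-after-free). */` would keep the rationale next to the check. The function body continues past the end of the hunk.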
diff --git a/freed-ora/current/f27/sources b/freed-ora/current/f27/sources
index 6745e43f1..d33877435 100644
--- a/freed-ora/current/f27/sources
+++ b/freed-ora/current/f27/sources
@@ -1,3 +1,3 @@
SHA512 (linux-libre-4.13-gnu.tar.xz) = 9ad6866c68f29f7e4f8b53d0b857f9b3c7f6abd0054460675c76f3100db34a77c2777d7f4191831008b532cb2ab6f686d8c4f457a4d005226c73f90937963518
SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
-SHA512 (patch-4.13-gnu-4.13.12-gnu.xz) = 4a2363e4ff6a3d3752f2b830357fa0d22dcd2830ca39d6546d8edf3fb0c84f7d54129866fce765f8a82e39622489b61fa850dd547e3414281b877b3e7334b089
+SHA512 (patch-4.13-gnu-4.13.13-gnu.xz) = 9c4e753de1865778a5bdece95ed4487cedf55d23d383640ec3616db4b631e971bf1ac21d7019677dde2dbd9d7469ea20f58a7b11496f7e56d6c0162bcf2d657a