Diffstat (limited to 'freed-ora/current/f22')
18 files changed, 1048 insertions, 1 deletions
diff --git a/freed-ora/current/f22/0001-Input-synaptics-handle-spurious-release-of-trackstic.patch b/freed-ora/current/f22/0001-Input-synaptics-handle-spurious-release-of-trackstic.patch new file mode 100644 index 000000000..52b082b36 --- /dev/null +++ b/freed-ora/current/f22/0001-Input-synaptics-handle-spurious-release-of-trackstic.patch @@ -0,0 +1,31 @@ +From cb6fcfe5a7e9197ceb7e9eec56e9c526e4e76354 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Date: Mon, 14 Mar 2016 19:37:12 +0100 +Subject: [PATCH] Input: synaptics - handle spurious release of trackstick + buttons, again + +Looks like the fimware 8.2 stall has the extra buttons spurious release +bug. + +Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +--- + drivers/input/mouse/synaptics.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c +index 6025eb4..4ef8d7a 100644 +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -863,7 +863,8 @@ static void synaptics_report_ext_buttons(struct psmouse *psmouse, + return; + + /* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */ +- if (SYN_ID_FULL(priv->identity) == 0x801 && ++ if ((SYN_ID_FULL(priv->identity) == 0x801 || ++ SYN_ID_FULL(priv->identity) == 0x802) && + !((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02)) + return; + +-- +2.5.0 + diff --git a/freed-ora/current/f22/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch b/freed-ora/current/f22/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch new file mode 100644 index 000000000..b6c446829 --- /dev/null +++ b/freed-ora/current/f22/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch 
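Review bot: The comment above the changed condition in synaptics_report_ext_buttons() still reads `/* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */` while the condition now also matches `SYN_ID_FULL(priv->identity) == 0x802`, so the comment no longer describes the check; update it to `/* Bug in FW 8.1 and 8.2, buttons are reported only when ExtBit is 1 */`. The commit message is the only place that ties 0x801/0x802 to firmware 8.1/8.2, so a short note next to the constants would spare the next reader that lookup. The function starts and ends outside the hunk.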
@@ -0,0 +1,45 @@ +From 79abe2bd501d628b165f323098d6972d69bd13d7 Mon Sep 17 00:00:00 2001 +From: Hans de Goede <hdegoede@redhat.com> +Date: Wed, 16 Mar 2016 13:20:51 +0100 +Subject: [PATCH] uas: Limit qdepth at the scsi-host level + +Commit 64d513ac31bd ("scsi: use host wide tags by default") causes +the scsi-core to queue more cmnds then we can handle on devices with +multiple LUNs, limit the qdepth at the scsi-host level instead of +per slave to fix this. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1315013 +Cc: stable@vger.kernel.org # 4.4.x and 4.5.x +Signed-off-by: Hans de Goede <hdegoede@redhat.com> +--- + drivers/usb/storage/uas.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index c90a7e4..b5cb7ab 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -800,7 +800,6 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_BROKEN_FUA) + sdev->broken_fua = 1; + +- scsi_change_queue_depth(sdev, devinfo->qdepth - 2); + return 0; + } + +@@ -932,6 +931,12 @@ static int uas_probe(struct usb_interface *intf, const struct usb_device_id *id) + if (result) + goto set_alt0; + ++ /* ++ * 1 tag is reserved for untagged commands + ++ * 1 tag to avoid of by one errors in some bridge firmwares ++ */ ++ shost->can_queue = devinfo->qdepth - 2; ++ + usb_set_intfdata(intf, shost); + result = scsi_add_host(shost, &intf->dev); + if (result) +-- +2.7.3 + diff --git a/freed-ora/current/f22/09-29-drm-udl-Use-unlocked-gem-unreferencing.patch b/freed-ora/current/f22/09-29-drm-udl-Use-unlocked-gem-unreferencing.patch new file mode 100644 index 000000000..e2dbabe83 --- /dev/null +++ b/freed-ora/current/f22/09-29-drm-udl-Use-unlocked-gem-unreferencing.patch 
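Review bot: `shost->can_queue = devinfo->qdepth - 2;` in uas_probe() has no lower bound, so if devinfo->qdepth can ever be below 2 the host would be registered with a zero, negative or wrapped can_queue; where qdepth is derived is outside the hunk, so if it is not already guaranteed to be at least 2, a guard such as `if (devinfo->qdepth < 2)` that rejects the device through the existing set_alt0 error path would make the invariant explicit. The removed per-slave scsi_change_queue_depth() used the same arithmetic, so this is pre-existing rather than introduced here. The new comment also has a typo; it should read `* 1 tag to avoid off by one errors in some bridge firmwares`.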
@@ -0,0 +1,58 @@ +From patchwork Mon Nov 23 09:32:42 2015 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [09/29] drm/udl: Use unlocked gem unreferencing +From: Daniel Vetter <daniel.vetter@ffwll.ch> +X-Patchwork-Id: 65722 +Message-Id: <1448271183-20523-10-git-send-email-daniel.vetter@ffwll.ch> +To: DRI Development <dri-devel@lists.freedesktop.org> +Cc: Daniel Vetter <daniel.vetter@intel.com>, + Daniel Vetter <daniel.vetter@ffwll.ch>, + Intel Graphics Development <intel-gfx@lists.freedesktop.org>, + Dave Airlie <airlied@redhat.com> +Date: Mon, 23 Nov 2015 10:32:42 +0100 + +For drm_gem_object_unreference callers are required to hold +dev->struct_mutex, which these paths don't. Enforcing this requirement +has become a bit more strict with + +commit ef4c6270bf2867e2f8032e9614d1a8cfc6c71663 +Author: Daniel Vetter <daniel.vetter@ffwll.ch> +Date: Thu Oct 15 09:36:25 2015 +0200 + + drm/gem: Check locking in drm_gem_object_unreference + +Cc: Dave Airlie <airlied@redhat.com> +Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> +--- + drivers/gpu/drm/udl/udl_fb.c | 2 +- + drivers/gpu/drm/udl/udl_gem.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c +index 200419d4d43c..18a2acbccb7d 100644 +--- a/drivers/gpu/drm/udl/udl_fb.c ++++ b/drivers/gpu/drm/udl/udl_fb.c +@@ -538,7 +538,7 @@ static int udlfb_create(struct drm_fb_helper *helper, + out_destroy_fbi: + drm_fb_helper_release_fbi(helper); + out_gfree: +- drm_gem_object_unreference(&ufbdev->ufb.obj->base); ++ drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base); + out: + return ret; + } +diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c +index 2a0a784ab6ee..d7528e0d8442 100644 +--- a/drivers/gpu/drm/udl/udl_gem.c ++++ b/drivers/gpu/drm/udl/udl_gem.c +@@ -52,7 +52,7 @@ udl_gem_create(struct drm_file *file, + return ret; + } + +- 
drm_gem_object_unreference(&obj->base); ++ drm_gem_object_unreference_unlocked(&obj->base); + *handle_p = handle; + return 0; + } diff --git a/freed-ora/current/f22/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch b/freed-ora/current/f22/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch new file mode 100644 index 000000000..801434a26 --- /dev/null +++ b/freed-ora/current/f22/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch 
@@ -0,0 +1,80 @@ +From 873156565ca67779bbf5a3475ccd08ea3bb92522 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Tue, 15 Mar 2016 15:20:58 +0100 +Subject: [PATCH 2/2] ALSA: usb-audio: Add sanity checks for endpoint accesses + +Add some sanity check codes before actually accessing the endpoint via +get_endpoint() in order to avoid the invalid access through a +malformed USB descriptor. Mostly just checking bNumEndpoints, but in +one place (snd_microii_spdif_default_get()), the validity of iface and +altsetting index is checked as well. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125 +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/usb/clock.c | 2 ++ + sound/usb/endpoint.c | 3 +++ + sound/usb/mixer_quirks.c | 4 ++++ + sound/usb/pcm.c | 2 ++ + 4 files changed, 11 insertions(+) + +diff --git a/sound/usb/clock.c b/sound/usb/clock.c +index 2ed260b10f6d..7ccbcaf6a147 100644 +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface, + unsigned char data[3]; + int err, crate; + ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + /* if endpoint doesn't have sampling rate control, bail out */ +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index e6f71894ecdc..c2131b851602 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -415,6 +415,9 @@ exit_clear: + * + * New endpoints will be added to chip->ep_list and must be freed by + * calling snd_usb_endpoint_free(). ++ * ++ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that ++ * bNumEndpoints > 1 beforehand. 
+ */ + struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip, + struct usb_host_interface *alts, +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index d3608c0a29f3..2d724e3c4cc0 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1518,7 +1518,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol, + + /* use known values for that card: interface#1 altsetting#1 */ + iface = usb_ifnum_to_if(chip->dev, 1); ++ if (!iface || iface->num_altsetting < 2) ++ return -EINVAL; + alts = &iface->altsetting[1]; ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + err = snd_usb_ctl_msg(chip->dev, +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index cdac5179db3f..4da64896df6d 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface, + unsigned char data[1]; + int err; + ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + data[0] = 1; +-- +2.5.0 + diff --git a/freed-ora/current/f22/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch b/freed-ora/current/f22/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch new file mode 100644 index 000000000..37cdb213a --- /dev/null +++ b/freed-ora/current/f22/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch 
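Review bot: The endpoint.c part of the nested patch only documents the SYNC-endpoint precondition (`bNumEndpoints > 1 beforehand`) in the snd_usb_add_endpoint() kernel-doc rather than enforcing it, while clock.c, pcm.c and mixer_quirks.c receive real runtime checks of `get_iface_desc(alts)->bNumEndpoints`. If the function already has an error return that its callers handle, checking bNumEndpoints against the endpoint index it is about to use inside snd_usb_add_endpoint() would close this malformed-descriptor case at one choke point instead of relying on every caller; its parameter list and body are outside the hunk, so I cannot confirm the return convention from here. The mixer_quirks.c change is the right shape: it checks `iface->num_altsetting < 2` before `&iface->altsetting[1]` and then bNumEndpoints before endpoint 0.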
@@ -0,0 +1,40 @@ +From b0bb5691b38e2f439b071e226bad9f699c33b77d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Tue, 15 Mar 2016 12:09:10 +0100 +Subject: [PATCH 1/2] ALSA: usb-audio: Fix NULL dereference in + create_fixed_stream_quirk() + +create_fixed_stream_quirk() may cause a NULL-pointer dereference by +accessing the non-existing endpoint when a USB device with a malformed +USB descriptor is used. + +This patch avoids it simply by adding a sanity check of bNumEndpoints +before the accesses. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125 +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/usb/quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index eef9b8e4b949..e128ca62eb44 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -177,6 +177,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + } + alts = &iface->altsetting[fp->altset_idx]; + altsd = get_iface_desc(alts); ++ if (altsd->bNumEndpoints < 1) { ++ kfree(fp); ++ kfree(rate_table); ++ return -EINVAL; ++ } ++ + fp->protocol = altsd->bInterfaceProtocol; + + if (fp->datainterval == 0) +-- +2.5.0 + diff --git a/freed-ora/current/f22/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch b/freed-ora/current/f22/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch new file mode 100644 index 000000000..c7a461de8 --- /dev/null +++ b/freed-ora/current/f22/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch 
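Review bot: The new error branch in create_fixed_stream_quirk() repeats the cleanup inline (`kfree(fp); kfree(rate_table); return -EINVAL;`), which is the pattern that drifts when a later allocation is added; an error label holding the two kfree() calls would keep this path in step with whatever earlier error paths the function has above the hunk. The context line `alts = &iface->altsetting[fp->altset_idx];` is reached before the new check and indexes the altsetting array with altset_idx (presumably from the quirk table); whether that index is validated against `iface->num_altsetting` is outside the hunk and worth confirming, since the same malformed-descriptor reasoning applies. The function starts and ends outside the hunk.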
@@ -0,0 +1,107 @@ +From 0f8536022831faaba3a952fa633902d9686f535f Mon Sep 17 00:00:00 2001 +From: Vladis Dronov <vdronov@redhat.com> +Date: Wed, 23 Mar 2016 15:53:07 -0400 +Subject: [PATCH] Input: ati_remote2: fix crashes on detecting device with + invalid descriptor + +The ati_remote2 driver expects at least two interfaces with one +endpoint each. If given malicious descriptor that specify one +interface or no endpoints, it will crash in the probe function. +Ensure there is at least two interfaces and one endpoint for each +interface before using it. + +The full disclosure: http://seclists.org/bugtraq/2016/Mar/90 + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------ + 1 file changed, 30 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c +index cfd58e87da26..cf5d1e8d92c7 100644 +--- a/drivers/input/misc/ati_remote2.c ++++ b/drivers/input/misc/ati_remote2.c +@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d + + ar2->udev = udev; + ++ /* Sanity check, first interface must have an endpoint */ ++ if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) { ++ dev_err(&interface->dev, ++ "%s(): interface 0 must have an endpoint\n", __func__); ++ r = -ENODEV; ++ goto fail1; ++ } + ar2->intf[0] = interface; + ar2->ep[0] = &alt->endpoint[0].desc; + ++ /* Sanity check, the device must have two interfaces */ + ar2->intf[1] = usb_ifnum_to_if(udev, 1); ++ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) { ++ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n", ++ __func__, udev->actconfig->desc.bNumInterfaces); ++ r = -ENODEV; ++ goto fail1; ++ } ++ + r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2); + if (r) + goto fail1; ++ ++ /* Sanity check, second interface must have an endpoint */ + 
alt = ar2->intf[1]->cur_altsetting; ++ if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) { ++ dev_err(&interface->dev, ++ "%s(): interface 1 must have an endpoint\n", __func__); ++ r = -ENODEV; ++ goto fail2; ++ } + ar2->ep[1] = &alt->endpoint[0].desc; + + r = ati_remote2_urb_init(ar2); + if (r) +- goto fail2; ++ goto fail3; + + ar2->channel_mask = channel_mask; + ar2->mode_mask = mode_mask; + + r = ati_remote2_setup(ar2, ar2->channel_mask); + if (r) +- goto fail2; ++ goto fail3; + + usb_make_path(udev, ar2->phys, sizeof(ar2->phys)); + strlcat(ar2->phys, "/input0", sizeof(ar2->phys)); +@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d + + r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group); + if (r) +- goto fail2; ++ goto fail3; + + r = ati_remote2_input_init(ar2); + if (r) +- goto fail3; ++ goto fail4; + + usb_set_intfdata(interface, ar2); + +@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d + + return 0; + +- fail3: ++ fail4: + sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group); +- fail2: ++ fail3: + ati_remote2_urb_cleanup(ar2); ++ fail2: + usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]); + fail1: + kfree(ar2); +-- +2.5.0 + diff --git a/freed-ora/current/f22/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch b/freed-ora/current/f22/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch new file mode 100644 index 000000000..7de890e1b --- /dev/null +++ b/freed-ora/current/f22/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch 
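Review bot: Inserting the new `fail2:` label renumbered every later label and six `goto` sites in ati_remote2_probe(), which makes the hunk mostly churn and invites the same renumbering on the next fix; labels named after what they undo (for example `err_release_intf`, `err_urb_cleanup`, `err_sysfs`) would keep future insertions local. The checks themselves are consistent with the unwind order visible here: the interface-0 endpoint check and the two-interface check jump to fail1 before usb_driver_claim_interface(), and the interface-1 endpoint check jumps to the new fail2 after it, so the claimed interface is released. The function's start and closing brace are outside the hunk.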
@@ -0,0 +1,38 @@ +From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Mon, 14 Mar 2016 10:02:51 -0400 +Subject: [PATCH] USB: input: powermate: fix oops with malicious USB + descriptors + +The powermate driver expects at least one valid USB endpoint in its +probe function. If given malicious descriptors that specify 0 for +the number of endpoints, it will crash. Validate the number of +endpoints on the interface before using them. + +The full report for this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/85 + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + drivers/input/misc/powermate.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c +index 63b539d3daba..84909a12ff36 100644 +--- a/drivers/input/misc/powermate.c ++++ b/drivers/input/misc/powermate.c +@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i + int error = -ENOMEM; + + interface = intf->cur_altsetting; ++ if (interface->desc.bNumEndpoints < 1) ++ return -EINVAL; ++ + endpoint = &interface->endpoint[0].desc; + if (!usb_endpoint_is_int_in(endpoint)) + return -EIO; +-- +2.5.0 + diff --git a/freed-ora/current/f22/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch b/freed-ora/current/f22/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch new file mode 100644 index 000000000..7df3af2b1 --- /dev/null +++ b/freed-ora/current/f22/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch 
@@ -0,0 +1,40 @@ +From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Mon, 14 Mar 2016 10:38:31 -0400 +Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors + +The iowarrior driver expects at least one valid endpoint. If given +malicious descriptors that specify 0 for the number of endpoints, +it will crash in the probe function. Ensure there is at least +one endpoint on the interface before using it. + +The full report of this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/87 + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + drivers/usb/misc/iowarrior.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c +index c6bfd13f6c92..1950e87b4219 100644 +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface, + iface_desc = interface->cur_altsetting; + dev->product_id = le16_to_cpu(udev->descriptor.idProduct); + ++ if (iface_desc->desc.bNumEndpoints < 1) { ++ dev_err(&interface->dev, "Invalid number of endpoints\n"); ++ retval = -EINVAL; ++ goto error; ++ } ++ + /* set up the endpoint information */ + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { + endpoint = &iface_desc->endpoint[i].desc; +-- +2.5.0 + diff --git a/freed-ora/current/f22/cdc-acm-more-sanity-checking.patch b/freed-ora/current/f22/cdc-acm-more-sanity-checking.patch new file mode 100644 index 000000000..99ad43416 --- /dev/null +++ b/freed-ora/current/f22/cdc-acm-more-sanity-checking.patch 
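Review bot: The new `iface_desc->desc.bNumEndpoints < 1` check in iowarrior_probe() guarantees the endpoint loop below runs at least once, but not that it finds the interrupt-in endpoint the driver needs; a descriptor with a single bulk endpoint passes the check and leaves whatever the loop populates unset. If the code after the loop (outside the hunk) does not already verify that the interrupt-in endpoint was found, a post-loop guard in the same style as the new one, e.g. `if (!dev->int_in_endpoint) { retval = -ENODEV; goto error; }` (field name from memory of this driver, please confirm), is the more complete fix. The dev_err/retval/goto error pattern used here matches the surrounding probe error handling.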
@@ -0,0 +1,33 @@ +From e6a87f147002fa16adcbafebbc458ff90a463474 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Tue, 15 Mar 2016 10:14:04 +0100 +Subject: [PATCH] cdc-acm: more sanity checking + +An attack has become available which pretends to be a quirky +device circumventing normal sanity checks and crashes the kernel +by an insufficient number of interfaces. This patch adds a check +to the code path for quirky devices. + +Signed-off-by: Oliver Neukum <ONeukum@suse.com> +CC: stable@vger.kernel.org +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 26ca4f910cb0..a7732f80a912 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1113,6 +1113,9 @@ static int acm_probe(struct usb_interface *intf, + if (quirks == NO_UNION_NORMAL) { + data_interface = usb_ifnum_to_if(usb_dev, 1); + control_interface = usb_ifnum_to_if(usb_dev, 0); ++ /* we would crash */ ++ if (!data_interface || !control_interface) ++ return -ENODEV; + goto skip_normal_probe; + } + +-- +2.5.0 + diff --git a/freed-ora/current/f22/cypress_m8-add-sanity-checking.patch b/freed-ora/current/f22/cypress_m8-add-sanity-checking.patch new file mode 100644 index 000000000..fa8513f94 --- /dev/null +++ b/freed-ora/current/f22/cypress_m8-add-sanity-checking.patch 
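Review bot: The new comment `/* we would crash */` in the NO_UNION_NORMAL path of acm_probe() states the consequence but not the reason the check is needed, which is what the next reader wants; suggest `/* quirky devices skip union-descriptor parsing, so a malformed device may lack interface 0 or 1 */`. Returning -ENODEV before `goto skip_normal_probe` matches the early-return style of the surrounding code. Whether the quirk path also rejects data_interface and control_interface resolving to the same interface is outside the hunk.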
@@ -0,0 +1,50 @@ +From f7a3aa353011e38e119adebd845b38551587a26a Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Thu, 17 Mar 2016 16:25:33 +0100 +Subject: [PATCH] cypress_m8: add sanity checking + +An attack using missing endpoints exists. +CVE-2016-3137 + +Signed-off-by: Oliver Neukum <ONeukum@suse.com> +CC: stable@vger.kernel.org + +v1 - add sanity check +v2 - add error logging +v3 - correct error message +--- + drivers/usb/serial/cypress_m8.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c +index 01bf53392819..5e25443fe4ef 100644 +--- a/drivers/usb/serial/cypress_m8.c ++++ b/drivers/usb/serial/cypress_m8.c +@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) + struct usb_serial *serial = port->serial; + struct cypress_private *priv; + ++ if (!port->interrupt_out_urb || !port->interrupt_in_urb) { ++ dev_err(&port->dev, "A required endpoint is missing\n"); ++ return -ENODEV; ++ } ++ + priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); + if (!priv) + return -ENOMEM; +@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) + cypress_set_termios(tty, port, &priv->tmp_termios); + + /* setup the port and start reading from the device */ +- if (!port->interrupt_in_urb) { +- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", +- __func__); +- return -1; +- } +- + usb_fill_int_urb(port->interrupt_in_urb, serial->dev, + usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), + port->interrupt_in_urb->transfer_buffer, +-- +2.5.0 + diff --git a/freed-ora/current/f22/digi_acceleport-do-sanity-checking-for-the-number-of.patch b/freed-ora/current/f22/digi_acceleport-do-sanity-checking-for-the-number-of.patch new file mode 100644 index 000000000..eb060eb08 --- /dev/null +++ b/freed-ora/current/f22/digi_acceleport-do-sanity-checking-for-the-number-of.patch 
@@ -0,0 +1,70 @@ +From e9c2a3972496927631a1a98fef43e9538e9fd5d5 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Mon, 14 Mar 2016 15:53:38 +0100 +Subject: [PATCH v2] digi_acceleport: do sanity checking for the number of ports + +The driver can be crashed with devices that expose crafted +descriptors with too few endpoints. +See: +http://seclists.org/bugtraq/2016/Mar/61 + +Signed-off-by: Oliver Neukum <ONeukum@suse.com> + +v1 - added sanity checks +v2 - moved them to probe() to fix problems Johan pointed out +--- + drivers/usb/serial/digi_acceleport.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c +index 12b0e67..dab1dcf 100644 +--- a/drivers/usb/serial/digi_acceleport.c ++++ b/drivers/usb/serial/digi_acceleport.c +@@ -1252,7 +1252,8 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num) + static int digi_startup(struct usb_serial *serial) + { + struct digi_serial *serial_priv; +- int ret; ++ int ret = -ENODEV; ++ int i; + + serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL); + if (!serial_priv) +@@ -1260,18 +1261,31 @@ static int digi_startup(struct usb_serial *serial) + + spin_lock_init(&serial_priv->ds_serial_lock); + serial_priv->ds_oob_port_num = serial->type->num_ports; ++ ++ /* Check whether the expected number of ports matches the device */ ++ if (serial->num_ports < serial_priv->ds_oob_port_num) ++ goto error; ++ /* all features must be present */ ++ for (i = 0; i < serial->type->num_ports + 1 ; i++) { ++ if (!serial->port[i]->read_urb) ++ goto error; ++ if (!serial->port[i]->write_urb) ++ goto error; ++ } ++ + serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num]; + + ret = digi_port_init(serial_priv->ds_oob_port, + serial_priv->ds_oob_port_num); +- if (ret) { +- kfree(serial_priv); +- return ret; +- } ++ if (ret) ++ goto error; + + usb_set_serial_data(serial, 
serial_priv); + + return 0; ++error: ++ kfree(serial_priv); ++ return ret; + } + + +-- +2.1.4 diff --git a/freed-ora/current/f22/ims-pcu-sanity-check-against-missing-interfaces.patch b/freed-ora/current/f22/ims-pcu-sanity-check-against-missing-interfaces.patch new file mode 100644 index 000000000..827a2b7ee --- /dev/null +++ b/freed-ora/current/f22/ims-pcu-sanity-check-against-missing-interfaces.patch @@ -0,0 +1,39 @@ +From a4200b7eb26271108586d3a7cf34a2f16d460e48 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Thu, 17 Mar 2016 15:10:47 +0100 +Subject: [PATCH] ims-pcu: sanity check against missing interfaces + +A malicious device missing interface can make the driver oops. +Add sanity checking. + +Signed-off-by: Oliver Neukum <ONeukum@suse.com> +CC: stable@vger.kernel.org +--- + drivers/input/misc/ims-pcu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c +index ac1fa5f44580..9c0ea36913b4 100644 +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc + + pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev, + union_desc->bMasterInterface0); ++ if (!pcu->ctrl_intf) ++ return -EINVAL; + + alt = pcu->ctrl_intf->cur_altsetting; + pcu->ep_ctrl = &alt->endpoint[0].desc; +@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc + + pcu->data_intf = usb_ifnum_to_if(pcu->udev, + union_desc->bSlaveInterface0); ++ if (!pcu->data_intf) ++ return -EINVAL; + + alt = pcu->data_intf->cur_altsetting; + if (alt->desc.bNumEndpoints != 2) { +-- +2.5.0 + diff --git a/freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch b/freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch new file mode 100644 index 000000000..849f607a5 --- /dev/null 
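Review bot: The guard `if (serial->num_ports < serial_priv->ds_oob_port_num) goto error;` in digi_startup() passes on equality, yet the loop that follows runs `i` up to and including `serial->type->num_ports` (the same value as ds_oob_port_num) and dereferences `serial->port[i]->read_urb` without checking the pointer; whether `serial->port[]` always holds a populated entry at that index is outside the hunk, so the loop should at least not assume it: `if (!serial->port[i] || !serial->port[i]->read_urb) goto error;` and likewise for write_urb. Separately, the loop condition has a stray space before the semicolon (`num_ports + 1 ; i++`). Replacing the inline kfree/return with the `error:` label is the right direction.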
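Review bot: After the new `if (!pcu->ctrl_intf) return -EINVAL;` in ims_pcu_parse_cdc_data(), the context lines `alt = pcu->ctrl_intf->cur_altsetting;` and `pcu->ep_ctrl = &alt->endpoint[0].desc;` still index endpoint[0] with no check on `alt->desc.bNumEndpoints`, whereas the data-interface path right below does check `alt->desc.bNumEndpoints != 2`; a control interface with zero endpoints is the same malformed-descriptor shape this commit is fixing. Suggest `if (alt->desc.bNumEndpoints < 1) return -EINVAL;` between those two lines. The function starts and ends outside the hunk.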
+++ b/freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch @@ -0,0 +1,49 @@ +Subject: [PATCH] Input: gtco: fix crash on detecting device without endpoints +From: Vladis Dronov <vdronov@redhat.com> +Date: 2016-03-18 18:35:00 + +The gtco driver expects at least one valid endpoint. If given +malicious descriptors that specify 0 for the number of endpoints, +it will crash in the probe function. Ensure there is at least +one endpoint on the interface before using it. Fix minor coding +style issue. + +The full report of this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/86 + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/input/tablet/gtco.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c +index 3a7f3a4..7c18249 100644 +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface, + goto err_free_buf; + } + ++ /* Sanity check that a device has an endpoint */ ++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ dev_err(&usbinterface->dev, ++ "Invalid number of endpoints\n"); ++ error = -EINVAL; ++ goto err_free_urb; ++ } ++ + /* + * The endpoint is always altsetting 0, we know this since we know + * this device only has one interrupt endpoint +@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface, + * HID report descriptor + */ + if (usb_get_extra_descriptor(usbinterface->cur_altsetting, +- HID_DEVICE_TYPE, &hid_desc) != 0){ ++ HID_DEVICE_TYPE, &hid_desc) != 0) { + dev_err(&usbinterface->dev, + "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); + error = -EIO; +-- +2.5.0 diff --git a/freed-ora/current/f22/kernel.spec b/freed-ora/current/f22/kernel.spec index 7873b2dfc..d86f21397 100644 --- a/freed-ora/current/f22/kernel.spec 
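Review bot: The gtco hunk mixes an unrelated whitespace fix (`!= 0){` to `!= 0) {`) into a malformed-descriptor fix, which makes a backport noisier than it needs to be; style-only changes belong in a separate patch. The new check reads `usbinterface->altsetting[0].desc.bNumEndpoints` while the nearby usb_get_extra_descriptor() call reads `usbinterface->cur_altsetting`; the comment asserts altsetting 0 is the only one, but using cur_altsetting consistently, as the powermate and iowarrior fixes in this series do, avoids depending on that. gtco_probe() starts and ends outside the hunk.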
+++ b/freed-ora/current/f22/kernel.spec @@ -40,7 +40,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching 
@@ -684,6 +684,52 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch #CVE-2016-3135 rhbz 1318172 1318270 Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch +#CVE-2016-2184 rhbz 1317012 1317470 +Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch +Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch + +#CVE-2016-3137 rhbz 1317010 1316996 +Patch672: cypress_m8-add-sanity-checking.patch + +#CVE-2016-2186 rhbz 1317015 1317464 +Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch + +#CVE-2016-2188 rhbz 1317018 1317467 +Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch + +#CVE-2016-2185 rhbz 1317014 1317471 +Patch675: usb_driver_claim_interface-add-sanity-checking.patch +Patch669: Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch + +#CVE-2016-3138 rhbz 1317010 1316204 +Patch676: cdc-acm-more-sanity-checking.patch + +#CVE-2016-3140 rhbz 1317010 1316995 +Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch + +Patch678: ims-pcu-sanity-check-against-missing-interfaces.patch + +#rhbz 1315013 +Patch679: 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch + +#rhbz 1317190 +Patch680: thermal-fix.patch + +#rhbz 1318079 +Patch681: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch + +#CVE-2016-2187 rhbz 1317017 1317010 +Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch + +#CVE-2016-3136 rhbz 1317007 1317010 +Patch687: mct_u232-sanity-checking-in-probe.patch + +#rhbz 1295646 +Patch688: 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch + +# CVE-2016-3157 rhbz 1315711 1321948 +Patch689: x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch + # END OF PATCH DEFINITIONS %endif 
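Review bot: `Patch669: Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch` is defined out of numeric order, between Patch675 and Patch676, and the same ordering is repeated in the ApplyPatch block of the next hunk; placing it with its numeric neighbours keeps the two lists easy to compare. `Patch678: ims-pcu-sanity-check-against-missing-interfaces.patch` is the only new entry without a `#CVE-… rhbz …` or `#rhbz …` line above it, and its changelog entry also cites no bug; if a tracking bug exists, add `#rhbz <bug-id>` above it so the entry is traceable like its siblings. Patch675 and Patch689 name patch files not shown in this part of the diff; presumably they are among the remaining files of the diffstat further down.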
@@ -1468,6 +1514,52 @@ ApplyPatch netfilter-x_tables-deal-with-bogus-nextoffset-values.patch #CVE-2016-3135 rhbz 1318172 1318270 ApplyPatch ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch +#CVE-2016-2184 rhbz 1317012 1317470 +ApplyPatch ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch +ApplyPatch ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch + +#CVE-2016-3137 rhbz 1317010 1316996 +ApplyPatch cypress_m8-add-sanity-checking.patch + +#CVE-2016-2186 rhbz 1317015 1317464 +ApplyPatch USB-input-powermate-fix-oops-with-malicious-USB-desc.patch + +#CVE-2016-2188 rhbz 1317018 1317467 +ApplyPatch USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch + +#CVE-2016-2185 rhbz 1317014 1317471 +ApplyPatch usb_driver_claim_interface-add-sanity-checking.patch +ApplyPatch Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch + +#CVE-2016-3138 rhbz 1317010 1316204 +ApplyPatch cdc-acm-more-sanity-checking.patch + +#CVE-2016-3140 rhbz 1317010 1316995 +ApplyPatch digi_acceleport-do-sanity-checking-for-the-number-of.patch + +ApplyPatch ims-pcu-sanity-check-against-missing-interfaces.patch + +#rhbz 1315013 +ApplyPatch 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch + +#rhbz 1317190 +ApplyPatch thermal-fix.patch + +#rhbz 1318079 +ApplyPatch 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch + +#CVE-2016-2187 rhbz 1317017 1317010 +ApplyPatch input-gtco-fix-crash-on-detecting-device-without-end.patch + +#CVE-2016-3136 rhbz 1317007 1317010 +ApplyPatch mct_u232-sanity-checking-in-probe.patch + +#rhbz 1295646 +ApplyPatch 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch + +# CVE-2016-3157 rhbz 1315711 1321948 +ApplyPatch x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch + # END OF PATCH APPLICATIONS %endif 
@@ -2330,6 +2422,34 @@ fi # # %changelog +* Wed Mar 30 2016 Laura Abbott <labbott@redhat.com> - 4.4.6-201 +- Bump and build + +* Tue Mar 29 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3157 xen: priv escalation on 64bit PV domains with io port access (rhbz 1315711 1321948) + +* Wed Mar 23 2016 Laura Abbott <labbott@fedoraproject.org> +- drm/udl: Use unlocked gem unreferencing (rhbz 1295646) + +* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010) +- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010) + +* Mon Mar 21 2016 Laura Abbott <labbott@fedoraproject.org> +- uas: Limit qdepth at the scsi-host level (rhbz 1315013) +- Fix for performance regression caused by thermal (rhbz 1317190) +- Input: synaptics - handle spurious release of trackstick buttons, again (rhbz 1318079) + +* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org> +- ims-pcu: sanity checking on missing interfaces +- CVE-2016-3140 digi_acceleport: oops on invalid USB descriptors (rhbz 1317010 1316995) +- CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204) +- CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471) +- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467) +- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464) +- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996) +- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470) + * Fri Mar 18 2016 Alexandre Oliva <lxoliva@fsfla.org> -libre - GNU Linux-libre 4.4.6-gnu. diff --git a/freed-ora/current/f22/mct_u232-sanity-checking-in-probe.patch b/freed-ora/current/f22/mct_u232-sanity-checking-in-probe.patch new file mode 100644 index 000000000..006faf15f --- /dev/null +++ b/freed-ora/current/f22/mct_u232-sanity-checking-in-probe.patch 
@@ -0,0 +1,35 @@
+Subject: [PATCH v2] mct_u232: sanity checking in probe
+From: Oliver Neukum <oneukum@suse.com>
+Date: 2016-03-21 13:14:37
+
+An attack using the lack of sanity checking in probe
+is known. This patch checks for the existance of a
+second port.
+CVE-2016-3136
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+
+v1 - add sanity check for presence of a second port
+v2 - add sanity check for an interrupt endpoint
+---
+ drivers/usb/serial/mct_u232.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 4446b8d..3e64538 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+ struct mct_u232_private *priv;
+
++ /* check first to simplify error handling */
++ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
++ return -ENODEV;
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+--
+2.1.4
diff --git a/freed-ora/current/f22/thermal-fix.patch b/freed-ora/current/f22/thermal-fix.patch
new file mode 100644
index 000000000..bca27cfbe
--- /dev/null
+++ b/freed-ora/current/f22/thermal-fix.patch
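Review bot: The new guard in mct_u232_port_probe() tests `port->serial->port[1]` and its `interrupt_in_urb` rather than the `port` being probed, and the comment `/* check first to simplify error handling */` says only when the check runs, not why a second port with an interrupt-in endpoint is mandatory for this device. Presumably the driver reads its status through port[1]'s interrupt URB; if that is the dependency, a comment such as `/* status is read via port[1]'s interrupt-in URB; refuse devices whose descriptors lack it */` would tell the next reader what the -ENODEV protects. If port_probe is invoked once per port, it is also worth confirming that repeating the port[1] check when port[1] itself is probed is intended. The rest of mct_u232_port_probe() lies outside the embedded hunk.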
@@ -0,0 +1,77 @@
+From 81ad4276b505e987dd8ebbdf63605f92cd172b52 Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Fri, 18 Mar 2016 10:03:24 +0800
+Subject: [PATCH] Thermal: Ignore invalid trip points
+
+In some cases, platform thermal driver may report invalid trip points,
+thermal core should not take any action for these trip points.
+
+CC: <stable@vger.kernel.org> #3.18+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1317190
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=114551
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+---
+ drivers/thermal/thermal_core.c | 13 ++++++++++++-
+ include/linux/thermal.h | 2 ++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index a0a8fd1..d4b5465 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -454,6 +454,10 @@ static void handle_thermal_trip(struct thermal_zone_device *tz, int trip)
+ {
+ enum thermal_trip_type type;
+
++ /* Ignore disabled trip points */
++ if (test_bit(trip, &tz->trips_disabled))
++ return;
++
+ tz->ops->get_trip_type(tz, trip, &type);
+
+ if (type == THERMAL_TRIP_CRITICAL || type == THERMAL_TRIP_HOT)
+@@ -1800,6 +1804,7 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
+ {
+ struct thermal_zone_device *tz;
+ enum thermal_trip_type trip_type;
++ int trip_temp;
+ int result;
+ int count;
+ int passive = 0;
+@@ -1871,9 +1876,15 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
+ goto unregister;
+
+ for (count = 0; count < trips; count++) {
+- tz->ops->get_trip_type(tz, count, &trip_type);
++ if (tz->ops->get_trip_type(tz, count, &trip_type))
++ set_bit(count, &tz->trips_disabled);
+ if (trip_type == THERMAL_TRIP_PASSIVE)
+ passive = 1;
++ if (tz->ops->get_trip_temp(tz, count, &trip_temp))
++ set_bit(count, &tz->trips_disabled);
++ /* Check for bogus trip points */
++ if (trip_temp == 0)
++ set_bit(count, &tz->trips_disabled);
+ }
+
+ if (!passive) {
+diff --git a/include/linux/thermal.h b/include/linux/thermal.h
+index 9c48199..a55d052 100644
+--- a/include/linux/thermal.h
++++ b/include/linux/thermal.h
+@@ -156,6 +156,7 @@ struct thermal_attr {
+ * @trip_hyst_attrs: attributes for trip points for sysfs: trip hysteresis
+ * @devdata: private pointer for device private data
+ * @trips: number of trip points the thermal zone supports
++ * @trips_disabled; bitmap for disabled trips
+ * @passive_delay: number of milliseconds to wait between polls when
+ * performing passive cooling.
+ * @polling_delay: number of milliseconds to wait between polls when
+@@ -191,6 +192,7 @@ struct thermal_zone_device {
+ struct thermal_attr *trip_hyst_attrs;
+ void *devdata;
+ int trips;
++ unsigned long trips_disabled; /* bitmap for disabled trips */
+ int passive_delay;
+ int polling_delay;
+ int temperature;
diff --git a/freed-ora/current/f22/usb_driver_claim_interface-add-sanity-checking.patch b/freed-ora/current/f22/usb_driver_claim_interface-add-sanity-checking.patch
new file mode 100644
index 000000000..079ff03fd
--- /dev/null
+++ b/freed-ora/current/f22/usb_driver_claim_interface-add-sanity-checking.patch
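Review bot: In the thermal_zone_device_register() loop, `trip_type` and the newly added `int trip_temp` are still read after their getter fails: `if (trip_type == THERMAL_TRIP_PASSIVE)` runs even when get_trip_type() returned an error, and `if (trip_temp == 0)` reads an uninitialized `trip_temp` when get_trip_temp() returned an error, so on that path whether the bogus-trip bit is set depends on whatever is on the stack. Folding the three failure conditions into a single early `continue` (below) removes both reads; it also stops a disabled trip from setting `passive`, which looks consistent with handle_thermal_trip() now ignoring such trips but should be confirmed against the passive-polling setup that follows the loop. The bitmap is one `unsigned long`, so set_bit(count, …) relies on `trips` staying below BITS_PER_LONG, presumably via the existing THERMAL_MAX_TRIPS check earlier in the function, outside this hunk. Separately, the kernel-doc line should read `* @trips_disabled: bitmap for disabled trips` — with the semicolon in `@trips_disabled;` the member description will not be parsed.
```c
	for (count = 0; count < trips; count++) {
		if (tz->ops->get_trip_type(tz, count, &trip_type) ||
		    tz->ops->get_trip_temp(tz, count, &trip_temp) ||
		    trip_temp == 0) {
			/* unreadable or bogus trip point: never act on it */
			set_bit(count, &tz->trips_disabled);
			continue;
		}
		if (trip_type == THERMAL_TRIP_PASSIVE)
			passive = 1;
	}
	/* … unchanged: passive-delay handling … */
```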
@@ -0,0 +1,39 @@
+From de0784bdf6314b70c69416d8c576eb83237d5b1e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 16 Mar 2016 12:26:17 -0400
+Subject: [PATCH] usb_driver_claim_interface: add sanity checking
+
+Attacks that trick drivers into passing a NULL pointer
+to usb_driver_claim_interface() using forged descriptors are
+known. This thwarts them by sanity checking.
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+---
+ drivers/usb/core/driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
+index 6b5063e7943f..e2d242b68d4b 100644
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -500,11 +500,15 @@ static int usb_unbind_interface(struct device *dev)
+ int usb_driver_claim_interface(struct usb_driver *driver,
+ struct usb_interface *iface, void *priv)
+ {
+- struct device *dev = &iface->dev;
++ struct device *dev;
+ struct usb_device *udev;
+ int retval = 0;
+ int lpm_disable_error;
+
++ if (!iface)
++ return -ENODEV;
++
++ dev = &iface->dev;
+ if (dev->driver)
+ return -EBUSY;
+
+--
+2.5.0
+
diff --git a/freed-ora/current/f22/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch b/freed-ora/current/f22/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
new file mode 100644
index 000000000..38f7bfbb0
--- /dev/null
+++ b/freed-ora/current/f22/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
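Review bot: The new `if (!iface) return -ENODEV;` changes the contract of usb_driver_claim_interface(), but the kernel-doc block above the function (outside the embedded hunk) is not updated, so a caller cannot tell from the documentation that a NULL interface is now rejected rather than dereferenced, nor distinguish that -ENODEV from one meaning the device is gone. Suggest adding to the function's description: `Returns -ENODEV if @iface is NULL (for example when forged descriptors left an interface pointer unset) and -EBUSY if the interface is already claimed.` The remainder of usb_driver_claim_interface() continues outside the hunk.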
@@ -0,0 +1,96 @@
+From b7a584598aea7ca73140cb87b40319944dd3393f Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 16 Mar 2016 14:14:21 -0700
+Subject: [PATCH] x86/iopl/64: Properly context-switch IOPL on Xen PV
+
+On Xen PV, regs->flags doesn't reliably reflect IOPL and the
+exit-to-userspace code doesn't change IOPL. We need to context
+switch it manually.
+
+I'm doing this without going through paravirt because this is
+specific to Xen PV. After the dust settles, we can merge this with
+the 32-bit code, tidy up the iopl syscall implementation, and remove
+the set_iopl pvop entirely.
+
+Fixes XSA-171.
+
+Reviewewd-by: Jan Beulich <JBeulich@suse.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: David Vrabel <david.vrabel@citrix.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jan Beulich <JBeulich@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/693c3bd7aeb4d3c27c92c622b7d0f554a458173c.1458162709.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/include/asm/xen/hypervisor.h | 2 ++
+ arch/x86/kernel/process_64.c | 12 ++++++++++++
+ arch/x86/xen/enlighten.c | 2 +-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h
+index 8b2d4bea9962..39171b3646bb 100644
+--- a/arch/x86/include/asm/xen/hypervisor.h
++++ b/arch/x86/include/asm/xen/hypervisor.h
+@@ -62,4 +62,6 @@ void xen_arch_register_cpu(int num);
+ void xen_arch_unregister_cpu(int num);
+ #endif
+
++extern void xen_set_iopl_mask(unsigned mask);
++
+ #endif /* _ASM_X86_XEN_HYPERVISOR_H */
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index b9d99e0f82c4..9f751876066f 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -48,6 +48,7 @@
+ #include <asm/syscalls.h>
+ #include <asm/debugreg.h>
+ #include <asm/switch_to.h>
++#include <asm/xen/hypervisor.h>
+
+ asmlinkage extern void ret_from_fork(void);
+
+@@ -411,6 +412,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+ task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
+ __switch_to_xtra(prev_p, next_p, tss);
+
++#ifdef CONFIG_XEN
++ /*
++ * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
++ * current_pt_regs()->flags may not match the current task's
++ * intended IOPL. We need to switch it manually.
++ */
++ if (unlikely(static_cpu_has(X86_FEATURE_XENPV) &&
++ prev->iopl != next->iopl))
++ xen_set_iopl_mask(next->iopl);
++#endif
++
+ if (static_cpu_has_bug(X86_BUG_SYSRET_SS_ATTRS)) {
+ /*
+ * AMD CPUs have a misfeature: SYSRET sets the SS selector but
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 2c261082eadf..8381fb990c7f 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -961,7 +961,7 @@ static void xen_load_sp0(struct tss_struct *tss,
+ tss->x86_tss.sp0 = thread->sp0;
+ }
+
+-static void xen_set_iopl_mask(unsigned mask)
++void xen_set_iopl_mask(unsigned mask)
+ {
+ struct physdev_set_iopl set_iopl;
+
+--
+2.5.5
+
|
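Review bot: The new declaration `extern void xen_set_iopl_mask(unsigned mask);` in hypervisor.h carries `extern` on a function prototype, which checkpatch reports (AVOID_EXTERNS) and which the neighbouring `void xen_arch_unregister_cpu(int num);` in the same header does without; `void xen_set_iopl_mask(unsigned int mask);` matches the surrounding style, and `unsigned int` over bare `unsigned` is the other checkpatch preference, though changing that would also mean touching the enlighten.c definition. The trailer `Reviewewd-by:` is misspelled, so tooling that keys on `Reviewed-by:` will not credit Jan Beulich's review; since this is a verbatim copy of the upstream patch, that fix belongs upstream rather than in this file. The `__switch_to()` body into which the `#ifdef CONFIG_XEN` block is inserted starts and ends outside the embedded hunk.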