From ae3c9b80899f7051076ac5548d3d97ab943b6174 Mon Sep 17 00:00:00 2001
From: Justin M. Forbes
Date: Mar 09 2015 14:39:46 +0000
Subject: Linux v3.18.9
---
diff --git a/0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch b/0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch
deleted file mode 100644
index 3d65d37..0000000
--- a/0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 1079a4c2288cf33c13d2c6ca3e07d4039b1f39f0 Mon Sep 17 00:00:00 2001
-From: John Stultz
-Date: Mon, 2 Feb 2015 10:57:56 -0800
-Subject: [PATCH] ntp: Fixup adjtimex freq validation on 32bit systems
-
-Additional validation of adjtimex freq values to avoid
-potential multiplication overflows were added in commit
-5e5aeb4367b (time: adjtimex: Validate the ADJ_FREQUENCY values)
-
-Unfortunately the patch used LONG_MAX/MIN instead of
-LLONG_MAX/MIN, which was fine on 64bit systems, but caused
-false positives on 32bit systems resulting in most direct
-frequency adjustments to fail w/ EINVAL.
-
-ntpd only does driect frequency adjustments at startup,
-so the issue was not easily observed there, but other sync
-applications like ptpd and chrony were more effected by
-the bug.
-
-Cc: Sasha Levin
-Reported-by: Josh Boyer
-Reported-by: George Joseph
-Signed-off-by: John Stultz
----
- kernel/time/ntp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
-index 28bf91c..242774d 100644
---- a/kernel/time/ntp.c
-+++ b/kernel/time/ntp.c
-@@ -634,9 +634,9 @@ int ntp_validate_timex(struct timex *txc)
- return -EPERM;
-
- if (txc->modes & ADJ_FREQUENCY) {
-- if (LONG_MIN / PPM_SCALE > txc->freq)
-+ if (LLONG_MIN / PPM_SCALE > txc->freq)
- return -EINVAL;
-- if (LONG_MAX / PPM_SCALE < txc->freq)
-+ if (LLONG_MAX / PPM_SCALE < txc->freq)
- return -EINVAL;
- }
-
---
-1.9.1
-
diff --git a/ASLR-fix-stack-randomization-on-64-bit-systems.patch b/ASLR-fix-stack-randomization-on-64-bit-systems.patch
deleted file mode 100644
index 077059a..0000000
--- a/ASLR-fix-stack-randomization-on-64-bit-systems.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From: Hector Marco-Gisbert
-Date: Sat, 14 Feb 2015 09:33:50 -0800
-Subject: [PATCH] ASLR: fix stack randomization on 64-bit systems
-
-The issue is that the stack for processes is not properly randomized on 64 bit
-architectures due to an integer overflow.
-
-The affected function is randomize_stack_top() in file "fs/binfmt_elf.c":
-
-static unsigned long randomize_stack_top(unsigned long stack_top)
-{
- unsigned int random_variable = 0;
-
- if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
- random_variable = get_random_int() & STACK_RND_MASK;
- random_variable <<= PAGE_SHIFT;
- }
- return PAGE_ALIGN(stack_top) + random_variable;
- return PAGE_ALIGN(stack_top) - random_variable;
-}
-
-Note that, it declares the "random_variable" variable as "unsigned int". Since
-the result of the shifting operation between STACK_RND_MASK (which is
-0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
-
-random_variable <<= PAGE_SHIFT;
-
-then the two leftmost bits are dropped when storing the result in the
-"random_variable". This variable shall be at least 34 bits long to hold the
-(22+12) result.
-
-These two dropped bits have an impact on the entropy of process stack.
-Concretely, the total stack entropy is reduced by four: from 2^28 to 2^30 (One
-fourth of expected entropy).
-
-This patch restores back the entropy by correcting the types involved in the
-operations in the functions randomize_stack_top() and stack_maxrandom_size().
-
-The successful fix can be tested with:
-$ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
-7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
-7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
-7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
-7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
-...
-
-Once corrected, the leading bytes should be between 7ffc and 7fff, rather
-than always being 7fff.
-
-CVE-2015-1593
-
-Signed-off-by: Hector Marco-Gisbert
-Signed-off-by: Ismael Ripoll
-[kees: rebase, fix 80 char, clean up commit message, add test example, cve]
-Signed-off-by: Kees Cook
-Cc: stable@vger.kernel.org
----
- arch/x86/mm/mmap.c | 6 +++---
- fs/binfmt_elf.c | 5 +++--
- 2 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
-index 919b91205cd4..df4552bd239e 100644
---- a/arch/x86/mm/mmap.c
-+++ b/arch/x86/mm/mmap.c
-@@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_align = {
- .flags = -1,
- };
-
--static unsigned int stack_maxrandom_size(void)
-+static unsigned long stack_maxrandom_size(void)
- {
-- unsigned int max = 0;
-+ unsigned long max = 0;
- if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
-- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
-+ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
- }
-
- return max;
-diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index d8fc0605b9d2..e1efcaa1b245 100644
---- a/fs/binfmt_elf.c
-+++ b/fs/binfmt_elf.c
-@@ -554,11 +554,12 @@ out:
-
- static unsigned long randomize_stack_top(unsigned long stack_top)
- {
-- unsigned int random_variable = 0;
-+ unsigned long random_variable = 0;
-
- if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
-- random_variable = get_random_int() & STACK_RND_MASK;
-+ random_variable = (unsigned long) get_random_int();
-+ random_variable &= STACK_RND_MASK;
- random_variable <<= PAGE_SHIFT;
- }
- #ifdef CONFIG_STACK_GROWSUP
---
-2.1.0
-
diff --git a/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch b/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
deleted file mode 100644
index 0df8a04..0000000
--- a/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Seth Forshee
-Date: Fri, 20 Feb 2015 17:45:11 -0500
-Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input
- events
-
-d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
-changed hid_get_input() to read ihid->bufsize bytes, which can be
-more than wMaxInputLength. This is the case with the Dell XPS 13
-9343, and it is causing events to be missed. In some cases the
-missed events are releases, which can cause the cursor to jump or
-freeze, among other problems. Limit the number of bytes read to
-min(wMaxInputLength, ihid->bufsize) to prevent such problems.
-
-Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
-Cc: Benjamin Tissoires
-Signed-off-by: Seth Forshee
----
- drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
-index 80e33e0abc52..6d7c9c580ceb 100644
---- a/drivers/hid/i2c-hid/i2c-hid.c
-+++ b/drivers/hid/i2c-hid/i2c-hid.c
-@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client)
- static void i2c_hid_get_input(struct i2c_hid *ihid)
- {
- int ret, ret_size;
-- int size = ihid->bufsize;
-+ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
-+
-+ if (size > ihid->bufsize)
-+ size = ihid->bufsize;
-
- ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
- if (ret != size) {
---
-2.1.0
-
diff --git a/kernel.spec b/kernel.spec
index b28ae4e..68f979f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching
@@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 9 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -619,8 +619,6 @@ Patch26121: Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch Patch26126: uas-Do-not-blacklist-ASM1153-disk-enclosures.patch Patch26127: uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch -#rhbz 1115713 -Patch26129: samsung-laptop-Add-use_native_backlight-quirk-and-en.patch #rhbz 1163574 Patch26130: acpi-video-Add-disable_native_backlight-quirk-for-De.patch #rhbz 1094948 @@ -632,15 +630,9 @@ Patch30000: kernel-arm64.patch # Fix for big-endian arches, already upstream Patch30001: mpssd-x86-only.patch -#rhbz 1188074 -Patch30003: 0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch - #rhbz 1186097 Patch30004: acpi-video-add-disable_native_backlight_quirk_for_samsung_510r.patch -#CVE-2015-1593 rhbz 1192519 1192520 -Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch - #CVE-XXXX-XXXX rhbz 1189864 1192079 Patch26136: vhost-scsi-potential-memory-corruption.patch @@ -650,9 +642,6 @@ Patch26142: NFS-fix-clp-cl_revoked-list-deletion-causing-softloc.patch #CVE-2015-0275 rhbz 1193907 1195178 Patch26138: ext4-Allocate-entire-range-in-zero-range.patch -#rhbz 1188439 -Patch26139: HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch - #rhbz 1190947 Patch26141: Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch @@ -1383,8 +1372,6 @@ ApplyPatch Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch ApplyPatch uas-Do-not-blacklist-ASM1153-disk-enclosures.patch ApplyPatch uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch -#rhbz 1115713 -ApplyPatch samsung-laptop-Add-use_native_backlight-quirk-and-en.patch #rhbz 1163574 ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-De.patch #rhbz 1094948 
@@ -1393,24 +1380,15 @@ ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-Sa.patch # Fix for big-endian arches, already upstream ApplyPatch mpssd-x86-only.patch -#rhbz 1188074 -ApplyPatch 0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch - #rhbz 1186097 ApplyPatch acpi-video-add-disable_native_backlight_quirk_for_samsung_510r.patch -#CVE-2015-1593 rhbz 1192519 1192520 -ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch - #CVE-XXXX-XXXX rhbz 1189864 1192079 ApplyPatch vhost-scsi-potential-memory-corruption.patch #CVE-2015-0275 rhbz 1193907 1195178 ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch -#rhbz 1188439 -ApplyPatch HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch - #rhbz 1190947 ApplyPatch Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch @@ -2287,6 +2265,9 @@ fi # ||----w | # || || %changelog +* Mon Mar 09 2015 Justin M. Forbes - 3.18.9-200 +- Linux v3.18.9 + * Mon Mar 02 2015 Josh Boyer - Add patch to fix nfsd soft lockup (rhbz 1185519) - Enable ET131X driver (rhbz 1197842) diff --git a/samsung-laptop-Add-use_native_backlight-quirk-and-en.patch b/samsung-laptop-Add-use_native_backlight-quirk-and-en.patch deleted file mode 100644 index 30f5730..0000000 --- a/samsung-laptop-Add-use_native_backlight-quirk-and-en.patch +++ /dev/null 
@@ -1,107 +0,0 @@
-From: Hans de Goede
-Date: Fri, 9 Jan 2015 14:51:21 +0100
-Subject: [PATCH] samsung-laptop: Add use_native_backlight quirk, and enable it
- on some models
-
-Since kernel 3.14 the backlight control has been broken on various Samsung
-Atom based netbooks. This has been bisected and this problem happens since
-commit b35684b8fa94 ("drm/i915: do full backlight setup at enable time")
-
-This has been reported and discussed in detail here:
-http://lists.freedesktop.org/archives/intel-gfx/2014-July/049395.html
-
-Unfortunately no-one has been able to fix this. This only affects Samsung
-Atom netbooks, and the Linux kernel and the BIOS of those laptops have never
-worked well together. All affected laptops already have a quirk to avoid using
-the standard acpi-video interface and instead use the samsung specific SABI
-interface which samsung-laptop uses. It seems that recent fixes to the i915
-driver have also broken backlight control through the SABI interface.
-
-The intel_backlight driver OTOH works fine, and also allows for finer grained
-backlight control. So add a new use_native_backlight quirk, and replace the
-broken_acpi_video quirk with this quirk for affected models. This new quirk
-disables acpi-video as before and also stops samsung-laptop from registering
-the SABI based samsung_laptop backlight interface, leaving only the working
-intel_backlight interface.
-
-This commit enables this new quirk for 3 models which are known to be affected,
-chances are that it needs to be used on other models too.
-
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1094948 # N145P
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1115713 # N250P
-Reported-by: Bertrik Sikken # N150P
-Cc: stable@vger.kernel.org # 3.16
-Signed-off-by: Hans de Goede
----
- drivers/platform/x86/samsung-laptop.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
-index 864290243e46..477de0a9e1ee 100644
---- a/drivers/platform/x86/samsung-laptop.c
-+++ b/drivers/platform/x86/samsung-laptop.c
-@@ -353,6 +353,7 @@ struct samsung_quirks {
- bool broken_acpi_video;
- bool four_kbd_backlight_levels;
- bool enable_kbd_backlight;
-+ bool use_native_backlight;
- };
-
- static struct samsung_quirks samsung_unknown = {};
-@@ -361,6 +362,10 @@ static struct samsung_quirks samsung_broken_acpi_video = {
- .broken_acpi_video = true,
- };
-
-+static struct samsung_quirks samsung_use_native_backlight = {
-+ .use_native_backlight = true,
-+};
-+
- static struct samsung_quirks samsung_np740u3e = {
- .four_kbd_backlight_levels = true,
- .enable_kbd_backlight = true,
-@@ -1507,7 +1512,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
- DMI_MATCH(DMI_PRODUCT_NAME, "N150P"),
- DMI_MATCH(DMI_BOARD_NAME, "N150P"),
- },
-- .driver_data = &samsung_broken_acpi_video,
-+ .driver_data = &samsung_use_native_backlight,
- },
- {
- .callback = samsung_dmi_matched,
-@@ -1517,7 +1522,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
- DMI_MATCH(DMI_PRODUCT_NAME, "N145P/N250P/N260P"),
- DMI_MATCH(DMI_BOARD_NAME, "N145P/N250P/N260P"),
- },
-- .driver_data = &samsung_broken_acpi_video,
-+ .driver_data = &samsung_use_native_backlight,
- },
- {
- .callback = samsung_dmi_matched,
-@@ -1557,7 +1562,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
- DMI_MATCH(DMI_PRODUCT_NAME, "N250P"),
- DMI_MATCH(DMI_BOARD_NAME, "N250P"),
- },
-- .driver_data = &samsung_broken_acpi_video,
-+ .driver_data = &samsung_use_native_backlight,
- },
- {
- .callback = samsung_dmi_matched,
-@@ -1626,6 +1631,15 @@ static int __init samsung_init(void)
- pr_info("Disabling ACPI video driver\n");
- acpi_video_unregister();
- }
-+
-+ if (samsung->quirks->use_native_backlight) {
-+ pr_info("Using native backlight driver\n");
-+ /* Tell acpi-video to not handle the backlight */
-+ acpi_video_dmi_promote_vendor();
-+ acpi_video_unregister();
-+ /* And also do not handle it ourselves */
-+ samsung->handle_backlight = false;
-+ }
- #endif
-
- ret = samsung_platform_init(samsung);
---
-2.1.0
-
diff --git a/sources b/sources
index ac09196..94123c7 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 9e854df51ca3fef8bfe566dbd7b89241 linux-3.18.tar.xz
 813ccb96f0b379d656e57442c2587ca3 perf-man-3.18.tar.gz
-b7bd36ce9f4bff165ee776e2b9263257 patch-3.18.8.xz
+41077062d4b7beefd88d4df6e598e376 patch-3.18.9.xz