From b61169ac06e6c26ec5a8bee4415ebd38026a5e89 Mon Sep 17 00:00:00 2001 From: Justin M. Forbes Date: Sep 27 2013 12:28:53 +0000 Subject: Linux v3.11.2 --- diff --git a/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch b/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch deleted file mode 100644 index b7bbf77..0000000 --- a/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 0adb9c2c5ed42f199cb2a630c37d18dee385fae2 Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires -Date: Mon, 15 Jul 2013 10:12:18 +0200 -Subject: [PATCH] HID: kye: Add report fixup for Genius Gx Imperator Keyboard - -Genius Gx Imperator Keyboard presents the same problem in its report -descriptors than Genius Gila Gaming Mouse. -Use the same fixup for both. - -Fixes: -https://bugzilla.redhat.com/show_bug.cgi?id=928561 - -Reported-and-tested-by: Honza Brazdil -Signed-off-by: Benjamin Tissoires -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-core.c | 1 + - drivers/hid/hid-ids.h | 1 + - drivers/hid/hid-kye.c | 45 ++++++++++++++++++++++++++++----------------- - 3 files changed, 30 insertions(+), 17 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 8de5cb8..b0f2f45 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1594,6 +1594,7 @@ static const struct hid_device_id hid_have_special_driver[] = { - { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, -+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GX_IMPERATOR) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) }, -diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h -index c5aea29..0288531 100644 ---- a/drivers/hid/hid-ids.h -+++ b/drivers/hid/hid-ids.h -@@ -479,6 +479,7 @@ - #define USB_VENDOR_ID_KYE 0x0458 - #define USB_DEVICE_ID_KYE_ERGO_525V 0x0087 - #define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138 -+#define USB_DEVICE_ID_GENIUS_GX_IMPERATOR 0x4018 - #define USB_DEVICE_ID_KYE_GPEN_560 0x5003 - #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010 - #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011 -diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c -index 1e2ee2aa..7384512 100644 ---- a/drivers/hid/hid-kye.c -+++ b/drivers/hid/hid-kye.c -@@ -268,6 +268,26 @@ static __u8 easypen_m610x_rdesc_fixed[] = { - 0xC0 /* End Collection */ - }; - -+static __u8 *kye_consumer_control_fixup(struct hid_device *hdev, __u8 *rdesc, -+ unsigned int *rsize, int offset, const char *device_name) { -+ /* -+ * the fixup that need to be done: -+ * - change Usage Maximum in the Comsumer Control -+ * (report ID 3) to a reasonable value -+ */ -+ if (*rsize >= offset + 31 && -+ /* Usage Page (Consumer Devices) */ -+ rdesc[offset] == 0x05 && rdesc[offset + 1] == 0x0c && -+ /* Usage (Consumer Control) */ -+ rdesc[offset + 2] == 0x09 && rdesc[offset + 3] == 0x01 && -+ /* Usage Maximum > 12287 */ -+ rdesc[offset + 10] == 0x2a && rdesc[offset + 12] > 0x2f) { -+ hid_info(hdev, "fixing up %s report descriptor\n", device_name); -+ rdesc[offset + 12] = 0x2f; -+ } -+ return rdesc; -+} -+ - static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, - unsigned int *rsize) - { -@@ -315,23 +335,12 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, - } - break; - case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE: -- /* -- * the fixup that need to be done: -- * - change Usage Maximum in the Comsumer Control -- * (report ID 3) to a reasonable value -- */ -- if (*rsize >= 135 && -- /* Usage Page (Consumer Devices) */ -- rdesc[104] == 0x05 && rdesc[105] == 0x0c && -- /* Usage (Consumer Control) */ -- rdesc[106] == 0x09 && rdesc[107] == 0x01 && -- /* Usage Maximum > 12287 */ -- rdesc[114] == 0x2a && rdesc[116] > 0x2f) { -- hid_info(hdev, -- "fixing up Genius Gila Gaming Mouse " -- "report descriptor\n"); -- rdesc[116] = 0x2f; -- } -+ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 104, -+ "Genius Gila Gaming Mouse"); -+ break; -+ case USB_DEVICE_ID_GENIUS_GX_IMPERATOR: -+ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 83, -+ "Genius Gx Imperator Keyboard"); - break; - } - return rdesc; -@@ -428,6 +437,8 @@ static const struct hid_device_id kye_devices[] = { - USB_DEVICE_ID_KYE_EASYPEN_M610X) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, - USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, -+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, -+ USB_DEVICE_ID_GENIUS_GX_IMPERATOR) }, - { } - }; - MODULE_DEVICE_TABLE(hid, kye_devices); --- -1.8.3.1 - diff --git a/HID-CVE-fixes-3.11.patch b/HID-CVE-fixes-3.11.patch index b2d7f19..4cdc594 100644 --- a/HID-CVE-fixes-3.11.patch +++ b/HID-CVE-fixes-3.11.patch @@ -1,83 +1,3 @@ -From aab9cb0a00ecdd937273f3b9649311d81bf4f0cb Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:29:55 +0200 -Subject: [PATCH 01/16] HID: validate HID report id size - -The "Report ID" field of a HID report is used to build indexes of -reports. The kernel's index of these is limited to 256 entries, so any -malicious device that sets a Report ID greater than 255 will trigger -memory corruption on the host: - -[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 -[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b - -CVE-2013-2888 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-core.c | 10 +++++++--- - include/linux/hid.h | 4 +++- - 2 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 36668d1..5ea7d51 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, - struct hid_report_enum *report_enum = device->report_enum + type; - struct hid_report *report; - -+ if (id >= HID_MAX_IDS) -+ return NULL; - if (report_enum->report_id_hash[id]) - return report_enum->report_id_hash[id]; - -@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item) - - case HID_GLOBAL_ITEM_TAG_REPORT_ID: - parser->global.report_id = item_udata(item); -- if (parser->global.report_id == 0) { -- hid_err(parser->device, "report_id 0 is invalid\n"); -+ if (parser->global.report_id == 0 || -+ parser->global.report_id >= HID_MAX_IDS) { -+ hid_err(parser->device, "report_id %u is invalid\n", -+ parser->global.report_id); - return -1; - } - return 0; -@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device) - for (i = 0; i < HID_REPORT_TYPES; i++) { - struct hid_report_enum *report_enum = device->report_enum + i; - -- for (j = 0; j < 256; j++) { -+ for (j = 0; j < HID_MAX_IDS; j++) { - struct hid_report *report = report_enum->report_id_hash[j]; - if (report) - hid_free_report(report); -diff --git a/include/linux/hid.h b/include/linux/hid.h -index 0c48991..ff545cc 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -393,10 +393,12 @@ struct hid_report { - struct hid_device *device; /* associated device */ - }; - -+#define HID_MAX_IDS 256 -+ - struct hid_report_enum { - unsigned numbered; - struct list_head report_list; -- struct hid_report *report_id_hash[256]; -+ struct hid_report *report_id_hash[HID_MAX_IDS]; - }; - - #define HID_REPORT_TYPES 3 --- -1.8.3.1 - - From ba6d8d44eaeb0ee58082f4b4c95138416e1f58a5 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 11 Sep 2013 21:56:50 +0200 @@ -906,214 +826,3 @@ index 762d988..31cf29a 100644 -- 1.8.3.1 - - -From b2438ded3cdd8d6d6af77d9bce38d2d8f353a790 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:32:01 +0200 -Subject: [PATCH 12/16] HID: check for NULL field when setting values - -Defensively check that the field to be worked on is not NULL. - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-core.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 08500bc..e331cb1 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1212,7 +1212,12 @@ EXPORT_SYMBOL_GPL(hid_output_report); - - int hid_set_field(struct hid_field *field, unsigned offset, __s32 value) - { -- unsigned size = field->report_size; -+ unsigned size; -+ -+ if (!field) -+ return -1; -+ -+ size = field->report_size; - - hid_dump_input(field->report->device, field->usage + offset, value); - --- -1.8.3.1 - - -From d0502783cdafcdb0a677492c43a373748d900d50 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:30:49 +0200 -Subject: [PATCH 13/16] HID: pantherlord: validate output report details - -A HID device could send a malicious output report that would cause the -pantherlord HID driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 -... -[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2892 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-pl.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c -index d29112f..2dcd7d9 100644 ---- a/drivers/hid/hid-pl.c -+++ b/drivers/hid/hid-pl.c -@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid) - strong = &report->field[0]->value[2]; - weak = &report->field[0]->value[3]; - debug("detected single-field device"); -- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && -- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { -+ } else if (report->field[0]->maxusage == 1 && -+ report->field[0]->usage[0].hid == -+ (HID_UP_LED | 0x43) && -+ report->maxfield >= 4 && -+ report->field[0]->report_count >= 1 && -+ report->field[1]->report_count >= 1 && -+ report->field[2]->report_count >= 1 && -+ report->field[3]->report_count >= 1) { - report->field[0]->value[0] = 0x00; - report->field[1]->value[0] = 0x00; - strong = &report->field[2]->value[0]; --- -1.8.3.1 - - -From dc4db3b624cc7bf6972817615af88e250a8526cc Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:31:28 +0200 -Subject: [PATCH 14/16] HID: ntrig: validate feature report details - -A HID device could send a malicious feature report that would cause the -ntrig HID driver to trigger a NULL dereference during initialization: - -[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 -... -[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 -[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] - -CVE-2013-2896 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Signed-off-by: Rafi Rubin -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-ntrig.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c -index ef95102..5482156 100644 ---- a/drivers/hid/hid-ntrig.c -+++ b/drivers/hid/hid-ntrig.c -@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev) - struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. - report_id_hash[0x0d]; - -- if (!report) -+ if (!report || report->maxfield < 1 || -+ report->field[0]->report_count < 1) - return -EINVAL; - - hid_hw_request(hdev, report, HID_REQ_GET_REPORT); --- -1.8.3.1 - - -From 34490675479f16680a60726632ad2e808eab54bd Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:31:44 +0200 -Subject: [PATCH 15/16] HID: sensor-hub: validate feature report details - -A HID device could send a malicious feature report that would cause the -sensor-hub HID driver to read past the end of heap allocation, leaking -kernel memory contents to the caller. - -CVE-2013-2898 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Reviewed-by: Mika Westerberg -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-sensor-hub.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c -index ca749810..aa34755 100644 ---- a/drivers/hid/hid-sensor-hub.c -+++ b/drivers/hid/hid-sensor-hub.c -@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, - - mutex_lock(&data->mutex); - report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); -- if (!report || (field_index >= report->maxfield)) { -+ if (!report || (field_index >= report->maxfield) || -+ report->field[field_index]->report_count < 1) { - ret = -EINVAL; - goto done_proc; - } --- -1.8.3.1 - - -From a0155e41d3a7a9bd901368271d86ee1bb28d100f Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:31:52 +0200 -Subject: [PATCH 16/16] HID: picolcd_core: validate output report details -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -A HID device could send a malicious output report that would cause the -picolcd HID driver to trigger a NULL dereference during attr file writing. - -[jkosina@suse.cz: changed - - report->maxfield < 1 - -to - - report->maxfield != 1 - -as suggested by Bruno]. - -CVE-2013-2899 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Reviewed-by: Bruno Prémont -Acked-by: Bruno Prémont -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-picolcd_core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c -index b48092d..acbb0210 100644 ---- a/drivers/hid/hid-picolcd_core.c -+++ b/drivers/hid/hid-picolcd_core.c -@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev, - buf += 10; - cnt -= 10; - } -- if (!report) -+ if (!report || report->maxfield != 1) - return -EINVAL; - - while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r')) --- -1.8.3.1 - diff --git a/acpi-pcie-hotplug-conflict.patch b/acpi-pcie-hotplug-conflict.patch deleted file mode 100644 index 4815b99..0000000 --- a/acpi-pcie-hotplug-conflict.patch +++ /dev/null @@ -1,149 +0,0 @@ -commit 3dc48af310709b85d07c8b0d3aa8f1ead02829d3 -Author: Neil Horman -Date: Thu Aug 29 16:17:05 2013 -0400 - - PCI/ACPI: Fix _OSC ordering to allow PCIe hotplug use when available - - This fixes the problem of acpiphp claiming slots that should be managed - by pciehp, which may keep ExpressCard slots from working. - - The acpiphp driver claims PCIe slots unless the BIOS has granted us - control of PCIe native hotplug via _OSC. Prior to v3.10, the acpiphp - .add method (add_bridge()) was always called *after* we had requested - native hotplug control with _OSC. - - But after 3b63aaa70e ("PCI: acpiphp: Do not use ACPI PCI subdriver - mechanism"), which appeared in v3.10, acpiphp initialization is done - during the bus scan via the pcibios_add_bus() hook, and this happens - *before* we request native hotplug control. - - Therefore, acpiphp doesn't know yet whether the BIOS will grant control, - and it claims slots that we should be handling with native hotplug. - - This patch requests native hotplug control earlier, so we know whether - the BIOS granted it to us before we initialize acpiphp. - - To avoid reintroducing the ASPM issue fixed by b8178f130e ('Revert - "PCI/ACPI: Request _OSC control before scanning PCI root bus"'), we run - _OSC earlier but defer the actual ASPM calls until after the bus scan is - complete. - - Tested successfully by myself. - - [bhelgaas: changelog, mark for stable] - Reference: https://bugzilla.kernel.org/show_bug.cgi?id=60736 - Signed-off-by: Neil Horman - Signed-off-by: Bjorn Helgaas - Acked-by: Yinghai Lu - CC: stable@vger.kernel.org # v3.10+ - CC: Len Brown - CC: "Rafael J. Wysocki" - -diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c -index 5917839..a67853e 100644 ---- a/drivers/acpi/pci_root.c -+++ b/drivers/acpi/pci_root.c -@@ -378,6 +378,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - struct acpi_pci_root *root; - u32 flags, base_flags; - acpi_handle handle = device->handle; -+ bool no_aspm = false, clear_aspm = false; - - root = kzalloc(sizeof(struct acpi_pci_root), GFP_KERNEL); - if (!root) -@@ -437,27 +438,6 @@ static int acpi_pci_root_add(struct acpi_device *device, - flags = base_flags = OSC_PCI_SEGMENT_GROUPS_SUPPORT; - acpi_pci_osc_support(root, flags); - -- /* -- * TBD: Need PCI interface for enumeration/configuration of roots. -- */ -- -- /* -- * Scan the Root Bridge -- * -------------------- -- * Must do this prior to any attempt to bind the root device, as the -- * PCI namespace does not get created until this call is made (and -- * thus the root bridge's pci_dev does not exist). -- */ -- root->bus = pci_acpi_scan_root(root); -- if (!root->bus) { -- dev_err(&device->dev, -- "Bus %04x:%02x not present in PCI namespace\n", -- root->segment, (unsigned int)root->secondary.start); -- result = -ENODEV; -- goto end; -- } -- -- /* Indicate support for various _OSC capabilities. */ - if (pci_ext_cfg_avail()) - flags |= OSC_EXT_PCI_CONFIG_SUPPORT; - if (pcie_aspm_support_enabled()) { -@@ -471,7 +451,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - if (ACPI_FAILURE(status)) { - dev_info(&device->dev, "ACPI _OSC support " - "notification failed, disabling PCIe ASPM\n"); -- pcie_no_aspm(); -+ no_aspm = true; - flags = base_flags; - } - } -@@ -503,7 +483,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - * We have ASPM control, but the FADT indicates - * that it's unsupported. Clear it. - */ -- pcie_clear_aspm(root->bus); -+ clear_aspm = true; - } - } else { - dev_info(&device->dev, -@@ -512,7 +492,14 @@ static int acpi_pci_root_add(struct acpi_device *device, - acpi_format_exception(status), flags); - dev_info(&device->dev, - "ACPI _OSC control for PCIe not granted, disabling ASPM\n"); -- pcie_no_aspm(); -+ /* -+ * We want to disable ASPM here, but aspm_disabled -+ * needs to remain in its state from boot so that we -+ * properly handle PCIe 1.1 devices. So we set this -+ * flag here, to defer the action until after the ACPI -+ * root scan. -+ */ -+ no_aspm = true; - } - } else { - dev_info(&device->dev, -@@ -520,6 +507,33 @@ static int acpi_pci_root_add(struct acpi_device *device, - "(_OSC support mask: 0x%02x)\n", flags); - } - -+ /* -+ * TBD: Need PCI interface for enumeration/configuration of roots. -+ */ -+ -+ /* -+ * Scan the Root Bridge -+ * -------------------- -+ * Must do this prior to any attempt to bind the root device, as the -+ * PCI namespace does not get created until this call is made (and -+ * thus the root bridge's pci_dev does not exist). -+ */ -+ root->bus = pci_acpi_scan_root(root); -+ if (!root->bus) { -+ dev_err(&device->dev, -+ "Bus %04x:%02x not present in PCI namespace\n", -+ root->segment, (unsigned int)root->secondary.start); -+ result = -ENODEV; -+ goto end; -+ } -+ -+ if (clear_aspm) { -+ dev_info(&device->dev, "Disabling ASPM (FADT indicates it is unsupported)\n"); -+ pcie_clear_aspm(root->bus); -+ } -+ if (no_aspm) -+ pcie_no_aspm(); -+ - pci_acpi_add_bus_pm_notifier(device, root->bus); - if (device->wakeup.flags.run_wake) - device_set_run_wake(root->bus->bridge, true); diff --git a/crypto-fix-race-in-larval-lookup.patch b/crypto-fix-race-in-larval-lookup.patch deleted file mode 100644 index d1b1941..0000000 --- a/crypto-fix-race-in-larval-lookup.patch +++ /dev/null @@ -1,44 +0,0 @@ -commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa -Author: Herbert Xu -Date: Sun Sep 8 14:33:50 2013 +1000 - - crypto: api - Fix race condition in larval lookup - - crypto_larval_lookup should only return a larval if it created one. - Any larval created by another entity must be processed through - crypto_larval_wait before being returned. - - Otherwise this will lead to a larval being killed twice, which - will most likely lead to a crash. - - Cc: stable@vger.kernel.org - Reported-by: Kees Cook - Tested-by: Kees Cook - Signed-off-by: Herbert Xu - -diff --git a/crypto/api.c b/crypto/api.c -index 320ea4d..a2b39c5 100644 ---- a/crypto/api.c -+++ b/crypto/api.c -@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem); - BLOCKING_NOTIFIER_HEAD(crypto_chain); - EXPORT_SYMBOL_GPL(crypto_chain); - -+static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg); -+ - struct crypto_alg *crypto_mod_get(struct crypto_alg *alg) - { - return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL; -@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type, - } - up_write(&crypto_alg_sem); - -- if (alg != &larval->alg) -+ if (alg != &larval->alg) { - kfree(larval); -+ if (crypto_is_larval(alg)) -+ alg = crypto_larval_wait(alg); -+ } - - return alg; - } diff --git a/kernel.spec b/kernel.spec index 3e40b04..26c75c8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 1 +%define stable_update 2 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -779,12 +779,6 @@ Patch25078: rt2800-rearrange-bbp-rfcsr-initialization.patch #CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 Patch25099: HID-CVE-fixes-3.11.patch -#rhbz 963991 -Patch26000: acpi-pcie-hotplug-conflict.patch - -#rhbz 1002351 -Patch25100: crypto-fix-race-in-larval-lookup.patch - #CVE-2013-4343 rhbz 1007733 1007741 Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch @@ -794,9 +788,6 @@ Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch #CVE-2013-4345 rhbz 1007690 1009136 Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch -#rhbz 928561 -Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch - #rhbz 1008323 Patch25106: 0001-skge-fix-broken-driver.patch Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch @@ -1553,12 +1544,6 @@ ApplyPatch HID-CVE-fixes-3.11.patch #rhbz 1000679 ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch -#rhbz 963991 -ApplyPatch acpi-pcie-hotplug-conflict.patch - -#rhbz1002351 -ApplyPatch crypto-fix-race-in-larval-lookup.patch - #CVE-2013-4343 rhbz 1007733 1007741 ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch @@ -1568,9 +1553,6 @@ ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch #CVE-2013-4345 rhbz 1007690 1009136 ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch -#rhbz 928561 -ApplyPatch 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch - #rhbz 985522 ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch @@ -2392,6 +2374,9 @@ fi # ||----w | # || || %changelog +* Fri Sep 27 2013 Justin M. Forbes - 3.11.2-300 +- Linux v3.11.2 + * Wed Sep 25 2013 Josh Boyer - Fix debuginfo_args regex for + separator (rhbz 1009751) - Add another fix for skge (rhbz 1008323) diff --git a/sources b/sources index 1bb8782..9c3b879 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -43331cad943b9540afea49ad8ce5cf46 patch-3.11.1.xz +5aa3286dcc7d70ceb50c3cbc64bc1cd8 patch-3.11.2.xz