Hello community, here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2017-04-20 20:48:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kernel-source (Old) and /work/SRC/openSUSE:Factory/.kernel-source.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Thu Apr 20 20:48:27 2017 rev:360 rq:487784 version:4.10.10 Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2017-04-13 10:43:47.584262694 +0200 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/dtb-aarch64.changes 2017-04-20 20:48:28.828915506 +0200 @@ -1,0 +2,18 @@ +Wed Apr 12 13:18:29 CEST 2017 - [email protected] + +- Linux 4.10.10 (CVE-2017-7261 CVE-2017-7294 bnc#1012628 + boo#1031052 boo#1031440). +- Delete + patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch. +- Delete + patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch. +- commit a78ebd0 + +------------------------------------------------------------------- +Tue Apr 11 09:09:39 CEST 2017 - [email protected] + +- drm/nouveau/kms/nv50: fix double dma_fence_put() when destroying + plane state (bsc#1032285). +- commit 739eada + +------------------------------------------------------------------- dtb-armv6l.changes: same change dtb-armv7l.changes: same change kernel-64kb.changes: same change kernel-debug.changes: same change kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-syzkaller.changes: same change kernel-vanilla.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dtb-aarch64.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:41.527120059 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:41.531119493 +0200 @@ -16,15 +16,15 @@ # -%define patchversion 4.10.9 +%define patchversion 4.10.10 %define vanilla_only 0 %include %_sourcedir/kernel-spec-macros Name: dtb-aarch64 -Version: 4.10.9 +Version: 4.10.10 %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif dtb-armv6l.spec: same change dtb-armv7l.spec: same change ++++++ kernel-64kb.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:41.651102529 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:41.667100267 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.9 +%define patchversion 4.10.10 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with 64kb PAGE_SIZE License: GPL-2.0 Group: System/Kernel -Version: 4.10.9 +Version: 4.10.10 %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif kernel-debug.spec: same change kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:41.795082171 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:41.795082171 +0200 @@ -16,7 +16,7 @@ # -%define patchversion 4.10.9 +%define patchversion 4.10.10 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -42,9 +42,9 @@ Summary: Kernel Documentation (man pages) License: GPL-2.0 Group: Documentation/Man -Version: 4.10.9 +Version: 4.10.10 %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:41.827077648 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:41.831077082 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.9 +%define patchversion 4.10.10 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.10.9 +Version: 4.10.10 %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:41.863072558 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:41.871071427 +0200 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.10.9 +%define patchversion 4.10.10 %define variant %{nil} %define vanilla_only 0 @@ -57,9 +57,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.10.9 +Version: 4.10.10 %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:41.907066337 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:41.915065206 +0200 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.10.9 +%define patchversion 4.10.10 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.10.9 +Version: 4.10.10 %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:41.963058420 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:41.967057855 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.9 +%define patchversion 4.10.10 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.10.9 +Version: 4.10.10 %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:41.999053330 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:42.003052766 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.9 +%define patchversion 4.10.10 %define variant %{nil} %define vanilla_only 0 @@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.10.9 +Version: 4.10.10 %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:42.035048241 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:42.035048241 +0200 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.10.9 +Version: 4.10.10 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif ++++++ kernel-syzkaller.spec ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:42.067043718 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:42.071043152 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.9 +%define patchversion 4.10.10 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel used for fuzzing by syzkaller License: GPL-2.0 Group: System/Kernel -Version: 4.10.9 +Version: 4.10.10 %if 0%{?is_kotd} -Release: <RELEASE>.g195f937 +Release: <RELEASE>.ga78ebd0 %else Release: 0 %endif kernel-vanilla.spec: same change ++++++ patches.drivers.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch new/patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch --- old/patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch 2017-04-04 12:46:31.000000000 +0200 +++ new/patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,36 +0,0 @@ -From: Murray McAllister <[email protected]> -Date: Mon Mar 27 11:12:53 2017 +0200 -Subject: drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() -Patch-mainline: Queued in driver maintainer repository -Git-repo: git://people.freedesktop.org/~thomash/linux -Git-commit: 36274ab8c596f1240c606bb514da329add2a1bcd -References: boo#1031052 CVE-2017-7261 - -Before memory allocations vmw_surface_define_ioctl() checks the -upper-bounds of a user-supplied size, but does not check if the -supplied size is 0. - -Add check to avoid NULL pointer dereferences. - -Cc: <[email protected]> -Signed-off-by: Murray McAllister <[email protected]> -Reviewed-by: Sinclair Yeh <[email protected]> -Signed-off-by: Max Staudt <[email protected]> ---- - drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -index b445ce9..f410502 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, - for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) - num_sizes += req->mip_levels[i]; - -- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * -- DRM_VMW_MAX_MIP_LEVELS) -+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || -+ num_sizes == 0) - return -EINVAL; - - size = vmw_user_surface_size + 128 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch new/patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch --- old/patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch 2017-04-04 12:46:31.000000000 +0200 +++ new/patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,39 +0,0 @@ -From: Li Qiang <[email protected]> -Date: Mon Mar 27 20:10:53 2017 -0700 -Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() -Patch-mainline: Queued in driver maintainer repository -Git-repo: git://people.freedesktop.org/~thomash/linux -Git-commit: e7e11f99564222d82f0ce84bd521e57d78a6b678 -References: boo#1031440 CVE-2017-7294 - -In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the -'req->mip_levels' array. This array can be assigned any value from -the user space. As both the 'num_sizes' and the array is uint32_t, -it is easy to make 'num_sizes' overflow. The later 'mip_levels' is -used as the loop count. This can lead an oob write. Add the check of -'req->mip_levels' to avoid this. - -Cc: <[email protected]> -Signed-off-by: Li Qiang <[email protected]> -Reviewed-by: Thomas Hellstrom <[email protected]> -Signed-off-by: Max Staudt <[email protected]> ---- - drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -index f410502..96760a4 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, - 128; - - num_sizes = 0; -- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) -+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) { -+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS) -+ return -EINVAL; - num_sizes += req->mip_levels[i]; -+ } - - if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || - num_sizes == 0) ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/drm-nouveau-kms-nv50-fix-double-dma_fence_put-when-d new/patches.fixes/drm-nouveau-kms-nv50-fix-double-dma_fence_put-when-d --- old/patches.fixes/drm-nouveau-kms-nv50-fix-double-dma_fence_put-when-d 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/drm-nouveau-kms-nv50-fix-double-dma_fence_put-when-d 2017-04-11 09:09:39.000000000 +0200 @@ -0,0 +1,41 @@ +From df60d1f23b09c5ce2a8e404012323d4deedcc589 Mon Sep 17 00:00:00 2001 +From: Ben Skeggs <[email protected]> +Date: Wed, 5 Apr 2017 18:16:14 +1000 +Subject: [PATCH] drm/nouveau/kms/nv50: fix double dma_fence_put() when destroying plane state +Git-commit: df60d1f23b09c5ce2a8e404012323d4deedcc589 +References: bsc#1032285 +Git-repo: git://people.freedesktop.org/~airlied/linux.git +Patch-mainline: Queued in subsystem maintainer repository + +When the atomic support was added to nouveau, the DRM core did not do this. + +However, later in the same merge window, a commit (drm/fence: add in-fences +support) was merged that added it, leading to use-after-frees of the fence +object. + +Cc: [email protected] [4.10+] +Signed-off-by: Ben Skeggs <[email protected]> +Acked-by: Takashi Iwai <[email protected]> + +--- + drivers/gpu/drm/nouveau/nv50_display.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nv50_display.c ++++ b/drivers/gpu/drm/nouveau/nv50_display.c +@@ -995,7 +995,6 @@ nv50_wndw_atomic_destroy_state(struct dr + { + struct nv50_wndw_atom *asyw = nv50_wndw_atom(state); + __drm_atomic_helper_plane_destroy_state(&asyw->state); +- dma_fence_put(asyw->state.fence); + kfree(asyw); + } + +@@ -1007,7 +1006,6 @@ nv50_wndw_atomic_duplicate_state(struct + if (!(asyw = kmalloc(sizeof(*asyw), GFP_KERNEL))) + return NULL; + __drm_atomic_helper_plane_duplicate_state(plane, &asyw->state); +- asyw->state.fence = NULL; + asyw->interval = 1; + asyw->sema = armw->sema; + asyw->ntfy = armw->ntfy; ++++++ patches.kernel.org.tar.bz2 ++++++ ++++ 4282 lines of diff (skipped) ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:43.526837311 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:43.526837311 +0200 @@ -36,6 +36,7 @@ patches.kernel.org/patch-4.10.6-7 patches.kernel.org/patch-4.10.7-8 patches.kernel.org/patch-4.10.8-9 + patches.kernel.org/patch-4.10.9-10 ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -332,9 +333,8 @@ ######################################################## patches.fixes/drm-i915-Fix-S4-resume-breakage patches.fixes/drm-fb-helper-Allow-var-x-yres-_virtual-fb-width-hei + patches.fixes/drm-nouveau-kms-nv50-fix-double-dma_fence_put-when-d - patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch - patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch ######################################################## # video4linux ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.OqBeA3/_old 2017-04-20 20:48:43.570831091 +0200 +++ /var/tmp/diff_new_pack.OqBeA3/_new 2017-04-20 20:48:43.574830525 +0200 @@ -1,3 +1,3 @@ -2017-04-08 17:30:03 +0200 -GIT Revision: 195f9370151c1957e58902b22d8b49d2db8bdd5f +2017-04-12 13:18:29 +0200 +GIT Revision: a78ebd0ac88d4ab861df7a7ea22850fa405da54f GIT Branch: stable
