Hello community,

here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2017-11-12 17:51:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
 and /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Sun Nov 12 17:51:04 2017 rev:388 rq:539861 version:4.13.12 Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2017-11-07 09:57:15.899898361 +0100 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/dtb-aarch64.changes 2017-11-12 17:51:13.193135095 +0100 
@@ -1,0 +2,93 @@ +Wed Nov 8 12:21:09 CET 2017 - [email protected] + +- media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646 + bsc#1067105). +- commit 9151c66 + +------------------------------------------------------------------- +Wed Nov 8 12:15:20 CET 2017 - [email protected] + +- Input: ims-psu - check if CDC union descriptor is sane + (CVE-2017-16645 bsc#1067132). +- commit 0cfe4b6 + +------------------------------------------------------------------- +Wed Nov 8 12:11:42 CET 2017 - [email protected] + +- net: usb: asix: fill null-ptr-deref in asix_suspend + (CVE-2017-16647 bsc#1067102). +- commit a088160 + +------------------------------------------------------------------- +Wed Nov 8 10:36:03 CET 2017 - [email protected] + +- Linux 4.13.12 (bnc#1012628). +- irqchip/irq-mvebu-gicp: Add missing spin_lock init + (bnc#1012628). +- x86/mcelog: Get rid of RCU remnants (bnc#1012628). +- perf/cgroup: Fix perf cgroup hierarchy support (bnc#1012628). +- futex: Fix more put_pi_state() vs. exit_pi_state_list() races + (bnc#1012628). +- powerpc/kprobes: Dereference function pointers only if the + address does not belong to kernel text (bnc#1012628). +- x86: CPU: Fix up "cpu MHz" in /proc/cpuinfo (bnc#1012628). +- Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo + "cpu MHz"" (bnc#1012628). +- MIPS: SMP: Fix deadlock & online race (bnc#1012628). +- MIPS: microMIPS: Fix incorrect mask in insn_table_MM + (bnc#1012628). +- MIPS: smp-cmp: Use right include for task_struct (bnc#1012628). +- MIPS: bpf: Fix a typo in build_one_insn() (bnc#1012628). +- Revert "powerpc64/elfv1: Only dereference function descriptor + for non-text symbols" (bnc#1012628). +- drm/i915/edp: read edp display control registers unconditionally + (bnc#1012628). +- drm/i915: Do not rely on wm preservation for ILK watermarks + (bnc#1012628). +- mm, swap: fix race between swap count continuation operations + (bnc#1012628). 
+- fs/hugetlbfs/inode.c: fix hwpoison reserve accounting + (bnc#1012628). +- ocfs2: fstrim: Fix start offset of first cluster group during + fstrim (bnc#1012628). +- userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond + the end of i_size (bnc#1012628). +- drm/amdgpu: allow harvesting check for Polaris VCE + (bnc#1012628). +- drm/amdgpu: return -ENOENT from uvd 6.0 early init for + harvesting (bnc#1012628). +- ARM: 8715/1: add a private asm/unaligned.h (bnc#1012628). +- ARM: dts: mvebu: pl310-cache disable double-linefill + (bnc#1012628). +- arm/arm64: kvm: Disable branch profiling in HYP code + (bnc#1012628). +- arm/arm64: KVM: set right LR register value for 32 bit guest + when inject abort (bnc#1012628). +- KVM: arm64: its: Fix missing dynamic allocation check in + scan_its_table (bnc#1012628). +- arm64: ensure __dump_instr() checks addr_limit (bnc#1012628). +- virtio_blk: Fix an SG_IO regression (bnc#1012628). +- ASoC: adau17x1: Workaround for noise bug in ADC (bnc#1012628). +- KEYS: fix out-of-bounds read during ASN.1 parsing (bnc#1012628). +- KEYS: trusted: fix writing past end of buffer in trusted_read() + (bnc#1012628). +- KEYS: return full count in keyring_read() if buffer is too small + (bnc#1012628). +- cifs: check MaxPathNameComponentLength != 0 before using it + (bnc#1012628). +- ALSA: seq: Fix nested rwsem annotation for lockdep splat + (bnc#1012628). +- ALSA: timer: Add missing mutex lock for compat ioctls + (bnc#1012628). +- commit 19cf938 + +------------------------------------------------------------------- +Mon Nov 6 14:43:05 CET 2017 - [email protected] + +- media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537 + bsc#1066573). +- [media] cx231xx-cards: fix NULL-deref on missing association + descriptor (CVE-2017-16536 bsc#1066606). 
+- commit c9a1bf3 + +------------------------------------------------------------------- dtb-armv6l.changes: same change dtb-armv7l.changes: same change kernel-64kb.changes: same change kernel-debug.changes: same change kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-syzkaller.changes: same change kernel-vanilla.changes: same change kernel-zfcpdump.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dtb-aarch64.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.024704150 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.028704004 +0100 @@ -17,7 +17,7 @@ %define srcversion 4.13 -%define patchversion 4.13.11 +%define patchversion 4.13.12 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -29,9 +29,9 @@ %(chmod +x %_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh,mkspec-dtb}) Name: dtb-aarch64 -Version: 4.13.11 +Version: 4.13.12 %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif dtb-armv6l.spec: same change dtb-armv7l.spec: same change ++++++ kernel-64kb.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.108701090 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.112700945 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.11 +%define patchversion 4.13.12 %define variant %{nil} %define vanilla_only 0 
@@ -58,9 +58,9 @@ Summary: Kernel with 64kb PAGE_SIZE License: GPL-2.0 Group: System/Kernel -Version: 4.13.11 +Version: 4.13.12 %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif kernel-debug.spec: same change kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.172698759 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.176698613 +0100 @@ -17,7 +17,7 @@ %define srcversion 4.13 -%define patchversion 4.13.11 +%define patchversion 4.13.12 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -31,9 +31,9 @@ Summary: Kernel Documentation License: GPL-2.0 Group: Documentation/Man -Version: 4.13.11 +Version: 4.13.12 %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.200697739 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.204697594 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.11 +%define patchversion 4.13.12 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.13.11 +Version: 4.13.12 %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.228696720 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.232696574 +0100 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.13.11 +%define patchversion 4.13.12 %define variant %{nil} %define vanilla_only 0 
@@ -57,9 +57,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.13.11 +Version: 4.13.12 %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.256695700 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.260695554 +0100 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.13.11 +%define patchversion 4.13.12 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.13.11 +Version: 4.13.12 %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.288694534 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.292694388 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.11 +%define patchversion 4.13.12 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.13.11 +Version: 4.13.12 %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.312693660 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.316693514 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.11 +%define patchversion 4.13.12 %define variant %{nil} %define vanilla_only 0 
@@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.13.11 +Version: 4.13.12 %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.332692932 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.336692786 +0100 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.13.11 +Version: 4.13.12 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif ++++++ kernel-syzkaller.spec ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:25.356692058 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:25.356692058 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.11 +%define patchversion 4.13.12 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel used for fuzzing by syzkaller License: GPL-2.0 Group: System/Kernel -Version: 4.13.11 +Version: 4.13.12 %if 0%{?is_kotd} -Release: <RELEASE>.g0526da3 +Release: <RELEASE>.g9151c66 %else Release: 0 %endif kernel-vanilla.spec: same change kernel-zfcpdump.spec: same change ++++++ patches.drivers.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/Input-ims-psu-check-if-CDC-union-descriptor-is-sane new/patches.drivers/Input-ims-psu-check-if-CDC-union-descriptor-is-sane --- old/patches.drivers/Input-ims-psu-check-if-CDC-union-descriptor-is-sane 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/Input-ims-psu-check-if-CDC-union-descriptor-is-sane 2017-11-08 12:21:09.000000000 +0100 
@@ -0,0 +1,50 @@ +From ea04efee7635c9120d015dcdeeeb6988130cb67a Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov <[email protected]> +Date: Sat, 7 Oct 2017 11:07:47 -0700 +Subject: [PATCH] Input: ims-psu - check if CDC union descriptor is sane +Git-commit: ea04efee7635c9120d015dcdeeeb6988130cb67a +Patch-mainline: 4.14-rc6 +References: CVE-2017-16645 bsc#1067132 + +Before trying to use CDC union descriptor, try to validate whether that it +is sane by checking that intf->altsetting->extra is big enough and that +descriptor bLength is not too big and not too small. + +Reported-by: Andrey Konovalov <[email protected]> +Signed-off-by: Dmitry Torokhov <[email protected]> +Acked-by: Takashi Iwai <[email protected]> + +--- + drivers/input/misc/ims-pcu.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_in + return NULL; + } + +- while (buflen > 0) { ++ while (buflen >= sizeof(*union_desc)) { + union_desc = (struct usb_cdc_union_desc *)buf; + ++ if (union_desc->bLength > buflen) { ++ dev_err(&intf->dev, "Too large descriptor\n"); ++ return NULL; ++ } ++ + if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE && + union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) { + dev_dbg(&intf->dev, "Found union header\n"); +- return union_desc; ++ ++ if (union_desc->bLength >= sizeof(*union_desc)) ++ return union_desc; ++ ++ dev_err(&intf->dev, ++ "Union descriptor to short (%d vs %zd\n)", ++ union_desc->bLength, sizeof(*union_desc)); ++ return NULL; + } + + buflen -= union_desc->bLength; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/media-cx231xx-cards-fix-NULL-deref-on-missing-associ new/patches.drivers/media-cx231xx-cards-fix-NULL-deref-on-missing-associ --- old/patches.drivers/media-cx231xx-cards-fix-NULL-deref-on-missing-associ 1970-01-01 01:00:00.000000000 
+0100 +++ new/patches.drivers/media-cx231xx-cards-fix-NULL-deref-on-missing-associ 2017-11-08 12:21:09.000000000 +0100 
@@ -0,0 +1,38 @@ +From 6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <[email protected]> +Date: Thu, 21 Sep 2017 05:40:18 -0300 +Subject: [PATCH] [media] cx231xx-cards: fix NULL-deref on missing association descriptor +Git-commit: 6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 +Git-repo: git://linuxtv.org/mchehab/media-next.git +Patch-mainline: Queued in subsystem maintainer repo +References: CVE-2017-16536 bsc#1066606 + +Make sure to check that we actually have an Interface Association +Descriptor before dereferencing it during probe to avoid dereferencing a +NULL-pointer. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: stable <[email protected]> # 2.6.30 +Reported-by: Andrey Konovalov <[email protected]> +Signed-off-by: Johan Hovold <[email protected]> +Tested-by: Andrey Konovalov <[email protected]> +Signed-off-by: Hans Verkuil <[email protected]> +Signed-off-by: Mauro Carvalho Chehab <[email protected]> +Acked-by: Takashi Iwai <[email protected]> + +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_ + nr = dev->devno; + + assoc_desc = udev->actconfig->intf_assoc[0]; +- if (assoc_desc->bFirstInterface != ifnum) { ++ if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) { + dev_err(d, "Not found matching IAD interface\n"); + retval = -ENODEV; + goto err_if; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/media-dib0700-fix-invalid-dvb_detach-argument new/patches.drivers/media-dib0700-fix-invalid-dvb_detach-argument --- old/patches.drivers/media-dib0700-fix-invalid-dvb_detach-argument 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/media-dib0700-fix-invalid-dvb_detach-argument 2017-11-08 12:21:09.000000000 +0100 
@@ -0,0 +1,195 @@ +From eb0c19942288569e0ae492476534d5a485fb8ab4 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov <[email protected]> +Date: Thu, 2 Nov 2017 10:38:21 -0400 +Subject: [PATCH] media: dib0700: fix invalid dvb_detach argument +Git-commit: eb0c19942288569e0ae492476534d5a485fb8ab4 +Git-repo: git://linuxtv.org/mchehab/media-next.git +Patch-mainline: Queued in subsystem maintainer repo +References: CVE-2017-16646 bsc#1067105 + +dvb_detach(arg) calls symbol_put_addr(arg), where arg should be a pointer +to a function. Right now a pointer to state->dib7000p_ops is passed to +dvb_detach(), which causes a BUG() in symbol_put_addr() as discovered by +syzkaller. Pass state->dib7000p_ops.set_wbd_ref instead. + +------------[ cut here ]------------ +kernel BUG at kernel/module.c:1081! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +Modules linked in: +CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: G W +4.14.0-rc1-42251-gebb2c2437d80 #224 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +task: ffff88006a336300 task.stack: ffff88006a7c8000 +RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083 +RSP: 0018:ffff88006a7ce210 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff880062a8d190 RCX: 0000000000000000 +RDX: dffffc0000000020 RSI: ffffffff85876d60 RDI: ffff880062a8d190 +RBP: ffff88006a7ce218 R08: 1ffff1000d4f9c12 R09: 1ffff1000d4f9ae4 +R10: 1ffff1000d4f9bed R11: 0000000000000000 R12: ffff880062a8d180 +R13: 00000000ffffffed R14: ffff880062a8d190 R15: ffff88006947c000 +FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f6416532000 CR3: 00000000632f5000 CR4: 00000000000006e0 +Call Trace: + stk7070p_frontend_attach+0x515/0x610 +drivers/media/usb/dvb-usb/dib0700_devices.c:1013 + dvb_usb_adapter_frontend_init+0x32b/0x660 +drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286 + dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 
+ dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162 + dvb_usb_device_init+0xf70/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277 + dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886 + usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 + generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 + usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 + hub_port_connect drivers/usb/core/hub.c:4903 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x3a1/0x470 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 +Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8 +de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f> +0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00 +RIP: symbol_put_addr+0x54/0x60 
RSP: ffff88006a7ce210 +---[ end trace b75b357739e7e116 ]--- + +Signed-off-by: Andrey Konovalov <[email protected]> +Signed-off-by: Mauro Carvalho Chehab <[email protected]> +Acked-by: Takashi Iwai <[email protected]> + +--- + drivers/media/usb/dvb-usb/dib0700_devices.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/media/usb/dvb-usb/dib0700_devices.c ++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c +@@ -291,7 +291,7 @@ static int stk7700P2_frontend_attach(str + stk7700d_dib7000p_mt2266_config) + != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + } +@@ -325,7 +325,7 @@ static int stk7700d_frontend_attach(stru + stk7700d_dib7000p_mt2266_config) + != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + } +@@ -478,7 +478,7 @@ static int stk7700ph_frontend_attach(str + &stk7700ph_dib7700_xc3028_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -1010,7 +1010,7 @@ static int stk7070p_frontend_attach(stru + &dib7070p_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -1068,7 +1068,7 @@ static int stk7770p_frontend_attach(stru + &dib7770p_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. 
Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3056,7 +3056,7 @@ static int nim7090_frontend_attach(struc + + if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, &nim7090_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, 0x80, &nim7090_dib7000p_config); +@@ -3109,7 +3109,7 @@ static int tfe7090pvr_frontend0_attach(s + /* initialize IC 0 */ + if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, &tfe7090pvr_dib7000p_config[0]) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3139,7 +3139,7 @@ static int tfe7090pvr_frontend1_attach(s + i2c = state->dib7000p_ops.get_i2c_master(adap->dev->adapter[0].fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_6_7, 1); + if (state->dib7000p_ops.i2c_enumeration(i2c, 1, 0x10, &tfe7090pvr_dib7000p_config[1]) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3214,7 +3214,7 @@ static int tfe7790p_frontend_attach(stru + 1, 0x10, &tfe7790p_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. 
Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, +@@ -3309,7 +3309,7 @@ static int stk7070pd_frontend_attach0(st + stk7070pd_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3384,7 +3384,7 @@ static int novatd_frontend_attach(struct + stk7070pd_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + } +@@ -3620,7 +3620,7 @@ static int pctv340e_frontend_attach(stru + + if (state->dib7000p_ops.dib7000pc_detection(&adap->dev->i2c_adap) == 0) { + /* Demodulator not found for some reason? */ +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/media-imon-Fix-null-ptr-deref-in-imon_probe new/patches.drivers/media-imon-Fix-null-ptr-deref-in-imon_probe --- old/patches.drivers/media-imon-Fix-null-ptr-deref-in-imon_probe 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/media-imon-Fix-null-ptr-deref-in-imon_probe 2017-11-08 12:21:09.000000000 +0100 
@@ -0,0 +1,36 @@ +From 58fd55e838276a0c13d1dc7c387f90f25063cbf3 Mon Sep 17 00:00:00 2001 +From: Arvind Yadav <[email protected]> +Date: Mon, 9 Oct 2017 20:14:48 +0200 +Subject: [PATCH] media: imon: Fix null-ptr-deref in imon_probe +Git-commit: 58fd55e838276a0c13d1dc7c387f90f25063cbf3 +Git-repo: git://linuxtv.org/mchehab/media-next.git +Patch-mainline: Queued in subsystem maintainer repo +References: CVE-2017-16537 bsc#1066573 + +It seems that the return value of usb_ifnum_to_if() can be NULL and +needs to be checked. + +Signed-off-by: Arvind Yadav <[email protected]> +Tested-by: Andrey Konovalov <[email protected]> +Signed-off-by: Sean Young <[email protected]> +Signed-off-by: Mauro Carvalho Chehab <[email protected]> +Acked-by: Takashi Iwai <[email protected]> + +--- + drivers/media/rc/imon.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/rc/imon.c ++++ b/drivers/media/rc/imon.c +@@ -2516,6 +2516,11 @@ static int imon_probe(struct usb_interfa + mutex_lock(&driver_lock); + + first_if = usb_ifnum_to_if(usbdev, 0); ++ if (!first_if) { ++ ret = -ENODEV; ++ goto fail; ++ } ++ + first_if_ctx = usb_get_intfdata(first_if); + + if (ifnum == 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch new/patches.drivers/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch --- old/patches.drivers/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch 2017-11-08 12:21:09.000000000 +0100 
@@ -0,0 +1,76 @@ +From baedf68a068ca29624f241426843635920f16e1d Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov <[email protected]> +Date: Thu, 2 Nov 2017 21:26:59 +0100 +Subject: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend +Git-commit: baedf68a068ca29624f241426843635920f16e1d +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git +Patch-mainline: Queued in subsystem maintainer repo +References: CVE-2017-16647 bsc#1067102 + +When asix_suspend() is called dev->driver_priv might not have been +assigned a value, so we need to check that it's not NULL. + +Found by syzkaller. + +Kasan: CONFIG_KASAN_INLINE enabled +Kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +Modules linked in: +Cpu: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc4-43422-geccacdd69a8c #400 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +Task: ffff88006bb36300 task.stack: ffff88006bba8000 +Rip: 0010:asix_suspend+0x76/0xc0 drivers/net/usb/asix_devices.c:629 +Rsp: 0018:ffff88006bbae718 EFLAGS: 00010202 +Rax: dffffc0000000000 RBX: ffff880061ba3b80 RCX: 1ffff1000c34d644 +Rdx: 0000000000000001 RSI: 0000000000000402 RDI: 0000000000000008 +Rbp: ffff88006bbae738 R08: 1ffff1000d775cad R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800630a8b40 +R13: 0000000000000000 R14: 0000000000000402 R15: ffff880061ba3b80 +Fs: 0000000000000000(0000) GS:ffff88006c600000(0000) knlGS:0000000000000000 +Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Cr2: 00007ff33cf89000 CR3: 0000000061c0a000 CR4: 00000000000006f0 +Call Trace: + usb_suspend_interface drivers/usb/core/driver.c:1209 + usb_suspend_both+0x27f/0x7e0 drivers/usb/core/driver.c:1314 + usb_runtime_suspend+0x41/0x120 drivers/usb/core/driver.c:1852 + __rpm_callback+0x339/0xb60 drivers/base/power/runtime.c:334 + rpm_callback+0x106/0x220 drivers/base/power/runtime.c:461 + 
rpm_suspend+0x465/0x1980 drivers/base/power/runtime.c:596 + __pm_runtime_suspend+0x11e/0x230 drivers/base/power/runtime.c:1009 + pm_runtime_put_sync_autosuspend ./include/linux/pm_runtime.h:251 + usb_new_device+0xa37/0x1020 drivers/usb/core/hub.c:2487 + hub_port_connect drivers/usb/core/hub.c:4903 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x3a1/0x470 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 +Code: 8d 7c 24 20 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5b 48 b8 00 00 +00 00 00 fc ff df 4d 8b 6c 24 20 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> +3c 02 00 75 34 4d 8b 6d 08 4d 85 ed 74 0b e8 26 2b 51 fd 4c + +Rip: asix_suspend+0x76/0xc0 RSP: ffff88006bbae718 +Acked-by: Takashi Iwai <[email protected]> + +---[ end trace dfc4f5649284342c ]--- + +Signed-off-by: Andrey Konovalov <[email protected]> +Signed-off-by: David S. Miller <[email protected]> +--- + drivers/net/usb/asix_devices.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -626,7 +626,7 @@ static int asix_suspend(struct usb_inter + struct usbnet *dev = usb_get_intfdata(intf); + struct asix_common_private *priv = dev->driver_priv; + +- if (priv->suspend) ++ if (priv && priv->suspend) + priv->suspend(dev); + + return usbnet_suspend(intf, message); ++++++ patches.kernel.org.tar.bz2 ++++++ ++++ 2934 lines of diff (skipped) ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:26.500650390 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:26.500650390 +0100 
@@ -732,6 +732,41 @@ patches.kernel.org/4.13.11-042-regulator-fan53555-fix-I2C-device-ids.patch patches.kernel.org/4.13.11-043-powerpc-xive-Fix-the-size-of-the-cpumask-used.patch patches.kernel.org/4.13.11-044-Linux-4.13.11.patch + patches.kernel.org/4.13.12-001-ALSA-timer-Add-missing-mutex-lock-for-compat-.patch + patches.kernel.org/4.13.12-002-ALSA-seq-Fix-nested-rwsem-annotation-for-lock.patch + patches.kernel.org/4.13.12-003-cifs-check-MaxPathNameComponentLength-0-befor.patch + patches.kernel.org/4.13.12-004-KEYS-return-full-count-in-keyring_read-if-buf.patch + patches.kernel.org/4.13.12-005-KEYS-trusted-fix-writing-past-end-of-buffer-i.patch + patches.kernel.org/4.13.12-006-KEYS-fix-out-of-bounds-read-during-ASN.1-pars.patch + patches.kernel.org/4.13.12-007-ASoC-adau17x1-Workaround-for-noise-bug-in-ADC.patch + patches.kernel.org/4.13.12-008-virtio_blk-Fix-an-SG_IO-regression.patch + patches.kernel.org/4.13.12-009-arm64-ensure-__dump_instr-checks-addr_limit.patch + patches.kernel.org/4.13.12-010-KVM-arm64-its-Fix-missing-dynamic-allocation-.patch + patches.kernel.org/4.13.12-011-arm-arm64-KVM-set-right-LR-register-value-for.patch + patches.kernel.org/4.13.12-012-arm-arm64-kvm-Disable-branch-profiling-in-HYP.patch + patches.kernel.org/4.13.12-013-ARM-dts-mvebu-pl310-cache-disable-double-line.patch + patches.kernel.org/4.13.12-014-ARM-8715-1-add-a-private-asm-unaligned.h.patch + patches.kernel.org/4.13.12-015-drm-amdgpu-return-ENOENT-from-uvd-6.0-early-i.patch + patches.kernel.org/4.13.12-016-drm-amdgpu-allow-harvesting-check-for-Polaris.patch + patches.kernel.org/4.13.12-017-userfaultfd-hugetlbfs-prevent-UFFDIO_COPY-to-.patch + patches.kernel.org/4.13.12-018-ocfs2-fstrim-Fix-start-offset-of-first-cluste.patch + patches.kernel.org/4.13.12-019-fs-hugetlbfs-inode.c-fix-hwpoison-reserve-acc.patch + patches.kernel.org/4.13.12-020-mm-swap-fix-race-between-swap-count-continuat.patch + patches.kernel.org/4.13.12-021-drm-i915-Do-not-rely-on-wm-preservation-for-I.patch + 
patches.kernel.org/4.13.12-022-drm-i915-edp-read-edp-display-control-registe.patch + patches.kernel.org/4.13.12-023-Revert-powerpc64-elfv1-Only-dereference-funct.patch + patches.kernel.org/4.13.12-024-MIPS-bpf-Fix-a-typo-in-build_one_insn.patch + patches.kernel.org/4.13.12-025-MIPS-smp-cmp-Use-right-include-for-task_struc.patch + patches.kernel.org/4.13.12-026-MIPS-microMIPS-Fix-incorrect-mask-in-insn_tab.patch + patches.kernel.org/4.13.12-027-MIPS-SMP-Fix-deadlock-online-race.patch + patches.kernel.org/4.13.12-028-Revert-x86-do-not-use-cpufreq_quick_get-for-p.patch + patches.kernel.org/4.13.12-029-x86-CPU-Fix-up-cpu-MHz-in-proc-cpuinfo.patch + patches.kernel.org/4.13.12-030-powerpc-kprobes-Dereference-function-pointers.patch + patches.kernel.org/4.13.12-031-futex-Fix-more-put_pi_state-vs.-exit_pi_state.patch + patches.kernel.org/4.13.12-032-perf-cgroup-Fix-perf-cgroup-hierarchy-support.patch + patches.kernel.org/4.13.12-033-x86-mcelog-Get-rid-of-RCU-remnants.patch + patches.kernel.org/4.13.12-034-irqchip-irq-mvebu-gicp-Add-missing-spin_lock-.patch + patches.kernel.org/4.13.12-035-Linux-4.13.12.patch ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -1028,10 +1063,14 @@ ######################################################## # video4linux ######################################################## + patches.drivers/media-cx231xx-cards-fix-NULL-deref-on-missing-associ + patches.drivers/media-imon-Fix-null-ptr-deref-in-imon_probe + patches.drivers/media-dib0700-fix-invalid-dvb_detach-argument ######################################################## # Network ######################################################## + patches.drivers/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch ######################################################## # Wireless Networking 
@@ -1072,6 +1111,7 @@ ######################################################## # patches.suse/SUSE-bootsplash # patches.suse/SUSE-bootsplash-mgadrmfb-workaround + patches.drivers/Input-ims-psu-check-if-CDC-union-descriptor-is-sane ########################################################## # Sound ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.HiLdsK/_old 2017-11-12 17:51:26.532649225 +0100 +++ /var/tmp/diff_new_pack.HiLdsK/_new 2017-11-12 17:51:26.532649225 +0100 @@ -1,3 +1,3 @@ -2017-11-04 09:00:26 +0100 -GIT Revision: 0526da3cc45db9c6b774d804920904bc4856d57f +2017-11-08 12:21:09 +0100 +GIT Revision: 9151c668cd24857042bb8960908cf90fbccc5bb2 GIT Branch: stable
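Review bot: In the ims_pcu_get_cdc_union_desc() hunk (drivers/input/misc/ims-pcu.c), the lower bound on bLength is only enforced once the descriptor type and subtype match, so a non-matching descriptor with a bLength of 0 passes the `union_desc->bLength > buflen` test and reaches `buflen -= union_desc->bLength` without shrinking buflen, leaving the loop condition `buflen >= sizeof(*union_desc)` true. Suggest rejecting a bLength below the two-byte descriptor header before the type check, so every iteration is guaranteed to make progress. Separately, the new dev_err string "Union descriptor to short (%d vs %zd\n)" should read "too short", has its newline inside the closing parenthesis, and prints a sizeof() result with %zd where %zu is the matching conversion for size_t.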
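Review bot: In the cx231xx_usb_probe() hunk (drivers/media/usb/cx231xx/cx231xx-cards.c), the combined test `!assoc_desc || assoc_desc->bFirstInterface != ifnum` routes both the missing-descriptor case and the interface-mismatch case to the same dev_err text, "Not found matching IAD interface", so the log cannot distinguish a device that presents no Interface Association Descriptor from one whose descriptor names a different first interface. Consider a separate message for the NULL case; the -ENODEV return and the err_if exit can stay shared.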
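Review bot: Across the twelve dvb_detach() call sites changed in drivers/media/usb/dvb-usb/dib0700_devices.c, the new argument `state->dib7000p_ops.set_wbd_ref` is one member picked out of the ops structure, and nothing at any call site says why that member stands in for the module symbol. The reason (dvb_detach() hands its argument to symbol_put_addr(), which needs a function pointer) exists only in the commit message. Suggest a short comment, or a small helper wrapping the call, so the twelve identical lines share one explanation and a later change to the ops structure does not have to be repeated at each site.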
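Review bot: In the imon_probe() hunk (drivers/media/rc/imon.c), the new `goto fail` is taken after `mutex_lock(&driver_lock)`, which is visible two lines above the added check, while the fail label itself lies outside the hunk. Please confirm that this exit path releases driver_lock; if it does not, the new early exit leaves the mutex held. The commit message's "It seems that the return value of usb_ifnum_to_if() can be NULL" would also be more useful if it stated when interface 0 is absent.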
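Review bot: In the asix_suspend() hunk (drivers/net/usb/asix_devices.c), the added `priv &&` guard carries no comment saying when dev->driver_priv is legitimately unset at suspend time, and the commit message only says it "might not have been assigned a value". A one-line comment naming that condition would keep the check from being read as dead code later. In the patch header, the Acked-by tag has landed inside the quoted oops, ahead of the "end trace" line, rather than alongside the Signed-off-by tags where the other patches in this commit place it.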
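Review bot: In the series.conf hunks, patches.drivers/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch carries a .patch suffix while the other four patches.drivers entries added in this commit do not; one naming form should be used for all of them. The Input-ims-psu-check-if-CDC-union-descriptor-is-sane entry is also added directly after the commented-out SUSE-bootsplash lines and immediately before the Sound banner, so it is worth confirming that this is the intended section for an input driver fix.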
