Hello community,

here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2016-05-16 12:03:35

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
 and      /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes 2016-05-08 10:45:05.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes 2016-05-16 12:03:36.000000000 +0200 
@@ -1,0 +2,48 @@ +Wed May 11 17:23:21 CEST 2016 - [email protected] + +- Linux 4.5.4 (bsc#969870). +- Delete + patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand. +- commit db90c25 + +------------------------------------------------------------------- +Wed May 11 08:14:40 CEST 2016 - [email protected] + +- ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt + (CVE-2016-4569,bsc#979213). +- ALSA: timer: Fix leak in events via snd_timer_user_ccallback + (CVE-2016-4569,bsc#979213). +- ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS + (CVE-2016-4569,bsc#979213). +- commit 875e079 + +------------------------------------------------------------------- +Wed May 11 07:59:38 CEST 2016 - [email protected] + +- Bluetooth: vhci: Fix race at creating hci device + (bsc#971799,bsc#966849). +- Bluetooth: vhci: purge unhandled skbs (bsc#971799,bsc#966849). +- Bluetooth: vhci: fix open_timeout vs. hdev race + (bsc#971799,bsc#966849). +- commit ea94c66 + +------------------------------------------------------------------- +Tue May 10 14:35:43 CEST 2016 - [email protected] + +- net: fix infoleak in rtnetlink (CVE-2016-4486 bsc#978822). +- commit 61212a2 + +------------------------------------------------------------------- +Tue May 10 14:35:11 CEST 2016 - [email protected] + +- bpf: fix refcnt overflow (CVE-2016-4558 bsc#979019). +- commit 6f2153b + +------------------------------------------------------------------- +Tue May 10 14:34:23 CEST 2016 - [email protected] + +- bpf: fix double-fdput in replace_map_fd_with_map_ptr() + (CVE-2016-4557 bsc#979018). 
+- commit c96cd1e + +------------------------------------------------------------------- kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-vanilla.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kernel-debug.spec ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.5 -%define patchversion 4.5.3 +%define patchversion 4.5.4 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: A Debug Version of the Kernel License: GPL-2.0 Group: System/Kernel -Version: 4.5.3 +Version: 4.5.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd29747f +Release: <RELEASE>.gdb90c25 %else Release: 0 %endif kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200 @@ -16,7 +16,7 @@ # -%define patchversion 4.5.3 +%define patchversion 4.5.4 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -27,9 +27,9 @@ Summary: Kernel Documentation (man pages) License: GPL-2.0 Group: Documentation/Man -Version: 4.5.3 +Version: 4.5.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd29747f +Release: <RELEASE>.gdb90c25 %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200 
@@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.5 -%define patchversion 4.5.3 +%define patchversion 4.5.4 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.5.3 +Version: 4.5.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd29747f +Release: <RELEASE>.gdb90c25 %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.5.3 +%define patchversion 4.5.4 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -51,9 +51,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.5.3 +Version: 4.5.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd29747f +Release: <RELEASE>.gdb90c25 %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.5.3 +%define patchversion 4.5.4 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.5.3 +Version: 4.5.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd29747f +Release: <RELEASE>.gdb90c25 %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.5 -%define patchversion 4.5.3 +%define patchversion 4.5.4 %define variant %{nil} %define vanilla_only 0 
@@ -61,9 +61,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.5.3 +Version: 4.5.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd29747f +Release: <RELEASE>.gdb90c25 %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.5 -%define patchversion 4.5.3 +%define patchversion 4.5.4 %define variant %{nil} %define vanilla_only 0 @@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.5.3 +Version: 4.5.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd29747f +Release: <RELEASE>.gdb90c25 %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.5.3 +Version: 4.5.4 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.gd29747f +Release: <RELEASE>.gdb90c25 %else Release: 0 %endif ++++++ kernel-vanilla.spec ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.5 -%define patchversion 4.5.3 +%define patchversion 4.5.4 %define variant %{nil} %define vanilla_only 0 
@@ -61,9 +61,9 @@ Summary: The Standard Kernel - without any SUSE patches License: GPL-2.0 Group: System/Kernel -Version: 4.5.3 +Version: 4.5.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd29747f +Release: <RELEASE>.gdb90c25 %else Release: 0 %endif ++++++ patches.arch.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand new/patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand --- old/patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand 2016-05-05 07:03:39.000000000 +0200 +++ new/patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand 1970-01-01 01:00:00.000000000 +0100 
@@ -1,163 +0,0 @@ -From a21211672c9a1d730a39aa65d4a5b3414700adfb Mon Sep 17 00:00:00 2001 -From: Srinivas Pandruvada <[email protected]> -Date: Wed, 23 Mar 2016 21:07:39 -0700 -Subject: [PATCH] ACPI / processor: Request native thermal interrupt handling via _OSC -Patch-mainline: 4.6-rc2 -Git-commit: a21211672c9a1d730a39aa65d4a5b3414700adfb -References: bsc#969870 - -There are several reports of freeze on enabling HWP (Hardware PStates) -feature on Skylake-based systems by the Intel P-states driver. The root -cause is identified as the HWP interrupts causing BIOS code to freeze. - -HWP interrupts use the thermal LVT which can be handled by Linux -natively, but on the affected Skylake-based systems SMM will respond -to it by default. This is a problem for several reasons: - - On the affected systems the SMM thermal LVT handler is broken (it - will crash when invoked) and a BIOS update is necessary to fix it. - - With thermal interrupt handled in SMM we lose all of the reporting - features of the arch/x86/kernel/cpu/mcheck/therm_throt driver. - - Some thermal drivers like x86-package-temp depend on the thermal - threshold interrupts signaled via the thermal LVT. - - The HWP interrupts are useful for debugging and tuning - performance (if the kernel can handle them). -The native handling of thermal interrupts needs to be enabled -because of that. - -This requires some way to tell SMM that the OS can handle thermal -interrupts. That can be done by using _OSC/_PDC in processor -scope very early during ACPI initialization. - -The meaning of _OSC/_PDC bit 12 in processor scope is whether or -not the OS supports native handling of interrupts for Collaborative -Processor Performance Control (CPPC) notifications. Since on -HWP-capable systems CPPC is a firmware interface to HWP, setting -this bit effectively tells the firmware that the OS will handle -thermal interrupts natively going forward. 
- -For details on _OSC/_PDC refer to: -http://www.intel.com/content/www/us/en/standards/processor-vendor-specific-acpi-specification.html - -To implement the _OSC/_PDC handshake as described, introduce a new -function, acpi_early_processor_osc(), that walks the ACPI -namespace looking for ACPI processor objects and invokes _OSC for -them with bit 12 in the capabilities buffer set and terminates the -namespace walk on the first success. - -Also modify intel_thermal_interrupt() to clear HWP status bits in -the HWP_STATUS MSR to acknowledge HWP interrupts (which prevents -them from firing continuously). - -Signed-off-by: Srinivas Pandruvada <[email protected]> -[ rjw: Subject & changelog, function rename ] - -Signed-off-by: Rafael J. Wysocki <[email protected]> -Acked-by: Takashi Iwai <[email protected]> - ---- - arch/x86/kernel/cpu/mcheck/therm_throt.c | 3 + - drivers/acpi/acpi_processor.c | 52 +++++++++++++++++++++++++++++++ - drivers/acpi/bus.c | 3 + - drivers/acpi/internal.h | 6 +++ - 4 files changed, 64 insertions(+) - ---- a/arch/x86/kernel/cpu/mcheck/therm_throt.c -+++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c -@@ -385,6 +385,9 @@ static void intel_thermal_interrupt(void - { - __u64 msr_val; - -+ if (static_cpu_has(X86_FEATURE_HWP)) -+ wrmsrl_safe(MSR_HWP_STATUS, 0); -+ - rdmsrl(MSR_IA32_THERM_STATUS, msr_val); - - /* Check for violation of core thermal thresholds*/ ---- a/drivers/acpi/acpi_processor.c -+++ b/drivers/acpi/acpi_processor.c -@@ -491,6 +491,58 @@ static void acpi_processor_remove(struct - } - #endif /* CONFIG_ACPI_HOTPLUG_CPU */ - -+#ifdef CONFIG_X86 -+static bool acpi_hwp_native_thermal_lvt_set; -+static acpi_status __init acpi_hwp_native_thermal_lvt_osc(acpi_handle handle, -+ u32 lvl, -+ void *context, -+ void **rv) -+{ -+ u8 sb_uuid_str[] = "4077A616-290C-47BE-9EBD-D87058713953"; -+ u32 capbuf[2]; -+ struct acpi_osc_context osc_context = { -+ .uuid_str = sb_uuid_str, -+ .rev = 1, -+ .cap.length = 8, -+ .cap.pointer = capbuf, -+ }; -+ -+ if 
(acpi_hwp_native_thermal_lvt_set) -+ return AE_CTRL_TERMINATE; -+ -+ capbuf[0] = 0x0000; -+ capbuf[1] = 0x1000; /* set bit 12 */ -+ -+ if (ACPI_SUCCESS(acpi_run_osc(handle, &osc_context))) { -+ if (osc_context.ret.pointer && osc_context.ret.length > 1) { -+ u32 *capbuf_ret = osc_context.ret.pointer; -+ -+ if (capbuf_ret[1] & 0x1000) { -+ acpi_handle_info(handle, -+ "_OSC native thermal LVT Acked\n"); -+ acpi_hwp_native_thermal_lvt_set = true; -+ } -+ } -+ kfree(osc_context.ret.pointer); -+ } -+ -+ return AE_OK; -+} -+ -+void __init acpi_early_processor_osc(void) -+{ -+ if (boot_cpu_has(X86_FEATURE_HWP)) { -+ acpi_walk_namespace(ACPI_TYPE_PROCESSOR, ACPI_ROOT_OBJECT, -+ ACPI_UINT32_MAX, -+ acpi_hwp_native_thermal_lvt_osc, -+ NULL, NULL, NULL); -+ acpi_get_devices(ACPI_PROCESSOR_DEVICE_HID, -+ acpi_hwp_native_thermal_lvt_osc, -+ NULL, NULL); -+ } -+} -+#endif -+ - /* - * The following ACPI IDs are known to be suitable for representing as - * processor devices. ---- a/drivers/acpi/bus.c -+++ b/drivers/acpi/bus.c -@@ -1005,6 +1005,9 @@ static int __init acpi_bus_init(void) - goto error1; - } - -+ /* Set capability bits for _OSC under processor scope */ -+ acpi_early_processor_osc(); -+ - /* - * _OSC method may exist in module level code, - * so it must be run after ACPI_FULL_INITIALIZATION ---- a/drivers/acpi/internal.h -+++ b/drivers/acpi/internal.h -@@ -138,6 +138,12 @@ void acpi_early_processor_set_pdc(void); - static inline void acpi_early_processor_set_pdc(void) {} - #endif - -+#ifdef CONFIG_X86 -+void acpi_early_processor_osc(void); -+#else -+static inline void acpi_early_processor_osc(void) {} -+#endif -+ - /* -------------------------------------------------------------------------- - Embedded Controller - -------------------------------------------------------------------------- */ ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
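Review bot: Dropping this entire backport (the hunk removes all 163 lines of patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand) is only safe if the same change already ships in the 4.5.4 base this update moves to. The changelog pairs the deletion with "Linux 4.5.4 (bsc#969870)" and the patch header records the upstream commit as a21211672c9a1d730a39aa65d4a5b3414700adfb with Patch-mainline: 4.6-rc2, so please confirm that this commit is present in the 4.5.4 stable tree, for example by checking that the 4.5.4 drivers/acpi/acpi_processor.c defines acpi_early_processor_osc() and that acpi_bus_init() calls it; otherwise the Skylake HWP freeze the patch fixes would silently return with this version bump.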
old/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS new/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS --- old/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS 2016-05-11 08:15:55.000000000 +0200 
@@ -0,0 +1,33 @@ +From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <[email protected]> +Date: Tue, 3 May 2016 16:44:07 -0400 +Subject: [PATCH] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Patch-mainline: Queued in subsystem maintainer repository +Git-commit: cec8f96e49d9be372fdb0c3836dcf31ec71e457e +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git +References: CVE-2016-4569,bsc#979213 + +The stack object “tread” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <[email protected]> +Signed-off-by: Takashi Iwai <[email protected]> + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct + if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { + if (tu->tread) { + struct snd_timer_tread tread; ++ memset(&tread, 0, sizeof(tread)); + tread.event = SNDRV_TIMER_EVENT_EARLY; + tread.tstamp.tv_sec = 0; + tread.tstamp.tv_nsec = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca --- old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca 2016-05-11 08:15:55.000000000 +0200 
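Review bot: The `memset(&tread, 0, sizeof(tread));` added ahead of the field assignments is the right tool for this leak and preferable to an initializer such as `= { 0 }`: the bytes that reach user space uninitialized are the padding after `event` and `val` (the commit message counts 8 of the 32 bytes), and an aggregate initializer is only guaranteed to set named members, whereas memset() over sizeof(tread) covers every byte before the structure is copied out. One small style follow-up: with tread fully zeroed, the two explicit `tread.tstamp.tv_sec = 0;` / `tread.tstamp.tv_nsec = 0;` stores that follow become redundant and could be dropped in a later cleanup.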
@@ -0,0 +1,33 @@ +From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <[email protected]> +Date: Tue, 3 May 2016 16:44:20 -0400 +Subject: [PATCH] ALSA: timer: Fix leak in events via snd_timer_user_ccallback +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Patch-mainline: Queued in subsystem maintainer repository +Git-commit: 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git +References: CVE-2016-4569,bsc#979213 + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <[email protected]> +Signed-off-by: Takashi Iwai <[email protected]> + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(str + tu->tstamp = *tstamp; + if ((tu->filter & (1 << event)) == 0 || !tu->tread) + return; ++ memset(&r1, 0, sizeof(r1)); + r1.event = event; + r1.tstamp = *tstamp; + r1.val = resolution; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin --- old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin 2016-05-11 08:15:55.000000000 +0200 
@@ -0,0 +1,33 @@ +From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <[email protected]> +Date: Tue, 3 May 2016 16:44:32 -0400 +Subject: [PATCH] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Patch-mainline: Queued in subsystem maintainer repository +Git-commit: e4ec8cc8039a7063e24204299b462bd1383184a5 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git +References: CVE-2016-4569,bsc#979213 + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <[email protected]> +Signed-off-by: Takashi Iwai <[email protected]> + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(st + } + if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && + tu->last_resolution != resolution) { ++ memset(&r1, 0, sizeof(r1)); + r1.event = SNDRV_TIMER_EVENT_RESOLUTION; + r1.tstamp = tstamp; + r1.val = resolution; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device new/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device --- old/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device 2016-05-11 08:15:55.000000000 +0200 
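Review bot: The `memset(&r1, 0, sizeof(r1));` is placed inside the `if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && tu->last_resolution != resolution)` branch rather than where r1 is declared, so it only clears r1 on the resolution-event path; if snd_timer_user_tinterrupt() fills and queues r1 on any other path (the hunk shows only this branch), that path would still hand out uninitialized padding. Moving the memset() to the point where r1 is declared, or adding one in front of each site that populates r1, would make the fix independent of which branch is taken. The sibling patch for snd_timer_user_ccallback() does not have this concern because there the memset() sits right after the early `return;` and precedes the only fill site.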
@@ -0,0 +1,91 @@ +From c7c999cb18da88a881e10e07f0724ad0bfaff770 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <[email protected]> +Date: Thu, 14 Apr 2016 17:32:19 +0200 +Subject: [PATCH] Bluetooth: vhci: Fix race at creating hci device +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git +Git-commit: c7c999cb18da88a881e10e07f0724ad0bfaff770 +References: bsc#971799,bsc#966849 + +hci_vhci driver creates a hci device object dynamically upon each +HCI_VENDOR_PKT write. Although it checks the already created object +and returns an error, it's still racy and may build multiple hci_dev +objects concurrently when parallel writes are performed, as the device +tracks only a single hci_dev object. + +This patch introduces a mutex to protect against the concurrent device +creations. + +Cc: <[email protected]> +Signed-off-by: Takashi Iwai <[email protected]> +Signed-off-by: Marcel Holtmann <[email protected]> + +--- + drivers/bluetooth/hci_vhci.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -50,6 +50,7 @@ struct vhci_data { + wait_queue_head_t read_wait; + struct sk_buff_head readq; + ++ struct mutex open_mutex; + struct delayed_work open_timeout; + }; + +@@ -87,12 +88,15 @@ static int vhci_send_frame(struct hci_de + return 0; + } + +-static int vhci_create_device(struct vhci_data *data, __u8 opcode) ++static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + { + struct hci_dev *hdev; + struct sk_buff *skb; + __u8 dev_type; + ++ if (data->hdev) ++ return -EBADFD; ++ + /* bits 0-1 are dev_type (BR/EDR or AMP) */ + dev_type = opcode & 0x03; + +@@ -151,6 +155,17 @@ static int vhci_create_device(struct vhc + return 0; + } + ++static int vhci_create_device(struct vhci_data *data, __u8 opcode) ++{ ++ int err; ++ ++ mutex_lock(&data->open_mutex); ++ err = 
__vhci_create_device(data, opcode); ++ mutex_unlock(&data->open_mutex); ++ ++ return err; ++} ++ + static inline ssize_t vhci_get_user(struct vhci_data *data, + struct iov_iter *from) + { +@@ -191,11 +206,6 @@ static inline ssize_t vhci_get_user(stru + case HCI_VENDOR_PKT: + cancel_delayed_work_sync(&data->open_timeout); + +- if (data->hdev) { +- kfree_skb(skb); +- return -EBADFD; +- } +- + opcode = *((__u8 *) skb->data); + skb_pull(skb, 1); + +@@ -320,6 +330,7 @@ static int vhci_open(struct inode *inode + skb_queue_head_init(&data->readq); + init_waitqueue_head(&data->read_wait); + ++ mutex_init(&data->open_mutex); + INIT_DELAYED_WORK(&data->open_timeout, vhci_open_timeout); + + file->private_data = data; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race new/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race --- old/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race 2016-05-11 08:15:55.000000000 +0200 
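Review bot: The `if (data->hdev) return -EBADFD;` check relocated into __vhci_create_device() under open_mutex is what actually closes the race, but the block it replaces in vhci_get_user() also did `kfree_skb(skb);` before returning -EBADFD, and the hunk does not show the lines between `skb_pull(skb, 1);` and the vhci_create_device() call; please confirm that skb is still freed on that path (either before vhci_create_device() is called or on its non-zero return), otherwise the fix trades a duplicate hci_dev for an skb leak on every rejected HCI_VENDOR_PKT write. Worth a sentence in the commit message as well: because the public name vhci_create_device() is kept as the locked wrapper, every existing caller, including the open_timeout worker that the companion patch describes as creating hdev, is now serialized through the same mutex.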
@@ -0,0 +1,164 @@ +From 373a32c848ae3a1c03618517cce85f9211a6facf Mon Sep 17 00:00:00 2001 +From: Jiri Slaby <[email protected]> +Date: Sat, 19 Mar 2016 11:05:18 +0100 +Subject: [PATCH] Bluetooth: vhci: fix open_timeout vs. hdev race +Patch-mainline: Queued in subsystem maintainer repository +Git-commit: 373a32c848ae3a1c03618517cce85f9211a6facf +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git +References: bsc#971799,bsc#966849 + +Both vhci_get_user and vhci_release race with open_timeout work. They +both contain cancel_delayed_work_sync, but do not test whether the +work actually created hdev or not. Since the work can be in progress +and _sync will wait for finishing it, we can have data->hdev allocated +when cancel_delayed_work_sync returns. But the call sites do 'if +(data->hdev)' *before* cancel_delayed_work_sync. + +As a result: +* vhci_get_user allocates a second hdev and puts it into + data->hdev. The former is leaked. +* vhci_release does not release data->hdev properly as it thinks there + is none. + +Fix both cases by moving the actual test *after* the call to +cancel_delayed_work_sync. 
+ +This can be hit by this program: + #include <err.h> + #include <fcntl.h> + #include <stdio.h> + #include <stdlib.h> + #include <time.h> + #include <unistd.h> + + #include <sys/stat.h> + #include <sys/types.h> + + int main(int argc, char **argv) + { + int fd; + + srand(time(NULL)); + + while (1) { + const int delta = (rand() % 200 - 100) * 100; + + fd = open("/dev/vhci", O_RDWR); + if (fd < 0) + err(1, "open"); + + usleep(1000000 + delta); + + close(fd); + } + + return 0; + } + +And the result is: +Bug: KASAN: use-after-free in skb_queue_tail+0x13e/0x150 at addr ffff88006b0c1228 +Read of size 8 by task kworker/u13:1/32068 +============================================================================= +BUG kmalloc-192 (Tainted: G E ): kasan: bad access detected + +Acked-by: Takashi Iwai <[email protected]> +Signed-off-by: Takashi Iwai <[email protected]> + +----------------------------------------------------------------------------- + +Disabling lock debugging due to kernel taint +INFO: Allocated in vhci_open+0x50/0x330 [hci_vhci] age=260 cpu=3 pid=32040 +... + kmem_cache_alloc_trace+0x150/0x190 + vhci_open+0x50/0x330 [hci_vhci] + misc_open+0x35b/0x4e0 + chrdev_open+0x23b/0x510 +... +INFO: Freed in vhci_release+0xa4/0xd0 [hci_vhci] age=9 cpu=2 pid=32040 +... + __slab_free+0x204/0x310 + vhci_release+0xa4/0xd0 [hci_vhci] +... +INFO: Slab 0xffffea0001ac3000 objects=16 used=13 fp=0xffff88006b0c1e00 flags=0x5fffff80004080 +INFO: Object 0xffff88006b0c1200 @offset=4608 fp=0xffff88006b0c0600 +Bytes b4 ffff88006b0c11f0: 09 df 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffff88006b0c1200: 00 06 0c 6b 00 88 ff ff 00 00 00 00 00 00 00 00 ...k............ +Object ffff88006b0c1210: 10 12 0c 6b 00 88 ff ff 10 12 0c 6b 00 88 ff ff ...k.......k.... +Object ffff88006b0c1220: c0 46 c2 6b 00 88 ff ff c0 46 c2 6b 00 88 ff ff .F.k.....F.k.... +Object ffff88006b0c1230: 01 00 00 00 01 00 00 00 e0 ff ff ff 0f 00 00 00 ................ 
+Object ffff88006b0c1240: 40 12 0c 6b 00 88 ff ff 40 12 0c 6b 00 88 ff ff @[email protected].... +Object ffff88006b0c1250: 50 0d 6e a0 ff ff ff ff 00 02 00 00 00 00 ad de P.n............. +Object ffff88006b0c1260: 00 00 00 00 00 00 00 00 ab 62 02 00 01 00 00 00 .........b...... +Object ffff88006b0c1270: 90 b9 19 81 ff ff ff ff 38 12 0c 6b 00 88 ff ff ........8..k.... +Object ffff88006b0c1280: 03 00 20 00 ff ff ff ff ff ff ff ff 00 00 00 00 .. ............. +Object ffff88006b0c1290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffff88006b0c12a0: 00 00 00 00 00 00 00 00 00 80 cd 3d 00 88 ff ff ...........=.... +Object ffff88006b0c12b0: 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . .............. +Redzone ffff88006b0c12c0: bb bb bb bb bb bb bb bb ........ +Padding ffff88006b0c13f8: 00 00 00 00 00 00 00 00 ........ +CPU: 3 PID: 32068 Comm: kworker/u13:1 Tainted: G B E 4.4.6-0-default #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014 +Workqueue: hci0 hci_cmd_work [bluetooth] + 00000000ffffffff ffffffff81926cfa ffff88006be37c68 ffff88006bc27180 + ffff88006b0c1200 ffff88006b0c1234 ffffffff81577993 ffffffff82489320 + ffff88006bc24240 0000000000000046 ffff88006a100000 000000026e51eb80 +Call Trace: +... + [<ffffffff81ec8ebe>] ? skb_queue_tail+0x13e/0x150 + [<ffffffffa06e027c>] ? vhci_send_frame+0xac/0x100 [hci_vhci] + [<ffffffffa0c61268>] ? hci_send_frame+0x188/0x320 [bluetooth] + [<ffffffffa0c61515>] ? hci_cmd_work+0x115/0x310 [bluetooth] + [<ffffffff811a1375>] ? process_one_work+0x815/0x1340 + [<ffffffff811a1f85>] ? worker_thread+0xe5/0x11f0 + [<ffffffff811a1ea0>] ? process_one_work+0x1340/0x1340 + [<ffffffff811b3c68>] ? kthread+0x1c8/0x230 +... 
+Memory state around the buggy address: + ffff88006b0c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88006b0c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88006b0c1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88006b0c1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff88006b0c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers) +Signed-off-by: Jiri Slaby <[email protected]> +Signed-off-by: Marcel Holtmann <[email protected]> +Cc: Dmitry Vyukov <[email protected]> +Cc: stable 3.13+ <[email protected]> +--- + drivers/bluetooth/hci_vhci.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -189,13 +189,13 @@ static inline ssize_t vhci_get_user(stru + break; + + case HCI_VENDOR_PKT: ++ cancel_delayed_work_sync(&data->open_timeout); ++ + if (data->hdev) { + kfree_skb(skb); + return -EBADFD; + } + +- cancel_delayed_work_sync(&data->open_timeout); +- + opcode = *((__u8 *) skb->data); + skb_pull(skb, 1); + +@@ -333,10 +333,12 @@ static int vhci_open(struct inode *inode + static int vhci_release(struct inode *inode, struct file *file) + { + struct vhci_data *data = file->private_data; +- struct hci_dev *hdev = data->hdev; ++ struct hci_dev *hdev; + + cancel_delayed_work_sync(&data->open_timeout); + ++ hdev = data->hdev; ++ + if (hdev) { + hci_unregister_dev(hdev); + hci_free_dev(hdev); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs new/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs --- old/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs 2016-05-11 08:15:55.000000000 +0200 
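Review bot: Moving `cancel_delayed_work_sync(&data->open_timeout);` ahead of the `if (data->hdev)` test in vhci_get_user(), and reading `hdev = data->hdev;` only after the cancel in vhci_release(), is correct: the _sync variant waits for an in-flight vhci_open_timeout() to finish, so data->hdev is stable only after it returns. The commit message should say explicitly that this covers the worker-versus-caller race only; two concurrent HCI_VENDOR_PKT writers can still both observe data->hdev == NULL after their cancels, which is what the separate "Fix race at creating hci device" patch with open_mutex addresses, so both patches are needed for bsc#971799. A minor point on the message: the slab hex dump and register lines add little beyond the `Bug: KASAN: use-after-free in skb_queue_tail` headline, the Allocated/Freed backtraces and the Call Trace, and trimming to those would keep the useful evidence.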
@@ -0,0 +1,86 @@ +From 13407376b255325fa817798800117a839f3aa055 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby <[email protected]> +Date: Sat, 19 Mar 2016 11:49:43 +0100 +Subject: [PATCH] Bluetooth: vhci: purge unhandled skbs +Patch-mainline: Queued in subsystem maintainer repository +Git-commit: 13407376b255325fa817798800117a839f3aa055 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git +References: bsc#971799,bsc#966849 + +The write handler allocates skbs and queues them into data->readq. +Read side should read them, if there is any. If there is none, skbs +should be dropped by hdev->flush. But this happens only if the device +is HCI_UP, i.e. hdev->power_on work was triggered already. When it was +not, skbs stay allocated in the queue when /dev/vhci is closed. So +purge the queue in ->release. + +Program to reproduce: + #include <err.h> + #include <fcntl.h> + #include <stdio.h> + #include <unistd.h> + + #include <sys/stat.h> + #include <sys/types.h> + #include <sys/uio.h> + + int main() + { + char buf[] = { 0xff, 0 }; + struct iovec iov = { + .iov_base = buf, + .iov_len = sizeof(buf), + }; + int fd; + + while (1) { + fd = open("/dev/vhci", O_RDWR); + if (fd < 0) + err(1, "open"); + + usleep(50); + + if (writev(fd, &iov, 1) < 0) + err(1, "writev"); + + usleep(50); + + close(fd); + } + + return 0; + } + +Result: +Kmemleak: 4609 new suspected memory leaks +unreferenced object 0xffff88059f4d5440 (size 232): + comm "vhci", pid 1084, jiffies 4294912542 (age 37569.296s) + hex dump (first 32 bytes): + 20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff .#..... .#..... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: +... 
+ [<ffffffff81ece010>] __alloc_skb+0x0/0x5a0 + [<ffffffffa021886c>] vhci_create_device+0x5c/0x580 [hci_vhci] + [<ffffffffa0219436>] vhci_write+0x306/0x4c8 [hci_vhci] + +Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers) +Signed-off-by: Jiri Slaby <[email protected]> +Signed-off-by: Marcel Holtmann <[email protected]> +Cc: stable 3.13+ <[email protected]> +Acked-by: Takashi Iwai <[email protected]> + +--- + drivers/bluetooth/hci_vhci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -344,6 +344,7 @@ static int vhci_release(struct inode *in + hci_free_dev(hdev); + } + ++ skb_queue_purge(&data->readq); + file->private_data = NULL; + kfree(data); + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch new/patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch --- old/patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch 2016-05-11 08:15:55.000000000 +0200 
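Review bot: `skb_queue_purge(&data->readq);` is placed after the `hci_unregister_dev(hdev); hci_free_dev(hdev);` block and before `kfree(data);`, which is the right order: once the hdev is unregistered, vhci_send_frame() can no longer queue into readq, so nothing can land in the queue between the purge and the kfree(data); purging before the unregister would leave that window open. Combined with the cancel_delayed_work_sync() earlier in the same function the timeout worker cannot repopulate the queue either. Consider stating in the commit message that hdev->flush only runs once the device is HCI_UP, as the description already implies, so readers understand why the purge in ->release is needed in addition to the existing flush.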
@@ -0,0 +1,50 @@ +From: Jann Horn <[email protected]> +Date: Tue, 26 Apr 2016 22:26:26 +0200 +Subject: bpf: fix double-fdput in replace_map_fd_with_map_ptr() +Patch-mainline: v4.6-rc6 +Git-commit: 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 +References: CVE-2016-4557 bsc#979018 + +When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode +references a non-map file descriptor as a map file descriptor, the error +handling code called fdput() twice instead of once (in __bpf_map_get() and +in replace_map_fd_with_map_ptr()). If the file descriptor table of the +current task is shared, this causes f_count to be decremented too much, +allowing the struct file to be freed while it is still in use +(use-after-free). This can be exploited to gain root privileges by an +unprivileged user. + +This bug was introduced in +commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only +exploitable since +commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because +previously, CAP_SYS_ADMIN was required to reach the vulnerable code. + +(posted publicly according to request by maintainer) + +Signed-off-by: Jann Horn <[email protected]> +Signed-off-by: Linus Torvalds <[email protected]> +Acked-by: Alexei Starovoitov <[email protected]> +Acked-by: Daniel Borkmann <[email protected]> +Signed-off-by: David S. 
Miller <[email protected]> +Acked-by: Michal Kubecek <[email protected]> + +--- + kernel/bpf/verifier.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 2e7f7ab739e4..7520d7335336 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2003,7 +2003,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) + if (IS_ERR(map)) { + verbose("fd %d is not pointing to valid bpf_map\n", + insn->imm); +- fdput(f); + return PTR_ERR(map); + } + +-- +2.8.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/bpf-fix-refcnt-overflow.patch new/patches.fixes/bpf-fix-refcnt-overflow.patch --- old/patches.fixes/bpf-fix-refcnt-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/bpf-fix-refcnt-overflow.patch 2016-05-11 08:15:55.000000000 +0200 
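Review bot: removing the fdput(f) on the IS_ERR(map) path is the right fix because, as the message says, __bpf_map_get() already drops the file reference when it returns an error, so the caller owns the fd reference only on success; that asymmetry (callee releases on failure, caller releases on success via the fdput(f) further down in the function) is easy to re-break, so a short comment at the __bpf_map_get() call site, e.g. `/* __bpf_map_get() does fdput() on error */`, is worth adding. Since the path became reachable by unprivileged users once non-root eBPF was enabled, the fix is a stable candidate for every kernel carrying 1be7f75d1668, which the References line already reflects.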
@@ -0,0 +1,162 @@ +From: Alexei Starovoitov <[email protected]> +Date: Wed, 27 Apr 2016 18:56:20 -0700 +Subject: bpf: fix refcnt overflow +Patch-mainline: v4.6-rc7 +Git-commit: 92117d8443bc5afacc8d5ba82e541946310f106e +References: CVE-2016-4558 bsc#979019 + +On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK, +the malicious application may overflow 32-bit bpf program refcnt. +It's also possible to overflow map refcnt on 1Tb system. +Impose 32k hard limit which means that the same bpf program or +map cannot be shared by more than 32k processes. + +Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs") +Reported-by: Jann Horn <[email protected]> +Signed-off-by: Alexei Starovoitov <[email protected]> +Acked-by: Daniel Borkmann <[email protected]> +Signed-off-by: David S. Miller <[email protected]> +Acked-by: Michal Kubecek <[email protected]> + +--- + include/linux/bpf.h | 3 ++- + kernel/bpf/inode.c | 7 ++++--- + kernel/bpf/syscall.c | 24 ++++++++++++++++++++---- + kernel/bpf/verifier.c | 11 +++++++---- + 4 files changed, 33 insertions(+), 12 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 83d1926c61e4..67bc2da5d233 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl); + void bpf_register_map_type(struct bpf_map_type_list *tl); + + struct bpf_prog *bpf_prog_get(u32 ufd); ++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog); + void bpf_prog_put(struct bpf_prog *prog); + void bpf_prog_put_rcu(struct bpf_prog *prog); + + struct bpf_map *bpf_map_get_with_uref(u32 ufd); + struct bpf_map *__bpf_map_get(struct fd f); +-void bpf_map_inc(struct bpf_map *map, bool uref); ++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref); + void bpf_map_put_with_uref(struct bpf_map *map); + void bpf_map_put(struct bpf_map *map); + +diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c +index f2ece3c174a5..8f94ca1860cf 100644 +--- 
a/kernel/bpf/inode.c ++++ b/kernel/bpf/inode.c +@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum bpf_type type) + { + switch (type) { + case BPF_TYPE_PROG: +- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt); ++ raw = bpf_prog_inc(raw); + break; + case BPF_TYPE_MAP: +- bpf_map_inc(raw, true); ++ raw = bpf_map_inc(raw, true); + break; + default: + WARN_ON_ONCE(1); +@@ -297,7 +297,8 @@ static void *bpf_obj_do_get(const struct filename *pathname, + goto out; + + raw = bpf_any_get(inode->i_private, *type); +- touch_atime(&path); ++ if (!IS_ERR(raw)) ++ touch_atime(&path); + + path_put(&path); + return raw; +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 637397059f76..aa5f39772ac4 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -201,11 +201,18 @@ struct bpf_map *__bpf_map_get(struct fd f) + return f.file->private_data; + } + +-void bpf_map_inc(struct bpf_map *map, bool uref) ++/* prog's and map's refcnt limit */ ++#define BPF_MAX_REFCNT 32768 ++ ++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref) + { +- atomic_inc(&map->refcnt); ++ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) { ++ atomic_dec(&map->refcnt); ++ return ERR_PTR(-EBUSY); ++ } + if (uref) + atomic_inc(&map->usercnt); ++ return map; + } + + struct bpf_map *bpf_map_get_with_uref(u32 ufd) +@@ -217,7 +224,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd) + if (IS_ERR(map)) + return map; + +- bpf_map_inc(map, true); ++ map = bpf_map_inc(map, true); + fdput(f); + + return map; +@@ -600,6 +607,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f) + return f.file->private_data; + } + ++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog) ++{ ++ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) { ++ atomic_dec(&prog->aux->refcnt); ++ return ERR_PTR(-EBUSY); ++ } ++ return prog; ++} ++ + /* called by sockets/tracing/seccomp before attaching program to an event + * pairs with bpf_prog_put() + */ +@@ -612,7 +628,7 @@ struct bpf_prog 
*bpf_prog_get(u32 ufd) + if (IS_ERR(prog)) + return prog; + +- atomic_inc(&prog->aux->refcnt); ++ prog = bpf_prog_inc(prog); + fdput(f); + + return prog; +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 2e7f7ab739e4..060e4c4c37ea 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) + return -E2BIG; + } + +- /* remember this map */ +- env->used_maps[env->used_map_cnt++] = map; +- + /* hold the map. If the program is rejected by verifier, + * the map will be released by release_maps() or it + * will be used by the valid program until it's unloaded + * and all maps are released in free_bpf_prog_info() + */ +- bpf_map_inc(map, false); ++ map = bpf_map_inc(map, false); ++ if (IS_ERR(map)) { ++ fdput(f); ++ return PTR_ERR(map); ++ } ++ env->used_maps[env->used_map_cnt++] = map; ++ + fdput(f); + next_insn: + insn++; +-- +2.8.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/net-fix-infoleak-in-rtnetlink.patch new/patches.fixes/net-fix-infoleak-in-rtnetlink.patch --- old/patches.fixes/net-fix-infoleak-in-rtnetlink.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/net-fix-infoleak-in-rtnetlink.patch 2016-05-11 08:15:55.000000000 +0200 
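Review bot: in the include/linux/bpf.h hunk, changing bpf_map_inc() from void to `struct bpf_map *` (and adding bpf_prog_inc() with a pointer return) does not produce a compile error for any caller that still ignores the result, so a caller missed by this series would silently keep the unbounded increment. Marking both prototypes __must_check would turn a missed caller into a build warning; the in-tree callers touched here (inode.c, syscall.c, verifier.c) all assign and check the result, but the header is the place to enforce it.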
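Review bot: in the kernel/bpf/inode.c hunks, bpf_any_get() now returns an ERR_PTR from the BPF_TYPE_PROG and BPF_TYPE_MAP branches, and bpf_obj_do_get() only guards touch_atime() with IS_ERR(raw) before returning raw unchanged; the hunk does not show bpf_obj_do_get()'s callers, so please confirm each of them treats the return as possibly-ERR_PTR rather than as a live object, since a caller that dereferences it would turn the new -EBUSY refusal into a crash.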
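Review bot: in the kernel/bpf/syscall.c hunks, the check-after-increment pattern (`atomic_inc_return() > BPF_MAX_REFCNT`, then `atomic_dec()` on failure) lets the counter sit transiently above the limit while several callers race; that is benign here because every racing caller sees the over-limit value and backs off with -EBUSY, and 32768 is far below the 2^31 wrap the message is defending against. Two smaller points: the bare `32768` define should say it is a sharing limit (the message's "cannot be shared by more than 32k processes") so nobody raises it later without understanding the overflow it prevents, and bpf_prog_inc() has no comment that its return must be IS_ERR-checked, unlike the `/* prog's and map's refcnt limit */` comment on the define.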
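Review bot: in the kernel/bpf/verifier.c hunk, moving `env->used_maps[env->used_map_cnt++] = map;` to after a successful bpf_map_inc() is the essential part: had the map been recorded before the increment failed, release_maps() would later drop a reference that was never taken, an underflow that mirrors the overflow being fixed. The new error path does call fdput(f), which is correct here because __bpf_map_get() succeeded and left the fd reference with the caller, in contrast to the IS_ERR(map) path a few lines above where the double-fdput fix removed it; a comment distinguishing the two paths would stop the next reader from "fixing" one to match the other.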
@@ -0,0 +1,54 @@ +From: Kangjie Lu <[email protected]> +Date: Tue, 3 May 2016 16:46:24 -0400 +Subject: net: fix infoleak in rtnetlink +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: v4.6 +Git-commit: 5f8e44741f9f216e33736ea4ec65ca9ac03036e6 +References: CVE-2016-4486 bsc#978822 + +The stack object “map” has a total size of 32 bytes. Its last 4 +bytes are padding generated by compiler. These padding bytes are +not initialized and sent out via “nla_put”. + +Signed-off-by: Kangjie Lu <[email protected]> +Signed-off-by: David S. Miller <[email protected]> +Acked-by: Michal Kubecek <[email protected]> + +--- + net/core/rtnetlink.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 215e6137f6ff..482c3717a45e 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1176,14 +1176,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, + + static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev) + { +- struct rtnl_link_ifmap map = { +- .mem_start = dev->mem_start, +- .mem_end = dev->mem_end, +- .base_addr = dev->base_addr, +- .irq = dev->irq, +- .dma = dev->dma, +- .port = dev->if_port, +- }; ++ struct rtnl_link_ifmap map; ++ ++ memset(&map, 0, sizeof(map)); ++ map.mem_start = dev->mem_start; ++ map.mem_end = dev->mem_end; ++ map.base_addr = dev->base_addr; ++ map.irq = dev->irq; ++ map.dma = dev->dma; ++ map.port = dev->if_port; ++ + if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) + return -EMSGSIZE; + +-- +2.8.2 + ++++++ patches.kernel.org.tar.bz2 ++++++ ++++ 2459 lines of diff (skipped) ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:41.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:41.000000000 +0200 
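Review bot: replacing the designated initializer with memset() plus member assignments is the right fix in the rtnl_fill_link_ifmap() hunk: C does not guarantee that the padding bytes of an automatic struct are zeroed by an initializer list, so the 4 trailing bytes of the 32-byte struct rtnl_link_ifmap reached userspace uninitialized through nla_put(skb, IFLA_MAP, sizeof(map), &map). A comment above the memset saying it exists to clear padding would keep a future cleanup from reverting to the shorter but leaky initializer form; the same pattern, a stack struct passed whole by sizeof to nla_put() or copy_to_user(), is the thing to audit for elsewhere with that in mind.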
@@ -30,6 +30,7 @@ patches.kernel.org/patch-4.5.1 patches.kernel.org/patch-4.5.1-2 patches.kernel.org/patch-4.5.2-3 + patches.kernel.org/patch-4.5.3-4 ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -203,7 +204,6 @@ patches.arch/acpi_thermal_passive_blacklist.patch - patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand ######################################################## # CPUFREQ @@ -226,6 +226,9 @@ ######################################################## # Networking, IPv6 ######################################################## + patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch + patches.fixes/bpf-fix-refcnt-overflow.patch + patches.fixes/net-fix-infoleak-in-rtnetlink.patch ######################################################## # Netfilter @@ -381,6 +384,9 @@ ########################################################## # Sound ########################################################## + patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS + patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca + patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin ######################################################## # Char / serial @@ -393,6 +399,10 @@ # Needs updating WRT d27769ec (block: add GENHD_FL_NO_PART_SCAN) +hare patches.suse/no-partition-scan + patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race + patches.fixes/Bluetooth-vhci-purge-unhandled-skbs + patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device + ######################################################## # Other drivers we have added to the tree ######################################################## ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:41.000000000 +0200 +++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:41.000000000 +0200 
@@ -1,3 +1,3 @@ -2016-05-05 07:03:39 +0200 -GIT Revision: d29747fc112968f831670cbf4015a5dc5ea6a3fe +2016-05-11 17:23:21 +0200 +GIT Revision: db90c25df14b3a2668f5ee1e59e0578d8a096e44 GIT Branch: stable
