Hello community,

here is the log from the commit of package kernel-source for openSUSE:Factory 
checked in at 2016-06-07 23:44:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
 and      /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "kernel-source"

Changes:
--------
--- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes       
2016-05-31 12:12:22.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes  
2016-06-07 23:44:29.000000000 +0200
@@ -1,0 +2,21 @@
+Thu Jun  2 07:51:56 CEST 2016 - [email protected]
+
+- Linux 4.6.1 (boo#978953 bsc#966849 bsc#971799 bsc#979715
+  CVE-2016-3713).
+- Delete
+  patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device.
+- Delete
+  patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race.
+- Delete patches.fixes/Bluetooth-vhci-purge-unhandled-skbs.
+- Delete patches.fixes/kvm-remove-variable-physbase-mtrr.patch.
+- Delete
+  patches.fixes/watchdog-sp5100_tco-properly-check-for-new-register.
+- commit 9cdcddd
+
+-------------------------------------------------------------------
+Wed May 25 22:08:51 CEST 2016 - [email protected]
+
+- Set CONFIG_NET_XGENE=y as a workaround for (bsc#973756)
+- commit b829bc7
+
+-------------------------------------------------------------------
@@ -7,0 +29,18 @@
+Wed May 25 08:02:29 CEST 2016 - [email protected]
+
+- Update patch-mainline tags
+- patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS
+- patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca
+- patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin
+- patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device
+- patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race
+- patches.fixes/Bluetooth-vhci-purge-unhandled-skbs
+- commit f3a62f6
+
+-------------------------------------------------------------------
+Wed May 25 07:57:09 CEST 2016 - [email protected]
+
+- Bluetooth: fix power_on vs close race (bsc#966849).
+- commit d1682e1
+
+-------------------------------------------------------------------
@@ -12,0 +52,6 @@
+
+-------------------------------------------------------------------
+Tue May 24 16:36:09 CEST 2016 - [email protected]
+
+- Use CONFIG_64bit instead of IS_ENABLED in hv_storvsc
+- commit 2369093
kernel-default.changes: same change
kernel-docs.changes: same change
kernel-lpae.changes: same change
kernel-obs-build.changes: same change
kernel-obs-qa.changes: same change
kernel-pae.changes: same change
kernel-source.changes: same change
kernel-syms.changes: same change
kernel-vanilla.changes: same change

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kernel-debug.spec ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:38.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:38.000000000 +0200
@@ -20,7 +20,7 @@
 # needssslcertforbuild
 
 %define srcversion 4.6
-%define patchversion 4.6.0
+%define patchversion 4.6.1
 %define variant %{nil}
 %define vanilla_only 0
 
@@ -61,9 +61,9 @@
 Summary:        A Debug Version of the Kernel
 License:        GPL-2.0
 Group:          System/Kernel
-Version:        4.6.0
+Version:        4.6.1
 %if 0%{?is_kotd}
-Release:        <RELEASE>.gd89346f
+Release:        <RELEASE>.g9cdcddd
 %else
 Release:        0
 %endif

kernel-default.spec: same change
++++++ kernel-docs.spec ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:38.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:38.000000000 +0200
@@ -16,7 +16,7 @@
 #
 
 
-%define patchversion 4.6.0
+%define patchversion 4.6.1
 %define variant %{nil}
 
 %include %_sourcedir/kernel-spec-macros
@@ -27,9 +27,9 @@
 Summary:        Kernel Documentation (man pages)
 License:        GPL-2.0
 Group:          Documentation/Man
-Version:        4.6.0
+Version:        4.6.1
 %if 0%{?is_kotd}
-Release:        <RELEASE>.gd89346f
+Release:        <RELEASE>.g9cdcddd
 %else
 Release:        0
 %endif

++++++ kernel-lpae.spec ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:38.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:38.000000000 +0200
@@ -20,7 +20,7 @@
 # needssslcertforbuild
 
 %define srcversion 4.6
-%define patchversion 4.6.0
+%define patchversion 4.6.1
 %define variant %{nil}
 %define vanilla_only 0
 
@@ -61,9 +61,9 @@
 Summary:        Kernel for LPAE enabled systems
 License:        GPL-2.0
 Group:          System/Kernel
-Version:        4.6.0
+Version:        4.6.1
 %if 0%{?is_kotd}
-Release:        <RELEASE>.gd89346f
+Release:        <RELEASE>.g9cdcddd
 %else
 Release:        0
 %endif

++++++ kernel-obs-build.spec ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:38.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:38.000000000 +0200
@@ -19,7 +19,7 @@
 
 #!BuildIgnore: post-build-checks
 
-%define patchversion 4.6.0
+%define patchversion 4.6.1
 %define variant %{nil}
 
 %include %_sourcedir/kernel-spec-macros
@@ -51,9 +51,9 @@
 Summary:        package kernel and initrd for OBS VM builds
 License:        GPL-2.0
 Group:          SLES
-Version:        4.6.0
+Version:        4.6.1
 %if 0%{?is_kotd}
-Release:        <RELEASE>.gd89346f
+Release:        <RELEASE>.g9cdcddd
 %else
 Release:        0
 %endif

++++++ kernel-obs-qa.spec ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:38.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:38.000000000 +0200
@@ -17,7 +17,7 @@
 # needsrootforbuild
 
 
-%define patchversion 4.6.0
+%define patchversion 4.6.1
 %define variant %{nil}
 
 %include %_sourcedir/kernel-spec-macros
@@ -36,9 +36,9 @@
 Summary:        Basic QA tests for the kernel
 License:        GPL-2.0
 Group:          SLES
-Version:        4.6.0
+Version:        4.6.1
 %if 0%{?is_kotd}
-Release:        <RELEASE>.gd89346f
+Release:        <RELEASE>.g9cdcddd
 %else
 Release:        0
 %endif

++++++ kernel-pae.spec ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:38.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:38.000000000 +0200
@@ -20,7 +20,7 @@
 # needssslcertforbuild
 
 %define srcversion 4.6
-%define patchversion 4.6.0
+%define patchversion 4.6.1
 %define variant %{nil}
 %define vanilla_only 0
 
@@ -61,9 +61,9 @@
 Summary:        Kernel with PAE Support
 License:        GPL-2.0
 Group:          System/Kernel
-Version:        4.6.0
+Version:        4.6.1
 %if 0%{?is_kotd}
-Release:        <RELEASE>.gd89346f
+Release:        <RELEASE>.g9cdcddd
 %else
 Release:        0
 %endif

++++++ kernel-source.spec ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:38.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:38.000000000 +0200
@@ -18,7 +18,7 @@
 
 
 %define srcversion 4.6
-%define patchversion 4.6.0
+%define patchversion 4.6.1
 %define variant %{nil}
 %define vanilla_only 0
 
@@ -30,9 +30,9 @@
 Summary:        The Linux Kernel Sources
 License:        GPL-2.0
 Group:          Development/Sources
-Version:        4.6.0
+Version:        4.6.1
 %if 0%{?is_kotd}
-Release:        <RELEASE>.gd89346f
+Release:        <RELEASE>.g9cdcddd
 %else
 Release:        0
 %endif

++++++ kernel-syms.spec ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:38.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:38.000000000 +0200
@@ -24,10 +24,10 @@
 Summary:        Kernel Symbol Versions (modversions)
 License:        GPL-2.0
 Group:          Development/Sources
-Version:        4.6.0
+Version:        4.6.1
 %if %using_buildservice
 %if 0%{?is_kotd}
-Release:        <RELEASE>.gd89346f
+Release:        <RELEASE>.g9cdcddd
 %else
 Release:        0
 %endif

++++++ kernel-vanilla.spec ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:39.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:39.000000000 +0200
@@ -20,7 +20,7 @@
 # needssslcertforbuild
 
 %define srcversion 4.6
-%define patchversion 4.6.0
+%define patchversion 4.6.1
 %define variant %{nil}
 %define vanilla_only 0
 
@@ -61,9 +61,9 @@
 Summary:        The Standard Kernel - without any SUSE patches
 License:        GPL-2.0
 Group:          System/Kernel
-Version:        4.6.0
+Version:        4.6.1
 %if 0%{?is_kotd}
-Release:        <RELEASE>.gd89346f
+Release:        <RELEASE>.g9cdcddd
 %else
 Release:        0
 %endif

++++++ config.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/config/arm64/default new/config/arm64/default
--- old/config/arm64/default    2016-05-24 20:15:00.000000000 +0200
+++ new/config/arm64/default    2016-05-25 22:08:51.000000000 +0200
@@ -1719,7 +1719,7 @@
 CONFIG_OF_ADDRESS_PCI=y
 CONFIG_OF_IRQ=y
 CONFIG_OF_NET=y
-CONFIG_OF_MDIO=m
+CONFIG_OF_MDIO=y
 CONFIG_OF_PCI=y
 CONFIG_OF_PCI_IRQ=y
 CONFIG_OF_MTD=y
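Review bot: The changelog entry for this change names only `CONFIG_NET_XGENE=y`, but this hunk also switches `CONFIG_OF_MDIO` from `m` to `y`, and the hunk at -2532 does the same for `CONFIG_PHYLIB`. Presumably Kconfig forces both, since built-in code cannot depend on a module, but the page does not say so. I would extend the entry to something like `- Set CONFIG_NET_XGENE=y (plus CONFIG_PHYLIB=y and CONFIG_OF_MDIO=y as its dependencies) as a workaround for (bsc#973756)` so the wider change is traceable. Because this is described as a workaround, the entry should also state the condition for returning to `=m`: built-in code is present on every boot of the arm64 default kernel and can no longer be left unloaded or blacklisted on machines that lack the hardware.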
@@ -2284,7 +2284,7 @@
 CONFIG_PCNET32=m
 CONFIG_AMD_XGBE=m
 CONFIG_AMD_XGBE_DCB=y
-CONFIG_NET_XGENE=m
+CONFIG_NET_XGENE=y
 CONFIG_NET_VENDOR_ARC=y
 CONFIG_ARC_EMAC_CORE=m
 CONFIG_ARC_EMAC=m
@@ -2532,7 +2532,7 @@
 CONFIG_ROADRUNNER=m
 # CONFIG_ROADRUNNER_LARGE_RINGS is not set
 # CONFIG_NET_SB1000 is not set
-CONFIG_PHYLIB=m
+CONFIG_PHYLIB=y
 
 #
 # MII PHY device drivers

++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS 
new/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS
--- old/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS   
2016-05-25 08:48:37.000000000 +0200
+++ new/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS   
2016-06-02 07:51:56.000000000 +0200
@@ -5,9 +5,8 @@
 Mime-version: 1.0
 Content-type: text/plain; charset=UTF-8
 Content-transfer-encoding: 8bit
-Patch-mainline: Queued in subsystem maintainer repository
+Patch-mainline: v4.7-rc1
 Git-commit: cec8f96e49d9be372fdb0c3836dcf31ec71e457e
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
 References: CVE-2016-4569,bsc#979213
 
 The stack object “tread” has a total size of 32 bytes. Its field
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca 
new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca
--- old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca      
2016-05-25 08:48:37.000000000 +0200
+++ new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca      
2016-06-02 07:51:56.000000000 +0200
@@ -5,9 +5,8 @@
 Mime-version: 1.0
 Content-type: text/plain; charset=UTF-8
 Content-transfer-encoding: 8bit
-Patch-mainline: Queued in subsystem maintainer repository
+Patch-mainline: v4.7-rc1
 Git-commit: 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
 References: CVE-2016-4578,bsc#979879
 
 The stack object “r1” has a total size of 32 bytes. Its field
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin 
new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin
--- old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin      
2016-05-25 08:48:37.000000000 +0200
+++ new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin      
2016-06-02 07:51:56.000000000 +0200
@@ -5,9 +5,8 @@
 Mime-version: 1.0
 Content-type: text/plain; charset=UTF-8
 Content-transfer-encoding: 8bit
-Patch-mainline: Queued in subsystem maintainer repository
+Patch-mainline: v4.7-rc1
 Git-commit: e4ec8cc8039a7063e24204299b462bd1383184a5
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
 References: CVE-2016-4578,bsc#979879
 
 The stack object “r1” has a total size of 32 bytes. Its field
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/patches.fixes/Bluetooth-fix-power_on-vs-close-race 
new/patches.fixes/Bluetooth-fix-power_on-vs-close-race
--- old/patches.fixes/Bluetooth-fix-power_on-vs-close-race      1970-01-01 
01:00:00.000000000 +0100
+++ new/patches.fixes/Bluetooth-fix-power_on-vs-close-race      2016-06-02 
07:51:56.000000000 +0200
@@ -0,0 +1,55 @@
+From bf389cabb3b8079c23f9762e62b05f291e2d5e99 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <[email protected]>
+Date: Fri, 13 May 2016 10:38:49 +0200
+Subject: [PATCH] Bluetooth: fix power_on vs close race
+Patch-mainline: 4.7-rc1
+Git-commit: bf389cabb3b8079c23f9762e62b05f291e2d5e99
+References: bsc#966849
+
+With all the latest fixes applied, I am still able to reproduce this
+(and other) warning(s):
+Warning: CPU: 1 PID: 19684 at ../kernel/workqueue.c:4092 
destroy_workqueue+0x70a/0x770()
+...
+Call Trace:
+ [<ffffffff819fee81>] ? dump_stack+0xb3/0x112
+ [<ffffffff8117377e>] ? warn_slowpath_common+0xde/0x140
+ [<ffffffff811ce68a>] ? destroy_workqueue+0x70a/0x770
+ [<ffffffff811739ae>] ? warn_slowpath_null+0x2e/0x40
+ [<ffffffff811ce68a>] ? destroy_workqueue+0x70a/0x770
+ [<ffffffffa0c944c9>] ? hci_unregister_dev+0x2a9/0x720 [bluetooth]
+ [<ffffffffa0b301db>] ? vhci_release+0x7b/0xf0 [hci_vhci]
+ [<ffffffffa0b30160>] ? vhci_flush+0x50/0x50 [hci_vhci]
+ [<ffffffff8117cd73>] ? do_exit+0x863/0x2b90
+
+This is due to race present in the hci_unregister_dev path.
+hdev->power_on work races with hci_dev_do_close. One tries to open,
+the other tries to close, leading to warning like the above. (Another
+example is a warning in kobject_get or kobject_put depending on who
+wins the race.)
+
+Fix this by switching those two racers to ensure hdev->power_on never
+triggers while hci_dev_do_close is in progress.
+
+Signed-off-by: Jiri Slaby <[email protected]>
+Signed-off-by: Marcel Holtmann <[email protected]>
+Acked-by: Takashi Iwai <[email protected]>
+
+---
+ net/bluetooth/hci_core.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3139,10 +3139,10 @@ void hci_unregister_dev(struct hci_dev *
+       list_del(&hdev->list);
+       write_unlock(&hci_dev_list_lock);
+ 
+-      hci_dev_do_close(hdev);
+-
+       cancel_work_sync(&hdev->power_on);
+ 
++      hci_dev_do_close(hdev);
++
+       if (!test_bit(HCI_INIT, &hdev->flags) &&
+           !hci_dev_test_flag(hdev, HCI_SETUP) &&
+           !hci_dev_test_flag(hdev, HCI_CONFIG)) {
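Review bot: The reordered calls in hci_unregister_dev() depend on nothing re-queuing `hdev->power_on` once `cancel_work_sync()` has returned, and the embedded hunk shows neither a guard nor a comment for that; the call only guarantees the work is not pending or running at the moment it returns. If an earlier part of the function (outside the hunk) already blocks new power-on requests, a short comment would protect the ordering against later reshuffling, e.g. `/* cancel power_on first: it must not run while hci_dev_do_close() is in progress */`. Separately, the patch header uses `Patch-mainline: 4.7-rc1` while the ALSA patches updated in this same commit use the `v4.7-rc1` form; `Patch-mainline: v4.7-rc1` would keep the tags uniform for tooling that parses them. The function body starts and ends outside the embedded hunk.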
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device 
new/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device
--- old/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device    
2016-05-25 08:48:37.000000000 +0200
+++ new/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device    
1970-01-01 01:00:00.000000000 +0100
@@ -1,91 +0,0 @@
-From c7c999cb18da88a881e10e07f0724ad0bfaff770 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <[email protected]>
-Date: Thu, 14 Apr 2016 17:32:19 +0200
-Subject: [PATCH] Bluetooth: vhci: Fix race at creating hci device
-Patch-mainline: Queued in subsystem maintainer repository
-Git-repo: 
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
-Git-commit: c7c999cb18da88a881e10e07f0724ad0bfaff770
-References: bsc#971799,bsc#966849
-
-hci_vhci driver creates a hci device object dynamically upon each
-HCI_VENDOR_PKT write.  Although it checks the already created object
-and returns an error, it's still racy and may build multiple hci_dev
-objects concurrently when parallel writes are performed, as the device
-tracks only a single hci_dev object.
-
-This patch introduces a mutex to protect against the concurrent device
-creations.
-
-Cc: <[email protected]>
-Signed-off-by: Takashi Iwai <[email protected]>
-Signed-off-by: Marcel Holtmann <[email protected]>
-
----
- drivers/bluetooth/hci_vhci.c |   23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
---- a/drivers/bluetooth/hci_vhci.c
-+++ b/drivers/bluetooth/hci_vhci.c
-@@ -50,6 +50,7 @@ struct vhci_data {
-       wait_queue_head_t read_wait;
-       struct sk_buff_head readq;
- 
-+      struct mutex open_mutex;
-       struct delayed_work open_timeout;
- };
- 
-@@ -87,12 +88,15 @@ static int vhci_send_frame(struct hci_de
-       return 0;
- }
- 
--static int vhci_create_device(struct vhci_data *data, __u8 opcode)
-+static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
- {
-       struct hci_dev *hdev;
-       struct sk_buff *skb;
-       __u8 dev_type;
- 
-+      if (data->hdev)
-+              return -EBADFD;
-+
-       /* bits 0-1 are dev_type (BR/EDR or AMP) */
-       dev_type = opcode & 0x03;
- 
-@@ -151,6 +155,17 @@ static int vhci_create_device(struct vhc
-       return 0;
- }
- 
-+static int vhci_create_device(struct vhci_data *data, __u8 opcode)
-+{
-+      int err;
-+
-+      mutex_lock(&data->open_mutex);
-+      err = __vhci_create_device(data, opcode);
-+      mutex_unlock(&data->open_mutex);
-+
-+      return err;
-+}
-+
- static inline ssize_t vhci_get_user(struct vhci_data *data,
-                                   struct iov_iter *from)
- {
-@@ -191,11 +206,6 @@ static inline ssize_t vhci_get_user(stru
-       case HCI_VENDOR_PKT:
-               cancel_delayed_work_sync(&data->open_timeout);
- 
--              if (data->hdev) {
--                      kfree_skb(skb);
--                      return -EBADFD;
--              }
--
-               opcode = *((__u8 *) skb->data);
-               skb_pull(skb, 1);
- 
-@@ -320,6 +330,7 @@ static int vhci_open(struct inode *inode
-       skb_queue_head_init(&data->readq);
-       init_waitqueue_head(&data->read_wait);
- 
-+      mutex_init(&data->open_mutex);
-       INIT_DELAYED_WORK(&data->open_timeout, vhci_open_timeout);
- 
-       file->private_data = data;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race 
new/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race
--- old/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race     
2016-05-25 08:48:37.000000000 +0200
+++ new/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race     
1970-01-01 01:00:00.000000000 +0100
@@ -1,164 +0,0 @@
-From 373a32c848ae3a1c03618517cce85f9211a6facf Mon Sep 17 00:00:00 2001
-From: Jiri Slaby <[email protected]>
-Date: Sat, 19 Mar 2016 11:05:18 +0100
-Subject: [PATCH] Bluetooth: vhci: fix open_timeout vs. hdev race
-Patch-mainline: Queued in subsystem maintainer repository
-Git-commit: 373a32c848ae3a1c03618517cce85f9211a6facf
-Git-repo: 
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
-References: bsc#971799,bsc#966849
-
-Both vhci_get_user and vhci_release race with open_timeout work. They
-both contain cancel_delayed_work_sync, but do not test whether the
-work actually created hdev or not. Since the work can be in progress
-and _sync will wait for finishing it, we can have data->hdev allocated
-when cancel_delayed_work_sync returns. But the call sites do 'if
-(data->hdev)' *before* cancel_delayed_work_sync.
-
-As a result:
-* vhci_get_user allocates a second hdev and puts it into
-  data->hdev. The former is leaked.
-* vhci_release does not release data->hdev properly as it thinks there
-  is none.
-
-Fix both cases by moving the actual test *after* the call to
-cancel_delayed_work_sync.
-
-This can be hit by this program:
-       #include <err.h>
-       #include <fcntl.h>
-       #include <stdio.h>
-       #include <stdlib.h>
-       #include <time.h>
-       #include <unistd.h>
-
-       #include <sys/stat.h>
-       #include <sys/types.h>
-
-       int main(int argc, char **argv)
-       {
-               int fd;
-
-               srand(time(NULL));
-
-               while (1) {
-                       const int delta = (rand() % 200 - 100) * 100;
-
-                       fd = open("/dev/vhci", O_RDWR);
-                       if (fd < 0)
-                               err(1, "open");
-
-                       usleep(1000000 + delta);
-
-                       close(fd);
-               }
-
-               return 0;
-       }
-
-And the result is:
-Bug: KASAN: use-after-free in skb_queue_tail+0x13e/0x150 at addr 
ffff88006b0c1228
-Read of size 8 by task kworker/u13:1/32068
-=============================================================================
-BUG kmalloc-192 (Tainted: G            E     ): kasan: bad access detected
-
-Acked-by: Takashi Iwai <[email protected]>
-Signed-off-by: Takashi Iwai <[email protected]>
-
------------------------------------------------------------------------------
-
-Disabling lock debugging due to kernel taint
-INFO: Allocated in vhci_open+0x50/0x330 [hci_vhci] age=260 cpu=3 pid=32040
-...
-       kmem_cache_alloc_trace+0x150/0x190
-       vhci_open+0x50/0x330 [hci_vhci]
-       misc_open+0x35b/0x4e0
-       chrdev_open+0x23b/0x510
-...
-INFO: Freed in vhci_release+0xa4/0xd0 [hci_vhci] age=9 cpu=2 pid=32040
-...
-       __slab_free+0x204/0x310
-       vhci_release+0xa4/0xd0 [hci_vhci]
-...
-INFO: Slab 0xffffea0001ac3000 objects=16 used=13 fp=0xffff88006b0c1e00 
flags=0x5fffff80004080
-INFO: Object 0xffff88006b0c1200 @offset=4608 fp=0xffff88006b0c0600
-Bytes b4 ffff88006b0c11f0: 09 df 00 00 01 00 00 00 00 00 00 00 00 00 00 00  
................
-Object ffff88006b0c1200: 00 06 0c 6b 00 88 ff ff 00 00 00 00 00 00 00 00  
...k............
-Object ffff88006b0c1210: 10 12 0c 6b 00 88 ff ff 10 12 0c 6b 00 88 ff ff  
...k.......k....
-Object ffff88006b0c1220: c0 46 c2 6b 00 88 ff ff c0 46 c2 6b 00 88 ff ff  
.F.k.....F.k....
-Object ffff88006b0c1230: 01 00 00 00 01 00 00 00 e0 ff ff ff 0f 00 00 00  
................
-Object ffff88006b0c1240: 40 12 0c 6b 00 88 ff ff 40 12 0c 6b 00 88 ff ff  
@[email protected]....
-Object ffff88006b0c1250: 50 0d 6e a0 ff ff ff ff 00 02 00 00 00 00 ad de  
P.n.............
-Object ffff88006b0c1260: 00 00 00 00 00 00 00 00 ab 62 02 00 01 00 00 00  
.........b......
-Object ffff88006b0c1270: 90 b9 19 81 ff ff ff ff 38 12 0c 6b 00 88 ff ff  
........8..k....
-Object ffff88006b0c1280: 03 00 20 00 ff ff ff ff ff ff ff ff 00 00 00 00  .. 
.............
-Object ffff88006b0c1290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
................
-Object ffff88006b0c12a0: 00 00 00 00 00 00 00 00 00 80 cd 3d 00 88 ff ff  
...........=....
-Object ffff88006b0c12b0: 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00  . 
..............
-Redzone ffff88006b0c12c0: bb bb bb bb bb bb bb bb                          
........
-Padding ffff88006b0c13f8: 00 00 00 00 00 00 00 00                          
........
-CPU: 3 PID: 32068 Comm: kworker/u13:1 Tainted: G    B       E      
4.4.6-0-default #1
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
-Workqueue: hci0 hci_cmd_work [bluetooth]
- 00000000ffffffff ffffffff81926cfa ffff88006be37c68 ffff88006bc27180
- ffff88006b0c1200 ffff88006b0c1234 ffffffff81577993 ffffffff82489320
- ffff88006bc24240 0000000000000046 ffff88006a100000 000000026e51eb80
-Call Trace:
-...
- [<ffffffff81ec8ebe>] ? skb_queue_tail+0x13e/0x150
- [<ffffffffa06e027c>] ? vhci_send_frame+0xac/0x100 [hci_vhci]
- [<ffffffffa0c61268>] ? hci_send_frame+0x188/0x320 [bluetooth]
- [<ffffffffa0c61515>] ? hci_cmd_work+0x115/0x310 [bluetooth]
- [<ffffffff811a1375>] ? process_one_work+0x815/0x1340
- [<ffffffff811a1f85>] ? worker_thread+0xe5/0x11f0
- [<ffffffff811a1ea0>] ? process_one_work+0x1340/0x1340
- [<ffffffff811b3c68>] ? kthread+0x1c8/0x230
-...
-Memory state around the buggy address:
- ffff88006b0c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffff88006b0c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
->ffff88006b0c1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-                                  ^
- ffff88006b0c1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
- ffff88006b0c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-
-Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)
-Signed-off-by: Jiri Slaby <[email protected]>
-Signed-off-by: Marcel Holtmann <[email protected]>
-Cc: Dmitry Vyukov <[email protected]>
-Cc: stable 3.13+ <[email protected]>
----
- drivers/bluetooth/hci_vhci.c |    8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
---- a/drivers/bluetooth/hci_vhci.c
-+++ b/drivers/bluetooth/hci_vhci.c
-@@ -189,13 +189,13 @@ static inline ssize_t vhci_get_user(stru
-               break;
- 
-       case HCI_VENDOR_PKT:
-+              cancel_delayed_work_sync(&data->open_timeout);
-+
-               if (data->hdev) {
-                       kfree_skb(skb);
-                       return -EBADFD;
-               }
- 
--              cancel_delayed_work_sync(&data->open_timeout);
--
-               opcode = *((__u8 *) skb->data);
-               skb_pull(skb, 1);
- 
-@@ -333,10 +333,12 @@ static int vhci_open(struct inode *inode
- static int vhci_release(struct inode *inode, struct file *file)
- {
-       struct vhci_data *data = file->private_data;
--      struct hci_dev *hdev = data->hdev;
-+      struct hci_dev *hdev;
- 
-       cancel_delayed_work_sync(&data->open_timeout);
- 
-+      hdev = data->hdev;
-+
-       if (hdev) {
-               hci_unregister_dev(hdev);
-               hci_free_dev(hdev);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs 
new/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs
--- old/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs       2016-05-25 
08:48:37.000000000 +0200
+++ new/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs       1970-01-01 
01:00:00.000000000 +0100
@@ -1,86 +0,0 @@
-From 13407376b255325fa817798800117a839f3aa055 Mon Sep 17 00:00:00 2001
-From: Jiri Slaby <[email protected]>
-Date: Sat, 19 Mar 2016 11:49:43 +0100
-Subject: [PATCH] Bluetooth: vhci: purge unhandled skbs
-Patch-mainline: Queued in subsystem maintainer repository
-Git-commit: 13407376b255325fa817798800117a839f3aa055
-Git-repo: 
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
-References: bsc#971799,bsc#966849
-
-The write handler allocates skbs and queues them into data->readq.
-Read side should read them, if there is any. If there is none, skbs
-should be dropped by hdev->flush. But this happens only if the device
-is HCI_UP, i.e. hdev->power_on work was triggered already. When it was
-not, skbs stay allocated in the queue when /dev/vhci is closed. So
-purge the queue in ->release.
-
-Program to reproduce:
-       #include <err.h>
-       #include <fcntl.h>
-       #include <stdio.h>
-       #include <unistd.h>
-
-       #include <sys/stat.h>
-       #include <sys/types.h>
-       #include <sys/uio.h>
-
-       int main()
-       {
-               char buf[] = { 0xff, 0 };
-               struct iovec iov = {
-                       .iov_base = buf,
-                       .iov_len = sizeof(buf),
-               };
-               int fd;
-
-               while (1) {
-                       fd = open("/dev/vhci", O_RDWR);
-                       if (fd < 0)
-                               err(1, "open");
-
-                       usleep(50);
-
-                       if (writev(fd, &iov, 1) < 0)
-                               err(1, "writev");
-
-                       usleep(50);
-
-                       close(fd);
-               }
-
-               return 0;
-       }
-
-Result: 
-Kmemleak: 4609 new suspected memory leaks
-unreferenced object 0xffff88059f4d5440 (size 232):
-  comm "vhci", pid 1084, jiffies 4294912542 (age 37569.296s)
-  hex dump (first 32 bytes):
-    20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff   .#..... .#.....
-    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
-  backtrace:
-...
-    [<ffffffff81ece010>] __alloc_skb+0x0/0x5a0
-    [<ffffffffa021886c>] vhci_create_device+0x5c/0x580 [hci_vhci]
-    [<ffffffffa0219436>] vhci_write+0x306/0x4c8 [hci_vhci]
-
-Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)
-Signed-off-by: Jiri Slaby <[email protected]>
-Signed-off-by: Marcel Holtmann <[email protected]>
-Cc: stable 3.13+ <[email protected]>
-Acked-by: Takashi Iwai <[email protected]>
-
----
- drivers/bluetooth/hci_vhci.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/bluetooth/hci_vhci.c
-+++ b/drivers/bluetooth/hci_vhci.c
-@@ -344,6 +344,7 @@ static int vhci_release(struct inode *in
-               hci_free_dev(hdev);
-       }
- 
-+      skb_queue_purge(&data->readq);
-       file->private_data = NULL;
-       kfree(data);
- 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/patches.fixes/kvm-remove-variable-physbase-mtrr.patch 
new/patches.fixes/kvm-remove-variable-physbase-mtrr.patch
--- old/patches.fixes/kvm-remove-variable-physbase-mtrr.patch   2016-05-25 
08:48:37.000000000 +0200
+++ new/patches.fixes/kvm-remove-variable-physbase-mtrr.patch   1970-01-01 
01:00:00.000000000 +0100
@@ -1,43 +0,0 @@
-From: Radim Krčmář <[email protected]>
-Date: Mon May 16 11:43:31 CEST 2016
-Subject: kvm: Remove variable physbase MTRR 0x2f8
-Patch-mainline: not yet, early bird release
-References: bsc#979715, CVE-2016-3713
-
-MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
-was introduced by 9ba075a664df ("KVM: MTRR support").
-
-0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
-size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
-which made access to index 124 out of bounds.  The surrounding code only
-WARNs in this situation, thus the guest gained a limited read/write
-access to struct kvm_arch_vcpu.
-
-0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
-MTRR MSRs, 0x200-0x20f.  Every VR MTRR is set up using two MSRs, 0x2f8
-was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
-not implemented in KVM, therefore 0x2f8 could never do anything useful
-and getting rid of it is safe.
-
-This fixes CVE-2016-3713.
-
-Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
-Cc: [email protected]
-Reported-by: David Matlack <[email protected]>
-Signed-off-by: Radim Krčmář <[email protected]>
-Acked-by: Borislav Petkov <[email protected]>
----
- arch/x86/kvm/mtrr.c |    2 --
- 1 file changed, 2 deletions(-)
-
---- a/arch/x86/kvm/mtrr.c
-+++ b/arch/x86/kvm/mtrr.c
-@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
-       case MSR_MTRRdefType:
-       case MSR_IA32_CR_PAT:
-               return true;
--      case 0x2f8:
--              return true;
-       }
-       return false;
- }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/patches.fixes/watchdog-sp5100_tco-properly-check-for-new-register 
new/patches.fixes/watchdog-sp5100_tco-properly-check-for-new-register
--- old/patches.fixes/watchdog-sp5100_tco-properly-check-for-new-register       
2016-05-25 08:48:37.000000000 +0200
+++ new/patches.fixes/watchdog-sp5100_tco-properly-check-for-new-register       
1970-01-01 01:00:00.000000000 +0100
@@ -1,79 +0,0 @@
-From 46856fabe40cc80f92134683cdec7dc0fc8f4000 Mon Sep 17 00:00:00 2001
-From: Lucas Stach <[email protected]>
-Date: Tue, 3 May 2016 19:15:58 +0200
-Subject: [PATCH] watchdog: sp5100_tco: properly check for new register layouts
-Git-commit: 46856fabe40cc80f92134683cdec7dc0fc8f4000
-Git-repo: git://www.linux-watchdog.org/linux-watchdog-next.git
-Patch-mainline: Queued in subsystem maintainer repository
-References: boo#978953
-
-Commits 190aa4304de6 (Add AMD Mullins platform support) and
-cca118fa2a0a94 (Add AMD Carrizo platform support) enabled the
-driver on a lot more devices, but the following commit missed
-a single location in the code when checking if the SB800 register
-offsets should be used. This leads to the wrong register being
-written which in turn causes ACPI to go haywire.
-
-Fix this by introducing a helper function to check for the new
-register layout and use this consistently.
-
-https://bugzilla.kernel.org/show_bug.cgi?id=114201
-https://bugzilla.redhat.com/show_bug.cgi?id=1329910
-Fixes: bdecfcdb5461 (sp5100_tco: fix the device check for SB800
-and later chipsets)
-
-Cc: [email protected] (4.5+)
-Signed-off-by: Lucas Stach <[email protected]>
-Signed-off-by: Guenter Roeck <[email protected]>
-Signed-off-by: Wim Van Sebroeck <[email protected]>
-Acked-by: Takashi Iwai <[email protected]>
-
----
- drivers/watchdog/sp5100_tco.c |   15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/drivers/watchdog/sp5100_tco.c
-+++ b/drivers/watchdog/sp5100_tco.c
-@@ -73,6 +73,13 @@ MODULE_PARM_DESC(nowayout, "Watchdog can
- /*
-  * Some TCO specific functions
-  */
-+
-+static bool tco_has_sp5100_reg_layout(struct pci_dev *dev)
-+{
-+      return dev->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
-+             dev->revision < 0x40;
-+}
-+
- static void tco_timer_start(void)
- {
-       u32 val;
-@@ -129,7 +136,7 @@ static void tco_timer_enable(void)
- {
-       int val;
- 
--      if (sp5100_tco_pci->revision >= 0x40) {
-+      if (!tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
-               /* For SB800 or later */
-               /* Set the Watchdog timer resolution to 1 sec */
-               outb(SB800_PM_WATCHDOG_CONFIG, SB800_IO_PM_INDEX_REG);
-@@ -342,8 +349,7 @@ static unsigned char sp5100_tco_setupdev
-       /*
-        * Determine type of southbridge chipset.
-        */
--      if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
--          sp5100_tco_pci->revision < 0x40) {
-+      if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
-               dev_name = SP5100_DEVNAME;
-               index_reg = SP5100_IO_PM_INDEX_REG;
-               data_reg = SP5100_IO_PM_DATA_REG;
-@@ -388,8 +394,7 @@ static unsigned char sp5100_tco_setupdev
-        * Secondly, Find the watchdog timer MMIO address
-        * from SBResource_MMIO register.
-        */
--      if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
--          sp5100_tco_pci->revision < 0x40) {
-+      if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
-               /* Read SBResource_MMIO from PCI config(PCI_Reg: 9Ch) */
-               pci_read_config_dword(sp5100_tco_pci,
-                                     SP5100_SB_RESOURCE_MMIO_BASE, &val);

++++++ patches.kernel.org.tar.bz2 ++++++
++++ 4695 lines of diff (skipped)

++++++ patches.suse.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/patches.suse/suse-hv-storvsc-sg_tablesize.patch 
new/patches.suse/suse-hv-storvsc-sg_tablesize.patch
--- old/patches.suse/suse-hv-storvsc-sg_tablesize.patch 2016-05-23 
20:08:49.000000000 +0200
+++ new/patches.suse/suse-hv-storvsc-sg_tablesize.patch 2016-05-24 
16:36:09.000000000 +0200
@@ -16,7 +16,7 @@
        /* max cmd length */
        host->max_cmd_len = STORVSC_MAX_CMD_LEN;
  
-+#if IS_ENABLED(64BIT)
++#ifdef CONFIG_64BIT
        /*
         * set the table size based on the info we got
         * from the host.
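Review bot: The new guard `#ifdef CONFIG_64BIT` changes behaviour rather than only spelling, and nothing in the visible lines records that. `IS_ENABLED(64BIT)` names no Kconfig symbol because the `CONFIG_` prefix is missing, so it presumably always evaluated to 0 and the block that sets the table size from host-supplied information was never compiled. With this change that block is built on 64-bit kernels, possibly for the first time. I would state this in the patch header and add a comment on the guard, for example `/* host-derived sg_tablesize is applied on 64-bit only: <reason> */`, so the host-supplied value is checked when the code becomes live. The guarded block and its `#endif` lie outside the hunk.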

++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:40.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:40.000000000 +0200
@@ -27,6 +27,7 @@
        # DO NOT MODIFY THEM!
        # Send separate patches upstream if you find a problem...
        ########################################################
+       patches.kernel.org/patch-4.6.1
 
        ########################################################
        # Build fixes that apply to the vanilla kernel too.
@@ -383,11 +384,8 @@
        # Needs updating WRT d27769ec (block: add GENHD_FL_NO_PART_SCAN)
 +hare  patches.suse/no-partition-scan
 
-        patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race
-        patches.fixes/Bluetooth-vhci-purge-unhandled-skbs
-       patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device
+       patches.fixes/Bluetooth-fix-power_on-vs-close-race
 
-       patches.fixes/watchdog-sp5100_tco-properly-check-for-new-register
 
        ########################################################
        # Other drivers we have added to the tree
@@ -470,7 +468,6 @@
        ########################################################
 
        # bsc#979715, CVE-2016-3713
-       patches.fixes/kvm-remove-variable-physbase-mtrr.patch
 
        ########################################################
        # Staging tree patches
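Review bot: The comment `# bsc#979715, CVE-2016-3713` stays in series.conf after the only entry under it, `patches.fixes/kvm-remove-variable-physbase-mtrr.patch`, is removed, so it now labels nothing. Someone auditing the series for CVE-2016-3713 coverage finds the reference without a patch and cannot tell from this file whether the fix was dropped or absorbed. Presumably the fix now arrives through `patches.kernel.org/patch-4.6.1`, added in the first hunk of this section. If so, either delete the comment line or reword it to say that, for example `# bsc#979715, CVE-2016-3713: fixed upstream, see patches.kernel.org/patch-4.6.1`.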

++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.sU2vnj/_old  2016-06-07 23:44:40.000000000 +0200
+++ /var/tmp/diff_new_pack.sU2vnj/_new  2016-06-07 23:44:40.000000000 +0200
@@ -1,3 +1,3 @@
-2016-05-25 09:44:54 +0200
-GIT Revision: d89346fc064496ec498530f3ebc5dc8f82dfc7d2
+2016-06-02 07:51:56 +0200
+GIT Revision: 9cdcddddcf64630baac14a35e2337738340fc836
 GIT Branch: stable

