3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 3 Aug 2016 05:23:54 +0000 (07:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 3 Aug 2016 05:23:54 +0000 (07:23 +0200)
added patches:
alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch
alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch
alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch
input-wacom_w8001-ignore-invalid-pen-data-packets.patch
input-wacom_w8001-w8001_max_length-should-be-13.patch
input-xpad-validate-usb-endpoint-count-during-probe.patch
pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch
revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch

queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch [new file with mode: 0644]
queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch [new file with mode: 0644]
queue-3.14/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch [new file with mode: 0644]
queue-3.14/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch [new file with mode: 0644]
queue-3.14/input-wacom_w8001-ignore-invalid-pen-data-packets.patch [new file with mode: 0644]
queue-3.14/input-wacom_w8001-w8001_max_length-should-be-13.patch [new file with mode: 0644]
queue-3.14/input-xpad-validate-usb-endpoint-count-during-probe.patch [new file with mode: 0644]
queue-3.14/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch [new file with mode: 0644]
queue-3.14/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch b/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch
new file mode 100644 (file)
index 0000000..382d832
--- /dev/null
@@ -0,0 +1,34 @@
+From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 upstream.
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1208,6 +1208,7 @@ static void snd_timer_user_ccallback(str
+               tu->tstamp = *tstamp;
+       if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+               return;
++      memset(&r1, 0, sizeof(r1));
+       r1.event = event;
+       r1.tstamp = *tstamp;
+       r1.val = resolution;
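Review bot: The added `memset(&r1, 0, sizeof(r1));` has no comment saying that it exists to clear the struct's padding before the record reaches user space. A later cleanup could replace it with field-wise or designated initialisation, which does not guarantee zeroed padding. I would put `/* clear padding too: the whole struct is handed to user space */` above it. The same applies to the `memset` calls added in snd_timer_user_tinterrupt and snd_timer_user_params by the next two patches in this series. snd_timer_user_ccallback starts and ends outside the hunk, so the declaration of `r1` and the point where it is queued are not visible here.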
diff --git a/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch b/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch
new file mode 100644 (file)
index 0000000..b557b96
--- /dev/null
@@ -0,0 +1,34 @@
+From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit e4ec8cc8039a7063e24204299b462bd1383184a5 upstream.
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1243,6 +1243,7 @@ static void snd_timer_user_tinterrupt(st
+       }
+       if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+           tu->last_resolution != resolution) {
++              memset(&r1, 0, sizeof(r1));
+               r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+               r1.tstamp = tstamp;
+               r1.val = resolution;
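Review bot: The `memset(&r1, 0, sizeof(r1));` sits inside the `tu->last_resolution != resolution` branch, so it runs only when a resolution event is generated. `r1` is not declared in that branch, so if snd_timer_user_tinterrupt fills and queues `r1` again further down (the rest of the function is outside the hunk), that record would still carry uninitialized padding whenever this branch is skipped. Clearing `r1` once at function entry, or repeating the `memset` before each use, would cover every path. This should be confirmed against the full function.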
diff --git a/queue-3.14/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/queue-3.14/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
new file mode 100644 (file)
index 0000000..aed113e
--- /dev/null
@@ -0,0 +1,34 @@
+From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream.
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1707,6 +1707,7 @@ static int snd_timer_user_params(struct
+       if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+               if (tu->tread) {
+                       struct snd_timer_tread tread;
++                      memset(&tread, 0, sizeof(tread));
+                       tread.event = SNDRV_TIMER_EVENT_EARLY;
+                       tread.tstamp.tv_sec = 0;
+                       tread.tstamp.tv_nsec = 0;
diff --git a/queue-3.14/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch b/queue-3.14/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch
new file mode 100644 (file)
index 0000000..60c4bc8
--- /dev/null
@@ -0,0 +1,55 @@
+From f0fe970df3838c202ef6c07a4c2b36838ef0a88b Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 5 Jul 2016 17:32:30 -0400
+Subject: ecryptfs: don't allow mmap when the lower fs doesn't support it
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b upstream.
+
+There are legitimate reasons to disallow mmap on certain files, notably
+in sysfs or procfs.  We shouldn't emulate mmap support on file systems
+that don't offer support natively.
+
+CVE-2016-1583
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/file.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/ecryptfs/file.c
++++ b/fs/ecryptfs/file.c
+@@ -178,6 +178,19 @@ out:
+       return rc;
+ }
++static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma)
++{
++      struct file *lower_file = ecryptfs_file_to_lower(file);
++      /*
++       * Don't allow mmap on top of file systems that don't support it
++       * natively.  If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs
++       * allows recursive mounting, this will need to be extended.
++       */
++      if (!lower_file->f_op->mmap)
++              return -ENODEV;
++      return generic_file_mmap(file, vma);
++}
++
+ /**
+  * ecryptfs_open
+  * @inode: inode speciying file to open
+@@ -349,7 +362,7 @@ const struct file_operations ecryptfs_ma
+ #ifdef CONFIG_COMPAT
+       .compat_ioctl = ecryptfs_compat_ioctl,
+ #endif
+-      .mmap = generic_file_mmap,
++      .mmap = ecryptfs_mmap,
+       .open = ecryptfs_open,
+       .flush = ecryptfs_flush,
+       .release = ecryptfs_release,
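Review bot: ecryptfs_mmap is added without a kernel-doc header, while the neighbouring ecryptfs_open visible just below it has one. With the open-time `f_op->mmap` check reverted in the same series, this function is the only place that refuses to map a lower file that has no mmap handler. I would add a header naming `@file` and `@vma`, stating that it returns `-ENODEV` when the lower file has no `mmap` operation and otherwise defers to generic_file_mmap(). The in-body comment already records the stacking-depth assumption. A blank line between the `lower_file` declaration and that comment would match usual kernel style.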
diff --git a/queue-3.14/input-wacom_w8001-ignore-invalid-pen-data-packets.patch b/queue-3.14/input-wacom_w8001-ignore-invalid-pen-data-packets.patch
new file mode 100644 (file)
index 0000000..191973c
--- /dev/null
@@ -0,0 +1,41 @@
+From 9e72ac7492149a229ce9039c680849cb682d7092 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Thu, 23 Jun 2016 10:55:11 -0700
+Subject: Input: wacom_w8001 - ignore invalid pen data packets
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 9e72ac7492149a229ce9039c680849cb682d7092 upstream.
+
+ThinkPad X60 Tablet PC (pen only device) sometime posts
+packets that are larger than W8001_PKTLEN_TPCPEN.
+
+Reported-by: Chris J Arges <christopherarges@gmail.com>
+Tested-by: Chris J Arges <christopherarges@gmail.com>
+Signed-off-by: Ping Cheng <pingc@wacom.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/wacom_w8001.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/wacom_w8001.c
++++ b/drivers/input/touchscreen/wacom_w8001.c
+@@ -342,6 +342,15 @@ static irqreturn_t w8001_interrupt(struc
+               w8001->idx = 0;
+               parse_multi_touch(w8001);
+               break;
++
++      default:
++              /*
++               * ThinkPad X60 Tablet PC (pen only device) sometimes
++               * sends invalid data packets that are larger than
++               * W8001_PKTLEN_TPCPEN. Let's start over again.
++               */
++              if (!w8001->touch_dev && w8001->idx > W8001_PKTLEN_TPCPEN - 1)
++                      w8001->idx = 0;
+       }
+       return IRQ_HANDLED;
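Review bot: The new `default:` branch resets `w8001->idx` only when `!w8001->touch_dev`, so for touch-capable devices the upper bound on `idx` still depends on the earlier `case` labels resetting it, and most of those are outside this hunk. If `idx` indexes a buffer sized by `W8001_MAX_LENGTH` (not visible here, to be confirmed), an unconditional guard in this branch such as `if (w8001->idx >= W8001_MAX_LENGTH) w8001->idx = 0;` would make the bound explicit rather than implied by the packet-length cases. The existing condition would also read more directly as `w8001->idx >= W8001_PKTLEN_TPCPEN`. w8001_interrupt starts outside the hunk.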
diff --git a/queue-3.14/input-wacom_w8001-w8001_max_length-should-be-13.patch b/queue-3.14/input-wacom_w8001-w8001_max_length-should-be-13.patch
new file mode 100644 (file)
index 0000000..c134360
--- /dev/null
@@ -0,0 +1,32 @@
+From 12afb34400eb2b301f06b2aa3535497d14faee59 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Thu, 23 Jun 2016 10:54:17 -0700
+Subject: Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 12afb34400eb2b301f06b2aa3535497d14faee59 upstream.
+
+Somehow the patch that added two-finger touch support forgot to update
+W8001_MAX_LENGTH from 11 to 13.
+
+Signed-off-by: Ping Cheng <pingc@wacom.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/wacom_w8001.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/wacom_w8001.c
++++ b/drivers/input/touchscreen/wacom_w8001.c
+@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar <jayakumar.lkm
+ MODULE_DESCRIPTION(DRIVER_DESC);
+ MODULE_LICENSE("GPL");
+-#define W8001_MAX_LENGTH      11
++#define W8001_MAX_LENGTH      13
+ #define W8001_LEAD_MASK               0x80
+ #define W8001_LEAD_BYTE               0x80
+ #define W8001_TAB_MASK                0x40
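Review bot: `W8001_MAX_LENGTH` remains a bare number with nothing tying it to the packet lengths it has to cover, and the description says the previous value went stale when a longer packet type was added. A comment above the define such as `/* must be >= the largest W8001_PKTLEN_* value */` would record the constraint so the next packet format does not reintroduce the mismatch. The packet-length defines themselves are outside the hunk.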
diff --git a/queue-3.14/input-xpad-validate-usb-endpoint-count-during-probe.patch b/queue-3.14/input-xpad-validate-usb-endpoint-count-during-probe.patch
new file mode 100644 (file)
index 0000000..321d046
--- /dev/null
@@ -0,0 +1,31 @@
+From caca925fca4fb30c67be88cacbe908eec6721e43 Mon Sep 17 00:00:00 2001
+From: Cameron Gutman <aicommander@gmail.com>
+Date: Wed, 29 Jun 2016 09:51:35 -0700
+Subject: Input: xpad - validate USB endpoint count during probe
+
+From: Cameron Gutman <aicommander@gmail.com>
+
+commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.
+
+This prevents a malicious USB device from causing an oops.
+
+Signed-off-by: Cameron Gutman <aicommander@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -844,6 +844,9 @@ static int xpad_probe(struct usb_interfa
+       struct usb_endpoint_descriptor *ep_irq_in;
+       int i, error;
++      if (intf->cur_altsetting->desc.bNumEndpoints != 2)
++              return -ENODEV;
++
+       for (i = 0; xpad_device[i].idVendor; i++) {
+               if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
+                   (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
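Review bot: The added check validates only the number of endpoints, `bNumEndpoints != 2`, not their type or direction. `ep_irq_in` is declared just above and is presumably taken from the interface's endpoint array later in xpad_probe (outside the hunk), so a device presenting two endpoints of some other type would still pass this test. Checking the chosen descriptor with `usb_endpoint_is_int_in()` before it is used would close that gap. A one-line comment saying what the two endpoints are expected to be would also explain why the test is `!= 2` rather than `< 2`.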
diff --git a/queue-3.14/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch b/queue-3.14/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch
new file mode 100644 (file)
index 0000000..0f99cab
--- /dev/null
@@ -0,0 +1,37 @@
+From 0ac3c0a4025f41748a083bdd4970cb3ede802b15 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 31 May 2016 14:17:06 -0700
+Subject: pinctrl: single: Fix missing flush of posted write for a wakeirq
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 0ac3c0a4025f41748a083bdd4970cb3ede802b15 upstream.
+
+With many repeated suspend resume cycles, the pin specific wakeirq
+may not always work on omaps. This is because the write to enable the
+pin interrupt may not have reached the device over the interconnect
+before suspend happens.
+
+Let's fix the issue with a flush of posted write with a readback.
+
+Reported-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-single.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1616,6 +1616,9 @@ static inline void pcs_irq_set(struct pc
+               else
+                       mask &= ~soc_mask;
+               pcs->write(mask, pcswi->reg);
++
++              /* flush posted write */
++              mask = pcs->read(pcswi->reg);
+               raw_spin_unlock(&pcs->lock);
+       }
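Review bot: The read-back stores its result in `mask`, which makes a value that is deliberately discarded look like live state. Writing `(void)pcs->read(pcswi->reg);` would show the intent. The comment `/* flush posted write */` could say why it matters here, for example `/* flush posted write so the wake-up enable reaches the device before suspend */`, which is what the description gives as the reason. pcs_irq_set starts and ends outside the hunk, so whether `mask` is read again after the unlock cannot be checked from here.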
diff --git a/queue-3.14/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch b/queue-3.14/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch
new file mode 100644 (file)
index 0000000..bc3df5e
--- /dev/null
@@ -0,0 +1,61 @@
+From 78c4e172412de5d0456dc00d2b34050aa0b683b5 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 5 Jul 2016 17:32:29 -0400
+Subject: Revert "ecryptfs: forbid opening files without mmap handler"
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 78c4e172412de5d0456dc00d2b34050aa0b683b5 upstream.
+
+This reverts commit 2f36db71009304b3f0b95afacd8eba1f9f046b87.
+
+It fixed a local root exploit but also introduced a dependency on
+the lower file system implementing an mmap operation just to open a file,
+which is a bit of a heavy hammer.  The right fix is to have mmap depend
+on the existence of the mmap handler instead.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/kthread.c |   13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -25,7 +25,6 @@
+ #include <linux/slab.h>
+ #include <linux/wait.h>
+ #include <linux/mount.h>
+-#include <linux/file.h>
+ #include "ecryptfs_kernel.h"
+ struct ecryptfs_open_req {
+@@ -148,7 +147,7 @@ int ecryptfs_privileged_open(struct file
+       flags |= IS_RDONLY(lower_dentry->d_inode) ? O_RDONLY : O_RDWR;
+       (*lower_file) = dentry_open(&req.path, flags, cred);
+       if (!IS_ERR(*lower_file))
+-              goto have_file;
++              goto out;
+       if ((flags & O_ACCMODE) == O_RDONLY) {
+               rc = PTR_ERR((*lower_file));
+               goto out;
+@@ -166,16 +165,8 @@ int ecryptfs_privileged_open(struct file
+       mutex_unlock(&ecryptfs_kthread_ctl.mux);
+       wake_up(&ecryptfs_kthread_ctl.wait);
+       wait_for_completion(&req.done);
+-      if (IS_ERR(*lower_file)) {
++      if (IS_ERR(*lower_file))
+               rc = PTR_ERR(*lower_file);
+-              goto out;
+-      }
+-have_file:
+-      if ((*lower_file)->f_op->mmap == NULL) {
+-              fput(*lower_file);
+-              *lower_file = NULL;
+-              rc = -EMEDIUMTYPE;
+-      }
+ out:
+       return rc;
+ }
index 2fbab0e1ddcc3e4c246d7b5912ede5d038866d1c..9fb7c9e70305bcc88f0d2ab1beba69e51137c9a3 100644 (file)
@@ -1,3 +1,12 @@
 fs-nilfs2-fix-potential-underflow-in-call-to-crc32_le.patch
 arc-unwind-warn-only-once-if-dw2_unwind-is-disabled.patch
 xen-pciback-fix-conf_space-read-write-overlap-check.patch
+alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch
+alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch
+input-wacom_w8001-w8001_max_length-should-be-13.patch
+input-wacom_w8001-ignore-invalid-pen-data-packets.patch
+input-xpad-validate-usb-endpoint-count-during-probe.patch
+pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch
+revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch
+ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch