From: Greg Kroah-Hartman
Date: Fri, 6 May 2016 18:36:55 +0000 (-0400)
Subject: 3.14-stable patches
X-Git-Tag: v3.14.69~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=58caf21aef291a3c872b9baf1a4098534ef79321;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches
added patches:
arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch
batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch
batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch
batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch
input-zforce_ts-fix-dual-touch-recognition.patch
proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch
---
diff --git a/queue-3.14/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch b/queue-3.14/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch
new file mode 100644
index 00000000000..f5da310c804
--- /dev/null
+++ b/queue-3.14/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch
@@ -0,0 +1,34 @@
+From 5616f36713ea77f57ae908bf2fef641364403c9f Mon Sep 17 00:00:00 2001
+From: Sascha Hauer
+Date: Wed, 20 Apr 2016 13:34:31 +0000
+Subject: ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel
+
+From: Sascha Hauer
+
+commit 5616f36713ea77f57ae908bf2fef641364403c9f upstream.
+
+The secondary CPU starts up in ARM mode. When the kernel is compiled in
+thumb2 mode we have to explicitly compile the secondary startup
+trampoline in ARM mode, otherwise the CPU will go to Nirvana.
+
+Signed-off-by: Sascha Hauer
+Reported-by: Steffen Trumtrar
+Suggested-by: Ard Biesheuvel
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Kevin Hilman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-socfpga/headsmp.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-socfpga/headsmp.S
++++ b/arch/arm/mach-socfpga/headsmp.S
+@@ -11,6 +11,7 @@
+ #include
+
+ .arch armv7-a
++ .arm
+
+ ENTRY(secondary_trampoline)
+ movw r2, #:lower16:cpu1start_addr
diff --git a/queue-3.14/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch b/queue-3.14/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch
new file mode 100644
index 00000000000..22c827ef4ac
--- /dev/null
+++ b/queue-3.14/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch
@@ -0,0 +1,52 @@
+From c78296665c3d81f040117432ab9e1cb125521b0c Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Fri, 26 Feb 2016 17:56:13 +0100
+Subject: batman-adv: Check skb size before using encapsulated ETH+VLAN header
+
+From: Sven Eckelmann
+
+commit c78296665c3d81f040117432ab9e1cb125521b0c upstream.
+
+The encapsulated ethernet and VLAN header may be outside the received
+ethernet frame. Thus the skb buffer size has to be checked before it can be
+parsed to find out if it encapsulates another batman-adv packet.
+
+Fixes: 420193573f11 ("batman-adv: softif bridge loop avoidance")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Marek Lindner
+Signed-off-by: Antonio Quartulli
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/soft-interface.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -356,11 +356,17 @@ void batadv_interface_rx(struct net_devi
+ */
+ nf_reset(skb);
+
++ if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
++ goto dropped;
++
+ vid = batadv_get_vid(skb, 0);
+ ethhdr = eth_hdr(skb);
+
+ switch (ntohs(ethhdr->h_proto)) {
+ case ETH_P_8021Q:
++ if (!pskb_may_pull(skb, VLAN_ETH_HLEN))
++ goto dropped;
++
+ vhdr = (struct vlan_ethhdr *)skb->data;
+
+ if (vhdr->h_vlan_encapsulated_proto != ethertype)
+@@ -372,8 +378,6 @@ void batadv_interface_rx(struct net_devi
+ }
+
+ /* skb->dev & skb->pkt_type are set here */
+- if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
+- goto dropped;
+ skb->protocol = eth_type_trans(skb, soft_iface);
+
+ /* should not be necessary anymore as we use skb_pull_rcsum()
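Review bot: In the queued soft-interface.c change, `ethhdr = eth_hdr(skb)` is taken before the new `pskb_may_pull(skb, VLAN_ETH_HLEN)` in the `ETH_P_8021Q` case, and pskb_may_pull() may reallocate the skb header, so any use of `ethhdr` after the switch could read a stale pointer. The rest of batadv_interface_rx() is outside the hunk, so this needs confirming there; if `ethhdr` is used later, reload it after the pull with `ethhdr = eth_hdr(skb);`. The second check also drops the `unlikely()` hint that the first one keeps, which is worth making consistent.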
diff --git a/queue-3.14/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch b/queue-3.14/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch
new file mode 100644
index 00000000000..5c20a7ca25c
--- /dev/null
+++ b/queue-3.14/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch
@@ -0,0 +1,45 @@
+From c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?=
+Date: Fri, 11 Mar 2016 14:04:49 +0100
+Subject: batman-adv: Fix broadcast/ogm queue limit on a removed interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+commit c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f upstream.
+
+When removing a single interface while a broadcast or ogm packet is
+still pending then we will free the forward packet without releasing the
+queue slots again.
+
+This patch is supposed to fix this issue.
+
+Fixes: 6d5808d4ae1b ("batman-adv: Add missing hardif_free_ref in forw_packet_free")
+Signed-off-by: Linus Lüssing
+[sven@narfation.org: fix conflicts with current version]
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Marek Lindner
+Signed-off-by: Antonio Quartulli
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/send.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/batman-adv/send.c
++++ b/net/batman-adv/send.c
+@@ -637,6 +637,12 @@ batadv_purge_outstanding_packets(struct
+
+ if (pending) {
+ hlist_del(&forw_packet->list);
++ if (!forw_packet->own)
++ atomic_inc(&bat_priv->bcast_queue_left);
++
++ if (!forw_packet->own)
++ atomic_inc(&bat_priv->batman_queue_left);
++
+ batadv_forw_packet_free(forw_packet);
+ }
+ }
diff --git a/queue-3.14/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch b/queue-3.14/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch
new file mode 100644
index 00000000000..49c26164503
--- /dev/null
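Review bot: In the queued send.c change, the single `if (pending)` block in batadv_purge_outstanding_packets() increments both `bat_priv->bcast_queue_left` and `bat_priv->batman_queue_left` for the same `forw_packet`, under two identical `if (!forw_packet->own)` tests. A pending packet presumably occupies a slot in only one of the two queues, so each purge here would raise one counter past its configured limit and loosen the bound on queued packets, while the purge path for the other list (not visible in this hunk) would still leak its slot. The commit message speaks of a broadcast and an OGM case, so the two increments look like two separate upstream hunks that ended up at one location in this backport; that is inferred, since only one location is visible. Each purge loop should carry only its own `atomic_inc()`, and the queued patch should be compared against upstream commit c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f before release.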
+++ b/queue-3.14/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch 
@@ -0,0 +1,48 @@
+From d1a65f1741bfd9c69f9e4e2ad447a89b6810427d Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Sun, 20 Mar 2016 12:27:53 +0100
+Subject: batman-adv: Reduce refcnt of removed router when updating route
+
+From: Sven Eckelmann
+
+commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d upstream.
+
+_batadv_update_route rcu_derefences orig_ifinfo->router outside of a
+spinlock protected region to print some information messages to the debug
+log. But this pointer is not checked again when the new pointer is assigned
+in the spinlock protected region. Thus is can happen that the value of
+orig_ifinfo->router changed in the meantime and thus the reference counter
+of the wrong router gets reduced after the spinlock protected region.
+
+Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock
+protected region (which also set the new pointer) is enough to get the
+correct old router object.
+
+Fixes: e1a5382f978b ("batman-adv: Make orig_node->router an rcu protected pointer")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Marek Lindner
+Signed-off-by: Antonio Quartulli
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/routing.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -88,6 +88,15 @@ static void _batadv_update_route(struct
+ neigh_node = NULL;
+
+ spin_lock_bh(&orig_node->neigh_list_lock);
++ /* curr_router used earlier may not be the current orig_ifinfo->router
++ * anymore because it was dereferenced outside of the neigh_list_lock
++ * protected region. After the new best neighbor has replace the current
++ * best neighbor the reference counter needs to decrease. Consequently,
++ * the code needs to ensure the curr_router variable contains a pointer
++ * to the replaced best neighbor.
++ */
++ curr_router = rcu_dereference_protected(orig_ifinfo->router, true);
++
+ rcu_assign_pointer(orig_ifinfo->router, neigh_node);
+ spin_unlock_bh(&orig_node->neigh_list_lock);
+ batadv_orig_ifinfo_free_ref(orig_ifinfo);
diff --git a/queue-3.14/input-zforce_ts-fix-dual-touch-recognition.patch b/queue-3.14/input-zforce_ts-fix-dual-touch-recognition.patch
new file mode 100644
index 00000000000..af70570a756
--- /dev/null
+++ b/queue-3.14/input-zforce_ts-fix-dual-touch-recognition.patch
@@ -0,0 +1,39 @@
+From 6984ab1ab35f422292b7781c65284038bcc0f6a6 Mon Sep 17 00:00:00 2001
+From: Knut Wohlrab
+Date: Mon, 25 Apr 2016 14:08:25 -0700
+Subject: Input: zforce_ts - fix dual touch recognition
+
+From: Knut Wohlrab
+
+commit 6984ab1ab35f422292b7781c65284038bcc0f6a6 upstream.
+
+A wrong decoding of the touch coordinate message causes a wrong touch
+ID. Touch ID for dual touch must be 0 or 1.
+
+According to the actual Neonode nine byte touch coordinate coding,
+the state is transported in the lower nibble and the touch ID in
+the higher nibble of payload byte five.
+
+Signed-off-by: Knut Wohlrab
+Signed-off-by: Oleksij Rempel
+Signed-off-by: Dirk Behme
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/touchscreen/zforce_ts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/touchscreen/zforce_ts.c
++++ b/drivers/input/touchscreen/zforce_ts.c
+@@ -350,8 +350,8 @@ static int zforce_touch_event(struct zfo
+ point.coord_x = point.coord_y = 0;
+ }
+
+- point.state = payload[9 * i + 5] & 0x03;
+- point.id = (payload[9 * i + 5] & 0xf0) >> 2;
++ point.state = payload[9 * i + 5] & 0x0f;
++ point.id = (payload[9 * i + 5] & 0xf0) >> 4;
+
+ /* determine touch major, minor and orientation */
+ point.area_major = max(payload[9 * i + 6],
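Review bot: In the queued routing.c change, `rcu_dereference_protected(orig_ifinfo->router, true)` passes a constant `true` as the lock condition, so lockdep cannot verify that the read really happens under `neigh_list_lock`. The call sits directly after `spin_lock_bh(&orig_node->neigh_list_lock)`, so the condition can say so: `curr_router = rcu_dereference_protected(orig_ifinfo->router, lockdep_is_held(&orig_node->neigh_list_lock));`. The added comment reads `has replace the current best neighbor`, which should be `has replaced`. _batadv_update_route() starts and ends outside the hunk, so whether the earlier `curr_router` value still holds a reference when it is overwritten cannot be checked from here.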
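Review bot: In the queued zforce_ts.c change, `point.id = (payload[9 * i + 5] & 0xf0) >> 4;` accepts any value from 0 to 15, while the commit message states that the touch ID for dual touch must be 0 or 1. The payload comes from the touch controller, so if `point.id` is later used as a slot or array index (not visible in this hunk), the decode should be followed by a range check against the number of supported contacts, with a comment such as `/* id comes from the device; reject values outside the supported contact range */`. zforce_touch_event() continues beyond the hunk, so the bound on `i` against the received payload length also needs confirming there.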
diff --git a/queue-3.14/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch b/queue-3.14/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch
new file mode 100644
index 00000000000..32ae1943e67
--- /dev/null
+++ b/queue-3.14/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch
@@ -0,0 +1,57 @@
+From 8148a73c9901a8794a50f950083c00ccf97d43b3 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Thu, 5 May 2016 16:22:26 -0700
+Subject: proc: prevent accessing /proc//environ until it's ready
+
+From: Mathias Krause
+
+commit 8148a73c9901a8794a50f950083c00ccf97d43b3 upstream.
+
+If /proc//environ gets read before the envp[] array is fully set up
+in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
+read more bytes than are actually written, as env_start will already be
+set but env_end will still be zero, making the range calculation
+underflow, allowing to read beyond the end of what has been written.
+
+Fix this as it is done for /proc//cmdline by testing env_end for
+zero. It is, apparently, intentionally set last in create_*_tables().
+
+This bug was found by the PaX size_overflow plugin that detected the
+arithmetic underflow of 'this_len = env_end - (env_start + src)' when
+env_end is still zero.
+
+The expected consequence is that userland trying to access
+/proc//environ of a not yet fully set up process may get
+inconsistent data as we're in the middle of copying in the environment
+variables.
+
+Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
+Signed-off-by: Mathias Krause
+Cc: Emese Revfy
+Cc: Pax Team
+Cc: Al Viro
+Cc: Mateusz Guzik
+Cc: Alexey Dobriyan
+Cc: Cyrill Gorcunov
+Cc: Jarod Wilson
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/proc/base.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -844,7 +844,8 @@ static ssize_t environ_read(struct file
+ int ret = 0;
+ struct mm_struct *mm = file->private_data;
+
+- if (!mm)
++ /* Ensure the process spawned far enough to have an environment. */
++ if (!mm || !mm->env_end)
+ return 0;
+
+ page = (char *)__get_free_page(GFP_TEMPORARY);
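Review bot: In the queued fs/proc/base.c change, the new `!mm->env_end` test reads the field once, with no lock visible in the hunk, while the commit message gives the later length computation as `this_len = env_end - (env_start + src)`. The test closes the window in which `env_end` is still zero, but on its own it does not guarantee `env_start + src <= env_end` at the subtraction if the fields are read again further down. environ_read() continues outside the hunk, so it should be confirmed there that the read loop works on one consistent snapshot of `env_start` and `env_end` and stops once `src` reaches their difference. A comment such as `/* env_end is set last in create_*_tables(); zero means envp[] is not ready */` would record why this field is the one tested.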
diff --git a/queue-3.14/series b/queue-3.14/series
index 6c2d7d58b8d..a9ca5ec0c2b 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -3,3 +3,9 @@ nbd-ratelimit-error-msgs-after-socket-close.patch
 clk-versatile-sp810-support-reentrance.patch
 lpfc-fix-misleading-indentation.patch
 tracing-don-t-display-trigger-file-for-events-that-can-t-be-enabled.patch
+arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch
+input-zforce_ts-fix-dual-touch-recognition.patch
+proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch
+batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch
+batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch
+batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch