From: Greg Kroah-Hartman
Date: Wed, 3 Aug 2016 05:23:54 +0000 (+0200)
Subject: 3.14-stable patches
X-Git-Tag: v3.14.75~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b6e1c883d0ac91852bda5adca156a1d121a1c8f3;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches
added patches:
alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch
alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch
alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch
input-wacom_w8001-ignore-invalid-pen-data-packets.patch
input-wacom_w8001-w8001_max_length-should-be-13.patch
input-xpad-validate-usb-endpoint-count-during-probe.patch
pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch
revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch
---
diff --git a/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch b/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch
new file mode 100644
index 00000000000..382d8323838
--- /dev/null
+++ b/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch
@@ -0,0 +1,34 @@
+From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu
+
+commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 upstream.
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1208,6 +1208,7 @@ static void snd_timer_user_ccallback(str
+ tu->tstamp = *tstamp;
+ if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ return;
++ memset(&r1, 0, sizeof(r1));
+ r1.event = event;
+ r1.tstamp = *tstamp;
+ r1.val = resolution;
diff --git a/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch b/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch
new file mode 100644
index 00000000000..b557b966678
--- /dev/null
+++ b/queue-3.14/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch
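Review bot: The added `memset(&r1, 0, sizeof(r1));` in snd_timer_user_ccallback carries no comment saying why it is a memset rather than an initializer, and the same holds for the memset of `tread` in snd_timer_user_params. Per the commit message the struct's padding reaches user space, and neither the member assignments that follow nor, in general, a brace initializer guarantee that padding is cleared, so a later cleanup could quietly bring the leak back. I would add `/* clear padding too: this struct is copied to user space */` above each memset. The function body starts and ends outside the hunk.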
@@ -0,0 +1,34 @@
+From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu
+
+commit e4ec8cc8039a7063e24204299b462bd1383184a5 upstream.
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1243,6 +1243,7 @@ static void snd_timer_user_tinterrupt(st
+ }
+ if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ tu->last_resolution != resolution) {
++ memset(&r1, 0, sizeof(r1));
+ r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ r1.tstamp = tstamp;
+ r1.val = resolution;
diff --git a/queue-3.14/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/queue-3.14/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
new file mode 100644
index 00000000000..aed113e193e
--- /dev/null
+++ b/queue-3.14/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
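Review bot: The `memset(&r1, 0, sizeof(r1));` in snd_timer_user_tinterrupt is added only inside the `tu->last_resolution != resolution` branch, so any use of `r1` after that branch, on a call where the condition is false, would still carry uninitialised padding. The rest of the function is outside the hunk, so this has to be checked against the full body; if `r1` is filled and queued again further down, the zeroing should move ahead of the branch, as `memset(&r1, 0, sizeof(r1));` right after the local declarations. That placement also stops the zeroing from depending on which event filter bits are set.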
@@ -0,0 +1,34 @@
+From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu
+
+commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream.
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1707,6 +1707,7 @@ static int snd_timer_user_params(struct
+ if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ if (tu->tread) {
+ struct snd_timer_tread tread;
++ memset(&tread, 0, sizeof(tread));
+ tread.event = SNDRV_TIMER_EVENT_EARLY;
+ tread.tstamp.tv_sec = 0;
+ tread.tstamp.tv_nsec = 0;
diff --git a/queue-3.14/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch b/queue-3.14/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch
new file mode 100644
index 00000000000..60c4bc885ee
--- /dev/null
+++ b/queue-3.14/ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch
@@ -0,0 +1,55 @@
+From f0fe970df3838c202ef6c07a4c2b36838ef0a88b Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney
+Date: Tue, 5 Jul 2016 17:32:30 -0400
+Subject: ecryptfs: don't allow mmap when the lower fs doesn't support it
+
+From: Jeff Mahoney
+
+commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b upstream.
+
+There are legitimate reasons to disallow mmap on certain files, notably
+in sysfs or procfs. We shouldn't emulate mmap support on file systems
+that don't offer support natively.
+
+CVE-2016-1583
+
+Signed-off-by: Jeff Mahoney
+[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
+Signed-off-by: Tyler Hicks
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/file.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/ecryptfs/file.c
++++ b/fs/ecryptfs/file.c
+@@ -178,6 +178,19 @@ out:
+ return rc;
+ }
+
++static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ struct file *lower_file = ecryptfs_file_to_lower(file);
++ /*
++ * Don't allow mmap on top of file systems that don't support it
++ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs
++ * allows recursive mounting, this will need to be extended.
++ */
++ if (!lower_file->f_op->mmap)
++ return -ENODEV;
++ return generic_file_mmap(file, vma);
++}
++
+ /**
+ * ecryptfs_open
+ * @inode: inode speciying file to open
+@@ -349,7 +362,7 @@ const struct file_operations ecryptfs_ma
+ #ifdef CONFIG_COMPAT
+ .compat_ioctl = ecryptfs_compat_ioctl,
+ #endif
+- .mmap = generic_file_mmap,
++ .mmap = ecryptfs_mmap,
+ .open = ecryptfs_open,
+ .flush = ecryptfs_flush,
+ .release = ecryptfs_release,
diff --git a/queue-3.14/input-wacom_w8001-ignore-invalid-pen-data-packets.patch b/queue-3.14/input-wacom_w8001-ignore-invalid-pen-data-packets.patch
new file mode 100644
index 00000000000..191973c15e7
--- /dev/null
+++ b/queue-3.14/input-wacom_w8001-ignore-invalid-pen-data-packets.patch
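Review bot: ecryptfs_mmap is added without a kernel-doc header, while ecryptfs_open directly below it in the same hunk has one, and the local declaration runs straight into the block comment with no blank line between them. I would add a kernel-doc block naming `@file` and `@vma` and stating that the function returns `-ENODEV` when the lower file has no `->mmap` handler and otherwise the result of generic_file_mmap(). Since the commit message ties the change to CVE-2016-1583, naming that in the comment would also keep a later cleanup from folding the wrapper back into `.mmap = generic_file_mmap`.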
@@ -0,0 +1,41 @@
+From 9e72ac7492149a229ce9039c680849cb682d7092 Mon Sep 17 00:00:00 2001
+From: Ping Cheng
+Date: Thu, 23 Jun 2016 10:55:11 -0700
+Subject: Input: wacom_w8001 - ignore invalid pen data packets
+
+From: Ping Cheng
+
+commit 9e72ac7492149a229ce9039c680849cb682d7092 upstream.
+
+ThinkPad X60 Tablet PC (pen only device) sometime posts
+packets that are larger than W8001_PKTLEN_TPCPEN.
+
+Reported-by: Chris J Arges
+Tested-by: Chris J Arges
+Signed-off-by: Ping Cheng
+Reviewed-by: Peter Hutterer
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/touchscreen/wacom_w8001.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/wacom_w8001.c
++++ b/drivers/input/touchscreen/wacom_w8001.c
+@@ -342,6 +342,15 @@ static irqreturn_t w8001_interrupt(struc
+ w8001->idx = 0;
+ parse_multi_touch(w8001);
+ break;
++
++ default:
++ /*
++ * ThinkPad X60 Tablet PC (pen only device) sometimes
++ * sends invalid data packets that are larger than
++ * W8001_PKTLEN_TPCPEN. Let's start over again.
++ */
++ if (!w8001->touch_dev && w8001->idx > W8001_PKTLEN_TPCPEN - 1)
++ w8001->idx = 0;
+ }
+
+ return IRQ_HANDLED;
diff --git a/queue-3.14/input-wacom_w8001-w8001_max_length-should-be-13.patch b/queue-3.14/input-wacom_w8001-w8001_max_length-should-be-13.patch
new file mode 100644
index 00000000000..c134360146b
--- /dev/null
+++ b/queue-3.14/input-wacom_w8001-w8001_max_length-should-be-13.patch
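Review bot: The new `default:` arm in w8001_interrupt ends without a `break;` and writes its bound as `w8001->idx > W8001_PKTLEN_TPCPEN - 1`, which is harder to read than `w8001->idx >= W8001_PKTLEN_TPCPEN`; both are style only and leave behaviour unchanged. The reset is also limited to `!w8001->touch_dev`, so for touch-capable devices the index is presumably bounded by an earlier case and by the buffer size that the companion W8001_MAX_LENGTH patch in this queue corrects. A one-line comment saying where that bound comes from would help, since the switch starts outside the hunk.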
@@ -0,0 +1,32 @@
+From 12afb34400eb2b301f06b2aa3535497d14faee59 Mon Sep 17 00:00:00 2001
+From: Ping Cheng
+Date: Thu, 23 Jun 2016 10:54:17 -0700
+Subject: Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
+
+From: Ping Cheng
+
+commit 12afb34400eb2b301f06b2aa3535497d14faee59 upstream.
+
+Somehow the patch that added two-finger touch support forgot to update
+W8001_MAX_LENGTH from 11 to 13.
+
+Signed-off-by: Ping Cheng
+Reviewed-by: Peter Hutterer
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/touchscreen/wacom_w8001.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/wacom_w8001.c
++++ b/drivers/input/touchscreen/wacom_w8001.c
+@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar
+Date: Wed, 29 Jun 2016 09:51:35 -0700
+Subject: Input: xpad - validate USB endpoint count during probe
+
+From: Cameron Gutman
+
+commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.
+
+This prevents a malicious USB device from causing an oops.
+
+Signed-off-by: Cameron Gutman
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/joystick/xpad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -844,6 +844,9 @@ static int xpad_probe(struct usb_interfa
+ struct usb_endpoint_descriptor *ep_irq_in;
+ int i, error;
+
++ if (intf->cur_altsetting->desc.bNumEndpoints != 2)
++ return -ENODEV;
++
+ for (i = 0; xpad_device[i].idVendor; i++) {
+ if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
+ (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
diff --git a/queue-3.14/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch b/queue-3.14/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch
new file mode 100644
index 00000000000..0f99cabaccd
--- /dev/null
+++ b/queue-3.14/pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch
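Review bot: The added `bNumEndpoints != 2` check in xpad_probe validates only how many endpoints the interface reports, not what they are. The `ep_irq_in` declaration in the context suggests the probe later treats an endpoint as interrupt-IN; that code is outside the hunk, so this needs confirming, but if the endpoint array is indexed by fixed position then a descriptor with two endpoints of another type or direction still gets through. I would follow up by checking the descriptors with `usb_endpoint_is_int_in()` and `usb_endpoint_is_int_out()` before they are used, and put `/* the probe below expects exactly two endpoints; reject anything else */` above the new check.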
@@ -0,0 +1,37 @@
+From 0ac3c0a4025f41748a083bdd4970cb3ede802b15 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren
+Date: Tue, 31 May 2016 14:17:06 -0700
+Subject: pinctrl: single: Fix missing flush of posted write for a wakeirq
+
+From: Tony Lindgren
+
+commit 0ac3c0a4025f41748a083bdd4970cb3ede802b15 upstream.
+
+With many repeated suspend resume cycles, the pin specific wakeirq
+may not always work on omaps. This is because the write to enable the
+pin interrupt may not have reached the device over the interconnect
+before suspend happens.
+
+Let's fix the issue with a flush of posted write with a readback.
+
+Reported-by: Nishanth Menon
+Signed-off-by: Tony Lindgren
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pinctrl/pinctrl-single.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1616,6 +1616,9 @@ static inline void pcs_irq_set(struct pc
+ else
+ mask &= ~soc_mask;
+ pcs->write(mask, pcswi->reg);
++
++ /* flush posted write */
++ mask = pcs->read(pcswi->reg);
+ raw_spin_unlock(&pcs->lock);
+ }
+
diff --git a/queue-3.14/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch b/queue-3.14/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch
new file mode 100644
index 00000000000..bc3df5e8f71
--- /dev/null
+++ b/queue-3.14/revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch
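Review bot: The readback `mask = pcs->read(pcswi->reg);` in pcs_irq_set stores a value that nothing visible in the hunk uses afterwards, and the comment `/* flush posted write */` does not say why the flush matters. I would widen it to `/* read back to flush the posted write before suspend; value unused */` so the dead store is not removed in a later cleanup. The function starts outside the hunk.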
@@ -0,0 +1,61 @@
+From 78c4e172412de5d0456dc00d2b34050aa0b683b5 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney
+Date: Tue, 5 Jul 2016 17:32:29 -0400
+Subject: Revert "ecryptfs: forbid opening files without mmap handler"
+
+From: Jeff Mahoney
+
+commit 78c4e172412de5d0456dc00d2b34050aa0b683b5 upstream.
+
+This reverts commit 2f36db71009304b3f0b95afacd8eba1f9f046b87.
+
+It fixed a local root exploit but also introduced a dependency on
+the lower file system implementing an mmap operation just to open a file,
+which is a bit of a heavy hammer. The right fix is to have mmap depend
+on the existence of the mmap handler instead.
+
+Signed-off-by: Jeff Mahoney
+Signed-off-by: Tyler Hicks
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/kthread.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -25,7 +25,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include "ecryptfs_kernel.h"
+
+ struct ecryptfs_open_req {
+@@ -148,7 +147,7 @@ int ecryptfs_privileged_open(struct file
+ flags |= IS_RDONLY(lower_dentry->d_inode) ? O_RDONLY : O_RDWR;
+ (*lower_file) = dentry_open(&req.path, flags, cred);
+ if (!IS_ERR(*lower_file))
+- goto have_file;
++ goto out;
+ if ((flags & O_ACCMODE) == O_RDONLY) {
+ rc = PTR_ERR((*lower_file));
+ goto out;
+@@ -166,16 +165,8 @@ int ecryptfs_privileged_open(struct file
+ mutex_unlock(&ecryptfs_kthread_ctl.mux);
+ wake_up(&ecryptfs_kthread_ctl.wait);
+ wait_for_completion(&req.done);
+- if (IS_ERR(*lower_file)) {
++ if (IS_ERR(*lower_file))
+ rc = PTR_ERR(*lower_file);
+- goto out;
+- }
+-have_file:
+- if ((*lower_file)->f_op->mmap == NULL) {
+- fput(*lower_file);
+- *lower_file = NULL;
+- rc = -EMEDIUMTYPE;
+- }
+ out:
+ return rc;
+ }
diff --git a/queue-3.14/series b/queue-3.14/series
index 2fbab0e1ddc..9fb7c9e7030 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
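Review bot: After this revert ecryptfs_privileged_open no longer rejects a lower file whose `f_op->mmap` is NULL, so that protection exists again only once ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch is applied. The commit message says the reverted change fixed a local root exploit, so a tree carrying this patch alone is exposed; the two patches have to ship in the same release and stay adjacent in the series file. I would state the dependency in the description, for example `Must be applied together with f0fe970df383 ("ecryptfs: don't allow mmap when the lower fs doesn't support it")`. The hunks show only parts of ecryptfs_privileged_open.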
@@ -1,3 +1,12 @@
 fs-nilfs2-fix-potential-underflow-in-call-to-crc32_le.patch
 arc-unwind-warn-only-once-if-dw2_unwind-is-disabled.patch
 xen-pciback-fix-conf_space-read-write-overlap-check.patch
+alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch
+alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch
+input-wacom_w8001-w8001_max_length-should-be-13.patch
+input-wacom_w8001-ignore-invalid-pen-data-packets.patch
+input-xpad-validate-usb-endpoint-count-during-probe.patch
+pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch
+revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch
+ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch