Hello community,
here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2016-05-16 12:03:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
and /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source"
Changes:
--------
--- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes 2016-05-08 10:45:05.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes 2016-05-16 12:03:36.000000000 +0200
@@ -1,0 +2,48 @@
+Wed May 11 17:23:21 CEST 2016 - jslaby@suse.cz
+
+- Linux 4.5.4 (bsc#969870).
+- Delete
+ patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand.
+- commit db90c25
+
+-------------------------------------------------------------------
+Wed May 11 08:14:40 CEST 2016 - tiwai@suse.de
+
+- ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+ (CVE-2016-4569,bsc#979213).
+- ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+ (CVE-2016-4569,bsc#979213).
+- ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+ (CVE-2016-4569,bsc#979213).
+- commit 875e079
+
+-------------------------------------------------------------------
+Wed May 11 07:59:38 CEST 2016 - tiwai@suse.de
+
+- Bluetooth: vhci: Fix race at creating hci device
+ (bsc#971799,bsc#966849).
+- Bluetooth: vhci: purge unhandled skbs (bsc#971799,bsc#966849).
+- Bluetooth: vhci: fix open_timeout vs. hdev race
+ (bsc#971799,bsc#966849).
+- commit ea94c66
+
+-------------------------------------------------------------------
+Tue May 10 14:35:43 CEST 2016 - mkubecek@suse.cz
+
+- net: fix infoleak in rtnetlink (CVE-2016-4486 bsc#978822).
+- commit 61212a2
+
+-------------------------------------------------------------------
+Tue May 10 14:35:11 CEST 2016 - mkubecek@suse.cz
+
+- bpf: fix refcnt overflow (CVE-2016-4558 bsc#979019).
+- commit 6f2153b
+
+-------------------------------------------------------------------
+Tue May 10 14:34:23 CEST 2016 - mkubecek@suse.cz
+
+- bpf: fix double-fdput in replace_map_fd_with_map_ptr()
+ (CVE-2016-4557 bsc#979018).
+- commit c96cd1e
+
+-------------------------------------------------------------------
kernel-default.changes: same change
kernel-docs.changes: same change
kernel-lpae.changes: same change
kernel-obs-build.changes: same change
kernel-obs-qa.changes: same change
kernel-pae.changes: same change
kernel-source.changes: same change
kernel-syms.changes: same change
kernel-vanilla.changes: same change
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kernel-debug.spec ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.5
-%define patchversion 4.5.3
+%define patchversion 4.5.4
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: A Debug Version of the Kernel
License: GPL-2.0
Group: System/Kernel
-Version: 4.5.3
+Version: 4.5.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd29747f
+Release: <RELEASE>.gdb90c25
%else
Release: 0
%endif
kernel-default.spec: same change
++++++ kernel-docs.spec ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200
@@ -16,7 +16,7 @@
#
-%define patchversion 4.5.3
+%define patchversion 4.5.4
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -27,9 +27,9 @@
Summary: Kernel Documentation (man pages)
License: GPL-2.0
Group: Documentation/Man
-Version: 4.5.3
+Version: 4.5.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd29747f
+Release: <RELEASE>.gdb90c25
%else
Release: 0
%endif
++++++ kernel-lpae.spec ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.5
-%define patchversion 4.5.3
+%define patchversion 4.5.4
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: Kernel for LPAE enabled systems
License: GPL-2.0
Group: System/Kernel
-Version: 4.5.3
+Version: 4.5.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd29747f
+Release: <RELEASE>.gdb90c25
%else
Release: 0
%endif
++++++ kernel-obs-build.spec ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200
@@ -19,7 +19,7 @@
#!BuildIgnore: post-build-checks
-%define patchversion 4.5.3
+%define patchversion 4.5.4
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -51,9 +51,9 @@
Summary: package kernel and initrd for OBS VM builds
License: GPL-2.0
Group: SLES
-Version: 4.5.3
+Version: 4.5.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd29747f
+Release: <RELEASE>.gdb90c25
%else
Release: 0
%endif
++++++ kernel-obs-qa.spec ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200
@@ -17,7 +17,7 @@
# needsrootforbuild
-%define patchversion 4.5.3
+%define patchversion 4.5.4
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -36,9 +36,9 @@
Summary: Basic QA tests for the kernel
License: GPL-2.0
Group: SLES
-Version: 4.5.3
+Version: 4.5.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd29747f
+Release: <RELEASE>.gdb90c25
%else
Release: 0
%endif
++++++ kernel-pae.spec ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.5
-%define patchversion 4.5.3
+%define patchversion 4.5.4
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: Kernel with PAE Support
License: GPL-2.0
Group: System/Kernel
-Version: 4.5.3
+Version: 4.5.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd29747f
+Release: <RELEASE>.gdb90c25
%else
Release: 0
%endif
++++++ kernel-source.spec ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.5
-%define patchversion 4.5.3
+%define patchversion 4.5.4
%define variant %{nil}
%define vanilla_only 0
@@ -30,9 +30,9 @@
Summary: The Linux Kernel Sources
License: GPL-2.0
Group: Development/Sources
-Version: 4.5.3
+Version: 4.5.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd29747f
+Release: <RELEASE>.gdb90c25
%else
Release: 0
%endif
++++++ kernel-syms.spec ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200
@@ -24,10 +24,10 @@
Summary: Kernel Symbol Versions (modversions)
License: GPL-2.0
Group: Development/Sources
-Version: 4.5.3
+Version: 4.5.4
%if %using_buildservice
%if 0%{?is_kotd}
-Release: <RELEASE>.gd29747f
+Release: <RELEASE>.gdb90c25
%else
Release: 0
%endif
++++++ kernel-vanilla.spec ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:40.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:40.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.5
-%define patchversion 4.5.3
+%define patchversion 4.5.4
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: The Standard Kernel - without any SUSE patches
License: GPL-2.0
Group: System/Kernel
-Version: 4.5.3
+Version: 4.5.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd29747f
+Release: <RELEASE>.gdb90c25
%else
Release: 0
%endif
++++++ patches.arch.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand new/patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand
--- old/patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand 2016-05-05 07:03:39.000000000 +0200
+++ new/patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand 1970-01-01 01:00:00.000000000 +0100
@@ -1,163 +0,0 @@
-From a21211672c9a1d730a39aa65d4a5b3414700adfb Mon Sep 17 00:00:00 2001
-From: Srinivas Pandruvada
-Date: Wed, 23 Mar 2016 21:07:39 -0700
-Subject: [PATCH] ACPI / processor: Request native thermal interrupt handling via _OSC
-Patch-mainline: 4.6-rc2
-Git-commit: a21211672c9a1d730a39aa65d4a5b3414700adfb
-References: bsc#969870
-
-There are several reports of freeze on enabling HWP (Hardware PStates)
-feature on Skylake-based systems by the Intel P-states driver. The root
-cause is identified as the HWP interrupts causing BIOS code to freeze.
-
-HWP interrupts use the thermal LVT which can be handled by Linux
-natively, but on the affected Skylake-based systems SMM will respond
-to it by default. This is a problem for several reasons:
- - On the affected systems the SMM thermal LVT handler is broken (it
- will crash when invoked) and a BIOS update is necessary to fix it.
- - With thermal interrupt handled in SMM we lose all of the reporting
- features of the arch/x86/kernel/cpu/mcheck/therm_throt driver.
- - Some thermal drivers like x86-package-temp depend on the thermal
- threshold interrupts signaled via the thermal LVT.
- - The HWP interrupts are useful for debugging and tuning
- performance (if the kernel can handle them).
-The native handling of thermal interrupts needs to be enabled
-because of that.
-
-This requires some way to tell SMM that the OS can handle thermal
-interrupts. That can be done by using _OSC/_PDC in processor
-scope very early during ACPI initialization.
-
-The meaning of _OSC/_PDC bit 12 in processor scope is whether or
-not the OS supports native handling of interrupts for Collaborative
-Processor Performance Control (CPPC) notifications. Since on
-HWP-capable systems CPPC is a firmware interface to HWP, setting
-this bit effectively tells the firmware that the OS will handle
-thermal interrupts natively going forward.
-
-For details on _OSC/_PDC refer to:
-http://www.intel.com/content/www/us/en/standards/processor-vendor-specific-a...
-
-To implement the _OSC/_PDC handshake as described, introduce a new
-function, acpi_early_processor_osc(), that walks the ACPI
-namespace looking for ACPI processor objects and invokes _OSC for
-them with bit 12 in the capabilities buffer set and terminates the
-namespace walk on the first success.
-
-Also modify intel_thermal_interrupt() to clear HWP status bits in
-the HWP_STATUS MSR to acknowledge HWP interrupts (which prevents
-them from firing continuously).
-
-Signed-off-by: Srinivas Pandruvada
-[ rjw: Subject & changelog, function rename ]
-
-Signed-off-by: Rafael J. Wysocki
-Acked-by: Takashi Iwai
-
----
- arch/x86/kernel/cpu/mcheck/therm_throt.c | 3 +
- drivers/acpi/acpi_processor.c | 52 +++++++++++++++++++++++++++++++
- drivers/acpi/bus.c | 3 +
- drivers/acpi/internal.h | 6 +++
- 4 files changed, 64 insertions(+)
-
---- a/arch/x86/kernel/cpu/mcheck/therm_throt.c
-+++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c
-@@ -385,6 +385,9 @@ static void intel_thermal_interrupt(void
- {
- __u64 msr_val;
-
-+ if (static_cpu_has(X86_FEATURE_HWP))
-+ wrmsrl_safe(MSR_HWP_STATUS, 0);
-+
- rdmsrl(MSR_IA32_THERM_STATUS, msr_val);
-
- /* Check for violation of core thermal thresholds*/
---- a/drivers/acpi/acpi_processor.c
-+++ b/drivers/acpi/acpi_processor.c
-@@ -491,6 +491,58 @@ static void acpi_processor_remove(struct
- }
- #endif /* CONFIG_ACPI_HOTPLUG_CPU */
-
-+#ifdef CONFIG_X86
-+static bool acpi_hwp_native_thermal_lvt_set;
-+static acpi_status __init acpi_hwp_native_thermal_lvt_osc(acpi_handle handle,
-+ u32 lvl,
-+ void *context,
-+ void **rv)
-+{
-+ u8 sb_uuid_str[] = "4077A616-290C-47BE-9EBD-D87058713953";
-+ u32 capbuf[2];
-+ struct acpi_osc_context osc_context = {
-+ .uuid_str = sb_uuid_str,
-+ .rev = 1,
-+ .cap.length = 8,
-+ .cap.pointer = capbuf,
-+ };
-+
-+ if (acpi_hwp_native_thermal_lvt_set)
-+ return AE_CTRL_TERMINATE;
-+
-+ capbuf[0] = 0x0000;
-+ capbuf[1] = 0x1000; /* set bit 12 */
-+
-+ if (ACPI_SUCCESS(acpi_run_osc(handle, &osc_context))) {
-+ if (osc_context.ret.pointer && osc_context.ret.length > 1) {
-+ u32 *capbuf_ret = osc_context.ret.pointer;
-+
-+ if (capbuf_ret[1] & 0x1000) {
-+ acpi_handle_info(handle,
-+ "_OSC native thermal LVT Acked\n");
-+ acpi_hwp_native_thermal_lvt_set = true;
-+ }
-+ }
-+ kfree(osc_context.ret.pointer);
-+ }
-+
-+ return AE_OK;
-+}
-+
-+void __init acpi_early_processor_osc(void)
-+{
-+ if (boot_cpu_has(X86_FEATURE_HWP)) {
-+ acpi_walk_namespace(ACPI_TYPE_PROCESSOR, ACPI_ROOT_OBJECT,
-+ ACPI_UINT32_MAX,
-+ acpi_hwp_native_thermal_lvt_osc,
-+ NULL, NULL, NULL);
-+ acpi_get_devices(ACPI_PROCESSOR_DEVICE_HID,
-+ acpi_hwp_native_thermal_lvt_osc,
-+ NULL, NULL);
-+ }
-+}
-+#endif
-+
- /*
- * The following ACPI IDs are known to be suitable for representing as
- * processor devices.
---- a/drivers/acpi/bus.c
-+++ b/drivers/acpi/bus.c
-@@ -1005,6 +1005,9 @@ static int __init acpi_bus_init(void)
- goto error1;
- }
-
-+ /* Set capability bits for _OSC under processor scope */
-+ acpi_early_processor_osc();
-+
- /*
- * _OSC method may exist in module level code,
- * so it must be run after ACPI_FULL_INITIALIZATION
---- a/drivers/acpi/internal.h
-+++ b/drivers/acpi/internal.h
-@@ -138,6 +138,12 @@ void acpi_early_processor_set_pdc(void);
- static inline void acpi_early_processor_set_pdc(void) {}
- #endif
-
-+#ifdef CONFIG_X86
-+void acpi_early_processor_osc(void);
-+#else
-+static inline void acpi_early_processor_osc(void) {}
-+#endif
-+
- /* --------------------------------------------------------------------------
- Embedded Controller
- -------------------------------------------------------------------------- */
++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS new/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS
--- old/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS 2016-05-11 08:15:55.000000000 +0200
@@ -0,0 +1,33 @@
+From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: [PATCH] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: cec8f96e49d9be372fdb0c3836dcf31ec71e457e
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
+References: CVE-2016-4569,bsc#979213
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct
+ if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ if (tu->tread) {
+ struct snd_timer_tread tread;
++ memset(&tread, 0, sizeof(tread));
+ tread.event = SNDRV_TIMER_EVENT_EARLY;
+ tread.tstamp.tv_sec = 0;
+ tread.tstamp.tv_nsec = 0;
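Review bot: The added `memset(&tread, 0, sizeof(tread));` is the right fix, but it carries no explanation, and a later cleanup could replace it with a designated initializer, which the C standard does not require to zero padding bytes; a one-line comment would protect it, e.g. `/* zero explicitly: padding bytes of this struct are copied to user space */`. The same applies to the `memset(&r1, 0, sizeof(r1));` lines added in the two sibling patches for snd_timer_user_ccallback and snd_timer_user_tinterrupt. snd_timer_user_params begins outside the quoted hunk, and the point where tread is copied out to the caller is not visible here.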
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca
--- old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca 2016-05-11 08:15:55.000000000 +0200
@@ -0,0 +1,33 @@
+From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: [PATCH] ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
+References: CVE-2016-4569,bsc#979213
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(str
+ tu->tstamp = *tstamp;
+ if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ return;
++ memset(&r1, 0, sizeof(r1));
+ r1.event = event;
+ r1.tstamp = *tstamp;
+ r1.val = resolution;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin
--- old/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin 2016-05-11 08:15:55.000000000 +0200
@@ -0,0 +1,33 @@
+From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: [PATCH] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: e4ec8cc8039a7063e24204299b462bd1383184a5
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
+References: CVE-2016-4569,bsc#979213
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(st
+ }
+ if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ tu->last_resolution != resolution) {
++ memset(&r1, 0, sizeof(r1));
+ r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ r1.tstamp = tstamp;
+ r1.val = resolution;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device new/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device
--- old/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device 2016-05-11 08:15:55.000000000 +0200
@@ -0,0 +1,91 @@
+From c7c999cb18da88a881e10e07f0724ad0bfaff770 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 14 Apr 2016 17:32:19 +0200
+Subject: [PATCH] Bluetooth: vhci: Fix race at creating hci device
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
+Git-commit: c7c999cb18da88a881e10e07f0724ad0bfaff770
+References: bsc#971799,bsc#966849
+
+hci_vhci driver creates a hci device object dynamically upon each
+HCI_VENDOR_PKT write. Although it checks the already created object
+and returns an error, it's still racy and may build multiple hci_dev
+objects concurrently when parallel writes are performed, as the device
+tracks only a single hci_dev object.
+
+This patch introduces a mutex to protect against the concurrent device
+creations.
+
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Marcel Holtmann
+
+---
+ drivers/bluetooth/hci_vhci.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -50,6 +50,7 @@ struct vhci_data {
+ wait_queue_head_t read_wait;
+ struct sk_buff_head readq;
+
++ struct mutex open_mutex;
+ struct delayed_work open_timeout;
+ };
+
+@@ -87,12 +88,15 @@ static int vhci_send_frame(struct hci_de
+ return 0;
+ }
+
+-static int vhci_create_device(struct vhci_data *data, __u8 opcode)
++static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+ {
+ struct hci_dev *hdev;
+ struct sk_buff *skb;
+ __u8 dev_type;
+
++ if (data->hdev)
++ return -EBADFD;
++
+ /* bits 0-1 are dev_type (BR/EDR or AMP) */
+ dev_type = opcode & 0x03;
+
+@@ -151,6 +155,17 @@ static int vhci_create_device(struct vhc
+ return 0;
+ }
+
++static int vhci_create_device(struct vhci_data *data, __u8 opcode)
++{
++ int err;
++
++ mutex_lock(&data->open_mutex);
++ err = __vhci_create_device(data, opcode);
++ mutex_unlock(&data->open_mutex);
++
++ return err;
++}
++
+ static inline ssize_t vhci_get_user(struct vhci_data *data,
+ struct iov_iter *from)
+ {
+@@ -191,11 +206,6 @@ static inline ssize_t vhci_get_user(stru
+ case HCI_VENDOR_PKT:
+ cancel_delayed_work_sync(&data->open_timeout);
+
+- if (data->hdev) {
+- kfree_skb(skb);
+- return -EBADFD;
+- }
+-
+ opcode = *((__u8 *) skb->data);
+ skb_pull(skb, 1);
+
+@@ -320,6 +330,7 @@ static int vhci_open(struct inode *inode
+ skb_queue_head_init(&data->readq);
+ init_waitqueue_head(&data->read_wait);
+
++ mutex_init(&data->open_mutex);
+ INIT_DELAYED_WORK(&data->open_timeout, vhci_open_timeout);
+
+ file->private_data = data;
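Review bot: The `if (data->hdev)` block removed from vhci_get_user also removed the `kfree_skb(skb);` on that path, and `__vhci_create_device` now returns -EBADFD in its place; whether the caller still frees skb when vhci_create_device fails is outside this hunk and should be confirmed, otherwise the skb leaks on the -EBADFD path. vhci_open now calls `mutex_init(&data->open_mutex);` but no matching `mutex_destroy` appears in vhci_release; functionally harmless, but lock-debugging builds benefit from the pairing. The quoted hunks show only fragments of vhci_get_user, vhci_open and __vhci_create_device, whose bodies continue outside them.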
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race new/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race
--- old/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race 2016-05-11 08:15:55.000000000 +0200
@@ -0,0 +1,164 @@
+From 373a32c848ae3a1c03618517cce85f9211a6facf Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Sat, 19 Mar 2016 11:05:18 +0100
+Subject: [PATCH] Bluetooth: vhci: fix open_timeout vs. hdev race
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: 373a32c848ae3a1c03618517cce85f9211a6facf
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
+References: bsc#971799,bsc#966849
+
+Both vhci_get_user and vhci_release race with open_timeout work. They
+both contain cancel_delayed_work_sync, but do not test whether the
+work actually created hdev or not. Since the work can be in progress
+and _sync will wait for finishing it, we can have data->hdev allocated
+when cancel_delayed_work_sync returns. But the call sites do 'if
+(data->hdev)' *before* cancel_delayed_work_sync.
+
+As a result:
+* vhci_get_user allocates a second hdev and puts it into
+ data->hdev. The former is leaked.
+* vhci_release does not release data->hdev properly as it thinks there
+ is none.
+
+Fix both cases by moving the actual test *after* the call to
+cancel_delayed_work_sync.
+
+This can be hit by this program:
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #include
+ #include
+
+ int main(int argc, char **argv)
+ {
+ int fd;
+
+ srand(time(NULL));
+
+ while (1) {
+ const int delta = (rand() % 200 - 100) * 100;
+
+ fd = open("/dev/vhci", O_RDWR);
+ if (fd < 0)
+ err(1, "open");
+
+ usleep(1000000 + delta);
+
+ close(fd);
+ }
+
+ return 0;
+ }
+
+And the result is:
+Bug: KASAN: use-after-free in skb_queue_tail+0x13e/0x150 at addr ffff88006b0c1228
+Read of size 8 by task kworker/u13:1/32068
+=============================================================================
+BUG kmalloc-192 (Tainted: G E ): kasan: bad access detected
+
+Acked-by: Takashi Iwai
+Signed-off-by: Takashi Iwai
+
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in vhci_open+0x50/0x330 [hci_vhci] age=260 cpu=3 pid=32040
+...
+ kmem_cache_alloc_trace+0x150/0x190
+ vhci_open+0x50/0x330 [hci_vhci]
+ misc_open+0x35b/0x4e0
+ chrdev_open+0x23b/0x510
+...
+INFO: Freed in vhci_release+0xa4/0xd0 [hci_vhci] age=9 cpu=2 pid=32040
+...
+ __slab_free+0x204/0x310
+ vhci_release+0xa4/0xd0 [hci_vhci]
+...
+INFO: Slab 0xffffea0001ac3000 objects=16 used=13 fp=0xffff88006b0c1e00 flags=0x5fffff80004080
+INFO: Object 0xffff88006b0c1200 @offset=4608 fp=0xffff88006b0c0600
+Bytes b4 ffff88006b0c11f0: 09 df 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff88006b0c1200: 00 06 0c 6b 00 88 ff ff 00 00 00 00 00 00 00 00 ...k............
+Object ffff88006b0c1210: 10 12 0c 6b 00 88 ff ff 10 12 0c 6b 00 88 ff ff ...k.......k....
+Object ffff88006b0c1220: c0 46 c2 6b 00 88 ff ff c0 46 c2 6b 00 88 ff ff .F.k.....F.k....
+Object ffff88006b0c1230: 01 00 00 00 01 00 00 00 e0 ff ff ff 0f 00 00 00 ................
+Object ffff88006b0c1240: 40 12 0c 6b 00 88 ff ff 40 12 0c 6b 00 88 ff ff @..k....@..k....
+Object ffff88006b0c1250: 50 0d 6e a0 ff ff ff ff 00 02 00 00 00 00 ad de P.n.............
+Object ffff88006b0c1260: 00 00 00 00 00 00 00 00 ab 62 02 00 01 00 00 00 .........b......
+Object ffff88006b0c1270: 90 b9 19 81 ff ff ff ff 38 12 0c 6b 00 88 ff ff ........8..k....
+Object ffff88006b0c1280: 03 00 20 00 ff ff ff ff ff ff ff ff 00 00 00 00 .. .............
+Object ffff88006b0c1290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff88006b0c12a0: 00 00 00 00 00 00 00 00 00 80 cd 3d 00 88 ff ff ...........=....
+Object ffff88006b0c12b0: 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . ..............
+Redzone ffff88006b0c12c0: bb bb bb bb bb bb bb bb ........
+Padding ffff88006b0c13f8: 00 00 00 00 00 00 00 00 ........
+CPU: 3 PID: 32068 Comm: kworker/u13:1 Tainted: G B E 4.4.6-0-default #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
+Workqueue: hci0 hci_cmd_work [bluetooth]
+ 00000000ffffffff ffffffff81926cfa ffff88006be37c68 ffff88006bc27180
+ ffff88006b0c1200 ffff88006b0c1234 ffffffff81577993 ffffffff82489320
+ ffff88006bc24240 0000000000000046 ffff88006a100000 000000026e51eb80
+Call Trace:
+...
+ [<ffffffff81ec8ebe>] ? skb_queue_tail+0x13e/0x150
+ [<ffffffffa06e027c>] ? vhci_send_frame+0xac/0x100 [hci_vhci]
+ [<ffffffffa0c61268>] ? hci_send_frame+0x188/0x320 [bluetooth]
+ [<ffffffffa0c61515>] ? hci_cmd_work+0x115/0x310 [bluetooth]
+ [<ffffffff811a1375>] ? process_one_work+0x815/0x1340
+ [<ffffffff811a1f85>] ? worker_thread+0xe5/0x11f0
+ [<ffffffff811a1ea0>] ? process_one_work+0x1340/0x1340
+ [<ffffffff811b3c68>] ? kthread+0x1c8/0x230
+...
+Memory state around the buggy address:
+ ffff88006b0c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88006b0c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88006b0c1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88006b0c1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff88006b0c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)
+Signed-off-by: Jiri Slaby
+Signed-off-by: Marcel Holtmann
+Cc: Dmitry Vyukov
+Cc: stable 3.13+
+---
+ drivers/bluetooth/hci_vhci.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -189,13 +189,13 @@ static inline ssize_t vhci_get_user(stru
+ break;
+
+ case HCI_VENDOR_PKT:
++ cancel_delayed_work_sync(&data->open_timeout);
++
+ if (data->hdev) {
+ kfree_skb(skb);
+ return -EBADFD;
+ }
+
+- cancel_delayed_work_sync(&data->open_timeout);
+-
+ opcode = *((__u8 *) skb->data);
+ skb_pull(skb, 1);
+
+@@ -333,10 +333,12 @@ static int vhci_open(struct inode *inode
+ static int vhci_release(struct inode *inode, struct file *file)
+ {
+ struct vhci_data *data = file->private_data;
+- struct hci_dev *hdev = data->hdev;
++ struct hci_dev *hdev;
+
+ cancel_delayed_work_sync(&data->open_timeout);
+
++ hdev = data->hdev;
++
+ if (hdev) {
+ hci_unregister_dev(hdev);
+ hci_free_dev(hdev);
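Review bot: Moving `cancel_delayed_work_sync(&data->open_timeout);` ahead of the `if (data->hdev)` test closes the race against the timeout work, but that test in vhci_get_user is still unsynchronized against a second concurrent writer; the sibling patch in this submission (Bluetooth: vhci: Fix race at creating hci device) adds open_mutex for exactly that, so the two belong together and should not be backported separately. A short comment at the moved line, `/* the timeout work may itself create hdev; test it only after the work has finished */`, would record why the order matters. The reproducer in the description has lost the header names on its `#include` lines in this copy, so it will not build as shown. Both quoted hunks are fragments; vhci_get_user and vhci_release continue outside them.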
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs new/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs
--- old/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/Bluetooth-vhci-purge-unhandled-skbs 2016-05-11 08:15:55.000000000 +0200
@@ -0,0 +1,86 @@
+From 13407376b255325fa817798800117a839f3aa055 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Sat, 19 Mar 2016 11:49:43 +0100
+Subject: [PATCH] Bluetooth: vhci: purge unhandled skbs
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: 13407376b255325fa817798800117a839f3aa055
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
+References: bsc#971799,bsc#966849
+
+The write handler allocates skbs and queues them into data->readq.
+Read side should read them, if there is any. If there is none, skbs
+should be dropped by hdev->flush. But this happens only if the device
+is HCI_UP, i.e. hdev->power_on work was triggered already. When it was
+not, skbs stay allocated in the queue when /dev/vhci is closed. So
+purge the queue in ->release.
+
+Program to reproduce:
+ #include
+ #include
+ #include
+ #include
+
+ #include
+ #include
+ #include
+
+ int main()
+ {
+ char buf[] = { 0xff, 0 };
+ struct iovec iov = {
+ .iov_base = buf,
+ .iov_len = sizeof(buf),
+ };
+ int fd;
+
+ while (1) {
+ fd = open("/dev/vhci", O_RDWR);
+ if (fd < 0)
+ err(1, "open");
+
+ usleep(50);
+
+ if (writev(fd, &iov, 1) < 0)
+ err(1, "writev");
+
+ usleep(50);
+
+ close(fd);
+ }
+
+ return 0;
+ }
+
+Result:
+Kmemleak: 4609 new suspected memory leaks
+unreferenced object 0xffff88059f4d5440 (size 232):
+ comm "vhci", pid 1084, jiffies 4294912542 (age 37569.296s)
+ hex dump (first 32 bytes):
+ 20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff .#..... .#.....
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+...
+ [<ffffffff81ece010>] __alloc_skb+0x0/0x5a0
+ [<ffffffffa021886c>] vhci_create_device+0x5c/0x580 [hci_vhci]
+ [<ffffffffa0219436>] vhci_write+0x306/0x4c8 [hci_vhci]
+
+Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)
+Signed-off-by: Jiri Slaby
+Signed-off-by: Marcel Holtmann
+Cc: stable 3.13+
+Acked-by: Takashi Iwai
+
+---
+ drivers/bluetooth/hci_vhci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -344,6 +344,7 @@ static int vhci_release(struct inode *in
+ hci_free_dev(hdev);
+ }
+
++ skb_queue_purge(&data->readq);
+ file->private_data = NULL;
+ kfree(data);
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch new/patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
--- old/patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch 2016-05-11 08:15:55.000000000 +0200
@@ -0,0 +1,50 @@
+From: Jann Horn
+Date: Tue, 26 Apr 2016 22:26:26 +0200
+Subject: bpf: fix double-fdput in replace_map_fd_with_map_ptr()
+Patch-mainline: v4.6-rc6
+Git-commit: 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
+References: CVE-2016-4557 bsc#979018
+
+When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
+references a non-map file descriptor as a map file descriptor, the error
+handling code called fdput() twice instead of once (in __bpf_map_get() and
+in replace_map_fd_with_map_ptr()). If the file descriptor table of the
+current task is shared, this causes f_count to be decremented too much,
+allowing the struct file to be freed while it is still in use
+(use-after-free). This can be exploited to gain root privileges by an
+unprivileged user.
+
+This bug was introduced in
+commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
+exploitable since
+commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
+previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
+
+(posted publicly according to request by maintainer)
+
+Signed-off-by: Jann Horn
+Signed-off-by: Linus Torvalds
+Acked-by: Alexei Starovoitov
+Acked-by: Daniel Borkmann
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ kernel/bpf/verifier.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 2e7f7ab739e4..7520d7335336 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2003,7 +2003,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
+ if (IS_ERR(map)) {
+ verbose("fd %d is not pointing to valid bpf_map\n",
+ insn->imm);
+- fdput(f);
+ return PTR_ERR(map);
+ }
+
+--
+2.8.2
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/bpf-fix-refcnt-overflow.patch new/patches.fixes/bpf-fix-refcnt-overflow.patch
--- old/patches.fixes/bpf-fix-refcnt-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/bpf-fix-refcnt-overflow.patch 2016-05-11 08:15:55.000000000 +0200
@@ -0,0 +1,162 @@
+From: Alexei Starovoitov
+Date: Wed, 27 Apr 2016 18:56:20 -0700
+Subject: bpf: fix refcnt overflow
+Patch-mainline: v4.6-rc7
+Git-commit: 92117d8443bc5afacc8d5ba82e541946310f106e
+References: CVE-2016-4558 bsc#979019
+
+On a system with >32Gbyte of physical memory and infinite RLIMIT_MEMLOCK,
+the malicious application may overflow 32-bit bpf program refcnt.
+It's also possible to overflow map refcnt on 1Tb system.
+Impose 32k hard limit which means that the same bpf program or
+map cannot be shared by more than 32k processes.
+
+Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
+Reported-by: Jann Horn
+Signed-off-by: Alexei Starovoitov
+Acked-by: Daniel Borkmann
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ include/linux/bpf.h | 3 ++-
+ kernel/bpf/inode.c | 7 ++++---
+ kernel/bpf/syscall.c | 24 ++++++++++++++++++++----
+ kernel/bpf/verifier.c | 11 +++++++----
+ 4 files changed, 33 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 83d1926c61e4..67bc2da5d233 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl);
+ void bpf_register_map_type(struct bpf_map_type_list *tl);
+
+ struct bpf_prog *bpf_prog_get(u32 ufd);
++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
+ void bpf_prog_put(struct bpf_prog *prog);
+ void bpf_prog_put_rcu(struct bpf_prog *prog);
+
+ struct bpf_map *bpf_map_get_with_uref(u32 ufd);
+ struct bpf_map *__bpf_map_get(struct fd f);
+-void bpf_map_inc(struct bpf_map *map, bool uref);
++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref);
+ void bpf_map_put_with_uref(struct bpf_map *map);
+ void bpf_map_put(struct bpf_map *map);
+
+diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
+index f2ece3c174a5..8f94ca1860cf 100644
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum bpf_type type)
+ {
+ switch (type) {
+ case BPF_TYPE_PROG:
+- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt);
++ raw = bpf_prog_inc(raw);
+ break;
+ case BPF_TYPE_MAP:
+- bpf_map_inc(raw, true);
++ raw = bpf_map_inc(raw, true);
+ break;
+ default:
+ WARN_ON_ONCE(1);
+@@ -297,7 +297,8 @@ static void *bpf_obj_do_get(const struct filename *pathname,
+ goto out;
+
+ raw = bpf_any_get(inode->i_private, *type);
+- touch_atime(&path);
++ if (!IS_ERR(raw))
++ touch_atime(&path);
+
+ path_put(&path);
+ return raw;
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 637397059f76..aa5f39772ac4 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -201,11 +201,18 @@ struct bpf_map *__bpf_map_get(struct fd f)
+ return f.file->private_data;
+ }
+
+-void bpf_map_inc(struct bpf_map *map, bool uref)
++/* prog's and map's refcnt limit */
++#define BPF_MAX_REFCNT 32768
++
++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref)
+ {
+- atomic_inc(&map->refcnt);
++ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {
++ atomic_dec(&map->refcnt);
++ return ERR_PTR(-EBUSY);
++ }
+ if (uref)
+ atomic_inc(&map->usercnt);
++ return map;
+ }
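Review bot: `bpf_map_inc()` changes from returning void to returning either the map or `ERR_PTR(-EBUSY)`, and a caller that keeps ignoring the result would compile cleanly while believing it holds a reference it never took, so a later `bpf_map_put()` would likely drop someone else's reference. The in-tree callers in this patch are all converted, but the prototypes in bpf.h give the compiler no way to flag the next unconverted one; marking both `bpf_map_inc()` and `bpf_prog_inc()` `__must_check` would close that gap. The function also deserves a short comment on the new contract and on why `atomic_inc_return()` followed by `atomic_dec()` is acceptable: the counter can briefly exceed BPF_MAX_REFCNT by the number of concurrent callers, which is harmless only because 32768 is far below the 32-bit wrap the commit message describes. Suggested wording: `/* Returns map, or ERR_PTR(-EBUSY) once refcnt would exceed BPF_MAX_REFCNT; the transient overshoot before atomic_dec() is bounded by concurrent callers and cannot wrap. */`.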
+
+ struct bpf_map *bpf_map_get_with_uref(u32 ufd)
+@@ -217,7 +224,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd)
+ if (IS_ERR(map))
+ return map;
+
+- bpf_map_inc(map, true);
++ map = bpf_map_inc(map, true);
+ fdput(f);
+
+ return map;
+@@ -600,6 +607,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f)
+ return f.file->private_data;
+ }
+
++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
++{
++ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) {
++ atomic_dec(&prog->aux->refcnt);
++ return ERR_PTR(-EBUSY);
++ }
++ return prog;
++}
++
+ /* called by sockets/tracing/seccomp before attaching program to an event
+ * pairs with bpf_prog_put()
+ */
+@@ -612,7 +628,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd)
+ if (IS_ERR(prog))
+ return prog;
+
+- atomic_inc(&prog->aux->refcnt);
++ prog = bpf_prog_inc(prog);
+ fdput(f);
+
+ return prog;
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 2e7f7ab739e4..060e4c4c37ea 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
+ return -E2BIG;
+ }
+
+- /* remember this map */
+- env->used_maps[env->used_map_cnt++] = map;
+-
+ /* hold the map. If the program is rejected by verifier,
+ * the map will be released by release_maps() or it
+ * will be used by the valid program until it's unloaded
+ * and all maps are released in free_bpf_prog_info()
+ */
+- bpf_map_inc(map, false);
++ map = bpf_map_inc(map, false);
++ if (IS_ERR(map)) {
++ fdput(f);
++ return PTR_ERR(map);
++ }
++ env->used_maps[env->used_map_cnt++] = map;
++
+ fdput(f);
+ next_insn:
+ insn++;
+--
+2.8.2
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/net-fix-infoleak-in-rtnetlink.patch new/patches.fixes/net-fix-infoleak-in-rtnetlink.patch
--- old/patches.fixes/net-fix-infoleak-in-rtnetlink.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/net-fix-infoleak-in-rtnetlink.patch 2016-05-11 08:15:55.000000000 +0200
@@ -0,0 +1,54 @@
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:46:24 -0400
+Subject: net: fix infoleak in rtnetlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: v4.6
+Git-commit: 5f8e44741f9f216e33736ea4ec65ca9ac03036e6
+References: CVE-2016-4486 bsc#978822
+
+The stack object “map” has a total size of 32 bytes. Its last 4
+bytes are padding generated by compiler. These padding bytes are
+not initialized and sent out via “nla_put”.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/core/rtnetlink.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 215e6137f6ff..482c3717a45e 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1176,14 +1176,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+
+ static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
+ {
+- struct rtnl_link_ifmap map = {
+- .mem_start = dev->mem_start,
+- .mem_end = dev->mem_end,
+- .base_addr = dev->base_addr,
+- .irq = dev->irq,
+- .dma = dev->dma,
+- .port = dev->if_port,
+- };
++ struct rtnl_link_ifmap map;
++
++ memset(&map, 0, sizeof(map));
++ map.mem_start = dev->mem_start;
++ map.mem_end = dev->mem_end;
++ map.base_addr = dev->base_addr;
++ map.irq = dev->irq;
++ map.dma = dev->dma;
++ map.port = dev->if_port;
++
+ if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
+ return -EMSGSIZE;
+
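Review bot: The reason for the `memset()` is not recorded in the code, and a designated-initializer form like the one being removed is exactly what a future cleanup would restore, silently bringing the padding leak back. Suggest a comment above the memset: `/* memset, not a designated initializer: C does not guarantee padding bytes are zeroed, and nla_put() copies all sizeof(map) bytes to userspace */`. Passing only the defined fields to `nla_put()` would be the alternative, but that would presumably alter the attribute layout userspace expects, so zeroing the whole struct is the right fix here.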
+--
+2.8.2
+
++++++ patches.kernel.org.tar.bz2 ++++++
++++ 2459 lines of diff (skipped)
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:41.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:41.000000000 +0200
@@ -30,6 +30,7 @@
patches.kernel.org/patch-4.5.1
patches.kernel.org/patch-4.5.1-2
patches.kernel.org/patch-4.5.2-3
+ patches.kernel.org/patch-4.5.3-4
########################################################
# Build fixes that apply to the vanilla kernel too.
@@ -203,7 +204,6 @@
patches.arch/acpi_thermal_passive_blacklist.patch
- patches.arch/ACPI-processor-Request-native-thermal-interrupt-hand
########################################################
# CPUFREQ
@@ -226,6 +226,9 @@
########################################################
# Networking, IPv6
########################################################
+ patches.fixes/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
+ patches.fixes/bpf-fix-refcnt-overflow.patch
+ patches.fixes/net-fix-infoleak-in-rtnetlink.patch
########################################################
# Netfilter
@@ -381,6 +384,9 @@
##########################################################
# Sound
##########################################################
+ patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS
+ patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca
+ patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin
########################################################
# Char / serial
@@ -393,6 +399,10 @@
# Needs updating WRT d27769ec (block: add GENHD_FL_NO_PART_SCAN)
+hare patches.suse/no-partition-scan
+ patches.fixes/Bluetooth-vhci-fix-open_timeout-vs.-hdev-race
+ patches.fixes/Bluetooth-vhci-purge-unhandled-skbs
+ patches.fixes/Bluetooth-vhci-Fix-race-at-creating-hci-device
+
########################################################
# Other drivers we have added to the tree
########################################################
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.KILNuP/_old 2016-05-16 12:03:41.000000000 +0200
+++ /var/tmp/diff_new_pack.KILNuP/_new 2016-05-16 12:03:41.000000000 +0200
@@ -1,3 +1,3 @@
-2016-05-05 07:03:39 +0200
-GIT Revision: d29747fc112968f831670cbf4015a5dc5ea6a3fe
+2016-05-11 17:23:21 +0200
+GIT Revision: db90c25df14b3a2668f5ee1e59e0578d8a096e44
GIT Branch: stable