Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2017-04-03 13:58:54 +0200
committerTakashi Iwai <tiwai@suse.de>2017-04-03 13:58:54 +0200
commit9d324493680099aa44658763f5b8b52f7c2ccc06 (patch)
tree19f202735f6293df3fd5a3396907aec8b6cc7019
parent7e90e1013f3786dbb5772dbef1afa6d532cacc79 (diff)
parent012a106c9b8ecd88246ebbc2561c624cc6f36966 (diff)
Merge branch 'SLE12-SP2' into SLE12-SP3
Conflicts: series.conf
-rw-r--r--patches.arch/x86-mce-fix-copy-paste-error-in-exception-table-entries.patch53
-rw-r--r--patches.fixes/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch34
-rw-r--r--patches.kernel.org/patch-4.4.58-592
-rw-r--r--series.conf2
4 files changed, 90 insertions, 1 deletions
diff --git a/patches.arch/x86-mce-fix-copy-paste-error-in-exception-table-entries.patch b/patches.arch/x86-mce-fix-copy-paste-error-in-exception-table-entries.patch
new file mode 100644
index 0000000000..3a329a2f83
--- /dev/null
+++ b/patches.arch/x86-mce-fix-copy-paste-error-in-exception-table-entries.patch
@@ -0,0 +1,53 @@
+From: Tony Luck <tony.luck@intel.com>
+Date: Mon, 20 Mar 2017 14:40:30 -0700
+Subject: x86/mce: Fix copy/paste error in exception table entries
+Git-commit: 26a37ab319a26d330bab298770d692bb9c852aff
+Patch-mainline: v4.11-rc5
+References: fate#319858
+
+Back in commit:
+
+ 92b0729c34cab ("x86/mm, x86/mce: Add memcpy_mcsafe()")
+
+... I made a copy/paste error setting up the exception table entries
+and ended up with two for label .L_cache_w3 and none for .L_cache_w2.
+
+This means that if we take a machine check on:
+
+ .L_cache_w2: movq 2*8(%rsi), %r10
+
+then we don't have an exception table entry for this instruction
+and we can't recover.
+
+Fix: s/3/2/
+
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Cc: <stable@vger.kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 92b0729c34cab ("x86/mm, x86/mce: Add memcpy_mcsafe()")
+Link: http://lkml.kernel.org/r/1490046030-25862-1-git-send-email-tony.luck@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/lib/memcpy_64.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/lib/memcpy_64.S
++++ b/arch/x86/lib/memcpy_64.S
+@@ -286,7 +286,7 @@ ENDPROC(memcpy_mcsafe)
+ _ASM_EXTABLE_FAULT(.L_copy_leading_bytes, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w0, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w1, .L_memcpy_mcsafe_fail)
+- _ASM_EXTABLE_FAULT(.L_cache_w3, .L_memcpy_mcsafe_fail)
++ _ASM_EXTABLE_FAULT(.L_cache_w2, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w3, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w4, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w5, .L_memcpy_mcsafe_fail)
diff --git a/patches.fixes/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch b/patches.fixes/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
new file mode 100644
index 0000000000..67b679f108
--- /dev/null
+++ b/patches.fixes/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
@@ -0,0 +1,34 @@
+From: peter chang <dpf@google.com>
+Date: Wed, 15 Feb 2017 14:11:54 -0800
+Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
+Git-commit: bf33f87dd04c371ea33feb821b60d63d754e3124
+Patch-mainline: v4.11-rc5
+References: bsc#1030213, CVE-2017-7187
+
+The user can control the size of the next command passed along, but the
+value passed to the ioctl isn't checked against the usable max command
+size.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peter Chang <dpf@google.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/scsi/sg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index e831e01..849ff81 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
+ result = get_user(val, ip);
+ if (result)
+ return result;
++ if (val > SG_MAX_CDB_SIZE)
++ return -ENOMEM;
+ sfp->next_cmd_len = (val > 0) ? val : 0;
+ return 0;
+ case SG_GET_VERSION_NUM:
+
diff --git a/patches.kernel.org/patch-4.4.58-59 b/patches.kernel.org/patch-4.4.58-59
index 2f9921a8c3..6a97b2eb56 100644
--- a/patches.kernel.org/patch-4.4.58-59
+++ b/patches.kernel.org/patch-4.4.58-59
@@ -1,6 +1,6 @@
From: Takashi Iwai <tiwai@suse.de>
Subject: Linux 4.4.59
-References: bnc#1012382
+References: bnc#1012382 CVE-2017-7374 bsc#1032006
Patch-mainline: 4.4.59
Git-commit: 619bd4a71874a8fd78eb6ccf9f272c5e98bcc7b7
Git-commit: 1b53cf9815bb4744958d41f3795d5d5a1d365e2d
diff --git a/series.conf b/series.conf
index 3a67039827..83856d69ea 100644
--- a/series.conf
+++ b/series.conf
@@ -3831,6 +3831,7 @@
patches.drivers/scsi-qla2xxx-Use-struct-t10_pi_tuple.patch
patches.drivers/scsi-sd-Move-DIF-protection-types-to-t10-pi.h.patch
patches.drivers/csiostor-Fix-completion-usage.patch
+ patches.fixes/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
patches.suse/fcoe-reduce-max_sectors
patches.fixes/libfc-Update-rport-reference-counting.patch
@@ -9900,6 +9901,7 @@
# fate#319858, see x86 section above
patches.arch/16-x86-pmem-use-memcpy_mcsafe-for-memcpy_from_pmem.patch
+ patches.arch/x86-mce-fix-copy-paste-error-in-exception-table-entries.patch
patches.drivers/0034-arm-8522-1-drivers-nvdimm-ensure-no-negative-value-gets-returned-on-positive-match.patch
patches.drivers/0035-nfit-tools-testing-nvdimm-add-format-interface-code-definitions.patch