Addressed CVE-2016-0728 and i915 patch

author: Figue 2016-01-20 13:15:18 +0100
committer: Figue 2016-01-20 13:15:18 +0100
commit: a82f6ff28e52b051f69da3cb84c6c266bb25f99f (patch)
tree: 0e2a7f366f7c84c31f354384387aaa3fa1feeaa8
parent: 3ee1e716b22a52c09d6e18bc59cd27c072c188ab (diff)
download: aur-a82f6ff28e52b051f69da3cb84c6c266bb25f99f.tar.gz
4 files changed, 156 insertions, 5 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 0d219f57930e..a2c9ae13ae08 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,8 +1,8 @@
 # Generated by mksrcinfo v8
-# Wed Dec 16 01:07:54 UTC 2015
+# Wed Jan 20 12:12:14 UTC 2016
 pkgbase = linux-bld
 	pkgver = 4.3.3
-	pkgrel = 1
+	pkgrel = 3
 	url = https://github.com/rmullick/linux
 	arch = i686
 	arch = x86_64
@@ -24,6 +24,8 @@ pkgbase = linux-bld
 	source = http://algo.ing.unimo.it/people/paolo/disk_sched/patches/4.3.0-v7r8/0002-block-introduce-the-BFQ-v7r8-I-O-sched-for-4.3.patch
 	source = http://algo.ing.unimo.it/people/paolo/disk_sched/patches/4.3.0-v7r8/0003-block-bfq-add-Early-Queue-Merge-EQM-to-BFQ-v7r8-for-4.3.0.patch
 	source = https://raw.githubusercontent.com/rmullick/bld-patches/master/BLD-4.3.patch
+	source = 0001-disabling-primary-plane-in-the-noatomic-case.patch
+	source = CVE-2016-0728.patch
 	sha256sums = 4a622cc84b8a3c38d39bc17195b0c064d2b46945dfde0dae18f77b120bc9f3ae
 	sha256sums = SKIP
 	sha256sums = 95cd81fcbb87953f672150d60950548edc04a88474c42de713b91811557fefa5
@@ -37,6 +39,8 @@ pkgbase = linux-bld
 	sha256sums = 91b7cb42b8337b768e5329da205a6b61211628ec99b1e308e0e9d5283b2c86eb
 	sha256sums = 77430c7154670dd288b6d5bd45896222bf955f02029ee5d0cfe97cc5d9bc1a9d
 	sha256sums = 5abf7ed1ff7001926efdec319286bd0876c3f29e9e9cb75532a6865898dd5e38
+	sha256sums = abdd04bd6beecb7c961130a68d71e6332bd260462eeaa2f4f8e634de813dcc4d
+	sha256sums = c11bf7442041f2ddaf6aea62b897c0753200aa64ca0e7b9f2c9700ea16326997
 
 pkgname = linux-bld
 	pkgdesc = The Linux-bld kernel and modules with BLD patches
diff --git a/0001-disabling-primary-plane-in-the-noatomic-case.patch b/0001-disabling-primary-plane-in-the-noatomic-case.patch
new file mode 100644
index 000000000000..241b1012e02e
--- /dev/null
+++ b/0001-disabling-primary-plane-in-the-noatomic-case.patch
@@ -0,0 +1,56 @@
+From 634b3a4a476e96816d5d6cd5bb9f8900a53f56ba Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Date: Mon, 23 Nov 2015 10:25:28 +0100
+Subject: drm/i915: Do a better job at disabling primary plane in the noatomic
+ case.
+
+When disable_noatomic is called plane_mask is not correct yet, and
+plane_state->visible = true is left as true after disabling the primary
+plane.
+
+Other planes are already disabled as part of crtc sanitization, only the
+primary is left active. But the plane_mask is not updated here. It gets
+updated during fb takeover in modeset_gem_init, or set to the new value
+on resume.
+
+This means that to disable the primary plane 1 << drm_plane_index(primary)
+needs to be used.
+
+Afterwards because the crtc is no longer active it's forbidden to keep
+plane_state->visible set, or a WARN_ON in
+intel_plane_atomic_calc_changes triggers. There are other code points
+that rely on accurate plane_state->visible too, so make sure the bool is
+cleared.
+
+The other planes are already disabled in intel_sanitize_crtc, so they
+don't have to be handled here.
+
+Cc: stable@vger.kernel.org #v4.3, v4.2?
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92655
+Tested-by: Tomas Mezzadra <tmezzadra@gmail.com>
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/5652DB88.9070208@linux.intel.com
+(cherry picked from commit 54a4196188eab82e6f0a5f05716626e9f18b8fb6)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index 22e86d2..62211ab 100644
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -6309,9 +6309,11 @@ static void intel_crtc_disable_noatomic(struct drm_crtc *crtc)
+ 	if (to_intel_plane_state(crtc->primary->state)->visible) {
+ 		intel_crtc_wait_for_pending_flips(crtc);
+ 		intel_pre_disable_primary(crtc);
++
++		intel_crtc_disable_planes(crtc, 1 << drm_plane_index(crtc->primary));
++		to_intel_plane_state(crtc->primary->state)->visible = false;
+ 	}
+ 
+-	intel_crtc_disable_planes(crtc, crtc->state->plane_mask);
+ 	dev_priv->display.crtc_disable(crtc);
+ 	intel_crtc->active = false;
+ 	intel_update_watermarks(crtc);
+-- 
+cgit v0.10.2
+
diff --git a/CVE-2016-0728.patch b/CVE-2016-0728.patch
new file mode 100644
index 000000000000..49020d7dba33
--- /dev/null
+++ b/CVE-2016-0728.patch
@@ -0,0 +1,81 @@
+From 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Mon Sep 17 00:00:00 2001
+From: Yevgeny Pats <yevgeny@perception-point.io>
+Date: Tue, 19 Jan 2016 22:09:04 +0000
+Subject: KEYS: Fix keyring ref leak in join_session_keyring()
+
+This fixes CVE-2016-0728.
+
+If a thread is asked to join as a session keyring the keyring that's already
+set as its session, we leak a keyring reference.
+
+This can be tested with the following program:
+
+	#include <stddef.h>
+	#include <stdio.h>
+	#include <sys/types.h>
+	#include <keyutils.h>
+
+	int main(int argc, const char *argv[])
+	{
+		int i = 0;
+		key_serial_t serial;
+
+		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+				"leaked-keyring");
+		if (serial < 0) {
+			perror("keyctl");
+			return -1;
+		}
+
+		if (keyctl(KEYCTL_SETPERM, serial,
+			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
+			perror("keyctl");
+			return -1;
+		}
+
+		for (i = 0; i < 100; i++) {
+			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+					"leaked-keyring");
+			if (serial < 0) {
+				perror("keyctl");
+				return -1;
+			}
+		}
+
+		return 0;
+	}
+
+If, after the program has run, there something like the following line in
+/proc/keys:
+
+3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
+
+with a usage count of 100 * the number of times the program has been run,
+then the kernel is malfunctioning.  If leaked-keyring has zero usages or
+has been garbage collected, then the problem is fixed.
+
+Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Don Zickus <dzickus@redhat.com>
+Acked-by: Prarit Bhargava <prarit@redhat.com>
+Acked-by: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+---
+ security/keys/process_keys.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index a3f85d2..e6d50172 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+ 		ret = PTR_ERR(keyring);
+ 		goto error2;
+ 	} else if (keyring == new->session_keyring) {
++		key_put(keyring);
+ 		ret = 0;
+ 		goto error2;
+ 	}
+-- 
+cgit v0.12
+
diff --git a/PKGBUILD b/PKGBUILD
index 8144df144924..76101873c34a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -8,7 +8,7 @@ _srcname=linux-4.3
 pkgname=(linux-bld linux-bld-headers)
 _kernelname=-bld
 pkgver=4.3.3
-pkgrel=1
+pkgrel=3
 arch=('i686' 'x86_64')
 url="https://github.com/rmullick/linux"
 license=('GPL2')
@@ -31,6 +31,8 @@ source=("http://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
 	"${_bfqpath}/0002-block-introduce-the-BFQ-v7r8-I-O-sched-for-4.3.patch"
 	"${_bfqpath}/0003-block-bfq-add-Early-Queue-Merge-EQM-to-BFQ-v7r8-for-4.3.0.patch"
         "https://raw.githubusercontent.com/rmullick/bld-patches/master/${_BLDpatch}"
+        "0001-disabling-primary-plane-in-the-noatomic-case.patch"
+        "CVE-2016-0728.patch"
         )
 
 sha256sums=('4a622cc84b8a3c38d39bc17195b0c064d2b46945dfde0dae18f77b120bc9f3ae'
@@ -45,7 +47,9 @@ sha256sums=('4a622cc84b8a3c38d39bc17195b0c064d2b46945dfde0dae18f77b120bc9f3ae'
             'ebeb62206999b2749ac43bb287a6a2a5db4f6b1b688a90cefa1ceb5db94aa490'
             '91b7cb42b8337b768e5329da205a6b61211628ec99b1e308e0e9d5283b2c86eb'
             '77430c7154670dd288b6d5bd45896222bf955f02029ee5d0cfe97cc5d9bc1a9d'
-            '5abf7ed1ff7001926efdec319286bd0876c3f29e9e9cb75532a6865898dd5e38')
+            '5abf7ed1ff7001926efdec319286bd0876c3f29e9e9cb75532a6865898dd5e38'
+            'abdd04bd6beecb7c961130a68d71e6332bd260462eeaa2f4f8e634de813dcc4d'
+            'c11bf7442041f2ddaf6aea62b897c0753200aa64ca0e7b9f2c9700ea16326997')
 
 validpgpkeys=(
               'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -95,7 +99,13 @@ prepare() {
       patch -Np1 -i "$p"
   done
 
-#  msg2 "Patches from Archlinux"
+  msg2 "Patches from Archlinux"
+  # fix #46968
+  # hangs on older intel hardware
+  patch -Np1 -i "${srcdir}/0001-disabling-primary-plane-in-the-noatomic-case.patch"
+
+  # fixes #47820 CVE-2016-0728.patch
+  patch -Np1 -i "${srcdir}/CVE-2016-0728.patch"
 
   if [ "${CARCH}" = "x86_64" ]; then
     cat "${srcdir}/config.x86_64" > ./.config
author	Figue	2016-01-20 13:15:18 +0100
committer	Figue	2016-01-20 13:15:18 +0100
commit	a82f6ff28e52b051f69da3cb84c6c266bb25f99f (patch)
tree	0e2a7f366f7c84c31f354384387aaa3fa1feeaa8
parent	3ee1e716b22a52c09d6e18bc59cd27c072c188ab (diff)
download	aur-a82f6ff28e52b051f69da3cb84c6c266bb25f99f.tar.gz