From 2f4b09240cd24148f138654eeafdeac9a2f08e47 Mon Sep 17 00:00:00 2001 From: Adrian Dudau Date: Tue, 22 Nov 2016 15:18:11 +0100 Subject: linux-yocto: Drop patches obsoleted by v4.4.26 Yocto upgraded kernel version to 4.4.26, which includes the CVE fixes maintained here. Signed-off-by: Adrian Dudau Signed-off-by: Martin Borg
---
recipes-kernel/linux/files/CVE-2016-4951.patch | 43 --------
recipes-kernel/linux/files/CVE-2016-5195.patch | 100 -------------------
recipes-kernel/linux/files/CVE-2016-5400.patch | 57 -----------
.../CVE-2016-5696-limiting-of-all-challenge.patch | 109 ---------------------
...5696-make-challenge-acks-less-predictable.patch | 88 -----------------
recipes-kernel/linux/files/CVE-2016-6480.patch | 71 --------------
recipes-kernel/linux/files/hid-CVE-2016-5829.patch | 51 ----------
recipes-kernel/linux/linux-yocto_4.%.bbappend | 9 --
8 files changed, 528 deletions(-)
delete mode 100644 recipes-kernel/linux/files/CVE-2016-4951.patch
delete mode 100644 recipes-kernel/linux/files/CVE-2016-5195.patch
delete mode 100644 recipes-kernel/linux/files/CVE-2016-5400.patch
delete mode 100644 recipes-kernel/linux/files/CVE-2016-5696-limiting-of-all-challenge.patch
delete mode 100644 recipes-kernel/linux/files/CVE-2016-5696-make-challenge-acks-less-predictable.patch
delete mode 100644 recipes-kernel/linux/files/CVE-2016-6480.patch
delete mode 100644 recipes-kernel/linux/files/hid-CVE-2016-5829.patch
diff --git a/recipes-kernel/linux/files/CVE-2016-4951.patch b/recipes-kernel/linux/files/CVE-2016-4951.patch
deleted file mode 100644
index 31eb29e..0000000
--- a/recipes-kernel/linux/files/CVE-2016-4951.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 23cdd8c3cbe9d790f23d7f9ae14e9b828f56f69c Mon Sep 17 00:00:00 2001
-From: Richard Alpe
-Date: Mon, 16 May 2016 11:14:54 +0200
-Subject: tipc: check nl sock before parsing nested attributes
-
-[ Upstream commit 45e093ae2830cd1264677d47ff9a95a71f5d9f9c ]
-
-Make sure the socket for which the user is listing publication exists
-before parsing the socket netlink attributes.
-
-Prior to this patch a call without any socket caused a NULL pointer
-dereference in tipc_nl_publ_dump().
-
-Upstream-Status: Backport
-CVE: CVE-2016-4951
-
-Tested-and-reported-by: Baozeng Ding
-Signed-off-by: Richard Alpe
-Acked-by: Jon Maloy
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sona Sarmadi
----
- net/tipc/socket.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/tipc/socket.c b/net/tipc/socket.c
-index e53003c..9b713e0 100644
---- a/net/tipc/socket.c
-+++ b/net/tipc/socket.c
-@@ -2814,6 +2814,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
- if (err)
- return err;
-
-+ if (!attrs[TIPC_NLA_SOCK])
-+ return -EINVAL;
-+
- err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
- attrs[TIPC_NLA_SOCK],
- tipc_nl_sock_policy);
---
-cgit v0.12
-
diff --git a/recipes-kernel/linux/files/CVE-2016-5195.patch b/recipes-kernel/linux/files/CVE-2016-5195.patch
deleted file mode 100644
index 3f81b19..0000000
--- a/recipes-kernel/linux/files/CVE-2016-5195.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 1294d355881cc5c3421d24fee512f16974addb6c Mon Sep 17 00:00:00 2001
-From: Linus Torvalds
-Date: Thu, 13 Oct 2016 13:07:36 -0700
-Subject: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
-
-commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
-
-This is an ancient bug that was actually attempted to be fixed once
-(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
-get_user_pages() race for write access") but that was then undone due to
-problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
-
-In the meantime, the s390 situation has long been fixed, and we can now
-fix it by checking the pte_dirty() bit properly (and do it better). The
-s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
-software dirty bits") which made it into v3.9. Earlier kernels will
-have to look at the page state itself.
-
-Also, the VM has become more scalable, and what used a purely
-theoretical race back then has become easier to trigger.
-
-To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
-we already did a COW" rather than play racy games with FOLL_WRITE that
-is very fundamental, and then use the pte dirty flag to validate that
-the FOLL_COW flag is still valid.
-
-Upstream-Status: Backport
-CVE: CVE-2016-5195
-
-Reported-and-tested-by: Phil "not Paul" Oester
-Acked-by: Hugh Dickins
-Reviewed-by: Michal Hocko
-Cc: Andy Lutomirski
-Cc: Kees Cook
-Cc: Oleg Nesterov
-Cc: Willy Tarreau
-Cc: Nick Piggin
-Cc: Greg Thelen
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sona Sarmadi
----
- include/linux/mm.h | 1 +
- mm/gup.c | 14 ++++++++++++--
- 2 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index cfebb74..f0ffa01 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -2112,6 +2112,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
- #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
- #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */
- #define FOLL_MLOCK 0x1000 /* lock present pages */
-+#define FOLL_COW 0x4000 /* internal GUP flag */
-
- typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
- void *data);
-diff --git a/mm/gup.c b/mm/gup.c
-index deafa2c..4b0b7e7 100644
---- a/mm/gup.c
-+++ b/mm/gup.c
-@@ -58,6 +58,16 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
- return -EEXIST;
- }
-
-+/*
-+ * FOLL_FORCE can write to even unwritable pte's, but only
-+ * after we've gone through a COW cycle and they are dirty.
-+ */
-+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
-+{
-+ return pte_write(pte) ||
-+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
-+}
-+
- static struct page *follow_page_pte(struct vm_area_struct *vma,
- unsigned long address, pmd_t *pmd, unsigned int flags)
- {
-@@ -92,7 +102,7 @@ retry:
- }
- if ((flags & FOLL_NUMA) && pte_protnone(pte))
- goto no_page;
-- if ((flags & FOLL_WRITE) && !pte_write(pte)) {
-+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
- pte_unmap_unlock(ptep, ptl);
- return NULL;
- }
-@@ -352,7 +362,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
- * reCOWed by userspace write).
- */
- if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
-- *flags &= ~FOLL_WRITE;
-+ *flags |= FOLL_COW;
- return 0;
- }
-
---
-cgit v0.12
-
diff --git a/recipes-kernel/linux/files/CVE-2016-5400.patch b/recipes-kernel/linux/files/CVE-2016-5400.patch
deleted file mode 100644
index dd62bcd..0000000
--- a/recipes-kernel/linux/files/CVE-2016-5400.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From d863bec646a590584eabcb40550bff0708c26b0d Mon Sep 17 00:00:00 2001
-From: James Patrick-Evans
-Date: Fri, 15 Jul 2016 16:40:45 +0100
-Subject: media: fix airspy usb probe error path
-
-commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.
-
-Fix a memory leak on probe error of the airspy usb device driver.
-
-The problem is triggered when more than 64 usb devices register with
-v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
-
-The memory leak is caused by the probe function of the airspy driver
-mishandeling errors and not freeing the corresponding control structures
-when an error occours registering the device to v4l2 core.
-
-A badusb device can emulate 64 of these devices, and then through
-continual emulated connect/disconnect of the 65th device, cause the
-kernel to run out of RAM and crash the kernel, thus causing a local DOS
-vulnerability.
-
-Fixes CVE-2016-5400
-CVE: CVE-2016-5400
-
-Signed-off-by: James Patrick-Evans
-Reviewed-by: Kees Cook
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sona Sarmadi
----
- drivers/media/usb/airspy/airspy.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
-index 565a593..34b35eb 100644
---- a/drivers/media/usb/airspy/airspy.c
-+++ b/drivers/media/usb/airspy/airspy.c
-@@ -1073,7 +1073,7 @@ static int airspy_probe(struct usb_interface *intf,
- if (ret) {
- dev_err(s->dev, "Failed to register as video device (%d)\n",
- ret);
-- goto err_unregister_v4l2_dev;
-+ goto err_free_controls;
- }
- dev_info(s->dev, "Registered as %s\n",
- video_device_node_name(&s->vdev));
-@@ -1082,7 +1082,6 @@ static int airspy_probe(struct usb_interface *intf,
-
- err_free_controls:
- v4l2_ctrl_handler_free(&s->hdl);
--err_unregister_v4l2_dev:
- v4l2_device_unregister(&s->v4l2_dev);
- err_free_mem:
- kfree(s);
---
-cgit v0.12
-
diff --git a/recipes-kernel/linux/files/CVE-2016-5696-limiting-of-all-challenge.patch b/recipes-kernel/linux/files/CVE-2016-5696-limiting-of-all-challenge.patch
deleted file mode 100644
index f2c2364..0000000
--- a/recipes-kernel/linux/files/CVE-2016-5696-limiting-of-all-challenge.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 5413f1a526d2d51d7a5768133c90936c017165c6 Mon Sep 17 00:00:00 2001
-From: Jason Baron
-Date: Thu, 14 Jul 2016 11:38:40 -0400
-Subject: [PATCH] tcp: enable per-socket rate limiting of all 'challenge acks'
-
-[ Upstream commit 083ae308280d13d187512b9babe3454342a7987e ]
-
-The per-socket rate limit for 'challenge acks' was introduced in the
-context of limiting ack loops:
-
-commit f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock")
-
-And I think it can be extended to rate limit all 'challenge acks' on a
-per-socket basis.
-
-Since we have the global tcp_challenge_ack_limit, this patch allows for
-tcp_challenge_ack_limit to be set to a large value and effectively rely on
-the per-socket limit, or set tcp_challenge_ack_limit to a lower value and
-still prevents a single connections from consuming the entire challenge ack
-quota.
-
-It further moves in the direction of eliminating the global limit at some
-point, as Eric Dumazet has suggested. This a follow-up to:
-Subject: tcp: make challenge acks less predictable
-
-CVE: CVE-2016-5696
-Upstream-Status: Backport
-
-Cc: Eric Dumazet
-Cc: David S. Miller
-Cc: Neal Cardwell
-Cc: Yuchung Cheng
-Cc: Yue Cao
-Signed-off-by: Jason Baron
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sona Sarmadi
----
- net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++-----------------
- 1 file changed, 22 insertions(+), 17 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 05f10df..12b98e2 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -3390,6 +3390,23 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
- return flag;
- }
-
-+static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
-+ u32 *last_oow_ack_time)
-+{
-+ if (*last_oow_ack_time) {
-+ s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
-+
-+ if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-+ NET_INC_STATS_BH(net, mib_idx);
-+ return true; /* rate-limited: don't send yet! */
-+ }
-+ }
-+
-+ *last_oow_ack_time = tcp_time_stamp;
-+
-+ return false; /* not rate-limited: go ahead, send dupack now! */
-+}
-+
- /* Return true if we're currently rate-limiting out-of-window ACKs and
- * thus shouldn't send a dupack right now. We rate-limit dupacks in
- * response to out-of-window SYNs or ACKs to mitigate ACK loops or DoS
-@@ -3403,21 +3420,9 @@ bool tcp_oow_rate_limited(struct net *net, const struct sk_buff *skb,
- /* Data packets without SYNs are not likely part of an ACK loop. */
- if ((TCP_SKB_CB(skb)->seq != TCP_SKB_CB(skb)->end_seq) &&
- !tcp_hdr(skb)->syn)
-- goto not_rate_limited;
--
-- if (*last_oow_ack_time) {
-- s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
--
-- if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-- NET_INC_STATS_BH(net, mib_idx);
-- return true; /* rate-limited: don't send yet! */
-- }
-- }
--
-- *last_oow_ack_time = tcp_time_stamp;
-+ return false;
-
--not_rate_limited:
-- return false; /* not rate-limited: go ahead, send dupack now! */
-+ return __tcp_oow_rate_limited(net, mib_idx, last_oow_ack_time);
- }
-
- /* RFC 5961 7 [ACK Throttling] */
-@@ -3430,9 +3435,9 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- u32 count, now;
-
- /* First check our per-socket dupack rate limit. */
-- if (tcp_oow_rate_limited(sock_net(sk), skb,
-- LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-- &tp->last_oow_ack_time))
-+ if (__tcp_oow_rate_limited(sock_net(sk),
-+ LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-+ &tp->last_oow_ack_time))
- return;
-
- /* Then check host-wide RFC 5961 rate limit. */
---
-1.9.1
-
diff --git a/recipes-kernel/linux/files/CVE-2016-5696-make-challenge-acks-less-predictable.patch b/recipes-kernel/linux/files/CVE-2016-5696-make-challenge-acks-less-predictable.patch
deleted file mode 100644
index fe67b3b..0000000
--- a/recipes-kernel/linux/files/CVE-2016-5696-make-challenge-acks-less-predictable.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 72c2d3bccaba4a0a4de354f9d2d24eccd05bfccf Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: [PATCH] tcp: make challenge acks less predictable
-
-[ Upstream commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 ]
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-CVE: CVE-2016-5696
-Upstream-Status: Backport
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao
-Signed-off-by: Eric Dumazet
-Suggested-by: Linus Torvalds
-Cc: Yuchung Cheng
-Cc: Neal Cardwell
-Acked-by: Neal Cardwell
-Acked-by: Yuchung Cheng
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sona Sarmadi
----
- net/ipv4/tcp_input.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index d4c5115..05f10df 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -89,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
-
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
-
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3427,7 +3427,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
- struct tcp_sock *tp = tcp_sk(sk);
-- u32 now;
-+ u32 count, now;
-
- /* First check our per-socket dupack rate limit. */
- if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3435,13 +3435,18 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- &tp->last_oow_ack_time))
- return;
-
-- /* Then check the check host-wide RFC 5961 rate limit. */
-+ /* Then check host-wide RFC 5961 rate limit. */
- now = jiffies / HZ;
- if (now != challenge_timestamp) {
-+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- challenge_timestamp = now;
-- challenge_count = 0;
-+ WRITE_ONCE(challenge_count, half +
-+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
- }
-- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-+ count = READ_ONCE(challenge_count);
-+ if (count > 0) {
-+ WRITE_ONCE(challenge_count, count - 1);
- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
---
-1.9.1
-
diff --git a/recipes-kernel/linux/files/CVE-2016-6480.patch b/recipes-kernel/linux/files/CVE-2016-6480.patch
deleted file mode 100644
index 2cd521a..0000000
--- a/recipes-kernel/linux/files/CVE-2016-6480.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From e4878ef66e5b8d01d6734b1952f9abb3eeea454c Mon Sep 17 00:00:00 2001
-From: Dave Carroll
-Date: Fri, 5 Aug 2016 13:44:10 -0600
-Subject: aacraid: Check size values after double-fetch from user
-
-commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
-
-In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
-get the fib header's size and one for the fib itself. Later we use the
-size field from the second fetch to further process the fib. If for some
-reason the size from the second fetch is different than from the first
-fix, we may encounter an out-of- bounds access in aac_fib_send(). We
-also check the sender size to insure it is not out of bounds. This was
-reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
-assigned CVE-2016-6480.
-
-CVE: CVE-2016-6480
-Upstream-Status: Backport
-
-Reported-by: Pengfei Wang
-Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
-Signed-off-by: Dave Carroll
-Reviewed-by: Johannes Thumshirn
-Signed-off-by: Martin K. Petersen
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sona Sarmadi
----
- drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index 54195a1..f78cc94 100644
---- a/drivers/scsi/aacraid/commctrl.c
-+++ b/drivers/scsi/aacraid/commctrl.c
-@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- struct fib *fibptr;
- struct hw_fib * hw_fib = (struct hw_fib *)0;
- dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
-- unsigned size;
-+ unsigned int size, osize;
- int retval;
-
- if (dev->in_reset) {
-@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- * will not overrun the buffer when we copy the memory. Return
- * an error if we would.
- */
-- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
-+ osize = size = le16_to_cpu(kfib->header.Size) +
-+ sizeof(struct aac_fibhdr);
- if (size < le16_to_cpu(kfib->header.SenderSize))
- size = le16_to_cpu(kfib->header.SenderSize);
- if (size > dev->max_fib_size) {
-@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- goto cleanup;
- }
-
-+ /* Sanity check the second copy */
-+ if ((osize != le16_to_cpu(kfib->header.Size) +
-+ sizeof(struct aac_fibhdr))
-+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
-+ retval = -EINVAL;
-+ goto cleanup;
-+ }
-+
- if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
- aac_adapter_interrupt(dev);
- /*
---
-cgit v0.12
-
diff --git a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch b/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
deleted file mode 100644
index fca7e51..0000000
--- a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f67b6920a0cf03d363c5f3bfb14f5d258168dc8c Mon Sep 17 00:00:00 2001
-From: Scott Bauer
-Date: Thu, 23 Jun 2016 08:59:47 -0600
-Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
- commands
-
-[ Upstream commit 93a2001bdfd5376c3dc2158653034c20392d15c5 ]
-
-This patch validates the num_values parameter from userland during the
-HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
-to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
-leading to a heap overflow.
-
-CVE: CVE-2016-5829
-Upstream-Status: Backport
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Scott Bauer
-Signed-off-by: Jiri Kosina
-Signed-off-by: Sasha Levin
-Signed-off-by: Sona Sarmadi
----
- drivers/hid/usbhid/hiddev.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
-index 2f1ddca..700145b 100644
---- a/drivers/hid/usbhid/hiddev.c
-+++ b/drivers/hid/usbhid/hiddev.c
-@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
- goto inval;
- } else if (uref->usage_index >= field->report_count)
- goto inval;
--
-- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-- uref->usage_index + uref_multi->num_values > field->report_count))
-- goto inval;
- }
-
-+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-+ uref->usage_index + uref_multi->num_values > field->report_count))
-+ goto inval;
-+
- switch (cmd) {
- case HIDIOCGUSAGE:
- uref->value = field->value[uref->usage_index];
---
-cgit v0.12
-
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend
index 1a22b88..c438328 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -2,15 +2,6 @@ require recipes-kernel/linux/enea-common.inc FILESEXTRAPATHS_prepend := "${THISDIR}/files:" -SRC_URI += "file://hid-CVE-2016-5829.patch \ - file://CVE-2016-5696-limiting-of-all-challenge.patch \ - file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \ - file://CVE-2016-4951.patch \ - file://CVE-2016-5195.patch \ - file://CVE-2016-5400.patch \ - file://CVE-2016-6480.patch \ - " - ENEA_KERNEL_FRAGMENTS += "\ cfg/localversion.cfg \ cfg/with_modules.cfg \ -- cgit v1.2.3-54-g00ecf