Update to 4.9.10

Ben Hutchings 2017-02-16 19:03:31 +00:00
parent 452d9f1e7d
commit 10f2dad569
5 changed files with 60 additions and 187 deletions

debian/changelog vendored

@ -1,4 +1,4 @@
linux (4.9.9-1) UNRELEASED; urgency=medium
linux (4.9.10-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7
@ -161,6 +161,65 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
- iw_cxgb4: set correct FetchBurstMax for QPs
- fs: break out of iomap_file_buffered_write on fatal signals
- [x86] drm/i915/execlists: Reset RING registers upon resume
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.10
- [x86] cpufreq: intel_pstate: Disable energy efficiency optimization
- acpi, nfit: fix acpi_nfit_flush_probe() crash
- [x86] libnvdimm, namespace: do not delete namespace-id 0
- [x86] libnvdimm, pfn: fix memmap reservation size versus 4K alignment
- dm rq: cope with DM device destruction while in dm_old_request_fn()
- crypto: algif_aead - Fix kernel panic on list_del
- [x86] crypto: qat - fix bar discovery for c62x
- [x86] crypto: qat - zero esram only for DH85x devices
- [x86] crypto: ccp - Fix DMA operations when IOMMU is enabled
- [x86] crypto: ccp - Fix double add when creating new DMA command
- Input: uinput - fix crash when mixing old and new init style
- selinux: fix off-by-one in setprocattr (CVE-2017-2618)
- [x86] Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
- rtlwifi: rtl8192ce: Fix loading of incorrect firmware
- cpumask: use nr_cpumask_bits for parsing functions (Closes: #848682)
- [armel,armhf] 8643/3: arm/ptrace: Preserve previous registers for short
regset write
- [x86] drm/i915: fix use-after-free in page_flip_completed()
- [x86] drm/i915/bxt: Add MST support when do DPLL calculation
- drm/atomic: Fix double free in drm_atomic_state_default_clear
- target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
- target: Use correct SCSI status during EXTENDED_COPY exception
- target: Fix early transport_generic_handle_tmr abort scenario
- target: Fix multi-session dynamic se_node_acl double free OOPs
- target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
- [armhf] dts: imx6dl: fix GPIO4 range
- [armhf] 8642/1: LPAE: catch pending imprecise abort on unmask
- [x86] drm/i915: Always convert incoming exec offsets to non-canonical
- nl80211: Fix mesh HT operation check
- mac80211: Fix adding of mesh vendor IEs
- net/mlx5e: Modify TIRs hash only when it's needed
- [x86] Drivers: hv: vmbus: Base host signaling strictly on the ring state
- [x86] Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
- [x86] Drivers: hv: vmbus: On the read path cleanup the logic to interrupt
the host
- [x86] Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()
- [s390x] scsi: zfcp: fix use-after-free by not tracing WKA port open/close
on failed send
- scsi: aacraid: Fix INTx/MSI-x issue with older controllers
- scsi: mpt3sas: disable ASPM for MPI2 controllers
- scsi: qla2xxx: Avoid that issuing a LIP triggers a kernel crash
- btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
- [powerpc*] mm/radix: Update ERAT flushes when invalidating TLB
- [powerpc*] powernv: Fix CPU hotplug to handle waking on HVI
- xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
- ALSA: hda - adding a new NV HDMI/DP codec ID in the driver
- ALSA: seq: Fix race at creating a queue
- ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
- Revert "ALSA: line6: Only determine control port properties if needed"
- [x86] mm/ptdump: Fix soft lockup in page table walker
- [x86] CPU/AMD: Bring back Compute Unit ID
- [x86] CPU/AMD: Fix Zen SMT topology
- IB/rxe: Fix resid update
- IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
- stacktrace, lockdep: Fix address, newline ugliness
- perf diff: Fix -o/--order option behavior (again)
- perf diff: Fix segfault on 'perf diff -o N' option
- perf/core: Fix crash in perf_event_read()
[ Ben Hutchings ]
* Bump ABI to 2
@ -184,7 +243,6 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
- rt: Drop mutex_disable() on !DEBUG configs and the GPL suffix from export
symbol
- cpuset: Convert callback_lock to raw_spinlock_t
* cpumask: use nr_cpumask_bits for parsing functions (Closes: #848682)
* pegasus: Use heap buffers for all register access (Closes: #852556)
* test-patches: Use the pkg.linux.notools build profile
* test-patches: Set default number of jobs to number of available processors
@ -196,8 +254,6 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
* [armel] ARM: orion5x: fix Makefile for linkstation-lschl.dtb
[ Salvatore Bonaccorso ]
* IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
* selinux: fix off-by-one in setprocattr (CVE-2017-2618)
* ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)
* sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)


@ -1,38 +0,0 @@
From: Eyal Itkin <eyal.itkin@gmail.com>
Date: Tue, 7 Feb 2017 16:45:19 +0300
Subject: IB/rxe: Fix mem_check_range integer overflow
Origin: https://git.kernel.org/linus/647bf3d8a8e5777319da92af672289b2a6c4dc66
Update the range check to avoid integer-overflow in edge case.
Resolves CVE 2016-8636.
Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
---
drivers/infiniband/sw/rxe/rxe_mr.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
index d0faca294006..86a6585b847d 100644
--- a/drivers/infiniband/sw/rxe/rxe_mr.c
+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)
case RXE_MEM_TYPE_MR:
case RXE_MEM_TYPE_FMR:
- return ((iova < mem->iova) ||
- ((iova + length) > (mem->iova + mem->length))) ?
- -EFAULT : 0;
+ if (iova < mem->iova ||
+ length > mem->length ||
+ iova > mem->iova + mem->length - length)
+ return -EFAULT;
+ return 0;
default:
return -EFAULT;
--
2.11.0
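
Review bot: In the RXE_MEM_TYPE_MR / RXE_MEM_TYPE_FMR case, the third comparison `iova > mem->iova + mem->length - length` still evaluates `mem->iova + mem->length`, so the check is overflow-free only if that sum cannot wrap for a registered region. The preceding `length > mem->length` test guarantees the subtraction does not underflow, but nothing in this hunk shows the invariant on the region itself. A one-line comment naming where that invariant is enforced, or an explicit guard, would make the range check safe on its face.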


@ -1,77 +0,0 @@
Date: Mon, 6 Feb 2017 13:24:42 -0500
From: Tejun Heo <tj@kernel.org>
Subject: cpumask: use nr_cpumask_bits for parsing functions
Bug-Debian: https://bugs.debian.org/848682
Origin: https://lkml.org/lkml/2017/2/6/720
513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and
parsing functions") converted both cpumask printing and parsing
functions to use nr_cpu_ids instead of nr_cpumask_bits. While this
was okay for the printing functions as it just picked one of the two
output formats that we were alternating between depending on a kernel
config, doing the same for parsing wasn't okay.
nr_cpumask_bits can be either nr_cpu_ids or NR_CPUS. We can always
use nr_cpu_ids but that is a variable while NR_CPUS is a constant, so
it can be more efficient to use NR_CPUS when we can get away with it.
Converting the printing functions to nr_cpu_ids makes sense because it
affects how the masks get presented to userspace and doesn't break
anything; however, using nr_cpu_ids for parsing functions can
incorrectly leave the higher bits uninitialized while reading in these
masks from userland. As all testing and comparison functions use
nr_cpumask_bits which can be larger than nr_cpu_ids, the parsed
cpumasks can erroneously yield false negative results.
This made the taskstats interface incorrectly return -EINVAL even when
the inputs were correct.
Fix it by restoring the parse functions to use nr_cpumask_bits instead
of nr_cpu_ids.
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and parsing functions")
Cc: stable@vger.kernel.org # v4.0+
Reported-by: Martin Steigerwald <martin.steigerwald@teamix.de>
Debugged-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
include/linux/cpumask.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -560,7 +560,7 @@ static inline void cpumask_copy(struct c
static inline int cpumask_parse_user(const char __user *buf, int len,
struct cpumask *dstp)
{
- return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpu_ids);
+ return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
}
/**
@@ -575,7 +575,7 @@ static inline int cpumask_parselist_user
struct cpumask *dstp)
{
return bitmap_parselist_user(buf, len, cpumask_bits(dstp),
- nr_cpu_ids);
+ nr_cpumask_bits);
}
/**
@@ -590,7 +590,7 @@ static inline int cpumask_parse(const ch
char *nl = strchr(buf, '\n');
unsigned int len = nl ? (unsigned int)(nl - buf) : strlen(buf);
- return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpu_ids);
+ return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
}
/**
@@ -602,7 +602,7 @@ static inline int cpumask_parse(const ch
*/
static inline int cpulist_parse(const char *buf, struct cpumask *dstp)
{
- return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpu_ids);
+ return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpumask_bits);
}
/**
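
Review bot: All four parse helpers (cpumask_parse_user, cpumask_parselist_user, cpumask_parse, cpulist_parse) now pass nr_cpumask_bits, but nothing in cpumask.h records why parsing has to differ from printing. The commit message traces the regression to 513e3d2d11c9 converting both to nr_cpu_ids, so a short comment on these helpers would help: it should say that the parsed mask must be initialised up to nr_cpumask_bits because the testing and comparison functions read that many bits. That would guard against the same conversion being repeated.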


@ -1,65 +0,0 @@
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 31 Jan 2017 11:54:04 -0500
Subject: selinux: fix off-by-one in setprocattr
Origin: https://git.kernel.org/linus/0c461cb727d146c9ef2d3e86214f498b78b7d125
SELinux tries to support setting/clearing of /proc/pid/attr attributes
from the shell by ignoring terminating newlines and treating an
attribute value that begins with a NUL or newline as an attempt to
clear the attribute. However, the test for clearing attributes has
always been wrong; it has an off-by-one error, and this could further
lead to reading past the end of the allocated buffer since commit
bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
switch to memdup_user()"). Fix the off-by-one error.
Even with this fix, setting and clearing /proc/pid/attr attributes
from the shell is not straightforward since the interface does not
support multiple write() calls (so shells that write the value and
newline separately will set and then immediately clear the attribute,
requiring use of echo -n to set the attribute), whereas trying to use
echo -n "" to clear the attribute causes the shell to skip the
write() call altogether since POSIX says that a zero-length write
causes no side effects. Thus, one must use echo -n to set and echo
without -n to clear, as in the following example:
$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
$ cat /proc/$$/attr/fscreate
unconfined_u:object_r:user_home_t:s0
$ echo "" > /proc/$$/attr/fscreate
$ cat /proc/$$/attr/fscreate
Note the use of /proc/$$ rather than /proc/self, as otherwise
the cat command will read its own attribute value, not that of the shell.
There are no users of this facility to my knowledge; possibly we
should just get rid of it.
UPDATE: Upon further investigation it appears that a local process
with the process:setfscreate permission can cause a kernel panic as a
result of this bug. This patch fixes CVE-2017-2618.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: added the update about CVE-2017-2618 to the commit description]
Cc: stable@vger.kernel.org # 3.5: d6ea83ec6864e
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c7c6619..d98550a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5887,7 +5887,7 @@ static int selinux_setprocattr(struct task_struct *p,
return error;
/* Obtain a SID for the context, if one was specified. */
- if (size && str[1] && str[1] != '\n') {
+ if (size && str[0] && str[0] != '\n') {
if (str[size-1] == '\n') {
str[size-1] = 0;
size--;
--
2.1.4
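
Review bot: In selinux_setprocattr() the corrected test `if (size && str[0] && str[0] != '\n')` is safe only because `size` is evaluated first, and the body then reads `str[size-1]`; both hold for size >= 1, which is the case the old `str[1]` read got wrong. The commit message describes a one-byte write (the lone newline from echo "") as the normal way to clear the attribute, so a regression test that writes exactly one byte to /proc/$$/attr/fscreate would cover the path that previously read past the allocated buffer.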


@ -73,7 +73,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/nbd-use-loff_t-for-blocksize-and-nbd_set_size-args.patch
bugfix/all/ath9k-fix-null-pointer-dereference.patch
bugfix/all/nbd-fix-64-bit-division.patch
bugfix/all/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch
bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch
# Miscellaneous features
@ -104,8 +103,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch
bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
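
Review bot: Please confirm that the two entries kept under "# Security fixes", ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch and sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch, still apply on top of 4.9.10. Neither has a matching line in the ChangeLog-4.9.10 list added to debian/changelog, so keeping them is consistent with the CVE-2017-5970 and CVE-2017-5986 changelog entries that remain, but this commit drops their neighbours without touching them.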