diff --git a/debian/changelog b/debian/changelog
index acafac63e..da5338d2d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.9.9-1) UNRELEASED; urgency=medium
+linux (4.9.10-1) UNRELEASED; urgency=medium
 
 * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7
@@ -161,6 +161,65 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
 - iw_cxgb4: set correct FetchBurstMax for QPs
 - fs: break out of iomap_file_buffered_write on fatal signals
 - [x86] drm/i915/execlists: Reset RING registers upon resume
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.10
+ - [x86] cpufreq: intel_pstate: Disable energy efficiency optimization
+ - acpi, nfit: fix acpi_nfit_flush_probe() crash
+ - [x86] libnvdimm, namespace: do not delete namespace-id 0
+ - [x86] libnvdimm, pfn: fix memmap reservation size versus 4K alignment
+ - dm rq: cope with DM device destruction while in dm_old_request_fn()
+ - crypto: algif_aead - Fix kernel panic on list_del
+ - [x86] crypto: qat - fix bar discovery for c62x
+ - [x86] crypto: qat - zero esram only for DH85x devices
+ - [x86] crypto: ccp - Fix DMA operations when IOMMU is enabled
+ - [x86] crypto: ccp - Fix double add when creating new DMA command
+ - Input: uinput - fix crash when mixing old and new init style
+ - selinux: fix off-by-one in setprocattr (CVE-2017-2618)
+ - [x86] Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
+ - rtlwifi: rtl8192ce: Fix loading of incorrect firmware
+ - cpumask: use nr_cpumask_bits for parsing functions (Closes: #848682)
+ - [armel,armhf] 8643/3: arm/ptrace: Preserve previous registers for short
+ regset write
+ - [x86] drm/i915: fix use-after-free in page_flip_completed()
+ - [x86] drm/i915/bxt: Add MST support when do DPLL calculation
+ - drm/atomic: Fix double free in drm_atomic_state_default_clear
+ - target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
+ - target: Use correct SCSI status during EXTENDED_COPY exception
+ - target: Fix early transport_generic_handle_tmr abort scenario
+ - target: Fix multi-session dynamic se_node_acl double free OOPs
+ - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
+ - [armhf] dts: imx6dl: fix GPIO4 range
+ - [armhf] 8642/1: LPAE: catch pending imprecise abort on unmask
+ - [x86] drm/i915: Always convert incoming exec offsets to non-canonical
+ - nl80211: Fix mesh HT operation check
+ - mac80211: Fix adding of mesh vendor IEs
+ - net/mlx5e: Modify TIRs hash only when it's needed
+ - [x86] Drivers: hv: vmbus: Base host signaling strictly on the ring state
+ - [x86] Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
+ - [x86] Drivers: hv: vmbus: On the read path cleanup the logic to interrupt
+ the host
+ - [x86] Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()
+ - [s390x] scsi: zfcp: fix use-after-free by not tracing WKA port open/close
+ on failed send
+ - scsi: aacraid: Fix INTx/MSI-x issue with older controllers
+ - scsi: mpt3sas: disable ASPM for MPI2 controllers
+ - scsi: qla2xxx: Avoid that issuing a LIP triggers a kernel crash
+ - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
+ - [powerpc*] mm/radix: Update ERAT flushes when invalidating TLB
+ - [powerpc*] powernv: Fix CPU hotplug to handle waking on HVI
+ - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
+ - ALSA: hda - adding a new NV HDMI/DP codec ID in the driver
+ - ALSA: seq: Fix race at creating a queue
+ - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
+ - Revert "ALSA: line6: Only determine control port properties if needed"
+ - [x86] mm/ptdump: Fix soft lockup in page table walker
+ - [x86] CPU/AMD: Bring back Compute Unit ID
+ - [x86] CPU/AMD: Fix Zen SMT topology
+ - IB/rxe: Fix resid update
+ - IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
+ - stacktrace, lockdep: Fix address, newline ugliness
+ - perf diff: Fix -o/--order option behavior (again)
+ - perf diff: Fix segfault on 'perf diff -o N' option
+ - perf/core: Fix crash in perf_event_read()
 
 [ Ben Hutchings ]
 * Bump ABI to 2
@@ -184,7 +243,6 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
 - rt: Drop mutex_disable() on !DEBUG configs and the GPL suffix from export
 symbol
 - cpuset: Convert callback_lock to raw_spinlock_t
- * cpumask: use nr_cpumask_bits for parsing functions (Closes: #848682)
 * pegasus: Use heap buffers for all register access (Closes: #852556)
 * test-patches: Use the pkg.linux.notools build profile
 * test-patches: Set default number of jobs to number of available processors
@@ -196,8 +254,6 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
 * [armel] ARM: orion5x: fix Makefile for linkstation-lschl.dtb
 
 [ Salvatore Bonaccorso ]
- * IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
- * selinux: fix off-by-one in setprocattr (CVE-2017-2618)
 * ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)
 * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
 
diff --git a/debian/patches/bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch b/debian/patches/bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch
deleted file mode 100644
index 952a7a158..000000000
--- a/debian/patches/bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Eyal Itkin
-Date: Tue, 7 Feb 2017 16:45:19 +0300
-Subject: IB/rxe: Fix mem_check_range integer overflow
-Origin: https://git.kernel.org/linus/647bf3d8a8e5777319da92af672289b2a6c4dc66
-
-Update the range check to avoid integer-overflow in edge case.
-Resolves CVE 2016-8636.
-
-Signed-off-by: Eyal Itkin
-Signed-off-by: Dan Carpenter
-Reviewed-by: Leon Romanovsky
-Signed-off-by: Doug Ledford
----
- drivers/infiniband/sw/rxe/rxe_mr.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
-index d0faca294006..86a6585b847d 100644
---- a/drivers/infiniband/sw/rxe/rxe_mr.c
-+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
-@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)
- 
- case RXE_MEM_TYPE_MR:
- case RXE_MEM_TYPE_FMR:
-- return ((iova < mem->iova) ||
-- ((iova + length) > (mem->iova + mem->length))) ?
-- -EFAULT : 0;
-+ if (iova < mem->iova ||
-+ length > mem->length ||
-+ iova > mem->iova + mem->length - length)
-+ return -EFAULT;
-+ return 0;
- 
- default:
- return -EFAULT;
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch b/debian/patches/bugfix/all/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch
deleted file mode 100644
index 1d36806e9..000000000
--- a/debian/patches/bugfix/all/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Date: Mon, 6 Feb 2017 13:24:42 -0500
-From: Tejun Heo
-Subject: cpumask: use nr_cpumask_bits for parsing functions
-Bug-Debian: https://bugs.debian.org/848682
-Origin: https://lkml.org/lkml/2017/2/6/720
-
-513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and
-parsing functions") converted both cpumask printing and parsing
-functions to use nr_cpu_ids instead of nr_cpumask_bits. While this
-was okay for the printing functions as it just picked one of the two
-output formats that we were alternating between depending on a kernel
-config, doing the same for parsing wasn't okay.
-
-nr_cpumask_bits can be either nr_cpu_ids or NR_CPUS. We can always
-use nr_cpu_ids but that is a variable while NR_CPUS is a constant, so
-it can be more efficient to use NR_CPUS when we can get away with it.
-Converting the printing functions to nr_cpu_ids makes sense because it
-affects how the masks get presented to userspace and doesn't break
-anything; however, using nr_cpu_ids for parsing functions can
-incorrectly leave the higher bits uninitialized while reading in these
-masks from userland. As all testing and comparison functions use
-nr_cpumask_bits which can be larger than nr_cpu_ids, the parsed
-cpumasks can erroneously yield false negative results.
-
-This made the taskstats interface incorrectly return -EINVAL even when
-the inputs were correct.
-
-Fix it by restoring the parse functions to use nr_cpumask_bits instead
-of nr_cpu_ids.
-
-Signed-off-by: Tejun Heo
-Fixes: 513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and parsing functions")
-Cc: stable@vger.kernel.org # v4.0+
-Reported-by: Martin Steigerwald
-Debugged-by: Ben Hutchings
----
- include/linux/cpumask.h | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/include/linux/cpumask.h
-+++ b/include/linux/cpumask.h
-@@ -560,7 +560,7 @@ static inline void cpumask_copy(struct c
- static inline int cpumask_parse_user(const char __user *buf, int len,
- struct cpumask *dstp)
- {
-- return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpu_ids);
-+ return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
- }
- 
- /**
-@@ -575,7 +575,7 @@ static inline int cpumask_parselist_user
- struct cpumask *dstp)
- {
- return bitmap_parselist_user(buf, len, cpumask_bits(dstp),
-- nr_cpu_ids);
-+ nr_cpumask_bits);
- }
- 
- /**
-@@ -590,7 +590,7 @@ static inline int cpumask_parse(const ch
- char *nl = strchr(buf, '\n');
- unsigned int len = nl ? (unsigned int)(nl - buf) : strlen(buf);
- 
-- return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpu_ids);
-+ return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
- }
- 
- /**
-@@ -602,7 +602,7 @@ static inline int cpumask_parse(const ch
- */
- static inline int cpulist_parse(const char *buf, struct cpumask *dstp)
- {
-- return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpu_ids);
-+ return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpumask_bits);
- }
- 
- /**
diff --git a/debian/patches/bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch b/debian/patches/bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
deleted file mode 100644
index fcb9491e3..000000000
--- a/debian/patches/bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From: Stephen Smalley
-Date: Tue, 31 Jan 2017 11:54:04 -0500
-Subject: selinux: fix off-by-one in setprocattr
-Origin: https://git.kernel.org/linus/0c461cb727d146c9ef2d3e86214f498b78b7d125
-
-SELinux tries to support setting/clearing of /proc/pid/attr attributes
-from the shell by ignoring terminating newlines and treating an
-attribute value that begins with a NUL or newline as an attempt to
-clear the attribute. However, the test for clearing attributes has
-always been wrong; it has an off-by-one error, and this could further
-lead to reading past the end of the allocated buffer since commit
-bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
-switch to memdup_user()"). Fix the off-by-one error.
-
-Even with this fix, setting and clearing /proc/pid/attr attributes
-from the shell is not straightforward since the interface does not
-support multiple write() calls (so shells that write the value and
-newline separately will set and then immediately clear the attribute,
-requiring use of echo -n to set the attribute), whereas trying to use
-echo -n "" to clear the attribute causes the shell to skip the
-write() call altogether since POSIX says that a zero-length write
-causes no side effects. Thus, one must use echo -n to set and echo
-without -n to clear, as in the following example:
-$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
-$ cat /proc/$$/attr/fscreate
-unconfined_u:object_r:user_home_t:s0
-$ echo "" > /proc/$$/attr/fscreate
-$ cat /proc/$$/attr/fscreate
-
-Note the use of /proc/$$ rather than /proc/self, as otherwise
-the cat command will read its own attribute value, not that of the shell.
-
-There are no users of this facility to my knowledge; possibly we
-should just get rid of it.
-
-UPDATE: Upon further investigation it appears that a local process
-with the process:setfscreate permission can cause a kernel panic as a
-result of this bug. This patch fixes CVE-2017-2618.
-
-Signed-off-by: Stephen Smalley
-[PM: added the update about CVE-2017-2618 to the commit description]
-Cc: stable@vger.kernel.org # 3.5: d6ea83ec6864e
-Signed-off-by: Paul Moore
-
-Signed-off-by: James Morris
----
- security/selinux/hooks.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index c7c6619..d98550a 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -5887,7 +5887,7 @@ static int selinux_setprocattr(struct task_struct *p,
- return error;
- 
- /* Obtain a SID for the context, if one was specified. */
-- if (size && str[1] && str[1] != '\n') {
-+ if (size && str[0] && str[0] != '\n') {
- if (str[size-1] == '\n') {
- str[size-1] = 0;
- size--;
---
-2.1.4
-
diff --git a/debian/patches/series b/debian/patches/series
index 9ae396fdb..9f05b49cf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -73,7 +73,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/nbd-use-loff_t-for-blocksize-and-nbd_set_size-args.patch
 bugfix/all/ath9k-fix-null-pointer-dereference.patch
 bugfix/all/nbd-fix-64-bit-division.patch
-bugfix/all/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch
 bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch
 
 # Miscellaneous features
@@ -104,8 +103,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch
-bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
 bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
 bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch