Update to 4.9.10
This commit is contained in:
parent
452d9f1e7d
commit
10f2dad569
|
@ -1,4 +1,4 @@
|
||||||
linux (4.9.9-1) UNRELEASED; urgency=medium
|
linux (4.9.10-1) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
* New upstream stable update:
|
* New upstream stable update:
|
||||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7
|
||||||
|
@ -161,6 +161,65 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
|
||||||
- iw_cxgb4: set correct FetchBurstMax for QPs
|
- iw_cxgb4: set correct FetchBurstMax for QPs
|
||||||
- fs: break out of iomap_file_buffered_write on fatal signals
|
- fs: break out of iomap_file_buffered_write on fatal signals
|
||||||
- [x86] drm/i915/execlists: Reset RING registers upon resume
|
- [x86] drm/i915/execlists: Reset RING registers upon resume
|
||||||
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.10
|
||||||
|
- [x86] cpufreq: intel_pstate: Disable energy efficiency optimization
|
||||||
|
- acpi, nfit: fix acpi_nfit_flush_probe() crash
|
||||||
|
- [x86] libnvdimm, namespace: do not delete namespace-id 0
|
||||||
|
- [x86] libnvdimm, pfn: fix memmap reservation size versus 4K alignment
|
||||||
|
- dm rq: cope with DM device destruction while in dm_old_request_fn()
|
||||||
|
- crypto: algif_aead - Fix kernel panic on list_del
|
||||||
|
- [x86] crypto: qat - fix bar discovery for c62x
|
||||||
|
- [x86] crypto: qat - zero esram only for DH85x devices
|
||||||
|
- [x86] crypto: ccp - Fix DMA operations when IOMMU is enabled
|
||||||
|
- [x86] crypto: ccp - Fix double add when creating new DMA command
|
||||||
|
- Input: uinput - fix crash when mixing old and new init style
|
||||||
|
- selinux: fix off-by-one in setprocattr (CVE-2017-2618)
|
||||||
|
- [x86] Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
|
||||||
|
- rtlwifi: rtl8192ce: Fix loading of incorrect firmware
|
||||||
|
- cpumask: use nr_cpumask_bits for parsing functions (Closes: #848682)
|
||||||
|
- [armel,armhf] 8643/3: arm/ptrace: Preserve previous registers for short
|
||||||
|
regset write
|
||||||
|
- [x86] drm/i915: fix use-after-free in page_flip_completed()
|
||||||
|
- [x86] drm/i915/bxt: Add MST support when do DPLL calculation
|
||||||
|
- drm/atomic: Fix double free in drm_atomic_state_default_clear
|
||||||
|
- target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
|
||||||
|
- target: Use correct SCSI status during EXTENDED_COPY exception
|
||||||
|
- target: Fix early transport_generic_handle_tmr abort scenario
|
||||||
|
- target: Fix multi-session dynamic se_node_acl double free OOPs
|
||||||
|
- target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
|
||||||
|
- [armhf] dts: imx6dl: fix GPIO4 range
|
||||||
|
- [armhf] 8642/1: LPAE: catch pending imprecise abort on unmask
|
||||||
|
- [x86] drm/i915: Always convert incoming exec offsets to non-canonical
|
||||||
|
- nl80211: Fix mesh HT operation check
|
||||||
|
- mac80211: Fix adding of mesh vendor IEs
|
||||||
|
- net/mlx5e: Modify TIRs hash only when it's needed
|
||||||
|
- [x86] Drivers: hv: vmbus: Base host signaling strictly on the ring state
|
||||||
|
- [x86] Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
|
||||||
|
- [x86] Drivers: hv: vmbus: On the read path cleanup the logic to interrupt
|
||||||
|
the host
|
||||||
|
- [x86] Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()
|
||||||
|
- [s390x] scsi: zfcp: fix use-after-free by not tracing WKA port open/close
|
||||||
|
on failed send
|
||||||
|
- scsi: aacraid: Fix INTx/MSI-x issue with older controllers
|
||||||
|
- scsi: mpt3sas: disable ASPM for MPI2 controllers
|
||||||
|
- scsi: qla2xxx: Avoid that issuing a LIP triggers a kernel crash
|
||||||
|
- btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
|
||||||
|
- [powerpc*] mm/radix: Update ERAT flushes when invalidating TLB
|
||||||
|
- [powerpc*] powernv: Fix CPU hotplug to handle waking on HVI
|
||||||
|
- xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
|
||||||
|
- ALSA: hda - adding a new NV HDMI/DP codec ID in the driver
|
||||||
|
- ALSA: seq: Fix race at creating a queue
|
||||||
|
- ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
|
||||||
|
- Revert "ALSA: line6: Only determine control port properties if needed"
|
||||||
|
- [x86] mm/ptdump: Fix soft lockup in page table walker
|
||||||
|
- [x86] CPU/AMD: Bring back Compute Unit ID
|
||||||
|
- [x86] CPU/AMD: Fix Zen SMT topology
|
||||||
|
- IB/rxe: Fix resid update
|
||||||
|
- IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
|
||||||
|
- stacktrace, lockdep: Fix address, newline ugliness
|
||||||
|
- perf diff: Fix -o/--order option behavior (again)
|
||||||
|
- perf diff: Fix segfault on 'perf diff -o N' option
|
||||||
|
- perf/core: Fix crash in perf_event_read()
|
||||||
|
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* Bump ABI to 2
|
* Bump ABI to 2
|
||||||
|
@ -184,7 +243,6 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
|
||||||
- rt: Drop mutex_disable() on !DEBUG configs and the GPL suffix from export
|
- rt: Drop mutex_disable() on !DEBUG configs and the GPL suffix from export
|
||||||
symbol
|
symbol
|
||||||
- cpuset: Convert callback_lock to raw_spinlock_t
|
- cpuset: Convert callback_lock to raw_spinlock_t
|
||||||
* cpumask: use nr_cpumask_bits for parsing functions (Closes: #848682)
|
|
||||||
* pegasus: Use heap buffers for all register access (Closes: #852556)
|
* pegasus: Use heap buffers for all register access (Closes: #852556)
|
||||||
* test-patches: Use the pkg.linux.notools build profile
|
* test-patches: Use the pkg.linux.notools build profile
|
||||||
* test-patches: Set default number of jobs to number of available processors
|
* test-patches: Set default number of jobs to number of available processors
|
||||||
|
@ -196,8 +254,6 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
|
||||||
* [armel] ARM: orion5x: fix Makefile for linkstation-lschl.dtb
|
* [armel] ARM: orion5x: fix Makefile for linkstation-lschl.dtb
|
||||||
|
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
|
|
||||||
* selinux: fix off-by-one in setprocattr (CVE-2017-2618)
|
|
||||||
* ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)
|
* ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)
|
||||||
* sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
|
* sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
|
||||||
|
|
||||||
|
|
|
@ -1,38 +0,0 @@
|
||||||
From: Eyal Itkin <eyal.itkin@gmail.com>
|
|
||||||
Date: Tue, 7 Feb 2017 16:45:19 +0300
|
|
||||||
Subject: IB/rxe: Fix mem_check_range integer overflow
|
|
||||||
Origin: https://git.kernel.org/linus/647bf3d8a8e5777319da92af672289b2a6c4dc66
|
|
||||||
|
|
||||||
Update the range check to avoid integer-overflow in edge case.
|
|
||||||
Resolves CVE 2016-8636.
|
|
||||||
|
|
||||||
Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
|
|
||||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
|
||||||
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
|
|
||||||
Signed-off-by: Doug Ledford <dledford@redhat.com>
|
|
||||||
---
|
|
||||||
drivers/infiniband/sw/rxe/rxe_mr.c | 8 +++++---
|
|
||||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
|
|
||||||
index d0faca294006..86a6585b847d 100644
|
|
||||||
--- a/drivers/infiniband/sw/rxe/rxe_mr.c
|
|
||||||
+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
|
|
||||||
@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)
|
|
||||||
|
|
||||||
case RXE_MEM_TYPE_MR:
|
|
||||||
case RXE_MEM_TYPE_FMR:
|
|
||||||
- return ((iova < mem->iova) ||
|
|
||||||
- ((iova + length) > (mem->iova + mem->length))) ?
|
|
||||||
- -EFAULT : 0;
|
|
||||||
+ if (iova < mem->iova ||
|
|
||||||
+ length > mem->length ||
|
|
||||||
+ iova > mem->iova + mem->length - length)
|
|
||||||
+ return -EFAULT;
|
|
||||||
+ return 0;
|
|
||||||
|
|
||||||
default:
|
|
||||||
return -EFAULT;
|
|
||||||
--
|
|
||||||
2.11.0
|
|
||||||
|
|
|
@ -1,77 +0,0 @@
|
||||||
Date: Mon, 6 Feb 2017 13:24:42 -0500
|
|
||||||
From: Tejun Heo <tj@kernel.org>
|
|
||||||
Subject: cpumask: use nr_cpumask_bits for parsing functions
|
|
||||||
Bug-Debian: https://bugs.debian.org/848682
|
|
||||||
Origin: https://lkml.org/lkml/2017/2/6/720
|
|
||||||
|
|
||||||
513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and
|
|
||||||
parsing functions") converted both cpumask printing and parsing
|
|
||||||
functions to use nr_cpu_ids instead of nr_cpumask_bits. While this
|
|
||||||
was okay for the printing functions as it just picked one of the two
|
|
||||||
output formats that we were alternating between depending on a kernel
|
|
||||||
config, doing the same for parsing wasn't okay.
|
|
||||||
|
|
||||||
nr_cpumask_bits can be either nr_cpu_ids or NR_CPUS. We can always
|
|
||||||
use nr_cpu_ids but that is a variable while NR_CPUS is a constant, so
|
|
||||||
it can be more efficient to use NR_CPUS when we can get away with it.
|
|
||||||
Converting the printing functions to nr_cpu_ids makes sense because it
|
|
||||||
affects how the masks get presented to userspace and doesn't break
|
|
||||||
anything; however, using nr_cpu_ids for parsing functions can
|
|
||||||
incorrectly leave the higher bits uninitialized while reading in these
|
|
||||||
masks from userland. As all testing and comparison functions use
|
|
||||||
nr_cpumask_bits which can be larger than nr_cpu_ids, the parsed
|
|
||||||
cpumasks can erroneously yield false negative results.
|
|
||||||
|
|
||||||
This made the taskstats interface incorrectly return -EINVAL even when
|
|
||||||
the inputs were correct.
|
|
||||||
|
|
||||||
Fix it by restoring the parse functions to use nr_cpumask_bits instead
|
|
||||||
of nr_cpu_ids.
|
|
||||||
|
|
||||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
|
||||||
Fixes: 513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and parsing functions")
|
|
||||||
Cc: stable@vger.kernel.org # v4.0+
|
|
||||||
Reported-by: Martin Steigerwald <martin.steigerwald@teamix.de>
|
|
||||||
Debugged-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
|
|
||||||
---
|
|
||||||
include/linux/cpumask.h | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
--- a/include/linux/cpumask.h
|
|
||||||
+++ b/include/linux/cpumask.h
|
|
||||||
@@ -560,7 +560,7 @@ static inline void cpumask_copy(struct c
|
|
||||||
static inline int cpumask_parse_user(const char __user *buf, int len,
|
|
||||||
struct cpumask *dstp)
|
|
||||||
{
|
|
||||||
- return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpu_ids);
|
|
||||||
+ return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -575,7 +575,7 @@ static inline int cpumask_parselist_user
|
|
||||||
struct cpumask *dstp)
|
|
||||||
{
|
|
||||||
return bitmap_parselist_user(buf, len, cpumask_bits(dstp),
|
|
||||||
- nr_cpu_ids);
|
|
||||||
+ nr_cpumask_bits);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -590,7 +590,7 @@ static inline int cpumask_parse(const ch
|
|
||||||
char *nl = strchr(buf, '\n');
|
|
||||||
unsigned int len = nl ? (unsigned int)(nl - buf) : strlen(buf);
|
|
||||||
|
|
||||||
- return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpu_ids);
|
|
||||||
+ return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -602,7 +602,7 @@ static inline int cpumask_parse(const ch
|
|
||||||
*/
|
|
||||||
static inline int cpulist_parse(const char *buf, struct cpumask *dstp)
|
|
||||||
{
|
|
||||||
- return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpu_ids);
|
|
||||||
+ return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpumask_bits);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
|
@ -1,65 +0,0 @@
|
||||||
From: Stephen Smalley <sds@tycho.nsa.gov>
|
|
||||||
Date: Tue, 31 Jan 2017 11:54:04 -0500
|
|
||||||
Subject: selinux: fix off-by-one in setprocattr
|
|
||||||
Origin: https://git.kernel.org/linus/0c461cb727d146c9ef2d3e86214f498b78b7d125
|
|
||||||
|
|
||||||
SELinux tries to support setting/clearing of /proc/pid/attr attributes
|
|
||||||
from the shell by ignoring terminating newlines and treating an
|
|
||||||
attribute value that begins with a NUL or newline as an attempt to
|
|
||||||
clear the attribute. However, the test for clearing attributes has
|
|
||||||
always been wrong; it has an off-by-one error, and this could further
|
|
||||||
lead to reading past the end of the allocated buffer since commit
|
|
||||||
bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
|
|
||||||
switch to memdup_user()"). Fix the off-by-one error.
|
|
||||||
|
|
||||||
Even with this fix, setting and clearing /proc/pid/attr attributes
|
|
||||||
from the shell is not straightforward since the interface does not
|
|
||||||
support multiple write() calls (so shells that write the value and
|
|
||||||
newline separately will set and then immediately clear the attribute,
|
|
||||||
requiring use of echo -n to set the attribute), whereas trying to use
|
|
||||||
echo -n "" to clear the attribute causes the shell to skip the
|
|
||||||
write() call altogether since POSIX says that a zero-length write
|
|
||||||
causes no side effects. Thus, one must use echo -n to set and echo
|
|
||||||
without -n to clear, as in the following example:
|
|
||||||
$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
|
|
||||||
$ cat /proc/$$/attr/fscreate
|
|
||||||
unconfined_u:object_r:user_home_t:s0
|
|
||||||
$ echo "" > /proc/$$/attr/fscreate
|
|
||||||
$ cat /proc/$$/attr/fscreate
|
|
||||||
|
|
||||||
Note the use of /proc/$$ rather than /proc/self, as otherwise
|
|
||||||
the cat command will read its own attribute value, not that of the shell.
|
|
||||||
|
|
||||||
There are no users of this facility to my knowledge; possibly we
|
|
||||||
should just get rid of it.
|
|
||||||
|
|
||||||
UPDATE: Upon further investigation it appears that a local process
|
|
||||||
with the process:setfscreate permission can cause a kernel panic as a
|
|
||||||
result of this bug. This patch fixes CVE-2017-2618.
|
|
||||||
|
|
||||||
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
||||||
[PM: added the update about CVE-2017-2618 to the commit description]
|
|
||||||
Cc: stable@vger.kernel.org # 3.5: d6ea83ec6864e
|
|
||||||
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
||||||
|
|
||||||
Signed-off-by: James Morris <james.l.morris@oracle.com>
|
|
||||||
---
|
|
||||||
security/selinux/hooks.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
|
||||||
index c7c6619..d98550a 100644
|
|
||||||
--- a/security/selinux/hooks.c
|
|
||||||
+++ b/security/selinux/hooks.c
|
|
||||||
@@ -5887,7 +5887,7 @@ static int selinux_setprocattr(struct task_struct *p,
|
|
||||||
return error;
|
|
||||||
|
|
||||||
/* Obtain a SID for the context, if one was specified. */
|
|
||||||
- if (size && str[1] && str[1] != '\n') {
|
|
||||||
+ if (size && str[0] && str[0] != '\n') {
|
|
||||||
if (str[size-1] == '\n') {
|
|
||||||
str[size-1] = 0;
|
|
||||||
size--;
|
|
||||||
--
|
|
||||||
2.1.4
|
|
||||||
|
|
|
@ -73,7 +73,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
|
||||||
bugfix/all/nbd-use-loff_t-for-blocksize-and-nbd_set_size-args.patch
|
bugfix/all/nbd-use-loff_t-for-blocksize-and-nbd_set_size-args.patch
|
||||||
bugfix/all/ath9k-fix-null-pointer-dereference.patch
|
bugfix/all/ath9k-fix-null-pointer-dereference.patch
|
||||||
bugfix/all/nbd-fix-64-bit-division.patch
|
bugfix/all/nbd-fix-64-bit-division.patch
|
||||||
bugfix/all/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch
|
|
||||||
bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch
|
bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch
|
||||||
|
|
||||||
# Miscellaneous features
|
# Miscellaneous features
|
||||||
|
@ -104,8 +103,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
||||||
|
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch
|
|
||||||
bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
|
|
||||||
bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
|
bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
|
||||||
bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
|
bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue