Update to 4.9.10
parent 452d9f1e7d
commit 10f2dad569
|
@ -1,4 +1,4 @@
|
|||
linux (4.9.9-1) UNRELEASED; urgency=medium
|
||||
linux (4.9.10-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7
|
||||
|
@ -161,6 +161,65 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
|
|||
- iw_cxgb4: set correct FetchBurstMax for QPs
|
||||
- fs: break out of iomap_file_buffered_write on fatal signals
|
||||
- [x86] drm/i915/execlists: Reset RING registers upon resume
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.10
|
||||
- [x86] cpufreq: intel_pstate: Disable energy efficiency optimization
|
||||
- acpi, nfit: fix acpi_nfit_flush_probe() crash
|
||||
- [x86] libnvdimm, namespace: do not delete namespace-id 0
|
||||
- [x86] libnvdimm, pfn: fix memmap reservation size versus 4K alignment
|
||||
- dm rq: cope with DM device destruction while in dm_old_request_fn()
|
||||
- crypto: algif_aead - Fix kernel panic on list_del
|
||||
- [x86] crypto: qat - fix bar discovery for c62x
|
||||
- [x86] crypto: qat - zero esram only for DH85x devices
|
||||
- [x86] crypto: ccp - Fix DMA operations when IOMMU is enabled
|
||||
- [x86] crypto: ccp - Fix double add when creating new DMA command
|
||||
- Input: uinput - fix crash when mixing old and new init style
|
||||
- selinux: fix off-by-one in setprocattr (CVE-2017-2618)
|
||||
- [x86] Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
|
||||
- rtlwifi: rtl8192ce: Fix loading of incorrect firmware
|
||||
- cpumask: use nr_cpumask_bits for parsing functions (Closes: #848682)
|
||||
- [armel,armhf] 8643/3: arm/ptrace: Preserve previous registers for short
|
||||
regset write
|
||||
- [x86] drm/i915: fix use-after-free in page_flip_completed()
|
||||
- [x86] drm/i915/bxt: Add MST support when do DPLL calculation
|
||||
- drm/atomic: Fix double free in drm_atomic_state_default_clear
|
||||
- target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
|
||||
- target: Use correct SCSI status during EXTENDED_COPY exception
|
||||
- target: Fix early transport_generic_handle_tmr abort scenario
|
||||
- target: Fix multi-session dynamic se_node_acl double free OOPs
|
||||
- target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
|
||||
- [armhf] dts: imx6dl: fix GPIO4 range
|
||||
- [armhf] 8642/1: LPAE: catch pending imprecise abort on unmask
|
||||
- [x86] drm/i915: Always convert incoming exec offsets to non-canonical
|
||||
- nl80211: Fix mesh HT operation check
|
||||
- mac80211: Fix adding of mesh vendor IEs
|
||||
- net/mlx5e: Modify TIRs hash only when it's needed
|
||||
- [x86] Drivers: hv: vmbus: Base host signaling strictly on the ring state
|
||||
- [x86] Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
|
||||
- [x86] Drivers: hv: vmbus: On the read path cleanup the logic to interrupt
|
||||
the host
|
||||
- [x86] Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()
|
||||
- [s390x] scsi: zfcp: fix use-after-free by not tracing WKA port open/close
|
||||
on failed send
|
||||
- scsi: aacraid: Fix INTx/MSI-x issue with older controllers
|
||||
- scsi: mpt3sas: disable ASPM for MPI2 controllers
|
||||
- scsi: qla2xxx: Avoid that issuing a LIP triggers a kernel crash
|
||||
- btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
|
||||
- [powerpc*] mm/radix: Update ERAT flushes when invalidating TLB
|
||||
- [powerpc*] powernv: Fix CPU hotplug to handle waking on HVI
|
||||
- xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
|
||||
- ALSA: hda - adding a new NV HDMI/DP codec ID in the driver
|
||||
- ALSA: seq: Fix race at creating a queue
|
||||
- ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
|
||||
- Revert "ALSA: line6: Only determine control port properties if needed"
|
||||
- [x86] mm/ptdump: Fix soft lockup in page table walker
|
||||
- [x86] CPU/AMD: Bring back Compute Unit ID
|
||||
- [x86] CPU/AMD: Fix Zen SMT topology
|
||||
- IB/rxe: Fix resid update
|
||||
- IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
|
||||
- stacktrace, lockdep: Fix address, newline ugliness
|
||||
- perf diff: Fix -o/--order option behavior (again)
|
||||
- perf diff: Fix segfault on 'perf diff -o N' option
|
||||
- perf/core: Fix crash in perf_event_read()
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* Bump ABI to 2
|
||||
|
@ -184,7 +243,6 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
|
|||
- rt: Drop mutex_disable() on !DEBUG configs and the GPL suffix from export
|
||||
symbol
|
||||
- cpuset: Convert callback_lock to raw_spinlock_t
|
||||
* cpumask: use nr_cpumask_bits for parsing functions (Closes: #848682)
|
||||
* pegasus: Use heap buffers for all register access (Closes: #852556)
|
||||
* test-patches: Use the pkg.linux.notools build profile
|
||||
* test-patches: Set default number of jobs to number of available processors
|
||||
|
@ -196,8 +254,6 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
|
|||
* [armel] ARM: orion5x: fix Makefile for linkstation-lschl.dtb
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
|
||||
* selinux: fix off-by-one in setprocattr (CVE-2017-2618)
|
||||
* ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)
|
||||
* sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
|
||||
|
||||
|
|
|
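Review bot: Dropping the IB/rxe (CVE-2016-8636) and selinux (CVE-2017-2618) lines from the [ Salvatore Bonaccorso ] section is safe for security tracking only because the same CVE ids are repeated on the matching ChangeLog-4.9.10 entries added earlier in this changelog, which they are. The header `-196,8 +254,6` says two lines go, so the ipv4 (CVE-2017-5970) and sctp (CVE-2017-5986) entries should be the ones that stay. This rendering has lost the +/- markers, so confirm that against the raw diff; the patch list at the end of this commit does still carry both of those patches under "# Security fixes".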
@ -1,38 +0,0 @@
|
|||
From: Eyal Itkin <eyal.itkin@gmail.com>
|
||||
Date: Tue, 7 Feb 2017 16:45:19 +0300
|
||||
Subject: IB/rxe: Fix mem_check_range integer overflow
|
||||
Origin: https://git.kernel.org/linus/647bf3d8a8e5777319da92af672289b2a6c4dc66
|
||||
|
||||
Update the range check to avoid integer-overflow in edge case.
|
||||
Resolves CVE 2016-8636.
|
||||
|
||||
Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
|
||||
Signed-off-by: Doug Ledford <dledford@redhat.com>
|
||||
---
|
||||
drivers/infiniband/sw/rxe/rxe_mr.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
|
||||
index d0faca294006..86a6585b847d 100644
|
||||
--- a/drivers/infiniband/sw/rxe/rxe_mr.c
|
||||
+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
|
||||
@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)
|
||||
|
||||
case RXE_MEM_TYPE_MR:
|
||||
case RXE_MEM_TYPE_FMR:
|
||||
- return ((iova < mem->iova) ||
|
||||
- ((iova + length) > (mem->iova + mem->length))) ?
|
||||
- -EFAULT : 0;
|
||||
+ if (iova < mem->iova ||
|
||||
+ length > mem->length ||
|
||||
+ iova > mem->iova + mem->length - length)
|
||||
+ return -EFAULT;
|
||||
+ return 0;
|
||||
|
||||
default:
|
||||
return -EFAULT;
|
||||
--
|
||||
2.11.0
|
||||
|
|
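Review bot: In the replacement check, the order of the three tests is what makes it safe, and that deserves a comment in the code: `length > mem->length` has to be rejected before `mem->iova + mem->length - length` is evaluated, otherwise the subtraction can wrap. The sum `mem->iova + mem->length` is still computed, so the check relies on the registered region itself not wrapping; writing the last test as `iova - mem->iova > mem->length - length` would avoid the addition altogether, since the two earlier tests already guarantee neither side underflows. For this commit, the patch file can be dropped only because the same subject, tagged CVE-2016-8636, appears in the ChangeLog-4.9.10 list added in the changelog hunk above.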
@ -1,77 +0,0 @@
|
|||
Date: Mon, 6 Feb 2017 13:24:42 -0500
|
||||
From: Tejun Heo <tj@kernel.org>
|
||||
Subject: cpumask: use nr_cpumask_bits for parsing functions
|
||||
Bug-Debian: https://bugs.debian.org/848682
|
||||
Origin: https://lkml.org/lkml/2017/2/6/720
|
||||
|
||||
513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and
|
||||
parsing functions") converted both cpumask printing and parsing
|
||||
functions to use nr_cpu_ids instead of nr_cpumask_bits. While this
|
||||
was okay for the printing functions as it just picked one of the two
|
||||
output formats that we were alternating between depending on a kernel
|
||||
config, doing the same for parsing wasn't okay.
|
||||
|
||||
nr_cpumask_bits can be either nr_cpu_ids or NR_CPUS. We can always
|
||||
use nr_cpu_ids but that is a variable while NR_CPUS is a constant, so
|
||||
it can be more efficient to use NR_CPUS when we can get away with it.
|
||||
Converting the printing functions to nr_cpu_ids makes sense because it
|
||||
affects how the masks get presented to userspace and doesn't break
|
||||
anything; however, using nr_cpu_ids for parsing functions can
|
||||
incorrectly leave the higher bits uninitialized while reading in these
|
||||
masks from userland. As all testing and comparison functions use
|
||||
nr_cpumask_bits which can be larger than nr_cpu_ids, the parsed
|
||||
cpumasks can erroneously yield false negative results.
|
||||
|
||||
This made the taskstats interface incorrectly return -EINVAL even when
|
||||
the inputs were correct.
|
||||
|
||||
Fix it by restoring the parse functions to use nr_cpumask_bits instead
|
||||
of nr_cpu_ids.
|
||||
|
||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
||||
Fixes: 513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and parsing functions")
|
||||
Cc: stable@vger.kernel.org # v4.0+
|
||||
Reported-by: Martin Steigerwald <martin.steigerwald@teamix.de>
|
||||
Debugged-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
|
||||
---
|
||||
include/linux/cpumask.h | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/include/linux/cpumask.h
|
||||
+++ b/include/linux/cpumask.h
|
||||
@@ -560,7 +560,7 @@ static inline void cpumask_copy(struct c
|
||||
static inline int cpumask_parse_user(const char __user *buf, int len,
|
||||
struct cpumask *dstp)
|
||||
{
|
||||
- return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpu_ids);
|
||||
+ return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -575,7 +575,7 @@ static inline int cpumask_parselist_user
|
||||
struct cpumask *dstp)
|
||||
{
|
||||
return bitmap_parselist_user(buf, len, cpumask_bits(dstp),
|
||||
- nr_cpu_ids);
|
||||
+ nr_cpumask_bits);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -590,7 +590,7 @@ static inline int cpumask_parse(const ch
|
||||
char *nl = strchr(buf, '\n');
|
||||
unsigned int len = nl ? (unsigned int)(nl - buf) : strlen(buf);
|
||||
|
||||
- return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpu_ids);
|
||||
+ return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -602,7 +602,7 @@ static inline int cpumask_parse(const ch
|
||||
*/
|
||||
static inline int cpulist_parse(const char *buf, struct cpumask *dstp)
|
||||
{
|
||||
- return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpu_ids);
|
||||
+ return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpumask_bits);
|
||||
}
|
||||
|
||||
/**
|
|
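Review bot: The four parse helpers go back to `nr_cpumask_bits` while, per the commit message, the printing helpers stay on `nr_cpu_ids`, and nothing in the hunks records why. The Fixes: tag shows this asymmetry was already removed once as a cleanup, so a short comment above `cpumask_parse_user()` saying that parsing must initialise every bit the testing and comparison functions look at would keep it from being "tidied" again. The Origin: points at an lkml posting rather than a commit, so check that what landed in 4.9.10 is the same four-line change before relying on the changelog entry that now carries Closes: #848682.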
@ -1,65 +0,0 @@
|
|||
From: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Date: Tue, 31 Jan 2017 11:54:04 -0500
|
||||
Subject: selinux: fix off-by-one in setprocattr
|
||||
Origin: https://git.kernel.org/linus/0c461cb727d146c9ef2d3e86214f498b78b7d125
|
||||
|
||||
SELinux tries to support setting/clearing of /proc/pid/attr attributes
|
||||
from the shell by ignoring terminating newlines and treating an
|
||||
attribute value that begins with a NUL or newline as an attempt to
|
||||
clear the attribute. However, the test for clearing attributes has
|
||||
always been wrong; it has an off-by-one error, and this could further
|
||||
lead to reading past the end of the allocated buffer since commit
|
||||
bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
|
||||
switch to memdup_user()"). Fix the off-by-one error.
|
||||
|
||||
Even with this fix, setting and clearing /proc/pid/attr attributes
|
||||
from the shell is not straightforward since the interface does not
|
||||
support multiple write() calls (so shells that write the value and
|
||||
newline separately will set and then immediately clear the attribute,
|
||||
requiring use of echo -n to set the attribute), whereas trying to use
|
||||
echo -n "" to clear the attribute causes the shell to skip the
|
||||
write() call altogether since POSIX says that a zero-length write
|
||||
causes no side effects. Thus, one must use echo -n to set and echo
|
||||
without -n to clear, as in the following example:
|
||||
$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
|
||||
$ cat /proc/$$/attr/fscreate
|
||||
unconfined_u:object_r:user_home_t:s0
|
||||
$ echo "" > /proc/$$/attr/fscreate
|
||||
$ cat /proc/$$/attr/fscreate
|
||||
|
||||
Note the use of /proc/$$ rather than /proc/self, as otherwise
|
||||
the cat command will read its own attribute value, not that of the shell.
|
||||
|
||||
There are no users of this facility to my knowledge; possibly we
|
||||
should just get rid of it.
|
||||
|
||||
UPDATE: Upon further investigation it appears that a local process
|
||||
with the process:setfscreate permission can cause a kernel panic as a
|
||||
result of this bug. This patch fixes CVE-2017-2618.
|
||||
|
||||
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
[PM: added the update about CVE-2017-2618 to the commit description]
|
||||
Cc: stable@vger.kernel.org # 3.5: d6ea83ec6864e
|
||||
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
||||
|
||||
Signed-off-by: James Morris <james.l.morris@oracle.com>
|
||||
---
|
||||
security/selinux/hooks.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index c7c6619..d98550a 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -5887,7 +5887,7 @@ static int selinux_setprocattr(struct task_struct *p,
|
||||
return error;
|
||||
|
||||
/* Obtain a SID for the context, if one was specified. */
|
||||
- if (size && str[1] && str[1] != '\n') {
|
||||
+ if (size && str[0] && str[0] != '\n') {
|
||||
if (str[size-1] == '\n') {
|
||||
str[size-1] = 0;
|
||||
size--;
|
||||
--
|
||||
2.1.4
|
||||
|
|
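Review bot: The one-character change from `str[1]` to `str[0]` comes without a test, and the boundary it fixes is easy to pin down: a write of a single byte, where `size` is 1 and the old `str[1]` read was already past the end of the buffer that, per the commit message, now comes from memdup_user(). The shell sequence in the commit message (echo -n to set, echo "" to clear, reading back through /proc/$$/attr/fscreate) covers the set and clear paths and would make a reasonable regression check alongside a 1-byte write. The visible context only writes a terminating 0 when the last byte is '\n'; the lines after the hunk are not shown, so confirm that a value written without a trailing newline is handled by its length rather than by NUL termination.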
@ -73,7 +73,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
|
|||
bugfix/all/nbd-use-loff_t-for-blocksize-and-nbd_set_size-args.patch
|
||||
bugfix/all/ath9k-fix-null-pointer-dereference.patch
|
||||
bugfix/all/nbd-fix-64-bit-division.patch
|
||||
bugfix/all/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch
|
||||
bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch
|
||||
|
||||
# Miscellaneous features
|
||||
|
@ -104,8 +103,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch
|
||||
bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
|
||||
bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
|
||||
bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
|
||||
|
||||
|
|