diff --git a/debian/changelog b/debian/changelog index 03493e67e..4ad7fc0dd 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -96,6 +96,153 @@ linux (4.14~rc3-1~exp1) experimental; urgency=medium -- Ben Hutchings Mon, 02 Oct 2017 04:47:08 +0100 +linux (4.13.13-1) unstable; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11 + - workqueue: replace pool->manager_arb mutex with a flag + - [x86] ALSA: hda/realtek - Add support for ALC236/ALC3204 + - [x86] ALSA: hda - fix headset mic problem for Dell machines with alc236 + - ceph: unlock dangling spinlock in try_flush_caps() + - [powerpc*] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM + (CVE-2017-15306) + - [powerpc*] KVM: PPC: Book3S HV: POWER9 more doorbell fixes + - [powerpc*] KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU + - [s390x] kvm: fix detection of guest machine checks + - nbd: handle interrupted sendmsg with a sndtimeo set + - spi: uapi: spidev: add missing ioctl header + - spi: a3700: Return correct value on timeout detection + - spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path + - spi: armada-3700: Fix failing commands with quad-SPI + - ovl: add NULL check in ovl_alloc_inode + - ovl: fix EIO from lookup of non-indexed upper + - ovl: handle ENOENT on index lookup + - ovl: do not cleanup unsupported index entries + - fuse: fix READDIRPLUS skipping an entry + - xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() + - xen: fix booting ballooned down hvm guest + - cifs: Select all required crypto modules + - CIFS: Fix NULL pointer deref on SMB2_tcon() failure + - Input: elan_i2c - add ELAN0611 to the ACPI table + - Input: gtco - fix potential out-of-bound access (CVE-2017-16643) + - Fix encryption labels and lengths for SMB3.1.1 + - SMB3: Validate negotiate request must always be signed + - assoc_array: Fix a buggy node-splitting case (CVE-2017-12193) + - [s390x] scsi: zfcp: fix erp_action use-before-initialize in REC action + trace + - scsi: aacraid: Fix controller initialization failure + - scsi: qla2xxx: Initialize Work 
element before requesting IRQs + - scsi: sg: Re-fix off by one in sg_fill_request_table() + - [x86] cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't + - [x86] drm/amd/powerplay: fix uninitialized variable + - [x86] drm/i915/perf: fix perf enable/disable ioctls with 32bits + userspace + - [armhf] can: sun4i: fix loopback mode + - can: kvaser_usb: Correct return value in printout + - can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages + - cfg80211: fix connect/disconnect edge cases + - ipsec: Fix aborted xfrm policy dump crash + - [armhf] regulator: fan53555: fix I2C device ids (Closes: #879768) + - [powerpc*] xive: Fix the size of the cpumask used in + xive_find_target_in_mask() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.12 + - ALSA: timer: Add missing mutex lock for compat ioctls + - ALSA: seq: Fix nested rwsem annotation for lockdep splat + - cifs: check MaxPathNameComponentLength != 0 before using it + (Closes: #880504) + - KEYS: return full count in keyring_read() if buffer is too small + - KEYS: trusted: fix writing past end of buffer in trusted_read() + - KEYS: fix out-of-bounds read during ASN.1 parsing + - ASoC: adau17x1: Workaround for noise bug in ADC + - virtio_blk: Fix an SG_IO regression + - [arm64] ensure __dump_instr() checks addr_limit + - [arm64] KVM: its: Fix missing dynamic allocation check in scan_its_table + - [armhf, arm64] KVM: set right LR register value for 32 bit guest when + inject abort + - [armhf,arm64] kvm: Disable branch profiling in HYP code + - [armhf] dts: mvebu: pl310-cache disable double-linefill + - drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting + - drm/amdgpu: allow harvesting check for Polaris VCE + - userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of + i_size + - ocfs2: fstrim: Fix start offset of first cluster group during fstrim + - fs/hugetlbfs/inode.c: fix hwpoison reserve accounting + - mm, swap: fix race between swap count continuation operations + - 
[x86] drm/i915: Do not rely on wm preservation for ILK watermarks + - [x86] drm/i915/edp: read edp display control registers unconditionally + - [mips*] bpf: Fix a typo in build_one_insn() + - [mips*] smp-cmp: Use right include for task_struct + - [mips*] SMP: Fix deadlock & online race + - Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz"" + - [powerpc*] kprobes: Dereference function pointers only if the address + does not belong to kernel text + - futex: Fix more put_pi_state() vs. exit_pi_state_list() races + - perf/cgroup: Fix perf cgroup hierarchy support + - [x86] mcelog: Get rid of RCU remnants + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.13 + - netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to + rhashtable" + - netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145) + - workqueue: Fix NULL pointer dereference + - crypto: ccm - preserve the IV buffer + - [x86] crypto: sha1-mb - fix panic due to unaligned access + - [x86] crypto: sha256-mb - fix panic due to unaligned access + - KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] + - [x86] ACPI / PM: Blacklist Low Power S0 Idle _DSM for Dell XPS13 9360 + - ACPICA: Dispatch active GPEs at init time + - ACPICA: Make it possible to enable runtime GPEs earlier + - ACPI / scan: Enable GPEs before scanning the namespace + - [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit + - ALSA: timer: Limit max instances per timer + - ALSA: usb-audio: support new Amanero Combo384 firmware version + - [x86] ALSA: hda - fix headset mic problem for Dell machines with alc274 + - ALSA: seq: Fix OSS sysex delivery in OSS emulation + - ALSA: seq: Avoid invalid lockdep class warning + - [mips*] Fix CM region target definitions + - [powerpc*] KVM: Book3S HV: Fix exclusion between HPT resizing and other + HPT updates + - Input: elan_i2c - add ELAN060C to the ACPI table + - rbd: use GFP_NOIO for parent stat and data requests + - [x86] 
drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue + - [armhf] can: sun4i: handle overrun in RX FIFO + - can: peak: Add support for new PCIe/M2 CAN FD interfaces + - [x86] debug: Handle warnings before the notifier chain, to fix KGDB crash + - [x86] smpboot: Make optimization of delay calibration work correctly + - [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context + + [ Salvatore Bonaccorso ] + * mac80211: accept key reinstall without changing anything (CVE-2017-13080) + * sctp: do not peel off an assoc from one netns to another one + (CVE-2017-15115) + + [ Ben Hutchings ] + * linux-image: Recommend apparmor, as systemd units with an AppArmor + profile will fail without it (Closes: #880441) + * [powerpc*] kvm: Ignore ABI change in 4.13.6 (fixes FTBFS) + * swap: Avoid ABI change in 4.13.12 + * mac80211: use constant time comparison with keys + * mac80211: don't compare TKIP TX MIC key in reinstall prevention + * usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) + * media: cx231xx-cards: fix NULL-deref on missing association descriptor + (CVE-2017-16536) + * media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537) + * media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646) + * net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647) + * net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649) + * net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650) + * nftables: Enable NFT_RT, NFT_SET_BITMAP, NFT_OBJREF as modules + (Closes: #881931) + * [powerpc*/*64*] drm: Enable DRM_AMDGPU as module (Closes: #881593) + * amdgpu: Enable DRM_AMDGPU_USERPTR on all architectures + * amdgpu: Enable DRM_AMDGPU_SI, CONFIG_DRM_AMDGPU_CIK (Closes: #847570) + * [arm64,x86] net/wireless: Enable RTL8723BS as module (Closes: #881568) + * [arm64] nvmem: Enable NVMEM_SUNXI_SID as module (Closes: #881567) + * [x86] rmi4: Disable RMI4_SMB (Closes: #880471) + * ALSA: timer: Avoid ABI change in 4.13.13 + * 
netfilter: nat: Avoid ABI change in 4.13.13 + + -- Ben Hutchings Thu, 16 Nov 2017 21:04:10 +0000 + linux (4.13.10-1) unstable; urgency=medium * New upstream stable update: diff --git a/debian/config/arm64/config b/debian/config/arm64/config index 6eb95d255..8b09bf579 100644 --- a/debian/config/arm64/config +++ b/debian/config/arm64/config @@ -631,6 +631,7 @@ CONFIG_WLCORE_SDIO=m ## file: drivers/nvmem/Kconfig ## CONFIG_QCOM_QFPROM=m +CONFIG_NVMEM_SUNXI_SID=m ## ## file: drivers/pci/dwc/Kconfig @@ -865,6 +866,11 @@ CONFIG_SPI_XLP=m CONFIG_SPMI=y CONFIG_SPMI_MSM_PMIC_ARB=y +## +## file: drivers/staging/rtl8723bs/Kconfig +## +CONFIG_RTL8723BS=m + ## ## file: drivers/tee/Kconfig ## diff --git a/debian/config/config b/debian/config/config index 4f5269302..2302f41f6 100644 --- a/debian/config/config +++ b/debian/config/config @@ -616,7 +616,9 @@ CONFIG_DRM_SAVAGE=m ## ## file: drivers/gpu/drm/amd/amdgpu/Kconfig ## -# CONFIG_DRM_AMDGPU_SI is not set +CONFIG_DRM_AMDGPU_SI=y +CONFIG_DRM_AMDGPU_CIK=y +CONFIG_DRM_AMDGPU_USERPTR=y # CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set ## @@ -6709,16 +6711,19 @@ CONFIG_NF_TABLES_INET=m CONFIG_NF_TABLES_NETDEV=m CONFIG_NFT_EXTHDR=m CONFIG_NFT_META=m +CONFIG_NFT_RT=m CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_SET_RBTREE=m CONFIG_NFT_SET_HASH=m +CONFIG_NFT_SET_BITMAP=m CONFIG_NFT_COUNTER=m CONFIG_NFT_LOG=m CONFIG_NFT_LIMIT=m CONFIG_NFT_MASQ=m CONFIG_NFT_REDIR=m CONFIG_NFT_NAT=m +CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m diff --git a/debian/config/defines b/debian/config/defines index 20d927421..62b0c9718 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -2,6 +2,7 @@ abiname: 1 ignore-changes: __cpuhp_* + __xive_vm_h_* bpf_analyzer cxl_* dax_flush @@ -9,6 +10,7 @@ ignore-changes: inet_del_protocol iommu_device_* kvm_async_pf_task_wait + kvmppc_* mm_iommu_* mv_mbus_* perf_* 
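Review bot: The new `__xive_vm_h_*` and `kvmppc_*` entries under `ignore-changes` in debian/config/defines are prefix wildcards with no recorded scope, so every exported symbol matching them stays exempt from the ABI check for as long as the entries remain. The changelog in this diff ties the exemption to one event ("[powerpc*] kvm: Ignore ABI change in 4.13.6"), and presumably both entries belong to it. A later stable update that changes another symbol under these prefixes would then pass the check unnoticed. If this list accepts comment lines (not visible in the hunk), I would record the reason next to the entries, for example `# powerpc KVM: ABI change in 4.13.6; drop at the next abiname bump`.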
@@ -118,6 +120,7 @@ part-long-xen: This kernel also runs on a Xen hypervisor. [image] initramfs-generators: initramfs-tools initramfs-fallback +recommends: apparmor [relations] # compilers diff --git a/debian/config/kernelarch-powerpc/config-arch-64 b/debian/config/kernelarch-powerpc/config-arch-64 index aa873f319..329e7a225 100644 --- a/debian/config/kernelarch-powerpc/config-arch-64 +++ b/debian/config/kernelarch-powerpc/config-arch-64 @@ -73,6 +73,11 @@ CONFIG_CRYPTO_DEV_VMX=y ## CONFIG_CRYPTO_DEV_VMX_ENCRYPT=m +## +## file: drivers/gpu/drm/Kconfig +## +CONFIG_DRM_AMDGPU=m + ## ## file: drivers/gpu/drm/ast/Kconfig ## diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config index cb37f4f34..94215d3df 100644 --- a/debian/config/kernelarch-x86/config +++ b/debian/config/kernelarch-x86/config @@ -500,12 +500,6 @@ CONFIG_DRM_SIS=m ## CONFIG_DRM_AMD_ACP=y -## -## file: drivers/gpu/drm/amd/amdgpu/Kconfig -## -# CONFIG_DRM_AMDGPU_CIK is not set -CONFIG_DRM_AMDGPU_USERPTR=y - ## ## file: drivers/gpu/drm/amd/amdkfd/Kconfig ## @@ -785,11 +779,6 @@ CONFIG_MOUSE_ELAN_I2C_I2C=y CONFIG_MOUSE_ELAN_I2C_SMBUS=y CONFIG_MOUSE_VSXXXAA=m -## -## file: drivers/input/rmi4/Kconfig -## -CONFIG_RMI4_SMB=m - ## ## file: drivers/input/serio/Kconfig ## @@ -1623,6 +1612,11 @@ CONFIG_RTL8192E=m ## CONFIG_RTL8192U=m +## +## file: drivers/staging/rtl8723bs/Kconfig +## +CONFIG_RTL8723BS=m + ## ## file: drivers/staging/rts5208/Kconfig ## diff --git a/debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch b/debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch new file mode 100644 index 000000000..b6ad1e07d --- /dev/null +++ b/debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch 
@@ -0,0 +1,36 @@ +From: Johan Hovold +Date: Thu, 21 Sep 2017 05:40:18 -0300 +Subject: [media] cx231xx-cards: fix NULL-deref on missing association + descriptor +Origin: https://git.kernel.org/linus/6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16536 + +Make sure to check that we actually have an Interface Association +Descriptor before dereferencing it during probe to avoid dereferencing a +NULL-pointer. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: stable # 2.6.30 +Reported-by: Andrey Konovalov +Signed-off-by: Johan Hovold +Tested-by: Andrey Konovalov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c +index e0daa9b6c2a0..9b742d569fb5 100644 +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_interface *interface, + nr = dev->devno; + + assoc_desc = udev->actconfig->intf_assoc[0]; +- if (assoc_desc->bFirstInterface != ifnum) { ++ if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) { + dev_err(d, "Not found matching IAD interface\n"); + retval = -ENODEV; + goto err_if; diff --git a/debian/patches/bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch b/debian/patches/bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch new file mode 100644 index 000000000..4da262676 --- /dev/null +++ b/debian/patches/bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch 
@@ -0,0 +1,191 @@ +From: Andrey Konovalov +Date: Thu, 2 Nov 2017 10:38:21 -0400 +Subject: media: dib0700: fix invalid dvb_detach argument +Origin: https://git.kernel.org/linus/eb0c19942288569e0ae492476534d5a485fb8ab4 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16646 + +dvb_detach(arg) calls symbol_put_addr(arg), where arg should be a pointer +to a function. Right now a pointer to state->dib7000p_ops is passed to +dvb_detach(), which causes a BUG() in symbol_put_addr() as discovered by +syzkaller. Pass state->dib7000p_ops.set_wbd_ref instead. + +------------[ cut here ]------------ +kernel BUG at kernel/module.c:1081! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +Modules linked in: +CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: G W +4.14.0-rc1-42251-gebb2c2437d80 #224 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +task: ffff88006a336300 task.stack: ffff88006a7c8000 +RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083 +RSP: 0018:ffff88006a7ce210 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff880062a8d190 RCX: 0000000000000000 +RDX: dffffc0000000020 RSI: ffffffff85876d60 RDI: ffff880062a8d190 +RBP: ffff88006a7ce218 R08: 1ffff1000d4f9c12 R09: 1ffff1000d4f9ae4 +R10: 1ffff1000d4f9bed R11: 0000000000000000 R12: ffff880062a8d180 +R13: 00000000ffffffed R14: ffff880062a8d190 R15: ffff88006947c000 +FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f6416532000 CR3: 00000000632f5000 CR4: 00000000000006e0 +Call Trace: + stk7070p_frontend_attach+0x515/0x610 +drivers/media/usb/dvb-usb/dib0700_devices.c:1013 + dvb_usb_adapter_frontend_init+0x32b/0x660 +drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286 + dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 + dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162 + dvb_usb_device_init+0xf70/0x17f0 
drivers/media/usb/dvb-usb/dvb-usb-init.c:277 + dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886 + usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 + generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 + usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 + hub_port_connect drivers/usb/core/hub.c:4903 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x3a1/0x470 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 +Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8 +de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f> +0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00 +RIP: symbol_put_addr+0x54/0x60 RSP: ffff88006a7ce210 +---[ end trace b75b357739e7e116 ]--- + +Signed-off-by: Andrey Konovalov + 
+Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/usb/dvb-usb/dib0700_devices.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/media/usb/dvb-usb/dib0700_devices.c ++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c +@@ -291,7 +291,7 @@ static int stk7700P2_frontend_attach(str + stk7700d_dib7000p_mt2266_config) + != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + } +@@ -325,7 +325,7 @@ static int stk7700d_frontend_attach(stru + stk7700d_dib7000p_mt2266_config) + != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + } +@@ -478,7 +478,7 @@ static int stk7700ph_frontend_attach(str + &stk7700ph_dib7700_xc3028_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -1010,7 +1010,7 @@ static int stk7070p_frontend_attach(stru + &dib7070p_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -1068,7 +1068,7 @@ static int stk7770p_frontend_attach(stru + &dib7770p_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. 
Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3050,7 +3050,7 @@ static int nim7090_frontend_attach(struc + + if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, &nim7090_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, 0x80, &nim7090_dib7000p_config); +@@ -3103,7 +3103,7 @@ static int tfe7090pvr_frontend0_attach(s + /* initialize IC 0 */ + if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, &tfe7090pvr_dib7000p_config[0]) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3133,7 +3133,7 @@ static int tfe7090pvr_frontend1_attach(s + i2c = state->dib7000p_ops.get_i2c_master(adap->dev->adapter[0].fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_6_7, 1); + if (state->dib7000p_ops.i2c_enumeration(i2c, 1, 0x10, &tfe7090pvr_dib7000p_config[1]) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3208,7 +3208,7 @@ static int tfe7790p_frontend_attach(stru + 1, 0x10, &tfe7790p_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. 
Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, +@@ -3303,7 +3303,7 @@ static int stk7070pd_frontend_attach0(st + stk7070pd_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3378,7 +3378,7 @@ static int novatd_frontend_attach(struct + stk7070pd_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + } +@@ -3614,7 +3614,7 @@ static int pctv340e_frontend_attach(stru + + if (state->dib7000p_ops.dib7000pc_detection(&adap->dev->i2c_adap) == 0) { + /* Demodulator not found for some reason? */ +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + diff --git a/debian/patches/bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch b/debian/patches/bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch new file mode 100644 index 000000000..40b26ad3d --- /dev/null +++ b/debian/patches/bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch 
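Review bot: The replacement argument `state->dib7000p_ops.set_wbd_ref` is unexplained at all twelve call sites in dib0700_devices.c, and the code alone does not show why that particular op is passed to `dvb_detach()`. Per the patch description, dvb_detach() hands its argument to symbol_put_addr(), which requires a function address, so set_wbd_ref serves only as a handle on the module that supplied the ops table. A one-line comment at the first site, e.g. `/* dvb_detach() needs a function address; any op filled in by the attach call will do */`, or a small local helper wrapping the call, would keep a later cleanup from reverting to `&state->dib7000p_ops`. The hunks do not show where the ops table is filled in, so it is worth confirming that set_wbd_ref is always populated on these error paths. Every affected function body extends beyond its hunk.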
@@ -0,0 +1,31 @@ +From: Arvind Yadav +Date: Mon, 9 Oct 2017 20:14:48 +0200 +Subject: media: imon: Fix null-ptr-deref in imon_probe +Origin: https://git.kernel.org/linus/58fd55e838276a0c13d1dc7c387f90f25063cbf3 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16537 + +It seems that the return value of usb_ifnum_to_if() can be NULL and +needs to be checked. + +Signed-off-by: Arvind Yadav +Tested-by: Andrey Konovalov +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/rc/imon.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/rc/imon.c ++++ b/drivers/media/rc/imon.c +@@ -2516,6 +2516,11 @@ static int imon_probe(struct usb_interfa + mutex_lock(&driver_lock); + + first_if = usb_ifnum_to_if(usbdev, 0); ++ if (!first_if) { ++ ret = -ENODEV; ++ goto fail; ++ } ++ + first_if_ctx = usb_get_intfdata(first_if); + + if (ifnum == 0) { diff --git a/debian/patches/series b/debian/patches/series index 92ab41846..925a4a50e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -112,6 +112,9 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch +bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch +bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch +bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch bugfix/all/media-dvb-core-always-call-invoke_release-in-fe_free.patch bugfix/all/dvb_frontend-don-t-use-after-free-the-frontend-struc.patch
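Review bot: The new `goto fail` in imon_probe() is taken after `mutex_lock(&driver_lock)`, and the `fail` label lies outside the hunk, so the patch as shown does not establish that the lock is released on this path. Please confirm against drivers/media/rc/imon.c in the packaged 4.13 tree that `fail:` unlocks driver_lock and does not touch state that is only initialised later in the function. Separately, `first_if_ctx = usb_get_intfdata(first_if)` on the next line is not checked anywhere in the visible context. If the secondary-interface branch dereferences it, a guard such as `if (!first_if_ctx) { ret = -ENODEV; goto fail; }` would be the matching check, but that branch is not shown here.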