Release linux (4.13.13-1).
Merge tag 'debian/4.13.13-1' Release linux (4.13.13-1).
This commit is contained in:
commit
1a1f0ef065
|
@ -96,6 +96,153 @@ linux (4.14~rc3-1~exp1) experimental; urgency=medium
|
|||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 02 Oct 2017 04:47:08 +0100
|
||||
|
||||
linux (4.13.13-1) unstable; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11
|
||||
- workqueue: replace pool->manager_arb mutex with a flag
|
||||
- [x86] ALSA: hda/realtek - Add support for ALC236/ALC3204
|
||||
- [x86] ALSA: hda - fix headset mic problem for Dell machines with alc236
|
||||
- ceph: unlock dangling spinlock in try_flush_caps()
|
||||
- [powerpc*] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM
|
||||
(CVE-2017-15306)
|
||||
- [powerpc*] KVM: PPC: Book3S HV: POWER9 more doorbell fixes
|
||||
- [powerpc*] KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU
|
||||
- [s390x] kvm: fix detection of guest machine checks
|
||||
- nbd: handle interrupted sendmsg with a sndtimeo set
|
||||
- spi: uapi: spidev: add missing ioctl header
|
||||
- spi: a3700: Return correct value on timeout detection
|
||||
- spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path
|
||||
- spi: armada-3700: Fix failing commands with quad-SPI
|
||||
- ovl: add NULL check in ovl_alloc_inode
|
||||
- ovl: fix EIO from lookup of non-indexed upper
|
||||
- ovl: handle ENOENT on index lookup
|
||||
- ovl: do not cleanup unsupported index entries
|
||||
- fuse: fix READDIRPLUS skipping an entry
|
||||
- xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()
|
||||
- xen: fix booting ballooned down hvm guest
|
||||
- cifs: Select all required crypto modules
|
||||
- CIFS: Fix NULL pointer deref on SMB2_tcon() failure
|
||||
- Input: elan_i2c - add ELAN0611 to the ACPI table
|
||||
- Input: gtco - fix potential out-of-bound access (CVE-2017-16643)
|
||||
- Fix encryption labels and lengths for SMB3.1.1
|
||||
- SMB3: Validate negotiate request must always be signed
|
||||
- assoc_array: Fix a buggy node-splitting case (CVE-2017-12193)
|
||||
- [s390x] scsi: zfcp: fix erp_action use-before-initialize in REC action
|
||||
trace
|
||||
- scsi: aacraid: Fix controller initialization failure
|
||||
- scsi: qla2xxx: Initialize Work element before requesting IRQs
|
||||
- scsi: sg: Re-fix off by one in sg_fill_request_table()
|
||||
- [x86] cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't
|
||||
- [x86] drm/amd/powerplay: fix uninitialized variable
|
||||
- [x86] drm/i915/perf: fix perf enable/disable ioctls with 32bits
|
||||
userspace
|
||||
- [armhf] can: sun4i: fix loopback mode
|
||||
- can: kvaser_usb: Correct return value in printout
|
||||
- can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages
|
||||
- cfg80211: fix connect/disconnect edge cases
|
||||
- ipsec: Fix aborted xfrm policy dump crash
|
||||
- [armhf] regulator: fan53555: fix I2C device ids (Closes: #879768)
|
||||
- [powerpc*] xive: Fix the size of the cpumask used in
|
||||
xive_find_target_in_mask()
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.12
|
||||
- ALSA: timer: Add missing mutex lock for compat ioctls
|
||||
- ALSA: seq: Fix nested rwsem annotation for lockdep splat
|
||||
- cifs: check MaxPathNameComponentLength != 0 before using it
|
||||
(Closes: #880504)
|
||||
- KEYS: return full count in keyring_read() if buffer is too small
|
||||
- KEYS: trusted: fix writing past end of buffer in trusted_read()
|
||||
- KEYS: fix out-of-bounds read during ASN.1 parsing
|
||||
- ASoC: adau17x1: Workaround for noise bug in ADC
|
||||
- virtio_blk: Fix an SG_IO regression
|
||||
- [arm64] ensure __dump_instr() checks addr_limit
|
||||
- [arm64] KVM: its: Fix missing dynamic allocation check in scan_its_table
|
||||
- [armhf, arm64] KVM: set right LR register value for 32 bit guest when
|
||||
inject abort
|
||||
- [armhf,arm64] kvm: Disable branch profiling in HYP code
|
||||
- [armhf] dts: mvebu: pl310-cache disable double-linefill
|
||||
- drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting
|
||||
- drm/amdgpu: allow harvesting check for Polaris VCE
|
||||
- userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of
|
||||
i_size
|
||||
- ocfs2: fstrim: Fix start offset of first cluster group during fstrim
|
||||
- fs/hugetlbfs/inode.c: fix hwpoison reserve accounting
|
||||
- mm, swap: fix race between swap count continuation operations
|
||||
- [x86] drm/i915: Do not rely on wm preservation for ILK watermarks
|
||||
- [x86] drm/i915/edp: read edp display control registers unconditionally
|
||||
- [mips*] bpf: Fix a typo in build_one_insn()
|
||||
- [mips*] smp-cmp: Use right include for task_struct
|
||||
- [mips*] SMP: Fix deadlock & online race
|
||||
- Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz""
|
||||
- [powerpc*] kprobes: Dereference function pointers only if the address
|
||||
does not belong to kernel text
|
||||
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races
|
||||
- perf/cgroup: Fix perf cgroup hierarchy support
|
||||
- [x86] mcelog: Get rid of RCU remnants
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.13
|
||||
- netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to
|
||||
rhashtable"
|
||||
- netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145)
|
||||
- workqueue: Fix NULL pointer dereference
|
||||
- crypto: ccm - preserve the IV buffer
|
||||
- [x86] crypto: sha1-mb - fix panic due to unaligned access
|
||||
- [x86] crypto: sha256-mb - fix panic due to unaligned access
|
||||
- KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
|
||||
- [x86] ACPI / PM: Blacklist Low Power S0 Idle _DSM for Dell XPS13 9360
|
||||
- ACPICA: Dispatch active GPEs at init time
|
||||
- ACPICA: Make it possible to enable runtime GPEs earlier
|
||||
- ACPI / scan: Enable GPEs before scanning the namespace
|
||||
- [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit
|
||||
- ALSA: timer: Limit max instances per timer
|
||||
- ALSA: usb-audio: support new Amanero Combo384 firmware version
|
||||
- [x86] ALSA: hda - fix headset mic problem for Dell machines with alc274
|
||||
- ALSA: seq: Fix OSS sysex delivery in OSS emulation
|
||||
- ALSA: seq: Avoid invalid lockdep class warning
|
||||
- [mips*] Fix CM region target definitions
|
||||
- [powerpc*] KVM: Book3S HV: Fix exclusion between HPT resizing and other
|
||||
HPT updates
|
||||
- Input: elan_i2c - add ELAN060C to the ACPI table
|
||||
- rbd: use GFP_NOIO for parent stat and data requests
|
||||
- [x86] drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
|
||||
- [armhf] can: sun4i: handle overrun in RX FIFO
|
||||
- can: peak: Add support for new PCIe/M2 CAN FD interfaces
|
||||
- [x86] debug: Handle warnings before the notifier chain, to fix KGDB crash
|
||||
- [x86] smpboot: Make optimization of delay calibration work correctly
|
||||
- [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* mac80211: accept key reinstall without changing anything (CVE-2017-13080)
|
||||
* sctp: do not peel off an assoc from one netns to another one
|
||||
(CVE-2017-15115)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* linux-image: Recommend apparmor, as systemd units with an AppArmor
|
||||
profile will fail without it (Closes: #880441)
|
||||
* [powerpc*] kvm: Ignore ABI change in 4.13.6 (fixes FTBFS)
|
||||
* swap: Avoid ABI change in 4.13.12
|
||||
* mac80211: use constant time comparison with keys
|
||||
* mac80211: don't compare TKIP TX MIC key in reinstall prevention
|
||||
* usb: usbtest: fix NULL pointer dereference (CVE-2017-16532)
|
||||
* media: cx231xx-cards: fix NULL-deref on missing association descriptor
|
||||
(CVE-2017-16536)
|
||||
* media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537)
|
||||
* media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646)
|
||||
* net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647)
|
||||
* net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649)
|
||||
* net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650)
|
||||
* nftables: Enable NFT_RT, NFT_SET_BITMAP, NFT_OBJREF as modules
|
||||
(Closes: #881931)
|
||||
* [powerpc*/*64*] drm: Enable DRM_AMDGPU as module (Closes: #881593)
|
||||
* amdgpu: Enable DRM_AMDGPU_USERPTR on all architectures
|
||||
* amdgpu: Enable DRM_AMDGPU_SI, CONFIG_DRM_AMDGPU_CIK (Closes: #847570)
|
||||
* [arm64,x86] net/wireless: Enable RTL8723BS as module (Closes: #881568)
|
||||
* [arm64] nvmem: Enable NVMEM_SUNXI_SID as module (Closes: #881567)
|
||||
* [x86] rmi4: Disable RMI4_SMB (Closes: #880471)
|
||||
* ALSA: timer: Avoid ABI change in 4.13.13
|
||||
* netfilter: nat: Avoid ABI change in 4.13.13
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Thu, 16 Nov 2017 21:04:10 +0000
|
||||
|
||||
linux (4.13.10-1) unstable; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
|
|
|
@ -631,6 +631,7 @@ CONFIG_WLCORE_SDIO=m
|
|||
## file: drivers/nvmem/Kconfig
|
||||
##
|
||||
CONFIG_QCOM_QFPROM=m
|
||||
CONFIG_NVMEM_SUNXI_SID=m
|
||||
|
||||
##
|
||||
## file: drivers/pci/dwc/Kconfig
|
||||
|
@ -865,6 +866,11 @@ CONFIG_SPI_XLP=m
|
|||
CONFIG_SPMI=y
|
||||
CONFIG_SPMI_MSM_PMIC_ARB=y
|
||||
|
||||
##
|
||||
## file: drivers/staging/rtl8723bs/Kconfig
|
||||
##
|
||||
CONFIG_RTL8723BS=m
|
||||
|
||||
##
|
||||
## file: drivers/tee/Kconfig
|
||||
##
|
||||
|
|
|
@ -616,7 +616,9 @@ CONFIG_DRM_SAVAGE=m
|
|||
##
|
||||
## file: drivers/gpu/drm/amd/amdgpu/Kconfig
|
||||
##
|
||||
# CONFIG_DRM_AMDGPU_SI is not set
|
||||
CONFIG_DRM_AMDGPU_SI=y
|
||||
CONFIG_DRM_AMDGPU_CIK=y
|
||||
CONFIG_DRM_AMDGPU_USERPTR=y
|
||||
# CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set
|
||||
|
||||
##
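Review bot: `CONFIG_DRM_AMDGPU_USERPTR=y` in this amdgpu block is the one amdgpu setting whose changelog line ("Enable DRM_AMDGPU_USERPTR on all architectures") carries no bug reference, unlike the `DRM_AMDGPU` and `DRM_AMDGPU_SI`/`CIK` lines. Add the motivating bug or a one-line rationale to the changelog so the reason for widening it to every architecture is on record next to the SI/CIK change.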
|
||||
|
@ -6709,16 +6711,19 @@ CONFIG_NF_TABLES_INET=m
|
|||
CONFIG_NF_TABLES_NETDEV=m
|
||||
CONFIG_NFT_EXTHDR=m
|
||||
CONFIG_NFT_META=m
|
||||
CONFIG_NFT_RT=m
|
||||
CONFIG_NFT_NUMGEN=m
|
||||
CONFIG_NFT_CT=m
|
||||
CONFIG_NFT_SET_RBTREE=m
|
||||
CONFIG_NFT_SET_HASH=m
|
||||
CONFIG_NFT_SET_BITMAP=m
|
||||
CONFIG_NFT_COUNTER=m
|
||||
CONFIG_NFT_LOG=m
|
||||
CONFIG_NFT_LIMIT=m
|
||||
CONFIG_NFT_MASQ=m
|
||||
CONFIG_NFT_REDIR=m
|
||||
CONFIG_NFT_NAT=m
|
||||
CONFIG_NFT_OBJREF=m
|
||||
CONFIG_NFT_QUEUE=m
|
||||
CONFIG_NFT_QUOTA=m
|
||||
CONFIG_NFT_REJECT=m
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
abiname: 1
|
||||
ignore-changes:
|
||||
__cpuhp_*
|
||||
__xive_vm_h_*
|
||||
bpf_analyzer
|
||||
cxl_*
|
||||
dax_flush
|
||||
|
@ -9,6 +10,7 @@ ignore-changes:
|
|||
inet_del_protocol
|
||||
iommu_device_*
|
||||
kvm_async_pf_task_wait
|
||||
kvmppc_*
|
||||
mm_iommu_*
|
||||
mv_mbus_*
|
||||
perf_*
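Review bot: `kvmppc_*` and `__xive_vm_h_*` in `ignore-changes` are prefix wildcards, while the changelog describes the intent as ignoring one powerpc KVM ABI change in 4.13.6. A pattern this broad keeps suppressing ABI-check failures for any later change to symbols with those prefixes, so either list the affected symbols or record in the changelog that the whole prefix is deliberately exempt and for how long.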
|
||||
|
@ -118,6 +120,7 @@ part-long-xen: This kernel also runs on a Xen hypervisor.
|
|||
|
||||
[image]
|
||||
initramfs-generators: initramfs-tools initramfs-fallback
|
||||
recommends: apparmor
|
||||
|
||||
[relations]
|
||||
# compilers
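Review bot: `recommends: apparmor` under `[image]` is a Recommends only, so an installation made with recommended packages disabled still ends up without it, and the changelog says systemd units with an AppArmor profile fail in that situation. State in the changelog why a hard dependency was not used, or mention the remaining failure case, so the limitation is visible to whoever reads #880441 later.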
|
||||
|
|
|
@ -73,6 +73,11 @@ CONFIG_CRYPTO_DEV_VMX=y
|
|||
##
|
||||
CONFIG_CRYPTO_DEV_VMX_ENCRYPT=m
|
||||
|
||||
##
|
||||
## file: drivers/gpu/drm/Kconfig
|
||||
##
|
||||
CONFIG_DRM_AMDGPU=m
|
||||
|
||||
##
|
||||
## file: drivers/gpu/drm/ast/Kconfig
|
||||
##
|
||||
|
|
|
@ -500,12 +500,6 @@ CONFIG_DRM_SIS=m
|
|||
##
|
||||
CONFIG_DRM_AMD_ACP=y
|
||||
|
||||
##
|
||||
## file: drivers/gpu/drm/amd/amdgpu/Kconfig
|
||||
##
|
||||
# CONFIG_DRM_AMDGPU_CIK is not set
|
||||
CONFIG_DRM_AMDGPU_USERPTR=y
|
||||
|
||||
##
|
||||
## file: drivers/gpu/drm/amd/amdkfd/Kconfig
|
||||
##
|
||||
|
@ -785,11 +779,6 @@ CONFIG_MOUSE_ELAN_I2C_I2C=y
|
|||
CONFIG_MOUSE_ELAN_I2C_SMBUS=y
|
||||
CONFIG_MOUSE_VSXXXAA=m
|
||||
|
||||
##
|
||||
## file: drivers/input/rmi4/Kconfig
|
||||
##
|
||||
CONFIG_RMI4_SMB=m
|
||||
|
||||
##
|
||||
## file: drivers/input/serio/Kconfig
|
||||
##
|
||||
|
@ -1623,6 +1612,11 @@ CONFIG_RTL8192E=m
|
|||
##
|
||||
CONFIG_RTL8192U=m
|
||||
|
||||
##
|
||||
## file: drivers/staging/rtl8723bs/Kconfig
|
||||
##
|
||||
CONFIG_RTL8723BS=m
|
||||
|
||||
##
|
||||
## file: drivers/staging/rts5208/Kconfig
|
||||
##
|
||||
|
|
36
debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch
vendored
Normal file
|
@ -0,0 +1,36 @@
|
|||
From: Johan Hovold <johan@kernel.org>
|
||||
Date: Thu, 21 Sep 2017 05:40:18 -0300
|
||||
Subject: [media] cx231xx-cards: fix NULL-deref on missing association
|
||||
descriptor
|
||||
Origin: https://git.kernel.org/linus/6c3b047fa2d2286d5e438bcb470c7b1a49f415f6
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16536
|
||||
|
||||
Make sure to check that we actually have an Interface Association
|
||||
Descriptor before dereferencing it during probe to avoid dereferencing a
|
||||
NULL-pointer.
|
||||
|
||||
Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
|
||||
|
||||
Cc: stable <stable@vger.kernel.org> # 2.6.30
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: Johan Hovold <johan@kernel.org>
|
||||
Tested-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
---
|
||||
drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c
|
||||
index e0daa9b6c2a0..9b742d569fb5 100644
|
||||
--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
|
||||
+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
|
||||
@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_interface *interface,
|
||||
nr = dev->devno;
|
||||
|
||||
assoc_desc = udev->actconfig->intf_assoc[0];
|
||||
- if (assoc_desc->bFirstInterface != ifnum) {
|
||||
+ if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) {
|
||||
dev_err(d, "Not found matching IAD interface\n");
|
||||
retval = -ENODEV;
|
||||
goto err_if;
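Review bot: the new `!assoc_desc` test in `cx231xx_usb_probe()` reuses the existing "Not found matching IAD interface" message, so the log cannot distinguish a device that has no Interface Association Descriptor at all from one whose IAD starts at a different interface. A separate `dev_err()` for the missing-descriptor case would make malformed-descriptor reports easier to triage. The guard also covers only `intf_assoc[0]`; `udev->actconfig` is dereferenced on the preceding line without a test in the visible context, so it is worth confirming it is always set at this point in probe.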
|
191
debian/patches/bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch
vendored
Normal file
|
@ -0,0 +1,191 @@
|
|||
From: Andrey Konovalov <andreyknvl@google.com>
|
||||
Date: Thu, 2 Nov 2017 10:38:21 -0400
|
||||
Subject: media: dib0700: fix invalid dvb_detach argument
|
||||
Origin: https://git.kernel.org/linus/eb0c19942288569e0ae492476534d5a485fb8ab4
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16646
|
||||
|
||||
dvb_detach(arg) calls symbol_put_addr(arg), where arg should be a pointer
|
||||
to a function. Right now a pointer to state->dib7000p_ops is passed to
|
||||
dvb_detach(), which causes a BUG() in symbol_put_addr() as discovered by
|
||||
syzkaller. Pass state->dib7000p_ops.set_wbd_ref instead.
|
||||
|
||||
------------[ cut here ]------------
|
||||
kernel BUG at kernel/module.c:1081!
|
||||
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
|
||||
Modules linked in:
|
||||
CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: G W
|
||||
4.14.0-rc1-42251-gebb2c2437d80 #224
|
||||
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
|
||||
Workqueue: usb_hub_wq hub_event
|
||||
task: ffff88006a336300 task.stack: ffff88006a7c8000
|
||||
RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083
|
||||
RSP: 0018:ffff88006a7ce210 EFLAGS: 00010246
|
||||
RAX: 0000000000000000 RBX: ffff880062a8d190 RCX: 0000000000000000
|
||||
RDX: dffffc0000000020 RSI: ffffffff85876d60 RDI: ffff880062a8d190
|
||||
RBP: ffff88006a7ce218 R08: 1ffff1000d4f9c12 R09: 1ffff1000d4f9ae4
|
||||
R10: 1ffff1000d4f9bed R11: 0000000000000000 R12: ffff880062a8d180
|
||||
R13: 00000000ffffffed R14: ffff880062a8d190 R15: ffff88006947c000
|
||||
FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
|
||||
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
CR2: 00007f6416532000 CR3: 00000000632f5000 CR4: 00000000000006e0
|
||||
Call Trace:
|
||||
stk7070p_frontend_attach+0x515/0x610
|
||||
drivers/media/usb/dvb-usb/dib0700_devices.c:1013
|
||||
dvb_usb_adapter_frontend_init+0x32b/0x660
|
||||
drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
|
||||
dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
|
||||
dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
|
||||
dvb_usb_device_init+0xf70/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
|
||||
dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886
|
||||
usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
|
||||
really_probe drivers/base/dd.c:413
|
||||
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
|
||||
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
|
||||
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
|
||||
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
|
||||
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
|
||||
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
|
||||
device_add+0xd0b/0x1660 drivers/base/core.c:1835
|
||||
usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
|
||||
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
|
||||
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
|
||||
really_probe drivers/base/dd.c:413
|
||||
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
|
||||
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
|
||||
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
|
||||
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
|
||||
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
|
||||
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
|
||||
device_add+0xd0b/0x1660 drivers/base/core.c:1835
|
||||
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
|
||||
hub_port_connect drivers/usb/core/hub.c:4903
|
||||
hub_port_connect_change drivers/usb/core/hub.c:5009
|
||||
port_event drivers/usb/core/hub.c:5115
|
||||
hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
|
||||
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
|
||||
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
|
||||
kthread+0x3a1/0x470 kernel/kthread.c:231
|
||||
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
|
||||
Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8
|
||||
de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f>
|
||||
0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00
|
||||
RIP: symbol_put_addr+0x54/0x60 RSP: ffff88006a7ce210
|
||||
---[ end trace b75b357739e7e116 ]---
|
||||
|
||||
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
||||
---
|
||||
drivers/media/usb/dvb-usb/dib0700_devices.c | 24 ++++++++++++------------
|
||||
1 file changed, 12 insertions(+), 12 deletions(-)
|
||||
|
||||
--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
|
||||
+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
|
||||
@@ -291,7 +291,7 @@ static int stk7700P2_frontend_attach(str
|
||||
stk7700d_dib7000p_mt2266_config)
|
||||
!= 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
}
|
||||
@@ -325,7 +325,7 @@ static int stk7700d_frontend_attach(stru
|
||||
stk7700d_dib7000p_mt2266_config)
|
||||
!= 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
}
|
||||
@@ -478,7 +478,7 @@ static int stk7700ph_frontend_attach(str
|
||||
&stk7700ph_dib7700_xc3028_config) != 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
|
||||
__func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
|
||||
@@ -1010,7 +1010,7 @@ static int stk7070p_frontend_attach(stru
|
||||
&dib7070p_dib7000p_config) != 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
|
||||
__func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
|
||||
@@ -1068,7 +1068,7 @@ static int stk7770p_frontend_attach(stru
|
||||
&dib7770p_dib7000p_config) != 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
|
||||
__func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
|
||||
@@ -3050,7 +3050,7 @@ static int nim7090_frontend_attach(struc
|
||||
|
||||
if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, &nim7090_dib7000p_config) != 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, 0x80, &nim7090_dib7000p_config);
|
||||
@@ -3103,7 +3103,7 @@ static int tfe7090pvr_frontend0_attach(s
|
||||
/* initialize IC 0 */
|
||||
if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, &tfe7090pvr_dib7000p_config[0]) != 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
|
||||
@@ -3133,7 +3133,7 @@ static int tfe7090pvr_frontend1_attach(s
|
||||
i2c = state->dib7000p_ops.get_i2c_master(adap->dev->adapter[0].fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_6_7, 1);
|
||||
if (state->dib7000p_ops.i2c_enumeration(i2c, 1, 0x10, &tfe7090pvr_dib7000p_config[1]) != 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
|
||||
@@ -3208,7 +3208,7 @@ static int tfe7790p_frontend_attach(stru
|
||||
1, 0x10, &tfe7790p_dib7000p_config) != 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
|
||||
__func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap,
|
||||
@@ -3303,7 +3303,7 @@ static int stk7070pd_frontend_attach0(st
|
||||
stk7070pd_dib7000p_config) != 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
|
||||
__func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
|
||||
@@ -3378,7 +3378,7 @@ static int novatd_frontend_attach(struct
|
||||
stk7070pd_dib7000p_config) != 0) {
|
||||
err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n",
|
||||
__func__);
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
|
||||
}
|
||||
@@ -3614,7 +3614,7 @@ static int pctv340e_frontend_attach(stru
|
||||
|
||||
if (state->dib7000p_ops.dib7000pc_detection(&adap->dev->i2c_adap) == 0) {
|
||||
/* Demodulator not found for some reason? */
|
||||
- dvb_detach(&state->dib7000p_ops);
|
||||
+ dvb_detach(state->dib7000p_ops.set_wbd_ref);
|
||||
return -ENODEV;
|
||||
}
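Review bot: all twelve error paths now pass `state->dib7000p_ops.set_wbd_ref` to `dvb_detach()`, but nothing in the code says why that particular member stands in for the attached module, so the next error path added to this file can easily reintroduce `&state->dib7000p_ops`. A short comment at the first call site, or a small wrapper used by all of them, would document that `dvb_detach()` needs a function pointer because it ends in `symbol_put_addr()`. The change also relies on `set_wbd_ref` having been filled in before these paths run, which the hunks do not show; the commit message should say so. The last hunk (`pctv340e_frontend_attach`) fails on `dib7000pc_detection` rather than `i2c_enumeration`, so it deserves the same check.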
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From: Arvind Yadav <arvind.yadav.cs@gmail.com>
|
||||
Date: Mon, 9 Oct 2017 20:14:48 +0200
|
||||
Subject: media: imon: Fix null-ptr-deref in imon_probe
|
||||
Origin: https://git.kernel.org/linus/58fd55e838276a0c13d1dc7c387f90f25063cbf3
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16537
|
||||
|
||||
It seems that the return value of usb_ifnum_to_if() can be NULL and
|
||||
needs to be checked.
|
||||
|
||||
Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
|
||||
Tested-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: Sean Young <sean@mess.org>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
---
|
||||
drivers/media/rc/imon.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
--- a/drivers/media/rc/imon.c
|
||||
+++ b/drivers/media/rc/imon.c
|
||||
@@ -2516,6 +2516,11 @@ static int imon_probe(struct usb_interfa
|
||||
mutex_lock(&driver_lock);
|
||||
|
||||
first_if = usb_ifnum_to_if(usbdev, 0);
|
||||
+ if (!first_if) {
|
||||
+ ret = -ENODEV;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
first_if_ctx = usb_get_intfdata(first_if);
|
||||
|
||||
if (ifnum == 0) {
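Review bot: the added `goto fail` in `imon_probe()` is taken with `driver_lock` held (see the `mutex_lock(&driver_lock)` just above it), and the `fail` label lies outside this hunk, so confirm that label releases the mutex; otherwise a device that exposes no interface 0 leaves the lock taken. The commit message's "It seems that" should be a plain statement of when `usb_ifnum_to_if()` returns NULL, and the patch has no `Fixes:` or stable tag even though it carries a CVE reference.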
|
|
@ -112,6 +112,9 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch
|
||||
bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch
|
||||
bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch
|
||||
bugfix/all/media-dvb-core-always-call-invoke_release-in-fe_free.patch
|
||||
bugfix/all/dvb_frontend-don-t-use-after-free-the-frontend-struc.patch
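Review bot: this series hunk grows by three entries (112,6 to 112,9), which matches the three media patch files shown on this page (cx231xx, imon, dib0700), while the 4.13.13-1 changelog entry also lists usbtest, asix, cdc_ether, qmi_wwan and mac80211 fixes. Check that each of those has its own series entry elsewhere, since a patch file that is not listed in the series is never applied to the build and its CVE would be marked fixed in the changelog without the code change.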
|
||||
|
||||
|
|