update to 4.19.21

Marcin Juszkiewicz 2019-02-25 16:57:53 +01:00
parent 5cb904c8a9
commit 4a0b4cb79e
7 changed files with 308 additions and 456 deletions

debian/changelog

@ -1,4 +1,311 @@
linux (4.19.20-2) UNRELEASED; urgency=medium
linux (4.19.21-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21
- devres: Align data[] to ARCH_KMALLOC_MINALIGN
- drm/bufs: Fix Spectre v1 vulnerability
- drm/vgem: Fix vgem_init to get drm device available.
- [arm*] pinctrl: bcm2835: Use raw spinlock for RT compatibility
- [x86] ASoC: Intel: mrfld: fix uninitialized variable access
- gpiolib: Fix possible use after free on label
- [armhf] drm/sun4i: Initialize registers in tcon-top driver
- genirq/affinity: Spread IRQs to all available NUMA nodes
- [armhf] gpu: ipu-v3: image-convert: Prevent race between run and
unprepare
- wil6210: fix reset flow for Talyn-mb
- wil6210: fix memory leak in wil_find_tx_bcast_2
- ath10k: assign 'n_cipher_suites' for WCN3990
- ath9k: dynack: use authentication messages for 'late' ack
- scsi: lpfc: Correct LCB RJT handling
- scsi: mpt3sas: Call sas_remove_host before removing the target devices
- scsi: lpfc: Fix LOGO/PLOGI handling when triggerd by ABTS Timeout event
- [armhf] 8808/1: kexec:offline panic_smp_self_stop CPU
- [mips] clk: boston: fix possible memory leak in clk_boston_setup()
- dlm: Don't swamp the CPU with callbacks queued during recovery
- [x86] PCI: Fix Broadcom CNB20LE unintended sign extension (redux)
- [powerpc] pseries: add of_node_put() in dlpar_detach_node()
- crypto: aes_ti - disable interrupts while accessing S-box
- [arm*] drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE
- serial: fsl_lpuart: clear parity enable bit when disable parity
- ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
- [mips] Boston: Disable EG20T prefetch
- dpaa2-ptp: defer probe when portal allocation failed
- iwlwifi: fw: do not set sgi bits for HE connection
- fpga: altera-cvp: Fix registration for CvP incapable devices
- [x86] fpga: altera-cvp: fix 'bad IO access' on x86_64
- [x86] vbox: fix link error with 'gcc -Og'
- platform/chrome: don't report EC_MKBP_EVENT_SENSOR_FIFO as wakeup
- i40e: prevent overlapping tx_timeout recover
- scsi: hisi_sas: change the time of SAS SSP connection
- usbnet: smsc95xx: fix rx packet alignment
- [armhf,arm64] drm/rockchip: fix for mailbox read size
- [arm*] OMAP2+: hwmod: Fix some section annotations
- drm/amd/display: fix gamma not being applied correctly
- drm/amd/display: calculate stream->phy_pix_clk before clock mapping
- bpf: libbpf: retry map creation without the name
- net/mlx5: EQ, Use the right place to store/read IRQ affinity hint
- modpost: validate symbol names also in find_elf_symbol
- perf tools: Add Hygon Dhyana support
- [armhf] soc/tegra: Don't leak device tree node reference
- media: rc: ensure close() is called on rc_unregister_device
- media: video-i2c: avoid accessing released memory area when removing
driver
- [armhf] media: mtk-vcodec: Release device nodes in
mtk_vcodec_init_enc_pm()
- ptp: Fix pass zero to ERR_PTR() in ptp_clock_register
- dmaengine: xilinx_dma: Remove __aligned attribute on zynqmp_dma_desc_ll
- [powerpc] 32: Add .data..Lubsan_data*/.data..Lubsan_type* sections
explicitly
- media: adv*/tc358743/ths8200: fill in min width/height/pixelclock
- ACPI: SPCR: Consider baud rate 0 as preconfigured state
- f2fs: move dir data flush to write checkpoint process
- f2fs: fix race between write_checkpoint and write_begin
- f2fs: fix wrong return value of f2fs_acl_create
- i2c: sh_mobile: add support for r8a77990 (R-Car E3)
- [arm64] io: Ensure calls to delay routines are ordered against prior
readX()
- net: aquantia: return 'err' if set MPI_DEINIT state fails
- [sparc*] sunvdc: Do not spin in an infinite loop when vio_ldc_send()
returns EAGAIN
- soc: bcm: brcmstb: Don't leak device tree node reference
- nfsd4: fix crash on writing v4_end_grace before nfsd startup
- drm: Clear state->acquire_ctx before leaving
drm_atomic_helper_commit_duplicated_state()
- perf: arm_spe: handle devm_kasprintf() failure
- [arm64] io: Ensure value passed to __iormb() is held in a 64-bit register
- Thermal: do not clear passive state during system sleep
- thermal: Fix locking in cooling device sysfs update cur_state
- firmware/efi: Add NULL pointer checks in efivars API functions
- [s390] zcrypt: improve special ap message cmd handling
- mt76x0: dfs: fix IBI_R11 configuration on non-radar channels
- [arm64] ftrace: don't adjust the LR value
- ARM: dts: mmp2: fix TWSI2
- ARM: dts: aspeed: add missing memory unit-address
- [x86] fpu: Add might_fault() to user_insn()
- media: i2c: TDA1997x: select CONFIG_HDMI
- media: DaVinci-VPBE: fix error handling in vpbe_initialize()
- smack: fix access permissions for keyring
- usb: dwc3: Correct the logic for checking TRB full in
__dwc3_prepare_one_trb()
- usb: dwc2: Disable power down feature on Samsung SoCs
- usb: hub: delay hub autosuspend if USB3 port is still link training
- timekeeping: Use proper seqcount initializer
- usb: mtu3: fix the issue about SetFeature(U1/U2_Enable)
- [armhf] clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module
clocks
- media: imx274: select REGMAP_I2C
- drm/amdgpu/powerplay: fix clock stretcher limits on polaris (v2)
- tipc: fix node keep alive interval calculation
- driver core: Move async_synchronize_full call
- kobject: return error code if writing /sys/.../uevent fails
- IB/hfi1: Unreserve a reserved request when it is completed
- usb: dwc3: trace: add missing break statement to make compiler happy
- [mips] gpio: mt7621: report failure of devm_kasprintf()
- [mips] gpio: mt7621: pass mediatek_gpio_bank_probe() failure up the stack
- [x86] iommu/amd: Fix amd_iommu=force_isolation
- [armhf] dts: Fix OMAP4430 SDP Ethernet startup
- [mips] bpf: fix encoding bug for mm_srlv32_op
- media: coda: fix H.264 deblocking filter controls
- [armel] dts: Fix up the D-Link DIR-685 MTD partition info
- watchdog: renesas_wdt: don't set divider while watchdog is running
- [armhf] dts: imx51-zii-rdu1: Do not specify "power-gpio" for hpa1
- usb: dwc3: gadget: Disable CSP for stream OUT ep
- [arm64] iommu/arm-smmu-v3: Avoid memory corruption from Hisilicon MSI
payloads
- [arm64] iommu/arm-smmu: Add support for qcom,smmu-v2 variant
- [arm64] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
- [armhf] clk: imx6sl: ensure MMDC CH0 handshake is bypassed
- [x86] platform: mlx-platform: Fix tachometer registers
- cpuidle: big.LITTLE: fix refcount leak
- OPP: Use opp_table->regulators to verify no regulator case
- tee: optee: avoid possible double list_del()
- drm/msm/dsi: fix dsi clock names in DSI 10nm PLL driver
- drm/msm: dpu: Only check flush register against pending flushes
- lightnvm: pblk: fix resubmission of overwritten write err lbas
- lightnvm: pblk: add lock protection to list operations
- i2c-axxia: check for error conditions first
- [armhf] phy: sun4i-usb: add support for missing USB PHY index
- udf: Fix BUG on corrupted inode
- selftests/bpf: use __bpf_constant_htons in test_prog.c
- [armel] pxa: avoid section mismatch warning
- [armhf] ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M
- [powerpc] KVM: Book3S: Only report KVM_CAP_SPAPR_TCE_VFIO on powernv
machines
- [arm*] mmc: bcm2835: Recover from MMC_SEND_EXT_CSD
- [arm*] mmc: bcm2835: reset host on timeout
- memstick: Prevent memstick host from getting runtime suspended during
card detection
- mmc: sdhci-of-esdhc: Fix timeout checks
- mmc: sdhci-omap: Fix timeout checks
- mmc: sdhci-xenon: Fix timeout checks
- [mips] mmc: jz4740: Get CD/WP GPIOs from descriptors
- usb: renesas_usbhs: add support for RZ/G2E
- btrfs: harden agaist duplicate fsid on scanned devices
- serial: sh-sci: Fix locking in sci_submit_rx()
- serial: sh-sci: Resume PIO in sci_rx_interrupt() on DMA failure
- tty: serial: samsung: Properly set flags in autoCTS mode
- perf test: Fix perf_event_attr test failure
- perf dso: Fix unchecked usage of strncpy()
- perf header: Fix unchecked usage of strncpy()
- btrfs: use tagged writepage to mitigate livelock of snapshot
- perf probe: Fix unchecked usage of strncpy()
- i2c: sh_mobile: Add support for r8a774c0 (RZ/G2E)
- bnxt_en: Disable MSIX before re-reserving NQs/CMPL rings.
- [x86] tools/power/x86/intel_pstate_tracer: Fix non root execution for
post processing a trace file
- livepatch: check kzalloc return values
- [arm64] KVM: Skip MMIO insn after emulation
- usb: musb: dsps: fix otg state machine
- usb: musb: dsps: fix runtime pm for peripheral mode
- perf header: Fix up argument to ctime()
- perf tools: Cast off_t to s64 to avoid warning on bionic libc
- percpu: convert spin_lock_irq to spin_lock_irqsave.
- [arm64] net: hns3: fix incomplete uninitialization of IRQ in the
hns3_nic_uninit_vector_data()
- drm/amd/display: Add retry to read ddc_clock pin
- Bluetooth: hci_bcm: Handle deferred probing for the clock supply
- drm/amd/display: fix YCbCr420 blank color
- [powerpc] uaccess: fix warning/error with access_ok()
- mac80211: fix radiotap vendor presence bitmap handling
- xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi
- mlxsw: spectrum: Properly cleanup LAG uppers when removing port from LAG
- scsi: smartpqi: correct host serial num for ssa
- scsi: smartpqi: correct volume status
- scsi: smartpqi: increase fw status register read timeout
- cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
- [arm64] net: hns3: add max vector number check for pf
- [powerpc] perf: Fix thresholding counter data for unknown type
- iwlwifi: mvm: fix setting HE ppe FW config
- [powerpc] powernv/ioda: Allocate indirect TCE levels of cached userspace
addresses on demand
- mlx5: update timecounter at least twice per counter overflow
- drbd: narrow rcu_read_lock in drbd_sync_handshake
- drbd: disconnect, if the wrong UUIDs are attached on a connected peer
- drbd: skip spurious timeout (ping-timeo) when failing promote
- drbd: Avoid Clang warning about pointless switch statment
- drm/amd/display: validate extended dongle caps
- video: clps711x-fb: release disp device node in probe()
- md: fix raid10 hang issue caused by barrier
- fbdev: fbmem: behave better with small rotated displays and many CPUs
- i40e: define proper net_device::neigh_priv_len
- ice: Do not enable NAPI on q_vectors that have no rings
- igb: Fix an issue that PME is not enabled during runtime suspend
- ACPI/APEI: Clear GHES block_status before panic()
- fbdev: fbcon: Fix unregister crash when more than one framebuffer
- [powerpc] mm: Fix reporting of kernel execute faults on the 8xx
- [x86] KVM: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
- [powerpc] fadump: Do not allow hot-remove memory from fadump reserved
area.
- kvm: Change offset in kvm_write_guest_offset_cached to unsigned
- NFS: nfs_compare_mount_options always compare auth flavors.
- perf build: Don't unconditionally link the libbfd feature test to
-liberty and -lz
- hwmon: (lm80) fix a missing check of the status of SMBus read
- hwmon: (lm80) fix a missing check of bus read in lm80 probe
- seq_buf: Make seq_buf_puts() null-terminate the buffer
- crypto: ux500 - Use proper enum in cryp_set_dma_transfer
- crypto: ux500 - Use proper enum in hash_set_dma_transfer
- [mips] ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8
- cifs: check ntwrk_buf_start for NULL before dereferencing it
- f2fs: fix use-after-free issue when accessing sbi->stat_info
- um: Avoid marking pages with "changed protection"
- niu: fix missing checks of niu_pci_eeprom_read
- f2fs: fix sbi->extent_list corruption issue
- cgroup: fix parsing empty mount option string
- perf python: Do not force closing original perf descriptor in
evlist.get_pollfd()
- scripts/decode_stacktrace: only strip base path when a prefix of the path
- arch/sh/boards/mach-kfr2r09/setup.c: fix struct mtd_oob_ops build warning
- ocfs2: don't clear bh uptodate for block read
- ocfs2: improve ocfs2 Makefile
- mm/page_alloc.c: don't call kasan_free_pages() at deferred mem init
- zram: fix lockdep warning of free block handling
- isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in
HFCPCI_l1hw()
- gdrom: fix a memory leak bug
- fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address()
- block/swim3: Fix -EBUSY error when re-opening device after unmount
- [arm*] thermal: bcm2835: enable hwmon explicitly
- kdb: Don't back trace on a cpu that didn't round up
- [armhf] PCI: imx: Enable MSI from downstream components
- thermal: generic-adc: Fix adc to temp interpolation
- [arm64] sve: ptrace: Fix SVE_PT_REGS_OFFSET definition
- kernel/hung_task.c: break RCU locks based on jiffies
- proc/sysctl: fix return error for proc_doulongvec_minmax()
- kernel/hung_task.c: force console verbose before panic
- fs/epoll: drop ovflist branch prediction
- exec: load_script: don't blindly truncate shebang string
- kernel/kcov.c: mark write_comp_data() as notrace
- scripts/gdb: fix lx-version string output
- xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat
- xfs: cancel COW blocks before swapext
- xfs: Fix error code in 'xfs_ioc_getbmap()'
- xfs: fix overflow in xfs_attr3_leaf_verify
- xfs: fix shared extent data corruption due to missing cow reservation
- xfs: fix transient reference count error in
xfs_buf_resubmit_failed_buffers
- xfs: delalloc -> unwritten COW fork allocation can go wrong
- fs/xfs: fix f_ffree value for statfs when project quota is set
- xfs: fix PAGE_MASK usage in xfs_free_file_space
- xfs: fix inverted return from xfs_btree_sblock_verify_crc
- thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set
- dccp: fool proof ccid_hc_[rt]x_parse_options()
- enic: fix checksum validation for IPv6
- lib/test_rhashtable: Make test_insert_dup() allocate its hash table
dynamically
- net: dp83640: expire old TX-skb
- net: dsa: Fix lockdep false positive splat
- net: dsa: Fix NULL checking in dsa_slave_set_eee()
- net: dsa: mv88e6xxx: Fix counting of ATU violations
- net: dsa: slave: Don't propagate flag changes on down slave interfaces
- net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames
- net: systemport: Fix WoL with password after deep sleep
- rds: fix refcount bug in rds_sock_addref
- Revert "net: phy: marvell: avoid pause mode on SGMII-to-Copper for
88e151x"
- rxrpc: bad unlock balance in rxrpc_recvmsg
- sctp: check and update stream->out_curr when allocating stream_out
- sctp: walk the list of asoc safely (CVE-2019-8956)
- skge: potential memory corruption in skge_get_regs()
- virtio_net: Account for tx bytes and packets on sending xdp_frames
- net/mlx5e: FPGA, fix Innova IPsec TX offload data path performance
- xfs: eof trim writeback mapping as soon as it is cached
- ALSA: compress: Fix stop handling on compressed capture streams
- ALSA: usb-audio: Add support for new T+A USB DAC
- ALSA: hda - Serialize codec registrations
- ALSA: hda/realtek - Fix lose hp_pins for disable auto mute
- ALSA: hda/realtek - Use a common helper for hp pin reference
- ALSA: hda/realtek - Headset microphone support for System76 darp5
- fuse: call pipe_buf_release() under pipe lock
- fuse: decrement NR_WRITEBACK_TEMP on the right page
- fuse: handle zero sized retrieve correctly
- [arm*] dmaengine: bcm2835: Fix interrupt race on RT
- [arm*] dmaengine: bcm2835: Fix abort of transactions
- [armhf] dmaengine: imx-dma: fix wrong callback invoke
- futex: Handle early deadlock return correctly
- [arm64] irqchip/gic-v3-its: Plug allocation race for devices sharing a
DevID
- [armhf] usb: phy: am335x: fix race condition in _probe
- usb: dwc3: gadget: Handle 0 xfer length for OUT EP
- usb: gadget: udc: net2272: Fix bitwise and boolean operations
- usb: gadget: musb: fix short isoc packets with inventra dma
- staging: speakup: fix tty-operation NULL derefs
- scsi: cxlflash: Prevent deadlock when adapter probe fails
- scsi: aic94xx: fix module loading
- cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM
- [x86] perf/x86/intel/uncore: Add Node ID mask
- [x86] MCE: Initialize mce.bank in the case of a fatal error in
mce_no_way_out()
- perf/core: Don't WARN() for impossible ring-buffer sizes
- perf tests evsel-tp-sched: Fix bitwise operator
- serial: fix race between flush_to_ldisc and tty_open
- serial: 8250_pci: Make PCI class test non fatal
- serial: sh-sci: Do not free irqs that have already been freed
- cacheinfo: Keep the old value if of_property_read_u32 fails
- IB/hfi1: Add limit test for RC/UC send via loopback
- [x86] perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu()
- ath9k: dynack: make ewma estimation faster
- ath9k: dynack: check da->enabled first in sampling routines
[ Ben Hutchings ]
* [sparc64] udeb: Use standard module list in nic-modules; add i2c-modules
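Review bot: the new changelog entry says nothing about the four security patches this same commit removes from debian/patches/series (CVE-2019-3819 HID debug ring buffer, CVE-2019-6974 kvm_ioctl_create_device() refcounting, CVE-2019-7221 nVMX preemption timer, CVE-2019-7222 KVM stack contents leak); none of their commit subjects appears in the list above, while the sctp fix is annotated with CVE-2019-8956. If they were dropped because 4.19.21 carries the upstream commits named in each patch's Origin: line, say so in the entry (for example "- Drop patches for CVE-2019-3819, CVE-2019-6974, CVE-2019-7221, CVE-2019-7222, now applied upstream") so the CVE ids stay greppable in the package history.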


@ -1,259 +0,0 @@
From: Vladis Dronov <vdronov@redhat.com>
Date: Tue, 29 Jan 2019 11:58:35 +0100
Subject: HID: debug: fix the ring buffer implementation
Origin: https://git.kernel.org/linus/13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3819
Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
is strange allowing lost or corrupted data. After commit 717adfdaf147
("HID: debug: check length before copy_to_user()") it is possible to enter
an infinite loop in hid_debug_events_read() by providing 0 as count, this
locks up a system. Fix this by rewriting the ring buffer implementation
with kfifo and simplify the code.
This fixes CVE-2019-3819.
v2: fix an execution logic and add a comment
v3: use __set_current_state() instead of set_current_state()
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
Cc: stable@vger.kernel.org # v4.18+
Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
---
drivers/hid/hid-debug.c | 120 ++++++++++++++++++----------------------------
include/linux/hid-debug.h | 9 ++--
2 files changed, 51 insertions(+), 78 deletions(-)
diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
index c530476edba6..ac9fda1b5a72 100644
--- a/drivers/hid/hid-debug.c
+++ b/drivers/hid/hid-debug.c
@@ -30,6 +30,7 @@
#include <linux/debugfs.h>
#include <linux/seq_file.h>
+#include <linux/kfifo.h>
#include <linux/sched/signal.h>
#include <linux/export.h>
#include <linux/slab.h>
@@ -661,17 +662,12 @@ EXPORT_SYMBOL_GPL(hid_dump_device);
/* enqueue string to 'events' ring buffer */
void hid_debug_event(struct hid_device *hdev, char *buf)
{
- unsigned i;
struct hid_debug_list *list;
unsigned long flags;
spin_lock_irqsave(&hdev->debug_list_lock, flags);
- list_for_each_entry(list, &hdev->debug_list, node) {
- for (i = 0; buf[i]; i++)
- list->hid_debug_buf[(list->tail + i) % HID_DEBUG_BUFSIZE] =
- buf[i];
- list->tail = (list->tail + i) % HID_DEBUG_BUFSIZE;
- }
+ list_for_each_entry(list, &hdev->debug_list, node)
+ kfifo_in(&list->hid_debug_fifo, buf, strlen(buf));
spin_unlock_irqrestore(&hdev->debug_list_lock, flags);
wake_up_interruptible(&hdev->debug_wait);
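Review bot: kfifo_in() returns how many bytes it actually stored and silently drops the rest when the fifo is full, and that return value is discarded here, so a burst of events still loses data (the old modulo copy overwrote instead). That is a reasonable policy for a debugfs stream, but a one-line comment saying truncation is intended would stop the next reader from filing it as a bug. Minor: strlen(buf) is recomputed for every open reader while debug_list_lock is held with interrupts off; hoisting `size_t len = strlen(buf);` above the list_for_each_entry() avoids rescanning the string per list entry.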
@@ -722,8 +718,7 @@ void hid_dump_input(struct hid_device *hdev, struct hid_usage *usage, __s32 valu
hid_debug_event(hdev, buf);
kfree(buf);
- wake_up_interruptible(&hdev->debug_wait);
-
+ wake_up_interruptible(&hdev->debug_wait);
}
EXPORT_SYMBOL_GPL(hid_dump_input);
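Review bot: the only change in this hunk is whitespace, but it leaves a redundant wake-up in place: hid_debug_event() already calls wake_up_interruptible(&hdev->debug_wait) right after enqueuing (previous hunk), so the call kept here wakes the same queue a second time for every event. Either drop it or add a comment explaining why a second wake-up is wanted.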
@@ -1083,8 +1078,8 @@ static int hid_debug_events_open(struct inode *inode, struct file *file)
goto out;
}
- if (!(list->hid_debug_buf = kzalloc(HID_DEBUG_BUFSIZE, GFP_KERNEL))) {
- err = -ENOMEM;
+ err = kfifo_alloc(&list->hid_debug_fifo, HID_DEBUG_FIFOSIZE, GFP_KERNEL);
+ if (err) {
kfree(list);
goto out;
}
@@ -1104,77 +1099,57 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
size_t count, loff_t *ppos)
{
struct hid_debug_list *list = file->private_data;
- int ret = 0, len;
+ int ret = 0, copied;
DECLARE_WAITQUEUE(wait, current);
mutex_lock(&list->read_mutex);
- while (ret == 0) {
- if (list->head == list->tail) {
- add_wait_queue(&list->hdev->debug_wait, &wait);
- set_current_state(TASK_INTERRUPTIBLE);
-
- while (list->head == list->tail) {
- if (file->f_flags & O_NONBLOCK) {
- ret = -EAGAIN;
- break;
- }
- if (signal_pending(current)) {
- ret = -ERESTARTSYS;
- break;
- }
+ if (kfifo_is_empty(&list->hid_debug_fifo)) {
+ add_wait_queue(&list->hdev->debug_wait, &wait);
+ set_current_state(TASK_INTERRUPTIBLE);
+
+ while (kfifo_is_empty(&list->hid_debug_fifo)) {
+ if (file->f_flags & O_NONBLOCK) {
+ ret = -EAGAIN;
+ break;
+ }
- if (!list->hdev || !list->hdev->debug) {
- ret = -EIO;
- set_current_state(TASK_RUNNING);
- goto out;
- }
+ if (signal_pending(current)) {
+ ret = -ERESTARTSYS;
+ break;
+ }
- /* allow O_NONBLOCK from other threads */
- mutex_unlock(&list->read_mutex);
- schedule();
- mutex_lock(&list->read_mutex);
- set_current_state(TASK_INTERRUPTIBLE);
+ /* if list->hdev is NULL we cannot remove_wait_queue().
+ * if list->hdev->debug is 0 then hid_debug_unregister()
+ * was already called and list->hdev is being destroyed.
+ * if we add remove_wait_queue() here we can hit a race.
+ */
+ if (!list->hdev || !list->hdev->debug) {
+ ret = -EIO;
+ set_current_state(TASK_RUNNING);
+ goto out;
}
- set_current_state(TASK_RUNNING);
- remove_wait_queue(&list->hdev->debug_wait, &wait);
+ /* allow O_NONBLOCK from other threads */
+ mutex_unlock(&list->read_mutex);
+ schedule();
+ mutex_lock(&list->read_mutex);
+ set_current_state(TASK_INTERRUPTIBLE);
}
- if (ret)
- goto out;
+ __set_current_state(TASK_RUNNING);
+ remove_wait_queue(&list->hdev->debug_wait, &wait);
- /* pass the ringbuffer contents to userspace */
-copy_rest:
- if (list->tail == list->head)
+ if (ret)
goto out;
- if (list->tail > list->head) {
- len = list->tail - list->head;
- if (len > count)
- len = count;
-
- if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
- ret = -EFAULT;
- goto out;
- }
- ret += len;
- list->head += len;
- } else {
- len = HID_DEBUG_BUFSIZE - list->head;
- if (len > count)
- len = count;
-
- if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
- ret = -EFAULT;
- goto out;
- }
- list->head = 0;
- ret += len;
- count -= len;
- if (count > 0)
- goto copy_rest;
- }
-
}
+
+ /* pass the fifo content to userspace, locking is not needed with only
+ * one concurrent reader and one concurrent writer
+ */
+ ret = kfifo_to_user(&list->hid_debug_fifo, buffer, count, &copied);
+ if (ret)
+ goto out;
+ ret = copied;
out:
mutex_unlock(&list->read_mutex);
return ret;
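Review bot: the O_NONBLOCK and signal_pending() breaks leave the inner while before the list->hdev check, and execution then reaches remove_wait_queue(&list->hdev->debug_wait, &wait); the new comment states that list->hdev can be NULL while a reader is waiting, so those two paths dereference NULL in exactly the situation the comment describes (add_wait_queue() above the loop has the same exposure). This is unchanged from the old code, but now that the patch documents the hazard it should either guard the remove_wait_queue() with `if (list->hdev)` or explain why hdev cannot vanish between a wakeup and the break. Minor: the comment above kfifo_to_user() says locking is not needed with one reader and one writer; it is read_mutex here and hdev->debug_list_lock in hid_debug_event() that make that true, and naming them keeps the invariant visible. The count == 0 case from the CVE now returns 0 straight away because kfifo_to_user() copies nothing and the outer `while (ret == 0)` loop is gone; a sentence in the description that a zero-length read is a valid immediate return would help future readers.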
@@ -1185,7 +1160,7 @@ static __poll_t hid_debug_events_poll(struct file *file, poll_table *wait)
struct hid_debug_list *list = file->private_data;
poll_wait(file, &list->hdev->debug_wait, wait);
- if (list->head != list->tail)
+ if (!kfifo_is_empty(&list->hid_debug_fifo))
return EPOLLIN | EPOLLRDNORM;
if (!list->hdev->debug)
return EPOLLERR | EPOLLHUP;
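Review bot: poll_wait(file, &list->hdev->debug_wait, wait) at the top of this function dereferences list->hdev unconditionally, while hid_debug_events_read() in this same patch documents that list->hdev may be NULL for a still-open file ("if list->hdev is NULL we cannot remove_wait_queue()"). If that case is real, poll() hits it first and needs the same guard; if it is not, the comment in read is overcautious. The patch should settle on one story.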
@@ -1200,7 +1175,7 @@ static int hid_debug_events_release(struct inode *inode, struct file *file)
spin_lock_irqsave(&list->hdev->debug_list_lock, flags);
list_del(&list->node);
spin_unlock_irqrestore(&list->hdev->debug_list_lock, flags);
- kfree(list->hid_debug_buf);
+ kfifo_free(&list->hid_debug_fifo);
kfree(list);
return 0;
@@ -1246,4 +1221,3 @@ void hid_debug_exit(void)
{
debugfs_remove_recursive(hid_debug_root);
}
-
diff --git a/include/linux/hid-debug.h b/include/linux/hid-debug.h
index 8663f216c563..2d6100edf204 100644
--- a/include/linux/hid-debug.h
+++ b/include/linux/hid-debug.h
@@ -24,7 +24,10 @@
#ifdef CONFIG_DEBUG_FS
+#include <linux/kfifo.h>
+
#define HID_DEBUG_BUFSIZE 512
+#define HID_DEBUG_FIFOSIZE 512
void hid_dump_input(struct hid_device *, struct hid_usage *, __s32);
void hid_dump_report(struct hid_device *, int , u8 *, int);
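Review bot: HID_DEBUG_BUFSIZE stays defined although the struct member it sized (hid_debug_buf) is removed in the next hunk; if it still has users elsewhere, add a comment saying what each of the two constants bounds, otherwise drop it. With HID_DEBUG_FIFOSIZE equal to it at 512 bytes, the fifo holds exactly as much as one old buffer, and kfifo_in() silently discards anything beyond, so a larger power of two (kfifo_alloc() rounds a non-power-of-two size down) may be wanted for devices that emit bursts faster than the debugfs reader drains them.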
@@ -37,11 +40,8 @@ void hid_debug_init(void);
void hid_debug_exit(void);
void hid_debug_event(struct hid_device *, char *);
-
struct hid_debug_list {
- char *hid_debug_buf;
- int head;
- int tail;
+ DECLARE_KFIFO_PTR(hid_debug_fifo, char);
struct fasync_struct *fasync;
struct hid_device *hdev;
struct list_head node;
@@ -64,4 +64,3 @@ struct hid_debug_list {
#endif
#endif
-
--
2.11.0
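The count == 0 hang described in the HID patch above, as an added user-space model written for this page (not code from the patch, the kernel or Debian): the old head/tail ring-buffer read loop beside a kfifo-style replacement, both driven with one constructed event string. The flat arrays, the MAX_ITER guard and the -1 return for "would block" are assumptions of the model; the kernel has no such guard and would spin forever.

```c
/* Added example, not kernel code: user-space model of hid_debug_events_read()
 * before and after the kfifo rewrite.  MAX_ITER is a model-only guard that
 * stands in for the hang; the kernel loop has no such bound. */
#include <stdio.h>
#include <string.h>

#define HID_DEBUG_BUFSIZE 512
#define MAX_ITER 1000

/* Old scheme: byte-wise modulo ring indexed by head/tail. */
struct old_list { char buf[HID_DEBUG_BUFSIZE]; int head, tail; };

static void old_event(struct old_list *l, const char *s)
{
	size_t i;
	for (i = 0; s[i]; i++)
		l->buf[(l->tail + i) % HID_DEBUG_BUFSIZE] = s[i];
	l->tail = (l->tail + i) % HID_DEBUG_BUFSIZE;
}

/* Old reader: bytes copied, or -1 where the kernel would sleep (empty ring)
 * or, with count == 0, spin forever (the guard trips instead). */
static int old_read(struct old_list *l, char *out, size_t count)
{
	int ret = 0, len, iter = 0;
	while (ret == 0) {
		if (l->head == l->tail)
			return -1;
copy_rest:
		if (++iter > MAX_ITER)
			return -1;
		if (l->tail == l->head)
			goto out;
		if (l->tail > l->head) {
			len = l->tail - l->head;
			if (len > (int)count)
				len = (int)count; /* count 0: len 0, ret 0, loop again */
			memcpy(out + ret, &l->buf[l->head], len);
			ret += len;
			l->head += len;
		} else {
			len = HID_DEBUG_BUFSIZE - l->head;
			if (len > (int)count)
				len = (int)count;
			memcpy(out, &l->buf[l->head], len); /* not out + ret */
			l->head = 0;	/* unread bytes before the wrap are lost */
			ret += len;
			count -= len;
			if (count > 0)
				goto copy_rest;
		}
	}
out:
	return ret;
}

/* New scheme: kfifo-style free-running in/out counters, power-of-two size. */
struct new_list { char buf[HID_DEBUG_BUFSIZE]; unsigned in, out; };

static unsigned fifo_len(const struct new_list *l) { return l->in - l->out; }

static void new_event(struct new_list *l, const char *s)
{
	size_t n = strlen(s), room = HID_DEBUG_BUFSIZE - fifo_len(l), i;
	if (n > room)
		n = room;	/* kfifo_in() truncates silently */
	for (i = 0; i < n; i++)
		l->buf[(l->in + i) & (HID_DEBUG_BUFSIZE - 1)] = s[i];
	l->in += n;
}

/* New reader: bytes copied (0 for count == 0), -1 where the kernel would sleep. */
static int new_read(struct new_list *l, char *out, size_t count)
{
	unsigned n = fifo_len(l), i;
	if (n == 0)
		return -1;
	if (n > count)
		n = (unsigned)count;
	for (i = 0; i < n; i++)
		out[i] = l->buf[(l->out + i) & (HID_DEBUG_BUFSIZE - 1)];
	l->out += n;
	return (int)n;
}

/* Scenarios: one constructed event "report 1\n" (9 bytes), read(count 0),
 * then a normal read.  Both return 9 when the reads behave as described. */
static int old_scenario(void)
{
	struct old_list l = { {0}, 0, 0 };
	char out[64];
	old_event(&l, "report 1\n");
	if (old_read(&l, out, 0) != -1)	/* guard trips: the kernel would hang */
		return -100;
	return old_read(&l, out, sizeof out);
}

static int new_scenario(void)
{
	struct new_list l = { {0}, 0, 0 };
	char out[64];
	new_event(&l, "report 1\n");
	if (new_read(&l, out, 0) != 0)	/* returns at once with 0 */
		return -100;
	return new_read(&l, out, sizeof out);
}

int main(void)
{
	printf("old: %d, new: %d\n", old_scenario(), new_scenario());
	return 0;
}
```

The old reader never makes progress when count is 0 because len is clamped to 0, ret stays 0 and the outer loop repeats; the kfifo version has no outer loop, so a zero-length read simply copies nothing and returns 0.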


@ -1,57 +0,0 @@
From: Jann Horn <jannh@google.com>
Date: Sat, 26 Jan 2019 01:54:33 +0100
Subject: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
Origin: https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6974
kvm_ioctl_create_device() does the following:
1. creates a device that holds a reference to the VM object (with a borrowed
reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
reference
The ownership transfer in step 3 must not happen before the reference to the VM
becomes a proper, non-borrowed reference, which only happens in step 4.
After step 3, an attacker can close the file descriptor and drop the borrowed
reference, which can cause the refcount of the kvm object to drop to zero.
This means that we need to grab a reference for the device before
anon_inode_getfd(), otherwise the VM can disappear from under us.
Fixes: 852b6d57dc7f ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
virt/kvm/kvm_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 5ecea812cb6a..585845203db8 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
if (ops->init)
ops->init(dev);
+ kvm_get_kvm(kvm);
ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
if (ret < 0) {
+ kvm_put_kvm(kvm);
mutex_lock(&kvm->lock);
list_del(&dev->vm_node);
mutex_unlock(&kvm->lock);
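Review bot: in the error path kvm_put_kvm() now runs before mutex_lock(&kvm->lock) and list_del(&dev->vm_node); that is only safe because the caller's VM file descriptor still pins kvm for the duration of this ioctl, so the put cannot be the last reference. Either add a comment saying so, or move the kvm_put_kvm() after the unlock so the function never takes a lock inside an object it has just released a reference to.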
@@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
return ret;
}
- kvm_get_kvm(kvm);
cd->fd = ret;
return 0;
}
--
2.11.0
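The reference-ordering bug described in the commit message above, as an added user-space model written for this page (not the kernel's code or Debian's): the VM object is refcounted and starts at 1 for the process's VM fd, closing a device fd drops one reference the way kvm_device_release() does with kvm_put_kvm(), and a second thread closing the fd right after anon_inode_getfd() returns is modelled by the race flag. The names vm_get, vm_put, install_fd and device_fd_close, the freed flag used instead of a real free, and the fd number 3 are stand-ins chosen for the model.

```c
/* Added example, not kernel code: model of the ownership-ordering bug in
 * kvm_ioctl_create_device() (CVE-2019-6974).  The VM starts with refcount 1,
 * held by the VM fd; closing the device fd drops one reference. */
#include <stdio.h>

struct vm { int refcount; int freed; };
struct vm_device { struct vm *vm; };

static void vm_get(struct vm *vm) { vm->refcount++; }
static void vm_put(struct vm *vm) { if (--vm->refcount == 0) vm->freed = 1; }

/* Stand-in for kvm_device_release(): the device's VM reference goes away. */
static void device_fd_close(struct vm_device *dev) { vm_put(dev->vm); }

/* Stand-in for anon_inode_getfd().  Once the fd is installed another thread
 * of the same process may close it before the ioctl returns ('race');
 * 'fail' models fd allocation failure.  Returns the fd or -1. */
static int install_fd(struct vm_device *dev, int fail, int race)
{
	if (fail)
		return -1;
	if (race)
		device_fd_close(dev);
	return 3;	/* arbitrary fd number for the model */
}

/* Pre-fix order: install the fd first, take the VM reference afterwards. */
static int create_device_old(struct vm *vm, int fail, int race)
{
	struct vm_device dev = { vm };
	int fd = install_fd(&dev, fail, race);
	if (fd < 0)
		return fd;
	if (vm->freed)
		return -2;	/* kvm_get_kvm() on a freed object: use-after-free */
	vm_get(vm);
	return fd;
}

/* Fixed order: own the reference before the fd exists; undo it on failure. */
static int create_device_new(struct vm *vm, int fail, int race)
{
	struct vm_device dev = { vm };
	int fd;
	vm_get(vm);
	fd = install_fd(&dev, fail, race);
	if (fd < 0) {
		vm_put(vm);
		return fd;
	}
	if (vm->freed)
		return -2;	/* cannot happen: refcount stays >= 1 throughout */
	return fd;
}

/* Run one scenario on a fresh VM; optionally report the final refcount
 * (0 once the object has been freed). */
static int run(int fixed, int fail, int race, int *refcount_out)
{
	struct vm vm = { 1, 0 };
	int r = fixed ? create_device_new(&vm, fail, race)
		      : create_device_old(&vm, fail, race);
	if (refcount_out)
		*refcount_out = vm.freed ? 0 : vm.refcount;
	return r;
}

static int result(int fixed, int fail, int race) { return run(fixed, fail, race, 0); }

static int refcount_after(int fixed, int fail, int race)
{
	int rc;
	run(fixed, fail, race, &rc);
	return rc;
}

int main(void)
{
	printf("old, fd closed early: %d (refcount %d)\n", result(0, 0, 1), refcount_after(0, 0, 1));
	printf("new, fd closed early: %d (refcount %d)\n", result(1, 0, 1), refcount_after(1, 0, 1));
	printf("new, getfd fails:     %d (refcount %d)\n", result(1, 1, 0), refcount_after(1, 1, 0));
	return 0;
}
```

With the old order an early close drives the refcount from 1 to 0 before kvm_get_kvm() runs, which is the use-after-free the patch closes; with the fixed order the count never drops below 1 while the ioctl is in flight, and the failure path returns it to exactly where it started.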


@ -1,49 +0,0 @@
From: Dennis Zhou <dennis@kernel.org>
Date: Tue, 18 Dec 2018 08:42:27 -0800
Subject: percpu: convert spin_lock_irq to spin_lock_irqsave.
Origin: https://git.kernel.org/linus/6ab7d47bcbf0144a8cb81536c2cead4cde18acfe
From Michael Cree:
"Bisection lead to commit b38d08f3181c ("percpu: restructure
locking") as being the cause of lockups at initial boot on
the kernel built for generic Alpha.
On a suggestion by Tejun Heo that:
So, the only thing I can think of is that it's calling
spin_unlock_irq() while irq handling isn't set up yet.
Can you please try the followings?
1. Convert all spin_[un]lock_irq() to
spin_lock_irqsave/unlock_irqrestore()."
Fixes: b38d08f3181c ("percpu: restructure locking")
Reported-and-tested-by: Michael Cree <mcree@orcon.net.nz>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Dennis Zhou <dennis@kernel.org>
---
mm/percpu-km.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/mm/percpu-km.c
+++ b/mm/percpu-km.c
@@ -50,6 +50,7 @@ static struct pcpu_chunk *pcpu_create_ch
const int nr_pages = pcpu_group_sizes[0] >> PAGE_SHIFT;
struct pcpu_chunk *chunk;
struct page *pages;
+ unsigned long flags;
int i;
chunk = pcpu_alloc_chunk(gfp);
@@ -68,9 +69,9 @@ static struct pcpu_chunk *pcpu_create_ch
chunk->data = pages;
chunk->base_addr = page_address(pages) - pcpu_group_offsets[0];
- spin_lock_irq(&pcpu_lock);
+ spin_lock_irqsave(&pcpu_lock, flags);
pcpu_chunk_populated(chunk, 0, nr_pages, false);
- spin_unlock_irq(&pcpu_lock);
+ spin_unlock_irqrestore(&pcpu_lock, flags);
pcpu_stats_chunk_alloc();
trace_percpu_create_chunk(chunk->base_addr);
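Review bot: the description quotes the suggestion to convert all spin_[un]lock_irq() pairs, but the diffstat touches only mm/percpu-km.c and this hunk converts the single pair in pcpu_create_chunk(). If that is the only pair reachable before interrupt handling is set up on Alpha, say so in the description; otherwise the remaining spin_[un]lock_irq() callers in the percpu allocator need the same irqsave/irqrestore treatment for the early-boot lockup to be fully closed.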


@ -1,37 +0,0 @@
From: Peter Shier <pshier@google.com>
Date: Thu, 11 Oct 2018 11:46:46 -0700
Subject: KVM: nVMX: unconditionally cancel preemption timer in free_nested
(CVE-2019-7221)
Origin: https://git.kernel.org/linus/ecec76885bcfe3294685dc363fd1273df0d5d65f
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-7221
Bugzilla: 1671904
There are multiple code paths where an hrtimer may have been started to
emulate an L1 VMX preemption timer that can result in a call to free_nested
without an intervening L2 exit where the hrtimer is normally
cancelled. Unconditionally cancel in free_nested to cover all cases.
Embargoed until Feb 7th 2019.
Signed-off-by: Peter Shier <pshier@google.com>
Reported-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Message-Id: <20181011184646.154065-1-pshier@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[carnil: Backport to 4.19. Adjust filename to arch/x86/kvm/vmx/vmx.c
as later refactoring moved nested code to dedicated files]
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8469,6 +8469,7 @@ static void free_nested(struct vcpu_vmx
if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
return;
+ hrtimer_cancel(&vmx->nested.preemption_timer);
vmx->nested.vmxon = false;
vmx->nested.smm.vmxon = false;
free_vpid(vmx->nested.vpid02);
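Review bot: hrtimer_cancel() waits for an in-flight timer callback to finish, so placing it here assumes free_nested() is only ever reached from a context that can wait; a one-line comment above the new call stating that would make the placement self-explanatory. Putting it after the `!vmx->nested.vmxon && !vmx->nested.smm.vmxon` early return is right, since the timer emulating the L1 preemption timer can only have been armed while nested VMX was in use.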


@ -1,48 +0,0 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 29 Jan 2019 18:41:16 +0100
Subject: KVM: x86: work around leak of uninitialized stack contents
(CVE-2019-7222)
Origin: https://git.kernel.org/linus/353c0956a618a07ba4bbe7ad00ff29fe70e8412a
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-7222
Bugzilla: 1671930
Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
when passed an operand that points to an MMIO address. The page fault
will use uninitialized kernel stack memory as the CR2 and error code.
The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
exit to userspace; however, it is not an easy fix, so for now just
ensure that the error code and CR2 are zero.
Embargoed until Feb 7th 2019.
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/x86.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3d27206f6c01..e67ecf25e690 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
{
u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
+ /*
+ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+ * is returned, but our callers are not ready for that and they blindly
+ * call kvm_inject_page_fault. Ensure that they at least do not leak
+ * uninitialized kernel stack memory into cr2 and error code.
+ */
+ memset(exception, 0, sizeof(*exception));
return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
exception);
}
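Review bot: the memset() covers only kvm_read_guest_virt(), while the description lists VMXON, VMCLEAR, VMPTRLD, VMWRITE with memory operand, INVEPT and INVVPID as affected; the FIXME itself says the callers still blindly inject whatever the struct contains, so the description should state that every one of those paths obtains its x86_exception through this function and not through a sibling helper that would need the same zeroing. Zeroing the whole struct also wipes anything a caller set before the call, which is harmless only if no caller pre-populates it; a short comment recording that assumption next to the memset() would help.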
--
2.11.0


@ -102,7 +102,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
bugfix/all/percpu-convert-spin_lock_irq-to-spin_lock_irqsave.patch
bugfix/all/mt76-use-the-correct-hweight8-function.patch
bugfix/all/btrfs-fix-corruption-reading-shared-and-compressed-e.patch
@ -144,10 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch
bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch
bugfix/x86/KVM-nVMX-unconditionally-cancel-preemption-timer-in-.patch
bugfix/all/HID-debug-fix-the-ring-buffer-implementation.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch