diff --git a/debian/changelog b/debian/changelog
index 2807301e2..b520823b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,311 @@
-linux (4.19.20-2) UNRELEASED; urgency=medium
+linux (4.19.21-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21
+ - devres: Align data[] to ARCH_KMALLOC_MINALIGN
+ - drm/bufs: Fix Spectre v1 vulnerability
+ - drm/vgem: Fix vgem_init to get drm device available.
+ - [arm*] pinctrl: bcm2835: Use raw spinlock for RT compatibility
+ - [x86] ASoC: Intel: mrfld: fix uninitialized variable access
+ - gpiolib: Fix possible use after free on label
+ - [armhf] drm/sun4i: Initialize registers in tcon-top driver
+ - genirq/affinity: Spread IRQs to all available NUMA nodes
+ - [armhf] gpu: ipu-v3: image-convert: Prevent race between run and
+ unprepare
+ - wil6210: fix reset flow for Talyn-mb
+ - wil6210: fix memory leak in wil_find_tx_bcast_2
+ - ath10k: assign 'n_cipher_suites' for WCN3990
+ - ath9k: dynack: use authentication messages for 'late' ack
+ - scsi: lpfc: Correct LCB RJT handling
+ - scsi: mpt3sas: Call sas_remove_host before removing the target devices
+ - scsi: lpfc: Fix LOGO/PLOGI handling when triggerd by ABTS Timeout event
+ - [armhf] 8808/1: kexec:offline panic_smp_self_stop CPU
+ - [mips] clk: boston: fix possible memory leak in clk_boston_setup()
+ - dlm: Don't swamp the CPU with callbacks queued during recovery
+ - [x86] PCI: Fix Broadcom CNB20LE unintended sign extension (redux)
+ - [powerpc] pseries: add of_node_put() in dlpar_detach_node()
+ - crypto: aes_ti - disable interrupts while accessing S-box
+ - [arm*] drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE
+ - serial: fsl_lpuart: clear parity enable bit when disable parity
+ - ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
+ - [mips] Boston: Disable EG20T prefetch
+ - dpaa2-ptp: defer probe when portal allocation failed
+ - iwlwifi: fw: do not set sgi bits for HE connection
+ - fpga: altera-cvp: Fix registration for CvP incapable devices
+ - [x86] fpga: altera-cvp: fix 'bad IO access' on x86_64
+ - [x86] vbox: fix link error with 'gcc -Og'
+ - platform/chrome: don't report EC_MKBP_EVENT_SENSOR_FIFO as wakeup
+ - i40e: prevent overlapping tx_timeout recover
+ - scsi: hisi_sas: change the time of SAS SSP connection
+ - usbnet: smsc95xx: fix rx packet alignment
+ - [armhf,arm64] drm/rockchip: fix for mailbox read size
+ - [arm*] OMAP2+: hwmod: Fix some section annotations
+ - drm/amd/display: fix gamma not being applied correctly
+ - drm/amd/display: calculate stream->phy_pix_clk before clock mapping
+ - bpf: libbpf: retry map creation without the name
+ - net/mlx5: EQ, Use the right place to store/read IRQ affinity hint
+ - modpost: validate symbol names also in find_elf_symbol
+ - perf tools: Add Hygon Dhyana support
+ - [armhf] soc/tegra: Don't leak device tree node reference
+ - media: rc: ensure close() is called on rc_unregister_device
+ - media: video-i2c: avoid accessing released memory area when removing
+ driver
+ - [armhf] media: mtk-vcodec: Release device nodes in
+ mtk_vcodec_init_enc_pm()
+ - ptp: Fix pass zero to ERR_PTR() in ptp_clock_register
+ - dmaengine: xilinx_dma: Remove __aligned attribute on zynqmp_dma_desc_ll
+ - [powerpc] 32: Add .data..Lubsan_data*/.data..Lubsan_type* sections
+ explicitly
+ - media: adv*/tc358743/ths8200: fill in min width/height/pixelclock
+ - ACPI: SPCR: Consider baud rate 0 as preconfigured state
+ - f2fs: move dir data flush to write checkpoint process
+ - f2fs: fix race between write_checkpoint and write_begin
+ - f2fs: fix wrong return value of f2fs_acl_create
+ - i2c: sh_mobile: add support for r8a77990 (R-Car E3)
+ - [arm64] io: Ensure calls to delay routines are ordered against prior
+ readX()
+ - net: aquantia: return 'err' if set MPI_DEINIT state fails
+ - [sparc*] sunvdc: Do not spin in an infinite loop when vio_ldc_send()
+ returns EAGAIN
+ - soc: bcm: brcmstb: Don't leak device tree node reference
+ - nfsd4: fix crash on writing v4_end_grace before nfsd startup
+ - drm: Clear state->acquire_ctx before leaving
+ drm_atomic_helper_commit_duplicated_state()
+ - perf: arm_spe: handle devm_kasprintf() failure
+ - [arm64] io: Ensure value passed to __iormb() is held in a 64-bit register
+ - Thermal: do not clear passive state during system sleep
+ - thermal: Fix locking in cooling device sysfs update cur_state
+ - firmware/efi: Add NULL pointer checks in efivars API functions
+ - [s390] zcrypt: improve special ap message cmd handling
+ - mt76x0: dfs: fix IBI_R11 configuration on non-radar channels
+ - [arm64] ftrace: don't adjust the LR value
+ - ARM: dts: mmp2: fix TWSI2
+ - ARM: dts: aspeed: add missing memory unit-address
+ - [x86] fpu: Add might_fault() to user_insn()
+ - media: i2c: TDA1997x: select CONFIG_HDMI
+ - media: DaVinci-VPBE: fix error handling in vpbe_initialize()
+ - smack: fix access permissions for keyring
+ - usb: dwc3: Correct the logic for checking TRB full in
+ __dwc3_prepare_one_trb()
+ - usb: dwc2: Disable power down feature on Samsung SoCs
+ - usb: hub: delay hub autosuspend if USB3 port is still link training
+ - timekeeping: Use proper seqcount initializer
+ - usb: mtu3: fix the issue about SetFeature(U1/U2_Enable)
+ - [armhf] clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module
+ clocks
+ - media: imx274: select REGMAP_I2C
+ - drm/amdgpu/powerplay: fix clock stretcher limits on polaris (v2)
+ - tipc: fix node keep alive interval calculation
+ - driver core: Move async_synchronize_full call
+ - kobject: return error code if writing /sys/.../uevent fails
+ - IB/hfi1: Unreserve a reserved request when it is completed
+ - usb: dwc3: trace: add missing break statement to make compiler happy
+ - [mips] gpio: mt7621: report failure of devm_kasprintf()
+ - [mips] gpio: mt7621: pass mediatek_gpio_bank_probe() failure up the stack
+ - [x86] iommu/amd: Fix amd_iommu=force_isolation
+ - [armhf] dts: Fix OMAP4430 SDP Ethernet startup
+ - [mips] bpf: fix encoding bug for mm_srlv32_op
+ - media: coda: fix H.264 deblocking filter controls
+ - [armel] dts: Fix up the D-Link DIR-685 MTD partition info
+ - watchdog: renesas_wdt: don't set divider while watchdog is running
+ - [armhf] dts: imx51-zii-rdu1: Do not specify "power-gpio" for hpa1
+ - usb: dwc3: gadget: Disable CSP for stream OUT ep
+ - [arm64] iommu/arm-smmu-v3: Avoid memory corruption from Hisilicon MSI
+ payloads
+ - [arm64] iommu/arm-smmu: Add support for qcom,smmu-v2 variant
+ - [arm64] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
+ - [armhf] clk: imx6sl: ensure MMDC CH0 handshake is bypassed
+ - [x86] platform: mlx-platform: Fix tachometer registers
+ - cpuidle: big.LITTLE: fix refcount leak
+ - OPP: Use opp_table->regulators to verify no regulator case
+ - tee: optee: avoid possible double list_del()
+ - drm/msm/dsi: fix dsi clock names in DSI 10nm PLL driver
+ - drm/msm: dpu: Only check flush register against pending flushes
+ - lightnvm: pblk: fix resubmission of overwritten write err lbas
+ - lightnvm: pblk: add lock protection to list operations
+ - i2c-axxia: check for error conditions first
+ - [armhf] phy: sun4i-usb: add support for missing USB PHY index
+ - udf: Fix BUG on corrupted inode
+ - selftests/bpf: use __bpf_constant_htons in test_prog.c
+ - [armel] pxa: avoid section mismatch warning
+ - [armhf] ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M
+ - [powerpc] KVM: Book3S: Only report KVM_CAP_SPAPR_TCE_VFIO on powernv
+ machines
+ - [arm*] mmc: bcm2835: Recover from MMC_SEND_EXT_CSD
+ - [arm*] mmc: bcm2835: reset host on timeout
+ - memstick: Prevent memstick host from getting runtime suspended during
+ card detection
+ - mmc: sdhci-of-esdhc: Fix timeout checks
+ - mmc: sdhci-omap: Fix timeout checks
+ - mmc: sdhci-xenon: Fix timeout checks
+ - [mips] mmc: jz4740: Get CD/WP GPIOs from descriptors
+ - usb: renesas_usbhs: add support for RZ/G2E
+ - btrfs: harden agaist duplicate fsid on scanned devices
+ - serial: sh-sci: Fix locking in sci_submit_rx()
+ - serial: sh-sci: Resume PIO in sci_rx_interrupt() on DMA failure
+ - tty: serial: samsung: Properly set flags in autoCTS mode
+ - perf test: Fix perf_event_attr test failure
+ - perf dso: Fix unchecked usage of strncpy()
+ - perf header: Fix unchecked usage of strncpy()
+ - btrfs: use tagged writepage to mitigate livelock of snapshot
+ - perf probe: Fix unchecked usage of strncpy()
+ - i2c: sh_mobile: Add support for r8a774c0 (RZ/G2E)
+ - bnxt_en: Disable MSIX before re-reserving NQs/CMPL rings.
+ - [x86] tools/power/x86/intel_pstate_tracer: Fix non root execution for
+ post processing a trace file
+ - livepatch: check kzalloc return values
+ - [arm64] KVM: Skip MMIO insn after emulation
+ - usb: musb: dsps: fix otg state machine
+ - usb: musb: dsps: fix runtime pm for peripheral mode
+ - perf header: Fix up argument to ctime()
+ - perf tools: Cast off_t to s64 to avoid warning on bionic libc
+ - percpu: convert spin_lock_irq to spin_lock_irqsave.
+ - [arm64] net: hns3: fix incomplete uninitialization of IRQ in the
+ hns3_nic_uninit_vector_data()
+ - drm/amd/display: Add retry to read ddc_clock pin
+ - Bluetooth: hci_bcm: Handle deferred probing for the clock supply
+ - drm/amd/display: fix YCbCr420 blank color
+ - [powerpc] uaccess: fix warning/error with access_ok()
+ - mac80211: fix radiotap vendor presence bitmap handling
+ - xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi
+ - mlxsw: spectrum: Properly cleanup LAG uppers when removing port from LAG
+ - scsi: smartpqi: correct host serial num for ssa
+ - scsi: smartpqi: correct volume status
+ - scsi: smartpqi: increase fw status register read timeout
+ - cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
+ - [arm64] net: hns3: add max vector number check for pf
+ - [powerpc] perf: Fix thresholding counter data for unknown type
+ - iwlwifi: mvm: fix setting HE ppe FW config
+ - [powerpc] powernv/ioda: Allocate indirect TCE levels of cached userspace
+ addresses on demand
+ - mlx5: update timecounter at least twice per counter overflow
+ - drbd: narrow rcu_read_lock in drbd_sync_handshake
+ - drbd: disconnect, if the wrong UUIDs are attached on a connected peer
+ - drbd: skip spurious timeout (ping-timeo) when failing promote
+ - drbd: Avoid Clang warning about pointless switch statment
+ - drm/amd/display: validate extended dongle caps
+ - video: clps711x-fb: release disp device node in probe()
+ - md: fix raid10 hang issue caused by barrier
+ - fbdev: fbmem: behave better with small rotated displays and many CPUs
+ - i40e: define proper net_device::neigh_priv_len
+ - ice: Do not enable NAPI on q_vectors that have no rings
+ - igb: Fix an issue that PME is not enabled during runtime suspend
+ - ACPI/APEI: Clear GHES block_status before panic()
+ - fbdev: fbcon: Fix unregister crash when more than one framebuffer
+ - [powerpc] mm: Fix reporting of kernel execute faults on the 8xx
+ - [x86] KVM: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
+ - [powerpc] fadump: Do not allow hot-remove memory from fadump reserved
+ area.
+ - kvm: Change offset in kvm_write_guest_offset_cached to unsigned
+ - NFS: nfs_compare_mount_options always compare auth flavors.
+ - perf build: Don't unconditionally link the libbfd feature test to
+ -liberty and -lz
+ - hwmon: (lm80) fix a missing check of the status of SMBus read
+ - hwmon: (lm80) fix a missing check of bus read in lm80 probe
+ - seq_buf: Make seq_buf_puts() null-terminate the buffer
+ - crypto: ux500 - Use proper enum in cryp_set_dma_transfer
+ - crypto: ux500 - Use proper enum in hash_set_dma_transfer
+ - [mips] ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8
+ - cifs: check ntwrk_buf_start for NULL before dereferencing it
+ - f2fs: fix use-after-free issue when accessing sbi->stat_info
+ - um: Avoid marking pages with "changed protection"
+ - niu: fix missing checks of niu_pci_eeprom_read
+ - f2fs: fix sbi->extent_list corruption issue
+ - cgroup: fix parsing empty mount option string
+ - perf python: Do not force closing original perf descriptor in
+ evlist.get_pollfd()
+ - scripts/decode_stacktrace: only strip base path when a prefix of the path
+ - arch/sh/boards/mach-kfr2r09/setup.c: fix struct mtd_oob_ops build warning
+ - ocfs2: don't clear bh uptodate for block read
+ - ocfs2: improve ocfs2 Makefile
+ - mm/page_alloc.c: don't call kasan_free_pages() at deferred mem init
+ - zram: fix lockdep warning of free block handling
+ - isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in
+ HFCPCI_l1hw()
+ - gdrom: fix a memory leak bug
+ - fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address()
+ - block/swim3: Fix -EBUSY error when re-opening device after unmount
+ - [arm*] thermal: bcm2835: enable hwmon explicitly
+ - kdb: Don't back trace on a cpu that didn't round up
+ - [armhf] PCI: imx: Enable MSI from downstream components
+ - thermal: generic-adc: Fix adc to temp interpolation
+ - [arm64] sve: ptrace: Fix SVE_PT_REGS_OFFSET definition
+ - kernel/hung_task.c: break RCU locks based on jiffies
+ - proc/sysctl: fix return error for proc_doulongvec_minmax()
+ - kernel/hung_task.c: force console verbose before panic
+ - fs/epoll: drop ovflist branch prediction
+ - exec: load_script: don't blindly truncate shebang string
+ - kernel/kcov.c: mark write_comp_data() as notrace
+ - scripts/gdb: fix lx-version string output
+ - xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat
+ - xfs: cancel COW blocks before swapext
+ - xfs: Fix error code in 'xfs_ioc_getbmap()'
+ - xfs: fix overflow in xfs_attr3_leaf_verify
+ - xfs: fix shared extent data corruption due to missing cow reservation
+ - xfs: fix transient reference count error in
+ xfs_buf_resubmit_failed_buffers
+ - xfs: delalloc -> unwritten COW fork allocation can go wrong
+ - fs/xfs: fix f_ffree value for statfs when project quota is set
+ - xfs: fix PAGE_MASK usage in xfs_free_file_space
+ - xfs: fix inverted return from xfs_btree_sblock_verify_crc
+ - thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set
+ - dccp: fool proof ccid_hc_[rt]x_parse_options()
+ - enic: fix checksum validation for IPv6
+ - lib/test_rhashtable: Make test_insert_dup() allocate its hash table
+ dynamically
+ - net: dp83640: expire old TX-skb
+ - net: dsa: Fix lockdep false positive splat
+ - net: dsa: Fix NULL checking in dsa_slave_set_eee()
+ - net: dsa: mv88e6xxx: Fix counting of ATU violations
+ - net: dsa: slave: Don't propagate flag changes on down slave interfaces
+ - net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames
+ - net: systemport: Fix WoL with password after deep sleep
+ - rds: fix refcount bug in rds_sock_addref
+ - Revert "net: phy: marvell: avoid pause mode on SGMII-to-Copper for
+ 88e151x"
+ - rxrpc: bad unlock balance in rxrpc_recvmsg
+ - sctp: check and update stream->out_curr when allocating stream_out
+ - sctp: walk the list of asoc safely (CVE-2019-8956)
+ - skge: potential memory corruption in skge_get_regs()
+ - virtio_net: Account for tx bytes and packets on sending xdp_frames
+ - net/mlx5e: FPGA, fix Innova IPsec TX offload data path performance
+ - xfs: eof trim writeback mapping as soon as it is cached
+ - ALSA: compress: Fix stop handling on compressed capture streams
+ - ALSA: usb-audio: Add support for new T+A USB DAC
+ - ALSA: hda - Serialize codec registrations
+ - ALSA: hda/realtek - Fix lose hp_pins for disable auto mute
+ - ALSA: hda/realtek - Use a common helper for hp pin reference
+ - ALSA: hda/realtek - Headset microphone support for System76 darp5
+ - fuse: call pipe_buf_release() under pipe lock
+ - fuse: decrement NR_WRITEBACK_TEMP on the right page
+ - fuse: handle zero sized retrieve correctly
+ - [arm*] dmaengine: bcm2835: Fix interrupt race on RT
+ - [arm*] dmaengine: bcm2835: Fix abort of transactions
+ - [armhf] dmaengine: imx-dma: fix wrong callback invoke
+ - futex: Handle early deadlock return correctly
+ - [arm64] irqchip/gic-v3-its: Plug allocation race for devices sharing a
+ DevID
+ - [armhf] usb: phy: am335x: fix race condition in _probe
+ - usb: dwc3: gadget: Handle 0 xfer length for OUT EP
+ - usb: gadget: udc: net2272: Fix bitwise and boolean operations
+ - usb: gadget: musb: fix short isoc packets with inventra dma
+ - staging: speakup: fix tty-operation NULL derefs
+ - scsi: cxlflash: Prevent deadlock when adapter probe fails
+ - scsi: aic94xx: fix module loading
+ - cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM
+ - [x86] perf/x86/intel/uncore: Add Node ID mask
+ - [x86] MCE: Initialize mce.bank in the case of a fatal error in
+ mce_no_way_out()
+ - perf/core: Don't WARN() for impossible ring-buffer sizes
+ - perf tests evsel-tp-sched: Fix bitwise operator
+ - serial: fix race between flush_to_ldisc and tty_open
+ - serial: 8250_pci: Make PCI class test non fatal
+ - serial: sh-sci: Do not free irqs that have already been freed
+ - cacheinfo: Keep the old value if of_property_read_u32 fails
+ - IB/hfi1: Add limit test for RC/UC send via loopback
+ - [x86] perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu()
+ - ath9k: dynack: make ewma estimation faster
+ - ath9k: dynack: check da->enabled first in sampling routines
 
 [ Ben Hutchings ]
 * [sparc64] udeb: Use standard module list in nic-modules; add i2c-modules
diff --git a/debian/patches/bugfix/all/HID-debug-fix-the-ring-buffer-implementation.patch b/debian/patches/bugfix/all/HID-debug-fix-the-ring-buffer-implementation.patch
deleted file mode 100644
index 5c7a0b408..000000000
--- a/debian/patches/bugfix/all/HID-debug-fix-the-ring-buffer-implementation.patch
+++ /dev/null
@@ -1,259 +0,0 @@ -From: Vladis Dronov -Date: Tue, 29 Jan 2019 11:58:35 +0100 -Subject: HID: debug: fix the ring buffer implementation -Origin: https://git.kernel.org/linus/13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3819 - -Ring buffer implementation in hid_debug_event() and hid_debug_events_read() -is strange allowing lost or corrupted data. After commit 717adfdaf147 -("HID: debug: check length before copy_to_user()") it is possible to enter -an infinite loop in hid_debug_events_read() by providing 0 as count, this -locks up a system. Fix this by rewriting the ring buffer implementation -with kfifo and simplify the code. - -This fixes CVE-2019-3819. - -v2: fix an execution logic and add a comment -v3: use __set_current_state() instead of set_current_state() - -Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187 -Cc: stable@vger.kernel.org # v4.18+ -Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping") -Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()") -Signed-off-by: Vladis Dronov -Reviewed-by: Oleg Nesterov -Signed-off-by: Benjamin Tissoires ---- - drivers/hid/hid-debug.c | 120 ++++++++++++++++++---------------------------- - include/linux/hid-debug.h | 9 ++-- - 2 files changed, 51 insertions(+), 78 deletions(-) - -diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c -index c530476edba6..ac9fda1b5a72 100644 ---- a/drivers/hid/hid-debug.c -+++ b/drivers/hid/hid-debug.c -@@ -30,6 +30,7 @@ - - #include - #include -+#include - #include - #include - #include -@@ -661,17 +662,12 @@ EXPORT_SYMBOL_GPL(hid_dump_device); - /* enqueue string to 'events' ring buffer */ - void hid_debug_event(struct hid_device *hdev, char *buf) - { -- unsigned i; - struct hid_debug_list *list; - unsigned long flags; - - spin_lock_irqsave(&hdev->debug_list_lock, flags); -- list_for_each_entry(list, &hdev->debug_list, node) { -- for (i = 0; buf[i]; i++) -- 
list->hid_debug_buf[(list->tail + i) % HID_DEBUG_BUFSIZE] = -- buf[i]; -- list->tail = (list->tail + i) % HID_DEBUG_BUFSIZE; -- } -+ list_for_each_entry(list, &hdev->debug_list, node) -+ kfifo_in(&list->hid_debug_fifo, buf, strlen(buf)); - spin_unlock_irqrestore(&hdev->debug_list_lock, flags); - - wake_up_interruptible(&hdev->debug_wait); -@@ -722,8 +718,7 @@ void hid_dump_input(struct hid_device *hdev, struct hid_usage *usage, __s32 valu - hid_debug_event(hdev, buf); - - kfree(buf); -- wake_up_interruptible(&hdev->debug_wait); -- -+ wake_up_interruptible(&hdev->debug_wait); - } - EXPORT_SYMBOL_GPL(hid_dump_input); - -@@ -1083,8 +1078,8 @@ static int hid_debug_events_open(struct inode *inode, struct file *file) - goto out; - } - -- if (!(list->hid_debug_buf = kzalloc(HID_DEBUG_BUFSIZE, GFP_KERNEL))) { -- err = -ENOMEM; -+ err = kfifo_alloc(&list->hid_debug_fifo, HID_DEBUG_FIFOSIZE, GFP_KERNEL); -+ if (err) { - kfree(list); - goto out; - } -@@ -1104,77 +1099,57 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, - size_t count, loff_t *ppos) - { - struct hid_debug_list *list = file->private_data; -- int ret = 0, len; -+ int ret = 0, copied; - DECLARE_WAITQUEUE(wait, current); - - mutex_lock(&list->read_mutex); -- while (ret == 0) { -- if (list->head == list->tail) { -- add_wait_queue(&list->hdev->debug_wait, &wait); -- set_current_state(TASK_INTERRUPTIBLE); -- -- while (list->head == list->tail) { -- if (file->f_flags & O_NONBLOCK) { -- ret = -EAGAIN; -- break; -- } -- if (signal_pending(current)) { -- ret = -ERESTARTSYS; -- break; -- } -+ if (kfifo_is_empty(&list->hid_debug_fifo)) { -+ add_wait_queue(&list->hdev->debug_wait, &wait); -+ set_current_state(TASK_INTERRUPTIBLE); -+ -+ while (kfifo_is_empty(&list->hid_debug_fifo)) { -+ if (file->f_flags & O_NONBLOCK) { -+ ret = -EAGAIN; -+ break; -+ } - -- if (!list->hdev || !list->hdev->debug) { -- ret = -EIO; -- set_current_state(TASK_RUNNING); -- goto out; -- } -+ if 
(signal_pending(current)) { -+ ret = -ERESTARTSYS; -+ break; -+ } - -- /* allow O_NONBLOCK from other threads */ -- mutex_unlock(&list->read_mutex); -- schedule(); -- mutex_lock(&list->read_mutex); -- set_current_state(TASK_INTERRUPTIBLE); -+ /* if list->hdev is NULL we cannot remove_wait_queue(). -+ * if list->hdev->debug is 0 then hid_debug_unregister() -+ * was already called and list->hdev is being destroyed. -+ * if we add remove_wait_queue() here we can hit a race. -+ */ -+ if (!list->hdev || !list->hdev->debug) { -+ ret = -EIO; -+ set_current_state(TASK_RUNNING); -+ goto out; - } - -- set_current_state(TASK_RUNNING); -- remove_wait_queue(&list->hdev->debug_wait, &wait); -+ /* allow O_NONBLOCK from other threads */ -+ mutex_unlock(&list->read_mutex); -+ schedule(); -+ mutex_lock(&list->read_mutex); -+ set_current_state(TASK_INTERRUPTIBLE); - } - -- if (ret) -- goto out; -+ __set_current_state(TASK_RUNNING); -+ remove_wait_queue(&list->hdev->debug_wait, &wait); - -- /* pass the ringbuffer contents to userspace */ --copy_rest: -- if (list->tail == list->head) -+ if (ret) - goto out; -- if (list->tail > list->head) { -- len = list->tail - list->head; -- if (len > count) -- len = count; -- -- if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { -- ret = -EFAULT; -- goto out; -- } -- ret += len; -- list->head += len; -- } else { -- len = HID_DEBUG_BUFSIZE - list->head; -- if (len > count) -- len = count; -- -- if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { -- ret = -EFAULT; -- goto out; -- } -- list->head = 0; -- ret += len; -- count -= len; -- if (count > 0) -- goto copy_rest; -- } -- - } -+ -+ /* pass the fifo content to userspace, locking is not needed with only -+ * one concurrent reader and one concurrent writer -+ */ -+ ret = kfifo_to_user(&list->hid_debug_fifo, buffer, count, &copied); -+ if (ret) -+ goto out; -+ ret = copied; - out: - mutex_unlock(&list->read_mutex); - return ret; -@@ -1185,7 +1160,7 @@ static 
__poll_t hid_debug_events_poll(struct file *file, poll_table *wait) - struct hid_debug_list *list = file->private_data; - - poll_wait(file, &list->hdev->debug_wait, wait); -- if (list->head != list->tail) -+ if (!kfifo_is_empty(&list->hid_debug_fifo)) - return EPOLLIN | EPOLLRDNORM; - if (!list->hdev->debug) - return EPOLLERR | EPOLLHUP; -@@ -1200,7 +1175,7 @@ static int hid_debug_events_release(struct inode *inode, struct file *file) - spin_lock_irqsave(&list->hdev->debug_list_lock, flags); - list_del(&list->node); - spin_unlock_irqrestore(&list->hdev->debug_list_lock, flags); -- kfree(list->hid_debug_buf); -+ kfifo_free(&list->hid_debug_fifo); - kfree(list); - - return 0; -@@ -1246,4 +1221,3 @@ void hid_debug_exit(void) - { - debugfs_remove_recursive(hid_debug_root); - } -- -diff --git a/include/linux/hid-debug.h b/include/linux/hid-debug.h -index 8663f216c563..2d6100edf204 100644 ---- a/include/linux/hid-debug.h -+++ b/include/linux/hid-debug.h -@@ -24,7 +24,10 @@ - - #ifdef CONFIG_DEBUG_FS - -+#include -+ - #define HID_DEBUG_BUFSIZE 512 -+#define HID_DEBUG_FIFOSIZE 512 - - void hid_dump_input(struct hid_device *, struct hid_usage *, __s32); - void hid_dump_report(struct hid_device *, int , u8 *, int); -@@ -37,11 +40,8 @@ void hid_debug_init(void); - void hid_debug_exit(void); - void hid_debug_event(struct hid_device *, char *); - -- - struct hid_debug_list { -- char *hid_debug_buf; -- int head; -- int tail; -+ DECLARE_KFIFO_PTR(hid_debug_fifo, char); - struct fasync_struct *fasync; - struct hid_device *hdev; - struct list_head node; -@@ -64,4 +64,3 @@ struct hid_debug_list { - #endif - - #endif -- --- -2.11.0 - diff --git a/debian/patches/bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch b/debian/patches/bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch deleted file mode 100644 index 0ac911484..000000000 --- a/debian/patches/bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch +++ /dev/null 
@@ -1,57 +0,0 @@
-From: Jann Horn
-Date: Sat, 26 Jan 2019 01:54:33 +0100
-Subject: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
-Origin: https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6974
-
-kvm_ioctl_create_device() does the following:
-
-1. creates a device that holds a reference to the VM object (with a borrowed
- reference, the VM's refcount has not been bumped yet)
-2. initializes the device
-3. transfers the reference to the device to the caller's file descriptor table
-4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
- reference
-
-The ownership transfer in step 3 must not happen before the reference to the VM
-becomes a proper, non-borrowed reference, which only happens in step 4.
-After step 3, an attacker can close the file descriptor and drop the borrowed
-reference, which can cause the refcount of the kvm object to drop to zero.
-
-This means that we need to grab a reference for the device before
-anon_inode_getfd(), otherwise the VM can disappear from under us.
-
-Fixes: 852b6d57dc7f ("kvm: add device control API")
-Cc: stable@kernel.org
-Signed-off-by: Jann Horn
-Signed-off-by: Paolo Bonzini
----
- virt/kvm/kvm_main.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 5ecea812cb6a..585845203db8 100644
---- a/virt/kvm/kvm_main.c
-+++ b/virt/kvm/kvm_main.c
-@@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
- if (ops->init)
- ops->init(dev);
-
-+ kvm_get_kvm(kvm);
- ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
- if (ret < 0) {
-+ kvm_put_kvm(kvm);
- mutex_lock(&kvm->lock);
- list_del(&dev->vm_node);
- mutex_unlock(&kvm->lock);
-@@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
- return ret;
- }
-
-- kvm_get_kvm(kvm);
- cd->fd = ret;
- return 0;
- }
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/percpu-convert-spin_lock_irq-to-spin_lock_irqsave.patch b/debian/patches/bugfix/all/percpu-convert-spin_lock_irq-to-spin_lock_irqsave.patch
deleted file mode 100644
index bffa68484..000000000
--- a/debian/patches/bugfix/all/percpu-convert-spin_lock_irq-to-spin_lock_irqsave.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Dennis Zhou
-Date: Tue, 18 Dec 2018 08:42:27 -0800
-Subject: percpu: convert spin_lock_irq to spin_lock_irqsave.
-Origin: https://git.kernel.org/linus/6ab7d47bcbf0144a8cb81536c2cead4cde18acfe
-
-From Michael Cree:
- "Bisection lead to commit b38d08f3181c ("percpu: restructure
- locking") as being the cause of lockups at initial boot on
- the kernel built for generic Alpha.
-
- On a suggestion by Tejun Heo that:
-
- So, the only thing I can think of is that it's calling
- spin_unlock_irq() while irq handling isn't set up yet.
- Can you please try the followings?
-
- 1. Convert all spin_[un]lock_irq() to
- spin_lock_irqsave/unlock_irqrestore()."
-
-Fixes: b38d08f3181c ("percpu: restructure locking")
-Reported-and-tested-by: Michael Cree
-Acked-by: Tejun Heo
-Signed-off-by: Dennis Zhou
----
- mm/percpu-km.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/mm/percpu-km.c
-+++ b/mm/percpu-km.c
-@@ -50,6 +50,7 @@ static struct pcpu_chunk *pcpu_create_ch
- const int nr_pages = pcpu_group_sizes[0] >> PAGE_SHIFT;
- struct pcpu_chunk *chunk;
- struct page *pages;
-+ unsigned long flags;
- int i;
-
- chunk = pcpu_alloc_chunk(gfp);
-@@ -68,9 +69,9 @@ static struct pcpu_chunk *pcpu_create_ch
- chunk->data = pages;
- chunk->base_addr = page_address(pages) - pcpu_group_offsets[0];
-- spin_lock_irq(&pcpu_lock);
-+ spin_lock_irqsave(&pcpu_lock, flags);
- pcpu_chunk_populated(chunk, 0, nr_pages, false);
-- spin_unlock_irq(&pcpu_lock);
-+ spin_unlock_irqrestore(&pcpu_lock, flags);
-
- pcpu_stats_chunk_alloc();
- trace_percpu_create_chunk(chunk->base_addr);
diff --git a/debian/patches/bugfix/x86/KVM-nVMX-unconditionally-cancel-preemption-timer-in-.patch b/debian/patches/bugfix/x86/KVM-nVMX-unconditionally-cancel-preemption-timer-in-.patch
deleted file mode 100644
index 9e55a4928..000000000
--- a/debian/patches/bugfix/x86/KVM-nVMX-unconditionally-cancel-preemption-timer-in-.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Peter Shier
-Date: Thu, 11 Oct 2018 11:46:46 -0700
-Subject: KVM: nVMX: unconditionally cancel preemption timer in free_nested
- (CVE-2019-7221)
-Origin: https://git.kernel.org/linus/ecec76885bcfe3294685dc363fd1273df0d5d65f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-7221
-
-Bugzilla: 1671904
-
-There are multiple code paths where an hrtimer may have been started to
-emulate an L1 VMX preemption timer that can result in a call to free_nested
-without an intervening L2 exit where the hrtimer is normally
-cancelled. Unconditionally cancel in free_nested to cover all cases.
-
-Embargoed until Feb 7th 2019.
-
-Signed-off-by: Peter Shier
-Reported-by: Jim Mattson
-Reviewed-by: Jim Mattson
-Reported-by: Felix Wilhelm
-Cc: stable@kernel.org
-Message-Id: <20181011184646.154065-1-pshier@google.com>
-Signed-off-by: Paolo Bonzini
-[carnil: Backport to 4.19. Adjust filename to arch/x86/kvm/vmx/vmx.c
-as later refactoring moved nested code to dedicated files]
----
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -8469,6 +8469,7 @@ static void free_nested(struct vcpu_vmx
- if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
- return;
-
-+ hrtimer_cancel(&vmx->nested.preemption_timer);
- vmx->nested.vmxon = false;
- vmx->nested.smm.vmxon = false;
- free_vpid(vmx->nested.vpid02);
diff --git a/debian/patches/bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch b/debian/patches/bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch
deleted file mode 100644
index 5f753bd78..000000000
--- a/debian/patches/bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Paolo Bonzini
-Date: Tue, 29 Jan 2019 18:41:16 +0100
-Subject: KVM: x86: work around leak of uninitialized stack contents
- (CVE-2019-7222)
-Origin: https://git.kernel.org/linus/353c0956a618a07ba4bbe7ad00ff29fe70e8412a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-7222
-
-Bugzilla: 1671930
-
-Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
-memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
-when passed an operand that points to an MMIO address. The page fault
-will use uninitialized kernel stack memory as the CR2 and error code.
-
-The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
-exit to userspace; however, it is not an easy fix, so for now just
-ensure that the error code and CR2 are zero.
-
-Embargoed until Feb 7th 2019.
-
-Reported-by: Felix Wilhelm
-Cc: stable@kernel.org
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/x86.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 3d27206f6c01..e67ecf25e690 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
- {
- u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
-
-+ /*
-+ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
-+ * is returned, but our callers are not ready for that and they blindly
-+ * call kvm_inject_page_fault. Ensure that they at least do not leak
-+ * uninitialized kernel stack memory into cr2 and error code.
-+ */
-+ memset(exception, 0, sizeof(*exception));
- return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
- exception);
- }
---
-2.11.0
-
diff --git a/debian/patches/series b/debian/patches/series
index efdee6915..1834c6f09 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -102,7 +102,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch debian/revert-objtool-fix-config_stack_validation-y-warning.patch -bugfix/all/percpu-convert-spin_lock_irq-to-spin_lock_irqsave.patch bugfix/all/mt76-use-the-correct-hweight8-function.patch bugfix/all/btrfs-fix-corruption-reading-shared-and-compressed-e.patch @@ -144,10 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch -bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch -bugfix/x86/KVM-nVMX-unconditionally-cancel-preemption-timer-in-.patch -bugfix/all/HID-debug-fix-the-ring-buffer-implementation.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch
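Review bot: Removing these four series entries stops applying the backports for CVE-2019-3819, CVE-2019-6974, CVE-2019-7221 and CVE-2019-7222, yet the 4.19.21 commit list added to debian/changelog in this same commit does not, as far as the collapsed hunk shows, name any of those four upstream commits, while `percpu: convert spin_lock_irq to spin_lock_irqsave.`, whose patch file is dropped the same way, is listed. Please confirm against the `Origin:` commit ids in the deleted patch files that all four fixes are in 4.19.21 before this lands, since the series drop is what would otherwise silently reopen them. If they were left out of the list deliberately, a changelog line such as `- Drop patches for CVE-2019-3819, CVE-2019-6974, CVE-2019-7221, CVE-2019-7222 now included upstream` would make the reasoning auditable from the changelog alone.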