From 9b355e6846793b107e2b0518e7874fc88ce57537 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sat, 23 Jan 2016 12:11:55 +0000
Subject: [PATCH 01/23] Update to 4.3.4
---
debian/changelog | 55 ++++++++
...ing-ref-leak-in-join_session_keyring.patch | 75 -----------
...te-socket-address-length-in-sco_sock.patch | 22 ----
...eys-fix-race-between-read-and-revoke.patch | 110 ----------------
...tion-for-the-socket-syscall-protocol.patch | 121 ------------------
...addr_len-in-pptp_bind-and-pptp_conne.patch | 34 -----
...ouble-free-and-memory-corruption-on-.patch | 55 --------
...x-kfree_skb-of-uninitialised-pointer.patch | 29 -----
...ree-and-memory-corruption-on-registe.patch | 95 --------------
debian/patches/series | 8 --
10 files changed, 55 insertions(+), 549 deletions(-)
delete mode 100644 debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
delete mode 100644 debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
delete mode 100644 debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
delete mode 100644 debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
delete mode 100644 debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
delete mode 100644 debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
delete mode 100644 debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
delete mode 100644 debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
diff --git a/debian/changelog b/debian/changelog
index 83d54a0de..7d35ae95b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,58 @@
+linux (4.3.4-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4
+ - ACPI: Use correct IRQ when uninstalling ACPI interrupt handler
+ - ACPI: Using correct irq when waiting for events
+ - ACPI / PM: Fix incorrect wakeup IRQ setting during suspend-to-idle
+ - tpm, tpm_tis: fix tpm_tis ACPI detection issue with TPM 2.0
+ - toshiba_acpi: Initialize hotkey_event_type variable
+ - USB: cdc_acm: Ignore Infineon Flash Loader utility
+ - USB: serial: Another Infineon flash loader USB ID
+ - usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter
+ JMicron
+ - USB: cp210x: Remove CP2110 ID from compatibility list
+ - USB: add quirk for devices with broken LPM
+ - USB: whci-hcd: add check for dma mapping error
+ - usb: gadget: pxa27x: fix suspend callback
+ - USB: host: ohci-at91: fix a crash in ohci_hcd_at91_overcurrent_irq
+ - usb: musb: USB_TI_CPPI41_DMA requires dmaengine support
+ - usb: core : hub: Fix BOS 'NULL pointer' kernel panic
+ - usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
+ - pppoe: fix memory corruption in padt work structure
+ - gre6: allow to update all parameters via rtnl
+ - atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
+ - ipv6: keep existing flags when setting IFA_F_OPTIMISTIC
+ - vxlan: fix incorrect RCO bit in VXLAN header
+ - sctp: use the same clock as if sock source timestamps were on
+ - sctp: update the netstamp_needed counter when copying sockets
+ - sctp: also copy sk_tsflags when copying the socket
+ - net: cdc_mbim: add "NDP to end" quirk for Huawei E3372
+ - net: qca_spi: fix transmit queue timeout handling
+ - r8152: fix lockup when runtime PM is enabled
+ - ipv6: sctp: clone options to avoid use after free
+ - phy: micrel: Fix finding PHY properties in MAC node.
+ - openvswitch: Fix helper reference leak
+ - openvswitch: Respect conntrack zone even if invalid
+ - uapi: export ila.h
+ - sh_eth: fix kernel oops in skb_put()
+ - net: fix IP early demux races
+ - vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
+ - skbuff: Fix offset error in skb_reorder_vlan_header
+ - net: check both type and procotol for tcp sockets
+ - net_sched: make qdisc_tree_decrease_qlen() work for non mq
+ - net: fix uninitialized variable issue
+ - ipv6: automatically enable stable privacy mode if stable_secret set
+ - inet: tcp: fix inetpeer_set_addr_v4()
+ - rhashtable: Enforce minimum size on initial hash table
+ - gianfar: Don't enable RX Filer if not supported
+ - fou: clean up socket with kfree_rcu
+ - af_unix: Revert 'lock_interruptible' in stream receive code
+ - tcp: restore fastopen with no data in SYN packet
+ - rhashtable: Fix walker list corruption
+
+ -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000
+
linux (4.3.3-7) unstable; urgency=medium
* linux-image-dbg: Don't rely on upstream makefile to make .build-id
diff --git a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
deleted file mode 100644
index 9c6a96973..000000000
--- a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001 -From: Yevgeny Pats -Date: Mon, 11 Jan 2016 12:05:28 +0000 -Subject: KEYS: Fix keyring ref leak in join_session_keyring() - -If a thread is asked to join as a session keyring the keyring that's already -set as its session, we leak a keyring reference. - -This can be tested with the following program: - - #include - #include - #include - #include - - int main(int argc, const char *argv[]) - { - int i = 0; - key_serial_t serial; - - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - - if (keyctl(KEYCTL_SETPERM, serial, - KEY_POS_ALL | KEY_USR_ALL) < 0) { - perror("keyctl"); - return -1; - } - - for (i = 0; i < 100; i++) { - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - } - - return 0; - } - -If, after the program has run, there something like the following line in -/proc/keys: - -3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty - -with a usage count of 100 * the number of times the program has been run, -then the kernel is malfunctioning. If leaked-keyring has zero usages or -has been garbage collected, then the problem is fixed. - -Reported-by: Yevgeny Pats -Signed-off-by: David Howells ---- - security/keys/process_keys.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index a3f85d2..e6d50172 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } --- -2.7.0.rc3 - 
diff --git a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch b/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch deleted file mode 100644 index ab4bdf6bd..000000000 --- a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch +++ /dev/null @@ -1,22 +0,0 @@ -From: "David S. Miller" -Date: Tue, 15 Dec 2015 15:39:08 -0500 -Subject: bluetooth: Validate socket address length in sco_sock_bind(). -Origin: https://git.kernel.org/linus/5233252fce714053f0151680933571a2da9cbfb4 - -Signed-off-by: David S. Miller ---- - net/bluetooth/sco.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/bluetooth/sco.c -+++ b/net/bluetooth/sco.c -@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket * - if (!addr || addr->sa_family != AF_BLUETOOTH) - return -EINVAL; - -+ if (addr_len < sizeof(struct sockaddr_sco)) -+ return -EINVAL; -+ - lock_sock(sk); - - if (sk->sk_state != BT_OPEN) { diff --git a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch deleted file mode 100644 index e75e67730..000000000 --- a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From: David Howells -Date: Fri, 18 Dec 2015 01:34:26 +0000 -Subject: KEYS: Fix race between read and revoke -Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d - -This fixes CVE-2015-7550. - -There's a race between keyctl_read() and keyctl_revoke(). If the revoke -happens between keyctl_read() checking the validity of a key and the key's -semaphore being taken, then the key type read method will see a revoked key. - -This causes a problem for the user-defined key type because it assumes in -its read method that there will always be a payload in a non-revoked key -and doesn't check for a NULL pointer. - -Fix this by making keyctl_read() check the validity of a key after taking -semaphore instead of before. - -I think the bug was introduced with the original keyrings code. - -This was discovered by a multithreaded test program generated by syzkaller -(http://github.com/google/syzkaller). Here's a cleaned up version: - - #include - #include - #include - void *thr0(void *arg) - { - key_serial_t key = (unsigned long)arg; - keyctl_revoke(key); - return 0; - } - void *thr1(void *arg) - { - key_serial_t key = (unsigned long)arg; - char buffer[16]; - keyctl_read(key, buffer, 16); - return 0; - } - int main() - { - key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); - pthread_t th[5]; - pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); - pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); - pthread_join(th[0], 0); - pthread_join(th[1], 0); - pthread_join(th[2], 0); - pthread_join(th[3], 0); - return 0; - } - -Build as: - - cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread - -Run as: - - while keyctl-race; do :; done - -as it may need several iterations to crash the kernel. 
The crash can be -summarised as: - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 - IP: [] user_read+0x56/0xa3 - ... - Call Trace: - [] keyctl_read_key+0xb6/0xd7 - [] SyS_keyctl+0x83/0xe0 - [] entry_SYSCALL_64_fastpath+0x12/0x6f - -Reported-by: Dmitry Vyukov -Signed-off-by: David Howells -Tested-by: Dmitry Vyukov -Cc: stable@vger.kernel.org -Signed-off-by: James Morris ---- - security/keys/keyctl.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, - - /* the key is probably readable - now try to read it */ - can_read_key: -- ret = key_validate(key); -- if (ret == 0) { -- ret = -EOPNOTSUPP; -- if (key->type->read) { -- /* read the data with the semaphore held (since we -- * might sleep) */ -- down_read(&key->sem); -+ ret = -EOPNOTSUPP; -+ if (key->type->read) { -+ /* Read the data with the semaphore held (since we might sleep) -+ * to protect against the key being updated or revoked. -+ */ -+ down_read(&key->sem); -+ ret = key_validate(key); -+ if (ret == 0) - ret = key->type->read(key, buffer, buflen); -- up_read(&key->sem); -- } -+ up_read(&key->sem); - } - - error2: diff --git a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch deleted file mode 100644 index fb9a94c30..000000000 --- a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From: Hannes Frederic Sowa -Date: Mon, 14 Dec 2015 22:03:39 +0100 -Subject: net: add validation for the socket syscall protocol argument -Origin: https://git.kernel.org/linus/79462ad02e861803b3840cc782248c7359451cd9 - -郭永刚 reported that one could simply crash the kernel as root by -using a simple program: - - int socket_fd; - struct sockaddr_in addr; - addr.sin_port = 0; - addr.sin_addr.s_addr = INADDR_ANY; - addr.sin_family = 10; - - socket_fd = socket(10,3,0x40000000); - connect(socket_fd , &addr,16); - -AF_INET, AF_INET6 sockets actually only support 8-bit protocol -identifiers. inet_sock's skc_protocol field thus is sized accordingly, -thus larger protocol identifiers simply cut off the higher bits and -store a zero in the protocol fields. - -This could lead to e.g. NULL function pointer because as a result of -the cut off inet_num is zero and we call down to inet_autobind, which -is NULL for raw sockets. - -kernel: Call Trace: -kernel: [] ? inet_autobind+0x2e/0x70 -kernel: [] inet_dgram_connect+0x54/0x80 -kernel: [] SYSC_connect+0xd9/0x110 -kernel: [] ? ptrace_notify+0x5b/0x80 -kernel: [] ? syscall_trace_enter_phase2+0x108/0x200 -kernel: [] SyS_connect+0xe/0x10 -kernel: [] tracesys_phase2+0x84/0x89 - -I found no particular commit which introduced this problem. - -CVE: CVE-2015-8543 -Cc: Cong Wang -Reported-by: 郭永刚 -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. 
Miller ---- - include/net/sock.h | 1 + - net/ax25/af_ax25.c | 3 +++ - net/decnet/af_decnet.c | 3 +++ - net/ipv4/af_inet.c | 3 +++ - net/ipv6/af_inet6.c | 3 +++ - net/irda/af_irda.c | 3 +++ - 6 files changed, 16 insertions(+) - ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -387,6 +387,7 @@ struct sock { - sk_no_check_rx : 1, - sk_userlocks : 4, - sk_protocol : 8, -+#define SK_PROTOCOL_MAX U8_MAX - sk_type : 16; - kmemcheck_bitfield_end(flags); - int sk_wmem_queued; ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, - struct sock *sk; - ax25_cb *ax25; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - ---- a/net/decnet/af_decnet.c -+++ b/net/decnet/af_decnet.c -@@ -678,6 +678,9 @@ static int dn_create(struct net *net, st - { - struct sock *sk; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - ---- a/net/ipv4/af_inet.c -+++ b/net/ipv4/af_inet.c -@@ -261,6 +261,9 @@ static int inet_create(struct net *net, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - sock->state = SS_UNCONNECTED; - - /* Look for the requested type/protocol pair. */ ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - /* Look for the requested type/protocol pair. */ - lookup_protocol: - err = -ESOCKTNOSUPPORT; ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, - struct sock *sk; - struct irda_sock *self; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (net != &init_net) - return -EAFNOSUPPORT; - 
diff --git a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch b/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch deleted file mode 100644 index ad192d1f6..000000000 --- a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: WANG Cong -Date: Mon, 14 Dec 2015 13:48:36 -0800 -Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect() -Origin: https://git.kernel.org/linus/09ccfd238e5a0e670d8178cf50180ea81ae09ae1 - -Reported-by: Dmitry Vyukov -Signed-off-by: Cong Wang -Signed-off-by: David S. Miller ---- - drivers/net/ppp/pptp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/drivers/net/ppp/pptp.c -+++ b/drivers/net/ppp/pptp.c -@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock - struct pptp_opt *opt = &po->proto.pptp; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - lock_sock(sk); - - opt->src_addr = sp->sa_addr.pptp; -@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *s - struct flowi4 fl4; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - if (sp->sa_protocol != PX_PROTO_PPTP) - return -EINVAL; - diff --git a/debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch b/debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch deleted file mode 100644 index cd0f02e16..000000000 --- a/debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From: Ben Hutchings -Date: Tue, 15 Dec 2015 15:26:45 +0000 -Subject: Revert "vrf: fix double free and memory corruption on register_netdevice failure" -Forwarded: http://mid.gmane.org/20151215153149.GO28542@decadent.org.uk - -This reverts commit b3abad339f8e268bb261e5844ab68b18a7797c29, which -was an attempt to backport commit 7f109f7cc37108cba7243bc832988525b0d85909 -upstream. The backport introduced a deadlock and other bugs. - -Signed-off-by: Ben Hutchings ---- - drivers/net/vrf.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index c9e309c..488c6f5 100644 ---- a/drivers/net/vrf.c -+++ b/drivers/net/vrf.c -@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - { - struct net_vrf *vrf = netdev_priv(dev); - struct net_vrf_dev *vrf_ptr; -+ int err; - - if (!data || !data[IFLA_VRF_TABLE]) - return -EINVAL; -@@ -589,16 +590,26 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - - dev->priv_flags |= IFF_VRF_MASTER; - -+ err = -ENOMEM; - vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL); - if (!vrf_ptr) -- return -ENOMEM; -+ goto out_fail; - - vrf_ptr->ifindex = dev->ifindex; - vrf_ptr->tb_id = vrf->tb_id; - -+ err = register_netdevice(dev); -+ if (err < 0) -+ goto out_fail; -+ - rcu_assign_pointer(dev->vrf_ptr, vrf_ptr); - -- return register_netdev(dev); -+ return 0; -+ -+out_fail: -+ kfree(vrf_ptr); -+ free_netdev(dev); -+ return err; - } - - static size_t vrf_nl_getsize(const struct net_device *dev) diff --git a/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch b/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch deleted file mode 100644 index a584e73c5..000000000 --- a/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Date: Tue, 15 Dec 2015 21:21:56 +0000 -From: Ben Hutchings -Subject: tipc: Fix kfree_skb() of uninitialised pointer -Forwarded: http://mid.gmane.org/20151215212156.GQ28542@decadent.org.uk - -Commit 7098356baca7 ("tipc: fix error handling of expanding buffer -headroom") added a "goto tx_error". This is fine upstream, but -when backported to 4.3 it results in attempting to free the clone -before it has been allocated. In this early error case, no -cleanup is needed. - -Signed-off-by: Ben Hutchings ---- - net/tipc/udp_media.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c -index 86f2e7c..73bdf1b 100644 ---- a/net/tipc/udp_media.c -+++ b/net/tipc/udp_media.c -@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, - if (skb_headroom(skb) < UDP_MIN_HEADROOM) { - err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC); - if (err) -- goto tx_error; -+ return err; - } - - clone = skb_clone(skb, GFP_ATOMIC); diff --git a/debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch b/debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch deleted file mode 100644 index f387fdece..000000000 --- a/debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From: Nikolay Aleksandrov -Date: Sat, 21 Nov 2015 19:46:19 +0100 -Subject: vrf: fix double free and memory corruption on register_netdevice failure -Origin: https://git.kernel.org/linus/7f109f7cc37108cba7243bc832988525b0d85909 - -When vrf's ->newlink is called, if register_netdevice() fails then it -does free_netdev(), but that's also done by rtnl_newlink() so a second -free happens and memory gets corrupted, to reproduce execute the -following line a couple of times (1 - 5 usually is enough): -$ for i in `seq 1 5`; do ip link add vrf: type vrf table 1; done; -This works because we fail in register_netdevice() because of the wrong -name "vrf:". - -And here's a trace of one crash: -[ 28.792157] ------------[ cut here ]------------ -[ 28.792407] kernel BUG at fs/namei.c:246! -[ 28.792608] invalid opcode: 0000 [#1] SMP -[ 28.793240] Modules linked in: vrf nfsd auth_rpcgss oid_registry -nfs_acl nfs lockd grace sunrpc crct10dif_pclmul crc32_pclmul -crc32c_intel qxl drm_kms_helper ttm drm aesni_intel aes_x86_64 psmouse -glue_helper lrw evdev gf128mul i2c_piix4 ablk_helper cryptd ppdev -parport_pc parport serio_raw pcspkr virtio_balloon virtio_console -i2c_core acpi_cpufreq button 9pnet_virtio 9p 9pnet fscache ipv6 autofs4 -ext4 crc16 mbcache jbd2 virtio_blk virtio_net sg sr_mod cdrom -ata_generic ehci_pci uhci_hcd ehci_hcd e1000 usbcore usb_common ata_piix -libata virtio_pci virtio_ring virtio scsi_mod floppy -[ 28.796016] CPU: 0 PID: 1148 Comm: ld-linux-x86-64 Not tainted -4.4.0-rc1+ #24 -[ 28.796016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), -BIOS 1.8.1-20150318_183358- 04/01/2014 -[ 28.796016] task: ffff8800352561c0 ti: ffff88003592c000 task.ti: -ffff88003592c000 -[ 28.796016] RIP: 0010:[] [] -putname+0x43/0x60 -[ 28.796016] RSP: 0018:ffff88003592fe88 EFLAGS: 00010246 -[ 28.796016] RAX: 0000000000000000 RBX: ffff8800352561c0 RCX: -0000000000000001 -[ 28.796016] RDX: 0000000000000000 RSI: 0000000000000000 RDI: -ffff88003784f000 -[ 
28.796016] RBP: ffff88003592ff08 R08: 0000000000000001 R09: -0000000000000000 -[ 28.796016] R10: 0000000000000000 R11: 0000000000000001 R12: -0000000000000000 -[ 28.796016] R13: 000000000000047c R14: ffff88003784f000 R15: -ffff8800358c4a00 -[ 28.796016] FS: 0000000000000000(0000) GS:ffff88003fc00000(0000) -knlGS:0000000000000000 -[ 28.796016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 28.796016] CR2: 00007ffd583bc2d9 CR3: 0000000035a99000 CR4: -00000000000406f0 -[ 28.796016] Stack: -[ 28.796016] ffffffff8121045d ffffffff812102d3 ffff8800352561c0 -ffff880035a91660 -[ 28.796016] ffff8800008a9880 0000000000000000 ffffffff81a49940 -00ffffff81218684 -[ 28.796016] ffff8800352561c0 000000000000047c 0000000000000000 -ffff880035b36d80 -[ 28.796016] Call Trace: -[ 28.796016] [] ? -do_execveat_common.isra.34+0x74d/0x930 -[ 28.796016] [] ? -do_execveat_common.isra.34+0x5c3/0x930 -[ 28.796016] [] do_execve+0x2c/0x30 -[ 28.796016] [] -call_usermodehelper_exec_async+0xf0/0x140 -[ 28.796016] [] ? umh_complete+0x40/0x40 -[ 28.796016] [] ret_from_fork+0x3f/0x70 -[ 28.796016] Code: 48 8d 47 1c 48 89 e5 53 48 8b 37 48 89 fb 48 39 c6 -74 1a 48 8b 3d 7e e9 8f 00 e8 49 fa fc ff 48 89 df e8 f1 01 fd ff 5b 5d -f3 c3 <0f> 0b 48 89 fe 48 8b 3d 61 e9 8f 00 e8 2c fa fc ff 5b 5d eb e9 -[ 28.796016] RIP [] putname+0x43/0x60 -[ 28.796016] RSP - -Fixes: 193125dbd8eb ("net: Introduce VRF device driver") -Signed-off-by: Nikolay Aleksandrov -Acked-by: David Ahern -Signed-off-by: David S. Miller -[bwh: For 4.3, retain the kfree() on failure] -Signed-off-by: Ben Hutchings ---- - drivers/net/vrf.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index 488c6f5..374feba 100644 ---- a/drivers/net/vrf.c -+++ b/drivers/net/vrf.c -@@ -608,7 +608,6 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - - out_fail: - kfree(vrf_ptr); -- free_netdev(dev); - return err; - } - 
diff --git a/debian/patches/series b/debian/patches/series
index 82ac5d4c9..725582e07 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -106,13 +106,7 @@ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
-bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
-bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
-bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
-bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
bugfix/all/ovl-fix-permission-checking-for-setattr.patch
-bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
-bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
bugfix/all/xen-add-ring_copy_request.patch
bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
@@ -127,7 +121,6 @@ bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
debian/ptrace-fix-abi-change-for-priv-esc-fix.patch
-bugfix/all/keys-fix-race-between-read-and-revoke.patch
bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch
bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
@@ -147,4 +140,3 @@ bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch
bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
-bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
From 024851fa3a1ded52dbb6fb1bf228edac8145a532 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sat, 23 Jan 2016 22:48:19 +0000
Subject: [PATCH 02/23] fuse: break infinite loop in fuse_fill_write_pages()
This doesn't have a CVE ID yet.
---
debian/changelog | 3 +
...finite-loop-in-fuse_fill_write_pages.patch | 56 +++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 60 insertions(+)
create mode 100644 debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
diff --git a/debian/changelog b/debian/changelog
index 7d35ae95b..914e3b752 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -51,6 +51,9 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
- tcp: restore fastopen with no data in SYN packet
- rhashtable: Fix walker list corruption
+ [ Ben Hutchings ]
+ * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-XXXX)
+
-- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000
linux (4.3.3-7) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch b/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
new file mode 100644
index 000000000..3c67f75ea
--- /dev/null
+++ b/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
@@ -0,0 +1,56 @@
+From: Roman Gushchin
+Date: Mon, 12 Oct 2015 16:33:44 +0300
+Subject: fuse: break infinite loop in fuse_fill_write_pages()
+Origin: https://git.kernel.org/linus/3ca8138f014a913f98e6ef40e939868e1e9ea876
+
+I got a report about unkillable task eating CPU. Further
+investigation shows, that the problem is in the fuse_fill_write_pages()
+function. If iov's first segment has zero length, we get an infinite
+loop, because we never reach iov_iter_advance() call.
+
+Fix this by calling iov_iter_advance() before repeating an attempt to
+copy data from userspace.
+
+A similar problem is described in 124d3b7041f ("fix writev regression:
+pan hanging unkillable and un-straceable"). If zero-length segmend
+is followed by segment with invalid address,
+iov_iter_fault_in_readable() checks only first segment (zero-length),
+iov_iter_copy_from_user_atomic() skips it, fails at second and
+returns zero -> goto again without skipping zero-length segment.
+
+Patch calls iov_iter_advance() before goto again: we'll skip zero-length
+segment at second iteraction and iov_iter_fault_in_readable() will detect
+invalid address.
+
+Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
+description.
+
+Cc: Andrew Morton
+Cc: Maxim Patlasov
+Cc: Konstantin Khlebnikov
+Signed-off-by: Roman Gushchin
+Signed-off-by: Miklos Szeredi
+Fixes: ea9b9907b82a ("fuse: implement perform_write")
+Signed-off-by: Ben Hutchings
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1049,6 +1049,7 @@ static ssize_t fuse_fill_write_pages(str
+ tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes);
+ flush_dcache_page(page);
+
++ iov_iter_advance(ii, tmp);
+ if (!tmp) {
+ unlock_page(page);
+ page_cache_release(page);
+@@ -1061,7 +1062,6 @@ static ssize_t fuse_fill_write_pages(str
+ req->page_descs[req->num_pages].length = tmp;
+ req->num_pages++;
+
+- iov_iter_advance(ii, tmp);
+ count += tmp;
+ pos += tmp;
+ offset += tmp;
diff --git a/debian/patches/series b/debian/patches/series
index 725582e07..94af25d11 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -140,3 +140,4 @@ bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch
bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
+bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
From 20c41274fa7c9ab2d79844847e127bcbb8e3d221 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Sun, 24 Jan 2016 19:19:30 +0100
Subject: [PATCH 03/23] Add CVE reference for CVE-2015-8785
---
debian/changelog | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 914e3b752..c7bce8575 100644
--- a/debian/changelog
+++ b/debian/changelog
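Review bot: The relocated `iov_iter_advance(ii, tmp)` now sits just above the `if (!tmp)` retry, but nothing at the call site says that this ordering is the entire fix, so a later tidy-up could move it back under the success path and silently reintroduce the unkillable loop the description reports (assigned CVE-2015-8785 by the next commit in this series). I would put a comment directly above the new line, e.g. `/* Advance before the !tmp retry: with a zero-length first segment iov_iter_fault_in_readable() only checks that segment and the copy keeps returning 0 unless the iterator moves on. */`. The description's claim that this skips the empty segment presumes that advancing by 0 bytes still steps past an exhausted iovec in this kernel's iov_iter_advance(), which is worth confirming against the 4.3 lib/iov_iter.c rather than the mainline the patch was written for. fuse_fill_write_pages() and its `goto again` loop begin and end outside the hunk.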
@@ -52,7 +52,7 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
- rhashtable: Fix walker list corruption
[ Ben Hutchings ]
- * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-XXXX)
+ * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
-- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000
From cdfc3b2f3067d742a3cdc0e18498c2fb20bcb19f Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Tue, 26 Jan 2016 08:58:09 +0100
Subject: [PATCH 04/23] tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
---
debian/changelog | 3 +
...-fix-zero-cwnd-in-tcp_cwnd_reduction.patch | 63 +++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 67 insertions(+)
create mode 100644 debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
diff --git a/debian/changelog b/debian/changelog
index c7bce8575..0fa86ab36 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -54,6 +54,9 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
[ Ben Hutchings ]
* fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
+ [ Salvatore Bonaccorso ]
+ tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
+
-- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000
linux (4.3.3-7) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch b/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
new file mode 100644
index 000000000..bd192a17c
--- /dev/null
+++ b/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
@@ -0,0 +1,63 @@ +From: Yuchung Cheng +Date: Wed, 6 Jan 2016 12:42:38 -0800 +Subject: tcp: fix zero cwnd in tcp_cwnd_reduction +Origin: https://git.kernel.org/linus/8b8a321ff72c785ed5e8b4cf6eda20b35d427390 + +Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode +conditionally") introduced a bug that cwnd may become 0 when both +inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead +to a div-by-zero if the connection starts another cwnd reduction +phase by setting tp->prior_cwnd to the current cwnd (0) in +tcp_init_cwnd_reduction(). + +To prevent this we skip PRR operation when nothing is acked or +sacked. Then cwnd must be positive in all cases as long as ssthresh +is positive: + +1) The proportional reduction mode + inflight > ssthresh > 0 + +2) The reduction bound mode + a) inflight == ssthresh > 0 + + b) inflight < ssthresh + sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh + +Therefore in all cases inflight and sndcnt can not both be 0. +We check invalid tp->prior_cwnd to avoid potential div0 bugs. + +In reality this bug is triggered only with a sequence of less common +events. For example, the connection is terminating an ECN-triggered +cwnd reduction with an inflight 0, then it receives reordered/old +ACKs or DSACKs from prior transmission (which acks nothing). Or the +connection is in fast recovery stage that marks everything lost, +but fails to retransmit due to local issues, then receives data +packets from other end which acks nothing. + +Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally") +Reported-by: Oleksandr Natalenko +Signed-off-by: Yuchung Cheng +Signed-off-by: Neal Cardwell +Signed-off-by: Eric Dumazet +Signed-off-by: David S. 
Miller +--- + net/ipv4/tcp_input.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 2d656ee..d4c5115 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2478,6 +2478,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, + int newly_acked_sacked = prior_unsacked - + (tp->packets_out - tp->sacked_out); + ++ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) ++ return; ++ + tp->prr_delivered += newly_acked_sacked; + if (delta < 0) { + u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 94af25d11..ff4957ee7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -141,3 +141,4 @@ bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch +bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch From 2675c7c2e51849a263ce71a65a42f5098acf29ea Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Tue, 26 Jan 2016 09:44:59 +0100 Subject: [PATCH 05/23] Fix syntax error in changelog entry --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 0fa86ab36..6616c291c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -55,7 +55,7 @@ linux (4.3.4-1) UNRELEASED; urgency=medium * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785) [ Salvatore Bonaccorso ] - tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) + * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000 From 76c256b5b8d8792af6a87632b3454e6ff9f2fe49 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Wed, 27 Jan 2016 01:32:15 +0000 Subject: [PATCH 06/23] SCSI: fix crashes in sd and sr runtime PM (Closes: #801925) --- debian/changelog | 1 + ...-fix-crashes-in-sd-and-sr-runtime-pm.patch | 82 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 84 insertions(+) create mode 100644 debian/patches/bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch diff --git a/debian/changelog b/debian/changelog index 6616c291c..7fc722836 100644 --- a/debian/changelog +++ b/debian/changelog @@ -53,6 +53,7 @@ linux (4.3.4-1) UNRELEASED; urgency=medium [ Ben Hutchings ] * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785) + * SCSI: fix crashes in sd and sr runtime PM (Closes: #801925) [ Salvatore Bonaccorso ] * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) diff --git a/debian/patches/bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch b/debian/patches/bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch new file mode 100644 index 000000000..780732318 --- /dev/null +++ b/debian/patches/bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch 
@@ -0,0 +1,82 @@ +From: Alan Stern +Subject: SCSI: fix crashes in sd and sr runtime PM +Date: Wed, 20 Jan 2016 11:26:01 -0500 (EST) +Origin: http://article.gmane.org/gmane.linux.scsi/109795 +Bug-Debian: https://bugs.debian.org/801925 + +Runtime suspend during driver probe and removal can cause problems. +The driver's runtime_suspend or runtime_resume callbacks may invoked +before the driver has finished binding to the device or after the +driver has unbound from the device. + +This problem shows up with the sd and sr drivers, and can cause disk +or CD/DVD drives to become unusable as a result. The fix is simple. +The drivers store a pointer to the scsi_disk or scsi_cd structure as +their private device data when probing is finished, so we simply have +to be sure to clear the private data during removal and test it during +runtime suspend/resume. + +This fixes . + +Signed-off-by: Alan Stern +Reported-by: Paul Menzel +Reported-by: Erich Schubert +Reported-by: Alexandre Rossi +Tested-by: Paul Menzel +CC: "James E.J. 
Bottomley" +CC: Ben Hutchings +CC: + +--- + + +[as1795] + + + drivers/scsi/sd.c | 7 +++++-- + drivers/scsi/sr.c | 4 ++++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3142,8 +3142,8 @@ static int sd_suspend_common(struct devi + struct scsi_disk *sdkp = dev_get_drvdata(dev); + int ret = 0; + +- if (!sdkp) +- return 0; /* this can happen */ ++ if (!sdkp) /* E.g.: runtime suspend following sd_remove() */ ++ return 0; + + if (sdkp->WCE && sdkp->media_present) { + sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n"); +@@ -3182,6 +3182,9 @@ static int sd_resume(struct device *dev) + { + struct scsi_disk *sdkp = dev_get_drvdata(dev); + ++ if (!sdkp) /* E.g.: runtime resume at the start of sd_probe() */ ++ return 0; ++ + if (!sdkp->device->manage_start_stop) + return 0; + +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -144,6 +144,9 @@ static int sr_runtime_suspend(struct dev + { + struct scsi_cd *cd = dev_get_drvdata(dev); + ++ if (!cd) /* E.g.: runtime suspend following sr_remove() */ ++ return 0; ++ + if (cd->media_present) + return -EBUSY; + else +@@ -985,6 +988,7 @@ static int sr_remove(struct device *dev) + scsi_autopm_get_device(cd->device); + + del_gendisk(cd->disk); ++ dev_set_drvdata(dev, NULL); + + mutex_lock(&sr_ref_mutex); + kref_put(&cd->kref, sr_kref_release); diff --git a/debian/patches/series b/debian/patches/series index ff4957ee7..3e8a2fb29 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -142,3 +142,4 @@ bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch +bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch From b1fa3fac8877ebad414c2829a02676aebdd06ae2 Mon Sep 17 00:00:00 2001 
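Review bot: On the sd.c side this patch only adds the NULL test in sd_resume, while the description says the drivers must also clear their private data during removal; the sr.c part does that with `dev_set_drvdata(dev, NULL);` in sr_remove, but no matching change appears for sd_remove. If sd_remove in 4.3 does not already clear drvdata, the new `if (!sdkp)` in sd_resume never fires and a runtime resume after removal would still dereference a freed scsi_disk; this is presumably already handled upstream (sd_remove is not in the hunk), so it is worth confirming in the tree before shipping. Separately, the sentence `This fixes .` in the description has lost its reference; the Bug-Debian header carries #801925, so the patch file remains traceable.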
From: Salvatore Bonaccorso Date: Wed, 27 Jan 2016 19:24:21 +0100 Subject: [PATCH 07/23] netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) --- debian/changelog | 1 + ..._redirect-add-missing-NULL-pointer-c.patch | 81 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 83 insertions(+) create mode 100644 debian/patches/bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch diff --git a/debian/changelog b/debian/changelog index 7fc722836..b529baaee 100644 --- a/debian/changelog +++ b/debian/changelog @@ -57,6 +57,7 @@ linux (4.3.4-1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) + * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000 diff --git a/debian/patches/bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch b/debian/patches/bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch new file mode 100644 index 000000000..fd17d1e98 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch 
@@ -0,0 +1,81 @@ +From: Munehisa Kamata +Date: Mon, 26 Oct 2015 19:10:52 -0700 +Subject: netfilter: nf_nat_redirect: add missing NULL pointer check +Origin: https://git.kernel.org/linus/94f9cd81436c85d8c3a318ba92e236ede73752fc + +Commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT +redirect IPv4 to use it from nf_tables") has introduced a trivial logic +change which can result in the following crash. + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 +IP: [] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect] +PGD 3ba662067 PUD 3ba661067 PMD 0 +Oops: 0000 [#1] SMP +Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) +CPU: 0 PID: 2536 Comm: ip Tainted: G E 4.1.7-15.23.amzn1.x86_64 #1 +Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015 +task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000 +[...] +Call Trace: + + [] redirect_tg4+0x15/0x20 [xt_REDIRECT] + [] ipt_do_table+0x2b9/0x5e1 [ip_tables] + [] iptable_nat_do_chain+0x25/0x30 [iptable_nat] + [] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4] + [] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat] + [] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4] + [] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat] + [] nf_iterate+0x57/0x80 + [] nf_hook_slow+0x97/0x100 + [] ip_rcv+0x314/0x400 + +unsigned int +nf_nat_redirect_ipv4(struct sk_buff *skb, +... +{ +... + rcu_read_lock(); + indev = __in_dev_get_rcu(skb->dev); + if (indev != NULL) { + ifa = indev->ifa_list; + newdst = ifa->ifa_local; <--- + } + rcu_read_unlock(); +... +} + +Before the commit, 'ifa' had been always checked before access. 
After the +commit, however, it could be accessed even if it's NULL. Interestingly, +this was once fixed in 2003. + +http://marc.info/?l=netfilter-devel&m=106668497403047&w=2 + +In addition to the original one, we have seen the crash when packets that +need to be redirected somehow arrive on an interface which hasn't been +yet fully configured. + +This change just reverts the logic to the old behavior to avoid the crash. + +Fixes: 8b13eddfdf04 ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables") +Signed-off-by: Munehisa Kamata +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/nf_nat_redirect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c +index 97b75f9..d438698 100644 +--- a/net/netfilter/nf_nat_redirect.c ++++ b/net/netfilter/nf_nat_redirect.c +@@ -55,7 +55,7 @@ nf_nat_redirect_ipv4(struct sk_buff *skb, + + rcu_read_lock(); + indev = __in_dev_get_rcu(skb->dev); +- if (indev != NULL) { ++ if (indev && indev->ifa_list) { + ifa = indev->ifa_list; + newdst = ifa->ifa_local; + } +-- +2.7.0 + diff --git a/debian/patches/series b/debian/patches/series index 3e8a2fb29..a202989e4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -143,3 +143,4 @@ bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch +bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch From 237b83662e0640933bb89d2272746ac5489d1858 Mon Sep 17 00:00:00 2001 
From: Aurelien Jarno Date: Wed, 27 Jan 2016 22:33:18 +0100 Subject: [PATCH 08/23] [mips*] Backport math emulation fix from 4.5. --- debian/changelog | 3 + ...h-emu-correctly-handle-nop-emulation.patch | 140 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 144 insertions(+) create mode 100644 debian/patches/bugfix/mips/mips-math-emu-correctly-handle-nop-emulation.patch diff --git a/debian/changelog b/debian/changelog index b529baaee..2e6203d4d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -59,6 +59,9 @@ linux (4.3.4-1) UNRELEASED; urgency=medium * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) + [ Aurelien Jarno ] + * [mips*] Backport math emulation fix from 4.5. + -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000 linux (4.3.3-7) unstable; urgency=medium diff --git a/debian/patches/bugfix/mips/mips-math-emu-correctly-handle-nop-emulation.patch b/debian/patches/bugfix/mips/mips-math-emu-correctly-handle-nop-emulation.patch new file mode 100644 index 000000000..cb2e904bf --- /dev/null +++ b/debian/patches/bugfix/mips/mips-math-emu-correctly-handle-nop-emulation.patch @@ -0,0 +1,140 @@ +From: "Maciej W. Rozycki" +Date: Fri, 22 Jan 2016 05:20:26 +0000 +Subject: MIPS: math-emu: Correctly handle NOP emulation +Origin: https://git.kernel.org/linus/e4553573b37c3f72533683cb5f3a1ad300b18d37 + +Fix an issue introduced with commit 9ab4471c9f1b ("MIPS: math-emu: +Correct delay-slot exception propagation") where the emulation of a NOP +instruction signals the need to terminate the emulation loop. This in +turn, if the PC has not changed from the entry to the loop, will cause +the kernel to terminate the program with SIGILL. + +Consider this program: + +static double div(double d) +{ + do + d /= 2.0; + while (d > .5); + return d; +} + +int main(int argc, char **argv) +{ + return div(argc); +} + +which gets compiled to the following binary code: + +00400490
: + 400490: 44840000 mtc1 a0,$f0 + 400494: 3c020040 lui v0,0x40 + 400498: d44207f8 ldc1 $f2,2040(v0) + 40049c: 46800021 cvt.d.w $f0,$f0 + 4004a0: 46220002 mul.d $f0,$f0,$f2 + 4004a4: 4620103c c.lt.d $f2,$f0 + 4004a8: 4501fffd bc1t 4004a0 + 4004ac: 00000000 nop + 4004b0: 4620000d trunc.w.d $f0,$f0 + 4004b4: 03e00008 jr ra + 4004b8: 44020000 mfc1 v0,$f0 + 4004bc: 00000000 nop + +Where the FPU emulator is used, depending on the number of command-line +arguments this code will either run to completion or terminate with +SIGILL. + +If no arguments are specified, then BC1T will not be taken, NOP will not +be emulated and code will complete successfully. + +If one argument is specified, then BC1T will be taken once and NOP will +be emulated. At this point the entry PC value will be 0x400498 and the +new PC value, set by `mips_dsemul' will be 0x4004a0, the target of BC1T. +The emulation loop will terminate, but SIGILL will not be issued, +because the PC has changed. The FPU emulator will be entered again and +on the second execution BC1T will not be taken, NOP will not be emulated +and code will complete successfully. + +If two or more arguments are specified, then the first execution of BC1T +will proceed as above. Upon reentering the FPU emulator the emulation +loop will continue to BC1T, at which point the branch will be taken and +NOP emulated again. At this point however the entry PC value will be +0x4004a0, the same as the target of BC1T. This will make the emulator +conclude that execution has not advanced and therefore an unsupported +FPU instruction has been encountered, and SIGILL will be sent to the +process. + +Fix the problem by extending the internal API of `mips_dsemul', making +it return -1 if no delay slot emulation frame has been made, the +instruction has been handled and execution of the emulation loop needs +to continue as if nothing happened. 
Remove code from `mips_dsemul' to +reproduce steps made by the emulation loop at the conclusion of each +iteration, as those will be reached normally now. Adjust call sites +accordingly. Document the API. + +Signed-off-by: Maciej W. Rozycki +Cc: Aurelien Jarno +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/12172/ +Signed-off-by: Ralf Baechle +--- + arch/mips/math-emu/cp1emu.c | 4 ++++ + arch/mips/math-emu/dsemul.c | 14 ++++++++------ + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c +index 32f0e19..cdfd44f 100644 +--- a/arch/mips/math-emu/cp1emu.c ++++ b/arch/mips/math-emu/cp1emu.c +@@ -1266,6 +1266,8 @@ branch_common: + */ + sig = mips_dsemul(xcp, ir, + contpc); ++ if (sig < 0) ++ break; + if (sig) + xcp->cp0_epc = bcpc; + /* +@@ -1319,6 +1321,8 @@ branch_common: + * instruction in the dslot + */ + sig = mips_dsemul(xcp, ir, contpc); ++ if (sig < 0) ++ break; + if (sig) + xcp->cp0_epc = bcpc; + /* SIGILL forces out of the emulation loop. */ +diff --git a/arch/mips/math-emu/dsemul.c b/arch/mips/math-emu/dsemul.c +index cbb36c1..70e4824 100644 +--- a/arch/mips/math-emu/dsemul.c ++++ b/arch/mips/math-emu/dsemul.c +@@ -31,18 +31,20 @@ struct emuframe { + unsigned long epc; + }; + ++/* ++ * Set up an emulation frame for instruction IR, from a delay slot of ++ * a branch jumping to CPC. Return 0 if successful, -1 if no emulation ++ * required, otherwise a signal number causing a frame setup failure. ++ */ + int mips_dsemul(struct pt_regs *regs, mips_instruction ir, unsigned long cpc) + { + struct emuframe __user *fr; + int err; + ++ /* NOP is easy */ + if ((get_isa16_mode(regs->cp0_epc) && ((ir >> 16) == MM_NOP16)) || +- (ir == 0)) { +- /* NOP is easy */ +- regs->cp0_epc = cpc; +- clear_delay_slot(regs); +- return 0; +- } ++ (ir == 0)) ++ return -1; + + pr_debug("dsemul %lx %lx\n", regs->cp0_epc, cpc); + +-- +2.7.0.rc3 + 
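Review bot: The two new `if (sig < 0) break;` lines in cp1emu.c are undocumented at their call sites; a reader has to find the new header comment in dsemul.c to learn that -1 means the delay-slot NOP was handled without an emulation frame and the loop should simply carry on. A one-line comment at each site, `/* -1: NOP handled in place, no frame set up; keep emulating */`, would make that explicit, since the `break` now relies on the common epc update at the end of the loop iteration that the description says is reached normally, which is outside this hunk. The enclosing function around the `branch_common:` label starts and ends outside the hunk.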
diff --git a/debian/patches/series b/debian/patches/series index a202989e4..6c7346ba6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -51,6 +51,7 @@ bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch bugfix/arm/arm-dts-kirkwood-fix-qnap-ts219-power-off.patch bugfix/x86/drm-i915-mark-uneven-memory-banks-on-gen4-desktop-as.patch bugfix/x86/bios-return-actual-size-of-the-buffer-retrieved-via-_rom.patch +bugfix/mips/mips-math-emu-correctly-handle-nop-emulation.patch # Arch features features/mips/MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch From 985fe43552f6bb661903e675fc15158c779985fa Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Thu, 28 Jan 2016 17:52:56 +0100 Subject: [PATCH 09/23] [arm64] Enable RTC_DRV_EFI. --- debian/changelog | 1 + debian/config/arm64/config | 1 + 2 files changed, 2 insertions(+) diff --git a/debian/changelog b/debian/changelog index 2e6203d4d..a258de0e0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -61,6 +61,7 @@ linux (4.3.4-1) UNRELEASED; urgency=medium [ Aurelien Jarno ] * [mips*] Backport math emulation fix from 4.5. + * [arm64] Enable RTC_DRV_EFI. -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000 diff --git a/debian/config/arm64/config b/debian/config/arm64/config index f9120839a..8f5ad6fcc 100644 --- a/debian/config/arm64/config +++ b/debian/config/arm64/config @@ -161,6 +161,7 @@ CONFIG_POWER_RESET_SYSCON_POWEROFF=y ## ## file: drivers/rtc/Kconfig ## +CONFIG_RTC_DRV_EFI=y CONFIG_RTC_DRV_PL031=y CONFIG_RTC_DRV_XGENE=y From 20ed8bdbacf68537870166104bc6747cfd3c49e5 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Fri, 29 Jan 2016 03:27:03 +0000 Subject: [PATCH 10/23] x86/mm: Add barriers and document switch_mm()-vs-flush synchronization (CVE-2016-2069) Plus a follow-up fix to the comments. --- debian/changelog | 3 + ...ers-and-document-switch_mm-vs-flush-.patch | 158 ++++++++++++++++++ ...m-Improve-switch_mm-barrier-comments.patch | 64 +++++++ debian/patches/series | 2 + 4 files changed, 227 insertions(+) create mode 100644 debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch create mode 100644 debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch diff --git a/debian/changelog b/debian/changelog index a258de0e0..1ad6903a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -54,6 +54,9 @@ linux (4.3.4-1) UNRELEASED; urgency=medium [ Ben Hutchings ] * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785) * SCSI: fix crashes in sd and sr runtime PM (Closes: #801925) + * [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization + (CVE-2016-2069) + * [x86] mm: Improve switch_mm() barrier comments [ Salvatore Bonaccorso ] * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) diff --git a/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch b/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch new file mode 100644 index 000000000..0ef087561 --- /dev/null +++ b/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch 
@@ -0,0 +1,158 @@ +From: Andy Lutomirski +Date: Wed, 6 Jan 2016 12:21:01 -0800 +Subject: x86/mm: Add barriers and document switch_mm()-vs-flush + synchronization +Origin: https://git.kernel.org/linus/71b3c126e61177eb693423f2e18a1914205b165e + +When switch_mm() activates a new PGD, it also sets a bit that +tells other CPUs that the PGD is in use so that TLB flush IPIs +will be sent. In order for that to work correctly, the bit +needs to be visible prior to loading the PGD and therefore +starting to fill the local TLB. + +Document all the barriers that make this work correctly and add +a couple that were missing. + +Signed-off-by: Andy Lutomirski +Cc: Andrew Morton +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Rik van Riel +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Cc: stable@vger.kernel.org +Signed-off-by: Ingo Molnar +--- + arch/x86/include/asm/mmu_context.h | 33 ++++++++++++++++++++++++++++++++- + arch/x86/mm/tlb.c | 29 ++++++++++++++++++++++++++--- + 2 files changed, 58 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index 379cd3658799..1edc9cd198b8 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -116,8 +116,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + #endif + cpumask_set_cpu(cpu, mm_cpumask(next)); + +- /* Re-load page tables */ ++ /* ++ * Re-load page tables. ++ * ++ * This logic has an ordering constraint: ++ * ++ * CPU 0: Write to a PTE for 'next' ++ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI. ++ * CPU 1: set bit 1 in next's mm_cpumask ++ * CPU 1: load from the PTE that CPU 0 writes (implicit) ++ * ++ * We need to prevent an outcome in which CPU 1 observes ++ * the new PTE value and CPU 0 observes bit 1 clear in ++ * mm_cpumask. 
(If that occurs, then the IPI will never ++ * be sent, and CPU 0's TLB will contain a stale entry.) ++ * ++ * The bad outcome can occur if either CPU's load is ++ * reordered before that CPU's store, so both CPUs much ++ * execute full barriers to prevent this from happening. ++ * ++ * Thus, switch_mm needs a full barrier between the ++ * store to mm_cpumask and any operation that could load ++ * from next->pgd. This barrier synchronizes with ++ * remote TLB flushers. Fortunately, load_cr3 is ++ * serializing and thus acts as a full barrier. ++ * ++ */ + load_cr3(next->pgd); ++ + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); + + /* Stop flush ipis for the previous mm */ +@@ -156,10 +182,15 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + * schedule, protecting us from simultaneous changes. + */ + cpumask_set_cpu(cpu, mm_cpumask(next)); ++ + /* + * We were in lazy tlb mode and leave_mm disabled + * tlb flush IPI delivery. We must reload CR3 + * to make sure to use no freed page tables. ++ * ++ * As above, this is a barrier that forces ++ * TLB repopulation to be ordered after the ++ * store to mm_cpumask. + */ + load_cr3(next->pgd); + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index 8ddb5d0d66fb..8f4cc3dfac32 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -161,7 +161,10 @@ void flush_tlb_current_task(void) + preempt_disable(); + + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); ++ ++ /* This is an implicit full barrier that synchronizes with switch_mm. 
*/ + local_flush_tlb(); ++ + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) + flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL); +@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, + unsigned long base_pages_to_flush = TLB_FLUSH_ALL; + + preempt_disable(); +- if (current->active_mm != mm) ++ if (current->active_mm != mm) { ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ + goto out; ++ } + + if (!current->mm) { + leave_mm(smp_processor_id()); ++ ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ + goto out; + } + + if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB)) + base_pages_to_flush = (end - start) >> PAGE_SHIFT; + ++ /* ++ * Both branches below are implicit full barriers (MOV to CR or ++ * INVLPG) that synchronize with switch_mm. ++ */ + if (base_pages_to_flush > tlb_single_page_flush_ceiling) { + base_pages_to_flush = TLB_FLUSH_ALL; + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); +@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start) + preempt_disable(); + + if (current->active_mm == mm) { +- if (current->mm) ++ if (current->mm) { ++ /* ++ * Implicit full barrier (INVLPG) that synchronizes ++ * with switch_mm. ++ */ + __flush_tlb_one(start); +- else ++ } else { + leave_mm(smp_processor_id()); ++ ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ } + } + + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) diff --git a/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch b/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch new file mode 100644 index 000000000..5e3f9326c --- /dev/null +++ b/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch 
@@ -0,0 +1,64 @@ +From: Andy Lutomirski +Date: Tue, 12 Jan 2016 12:47:40 -0800 +Subject: x86/mm: Improve switch_mm() barrier comments +Origin: https://git.kernel.org/linus/4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b + +My previous comments were still a bit confusing and there was a +typo. Fix it up. + +Reported-by: Peter Zijlstra +Signed-off-by: Andy Lutomirski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Rik van Riel +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization") +Link: http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.luto@kernel.org +Signed-off-by: Ingo Molnar +--- + arch/x86/include/asm/mmu_context.h | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index 1edc9cd198b8..bfd9b2a35a0b 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -132,14 +132,16 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + * be sent, and CPU 0's TLB will contain a stale entry.) + * + * The bad outcome can occur if either CPU's load is +- * reordered before that CPU's store, so both CPUs much ++ * reordered before that CPU's store, so both CPUs must + * execute full barriers to prevent this from happening. + * + * Thus, switch_mm needs a full barrier between the + * store to mm_cpumask and any operation that could load +- * from next->pgd. This barrier synchronizes with +- * remote TLB flushers. Fortunately, load_cr3 is +- * serializing and thus acts as a full barrier. ++ * from next->pgd. TLB fills are special and can happen ++ * due to instruction fetches or for no reason at all, ++ * and neither LOCK nor MFENCE orders them. 
++ * Fortunately, load_cr3() is serializing and gives the ++ * ordering guarantee we need. + * + */ + load_cr3(next->pgd); +@@ -188,9 +190,8 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + * tlb flush IPI delivery. We must reload CR3 + * to make sure to use no freed page tables. + * +- * As above, this is a barrier that forces +- * TLB repopulation to be ordered after the +- * store to mm_cpumask. ++ * As above, load_cr3() is serializing and orders TLB ++ * fills with respect to the mm_cpumask write. + */ + load_cr3(next->pgd); + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); diff --git a/debian/patches/series b/debian/patches/series index 6c7346ba6..9afb768e7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -145,3 +145,5 @@ bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch +bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch +bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch From ba1393105a51e21ed8813044437d9aee1f91f58d Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Mon, 1 Feb 2016 08:53:39 +0100 Subject: [PATCH 11/23] Update to 4.3.5 Drop several patches that are included in it. Fix/ignore various ABI changes. --- debian/changelog | 163 +++++++++++++++++- debian/config/defines | 3 + ...cks-for-allocation-failure-in-isdn_p.patch | 37 ---- ...dia-vivid-osd-fix-info-leak-in-ioctl.patch | 31 ---- ...e-vj-compression-slot-parameters-com.patch | 128 -------------- ...-fix-zero-cwnd-in-tcp_cwnd_reduction.patch | 63 ------- ...count-for-FDs-passed-over-unix-socke.patch | 140 --------------- ...-maps-should-not-be-subject-to-numa-.patch | 38 ---- ...kvm-svm-unconditionally-intercept-DB.patch | 75 -------- ...ers-and-document-switch_mm-vs-flush-.patch | 158 ----------------- ...m-Improve-switch_mm-barrier-comments.patch | 64 ------- .../debian/usb-fix-abi-change-in-4.3.5.patch | 23 +++ debian/patches/series | 10 +- 13 files changed, 185 insertions(+), 748 deletions(-) delete mode 100644 debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch delete mode 100644 debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch delete mode 100644 debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch delete mode 100644 debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch delete mode 100644 debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch delete mode 100644 debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch delete mode 100644 debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch delete mode 100644 debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch delete mode 100644 debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch create mode 100644 debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch diff --git a/debian/changelog b/debian/changelog index 1ad6903a4..3d92a19c7 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.3.4-1) UNRELEASED; urgency=medium +linux (4.3.5-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4 
@@ -50,16 +50,169 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
 - af_unix: Revert 'lock_interruptible' in stream receive code
 - tcp: restore fastopen with no data in SYN packet
 - rhashtable: Fix walker list corruption
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.5
+ - [x86] smpboot: Re-enable init_udelay=0 by default on modern CPUs
+ - [x86] mpx: Fix instruction decoder condition
+ - [x86] signal: Fix restart_syscall number for x32 tasks
+ - [x86] paravirt: Prevent rtc_cmos platform device init on PV guests
+ - [x86] mce: Ensure offline CPUs don't participate in rendezvous process
+ - [x86] xen: don't reset vcpu_info on a cancelled suspend
+ - [x86] KVM: VMX: fix SMEP and SMAP without EPT
+ - [powerpc*] KVM: Book3S HV: Don't dynamically split core when already split
+ - [powerpc*] KVM: Book3S HV: Prohibit setting illegal transaction state
+ in MSR
+ - [x86] KVM: expose MSR_TSC_AUX to userspace
+ - [x86] KVM: correctly print #AC in traces
+ - [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
+ - [x86] boot: Double BOOT_HEAP_SIZE to 64KB
+ - [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization
+ (CVE-2016-2069)
+ - [x86] mm: Improve switch_mm() barrier comments
+ - timers: Use proper base migration in add_timer_on()
+ - ipmi: Start the timer and thread on internal msgs
+ - ipmi: move timer init to before irq is setup
+ - [x86] ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after
+ resume back
+ - ALSA: hda - Disable 64bit address for Creative HDA controllers
+ - ALSA: hda - Fix lost 4k BDL boundary workaround
+ - [x86] ALSA: hda - Add Intel Lewisburg device IDs Audio
+ - [x86] ALSA: hda - Apply pin fixup for HP ProBook 6550b
+ - ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in
+ - ALSA: hda - Apply HP headphone fixups more generically
+ - [x86] ALSA: hda - Fix noise on Dell Latitude E6440
+ - [x86] ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14
+ - [x86] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back
+ from S3
+ - [x86] ALSA: hda - Fix noise on Gigabyte Z170X mobo
+ - ALSA: hda - Skip ELD notification during system suspend
+ - ALSA: rme96: Fix unexpected volume reset after rate changes
+ - [x86] ALSA: hda - Add inverted dmic for Packard Bell DOTS
+ - ALSA: hda - Fixing speaker noise on the two latest thinkpad models
+ - [x86] ALSA: hda - Fix noise problems on Thinkpad T440s
+ - [x86] ALSA: hda/ca0132 - quirk for Alienware 17 2015
+ - [x86] ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd
+ - [x86] ALSA: hda - Apply click noise workaround for Thinkpads generically
+ - [x86] ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines
+ - [x86] ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads
+ - ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
+ - ALSA: usb-audio: Add sample rate inquiry quirk for AudioQuest DragonFly
+ - ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
+ - [x86] ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
+ - [x86] ALSA: hda - Add mic mute hotkey quirk for Lenovo ThinkCentre AIO
+ - ALSA: hda - Add keycode map for alc input device
+ - [x86] ALSA: usb: Add native DSD support for Oppo HA-1
+ - ALSA: hda - Fixup inverted internal mic for Lenovo E50-80
+ - ALSA: seq: Fix missing NULL check at remove_events ioctl
+ - ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect
+ - ALSA: seq: Fix race at timer setup and close
+ - [x86] ALSA: hda - Fix white noise on Dell Latitude E5550
+ - ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices
+ - ALSA: timer: Harden slave timer list handling
+ - [x86] ALSA: hda - fix the headset mic detection problem for a Dell laptop
+ - ALSA: timer: Fix race among timer ioctls
+ - ALSA: timer: Fix double unlink of active_list
+ - [x86] ALSA: hda - Add fixup for Dell Latitidue E6540
+ - ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
+ - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
+ - ALSA: hrtimer: Fix stall by hrtimer_cancel()
+ - ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
+ - [x86] ALSA: hda - Fix bass pin fixup for ASUS N550JX
+ - ALSA: hda - Flush the pending probe work at remove
+ - ALSA: timer: Handle disconnection more safely
+ - ASoC: rt286: Fix run time error while modifying const data
+ - ASoC: rsnd: fixup SCU_SYS_INT_EN1 address
+ - ASoC: wm8962: correct addresses for HPF_C_0/1
+ - ASoC: es8328: Fix deemphasis values
+ - ASoC: wm8974: set cache type for regmap
+ - ASoC: davinci-mcasp: Fix XDATA check in mcasp_start_tx
+ - ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
+ - ASoC: wm5110: Fix PGA clear when disabling DRE
+ - ASoC: compress: Fix compress device direction check
+ - usb: xhci: fix config fail of FS hub behind a HS hub with MTT
+ - airspy: increase USB control message buffer size
+ - USB: fix invalid memory access in hub_activate()
+ - USB: ipaq.c: fix a timeout loop
+ - USB: cp210x: add ID for ELV Marble Sound Board 1
+ - usb: core: lpm: fix usb3_hardware_lpm sysfs node
+ - xhci: refuse loading if nousb is used
+ - openvswitch: correct encoding of set tunnel action attributes
+ - veth: don’t modify ip_summed; doing so treats packets with bad checksums
+ as good.
+ - ipv6/addrlabel: fix ip6addrlbl_get()
+ - addrconf: always initialize sysctl table data
+ - net: cdc_ncm: avoid changing RX/TX buffers on MTU changes
+ - sctp: sctp should release assoc when sctp_make_abort_user return NULL
+ in sctp_close
+ - connector: bump skb->users before callback invocation
+ - af_unix: Fix splice-bind deadlock
+ - bridge: Only call /sbin/bridge-stp for the initial network namespace
+ - net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
+ - net: sched: fix missing free per cpu on qstats
+ - net: possible use after free in dst_release
+ - tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
+ - vxlan: fix test which detect duplicate vxlan iface
+ - net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
+ - ipv6: tcp: add rcu locking in tcp_v6_send_synack()
+ - tcp_yeah: don't set ssthresh below 2
+ - sched,cls_flower: set key address type when present
+ - net: pktgen: fix null ptr deref in skb allocation
+ - udp: disallow UFO for sockets with SO_NO_CHECK option
+ - net: preserve IP control block during GSO segmentation
+ - bonding: Prevent IPv6 link local address on enslaved devices
+ - phonet: properly unshare skbs in phonet_rcv()
+ - net: bpf: reject invalid shifts
+ - ipv6: update skb->csum when CE mark is propagated
+ - bridge: fix lockdep addr_list_lock false positive splat
+ - batman-adv: Avoid recursive call_rcu for batadv_bla_claim
+ - batman-adv: Avoid recursive call_rcu for batadv_nc_node
+ - batman-adv: Drop immediate batadv_orig_ifinfo free function
+ - batman-adv: Drop immediate batadv_neigh_node free function
+ - batman-adv: Drop immediate neigh_ifinfo free function
+ - batman-adv: Drop immediate batadv_hard_iface free function
+ - batman-adv: Drop immediate orig_node free function
+ - net/mlx5_core: Fix trimming down IRQ number
+ - team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
+ - xfrm: dst_entries_init() per-net dst_ops
+ - [powerpc*] tm: Block signal return setting invalid MSR state
+ - [powerpc*] tm: Check for already reclaimed tasks
+ - [powerpc*] opal-irqchip: Fix double endian conversion
+ - [powerpc*] opal-irqchip: Fix deadlock introduced by "Fix double endian
+ conversion"
+ - [powerpc*] powernv: pr_warn_once on unsupported OPAL_MSG type
+ - [powerpc*] Make value-returning atomics fully ordered
+ - [powerpc*] Make {cmp}xchg* and their atomic_ versions fully ordered
+ - [powerpc*] scripts/recordmcount.pl: support data in text section
+ - [powerpc*] module: Handle R_PPC64_ENTRY relocations
+ - [arm64] recordmcount: Replace the ignored mcount call into nop
+ - [arm64] bpf: fix div-by-zero case
+ - [arm64] bpf: fix mod-by-zero case
+ - [arm64] cmpxchg_dbl: fix return value type
+ - [arm64] kernel: pause/unpause function graph tracer in cpu_suspend()
+ - [arm*] KVM: test properly for a PTE's uncachedness
+ - [arm64] KVM: Fix AArch32 to AArch64 register mapping
+ - [arm*] KVM: correct PTE uncachedness check
+ - [arm64] Clear out any singlestep state on a ptrace detach operation
+ - [arm64] mm: ensure that the zero page is visible to the page table walker
+ - [arm64] kernel: enforce pmuserenr_el0 initialization and restore
+ - [arm*] iommu/arm-smmu: Fix error checking for ASID and VMID allocation
+ - [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints
+ - [hppa] iommu: fix panic due to trying to allocate too large region
+ - HID: wacom: Tie cached HID_DG_CONTACTCOUNT indices to report ID
+ - HID: wacom: Expect 'touch_max' touches if HID_DG_CONTACTCOUNT not present
+ - HID: core: Avoid uninitialized buffer access
+ - staging: lustre: echo_copy.._lsm() dereferences userland pointers directly
+ - direct-io: Fix negative return from dio read beyond eof
+ - fix the regression from "direct-io: Fix negative return from dio read
+ beyond eof"
+ - [arm64] restore bogomips information in /proc/cpuinfo
+ - [arm64] KVM: Add workaround for Cortex-A57 erratum 834220
+ - [arm64] kernel: fix architected PMU registers unconditional access
 [ Ben Hutchings ]
 * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
 * SCSI: fix crashes in sd and sr runtime PM (Closes: #801925)
- * [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization
- (CVE-2016-2069)
- * [x86] mm: Improve switch_mm() barrier comments
 [ Salvatore Bonaccorso ]
- * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
 * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787)
 [ Aurelien Jarno ]
diff --git a/debian/config/defines b/debian/config/defines
index 475934be3..11edf5a50 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -16,6 +16,9 @@ ignore-changes:
 # Can't be used from OOT
 pin_is_valid
 pinctrl_*
+# Shouldn't be used from OOT
+ module:drivers/net/ethernet/mellanox/**
+ pv_info
 [base]
 arches:
diff --git a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch b/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
deleted file mode 100644
index 6826c67ae..000000000
--- a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
+++ /dev/null
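Review bot: The two new `ignore-changes` entries mute the ABI checker for every exported symbol under `drivers/net/ethernet/mellanox/**` and for `pv_info`, not only for whatever changed in the 4.3.5 stable update, so a later unrelated ABI break in those would also pass unreported. The comment `# Shouldn't be used from OOT` records the policy but not the trigger; presumably these cover the mlx5 and paravirt fixes listed in the changelog, and saying so, e.g. `# Shouldn't be used from OOT (layout changed in the 4.3.5 stable update)`, would let the next update re-check whether the entries are still needed. If an out-of-tree module does consume `pv_info`, modversions will no longer reject the mismatch, so that assumption is worth stating next to the entry.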
@@ -1,37 +0,0 @@ -From: Ben Hutchings -Date: Sun, 1 Nov 2015 16:21:24 +0000 -Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open() -Origin: https://git.kernel.org/linus/0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 - -Compile-tested only. - -Signed-off-by: Ben Hutchings -Signed-off-by: David S. Miller ---- - drivers/isdn/i4l/isdn_ppp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c -index c4198fa..86f9abe 100644 ---- a/drivers/isdn/i4l/isdn_ppp.c -+++ b/drivers/isdn/i4l/isdn_ppp.c -@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file) - is->compflags = 0; - - is->reset = isdn_ppp_ccp_reset_alloc(is); -+ if (!is->reset) -+ return -ENOMEM; - - is->lp = NULL; - is->mp_seqno = 0; /* MP sequence number */ -@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file) - * VJ header compression init - */ - is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ -+ if (!is->slcomp) { -+ isdn_ppp_ccp_reset_free(is); -+ return -ENOMEM; -+ } - #endif - #ifdef CONFIG_IPPP_FILTER - is->pass_filter = NULL; diff --git a/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch b/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch deleted file mode 100644 index 8d551da49..000000000 --- a/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From: =?UTF-8?q?Salva=20Peir=C3=B3?= -Date: Wed, 7 Oct 2015 07:09:26 -0300 -Subject: [media] media/vivid-osd: fix info leak in ioctl -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/eda98796aff0d9bf41094b06811f5def3b4c333c - -The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of -struct fb_vblank after the ->hcount member. Add an explicit -memset(0) before filling the structure to avoid the info leak. - -Signed-off-by: Salva Peiró -Signed-off-by: Hans Verkuil -Signed-off-by: Mauro Carvalho Chehab ---- - drivers/media/platform/vivid/vivid-osd.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c -index 084d346..e15eef6 100644 ---- a/drivers/media/platform/vivid/vivid-osd.c -+++ b/drivers/media/platform/vivid/vivid-osd.c -@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg) - case FBIOGET_VBLANK: { - struct fb_vblank vblank; - -+ memset(&vblank, 0, sizeof(vblank)); - vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT | - FB_VBLANK_HAVE_VSYNC; - vblank.count = 0; diff --git a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch b/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch deleted file mode 100644 index b70b25aba..000000000 --- a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From: Ben Hutchings -Date: Sun, 1 Nov 2015 16:22:53 +0000 -Subject: ppp, slip: Validate VJ compression slot parameters completely -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/4ab42d78e37a294ac7bc56901d563c642e03c4ae - -Currently slhc_init() treats out-of-range values of rslots and tslots -as equivalent to 0, except that if tslots is too large it will -dereference a null pointer (CVE-2015-7799). - -Add a range-check at the top of the function and make it return an -ERR_PTR() on error instead of NULL. Change the callers accordingly. - -Compile-tested only. - -Reported-by: 郭永刚 -References: http://article.gmane.org/gmane.comp.security.oss.general/17908 -Signed-off-by: Ben Hutchings -Signed-off-by: David S. Miller ---- - drivers/isdn/i4l/isdn_ppp.c | 10 ++++------ - drivers/net/ppp/ppp_generic.c | 6 ++---- - drivers/net/slip/slhc.c | 12 ++++++++---- - drivers/net/slip/slip.c | 2 +- - 4 files changed, 15 insertions(+), 15 deletions(-) - ---- a/drivers/isdn/i4l/isdn_ppp.c -+++ b/drivers/isdn/i4l/isdn_ppp.c -@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file - * VJ header compression init - */ - is->slcomp = slhc_init(16, 16); /* not necessary for 2. 
link in bundle */ -- if (!is->slcomp) { -+ if (IS_ERR(is->slcomp)) { - isdn_ppp_ccp_reset_free(is); -- return -ENOMEM; -+ return PTR_ERR(is->slcomp); - } - #endif - #ifdef CONFIG_IPPP_FILTER -@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *fil - is->maxcid = val; - #ifdef CONFIG_ISDN_PPP_VJ - sltmp = slhc_init(16, val); -- if (!sltmp) { -- printk(KERN_ERR "ippp, can't realloc slhc struct\n"); -- return -ENOMEM; -- } -+ if (IS_ERR(sltmp)) -+ return PTR_ERR(sltmp); - if (is->slcomp) - slhc_free(is->slcomp); - is->slcomp = sltmp; ---- a/drivers/net/ppp/ppp_generic.c -+++ b/drivers/net/ppp/ppp_generic.c -@@ -719,10 +719,8 @@ static long ppp_ioctl(struct file *file, - val &= 0xffff; - } - vj = slhc_init(val2+1, val+1); -- if (!vj) { -- netdev_err(ppp->dev, -- "PPP: no memory (VJ compressor)\n"); -- err = -ENOMEM; -+ if (IS_ERR(vj)) { -+ err = PTR_ERR(vj); - break; - } - ppp_lock(ppp); ---- a/drivers/net/slip/slhc.c -+++ b/drivers/net/slip/slhc.c -@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp); - static unsigned char * put16(unsigned char *cp, unsigned short x); - static unsigned short pull16(unsigned char **cpp); - --/* Initialize compression data structure -+/* Allocate compression data structure - * slots must be in range 0 to 255 (zero meaning no compression) -+ * Returns pointer to structure or ERR_PTR() on error. - */ - struct slcompress * - slhc_init(int rslots, int tslots) -@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots) - register struct cstate *ts; - struct slcompress *comp; - -+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255) -+ return ERR_PTR(-EINVAL); -+ - comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL); - if (! comp) - goto out_fail; - -- if ( rslots > 0 && rslots < 256 ) { -+ if (rslots > 0) { - size_t rsize = rslots * sizeof(struct cstate); - comp->rstate = kzalloc(rsize, GFP_KERNEL); - if (! 
comp->rstate) -@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots) - comp->rslot_limit = rslots - 1; - } - -- if ( tslots > 0 && tslots < 256 ) { -+ if (tslots > 0) { - size_t tsize = tslots * sizeof(struct cstate); - comp->tstate = kzalloc(tsize, GFP_KERNEL); - if (! comp->tstate) -@@ -141,7 +145,7 @@ out_free2: - out_free: - kfree(comp); - out_fail: -- return NULL; -+ return ERR_PTR(-ENOMEM); - } - - ---- a/drivers/net/slip/slip.c -+++ b/drivers/net/slip/slip.c -@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl - if (cbuff == NULL) - goto err_exit; - slcomp = slhc_init(16, 16); -- if (slcomp == NULL) -+ if (IS_ERR(slcomp)) - goto err_exit; - #endif - spin_lock_bh(&sl->lock); diff --git a/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch b/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch deleted file mode 100644 index bd192a17c..000000000 --- a/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From: Yuchung Cheng -Date: Wed, 6 Jan 2016 12:42:38 -0800 -Subject: tcp: fix zero cwnd in tcp_cwnd_reduction -Origin: https://git.kernel.org/linus/8b8a321ff72c785ed5e8b4cf6eda20b35d427390 - -Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode -conditionally") introduced a bug that cwnd may become 0 when both -inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead -to a div-by-zero if the connection starts another cwnd reduction -phase by setting tp->prior_cwnd to the current cwnd (0) in -tcp_init_cwnd_reduction(). - -To prevent this we skip PRR operation when nothing is acked or -sacked. Then cwnd must be positive in all cases as long as ssthresh -is positive: - -1) The proportional reduction mode - inflight > ssthresh > 0 - -2) The reduction bound mode - a) inflight == ssthresh > 0 - - b) inflight < ssthresh - sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh - -Therefore in all cases inflight and sndcnt can not both be 0. -We check invalid tp->prior_cwnd to avoid potential div0 bugs. - -In reality this bug is triggered only with a sequence of less common -events. For example, the connection is terminating an ECN-triggered -cwnd reduction with an inflight 0, then it receives reordered/old -ACKs or DSACKs from prior transmission (which acks nothing). Or the -connection is in fast recovery stage that marks everything lost, -but fails to retransmit due to local issues, then receives data -packets from other end which acks nothing. - -Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally") -Reported-by: Oleksandr Natalenko -Signed-off-by: Yuchung Cheng -Signed-off-by: Neal Cardwell -Signed-off-by: Eric Dumazet -Signed-off-by: David S. 
Miller ---- - net/ipv4/tcp_input.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 2d656ee..d4c5115 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -2478,6 +2478,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, - int newly_acked_sacked = prior_unsacked - - (tp->packets_out - tp->sacked_out); - -+ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) -+ return; -+ - tp->prr_delivered += newly_acked_sacked; - if (delta < 0) { - u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + --- -2.1.4 - diff --git a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch b/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch deleted file mode 100644 index 8cd6bb4ac..000000000 --- a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -From: willy tarreau -Date: Sun, 10 Jan 2016 07:54:56 +0100 -Subject: unix: properly account for FDs passed over unix sockets -Origin: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593 - -It is possible for a process to allocate and accumulate far more FDs than -the process' limit by sending them over a unix socket then closing them -to keep the process' fd count low. - -This change addresses this problem by keeping track of the number of FDs -in flight per user and preventing non-privileged processes from having -more FDs in flight than their configured FD limit. - -Reported-by: socketpair@gmail.com -Reported-by: Tetsuo Handa -Mitigates: CVE-2013-4312 (Linux 2.0+) -Suggested-by: Linus Torvalds -Acked-by: Hannes Frederic Sowa -Signed-off-by: Willy Tarreau -Signed-off-by: David S. Miller ---- - include/linux/sched.h | 1 + - net/unix/af_unix.c | 24 ++++++++++++++++++++---- - net/unix/garbage.c | 13 ++++++++----- - 3 files changed, 29 insertions(+), 9 deletions(-) - -diff --git a/include/linux/sched.h b/include/linux/sched.h -index edad7a4..fbf25f1 100644 ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -830,6 +830,7 @@ struct user_struct { - unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */ - #endif - unsigned long locked_shm; /* How many pages of mlocked shm ? */ -+ unsigned long unix_inflight; /* How many files in flight in unix sockets */ - - #ifdef CONFIG_KEYS - struct key *uid_keyring; /* UID specific keyring */ -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index ef05cd9..e3f85bc 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb) - sock_wfree(skb); - } - -+/* -+ * The "user->unix_inflight" variable is protected by the garbage -+ * collection lock, and we just read it locklessly here. If you go -+ * over the limit, there might be a tiny race in actually noticing -+ * it across threads. Tough. 
-+ */ -+static inline bool too_many_unix_fds(struct task_struct *p) -+{ -+ struct user_struct *user = current_user(); -+ -+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) -+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); -+ return false; -+} -+ - #define MAX_RECURSION_LEVEL 4 - - static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) -@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - unsigned char max_level = 0; - int unix_sock_count = 0; - -+ if (too_many_unix_fds(current)) -+ return -ETOOMANYREFS; -+ - for (i = scm->fp->count - 1; i >= 0; i--) { - struct sock *sk = unix_get_socket(scm->fp->fp[i]); - -@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - if (!UNIXCB(skb).fp) - return -ENOMEM; - -- if (unix_sock_count) { -- for (i = scm->fp->count - 1; i >= 0; i--) -- unix_inflight(scm->fp->fp[i]); -- } -+ for (i = scm->fp->count - 1; i >= 0; i--) -+ unix_inflight(scm->fp->fp[i]); - return max_level; - } - -diff --git a/net/unix/garbage.c b/net/unix/garbage.c -index a73a226..8fcdc22 100644 ---- a/net/unix/garbage.c -+++ b/net/unix/garbage.c -@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -+ spin_lock(&unix_gc_lock); -+ - if (s) { - struct unix_sock *u = unix_sk(s); - -- spin_lock(&unix_gc_lock); -- - if (atomic_long_inc_return(&u->inflight) == 1) { - BUG_ON(!list_empty(&u->link)); - list_add_tail(&u->link, &gc_inflight_list); -@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp) - BUG_ON(list_empty(&u->link)); - } - unix_tot_inflight++; -- spin_unlock(&unix_gc_lock); - } -+ fp->f_cred->user->unix_inflight++; -+ spin_unlock(&unix_gc_lock); - } - - void unix_notinflight(struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -+ spin_lock(&unix_gc_lock); -+ - if (s) { - struct unix_sock *u = unix_sk(s); - -- spin_lock(&unix_gc_lock); - 
BUG_ON(list_empty(&u->link)); - - if (atomic_long_dec_and_test(&u->inflight)) - list_del_init(&u->link); - unix_tot_inflight--; -- spin_unlock(&unix_gc_lock); - } -+ fp->f_cred->user->unix_inflight--; -+ spin_unlock(&unix_gc_lock); - } - - static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *), --- -2.7.0.rc3 - diff --git a/debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch b/debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch deleted file mode 100644 index 6da7b5eb8..000000000 --- a/debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Boris Ostrovsky -Date: Tue, 10 Nov 2015 15:10:33 -0500 -Subject: xen/gntdev: Grant maps should not be subject to NUMA balancing -Origin: https://git.kernel.org/linus/9c17d96500f78d7ecdb71ca6942830158bc75a2b -Bug-Debian: https://bugs.debian.org/810472 - -Doing so will cause the grant to be unmapped and then, during -fault handling, the fault to be mistakenly treated as NUMA hint -fault. - -In addition, even if those maps could partcipate in NUMA -balancing, it wouldn't provide any benefit since we are unable -to determine physical page's node (even if/when VNUMA is -implemented). - -Marking grant maps' VMAs as VM_IO will exclude them from being -part of NUMA balancing. - -Signed-off-by: Boris Ostrovsky -Cc: stable@vger.kernel.org -Signed-off-by: David Vrabel ---- - drivers/xen/gntdev.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c -index 2ea0b3b..1be5dd0 100644 ---- a/drivers/xen/gntdev.c -+++ b/drivers/xen/gntdev.c -@@ -804,7 +804,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) - - vma->vm_ops = &gntdev_vmops; - -- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; -+ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO; - - if (use_ptemod) - vma->vm_flags |= VM_DONTCOPY; 
diff --git a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch b/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
deleted file mode 100644
index 7ed419edc..000000000
--- a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 10 Nov 2015 09:14:39 +0100 -Subject: KVM: svm: unconditionally intercept #DB -Origin: https://git.kernel.org/linus/cbdb967af3d54993f5814f1cee0ed311a055377d - -This is needed to avoid the possibility that the guest triggers -an infinite stream of #DB exceptions (CVE-2015-8104). - -VMX is not affected: because it does not save DR6 in the VMCS, -it already intercepts #DB unconditionally. - -Reported-by: Jan Beulich -Cc: stable@vger.kernel.org -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/svm.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s - set_exception_intercept(svm, UD_VECTOR); - set_exception_intercept(svm, MC_VECTOR); - set_exception_intercept(svm, AC_VECTOR); -+ set_exception_intercept(svm, DB_VECTOR); - - set_intercept(svm, INTERCEPT_INTR); - set_intercept(svm, INTERCEPT_NMI); -@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_v - mark_dirty(svm->vmcb, VMCB_SEG); - } - --static void update_db_bp_intercept(struct kvm_vcpu *vcpu) -+static void update_bp_intercept(struct kvm_vcpu *vcpu) - { - struct vcpu_svm *svm = to_svm(vcpu); - -- clr_exception_intercept(svm, DB_VECTOR); - clr_exception_intercept(svm, BP_VECTOR); - -- if (svm->nmi_singlestep) -- set_exception_intercept(svm, DB_VECTOR); -- - if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { -- if (vcpu->guest_debug & -- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) -- set_exception_intercept(svm, DB_VECTOR); - if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) - set_exception_intercept(svm, BP_VECTOR); - } else -@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_s - if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) - svm->vmcb->save.rflags &= - ~(X86_EFLAGS_TF | X86_EFLAGS_RF); -- update_db_bp_intercept(&svm->vcpu); - } - - if (svm->vcpu.guest_debug & -@@ -3760,7 +3753,6 @@ static void 
enable_nmi_window(struct kvm - */ - svm->nmi_singlestep = true; - svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); -- update_db_bp_intercept(vcpu); - } - - static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) -@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = - .vcpu_load = svm_vcpu_load, - .vcpu_put = svm_vcpu_put, - -- .update_db_bp_intercept = update_db_bp_intercept, -+ .update_db_bp_intercept = update_bp_intercept, - .get_msr = svm_get_msr, - .set_msr = svm_set_msr, - .get_segment_base = svm_get_segment_base, diff --git a/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch b/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch deleted file mode 100644 index 0ef087561..000000000 --- a/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From: Andy Lutomirski -Date: Wed, 6 Jan 2016 12:21:01 -0800 -Subject: x86/mm: Add barriers and document switch_mm()-vs-flush - synchronization -Origin: https://git.kernel.org/linus/71b3c126e61177eb693423f2e18a1914205b165e - -When switch_mm() activates a new PGD, it also sets a bit that -tells other CPUs that the PGD is in use so that TLB flush IPIs -will be sent. In order for that to work correctly, the bit -needs to be visible prior to loading the PGD and therefore -starting to fill the local TLB. - -Document all the barriers that make this work correctly and add -a couple that were missing. - -Signed-off-by: Andy Lutomirski -Cc: Andrew Morton -Cc: Andy Lutomirski -Cc: Borislav Petkov -Cc: Brian Gerst -Cc: Dave Hansen -Cc: Denys Vlasenko -Cc: H. Peter Anvin -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Rik van Riel -Cc: Thomas Gleixner -Cc: linux-mm@kvack.org -Cc: stable@vger.kernel.org -Signed-off-by: Ingo Molnar ---- - arch/x86/include/asm/mmu_context.h | 33 ++++++++++++++++++++++++++++++++- - arch/x86/mm/tlb.c | 29 ++++++++++++++++++++++++++--- - 2 files changed, 58 insertions(+), 4 deletions(-) - -diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index 379cd3658799..1edc9cd198b8 100644 ---- a/arch/x86/include/asm/mmu_context.h -+++ b/arch/x86/include/asm/mmu_context.h -@@ -116,8 +116,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - #endif - cpumask_set_cpu(cpu, mm_cpumask(next)); - -- /* Re-load page tables */ -+ /* -+ * Re-load page tables. -+ * -+ * This logic has an ordering constraint: -+ * -+ * CPU 0: Write to a PTE for 'next' -+ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI. -+ * CPU 1: set bit 1 in next's mm_cpumask -+ * CPU 1: load from the PTE that CPU 0 writes (implicit) -+ * -+ * We need to prevent an outcome in which CPU 1 observes -+ * the new PTE value and CPU 0 observes bit 1 clear in -+ * mm_cpumask. 
(If that occurs, then the IPI will never -+ * be sent, and CPU 0's TLB will contain a stale entry.) -+ * -+ * The bad outcome can occur if either CPU's load is -+ * reordered before that CPU's store, so both CPUs much -+ * execute full barriers to prevent this from happening. -+ * -+ * Thus, switch_mm needs a full barrier between the -+ * store to mm_cpumask and any operation that could load -+ * from next->pgd. This barrier synchronizes with -+ * remote TLB flushers. Fortunately, load_cr3 is -+ * serializing and thus acts as a full barrier. -+ * -+ */ - load_cr3(next->pgd); -+ - trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); - - /* Stop flush ipis for the previous mm */ -@@ -156,10 +182,15 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - * schedule, protecting us from simultaneous changes. - */ - cpumask_set_cpu(cpu, mm_cpumask(next)); -+ - /* - * We were in lazy tlb mode and leave_mm disabled - * tlb flush IPI delivery. We must reload CR3 - * to make sure to use no freed page tables. -+ * -+ * As above, this is a barrier that forces -+ * TLB repopulation to be ordered after the -+ * store to mm_cpumask. - */ - load_cr3(next->pgd); - trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); -diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c -index 8ddb5d0d66fb..8f4cc3dfac32 100644 ---- a/arch/x86/mm/tlb.c -+++ b/arch/x86/mm/tlb.c -@@ -161,7 +161,10 @@ void flush_tlb_current_task(void) - preempt_disable(); - - count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); -+ -+ /* This is an implicit full barrier that synchronizes with switch_mm. 
*/ - local_flush_tlb(); -+ - trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); - if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) - flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL); -@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, - unsigned long base_pages_to_flush = TLB_FLUSH_ALL; - - preempt_disable(); -- if (current->active_mm != mm) -+ if (current->active_mm != mm) { -+ /* Synchronize with switch_mm. */ -+ smp_mb(); -+ - goto out; -+ } - - if (!current->mm) { - leave_mm(smp_processor_id()); -+ -+ /* Synchronize with switch_mm. */ -+ smp_mb(); -+ - goto out; - } - - if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB)) - base_pages_to_flush = (end - start) >> PAGE_SHIFT; - -+ /* -+ * Both branches below are implicit full barriers (MOV to CR or -+ * INVLPG) that synchronize with switch_mm. -+ */ - if (base_pages_to_flush > tlb_single_page_flush_ceiling) { - base_pages_to_flush = TLB_FLUSH_ALL; - count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); -@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start) - preempt_disable(); - - if (current->active_mm == mm) { -- if (current->mm) -+ if (current->mm) { -+ /* -+ * Implicit full barrier (INVLPG) that synchronizes -+ * with switch_mm. -+ */ - __flush_tlb_one(start); -- else -+ } else { - leave_mm(smp_processor_id()); -+ -+ /* Synchronize with switch_mm. */ -+ smp_mb(); -+ } - } - - if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) diff --git a/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch b/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch deleted file mode 100644 index 5e3f9326c..000000000 --- a/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From: Andy Lutomirski -Date: Tue, 12 Jan 2016 12:47:40 -0800 -Subject: x86/mm: Improve switch_mm() barrier comments -Origin: https://git.kernel.org/linus/4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b - -My previous comments were still a bit confusing and there was a -typo. Fix it up. - -Reported-by: Peter Zijlstra -Signed-off-by: Andy Lutomirski -Cc: Andy Lutomirski -Cc: Borislav Petkov -Cc: Brian Gerst -Cc: Dave Hansen -Cc: Denys Vlasenko -Cc: H. Peter Anvin -Cc: Linus Torvalds -Cc: Rik van Riel -Cc: Thomas Gleixner -Cc: stable@vger.kernel.org -Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization") -Link: http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.luto@kernel.org -Signed-off-by: Ingo Molnar ---- - arch/x86/include/asm/mmu_context.h | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index 1edc9cd198b8..bfd9b2a35a0b 100644 ---- a/arch/x86/include/asm/mmu_context.h -+++ b/arch/x86/include/asm/mmu_context.h -@@ -132,14 +132,16 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - * be sent, and CPU 0's TLB will contain a stale entry.) - * - * The bad outcome can occur if either CPU's load is -- * reordered before that CPU's store, so both CPUs much -+ * reordered before that CPU's store, so both CPUs must - * execute full barriers to prevent this from happening. - * - * Thus, switch_mm needs a full barrier between the - * store to mm_cpumask and any operation that could load -- * from next->pgd. This barrier synchronizes with -- * remote TLB flushers. Fortunately, load_cr3 is -- * serializing and thus acts as a full barrier. -+ * from next->pgd. TLB fills are special and can happen -+ * due to instruction fetches or for no reason at all, -+ * and neither LOCK nor MFENCE orders them. 
-+ * Fortunately, load_cr3() is serializing and gives the
-+ * ordering guarantee we need.
- *
- */
- load_cr3(next->pgd);
-@@ -188,9 +190,8 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
- * tlb flush IPI delivery. We must reload CR3
- * to make sure to use no freed page tables.
- *
-- * As above, this is a barrier that forces
-- * TLB repopulation to be ordered after the
-- * store to mm_cpumask.
-+ * As above, load_cr3() is serializing and orders TLB
-+ * fills with respect to the mm_cpumask write.
- */
- load_cr3(next->pgd);
- trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
diff --git a/debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch b/debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch
new file mode 100644
index 000000000..32441eb51
--- /dev/null
+++ b/debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch
@@ -0,0 +1,23 @@
+From: Ben Hutchings
+Date: Mon, 01 Feb 2016 09:05:24 +0100
+Subject: usb: Fix ABI change in 4.3.5
+Forwarded: not-needed
+
+struct usb_device gained two new bitfields, but there were plenty of
+padding bits to spare. Hide them from genksyms.
+
+---
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -582,8 +582,11 @@ struct usb_device {
+ unsigned usb2_hw_lpm_enabled:1;
+ unsigned usb2_hw_lpm_allowed:1;
+ unsigned usb3_lpm_enabled:1;
++#ifndef __GENKSYMS__
+ unsigned usb3_lpm_u1_enabled:1;
+ unsigned usb3_lpm_u2_enabled:1;
++ /* 18 bits spare */
++#endif
+ int string_langid;
+
+ /* static strings from the device */
@@ -100,13 +100,9 @@ bugfix/all/selftests-breakpoints-actually-build-it.patch debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch # Security fixes -bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch -bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch -bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch -bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch bugfix/all/ovl-fix-permission-checking-for-setattr.patch bugfix/all/xen-add-ring_copy_request.patch bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch @@ -127,11 +123,9 @@ bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch -bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch -bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch 
@@ -142,8 +136,6 @@ bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch -bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch -bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch -bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch +debian/usb-fix-abi-change-in-4.3.5.patch From 3180443250b377ceb6e6eb2997d07f014dca270c Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 1 Feb 2016 17:16:15 +0000 Subject: [PATCH 12/23] rt2x00: fix monitor mode regression (regression in 4.2) --- debian/changelog | 1 + .../rt2x00-fix-monitor-mode-regression.patch | 149 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 151 insertions(+) create mode 100644 debian/patches/bugfix/all/rt2x00-fix-monitor-mode-regression.patch diff --git a/debian/changelog b/debian/changelog index 3d92a19c7..f7ec1b505 100644 --- a/debian/changelog +++ b/debian/changelog @@ -211,6 +211,7 @@ linux (4.3.5-1) UNRELEASED; urgency=medium [ Ben Hutchings ] * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785) * SCSI: fix crashes in sd and sr runtime PM (Closes: #801925) + * rt2x00: fix monitor mode regression (regression in 4.2) [ Salvatore Bonaccorso ] * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) diff --git a/debian/patches/bugfix/all/rt2x00-fix-monitor-mode-regression.patch b/debian/patches/bugfix/all/rt2x00-fix-monitor-mode-regression.patch new file mode 100644 index 000000000..c96ef41b4 --- /dev/null +++ b/debian/patches/bugfix/all/rt2x00-fix-monitor-mode-regression.patch 
@@ -0,0 +1,149 @@ +From: Eli Cooper +Date: Mon, 18 Jan 2016 19:30:19 +0800 +Subject: rt2x00: fix monitor mode regression +Origin: https://git.kernel.org/cgit/linux/kernel/git/wireless/wireless-testing.git/commit?id=262c741e0825b29447a9e53b6582afd6b14c3706 + +Since commit df1404650ccb ("mac80211: remove support for IFF_PROMISC") +monitor mode for rt2x00 has been made effectively useless because the +hardware filter is configured to drop packets whose intended recipient is +not the device, regardless of the presence of monitor mode interfaces. + +This patch fixes this regression by adding explicit monitor mode support, +and by configuring the hardware filter accordingly. + +Signed-off-by: Eli Cooper +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +[bwh: Backported to 4.3: adjust filenames] +--- + drivers/net/wireless/rt2x00/rt2400pci.c | 4 +++- + drivers/net/wireless/rt2x00/rt2500pci.c | 4 +++- + drivers/net/wireless/rt2x00/rt2500usb.c | 4 +++- + drivers/net/wireless/rt2x00/rt2800lib.c | 3 ++- + drivers/net/wireless/rt2x00/rt2x00.h | 1 + + drivers/net/wireless/rt2x00/rt2x00config.c | 5 +++++ + drivers/net/wireless/rt2x00/rt2x00mac.c | 5 ----- + drivers/net/wireless/rt2x00/rt61pci.c | 4 +++- + drivers/net/wireless/rt2x00/rt73usb.c | 4 +++- + 9 files changed, 23 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/rt2x00/rt2400pci.c ++++ b/drivers/net/wireless/rt2x00/rt2400pci.c +@@ -273,8 +273,10 @@ static void rt2400pci_config_filter(stru + !(filter_flags & FIF_PLCPFAIL)); + rt2x00_set_field32(®, RXCSR0_DROP_CONTROL, + !(filter_flags & FIF_CONTROL)); +- rt2x00_set_field32(®, RXCSR0_DROP_NOT_TO_ME, 1); ++ rt2x00_set_field32(®, RXCSR0_DROP_NOT_TO_ME, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags)); + rt2x00_set_field32(®, RXCSR0_DROP_TODS, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags) && + !rt2x00dev->intf_ap_count); + rt2x00_set_field32(®, RXCSR0_DROP_VERSION_ERROR, 1); + rt2x00mmio_register_write(rt2x00dev, RXCSR0, reg); +--- 
a/drivers/net/wireless/rt2x00/rt2500pci.c ++++ b/drivers/net/wireless/rt2x00/rt2500pci.c +@@ -274,8 +274,10 @@ static void rt2500pci_config_filter(stru + !(filter_flags & FIF_PLCPFAIL)); + rt2x00_set_field32(®, RXCSR0_DROP_CONTROL, + !(filter_flags & FIF_CONTROL)); +- rt2x00_set_field32(®, RXCSR0_DROP_NOT_TO_ME, 1); ++ rt2x00_set_field32(®, RXCSR0_DROP_NOT_TO_ME, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags)); + rt2x00_set_field32(®, RXCSR0_DROP_TODS, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags) && + !rt2x00dev->intf_ap_count); + rt2x00_set_field32(®, RXCSR0_DROP_VERSION_ERROR, 1); + rt2x00_set_field32(®, RXCSR0_DROP_MCAST, +--- a/drivers/net/wireless/rt2x00/rt2500usb.c ++++ b/drivers/net/wireless/rt2x00/rt2500usb.c +@@ -434,8 +434,10 @@ static void rt2500usb_config_filter(stru + !(filter_flags & FIF_PLCPFAIL)); + rt2x00_set_field16(®, TXRX_CSR2_DROP_CONTROL, + !(filter_flags & FIF_CONTROL)); +- rt2x00_set_field16(®, TXRX_CSR2_DROP_NOT_TO_ME, 1); ++ rt2x00_set_field16(®, TXRX_CSR2_DROP_NOT_TO_ME, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags)); + rt2x00_set_field16(®, TXRX_CSR2_DROP_TODS, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags) && + !rt2x00dev->intf_ap_count); + rt2x00_set_field16(®, TXRX_CSR2_DROP_VERSION_ERROR, 1); + rt2x00_set_field16(®, TXRX_CSR2_DROP_MULTICAST, +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -1490,7 +1490,8 @@ void rt2800_config_filter(struct rt2x00_ + !(filter_flags & FIF_FCSFAIL)); + rt2x00_set_field32(®, RX_FILTER_CFG_DROP_PHY_ERROR, + !(filter_flags & FIF_PLCPFAIL)); +- rt2x00_set_field32(®, RX_FILTER_CFG_DROP_NOT_TO_ME, 1); ++ rt2x00_set_field32(®, RX_FILTER_CFG_DROP_NOT_TO_ME, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags)); + rt2x00_set_field32(®, RX_FILTER_CFG_DROP_NOT_MY_BSSD, 0); + rt2x00_set_field32(®, RX_FILTER_CFG_DROP_VER_ERROR, 1); + rt2x00_set_field32(®, RX_FILTER_CFG_DROP_MULTICAST, +--- a/drivers/net/wireless/rt2x00/rt2x00.h ++++ 
b/drivers/net/wireless/rt2x00/rt2x00.h +@@ -669,6 +669,7 @@ enum rt2x00_state_flags { + CONFIG_POWERSAVING, + CONFIG_HT_DISABLED, + CONFIG_QOS_DISABLED, ++ CONFIG_MONITORING, + + /* + * Mark we currently are sequentially reading TX_STA_FIFO register +--- a/drivers/net/wireless/rt2x00/rt2x00config.c ++++ b/drivers/net/wireless/rt2x00/rt2x00config.c +@@ -277,6 +277,11 @@ void rt2x00lib_config(struct rt2x00_dev + else + clear_bit(CONFIG_POWERSAVING, &rt2x00dev->flags); + ++ if (conf->flags & IEEE80211_CONF_MONITOR) ++ set_bit(CONFIG_MONITORING, &rt2x00dev->flags); ++ else ++ clear_bit(CONFIG_MONITORING, &rt2x00dev->flags); ++ + rt2x00dev->curr_band = conf->chandef.chan->band; + rt2x00dev->curr_freq = conf->chandef.chan->center_freq; + rt2x00dev->tx_power = conf->power_level; +--- a/drivers/net/wireless/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/rt2x00/rt2x00mac.c +@@ -385,11 +385,6 @@ void rt2x00mac_configure_filter(struct i + *total_flags |= FIF_PSPOLL; + } + +- /* +- * Check if there is any work left for us. 
+- */ +- if (rt2x00dev->packet_filter == *total_flags) +- return; + rt2x00dev->packet_filter = *total_flags; + + rt2x00dev->ops->lib->config_filter(rt2x00dev, *total_flags); +--- a/drivers/net/wireless/rt2x00/rt61pci.c ++++ b/drivers/net/wireless/rt2x00/rt61pci.c +@@ -530,8 +530,10 @@ static void rt61pci_config_filter(struct + !(filter_flags & FIF_PLCPFAIL)); + rt2x00_set_field32(®, TXRX_CSR0_DROP_CONTROL, + !(filter_flags & (FIF_CONTROL | FIF_PSPOLL))); +- rt2x00_set_field32(®, TXRX_CSR0_DROP_NOT_TO_ME, 1); ++ rt2x00_set_field32(®, TXRX_CSR0_DROP_NOT_TO_ME, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags)); + rt2x00_set_field32(®, TXRX_CSR0_DROP_TO_DS, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags) && + !rt2x00dev->intf_ap_count); + rt2x00_set_field32(®, TXRX_CSR0_DROP_VERSION_ERROR, 1); + rt2x00_set_field32(®, TXRX_CSR0_DROP_MULTICAST, +--- a/drivers/net/wireless/rt2x00/rt73usb.c ++++ b/drivers/net/wireless/rt2x00/rt73usb.c +@@ -480,8 +480,10 @@ static void rt73usb_config_filter(struct + !(filter_flags & FIF_PLCPFAIL)); + rt2x00_set_field32(®, TXRX_CSR0_DROP_CONTROL, + !(filter_flags & (FIF_CONTROL | FIF_PSPOLL))); +- rt2x00_set_field32(®, TXRX_CSR0_DROP_NOT_TO_ME, 1); ++ rt2x00_set_field32(®, TXRX_CSR0_DROP_NOT_TO_ME, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags)); + rt2x00_set_field32(®, TXRX_CSR0_DROP_TO_DS, ++ !test_bit(CONFIG_MONITORING, &rt2x00dev->flags) && + !rt2x00dev->intf_ap_count); + rt2x00_set_field32(®, TXRX_CSR0_DROP_VERSION_ERROR, 1); + rt2x00_set_field32(®, TXRX_CSR0_DROP_MULTICAST, diff --git a/debian/patches/series b/debian/patches/series index 49a34c542..c62983f1b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -139,3 +139,4 @@ bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch debian/usb-fix-abi-change-in-4.3.5.patch +bugfix/all/rt2x00-fix-monitor-mode-regression.patch 
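Review bot: The early return `if (rt2x00dev->packet_filter == *total_flags) return;` is dropped from rt2x00mac_configure_filter without any comment saying why, and a later maintainer will be tempted to restore the shortcut. The reason is visible in the other hunks of this patch: the DROP_NOT_TO_ME and DROP_TODS register bits now also depend on CONFIG_MONITORING, which rt2x00lib_config sets from IEEE80211_CONF_MONITOR rather than from the filter flags, so an unchanged total_flags no longer implies unchanged hardware state. I would add `/* Always reprogram: CONFIG_MONITORING can change without total_flags changing */` above the `rt2x00dev->packet_filter = *total_flags;` line. It also means the hardware filter is refreshed only when mac80211 calls configure_filter after the config change; if a monitor interface is added or removed without such a call, DROP_NOT_TO_ME keeps its previous value until the next filter update, and whether mac80211 guarantees that ordering is not visible from this hunk. rt2x00mac_configure_filter's body starts and ends outside the hunk.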
From ef736f84407a14adafb095c41b5c80286216a31e Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 4 Feb 2016 20:31:06 +0000 Subject: [PATCH 13/23] pipe: limit the per-user amount of pages allocated in pipes (CVE-2013-4312) --- debian/changelog | 1 + ...er-user-amount-of-pages-allocated-in.patch | 237 ++++++++++++++++++ ...ix-abi-change-for-cve-2013-4312-fix.patch} | 10 +- debian/patches/series | 3 +- 4 files changed, 246 insertions(+), 5 deletions(-) create mode 100644 debian/patches/bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch rename debian/patches/{debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch => bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch} (70%) diff --git a/debian/changelog b/debian/changelog index f7ec1b505..7b5e47a32 100644 --- a/debian/changelog +++ b/debian/changelog @@ -212,6 +212,7 @@ linux (4.3.5-1) UNRELEASED; urgency=medium * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785) * SCSI: fix crashes in sd and sr runtime PM (Closes: #801925) * rt2x00: fix monitor mode regression (regression in 4.2) + * pipe: limit the per-user amount of pages allocated in pipes (CVE-2013-4312) [ Salvatore Bonaccorso ] * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) diff --git a/debian/patches/bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch b/debian/patches/bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch new file mode 100644 index 000000000..149818968 --- /dev/null +++ b/debian/patches/bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch 
@@ -0,0 +1,237 @@ +From: Willy Tarreau +Date: Mon, 18 Jan 2016 16:36:09 +0100 +Subject: pipe: limit the per-user amount of pages allocated in pipes +Origin: https://git.kernel.org/linus/759c01142a5d0f364a462346168a56de28a80f52 + +On no-so-small systems, it is possible for a single process to cause an +OOM condition by filling large pipes with data that are never read. A +typical process filling 4000 pipes with 1 MB of data will use 4 GB of +memory. On small systems it may be tricky to set the pipe max size to +prevent this from happening. + +This patch makes it possible to enforce a per-user soft limit above +which new pipes will be limited to a single page, effectively limiting +them to 4 kB each, as well as a hard limit above which no new pipes may +be created for this user. This has the effect of protecting the system +against memory abuse without hurting other users, and still allowing +pipes to work correctly though with less data at once. + +The limit are controlled by two new sysctls : pipe-user-pages-soft, and +pipe-user-pages-hard. Both may be disabled by setting them to zero. The +default soft limit allows the default number of FDs per process (1024) +to create pipes of the default size (64kB), thus reaching a limit of 64MB +before starting to create only smaller pipes. With 256 processes limited +to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB = +1084 MB of memory allocated for a user. The hard limit is disabled by +default to avoid breaking existing applications that make intensive use +of pipes (eg: for splicing). 
+ +Reported-by: socketpair@gmail.com +Reported-by: Tetsuo Handa +Mitigates: CVE-2013-4312 (Linux 2.0+) +Suggested-by: Linus Torvalds +Signed-off-by: Willy Tarreau +Signed-off-by: Al Viro +--- + Documentation/sysctl/fs.txt | 23 ++++++++++++++++++++++ + fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++++-- + include/linux/pipe_fs_i.h | 4 ++++ + include/linux/sched.h | 1 + + kernel/sysctl.c | 14 ++++++++++++++ + 5 files changed, 87 insertions(+), 2 deletions(-) + +--- a/Documentation/sysctl/fs.txt ++++ b/Documentation/sysctl/fs.txt +@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/ + - nr_open + - overflowuid + - overflowgid ++- pipe-user-pages-hard ++- pipe-user-pages-soft + - protected_hardlinks + - protected_symlinks + - suid_dumpable +@@ -159,6 +161,27 @@ The default is 65534. + + ============================================================== + ++pipe-user-pages-hard: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes. ++Once this limit is reached, no new pipes may be allocated until usage goes ++below the limit again. When set to 0, no limit is applied, which is the default ++setting. ++ ++============================================================== ++ ++pipe-user-pages-soft: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes ++before the pipe size gets limited to a single page. Once this limit is reached, ++new pipes will be limited to a single page in size for this user in order to ++limit total memory usage, and trying to increase them using fcntl() will be ++denied until usage goes below the limit again. The default value allows to ++allocate up to 1024 pipes at their default size. When set to 0, no limit is ++applied. 
++ ++============================================================== ++ + protected_hardlinks: + + A long-standing class of security issues is the hardlink-based +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -38,6 +38,12 @@ unsigned int pipe_max_size = 1048576; + */ + unsigned int pipe_min_size = PAGE_SIZE; + ++/* Maximum allocatable pages per user. Hard limit is unset by default, soft ++ * matches default values. ++ */ ++unsigned long pipe_user_pages_hard; ++unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR; ++ + /* + * We use a start+len construction, which provides full use of the + * allocated memory. +@@ -584,20 +590,49 @@ pipe_fasync(int fd, struct file *filp, i + return retval; + } + ++static void account_pipe_buffers(struct pipe_inode_info *pipe, ++ unsigned long old, unsigned long new) ++{ ++ atomic_long_add(new - old, &pipe->user->pipe_bufs); ++} ++ ++static bool too_many_pipe_buffers_soft(struct user_struct *user) ++{ ++ return pipe_user_pages_soft && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft; ++} ++ ++static bool too_many_pipe_buffers_hard(struct user_struct *user) ++{ ++ return pipe_user_pages_hard && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard; ++} ++ + struct pipe_inode_info *alloc_pipe_info(void) + { + struct pipe_inode_info *pipe; + + pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL); + if (pipe) { +- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * PIPE_DEF_BUFFERS, GFP_KERNEL); ++ unsigned long pipe_bufs = PIPE_DEF_BUFFERS; ++ struct user_struct *user = get_current_user(); ++ ++ if (!too_many_pipe_buffers_hard(user)) { ++ if (too_many_pipe_buffers_soft(user)) ++ pipe_bufs = 1; ++ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL); ++ } ++ + if (pipe->bufs) { + init_waitqueue_head(&pipe->wait); + pipe->r_counter = pipe->w_counter = 1; +- pipe->buffers = PIPE_DEF_BUFFERS; ++ pipe->buffers = pipe_bufs; ++ pipe->user = user; ++ account_pipe_buffers(pipe, 0, pipe_bufs); + 
mutex_init(&pipe->mutex); + return pipe; + } ++ free_uid(user); + kfree(pipe); + } + +@@ -608,6 +643,8 @@ void free_pipe_info(struct pipe_inode_in + { + int i; + ++ account_pipe_buffers(pipe, pipe->buffers, 0); ++ free_uid(pipe->user); + for (i = 0; i < pipe->buffers; i++) { + struct pipe_buffer *buf = pipe->bufs + i; + if (buf->ops) +@@ -996,6 +1033,7 @@ static long pipe_set_size(struct pipe_in + memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer)); + } + ++ account_pipe_buffers(pipe, pipe->buffers, nr_pages); + pipe->curbuf = 0; + kfree(pipe->bufs); + pipe->bufs = bufs; +@@ -1067,6 +1105,11 @@ long pipe_fcntl(struct file *file, unsig + if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { + ret = -EPERM; + goto out; ++ } else if ((too_many_pipe_buffers_hard(pipe->user) || ++ too_many_pipe_buffers_soft(pipe->user)) && ++ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { ++ ret = -EPERM; ++ goto out; + } + ret = pipe_set_size(pipe, nr_pages); + break; +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -42,6 +42,7 @@ struct pipe_buffer { + * @fasync_readers: reader side fasync + * @fasync_writers: writer side fasync + * @bufs: the circular array of pipe buffers ++ * @user: the user who created this pipe + **/ + struct pipe_inode_info { + struct mutex mutex; +@@ -57,6 +58,7 @@ struct pipe_inode_info { + struct fasync_struct *fasync_readers; + struct fasync_struct *fasync_writers; + struct pipe_buffer *bufs; ++ struct user_struct *user; + }; + + /* +@@ -123,6 +125,8 @@ void pipe_unlock(struct pipe_inode_info + void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *); + + extern unsigned int pipe_max_size, pipe_min_size; ++extern unsigned long pipe_user_pages_hard; ++extern unsigned long pipe_user_pages_soft; + int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *); + + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -831,6 +831,7 @@ struct user_struct { + #endif + unsigned 
long locked_shm; /* How many pages of mlocked shm ? */ + unsigned long unix_inflight; /* How many files in flight in unix sockets */ ++ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ + + #ifdef CONFIG_KEYS + struct key *uid_keyring; /* UID specific keyring */ +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1714,6 +1714,20 @@ static struct ctl_table fs_table[] = { + .proc_handler = &pipe_proc_fn, + .extra1 = &pipe_min_size, + }, ++ { ++ .procname = "pipe-user-pages-hard", ++ .data = &pipe_user_pages_hard, ++ .maxlen = sizeof(pipe_user_pages_hard), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, ++ { ++ .procname = "pipe-user-pages-soft", ++ .data = &pipe_user_pages_soft, ++ .maxlen = sizeof(pipe_user_pages_soft), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, + { } + }; + diff --git a/debian/patches/debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch b/debian/patches/bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch similarity index 70% rename from debian/patches/debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch rename to debian/patches/bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch index a4a829398..cc7176852 100644 --- a/debian/patches/debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch +++ b/debian/patches/bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch @@ -3,8 +3,8 @@ Date: Sun, 17 Jan 2016 15:55:02 +0000 Subject: unix: Fix ABI change for CVE-2013-4312 Forwarded: not-needed -The fix for CVE-2013-4312 added a new structure member, -user_struct::unix_inflight. As this is always allocated in +The fixes for CVE-2013-4312 added new structure members, +user_struct::{unix_inflight,pipe_bufs}. As this is always allocated in kernel/user.c and the new member is only used by af_unix which is also built-in, we can safely add new members at the end. So move it to the end and hide it from genksyms. 
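Review bot: The new F_SETPIPE_SZ check in pipe_fcntl (`too_many_pipe_buffers_hard(pipe->user) || too_many_pipe_buffers_soft(pipe->user)`) looks only at the user's current usage and ignores the requested size, so a user already over the soft limit is refused even when shrinking a pipe, while a user just under the limit can still grow one pipe by up to pipe_max_size in a single call; the limit is therefore effectively enforced only at pipe creation. I would apply the check only when `nr_pages > pipe->buffers` and compare `atomic_long_read(&pipe->user->pipe_bufs) + nr_pages - pipe->buffers` against each limit, which keeps shrinking allowed and counts the growth being requested. Separately, alloc_pipe_info tests the limits before `account_pipe_buffers(pipe, 0, pipe_bufs)` runs, so concurrent pipe() calls from one user can all pass the hard-limit test and land above it; accounting first with atomic_long_add_return() and rolling back on failure would close that window. When the hard limit refuses the kzalloc, pipe->bufs stays NULL and the function returns NULL, which the caller presumably reports as an allocation failure indistinguishable from real memory pressure — worth a sentence in the pipe-user-pages-hard sysctl text. pipe_fcntl's and pipe_set_size's bodies extend outside their hunks.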
@@ -12,21 +12,23 @@ end and hide it from genksyms. --- --- a/include/linux/sched.h +++ b/include/linux/sched.h -@@ -830,7 +830,6 @@ struct user_struct { +@@ -830,8 +830,6 @@ struct user_struct { unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */ #endif unsigned long locked_shm; /* How many pages of mlocked shm ? */ - unsigned long unix_inflight; /* How many files in flight in unix sockets */ +- atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ #ifdef CONFIG_KEYS struct key *uid_keyring; /* UID specific keyring */ -@@ -844,6 +843,10 @@ struct user_struct { +@@ -845,6 +843,11 @@ struct user_struct { #ifdef CONFIG_PERF_EVENTS atomic_long_t locked_vm; #endif + +#ifndef __GENKSYMS__ + unsigned long unix_inflight; /* How many files in flight in unix sockets */ ++ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ +#endif }; diff --git a/debian/patches/series b/debian/patches/series index c62983f1b..a0c223a45 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -126,7 +126,6 @@ bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch -debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch @@ -140,3 +139,5 @@ bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch debian/usb-fix-abi-change-in-4.3.5.patch bugfix/all/rt2x00-fix-monitor-mode-regression.patch +bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch +bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch 
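Review bot: The patch description is only half updated: the first sentence now says `new structure members, user_struct::{unix_inflight,pipe_bufs}` but the next one still says `the new member is only used by af_unix`, while pipe_bufs is used by fs/pipe.c according to the pipe patch in this series. The ABI argument still holds only because fs/pipe.c is built-in as well, so that is the fact the description should state; I would change the sentence to `As these are always allocated in kernel/user.c and the new members are only used by af_unix and fs/pipe.c, which are also built-in, we can safely add new members at the end.`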
From 455507d34b2f36afb10ce9572850cffaa4711cab Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 6 Feb 2016 18:31:53 +0000 Subject: [PATCH 14/23] Improve changelog for stable updates 4.3.{4,5} Delete entries for commits that are unimportant. Add regression versions. --- debian/changelog | 145 +++++++++++------------------------------------ 1 file changed, 32 insertions(+), 113 deletions(-) diff --git a/debian/changelog b/debian/changelog index 7b5e47a32..ed1b83164 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -2,167 +2,94 @@ linux (4.3.5-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4 - - ACPI: Use correct IRQ when uninstalling ACPI interrupt handler - - ACPI: Using correct irq when waiting for events - - ACPI / PM: Fix incorrect wakeup IRQ setting during suspend-to-idle - - tpm, tpm_tis: fix tpm_tis ACPI detection issue with TPM 2.0 - - toshiba_acpi: Initialize hotkey_event_type variable - - USB: cdc_acm: Ignore Infineon Flash Loader utility - - USB: serial: Another Infineon flash loader USB ID - - usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter - JMicron - - USB: cp210x: Remove CP2110 ID from compatibility list + - toshiba_acpi: Initialize hotkey_event_type variable (regression in 4.3) - USB: add quirk for devices with broken LPM - - USB: whci-hcd: add check for dma mapping error - - usb: gadget: pxa27x: fix suspend callback - - USB: host: ohci-at91: fix a crash in ohci_hcd_at91_overcurrent_irq - - usb: musb: USB_TI_CPPI41_DMA requires dmaengine support - usb: core : hub: Fix BOS 'NULL pointer' kernel panic - - usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message - - pppoe: fix memory corruption in padt work structure - - gre6: allow to update all parameters via rtnl - - atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation + - pppoe: fix memory corruption in padt work structure (regression in 4.1) - ipv6: keep existing flags when setting IFA_F_OPTIMISTIC - - vxlan: fix incorrect RCO bit in VXLAN header - - sctp: use the same clock as if sock source timestamps were on + (regression in 4.1) + - vxlan: fix incorrect RCO bit in VXLAN header (regression in 4.0) - sctp: update the netstamp_needed counter when copying sockets - - sctp: also copy sk_tsflags when copying the socket - - net: cdc_mbim: add "NDP to end" quirk for Huawei E3372 - - net: qca_spi: fix transmit queue timeout handling - - r8152: fix lockup when runtime PM is enabled + - 
sctp: also copy sk_tsflags when copying the socket (regression in 3.17) + - r8152: fix lockup when runtime PM is enabled (regression in 4.2) - ipv6: sctp: clone options to avoid use after free - - phy: micrel: Fix finding PHY properties in MAC node. + - phy: micrel: Fix finding PHY properties in MAC node. (regression in 4.2) - openvswitch: Fix helper reference leak - openvswitch: Respect conntrack zone even if invalid - - uapi: export ila.h - - sh_eth: fix kernel oops in skb_put() - net: fix IP early demux races - vlan: Fix untag operations of stacked vlans with REORDER_HEADER off - skbuff: Fix offset error in skb_reorder_vlan_header - net: check both type and procotol for tcp sockets - net_sched: make qdisc_tree_decrease_qlen() work for non mq + (regression in 4.3.3) - net: fix uninitialized variable issue - ipv6: automatically enable stable privacy mode if stable_secret set - - inet: tcp: fix inetpeer_set_addr_v4() - - rhashtable: Enforce minimum size on initial hash table - - gianfar: Don't enable RX Filer if not supported + - inet: tcp: fix inetpeer_set_addr_v4() (regression in 4.3) + - rhashtable: Enforce minimum size on initial hash table (regression in 4.1) - fou: clean up socket with kfree_rcu - af_unix: Revert 'lock_interruptible' in stream receive code - - tcp: restore fastopen with no data in SYN packet - - rhashtable: Fix walker list corruption + - tcp: restore fastopen with no data in SYN packet (regression in 4.0) + - rhashtable: Fix walker list corruption (regression in 4.1) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.5 - - [x86] smpboot: Re-enable init_udelay=0 by default on modern CPUs - [x86] mpx: Fix instruction decoder condition - [x86] signal: Fix restart_syscall number for x32 tasks - [x86] paravirt: Prevent rtc_cmos platform device init on PV guests - - [x86] mce: Ensure offline CPUs don't participate in rendezvous process - - [x86] xen: don't reset vcpu_info on a cancelled suspend - - [x86] KVM: VMX: fix SMEP and SMAP without 
EPT + (regression in 4.2) - [powerpc*] KVM: Book3S HV: Don't dynamically split core when already split + (regression in 4.3) - [powerpc*] KVM: Book3S HV: Prohibit setting illegal transaction state in MSR - - [x86] KVM: expose MSR_TSC_AUX to userspace - - [x86] KVM: correctly print #AC in traces - - [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[] - [x86] boot: Double BOOT_HEAP_SIZE to 64KB - [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization (CVE-2016-2069) - - [x86] mm: Improve switch_mm() barrier comments - timers: Use proper base migration in add_timer_on() - - ipmi: Start the timer and thread on internal msgs - ipmi: move timer init to before irq is setup - - [x86] ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after - resume back - ALSA: hda - Disable 64bit address for Creative HDA controllers - - ALSA: hda - Fix lost 4k BDL boundary workaround - - [x86] ALSA: hda - Add Intel Lewisburg device IDs Audio - - [x86] ALSA: hda - Apply pin fixup for HP ProBook 6550b - - ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in - - ALSA: hda - Apply HP headphone fixups more generically - - [x86] ALSA: hda - Fix noise on Dell Latitude E6440 - - [x86] ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14 - - [x86] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back - from S3 - - [x86] ALSA: hda - Fix noise on Gigabyte Z170X mobo + - ALSA: hda - Fix lost 4k BDL boundary workaround (regression in 4.2) + - [x86] ALSA: hda - Fix noise on Dell Latitude E6440 (regression in 4.1) - ALSA: hda - Skip ELD notification during system suspend - - ALSA: rme96: Fix unexpected volume reset after rate changes - - [x86] ALSA: hda - Add inverted dmic for Packard Bell DOTS - - ALSA: hda - Fixing speaker noise on the two latest thinkpad models - - [x86] ALSA: hda - Fix noise problems on Thinkpad T440s - - [x86] ALSA: hda/ca0132 - quirk for Alienware 17 2015 - - [x86] ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd - - [x86] ALSA: 
hda - Apply click noise workaround for Thinkpads generically - - [x86] ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines - - [x86] ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads - - ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly - - ALSA: usb-audio: Add sample rate inquiry quirk for AudioQuest DragonFly - - ALSA: hda - Set SKL+ hda controller power at freeze() and thaw() - - [x86] ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2) - - [x86] ALSA: hda - Add mic mute hotkey quirk for Lenovo ThinkCentre AIO - - ALSA: hda - Add keycode map for alc input device - - [x86] ALSA: usb: Add native DSD support for Oppo HA-1 - - ALSA: hda - Fixup inverted internal mic for Lenovo E50-80 + (regression in 4.3) - ALSA: seq: Fix missing NULL check at remove_events ioctl - ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect - ALSA: seq: Fix race at timer setup and close - [x86] ALSA: hda - Fix white noise on Dell Latitude E5550 + (regression in 4.1) - ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices + (regression in 3.19) - ALSA: timer: Harden slave timer list handling - - [x86] ALSA: hda - fix the headset mic detection problem for a Dell laptop - ALSA: timer: Fix race among timer ioctls - ALSA: timer: Fix double unlink of active_list - - [x86] ALSA: hda - Add fixup for Dell Latitidue E6540 + - [x86] ALSA: hda - Add fixup for Dell Latitidue E6540 (regression in 4.1) - ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode - - ALSA: hrtimer: Fix stall by hrtimer_cancel() - ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 - - [x86] ALSA: hda - Fix bass pin fixup for ASUS N550JX - - ALSA: hda - Flush the pending probe work at remove - ALSA: timer: Handle disconnection more safely - ASoC: rt286: Fix run time error while modifying const data - - ASoC: rsnd: fixup SCU_SYS_INT_EN1 address - - 
ASoC: wm8962: correct addresses for HPF_C_0/1 - - ASoC: es8328: Fix deemphasis values - - ASoC: wm8974: set cache type for regmap - - ASoC: davinci-mcasp: Fix XDATA check in mcasp_start_tx - - ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz - - ASoC: wm5110: Fix PGA clear when disabling DRE - - ASoC: compress: Fix compress device direction check - - usb: xhci: fix config fail of FS hub behind a HS hub with MTT - - airspy: increase USB control message buffer size + (regression in 4.3) + - airspy: increase USB control message buffer size (regression in 3.17) - USB: fix invalid memory access in hub_activate() - - USB: ipaq.c: fix a timeout loop - - USB: cp210x: add ID for ELV Marble Sound Board 1 - - usb: core: lpm: fix usb3_hardware_lpm sysfs node - - xhci: refuse loading if nousb is used - openvswitch: correct encoding of set tunnel action attributes + (regression in 4.3) - veth: don’t modify ip_summed; doing so treats packets with bad checksums as good. - ipv6/addrlabel: fix ip6addrlbl_get() - addrconf: always initialize sysctl table data - - net: cdc_ncm: avoid changing RX/TX buffers on MTU changes - - sctp: sctp should release assoc when sctp_make_abort_user return NULL - in sctp_close - connector: bump skb->users before callback invocation - af_unix: Fix splice-bind deadlock - bridge: Only call /sbin/bridge-stp for the initial network namespace - - net: filter: make JITs zero A for SKF_AD_ALU_XOR_X - - net: sched: fix missing free per cpu on qstats + - net: filter: make JITs zero A for SKF_AD_ALU_XOR_X (regression in 3.16) + - net: sched: fix missing free per cpu on qstats (regression in 3.18) - net: possible use after free in dst_release - tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) - - vxlan: fix test which detect duplicate vxlan iface + (regression in 4.3) - net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory - ipv6: tcp: add rcu locking in tcp_v6_send_synack() - tcp_yeah: don't set ssthresh below 2 - - 
sched,cls_flower: set key address type when present - - net: pktgen: fix null ptr deref in skb allocation - - udp: disallow UFO for sockets with SO_NO_CHECK option + - udp: disallow UFO for sockets with SO_NO_CHECK option (regression in 4.0) - net: preserve IP control block during GSO segmentation - - bonding: Prevent IPv6 link local address on enslaved devices - - phonet: properly unshare skbs in phonet_rcv() + - phonet: properly unshare skbs in phonet_rcv() (regression in 4.0) - net: bpf: reject invalid shifts - ipv6: update skb->csum when CE mark is propagated - - bridge: fix lockdep addr_list_lock false positive splat - batman-adv: Avoid recursive call_rcu for batadv_bla_claim - batman-adv: Avoid recursive call_rcu for batadv_nc_node - batman-adv: Drop immediate batadv_orig_ifinfo free function 
@@ -170,41 +97,33 @@ linux (4.3.5-1) UNRELEASED; urgency=medium - batman-adv: Drop immediate neigh_ifinfo free function - batman-adv: Drop immediate batadv_hard_iface free function - batman-adv: Drop immediate orig_node free function - - net/mlx5_core: Fix trimming down IRQ number - team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid - xfrm: dst_entries_init() per-net dst_ops - [powerpc*] tm: Block signal return setting invalid MSR state - [powerpc*] tm: Check for already reclaimed tasks - - [powerpc*] opal-irqchip: Fix double endian conversion + - [ppc64el] opal-irqchip: Fix double endian conversion (regression in 4.2) - [powerpc*] opal-irqchip: Fix deadlock introduced by "Fix double endian conversion" - [powerpc*] powernv: pr_warn_once on unsupported OPAL_MSG type - [powerpc*] Make value-returning atomics fully ordered - [powerpc*] Make {cmp}xchg* and their atomic_ versions fully ordered - - [powerpc*] scripts/recordmcount.pl: support data in text section - - [powerpc*] module: Handle R_PPC64_ENTRY relocations - - [arm64] recordmcount: Replace the ignored mcount call into nop - [arm64] bpf: fix div-by-zero case - [arm64] bpf: fix mod-by-zero case - - [arm64] cmpxchg_dbl: fix return value type - - [arm64] kernel: pause/unpause function graph tracer in cpu_suspend() + - [arm64] cmpxchg_dbl: fix return value type (regression in 4.3) - [arm*] KVM: test properly for a PTE's uncachedness - [arm64] KVM: Fix AArch32 to AArch64 register mapping - [arm*] KVM: correct PTE uncachedness check - - [arm64] Clear out any singlestep state on a ptrace detach operation - - [arm64] mm: ensure that the zero page is visible to the page table walker - [arm64] kernel: enforce pmuserenr_el0 initialization and restore - [arm*] iommu/arm-smmu: Fix error checking for ASID and VMID allocation - - [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints - - [hppa] iommu: fix panic due to trying to allocate too large region - HID: wacom: Tie cached 
HID_DG_CONTACTCOUNT indices to report ID + (regression in 4.3) - HID: wacom: Expect 'touch_max' touches if HID_DG_CONTACTCOUNT not present + (regression in 4.3) - HID: core: Avoid uninitialized buffer access - staging: lustre: echo_copy.._lsm() dereferences userland pointers directly - direct-io: Fix negative return from dio read beyond eof - fix the regression from "direct-io: Fix negative return from dio read beyond eof" - - [arm64] restore bogomips information in /proc/cpuinfo - [arm64] KVM: Add workaround for Cortex-A57 erratum 834220 - [arm64] kernel: fix architected PMU registers unconditional access From 2e76aafc84ba63c8c3f0a60e61976e479c3de24e Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 6 Feb 2016 20:15:55 +0000 Subject: [PATCH 15/23] [powerpc*] Enable CRYPTO_DEV_VMX and enable CRYPTO_DEV_VMX_ENCRYPT as module (Closes: #813640) --- debian/changelog | 2 ++ debian/config/kernelarch-powerpc/config-arch-64 | 10 ++++++++++ 2 files changed, 12 insertions(+) diff --git a/debian/changelog b/debian/changelog index ed1b83164..24c588a62 100644 --- a/debian/changelog +++ b/debian/changelog @@ -132,6 +132,8 @@ linux (4.3.5-1) UNRELEASED; urgency=medium * SCSI: fix crashes in sd and sr runtime PM (Closes: #801925) * rt2x00: fix monitor mode regression (regression in 4.2) * pipe: limit the per-user amount of pages allocated in pipes (CVE-2013-4312) + * [powerpc*] Enable CRYPTO_DEV_VMX and enable CRYPTO_DEV_VMX_ENCRYPT as + module (Closes: #813640) [ Salvatore Bonaccorso ] * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) diff --git a/debian/config/kernelarch-powerpc/config-arch-64 b/debian/config/kernelarch-powerpc/config-arch-64 index 6389ceeb3..15fc2c09c 100644 --- a/debian/config/kernelarch-powerpc/config-arch-64 +++ b/debian/config/kernelarch-powerpc/config-arch-64 
@@ -59,6 +59,16 @@ CONFIG_PATA_AMD=m # CONFIG_MAC_FLOPPY is not set CONFIG_BLK_DEV_RSXX=m +## +## file: drivers/crypto/Kconfig +## +CONFIG_CRYPTO_DEV_VMX=y + +## +## file: drivers/crypto/vmx/Kconfig +## +CONFIG_CRYPTO_DEV_VMX_ENCRYPT=m + ## ## file: drivers/gpu/drm/ast/Kconfig ## From 32d2f8cfc91ab53018aac85fcdf68a6f7210e912 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 6 Feb 2016 20:40:32 +0000 Subject: [PATCH 16/23] debian/copyright: Add licence information for drivers/crypto/vmx/*.pl Another GPL-compatible licence that needs an extra notice. --- debian/changelog | 1 + debian/copyright | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/debian/changelog b/debian/changelog index 24c588a62..0f88ffd40 100644 --- a/debian/changelog +++ b/debian/changelog @@ -134,6 +134,7 @@ linux (4.3.5-1) UNRELEASED; urgency=medium * pipe: limit the per-user amount of pages allocated in pipes (CVE-2013-4312) * [powerpc*] Enable CRYPTO_DEV_VMX and enable CRYPTO_DEV_VMX_ENCRYPT as module (Closes: #813640) + * debian/copyright: Add licence information for drivers/crypto/vmx/*.pl [ Salvatore Bonaccorso ] * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) diff --git a/debian/copyright b/debian/copyright index b45eff04c..af6f613ba 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -26,6 +26,43 @@ Copyright: 1996-2006 Manoj Srivastava 2005-2012 Debian kernel team License: GPL-2 +Files: drivers/crypto/vmx/*.pl +Copyright: 2006,2014 Andy Polyakov +License: CRYPTOGAMS + All rights reserved. + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + * Redistributions of source code must retain copyright notices, this + list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. + * Neither the name of the CRYPTOGAMS nor the names of its copyright + holder and contributors may be used to endorse or promote products + derived from this software without specific prior written + permission. + . + ALTERNATIVELY, provided that this notice is retained in full, this + product may be distributed under the terms of the GNU General Public + License (GPL), in which case the provisions of the GPL apply INSTEAD + OF those given above. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + Files: fs/nls/mac-* Copyright: 1991-2012 Unicode, Inc. 
License: Unicode-data From 13b0fb82e4cc7c2a8c2ed6de585fbd644e58f940 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 6 Feb 2016 20:57:29 +0000 Subject: [PATCH 17/23] udeb: Add hid-logitech-hidpp to input-modules (Closes: #796096) --- debian/changelog | 1 + debian/installer/modules/input-modules | 1 + 2 files changed, 2 insertions(+) diff --git a/debian/changelog b/debian/changelog index 0f88ffd40..bbb24ad72 100644 --- a/debian/changelog +++ b/debian/changelog @@ -135,6 +135,7 @@ linux (4.3.5-1) UNRELEASED; urgency=medium * [powerpc*] Enable CRYPTO_DEV_VMX and enable CRYPTO_DEV_VMX_ENCRYPT as module (Closes: #813640) * debian/copyright: Add licence information for drivers/crypto/vmx/*.pl + * udeb: Add hid-logitech-hidpp to input-modules (Closes: #796096) [ Salvatore Bonaccorso ] * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) diff --git a/debian/installer/modules/input-modules b/debian/installer/modules/input-modules index 8a906fd9c..aeac6491b 100644 --- a/debian/installer/modules/input-modules +++ b/debian/installer/modules/input-modules @@ -15,6 +15,7 @@ hid-kye ? hid-lenovo-tpkbd ? hid-logitech ? hid-logitech-dj +hid-logitech-hidpp ? hid-microsoft ? hid-monterey ? hid-multitouch ? From b6b5dc56d5bfc381baa7a50d783b1b15294c3bb0 Mon Sep 17 00:00:00 2001 From: Hendrik Brueckner Date: Fri, 22 Jan 2016 14:37:59 +0100 Subject: [PATCH 18/23] udeb: include modules to mount ISOs (loop device) To mount ISO images within the Debian Installer, the loop device support is required. Also the CD/DVD file systems are required too. Hence, add the ISO and UDF file systems modules, as well as, the loop device modules. 
Signed-off-by: Hendrik Brueckner --- debian/changelog | 4 ++++ debian/installer/s390x/modules/s390x/isofs-modules | 1 + debian/installer/s390x/modules/s390x/loop-modules | 1 + debian/installer/s390x/modules/s390x/udf-modules | 1 + 4 files changed, 7 insertions(+) create mode 100644 debian/installer/s390x/modules/s390x/isofs-modules create mode 100644 debian/installer/s390x/modules/s390x/loop-modules create mode 100644 debian/installer/s390x/modules/s390x/udf-modules diff --git a/debian/changelog b/debian/changelog index bbb24ad72..ea98c905a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -144,6 +144,10 @@ linux (4.3.5-1) UNRELEASED; urgency=medium * [mips*] Backport math emulation fix from 4.5. * [arm64] Enable RTC_DRV_EFI. + [ Hendrik Brueckner ] + * [s390x] udeb: include modules to mount ISOs (loop device) + (Closes: #812336) + -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000 linux (4.3.3-7) unstable; urgency=medium diff --git a/debian/installer/s390x/modules/s390x/isofs-modules b/debian/installer/s390x/modules/s390x/isofs-modules new file mode 100644 index 000000000..da4fa9a3c --- /dev/null +++ b/debian/installer/s390x/modules/s390x/isofs-modules @@ -0,0 +1 @@ +#include diff --git a/debian/installer/s390x/modules/s390x/loop-modules b/debian/installer/s390x/modules/s390x/loop-modules new file mode 100644 index 000000000..c1c948fa3 --- /dev/null +++ b/debian/installer/s390x/modules/s390x/loop-modules @@ -0,0 +1 @@ +#include diff --git a/debian/installer/s390x/modules/s390x/udf-modules b/debian/installer/s390x/modules/s390x/udf-modules new file mode 100644 index 000000000..b90d7ee9b --- /dev/null +++ b/debian/installer/s390x/modules/s390x/udf-modules @@ -0,0 +1 @@ +#include From d77feea6dac634644bf9599718fbb28bbde38ba7 Mon Sep 17 00:00:00 2001 From: Hendrik Brueckner Date: Fri, 22 Jan 2016 15:39:53 +0100 Subject: [PATCH 19/23] udeb: include btrfs-modules Add btrfs-modules udeb. Also add zlib-modules udeb because btrfs requires zlib_deflate. 
Signed-off-by: Hendrik Brueckner --- debian/changelog | 1 + debian/installer/s390x/modules/s390x/btrfs-modules | 1 + debian/installer/s390x/modules/s390x/zlib-modules | 1 + 3 files changed, 3 insertions(+) create mode 100644 debian/installer/s390x/modules/s390x/btrfs-modules create mode 100644 debian/installer/s390x/modules/s390x/zlib-modules diff --git a/debian/changelog b/debian/changelog index ea98c905a..7576aafbd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -147,6 +147,7 @@ linux (4.3.5-1) UNRELEASED; urgency=medium [ Hendrik Brueckner ] * [s390x] udeb: include modules to mount ISOs (loop device) (Closes: #812336) + * [s390x] udeb: include btrfs-modules (Closes: #812340) -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000 diff --git a/debian/installer/s390x/modules/s390x/btrfs-modules b/debian/installer/s390x/modules/s390x/btrfs-modules new file mode 100644 index 000000000..e261e1388 --- /dev/null +++ b/debian/installer/s390x/modules/s390x/btrfs-modules @@ -0,0 +1 @@ +#include diff --git a/debian/installer/s390x/modules/s390x/zlib-modules b/debian/installer/s390x/modules/s390x/zlib-modules new file mode 100644 index 000000000..e02ad64bf --- /dev/null +++ b/debian/installer/s390x/modules/s390x/zlib-modules @@ -0,0 +1 @@ +#include From 8e44bb11eacc42d2a898d76564be6a1b877959d6 Mon Sep 17 00:00:00 2001 From: Martin Michlmayr Date: Sun, 10 Jan 2016 21:23:40 -0800 Subject: [PATCH 20/23] Include Device Tree model in reportbug script It would be nice to include the Device Tree model in the reportbug output. On DT based platforms, /proc/cpuinfo only includes quite generic information. Please note that the strange "echo ... $(cat ..)" construct is intentional. 'cat /proc/device-tree/model' leads to a strange character at the end because there's no newline and using echo gets rid of it. --- debian/changelog | 3 +++ debian/templates/image.plain.bug/include-model | 5 +++++ 2 files changed, 8 insertions(+) 
diff --git a/debian/changelog b/debian/changelog index 7576aafbd..f343f1d34 100644 --- a/debian/changelog +++ b/debian/changelog @@ -149,6 +149,9 @@ linux (4.3.5-1) UNRELEASED; urgency=medium (Closes: #812336) * [s390x] udeb: include btrfs-modules (Closes: #812340) + [ Martin Michlmayr ] + * Include Device Tree model in reportbug script + -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000 linux (4.3.3-7) unstable; urgency=medium diff --git a/debian/templates/image.plain.bug/include-model b/debian/templates/image.plain.bug/include-model index 60a711266..9c6aedd6a 100644 --- a/debian/templates/image.plain.bug/include-model +++ b/debian/templates/image.plain.bug/include-model @@ -39,6 +39,11 @@ grep_model() { false ;; esac + + # Device Tree model + if [ -r /proc/device-tree/model ]; then + echo "Device Tree model:" $(cat /proc/device-tree/model) + fi } add_model() { From 0df8f2e3e7f7cb40af97fe7407359d6561b82821 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 6 Feb 2016 21:25:49 +0000 Subject: [PATCH 21/23] hwrng: n2 - Attach on T5/M5, T7/M7 SPARC CPUs (Closes: #809815) --- debian/changelog | 1 + ...-n2-attach-on-t5-m5-t7-m7-sparc-cpus.patch | 37 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 39 insertions(+) create mode 100644 debian/patches/features/sparc/hwrng-n2-attach-on-t5-m5-t7-m7-sparc-cpus.patch diff --git a/debian/changelog b/debian/changelog index f343f1d34..4adf313cc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -136,6 +136,7 @@ linux (4.3.5-1) UNRELEASED; urgency=medium module (Closes: #813640) * debian/copyright: Add licence information for drivers/crypto/vmx/*.pl * udeb: Add hid-logitech-hidpp to input-modules (Closes: #796096) + * hwrng: n2 - Attach on T5/M5, T7/M7 SPARC CPUs (Closes: #809815) [ Salvatore Bonaccorso ] * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) 
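Review bot: The new `echo "Device Tree model:" $(cat /proc/device-tree/model)` leaves the command substitution unquoted, so the model string goes through word splitting and pathname expansion before it is printed; a model value containing `*` or `?` would be globbed against the current directory of the reportbug run. The commit message says the unquoted form is deliberate to drop the trailing byte, which for a DT string property is a NUL terminator rather than a missing newline, and recent bash versions print a warning when a NUL enters `$(...)` that would end up in the bug report. Strip it explicitly and keep the quoting: `echo "Device Tree model: $(tr -d '\000' < /proc/device-tree/model)"`. grep_model() starts outside the hunk.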
diff --git a/debian/patches/features/sparc/hwrng-n2-attach-on-t5-m5-t7-m7-sparc-cpus.patch b/debian/patches/features/sparc/hwrng-n2-attach-on-t5-m5-t7-m7-sparc-cpus.patch new file mode 100644 index 000000000..972989a03 --- /dev/null +++ b/debian/patches/features/sparc/hwrng-n2-attach-on-t5-m5-t7-m7-sparc-cpus.patch @@ -0,0 +1,37 @@ +From: Anatoly Pugachev +Date: Tue, 26 Jan 2016 00:19:02 +0300 +Subject: hwrng: n2 - Attach on T5/M5, T7/M7 SPARC CPUs +Origin: https://git.kernel.org/cgit/linux/kernel/git/herbert/cryptodev-2.6.git/commit?id=c1e9b3b0eea12899b7749571af21cc60822cf2b6 +Bug-Debian: https://bugs.debian.org/809815 + +n2rng: Attach on T5/M5, T7/M7 SPARC CPUs + +(space to tab fixes after variable names) + +Signed-off-by: Anatoly Pugachev +Signed-off-by: Herbert Xu +--- + drivers/char/hw_random/n2-drv.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/char/hw_random/n2-drv.c b/drivers/char/hw_random/n2-drv.c +index 843d6f6aee7a..3b06c1d6cfb2 100644 +--- a/drivers/char/hw_random/n2-drv.c ++++ b/drivers/char/hw_random/n2-drv.c +@@ -743,6 +743,16 @@ static const struct of_device_id n2rng_match[] = { + .compatible = "SUNW,kt-rng", + .data = (void *) 1, + }, ++ { ++ .name = "random-number-generator", ++ .compatible = "ORCL,m4-rng", ++ .data = (void *) 1, ++ }, ++ { ++ .name = "random-number-generator", ++ .compatible = "ORCL,m7-rng", ++ .data = (void *) 1, ++ }, + {}, + }; + MODULE_DEVICE_TABLE(of, n2rng_match); diff --git a/debian/patches/series b/debian/patches/series index a0c223a45..b53c5d40f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -141,3 +141,4 @@ debian/usb-fix-abi-change-in-4.3.5.patch bugfix/all/rt2x00-fix-monitor-mode-regression.patch bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch +features/sparc/hwrng-n2-attach-on-t5-m5-t7-m7-sparc-cpus.patch From af8b80ce07387b9b856e577029f2bb0f810388ed Mon Sep 17 00:00:00 2001 
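Review bot: The two new `n2rng_match[]` entries copy `.data = (void *) 1` from the `SUNW,kt-rng` entry, and nothing else in the driver changes, so the patch assumes the M4/M7 RNG is programmed exactly like the KT generation; this hunk does not establish that, and an RNG that probes but is misprogrammed is not something the hwrng consumers can detect. Before shipping in a stable update, confirm against the upstream origin commit and the T5/M7 documentation that the hypervisor/register interface is the same, and record the result in the patch header, e.g. `Tested on: <T5/M7 machine>, /dev/hwrng output verified`. The table terminator `{}` and `MODULE_DEVICE_TABLE(of, n2rng_match)` are inside the hunk, so the hunk is self-contained.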
From: Ben Hutchings Date: Sat, 6 Feb 2016 23:25:02 +0000 Subject: [PATCH 22/23] Fix yet another ABI change due to CVE-2013-4312 mitigation --- ... fix-abi-changes-for-cve-2013-4312-fix.patch} | 16 +++++++++++++++- debian/patches/series | 2 +- 2 files changed, 16 insertions(+), 2 deletions(-) rename debian/patches/bugfix/all/{user_struct-fix-abi-change-for-cve-2013-4312-fix.patch => fix-abi-changes-for-cve-2013-4312-fix.patch} (77%) diff --git a/debian/patches/bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch b/debian/patches/bugfix/all/fix-abi-changes-for-cve-2013-4312-fix.patch similarity index 77% rename from debian/patches/bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch rename to debian/patches/bugfix/all/fix-abi-changes-for-cve-2013-4312-fix.patch index cc7176852..779d0a423 100644 --- a/debian/patches/bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch +++ b/debian/patches/bugfix/all/fix-abi-changes-for-cve-2013-4312-fix.patch @@ -1,6 +1,6 @@ From: Ben Hutchings Date: Sun, 17 Jan 2016 15:55:02 +0000 -Subject: unix: Fix ABI change for CVE-2013-4312 +Subject: Fix ABI changes for CVE-2013-4312 Forwarded: not-needed The fixes for CVE-2013-4312 added new structure members, @@ -9,6 +9,8 @@ kernel/user.c and the new member is only used by af_unix which is also built-in, we can safely add new members at the end. So move it to the end and hide it from genksyms. +Similarly for pipe_inode_info::user. + --- --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -33,3 +35,15 @@ end and hide it from genksyms. }; extern int uids_sysfs_init(void); +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -58,7 +58,9 @@ struct pipe_inode_info { + struct fasync_struct *fasync_readers; + struct fasync_struct *fasync_writers; + struct pipe_buffer *bufs; ++#ifndef __GENKSYMS__ + struct user_struct *user; ++#endif + }; + + /* diff --git a/debian/patches/series b/debian/patches/series index b53c5d40f..48392ef06 100644 
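Review bot: Wrapping `struct user_struct *user;` in `#ifndef __GENKSYMS__` keeps the exported-symbol CRCs unchanged while struct pipe_inode_info really grows by a pointer, so the modversion check can no longer reject a module built against the old layout that embeds or allocates the struct; that trade-off is acceptable only because the member is last and the struct is handled by built-in pipe code, and the site should say so: `/* hidden from genksyms: appended member, pipe_inode_info is only allocated in-tree (fs/pipe.c) -- drop at the next ABI bump */`. The updated description still reads "the new member is only used by af_unix" although the patch now relocates unix_inflight and pipe_bufs in user_struct as well as this field; the added sentence could instead be `Similarly for user_struct::pipe_bufs (used only by built-in fs/pipe.c) and pipe_inode_info::user, assuming pipe_inode_info is only allocated by in-tree pipe code.` The struct definition around the hunk is outside the visible lines.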
--- a/debian/patches/series +++ b/debian/patches/series @@ -140,5 +140,5 @@ bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch debian/usb-fix-abi-change-in-4.3.5.patch bugfix/all/rt2x00-fix-monitor-mode-regression.patch bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch -bugfix/all/user_struct-fix-abi-change-for-cve-2013-4312-fix.patch +bugfix/all/fix-abi-changes-for-cve-2013-4312-fix.patch features/sparc/hwrng-n2-attach-on-t5-m5-t7-m7-sparc-cpus.patch From 4b5119edadfd685ff70b49cceac78c1cf6cb950f Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 6 Feb 2016 23:25:14 +0000 Subject: [PATCH 23/23] Prepare to release linux (4.3.5-1). --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 4adf313cc..745df9ed1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.3.5-1) UNRELEASED; urgency=medium +linux (4.3.5-1) unstable; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4 @@ -153,7 +153,7 @@ linux (4.3.5-1) UNRELEASED; urgency=medium [ Martin Michlmayr ] * Include Device Tree model in reportbug script - -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000 + -- Ben Hutchings Sat, 06 Feb 2016 23:25:14 +0000 linux (4.3.3-7) unstable; urgency=medium