Update to 3.11.2

svn path=/dists/trunk/linux/; revision=20689
Ben Hutchings 2013-09-29 23:45:05 +00:00
parent 1e08031323
commit 7ba571c00f
10 changed files with 58 additions and 325 deletions

debian/changelog

@ -1,4 +1,4 @@
linux (3.11.1-1~exp1) UNRELEASED; urgency=low
linux (3.11.2-1~exp1) UNRELEASED; urgency=low
* New upstream stable update:
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.11.1
@ -18,6 +18,54 @@ linux (3.11.1-1~exp1) UNRELEASED; urgency=low
- crypto: xor - Check for osxsave as well as avx in crypto/xor
- drivers/rtc/rtc-max77686.c: Fix wrong register
- mwifiex: do not create AP and P2P interfaces upon driver loading
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.11.2
- firmware loader: fix pending_fw_head list corruption
- zram: fix invalid memory access
- UBI: Fix PEB leak in wear_leveling_worker()
- SCSI: sd: Fix potential out-of-bounds access
- crypto: api - Fix race condition in larval lookup
- [s390] bpf,jit: fix address randomization
- [powerpc] Handle unaligned ldbrx/stdbrx
- xen-gnt: prevent adding duplicate gnt callbacks
- cpuidle: coupled: abort idle if pokes are pending
- cpuidle: coupled: fix race condition between pokes and safe state
- [armel/versatile] PCI: Fix map_irq function to match hardware
- cifs: ensure that srv_mutex is held when dealing with ssocket pointer
- CIFS: Fix a memory leak when a lease break comes
- CIFS: Fix missing lease break
- USB: mos7720: fix big-endian control requests
- USB: cdc-wdm: fix race between interrupt handler and tasklet
- usb: config->desc.bLength may not exceed amount of data returned by the
device
- rculist: list_first_or_null_rcu() should use list_entry_rcu()
- [x86] smap: Handle csum_partial_copy_*_user()
- [x86] amd_nb: Clarify F15h, model 30h GART and L3 support
- [x86] mce: Pay no attention to 'F' bit in MCACOD when parsing 'UC' errors
- ext4: fix ext4_writepages() in presence of truncate
- ext4: simplify truncation code in ext4_setattr()
- brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()
- ath9k: fix rx descriptor related race condition
- ath9k: avoid accessing MRC registers on single-chain devices
- HID: battery: don't do DMA from stack
- HID: hidraw: correctly deallocate memory on device disconnect
- media: siano: fix divide error on 0 counters (Closes: #719623)
- Btrfs: don't allow the replace procedure on read only filesystems
- target: Fix >= v3.9+ regression in PR APTPL + ALUA metadata write-out
- intel-iommu: Fix leaks in pagetable freeing
- pidns: Fix hang in zap_pid_ns_processes by sending a potentially extra
wakeup
- pidns: fix vfork() after unshare(CLONE_NEWPID)
- ocfs2: fix the end cluster offset of FIEMAP
- mm/huge_memory.c: fix potential NULL pointer dereference
- libceph: unregister request in __map_request failed and nofail == false
- libceph: use pg_num_mask instead of pgp_num_mask for pg.seed calc
- ceph: Don't forget the 'up_read(&osdc->map_sem)' if met error.
- rbd: fix I/O error propagation for reads
- of: Fix missing memory initialization on FDT unflattening
- fuse: postpone end_page_writeback() in fuse_writepage_locked()
- fuse: invalidate inode attributes on xattr modification
- fuse: hotfix truncate_pagecache() issue
- fuse: readdir: check for slash in names
[ Ben Hutchings ]
* udeb: Update config to match previous kernel config changes:
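
Review bot: The new 3.11.2 list in this hunk, from "firmware loader: fix pending_fw_head list corruption" through "fuse: readdir: check for slash in names", names none of the fixes whose patch files this commit deletes and drops from the series file at the end: the six "HID: ..." patches from Kees Cook and "amd64_edac: Fix single-channel setups". Five of the HID patches carry CVE ids in their headers (CVE-2013-2888, CVE-2013-2892, CVE-2013-2896, CVE-2013-2898, CVE-2013-2899) and the EDAC patch carries a Bug-Debian reference. Suggest listing the corresponding upstream entries here with those ids, so the changelog shows the fixes now arrive through the stable update rather than having been dropped. If entries for them exist elsewhere in the changelog, outside this hunk, they need adjusting to match.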

@ -1,30 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:32:01 +0200
Subject: [6/6] HID: check for NULL field when setting values
Origin: https://git.kernel.org/linus/be67b68d52fa28b9b721c47bb42068f0c1214855
Defensively check that the field to be worked on is not NULL.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1156,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
{
- unsigned size = field->report_size;
+ unsigned size;
+
+ if (!field)
+ return -1;
+
+ size = field->report_size;
hid_dump_input(field->report->device, field->usage + offset, value);

@ -1,37 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:31:28 +0200
Subject: [3/6] HID: ntrig: validate feature report details
Origin: https://git.kernel.org/linus/875b4e3763dbc941f15143dd1a18d10bb0be303b
A HID device could send a malicious feature report that would cause the
ntrig HID driver to trigger a NULL dereference during initialization:
[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
...
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
CVE-2013-2896
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-ntrig.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
index 98d1fdf..600f207 100644
--- a/drivers/hid/hid-ntrig.c
+++ b/drivers/hid/hid-ntrig.c
@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
report_id_hash[0x0d];
- if (!report)
+ if (!report || report->maxfield < 1 ||
+ report->field[0]->report_count < 1)
return -EINVAL;
hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
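
Review bot: The three-part guard added in ntrig_get_mode (!report, report->maxfield < 1, report->field[0]->report_count < 1) is open-coded, and the pantherlord and sensor-hub patches in this same series repeat the same maxfield/report_count pattern by hand. Suggest a shared helper in hid-core that takes the report, a field index and a minimum report_count, so individual drivers cannot get the short-circuit order wrong. The diffstat shows this is the only site touched in hid-ntrig.c; any other function there that reads field[0]->value[] of a feature report needs the same guard.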

@ -1,43 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:30:49 +0200
Subject: [2/6] HID: pantherlord: validate output report details
Origin: https://git.kernel.org/linus/412f30105ec6735224535791eed5cdc02888ecb4
A HID device could send a malicious output report that would cause the
pantherlord HID driver to write beyond the output report allocation
during initialization, causing a heap overflow:
[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
...
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2892
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-pl.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
index d29112f..2dcd7d9 100644
--- a/drivers/hid/hid-pl.c
+++ b/drivers/hid/hid-pl.c
@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
strong = &report->field[0]->value[2];
weak = &report->field[0]->value[3];
debug("detected single-field device");
- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
+ } else if (report->field[0]->maxusage == 1 &&
+ report->field[0]->usage[0].hid ==
+ (HID_UP_LED | 0x43) &&
+ report->maxfield >= 4 &&
+ report->field[0]->report_count >= 1 &&
+ report->field[1]->report_count >= 1 &&
+ report->field[2]->report_count >= 1 &&
+ report->field[3]->report_count >= 1) {
report->field[0]->value[0] = 0x00;
report->field[1]->value[0] = 0x00;
strong = &report->field[2]->value[0];
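
Review bot: In the rewritten else-if condition, report->field[0]->maxusage and report->field[0]->usage[0].hid are now read before report->maxfield >= 4 is tested, whereas the removed lines tested maxfield first. That order is safe only if the code above this hunk has already rejected maxfield < 1; otherwise field[0] is dereferenced unchecked. Suggest keeping report->maxfield >= 4 as the first operand, followed by the four report_count >= 1 tests. Separately, the single-field branch in the context lines takes &report->field[0]->value[2] and value[3]; its condition is outside the hunk and should be checked to require report_count >= 4.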

@ -1,45 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:31:52 +0200
Subject: [5/6] HID: picolcd_core: validate output report details
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/1e87a2456b0227ca4ab881e19a11bb99d164e792
A HID device could send a malicious output report that would cause the
picolcd HID driver to trigger a NULL dereference during attr file writing.
[jkosina@suse.cz: changed
report->maxfield < 1
to
report->maxfield != 1
as suggested by Bruno].
CVE-2013-2899
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-picolcd_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index b48092d..acbb0210 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c
@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
buf += 10;
cnt -= 10;
}
- if (!report)
+ if (!report || report->maxfield != 1)
return -EINVAL;
while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
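
Review bot: The new test report->maxfield != 1 checks only the number of fields; unlike the ntrig and sensor-hub fixes in this series it does not look at report->field[0]->report_count. If the code after this check stores into report->field[0]->value[] directly rather than through a bounds-checked setter, add report->field[0]->report_count < 1 to the condition. A short code comment saying that this report is expected to have exactly one field would also record why the test is != 1 rather than < 1, which at present is explained only in the bracketed note in the message.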

@ -1,33 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:31:44 +0200
Subject: [4/6] HID: sensor-hub: validate feature report details
Origin: https://git.kernel.org/linus/9e8910257397372633e74b333ef891f20c800ee4
A HID device could send a malicious feature report that would cause the
sensor-hub HID driver to read past the end of heap allocation, leaking
kernel memory contents to the caller.
CVE-2013-2898
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-sensor-hub.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
index ffc80cf..6fca30e 100644
--- a/drivers/hid/hid-sensor-hub.c
+++ b/drivers/hid/hid-sensor-hub.c
@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
mutex_lock(&data->mutex);
report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
- if (!report || (field_index >= report->maxfield)) {
+ if (!report || (field_index >= report->maxfield) ||
+ report->field[field_index]->report_count < 1) {
ret = -EINVAL;
goto done_proc;
}
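
Review bot: The report_count < 1 test on report->field[field_index] is added only in sensor_hub_get_feature; the diffstat shows a single changed site. Any other function in hid-sensor-hub.c that obtains a report through sensor_hub_report() and then indexes report->field[field_index]->value[] needs the same bound, since the message describes the effect as a read past the heap allocation that leaks kernel memory to the caller. The operand order here is right: field_index >= report->maxfield short-circuits before field[field_index] is dereferenced.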

@ -1,76 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:29:55 +0200
Subject: [1/6] HID: validate HID report id size
Origin: https://git.kernel.org/linus/43622021d2e2b82ea03d883926605bdd0525e1d1
The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:
[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
CVE-2013-2888
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-core.c | 10 +++++++---
include/linux/hid.h | 4 +++-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 36668d1..5ea7d51 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
struct hid_report_enum *report_enum = device->report_enum + type;
struct hid_report *report;
+ if (id >= HID_MAX_IDS)
+ return NULL;
if (report_enum->report_id_hash[id])
return report_enum->report_id_hash[id];
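
Review bot: id is now bounded by HID_MAX_IDS before it indexes report_id_hash[], but the context line just above, report_enum = device->report_enum + type, still uses type with no matching check against HID_REPORT_TYPES. Suggest confirming that every caller passes one of the fixed report-type constants, or adding if (type >= HID_REPORT_TYPES) return NULL; beside the new test. Callers also have to treat the new NULL return as a failure rather than dereferencing it.
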
@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
case HID_GLOBAL_ITEM_TAG_REPORT_ID:
parser->global.report_id = item_udata(item);
- if (parser->global.report_id == 0) {
- hid_err(parser->device, "report_id 0 is invalid\n");
+ if (parser->global.report_id == 0 ||
+ parser->global.report_id >= HID_MAX_IDS) {
+ hid_err(parser->device, "report_id %u is invalid\n",
+ parser->global.report_id);
return -1;
}
return 0;
@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
for (i = 0; i < HID_REPORT_TYPES; i++) {
struct hid_report_enum *report_enum = device->report_enum + i;
- for (j = 0; j < 256; j++) {
+ for (j = 0; j < HID_MAX_IDS; j++) {
struct hid_report *report = report_enum->report_id_hash[j];
if (report)
hid_free_report(report);
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 0c48991..ff545cc 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -393,10 +393,12 @@ struct hid_report {
struct hid_device *device; /* associated device */
};
+#define HID_MAX_IDS 256
+
struct hid_report_enum {
unsigned numbered;
struct list_head report_list;
- struct hid_report *report_id_hash[256];
+ struct hid_report *report_id_hash[HID_MAX_IDS];
};
#define HID_REPORT_TYPES 3
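
Review bot: HID_MAX_IDS is introduced in include/linux/hid.h without a comment. A one-line comment stating that it is both the size of report_id_hash[] and the exclusive upper bound for a valid Report ID would make the link to the new checks in hid-core.c explicit. It is also worth searching for any remaining literal 256 used as a report-id bound, since the visible hunks replace only the ones in hid_close_report and struct hid_report_enum.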

@ -57,7 +57,7 @@ removed in later patches.
fw_load_abort(fw_priv);
mutex_unlock(&fw_lock);
}
@@ -858,26 +870,29 @@ static int _request_firmware_load(struct
@@ -858,13 +870,15 @@ static int _request_firmware_load(struct
retval = device_add(f_dev);
if (retval) {
@ -75,8 +75,10 @@ removed in later patches.
goto err_del_dev;
}
retval = device_create_file(f_dev, &dev_attr_loading);
if (retval) {
@@ -877,14 +891,15 @@ static int _request_firmware_load(struct
mutex_lock(&fw_lock);
list_del_init(&buf->pending_list);
mutex_unlock(&fw_lock);
- dev_err(f_dev, "%s: device_create_file failed\n", __func__);
+ dev_err(f_dev->parent, "%s: device_create_file failed\n",
+ __func__);
@ -91,7 +93,7 @@ removed in later patches.
if (timeout != MAX_SCHEDULE_TIMEOUT)
schedule_delayed_work(&fw_priv->timeout_work, timeout);
@@ -990,7 +1005,8 @@ _request_firmware_prepare(struct firmwar
@@ -993,7 +1008,8 @@ _request_firmware_prepare(struct firmwar
}
if (fw_get_builtin_firmware(firmware, name)) {
@ -101,7 +103,7 @@ removed in later patches.
return 0; /* assigned */
}
@@ -1021,9 +1037,16 @@ static int assign_firmware_buf(struct fi
@@ -1024,9 +1040,16 @@ static int assign_firmware_buf(struct fi
struct firmware_buf *buf = fw->priv;
mutex_lock(&fw_lock);
@ -119,7 +121,7 @@ removed in later patches.
}
/*
@@ -1072,7 +1095,7 @@ _request_firmware(const struct firmware
@@ -1075,7 +1098,7 @@ _request_firmware(const struct firmware
if (nowait) {
timeout = usermodehelper_read_lock_wait(timeout);
if (!timeout) {
@ -128,7 +130,7 @@ removed in later patches.
name);
ret = -EBUSY;
goto out;
@@ -1100,6 +1123,9 @@ _request_firmware(const struct firmware
@@ -1103,6 +1126,9 @@ _request_firmware(const struct firmware
if (ret < 0) {
release_firmware(fw);
fw = NULL;

@ -1,46 +0,0 @@
From: Borislav Petkov <bp@suse.de>
Date: Tue, 23 Jul 2013 20:01:23 +0200
Subject: amd64_edac: Fix single-channel setups
Origin: https://git.kernel.org/linus/f0a56c480196a98479760862468cc95879df3de0
Bug-Debian: http://bugs.debian.org/717473
It can happen that configurations are running in a single-channel mode
even with a dual-channel memory controller, by, say, putting the DIMMs
only on the one channel and leaving the other empty. This causes a
problem in init_csrows which implicitly assumes that when the second
channel is enabled, i.e. channel 1, the struct dimm hierarchy will be
present. Which is not.
So always allocate two channels unconditionally.
This provides for the nice side effect that the data structures are
initialized so some day, when memory hotplug is supported, it should
just work out of the box when all of a sudden a second channel appears.
Reported-and-tested-by: Roger Leigh <rleigh@debian.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
---
drivers/edac/amd64_edac.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c
index 8b6a034..8b3d901 100644
--- a/drivers/edac/amd64_edac.c
+++ b/drivers/edac/amd64_edac.c
@@ -2470,8 +2470,15 @@ static int amd64_init_one_instance(struct pci_dev *F2)
layers[0].size = pvt->csels[0].b_cnt;
layers[0].is_virt_csrow = true;
layers[1].type = EDAC_MC_LAYER_CHANNEL;
- layers[1].size = pvt->channel_count;
+
+ /*
+ * Always allocate two channels since we can have setups with DIMMs on
+ * only one channel. Also, this simplifies handling later for the price
+ * of a couple of KBs tops.
+ */
+ layers[1].size = 2;
layers[1].is_virt_csrow = false;
+
mci = edac_mc_alloc(nid, ARRAY_SIZE(layers), layers, 0);
if (!mci)
goto err_siblings;
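
Review bot: layers[1].size = 2 hard-codes the channel count as a bare literal where pvt->channel_count was used before. Suggest a named constant for the maximum number of channels, referenced from the new comment, and a check that any code indexing the channel layer stays below that constant rather than assuming it equals pvt->channel_count.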

@ -80,10 +80,3 @@ bugfix/all/irq-Always-define-devm_-request_threaded-free-_irq.patch
# m68k IRQ bugfix
bugfix/m68k/atari-irqs.patch
bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
bugfix/all/HID-validate-HID-report-id-size.patch
bugfix/all/HID-pantherlord-validate-output-report-details.patch
bugfix/all/HID-ntrig-validate-feature-report-details.patch
bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
bugfix/all/HID-picolcd_core-validate-output-report-details.patch
bugfix/all/HID-check-for-NULL-field-when-setting-values.patch