diff --git a/debian/changelog b/debian/changelog
index 6de677282..e69c76be8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.11.1-1~exp1) UNRELEASED; urgency=low
+linux (3.11.2-1~exp1) UNRELEASED; urgency=low
 * New upstream stable update:
 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.11.1
@@ -18,6 +18,54 @@ linux (3.11.1-1~exp1) UNRELEASED; urgency=low
 - crypto: xor - Check for osxsave as well as avx in crypto/xor
 - drivers/rtc/rtc-max77686.c: Fix wrong register
 - mwifiex: do not create AP and P2P interfaces upon driver loading
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.11.2
+ - firmware loader: fix pending_fw_head list corruption
+ - zram: fix invalid memory access
+ - UBI: Fix PEB leak in wear_leveling_worker()
+ - SCSI: sd: Fix potential out-of-bounds access
+ - crypto: api - Fix race condition in larval lookup
+ - [s390] bpf,jit: fix address randomization
+ - [powerpc] Handle unaligned ldbrx/stdbrx
+ - xen-gnt: prevent adding duplicate gnt callbacks
+ - cpuidle: coupled: abort idle if pokes are pending
+ - cpuidle: coupled: fix race condition between pokes and safe state
+ - [armel/versatile] PCI: Fix map_irq function to match hardware
+ - cifs: ensure that srv_mutex is held when dealing with ssocket pointer
+ - CIFS: Fix a memory leak when a lease break comes
+ - CIFS: Fix missing lease break
+ - USB: mos7720: fix big-endian control requests
+ - USB: cdc-wdm: fix race between interrupt handler and tasklet
+ - usb: config->desc.bLength may not exceed amount of data returned by the
+ device
+ - rculist: list_first_or_null_rcu() should use list_entry_rcu()
+ - [x86] smap: Handle csum_partial_copy_*_user()
+ - [x86] amd_nb: Clarify F15h, model 30h GART and L3 support
+ - [x86] mce: Pay no attention to 'F' bit in MCACOD when parsing 'UC' errors
+ - ext4: fix ext4_writepages() in presence of truncate
+ - ext4: simplify truncation code in ext4_setattr()
+ - brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()
+ - ath9k: fix rx descriptor related race condition
+ - ath9k: avoid accessing MRC registers on single-chain devices
+ - HID: battery: don't do DMA from stack
+ - HID: hidraw: correctly deallocate memory on device disconnect
+ - media: siano: fix divide error on 0 counters (Closes: #719623)
+ - Btrfs: don't allow the replace procedure on read only filesystems
+ - target: Fix >= v3.9+ regression in PR APTPL + ALUA metadata write-out
+ - intel-iommu: Fix leaks in pagetable freeing
+ - pidns: Fix hang in zap_pid_ns_processes by sending a potentially extra
+ wakeup
+ - pidns: fix vfork() after unshare(CLONE_NEWPID)
+ - ocfs2: fix the end cluster offset of FIEMAP
+ - mm/huge_memory.c: fix potential NULL pointer dereference
+ - libceph: unregister request in __map_request failed and nofail == false
+ - libceph: use pg_num_mask instead of pgp_num_mask for pg.seed calc
+ - ceph: Don't forget the 'up_read(&osdc->map_sem)' if met error.
+ - rbd: fix I/O error propagation for reads
+ - of: Fix missing memory initialization on FDT unflattening
+ - fuse: postpone end_page_writeback() in fuse_writepage_locked()
+ - fuse: invalidate inode attributes on xattr modification
+ - fuse: hotfix truncate_pagecache() issue
+ - fuse: readdir: check for slash in names
 [ Ben Hutchings ]
 * udeb: Update config to match previous kernel config changes:
diff --git a/debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch b/debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
deleted file mode 100644
index 2c204c673..000000000
--- a/debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Kees Cook
-Date: Wed, 28 Aug 2013 22:32:01 +0200
-Subject: [6/6] HID: check for NULL field when setting values
-Origin: https://git.kernel.org/linus/be67b68d52fa28b9b721c47bb42068f0c1214855
-
-Defensively check that the field to be worked on is not NULL.
-
-Signed-off-by: Kees Cook
-Cc: stable@kernel.org
-Signed-off-by: Jiri Kosina
----
- drivers/hid/hid-core.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1156,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
- 
- int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
- {
-- unsigned size = field->report_size;
-+ unsigned size;
-+
-+ if (!field)
-+ return -1;
-+
-+ size = field->report_size;
- 
- hid_dump_input(field->report->device, field->usage + offset, value);
- 
diff --git a/debian/patches/bugfix/all/HID-ntrig-validate-feature-report-details.patch b/debian/patches/bugfix/all/HID-ntrig-validate-feature-report-details.patch
deleted file mode 100644
index a437fb559..000000000
--- a/debian/patches/bugfix/all/HID-ntrig-validate-feature-report-details.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Kees Cook
-Date: Wed, 28 Aug 2013 22:31:28 +0200
-Subject: [3/6] HID: ntrig: validate feature report details
-Origin: https://git.kernel.org/linus/875b4e3763dbc941f15143dd1a18d10bb0be303b
-
-A HID device could send a malicious feature report that would cause the
-ntrig HID driver to trigger a NULL dereference during initialization:
-
-[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
-...
-[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
-[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig]
-
-CVE-2013-2896
-
-Signed-off-by: Kees Cook
-Cc: stable@kernel.org
-Signed-off-by: Rafi Rubin
-Signed-off-by: Jiri Kosina
----
- drivers/hid/hid-ntrig.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
-index 98d1fdf..600f207 100644
---- a/drivers/hid/hid-ntrig.c
-+++ b/drivers/hid/hid-ntrig.c
-@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
- struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
- report_id_hash[0x0d];
- 
-- if (!report)
-+ if (!report || report->maxfield < 1 ||
-+ report->field[0]->report_count < 1)
- return -EINVAL;
- 
- hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
diff --git a/debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch b/debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch
deleted file mode 100644
index 82b3f6930..000000000
--- a/debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Kees Cook
-Date: Wed, 28 Aug 2013 22:30:49 +0200
-Subject: [2/6] HID: pantherlord: validate output report details
-Origin: https://git.kernel.org/linus/412f30105ec6735224535791eed5cdc02888ecb4
-
-A HID device could send a malicious output report that would cause the
-pantherlord HID driver to write beyond the output report allocation
-during initialization, causing a heap overflow:
-
-[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
-...
-[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
-
-CVE-2013-2892
-
-Signed-off-by: Kees Cook
-Cc: stable@kernel.org
-Signed-off-by: Jiri Kosina
----
- drivers/hid/hid-pl.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
-index d29112f..2dcd7d9 100644
---- a/drivers/hid/hid-pl.c
-+++ b/drivers/hid/hid-pl.c
-@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
- strong = &report->field[0]->value[2];
- weak = &report->field[0]->value[3];
- debug("detected single-field device");
-- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
-- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
-+ } else if (report->field[0]->maxusage == 1 &&
-+ report->field[0]->usage[0].hid ==
-+ (HID_UP_LED | 0x43) &&
-+ report->maxfield >= 4 &&
-+ report->field[0]->report_count >= 1 &&
-+ report->field[1]->report_count >= 1 &&
-+ report->field[2]->report_count >= 1 &&
-+ report->field[3]->report_count >= 1) {
- report->field[0]->value[0] = 0x00;
- report->field[1]->value[0] = 0x00;
- strong = &report->field[2]->value[0];
diff --git a/debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch b/debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch
deleted file mode 100644
index fe0b5f481..000000000
--- a/debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Kees Cook
-Date: Wed, 28 Aug 2013 22:31:52 +0200
-Subject: [5/6] HID: picolcd_core: validate output report details
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/1e87a2456b0227ca4ab881e19a11bb99d164e792
-
-A HID device could send a malicious output report that would cause the
-picolcd HID driver to trigger a NULL dereference during attr file writing.
-
-[jkosina@suse.cz: changed
-
- report->maxfield < 1
-
-to
-
- report->maxfield != 1
-
-as suggested by Bruno].
-
-CVE-2013-2899
-
-Signed-off-by: Kees Cook
-Cc: stable@kernel.org
-Reviewed-by: Bruno Prémont
-Acked-by: Bruno Prémont
-Signed-off-by: Jiri Kosina
----
- drivers/hid/hid-picolcd_core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
-index b48092d..acbb0210 100644
---- a/drivers/hid/hid-picolcd_core.c
-+++ b/drivers/hid/hid-picolcd_core.c
-@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
- buf += 10;
- cnt -= 10;
- }
-- if (!report)
-+ if (!report || report->maxfield != 1)
- return -EINVAL;
- 
- while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
diff --git a/debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch b/debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
deleted file mode 100644
index 0bbdc3963..000000000
--- a/debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Kees Cook
-Date: Wed, 28 Aug 2013 22:31:44 +0200
-Subject: [4/6] HID: sensor-hub: validate feature report details
-Origin: https://git.kernel.org/linus/9e8910257397372633e74b333ef891f20c800ee4
-
-A HID device could send a malicious feature report that would cause the
-sensor-hub HID driver to read past the end of heap allocation, leaking
-kernel memory contents to the caller.
-
-CVE-2013-2898
-
-Signed-off-by: Kees Cook
-Cc: stable@kernel.org
-Reviewed-by: Mika Westerberg
-Signed-off-by: Jiri Kosina
----
- drivers/hid/hid-sensor-hub.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
-index ffc80cf..6fca30e 100644
---- a/drivers/hid/hid-sensor-hub.c
-+++ b/drivers/hid/hid-sensor-hub.c
-@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
- 
- mutex_lock(&data->mutex);
- report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
-- if (!report || (field_index >= report->maxfield)) {
-+ if (!report || (field_index >= report->maxfield) ||
-+ report->field[field_index]->report_count < 1) {
- ret = -EINVAL;
- goto done_proc;
- }
diff --git a/debian/patches/bugfix/all/HID-validate-HID-report-id-size.patch b/debian/patches/bugfix/all/HID-validate-HID-report-id-size.patch
deleted file mode 100644
index 3be68ae50..000000000
--- a/debian/patches/bugfix/all/HID-validate-HID-report-id-size.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Kees Cook
-Date: Wed, 28 Aug 2013 22:29:55 +0200
-Subject: [1/6] HID: validate HID report id size
-Origin: https://git.kernel.org/linus/43622021d2e2b82ea03d883926605bdd0525e1d1
-
-The "Report ID" field of a HID report is used to build indexes of
-reports. The kernel's index of these is limited to 256 entries, so any
-malicious device that sets a Report ID greater than 255 will trigger
-memory corruption on the host:
-
-[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
-[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b
-
-CVE-2013-2888
-
-Signed-off-by: Kees Cook
-Cc: stable@kernel.org
-Signed-off-by: Jiri Kosina
----
- drivers/hid/hid-core.c | 10 +++++++---
- include/linux/hid.h | 4 +++-
- 2 files changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 36668d1..5ea7d51 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
- struct hid_report_enum *report_enum = device->report_enum + type;
- struct hid_report *report;
- 
-+ if (id >= HID_MAX_IDS)
-+ return NULL;
- if (report_enum->report_id_hash[id])
- return report_enum->report_id_hash[id];
- 
-@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
- 
- case HID_GLOBAL_ITEM_TAG_REPORT_ID:
- parser->global.report_id = item_udata(item);
-- if (parser->global.report_id == 0) {
-- hid_err(parser->device, "report_id 0 is invalid\n");
-+ if (parser->global.report_id == 0 ||
-+ parser->global.report_id >= HID_MAX_IDS) {
-+ hid_err(parser->device, "report_id %u is invalid\n",
-+ parser->global.report_id);
- return -1;
- }
- return 0;
-@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
- for (i = 0; i < HID_REPORT_TYPES; i++) {
- struct hid_report_enum *report_enum = device->report_enum + i;
- 
-- for (j = 0; j < HID_MAX_IDS; j++) {
- struct hid_report *report = report_enum->report_id_hash[j];
- if (report)
- hid_free_report(report);
-diff --git a/include/linux/hid.h b/include/linux/hid.h
-index 0c48991..ff545cc 100644
---- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -393,10 +393,12 @@ struct hid_report {
- struct hid_device *device; /* associated device */
- };
- 
-+#define HID_MAX_IDS 256
-+
- struct hid_report_enum {
- unsigned numbered;
- struct list_head report_list;
-- struct hid_report *report_id_hash[256];
-+ struct hid_report *report_id_hash[HID_MAX_IDS];
- };
- 
- #define HID_REPORT_TYPES 3
diff --git a/debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch b/debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch
index 2e2d83904..33343ad9d 100644
--- a/debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch
+++ b/debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch
@@ -57,7 +57,7 @@ removed in later patches.
 fw_load_abort(fw_priv);
 mutex_unlock(&fw_lock);
 }
-@@ -858,26 +870,29 @@ static int _request_firmware_load(struct
+@@ -858,13 +870,15 @@ static int _request_firmware_load(struct
 retval = device_add(f_dev);
 if (retval) {
@@ -75,8 +75,10 @@ removed in later patches.
 goto err_del_dev;
 }
- retval = device_create_file(f_dev, &dev_attr_loading);
- if (retval) {
+@@ -877,14 +891,15 @@ static int _request_firmware_load(struct
+ mutex_lock(&fw_lock);
+ list_del_init(&buf->pending_list);
+ mutex_unlock(&fw_lock);
 - dev_err(f_dev, "%s: device_create_file failed\n", __func__);
 + dev_err(f_dev->parent, "%s: device_create_file failed\n",
 + __func__);
@@ -91,7 +93,7 @@ removed in later patches.
 if (timeout != MAX_SCHEDULE_TIMEOUT)
 schedule_delayed_work(&fw_priv->timeout_work, timeout);
-@@ -990,7 +1005,8 @@ _request_firmware_prepare(struct firmwar
+@@ -993,7 +1008,8 @@ _request_firmware_prepare(struct firmwar
 }
 if (fw_get_builtin_firmware(firmware, name)) {
@@ -101,7 +103,7 @@ removed in later patches.
 return 0; /* assigned */
 }
-@@ -1021,9 +1037,16 @@ static int assign_firmware_buf(struct fi
+@@ -1024,9 +1040,16 @@ static int assign_firmware_buf(struct fi
 struct firmware_buf *buf = fw->priv;
 mutex_lock(&fw_lock);
@@ -119,7 +121,7 @@ removed in later patches.
 }
 /*
-@@ -1072,7 +1095,7 @@ _request_firmware(const struct firmware
+@@ -1075,7 +1098,7 @@ _request_firmware(const struct firmware
 if (nowait) {
 timeout = usermodehelper_read_lock_wait(timeout);
 if (!timeout) {
@@ -128,7 +130,7 @@ removed in later patches.
 name);
 ret = -EBUSY;
 goto out;
-@@ -1100,6 +1123,9 @@ _request_firmware(const struct firmware
+@@ -1103,6 +1126,9 @@ _request_firmware(const struct firmware
 if (ret < 0) {
 release_firmware(fw);
 fw = NULL;
diff --git a/debian/patches/bugfix/x86/amd64_edac-Fix-single-channel-setups.patch b/debian/patches/bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
deleted file mode 100644
index f2fb10882..000000000
--- a/debian/patches/bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Borislav Petkov
-Date: Tue, 23 Jul 2013 20:01:23 +0200
-Subject: amd64_edac: Fix single-channel setups
-Origin: https://git.kernel.org/linus/f0a56c480196a98479760862468cc95879df3de0
-Bug-Debian: http://bugs.debian.org/717473
-
-It can happen that configurations are running in a single-channel mode
-even with a dual-channel memory controller, by, say, putting the DIMMs
-only on the one channel and leaving the other empty. This causes a
-problem in init_csrows which implicitly assumes that when the second
-channel is enabled, i.e. channel 1, the struct dimm hierarchy will be
-present. Which is not.
-
-So always allocate two channels unconditionally.
-
-This provides for the nice side effect that the data structures are
-initialized so some day, when memory hotplug is supported, it should
-just work out of the box when all of a sudden a second channel appears.
-
-Reported-and-tested-by: Roger Leigh
-Signed-off-by: Borislav Petkov
----
- drivers/edac/amd64_edac.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c
-index 8b6a034..8b3d901 100644
---- a/drivers/edac/amd64_edac.c
-+++ b/drivers/edac/amd64_edac.c
-@@ -2470,8 +2470,15 @@ static int amd64_init_one_instance(struct pci_dev *F2)
- layers[0].size = pvt->csels[0].b_cnt;
- layers[0].is_virt_csrow = true;
- layers[1].type = EDAC_MC_LAYER_CHANNEL;
-- layers[1].size = pvt->channel_count;
-+
-+ /*
-+ * Always allocate two channels since we can have setups with DIMMs on
-+ * only one channel. Also, this simplifies handling later for the price
-+ * of a couple of KBs tops.
-+ */
-+ layers[1].size = 2;
- layers[1].is_virt_csrow = false;
-+
- mci = edac_mc_alloc(nid, ARRAY_SIZE(layers), layers, 0);
- if (!mci)
- goto err_siblings;
diff --git a/debian/patches/series b/debian/patches/series
index f2f799bc2..5c17ea33e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -80,10 +80,3 @@ bugfix/all/irq-Always-define-devm_-request_threaded-free-_irq.patch
 # m68k IRQ bugfix
 bugfix/m68k/atari-irqs.patch
-bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
-bugfix/all/HID-validate-HID-report-id-size.patch
-bugfix/all/HID-pantherlord-validate-output-report-details.patch
-bugfix/all/HID-ntrig-validate-feature-report-details.patch
-bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
-bugfix/all/HID-picolcd_core-validate-output-report-details.patch
-bugfix/all/HID-check-for-NULL-field-when-setting-values.patch