Update to 3.9.5

svn path=/dists/sid/linux/; revision=20218

debian/changelog

@@ -1,5 +1,51 @@
-linux (3.9.4-2) UNRELEASED; urgency=low
+linux (3.9.5-1) UNRELEASED; urgency=low
 
+  * New upstream stable update:
+    http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.9.5
+    - [arm] 7723/1: crypto: sha1-armv4-large.S: fix SP handling
+    - mac80211: use just spin_lock() in ieee80211_get_tkip_p2k()
+    - USB: cxacru: potential underflow in cxacru_cm_get_array()
+    - TTY: Fix tty miss restart after we turn off flow-control
+      (Closes: #465823)
+    - cifs: only set ops for inodes in I_NEW state
+    - drivers/char/random.c: fix priming of last_data
+    - random: fix accounting race condition with lockless irq entropy_count
+      update
+    - fat: fix possible overflow for fat_clusters
+    - tg3: Fix data corruption on 5725 with TSO
+    - ocfs2: goto out_unlock if ocfs2_get_clusters_nocache() failed in
+      ocfs2_fiemap()
+    - mm compaction: fix of improper cache flush in migration code
+    - klist: del waiter from klist_remove_waiters before wakeup waitting process
+    - wait: fix false timeouts when using wait_event_timeout()
+    - nilfs2: fix issue of nilfs_set_page_dirty() for page at EOF boundary
+    - mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
+    - mm: memcg: remove incorrect VM_BUG_ON for swap cache pages in uncharge
+    - mm/pagewalk.c: walk_page_range should avoid VM_PFNMAP areas
+    - mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
+    - module: don't unlink the module until we've removed all exposure.
+    - xfs: kill suid/sgid through the truncate path.
+    - SUNRPC: Prevent an rpc_task wakeup race
+    - cifs: fix potential buffer overrun when composing a new options string
+    - cgroup: initialize xattr before calling d_instantiate()
+    - [powerpc] 32bit:Store temporary result in r0 instead of r8
+    - [powerpc] tm: Fix userspace stack corruption on signal delivery for active
+      transactions
+    - [powerpc] tm: Abort on emulation and alignment faults
+    - iscsi-target: fix heap buffer overflow on error
+    - KVM: fix sil/dil/bpl/spl in the mod/rm fields
+    - reiserfs: fix deadlock with nfs racing on create/lookup
+    - reiserfs: fix problems with chowning setuid file w/ xattrs
+    - reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
+    - jfs: fix a couple races
+    - IB/iser: Return error to upper layers on EAGAIN registration failures
+    - fuse: fix readdirplus Oops in fuse_dentry_revalidate
+    - target: Re-instate sess_wait_list for target_wait_for_sess_cmds
+    - xen-netback: Fix regressions caused by fix for CVE-2013-0216
+      + coalesce slots in TX path and fix regressions
+      + don't disconnect frontend when seeing oversize packet
+
+  [ Ben Hutchings ]
   * [powerpcspe] Remove installer udebs (really fixes FTBFS)
 
  -- Ben Hutchings <ben@decadent.org.uk>  Sat, 08 Jun 2013 15:25:11 +0100

debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch

@@ -1,62 +0,0 @@
-From: Kees Cook <keescook@chromium.org>
-Date: Thu, 23 May 2013 17:32:17 +0000
-Subject: iscsi-target: fix heap buffer overflow on error
-
-commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
-
-If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
-error response packet, generated by iscsi_add_notunderstood_response(),
-would still attempt to copy the entire key into the packet, overflowing
-the structure on the heap.
-
-Remote preauthentication kernel memory corruption was possible if a
-target was configured and listening on the network.
-
-CVE-2013-2850
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
----
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
-index c2185fc..e382221 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.c
-+++ b/drivers/target/iscsi/iscsi_target_parameters.c
-@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
- 	}
- 	INIT_LIST_HEAD(&extra_response->er_list);
- 
--	strncpy(extra_response->key, key, strlen(key) + 1);
--	strncpy(extra_response->value, NOTUNDERSTOOD,
--			strlen(NOTUNDERSTOOD) + 1);
-+	strlcpy(extra_response->key, key, sizeof(extra_response->key));
-+	strlcpy(extra_response->value, NOTUNDERSTOOD,
-+		sizeof(extra_response->value));
- 
- 	list_add_tail(&extra_response->er_list,
- 			&param_list->extra_response_list);
-@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
- 
- 		if (phase & PHASE_SECURITY) {
- 			if (iscsi_check_for_auth_key(key) > 0) {
--				char *tmpptr = key + strlen(key);
--				*tmpptr = '=';
- 				kfree(tmpbuf);
- 				return 1;
- 			}
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
-index 915b067..a47046a 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.h
-+++ b/drivers/target/iscsi/iscsi_target_parameters.h
-@@ -1,8 +1,10 @@
- #ifndef ISCSI_PARAMETERS_H
- #define ISCSI_PARAMETERS_H
- 
-+#include <scsi/iscsi_proto.h>
-+
- struct iscsi_extra_response {
--	char key[64];
-+	char key[KEY_MAXLEN];
- 	char value[32];
- 	struct list_head er_list;
- } ____cacheline_aligned;

debian/patches/series

@@ -104,4 +104,3 @@ features/arm/imx53-qsb-usb-power.patch
 features/arm/0001-thermal-Add-driver-for-Armada-370-XP-SoC-thermal-man.patch
 features/arm/0001-ARM-mvebu-Add-thermal-support-to-Armada-XP-device-tr.patch 
 
-bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch