Merge tag 'debian/4.3.3-3'

Drop the ABI reference and ignored symbols.

Drop most of the patches, as they're already upstream.

debian/bin/gencontrol.py

@@ -44,6 +44,7 @@ class Gencontrol(Base):
         },
         'packages': {
             'docs': config.SchemaItemBoolean(),
+            'headers-all': config.SchemaItemBoolean(),
             'installer': config.SchemaItemBoolean(),
             'libc-dev': config.SchemaItemBoolean(),
 
@@ -134,10 +135,6 @@ class Gencontrol(Base):
         self._setup_makeflags(self.arch_makeflags, makeflags, config_base)
 
     def do_arch_packages(self, packages, makefile, arch, vars, makeflags, extra):
-        # Some userland architectures require kernels from another
-        # (Debian) architecture, e.g. x32/amd64.
-        foreign_kernel = not self.config['base', arch].get('featuresets')
-
         if self.version.linux_modifier is None:
             try:
                 abiname_part = '-%s' % self.config['abi', arch]['abiname']
@@ -146,14 +143,19 @@ class Gencontrol(Base):
             makeflags['ABINAME'] = vars['abiname'] = \
                 self.abiname_version + abiname_part
 
-        if foreign_kernel:
-            packages_headers_arch = []
-            makeflags['FOREIGN_KERNEL'] = True
-        else:
+        # Some userland architectures require kernels from another
+        # (Debian) architecture, e.g. x32/amd64.
+        # And some derivatives don't need the headers-all packages
+        # for other reasons.
+        if (self.config['base', arch].get('featuresets') and
+            self.config.merge('packages').get('headers-all', True)):
             headers_arch = self.templates["control.headers.arch"]
             packages_headers_arch = self.process_packages(headers_arch, vars)
             packages_headers_arch[-1]['Depends'].extend(PackageRelation())
             extra['headers_arch_depends'] = packages_headers_arch[-1]['Depends']
+        else:
+            packages_headers_arch = []
+            makeflags['DO_HEADERS_ALL'] = False
 
         if self.config.merge('packages').get('libc-dev', True):
             libc_dev = self.templates["control.libc-dev"]
@@ -364,7 +366,8 @@ class Gencontrol(Base):
             package_headers = self.process_package(headers[0], vars)
             package_headers['Depends'].extend(relations_compiler_headers)
             packages_own.append(package_headers)
-            extra['headers_arch_depends'].append('%s (= ${binary:Version})' % packages_own[-1]['Package'])
+            if extra.get('headers_arch_depends'):
+                extra['headers_arch_depends'].append('%s (= ${binary:Version})' % packages_own[-1]['Package'])
 
         build_debug = config_entry_build.get('debug-info')
 

debian/changelog

@@ -80,6 +80,38 @@ linux (4.4~rc4-1~exp1) experimental; urgency=medium
 
  -- Ben Hutchings <ben@decadent.org.uk>  Sun, 13 Dec 2015 16:25:45 +0000
 
+linux (4.3.3-3) unstable; urgency=medium
+
+  [ Ben Hutchings ]
+  * [ppc64*] drm: Enable DRM_AST as module (Closes: #808338)
+  * block: ensure to split after potentially bouncing a bio (Closes: #809082)
+  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (CVE-2015-8569)
+  * bluetooth: Validate socket address length in sco_sock_bind() (CVE-2015-8575)
+  * [xen] Fix race conditions in back-end drivers (CVE-2015-8550, XSA-155)
+  * [xen] pciback: Fix state validation in MSI control operations
+    (CVE-2015-8551, CVE-2015-8852, XSA-157)
+  * ptrace: being capable wrt a process requires mapped uids/gids
+    (CVE-2015-8709)
+  * KEYS: Fix race between read and revoke (CVE-2015-7550)
+  * [armhf] udeb: Add modular clock, GPIO, PCIe PHY and regulator drivers to
+    core-modules (Closes: #809521)
+  * [armhf] udeb: Add more USB PHY drivers to usb-modules
+  * drm/nouveau/pmu: do not assume a PMU is present (Closes: #809481)
+  * [x86] drm/i915: Don't compare has_drrs strictly in pipe config
+    (Closes: #808720)
+  * [armhf] crypto: sun4i-ss - add missing statesize (Closes: #808625)
+  * Revert "xhci: don't finish a TD if we get a short transfer event mid TD"
+    (Closes: #808602, #808953, regression in 4.3-rc7)
+  * [x86] pinctrl: Enable PINCTRL_CHERRYVIEW (Closes: #808044)
+  * [s390x] udeb: Add crc-modules package (Closes: #808051)
+
+  [ Salvatore Bonaccorso ]
+  * ovl: fix permission checking for setattr (CVE-2015-8660)
+  * [x86] kvm: Reload pit counters for all channels when restoring state
+    (CVE-2015-7513)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sat, 02 Jan 2016 16:45:46 +0000
+
 linux (4.3.3-2) unstable; urgency=medium
 
   * [armhf,sparc64] Force ZONE_DMA to be enabled, reversing ABI change in

debian/config/kernelarch-powerpc/config-arch-64

@@ -58,6 +58,11 @@ CONFIG_PATA_AMD=m
 # CONFIG_MAC_FLOPPY is not set
 CONFIG_BLK_DEV_RSXX=m
 
+##
+## file: drivers/gpu/drm/ast/Kconfig
+##
+CONFIG_DRM_AST=m
+
 ##
 ## file: drivers/net/ethernet/ibm/Kconfig
 ##

debian/config/kernelarch-x86/config

@@ -1270,6 +1270,7 @@ CONFIG_TCIC=m
 ## file: drivers/pinctrl/intel/Kconfig
 ##
 CONFIG_PINCTRL_BAYTRAIL=y
+CONFIG_PINCTRL_CHERRYVIEW=y
 
 ##
 ## file: drivers/platform/chrome/Kconfig

debian/installer/armhf/modules/armhf-armmp/core-modules

@@ -1 +1,30 @@
 #include <core-modules>
+
+# Clocks
+clk-palmas ?
+clk-s2mps11 ?
+clk-twl6040 ?
+
+# GPIO
+gpio-da9052 ?
+gpio-pca953x ?
+gpio-viperboard ?
+
+# PCIe PHYs
+phy-omap-control ?
+phy-ti-pipe3 ?
+
+# Regulators
+anatop-regulator ?
+axp20x-regulator ?
+da9052-regulator ?
+gpio-regulator ?
+mc13783-regulator ?
+mc13892-regulator ?
+pbias-regulator ?
+pfuze100-regulator ?
+s2mpa01 ?
+s2mps11 ?
+s5m8767 ?
+ti-abb-regulator ?
+vexpress ?

debian/installer/armhf/modules/armhf-armmp/sata-modules

@@ -4,4 +4,6 @@ ahci_imx
 ahci_sunxi
 ahci_tegra
 sata_highbank
+
+# SATA PHYs
 phy-exynos5250-sata

debian/installer/armhf/modules/armhf-armmp/usb-modules

@@ -8,8 +8,19 @@ ehci-exynos
 ehci-omap
 ehci-orion
 ehci-tegra
-phy-exynos-usb2
-phy-omap-usb2
 ci_hdrc_imx
-phy-mxs-usb
 dwc2
+
+# USB PHYs
+phy-am335x ?
+phy-am335x-control ?
+phy-exynos-usb2
+phy-exynos5-usbdrd ?
+phy-generic ?
+phy-mxs-usb
+phy-omap-usb2
+phy-sun4i-usb ?
+phy-sun9i-usb ?
+phy-tegra-usb ?
+phy-twl4030-usb ?
+phy-twl6030-usb ?

debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch

@@ -0,0 +1,110 @@
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 18 Dec 2015 01:34:26 +0000
+Subject: KEYS: Fix race between read and revoke
+Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d
+
+This fixes CVE-2015-7550.
+
+There's a race between keyctl_read() and keyctl_revoke().  If the revoke
+happens between keyctl_read() checking the validity of a key and the key's
+semaphore being taken, then the key type read method will see a revoked key.
+
+This causes a problem for the user-defined key type because it assumes in
+its read method that there will always be a payload in a non-revoked key
+and doesn't check for a NULL pointer.
+
+Fix this by making keyctl_read() check the validity of a key after taking
+semaphore instead of before.
+
+I think the bug was introduced with the original keyrings code.
+
+This was discovered by a multithreaded test program generated by syzkaller
+(http://github.com/google/syzkaller).  Here's a cleaned up version:
+
+	#include <sys/types.h>
+	#include <keyutils.h>
+	#include <pthread.h>
+	void *thr0(void *arg)
+	{
+		key_serial_t key = (unsigned long)arg;
+		keyctl_revoke(key);
+		return 0;
+	}
+	void *thr1(void *arg)
+	{
+		key_serial_t key = (unsigned long)arg;
+		char buffer[16];
+		keyctl_read(key, buffer, 16);
+		return 0;
+	}
+	int main()
+	{
+		key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+		pthread_t th[5];
+		pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+		pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+		pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+		pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+		pthread_join(th[0], 0);
+		pthread_join(th[1], 0);
+		pthread_join(th[2], 0);
+		pthread_join(th[3], 0);
+		return 0;
+	}
+
+Build as:
+
+	cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
+
+Run as:
+
+	while keyctl-race; do :; done
+
+as it may need several iterations to crash the kernel.  The crash can be
+summarised as:
+
+	BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+	IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+	...
+	Call Trace:
+	 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+	 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+	 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+---
+ security/keys/keyctl.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid,
+ 
+ 	/* the key is probably readable - now try to read it */
+ can_read_key:
+-	ret = key_validate(key);
+-	if (ret == 0) {
+-		ret = -EOPNOTSUPP;
+-		if (key->type->read) {
+-			/* read the data with the semaphore held (since we
+-			 * might sleep) */
+-			down_read(&key->sem);
++	ret = -EOPNOTSUPP;
++	if (key->type->read) {
++		/* Read the data with the semaphore held (since we might sleep)
++		 * to protect against the key being updated or revoked.
++		 */
++		down_read(&key->sem);
++		ret = key_validate(key);
++		if (ret == 0)
+ 			ret = key->type->read(key, buffer, buflen);
+-			up_read(&key->sem);
+-		}
++		up_read(&key->sem);
+ 	}
+ 
+ error2:

debian/patches/bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch

@@ -0,0 +1,104 @@
+From: Jann Horn <jann@thejh.net>
+Subject: ptrace: being capable wrt a process requires mapped uids/gids
+Date: Sat, 26 Dec 2015 03:52:31 +0100
+Origin: https://lkml.org/lkml/2015/12/25/71
+
+ptrace_has_cap() checks whether the current process should be
+treated as having a certain capability for ptrace checks
+against another process. Until now, this was equivalent to
+has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
+
+However, if a root-owned process wants to enter a user
+namespace for some reason without knowing who owns it and
+therefore can't change to the namespace owner's uid and gid
+before entering, as soon as it has entered the namespace,
+the namespace owner can attach to it via ptrace and thereby
+gain access to its uid and gid.
+
+While it is possible for the entering process to switch to
+the uid of a claimed namespace owner before entering,
+causing the attempt to enter to fail if the claimed uid is
+wrong, this doesn't solve the problem of determining an
+appropriate gid.
+
+With this change, the entering process can first enter the
+namespace and then safely inspect the namespace's
+properties, e.g. through /proc/self/{uid_map,gid_map},
+assuming that the namespace owner doesn't have access to
+uid 0.
+Changed in v2: The caller needs to be capable in the
+namespace into which tcred's uids/gids can be mapped.
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+---
+ kernel/ptrace.c | 33 ++++++++++++++++++++++++++++-----
+ 1 file changed, 28 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index b760bae..260a08d 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -20,6 +20,7 @@
+ #include <linux/uio.h>
+ #include <linux/audit.h>
+ #include <linux/pid_namespace.h>
++#include <linux/user_namespace.h>
+ #include <linux/syscalls.h>
+ #include <linux/uaccess.h>
+ #include <linux/regset.h>
+@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
+ 	return ret;
+ }
+ 
+-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
++static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
+ {
++	struct user_namespace *tns = tcred->user_ns;
++
++	/* When a root-owned process enters a user namespace created by a
++	 * malicious user, the user shouldn't be able to execute code under
++	 * uid 0 by attaching to the root-owned process via ptrace.
++	 * Therefore, similar to the capable_wrt_inode_uidgid() check,
++	 * verify that all the uids and gids of the target process are
++	 * mapped into a namespace below the current one in which the caller
++	 * is capable.
++	 * No fsuid/fsgid check because __ptrace_may_access doesn't do it
++	 * either.
++	 */
++	while (
++	    !kuid_has_mapping(tns, tcred->euid) ||
++	    !kuid_has_mapping(tns, tcred->suid) ||
++	    !kuid_has_mapping(tns, tcred->uid)  ||
++	    !kgid_has_mapping(tns, tcred->egid) ||
++	    !kgid_has_mapping(tns, tcred->sgid) ||
++	    !kgid_has_mapping(tns, tcred->gid)) {
++		tns = tns->parent;
++	}
++
+ 	if (mode & PTRACE_MODE_NOAUDIT)
+-		return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
++		return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
+ 	else
+-		return has_ns_capability(current, ns, CAP_SYS_PTRACE);
++		return has_ns_capability(current, tns, CAP_SYS_PTRACE);
+ }
+ 
+ /* Returns 0 on success, -errno on denial. */
+@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ 	    gid_eq(cred->gid, tcred->sgid) &&
+ 	    gid_eq(cred->gid, tcred->gid))
+ 		goto ok;
+-	if (ptrace_has_cap(tcred->user_ns, mode))
++	if (ptrace_has_cap(tcred, mode))
+ 		goto ok;
+ 	rcu_read_unlock();
+ 	return -EPERM;
+@@ -252,7 +275,7 @@ ok:
+ 		dumpable = get_dumpable(task->mm);
+ 	rcu_read_lock();
+ 	if (dumpable != SUID_DUMP_USER &&
+-	    !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
++	    !ptrace_has_cap(__task_cred(task), mode)) {
+ 		rcu_read_unlock();
+ 		return -EPERM;
+ 	}

debian/patches/bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch

@@ -0,0 +1,36 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 02 Jan 2016 03:03:27 +0000
+Subject: Revert "xhci: don't finish a TD if we get a short transfer event mid TD"
+Bug-Debian: https://bugs.debian.org/808602
+Bug-Debian: https://bugs.debian.org/808953
+
+This reverts commit e210c422b6fdd2dc123bedc588f399aefd8bf9de.  It
+caused serious regressions as referenced above.
+
+---
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2192,10 +2192,6 @@ static int process_bulk_intr_td(struct x
+ 		}
+ 	/* Fast path - was this the last TRB in the TD for this URB? */
+ 	} else if (event_trb == td->last_trb) {
+-		if (td->urb_length_set && trb_comp_code == COMP_SHORT_TX)
+-			return finish_td(xhci, td, event_trb, event, ep,
+-					 status, false);
+-
+ 		if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) {
+ 			td->urb->actual_length =
+ 				td->urb->transfer_buffer_length -
+@@ -2247,12 +2243,6 @@ static int process_bulk_intr_td(struct x
+ 			td->urb->actual_length +=
+ 				TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) -
+ 				EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
+-
+-		if (trb_comp_code == COMP_SHORT_TX) {
+-			xhci_dbg(xhci, "mid bulk/intr SP, wait for last TRB event\n");
+-			td->urb_length_set = true;
+-			return 0;
+-		}
+ 	}
+ 
+ 	return finish_td(xhci, td, event_trb, event, ep, status, false);

debian/patches/bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch

@@ -0,0 +1,40 @@
+From: LABBE Corentin <clabbe.montjoie@gmail.com>
+Date: Mon, 16 Nov 2015 09:35:54 +0100
+Subject: crypto: sun4i-ss - add missing statesize
+Origin: https://git.kernel.org/cgit/linux/kernel/git/herbert/cryptodev-2.6.git/commit?id=4f9ea86604e3ba64edd2817795798168fbb3c1a6
+Bug-Debian: https://bugs.debian.org/808625
+
+sun4i-ss implementaton of md5/sha1 is via ahash algorithms.
+Commit 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero")
+made impossible to load them without giving statesize. This patch
+specifiy statesize for sha1 and md5.
+
+Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Cc: <stable@vger.kernel.org> # v4.3+
+Tested-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-core.c b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
+index eab6fe2..107cd2a 100644
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
+@@ -39,6 +39,7 @@ static struct sun4i_ss_alg_template ss_algs[] = {
+ 		.import = sun4i_hash_import_md5,
+ 		.halg = {
+ 			.digestsize = MD5_DIGEST_SIZE,
++			.statesize = sizeof(struct md5_state),
+ 			.base = {
+ 				.cra_name = "md5",
+ 				.cra_driver_name = "md5-sun4i-ss",
+@@ -66,6 +67,7 @@ static struct sun4i_ss_alg_template ss_algs[] = {
+ 		.import = sun4i_hash_import_sha1,
+ 		.halg = {
+ 			.digestsize = SHA1_DIGEST_SIZE,
++			.statesize = sizeof(struct sha1_state),
+ 			.base = {
+ 				.cra_name = "sha1",
+ 				.cra_driver_name = "sha1-sun4i-ss",

debian/patches/series

@@ -92,3 +92,9 @@ features/arm/rpi/arm-bcm2835-split-the-dt-for-peripherals-from-the-dt.patch
 features/arm/rpi/arm-bcm2835-move-the-cpu-peripheral-include-out-of-c.patch
 features/arm/rpi/arm-bcm2835-add-devicetree-for-bcm2836-and-raspberry.patch
 features/arm/rpi/arm-bcm2835-add-the-auxiliary-clocks-to-the-device-t.patch
+
+# Security fixes
+bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
+bugfix/all/keys-fix-race-between-read-and-revoke.patch
+bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch
+bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch

debian/rules.real

@@ -50,7 +50,8 @@ MAKEOVERRIDES =
 #
 # Targets
 #
-ifneq ($(FOREIGN_KERNEL),True)
+binary-arch-arch:
+ifneq ($(DO_HEADERS_ALL),False)
   binary-arch-arch: install-headers_$(ARCH)
 endif
 ifneq ($(DO_LIBC),False)