Update to 4.12.6

Salvatore Bonaccorso 2017-08-12 16:10:56 +02:00
parent 5bc71d3ff6
commit e58e3e6be9
4 changed files with 114 additions and 137 deletions

debian/changelog

@ -1,4 +1,4 @@
linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
linux (4.12.6-1~exp1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.3
@ -250,6 +250,119 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
- ipmi/watchdog: fix watchdog timeout set on reboot
- dentry name snapshots (CVE-2017-7533)
- mmc: tmio-mmc: fix bad pointer math
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.6
- [hppa/parisc] Increase thread and stack size to 32kb
- [hppa/parisc] Handle vma's whose context is not current in
flush_cache_range
- scsi: lpfc: fix linking against modular NVMe support
- ACPI / LPSS: Only call pwm_add_table() for the first PWM controller
- cgroup: don't call migration methods if there are no tasks to migrate
- cgroup: create dfl_root files on subsys registration
- cgroup: fix error return value from cgroup_subtree_control()
- libata: array underflow in ata_find_dev()
- workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
- iwlwifi: dvm: prevent an out of bounds access
- brcmfmac: fix memleak due to calling brcmf_sdiod_sgtable_alloc() twice
- NFSv4: Fix EXCHANGE_ID corrupt verifier issue
- mmc: sdhci-of-at91: force card detect value for non removable devices
- mmc: core: Use device_property_read instead of of_property_read
- mmc: dw_mmc: Use device_property_read instead of of_property_read
- mm, mprotect: flush TLB if potentially racing with a parallel reclaim
leaving stale TLB entries
- mm/hugetlb.c: __get_user_pages ignores certain follow_hugetlb_page
errors
- userfaultfd: non-cooperative: notify about unmap of destination during
mremap
- userfaultfd_zeropage: return -ENOSPC in case mm has gone
- userfaultfd: non-cooperative: flush event_wqh at release time
- cpuset: fix a deadlock due to incomplete patching of cpusets_enabled()
- ocfs2: don't clear SGID when inheriting ACLs
- ALSA: hda - Fix speaker output from VAIO VPCL14M1R
- [x86] drm/amdgpu: fix header on gfx9 clear state
- [x86] drm/amdgpu: Fix undue fallthroughs in golden registers
initialization
- ASoC: fix pcm-creation regression
- ASoC: ux500: Restore platform DAI assignments
- ASoC: do not close shared backend dailink
- KVM: arm/arm64: Handle hva aging while destroying the vm
- KVM: async_pf: make rcu irq exit if not triggered from idle task
- timers: Fix overflow in get_next_timer_interrupt
- [powerpc*] tm: Fix saving of TM SPRs in core dump
- [powerpc/powerpc64] Fix __check_irq_replay missing decrementer interrupt
- iommu/amd: Enable ga_log_intr when enabling guest_mode
- [arm64] dts: marvell: armada-37xx: Fix the number of GPIO on south bridge
- gpiolib: skip unwanted events, don't convert them to opposite edge
- ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
- ext4: fix overflow caused by missing cast in ext4_resize_fs()
- [mips*] ralink: Fix build error due to missing header
- clk: sunxi-ng: sun5i: Add clk_set_rate_parent to the CPU clock
- ARM: mvebu: use __pa_symbol in the mv98dx3236 platform SMP code
- ARM: dts: armada-38x: Fix irq type for pca955
- ARM: dts: tango4: Request RGMII RX and TX clock delays
- media: pulse8-cec: persistent_config should be off by default
- media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds
- media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS
ioctl
- ir-spi: Fix issues with lirc API
- tcmu: Fix flushing cmd entry dcache page
- tcmu: Fix possbile memory leak / OOPs when recalculating cmd base size
- ext4: preserve i_mode if __ext4_set_acl() fails
- ext4: Don't clear SGID when inheriting ACLs
- Btrfs: fix early ENOSPC due to delalloc
- blk-mq: Include all present CPUs in the default queue mapping
- blk-mq: Create hctx for each present CPU
- block: disable runtime-pm for blk-mq
- saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
- sctp: fix an array overflow when all ext chunks are set
- tcp_bbr: cut pacing rate only if filled pipe
- tcp_bbr: introduce bbr_bw_to_pacing_rate() helper
- tcp_bbr: introduce bbr_init_pacing_rate_from_rtt() helper
- tcp_bbr: remove sk_pacing_rate=0 transient during init
- tcp_bbr: init pacing rate on first RTT sample
- ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check()
- wireless: wext: terminate ifr name coming from userspace
- net: Zero terminate ifr_name in dev_ifname().
- net: dsa: mv88e6xxx: Enable CMODE config support for 6390X
- Revert "rtnetlink: Do not generate notifications for CHANGEADDR event"
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
- net: dsa: b53: Add missing ARL entries for BCM53125
- ipv4: initialize fib_trie prior to register_netdev_notifier call.
- rtnetlink: allocate more memory for dev_set_mac_address()
- net: bonding: Fix transmit load balancing in balance-alb mode
- mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled
- openvswitch: fix potential out of bound access in parse_ct
- packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
- ipv6: Don't increase IPSTATS_MIB_FRAGFAILS twice in ip6_fragment()
- net: ethernet: nb8800: Handle all 4 RGMII modes identically
- bonding: commit link status change after propose
- dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly
- dccp: fix a memleak that dccp_ipv4 doesn't put reqsk properly
- dccp: fix a memleak for dccp_feat_init err process
- net/mlx5: Consider tx_enabled in all modes on remap
- net/mlx5: Fix command completion after timeout access invalid structure
- net/mlx5: Fix command bad flow on command entry allocation failure
- sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
- sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
- net/mlx5e: IPoIB, Modify add/remove underlay QPN flows
- net/mlx5e: Fix outer_header_zero() check size
- net/mlx5: Fix mlx5_ifc_mtpps_reg_bits structure size
- net/mlx5e: Add field select to MTPPS register
- net/mlx5e: Fix broken disable 1PPS flow
- net/mlx5e: Change 1PPS out scheme
- net/mlx5e: Add missing support for PTP_CLK_REQ_PPS request
- net/mlx5e: Fix wrong delay calculation for overflow check scheduling
- net/mlx5e: Schedule overflow check work to mlx5e workqueue
- net/mlx5: Fix mlx5_add_flow_rules call with correct num of dests
- udp6: fix socket leak on early demux
- net: phy: Correctly process PHY_HALTED in phy_stop_machine()
- workqueue: implicit ordered attribute should be overridable
- ipv4: fib: Fix NULL pointer deref during fib_sync_down_dev()
- virtio_net: fix truesize for mergeable buffers
- [sparc64] Measure receiver forward progress to avoid send mondo timeout
- [sparc64] Prevent perf from running during super critical sections
- [sparc64] Register hugepages during arch init
- [sparc64] Fix exception handling in UltraSPARC-III memcpy.
- drm/vmwgfx: Fix cursor hotspot issue with Wayland on Fedora
[ Ben Hutchings ]
* media: Enable USB_RAINSHADOW_CEC as module (see #868511)
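Review bot: several of the entries added under ChangeLog-4.12.6 describe memory-safety fixes, but only two carry a CVE id (the saa7164 double fetch with CVE-2017-8831 and ip6_find_1stfragopt with CVE-2017-7542). Entries such as "libata: array underflow in ata_find_dev()", "packet: fix use-after-free in prb_retire_rx_blk_timer_expired()" and "openvswitch: fix potential out of bound access in parse_ct" are worth checking against the security tracker before upload, and annotating in the same "(CVE-...)" style if an id has been assigned.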
@ -267,8 +380,6 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
linux-headers-*-common* (Closes: #869511)
[ Salvatore Bonaccorso ]
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
* media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
* packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
* udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
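Review bot: check that no tracker reference is lost by dropping the CVE-2017-7542 and CVE-2017-8831 entries from the [ Salvatore Bonaccorso ] block. Both ids reappear on the matching lines under ChangeLog-4.12.6 in the previous hunk, so that holds. The two entries kept here (CVE-2017-1000111, CVE-2017-1000112) have no counterpart in the 4.12.6 list, so their patch files and series entries have to stay, which the series hunk of this commit does.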


@ -1,55 +0,0 @@
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed, 19 Jul 2017 22:28:55 +0200
Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542
In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
This problem has been here since before the beginning of git history.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv6/output_core.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index e9065b8d3af8..abb2c307fbe8 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
{
- u16 offset = sizeof(struct ipv6hdr);
+ unsigned int offset = sizeof(struct ipv6hdr);
unsigned int packet_len = skb_tail_pointer(skb) -
skb_network_header(skb);
int found_rhdr = 0;
@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
while (offset <= packet_len) {
struct ipv6_opt_hdr *exthdr;
+ unsigned int len;
switch (**nexthdr) {
@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
offset);
- offset += ipv6_optlen(exthdr);
+ len = ipv6_optlen(exthdr);
+ if (len + offset >= IPV6_MAXPLEN)
+ return -EINVAL;
+ offset += len;
*nexthdr = &exthdr->nexthdr;
}
--
2.11.0
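Review bot: the third hunk of the deleted patch adds a "return -EINVAL" path to ip6_find_1stfragopt(), and none of the hunks shown touch a caller, so before relying on 4.12.6 in place of this file it is worth confirming that every caller in the new tree treats a negative return as an error rather than as a header length. The deletion itself is consistent with the changelog, which lists the same subject with CVE-2017-7542 under ChangeLog-4.12.6; a quick check that the upstream tree contains the Origin commit 6399f1fae4ec29fab5ec76070435555e256ca3a6 would close the loop.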


@ -1,77 +0,0 @@
From: Steven Toth <stoth@kernellabs.com>
Date: Tue, 6 Jun 2017 09:30:27 -0300
Subject: [media] saa7164: fix double fetch PCIe access condition
Origin: https://git.kernel.org/linus/6fb05e0dd32e566facb96ea61a48c7488daa5ac3
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8831
Avoid a double fetch by reusing the values from the prior transfer.
Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
Thanks to Pengfei Wang <wpengfeinudt@gmail.com> for reporting.
Signed-off-by: Steven Toth <stoth@kernellabs.com>
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
---
drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
index b2ff82fa7116..ecfeac5cdbed 100644
--- a/drivers/media/pci/saa7164/saa7164-bus.c
+++ b/drivers/media/pci/saa7164/saa7164-bus.c
@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
+ memcpy(msg, &msg_tmp, sizeof(*msg));
/* No need to update the read positions, because this was a peek */
/* If the caller specifically want to peek, return */
if (peekonly) {
- memcpy(msg, &msg_tmp, sizeof(*msg));
goto peekout;
}
@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
space_rem = bus->m_dwSizeGetRing - curr_grp;
if (space_rem < sizeof(*msg)) {
- /* msg wraps around the ring */
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
- sizeof(*msg) - space_rem);
if (buf)
memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
space_rem, buf_size);
} else if (space_rem == sizeof(*msg)) {
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
if (buf)
memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
} else {
/* Additional data wraps around the ring */
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
if (buf) {
memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
sizeof(*msg), space_rem - sizeof(*msg));
@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
} else {
/* No wrapping */
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
if (buf)
memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
buf_size);
}
- /* Convert from little endian to CPU */
- msg->size = le16_to_cpu((__force __le16)msg->size);
- msg->command = le32_to_cpu((__force __le32)msg->command);
- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
/* Update the read positions, adjusting the ring */
saa7164_writel(bus->m_dwGetReadPos, new_grp);
--
2.11.0
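Review bot: in the deleted saa7164 patch, the first hunk copies msg_tmp into msg after the le16_to_cpu/le32_to_cpu conversions, so the removal of the trailing "Convert from little endian to CPU" block in the last hunk is required rather than cosmetic: keeping it would convert the fields a second time. When confirming that 4.12.6 supersedes this file, verify both halves landed together, and that all four memcpy_fromio(msg, ...) re-reads from the ring are gone, since any one left in place reintroduces the second fetch of the header. The changelog lists the fix with CVE-2017-8831 under ChangeLog-4.12.6, which matches this deletion.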


@ -119,8 +119,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
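Review bot: the two series entries dropped under "# Security fixes" (the ipv6 ip6_find_1stfragopt and saa7164 patches) need to match exactly the two patch files deleted in this commit, since a series line without its file, or a file without its line, breaks or silently skips the patch at build time. They do match here. The remaining packet-fix-tp_reserve-race-in-packet_set_ring.patch and udp-consistently-apply-ufo-or-fragmentation.patch entries should be re-tested for clean application on top of 4.12.6, as the net/ code they touch is changed by several entries in the new upstream list.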