Update to 4.12.6
parent
5bc71d3ff6
commit
e58e3e6be9
|
@ -1,4 +1,4 @@
|
|||
linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
|
||||
linux (4.12.6-1~exp1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.3
|
||||
|
@ -250,6 +250,119 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
|
|||
- ipmi/watchdog: fix watchdog timeout set on reboot
|
||||
- dentry name snapshots (CVE-2017-7533)
|
||||
- mmc: tmio-mmc: fix bad pointer math
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.6
|
||||
- [hppa/parisc] Increase thread and stack size to 32kb
|
||||
- [hppa/parisc] Handle vma's whose context is not current in
|
||||
flush_cache_range
|
||||
- scsi: lpfc: fix linking against modular NVMe support
|
||||
- ACPI / LPSS: Only call pwm_add_table() for the first PWM controller
|
||||
- cgroup: don't call migration methods if there are no tasks to migrate
|
||||
- cgroup: create dfl_root files on subsys registration
|
||||
- cgroup: fix error return value from cgroup_subtree_control()
|
||||
- libata: array underflow in ata_find_dev()
|
||||
- workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
|
||||
- iwlwifi: dvm: prevent an out of bounds access
|
||||
- brcmfmac: fix memleak due to calling brcmf_sdiod_sgtable_alloc() twice
|
||||
- NFSv4: Fix EXCHANGE_ID corrupt verifier issue
|
||||
- mmc: sdhci-of-at91: force card detect value for non removable devices
|
||||
- mmc: core: Use device_property_read instead of of_property_read
|
||||
- mmc: dw_mmc: Use device_property_read instead of of_property_read
|
||||
- mm, mprotect: flush TLB if potentially racing with a parallel reclaim
|
||||
leaving stale TLB entries
|
||||
- mm/hugetlb.c: __get_user_pages ignores certain follow_hugetlb_page
|
||||
errors
|
||||
- userfaultfd: non-cooperative: notify about unmap of destination during
|
||||
mremap
|
||||
- userfaultfd_zeropage: return -ENOSPC in case mm has gone
|
||||
- userfaultfd: non-cooperative: flush event_wqh at release time
|
||||
- cpuset: fix a deadlock due to incomplete patching of cpusets_enabled()
|
||||
- ocfs2: don't clear SGID when inheriting ACLs
|
||||
- ALSA: hda - Fix speaker output from VAIO VPCL14M1R
|
||||
- [x86] drm/amdgpu: fix header on gfx9 clear state
|
||||
- [x86] drm/amdgpu: Fix undue fallthroughs in golden registers
|
||||
initialization
|
||||
- ASoC: fix pcm-creation regression
|
||||
- ASoC: ux500: Restore platform DAI assignments
|
||||
- ASoC: do not close shared backend dailink
|
||||
- KVM: arm/arm64: Handle hva aging while destroying the vm
|
||||
- KVM: async_pf: make rcu irq exit if not triggered from idle task
|
||||
- timers: Fix overflow in get_next_timer_interrupt
|
||||
- [powerpc*] tm: Fix saving of TM SPRs in core dump
|
||||
- [powerpc/powerpc64] Fix __check_irq_replay missing decrementer interrupt
|
||||
- iommu/amd: Enable ga_log_intr when enabling guest_mode
|
||||
- [arm64] dts: marvell: armada-37xx: Fix the number of GPIO on south bridge
|
||||
- gpiolib: skip unwanted events, don't convert them to opposite edge
|
||||
- ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
|
||||
- ext4: fix overflow caused by missing cast in ext4_resize_fs()
|
||||
- [mips*] ralink: Fix build error due to missing header
|
||||
- clk: sunxi-ng: sun5i: Add clk_set_rate_parent to the CPU clock
|
||||
- ARM: mvebu: use __pa_symbol in the mv98dx3236 platform SMP code
|
||||
- ARM: dts: armada-38x: Fix irq type for pca955
|
||||
- ARM: dts: tango4: Request RGMII RX and TX clock delays
|
||||
- media: pulse8-cec: persistent_config should be off by default
|
||||
- media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds
|
||||
- media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS
|
||||
ioctl
|
||||
- ir-spi: Fix issues with lirc API
|
||||
- tcmu: Fix flushing cmd entry dcache page
|
||||
- tcmu: Fix possbile memory leak / OOPs when recalculating cmd base size
|
||||
- ext4: preserve i_mode if __ext4_set_acl() fails
|
||||
- ext4: Don't clear SGID when inheriting ACLs
|
||||
- Btrfs: fix early ENOSPC due to delalloc
|
||||
- blk-mq: Include all present CPUs in the default queue mapping
|
||||
- blk-mq: Create hctx for each present CPU
|
||||
- block: disable runtime-pm for blk-mq
|
||||
- saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
|
||||
- sctp: fix an array overflow when all ext chunks are set
|
||||
- tcp_bbr: cut pacing rate only if filled pipe
|
||||
- tcp_bbr: introduce bbr_bw_to_pacing_rate() helper
|
||||
- tcp_bbr: introduce bbr_init_pacing_rate_from_rtt() helper
|
||||
- tcp_bbr: remove sk_pacing_rate=0 transient during init
|
||||
- tcp_bbr: init pacing rate on first RTT sample
|
||||
- ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check()
|
||||
- wireless: wext: terminate ifr name coming from userspace
|
||||
- net: Zero terminate ifr_name in dev_ifname().
|
||||
- net: dsa: mv88e6xxx: Enable CMODE config support for 6390X
|
||||
- Revert "rtnetlink: Do not generate notifications for CHANGEADDR event"
|
||||
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
|
||||
- net: dsa: b53: Add missing ARL entries for BCM53125
|
||||
- ipv4: initialize fib_trie prior to register_netdev_notifier call.
|
||||
- rtnetlink: allocate more memory for dev_set_mac_address()
|
||||
- net: bonding: Fix transmit load balancing in balance-alb mode
|
||||
- mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled
|
||||
- openvswitch: fix potential out of bound access in parse_ct
|
||||
- packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
|
||||
- ipv6: Don't increase IPSTATS_MIB_FRAGFAILS twice in ip6_fragment()
|
||||
- net: ethernet: nb8800: Handle all 4 RGMII modes identically
|
||||
- bonding: commit link status change after propose
|
||||
- dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly
|
||||
- dccp: fix a memleak that dccp_ipv4 doesn't put reqsk properly
|
||||
- dccp: fix a memleak for dccp_feat_init err process
|
||||
- net/mlx5: Consider tx_enabled in all modes on remap
|
||||
- net/mlx5: Fix command completion after timeout access invalid structure
|
||||
- net/mlx5: Fix command bad flow on command entry allocation failure
|
||||
- sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
|
||||
- sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
|
||||
- net/mlx5e: IPoIB, Modify add/remove underlay QPN flows
|
||||
- net/mlx5e: Fix outer_header_zero() check size
|
||||
- net/mlx5: Fix mlx5_ifc_mtpps_reg_bits structure size
|
||||
- net/mlx5e: Add field select to MTPPS register
|
||||
- net/mlx5e: Fix broken disable 1PPS flow
|
||||
- net/mlx5e: Change 1PPS out scheme
|
||||
- net/mlx5e: Add missing support for PTP_CLK_REQ_PPS request
|
||||
- net/mlx5e: Fix wrong delay calculation for overflow check scheduling
|
||||
- net/mlx5e: Schedule overflow check work to mlx5e workqueue
|
||||
- net/mlx5: Fix mlx5_add_flow_rules call with correct num of dests
|
||||
- udp6: fix socket leak on early demux
|
||||
- net: phy: Correctly process PHY_HALTED in phy_stop_machine()
|
||||
- workqueue: implicit ordered attribute should be overridable
|
||||
- ipv4: fib: Fix NULL pointer deref during fib_sync_down_dev()
|
||||
- virtio_net: fix truesize for mergeable buffers
|
||||
- [sparc64] Measure receiver forward progress to avoid send mondo timeout
|
||||
- [sparc64] Prevent perf from running during super critical sections
|
||||
- [sparc64] Register hugepages during arch init
|
||||
- [sparc64] Fix exception handling in UltraSPARC-III memcpy.
|
||||
- drm/vmwgfx: Fix cursor hotspot issue with Wayland on Fedora
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* media: Enable USB_RAINSHADOW_CEC as module (see #868511)
|
||||
|
@ -267,8 +380,6 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
|
|||
linux-headers-*-common* (Closes: #869511)
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
|
||||
* media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
|
||||
* packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
|
||||
* udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
|
||||
|
||||
|
|
|
@ -1,55 +0,0 @@
|
|||
From: Sabrina Dubroca <sd@queasysnail.net>
|
||||
Date: Wed, 19 Jul 2017 22:28:55 +0200
|
||||
Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
|
||||
Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542
|
||||
|
||||
In some cases, offset can overflow and can cause an infinite loop in
|
||||
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
|
||||
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
|
||||
|
||||
This problem has been here since before the beginning of git history.
|
||||
|
||||
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/output_core.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
|
||||
index e9065b8d3af8..abb2c307fbe8 100644
|
||||
--- a/net/ipv6/output_core.c
|
||||
+++ b/net/ipv6/output_core.c
|
||||
@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
|
||||
|
||||
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
|
||||
{
|
||||
- u16 offset = sizeof(struct ipv6hdr);
|
||||
+ unsigned int offset = sizeof(struct ipv6hdr);
|
||||
unsigned int packet_len = skb_tail_pointer(skb) -
|
||||
skb_network_header(skb);
|
||||
int found_rhdr = 0;
|
||||
@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
|
||||
|
||||
while (offset <= packet_len) {
|
||||
struct ipv6_opt_hdr *exthdr;
|
||||
+ unsigned int len;
|
||||
|
||||
switch (**nexthdr) {
|
||||
|
||||
@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
|
||||
|
||||
exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
|
||||
offset);
|
||||
- offset += ipv6_optlen(exthdr);
|
||||
+ len = ipv6_optlen(exthdr);
|
||||
+ if (len + offset >= IPV6_MAXPLEN)
|
||||
+ return -EINVAL;
|
||||
+ offset += len;
|
||||
*nexthdr = &exthdr->nexthdr;
|
||||
}
|
||||
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -1,77 +0,0 @@
|
|||
From: Steven Toth <stoth@kernellabs.com>
|
||||
Date: Tue, 6 Jun 2017 09:30:27 -0300
|
||||
Subject: [media] saa7164: fix double fetch PCIe access condition
|
||||
Origin: https://git.kernel.org/linus/6fb05e0dd32e566facb96ea61a48c7488daa5ac3
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8831
|
||||
|
||||
Avoid a double fetch by reusing the values from the prior transfer.
|
||||
|
||||
Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
|
||||
|
||||
Thanks to Pengfei Wang <wpengfeinudt@gmail.com> for reporting.
|
||||
|
||||
Signed-off-by: Steven Toth <stoth@kernellabs.com>
|
||||
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
||||
---
|
||||
drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
|
||||
1 file changed, 1 insertion(+), 12 deletions(-)
|
||||
|
||||
diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
|
||||
index b2ff82fa7116..ecfeac5cdbed 100644
|
||||
--- a/drivers/media/pci/saa7164/saa7164-bus.c
|
||||
+++ b/drivers/media/pci/saa7164/saa7164-bus.c
|
||||
@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
|
||||
msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
|
||||
msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
|
||||
msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
|
||||
+ memcpy(msg, &msg_tmp, sizeof(*msg));
|
||||
|
||||
/* No need to update the read positions, because this was a peek */
|
||||
/* If the caller specifically want to peek, return */
|
||||
if (peekonly) {
|
||||
- memcpy(msg, &msg_tmp, sizeof(*msg));
|
||||
goto peekout;
|
||||
}
|
||||
|
||||
@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
|
||||
space_rem = bus->m_dwSizeGetRing - curr_grp;
|
||||
|
||||
if (space_rem < sizeof(*msg)) {
|
||||
- /* msg wraps around the ring */
|
||||
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
|
||||
- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
|
||||
- sizeof(*msg) - space_rem);
|
||||
if (buf)
|
||||
memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
|
||||
space_rem, buf_size);
|
||||
|
||||
} else if (space_rem == sizeof(*msg)) {
|
||||
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
|
||||
if (buf)
|
||||
memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
|
||||
} else {
|
||||
/* Additional data wraps around the ring */
|
||||
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
|
||||
if (buf) {
|
||||
memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
|
||||
sizeof(*msg), space_rem - sizeof(*msg));
|
||||
@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
|
||||
|
||||
} else {
|
||||
/* No wrapping */
|
||||
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
|
||||
if (buf)
|
||||
memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
|
||||
buf_size);
|
||||
}
|
||||
- /* Convert from little endian to CPU */
|
||||
- msg->size = le16_to_cpu((__force __le16)msg->size);
|
||||
- msg->command = le32_to_cpu((__force __le32)msg->command);
|
||||
- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
|
||||
|
||||
/* Update the read positions, adjusting the ring */
|
||||
saa7164_writel(bus->m_dwGetReadPos, new_grp);
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -119,8 +119,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
|
||||
bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
|
||||
bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
|
||||
bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
|
||||
|
||||
|
|