Update to 4.9.14
Drop a patch applied upstream. Ignore ABI changes as they shouldn't affect OOT modules.
parent
11d69f4069
commit
f96b366d00
|
@ -1,5 +1,141 @@
|
|||
linux (4.9.13-2) UNRELEASED; urgency=medium
|
||||
linux (4.9.14-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.14
|
||||
- [mips*] Fix special case in 64 bit IP checksumming.
|
||||
- [mips*/octeon] Fix copy_from_user fault handling for large buffers
|
||||
- mmc: sdhci-acpi: support deferred probe
|
||||
- uvcvideo: Fix a wrong macro
|
||||
- media: fix dm1105.c build error
|
||||
- lirc_dev: LIRC_{G,S}ET_REC_MODE do not work
|
||||
- media: Properly pass through media entity types in entity enumeration
|
||||
- ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
|
||||
- [x86] ALSA: hda/realtek - Cannot adjust speaker's volume on a Dell AIO
|
||||
- [x86] ALSA: hda - fix Lewisburg audio issue
|
||||
- ALSA: timer: Reject user params with too small ticks
|
||||
- ALSA: ctxfi: Fallback DMA mask to 32bit
|
||||
- ALSA: seq: Fix link corruption by event error handling
|
||||
- [x86] ALSA: hda - Add subwoofer support for Dell Inspiron 17 7000 Gaming
|
||||
- [x86] ALSA: hda - Fix micmute hotkey problem for a lenovo AIO machine
|
||||
- hwmon: (it87) Do not overwrite bit 2..6 of pwm control registers
|
||||
- hwmon: (it87) Ensure that pwm control cache is current before updating
|
||||
values
|
||||
- [x86] staging/lustre/lnet: Fix allocation size for sv_cpt_data
|
||||
- staging: rtl: fix possible NULL pointer dereference
|
||||
- regulator: Fix regulator_summary for deviceless consumers
|
||||
- tpm_tis: fix the error handling of init_tis()
|
||||
- [x86] iommu/vt-d: Fix some macros that are incorrectly specified in
|
||||
intel-iommu
|
||||
- [x86] iommu/vt-d: Tylersburg isoch identity map check is done too late.
|
||||
- CIFS: Fix splice read for non-cached files
|
||||
- [x86] mm, devm_memremap_pages: hold device_hotplug lock over
|
||||
mem_hotplug_{begin, done}
|
||||
- mm/page_alloc: fix nodes for reclaim in fast path
|
||||
- mm: vmpressure: fix sending wrong events on underflow
|
||||
- mm: do not access page->mapping directly on page_endio
|
||||
- mm balloon: umount balloon_mnt when removing vb device
|
||||
- mm, vmscan: cleanup lru size claculations
|
||||
- mm, vmscan: consider eligible zones in get_scan_count
|
||||
- sigaltstack: support SS_AUTODISARM for CONFIG_COMPAT
|
||||
- PM / devfreq: Fix available_governor sysfs
|
||||
- PM / devfreq: Fix wrong trans_stat of passive devfreq device
|
||||
- dm cache: fix corruption seen when using cache > 2TB
|
||||
- dm stats: fix a leaked s->histogram_boundaries array
|
||||
- dm round robin: revert "use percpu 'repeat_count' and 'current_path'"
|
||||
- dm raid: fix data corruption on reshape request
|
||||
- [x86] scsi: storvsc: use tagged SRB requests if supported by the device
|
||||
- [x86] scsi: storvsc: properly handle SRB_ERROR when sense message is
|
||||
present
|
||||
- [x86] scsi: storvsc: properly set residual data length on errors
|
||||
- scsi: aacraid: Reorder Adapter status check
|
||||
- scsi: use 'scsi_device_from_queue()' for scsi_dh
|
||||
- Fix: Disable sys_membarrier when nohz_full is enabled
|
||||
- jbd2: don't leak modified metadata buffers on an aborted journal
|
||||
- block/loop: fix race between I/O and set_status
|
||||
- loop: fix LO_FLAGS_PARTSCAN hang
|
||||
- ext4: Include forgotten start block on fallocate insert range
|
||||
- ext4: do not polute the extents cache while shifting extents
|
||||
- ext4: trim allocation requests to group size
|
||||
- ext4: fix data corruption in data=journal mode
|
||||
- ext4: fix use-after-iput when fscrypt contexts are inconsistent
|
||||
- ext4: fix inline data error paths
|
||||
- ext4: preserve the needs_recovery flag when the journal is aborted
|
||||
- ext4: return EROFS if device is r/o and journal replay is needed
|
||||
- mei: remove support for broken parallel read
|
||||
- ath10k: fix boot failure in UTF mode/testmode
|
||||
- ath5k: drop bogus warning on drv_set_key with unsupported cipher
|
||||
- ath9k: fix race condition in enabling/disabling IRQs
|
||||
- ath9k: use correct OTP register offsets for the AR9340 and AR9550
|
||||
- [x86] PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
|
||||
- [x86] Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
|
||||
- perf callchain: Reference count maps
|
||||
- crypto: testmgr - Pad aes_ccm_enc_tv_template vector
|
||||
- fuse: add missing FR_FORCE
|
||||
- [x86] pkeys: Check against max pkey to avoid overflows
|
||||
- [armhf,arm64] KVM: Enforce unconditional flush to PoC when mapping to
|
||||
stage-2
|
||||
- [arm64] dma-mapping: Fix dma_mapping_error() when bypassing SWIOTLB
|
||||
- [arm64] fix erroneous __raw_read_system_reg() cases
|
||||
- [armhf,arm64] KVM: vgic: Stop injecting the MSI occurrence twice
|
||||
- can: gs_usb: Don't use stack memory for USB transfers
|
||||
- can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
|
||||
- w1: don't leak refcount on slave attach failure in
|
||||
w1_attach_slave_device()
|
||||
- w1: ds2490: USB transfer buffers need to be DMAable
|
||||
- usb: dwc3: gadget: skip Set/Clear Halt when invalid
|
||||
- usb: host: xhci: plat: check hcc_params after add hcd
|
||||
- usb: gadget: udc-core: Rescan pending list on driver unbind
|
||||
- usb: gadget: f_hid: fix: Free out requests
|
||||
- usb: gadget: f_hid: fix: Prevent accessing released memory
|
||||
- usb: gadget: f_hid: Use spinlock instead of mutex
|
||||
- [x86] hv: allocate synic pages for all present CPUs
|
||||
- [x86] hv: init percpu_list in hv_synic_alloc()
|
||||
- [x86] hv: don't reset hv_context.tsc_page on crash
|
||||
- [x86] Drivers: hv: vmbus: Prevent sending data on a rescinded channel
|
||||
- [x86] Drivers: hv: vmbus: Fix a rescind handling bug
|
||||
- [x86] Drivers: hv: util: kvp: Fix a rescind processing issue
|
||||
- [x86] Drivers: hv: util: Fcopy: Fix a rescind processing issue
|
||||
- [x86] Drivers: hv: util: Backup: Fix a rescind processing issue
|
||||
- RDMA/core: Fix incorrect structure packing for booleans
|
||||
- rdma_cm: fail iwarp accepts w/o connection params
|
||||
- gfs2: Add missing rcu locking for glock lookup
|
||||
- [arm64] remoteproc: qcom: mdt_loader: Don't overwrite firmware object
|
||||
- rtlwifi: Fix alignment issues
|
||||
- rtlwifi: rtl8192c-common: Fix "BUG: KASAN:
|
||||
- [m68k] VME: restore bus_remove function causing incomplete module unload
|
||||
- nfsd: minor nfsd_setattr cleanup
|
||||
- nfsd: special case truncates some more
|
||||
- NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
|
||||
- NFSv4: Fix reboot recovery in copy offload
|
||||
- pNFS/flexfiles: If the layout is invalid, it must be updated before
|
||||
retrying
|
||||
- NFSv4: fix getacl head length estimation
|
||||
- NFSv4: fix getacl ERANGE for some ACL buffer sizes
|
||||
- f2fs: fix a problem of using memory after free
|
||||
- f2fs: fix multiple f2fs_add_link() calls having same name
|
||||
- f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
|
||||
- f2fs: avoid to issue redundant discard commands
|
||||
- [armhf] rtc: sun6i: Disable the build as a module
|
||||
- [armhf] rtc: sun6i: Add some locking
|
||||
- [armhf] rtc: sun6i: Switch to the external oscillator
|
||||
- md linear: fix a race between linear_add() and linear_congested()
|
||||
- bcma: use (get|put)_device when probing/removing device driver
|
||||
- [armhf] dmaengine: ipu: Make sure the interrupt routine checks all
|
||||
interrupts.
|
||||
- xprtrdma: Fix Read chunk padding
|
||||
- xprtrdma: Per-connection pad optimization
|
||||
- xprtrdma: Disable pad optimization by default
|
||||
- xprtrdma: Reduce required number of send SGEs
|
||||
- [powerpc*] xmon: Fix data-breakpoint
|
||||
- [powerpc*] mm: Add MMU_FTR_KERNEL_RO to possible feature mask
|
||||
- [powerpc*] mm/hash: Always clear UPRT and Host Radix bits when setting up
|
||||
CPU
|
||||
- scsi: lpfc: Correct WQ creation for pagesize
|
||||
- ceph: update readpages osd request according to size of pages
|
||||
- netfilter: conntrack: remove GC_MAX_EVICTS break
|
||||
- netfilter: conntrack: refine gc worker heuristics, redux
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [media] dvb-usb: don't use stack for firmware load or reset
|
||||
(Closes: #853894)
|
||||
* Kbuild.include: addtree: Remove quotes before matching path
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
abiname: 2
|
||||
ignore-changes:
|
||||
__cpuhp_*
|
||||
module:drivers/hv/*
|
||||
module:drivers/iio/common/st_sensors/**
|
||||
module:drivers/net/wireless/**
|
||||
module:drivers/power/supply/bq27xxx_battery
|
||||
|
@ -14,6 +15,12 @@ ignore-changes:
|
|||
# Exported for related protocols only
|
||||
can_rx_register
|
||||
ip6_xmit
|
||||
# devfreq is unlikely to be useful for OOT modules
|
||||
devfreq_*
|
||||
devm_devfreq_*
|
||||
update_devfreq
|
||||
# Assume IB drivers are added/updated through OFED, which also updates IB core
|
||||
module:drivers/infiniband/**
|
||||
|
||||
[base]
|
||||
arches:
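Review bot: The `module:drivers/hv/*` entry near the top of the ignore-changes list has no comment explaining why it is safe to ignore, unlike the devfreq and infiniband entries in the second hunk, which each state the assumption they rest on; that this is the line the first hunk added is inferred, because the page has lost its +/- markers. If the reasoning is the one given in the commit description, a comment above it such as `# Hyper-V bus drivers are not expected to be built out of tree` would record it next to the entry. The globs `devfreq_*` and `module:drivers/infiniband/**` are broad and will keep silencing the ABI check for later changes under those names while abiname stays at 2. The changelog on this page lists `RDMA/core: Fix incorrect structure packing for booleans`, which reads like a structure layout change, so an out-of-tree IB module built against the older headers would get no warning from the check if the OFED assumption does not hold. Consider listing only the symbols that changed, or adding a note that these entries are to be dropped at the next ABI bump.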
|
||||
|
|
|
@ -1,70 +0,0 @@
|
|||
From: Davidlohr Bueso <dave@stgolabs.net>
|
||||
Date: Thu, 23 Feb 2017 11:41:32 +1100
|
||||
Subject: ipc/shm: Fix shmat mmap nil-page protection
|
||||
Origin: https://marc.info/?l=linux-mm&m=148605021927245&w=2
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5669
|
||||
|
||||
The issue is described here, with a nice testcase:
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=192931
|
||||
|
||||
The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and the
|
||||
address rounded down to 0. For the regular mmap case, the protection
|
||||
mentioned above is that the kernel gets to generate the address --
|
||||
arch_get_unmapped_area() will always check for MAP_FIXED and return that
|
||||
address. So by the time we do security_mmap_addr(0) things get funky for
|
||||
shmat().
|
||||
|
||||
The testcase itself shows that while a regular user crashes, root will not
|
||||
have a problem attaching a nil-page. There are two possible fixes to
|
||||
this. The first, and which this patch does, is to simply allow root to
|
||||
crash as well -- this is also regular mmap behavior, ie when hacking up
|
||||
the testcase and adding mmap(... |MAP_FIXED). While this approach is the
|
||||
safer option, the second alternative is to ignore SHM_RND if the rounded
|
||||
address is 0, thus only having MAP_SHARED flags. This makes the behavior
|
||||
of shmat() identical to the mmap() case. The downside of this is
|
||||
obviously user visible, but does make sense in that it maintains semantics
|
||||
after the round-down wrt 0 address and mmap.
|
||||
|
||||
Passes shm related ltp tests.
|
||||
|
||||
Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
|
||||
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
|
||||
Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
|
||||
Cc: Manfred Spraul <manfred@colorfullife.com>
|
||||
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
ipc/shm.c | 13 +++++++++----
|
||||
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/ipc/shm.c
|
||||
+++ b/ipc/shm.c
|
||||
@@ -1085,8 +1085,8 @@ out_unlock1:
|
||||
* "raddr" thing points to kernel space, and there has to be a wrapper around
|
||||
* this.
|
||||
*/
|
||||
-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
|
||||
- unsigned long shmlba)
|
||||
+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
|
||||
+ ulong *raddr, unsigned long shmlba)
|
||||
{
|
||||
struct shmid_kernel *shp;
|
||||
unsigned long addr;
|
||||
@@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user *sh
|
||||
goto out;
|
||||
else if ((addr = (ulong)shmaddr)) {
|
||||
if (addr & (shmlba - 1)) {
|
||||
- if (shmflg & SHM_RND)
|
||||
- addr &= ~(shmlba - 1); /* round down */
|
||||
+ /*
|
||||
+ * Round down to the nearest multiple of shmlba.
|
||||
+ * For sane do_mmap_pgoff() parameters, avoid
|
||||
+ * round downs that trigger nil-page and MAP_FIXED.
|
||||
+ */
|
||||
+ if ((shmflg & SHM_RND) && addr >= shmlba)
|
||||
+ addr &= ~(shmlba - 1);
|
||||
else
|
||||
#ifndef __ARCH_FORCE_SHMLBA
|
||||
if (addr & ~PAGE_MASK)
|
|
@ -112,7 +112,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
|
||||
bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
|
||||
debian/time-mark-timer_stats-as-broken.patch
|
||||
bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
|
||||
bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch
|
||||
|
|