diff --git a/debian/changelog b/debian/changelog
index ce0260ca7..201946fdb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,141 @@
-linux (4.9.13-2) UNRELEASED; urgency=medium
+linux (4.9.14-1) UNRELEASED; urgency=medium
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.14
+ - [mips*] Fix special case in 64 bit IP checksumming.
+ - [mips*/octeon] Fix copy_from_user fault handling for large buffers
+ - mmc: sdhci-acpi: support deferred probe
+ - uvcvideo: Fix a wrong macro
+ - media: fix dm1105.c build error
+ - lirc_dev: LIRC_{G,S}ET_REC_MODE do not work
+ - media: Properly pass through media entity types in entity enumeration
+ - ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
+ - [x86] ALSA: hda/realtek - Cannot adjust speaker's volume on a Dell AIO
+ - [x86] ALSA: hda - fix Lewisburg audio issue
+ - ALSA: timer: Reject user params with too small ticks
+ - ALSA: ctxfi: Fallback DMA mask to 32bit
+ - ALSA: seq: Fix link corruption by event error handling
+ - [x86] ALSA: hda - Add subwoofer support for Dell Inspiron 17 7000 Gaming
+ - [x86] ALSA: hda - Fix micmute hotkey problem for a lenovo AIO machine
+ - hwmon: (it87) Do not overwrite bit 2..6 of pwm control registers
+ - hwmon: (it87) Ensure that pwm control cache is current before updating
+ values
+ - [x86] staging/lustre/lnet: Fix allocation size for sv_cpt_data
+ - staging: rtl: fix possible NULL pointer dereference
+ - regulator: Fix regulator_summary for deviceless consumers
+ - tpm_tis: fix the error handling of init_tis()
+ - [x86] iommu/vt-d: Fix some macros that are incorrectly specified in
+ intel-iommu
+ - [x86] iommu/vt-d: Tylersburg isoch identity map check is done too late.
+ - CIFS: Fix splice read for non-cached files
+ - [x86] mm, devm_memremap_pages: hold device_hotplug lock over
+ mem_hotplug_{begin, done}
+ - mm/page_alloc: fix nodes for reclaim in fast path
+ - mm: vmpressure: fix sending wrong events on underflow
+ - mm: do not access page->mapping directly on page_endio
+ - mm balloon: umount balloon_mnt when removing vb device
+ - mm, vmscan: cleanup lru size claculations
+ - mm, vmscan: consider eligible zones in get_scan_count
+ - sigaltstack: support SS_AUTODISARM for CONFIG_COMPAT
+ - PM / devfreq: Fix available_governor sysfs
+ - PM / devfreq: Fix wrong trans_stat of passive devfreq device
+ - dm cache: fix corruption seen when using cache > 2TB
+ - dm stats: fix a leaked s->histogram_boundaries array
+ - dm round robin: revert "use percpu 'repeat_count' and 'current_path'"
+ - dm raid: fix data corruption on reshape request
+ - [x86] scsi: storvsc: use tagged SRB requests if supported by the device
+ - [x86] scsi: storvsc: properly handle SRB_ERROR when sense message is
+ present
+ - [x86] scsi: storvsc: properly set residual data length on errors
+ - scsi: aacraid: Reorder Adapter status check
+ - scsi: use 'scsi_device_from_queue()' for scsi_dh
+ - Fix: Disable sys_membarrier when nohz_full is enabled
+ - jbd2: don't leak modified metadata buffers on an aborted journal
+ - block/loop: fix race between I/O and set_status
+ - loop: fix LO_FLAGS_PARTSCAN hang
+ - ext4: Include forgotten start block on fallocate insert range
+ - ext4: do not polute the extents cache while shifting extents
+ - ext4: trim allocation requests to group size
+ - ext4: fix data corruption in data=journal mode
+ - ext4: fix use-after-iput when fscrypt contexts are inconsistent
+ - ext4: fix inline data error paths
+ - ext4: preserve the needs_recovery flag when the journal is aborted
+ - ext4: return EROFS if device is r/o and journal replay is needed
+ - mei: remove support for broken parallel read
+ - ath10k: fix boot failure in UTF mode/testmode
+ - ath5k: drop bogus warning on drv_set_key with unsupported cipher
+ - ath9k: fix race condition in enabling/disabling IRQs
+ - ath9k: use correct OTP register offsets for the AR9340 and AR9550
+ - [x86] PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
+ - [x86] Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
+ - perf callchain: Reference count maps
+ - crypto: testmgr - Pad aes_ccm_enc_tv_template vector
+ - fuse: add missing FR_FORCE
+ - [x86] pkeys: Check against max pkey to avoid overflows
+ - [armhf,arm64] KVM: Enforce unconditional flush to PoC when mapping to
+ stage-2
+ - [arm64] dma-mapping: Fix dma_mapping_error() when bypassing SWIOTLB
+ - [arm64] fix erroneous __raw_read_system_reg() cases
+ - [armhf,arm64] KVM: vgic: Stop injecting the MSI occurrence twice
+ - can: gs_usb: Don't use stack memory for USB transfers
+ - can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
+ - w1: don't leak refcount on slave attach failure in
+ w1_attach_slave_device()
+ - w1: ds2490: USB transfer buffers need to be DMAable
+ - usb: dwc3: gadget: skip Set/Clear Halt when invalid
+ - usb: host: xhci: plat: check hcc_params after add hcd
+ - usb: gadget: udc-core: Rescan pending list on driver unbind
+ - usb: gadget: f_hid: fix: Free out requests
+ - usb: gadget: f_hid: fix: Prevent accessing released memory
+ - usb: gadget: f_hid: Use spinlock instead of mutex
+ - [x86] hv: allocate synic pages for all present CPUs
+ - [x86] hv: init percpu_list in hv_synic_alloc()
+ - [x86] hv: don't reset hv_context.tsc_page on crash
+ - [x86] Drivers: hv: vmbus: Prevent sending data on a rescinded channel
+ - [x86] Drivers: hv: vmbus: Fix a rescind handling bug
+ - [x86] Drivers: hv: util: kvp: Fix a rescind processing issue
+ - [x86] Drivers: hv: util: Fcopy: Fix a rescind processing issue
+ - [x86] Drivers: hv: util: Backup: Fix a rescind processing issue
+ - RDMA/core: Fix incorrect structure packing for booleans
+ - rdma_cm: fail iwarp accepts w/o connection params
+ - gfs2: Add missing rcu locking for glock lookup
+ - [arm64] remoteproc: qcom: mdt_loader: Don't overwrite firmware object
+ - rtlwifi: Fix alignment issues
+ - rtlwifi: rtl8192c-common: Fix "BUG: KASAN:
+ - [m68k] VME: restore bus_remove function causing incomplete module unload
+ - nfsd: minor nfsd_setattr cleanup
+ - nfsd: special case truncates some more
+ - NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
+ - NFSv4: Fix reboot recovery in copy offload
+ - pNFS/flexfiles: If the layout is invalid, it must be updated before
+ retrying
+ - NFSv4: fix getacl head length estimation
+ - NFSv4: fix getacl ERANGE for some ACL buffer sizes
+ - f2fs: fix a problem of using memory after free
+ - f2fs: fix multiple f2fs_add_link() calls having same name
+ - f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
+ - f2fs: avoid to issue redundant discard commands
+ - [armhf] rtc: sun6i: Disable the build as a module
+ - [armhf] rtc: sun6i: Add some locking
+ - [armhf] rtc: sun6i: Switch to the external oscillator
+ - md linear: fix a race between linear_add() and linear_congested()
+ - bcma: use (get|put)_device when probing/removing device driver
+ - [armhf] dmaengine: ipu: Make sure the interrupt routine checks all
+ interrupts.
+ - xprtrdma: Fix Read chunk padding + - xprtrdma: Per-connection pad optimization + - xprtrdma: Disable pad optimization by default + - xprtrdma: Reduce required number of send SGEs + - [powerpc*] xmon: Fix data-breakpoint + - [powerpc*] mm: Add MMU_FTR_KERNEL_RO to possible feature mask + - [powerpc*] mm/hash: Always clear UPRT and Host Radix bits when setting up + CPU + - scsi: lpfc: Correct WQ creation for pagesize + - ceph: update readpages osd request according to size of pages + - netfilter: conntrack: remove GC_MAX_EVICTS break + - netfilter: conntrack: refine gc worker heuristics, redux + + [ Ben Hutchings ] * [media] dvb-usb: don't use stack for firmware load or reset (Closes: #853894) * Kbuild.include: addtree: Remove quotes before matching path diff --git a/debian/config/defines b/debian/config/defines index 427b5a143..40ef45fcb 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -2,6 +2,7 @@ abiname: 2 ignore-changes: __cpuhp_* + module:drivers/hv/* module:drivers/iio/common/st_sensors/** module:drivers/net/wireless/** module:drivers/power/supply/bq27xxx_battery @@ -14,6 +15,12 @@ ignore-changes: # Exported for related protocols only can_rx_register ip6_xmit +# devfreq is unlikely to be useful for OOT modules + devfreq_* + devm_devfreq_* + update_devfreq +# Assume IB drivers are added/updated through OFED, which also updates IB core + module:drivers/infiniband/** [base] arches: diff --git a/debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch b/debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch deleted file mode 100644 index bed67eee4..000000000 --- a/debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch +++ /dev/null 
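Review bot: The `module:drivers/hv/*` entry added to ignore-changes in the first debian/config/defines hunk carries no rationale, while every entry added in the following hunk is preceded by a comment. An ignore entry suppresses the ABI check for that path for as long as the abiname stays at 2, so the reason it is considered safe should sit next to it, for example a line `# <reason Hyper-V driver ABI changes can be ignored>` directly above the entry. The entry also uses a single `*` where the neighbouring module entries use `**`; if that difference is deliberate, the comment is the place to say so.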
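Review bot: In the second debian/config/defines hunk, `module:drivers/infiniband/**` turns off ABI checking for the whole InfiniBand tree on the strength of the assumption written in its comment, and `devfreq_*` / `devm_devfreq_*` are prefix wildcards rather than the specific symbols that changed in this update. As far as the diff shows, these entries stay in effect for every later upload with abiname 2, so an unrelated future change under those names would pass the check unnoticed. Consider naming the changed devfreq symbols explicitly, as `update_devfreq` already is, and extending the IB comment to record when the entry can go, e.g. `# ... drop at the next abiname bump`.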
@@ -1,70 +0,0 @@ -From: Davidlohr Bueso -Date: Thu, 23 Feb 2017 11:41:32 +1100 -Subject: ipc/shm: Fix shmat mmap nil-page protection -Origin: https://marc.info/?l=linux-mm&m=148605021927245&w=2 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5669 - -The issue is described here, with a nice testcase: - - https://bugzilla.kernel.org/show_bug.cgi?id=192931 - -The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and the -address rounded down to 0. For the regular mmap case, the protection -mentioned above is that the kernel gets to generate the address -- -arch_get_unmapped_area() will always check for MAP_FIXED and return that -address. So by the time we do security_mmap_addr(0) things get funky for -shmat(). - -The testcase itself shows that while a regular user crashes, root will not -have a problem attaching a nil-page. There are two possible fixes to -this. The first, and which this patch does, is to simply allow root to -crash as well -- this is also regular mmap behavior, ie when hacking up -the testcase and adding mmap(... |MAP_FIXED). While this approach is the -safer option, the second alternative is to ignore SHM_RND if the rounded -address is 0, thus only having MAP_SHARED flags. This makes the behavior -of shmat() identical to the mmap() case. The downside of this is -obviously user visible, but does make sense in that it maintains semantics -after the round-down wrt 0 address and mmap. - -Passes shm related ltp tests. - -Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net -Signed-off-by: Davidlohr Bueso -Reported-by: Gareth Evans -Cc: Manfred Spraul -Cc: Michael Kerrisk -Cc: -Signed-off-by: Andrew Morton ---- - ipc/shm.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - ---- a/ipc/shm.c -+++ b/ipc/shm.c -@@ -1085,8 +1085,8 @@ out_unlock1: - * "raddr" thing points to kernel space, and there has to be a wrapper around - * this. 
- */ --long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, -- unsigned long shmlba) -+long do_shmat(int shmid, char __user *shmaddr, int shmflg, -+ ulong *raddr, unsigned long shmlba) - { - struct shmid_kernel *shp; - unsigned long addr; -@@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user *sh - goto out; - else if ((addr = (ulong)shmaddr)) { - if (addr & (shmlba - 1)) { -- if (shmflg & SHM_RND) -- addr &= ~(shmlba - 1); /* round down */ -+ /* -+ * Round down to the nearest multiple of shmlba. -+ * For sane do_mmap_pgoff() parameters, avoid -+ * round downs that trigger nil-page and MAP_FIXED. -+ */ -+ if ((shmflg & SHM_RND) && addr >= shmlba) -+ addr &= ~(shmlba - 1); - else - #ifndef __ARCH_FORCE_SHMLBA - if (addr & ~PAGE_MASK) diff --git a/debian/patches/series b/debian/patches/series index c4eb8a9ec..f25eebea8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -112,7 +112,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch -bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch debian/time-mark-timer_stats-as-broken.patch bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch