Update to 4.19.13
Drop iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch Drop usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch Add bug closer for #917569 Clean up debian/changelog file
parent
f8450c79c8
commit
fae8df0f68
|
@ -1,4 +1,52 @@
|
|||
linux (4.19.12-2) UNRELEASED; urgency=medium
|
||||
linux (4.19.13-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.13
|
||||
- Revert "vfs: Allow userns root to call mknod on owned filesystems."
|
||||
- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
|
||||
(CVE-2018-19985)
|
||||
- xhci: Don't prevent USB2 bus suspend in state check intended for USB3
|
||||
only
|
||||
- USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd
|
||||
- USB: serial: option: add GosunCn ZTE WeLink ME3630
|
||||
- USB: serial: option: add HP lt4132
|
||||
- USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
|
||||
- USB: serial: option: add Fibocom NL668 series
|
||||
- USB: serial: option: add Telit LN940 series
|
||||
- ubifs: Handle re-linking of inodes correctly while recovery
|
||||
- scsi: t10-pi: Return correct ref tag when queue has no integrity profile
|
||||
- scsi: sd: use mempool for discard special page
|
||||
- mmc: core: Reset HPI enabled state during re-init and in case of errors
|
||||
- mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
|
||||
- mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
|
||||
- [armhf] mmc: omap_hsmmc: fix DMA API warning
|
||||
- gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers
|
||||
- posix-timers: Fix division by zero bug
|
||||
- [x86] KVM: Fix NULL deref in vcpu_scan_ioapic
|
||||
- [x86] kvm: Add AMD's EX_CFG to the list of ignored MSRs
|
||||
- [x86] KVM: Fix UAF in nested posted interrupt processing
|
||||
- [x86] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened
|
||||
channels
|
||||
- futex: Cure exit race
|
||||
- [x86] mtrr: Don't copy uninitialized gentry fields back to userspace
|
||||
- [x86] mm: Fix decoy address handling vs 32-bit builds (Closes: #917569)
|
||||
- [x86] vdso: Pass --eh-frame-hdr to the linker
|
||||
- panic: avoid deadlocks in re-entrant console drivers
|
||||
- mm: add mm_pxd_folded checks to pgtable_bytes accounting functions
|
||||
- mm: make the __PAGETABLE_PxD_FOLDED defines non-empty
|
||||
- mm: introduce mm_[p4d|pud|pmd]_folded
|
||||
- xfrm_user: fix freeing of xfrm states on acquire
|
||||
- rtlwifi: Fix leak of skb when processing C2H_BT_INFO
|
||||
- iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares
|
||||
- Revert "mwifiex: restructure rx_reorder_tbl_lock usage"
|
||||
- iwlwifi: add new cards for 9560, 9462, 9461 and killer series
|
||||
- mm, memory_hotplug: initialize struct pages for the full memory section
|
||||
- mm: thp: fix flags for pmd migration when split
|
||||
- mm, page_alloc: fix has_unmovable_pages for HugePages
|
||||
- mm: don't miss the last page because of round-off error
|
||||
- Input: elantech - disable elan-i2c for P52 and P72
|
||||
- proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
|
||||
- drm/ioctl: Fix Spectre v1 vulnerabilities
|
||||
|
||||
[ Uwe Kleine-König ]
|
||||
* [armhf] enable some kconfig items for Allwinner SoCs (SUNXI_CCU=y,
|
||||
|
@ -17,10 +65,6 @@ linux (4.19.12-2) UNRELEASED; urgency=medium
|
|||
* Fix pycodestyle "line break after binary operator" warnings
|
||||
* Fix pycodestyle "inalid escape sequence" warnings
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
|
||||
(CVE-2018-19985)
|
||||
|
||||
[ Romain Perier ]
|
||||
* [rt] Update to 4.19.10-rt8
|
||||
|
||||
|
|
|
@ -1,111 +0,0 @@
|
|||
From: Dave Chinner <dchinner@redhat.com>
|
||||
Date: Thu, 20 Dec 2018 23:23:24 +1100
|
||||
Subject: iomap: Revert "fs/iomap.c: get/put the page in
|
||||
iomap_page_create/release()"
|
||||
Origin: https://git.kernel.org/linus/a837eca2412051628c0529768c9bc4f3580b040e
|
||||
|
||||
This reverts commit 61c6de667263184125d5ca75e894fcad632b0dd3.
|
||||
|
||||
The reverted commit added page reference counting to iomap page
|
||||
structures that are used to track block size < page size state. This
|
||||
was supposed to align the code with page migration page accounting
|
||||
assumptions, but what it has done instead is break XFS filesystems.
|
||||
Every fstests run I've done on sub-page block size XFS filesystems
|
||||
has since picking up this commit 2 days ago has failed with bad page
|
||||
state errors such as:
|
||||
|
||||
# ./run_check.sh "-m rmapbt=1,reflink=1 -i sparse=1 -b size=1k" "generic/038"
|
||||
....
|
||||
SECTION -- xfs
|
||||
FSTYP -- xfs (debug)
|
||||
PLATFORM -- Linux/x86_64 test1 4.20.0-rc6-dgc+
|
||||
MKFS_OPTIONS -- -f -m rmapbt=1,reflink=1 -i sparse=1 -b size=1k /dev/sdc
|
||||
MOUNT_OPTIONS -- /dev/sdc /mnt/scratch
|
||||
|
||||
generic/038 454s ...
|
||||
run fstests generic/038 at 2018-12-20 18:43:05
|
||||
XFS (sdc): Unmounting Filesystem
|
||||
XFS (sdc): Mounting V5 Filesystem
|
||||
XFS (sdc): Ending clean mount
|
||||
BUG: Bad page state in process kswapd0 pfn:3a7fa
|
||||
page:ffffea0000ccbeb0 count:0 mapcount:0 mapping:ffff88800d9b6360 index:0x1
|
||||
flags: 0xfffffc0000000()
|
||||
raw: 000fffffc0000000 dead000000000100 dead000000000200 ffff88800d9b6360
|
||||
raw: 0000000000000001 0000000000000000 00000000ffffffff
|
||||
page dumped because: non-NULL mapping
|
||||
CPU: 0 PID: 676 Comm: kswapd0 Not tainted 4.20.0-rc6-dgc+ #915
|
||||
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
|
||||
Call Trace:
|
||||
dump_stack+0x67/0x90
|
||||
bad_page.cold.116+0x8a/0xbd
|
||||
free_pcppages_bulk+0x4bf/0x6a0
|
||||
free_unref_page_list+0x10f/0x1f0
|
||||
shrink_page_list+0x49d/0xf50
|
||||
shrink_inactive_list+0x19d/0x3b0
|
||||
shrink_node_memcg.constprop.77+0x398/0x690
|
||||
? shrink_slab.constprop.81+0x278/0x3f0
|
||||
shrink_node+0x7a/0x2f0
|
||||
kswapd+0x34b/0x6d0
|
||||
? node_reclaim+0x240/0x240
|
||||
kthread+0x11f/0x140
|
||||
? __kthread_bind_mask+0x60/0x60
|
||||
ret_from_fork+0x24/0x30
|
||||
Disabling lock debugging due to kernel taint
|
||||
....
|
||||
|
||||
The failures are from anyway that frees pages and empties the
|
||||
per-cpu page magazines, so it's not a predictable failure or an easy
|
||||
to debug failure.
|
||||
|
||||
generic/038 is a reliable reproducer of this problem - it has a 9 in
|
||||
10 failure rate on one of my test machines. Failure on other
|
||||
machines have been at random points in fstests runs but every run
|
||||
has ended up tripping this problem. Hence generic/038 was used to
|
||||
bisect the failure because it was the most reliable failure.
|
||||
|
||||
It is too close to the 4.20 release (not to mention holidays) to
|
||||
try to diagnose, fix and test the underlying cause of the problem,
|
||||
so reverting the commit is the only option we have right now. The
|
||||
revert has been tested against a current tot 4.20-rc7+ kernel across
|
||||
multiple machines running sub-page block size XFs filesystems and
|
||||
none of the bad page state failures have been seen.
|
||||
|
||||
Signed-off-by: Dave Chinner <dchinner@redhat.com>
|
||||
Cc: Piotr Jaroszynski <pjaroszynski@nvidia.com>
|
||||
Cc: Christoph Hellwig <hch@lst.de>
|
||||
Cc: William Kucharski <william.kucharski@oracle.com>
|
||||
Cc: Darrick J. Wong <darrick.wong@oracle.com>
|
||||
Cc: Brian Foster <bfoster@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/iomap.c | 7 -------
|
||||
1 file changed, 7 deletions(-)
|
||||
|
||||
diff --git a/fs/iomap.c b/fs/iomap.c
|
||||
index 5bc172f3dfe8..d6bc98ae8d35 100644
|
||||
--- a/fs/iomap.c
|
||||
+++ b/fs/iomap.c
|
||||
@@ -116,12 +116,6 @@ iomap_page_create(struct inode *inode, struct page *page)
|
||||
atomic_set(&iop->read_count, 0);
|
||||
atomic_set(&iop->write_count, 0);
|
||||
bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE);
|
||||
-
|
||||
- /*
|
||||
- * migrate_page_move_mapping() assumes that pages with private data have
|
||||
- * their count elevated by 1.
|
||||
- */
|
||||
- get_page(page);
|
||||
set_page_private(page, (unsigned long)iop);
|
||||
SetPagePrivate(page);
|
||||
return iop;
|
||||
@@ -138,7 +132,6 @@ iomap_page_release(struct page *page)
|
||||
WARN_ON_ONCE(atomic_read(&iop->write_count));
|
||||
ClearPagePrivate(page);
|
||||
set_page_private(page, 0);
|
||||
- put_page(page);
|
||||
kfree(iop);
|
||||
}
|
||||
|
||||
--
|
||||
2.20.1
|
||||
|
|
@ -1,67 +0,0 @@
|
|||
From: Hui Peng <benquike@gmail.com>
|
||||
Date: Wed, 12 Dec 2018 12:42:24 +0100
|
||||
Subject: USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
|
||||
Origin: https://git.kernel.org/linus/5146f95df782b0ac61abde36567e718692725c89
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19985
|
||||
|
||||
The function hso_probe reads if_num from the USB device (as an u8) and uses
|
||||
it without a length check to index an array, resulting in an OOB memory read
|
||||
in hso_probe or hso_get_config_data.
|
||||
|
||||
Add a length check for both locations and updated hso_probe to bail on
|
||||
error.
|
||||
|
||||
This issue has been assigned CVE-2018-19985.
|
||||
|
||||
Reported-by: Hui Peng <benquike@gmail.com>
|
||||
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
|
||||
Signed-off-by: Hui Peng <benquike@gmail.com>
|
||||
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
|
||||
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/usb/hso.c | 18 ++++++++++++++++--
|
||||
1 file changed, 16 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
|
||||
index 184c24baca15..d6916f787fce 100644
|
||||
--- a/drivers/net/usb/hso.c
|
||||
+++ b/drivers/net/usb/hso.c
|
||||
@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface)
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
+ /* check if we have a valid interface */
|
||||
+ if (if_num > 16) {
|
||||
+ kfree(config_data);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
switch (config_data[if_num]) {
|
||||
case 0x0:
|
||||
result = 0;
|
||||
@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface,
|
||||
|
||||
/* Get the interface/port specification from either driver_info or from
|
||||
* the device itself */
|
||||
- if (id->driver_info)
|
||||
+ if (id->driver_info) {
|
||||
+ /* if_num is controlled by the device, driver_info is a 0 terminated
|
||||
+ * array. Make sure, the access is in bounds! */
|
||||
+ for (i = 0; i <= if_num; ++i)
|
||||
+ if (((u32 *)(id->driver_info))[i] == 0)
|
||||
+ goto exit;
|
||||
port_spec = ((u32 *)(id->driver_info))[if_num];
|
||||
- else
|
||||
+ } else {
|
||||
port_spec = hso_get_config_data(interface);
|
||||
+ if (port_spec < 0)
|
||||
+ goto exit;
|
||||
+ }
|
||||
|
||||
/* Check if we need to switch to alt interfaces prior to port
|
||||
* configuration */
|
||||
--
|
||||
2.20.1
|
||||
|
|
@ -99,7 +99,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
|
|||
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
|
||||
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
|
||||
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
|
||||
bugfix/all/iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch
|
||||
|
||||
# Miscellaneous features
|
||||
|
||||
|
@ -139,7 +138,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|