Update to 4.19.13

Drop iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch Drop usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch Add bug closer for #917569 Cleanup debian/changelog file
2018-12-29 13:54:36 +01:00 · 2018-12-29 13:54:36 +01:00 · fae8df0f68
parent f8450c79c8
commit fae8df0f68
4 changed files with 49 additions and 185 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,4 +1,52 @@
-linux (4.19.12-2) UNRELEASED; urgency=medium
+linux (4.19.13-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.13
+    - Revert "vfs: Allow userns root to call mknod on owned filesystems."
+    - USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
+      (CVE-2018-19985)
+    - xhci: Don't prevent USB2 bus suspend in state check intended for USB3
+      only
+    - USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd
+    - USB: serial: option: add GosunCn ZTE WeLink ME3630
+    - USB: serial: option: add HP lt4132
+    - USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
+    - USB: serial: option: add Fibocom NL668 series
+    - USB: serial: option: add Telit LN940 series
+    - ubifs: Handle re-linking of inodes correctly while recovery
+    - scsi: t10-pi: Return correct ref tag when queue has no integrity profile
+    - scsi: sd: use mempool for discard special page
+    - mmc: core: Reset HPI enabled state during re-init and in case of errors
+    - mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
+    - mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
+    - [armhf] mmc: omap_hsmmc: fix DMA API warning
+    - gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers
+    - posix-timers: Fix division by zero bug
+    - [x86] KVM: Fix NULL deref in vcpu_scan_ioapic
+    - [x86] kvm: Add AMD's EX_CFG to the list of ignored MSRs
+    - [x86] KVM: Fix UAF in nested posted interrupt processing
+    - [x86] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened
+      channels
+    - futex: Cure exit race
+    - [x86] mtrr: Don't copy uninitialized gentry fields back to userspace
+    - [x86] mm: Fix decoy address handling vs 32-bit builds (Closes: #917569)
+    - [x86] vdso: Pass --eh-frame-hdr to the linker
+    - panic: avoid deadlocks in re-entrant console drivers
+    - mm: add mm_pxd_folded checks to pgtable_bytes accounting functions
+    - mm: make the __PAGETABLE_PxD_FOLDED defines non-empty
+    - mm: introduce mm_[p4d|pud|pmd]_folded
+    - xfrm_user: fix freeing of xfrm states on acquire
+    - rtlwifi: Fix leak of skb when processing C2H_BT_INFO
+    - iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares
+    - Revert "mwifiex: restructure rx_reorder_tbl_lock usage"
+    - iwlwifi: add new cards for 9560, 9462, 9461 and killer series
+    - mm, memory_hotplug: initialize struct pages for the full memory section
+    - mm: thp: fix flags for pmd migration when split
+    - mm, page_alloc: fix has_unmovable_pages for HugePages
+    - mm: don't miss the last page because of round-off error
+    - Input: elantech - disable elan-i2c for P52 and P72
+    - proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
+    - drm/ioctl: Fix Spectre v1 vulnerabilities

  [ Uwe Kleine-König ]
  * [armhf] enable some kconfig items for Allwinner SoCs (SUNXI_CCU=y,
@ -17,10 +65,6 @@ linux (4.19.12-2) UNRELEASED; urgency=medium
  * Fix pycodestyle "line break after binary operator" warnings
  * Fix pycodestyle "inalid escape sequence" warnings

-  [ Salvatore Bonaccorso ]
-  * USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
-    (CVE-2018-19985)
-
  [ Romain Perier ]
  * [rt] Update to 4.19.10-rt8

--- a/debian/patches/bugfix/all/iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch
+++ b/debian/patches/bugfix/all/iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch
@ -1,111 +0,0 @@
-From: Dave Chinner <dchinner@redhat.com>
-Date: Thu, 20 Dec 2018 23:23:24 +1100
-Subject: iomap: Revert "fs/iomap.c: get/put the page in
- iomap_page_create/release()"
-Origin: https://git.kernel.org/linus/a837eca2412051628c0529768c9bc4f3580b040e
-
-This reverts commit 61c6de667263184125d5ca75e894fcad632b0dd3.
-
-The reverted commit added page reference counting to iomap page
-structures that are used to track block size < page size state. This
-was supposed to align the code with page migration page accounting
-assumptions, but what it has done instead is break XFS filesystems.
-Every fstests run I've done on sub-page block size XFS filesystems
-has since picking up this commit 2 days ago has failed with bad page
-state errors such as:
-
-# ./run_check.sh "-m rmapbt=1,reflink=1 -i sparse=1 -b size=1k" "generic/038"
-....
-SECTION       -- xfs
-FSTYP         -- xfs (debug)
-PLATFORM      -- Linux/x86_64 test1 4.20.0-rc6-dgc+
-MKFS_OPTIONS  -- -f -m rmapbt=1,reflink=1 -i sparse=1 -b size=1k /dev/sdc
-MOUNT_OPTIONS -- /dev/sdc /mnt/scratch
-
-generic/038 454s ...
- run fstests generic/038 at 2018-12-20 18:43:05
- XFS (sdc): Unmounting Filesystem
- XFS (sdc): Mounting V5 Filesystem
- XFS (sdc): Ending clean mount
- BUG: Bad page state in process kswapd0  pfn:3a7fa
- page:ffffea0000ccbeb0 count:0 mapcount:0 mapping:ffff88800d9b6360 index:0x1
- flags: 0xfffffc0000000()
- raw: 000fffffc0000000 dead000000000100 dead000000000200 ffff88800d9b6360
- raw: 0000000000000001 0000000000000000 00000000ffffffff
- page dumped because: non-NULL mapping
- CPU: 0 PID: 676 Comm: kswapd0 Not tainted 4.20.0-rc6-dgc+ #915
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
- Call Trace:
-  dump_stack+0x67/0x90
-  bad_page.cold.116+0x8a/0xbd
-  free_pcppages_bulk+0x4bf/0x6a0
-  free_unref_page_list+0x10f/0x1f0
-  shrink_page_list+0x49d/0xf50
-  shrink_inactive_list+0x19d/0x3b0
-  shrink_node_memcg.constprop.77+0x398/0x690
-  ? shrink_slab.constprop.81+0x278/0x3f0
-  shrink_node+0x7a/0x2f0
-  kswapd+0x34b/0x6d0
-  ? node_reclaim+0x240/0x240
-  kthread+0x11f/0x140
-  ? __kthread_bind_mask+0x60/0x60
-  ret_from_fork+0x24/0x30
- Disabling lock debugging due to kernel taint
-....
-
-The failures are from anyway that frees pages and empties the
-per-cpu page magazines, so it's not a predictable failure or an easy
-to debug failure.
-
-generic/038 is a reliable reproducer of this problem - it has a 9 in
-10 failure rate on one of my test machines. Failure on other
-machines have been at random points in fstests runs but every run
-has ended up tripping this problem. Hence generic/038 was used to
-bisect the failure because it was the most reliable failure.
-
-It is too close to the 4.20 release (not to mention holidays) to
-try to diagnose, fix and test the underlying cause of the problem,
-so reverting the commit is the only option we have right now. The
-revert has been tested against a current tot 4.20-rc7+ kernel across
-multiple machines running sub-page block size XFs filesystems and
-none of the bad page state failures have been seen.
-
-Signed-off-by: Dave Chinner <dchinner@redhat.com>
-Cc: Piotr Jaroszynski <pjaroszynski@nvidia.com>
-Cc: Christoph Hellwig <hch@lst.de>
-Cc: William Kucharski <william.kucharski@oracle.com>
-Cc: Darrick J. Wong <darrick.wong@oracle.com>
-Cc: Brian Foster <bfoster@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
- fs/iomap.c | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/fs/iomap.c b/fs/iomap.c
-index 5bc172f3dfe8..d6bc98ae8d35 100644
--- a/fs/iomap.c
-+++ b/fs/iomap.c
-@@ -116,12 +116,6 @@ iomap_page_create(struct inode *inode, struct page *page)
- 	atomic_set(&iop->read_count, 0);
- 	atomic_set(&iop->write_count, 0);
- 	bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE);
-
-	/*
-	 * migrate_page_move_mapping() assumes that pages with private data have
-	 * their count elevated by 1.
-	 */
-	get_page(page);
- 	set_page_private(page, (unsigned long)iop);
- 	SetPagePrivate(page);
- 	return iop;
-@@ -138,7 +132,6 @@ iomap_page_release(struct page *page)
- 	WARN_ON_ONCE(atomic_read(&iop->write_count));
- 	ClearPagePrivate(page);
- 	set_page_private(page, 0);
-	put_page(page);
- 	kfree(iop);
- }
- 
-- 
-2.20.1
-
--- a/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
+++ b/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
@ -1,67 +0,0 @@
-From: Hui Peng <benquike@gmail.com>
-Date: Wed, 12 Dec 2018 12:42:24 +0100
-Subject: USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
-Origin: https://git.kernel.org/linus/5146f95df782b0ac61abde36567e718692725c89
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19985
-
-The function hso_probe reads if_num from the USB device (as an u8) and uses
-it without a length check to index an array, resulting in an OOB memory read
-in hso_probe or hso_get_config_data.
-
-Add a length check for both locations and updated hso_probe to bail on
-error.
-
-This issue has been assigned CVE-2018-19985.
-
-Reported-by: Hui Peng <benquike@gmail.com>
-Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
-Signed-off-by: Hui Peng <benquike@gmail.com>
-Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
-Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
---
- drivers/net/usb/hso.c | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
-index 184c24baca15..d6916f787fce 100644
--- a/drivers/net/usb/hso.c
-+++ b/drivers/net/usb/hso.c
-@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface)
- 		return -EIO;
- 	}
- 
-+	/* check if we have a valid interface */
-+	if (if_num > 16) {
-+		kfree(config_data);
-+		return -EINVAL;
-+	}
-+
- 	switch (config_data[if_num]) {
- 	case 0x0:
- 		result = 0;
-@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface,
- 
- 	/* Get the interface/port specification from either driver_info or from
- 	 * the device itself */
-	if (id->driver_info)
-+	if (id->driver_info) {
-+		/* if_num is controlled by the device, driver_info is a 0 terminated
-+		 * array. Make sure, the access is in bounds! */
-+		for (i = 0; i <= if_num; ++i)
-+			if (((u32 *)(id->driver_info))[i] == 0)
-+				goto exit;
- 		port_spec = ((u32 *)(id->driver_info))[if_num];
-	else
-+	} else {
- 		port_spec = hso_get_config_data(interface);
-+		if (port_spec < 0)
-+			goto exit;
-+	}
- 
- 	/* Check if we need to switch to alt interfaces prior to port
- 	 * configuration */
-- 
-2.20.1
-
--- a/debian/patches/series
+++ b/debian/patches/series
@ -99,7 +99,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
 bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 debian/revert-objtool-fix-config_stack_validation-y-warning.patch
-bugfix/all/iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch

 # Miscellaneous features

@ -139,7 +138,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch