From fae8df0f68d2d818b95fb51a6f65d4d96da77894 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Sat, 29 Dec 2018 13:54:36 +0100
Subject: [PATCH] Update to 4.19.13

Drop iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch
Drop usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
Add bug closer for #917569
Cleanup debian/changelog file
---
 debian/changelog | 54 ++++++++-
 ...iomap.c-get-put-the-page-in-iomap_pa.patch | 111 ------------------
 ...ess-in-hso_probe-hso_get_config_data.patch | 67 -----------
 debian/patches/series | 2 -
 4 files changed, 49 insertions(+), 185 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch
 delete mode 100644 debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
diff --git a/debian/changelog b/debian/changelog
index 9625c4b08..674fb4834 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,52 @@
-linux (4.19.12-2) UNRELEASED; urgency=medium
+linux (4.19.13-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.13
+ - Revert "vfs: Allow userns root to call mknod on owned filesystems."
+ - USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
+ (CVE-2018-19985)
+ - xhci: Don't prevent USB2 bus suspend in state check intended for USB3
+ only
+ - USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd
+ - USB: serial: option: add GosunCn ZTE WeLink ME3630
+ - USB: serial: option: add HP lt4132
+ - USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
+ - USB: serial: option: add Fibocom NL668 series
+ - USB: serial: option: add Telit LN940 series
+ - ubifs: Handle re-linking of inodes correctly while recovery
+ - scsi: t10-pi: Return correct ref tag when queue has no integrity profile
+ - scsi: sd: use mempool for discard special page
+ - mmc: core: Reset HPI enabled state during re-init and in case of errors
+ - mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
+ - mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
+ - [armhf] mmc: omap_hsmmc: fix DMA API warning
+ - gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers
+ - posix-timers: Fix division by zero bug
+ - [x86] KVM: Fix NULL deref in vcpu_scan_ioapic
+ - [x86] kvm: Add AMD's EX_CFG to the list of ignored MSRs
+ - [x86] KVM: Fix UAF in nested posted interrupt processing
+ - [x86] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened
+ channels
+ - futex: Cure exit race
+ - [x86] mtrr: Don't copy uninitialized gentry fields back to userspace
+ - [x86] mm: Fix decoy address handling vs 32-bit builds (Closes: #917569)
+ - [x86] vdso: Pass --eh-frame-hdr to the linker
+ - panic: avoid deadlocks in re-entrant console drivers
+ - mm: add mm_pxd_folded checks to pgtable_bytes accounting functions
+ - mm: make the __PAGETABLE_PxD_FOLDED defines non-empty
+ - mm: introduce mm_[p4d|pud|pmd]_folded
+ - xfrm_user: fix freeing of xfrm states on acquire
+ - rtlwifi: Fix leak of skb when processing C2H_BT_INFO
+ - iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares
+ - Revert "mwifiex: restructure rx_reorder_tbl_lock usage"
+ - iwlwifi: add new cards for 9560, 9462, 9461 and killer series
+ - mm, memory_hotplug: initialize struct pages for the full memory section
+ - mm: thp: fix flags for pmd migration when split
+ - mm, page_alloc: fix has_unmovable_pages for HugePages
+ - mm: don't miss the last page because of round-off error
+ - Input: elantech - disable elan-i2c for P52 and P72
+ - proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
+ - drm/ioctl: Fix Spectre v1 vulnerabilities
 
 [ Uwe Kleine-König ]
 * [armhf] enable some kconfig items for Allwinner SoCs (SUNXI_CCU=y,
@@ -17,10 +65,6 @@ linux (4.19.12-2) UNRELEASED; urgency=medium
 * Fix pycodestyle "line break after binary operator" warnings
 * Fix pycodestyle "inalid escape sequence" warnings
 
- [ Salvatore Bonaccorso ]
- * USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
- (CVE-2018-19985)
-
 [ Romain Perier ]
 * [rt] Update to 4.19.10-rt8
 
diff --git a/debian/patches/bugfix/all/iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch b/debian/patches/bugfix/all/iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch
deleted file mode 100644
index aa52bfe4a..000000000
--- a/debian/patches/bugfix/all/iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From: Dave Chinner
-Date: Thu, 20 Dec 2018 23:23:24 +1100
-Subject: iomap: Revert "fs/iomap.c: get/put the page in
- iomap_page_create/release()"
-Origin: https://git.kernel.org/linus/a837eca2412051628c0529768c9bc4f3580b040e
-
-This reverts commit 61c6de667263184125d5ca75e894fcad632b0dd3.
-
-The reverted commit added page reference counting to iomap page
-structures that are used to track block size < page size state. This
-was supposed to align the code with page migration page accounting
-assumptions, but what it has done instead is break XFS filesystems.
-Every fstests run I've done on sub-page block size XFS filesystems
-has since picking up this commit 2 days ago has failed with bad page
-state errors such as:
-
-# ./run_check.sh "-m rmapbt=1,reflink=1 -i sparse=1 -b size=1k" "generic/038"
-....
-SECTION -- xfs
-FSTYP -- xfs (debug)
-PLATFORM -- Linux/x86_64 test1 4.20.0-rc6-dgc+
-MKFS_OPTIONS -- -f -m rmapbt=1,reflink=1 -i sparse=1 -b size=1k /dev/sdc
-MOUNT_OPTIONS -- /dev/sdc /mnt/scratch
-
-generic/038 454s ...
- run fstests generic/038 at 2018-12-20 18:43:05
- XFS (sdc): Unmounting Filesystem
- XFS (sdc): Mounting V5 Filesystem
- XFS (sdc): Ending clean mount
- BUG: Bad page state in process kswapd0 pfn:3a7fa
- page:ffffea0000ccbeb0 count:0 mapcount:0 mapping:ffff88800d9b6360 index:0x1
- flags: 0xfffffc0000000()
- raw: 000fffffc0000000 dead000000000100 dead000000000200 ffff88800d9b6360
- raw: 0000000000000001 0000000000000000 00000000ffffffff
- page dumped because: non-NULL mapping
- CPU: 0 PID: 676 Comm: kswapd0 Not tainted 4.20.0-rc6-dgc+ #915
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
- Call Trace:
- dump_stack+0x67/0x90
- bad_page.cold.116+0x8a/0xbd
- free_pcppages_bulk+0x4bf/0x6a0
- free_unref_page_list+0x10f/0x1f0
- shrink_page_list+0x49d/0xf50
- shrink_inactive_list+0x19d/0x3b0
- shrink_node_memcg.constprop.77+0x398/0x690
- ? shrink_slab.constprop.81+0x278/0x3f0
- shrink_node+0x7a/0x2f0
- kswapd+0x34b/0x6d0
- ? node_reclaim+0x240/0x240
- kthread+0x11f/0x140
- ? __kthread_bind_mask+0x60/0x60
- ret_from_fork+0x24/0x30
- Disabling lock debugging due to kernel taint
-....
-
-The failures are from anyway that frees pages and empties the
-per-cpu page magazines, so it's not a predictable failure or an easy
-to debug failure.
-
-generic/038 is a reliable reproducer of this problem - it has a 9 in
-10 failure rate on one of my test machines. Failure on other
-machines have been at random points in fstests runs but every run
-has ended up tripping this problem. Hence generic/038 was used to
-bisect the failure because it was the most reliable failure.
-
-It is too close to the 4.20 release (not to mention holidays) to
-try to diagnose, fix and test the underlying cause of the problem,
-so reverting the commit is the only option we have right now. The
-revert has been tested against a current tot 4.20-rc7+ kernel across
-multiple machines running sub-page block size XFs filesystems and
-none of the bad page state failures have been seen.
-
-Signed-off-by: Dave Chinner
-Cc: Piotr Jaroszynski
-Cc: Christoph Hellwig
-Cc: William Kucharski
-Cc: Darrick J. Wong
-Cc: Brian Foster
-Signed-off-by: Linus Torvalds
----
- fs/iomap.c | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/fs/iomap.c b/fs/iomap.c
-index 5bc172f3dfe8..d6bc98ae8d35 100644
---- a/fs/iomap.c
-+++ b/fs/iomap.c
-@@ -116,12 +116,6 @@ iomap_page_create(struct inode *inode, struct page *page)
- atomic_set(&iop->read_count, 0);
- atomic_set(&iop->write_count, 0);
- bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE);
--
-- /*
-- * migrate_page_move_mapping() assumes that pages with private data have
-- * their count elevated by 1.
-- */
-- get_page(page);
- set_page_private(page, (unsigned long)iop);
- SetPagePrivate(page);
- return iop;
-@@ -138,7 +132,6 @@ iomap_page_release(struct page *page)
- WARN_ON_ONCE(atomic_read(&iop->write_count));
- ClearPagePrivate(page);
- set_page_private(page, 0);
-- put_page(page);
- kfree(iop);
- }
-
---
-2.20.1
-
diff --git a/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch b/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
deleted file mode 100644
index aba761c3b..000000000
--- a/debian/patches/bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From: Hui Peng
-Date: Wed, 12 Dec 2018 12:42:24 +0100
-Subject: USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
-Origin: https://git.kernel.org/linus/5146f95df782b0ac61abde36567e718692725c89
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19985
-
-The function hso_probe reads if_num from the USB device (as an u8) and uses
-it without a length check to index an array, resulting in an OOB memory read
-in hso_probe or hso_get_config_data.
-
-Add a length check for both locations and updated hso_probe to bail on
-error.
-
-This issue has been assigned CVE-2018-19985.
-
-Reported-by: Hui Peng
-Reported-by: Mathias Payer
-Signed-off-by: Hui Peng
-Signed-off-by: Mathias Payer
-Reviewed-by: Sebastian Andrzej Siewior
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: David S. Miller
----
- drivers/net/usb/hso.c | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
-index 184c24baca15..d6916f787fce 100644
---- a/drivers/net/usb/hso.c
-+++ b/drivers/net/usb/hso.c
-@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface)
- return -EIO;
- }
-
-+ /* check if we have a valid interface */
-+ if (if_num > 16) {
-+ kfree(config_data);
-+ return -EINVAL;
-+ }
-+
- switch (config_data[if_num]) {
- case 0x0:
- result = 0;
-@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface,
-
- /* Get the interface/port specification from either driver_info or from
- * the device itself */
-- if (id->driver_info)
-+ if (id->driver_info) {
-+ /* if_num is controlled by the device, driver_info is a 0 terminated
-+ * array. Make sure, the access is in bounds! */
-+ for (i = 0; i <= if_num; ++i)
-+ if (((u32 *)(id->driver_info))[i] == 0)
-+ goto exit;
- port_spec = ((u32 *)(id->driver_info))[if_num];
-- else
-+ } else {
- port_spec = hso_get_config_data(interface);
-+ if (port_spec < 0)
-+ goto exit;
-+ }
-
- /* Check if we need to switch to alt interfaces prior to port
- * configuration */
---
-2.20.1
-
diff --git a/debian/patches/series b/debian/patches/series
index 49b340914..db059563a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -99,7 +99,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
 bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 debian/revert-objtool-fix-config_stack_validation-y-warning.patch
-bugfix/all/iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch
 
 # Miscellaneous features
 
@@ -139,7 +138,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch