Update to 4.1.5
parent a42e6ab606
commit 431395942e
|
@ -1,4 +1,334 @@
|
|||
linux (4.1.3-2) UNRELEASED; urgency=medium
|
||||
linux (4.1.5-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.4
|
||||
- [armhf] pinctrl: mvebu: armada-370: fix spi0 pin description
|
||||
- [armhf] pinctrl: mvebu: armada-xp: remove non-existing NAND pins
|
||||
- [armhf] pinctrl: mvebu: armada-xp: remove non-existing VDD cpu_pd
|
||||
functions
|
||||
- [armhf] pinctrl: mvebu: armada-xp: fix functions of MPP48
|
||||
- Bluetooth: Fix race condition with user channel and setup stage
|
||||
- Bluetooth: btusb: Fix memory leak in Intel setup routine
|
||||
- Bluetooth: btusb: Fix secure send command length alignment on Intel 8260
|
||||
- Bluetooth: btusb: Correct typo in Roper Class 1 Bluetooth Dongle
|
||||
- Bluetooth: btbcm: allow btbcm_read_verbose_config to fail on Apple
|
||||
- ath9k: fix DMA stop sequence for AR9003+
|
||||
- ath9k_htc: memory corruption calling set_bit()
|
||||
- rtlwifi: Remove the clear interrupt routine from all drivers
|
||||
- ieee802154: Fix sockaddr_ieee802154 implicit padding information leak.
|
||||
- staging: vt6656: check ieee80211_bss_conf bssid not NULL
|
||||
- staging: vt6655: check ieee80211_bss_conf bssid not NULL
|
||||
- staging: vt6655: device_rx_srv check sk_buff is NULL
|
||||
- staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
|
||||
- staging: comedi: cb_pcimdas: fix handlers for DI and DO subdevices
|
||||
- hid-sensor: Fix suspend/resume delay
|
||||
- ext4: fix race between truncate and __ext4_journalled_writepage()
|
||||
- ext4: call sync_blockdev() before invalidate_bdev() in put_super()
|
||||
- ext4: don't retry file block mapping on bigalloc fs with non-extent file
|
||||
- ext4: set lazytime on remount if MS_LAZYTIME is set by mount
|
||||
- ext4: fix fencepost error in lazytime optimization
|
||||
- bufferhead: Add _gfp version for sb_getblk()
|
||||
- ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp
|
||||
- ext4: fix reservation release on invalidatepage for delalloc fs
|
||||
- ext4: be more strict when migrating to non-extent based file
|
||||
- ext4: correctly migrate a file with a hole at the beginning
|
||||
- ext4: replace open coded nofail allocation in ext4_free_blocks()
|
||||
- jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail()
|
||||
- jbd2: fix ocfs2 corrupt when updating journal superblock fails
|
||||
- NFC: st21nfcb: Remove inappropriate kfree on a devm_kzalloc pointer
|
||||
- NFC: st21nfcb: Do not remove header once the payload is sent
|
||||
- NFC: st21nfcb: remove st21nfcb_nci_i2c_disable
|
||||
- [armhf] rtc: snvs: fix wakealarm by call enable_irq_wake earlier
|
||||
- i2c: mux: Use __i2c_transfer() instead of calling parent's master_xfer()
|
||||
- i2c: use parent adapter quirks in mux
|
||||
- vb2: Don't WARN when v4l2_buffer.bytesused is 0 for multiplanar buffers
|
||||
- media: Fix regression in some more dib0700 based devices
|
||||
- rc-core: fix dib0700 scancode generation for RC5
|
||||
- cx18: add missing caps for the PCM video device
|
||||
- cx24117: fix a buffer overflow when checking userspace params
|
||||
- af9013: Don't accept invalid bandwidth
|
||||
- saa7164: fix querycap warning
|
||||
- s5h1420: fix a buffer overflow when checking userspace params
|
||||
- cx24116: fix a buffer overflow when checking userspace params
|
||||
- [armhf] ASoC: omap: fix up SND_OMAP_SOC_OMAP_ABE_TWL6040 dependency, again
|
||||
- libata: Do not blacklist Micron M500DC
|
||||
- libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk
|
||||
VB0250EAVER
|
||||
- libata: increase the timeout when setting transfer mode
|
||||
- libata: Fall back to unqueued READ LOG EXT if the DMA variant fails
|
||||
- libata: Expose TRIM capability in sysfs
|
||||
- libata: add ATA_HORKAGE_NOTRIM
|
||||
- libata: add ATA_HORKAGE_MAX_SEC_1024 to revert back to previous
|
||||
max_sectors limit
|
||||
- libata: Do not blacklist M510DC
|
||||
- libata: force disable trim for SuperSSpeed S238
|
||||
- [armhf] usb: dwc3: gadget: return error if command sent to DGCMD register
|
||||
fails
|
||||
- [armhf] usb: dwc3: gadget: return error if command sent to DEPCMD
|
||||
register fails
|
||||
- [armhf] usb: dwc3: gadget: don't clear EP_BUSY too early
|
||||
- [armhf] usb: dwc3: Reset the transfer resource index on SET_INTERFACE
|
||||
- usb: core: Fix USB 3.0 devices lost in NOTATTACHED state after a hub port
|
||||
reset
|
||||
- USB: devio: fix a condition in async_completed()
|
||||
- [armhf] phy: twl4030-usb: remove incorrect pm_runtime_get_sync() in
|
||||
probe function.
|
||||
- [armhf] usb: phy: mxs: suspend to RAM causes NULL pointer dereference
|
||||
- usb: gadget: composite: Fix NULL pointer dereference
|
||||
- usb: gadget: f_fs: do not set cancel function on synchronous {read,write}
|
||||
- usb: gadget: mv_udc_core: fix phy_regs I/O memory leak
|
||||
- usb: f_mass_storage: limit number of reported LUNs
|
||||
- [armhf] usb: musb: host: rely on port_mode to call musb_start()
|
||||
- USB: cp210x: add ID for Aruba Networks controllers
|
||||
- USB: option: add 2020:4000 ID
|
||||
- USB: serial: Destroy serial_minors IDR on module exit
|
||||
- USB: OHCI: Fix race between ED unlink and URB submission
|
||||
- usb: core: lpm: set lpm_capable for root hub device
|
||||
- usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init()
|
||||
function
|
||||
- dm cache: fix race when issuing a POLICY_REPLACE operation
|
||||
- dm stats: fix divide by zero if 'number_of_areas' arg is zero
|
||||
- dm space map metadata: fix occasional leak of a metadata block on resize
|
||||
- dm btree remove: fix bug in redistribute3
|
||||
- dm thin: allocate the cell_sort_array dynamically
|
||||
- dm btree: silence lockdep lock inversion in dm_btree_del()
|
||||
- mmc: block: Add missing mmc_blk_put() in power_ro_lock_show()
|
||||
- block: loop: convert to per-device workqueue
|
||||
- block: loop: avoiding too many pending per work I/O
|
||||
- block: Do a full clone when splitting discard bios
|
||||
- drm/vgem: Set unique to "vgem"
|
||||
- [armhf] drm/tegra: dpaux: Fix transfers larger than 4 bytes
|
||||
- drm/qxl: Do not cause spice-server to clean our objects
|
||||
- drm/qxl: Do not leak memory if qxl_release_list_add fails
|
||||
- drm/atomic: fix out of bounds read in for_each_*_in_state helpers
|
||||
- drm/radeon: take the mode_config mutex when dealing with hpds (v2)
|
||||
- drm/radeon: clean up radeon_audio_enable
|
||||
- [x86] drm/i915/ppgtt: Break loop in gen8_ppgtt_clear_range failure path
|
||||
- [x86] drm/i915: Fix IPS related flicker
|
||||
- [x86] drm/i915: fix backlight after resume on 855gm
|
||||
- [x86] drm/i915: Declare the swizzling unknown for L-shaped configurations
|
||||
- [x86] drm/i915: Snapshot seqno of most recently submitted request.
|
||||
- [x86] drm/i915: Forward all core DRM ioctls to core compat handling
|
||||
- [x86] Revert "drm/i915: Declare the swizzling unknown for L-shaped
|
||||
configurations"
|
||||
- [x86] drm/i915: Use two 32bit reads for select 64bit REG_READ ioctls
|
||||
- drm/radeon: compute ring fix hibernation (CI GPU family) v2.
|
||||
- drm/radeon: SDMA fix hibernation (CI GPU family).
|
||||
- Revert "drm/radeon: dont switch vt on suspend"
|
||||
- drm/radeon: only check the sink type on DP connectors
|
||||
- drm/radeon: fix HDP flushing
|
||||
- drm/radeon: Handle irqs only based on irq ring, not irq status regs.
|
||||
- drm/radeon: Clean up reference counting and pinning of the cursor BOs
|
||||
- drm/radeon: unpin cursor BOs on suspend and pin them again on resume (v2)
|
||||
- drm/radeon: Don't flush the GART TLB if rdev->gart.ptr == NULL
|
||||
- drm/radeon: add a dpm quirk for Sapphire Radeon R9 270X 2GB GDDR5
|
||||
- drm/radeon: fix user ptr race condition
|
||||
- drm/radeon/ci: silence a harmless PCC warning
|
||||
- drm: add a check for x/y in drm_mode_setcrtc
|
||||
- drm: Provide compat ioctl for addfb2.1
|
||||
- drm: Stop resetting connector state to unknown
|
||||
- libata: Fix regression when the NCQ Send and Receive log page is absent
|
||||
- xfs: fix remote symlinks on V5/CRC filesystems
|
||||
- xfs: don't truncate attribute extents if no extents exist
|
||||
- w1_therm reference count family data
|
||||
- tpm, tpm_crb: fix le64_to_cpu conversions in crb_acpi_add()
|
||||
- vTPM: set virtual device before passing to ibmvtpm_reset_crq
|
||||
- tpm: Fix initialization of the cdev
|
||||
- tpm, tpm_crb: fail when TPM2 ACPI table contents look corrupted
|
||||
- KEYS: fix "ca_keys=" partial key matching
|
||||
- KEYS: ensure we free the assoc array edit if edit is valid
|
||||
- tracing/filter: Do not WARN on operand count going below zero
|
||||
- tracing/filter: Do not allow infix to exceed end of string
|
||||
- tracing: Fix typo from "static inlin" to "static inline"
|
||||
- tracing: Have branch tracer use recursive field of task struct
|
||||
- tracing: Fix sample output of dynamic arrays
|
||||
- [armel,armhf] dmaengine: mv_xor: bug fix for racing condition in
|
||||
descriptors cleanup
|
||||
- md: clear mddev->private when it has been freed.
|
||||
- md: unlock mddev_lock on an error path.
|
||||
- md: Skip cluster setup for dm-raid
|
||||
- Btrfs: don't invalidate root dentry when subvolume deletion fails
|
||||
- md: fix a build warning
|
||||
- Btrfs: use kmem_cache_free when freeing entry in inode cache
|
||||
- Btrfs: fix race between caching kthread and returning inode to inode cache
|
||||
- Btrfs: fix fsync data loss after append write
|
||||
- Btrfs: fix memory leak in the extent_same ioctl
|
||||
- Btrfs: fix list transaction->pending_ordered corruption
|
||||
- Btrfs: fix file corruption after cloning inline extents
|
||||
- selinux: don't waste ebitmap space when importing NetLabel categories
|
||||
- selinux: fix mprotect PROT_EXEC regression caused by mm change
|
||||
- fuse: initialize fc->release before calling it
|
||||
- crush: fix a bug in tree bucket decode
|
||||
- ACPI / resources: free memory on error in add_region_before()
|
||||
- ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage
|
||||
- ACPI / LPSS: Fix up acpi_lpss_create_device()
|
||||
- ACPICA: Tables: Enable both 32-bit and 64-bit FACS
|
||||
- ACPICA: Tables: Fix an issue that FACS initialization is performed twice
|
||||
- ACPICA: Tables: Enable default 64-bit FADT addresses favor
|
||||
- ACPI / PCI: Fix regressions caused by resource_size_t overflow with
|
||||
32-bit kernel
|
||||
- [armhf] serial: samsung: only use earlycon for console
|
||||
- mmc: card: Fixup request missing in mmc_blk_issue_rw_rq
|
||||
- mmc: sdhci: Restore behavior while creating OCR mask
|
||||
- PM / clk: Fix clock error check in __pm_clk_add()
|
||||
- RDMA/ocrdma: fix double free on pd
|
||||
- tty: remove platform_sysrq_reset_seq
|
||||
- mm/hugetlb: introduce minimum hugepage order
|
||||
- PM / sleep: Increase default DPM watchdog timeout to 60
|
||||
- firmware: dmi_scan: Only honor end-of-table for 64-bit tables
|
||||
- __bitmap_parselist: fix bug in empty string handling
|
||||
- security_syslog() should be called once only
|
||||
- mac80211: fix the beacon csa counter for mesh and ibss
|
||||
- iwlwifi: mvm: fix ROC reference accounting
|
||||
- cfg80211: ignore netif running state when changing iftype
|
||||
- mac80211: prevent possible crypto tx tailroom corruption
|
||||
- e1000e: Cleanup handling of VLAN_HLEN as a part of max frame size
|
||||
- clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier
|
||||
- [x86] ideapad_laptop: Lenovo G50-30 fix rfkill reports wireless blocked
|
||||
- [x86] ideapad: fix software rfkill setting
|
||||
- of/address: use atomic allocation in pci_register_io_range()
|
||||
- [x86] dell-laptop: Fix allocating & freeing SMI buffer page
|
||||
- ovl: lookup whiteouts outside iterate_dir()
|
||||
- of: return NUMA_NO_NODE from fallback of_node_to_nid()
|
||||
- watchdog: omap: assert the counter being stopped before reprogramming
|
||||
- gpiolib: Add missing dummies for the unified device properties interface
|
||||
- clk: Fix JSON output in debugfs
|
||||
- pNFS: Fix a memory leak when attempted pnfs fails
|
||||
- pNFS/flexfiles: Fix the reset of struct pgio_header when resending
|
||||
- NFS: Fix size of NFSACL SETACL operations
|
||||
- nfs: fixing infinite OPEN loop in 4.0 stateid recovery
|
||||
- nfs: increase size of EXCHANGE_ID name string buffer
|
||||
- NFS: Ensure we set NFS_CONTEXT_RESEND_WRITES when requeuing writes
|
||||
- nfs: fix potential credential leak in ff_layout_update_mirror_cred
|
||||
- nfs: always update creds in mirror, even when we have an already
|
||||
connected ds
|
||||
- SUNRPC: Fix a memory leak in the backchannel code
|
||||
- 9p: forgetting to cancel request on interrupted zero-copy RPC
|
||||
- 9p: don't leave a half-initialized inode sitting around
|
||||
- rbd: use GFP_NOIO in rbd_obj_request_create()
|
||||
- [x86] agp/intel: Fix typo in needs_ilk_vtd_wa()
|
||||
- [mips] EDAC, octeon: Fix broken build due to model helper renames
|
||||
- p9_client_write(): avoid double p9_free_req()
|
||||
- [arm64] smp: Fix suspicious RCU usage with ipi tracepoints
|
||||
- [arm64] bpf: fix out-of-bounds read in bpf2a64_offset()
|
||||
- [arm64] bpf: fix endianness conversion bugs
|
||||
- [arm64] Don't report clear pmds and puds as huge
|
||||
- [armel,armhf] 8393/1: smp: Fix suspicious RCU usage with ipi tracepoints
|
||||
- [armel,armhf] 8397/1: fix vdsomunge not to depend on glibc specific
|
||||
error.h
|
||||
- hpfs: kstrdup() out of memory handling
|
||||
- hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead
|
||||
- Fix firmware loader uevent buffer NULL pointer dereference
|
||||
- mm: avoid setting up anonymous pages into file mapping
|
||||
- [x86] mpx: Do not set ->vm_ops on MPX VMAs
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.5
|
||||
- [powerpc*] powernv: Fix race in updating core_idle_state
|
||||
- Revert "Input: synaptics - allocate 3 slots to keep stability in image
|
||||
sensors"
|
||||
- [hppa] Fix some PTE/TLB race conditions and optimize __flush_tlb_range
|
||||
based on timing results
|
||||
- [hppa] mm: Fix a memory leak related to pmd not attached to the pgd
|
||||
- [armel,armhf] 8404/1: dma-mapping: fix off-by-one error in bitmap size
|
||||
check
|
||||
- [armhf] imx6: gpc: always enable PU domain if CONFIG_PM is not set
|
||||
- [mips*] c-r4k: Fix cache flushing for MT cores
|
||||
- [mips*] Require O32 FP64 support for MIPS64 with O32 compat
|
||||
- can: replace timestamp as unique skb attribute
|
||||
- can: rcar_can: fix IRQ check
|
||||
- can: c_can: Fix default pinmux glitch at init
|
||||
- can: rcar_can: print signed IRQ #
|
||||
- can: mcp251x: fix resume when device is down
|
||||
- vfs: freeing unlinked file indefinitely delayed
|
||||
- [x86] init: Clear 'init_level4_pgt' earlier
|
||||
- [x86] kasan: Fix KASAN shadow region page tables
|
||||
- [x86] kasan: Flush TLBs after switching CR3
|
||||
- [x86] kasan: Fix boot crash on AMD processors
|
||||
- crypto: omap-des - Fix unmapping of dma channels
|
||||
- [s390x] process: fix sfpc inline assembly
|
||||
- [s390x] sclp: clear upper register halves in _sclp_print_early
|
||||
- [s390x] nmi: fix vector register corruption
|
||||
- [s390x] bpf: clear correct BPF accumulator register
|
||||
- bio integrity: do not assume bio_integrity_pool exists if bioset exists
|
||||
- dma-debug: skip debug_dma_assert_idle() when disabled
|
||||
- genirq: Prevent resend to interrupts marked IRQ_NESTED_THREAD
|
||||
- ALSA: usb-audio: Add MIDI support for Steinberg MI2/MI4
|
||||
- ALSA: line6: Fix -EBUSY error during active monitoring
|
||||
- ALSA: pcm: Fix lockdep warning with nonatomic PCM ops
|
||||
- [x86] ALSA: hda - Add headset mic support for Acer Aspire V5-573G
|
||||
- ALSA: hda: add new AMD PCI IDs with proper driver caps
|
||||
- ALSA: hda - Add new GPU codec ID 0x10de007d to snd-hda
|
||||
- [x86] ALSA: hda - Add headset mic pin quirk for a Dell device
|
||||
- [x86] ALSA: hda - Apply fixup for another Toshiba Satellite S50D
|
||||
- [x86] ALSA: hda - Apply a fixup to Dell Vostro 5480
|
||||
- ALSA: usb-audio: add dB range mapping for some devices
|
||||
- [x86] ALSA: hda - Fix MacBook Pro 5,2 quirk
|
||||
- [x86] perf: Fix static_key bug in load_mm_cr4()
|
||||
- Revert "dm: only run the queue on completion if congested or no requests
|
||||
pending"
|
||||
- [arm64] irqchip/gicv3-its: Fix mapping of LPIs to collections
|
||||
- scsi: fix host max depth checking for the 'queue_depth' sysfs interface
|
||||
- scsi: fix memory leak with scsi-mq
|
||||
- st: null pointer dereference panic caused by use after kref_put by st_open
|
||||
- drivers: clk: st: Fix flexgen lock init
|
||||
- drivers: clk: st: Fix mux bit-setting for Cortex A9 clocks
|
||||
- drivers: clk: st: Incorrect register offset used for lock_status
|
||||
- mac80211: clear subdir_stations when removing debugfs
|
||||
- mnt: Clarify and correct the disconnect logic in umount_tree
|
||||
- mnt: In detach_mounts detach the appropriate unmounted mount
|
||||
- ftrace: Fix breakage of set_ftrace_pid
|
||||
- [x86] iommu/vt-d: Fix VM domain ID leak
|
||||
- [armhf] mmc: omap_hsmmc: Fix DTO and DCRC handling
|
||||
- mmc: sdhci check parameters before call dma_free_coherent
|
||||
- mmc: sdhci-esdhc: Make 8BIT bus work
|
||||
- HID: cp2112: fix to force single data-report reply
|
||||
- iwlwifi: mvm: fix antenna selection when BT is active
|
||||
- iwlwifi: nvm: remove mac address byte swapping in 8000 family
|
||||
- iwlwifi: pcie: prepare the device before accessing it
|
||||
- md/raid1: fix test for 'was read error from last working device'.
|
||||
- [armhf] spi: imx: Fix small DMA transfers
|
||||
- Input: usbtouchscreen - avoid unresponsive TSC-30 touch screen
|
||||
- blkcg: fix gendisk reference leak in blkg_conf_prep()
|
||||
- [armhf] regulator: s2mps11: Fix GPIO suspend enable shift wrapping bug
|
||||
- ata: pmp: add quirk for Marvell 4140 SATA PMP
|
||||
- usb-storage: ignore ZTE MF 823 card reader in mode 0x1225
|
||||
- [armhf] Revert "serial: imx: initialized DMA w/o HW flow enabled"
|
||||
- serial: core: Fix crashes while echoing when closing
|
||||
- xhci: Calculate old endpoints correctly on device reset
|
||||
- xhci: report U3 when link is in resume state
|
||||
- xhci: prevent bus_suspend if SS port resuming in phase 1
|
||||
- xhci: do not report PLC when link is in internal resume state
|
||||
- mei: prevent unloading mei hw modules while the device is opened.
|
||||
- [x86] mm: Add parenthesis for TLB tracepoint size calculation
|
||||
- efi: Handle memory error structures produced based on old versions of
|
||||
standard
|
||||
- [arm64] efi: map the entire UEFI vendor string before reading it
|
||||
- efi: Check for NULL efi kernel parameters
|
||||
- [x86] efi: Use all 64 bit of efi_memmap in setup_e820()
|
||||
- rds: rds_ib_device.refcount overflow
|
||||
- n_tty: signal and flush atomically
|
||||
- blk-mq: set default timeout as 30 seconds
|
||||
- [x86] perf/intel/cqm: Return cached counter value from IRQ context
|
||||
- vhost: actually track log eventfd file
|
||||
- NFS: Don't revalidate the mapping if both size and change attr are up to
|
||||
date
|
||||
- NFSv4: We must set NFS_OPEN_STATE flag in nfs_resync_open_stateid_locked
|
||||
- NFS: Fix a memory leak in nfs_do_recoalesce
|
||||
- IB/ipoib: Fix CONFIG_INFINIBAND_IPOIB_CM
|
||||
- iscsi-target: Fix use-after-free during TPG session shutdown
|
||||
- iscsi-target: Fix iscsit_start_kthreads failure OOPs
|
||||
- iscsi-target: Fix iser explicit logout TX kthread leak
|
||||
- [x86] intel_pstate: Add get_scaling cpu_defaults param to Knights Landing
|
||||
- qla2xxx: Fix hardware lock/unlock issue causing kernel panic.
|
||||
- qla2xxx: release request queue reservation.
|
||||
- qla2xxx: Remove msleep in qlt_send_term_exchange
|
||||
- qla2xxx: fix command initialization in target mode.
|
||||
- qla2xxx: kill sessions/log out initiator on RSCN and port down events
|
||||
- drm/nouveau/fbcon/nv11-: correctly account for ring space usage
|
||||
- drm/nouveau/kms/nv50-: guard against enabling cursor on disabled heads
|
||||
- drm/nouveau: hold mutex when calling nouveau_abi16_fini()
|
||||
- drm/nouveau/drm/nv04-nv40/instmem: protect access to priv->heap by mutex
|
||||
- xfs: remote attribute headers contain an invalid LSN
|
||||
- xfs: remote attributes need to be considered data
|
||||
|
||||
[ Ian Campbell ]
|
||||
* [armhf] Enable cpufreq on some sunxi platforms (Closes: #793185)
|
||||
|
|
|
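Review bot: the entry "KEYS: ensure we free the assoc array edit if edit is valid" in the ChangeLog-4.1.4 list carries no CVE reference, while the patch file this commit deletes names CVE-2015-1333 for the same fix. Unless the stanza already records that ID below the lines shown here, append "(CVE-2015-1333)" to that entry so the changelog still says which upload closed it once the patch header is gone.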
@ -1,39 +0,0 @@
|
|||
From: Colin Ian King <colin.king@canonical.com>
|
||||
Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid
|
||||
Origin: https://marc.info/?l=oss-security&m=143800676725867&w=2
|
||||
|
||||
__key_link_end is not freeing the associated array edit structure
|
||||
and this leads to a 512 byte memory leak each time an identical
|
||||
existing key is added with add_key().
|
||||
|
||||
The reason the add_key() system call returns okay is that
|
||||
key_create_or_update() calls __key_link_begin() before checking to see
|
||||
whether it can update a key directly rather than adding/replacing - which
|
||||
it turns out it can. Thus __key_link() is not called through
|
||||
__key_instantiate_and_link() and __key_link_end() must cancel the edit.
|
||||
|
||||
CVE-2015-1333
|
||||
|
||||
Signed-off-by: Colin Ian King <colin.king@canonical.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
|
||||
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
|
||||
index e72548b5897e..d33437007ad2 100644
|
||||
--- a/security/keys/keyring.c
|
||||
+++ b/security/keys/keyring.c
|
||||
@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring,
|
||||
if (index_key->type == &key_type_keyring)
|
||||
up_write(&keyring_serialise_link_sem);
|
||||
|
||||
- if (edit && !edit->dead_leaf) {
|
||||
- key_payload_reserve(keyring,
|
||||
- keyring->datalen - KEYQUOTA_LINK_BYTES);
|
||||
+ if (edit) {
|
||||
+ if (!edit->dead_leaf) {
|
||||
+ key_payload_reserve(keyring,
|
||||
+ keyring->datalen - KEYQUOTA_LINK_BYTES);
|
||||
+ }
|
||||
assoc_array_cancel_edit(edit);
|
||||
}
|
||||
up_write(&keyring->sem);
|
|
@ -1,51 +0,0 @@
|
|||
From: Heiko Carstens <heiko.carstens@de.ibm.com>
|
||||
Date: Mon, 27 Jul 2015 09:53:49 +0200
|
||||
Subject: s390/cachinfo: add missing facility check to init_cache_level()
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/s390/linux.git/commit/?id=0b991f5cdcd6201e5401f83ca3a672343c3bfc49
|
||||
Bug-Debian: https://bugs.debian.org/793929
|
||||
|
||||
Stephen Powell reported the following crash on a z890 machine:
|
||||
|
||||
Kernel BUG at 00000000001219d0 [verbose debug info unavailable]
|
||||
illegal operation: 0001 ilc:3 [#1] SMP
|
||||
Krnl PSW : 0704e00180000000 00000000001219d0 (init_cache_level+0x38/0xe0)
|
||||
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3
|
||||
Krnl Code: 00000000001219c2: a7840056 brc 8,121a6e
|
||||
00000000001219c6: a7190000 lghi %r1,0
|
||||
#00000000001219ca: eb101000004c ecag %r1,%r0,0(%r1)
|
||||
>00000000001219d0: a7390000 lghi %r3,0
|
||||
00000000001219d4: e310f0a00024 stg %r1,160(%r15)
|
||||
00000000001219da: a7080000 lhi %r0,0
|
||||
00000000001219de: a7b9f000 lghi %r11,-4096
|
||||
00000000001219e2: c0a0002899d9 larl %r10,634d94
|
||||
Call Trace:
|
||||
[<0000000000478ee2>] detect_cache_attributes+0x2a/0x2b8
|
||||
[<000000000097c9b0>] cacheinfo_sysfs_init+0x60/0xc8
|
||||
[<00000000001001c0>] do_one_initcall+0x98/0x1c8
|
||||
[<000000000094fdc2>] kernel_init_freeable+0x212/0x2d8
|
||||
[<000000000062352e>] kernel_init+0x26/0x118
|
||||
[<000000000062fd2e>] kernel_thread_starter+0x6/0xc
|
||||
|
||||
The illegal operation was executed because of a missing facility check,
|
||||
which should have made sure that the ECAG execution would only be executed
|
||||
on machines which have the general-instructions-extension facility
|
||||
installed.
|
||||
|
||||
Reported-and-tested-by: Stephen Powell <zlinuxman@wowway.com>
|
||||
Cc: stable@vger.kernel.org # v4.0+
|
||||
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
|
||||
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
||||
|
||||
diff --git a/arch/s390/kernel/cache.c b/arch/s390/kernel/cache.c
|
||||
index bff5e3b..8ba3243 100644
|
||||
--- a/arch/s390/kernel/cache.c
|
||||
+++ b/arch/s390/kernel/cache.c
|
||||
@@ -138,6 +138,8 @@ int init_cache_level(unsigned int cpu)
|
||||
union cache_topology ct;
|
||||
enum cache_type ctype;
|
||||
|
||||
+ if (!test_facility(34))
|
||||
+ return -EOPNOTSUPP;
|
||||
if (!this_cpu_ci)
|
||||
return -EINVAL;
|
||||
ct.raw = ecag(EXTRACT_TOPOLOGY, 0, 0);
|
|
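Review bot: nothing in the changelog hunk backs this removal. The [s390x] entries listed there are the sfpc, sclp, nmi and bpf fixes, and there is no "s390/cachinfo: add missing facility check to init_cache_level()" line under either ChangeLog-4.1.4 or ChangeLog-4.1.5. The patch is tagged "Cc: stable@vger.kernel.org # v4.0+", so it may be part of the new stable release, but please confirm that and add the entry to the list; if it is not upstream yet, dropping the file brings back the init_cache_level crash reported in https://bugs.debian.org/793929.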
@ -89,8 +89,6 @@ bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
|
|||
bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
|
||||
bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
|
||||
bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
|
||||
bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
|
||||
bugfix/s390/s390-cachinfo-add-missing-facility-check-to-init_cache_level.patch
|
||||
bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
|
||||
|
||||
# Hardening from grsecurity
|
||||
|
|