parent
b5cdf98158
commit
a873a1d79d
|
@ -1,4 +1,4 @@
|
|||
linux (4.9.5-1) UNRELEASED; urgency=medium
|
||||
linux (4.9.6-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.3
|
||||
|
@ -344,6 +344,100 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
|
|||
- [arm64] hugetlb: remove the wrong pmd check in find_num_contig()
|
||||
- [arm64] hugetlb: fix the wrong return value for
|
||||
huge_ptep_set_access_flags
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.6
|
||||
- IB/core: Release allocated memory in cache setup failure
|
||||
- IB/rxe: Increase max number of completions to 32k
|
||||
- IB/rxe: avoid putting a large struct rxe_qp on stack
|
||||
- IB/mlx5: Avoid system crash when enabling many VFs
|
||||
- IB/mlx5: Fix reported max SGE calculation
|
||||
- IB/mlx5: Assign SRQ type earlier
|
||||
- IB/mlx5: Wait for all async command completions to complete
|
||||
- IB/mlx4: Set traffic class in AH
|
||||
- IB/mlx4: Fix out-of-range array index in destroy qp flow
|
||||
- IB/mlx4: Handle well-known-gid in mad_demux processing
|
||||
- IB/mlx4: Fix port query for 56Gb Ethernet links
|
||||
- IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs
|
||||
- IB/mlx4: Check if GRH is available before using it
|
||||
- IB/IPoIB: Remove can't use GFP_NOIO warning
|
||||
- perf trace: Use the syscall raw_syscalls:sys_enter timestamp
|
||||
- perf mem: Fix --all-user/--all-kernel options
|
||||
- perf trace: Check if MAP_32BIT is defined (again)
|
||||
- perf diff: Do not overwrite valid build id
|
||||
- perf callchain: Fixup help/config for no-unwinding
|
||||
- perf scripting: Avoid leaking the scripting_context variable
|
||||
- perf jit: Enable jitdump support without dwarf
|
||||
- [armhf] dts: bcm283x: fix typo in mailbox address
|
||||
- [armhf] dts: imx6q-cm-fx6: fix fec pinctrl
|
||||
- [armhf] dts: omap3: Add DTS for Logic PD SOM-LV 37xx Dev Kit
|
||||
- tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
|
||||
- [x86] PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
|
||||
- rcu: Narrow early boot window of illegal synchronous grace periods
|
||||
- sunrpc: don't call sleeping functions from the notifier block callbacks
|
||||
- svcrpc: don't leak contexts on PROC_DESTROY
|
||||
- libnvdimm, namespace: fix pmem namespace leak, delete when size set to
|
||||
zero
|
||||
- fuse: clear FR_PENDING flag when moving requests out of pending queue
|
||||
- fuse: fix time_to_jiffies nsec sanity check
|
||||
- PCI: Enumerate switches below PCI-to-PCIe bridges
|
||||
- HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
|
||||
- HID: corsair: fix control-transfer error handling
|
||||
- mmc: sdhci-acpi: Only powered up enabled acpi child devices
|
||||
- ieee802154: atusb: do not use the stack for buffers to make them DMA able
|
||||
(CVE-2017-5548)
|
||||
- [s390x] KVM: do not expose random data via facility bitmap
|
||||
- [armhf,arm64] KVM: vgic: Fix deadlock on error handling
|
||||
- [powerpc*] icp-opal: Fix missing KVM case and harden replay
|
||||
- [powerpc*] perf: Fix PM_BRU_CMPL event code for power9
|
||||
- [powerpc*] ptrace: Preserve previous fprs/vsrs on short regset write
|
||||
- [powerpc*] ptrace: Preserve previous TM fprs/vsrs on short regset write
|
||||
- [powerpc*] Ignore reserved field in DCSR and PVR reads and writes
|
||||
- [x86] ioapic: Restore IO-APIC irq_chip retrigger callback
|
||||
- qla2xxx: Fix crash due to null pointer access
|
||||
- mac80211: implement multicast forwarding on fast-RX path
|
||||
- ubifs: Fix journal replay wrt. xattr nodes
|
||||
- [armhf] clocksource/exynos_mct: Clear interrupt when cpu is shut down
|
||||
- svcrdma: avoid duplicate dma unmapping during error recovery
|
||||
- ceph: fix bad endianness handling in parse_reply_info_extra
|
||||
- [armhf] dts: OMAP5 / DRA7: indicate that SATA port 0 is available.
|
||||
- [arm64] avoid returning from bad_mode
|
||||
- [arm64] ptrace: Preserve previous registers for short regset write
|
||||
- [arm64] ptrace: Avoid uninitialised struct padding in fpr_set()
|
||||
- [arm64] ptrace: Reject attempts to set incomplete hardware breakpoint
|
||||
fields
|
||||
- Input: ALPS - fix TrackStick support for SS5 hardware
|
||||
- libceph: ceph_x_encrypt_buflen() takes in_len
|
||||
- libceph: old_key in process_one_ticket() is redundant
|
||||
- libceph: introduce ceph_x_encrypt_offset()
|
||||
- libceph: introduce ceph_crypt() for in-place en/decryption
|
||||
- libceph: rename and align ceph_x_authorizer::reply_buf
|
||||
- libceph: tweak calcu_signature() a little
|
||||
- libceph: switch ceph_x_encrypt() to ceph_crypt()
|
||||
- libceph: switch ceph_x_decrypt() to ceph_crypt()
|
||||
- libceph: remove now unused ceph_*{en,de}crypt*() functions
|
||||
- [armhf] dts: Add an empty chosen node to top level DTSI
|
||||
- [armel,armhf] 8613/1: Fix the uaccess crash on PB11MPCore
|
||||
- ceph: fix scheduler warning due to nested blocking
|
||||
- ceph: fix ceph_get_caps() interruption
|
||||
- ceph: fix endianness of getattr mask in ceph_d_revalidate
|
||||
- ceph: fix endianness bug in frag_tree_split_cmp
|
||||
- libceph: make sure ceph_aes_crypt() IV is aligned
|
||||
- xprtrdma: Make FRWR send queue entry accounting more accurate
|
||||
- xprtrdma: Squelch "max send, max recv" messages at connect time
|
||||
- [arm64] mm: avoid name clash in __page_to_voff()
|
||||
- [arm64] Fix swiotlb fallback allocation
|
||||
- swiotlb: Convert swiotlb_force from int to enum
|
||||
- swiotlb: Add swiotlb=noforce debug option
|
||||
- scsi: ses: Fix SAS device detection in enclosure
|
||||
- scsi: mpt3sas: fix hang on ata passthrough commands
|
||||
- [armhf] PM / devfreq: exynos-bus: Fix the wrong return value
|
||||
- PM / devfreq: Fix the bug of devfreq_add_device when governor is NULL
|
||||
- mtd: spi-nor: Off by one in cqspi_setup_flash()
|
||||
- mtd: spi-nor: Fix some error codes in cqspi_setup_flash()
|
||||
- [x86] ite-cir: initialize use_demodulator before using it
|
||||
- [armhf] dmaengine: pl330: Fix runtime PM support for terminated transfers
|
||||
- [armhf] soc: ti: wkup_m3_ipc: Fix error return code in wkup_m3_ipc_probe()
|
||||
- libceph: uninline ceph_crypto_key_destroy()
|
||||
- libceph: stop allocating a new cipher on every crypto request
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [armel,armhf,s390x,x86] linux-headers: Fix regression of multilib compiler
|
||||
|
@ -365,12 +459,6 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
|
|||
* fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
|
||||
* [rt] genpatch.py: Verify tag and tarball signatures
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
|
||||
* HID: corsair: fix DMA buffers on stack (CVE-2017-5547)
|
||||
* ieee802154: atusb: do not use the stack for buffers to make them DMA able
|
||||
(CVE-2017-5548)
|
||||
|
||||
[ Roger Shimizu ]
|
||||
* [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
|
||||
* drivers/input: Enable TOUCHSCREEN_GOODIX as module (Closes: #851821).
|
||||
|
|
|
@ -1,144 +0,0 @@
|
|||
From: Johan Hovold <johan@kernel.org>
|
||||
Date: Thu, 12 Jan 2017 18:17:42 +0100
|
||||
Subject: HID: corsair: fix DMA buffers on stack
|
||||
Origin: https://git.kernel.org/linus/6d104af38b570d37aa32a5803b04c354f8ed513d
|
||||
|
||||
Not all platforms support DMA to the stack, and specifically since v4.9
|
||||
this is no longer supported on x86 with VMAP_STACK either.
|
||||
|
||||
Note that the macro-mode buffer was larger than necessary.
|
||||
|
||||
Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Johan Hovold <johan@kernel.org>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-corsair.c | 54 ++++++++++++++++++++++++++++++++++++-----------
|
||||
1 file changed, 42 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-corsair.c b/drivers/hid/hid-corsair.c
|
||||
index 717704e..5971907 100644
|
||||
--- a/drivers/hid/hid-corsair.c
|
||||
+++ b/drivers/hid/hid-corsair.c
|
||||
@@ -148,7 +148,11 @@ static enum led_brightness k90_backlight_get(struct led_classdev *led_cdev)
|
||||
struct usb_interface *usbif = to_usb_interface(dev->parent);
|
||||
struct usb_device *usbdev = interface_to_usbdev(usbif);
|
||||
int brightness;
|
||||
- char data[8];
|
||||
+ char *data;
|
||||
+
|
||||
+ data = kmalloc(8, GFP_KERNEL);
|
||||
+ if (!data)
|
||||
+ return -ENOMEM;
|
||||
|
||||
ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
|
||||
K90_REQUEST_STATUS,
|
||||
@@ -158,16 +162,22 @@ static enum led_brightness k90_backlight_get(struct led_classdev *led_cdev)
|
||||
if (ret < 0) {
|
||||
dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
|
||||
ret);
|
||||
- return -EIO;
|
||||
+ ret = -EIO;
|
||||
+ goto out;
|
||||
}
|
||||
brightness = data[4];
|
||||
if (brightness < 0 || brightness > 3) {
|
||||
dev_warn(dev,
|
||||
"Read invalid backlight brightness: %02hhx.\n",
|
||||
data[4]);
|
||||
- return -EIO;
|
||||
+ ret = -EIO;
|
||||
+ goto out;
|
||||
}
|
||||
- return brightness;
|
||||
+ ret = brightness;
|
||||
+out:
|
||||
+ kfree(data);
|
||||
+
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
static enum led_brightness k90_record_led_get(struct led_classdev *led_cdev)
|
||||
@@ -253,7 +263,11 @@ static ssize_t k90_show_macro_mode(struct device *dev,
|
||||
struct usb_interface *usbif = to_usb_interface(dev->parent);
|
||||
struct usb_device *usbdev = interface_to_usbdev(usbif);
|
||||
const char *macro_mode;
|
||||
- char data[8];
|
||||
+ char *data;
|
||||
+
|
||||
+ data = kmalloc(2, GFP_KERNEL);
|
||||
+ if (!data)
|
||||
+ return -ENOMEM;
|
||||
|
||||
ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
|
||||
K90_REQUEST_GET_MODE,
|
||||
@@ -263,7 +277,8 @@ static ssize_t k90_show_macro_mode(struct device *dev,
|
||||
if (ret < 0) {
|
||||
dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
|
||||
ret);
|
||||
- return -EIO;
|
||||
+ ret = -EIO;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
switch (data[0]) {
|
||||
@@ -277,10 +292,15 @@ static ssize_t k90_show_macro_mode(struct device *dev,
|
||||
default:
|
||||
dev_warn(dev, "K90 in unknown mode: %02hhx.\n",
|
||||
data[0]);
|
||||
- return -EIO;
|
||||
+ ret = -EIO;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
- return snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
|
||||
+ ret = snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
|
||||
+out:
|
||||
+ kfree(data);
|
||||
+
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
static ssize_t k90_store_macro_mode(struct device *dev,
|
||||
@@ -320,7 +340,11 @@ static ssize_t k90_show_current_profile(struct device *dev,
|
||||
struct usb_interface *usbif = to_usb_interface(dev->parent);
|
||||
struct usb_device *usbdev = interface_to_usbdev(usbif);
|
||||
int current_profile;
|
||||
- char data[8];
|
||||
+ char *data;
|
||||
+
|
||||
+ data = kmalloc(8, GFP_KERNEL);
|
||||
+ if (!data)
|
||||
+ return -ENOMEM;
|
||||
|
||||
ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
|
||||
K90_REQUEST_STATUS,
|
||||
@@ -330,16 +354,22 @@ static ssize_t k90_show_current_profile(struct device *dev,
|
||||
if (ret < 0) {
|
||||
dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
|
||||
ret);
|
||||
- return -EIO;
|
||||
+ ret = -EIO;
|
||||
+ goto out;
|
||||
}
|
||||
current_profile = data[7];
|
||||
if (current_profile < 1 || current_profile > 3) {
|
||||
dev_warn(dev, "Read invalid current profile: %02hhx.\n",
|
||||
data[7]);
|
||||
- return -EIO;
|
||||
+ ret = -EIO;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
- return snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
|
||||
+ ret = snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
|
||||
+out:
|
||||
+ kfree(data);
|
||||
+
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
static ssize_t k90_store_current_profile(struct device *dev,
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,99 +0,0 @@
|
|||
From: Stefan Schmidt <stefan@osg.samsung.com>
|
||||
Date: Thu, 15 Dec 2016 18:40:14 +0100
|
||||
Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA
|
||||
able
|
||||
Origin: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655
|
||||
|
||||
From 4.9 we should really avoid using the stack here as this will not be DMA
|
||||
able on various platforms. This changes the buffers already being present in
|
||||
time of 4.9 being released. This should go into stable as well.
|
||||
|
||||
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
|
||||
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
||||
---
|
||||
drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++----
|
||||
1 file changed, 27 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
|
||||
index 1253f86..fa3e8c3 100644
|
||||
--- a/drivers/net/ieee802154/atusb.c
|
||||
+++ b/drivers/net/ieee802154/atusb.c
|
||||
@@ -117,13 +117,26 @@ static int atusb_read_reg(struct atusb *atusb, uint8_t reg)
|
||||
{
|
||||
struct usb_device *usb_dev = atusb->usb_dev;
|
||||
int ret;
|
||||
+ uint8_t *buffer;
|
||||
uint8_t value;
|
||||
|
||||
+ buffer = kmalloc(1, GFP_KERNEL);
|
||||
+ if (!buffer)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
|
||||
ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
|
||||
ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
|
||||
- 0, reg, &value, 1, 1000);
|
||||
- return ret >= 0 ? value : ret;
|
||||
+ 0, reg, buffer, 1, 1000);
|
||||
+
|
||||
+ if (ret >= 0) {
|
||||
+ value = buffer[0];
|
||||
+ kfree(buffer);
|
||||
+ return value;
|
||||
+ } else {
|
||||
+ kfree(buffer);
|
||||
+ return ret;
|
||||
+ }
|
||||
}
|
||||
|
||||
static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
|
||||
@@ -608,9 +621,13 @@ static const struct ieee802154_ops atusb_ops = {
|
||||
static int atusb_get_and_show_revision(struct atusb *atusb)
|
||||
{
|
||||
struct usb_device *usb_dev = atusb->usb_dev;
|
||||
- unsigned char buffer[3];
|
||||
+ unsigned char *buffer;
|
||||
int ret;
|
||||
|
||||
+ buffer = kmalloc(3, GFP_KERNEL);
|
||||
+ if (!buffer)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
/* Get a couple of the ATMega Firmware values */
|
||||
ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
|
||||
ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
|
||||
@@ -631,15 +648,20 @@ static int atusb_get_and_show_revision(struct atusb *atusb)
|
||||
dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
|
||||
}
|
||||
|
||||
+ kfree(buffer);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int atusb_get_and_show_build(struct atusb *atusb)
|
||||
{
|
||||
struct usb_device *usb_dev = atusb->usb_dev;
|
||||
- char build[ATUSB_BUILD_SIZE + 1];
|
||||
+ char *build;
|
||||
int ret;
|
||||
|
||||
+ build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
|
||||
+ if (!build)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
|
||||
ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
|
||||
build, ATUSB_BUILD_SIZE, 1000);
|
||||
@@ -648,6 +670,7 @@ static int atusb_get_and_show_build(struct atusb *atusb)
|
||||
dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
|
||||
}
|
||||
|
||||
+ kfree(build);
|
||||
return ret;
|
||||
}
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
From: Gu Zheng <guzheng1@huawei.com>
|
||||
Date: Mon, 9 Jan 2017 09:34:48 +0800
|
||||
Subject: tmpfs: clear S_ISGID when setting posix ACLs
|
||||
Origin: https://git.kernel.org/linus/497de07d89c1410d76a15bec2bb41f24a2a89f31
|
||||
|
||||
This change was missed the tmpfs modification in In CVE-2016-7097
|
||||
commit 073931017b49 ("posix_acl: Clear SGID bit when setting
|
||||
file permissions")
|
||||
It can test by xfstest generic/375, which failed to clear
|
||||
setgid bit in the following test case on tmpfs:
|
||||
|
||||
touch $testfile
|
||||
chown 100:100 $testfile
|
||||
chmod 2755 $testfile
|
||||
_runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
|
||||
|
||||
Signed-off-by: Gu Zheng <guzheng1@huawei.com>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/posix_acl.c | 9 ++++-----
|
||||
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
|
||||
index 5955220..c9d48dc 100644
|
||||
--- a/fs/posix_acl.c
|
||||
+++ b/fs/posix_acl.c
|
||||
@@ -922,11 +922,10 @@ int simple_set_acl(struct inode *inode, struct posix_acl *acl, int type)
|
||||
int error;
|
||||
|
||||
if (type == ACL_TYPE_ACCESS) {
|
||||
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
|
||||
- if (error < 0)
|
||||
- return 0;
|
||||
- if (error == 0)
|
||||
- acl = NULL;
|
||||
+ error = posix_acl_update_mode(inode,
|
||||
+ &inode->i_mode, &acl);
|
||||
+ if (error)
|
||||
+ return error;
|
||||
}
|
||||
|
||||
inode->i_ctime = current_time(inode);
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -99,9 +99,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
|
||||
bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch
|
||||
bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
Loading…
Reference in New Issue