From a873a1d79d5ae1996d19b84ef2516f872003ac28 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 26 Jan 2017 19:24:33 +0000 Subject: [PATCH] Update to 4.9.6 Drop patches which are included in it. --- debian/changelog | 102 ++++++++++++- ...HID-corsair-fix-DMA-buffers-on-stack.patch | 144 ------------------ ...-do-not-use-the-stack-for-buffers-to.patch | 99 ------------ ...lear-S_ISGID-when-setting-posix-ACLs.patch | 45 ------ debian/patches/series | 3 - 5 files changed, 95 insertions(+), 298 deletions(-) delete mode 100644 debian/patches/bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch delete mode 100644 debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch delete mode 100644 debian/patches/bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch diff --git a/debian/changelog b/debian/changelog index 153220295..4eaa19682 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.9.5-1) UNRELEASED; urgency=medium +linux (4.9.6-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.3 
@@ -344,6 +344,100 @@ linux (4.9.5-1) UNRELEASED; urgency=medium - [arm64] hugetlb: remove the wrong pmd check in find_num_contig() - [arm64] hugetlb: fix the wrong return value for huge_ptep_set_access_flags + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.6 + - IB/core: Release allocated memory in cache setup failure + - IB/rxe: Increase max number of completions to 32k + - IB/rxe: avoid putting a large struct rxe_qp on stack + - IB/mlx5: Avoid system crash when enabling many VFs + - IB/mlx5: Fix reported max SGE calculation + - IB/mlx5: Assign SRQ type earlier + - IB/mlx5: Wait for all async command completions to complete + - IB/mlx4: Set traffic class in AH + - IB/mlx4: Fix out-of-range array index in destroy qp flow + - IB/mlx4: Handle well-known-gid in mad_demux processing + - IB/mlx4: Fix port query for 56Gb Ethernet links + - IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs + - IB/mlx4: Check if GRH is available before using it + - IB/IPoIB: Remove can't use GFP_NOIO warning + - perf trace: Use the syscall raw_syscalls:sys_enter timestamp + - perf mem: Fix --all-user/--all-kernel options + - perf trace: Check if MAP_32BIT is defined (again) + - perf diff: Do not overwrite valid build id + - perf callchain: Fixup help/config for no-unwinding + - perf scripting: Avoid leaking the scripting_context variable + - perf jit: Enable jitdump support without dwarf + - [armhf] dts: bcm283x: fix typo in mailbox address + - [armhf] dts: imx6q-cm-fx6: fix fec pinctrl + - [armhf] dts: omap3: Add DTS for Logic PD SOM-LV 37xx Dev Kit + - tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551) + - [x86] PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F + - rcu: Narrow early boot window of illegal synchronous grace periods + - sunrpc: don't call sleeping functions from the notifier block callbacks + - svcrpc: don't leak contexts on PROC_DESTROY + - libnvdimm, namespace: fix pmem namespace leak, delete when size set to + zero + - fuse: clear FR_PENDING 
flag when moving requests out of pending queue + - fuse: fix time_to_jiffies nsec sanity check + - PCI: Enumerate switches below PCI-to-PCIe bridges + - HID: corsair: fix DMA buffers on stack (CVE-2017-5547) + - HID: corsair: fix control-transfer error handling + - mmc: sdhci-acpi: Only powered up enabled acpi child devices + - ieee802154: atusb: do not use the stack for buffers to make them DMA able + (CVE-2017-5548) + - [s390x] KVM: do not expose random data via facility bitmap + - [armhf,arm64] KVM: vgic: Fix deadlock on error handling + - [powerpc*] icp-opal: Fix missing KVM case and harden replay + - [powerpc*] perf: Fix PM_BRU_CMPL event code for power9 + - [powerpc*] ptrace: Preserve previous fprs/vsrs on short regset write + - [powerpc*] ptrace: Preserve previous TM fprs/vsrs on short regset write + - [powerpc*] Ignore reserved field in DCSR and PVR reads and writes + - [x86] ioapic: Restore IO-APIC irq_chip retrigger callback + - qla2xxx: Fix crash due to null pointer access + - mac80211: implement multicast forwarding on fast-RX path + - ubifs: Fix journal replay wrt. xattr nodes + - [armhf] clocksource/exynos_mct: Clear interrupt when cpu is shut down + - svcrdma: avoid duplicate dma unmapping during error recovery + - ceph: fix bad endianness handling in parse_reply_info_extra + - [armhf] dts: OMAP5 / DRA7: indicate that SATA port 0 is available. 
+ - [arm64] avoid returning from bad_mode + - [arm64] ptrace: Preserve previous registers for short regset write + - [arm64] ptrace: Avoid uninitialised struct padding in fpr_set() + - [arm64] ptrace: Reject attempts to set incomplete hardware breakpoint + fields + - Input: ALPS - fix TrackStick support for SS5 hardware + - libceph: ceph_x_encrypt_buflen() takes in_len + - libceph: old_key in process_one_ticket() is redundant + - libceph: introduce ceph_x_encrypt_offset() + - libceph: introduce ceph_crypt() for in-place en/decryption + - libceph: rename and align ceph_x_authorizer::reply_buf + - libceph: tweak calcu_signature() a little + - libceph: switch ceph_x_encrypt() to ceph_crypt() + - libceph: switch ceph_x_decrypt() to ceph_crypt() + - libceph: remove now unused ceph_*{en,de}crypt*() functions + - [armhf] dts: Add an empty chosen node to top level DTSI + - [armel,armhf] 8613/1: Fix the uaccess crash on PB11MPCore + - ceph: fix scheduler warning due to nested blocking + - ceph: fix ceph_get_caps() interruption + - ceph: fix endianness of getattr mask in ceph_d_revalidate + - ceph: fix endianness bug in frag_tree_split_cmp + - libceph: make sure ceph_aes_crypt() IV is aligned + - xprtrdma: Make FRWR send queue entry accounting more accurate + - xprtrdma: Squelch "max send, max recv" messages at connect time + - [arm64] mm: avoid name clash in __page_to_voff() + - [arm64] Fix swiotlb fallback allocation + - swiotlb: Convert swiotlb_force from int to enum + - swiotlb: Add swiotlb=noforce debug option + - scsi: ses: Fix SAS device detection in enclosure + - scsi: mpt3sas: fix hang on ata passthrough commands + - [armhf] PM / devfreq: exynos-bus: Fix the wrong return value + - PM / devfreq: Fix the bug of devfreq_add_device when governor is NULL + - mtd: spi-nor: Off by one in cqspi_setup_flash() + - mtd: spi-nor: Fix some error codes in cqspi_setup_flash() + - [x86] ite-cir: initialize use_demodulator before using it + - [armhf] dmaengine: pl330: Fix runtime PM 
support for terminated transfers + - [armhf] soc: ti: wkup_m3_ipc: Fix error return code in wkup_m3_ipc_probe() + - libceph: uninline ceph_crypto_key_destroy() + - libceph: stop allocating a new cipher on every crypto request [ Ben Hutchings ] * [armel,armhf,s390x,x86] linux-headers: Fix regression of multilib compiler @@ -365,12 +459,6 @@ linux (4.9.5-1) UNRELEASED; urgency=medium * fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10 * [rt] genpatch.py: Verify tag and tarball signatures - [ Salvatore Bonaccorso ] - * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551) - * HID: corsair: fix DMA buffers on stack (CVE-2017-5547) - * ieee802154: atusb: do not use the stack for buffers to make them DMA able - (CVE-2017-5548) - [ Roger Shimizu ] * [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL) * drivers/input: Enable TOUCHSCREEN_GOODIX as module (Closes: #851821). diff --git a/debian/patches/bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch b/debian/patches/bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch deleted file mode 100644 index a2240bdc4..000000000 --- a/debian/patches/bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From: Johan Hovold -Date: Thu, 12 Jan 2017 18:17:42 +0100 -Subject: HID: corsair: fix DMA buffers on stack -Origin: https://git.kernel.org/linus/6d104af38b570d37aa32a5803b04c354f8ed513d - -Not all platforms support DMA to the stack, and specifically since v4.9 -this is no longer supported on x86 with VMAP_STACK either. - -Note that the macro-mode buffer was larger than necessary. - -Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver") -Cc: stable -Signed-off-by: Johan Hovold -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-corsair.c | 54 ++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 42 insertions(+), 12 deletions(-) - -diff --git a/drivers/hid/hid-corsair.c b/drivers/hid/hid-corsair.c -index 717704e..5971907 100644 ---- a/drivers/hid/hid-corsair.c -+++ b/drivers/hid/hid-corsair.c -@@ -148,7 +148,11 @@ static enum led_brightness k90_backlight_get(struct led_classdev *led_cdev) - struct usb_interface *usbif = to_usb_interface(dev->parent); - struct usb_device *usbdev = interface_to_usbdev(usbif); - int brightness; -- char data[8]; -+ char *data; -+ -+ data = kmalloc(8, GFP_KERNEL); -+ if (!data) -+ return -ENOMEM; - - ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), - K90_REQUEST_STATUS, -@@ -158,16 +162,22 @@ static enum led_brightness k90_backlight_get(struct led_classdev *led_cdev) - if (ret < 0) { - dev_warn(dev, "Failed to get K90 initial state (error %d).\n", - ret); -- return -EIO; -+ ret = -EIO; -+ goto out; - } - brightness = data[4]; - if (brightness < 0 || brightness > 3) { - dev_warn(dev, - "Read invalid backlight brightness: %02hhx.\n", - data[4]); -- return -EIO; -+ ret = -EIO; -+ goto out; - } -- return brightness; -+ ret = brightness; -+out: -+ kfree(data); -+ -+ return ret; - } - - static enum led_brightness k90_record_led_get(struct led_classdev *led_cdev) -@@ -253,7 +263,11 @@ static ssize_t k90_show_macro_mode(struct device *dev, - struct usb_interface *usbif = 
to_usb_interface(dev->parent); - struct usb_device *usbdev = interface_to_usbdev(usbif); - const char *macro_mode; -- char data[8]; -+ char *data; -+ -+ data = kmalloc(2, GFP_KERNEL); -+ if (!data) -+ return -ENOMEM; - - ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), - K90_REQUEST_GET_MODE, -@@ -263,7 +277,8 @@ static ssize_t k90_show_macro_mode(struct device *dev, - if (ret < 0) { - dev_warn(dev, "Failed to get K90 initial mode (error %d).\n", - ret); -- return -EIO; -+ ret = -EIO; -+ goto out; - } - - switch (data[0]) { -@@ -277,10 +292,15 @@ static ssize_t k90_show_macro_mode(struct device *dev, - default: - dev_warn(dev, "K90 in unknown mode: %02hhx.\n", - data[0]); -- return -EIO; -+ ret = -EIO; -+ goto out; - } - -- return snprintf(buf, PAGE_SIZE, "%s\n", macro_mode); -+ ret = snprintf(buf, PAGE_SIZE, "%s\n", macro_mode); -+out: -+ kfree(data); -+ -+ return ret; - } - - static ssize_t k90_store_macro_mode(struct device *dev, -@@ -320,7 +340,11 @@ static ssize_t k90_show_current_profile(struct device *dev, - struct usb_interface *usbif = to_usb_interface(dev->parent); - struct usb_device *usbdev = interface_to_usbdev(usbif); - int current_profile; -- char data[8]; -+ char *data; -+ -+ data = kmalloc(8, GFP_KERNEL); -+ if (!data) -+ return -ENOMEM; - - ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), - K90_REQUEST_STATUS, -@@ -330,16 +354,22 @@ static ssize_t k90_show_current_profile(struct device *dev, - if (ret < 0) { - dev_warn(dev, "Failed to get K90 initial state (error %d).\n", - ret); -- return -EIO; -+ ret = -EIO; -+ goto out; - } - current_profile = data[7]; - if (current_profile < 1 || current_profile > 3) { - dev_warn(dev, "Read invalid current profile: %02hhx.\n", - data[7]); -- return -EIO; -+ ret = -EIO; -+ goto out; - } - -- return snprintf(buf, PAGE_SIZE, "%d\n", current_profile); -+ ret = snprintf(buf, PAGE_SIZE, "%d\n", current_profile); -+out: -+ kfree(data); -+ -+ return ret; - } - - static ssize_t 
k90_store_current_profile(struct device *dev, --- -2.1.4 - diff --git a/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch b/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch deleted file mode 100644 index 7fe5415c6..000000000 --- a/debian/patches/bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From: Stefan Schmidt -Date: Thu, 15 Dec 2016 18:40:14 +0100 -Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA - able -Origin: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 - -From 4.9 we should really avoid using the stack here as this will not be DMA -able on various platforms. This changes the buffers already being present in -time of 4.9 being released. This should go into stable as well. - -Reported-by: Dan Carpenter -Cc: stable@vger.kernel.org -Signed-off-by: Stefan Schmidt -Signed-off-by: Marcel Holtmann ---- - drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++---- - 1 file changed, 27 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c -index 1253f86..fa3e8c3 100644 ---- a/drivers/net/ieee802154/atusb.c -+++ b/drivers/net/ieee802154/atusb.c -@@ -117,13 +117,26 @@ static int atusb_read_reg(struct atusb *atusb, uint8_t reg) - { - struct usb_device *usb_dev = atusb->usb_dev; - int ret; -+ uint8_t *buffer; - uint8_t value; - -+ buffer = kmalloc(1, GFP_KERNEL); -+ if (!buffer) -+ return -ENOMEM; -+ - dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg); - ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0), - ATUSB_REG_READ, ATUSB_REQ_FROM_DEV, -- 0, reg, &value, 1, 1000); -- return ret >= 0 ? 
value : ret; -+ 0, reg, buffer, 1, 1000); -+ -+ if (ret >= 0) { -+ value = buffer[0]; -+ kfree(buffer); -+ return value; -+ } else { -+ kfree(buffer); -+ return ret; -+ } - } - - static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask, -@@ -608,9 +621,13 @@ static const struct ieee802154_ops atusb_ops = { - static int atusb_get_and_show_revision(struct atusb *atusb) - { - struct usb_device *usb_dev = atusb->usb_dev; -- unsigned char buffer[3]; -+ unsigned char *buffer; - int ret; - -+ buffer = kmalloc(3, GFP_KERNEL); -+ if (!buffer) -+ return -ENOMEM; -+ - /* Get a couple of the ATMega Firmware values */ - ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0), - ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0, -@@ -631,15 +648,20 @@ static int atusb_get_and_show_revision(struct atusb *atusb) - dev_info(&usb_dev->dev, "Please update to version 0.2 or newer"); - } - -+ kfree(buffer); - return ret; - } - - static int atusb_get_and_show_build(struct atusb *atusb) - { - struct usb_device *usb_dev = atusb->usb_dev; -- char build[ATUSB_BUILD_SIZE + 1]; -+ char *build; - int ret; - -+ build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL); -+ if (!build) -+ return -ENOMEM; -+ - ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0), - ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0, - build, ATUSB_BUILD_SIZE, 1000); -@@ -648,6 +670,7 @@ static int atusb_get_and_show_build(struct atusb *atusb) - dev_info(&usb_dev->dev, "Firmware: build %s\n", build); - } - -+ kfree(build); - return ret; - } - --- -2.1.4 - diff --git a/debian/patches/bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch b/debian/patches/bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch deleted file mode 100644 index faec91e99..000000000 --- a/debian/patches/bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From: Gu Zheng -Date: Mon, 9 Jan 2017 09:34:48 +0800 -Subject: tmpfs: clear S_ISGID when setting posix ACLs -Origin: https://git.kernel.org/linus/497de07d89c1410d76a15bec2bb41f24a2a89f31 - -This change was missed the tmpfs modification in In CVE-2016-7097 -commit 073931017b49 ("posix_acl: Clear SGID bit when setting -file permissions") -It can test by xfstest generic/375, which failed to clear -setgid bit in the following test case on tmpfs: - - touch $testfile - chown 100:100 $testfile - chmod 2755 $testfile - _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile - -Signed-off-by: Gu Zheng -Signed-off-by: Al Viro ---- - fs/posix_acl.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/fs/posix_acl.c b/fs/posix_acl.c -index 5955220..c9d48dc 100644 ---- a/fs/posix_acl.c -+++ b/fs/posix_acl.c -@@ -922,11 +922,10 @@ int simple_set_acl(struct inode *inode, struct posix_acl *acl, int type) - int error; - - if (type == ACL_TYPE_ACCESS) { -- error = posix_acl_equiv_mode(acl, &inode->i_mode); -- if (error < 0) -- return 0; -- if (error == 0) -- acl = NULL; -+ error = posix_acl_update_mode(inode, -+ &inode->i_mode, &acl); -+ if (error) -+ return error; - } - - inode->i_ctime = current_time(inode); --- -2.1.4 - diff --git a/debian/patches/series b/debian/patches/series index 79657e6e4..2f7f984bd 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -99,9 +99,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch -bugfix/all/HID-corsair-fix-DMA-buffers-on-stack.patch -bugfix/all/ieee802154-atusb-do-not-use-the-stack-for-buffers-to.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
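Review bot: In debian/changelog, the hunk at @@ -365,12 +459,6 @@ deletes the whole [ Salvatore Bonaccorso ] block, so the three CVE fixes are now recorded only as upstream entries under ChangeLog-4.9.6. The ids carry over correctly (CVE-2017-5551 on the tmpfs entry, CVE-2017-5547 on HID: corsair, CVE-2017-5548 on ieee802154: atusb), but the commit message says only "Drop patches which are included in it". Naming the three dropped patch files there would make this commit findable from git log by patch name or CVE.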
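Review bot: In the deleted HID-corsair-fix-DMA-buffers-on-stack.patch, the k90_show_macro_mode() hunk shrinks the buffer to kmalloc(2, GFP_KERNEL), but the length argument of the usb_control_msg() call that fills it lies outside the visible context. Before relying on the 4.9.6 copy of this change, confirm that the transfer length there was reduced to match and is not still the old 8. Separately, k90_backlight_get() is declared as returning enum led_brightness yet gains `return -ENOMEM;` and returns -EIO through ret; that is a point to raise upstream rather than in this packaging commit.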
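Review bot: In the deleted ieee802154-atusb patch, atusb_get_and_show_build() prints build with %s from a kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL) buffer, which is not zeroed, and the line that terminates the string is not in the visible context. The old stack array was not initialised either, so check in the 4.9.6 source that build is NUL-terminated after the transfer and before the dev_info() call. In atusb_get_and_show_revision() the added kfree(buffer) sits only before the final `return ret;`, which is correct as long as the lines elided between the two hunks contain no earlier return.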
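Review bot: In the deleted tmpfs-clear-S_ISGID patch, the simple_set_acl() hunk changes more than the setgid handling: the old code returned 0 when posix_acl_equiv_mode() failed (`if (error < 0) return 0;`), while the new code returns the error from posix_acl_update_mode(). Since this fix now arrives only through 4.9.6, rerun the generic/375 case quoted in the patch description on tmpfs with the 4.9.6 build to confirm that the setgid bit is still cleared once the local patch is gone.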