diff --git a/debian/changelog b/debian/changelog
index c85b97a1f..45785430e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -176,6 +176,110 @@ linux-2.6 (3.3~rc6-1~experimental.1) experimental; urgency=low -- Ben Hutchings Sun, 04 Mar 2012 20:27:42 +0000 +linux (3.2.32-1) unstable; urgency=low + + * New upstream stable update: + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.31 + - target: Fix ->data_length re-assignment bug with SCSI overflow + - hpsa: fix handling of protocol error + - cifs: fix return value in cifsConvertToUTF16 + - asix: Support DLink DUB-E100 H/W Ver C1 (Closes: #687567) + - dj: memory scribble in logi_dj + - dm: handle requests beyond end of device instead of using BUG_ON + - md/raid10: fix "enough" function for detecting if array is failed. + - libata: Prevent interface errors with Seagate FreeAgent GoFlex + - vfs: dcache: fix deadlock in tree traversal + - Revert "drm/radeon: rework pll selection (v3)" (regression in 3.2.30) + - HID: hidraw: don't deallocate memory when it is in use + - xfrm: Workaround incompatibility of ESN and async crypto + - xfrm_user: fix various information leaks + - xfrm_user: ensure user supplied esn replay window is valid + - net: guard tcp_set_keepalive() to tcp sockets + - ipv4: raw: fix icmp_filter() + - ipv6: raw: fix icmpv6_filter() + - ipv6: mip6: fix mip6_mh_filter() + - netrom: copy_datagram_iovec can fail + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.32 + - mtd: nand: Use the mirror BBT descriptor when reading its version + - TTY: ttyprintk, don't touch behind tty->write_buf + - n_gsm: fix various serious bugs + - hpsa: Use LUN reset instead of target reset + - staging: comedi: don't dereference user memory for INSN_INTTRIG + - ext4: fix potential deadlock in ext4_nonda_switch() + - staging: comedi: fix memory leak for saved channel list + - scsi_remove_target: fix softlockup regression on hot remove + (Closes: #690990) + - usb: host: xhci: Fix Null pointer dereferencing with 71c731a for + non-x86 systems (regression in 3.2.30) + - ext4: online defrag is not supported for journaled files + - 
staging: comedi: s626: don't dereference insn->data + - serial: pl011: handle corruption at high clock speeds + - ext4: always set i_op in ext4_mknod() + - ext4: fix fdatasync() for files with only i_size changes + - [x86] drm/i915: use adjusted_mode instead of mode for checking the + 6bpc force flag (regression in 3.2.29) + - staging: comedi: jr3_pci: fix iomem dereference + - JFFS2: don't fail on bitflips in OOB + - mtd: nandsim: bugfix: fail if overridesize is too big + - pnfsblock: fix partial page buffer wirte + - target/file: Re-enable optional fd_buffered_io=1 operation + - iscsit: remove incorrect unlock in iscsit_build_sendtargets_resp + - rapidio/rionet: fix multicast packet transmit logic + - ALSA: aloop - add locking to timer access + - [armhf/omap] counter: add locking to read_persistent_clock + - mm: fix invalidate_complete_page2() lock ordering + - mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP + - mm: hugetlb: fix pgoff computation when unmapping page from vma + - hugetlb: do not use vma_hugecache_offset() for vma_prio_tree_foreach + - [x86] firewire: cdev: fix user memory corruption (i386 userland on + amd64 kernel) + - udf: fix retun value on error path in udf_load_logicalvol + - eCryptfs: Unlink lower inode when ecryptfs_create() fails + - eCryptfs: Initialize empty lower files when opening them + - eCryptfs: Revert to a writethrough cache model + - eCryptfs: Write out all dirty pages just before releasing the lower file + - eCryptfs: Call lower ->flush() from ecryptfs_flush() + - mempolicy: remove mempolicy sharing + - mempolicy: fix a race in shared_policy_replace() + - mempolicy: fix refcount leak in mpol_set_shared_policy() + - mempolicy: fix a memory corruption by refcount imbalance in + alloc_pages_vma() + - hpsa: dial down lockup detection during firmware flash + - netfilter: nf_ct_ipv4: packets with wrong ihl are invalid + - netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP + expectation + - netfilter: 
nf_ct_expect: fix possible access to uninitialized timer + - ipvs: fix oops on NAT reply in br_nf context + + [ Ben Hutchings ] + * codel: refine one condition to avoid a nul rec_inv_sqrt + * [mips,mipsel] Ignore NFS/SunRPC ABI changes in 3.2.30 (fixes FTBFS) + * tg3: Fix TSO CAP for 5704 devs w / ASF enabled + * SUNRPC: Set alloc_slot for backchannel tcp ops (regression in 3.2.30) + * iwlwifi: Do not request unreleased firmware for IWL6000 (Closes: #689416) + * aufs: Update to aufs3.2-20120827: + - Fix statfs() values when different block sizes are in use + * udeb: Add hid-logitech-dj to input-modules (Closes: #661379) + * connector: Make CONNECTOR built-in; enable PROC_EVENTS (Closes: #588200) + * e1000e: Change wthresh to 1 to avoid possible Tx stalls + * [x86] efi: Build EFI stub with EFI-appropriate options + * [rt] Update to 3.2.32-rt48: + - random: Make add_interrupt_randomness() work on rt + - softirq: Init softirq local lock after per cpu section is set up + - mm: slab: Fix potential deadlock + - mm: page_alloc: Use local_lock_on() instead of plain spinlock + - rt: rwsem/rwlock: lockdep annotations + - sched: Better debug output for might sleep + - stomp_machine: Use mutex_trylock when called from inactive cpu + * [x86] storvsc: Account for in-transit packets in the RESET path + * fs: handle failed audit_log_start properly + * fs: prevent use after free in auditing when symlink following was denied + * kernel/sys.c: fix stack memory content leak via UNAME26 (CVE-2012-0957) + * ALSA: hda: Fix oops caused by "Fix internal mic for Lenovo Ideapad U300s" + in 3.2.32 + + -- Ben Hutchings Mon, 22 Oct 2012 06:25:37 +0100 + linux (3.2.30-1) unstable; urgency=low * New upstream stable update: diff --git a/debian/config/config b/debian/config/config index 0a58a8381..7e55b3e44 100644 --- a/debian/config/config +++ b/debian/config/config 
@@ -288,7 +288,8 @@ CONFIG_IPWIRELESS=m ## ## file: drivers/connector/Kconfig ## -CONFIG_CONNECTOR=m +CONFIG_CONNECTOR=y +CONFIG_PROC_EVENTS=y ## ## file: drivers/cpufreq/Kconfig diff --git a/debian/installer/modules/input-modules b/debian/installer/modules/input-modules index 8f7f9b373..90317fc0a 100644 --- a/debian/installer/modules/input-modules +++ b/debian/installer/modules/input-modules @@ -4,6 +4,7 @@ hid-apple ? hid-belkin ? hid-microsoft ? hid-logitech ? +hid-logitech-dj hid-monterey ? hid-sunplus ? hid-cherry ? diff --git a/debian/patches/bugfix/all/SUNRPC-Set-alloc_slot-for-backchannel-tcp-ops.patch b/debian/patches/bugfix/all/SUNRPC-Set-alloc_slot-for-backchannel-tcp-ops.patch new file mode 100644 index 000000000..f39dd1ca5 --- /dev/null +++ b/debian/patches/bugfix/all/SUNRPC-Set-alloc_slot-for-backchannel-tcp-ops.patch 
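Review bot: `CONFIG_CONNECTOR=y` with `CONFIG_PROC_EVENTS=y` puts the process-event connector into every kernel built from this config, so it can no longer be left unloaded or blacklisted on hosts that do not want it. The events describe process activity across the whole system, so the privilege needed to subscribe is the control that matters; that should be confirmed for the kernel version being built rather than assumed. The switch from `m` to `y` is presumably needed because PROC_EVENTS can only be enabled with a built-in connector. A comment above the two lines, e.g. `# PROC_EVENTS needs CONNECTOR built in (Closes: #588200)`, would record that reason.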
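Review bot: The new `hid-logitech-dj` entry has no trailing `?`, while every neighbouring HID driver in the hunk, including `hid-logitech ?`, carries one. If `?` marks a module as optional, as its use on the surrounding lines suggests, the udeb build would presumably fail on any flavour where this driver is not built. Writing `hid-logitech-dj ?` would keep it consistent with its siblings. The list continues outside the hunk.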
@@ -0,0 +1,45 @@ +From: Bryan Schumaker +Date: Mon, 24 Sep 2012 13:39:01 -0400 +Subject: SUNRPC: Set alloc_slot for backchannel tcp ops + +commit 84e28a307e376f271505af65a7b7e212dd6f61f4 upstream. + +f39c1bfb5a03e2d255451bff05be0d7255298fa4 (SUNRPC: Fix a UDP transport +regression) introduced the "alloc_slot" function for xprt operations, +but never created one for the backchannel operations. This patch fixes +a null pointer dereference when mounting NFS over v4.1. + +Call Trace: + [] ? xprt_reserve+0x47/0x50 [sunrpc] + [] call_reserve+0x34/0x60 [sunrpc] + [] __rpc_execute+0x90/0x400 [sunrpc] + [] rpc_async_schedule+0x2a/0x40 [sunrpc] + [] process_one_work+0x139/0x500 + [] ? alloc_worker+0x70/0x70 + [] ? __rpc_execute+0x400/0x400 [sunrpc] + [] worker_thread+0x15e/0x460 + [] ? preempt_schedule+0x49/0x70 + [] ? rescuer_thread+0x230/0x230 + [] kthread+0x93/0xa0 + [] kernel_thread_helper+0x4/0x10 + [] ? kthread_freezable_should_stop+0x70/0x70 + [] ? gs_change+0x13/0x13 + +Signed-off-by: Bryan Schumaker +Signed-off-by: Trond Myklebust +--- + net/sunrpc/xprtsock.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index d1988cf..97f8918 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2539,6 +2539,7 @@ static struct rpc_xprt_ops xs_tcp_ops = { + static struct rpc_xprt_ops bc_tcp_ops = { + .reserve_xprt = xprt_reserve_xprt, + .release_xprt = xprt_release_xprt, ++ .alloc_slot = xprt_alloc_slot, + .rpcbind = xs_local_rpcbind, + .buf_alloc = bc_malloc, + .buf_free = bc_free, diff --git a/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch b/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch new file mode 100644 index 000000000..a8a86de0c --- /dev/null +++ b/debian/patches/bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch 
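Review bot: Only `bc_tcp_ops` gains `.alloc_slot = xprt_alloc_slot,` here, so any other `struct rpc_xprt_ops` table in this tree that predates the `alloc_slot` change would presumably fail the same way. The description reports a NULL pointer dereference under `xprt_reserve`, which suggests the callback is invoked without a check. The initializer starts and ends outside the inner hunk, and no other ops tables are visible, so the remaining `rpc_xprt_ops` definitions in the backported tree should be checked before relying on this patch alone. A line in the patch header naming the stable update that introduced the regression (the changelog says 3.2.30) would help whoever later decides when the patch can be dropped.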
@@ -0,0 +1,60 @@ +From: Kees Cook +Date: Fri, 19 Oct 2012 13:56:51 -0700 +Subject: [1/2] kernel/sys.c: fix stack memory content leak via UNAME26 + +commit 2702b1526c7278c4d65d78de209a465d4de2885e upstream. + +Calling uname() with the UNAME26 personality set allows a leak of kernel +stack contents. This fixes it by defensively calculating the length of +copy_to_user() call, making the len argument unsigned, and initializing +the stack buffer to zero (now technically unneeded, but hey, overkill). + +CVE-2012-0957 + +Reported-by: PaX Team +Signed-off-by: Kees Cook +Cc: Andi Kleen +Cc: PaX Team +Cc: Brad Spengler +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + kernel/sys.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/kernel/sys.c b/kernel/sys.c +index c5cb5b9..01865c6 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem); + * Work around broken programs that cannot handle "Linux 3.0". + * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40 + */ +-static int override_release(char __user *release, int len) ++static int override_release(char __user *release, size_t len) + { + int ret = 0; +- char buf[65]; + + if (current->personality & UNAME26) { +- char *rest = UTS_RELEASE; ++ const char *rest = UTS_RELEASE; ++ char buf[65] = { 0 }; + int ndots = 0; + unsigned v; ++ size_t copy; + + while (*rest) { + if (*rest == '.' && ++ndots >= 3) +@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len) + rest++; + } + v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; +- snprintf(buf, len, "2.6.%u%s", v, rest); +- ret = copy_to_user(release, buf, len); ++ copy = min(sizeof(buf), max_t(size_t, 1, len)); ++ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); ++ ret = copy_to_user(release, buf, copy + 1); + } + return ret; + } 
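Review bot: The line `ret = copy_to_user(release, buf, copy + 1);` relies on two facts the code does not state: `scnprintf` returns the number of characters stored excluding the NUL, and `copy` was first limited to `sizeof(buf)`, so `copy + 1` never reaches past the bytes just written. A comment above that line, e.g. `/* scnprintf() returns chars written excluding NUL; +1 copies the terminator and nothing beyond it */`, would keep a later edit from reintroducing the over-long copy. The literal in `char buf[65]` presumably mirrors the size of the caller's release field, which is not visible in these hunks; tying it to that field's size constant would stop the two drifting apart. With `len` equal to 0 the lower bound of 1 still writes one byte to `release`, so the function's comment should say that callers must pass a non-empty buffer. `override_release` spans both inner hunks and its middle lies outside them.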
diff --git a/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch b/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch new file mode 100644 index 000000000..0f60973f9 --- /dev/null +++ b/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch @@ -0,0 +1,32 @@ +From: Kees Cook +Date: Fri, 19 Oct 2012 18:45:53 -0700 +Subject: [2/2] use clamp_t in UNAME26 fix + +commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream. + +The min/max call needed to have explicit types on some architectures +(e.g. mn10300). Use clamp_t instead to avoid the warning: + + kernel/sys.c: In function 'override_release': + kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default] + +Reported-by: Fengguang Wu +Signed-off-by: Kees Cook +Signed-off-by: Linus Torvalds +--- + kernel/sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sys.c b/kernel/sys.c +index 01865c6..e6e0ece 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len) + rest++; + } + v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; +- copy = min(sizeof(buf), max_t(size_t, 1, len)); ++ copy = clamp_t(size_t, len, 1, sizeof(buf)); + copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); + ret = copy_to_user(release, buf, copy + 1); + } diff --git a/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch new file mode 100644 index 000000000..06b5a171b --- /dev/null +++ b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch 
@@ -0,0 +1,25 @@ +From: Ben Hutchings +Subject: iwlwifi: Do not request unreleased firmware for IWL6000 +Bug-Debian: http://bugs.debian.org/689416 + +The iwlwifi driver currently supports firmware API versions 4-6 for +these devices. It will request the file for the latest supported +version and then fall back to earlier versions. However, the latest +version that has actually been released is 4, so we expect the +requests for versions 6 and then 5 to fail. + +The installer appears to report any failed request, and it is probably +not easy to detect that this particular failure is harmless. So stop +requesting the unreleased firmware. + +--- a/drivers/net/wireless/iwlwifi/pcie/6000.c ++++ b/drivers/net/wireless/iwlwifi/pcie/6000.c +@@ -32,7 +32,7 @@ + #include "dvm/commands.h" /* needed for BT for now */ + + /* Highest firmware API version supported */ +-#define IWL6000_UCODE_API_MAX 6 ++#define IWL6000_UCODE_API_MAX 4 /* v5-6 are supported but not released */ + #define IWL6050_UCODE_API_MAX 5 + #define IWL6000G2_UCODE_API_MAX 6 + #define IWL6035_UCODE_API_MAX 6 diff --git a/debian/patches/series b/debian/patches/series index a157b2a49..4301211c5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -45,3 +45,7 @@ debian/debugfs-set-default-mode-to-700.patch bugfix/alpha/alpha-use-large-data-model.diff bugfix/all/speakup-lower-default-software-speech-rate.patch +bugfix/all/SUNRPC-Set-alloc_slot-for-backchannel-tcp-ops.patch +debian/iwlwifi-do-not-request-unreleased-firmware.patch +bugfix/all/kernel-sys.c-fix-stack-memory-content-leak-via-UNAME.patch +bugfix/all/use-clamp_t-in-UNAME26-fix.patch
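Review bot: Lowering `IWL6000_UCODE_API_MAX` to 4 also stops the driver from requesting v5 or v6 firmware if it is later released or installed locally, so these devices stay on the v4 image until the patch is dropped. The inline comment says why the value was lowered but not when to revisit it; something like `/* Debian: restore once firmware for API v5/v6 is packaged (#689416) */` would make that explicit. Any companion minimum or "OK" API version constants for IWL6000 defined outside this hunk should be checked to be no greater than 4.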