diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py index 83cea11ef..6d0e0fdc2 100755 --- a/debian/bin/gencontrol.py +++ b/debian/bin/gencontrol.py @@ -32,7 +32,6 @@ class Gencontrol(Base): 'image': { 'bootloaders': config.SchemaItemList(), 'configs': config.SchemaItemList(), - 'initramfs': config.SchemaItemBoolean(), 'initramfs-generators': config.SchemaItemList(), }, 'relations': { @@ -245,7 +244,6 @@ class Gencontrol(Base): override_localversion = config_image.get('override-localversion', None) if override_localversion is not None: vars['localversion-image'] = vars['localversion_headers'] + '-' + override_localversion - vars['initramfs'] = 'YES' if config_image.get('initramfs', True) else '' vars['image-stem'] = config_image.get('install-stem') self._setup_makeflags(self.flavour_makeflags_base, makeflags, config_base) @@ -278,19 +276,18 @@ class Gencontrol(Base): for field in 'Depends', 'Provides', 'Suggests', 'Recommends', 'Conflicts', 'Breaks': image_fields[field] = PackageRelation(config_entry_image.get(field.lower(), None), override_arches=(arch,)) - if config_entry_image.get('initramfs', True): - generators = config_entry_image['initramfs-generators'] - l = PackageRelationGroup() - for i in generators: - i = config_entry_relations.get(i, i) - l.append(i) - a = PackageRelationEntry(i) - if a.operator is not None: - a.operator = -a.operator - image_fields['Breaks'].append(PackageRelationGroup([a])) - for item in l: - item.arches = [arch] - image_fields['Depends'].append(l) + generators = config_entry_image['initramfs-generators'] + l = PackageRelationGroup() + for i in generators: + i = config_entry_relations.get(i, i) + l.append(i) + a = PackageRelationEntry(i) + if a.operator is not None: + a.operator = -a.operator + image_fields['Breaks'].append(PackageRelationGroup([a])) + for item in l: + item.arches = [arch] + image_fields['Depends'].append(l) bootloaders = config_entry_image.get('bootloaders') if bootloaders: diff --git a/debian/bin/stable-update.sh b/debian/bin/stable-update.sh index c3eafb7f0..b5ff44e27 100755 --- a/debian/bin/stable-update.sh +++ b/debian/bin/stable-update.sh @@ -65,7 +65,7 @@ dch -v "$new_pkg_ver" --preserve --multimaint-merge -D UNRELEASED \ echo "New upstream stable update: " while [ "v$cur_ver" != "v$new_ver" ]; do cur_ver="$(next_update "$cur_ver")" - echo "http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-$cur_ver" + echo "https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-$cur_ver" done)" # Then insert the shortlogs with sed diff --git a/debian/changelog b/debian/changelog index 9a0e9c6e8..2acbdcc49 100644 --- a/debian/changelog +++ b/debian/changelog @@ -69,6 +69,72 @@ linux (3.15~rc5-1~exp1) experimental; urgency=medium -- maximilian attems Fri, 16 May 2014 14:33:57 +0200 +linux (3.14.9-1) unstable; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.8 + - Target/iscsi,iser: Avoid accepting transport connections during stop + stage + - iser-target: Fix multi network portal shutdown regression + https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.9 + - target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd + (regression in 3.14.6) + - iscsi-target: Reject mutual authentication with reflected CHAP_C + - ima: audit log files opened with O_DIRECT flag + - ima: introduce ima_kernel_read() (regression in 3.10) + - evm: prohibit userspace writing 'security.evm' HMAC value + - net: Use netlink_ns_capable to verify the permisions of netlink messages + (CVE-2014-0181) + - netlink: Only check file credentials for implicit destinations + - qlcnic: info leak in qlcnic_dcb_peer_app_info() + - ipv6: Fix regression caused by efe4208 in udp_v6_mcast_next() + (regression in 3.13) + - netlink: rate-limit leftover bytes warning and print process name + - bridge: Prevent insertion of FDB entry with disallowed vlan + - net: tunnels - enable module autoloading + - [sparc] net: filter: fix typo in sparc BPF JIT + - sfc: PIO:Restrict to 64bit arch and use 64-bit writes. + (regression in 3.13) + - ipv4: fix a race in ip4_datagram_release_cb() + - sctp: Fix sk_ack_backlog wrap-around problem + - udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup + (regression in 3.13) + - USB: cdc-acm: Fix various bugs in power management + - USB: cdc-acm: fix I/O after failed open + - [x86] hv: use correct order when freeing monitor_pages + - ASoC: dapm: Make sure to always update the DAPM graph in _put_volsw() + (regression in 3.12) + - lzo: properly check for overruns (CVE-2014-4608) + - lz4: ensure length does not wrap (CVE-2014-4608) + - ALSA: compress: Cancel the optimization of compiler and fix the size of + struct for all platform. + - ALSA: control: Protect user controls against concurrent access + (CVE-2014-4652) + - ALSA: control: Fix replacing user controls (CVE-2014-4654, CVE-2014-4655) + - ALSA: control: Don't access controls outside of protected regions + (CVE-2014-4653) + - ALSA: control: Make sure that id->index does not overflow; + Handle numid overflow (CVE-2014-4656) + + [ Ben Hutchings ] + * aufs: Update to aufs3.14-20140616: + - tiny, no msg in spinlock regeion + - minor bugfix, correct error value in link(2) + - O_TMPFILE support + - bugfix, handling an error in opening a FIFO + - propagate aufs file references to new vmas created by remap_file_pages() + * linux-image: Make initramfs support unconditional + * [x86] x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508) + * [rt] Fix latency histogram after "hrtimer: Set expiry time before + switch_hrtimer_base()" in 3.14.6 + + [ Aurelien Jarno ] + * [arm64] Enable COMPAT to support 32-bit binaries. + * [mips,mipsel] Enable initramfs for all flavours, but keep the disk + related drivers built-in for now. + + -- Ben Hutchings Mon, 30 Jun 2014 13:57:11 +0100 + linux (3.14.7-1) unstable; urgency=medium * New upstream stable update: diff --git a/debian/config/arm64/config b/debian/config/arm64/config index 94d894b7f..b2e2a53a8 100644 --- a/debian/config/arm64/config +++ b/debian/config/arm64/config @@ -3,6 +3,7 @@ ## CONFIG_ARCH_VEXPRESS=y CONFIG_ARCH_XGENE=y +CONFIG_COMPAT=y CONFIG_SMP=y CONFIG_XEN=y diff --git a/debian/config/featureset-rt/config b/debian/config/featureset-rt/config index 1610bdc49..247fe31b6 100644 --- a/debian/config/featureset-rt/config +++ b/debian/config/featureset-rt/config @@ -1,10 +1,7 @@ # CONFIG_PREEMPT_VOLUNTARY is not set CONFIG_PREEMPT_RT_FULL=y CONFIG_SCHED_TRACER=y -#. This option is broken after commit 84ea7fe37908 -#. ('hrtimer: Set expiry time before switch_hrtimer_base()') but should be -#. enabled when this is resolved -# CONFIG_MISSED_TIMER_OFFSETS_HIST is not set +CONFIG_MISSED_TIMER_OFFSETS_HIST=y CONFIG_WAKEUP_LATENCY_HIST=y ## disable aufs as it's not needed on rt and conflicts with fs-dentry-use-seqlock.patch diff --git a/debian/config/mips/defines b/debian/config/mips/defines index e2f3af99b..80a168ef8 100644 --- a/debian/config/mips/defines +++ b/debian/config/mips/defines @@ -12,7 +12,6 @@ kernel-arch: mips image-file: vmlinux [image] -initramfs: false install-stem: vmlinux [r4k-ip22_description] diff --git a/debian/config/mipsel/defines b/debian/config/mipsel/defines index eea73f0e5..14a3d1856 100644 --- a/debian/config/mipsel/defines +++ b/debian/config/mipsel/defines @@ -12,7 +12,6 @@ kernel-arch: mips image-file: vmlinux [image] -initramfs: false install-stem: vmlinux [sb1-bcm91250a_description] diff --git a/debian/patches/bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch b/debian/patches/bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch new file mode 100644 index 000000000..a533f48f4 --- /dev/null +++ b/debian/patches/bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch @@ -0,0 +1,56 @@ +From: Andy Lutomirski +Date: Mon, 23 Jun 2014 14:22:15 -0700 +Subject: x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.kernel.org/linus/554086d85e71f30abe46fc014fea31929a7c6a8a + +The bad syscall nr paths are their own incomprehensible route +through the entry control flow. Rearrange them to work just like +syscalls that return -ENOSYS. + +This fixes an OOPS in the audit code when fast-path auditing is +enabled and sysenter gets a bad syscall nr (CVE-2014-4508). + +This has probably been broken since Linux 2.6.27: +af0575bba0 i386 syscall audit fast-path + +Cc: stable@vger.kernel.org +Cc: Roland McGrath +Reported-by: Toralf Förster +Signed-off-by: Andy Lutomirski +Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net +Signed-off-by: H. Peter Anvin +--- + arch/x86/kernel/entry_32.S | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -431,9 +431,10 @@ sysenter_past_esp: + jnz sysenter_audit + sysenter_do_call: + cmpl $(NR_syscalls), %eax +- jae syscall_badsys ++ jae sysenter_badsys + call *sys_call_table(,%eax,4) + movl %eax,PT_EAX(%esp) ++sysenter_after_call: + LOCKDEP_SYS_EXIT + DISABLE_INTERRUPTS(CLBR_ANY) + TRACE_IRQS_OFF +@@ -688,7 +689,12 @@ END(syscall_fault) + + syscall_badsys: + movl $-ENOSYS,PT_EAX(%esp) +- jmp resume_userspace ++ jmp syscall_exit ++END(syscall_badsys) ++ ++sysenter_badsys: ++ movl $-ENOSYS,PT_EAX(%esp) ++ jmp sysenter_after_call + END(syscall_badsys) + CFI_ENDPROC + /* diff --git a/debian/patches/debian/alsa-avoid-abi-change-for-cve-2014-4652-fix.patch b/debian/patches/debian/alsa-avoid-abi-change-for-cve-2014-4652-fix.patch new file mode 100644 index 000000000..8543612ac --- /dev/null +++ b/debian/patches/debian/alsa-avoid-abi-change-for-cve-2014-4652-fix.patch @@ -0,0 +1,33 @@ +From: Ben Hutchings +Date: Sun, 29 Jun 2014 02:05:57 +0100 +Subject: ALSA: Avoid ABI change for CVE-2014-4652 fix +Forwarded: not-needed + +Move the new member snd_card::user_ctl_lock to the end of the structure +and hide it from genksyms. struct snd_card is always allocated by +snd_card_create() in sound/core/init.c and user_ctl_lock is used in +sound/core/control.c, and these are part of the same module so they +are sure to be consistent. + +--- a/include/sound/core.h ++++ b/include/sound/core.h +@@ -121,8 +121,6 @@ struct snd_card { + int user_ctl_count; /* count of all user controls */ + struct list_head controls; /* all controls for this card */ + struct list_head ctl_files; /* active control files */ +- struct mutex user_ctl_lock; /* protects user controls against +- concurrent access */ + + struct snd_info_entry *proc_root; /* root for soundcard specific files */ + struct snd_info_entry *proc_id; /* the card id */ +@@ -149,6 +147,10 @@ struct snd_card { + struct snd_mixer_oss *mixer_oss; + int mixer_oss_change_count; + #endif ++#ifndef __GENKSYMS__ ++ struct mutex user_ctl_lock; /* protects user controls against ++ concurrent access */ ++#endif + }; + + #ifdef CONFIG_PM diff --git a/debian/patches/debian/arch-sh4-fix-uimage-build.patch b/debian/patches/debian/arch-sh4-fix-uimage-build.patch index fa66f450d..6fc5a08e8 100644 --- a/debian/patches/debian/arch-sh4-fix-uimage-build.patch +++ b/debian/patches/debian/arch-sh4-fix-uimage-build.patch @@ -1,6 +1,6 @@ From: Nobuhiro Iwamatsu Subject: [sh4] Fix uImage build -Bug-Debian: http://bugs.debian.org/569034 +Bug-Debian: https://bugs.debian.org/569034 Forwarded: not-needed [bwh: This was added without a description, but I think it is dealing diff --git a/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch b/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch index e4a094656..639fb3c34 100644 --- a/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch +++ b/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch @@ -1,7 +1,7 @@ From: Ben Hutchings Subject: fs: Enable link security restrictions by default Date: Fri, 02 Nov 2012 05:32:06 +0000 -Bug-Debian: http://bugs.debian.org/609455 +Bug-Debian: https://bugs.debian.org/609455 Forwarded: not-needed This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415 diff --git a/debian/patches/debian/ia64-hardcode-arch-script-output.patch b/debian/patches/debian/ia64-hardcode-arch-script-output.patch index 13cd5a865..756e1a43e 100644 --- a/debian/patches/debian/ia64-hardcode-arch-script-output.patch +++ b/debian/patches/debian/ia64-hardcode-arch-script-output.patch @@ -1,7 +1,7 @@ From: dann frazier Subject: Hardcode arch script output Date: Mon, 26 Mar 2007 16:30:51 -0600 -Bug-Debian: http://bugs.debian.org/392592 +Bug-Debian: https://bugs.debian.org/392592 Forwarded: not-needed Here's a patch that simply uses hardcoded definitions instead of diff --git a/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch index bad19fb06..7e05444c7 100644 --- a/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch +++ b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch @@ -1,6 +1,6 @@ From: Ben Hutchings Subject: iwlwifi: Do not request unreleased firmware for IWL6000 -Bug-Debian: http://bugs.debian.org/689416 +Bug-Debian: https://bugs.debian.org/689416 Forwarded: not-needed The iwlwifi driver currently supports firmware API versions 4-6 for diff --git a/debian/patches/debian/powerpcspe-omit-uimage.patch b/debian/patches/debian/powerpcspe-omit-uimage.patch index 6b113d112..d43ff5ec4 100644 --- a/debian/patches/debian/powerpcspe-omit-uimage.patch +++ b/debian/patches/debian/powerpcspe-omit-uimage.patch @@ -4,7 +4,7 @@ Description: Prevent building uImage with missing mkimage available in linux's build-dependencies, and the file is not strictly necessary, so we are omitting this step in the build process, Debian-specific. Author: Roland Stigge -Bug-Debian: http://bugs.debian.org/708094 +Bug-Debian: https://bugs.debian.org/708094 Forwarded: not-needed --- a/arch/powerpc/boot/Makefile diff --git a/debian/patches/debian/snd-pcsp-disable-autoload.patch b/debian/patches/debian/snd-pcsp-disable-autoload.patch index 4776edae1..5871dc6ef 100644 --- a/debian/patches/debian/snd-pcsp-disable-autoload.patch +++ b/debian/patches/debian/snd-pcsp-disable-autoload.patch @@ -2,7 +2,7 @@ From: Ben Hutchings Date: Wed, 05 Feb 2014 23:01:30 +0000 Subject: snd-pcsp: Disable autoload Forwarded: not-needed -Bug-Debian: http://bugs.debian.org/697709 +Bug-Debian: https://bugs.debian.org/697709 There are two drivers claiming the platform:pcspkr device: - pcspkr creates an input(!) device that can only beep diff --git a/debian/patches/debian/yama-disable-by-default.patch b/debian/patches/debian/yama-disable-by-default.patch index 4b665a6ae..f217a22b3 100644 --- a/debian/patches/debian/yama-disable-by-default.patch +++ b/debian/patches/debian/yama-disable-by-default.patch @@ -1,7 +1,7 @@ From: Ben Hutchings Subject: yama: Disable by default Date: Wed, 19 Jun 2013 04:35:28 +0100 -Bug-Debian: http://bugs.debian.org/712740 +Bug-Debian: https://bugs.debian.org/712740 Forwarded: not-needed --- a/security/yama/yama_lsm.c diff --git a/debian/patches/features/all/aufs3/gen-patch b/debian/patches/features/all/aufs3/gen-patch index b7e6c7a01..de50c5214 100755 --- a/debian/patches/features/all/aufs3/gen-patch +++ b/debian/patches/features/all/aufs3/gen-patch @@ -11,7 +11,7 @@ else echo >&2 "W: Cannot include a specific origin URL without an aufs git repo" origin_line='Origin: http://sourceforge.net/p/aufs/aufs3-standalone/ref/master/branches/' fi -bug_line='Bug-Debian: http://bugs.debian.org/541828' +bug_line='Bug-Debian: https://bugs.debian.org/541828' for patch in aufs3-{base,kbuild,mmap,standalone}.patch; do { diff --git a/debian/patches/features/all/rt/fix-latency-histogram-after-hrtimer-set-expiry-time-before-switch_hrtimer_base.patch b/debian/patches/features/all/rt/fix-latency-histogram-after-hrtimer-set-expiry-time-before-switch_hrtimer_base.patch new file mode 100644 index 000000000..25156e95a --- /dev/null +++ b/debian/patches/features/all/rt/fix-latency-histogram-after-hrtimer-set-expiry-time-before-switch_hrtimer_base.patch @@ -0,0 +1,39 @@ +From: Ben Hutchings +Date: Sat, 28 Jun 2014 23:34:48 +0100 +Subject: Fix latency histogram after "hrtimer: Set expiry time before switch_hrtimer_base()" +Forwarded: http://mid.gmane.org/1403994888.23472.116.camel@deadeye.wl.decadent.org.uk + +In an rt-kernel with CONFIG_MISSED_TIMER_OFFSETS_HIST enabled, +__hrtimer_start_range_ns() now crashes, as new_base is not assigned +before it is used. + +Signed-off-by: Ben Hutchings +Tested-by: Carsten Emde +Cc: stable-rt@vger.kernel.org +--- +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -1106,6 +1106,11 @@ int __hrtimer_start_range_ns(struct hrti + #endif + } + ++ hrtimer_set_expires_range_ns(timer, tim, delta_ns); ++ ++ /* Switch the timer base, if necessary: */ ++ new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); ++ + #ifdef CONFIG_MISSED_TIMER_OFFSETS_HIST + { + ktime_t now = new_base->get_time(); +@@ -1117,11 +1122,6 @@ int __hrtimer_start_range_ns(struct hrti + } + #endif + +- hrtimer_set_expires_range_ns(timer, tim, delta_ns); +- +- /* Switch the timer base, if necessary: */ +- new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); +- + timer_stats_hrtimer_set_start_info(timer); + + leftmost = enqueue_hrtimer(timer, new_base); diff --git a/debian/patches/series b/debian/patches/series index a04655875..85a27b487 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -96,3 +96,4 @@ features/arm/ARM-dts-sun7i-Add-reg_vcc3v3-to-sun7i-board-mmc-node.patch features/arm/ARM-dts-sun7i-cubietruck-set-mmc3-bus-width-property.patch features/arm/ARM-dts-imx6qdl-wandboard-Add-HDMI-support.patch features/arm/ARM-imx-add-HDMI-support-for-SolidRun-HummingBoard-a.patch +bugfix/x86/x86_32-entry-Do-syscall-exit-work-on-badsys-CVE-2014.patch diff --git a/debian/templates/image.plain.postinst.in b/debian/templates/image.plain.postinst.in index fe8ba9b5b..82c92fd68 100755 --- a/debian/templates/image.plain.postinst.in +++ b/debian/templates/image.plain.postinst.in @@ -16,7 +16,6 @@ my $link_in_boot = ""; my $no_symlink = ""; my $do_symlink = "Yes"; # target machine defined my $kimage = "@image-stem@"; -my $initrd = "@initramfs@"; my $mkimage = ""; # command to generate the initrd image my $use_hard_links = ''; # hardlinks do not work across fs boundaries my $postinst_hook = ''; #Normally we do not @@ -532,9 +531,7 @@ if (-d "$modules_base/$version") { # Only change the symlinks if we are not being upgraded if (! defined $ARGV[1] || ! $ARGV[1] || $ARGV[1] =~ m//o) { image_magic($kimage, $image_dest); - if ($initrd) { - image_magic("initrd.img", $image_dest); - } + image_magic("initrd.img", $image_dest); } else { lstat($kimage); @@ -542,12 +539,10 @@ else { handle_missing_link($kimage, $image_dest, "$kimage-$version", $realimageloc); } - if ($initrd) { - lstat("initrd.img"); - if (! -e _) { - handle_missing_link("initrd.img", $image_dest, "initrd.img-$version", - $realimageloc); - } + lstat("initrd.img"); + if (! -e _) { + handle_missing_link("initrd.img", $image_dest, "initrd.img-$version", + $realimageloc); } } diff --git a/debian/templates/image.plain.postrm.in b/debian/templates/image.plain.postrm.in index 016ba5489..3491dfab1 100755 --- a/debian/templates/image.plain.postrm.in +++ b/debian/templates/image.plain.postrm.in @@ -22,7 +22,6 @@ $|=1; my $version = "@abiname@@localversion@"; my $link_in_boot = ""; my $kimage = "@image-stem@"; -my $initrd = "@initramfs@"; my $postrm_hook = ''; #Normally we do not my $package_name = "linux-image-$version"; @@ -230,8 +229,8 @@ if ($ARGV[0] !~ /upgrade/) { # check and remove damaged and dangling symlinks image_magic($kimage, $image_dest); image_magic($kimage . ".old", $image_dest); - image_magic("initrd.img", $image_dest) if $initrd; - image_magic("initrd.img.old", $image_dest) if $initrd; + image_magic("initrd.img", $image_dest); + image_magic("initrd.img.old", $image_dest); }