debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

Update to 4.9.15 

Drop one patch included in 4.9.15

Ignore ABI changes for

  module:drivers/nvdimm/libnvdimm
  module:drivers/target/**
  debugfs_create_automount
This commit is contained in:
Salvatore Bonaccorso 2017-03-19 13:27:09 +01:00
parent 73b2f137b6
commit f271c6453d
4 changed files with 72 additions and 316 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
debian/changelog vendored
View File

@ -1,4 +1,4 @@
linux (4.9.14-1) UNRELEASED; urgency=medium
linux (4.9.15-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.14
@ -134,6 +134,73 @@ linux (4.9.14-1) UNRELEASED; urgency=medium
- ceph: update readpages osd request according to size of pages
- netfilter: conntrack: remove GC_MAX_EVICTS break
- netfilter: conntrack: refine gc worker heuristics, redux
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.15
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (CVE-2017-2636)
(Closes: #858122)
- serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
- [s390x] KVM: Disable dirty log retrieval for UCONTROL guests
- [x86] KVM: VMX: use correct vmcs_read/write for guest segment
selector/base
- Bluetooth: Add another AR3012 04ca:3018 device
- [s390x] qdio: clear DSCI prior to scanning multiple input queues
- [s390x] dcssblk: fix device size calculation in dcssblk_direct_access()
- [s390x] kdump: Use "LINUX" ELF note name instead of "CORE"
- [s390x] chsc: Add exception handler for CHSC instruction
- [s390x] TASK_SIZE for kernel threads
- [s390x] make setup_randomness work
- [s390x] use correct input data address for setup_randomness
- [armhf] net: mvpp2: fix DMA address calculation in mvpp2_txq_inc_put()
- [powerpc*] cxl: Prevent read/write to AFU config space while AFU not
configured
- [powerpc*] cxl: fix nested locking hang during EEH hotplug
- brcmfmac: fix incorrect event channel deduction
- mnt: Tuck mounts under others instead of creating shadow/side mounts.
- IB/ipoib: Fix deadlock between rmmod and set_mode
- IB/IPoIB: Add destination address when re-queue packet
- IB/mlx5: Fix out-of-bound access
- IB/SRP: Avoid using IB_MR_TYPE_SG_GAPS
- IB/srp: Avoid that duplicate responses trigger a kernel bug
- IB/srp: Fix race conditions related to task management
- fs: Better permission checking for submounts
- ceph: remove req from unsafe list when unregistering it
- [powerpc*] pci/hotplug/pnv-php: Remove WARN_ON() in pnv_php_put_slot()
- [powerpc*] pci/hotplug/pnv-php: Disable surprise hotplug capability on
conflicts
- target: Fix NULL dereference during LUN lookup + active I/O shutdown
- [powerpc*] drivers/pci/hotplug: Handle presence detection change
properly
- [powerpc*] drivers/pci/hotplug: Fix initial state for empty slot
- nlm: Ensure callback code also checks that the files match
- nfit, libnvdimm: fix interleave set cookie calculation
- mac80211: flush delayed work when entering suspend
- mac80211: don't reorder frames with SN smaller than SSN
- mac80211: don't handle filtered frames within a BA session
- mac80211: use driver-indicated transmitter STA only for data frames
- [x86] drm/amdgpu: add more cases to DCE11 possible crtc mask setup
- [arm64,powerpc*,x86] drm/ast: Fix test for VGA enabled
- [arm64,powerpc*,x86] drm/ast: Call open_key before enable_mmio in POST
code
- [arm64,powerpc*,x86] drm/ast: Fix AST2400 POST failure without BMC FW or
VBIOS
- drm/edid: Add EDID_QUIRK_FORCE_8BPC quirk for Rotel RSX-1058
- [x86] drm/vmwgfx: Work around drm removal of control nodes
- [armhf] dmaengine: imx-sdma - correct the dma transfer residue
calculation
- drm/atomic: fix an error code in mode_fixup()
- [x86] drm/i915/gvt: Disable access to stolen memory as a guest
- drm: Cancel drm_fb_helper_dirty_work on unload
- drm: Cancel drm_fb_helper_resume_work on unload
- [x86] drm/i915: Avoid spurious WARNs about the wrong pipe in the PPS
code
- [x86] drm/i915: Fix not finding the VBT when it overlaps with
OPREGION_ASLE_EXT
- libceph: use BUG() instead of BUG_ON(1)
- [x86] mm: fix gup_pte_range() vs DAX mappings
- [x86] tlb: Fix tlb flushing when lguest clears PGE
- thp: fix another corner case of munlock() vs. THPs
- mm: do not call mem_cgroup_free() from within mem_cgroup_alloc()
- fat: fix using uninitialized fields of fat_inode/fsinfo_inode
- [x86] drivers: hv: Turn off write permission on the hypercall page
[ Ben Hutchings ]
* [media] dvb-usb: don't use stack for firmware load or reset
@ -142,8 +209,6 @@ linux (4.9.14-1) UNRELEASED; urgency=medium
(regression in 4.8) (Closes: #856474)
* [rt] Update to 4.9.13-rt12:
- timer/hrtimer: check properly for a running timer
* tty: n_hdlc: get rid of racy n_hdlc.tbuf (CVE-2017-2636)
(Closes: #858122)
* [rt] Refresh one patch that had a textual conflict with 4.9.14
* Ignore ABI changes in rds and ufshcd, not useful to OOT modules
* ucount: Remove the atomicity from ucount->count (CVE-2017-6874)

4
debian/config/defines vendored
View File

@ -28,6 +28,10 @@ ignore-changes:
acpi_ec_remove_query_handler
# not declared in a public header
first_ec
# Ignore some ABI changes from 4.9.15 import
module:drivers/nvdimm/libnvdimm
module:drivers/target/**
debugfs_create_automount
[base]
arches:

312
debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch vendored
View File

@ -1,312 +0,0 @@
From: Alexander Popov <alex.popov@linux.com>
Date: Tue, 28 Feb 2017 19:54:40 +0300
Subject: tty: n_hdlc: get rid of racy n_hdlc.tbuf
Origin: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?id=82f2341c94d270421f383641b7cd670e474db56b
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2636
Currently N_HDLC line discipline uses a self-made singly linked list for
data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
an error.
The commit be10eb7589337e5defbe214dae038a53dd21add8
("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
one data buffer to tx_free_buf_list twice. That causes double free in
n_hdlc_release().
Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
in case of tx error put current data buffer after the head of tx_buf_list.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/n_hdlc.c | 132 +++++++++++++++++++++++++++------------------------
1 file changed, 69 insertions(+), 63 deletions(-)
diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index 1bacbc3..e94aea8 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -114,7 +114,7 @@
#define DEFAULT_TX_BUF_COUNT 3
struct n_hdlc_buf {
- struct n_hdlc_buf *link;
+ struct list_head list_item;
int count;
char buf[1];
};
@@ -122,8 +122,7 @@ struct n_hdlc_buf {
#define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
struct n_hdlc_buf_list {
- struct n_hdlc_buf *head;
- struct n_hdlc_buf *tail;
+ struct list_head list;
int count;
spinlock_t spinlock;
};
@@ -136,7 +135,6 @@ struct n_hdlc_buf_list {
* @backup_tty - TTY to use if tty gets closed
* @tbusy - reentrancy flag for tx wakeup code
* @woke_up - FIXME: describe this field
- * @tbuf - currently transmitting tx buffer
* @tx_buf_list - list of pending transmit frame buffers
* @rx_buf_list - list of received frame buffers
* @tx_free_buf_list - list unused transmit frame buffers
@@ -149,7 +147,6 @@ struct n_hdlc {
struct tty_struct *backup_tty;
int tbusy;
int woke_up;
- struct n_hdlc_buf *tbuf;
struct n_hdlc_buf_list tx_buf_list;
struct n_hdlc_buf_list rx_buf_list;
struct n_hdlc_buf_list tx_free_buf_list;
@@ -159,6 +156,8 @@ struct n_hdlc {
/*
* HDLC buffer list manipulation functions
*/
+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
+ struct n_hdlc_buf *buf);
static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
struct n_hdlc_buf *buf);
static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty)
{
struct n_hdlc *n_hdlc = tty2n_hdlc(tty);
struct n_hdlc_buf *buf;
- unsigned long flags;
while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list)))
n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf);
- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags);
- if (n_hdlc->tbuf) {
- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf);
- n_hdlc->tbuf = NULL;
- }
- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
}
static struct tty_ldisc_ops n_hdlc_ldisc = {
@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc)
} else
break;
}
- kfree(n_hdlc->tbuf);
kfree(n_hdlc);
} /* end of n_hdlc_release() */
@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
n_hdlc->woke_up = 0;
spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
- /* get current transmit buffer or get new transmit */
- /* buffer from list of pending transmit buffers */
-
- tbuf = n_hdlc->tbuf;
- if (!tbuf)
- tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
-
+ tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
while (tbuf) {
if (debuglevel >= DEBUG_LEVEL_INFO)
printk("%s(%d)sending frame %p, count=%d\n",
@@ -420,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
/* rollback was possible and has been done */
if (actual == -ERESTARTSYS) {
- n_hdlc->tbuf = tbuf;
+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
break;
}
/* if transmit error, throw frame away by */
@@ -435,10 +420,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
/* free current transmit buffer */
n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf);
-
- /* this tx buffer is done */
- n_hdlc->tbuf = NULL;
-
+
/* wait up sleeping writers */
wake_up_interruptible(&tty->write_wait);
@@ -448,10 +430,12 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
if (debuglevel >= DEBUG_LEVEL_INFO)
printk("%s(%d)frame %p pending\n",
__FILE__,__LINE__,tbuf);
-
- /* buffer not accepted by driver */
- /* set this buffer as pending buffer */
- n_hdlc->tbuf = tbuf;
+
+ /*
+ * the buffer was not accepted by driver,
+ * return it back into tx queue
+ */
+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
break;
}
}
@@ -749,7 +733,8 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
int error = 0;
int count;
unsigned long flags;
-
+ struct n_hdlc_buf *buf = NULL;
+
if (debuglevel >= DEBUG_LEVEL_INFO)
printk("%s(%d)n_hdlc_tty_ioctl() called %d\n",
__FILE__,__LINE__,cmd);
@@ -763,8 +748,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
/* report count of read data available */
/* in next available frame (if any) */
spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags);
- if (n_hdlc->rx_buf_list.head)
- count = n_hdlc->rx_buf_list.head->count;
+ buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list,
+ struct n_hdlc_buf, list_item);
+ if (buf)
+ count = buf->count;
else
count = 0;
spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags);
@@ -776,8 +763,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
count = tty_chars_in_buffer(tty);
/* add size of next output frame in queue */
spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags);
- if (n_hdlc->tx_buf_list.head)
- count += n_hdlc->tx_buf_list.head->count;
+ buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list,
+ struct n_hdlc_buf, list_item);
+ if (buf)
+ count += buf->count;
spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags);
error = put_user(count, (int __user *)arg);
break;
@@ -825,14 +814,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp,
poll_wait(filp, &tty->write_wait, wait);
/* set bits for operations that won't block */
- if (n_hdlc->rx_buf_list.head)
+ if (!list_empty(&n_hdlc->rx_buf_list.list))
mask |= POLLIN | POLLRDNORM; /* readable */
if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
mask |= POLLHUP;
if (tty_hung_up_p(filp))
mask |= POLLHUP;
if (!tty_is_writelocked(tty) &&
- n_hdlc->tx_free_buf_list.head)
+ !list_empty(&n_hdlc->tx_free_buf_list.list))
mask |= POLLOUT | POLLWRNORM; /* writable */
}
return mask;
@@ -856,7 +845,12 @@ static struct n_hdlc *n_hdlc_alloc(void)
spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
-
+
+ INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list);
+ INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list);
+ INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list);
+ INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list);
+
/* allocate free rx buffer list */
for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
@@ -884,53 +878,65 @@ static struct n_hdlc *n_hdlc_alloc(void)
} /* end of n_hdlc_alloc() */
/**
+ * n_hdlc_buf_return - put the HDLC buffer after the head of the specified list
+ * @buf_list - pointer to the buffer list
+ * @buf - pointer to the buffer
+ */
+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
+ struct n_hdlc_buf *buf)
+{
+ unsigned long flags;
+
+ spin_lock_irqsave(&buf_list->spinlock, flags);
+
+ list_add(&buf->list_item, &buf_list->list);
+ buf_list->count++;
+
+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
+}
+
+/**
* n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
- * @list - pointer to buffer list
+ * @buf_list - pointer to buffer list
* @buf - pointer to buffer
*/
-static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
+static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list,
struct n_hdlc_buf *buf)
{
unsigned long flags;
- spin_lock_irqsave(&list->spinlock,flags);
-
- buf->link=NULL;
- if (list->tail)
- list->tail->link = buf;
- else
- list->head = buf;
- list->tail = buf;
- (list->count)++;
-
- spin_unlock_irqrestore(&list->spinlock,flags);
-
+
+ spin_lock_irqsave(&buf_list->spinlock, flags);
+
+ list_add_tail(&buf->list_item, &buf_list->list);
+ buf_list->count++;
+
+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
} /* end of n_hdlc_buf_put() */
/**
* n_hdlc_buf_get - remove and return an HDLC buffer from list
- * @list - pointer to HDLC buffer list
+ * @buf_list - pointer to HDLC buffer list
*
* Remove and return an HDLC buffer from the head of the specified HDLC buffer
* list.
* Returns a pointer to HDLC buffer if available, otherwise %NULL.
*/
-static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list)
+static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list)
{
unsigned long flags;
struct n_hdlc_buf *buf;
- spin_lock_irqsave(&list->spinlock,flags);
-
- buf = list->head;
+
+ spin_lock_irqsave(&buf_list->spinlock, flags);
+
+ buf = list_first_entry_or_null(&buf_list->list,
+ struct n_hdlc_buf, list_item);
if (buf) {
- list->head = buf->link;
- (list->count)--;
+ list_del(&buf->list_item);
+ buf_list->count--;
}
- if (!list->head)
- list->tail = NULL;
-
- spin_unlock_irqrestore(&list->spinlock,flags);
+
+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
return buf;
-
} /* end of n_hdlc_buf_get() */
static char hdlc_banner[] __initdata =

1
debian/patches/series vendored
View File

@ -119,7 +119,6 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
debian/time-mark-timer_stats-as-broken.patch
bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch
bugfix/all/ucount-remove-the-atomicity-from-ucount-count.patch
# Fix exported symbol versions