diff --git a/debian/changelog b/debian/changelog index 3a6a1bfeb..8b1bf67e5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.9.14-1) UNRELEASED; urgency=medium +linux (4.9.15-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.14 @@ -134,6 +134,73 @@ linux (4.9.14-1) UNRELEASED; urgency=medium - ceph: update readpages osd request according to size of pages - netfilter: conntrack: remove GC_MAX_EVICTS break - netfilter: conntrack: refine gc worker heuristics, redux + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.15 + - tty: n_hdlc: get rid of racy n_hdlc.tbuf (CVE-2017-2636) + (Closes: #858122) + - serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards + - [s390x] KVM: Disable dirty log retrieval for UCONTROL guests + - [x86] KVM: VMX: use correct vmcs_read/write for guest segment + selector/base + - Bluetooth: Add another AR3012 04ca:3018 device + - [s390x] qdio: clear DSCI prior to scanning multiple input queues + - [s390x] dcssblk: fix device size calculation in dcssblk_direct_access() + - [s390x] kdump: Use "LINUX" ELF note name instead of "CORE" + - [s390x] chsc: Add exception handler for CHSC instruction + - [s390x] TASK_SIZE for kernel threads + - [s390x] make setup_randomness work + - [s390x] use correct input data address for setup_randomness + - [armhf] net: mvpp2: fix DMA address calculation in mvpp2_txq_inc_put() + - [powerpc*] cxl: Prevent read/write to AFU config space while AFU not + configured + - [powerpc*] cxl: fix nested locking hang during EEH hotplug + - brcmfmac: fix incorrect event channel deduction + - mnt: Tuck mounts under others instead of creating shadow/side mounts. + - IB/ipoib: Fix deadlock between rmmod and set_mode + - IB/IPoIB: Add destination address when re-queue packet + - IB/mlx5: Fix out-of-bound access + - IB/SRP: Avoid using IB_MR_TYPE_SG_GAPS + - IB/srp: Avoid that duplicate responses trigger a kernel bug + - IB/srp: Fix race conditions related to task management + - fs: Better permission checking for submounts + - ceph: remove req from unsafe list when unregistering it + - [powerpc*] pci/hotplug/pnv-php: Remove WARN_ON() in pnv_php_put_slot() + - [powerpc*] pci/hotplug/pnv-php: Disable surprise hotplug capability on + conflicts + - target: Fix NULL dereference during LUN lookup + active I/O shutdown + - [powerpc*] drivers/pci/hotplug: Handle presence detection change + properly + - [powerpc*] drivers/pci/hotplug: Fix initial state for empty slot + - nlm: Ensure callback code also checks that the files match + - nfit, libnvdimm: fix interleave set cookie calculation + - mac80211: flush delayed work when entering suspend + - mac80211: don't reorder frames with SN smaller than SSN + - mac80211: don't handle filtered frames within a BA session + - mac80211: use driver-indicated transmitter STA only for data frames + - [x86] drm/amdgpu: add more cases to DCE11 possible crtc mask setup + - [arm64,powerpc*,x86] drm/ast: Fix test for VGA enabled + - [arm64,powerpc*,x86] drm/ast: Call open_key before enable_mmio in POST + code + - [arm64,powerpc*,x86] drm/ast: Fix AST2400 POST failure without BMC FW or + VBIOS + - drm/edid: Add EDID_QUIRK_FORCE_8BPC quirk for Rotel RSX-1058 + - [x86] drm/vmwgfx: Work around drm removal of control nodes + - [armhf] dmaengine: imx-sdma - correct the dma transfer residue + calculation + - drm/atomic: fix an error code in mode_fixup() + - [x86] drm/i915/gvt: Disable access to stolen memory as a guest + - drm: Cancel drm_fb_helper_dirty_work on unload + - drm: Cancel drm_fb_helper_resume_work on unload + - [x86] drm/i915: Avoid spurious WARNs about the wrong pipe in the PPS + code + - [x86] drm/i915: Fix not finding the VBT when it overlaps with + OPREGION_ASLE_EXT + - libceph: use BUG() instead of BUG_ON(1) + - [x86] mm: fix gup_pte_range() vs DAX mappings + - [x86] tlb: Fix tlb flushing when lguest clears PGE + - thp: fix another corner case of munlock() vs. THPs + - mm: do not call mem_cgroup_free() from within mem_cgroup_alloc() + - fat: fix using uninitialized fields of fat_inode/fsinfo_inode + - [x86] drivers: hv: Turn off write permission on the hypercall page [ Ben Hutchings ] * [media] dvb-usb: don't use stack for firmware load or reset @@ -142,8 +209,6 @@ linux (4.9.14-1) UNRELEASED; urgency=medium (regression in 4.8) (Closes: #856474) * [rt] Update to 4.9.13-rt12: - timer/hrtimer: check properly for a running timer - * tty: n_hdlc: get rid of racy n_hdlc.tbuf (CVE-2017-2636) - (Closes: #858122) * [rt] Refresh one patch that had a textual conflict with 4.9.14 * Ignore ABI changes in rds and ufshcd, not useful to OOT modules * ucount: Remove the atomicity from ucount->count (CVE-2017-6874) diff --git a/debian/config/defines b/debian/config/defines index cdab0bd8f..8e24bf9cb 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -28,6 +28,10 @@ ignore-changes: acpi_ec_remove_query_handler # not declared in a public header first_ec +# Ignore some ABI changes from 4.9.15 import + module:drivers/nvdimm/libnvdimm + module:drivers/target/** + debugfs_create_automount [base] arches: diff --git a/debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch b/debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch deleted file mode 100644 index 21d471cc6..000000000 --- a/debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch +++ /dev/null @@ -1,312 +0,0 @@ -From: Alexander Popov -Date: Tue, 28 Feb 2017 19:54:40 +0300 -Subject: tty: n_hdlc: get rid of racy n_hdlc.tbuf -Origin: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?id=82f2341c94d270421f383641b7cd670e474db56b -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2636 - -Currently N_HDLC line discipline uses a self-made singly linked list for -data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after -an error. - -The commit be10eb7589337e5defbe214dae038a53dd21add8 -("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf. -After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put -one data buffer to tx_free_buf_list twice. That causes double free in -n_hdlc_release(). - -Let's use standard kernel linked list and get rid of n_hdlc.tbuf: -in case of tx error put current data buffer after the head of tx_buf_list. - -Signed-off-by: Alexander Popov -Cc: stable -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/n_hdlc.c | 132 +++++++++++++++++++++++++++------------------------ - 1 file changed, 69 insertions(+), 63 deletions(-) - -diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c -index 1bacbc3..e94aea8 100644 ---- a/drivers/tty/n_hdlc.c -+++ b/drivers/tty/n_hdlc.c -@@ -114,7 +114,7 @@ - #define DEFAULT_TX_BUF_COUNT 3 - - struct n_hdlc_buf { -- struct n_hdlc_buf *link; -+ struct list_head list_item; - int count; - char buf[1]; - }; -@@ -122,8 +122,7 @@ struct n_hdlc_buf { - #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe) - - struct n_hdlc_buf_list { -- struct n_hdlc_buf *head; -- struct n_hdlc_buf *tail; -+ struct list_head list; - int count; - spinlock_t spinlock; - }; -@@ -136,7 +135,6 @@ struct n_hdlc_buf_list { - * @backup_tty - TTY to use if tty gets closed - * @tbusy - reentrancy flag for tx wakeup code - * @woke_up - FIXME: describe this field -- * @tbuf - currently transmitting tx buffer - * @tx_buf_list - list of pending transmit frame buffers - * @rx_buf_list - list of received frame buffers - * @tx_free_buf_list - list unused transmit frame buffers -@@ -149,7 +147,6 @@ struct n_hdlc { - struct tty_struct *backup_tty; - int tbusy; - int woke_up; -- struct n_hdlc_buf *tbuf; - struct n_hdlc_buf_list tx_buf_list; - struct n_hdlc_buf_list rx_buf_list; - struct n_hdlc_buf_list tx_free_buf_list; -@@ -159,6 +156,8 @@ struct n_hdlc { - /* - * HDLC buffer list manipulation functions - */ -+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list, -+ struct n_hdlc_buf *buf); - static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, - struct n_hdlc_buf *buf); - static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list); -@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty) - { - struct n_hdlc *n_hdlc = tty2n_hdlc(tty); - struct n_hdlc_buf *buf; -- unsigned long flags; - - while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list))) - n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf); -- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags); -- if (n_hdlc->tbuf) { -- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf); -- n_hdlc->tbuf = NULL; -- } -- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); - } - - static struct tty_ldisc_ops n_hdlc_ldisc = { -@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc) - } else - break; - } -- kfree(n_hdlc->tbuf); - kfree(n_hdlc); - - } /* end of n_hdlc_release() */ -@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) - n_hdlc->woke_up = 0; - spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); - -- /* get current transmit buffer or get new transmit */ -- /* buffer from list of pending transmit buffers */ -- -- tbuf = n_hdlc->tbuf; -- if (!tbuf) -- tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list); -- -+ tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list); - while (tbuf) { - if (debuglevel >= DEBUG_LEVEL_INFO) - printk("%s(%d)sending frame %p, count=%d\n", -@@ -420,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) - - /* rollback was possible and has been done */ - if (actual == -ERESTARTSYS) { -- n_hdlc->tbuf = tbuf; -+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf); - break; - } - /* if transmit error, throw frame away by */ -@@ -435,10 +420,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) - - /* free current transmit buffer */ - n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf); -- -- /* this tx buffer is done */ -- n_hdlc->tbuf = NULL; -- -+ - /* wait up sleeping writers */ - wake_up_interruptible(&tty->write_wait); - -@@ -448,10 +430,12 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) - if (debuglevel >= DEBUG_LEVEL_INFO) - printk("%s(%d)frame %p pending\n", - __FILE__,__LINE__,tbuf); -- -- /* buffer not accepted by driver */ -- /* set this buffer as pending buffer */ -- n_hdlc->tbuf = tbuf; -+ -+ /* -+ * the buffer was not accepted by driver, -+ * return it back into tx queue -+ */ -+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf); - break; - } - } -@@ -749,7 +733,8 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file, - int error = 0; - int count; - unsigned long flags; -- -+ struct n_hdlc_buf *buf = NULL; -+ - if (debuglevel >= DEBUG_LEVEL_INFO) - printk("%s(%d)n_hdlc_tty_ioctl() called %d\n", - __FILE__,__LINE__,cmd); -@@ -763,8 +748,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file, - /* report count of read data available */ - /* in next available frame (if any) */ - spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags); -- if (n_hdlc->rx_buf_list.head) -- count = n_hdlc->rx_buf_list.head->count; -+ buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list, -+ struct n_hdlc_buf, list_item); -+ if (buf) -+ count = buf->count; - else - count = 0; - spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags); -@@ -776,8 +763,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file, - count = tty_chars_in_buffer(tty); - /* add size of next output frame in queue */ - spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags); -- if (n_hdlc->tx_buf_list.head) -- count += n_hdlc->tx_buf_list.head->count; -+ buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list, -+ struct n_hdlc_buf, list_item); -+ if (buf) -+ count += buf->count; - spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags); - error = put_user(count, (int __user *)arg); - break; -@@ -825,14 +814,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp, - poll_wait(filp, &tty->write_wait, wait); - - /* set bits for operations that won't block */ -- if (n_hdlc->rx_buf_list.head) -+ if (!list_empty(&n_hdlc->rx_buf_list.list)) - mask |= POLLIN | POLLRDNORM; /* readable */ - if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) - mask |= POLLHUP; - if (tty_hung_up_p(filp)) - mask |= POLLHUP; - if (!tty_is_writelocked(tty) && -- n_hdlc->tx_free_buf_list.head) -+ !list_empty(&n_hdlc->tx_free_buf_list.list)) - mask |= POLLOUT | POLLWRNORM; /* writable */ - } - return mask; -@@ -856,7 +845,12 @@ static struct n_hdlc *n_hdlc_alloc(void) - spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock); - spin_lock_init(&n_hdlc->rx_buf_list.spinlock); - spin_lock_init(&n_hdlc->tx_buf_list.spinlock); -- -+ -+ INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list); -+ INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list); -+ INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list); -+ INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list); -+ - /* allocate free rx buffer list */ - for(i=0;ispinlock, flags); -+ -+ list_add(&buf->list_item, &buf_list->list); -+ buf_list->count++; -+ -+ spin_unlock_irqrestore(&buf_list->spinlock, flags); -+} -+ -+/** - * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list -- * @list - pointer to buffer list -+ * @buf_list - pointer to buffer list - * @buf - pointer to buffer - */ --static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, -+static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list, - struct n_hdlc_buf *buf) - { - unsigned long flags; -- spin_lock_irqsave(&list->spinlock,flags); -- -- buf->link=NULL; -- if (list->tail) -- list->tail->link = buf; -- else -- list->head = buf; -- list->tail = buf; -- (list->count)++; -- -- spin_unlock_irqrestore(&list->spinlock,flags); -- -+ -+ spin_lock_irqsave(&buf_list->spinlock, flags); -+ -+ list_add_tail(&buf->list_item, &buf_list->list); -+ buf_list->count++; -+ -+ spin_unlock_irqrestore(&buf_list->spinlock, flags); - } /* end of n_hdlc_buf_put() */ - - /** - * n_hdlc_buf_get - remove and return an HDLC buffer from list -- * @list - pointer to HDLC buffer list -+ * @buf_list - pointer to HDLC buffer list - * - * Remove and return an HDLC buffer from the head of the specified HDLC buffer - * list. - * Returns a pointer to HDLC buffer if available, otherwise %NULL. - */ --static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list) -+static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list) - { - unsigned long flags; - struct n_hdlc_buf *buf; -- spin_lock_irqsave(&list->spinlock,flags); -- -- buf = list->head; -+ -+ spin_lock_irqsave(&buf_list->spinlock, flags); -+ -+ buf = list_first_entry_or_null(&buf_list->list, -+ struct n_hdlc_buf, list_item); - if (buf) { -- list->head = buf->link; -- (list->count)--; -+ list_del(&buf->list_item); -+ buf_list->count--; - } -- if (!list->head) -- list->tail = NULL; -- -- spin_unlock_irqrestore(&list->spinlock,flags); -+ -+ spin_unlock_irqrestore(&buf_list->spinlock, flags); - return buf; -- - } /* end of n_hdlc_buf_get() */ - - static char hdlc_banner[] __initdata = - diff --git a/debian/patches/series b/debian/patches/series index e8baa5c4a..ef86a9f7c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -119,7 +119,6 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch debian/time-mark-timer_stats-as-broken.patch bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch -bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch bugfix/all/ucount-remove-the-atomicity-from-ucount-count.patch # Fix exported symbol versions