[linux] 01/01: Merge tag 'debian/4.2.6-1'
debian-kernel at lists.debian.org
Tue Nov 10 16:17:30 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux.
commit b531af692925f1f2f905b16b3b26381b4bb15d75
Merge: 868f3e2 2d9a6bc
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Nov 10 16:12:32 2015 +0000
Merge tag 'debian/4.2.6-1'
Refresh some patches.
debian/changelog | 90 ++++++++++++++++++++++
...ia-media-vivid-osd-fix-info-leak-in-ioctl.patch | 31 ++++++++
...-when-sending-a-message-on-unbound-socket.patch | 69 +++++++++++++++++
...sbvision-fix-overflow-of-interfaces-array.patch | 31 ++++++++
...-intercept-ac-to-avoid-guest-host-exploit.patch | 38 +++++++++
...x-avoid-guest-host-dos-by-intercepting-ac.patch | 34 ++++++++
debian/patches/series | 5 ++
7 files changed, 298 insertions(+)
diff --cc debian/changelog
index beb93c2,44ffe2b..438e035
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,76 -1,93 +1,166 @@@
+linux (4.3-1~exp2) UNRELEASED; urgency=medium
+
+ [ Ben Hutchings ]
+ * qxl: Enable by default (Closes: #779515)
+ * mv643xx_eth: Re-enable TSO, fixed upstream in 4.3
+ * debian/control: Move patchutils from Build-Depends to Build-Depends-Indep,
+ as we only use filterdiff when building linux-source-<version>
+ * debian/control,debian/rules: Support a 'stage1' build profile which
+ builds only linux-libc-dev (Closes: #695243)
+ * debian/control: Add ':any' to Build-Depends on python3, to support cross-
+ bootstrap
+ * [s390*] Update linux-compiler metapackage to gcc-4.9
+
+ [ Ian Campbell ]
+ * [armel/orion5x] Enable Device Tree for orion5x. Patch from Roger Shimizu
+ (Closes: #803159)
+ * [armel/orion5x] Enable CONFIG_DEBUG_LL_UART_8250.
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sat, 07 Nov 2015 14:18:48 +0000
+
+linux (4.3-1~exp1) experimental; urgency=medium
+
+ * New upstream release
+
+ [ Ben Hutchings ]
+ * netfilter: Enable NFT_DUP_IPV4, NFT_DUP_IPV6 as modules (Closes: #803370)
+ * tests: Add autopkgtest support
+ * [x86] Compile with gcc-5
+ * [x86] Enable PINCTRL_BAYTRAIL (Closes: #797949)
+
+ [ Salvatore Bonaccorso ]
+ * Fix typo in image.plain.postinst template.
+ Add missing space in warn message causing typo "dangling linkto".
+ Thanks to Jakub Wilk <jwilk at debian.org> (Closes: #803323)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Wed, 04 Nov 2015 07:45:13 +0000
+
+linux (4.3~rc7-1~exp1) experimental; urgency=medium
+
+ * New upstream release candidate
+ - [x86] smpboot: Fix CPU #1 boot timeout (Closes: #802464)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Wed, 28 Oct 2015 11:04:27 +0900
+
+linux (4.3~rc5-1~exp1) experimental; urgency=medium
+
+ * New upstream release candidate
+
+ -- Ben Hutchings <ben at decadent.org.uk> Wed, 14 Oct 2015 00:48:41 +0100
+
+linux (4.3~rc4-1~exp1) experimental; urgency=medium
+
+ * New upstream release candidate
+
+ [ Ben Hutchings ]
+ * [armhf] dts: Fix Makefile target for sun4i-a10-itead-iteaduino-plus
+ (fixes FTBFS)
+ * [mips*] io: Define ioremap_uc (fixes FTBFS)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Tue, 06 Oct 2015 23:27:45 +0100
+
+linux (4.3~rc3-1~exp1) experimental; urgency=medium
+
+ * New upstream release candidate
+
+ [ Ben Hutchings ]
+ * Disable CRAMFS; it was obsoleted by squashfs and initramfs
+ * [i386] Replace 586 flavour with 686
+ - Enable support for OLPC and other Geode-based systems in the 686 flavour
+ - udeb: Update kernel-versions
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 27 Sep 2015 21:02:54 +0100
+
+ linux (4.2.6-1) unstable; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.6
+ - mmc: core: Fix init_card in 52Mhz (regression in 4.2)
+ - rtlwifi: rtl8821ae: Fix system lockups on boot (regression in 4.2)
+ - iwlwifi: mvm: init card correctly on ctkill exit check
+ (regression in 3.18)
+ - iwlwifi: mvm: flush fw_dump_wk when mvm fails to start
+ (regression in 3.18)
+ - [x86] iommu/vt-d: fix range computation when making room for large pages
+ - [x86] iommu/amd: Fix BUG when faulting a PROT_NONE VMA
+ - [x86] iommu/amd: Don't clear DTE flags when modifying it
+ - drm: fix mutex leak in drm_dp_get_mst_branch_device
+ - drm: Correct arguments to list_tail_add in create blob ioctl
+ - drm: crtc: integer overflow in drm_property_create_blob()
+ - rtl28xxu: fix control message flaws (regression in 4.0)
+ - ALSA: hda - Fix deadlock at error in building PCM
+ - [x86] ioapic: Prevent NULL pointer dereference in setup_ioapic_dest()
+ (regression in 4.2.4)
+ - mm: make sendfile(2) killable
+ - drm/radeon/dpm: don't add pwm attributes if DPM is disabled
+ (regression in 4.0)
+ - [x86] drm/i915: Restore lost DPLL register write on gen2-4
+ (regression in 3.18)
+ - [x86] drm/i915: Deny wrapping an userptr into a framebuffer
+ - drm/radeon: don't try to recreate sysfs entries on resume
+ (regression in 4.2.5)
+ - drm/radeon: fix dpms when driver backlight control is disabled
+ (regression in 4.2.4)
+ - drm/radeon: move bl encoder assignment into bl init
+ - rbd: require stable pages if message data CRCs are enabled
+ - rbd: don't leak parent_spec in rbd_dev_probe_parent()
+ - rbd: prevent kernel stack blow up on rbd map
+ - [armhf] EXYNOS: Fix double of_node_put() when parsing child power domains
+ (regression in 4.2)
+ - [armhf] dts: Fix audio card detection on Peach boards (regression in 4.1)
+ - [arm64] Revert "ARM64: unwind: Fix PC calculation"
+ - block: don't release bdi while request_queue has live references
+ (regression in 4.2)
+ - dm btree remove: fix a bug when rebalancing nodes after removal
+ - dm cache: the CLEAN_SHUTDOWN flag was not being set
+ - dm btree: fix leak of bufio-backed block in btree_split_beneath error path
+ - Revert "serial: 8250_dma: don't bother DMA with small transfers"
+ (regression in 4.0)
+ - [armel] i2c: mv64xxx: really allow I2C offloading (regression in 3.19)
+ - clkdev: fix clk_add_alias() with a NULL alias device name
+ (regression in 4.2)
+ - fbcon: initialize blink interval before calling fb_set_par
+ (regression in 4.2)
+ - PCI: Prevent out of bounds access in numa_node override
+ - ovl: free stack of paths in ovl_fill_super (regression in 4.0)
+ - ovl: free lower_mnt array in ovl_put_super (regression in 4.0)
+ - ovl: fix dentry reference leak
+ - ovl: fix open in stacked overlay (regression in 4.2)
+ - [x86] Input: alps - only the Dell Latitude D420/430/620/630 have separate
+ stick button bits (regression in 4.1)
+ - crypto: api - Only abort operations on fatal signal
+ - md/raid1: submit_bio_wait() returns 0 on success (regression in 3.10)
+ - md/raid10: submit_bio_wait() returns 0 on success (regression in 3.10)
+ - md/raid5: fix locking in handle_stripe_clean_event() (regression in 3.13)
+ - Revert "md: allow a partially recovered device to be hot-added to an
+ array." (regression in 3.14)
+ - [amd64] EDAC, sb_edac: Fix TAD presence check for sbridge_mci_bind_devs()
+ (regression in 4.2)
+ - mvsas: Fix NULL pointer dereference in mvs_slot_task_free
+ - netfilter: ipset: Fix sleeping memory allocation in atomic context
+ (regression in 4.2)
+ - btrfs: fix possible leak in btrfs_ioctl_balance() (regression in 4.2.5)
+ - kvm: irqchip: fix memory leak (regression in 4.2)
+ - [armhf] thermal: exynos: Fix register read in TMU (regression in 4.2)
+ - blk-mq: fix use-after-free in blk_mq_free_tag_set() (regression in 4.2)
+ - IB/cm: Fix rb-tree duplicate free and use-after-free
+ - sched/deadline: Fix migration of SCHED_DEADLINE tasks (regression in 4.2)
+ - [arm64] compat: fix stxr failure case in SWP emulation
+ - NVMe: Fix memory leak on retried commands
+ - [x86] drm/vmwgfx: Fix up user_dmabuf refcounting
+ - thp: use is_zero_pfn() only after pte_present() check (regression in 4.1)
+ - xen: fix backport of previous kexec patch
+
+ [ Ben Hutchings ]
+ * usbvision: fix overflow of interfaces array (CVE-2015-7833)
+ * RDS: fix race condition when sending a message on unbound socket
+ (CVE-2015-7990)
+ * media/vivid-osd: fix info leak in ioctl (CVE-2015-7884)
+ * [x86] KVM: Intercept #AC to avoid guest->host denial-of-service
+ (CVE-2015-5307)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Tue, 10 Nov 2015 14:35:05 +0000
+
linux (4.2.5-1) unstable; urgency=medium
* New upstream stable update:
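Review bot: the CVE-2015-5307 bullet in the 4.2.6-1 entry reads as a single KVM change, but debian/patches/series gains two patches for it (kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch and kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch). Say in the bullet that #AC is intercepted on both VMX and SVM, so anyone auditing the changelog against the series file can account for both files.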
diff --cc debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
index 0000000,a6c0f6a..299242e
mode 000000,100644..100644
--- a/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+++ b/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
@@@ -1,0 -1,69 +1,69 @@@
+ From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+ Subject: RDS: fix race condition when sending a message on unbound socket.
+ Date: Fri, 16 Oct 2015 17:11:42 +0200
+ Origin: https://lkml.org/lkml/2015/10/16/530
+
+ Sasha's found a NULL pointer dereference in the RDS connection code when
+ sending a message to an apparently unbound socket. The problem is caused
+ by the code checking if the socket is bound in rds_sendmsg(), which checks
+ the rs_bound_addr field without taking a lock on the socket. This opens a
+ race where rs_bound_addr is temporarily set but where the transport is not
+ in rds_bind(), leading to a NULL pointer dereference when trying to
+ dereference 'trans' in __rds_conn_create().
+
+ Vegard wrote a reproducer for this issue, so kindly ask him to share if
+ you're interested.
+
+ I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+ with this patch, whereas I could without.
+
+ Complete earlier incomplete fix to CVE-2015-6937:
+
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+ Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+ Reviewed-by: Vegard Nossum <vegard.nossum at oracle.com>
+ Reviewed-by: Sasha Levin <sasha.levin at oracle.com>
+ Cc: Vegard Nossum <vegard.nossum at oracle.com>
+ Cc: Sasha Levin <sasha.levin at oracle.com>
+ Cc: Chien Yen <chien.yen at oracle.com>
+ Cc: Santosh Shilimkar <santosh.shilimkar at oracle.com>
+ Cc: David S. Miller <davem at davemloft.net>
+ Cc: stable at vger.kernel.org
+ ---
+ net/rds/connection.c | 6 ------
+ net/rds/send.c | 4 +++-
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+ --- a/net/rds/connection.c
+ +++ b/net/rds/connection.c
-@@ -187,12 +187,6 @@ new_conn:
++@@ -190,12 +190,6 @@ new_conn:
+ }
+ }
+
+ - if (trans == NULL) {
+ - kmem_cache_free(rds_conn_slab, conn);
+ - conn = ERR_PTR(-ENODEV);
+ - goto out;
+ - }
+ -
+ conn->c_trans = trans;
+
+ ret = trans->conn_alloc(conn, gfp);
+ --- a/net/rds/send.c
+ +++ b/net/rds/send.c
-@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, str
++@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket *sock, str
+ release_sock(sk);
+ }
+
+ - /* racing with another thread binding seems ok here */
+ + lock_sock(sk);
+ if (daddr == 0 || rs->rs_bound_addr == 0) {
+ + release_sock(sk);
+ ret = -ENOTCONN; /* XXX not a great errno */
+ goto out;
+ }
+ + release_sock(sk);
+
- /* size of rm including all sgs */
- ret = rds_rm_size(msg, payload_len);
++ if (payload_len > rds_sk_sndbuf(rs)) {
++ ret = -EMSGSIZE;
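Review bot: in the send.c hunk the socket lock is released right after the rs_bound_addr test, while the connection.c hunk deletes the "if (trans == NULL)" guard ahead of "trans->conn_alloc(conn, gfp)". Nothing in the visible lines shows what keeps the binding and transport stable between "release_sock(sk)" and that dereference. Either keep the NULL guard as a fallback, or have the patch description state why the transport cannot be NULL once the locked check has passed.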
diff --cc debian/patches/series
index d590375,14939bf..13d3234
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -77,11 -86,25 +77,16 @@@ features/all/grsecurity/grsecurity-kcon
#features/all/grsecurity/grsecurity-kbuild.patch
features/all/grsecurity/grkernsec_perf_harden.patch
-bugfix/all/gfs2-make-statistics-unsigned-suitable-for-use-with-.patch
-bugfix/all/dcache-reduce-the-scope-of-i_lock-in-d_splice_alias.patch
-bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch
bugfix/all/media-uvcvideo-disable-hardware-timestamps-by-defaul.patch
-bugfix/mips/mips-pgtable-bits.h-correct-_page_global_shift-build.patch
-features/all/ath10k-add-qca6164-support.patch
-debian/block-fix-abi-change-in-4.2.2.patch
-bugfix/all/nbd-fix-timeout-detection.patch
-bugfix/all/nbd-remove-variable-pid.patch
-bugfix/all/nbd-add-locking-for-tasks.patch
-bugfix/all/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
-bugfix/all/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
-bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
-
-debian/target-fix-abi-change-in-4.2.4.patch
-debian/signal-fix-abi-change-in-4.2.4.patch
+bugfix/all/selftests-add-missing-include-directives.patch
+bugfix/all/selftests-memfd-stop-unnecessary-rebuilds.patch
+bugfix/all/selftests-kprobe-choose-an-always-defined-function-t.patch
+bugfix/all/selftests-make-scripts-executable.patch
+bugfix/all/selftests-vm-try-harder-to-allocate-huge-pages.patch
+bugfix/all/selftests-breakpoints-actually-build-it.patch
+ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+ bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+ bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
+ bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
+ bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
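Review bot: the merge result no longer lists bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch, yet it adds the rds race-condition patch whose connection.c hunk removes the "trans == NULL" check. That removal only applies if the base tree already carries the check, so the commit message or changelog should note that the earlier RDS fix now comes from the upstream base and that the new patch was refreshed against it.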
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git