[linux] 01/02: Update to 4.7.2
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Aug 24 22:54:35 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux.
commit f445dbb9d99266b6979a7aab4b636883b8967d45
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Aug 24 01:33:42 2016 +0100
Update to 4.7.2
Note the CVE IDs and Debian bugs fixed.
Drop the patches that have gone upstream.
---
debian/changelog | 13 ++++-
...buf2-v4l2-verify-planes-array-in-buffer-d.patch | 52 -------------------
...lidate-signatures-on-force-loaded-modules.patch | 58 ----------------------
...core-fix-crash-after-fixing-cve-2016-4568.patch | 26 ----------
debian/patches/series | 3 --
5 files changed, 12 insertions(+), 140 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 98cbd1f..45873ec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,15 @@
-linux (4.7~rc7-1~exp2) UNRELEASED; urgency=medium
+linux (4.7.2-1) UNRELEASED; urgency=medium
+
+ * New upstream release: https://kernelnewbies.org/Linux_4.7
+ - media: fix airspy usb probe error path (CVE-2016-5400)
+ - libata: LITE-ON CX1-JB256-HP needs lower max_sectors (Closes: #830971)
+ - tcp: make challenge acks less predictable (CVE-2016-5696)
+ * New stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.1
+ - vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516)
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.2
+ - [powerpc*] KVM: Book3S HV: Save/restore TM state in H_CEDE (CVE-2016-5412)
+ - audit: fix a double fetch in audit_log_single_execve_arg() (CVE-2016-6136)
[ Ben Hutchings ]
* sched: Enable SCHEDSTATS (Closes: #796674)
diff --git a/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch b/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
deleted file mode 100644
index 5391ca0..0000000
--- a/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Sakari Ailus <sakari.ailus at linux.intel.com>
-Date: Sun, 3 Apr 2016 16:31:03 -0300
-Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
-Origin: https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab
-
-When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
-which will be dequeued is not known until the buffer has been removed from
-the queue. The number of planes is specific to a buffer, not to the queue.
-
-This does lead to the situation where multi-plane buffers may be requested
-and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
-struct with fewer planes.
-
-__fill_v4l2_buffer() however uses the number of planes from the dequeued
-videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
-in video_usercopy() in v4l2-ioctl.c) if the user provided fewer
-planes than the dequeued buffer had. Oops!
-
-Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
-
-Signed-off-by: Sakari Ailus <sakari.ailus at linux.intel.com>
-Acked-by: Hans Verkuil <hans.verkuil at cisco.com>
-Cc: stable at vger.kernel.org # for v4.4 and later
-Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
----
- drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c
-index 91f552124050..8da7470ca364 100644
---- a/drivers/media/v4l2-core/videobuf2-v4l2.c
-+++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
-@@ -74,6 +74,11 @@ static int __verify_planes_array(struct vb2_buffer *vb, const struct v4l2_buffer
- return 0;
- }
-
-+static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
-+{
-+ return __verify_planes_array(vb, pb);
-+}
-+
- /**
- * __verify_length() - Verify that the bytesused value for each plane fits in
- * the plane length and that the data offset doesn't exceed the bytesused value.
-@@ -437,6 +442,7 @@ static int __fill_vb2_buffer(struct vb2_buffer *vb,
- }
-
- static const struct vb2_buf_ops v4l2_buf_ops = {
-+ .verify_planes_array = __verify_planes_array_core,
- .fill_user_buffer = __fill_v4l2_buffer,
- .fill_vb2_buffer = __fill_vb2_buffer,
- .copy_timestamp = __copy_timestamp,
diff --git a/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch b/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
deleted file mode 100644
index e751fd1..0000000
--- a/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 17 Apr 2016 22:59:03 +0100
-Subject: module: Invalidate signatures on force-loaded modules
-Forwarded: http://mid.gmane.org/20160423184501.GM3348@decadent.org.uk
-
-Signing a module should only make it trusted by the specific kernel it
-was built for, not anything else. Loading a signed module meant for a
-kernel with a different ABI could have interesting effects.
-Therefore, treat all signatures as invalid when a module is
-force-loaded.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Cc: stable at vger.kernel.org
----
- kernel/module.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2597,13 +2597,18 @@ static inline void kmemleak_load_module(
- #endif
-
- #ifdef CONFIG_MODULE_SIG
--static int module_sig_check(struct load_info *info)
-+static int module_sig_check(struct load_info *info, int flags)
- {
- int err = -ENOKEY;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
- const void *mod = info->hdr;
-
-- if (info->len > markerlen &&
-+ /*
-+ * Require flags == 0, as a module with version information
-+ * removed is no longer the module that was signed
-+ */
-+ if (flags == 0 &&
-+ info->len > markerlen &&
- memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
- /* We truncate the module to discard the signature */
- info->len -= markerlen;
-@@ -2622,7 +2627,7 @@ static int module_sig_check(struct load_
- return err;
- }
- #else /* !CONFIG_MODULE_SIG */
--static int module_sig_check(struct load_info *info)
-+static int module_sig_check(struct load_info *info, int flags)
- {
- return 0;
- }
-@@ -3429,7 +3434,7 @@ static int load_module(struct load_info
- long err;
- char *after_dashes;
-
-- err = module_sig_check(info);
-+ err = module_sig_check(info, flags);
- if (err)
- goto free_copy;
-
diff --git a/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch b/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
deleted file mode 100644
index c94f184..0000000
--- a/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Mon, 16 May 2016 03:26:30 +0100
-Subject: videobuf2-core: Fix crash after fixing CVE-2016-4568
-Forwarded: no
-
-Commit 2c1f6951a8a8 "[media] videobuf2-v4l2: Verify planes array in buffer
-dequeueing" was reverted upstream by commit 93f0750dcdae.
-
-It's obvious from the log in the revert commit message that pb == NULL
-in __verify_planes_array(). We should treat this case as successful
-because vb2_core_dqbuf() won't attempt to copy anything to user
-buffers.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/drivers/media/v4l2-core/videobuf2-core.c
-+++ b/drivers/media/v4l2-core/videobuf2-core.c
-@@ -1665,7 +1665,7 @@ static int __vb2_get_done_vb(struct vb2_
- * Only remove the buffer from done_list if v4l2_buffer can handle all
- * the planes.
- */
-- ret = call_bufop(q, verify_planes_array, *vb, pb);
-+ ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
- if (!ret)
- list_del(&(*vb)->done_entry);
- spin_unlock_irqrestore(&q->done_lock, flags);
diff --git a/debian/patches/series b/debian/patches/series
index 75bbe0f..ed061bd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -72,8 +72,6 @@ features/arm/arm64-tegra-correct-tegra210-xusb-mailbox-interrupt.patch
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
bugfix/all/disable-some-marvell-phys.patch
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
-bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
-bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
# Miscellaneous features
@@ -107,7 +105,6 @@ features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled
# Security fixes
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
# Tools bug fixes
bugfix/all/usbip-document-tcp-wrappers.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list