[linux] 01/02: Update to 4.7.2

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Aug 24 22:54:35 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux.

commit f445dbb9d99266b6979a7aab4b636883b8967d45
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Aug 24 01:33:42 2016 +0100

    Update to 4.7.2
    
    Note the CVE IDs and Debian bugs fixed.
    
    Drop the patches that have gone upstream.
---
 debian/changelog                                   | 13 ++++-
 ...buf2-v4l2-verify-planes-array-in-buffer-d.patch | 52 -------------------
 ...lidate-signatures-on-force-loaded-modules.patch | 58 ----------------------
 ...core-fix-crash-after-fixing-cve-2016-4568.patch | 26 ----------
 debian/patches/series                              |  3 --
 5 files changed, 12 insertions(+), 140 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 98cbd1f..45873ec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,15 @@
-linux (4.7~rc7-1~exp2) UNRELEASED; urgency=medium
+linux (4.7.2-1) UNRELEASED; urgency=medium
+
+  * New upstream release: https://kernelnewbies.org/Linux_4.7
+    - media: fix airspy usb probe error path (CVE-2016-5400)
+    - libata: LITE-ON CX1-JB256-HP needs lower max_sectors (Closes: #830971)
+    - tcp: make challenge acks less predictable (CVE-2016-5696)
+  * New stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.1
+    - vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516)
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.2
+    - [powerpc*] KVM: Book3S HV: Save/restore TM state in H_CEDE (CVE-2016-5412)
+    - audit: fix a double fetch in audit_log_single_execve_arg() (CVE-2016-6136)
 
   [ Ben Hutchings ]
   * sched: Enable SCHEDSTATS (Closes: #796674)
diff --git a/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch b/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
deleted file mode 100644
index 5391ca0..0000000
--- a/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Sakari Ailus <sakari.ailus at linux.intel.com>
-Date: Sun, 3 Apr 2016 16:31:03 -0300
-Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
-Origin: https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab
-
-When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
-which will be dequeued is not known until the buffer has been removed from
-the queue. The number of planes is specific to a buffer, not to the queue.
-
-This does lead to the situation where multi-plane buffers may be requested
-and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
-struct with fewer planes.
-
-__fill_v4l2_buffer() however uses the number of planes from the dequeued
-videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
-in video_usercopy() in v4l2-ioctl.c)  if the user provided fewer
-planes than the dequeued buffer had. Oops!
-
-Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
-
-Signed-off-by: Sakari Ailus <sakari.ailus at linux.intel.com>
-Acked-by: Hans Verkuil <hans.verkuil at cisco.com>
-Cc: stable at vger.kernel.org # for v4.4 and later
-Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
----
- drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c
-index 91f552124050..8da7470ca364 100644
---- a/drivers/media/v4l2-core/videobuf2-v4l2.c
-+++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
-@@ -74,6 +74,11 @@ static int __verify_planes_array(struct vb2_buffer *vb, const struct v4l2_buffer
- 	return 0;
- }
- 
-+static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
-+{
-+	return __verify_planes_array(vb, pb);
-+}
-+
- /**
-  * __verify_length() - Verify that the bytesused value for each plane fits in
-  * the plane length and that the data offset doesn't exceed the bytesused value.
-@@ -437,6 +442,7 @@ static int __fill_vb2_buffer(struct vb2_buffer *vb,
- }
- 
- static const struct vb2_buf_ops v4l2_buf_ops = {
-+	.verify_planes_array	= __verify_planes_array_core,
- 	.fill_user_buffer	= __fill_v4l2_buffer,
- 	.fill_vb2_buffer	= __fill_vb2_buffer,
- 	.copy_timestamp		= __copy_timestamp,
diff --git a/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch b/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
deleted file mode 100644
index e751fd1..0000000
--- a/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 17 Apr 2016 22:59:03 +0100
-Subject: module: Invalidate signatures on force-loaded modules
-Forwarded: http://mid.gmane.org/20160423184501.GM3348@decadent.org.uk
-
-Signing a module should only make it trusted by the specific kernel it
-was built for, not anything else.  Loading a signed module meant for a
-kernel with a different ABI could have interesting effects.
-Therefore, treat all signatures as invalid when a module is
-force-loaded.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Cc: stable at vger.kernel.org
----
- kernel/module.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2597,13 +2597,18 @@ static inline void kmemleak_load_module(
- #endif
- 
- #ifdef CONFIG_MODULE_SIG
--static int module_sig_check(struct load_info *info)
-+static int module_sig_check(struct load_info *info, int flags)
- {
- 	int err = -ENOKEY;
- 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
- 	const void *mod = info->hdr;
- 
--	if (info->len > markerlen &&
-+	/*
-+	 * Require flags == 0, as a module with version information
-+	 * removed is no longer the module that was signed
-+	 */
-+	if (flags == 0 &&
-+	    info->len > markerlen &&
- 	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
- 		/* We truncate the module to discard the signature */
- 		info->len -= markerlen;
-@@ -2622,7 +2627,7 @@ static int module_sig_check(struct load_
- 	return err;
- }
- #else /* !CONFIG_MODULE_SIG */
--static int module_sig_check(struct load_info *info)
-+static int module_sig_check(struct load_info *info, int flags)
- {
- 	return 0;
- }
-@@ -3429,7 +3434,7 @@ static int load_module(struct load_info
- 	long err;
- 	char *after_dashes;
- 
--	err = module_sig_check(info);
-+	err = module_sig_check(info, flags);
- 	if (err)
- 		goto free_copy;
- 
diff --git a/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch b/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
deleted file mode 100644
index c94f184..0000000
--- a/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Mon, 16 May 2016 03:26:30 +0100
-Subject: videobuf2-core: Fix crash after fixing CVE-2016-4568
-Forwarded: no
-
-Commit 2c1f6951a8a8 "[media] videobuf2-v4l2: Verify planes array in buffer
-dequeueing" was reverted upstream by commit 93f0750dcdae.
-
-It's obvious from the log in the revert commit message that pb == NULL
-in __verify_planes_array().  We should treat this case as successful
-because vb2_core_dqbuf() won't attempt to copy anything to user
-buffers.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/drivers/media/v4l2-core/videobuf2-core.c
-+++ b/drivers/media/v4l2-core/videobuf2-core.c
-@@ -1665,7 +1665,7 @@ static int __vb2_get_done_vb(struct vb2_
- 	 * Only remove the buffer from done_list if v4l2_buffer can handle all
- 	 * the planes.
- 	 */
--	ret = call_bufop(q, verify_planes_array, *vb, pb);
-+	ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
- 	if (!ret)
- 		list_del(&(*vb)->done_entry);
- 	spin_unlock_irqrestore(&q->done_lock, flags);
diff --git a/debian/patches/series b/debian/patches/series
index 75bbe0f..ed061bd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -72,8 +72,6 @@ features/arm/arm64-tegra-correct-tegra210-xusb-mailbox-interrupt.patch
 bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
-bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
-bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
 
 # Miscellaneous features
 
@@ -107,7 +105,6 @@ features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled
 # Security fixes
 bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
 
 # Tools bug fixes
 bugfix/all/usbip-document-tcp-wrappers.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list