[linux] 01/02: Update to 4.9.22
debian-kernel at lists.debian.org
Sun Apr 16 20:54:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit 31945f628c99b3a1074dc8ef64611a4cf6ee0f21
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Apr 16 21:46:39 2017 +0100
Update to 4.9.22
Drop patches applied upstream.
---
debian/changelog | 228 ++++++++++++++++++-
...ove-broken-support-for-detecting-keyring-.patch | 253 ---------------------
...y.c-fix-error-handling-in-set_mempolicy-a.patch | 76 -------
...sg-check-length-passed-to-sg_next_cmd_len.patch | 29 ---
...e-xfrm_msg_newae-incoming-esn-size-harder.patch | 34 ---
..._newae-xfrma_replay_esn_val-replay_window.patch | 42 ----
...eger-overflow-in-vmw_surface_define_ioctl.patch | 33 ---
...r-dereference-in-vmw_surface_define_ioctl.patch | 29 ---
debian/patches/debian/kernelvariables.patch | 2 +-
debian/patches/series | 7 -
10 files changed, 224 insertions(+), 509 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index bbbacf5..53f7466 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,226 @@
-linux (4.9.18-2) UNRELEASED; urgency=medium
+linux (4.9.22-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.19
+ - net/openvswitch: Set the ipv6 source tunnel key address attribute
+ correctly
+ - net: properly release sk_frag.page
+ - [arm64] amd-xgbe: Fix jumbo MTU processing on newer hardware
+ - openvswitch: Add missing case OVS_TUNNEL_KEY_ATTR_PAD
+ - net: unix: properly re-increment inflight counter of GC discarded
+ candidates
+ - net: vrf: Reset rt6i_idev in local dst after put
+ - net/mlx5: Add missing entries for set/query rate limit commands
+ - net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
+ - net/mlx5: Increase number of max QPs in default profile
+ - net/mlx5e: Count GSO/LRO packets correctly
+ - ipv6: make sure to initialize sockc.tsflags before first use
+ - ipv4: provide stronger user input validation in nl_fib_input()
+ - socket, bpf: fix sk_filter use after free in sk_clone_lock
+ - tcp: initialize icsk_ack.lrcvtime at session start time
+ - Input: iforce,ims-pcu,hanwang,yealink,cm109,kbtab,sur40 - validate
+ number of endpoints before using them
+ - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
+ - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
+ - ALSA: hda - Adding a group of pin definition to fix headset problem
+ - ACM gadget: fix endianness in notifications
+ - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's
+ wBytesPerInterval
+ - USB: uss720,idmouse,wusbcore: fix NULL-deref at probe
+ - usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
+ - usb: hub: Fix crash after failure to read BOS descriptor
+ - USB: usbtmc: add missing endpoint sanity check
+ - USB: usbtmc: fix probe error path
+ - uwb: i1480-dfu: fix NULL-deref at probe
+ - mmc: ushc: fix NULL-deref at probe
+ - [armhf[ iio: adc: ti_am335x_adc: fix fifo overrun recovery
+ - iio: sw-device: Fix config group initialization
+ - iio: hid-sensor-trigger: Change get poll value function order to avoid
+ sensor properties losing after resume from S3
+ - parport: fix attempt to write duplicate procfiles
+ - ext4: mark inode dirty after converting inline directory
+ - ext4: lock the xattr block before checksuming it
+ - [powerpc*/*64*] Fix idle wakeup potential to clobber registers
+ - mmc: sdhci: Do not disable interrupts while waiting for clock
+ - mmc: sdhci-pci: Do not disable interrupts in sdhci_intel_set_power
+ - [x86] hwrng: amd - Revert managed API changes
+ - [x86] hwrng: geode - Revert managed API changes
+ - [armhf] clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module
+ clock
+ - [armhf] clk: sunxi-ng: mp: Adjust parent rate for pre-dividers
+ - mwifiex: pcie: don't leak DMA buffers when removing
+ - [x86] crypto: ccp - Assign DMA commands to the channel's CCP
+ - xen/acpi: upload PM state from init-domain to Xen
+ - [x86] iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
+ - [arm64] kaslr: Fix up the kernel image alignment
+ - cpufreq: Restore policy min/max limits on CPU online
+ - cgroup, net_cls: iterate the fds of only the tasks which are being
+ migrated
+ - blk-mq: don't complete un-started request in timeout handler
+ - [x86] drm/amdgpu: reinstate oland workaround for sclk
+ - jbd2: don't leak memory if setting up journal fails
+ - [x86] intel_th: Don't leak module refcount on failure to activate
+ - [x86] Drivers: hv: vmbus: Don't leak channel ids
+ - [x86] Drivers: hv: vmbus: Don't leak memory when a channel is rescinded
+ - libceph: don't set weight to IN when OSD is destroyed
+ - [x86] device-dax: fix pmd/pte fault fallback handling
+ - [armhf] drm/bridge: analogix dp: Fix runtime PM state on driver bind
+ - nl80211: fix dumpit error path RTNL deadlocks
+ - drm: reference count event->completion
+ - fbcon: Fix vc attr at deinit
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.20
+ - xfrm: policy: init locks early
+ - [x86] KVM: cleanup the page tracking SRCU instance
+ - virtio_balloon: init 1st buffer in stats vq
+ - [mips*] ptrace: Preserve previous registers for short regset write
+ - [sparc64] ptrace: Preserve previous registers for short regset write
+ - fscrypt: remove broken support for detecting keyring key revocation
+ (CVE-2017-7374)
+ - sched/rt: Add a missing rescheduling point
+ - [armhf] usb: musb: fix possible spinlock deadlock
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.21
+ - libceph: force GFP_NOIO for socket allocations
+ - xen/setup: Don't relocate p2m over existing one
+ - xfs: only update mount/resv fields on success in __xfs_ag_resv_init
+ - xfs: use per-AG reservations for the finobt
+ - xfs: pull up iolock from xfs_free_eofblocks()
+ - xfs: sync eofblocks scans under iolock are livelock prone
+ - xfs: fix eofblocks race with file extending async dio writes
+ - xfs: fix toctou race when locking an inode to access the data map
+ - xfs: fail _dir_open when readahead fails
+ - xfs: filter out obviously bad btree pointers
+ - xfs: check for obviously bad level values in the bmbt root
+ - xfs: verify free block header fields
+ - xfs: allow unwritten extents in the CoW fork
+ - xfs: mark speculative prealloc CoW fork extents unwritten
+ - xfs: reset b_first_retry_time when clear the retry status of xfs_buf_t
+ - xfs: update ctime and mtime on clone destinatation inodes
+ - xfs: reject all unaligned direct writes to reflinked files
+ - xfs: don't fail xfs_extent_busy allocation
+ - xfs: handle indlen shortage on delalloc extent merge
+ - xfs: split indlen reservations fairly when under reserved
+ - xfs: fix uninitialized variable in _reflink_convert_cow
+ - xfs: don't reserve blocks for right shift transactions
+ - xfs: Use xfs_icluster_size_fsb() to calculate inode chunk alignment
+ - xfs: tune down agno asserts in the bmap code
+ - xfs: only reclaim unwritten COW extents periodically
+ - xfs: fix and streamline error handling in xfs_end_io
+ - xfs: Use xfs_icluster_size_fsb() to calculate inode alignment mask
+ - xfs: use iomap new flag for newly allocated delalloc blocks
+ - xfs: try any AG when allocating the first btree block when reflinking
+ - scsi: libsas: fix ata xfer length
+ - scsi: scsi_dh_alua: Check scsi_device_get() return value
+ - scsi: scsi_dh_alua: Ensure that alua_activate() calls the completion
+ function
+ - ALSA: seq: Fix race during FIFO resize
+ - ALSA: hda - fix a problem for lineout on a Dell AIO machine
+ - [x86] ASoC: Intel: Skylake: fix invalid memory access due to wrong
+ reference of pointer
+ - HID: wacom: Don't add ghost interface as shared data
+ - mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
+ - NFSv4.1 fix infinite loop on IO BAD_STATEID error
+ - nfsd: map the ENOKEY to nfserr_perm for avoiding warning
+ - [hppa] Clean up fixup routines for get_user()/put_user()
+ - [hppa] Avoid stalled CPU warnings after system shutdown
+ - [hppa] Fix access fault handling in pa_memcpy()
+ - ACPI: Fix incompatibility with mcount-based function graph tracing
+ - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
+ - USB: fix linked-list corruption in rh_call_control()
+ - [x86] KVM: clear bus pointer when destroyed
+ - KVM: kvm_io_bus_unregister_dev() should never fail
+ - drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
+ - [armhf,arm64] drm/vc4: Allocate the right amount of space for boot-time
+ CRTC state.
+ - [armhf] drm/etnaviv: (re-)protect fence allocation with GPU mutex
+ - [x86] mm/KASLR: Exclude EFI region from KASLR VA space randomization
+ - [x86] mce: Fix copy/paste error in exception table entries
+ - lib/syscall: Clear return values when no stack
+ - mm: rmap: fix huge file mmap accounting in the memcg stats
+ - mm, hugetlb: use pte_present() instead of pmd_present() in
+ follow_huge_pmd()
+ - qla2xxx: Allow vref count to timeout on vport delete.
+ - mm: workingset: fix premature shadow node shrinking with cgroups
+ - blk: improve order of bio handling in generic_make_request()
+ - blk: Ensure users for current->bio_list can see the full list.
+ - padata: avoid race in reordering
+ - nvme/core: Fix race kicking freed request_queue
+ - nvme/pci: Disable on removal when disconnected
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.22
+ - ppdev: check before attaching port
+ - ppdev: fix registering same device name
+ - [x86] drm/vmwgfx: Type-check lookups of fence objects
+ - [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in
+ vmw_get_cap_3d_ioctl()
+ - drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
+ - [x86] drm/vmwgfx: Remove getparam error message
+ - sysfs: be careful of error returns from ops->show()
+ - [armhf,arm64] KVM: Take mmap_sem in stage2_unmap_vm
+ - [armhf,arm64] KVM: Take mmap_sem in kvm_arch_prepare_memory_region
+ - [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd
+ - [x86] iio: bmg160: reset chip when probing
+ - [arm64] mm: unaligned access by user-land should be received as SIGBUS
+ - cfg80211: check rdev resume callback only for registered wiphy
+ - CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT
+ - mm/page_alloc.c: fix print order in show_free_areas()
+ - ptrace: fix PTRACE_LISTEN race corrupting task->state
+ - dm verity fec: limit error correction recursion
+ - dm verity fec: fix bufio leaks
+ - ACPI / gpio: do not fall back to parsing _CRS when we get a deferral
+ - xfs: Honor FALLOC_FL_KEEP_SIZE when punching ends of files
+ - ring-buffer: Fix return value check in test_ringbuffer()
+ - mac80211: unconditionally start new netdev queues with iTXQ support
+ - brcmfmac: use local iftype avoiding use-after-free of virtual interface
+ - [powerpc*] Disable HFSCR[TM] if TM is not supported
+ - [powerpc*] mm: Add missing global TLB invalidate if cxl is active
+ - [powerpc*/*64*]: Fix flush_(d|i)cache_range() called from modules
+ - [powerpc*] Don't try to fix up misaligned load-with-reservation
+ instructions
+ - [powerpc*] crypto/crc32c-vpmsum: Fix missing preempt_disable()
+ - dm raid: fix NULL pointer dereference for raid1 without bitmap
+ - [s390x] decompressor: fix initrd corruption caused by bss clear
+ - [s390x] uaccess: get_user() should zero on failure (again)
+ - [mips*el/loongson-3] Check TLB before handle_ri_rdhwr() for Loongson-3
+ - [mips*el/loongson-3] Add MIPS_CPU_FTLB for Loongson-3A R2
+ - [mips*el/loongson-3] Flush wrong invalid FTLB entry for huge page
+ - [mips*el/loongson-3] c-r4k: Fix Loongson-3's vcache/scache waysize
+ calculation
+ - mm/mempolicy.c: fix error handling in set_mempolicy and mbind
+ (CVE-2017-7616)
+ - random: use chacha20 for get_random_int/long
+ - [armhf] drm/sun4i: tcon: Move SoC specific quirks to a DT matched data
+ structure
+ - [armhf] drm/sun4i: Add compatible strings for A31/A31s display pipelines
+ - [armhf] drm/sun4i: Add compatible string for A31/A31s TCON (timing
+ controller)
+ - HID: i2c-hid: add a simple quirk to fix device defects
+ - usb: dwc3: gadget: delay unmap of bounced requests
+ - [x86] ASoC: Intel: bytct_rt5640: change default capture settings
+ - [armhf,arm64] clocksource/drivers/arm_arch_timer: Don't assume clock runs
+ in suspend
+ - scsi: ufs: introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk
+ - HID: multitouch: do not retrieve all reports for all devices
+ - [arm64] mmc: sdhci-msm: Enable few quirks
+ - scsi: ufs: ensure that host pa_tactivate is higher than device
+ - svcauth_gss: Close connection when dropping an incoming message
+ - scsi: ufs: add quirk to increase host PA_SaveConfigTime
+ - [x86] platform: acer-wmi: Only supports AMW0_GUID1 on acer family
+ - nvme: simplify stripe quirk
+ - ACPI / sysfs: Provide quirk mechanism to prevent GPE flooding
+ - HID: usbhid: Add quirk for the Futaba TOSD-5711BB VFD
+ - [x86] drm/i915: actually drive the BDW reserved IDs
+ - scsi: ufs: issue link starup 2 times if device isn't active
+ - [armhf] serial: 8250_omap: Add OMAP_DMA_TX_KICK quirk for AM437x
+ - ACPI / button: Change default behavior to lid_init_state=open
+ - [x86] ACPI: save NVS memory for Lenovo G50-45
+ - HID: wacom: don't apply generic settings to old devices
+ - [arm64] firmware: qcom: scm: Fix interrupted SCM calls
+ - [armhf] watchdog: s3c2410: Fix infinite interrupt in soft mode
+ - [x86] platform: asus-wmi: Set specified XUSB2PR value for X550LB
+ - [x86] platform: asus-wmi: Detect quirk_no_rfkill from the DSDT
+ - [x86] reboot/quirks: Add ASUS EeeBook X205TA reboot quirk
+ - [x86] reboot/quirks: Add ASUS EeeBook X205TA/W reboot quirk
+ - usb-storage: Add ignore-residue quirk for Initio INIC-3619
+ - [x86] reboot/quirks: Fix typo in ASUS EeeBook X205TA reboot quirk
[ Ben Hutchings ]
* w1: Really enable W1_MASTER_GPIO as module (Closes: #858975)
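Review bot: The upstream list in this entry has no item for five of the seven patch files this commit deletes (the sg SG_NEXT_CMD_LEN length check, the two xfrm_user XFRM_MSG_NEWAE checks, and the two vmwgfx vmw_surface_define_ioctl fixes), while the fscrypt and mempolicy fixes are listed with CVE-2017-7374 and CVE-2017-7616. Listing the others as well, with the CVE id wherever the patch's Bug-Debian-Security header gives one, would let a reader confirm from the changelog which stable release absorbed each fix. Separately, the line `- [armhf[ iio: adc: ti_am335x_adc: fix fifo overrun recovery` has a mismatched bracket and should read `[armhf]`.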
@@ -25,10 +247,6 @@ linux (4.9.18-2) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* ping: implement proper locking (CVE-2017-2671)
- * fscrypt: remove broken support for detecting keyring key revocation
- (CVE-2017-7374)
- * mm/mempolicy.c: fix error handling in set_mempolicy and mbind
- (CVE-2017-7616)
-- Ben Hutchings <ben at decadent.org.uk> Thu, 30 Mar 2017 18:27:30 +0100
diff --git a/debian/patches/bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch b/debian/patches/bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
deleted file mode 100644
index 0e58294..0000000
--- a/debian/patches/bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Tue, 21 Feb 2017 15:07:11 -0800
-Subject: fscrypt: remove broken support for detecting keyring key revocation
-Origin: https://git.kernel.org/linus/1b53cf9815bb4744958d41f3795d5d5a1d365e2d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7374
-
-Filesystem encryption ostensibly supported revoking a keyring key that
-had been used to "unlock" encrypted files, causing those files to become
-"locked" again. This was, however, buggy for several reasons, the most
-severe of which was that when key revocation happened to be detected for
-an inode, its fscrypt_info was immediately freed, even while other
-threads could be using it for encryption or decryption concurrently.
-This could be exploited to crash the kernel or worse.
-
-This patch fixes the use-after-free by removing the code which detects
-the keyring key having been revoked, invalidated, or expired. Instead,
-an encrypted inode that is "unlocked" now simply remains unlocked until
-it is evicted from memory. Note that this is no worse than the case for
-block device-level encryption, e.g. dm-crypt, and it still remains
-possible for a privileged user to evict unused pages, inodes, and
-dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by
-simply unmounting the filesystem. In fact, one of those actions was
-already needed anyway for key revocation to work even somewhat sanely.
-This change is not expected to break any applications.
-
-In the future I'd like to implement a real API for fscrypt key
-revocation that interacts sanely with ongoing filesystem operations ---
-waiting for existing operations to complete and blocking new operations,
-and invalidating and sanitizing key material and plaintext from the VFS
-caches. But this is a hard problem, and for now this bug must be fixed.
-
-This bug affected almost all versions of ext4, f2fs, and ubifs
-encryption, and it was potentially reachable in any kernel configured
-with encryption support (CONFIG_EXT4_ENCRYPTION=y,
-CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or
-CONFIG_UBIFS_FS_ENCRYPTION=y). Note that older kernels did not use the
-shared fs/crypto/ code, but due to the potential security implications
-of this bug, it may still be worthwhile to backport this fix to them.
-
-Fixes: b7236e21d55f ("ext4 crypto: reorganize how we store keys in the inode")
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: Theodore Ts'o <tytso at mit.edu>
-Acked-by: Michael Halcrow <mhalcrow at google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-[carnil: backport synced with 2984e52c75c657db7901f6189f02e0251ca963c2 in 4.9.20]
----
- fs/crypto/crypto.c | 10 +---------
- fs/crypto/fname.c | 2 +-
- fs/crypto/keyinfo.c | 52 +++++++++---------------------------------------
- include/linux/fscrypto.h | 2 --
- 4 files changed, 11 insertions(+), 55 deletions(-)
-
-diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
-index 98f87fe8f186..61cfccea77bc 100644
---- a/fs/crypto/crypto.c
-+++ b/fs/crypto/crypto.c
-@@ -352,7 +352,6 @@ EXPORT_SYMBOL(fscrypt_zeroout_range);
- static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
- {
- struct dentry *dir;
-- struct fscrypt_info *ci;
- int dir_has_key, cached_with_key;
-
- if (flags & LOOKUP_RCU)
-@@ -364,18 +363,11 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
- return 0;
- }
-
-- ci = d_inode(dir)->i_crypt_info;
-- if (ci && ci->ci_keyring_key &&
-- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
-- (1 << KEY_FLAG_REVOKED) |
-- (1 << KEY_FLAG_DEAD))))
-- ci = NULL;
--
- /* this should eventually be an flag in d_flags */
- spin_lock(&dentry->d_lock);
- cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
- spin_unlock(&dentry->d_lock);
-- dir_has_key = (ci != NULL);
-+ dir_has_key = (d_inode(dir)->i_crypt_info != NULL);
- dput(dir);
-
- /*
-diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c
-index 9b774f4b50c8..80bb956e14e5 100644
---- a/fs/crypto/fname.c
-+++ b/fs/crypto/fname.c
-@@ -350,7 +350,7 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname,
- fname->disk_name.len = iname->len;
- return 0;
- }
-- ret = get_crypt_info(dir);
-+ ret = fscrypt_get_encryption_info(dir);
- if (ret && ret != -EOPNOTSUPP)
- return ret;
-
-diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
-index 67fb6d8876d0..bb4606368eb1 100644
---- a/fs/crypto/keyinfo.c
-+++ b/fs/crypto/keyinfo.c
-@@ -99,6 +99,7 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
- kfree(full_key_descriptor);
- if (IS_ERR(keyring_key))
- return PTR_ERR(keyring_key);
-+ down_read(&keyring_key->sem);
-
- if (keyring_key->type != &key_type_logon) {
- printk_once(KERN_WARNING
-@@ -106,11 +107,9 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
- res = -ENOKEY;
- goto out;
- }
-- down_read(&keyring_key->sem);
- ukp = user_key_payload(keyring_key);
- if (ukp->datalen != sizeof(struct fscrypt_key)) {
- res = -EINVAL;
-- up_read(&keyring_key->sem);
- goto out;
- }
- master_key = (struct fscrypt_key *)ukp->data;
-@@ -121,17 +120,11 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
- "%s: key size incorrect: %d\n",
- __func__, master_key->size);
- res = -ENOKEY;
-- up_read(&keyring_key->sem);
- goto out;
- }
- res = derive_key_aes(ctx->nonce, master_key->raw, raw_key);
-- up_read(&keyring_key->sem);
-- if (res)
-- goto out;
--
-- crypt_info->ci_keyring_key = keyring_key;
-- return 0;
- out:
-+ up_read(&keyring_key->sem);
- key_put(keyring_key);
- return res;
- }
-@@ -173,12 +166,11 @@ static void put_crypt_info(struct fscrypt_info *ci)
- if (!ci)
- return;
-
-- key_put(ci->ci_keyring_key);
- crypto_free_skcipher(ci->ci_ctfm);
- kmem_cache_free(fscrypt_info_cachep, ci);
- }
-
--int get_crypt_info(struct inode *inode)
-+int fscrypt_get_encryption_info(struct inode *inode)
- {
- struct fscrypt_info *crypt_info;
- struct fscrypt_context ctx;
-@@ -188,21 +180,15 @@ int get_crypt_info(struct inode *inode)
- u8 *raw_key = NULL;
- int res;
-
-+ if (inode->i_crypt_info)
-+ return 0;
-+
- res = fscrypt_initialize();
- if (res)
- return res;
-
- if (!inode->i_sb->s_cop->get_context)
- return -EOPNOTSUPP;
--retry:
-- crypt_info = ACCESS_ONCE(inode->i_crypt_info);
-- if (crypt_info) {
-- if (!crypt_info->ci_keyring_key ||
-- key_validate(crypt_info->ci_keyring_key) == 0)
-- return 0;
-- fscrypt_put_encryption_info(inode, crypt_info);
-- goto retry;
-- }
-
- res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
- if (res < 0) {
-@@ -230,7 +216,6 @@ int get_crypt_info(struct inode *inode)
- crypt_info->ci_data_mode = ctx.contents_encryption_mode;
- crypt_info->ci_filename_mode = ctx.filenames_encryption_mode;
- crypt_info->ci_ctfm = NULL;
-- crypt_info->ci_keyring_key = NULL;
- memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor,
- sizeof(crypt_info->ci_master_key));
-
-@@ -285,14 +270,8 @@ int get_crypt_info(struct inode *inode)
- if (res)
- goto out;
-
-- kzfree(raw_key);
-- raw_key = NULL;
-- if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) {
-- put_crypt_info(crypt_info);
-- goto retry;
-- }
-- return 0;
--
-+ if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL)
-+ crypt_info = NULL;
- out:
- if (res == -ENOKEY)
- res = 0;
-@@ -300,6 +279,7 @@ int get_crypt_info(struct inode *inode)
- kzfree(raw_key);
- return res;
- }
-+EXPORT_SYMBOL(fscrypt_get_encryption_info);
-
- void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
- {
-@@ -317,17 +297,3 @@ void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
- put_crypt_info(ci);
- }
- EXPORT_SYMBOL(fscrypt_put_encryption_info);
--
--int fscrypt_get_encryption_info(struct inode *inode)
--{
-- struct fscrypt_info *ci = inode->i_crypt_info;
--
-- if (!ci ||
-- (ci->ci_keyring_key &&
-- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
-- (1 << KEY_FLAG_REVOKED) |
-- (1 << KEY_FLAG_DEAD)))))
-- return get_crypt_info(inode);
-- return 0;
--}
--EXPORT_SYMBOL(fscrypt_get_encryption_info);
-diff --git a/include/linux/fscrypto.h b/include/linux/fscrypto.h
-index ff8b11b26f31..f6dfc2950f76 100644
---- a/include/linux/fscrypto.h
-+++ b/include/linux/fscrypto.h
-@@ -79,7 +79,6 @@ struct fscrypt_info {
- u8 ci_filename_mode;
- u8 ci_flags;
- struct crypto_skcipher *ci_ctfm;
-- struct key *ci_keyring_key;
- u8 ci_master_key[FS_KEY_DESCRIPTOR_SIZE];
- };
-
-@@ -256,7 +255,6 @@ extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
- extern int fscrypt_inherit_context(struct inode *, struct inode *,
- void *, bool);
- /* keyinfo.c */
--extern int get_crypt_info(struct inode *);
- extern int fscrypt_get_encryption_info(struct inode *);
- extern void fscrypt_put_encryption_info(struct inode *, struct fscrypt_info *);
-
---
-2.11.0
-
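Review bot: The behaviour change spelled out in this patch's description, that an unlocked encrypted inode "simply remains unlocked until it is evicted from memory" and key revocation no longer re-locks files, is not recorded anywhere once the file is gone; the changelog keeps only the subject line and CVE-2017-7374. A short note there or in NEWS that re-locking now needs `sync; echo 3 > /proc/sys/vm/drop_caches` or an unmount would preserve it for administrators. In the keyinfo.c part, the new fast path `if (inode->i_crypt_info) return 0;` is a plain load where the removed retry loop used ACCESS_ONCE() and publication still goes through cmpxchg(), so an annotated read would keep the lockless access explicit; that is a point for upstream, not a reason to keep the file.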
diff --git a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
deleted file mode 100644
index 114a2b8..0000000
--- a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Chris Salls <salls at cs.ucsb.edu>
-Date: Fri, 7 Apr 2017 23:48:11 -0700
-Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
-Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
-
-In the case that compat_get_bitmap fails we do not want to copy the
-bitmap to the user as it will contain uninitialized stack data and leak
-sensitive data.
-
-Signed-off-by: Chris Salls <salls at cs.ucsb.edu>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- mm/mempolicy.c | 20 ++++++++------------
- 1 file changed, 8 insertions(+), 12 deletions(-)
-
-diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index 75b2745..37d0b33 100644
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1529,7 +1529,6 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, int __user *, policy,
- COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
- compat_ulong_t, maxnode)
- {
-- long err = 0;
- unsigned long __user *nm = NULL;
- unsigned long nr_bits, alloc_size;
- DECLARE_BITMAP(bm, MAX_NUMNODES);
-@@ -1538,14 +1537,13 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
- alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
-
- if (nmask) {
-- err = compat_get_bitmap(bm, nmask, nr_bits);
-+ if (compat_get_bitmap(bm, nmask, nr_bits))
-+ return -EFAULT;
- nm = compat_alloc_user_space(alloc_size);
-- err |= copy_to_user(nm, bm, alloc_size);
-+ if (copy_to_user(nm, bm, alloc_size))
-+ return -EFAULT;
- }
-
-- if (err)
-- return -EFAULT;
--
- return sys_set_mempolicy(mode, nm, nr_bits+1);
- }
-
-@@ -1553,7 +1551,6 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
- compat_ulong_t, mode, compat_ulong_t __user *, nmask,
- compat_ulong_t, maxnode, compat_ulong_t, flags)
- {
-- long err = 0;
- unsigned long __user *nm = NULL;
- unsigned long nr_bits, alloc_size;
- nodemask_t bm;
-@@ -1562,14 +1559,13 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
- alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
-
- if (nmask) {
-- err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
-+ if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
-+ return -EFAULT;
- nm = compat_alloc_user_space(alloc_size);
-- err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
-+ if (copy_to_user(nm, nodes_addr(bm), alloc_size))
-+ return -EFAULT;
- }
-
-- if (err)
-- return -EFAULT;
--
- return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
- }
-
---
-2.1.4
-
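Review bot: In both compat wrappers the on-stack bitmap (`DECLARE_BITMAP(bm, MAX_NUMNODES);` in set_mempolicy, `nodemask_t bm;` in mbind) is still declared uninitialized, so the leak fix rests entirely on `return -EFAULT` running before `copy_to_user()`. Zero-initializing the bitmap would keep stack contents out of the copy even if the ordering is changed later. Also, this header has no Bug-Debian-Security line, unlike the fscrypt, sg and xfrm_user patches dropped in the same commit; the link to CVE-2017-7616 exists only in debian/changelog.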
diff --git a/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch b/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
deleted file mode 100644
index 7def878..0000000
--- a/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: peter chang <dpf at google.com>
-Date: Wed, 15 Feb 2017 14:11:54 -0800
-Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
-Origin: https://git.kernel.org/cgit/linux/kernel/git/mkp/scsi.git/commit?id=bf33f87dd04c371ea33feb821b60d63d754e3124
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7187
-
-The user can control the size of the next command passed along, but the
-value passed to the ioctl isn't checked against the usable max command
-size.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Peter Chang <dpf at google.com>
-Acked-by: Douglas Gilbert <dgilbert at interlog.com>
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
----
- drivers/scsi/sg.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int
- result = get_user(val, ip);
- if (result)
- return result;
-+ if (val > SG_MAX_CDB_SIZE)
-+ return -ENOMEM;
- sfp->next_cmd_len = (val > 0) ? val : 0;
- return 0;
- case SG_GET_VERSION_NUM:
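Review bot: The new bound in the SG_NEXT_CMD_LEN case returns -ENOMEM (`if (val > SG_MAX_CDB_SIZE) return -ENOMEM;`), which reports an allocation failure for what is an out-of-range argument; -EINVAL would describe the condition to callers more accurately. Negative values are not caught by this comparison and are only clamped to 0 by the following `(val > 0) ? val : 0`, which works, but a comment would help since the two lines together form the full range check.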
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
deleted file mode 100644
index faf3861..0000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Andy Whitcroft <apw at canonical.com>
-Date: Thu, 23 Mar 2017 07:45:44 +0000
-Subject: [PATCH 2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size
- harder
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
-wrapping issues. To ensure we are correctly ensuring that the two ESN
-structures are the same size compare both the overall size as reported
-by xfrm_replay_state_esn_len() and the internal length are the same.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft <apw at canonical.com>
----
- net/xfrm/xfrm_user.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index 81c4112..87e0c22 100644
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
- up = nla_data(rp);
- ulen = xfrm_replay_state_esn_len(up);
-
-- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
-+ /* Check the overall length and the internal bitmap length to avoid
-+ * potential overflow. */
-+ if (nla_len(rp) < ulen ||
-+ xfrm_replay_state_esn_len(replay_esn) != ulen ||
-+ replay_esn->bmp_len != up->bmp_len)
- return -EINVAL;
-
- if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
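Review bot: `ulen` is still computed from the user-supplied `up` with xfrm_replay_state_esn_len(), the helper the description calls subject to wrapping, before anything ties `up->bmp_len` to the kernel's copy; the added `replay_esn->bmp_len != up->bmp_len` comparison is the only term that does not depend on that helper. Testing it first, ahead of `nla_len(rp) < ulen`, would make it clear that the wrap-prone lengths are only compared once bmp_len is known to match. The header also has no Origin: line, so the upstream commit this corresponds to cannot be identified from the file.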
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
deleted file mode 100644
index 758973e..0000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Andy Whitcroft <apw at canonical.com>
-Date: Wed, 22 Mar 2017 07:29:31 +0000
-Subject: [PATCH 1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
- replay_window
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate
-the user supplied replay_esn to ensure that the size is valid and to ensure
-that the replay_window size is within the allocated buffer. However later
-it is possible to update this replay_esn via a XFRM_MSG_NEWAE call.
-There we again validate the size of the supplied buffer matches the
-existing state and if so inject the contents. We do not at this point
-check that the replay_window is within the allocated memory. This leads
-to out-of-bounds reads and writes triggered by netlink packets. This leads
-to memory corruption and the potential for priviledge escalation.
-
-We already attempt to validate the incoming replay information in
-xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the
-user is not trying to change the size of the replay state buffer which
-includes the replay_esn. It however does not check the replay_window
-remains within that buffer. Add validation of the contained replay_window.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft <apw at canonical.com>
----
- net/xfrm/xfrm_user.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index 0889209..81c4112 100644
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
- return -EINVAL;
-
-+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
-+ return -EINVAL;
-+
- return 0;
- }
-
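Review bot: The added bound `up->replay_window > up->bmp_len * sizeof(__u32) * 8` is computed from the user-supplied `up->bmp_len`, and at this point in the series that field is constrained only by the length comparison on the line above. The check therefore depends on the follow-up 2/2 patch, which compares `replay_esn->bmp_len` with `up->bmp_len` directly, so the two should be treated as one fix when checking that an upstream release contains it. Bounding against `replay_esn->bmp_len`, the kernel's own value, would make this check stand on its own.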
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index 8514670..0000000
--- a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
-From: Li Qiang <liq3ea at gmail.com>
-Date: Tue, 28 Mar 2017 03:10:53 +0000
-Origin: https://lists.freedesktop.org/archives/dri-devel/2017-March/137124.html
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
-
-In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
-'req->mip_levels' array. This array can be assigned any value from
-the user space. As both the 'num_sizes' and the array is uint32_t,
-it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
-used as the loop count. This can lead an oob write. Add the check of
-'req->mip_levels' to avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_
- 128;
-
- num_sizes = 0;
-- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
-+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
-+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
-+ return -EINVAL;
- num_sizes += req->mip_levels[i];
-+ }
-
- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
- num_sizes == 0)
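Review bot: The Origin header of this dropped patch points at a dri-devel list posting, not an upstream commit id, so the deletion cannot be matched to a stable commit from the patch header alone. Please identify the 4.9.x commit that adds the per-face 'req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS' check and reference it against CVE-2017-7294 in the changelog. Note also that the trailing context already contains 'num_sizes == 0', so this patch was stacked on the NULL pointer dereference patch and the two have to be dropped together, as this commit does.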
diff --git a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index b4dac5c..0000000
--- a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Murray McAllister <murray.mcallister at insomniasec.com>
-Date: Fri, 24 Mar 2017 20:33:00 -0700
-Subject: vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
-Origin: https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261
-
-Before memory allocations vmw_surface_define_ioctl() checks the
-upper-bounds of a user-supplied size, but does not check if the
-supplied size is 0.
-
-Add check to avoid NULL pointer dereferences.
-
-Signed-off-by: Murray McAllister <murray.mcallister at insomniasec.com>
-Reviewed-by: Sinclair Yeh <syeh at vmware.com>
-[bwh: Fix filename]
----
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- num_sizes += req->mip_levels[i];
-
-- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
-- DRM_VMW_MAX_MIP_LEVELS)
-+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
-+ num_sizes == 0)
- return -EINVAL;
-
- size = vmw_user_surface_size + 128 +
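Review bot: The Origin of this dropped patch is a commit in the freedesktop.org mesa/vmwgfx repository and the header carries '[bwh: Fix filename]', so the commit id given there is not the one that will appear in the stable tree. Check the removal against the corresponding commit in the 4.9.19 to 4.9.22 range, confirming that the 'num_sizes == 0' rejection is present in vmw_surface_define_ioctl() after the update, so that CVE-2017-7261 remains closed.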
diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch
index f59d00b..d2bdec0 100644
--- a/debian/patches/debian/kernelvariables.patch
+++ b/debian/patches/debian/kernelvariables.patch
@@ -58,7 +58,7 @@ use of $(ARCH) needs to be moved after this.
export KCONFIG_CONFIG
@@ -373,6 +337,44 @@ LDFLAGS_vmlinux =
- CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized
+ CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,)
+-include $(obj)/.kernelvariables
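Review bot: This hunk only refreshes a context line of kernelvariables.patch (CFLAGS_GCOV changes from '=' with -Wno-maybe-uninitialized to ':=' with $(call cc-disable-warning,maybe-uninitialized,)), but the commit message says only "Drop patches applied upstream". Mention the context refresh in the commit message or changelog so the reason for touching this Debian-specific patch is recorded.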
diff --git a/debian/patches/series b/debian/patches/series
index 69a9772..99a6cc7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -122,17 +122,10 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
debian/time-mark-timer_stats-as-broken.patch
bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
-bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
-bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
-bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
bugfix/all/ping-implement-proper-locking.patch
-bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
-bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
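Review bot: The seven entries removed here match the seven patch files deleted in the diffstat, but the three net-packet-fix-overflow-* patches and ping-implement-proper-locking.patch stay in the series. Please confirm none of them is included in the 4.9.19 to 4.9.22 stable updates, since a patch that is already upstream would either fail to apply or apply with fuzz on top of the same fix.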
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git