[linux] 01/01: Update to 4.12.6
debian-kernel at lists.debian.org
Sat Aug 12 15:12:57 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch master
in repository linux.
commit e58e3e6be94fa74a631471ff37a562bf415dc53a
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Sat Aug 12 16:10:56 2017 +0200
Update to 4.12.6
---
debian/changelog | 117 ++++++++++++++++++++-
...overflow-of-offset-in-ip6_find_1stfragopt.patch | 55 ----------
...64-fix-double-fetch-PCIe-access-condition.patch | 77 --------------
debian/patches/series | 2 -
4 files changed, 114 insertions(+), 137 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 60254a7..3a800fb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
+linux (4.12.6-1~exp1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.3
@@ -250,6 +250,119 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
- ipmi/watchdog: fix watchdog timeout set on reboot
- dentry name snapshots (CVE-2017-7533)
- mmc: tmio-mmc: fix bad pointer math
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.6
+ - [hppa/parisc] Increase thread and stack size to 32kb
+ - [hppa/parisc] Handle vma's whose context is not current in
+ flush_cache_range
+ - scsi: lpfc: fix linking against modular NVMe support
+ - ACPI / LPSS: Only call pwm_add_table() for the first PWM controller
+ - cgroup: don't call migration methods if there are no tasks to migrate
+ - cgroup: create dfl_root files on subsys registration
+ - cgroup: fix error return value from cgroup_subtree_control()
+ - libata: array underflow in ata_find_dev()
+ - workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
+ - iwlwifi: dvm: prevent an out of bounds access
+ - brcmfmac: fix memleak due to calling brcmf_sdiod_sgtable_alloc() twice
+ - NFSv4: Fix EXCHANGE_ID corrupt verifier issue
+ - mmc: sdhci-of-at91: force card detect value for non removable devices
+ - mmc: core: Use device_property_read instead of of_property_read
+ - mmc: dw_mmc: Use device_property_read instead of of_property_read
+ - mm, mprotect: flush TLB if potentially racing with a parallel reclaim
+ leaving stale TLB entries
+ - mm/hugetlb.c: __get_user_pages ignores certain follow_hugetlb_page
+ errors
+ - userfaultfd: non-cooperative: notify about unmap of destination during
+ mremap
+ - userfaultfd_zeropage: return -ENOSPC in case mm has gone
+ - userfaultfd: non-cooperative: flush event_wqh at release time
+ - cpuset: fix a deadlock due to incomplete patching of cpusets_enabled()
+ - ocfs2: don't clear SGID when inheriting ACLs
+ - ALSA: hda - Fix speaker output from VAIO VPCL14M1R
+ - [x86] drm/amdgpu: fix header on gfx9 clear state
+ - [x86] drm/amdgpu: Fix undue fallthroughs in golden registers
+ initialization
+ - ASoC: fix pcm-creation regression
+ - ASoC: ux500: Restore platform DAI assignments
+ - ASoC: do not close shared backend dailink
+ - KVM: arm/arm64: Handle hva aging while destroying the vm
+ - KVM: async_pf: make rcu irq exit if not triggered from idle task
+ - timers: Fix overflow in get_next_timer_interrupt
+ - [powerpc*] tm: Fix saving of TM SPRs in core dump
+ - [powerpc/powerpc64] Fix __check_irq_replay missing decrementer interrupt
+ - iommu/amd: Enable ga_log_intr when enabling guest_mode
+ - [arm64] dts: marvell: armada-37xx: Fix the number of GPIO on south bridge
+ - gpiolib: skip unwanted events, don't convert them to opposite edge
+ - ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
+ - ext4: fix overflow caused by missing cast in ext4_resize_fs()
+ - [mips*] ralink: Fix build error due to missing header
+ - clk: sunxi-ng: sun5i: Add clk_set_rate_parent to the CPU clock
+ - ARM: mvebu: use __pa_symbol in the mv98dx3236 platform SMP code
+ - ARM: dts: armada-38x: Fix irq type for pca955
+ - ARM: dts: tango4: Request RGMII RX and TX clock delays
+ - media: pulse8-cec: persistent_config should be off by default
+ - media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds
+ - media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS
+ ioctl
+ - ir-spi: Fix issues with lirc API
+ - tcmu: Fix flushing cmd entry dcache page
+ - tcmu: Fix possbile memory leak / OOPs when recalculating cmd base size
+ - ext4: preserve i_mode if __ext4_set_acl() fails
+ - ext4: Don't clear SGID when inheriting ACLs
+ - Btrfs: fix early ENOSPC due to delalloc
+ - blk-mq: Include all present CPUs in the default queue mapping
+ - blk-mq: Create hctx for each present CPU
+ - block: disable runtime-pm for blk-mq
+ - saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
+ - sctp: fix an array overflow when all ext chunks are set
+ - tcp_bbr: cut pacing rate only if filled pipe
+ - tcp_bbr: introduce bbr_bw_to_pacing_rate() helper
+ - tcp_bbr: introduce bbr_init_pacing_rate_from_rtt() helper
+ - tcp_bbr: remove sk_pacing_rate=0 transient during init
+ - tcp_bbr: init pacing rate on first RTT sample
+ - ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check()
+ - wireless: wext: terminate ifr name coming from userspace
+ - net: Zero terminate ifr_name in dev_ifname().
+ - net: dsa: mv88e6xxx: Enable CMODE config support for 6390X
+ - Revert "rtnetlink: Do not generate notifications for CHANGEADDR event"
+ - ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
+ - net: dsa: b53: Add missing ARL entries for BCM53125
+ - ipv4: initialize fib_trie prior to register_netdev_notifier call.
+ - rtnetlink: allocate more memory for dev_set_mac_address()
+ - net: bonding: Fix transmit load balancing in balance-alb mode
+ - mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled
+ - openvswitch: fix potential out of bound access in parse_ct
+ - packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
+ - ipv6: Don't increase IPSTATS_MIB_FRAGFAILS twice in ip6_fragment()
+ - net: ethernet: nb8800: Handle all 4 RGMII modes identically
+ - bonding: commit link status change after propose
+ - dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly
+ - dccp: fix a memleak that dccp_ipv4 doesn't put reqsk properly
+ - dccp: fix a memleak for dccp_feat_init err process
+ - net/mlx5: Consider tx_enabled in all modes on remap
+ - net/mlx5: Fix command completion after timeout access invalid structure
+ - net/mlx5: Fix command bad flow on command entry allocation failure
+ - sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
+ - sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
+ - net/mlx5e: IPoIB, Modify add/remove underlay QPN flows
+ - net/mlx5e: Fix outer_header_zero() check size
+ - net/mlx5: Fix mlx5_ifc_mtpps_reg_bits structure size
+ - net/mlx5e: Add field select to MTPPS register
+ - net/mlx5e: Fix broken disable 1PPS flow
+ - net/mlx5e: Change 1PPS out scheme
+ - net/mlx5e: Add missing support for PTP_CLK_REQ_PPS request
+ - net/mlx5e: Fix wrong delay calculation for overflow check scheduling
+ - net/mlx5e: Schedule overflow check work to mlx5e workqueue
+ - net/mlx5: Fix mlx5_add_flow_rules call with correct num of dests
+ - udp6: fix socket leak on early demux
+ - net: phy: Correctly process PHY_HALTED in phy_stop_machine()
+ - workqueue: implicit ordered attribute should be overridable
+ - ipv4: fib: Fix NULL pointer deref during fib_sync_down_dev()
+ - virtio_net: fix truesize for mergeable buffers
+ - [sparc64] Measure receiver forward progress to avoid send mondo timeout
+ - [sparc64] Prevent perf from running during super critical sections
+ - [sparc64] Register hugepages during arch init
+ - [sparc64] Fix exception handling in UltraSPARC-III memcpy.
+ - drm/vmwgfx: Fix cursor hotspot issue with Wayland on Fedora
[ Ben Hutchings ]
* media: Enable USB_RAINSHADOW_CEC as module (see #868511)
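Review bot: In the added 4.12.6 list only two entries carry a CVE id ("saa7164: fix double fetch PCIe access condition (CVE-2017-8831)" and "ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)"), while several others read as memory-safety fixes with no annotation, for example "libata: array underflow in ata_find_dev()", "sctp: fix an array overflow when all ext chunks are set" and "packet: fix use-after-free in prb_retire_rx_blk_timer_expired()". Check these against the security tracker before upload and append the id wherever one is assigned, so the changelog can still answer which version fixed a given CVE.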
@@ -267,8 +380,6 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
linux-headers-*-common* (Closes: #869511)
[ Salvatore Bonaccorso ]
- * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
- * media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
* packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
* udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
diff --git a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
deleted file mode 100644
index d1b4d72..0000000
--- a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Sabrina Dubroca <sd at queasysnail.net>
-Date: Wed, 19 Jul 2017 22:28:55 +0200
-Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
-Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542
-
-In some cases, offset can overflow and can cause an infinite loop in
-ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
-cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
-
-This problem has been here since before the beginning of git history.
-
-Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
-Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/output_core.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
-index e9065b8d3af8..abb2c307fbe8 100644
---- a/net/ipv6/output_core.c
-+++ b/net/ipv6/output_core.c
-@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
-
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
-- u16 offset = sizeof(struct ipv6hdr);
-+ unsigned int offset = sizeof(struct ipv6hdr);
- unsigned int packet_len = skb_tail_pointer(skb) -
- skb_network_header(skb);
- int found_rhdr = 0;
-@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
-
- while (offset <= packet_len) {
- struct ipv6_opt_hdr *exthdr;
-+ unsigned int len;
-
- switch (**nexthdr) {
-
-@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
-
- exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- offset);
-- offset += ipv6_optlen(exthdr);
-+ len = ipv6_optlen(exthdr);
-+ if (len + offset >= IPV6_MAXPLEN)
-+ return -EINVAL;
-+ offset += len;
- *nexthdr = &exthdr->nexthdr;
- }
-
---
-2.11.0
-
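Review bot: Dropping this patch is only correct if the 4.12.6 tree carries both halves of the fix: the change of offset from u16 to unsigned int, and the check "if (len + offset >= IPV6_MAXPLEN) return -EINVAL;" inside the loop. The changelog hunk lists "ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)" under ChangeLog-4.12.6, which matches the Subject here. The commit message should also say that the two patches are dropped because they are included upstream, since "Update to 4.12.6" alone does not explain the deletions.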
diff --git a/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch b/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
deleted file mode 100644
index bc642e1..0000000
--- a/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From: Steven Toth <stoth at kernellabs.com>
-Date: Tue, 6 Jun 2017 09:30:27 -0300
-Subject: [media] saa7164: fix double fetch PCIe access condition
-Origin: https://git.kernel.org/linus/6fb05e0dd32e566facb96ea61a48c7488daa5ac3
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8831
-
-Avoid a double fetch by reusing the values from the prior transfer.
-
-Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
-
-Thanks to Pengfei Wang <wpengfeinudt at gmail.com> for reporting.
-
-Signed-off-by: Steven Toth <stoth at kernellabs.com>
-Reported-by: Pengfei Wang <wpengfeinudt at gmail.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
----
- drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
- 1 file changed, 1 insertion(+), 12 deletions(-)
-
-diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
-index b2ff82fa7116..ecfeac5cdbed 100644
---- a/drivers/media/pci/saa7164/saa7164-bus.c
-+++ b/drivers/media/pci/saa7164/saa7164-bus.c
-@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
- msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
- msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
- msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
-+ memcpy(msg, &msg_tmp, sizeof(*msg));
-
- /* No need to update the read positions, because this was a peek */
- /* If the caller specifically want to peek, return */
- if (peekonly) {
-- memcpy(msg, &msg_tmp, sizeof(*msg));
- goto peekout;
- }
-
-@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
- space_rem = bus->m_dwSizeGetRing - curr_grp;
-
- if (space_rem < sizeof(*msg)) {
-- /* msg wraps around the ring */
-- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
-- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
-- sizeof(*msg) - space_rem);
- if (buf)
- memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
- space_rem, buf_size);
-
- } else if (space_rem == sizeof(*msg)) {
-- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
- if (buf)
- memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
- } else {
- /* Additional data wraps around the ring */
-- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
- if (buf) {
- memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
- sizeof(*msg), space_rem - sizeof(*msg));
-@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
-
- } else {
- /* No wrapping */
-- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
- if (buf)
- memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
- buf_size);
- }
-- /* Convert from little endian to CPU */
-- msg->size = le16_to_cpu((__force __le16)msg->size);
-- msg->command = le32_to_cpu((__force __le32)msg->command);
-- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
-
- /* Update the read positions, adjusting the ring */
- saa7164_writel(bus->m_dwGetReadPos, new_grp);
---
-2.11.0
-
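Review bot: With this file removed, the double-fetch fix depends entirely on the upstream import, so confirm that saa7164_bus_get() in the 4.12.6 source copies msg_tmp into msg once, before the peekonly check, and no longer re-reads the header with memcpy_fromio(msg, ...) from bus->m_pdwGetRing. The Bug-Debian-Security header goes away with the patch, which leaves the changelog line "saa7164: fix double fetch PCIe access condition (CVE-2017-8831)" as the only in-package reference to the CVE, so that line must keep its id.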
diff --git a/debian/patches/series b/debian/patches/series
index c211945..6e7b536 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,8 +119,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
-bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
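Review bot: The two entries that remain under "# Security fixes", bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch and bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch, should be test-applied against 4.12.6, because the changelog lists many networking changes in this update and their context may have shifted. The two removed lines match the two deleted patch files, so the series itself stays consistent.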
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git