[linux] 01/01: Update to 4.9.7

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Fri Feb 3 14:02:56 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 7eec246dc0d6e4f4d3aeace7829c557452801617
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Fri Feb 3 13:47:40 2017 +0000

    Update to 4.9.7
    
    Drop patches applied upstream.
---
 debian/changelog                                   | 64 ++++++++++++++++-
 .../fbdev-color-map-coying-bounds-checking.patch   | 80 ----------------------
 ...r-overflow-in-temporary-allocation-layout.patch | 36 ----------
 ...urn-einval-on-the-overflow-checks-failing.patch | 27 --------
 debian/patches/series                              |  3 -
 5 files changed, 63 insertions(+), 147 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 0d05be4..a3661d89 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,66 @@
-linux (4.9.6-4) UNRELEASED; urgency=medium
+linux (4.9.7-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7
+    - drm: Schedule the output_poll_work with 1s delay if we have delayed event
+    - drm: Fix broken VT switch with video=1366x768 option
+    - [x86] drm/i915: Ignore bogus plane coordinates on SKL when the plane is
+      not visible
+    - [armhf,arm64] drm/vc4: Fix memory leak of the CRTC state.
+    - [armhf,arm64] drm/vc4: fix a bounds check
+    - Revert "drm/radeon: always apply pci shutdown callbacks"
+    - drm/atomic: clear out fence when duplicating state
+    - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
+    - mm/mempolicy.c: do not put mempolicy before using its nodemask
+    - mm, page_alloc: fix check for NULL preferred_zone
+    - mm, page_alloc: fix fast-path race with cpuset update or removal
+    - mm, page_alloc: move cpuset seqcount checking to slowpath
+    - mm, page_alloc: fix premature OOM when racing with cpuset mems update
+    - [armhf,arm64] vring: Force use of DMA API for ARM-based systems with
+      legacy devices
+    - userns: Make ucounts lock irq-safe
+    - sysctl: fix proc_doulongvec_ms_jiffies_minmax()
+    - xfs: prevent quotacheck from overloading inode lru
+    - ISDN: eicon: silence misleading array-bounds warning
+    - Btrfs: remove old tree_root case in btrfs_read_locked_inode()
+    - Btrfs: disable xattr operations on subvolume directories
+    - Btrfs: remove ->{get, set}_acl() from btrfs_dir_ro_inode_operations
+    - RDMA/cma: Fix unknown symbol when CONFIG_IPV6 is not enabled
+    - [s390x] mm: Fix cmma unused transfer from pgste into pte
+    - [s390x] ptrace: Preserve previous registers for short regset write
+    - IB/cxgb3: fix misspelling in header guard
+    - IB/iser: Fix sg_tablesize calculation
+    - IB/srp: fix mr allocation when the device supports sg gaps
+    - IB/srp: fix invalid indirect_sg_entries parameter value
+    - can: c_can_pci: fix null-pointer-deref in c_can_start() - set device
+      pointer
+    - can: ti_hecc: add missing prepare and unprepare of the clock
+    - [hppa] Don't use BITS_PER_LONG in userspace-exported swab.h header
+    - nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
+    - NFSv4.1: Fix a deadlock in layoutget
+    - NFSv4.0: always send mode in SETATTR after EXCLUSIVE4
+    - SUNRPC: cleanup ida information when removing sunrpc module
+    - iw_cxgb4: free EQ queue memory on last deref
+    - pctv452e: move buffer to heap, no mutex
+    - v4l: tvp5150: Reset device at probe time, not in get/set format handlers
+    - v4l: tvp5150: Fix comment regarding output pin muxing
+    - v4l: tvp5150: Don't override output pinmuxing at stream on/off time
+    - [x86] drm/i915: Clear ret before unbinding in i915_gem_evict_something()
+    - [x86] drm/i915: prevent crash with .disable_display parameter
+    - [x86] drm/i915: Don't leak edid in intel_crt_detect_ddc()
+    - [x86] drm/i915: Don't init hpd polling for vlv and chv from
+      runtime_suspend()
+    - [x86] drm/i915: Fix calculation of rotated x and y offsets for planar
+      formats
+    - [x86] drm/i915: Check for NULL atomic state in
+      intel_crtc_disable_noatomic()
+    - IB/umem: Release pid in error and ODP flow
+    - [x86] pinctrl: baytrail: Rectify debounce support
+    - memory_hotplug: make zone_can_shift() return a boolean value
+    - virtio_mmio: Set DMA masks appropriately
+    - mm, memcg: do not retry precharge charges
+    - perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
+    - [x86] drm/i915: Remove WaDisableLSQCROPERFforOCL KBL workaround.
 
   [ Ben Hutchings ]
   * Bump ABI to 2
diff --git a/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch b/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch
deleted file mode 100644
index 10c6e2a..0000000
--- a/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Tue, 24 Jan 2017 15:18:24 -0800
-Subject: fbdev: color map copying bounds checking
-Origin: https://git.kernel.org/linus/2dc705a9930b4806250fbf5a76e55266e59389f2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8405
-
-Copying color maps to userspace doesn't check the value of to->start,
-which will cause kernel heap buffer OOB read due to signedness wraps.
-
-CVE-2016-8405
-
-Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Reported-by: Peter Pi (@heisecode) of Trend Micro
-Cc: Min Chong <mchong at google.com>
-Cc: Dan Carpenter <dan.carpenter at oracle.com>
-Cc: Tomi Valkeinen <tomi.valkeinen at ti.com>
-Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
-index f89245b8ba8e..68a113594808 100644
---- a/drivers/video/fbdev/core/fbcmap.c
-+++ b/drivers/video/fbdev/core/fbcmap.c
-@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
- 
- int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
- {
--	int tooff = 0, fromoff = 0;
--	int size;
-+	unsigned int tooff = 0, fromoff = 0;
-+	size_t size;
- 
- 	if (to->start > from->start)
- 		fromoff = to->start - from->start;
- 	else
- 		tooff = from->start - to->start;
--	size = to->len - tooff;
--	if (size > (int) (from->len - fromoff))
--		size = from->len - fromoff;
--	if (size <= 0)
-+	if (fromoff >= from->len || tooff >= to->len)
-+		return -EINVAL;
-+
-+	size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+	if (size == 0)
- 		return -EINVAL;
- 	size *= sizeof(u16);
- 
-@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
- 
- int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
- {
--	int tooff = 0, fromoff = 0;
--	int size;
-+	unsigned int tooff = 0, fromoff = 0;
-+	size_t size;
- 
- 	if (to->start > from->start)
- 		fromoff = to->start - from->start;
- 	else
- 		tooff = from->start - to->start;
--	size = to->len - tooff;
--	if (size > (int) (from->len - fromoff))
--		size = from->len - fromoff;
--	if (size <= 0)
-+	if (fromoff >= from->len || tooff >= to->len)
-+		return -EINVAL;
-+
-+	size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+	if (size == 0)
- 		return -EINVAL;
- 	size *= sizeof(u16);
- 
diff --git a/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch b/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
deleted file mode 100644
index be77360..0000000
--- a/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Eric Anholt <eric at anholt.net>
-Date: Wed, 18 Jan 2017 07:20:49 +1100
-Subject: drm/vc4: Fix an integer overflow in temporary allocation layout.
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5576
-Origin: https://lkml.org/lkml/2017/1/17/761
-
-We copy the unvalidated ioctl arguments from the user into kernel
-temporary memory to run the validation from, to avoid a race where the
-user updates the unvalidate contents in between validating them and
-copying them into the validated BO.
-
-However, in setting up the layout of the kernel side, we failed to
-check one of the additions (the roundup() for shader_rec_offset)
-against integer overflow, allowing a nearly MAX_UINT value of
-bin_cl_size to cause us to under-allocate the temporary space that we
-then copy_from_user into.
-
-Reported-by: Murray McAllister <murray.mcallister at insomniasec.com>
-Signed-off-by: Eric Anholt <eric at anholt.net>
-Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
----
- drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/vc4/vc4_gem.c
-+++ b/drivers/gpu/drm/vc4/vc4_gem.c
-@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, stru
- 					  args->shader_rec_count);
- 	struct vc4_bo *bo;
- 
--	if (uniforms_offset < shader_rec_offset ||
-+	if (shader_rec_offset < args->bin_cl_size ||
-+	    uniforms_offset < shader_rec_offset ||
- 	    exec_size < uniforms_offset ||
- 	    args->shader_rec_count >= (UINT_MAX /
- 					  sizeof(struct vc4_shader_state)) ||
diff --git a/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch b/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
deleted file mode 100644
index 95dc721..0000000
--- a/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Eric Anholt <eric at anholt.net>
-Date: Wed, 18 Jan 2017 07:20:50 +1100
-Subject: drm/vc4: Return -EINVAL on the overflow checks failing.
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5577
-Origin: https://lkml.org/lkml/2017/1/17/759
-
-By failing to set the errno, we'd continue on to trying to set up the
-RCL, and then oops on trying to dereference the tile_bo that binning
-validation should have set up.
-
-Reported-by: Ingo Molnar <mingo at kernel.org>
-Signed-off-by: Eric Anholt <eric at anholt.net>
-Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
----
- drivers/gpu/drm/vc4/vc4_gem.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/gpu/drm/vc4/vc4_gem.c
-+++ b/drivers/gpu/drm/vc4/vc4_gem.c
-@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, stru
- 					  sizeof(struct vc4_shader_state)) ||
- 	    temp_size < exec_size) {
- 		DRM_ERROR("overflow in exec arguments\n");
-+		ret = -EINVAL;
- 		goto fail;
- 	}
- 
diff --git a/debian/patches/series b/debian/patches/series
index 3c9af8e..bc25a02 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -102,9 +102,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/fbdev-color-map-coying-bounds-checking.patch
-bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
-bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list