[linux] 01/01: Update to 4.9.7
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Fri Feb 3 14:02:56 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit 7eec246dc0d6e4f4d3aeace7829c557452801617
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Fri Feb 3 13:47:40 2017 +0000
Update to 4.9.7
Drop patches applied upstream.
---
debian/changelog | 64 ++++++++++++++++-
.../fbdev-color-map-coying-bounds-checking.patch | 80 ----------------------
...r-overflow-in-temporary-allocation-layout.patch | 36 ----------
...urn-einval-on-the-overflow-checks-failing.patch | 27 --------
debian/patches/series | 3 -
5 files changed, 63 insertions(+), 147 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 0d05be4..a3661d89 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,66 @@
-linux (4.9.6-4) UNRELEASED; urgency=medium
+linux (4.9.7-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7
+ - drm: Schedule the output_poll_work with 1s delay if we have delayed event
+ - drm: Fix broken VT switch with video=1366x768 option
+ - [x86] drm/i915: Ignore bogus plane coordinates on SKL when the plane is
+ not visible
+ - [armhf,arm64] drm/vc4: Fix memory leak of the CRTC state.
+ - [armhf,arm64] drm/vc4: fix a bounds check
+ - Revert "drm/radeon: always apply pci shutdown callbacks"
+ - drm/atomic: clear out fence when duplicating state
+ - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
+ - mm/mempolicy.c: do not put mempolicy before using its nodemask
+ - mm, page_alloc: fix check for NULL preferred_zone
+ - mm, page_alloc: fix fast-path race with cpuset update or removal
+ - mm, page_alloc: move cpuset seqcount checking to slowpath
+ - mm, page_alloc: fix premature OOM when racing with cpuset mems update
+ - [armhf,arm64] vring: Force use of DMA API for ARM-based systems with
+ legacy devices
+ - userns: Make ucounts lock irq-safe
+ - sysctl: fix proc_doulongvec_ms_jiffies_minmax()
+ - xfs: prevent quotacheck from overloading inode lru
+ - ISDN: eicon: silence misleading array-bounds warning
+ - Btrfs: remove old tree_root case in btrfs_read_locked_inode()
+ - Btrfs: disable xattr operations on subvolume directories
+ - Btrfs: remove ->{get, set}_acl() from btrfs_dir_ro_inode_operations
+ - RDMA/cma: Fix unknown symbol when CONFIG_IPV6 is not enabled
+ - [s390x] mm: Fix cmma unused transfer from pgste into pte
+ - [s390x] ptrace: Preserve previous registers for short regset write
+ - IB/cxgb3: fix misspelling in header guard
+ - IB/iser: Fix sg_tablesize calculation
+ - IB/srp: fix mr allocation when the device supports sg gaps
+ - IB/srp: fix invalid indirect_sg_entries parameter value
+ - can: c_can_pci: fix null-pointer-deref in c_can_start() - set device
+ pointer
+ - can: ti_hecc: add missing prepare and unprepare of the clock
+ - [hppa] Don't use BITS_PER_LONG in userspace-exported swab.h header
+ - nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
+ - NFSv4.1: Fix a deadlock in layoutget
+ - NFSv4.0: always send mode in SETATTR after EXCLUSIVE4
+ - SUNRPC: cleanup ida information when removing sunrpc module
+ - iw_cxgb4: free EQ queue memory on last deref
+ - pctv452e: move buffer to heap, no mutex
+ - v4l: tvp5150: Reset device at probe time, not in get/set format handlers
+ - v4l: tvp5150: Fix comment regarding output pin muxing
+ - v4l: tvp5150: Don't override output pinmuxing at stream on/off time
+ - [x86] drm/i915: Clear ret before unbinding in i915_gem_evict_something()
+ - [x86] drm/i915: prevent crash with .disable_display parameter
+ - [x86] drm/i915: Don't leak edid in intel_crt_detect_ddc()
+ - [x86] drm/i915: Don't init hpd polling for vlv and chv from
+ runtime_suspend()
+ - [x86] drm/i915: Fix calculation of rotated x and y offsets for planar
+ formats
+ - [x86] drm/i915: Check for NULL atomic state in
+ intel_crtc_disable_noatomic()
+ - IB/umem: Release pid in error and ODP flow
+ - [x86] pinctrl: baytrail: Rectify debounce support
+ - memory_hotplug: make zone_can_shift() return a boolean value
+ - virtio_mmio: Set DMA masks appropriately
+ - mm, memcg: do not retry precharge charges
+ - perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
+ - [x86] drm/i915: Remove WaDisableLSQCROPERFforOCL KBL workaround.
[ Ben Hutchings ]
* Bump ABI to 2
diff --git a/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch b/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch
deleted file mode 100644
index 10c6e2a..0000000
--- a/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Tue, 24 Jan 2017 15:18:24 -0800
-Subject: fbdev: color map copying bounds checking
-Origin: https://git.kernel.org/linus/2dc705a9930b4806250fbf5a76e55266e59389f2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8405
-
-Copying color maps to userspace doesn't check the value of to->start,
-which will cause kernel heap buffer OOB read due to signedness wraps.
-
-CVE-2016-8405
-
-Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Reported-by: Peter Pi (@heisecode) of Trend Micro
-Cc: Min Chong <mchong at google.com>
-Cc: Dan Carpenter <dan.carpenter at oracle.com>
-Cc: Tomi Valkeinen <tomi.valkeinen at ti.com>
-Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
-index f89245b8ba8e..68a113594808 100644
---- a/drivers/video/fbdev/core/fbcmap.c
-+++ b/drivers/video/fbdev/core/fbcmap.c
-@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
-
- int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
- {
-- int tooff = 0, fromoff = 0;
-- int size;
-+ unsigned int tooff = 0, fromoff = 0;
-+ size_t size;
-
- if (to->start > from->start)
- fromoff = to->start - from->start;
- else
- tooff = from->start - to->start;
-- size = to->len - tooff;
-- if (size > (int) (from->len - fromoff))
-- size = from->len - fromoff;
-- if (size <= 0)
-+ if (fromoff >= from->len || tooff >= to->len)
-+ return -EINVAL;
-+
-+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+ if (size == 0)
- return -EINVAL;
- size *= sizeof(u16);
-
-@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
-
- int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
- {
-- int tooff = 0, fromoff = 0;
-- int size;
-+ unsigned int tooff = 0, fromoff = 0;
-+ size_t size;
-
- if (to->start > from->start)
- fromoff = to->start - from->start;
- else
- tooff = from->start - to->start;
-- size = to->len - tooff;
-- if (size > (int) (from->len - fromoff))
-- size = from->len - fromoff;
-- if (size <= 0)
-+ if (fromoff >= from->len || tooff >= to->len)
-+ return -EINVAL;
-+
-+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+ if (size == 0)
- return -EINVAL;
- size *= sizeof(u16);
-
diff --git a/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch b/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
deleted file mode 100644
index be77360..0000000
--- a/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Eric Anholt <eric at anholt.net>
-Date: Wed, 18 Jan 2017 07:20:49 +1100
-Subject: drm/vc4: Fix an integer overflow in temporary allocation layout.
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5576
-Origin: https://lkml.org/lkml/2017/1/17/761
-
-We copy the unvalidated ioctl arguments from the user into kernel
-temporary memory to run the validation from, to avoid a race where the
-user updates the unvalidate contents in between validating them and
-copying them into the validated BO.
-
-However, in setting up the layout of the kernel side, we failed to
-check one of the additions (the roundup() for shader_rec_offset)
-against integer overflow, allowing a nearly MAX_UINT value of
-bin_cl_size to cause us to under-allocate the temporary space that we
-then copy_from_user into.
-
-Reported-by: Murray McAllister <murray.mcallister at insomniasec.com>
-Signed-off-by: Eric Anholt <eric at anholt.net>
-Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
----
- drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/vc4/vc4_gem.c
-+++ b/drivers/gpu/drm/vc4/vc4_gem.c
-@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, stru
- args->shader_rec_count);
- struct vc4_bo *bo;
-
-- if (uniforms_offset < shader_rec_offset ||
-+ if (shader_rec_offset < args->bin_cl_size ||
-+ uniforms_offset < shader_rec_offset ||
- exec_size < uniforms_offset ||
- args->shader_rec_count >= (UINT_MAX /
- sizeof(struct vc4_shader_state)) ||
diff --git a/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch b/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
deleted file mode 100644
index 95dc721..0000000
--- a/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Eric Anholt <eric at anholt.net>
-Date: Wed, 18 Jan 2017 07:20:50 +1100
-Subject: drm/vc4: Return -EINVAL on the overflow checks failing.
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5577
-Origin: https://lkml.org/lkml/2017/1/17/759
-
-By failing to set the errno, we'd continue on to trying to set up the
-RCL, and then oops on trying to dereference the tile_bo that binning
-validation should have set up.
-
-Reported-by: Ingo Molnar <mingo at kernel.org>
-Signed-off-by: Eric Anholt <eric at anholt.net>
-Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
----
- drivers/gpu/drm/vc4/vc4_gem.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/gpu/drm/vc4/vc4_gem.c
-+++ b/drivers/gpu/drm/vc4/vc4_gem.c
-@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, stru
- sizeof(struct vc4_shader_state)) ||
- temp_size < exec_size) {
- DRM_ERROR("overflow in exec arguments\n");
-+ ret = -EINVAL;
- goto fail;
- }
-
diff --git a/debian/patches/series b/debian/patches/series
index 3c9af8e..bc25a02 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -102,9 +102,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/fbdev-color-map-coying-bounds-checking.patch
-bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
-bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list