[linux] 02/04: Update to 3.2.92
debian-kernel at lists.debian.org
Mon Sep 18 00:30:40 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 10504aeadf1743987c421f3dbc21f06c900d5b63
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Aug 31 20:42:41 2017 +0100
Update to 3.2.92
Refresh drm-3.4.patch.
Drop patches included in it.
---
debian/changelog | 57 ++++++++++++--
...overflow-of-offset-in-ip6_find_1stfragopt.patch | 50 ------------
...eue-fix-a-use-after-free-in-sys_mq_notify.patch | 45 -----------
...et-fix-tp_reserve-race-in-packet_set_ring.patch | 46 -----------
...protect-the-might-cancel-mechanism-proper.patch | 92 ----------------------
debian/patches/features/all/drm/drm-3.4.patch | 14 +++-
debian/patches/series | 4 -
7 files changed, 65 insertions(+), 243 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index bd76182..847c6dc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.2.91-1) UNRELEASED; urgency=medium
+linux (3.2.92-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.90
@@ -90,13 +90,60 @@ linux (3.2.91-1) UNRELEASED; urgency=medium
- ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
(CVE-2017-1000380)
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.92
+ - pvrusb2: reduce stack usage pvr2_eeprom_analyze()
+ - zd1211rw: fix NULL-deref at probe
+ - usb: hub: Fix error loop seen after hub communication errors
+ - usb: hub: Do not attempt to autosuspend disconnected devices
+ - mceusb: fix NULL-deref at probe
+ - USB: Proper handling of Race Condition when two USB class drivers try to
+ call init_usb_class simultaneously
+ - cdc-acm: fix possible invalid access when processing notification
+ - ath9k_htc: fix NULL-deref at probe
+ - gspca: konica: add missing endpoint sanity check
+ - usbvision: fix NULL-deref at probe
+ - cx231xx: fix double free and leaks on failure path in cx231xx_usb_probe()
+ - cx231xx-cards: fix NULL-deref at probe
+ - cx231xx-audio: fix init error path
+ - cx231xx-audio: fix NULL-deref at probe
+ - padata: free correct variable
+ - PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
+ - digitv: limit messages to buffer size
+ - zr364xx: enforce minimum size when reading header
+ - PCI: Ignore write combining when mapping I/O port space
+ - PCI: Fix another sanity check bug in /proc/pci mmap
+ - PCI: Only allow WC mmap on prefetchable resources
+ - PCI: Freeze PME scan before suspending devices
+ - ttusb2: Don't use stack variables for DMA
+ - ttusb2: limit messages to buffer size
+ - dw2102: Don't use dynamic static allocation
+ - dw2102: some missing unlocks on error
+ - dw2102: limit messages to buffer size
+ - ov2640: fix vflip control
+ - usb: host: xhci: print correct command ring address
+ - [x86] boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
+ - netfilter: ctnetlink: make it safer when updating ct->status
+ - PCI: Disable boot interrupt quirk for ASUS M2N-LR
+ - usb: Make sure usb/phy/of gets built-in
+ - IB/core: If the MGID/MLID pair is not on the list return an error
+ - IB/core: For multicast functions, verify that LIDs are multicast LIDs
+ - libata: reject passthrough WRITE SAME requests
+ - net: ethernet: ucc_geth: fix MEM_PART_MURAM mode
+ - Bluetooth: Fix user channel for 32bit userspace on 64bit kernel
+ - ip6_tunnel: Fix missing tunnel encapsulation limit option
+ - ipv6: Need to export ipv6_push_frag_opts for tunneling now.
+ - tcp: fix wraparound issue in tcp_lp
+ - cifs: small underflow in cnvrtDosUnixTm()
+ - CIFS: Set unicode flag on cifs echo request to avoid Mac error
+ - fbdev: sti: don't select CONFIG_VT
+ - [i386] mm: Set the '__vmalloc_start_set' flag in initmem_init()
+ - ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
+ - timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
+ - mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
+ - packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
[ Ben Hutchings ]
- * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
- * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
- * timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
* xfrm: policy: check policy direction value (CVE-2017-11600)
- * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 03 Jul 2017 17:17:55 +0100
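Review bot: the four `- *` lines removed from the [Ben Hutchings] section (CVE-2017-7542, CVE-2017-11176, CVE-2017-10661, CVE-2017-1000111) reappear verbatim as the last four entries of the new 3.2.92 upstream list, which is consistent with the patch-file and series removals below, but the trailer line ` -- Ben Hutchings <ben at decadent.org.uk>  Mon, 03 Jul 2017 17:17:55 +0100` is left untouched and is now stale for a 3.2.92 entry; that is acceptable only because the entry is still marked UNRELEASED and will be re-stamped at release time. Also worth a cross-check against the upstream ChangeLog-3.2.92: the list above contains no drm/i915 entry although the drm-3.4.patch refresh in this same commit reacts to a change in drivers/gpu/drm/i915/intel_display.c.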
diff --git a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
deleted file mode 100644
index db8854e..0000000
--- a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Sabrina Dubroca <sd at queasysnail.net>
-Date: Wed, 19 Jul 2017 22:28:55 +0200
-Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
-Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542
-
-In some cases, offset can overflow and can cause an infinite loop in
-ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
-cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
-
-This problem has been here since before the beginning of git history.
-
-Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
-Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust filename, context]
----
- net/ipv6/ip6_output.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -561,13 +561,14 @@ static void ip6_copy_metadata(struct sk_
-
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
-- u16 offset = sizeof(struct ipv6hdr);
-+ unsigned int offset = sizeof(struct ipv6hdr);
- unsigned int packet_len = skb->tail - skb->network_header;
- int found_rhdr = 0;
- *nexthdr = &ipv6_hdr(skb)->nexthdr;
-
- while (offset <= packet_len) {
- struct ipv6_opt_hdr *exthdr;
-+ unsigned int len;
-
- switch (**nexthdr) {
-
-@@ -593,7 +594,10 @@ int ip6_find_1stfragopt(struct sk_buff *
-
- exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- offset);
-- offset += ipv6_optlen(exthdr);
-+ len = ipv6_optlen(exthdr);
-+ if (len + offset >= IPV6_MAXPLEN)
-+ return -EINVAL;
-+ offset += len;
- *nexthdr = &exthdr->nexthdr;
- }
-
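Review bot: removing this file is consistent with CVE-2017-7542 now appearing under the 3.2.92 upstream list, but this backport carried a `[bwh: Backported to 3.2: adjust filename, context]` tag, i.e. on 3.2 the fix had to be applied to net/ipv6/ip6_output.c rather than to the upstream file. Confirm that the 3.2.92 stable commit performed the same relocation and that the built tree contains the `unsigned int offset` change together with the `if (len + offset >= IPV6_MAXPLEN) return -EINVAL;` cap; otherwise the infinite-loop condition the patch description mentions would come back silently.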
diff --git a/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch b/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
deleted file mode 100644
index baa937b..0000000
--- a/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Cong Wang <xiyou.wangcong at gmail.com>
-Date: Sun, 9 Jul 2017 13:19:55 -0700
-Subject: mqueue: fix a use-after-free in sys_mq_notify()
-Origin: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11176
-
-The retry logic for netlink_attachskb() inside sys_mq_notify()
-is nasty and vulnerable:
-
-1) The sock refcnt is already released when retry is needed
-2) The fd is controllable by user-space because we already
- release the file refcnt
-
-so we when retry but the fd has been just closed by user-space
-during this small window, we end up calling netlink_detachskb()
-on the error path which releases the sock again, later when
-the user-space closes this socket a use-after-free could be
-triggered.
-
-Setting 'sock' to NULL here should be sufficient to fix it.
-
-Reported-by: GeneBlue <geneblue.mail at gmail.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Cc: Andrew Morton <akpm at linux-foundation.org>
-Cc: Manfred Spraul <manfred at colorfullife.com>
-Cc: stable at kernel.org
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- ipc/mqueue.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/ipc/mqueue.c
-+++ b/ipc/mqueue.c
-@@ -1095,8 +1095,10 @@ retry:
-
- timeo = MAX_SCHEDULE_TIMEOUT;
- ret = netlink_attachskb(sock, nc, &timeo, NULL);
-- if (ret == 1)
-+ if (ret == 1) {
-+ sock = NULL;
- goto retry;
-+ }
- if (ret) {
- sock = NULL;
- nc = NULL;
diff --git a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
deleted file mode 100644
index 8a58909..0000000
--- a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Willem de Bruijn <willemb at google.com>
-Date: Thu, 10 Aug 2017 12:41:58 -0400
-Subject: packet: fix tp_reserve race in packet_set_ring
-Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111
-
-Updates to tp_reserve can race with reads of the field in
-packet_set_ring. Avoid this by holding the socket lock during
-updates in setsockopt PACKET_RESERVE.
-
-This bug was discovered by syzkaller.
-
-Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Willem de Bruijn <willemb at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3132,14 +3132,19 @@ packet_setsockopt(struct socket *sock, i
-
- if (optlen != sizeof(val))
- return -EINVAL;
-- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-- return -EBUSY;
- if (copy_from_user(&val, optval, sizeof(val)))
- return -EFAULT;
- if (val > INT_MAX)
- return -EINVAL;
-- po->tp_reserve = val;
-- return 0;
-+ lock_sock(sk);
-+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
-+ ret = -EBUSY;
-+ } else {
-+ po->tp_reserve = val;
-+ ret = 0;
-+ }
-+ release_sock(sk);
-+ return ret;
- }
- case PACKET_LOSS:
- {
diff --git a/debian/patches/bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch b/debian/patches/bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch
deleted file mode 100644
index 1ec46f7..0000000
--- a/debian/patches/bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From: Thomas Gleixner <tglx at linutronix.de>
-Date: Tue, 31 Jan 2017 15:24:03 +0100
-Subject: timerfd: Protect the might cancel mechanism proper
-Origin: https://git.kernel.org/linus/1e38da300e1e395a15048b0af1e5305bd91402f6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10661
-
-The handling of the might_cancel queueing is not properly protected, so
-parallel operations on the file descriptor can race with each other and
-lead to list corruptions or use after free.
-
-Protect the context for these operations with a seperate lock.
-
-The wait queue lock cannot be reused for this because that would create a
-lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
-atomic (atomic_t or atomic bit) does not help either because it still can
-race vs. the actual list operation.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
-Cc: "linux-fsdevel at vger.kernel.org"
-Cc: syzkaller <syzkaller at googlegroups.com>
-Cc: Al Viro <viro at zeniv.linux.org.uk>
-Cc: linux-fsdevel at vger.kernel.org
-Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
-Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
-[bwh: Backported to 3.2: adjust context]
----
- fs/timerfd.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
---- a/fs/timerfd.c
-+++ b/fs/timerfd.c
-@@ -34,6 +34,7 @@ struct timerfd_ctx {
- int clockid;
- struct rcu_head rcu;
- struct list_head clist;
-+ spinlock_t cancel_lock;
- bool might_cancel;
- };
-
-@@ -86,7 +87,7 @@ void timerfd_clock_was_set(void)
- rcu_read_unlock();
- }
-
--static void timerfd_remove_cancel(struct timerfd_ctx *ctx)
-+static void __timerfd_remove_cancel(struct timerfd_ctx *ctx)
- {
- if (ctx->might_cancel) {
- ctx->might_cancel = false;
-@@ -96,6 +97,13 @@ static void timerfd_remove_cancel(struct
- }
- }
-
-+static void timerfd_remove_cancel(struct timerfd_ctx *ctx)
-+{
-+ spin_lock(&ctx->cancel_lock);
-+ __timerfd_remove_cancel(ctx);
-+ spin_unlock(&ctx->cancel_lock);
-+}
-+
- static bool timerfd_canceled(struct timerfd_ctx *ctx)
- {
- if (!ctx->might_cancel || ctx->moffs.tv64 != KTIME_MAX)
-@@ -106,6 +114,7 @@ static bool timerfd_canceled(struct time
-
- static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags)
- {
-+ spin_lock(&ctx->cancel_lock);
- if (ctx->clockid == CLOCK_REALTIME && (flags & TFD_TIMER_ABSTIME) &&
- (flags & TFD_TIMER_CANCEL_ON_SET)) {
- if (!ctx->might_cancel) {
-@@ -114,9 +123,10 @@ static void timerfd_setup_cancel(struct
- list_add_rcu(&ctx->clist, &cancel_list);
- spin_unlock(&cancel_lock);
- }
-- } else if (ctx->might_cancel) {
-- timerfd_remove_cancel(ctx);
-+ } else {
-+ __timerfd_remove_cancel(ctx);
- }
-+ spin_unlock(&ctx->cancel_lock);
- }
-
- static ktime_t timerfd_get_remaining(struct timerfd_ctx *ctx)
-@@ -268,6 +278,7 @@ SYSCALL_DEFINE2(timerfd_create, int, clo
- return -ENOMEM;
-
- init_waitqueue_head(&ctx->wqh);
-+ spin_lock_init(&ctx->cancel_lock);
- ctx->clockid = clockid;
- hrtimer_init(&ctx->tmr, clockid, HRTIMER_MODE_ABS);
- ctx->moffs = ktime_get_monotonic_offset();
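Review bot: this backport also carried a `[bwh: Backported to 3.2: adjust context]` tag, and the surrounding code is visibly 3.2-specific (`ctx->moffs.tv64 != KTIME_MAX`, `ktime_get_monotonic_offset()`), so the 3.2.92 stable version of the CVE-2017-10661 fix should be checked to contain all five pieces of this patch: the `cancel_lock` member, `spin_lock_init(&ctx->cancel_lock)` in timerfd_create, the locked `timerfd_remove_cancel()` wrapper, the `__timerfd_remove_cancel()` call in the `else` branch of timerfd_setup_cancel(), and the lock/unlock around the whole of timerfd_setup_cancel(). Dropping the `else if (ctx->might_cancel)` guard is intentional, since `__timerfd_remove_cancel()` re-checks `might_cancel` under the lock.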
diff --git a/debian/patches/features/all/drm/drm-3.4.patch b/debian/patches/features/all/drm/drm-3.4.patch
index 5f5548d..1831e44 100644
--- a/debian/patches/features/all/drm/drm-3.4.patch
+++ b/debian/patches/features/all/drm/drm-3.4.patch
@@ -47803,7 +47803,7 @@ index fee0ad02c6d0..b4f71c22e07d 100644
drm_encoder_helper_add(&crt->base.base, &intel_crt_helper_funcs);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index 27999d990da8..c975c996ff5f 100644
+index c7b54280e2b7..c975c996ff5f 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -76,7 +76,7 @@ struct intel_limit {
@@ -49006,6 +49006,18 @@ index 27999d990da8..c975c996ff5f 100644
drm_gem_object_unreference(&work->pending_flip_obj->base);
drm_gem_object_unreference(&work->old_fb_obj->base);
+@@ -6995,9 +7301,9 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
+ &obj->pending_flip.counter);
+
+ wake_up(&dev_priv->pending_flip_queue);
+- trace_i915_flip_complete(intel_crtc->plane, work->pending_flip_obj);
+-
+ schedule_work(&work->work);
++
++ trace_i915_flip_complete(intel_crtc->plane, work->pending_flip_obj);
+ }
+
+ void intel_finish_page_flip(struct drm_device *dev, int pipe)
@@ -7058,7 +7364,7 @@ static int intel_gen2_queue_flip(struct drm_device *dev,
goto err;
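Review bot: the newly added sub-hunk for do_intel_finish_page_flip() moves `trace_i915_flip_complete(intel_crtc->plane, work->pending_flip_obj);` from before `schedule_work(&work->work);` to after it. Once the work item is queued, `work` can be freed by its handler on another CPU, so reading `work->pending_flip_obj` after schedule_work() is a potential use-after-free; the fact that this hunk is needed at all means the 3.2.92 base now orders the trace before schedule_work(), and the mechanical refresh is restoring the older 3.4 ordering in the DRM code that the wheezy kernel actually builds. Unless the 3.4 code path guarantees that `work` outlives the queued handler, drop these `+-`/`++` lines from the refresh so the trace call stays before schedule_work(). The preceding hunk's change is only the pre-image blob id of intel_display.c (27999d990da8 to c7b54280e2b7), which is the expected result of refreshing against the new base.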
diff --git a/debian/patches/series b/debian/patches/series
index acd7a80..e3d566c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1113,11 +1113,7 @@ bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
features/all/net-add-kfree_skb_list.patch
bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
bugfix/arm/mm-larger-stack-guard-gap-between-vmas-arm-topdown.patch
-bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
-bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
-bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch
bugfix/all/xfrm-policy-check-policy-direction-value.patch
-bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
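Review bot: the four removed series entries match the four deleted patch files and the four CVE lines moved in debian/changelog, and bugfix/all/xfrm-policy-check-policy-direction-value.patch is correctly kept since CVE-2017-11600 is still listed under [Ben Hutchings] rather than under 3.2.92; a quick `quilt push -a` against the 3.2.92 tree is the remaining check that the retained xfrm patch still applies cleanly now that the neighbouring patches are gone.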
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git