[linux] 01/02: Update to 3.16.48

debian-kernel at lists.debian.org
Sun Sep 24 21:41:19 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 11d2358c61bd1d2736bbde248de7cd6f7d75db00
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Sep 19 17:11:31 2017 +0100

    Update to 3.16.48
---
 debian/changelog                                   | 156 ++++++++++++++++++++-
 ...x-possible-buffer-overflow-in-brcmf_cfg80.patch |  42 ------
 .../all/ipv6-fix-leak-in-ipv6_gso_segment.patch    |  30 ----
 ...andle-errors-reported-by-xfrm6_find_1stfr.patch |  40 ------
 ...e-wrt-a-process-requires-mapped-uids-gids.patch |  10 +-
 .../sanitize-move_pages-permission-checks.patch    |  73 ----------
 ...alize-rcv_mss-to-tcp_min_mss-instead-of-0.patch |  35 -----
 .../bugfix/all/xen-fix-bio-vec-merging.patch       |  61 --------
 .../xfrm-policy-check-policy-direction-value.patch |  40 ------
 .../ptrace-avoid-abi-change-in-3.16.48.patch       |  24 ++++
 .../debian/xfrm-avoid-abi-change-in-3.16.48.patch  |  25 ++++
 debian/patches/series                              |   9 +-
 12 files changed, 211 insertions(+), 334 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index a4c4085..c2ed561 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.16.47-1) UNRELEASED; urgency=medium
+linux (3.16.48-1) UNRELEASED; urgency=medium
 
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.44
@@ -411,12 +411,166 @@ linux (3.16.47-1) UNRELEASED; urgency=medium
     - [arm64] uaccess: ensure extension of access_ok() addr
     - usb: misc: legousbtower: Fix memory leak
     - net/mlx4: Fix the check in attaching steering rules
+    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.48
+    - xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
+    - af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
+    - netxen_nic: set rcode to the return status from the call to
+      netxen_issue_cmd
+    - [s390x] qeth: handle sysfs error during initialization
+    - ]s390x] qeth: unbreak OSM and OSN support
+    - netem: fix skb_orphan_partial()
+    - tcp: avoid fragmenting peculiar skbs in SACK
+    - SMB2: Fix share type handling
+    - pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes
+    - pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes()
+    - PowerCap: Fix an error code in powercap_register_zone()
+    - USB: serial: ftdi_sio: fix setting latency for unprivileged users
+    - staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.
+    - staging: rtl8192e: fix 2 byte alignment of register BSSIDR.
+    - staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.
+    - USB: serial: ir-usb: fix big-endian baud-rate debug printk
+    - USB: serial: mct_u232: fix big-endian baud-rate handling
+    - USB: serial: io_ti: fix div-by-zero in set_termios
+    - [x86] KVM: Fix load damaged SSEx MXCSR register
+    - dm thin metadata: call precommit before saving the roots
+    - dm space map disk: fix some book keeping in the disk space map
+    - [armhf,arm64] kvm: Fix race in resetting stage2 PGD
+    - [armhf,arm64] kvm: Force reading uncached stage2 PGD
+    - [armhf,arm64] kvm: Fix use after free of stage2 page table
+    - usb: dwc3: gadget: Prevent losing events in event cache
+    - btrfs: fix incorrect error return ret being passed to mapping_set_error
+    - tcp: eliminate negative reordering in tcp_clean_rtx_queue
+    - uio: add missing error codes
+    - uio: fix incorrect memory leak cleanup
+    - uwb: fix device quirk on big-endian hosts
+    - USB: iowarrior: fix info ioctl on big-endian hosts
+    - USB: gadget: dummy_hcd: fix hub-descriptor removable fields
+    - [x86] USB: usbip: fix nonconforming hub descriptor
+    - USB: hub: fix SS hub-descriptor handling
+    - USB: hub: fix non-SS hub-descriptor handling
+    - USB: hub: fix SS max number of ports
+    - mac80211: strictly check mesh address extension mode
+    - tracing/kprobes: Enforce kprobes teardown after testing
+    - xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton
+    - usb: host: xhci-mem: allocate zeroed Scratchpad Buffer
+    - usb: host: xhci: simplify irq handler return
+    - USB: xhci: fix lock-inversion problem
+    - usb: host: xhci-plat: propagate return value of platform_get_irq()
+    - drivers: char: mem: Check for address space wraparound with mmap()
+    - watchdog: pcwd_usb: fix NULL-deref at probe
+    - [powerpc*] mm: Fix virt_addr_valid() etc. on 64-bit hash
+    - batman-adv: Fix rx packet/bytes stats on local ARP reply
+    - [x86] KVM: Fix read out-of-bounds vulnerability in kvm pio emulation
+    - [x86] KVM: zero base3 of unusable segments
+    - ext4: fix SEEK_HOLE
+    - ext4: keep existing extra fields when inode expands
+    - ext4: use __GFP_NOFAIL in ext4_free_blocks()
+    - ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors
+    - i2c: i2c-tiny-usb: fix buffer not being DMA capable
+    - crypto: gcm - wait for crypto op not signal safe
+    - block: fix an error code in add_partition()
+    - libceph: NULL deref on crush_decode() error path
+    - [x86] drm/gma500/psb: Actually use VBT mode when it is found
+    - netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
+    - ASoC: Fix use-after-free at card unregistration
+    - scsi: qla2xxx: don't disable a not previously enabled PCI device
+    - net: phy: marvell: Limit errata to 88m1101
+    - drm/radeon/ci: disable mclk switching for high refresh rates (v2)
+    - drm/radeon: Unbreak HPD handling for r600+
+    - xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff()
+    - xfs: Fix missed holes in SEEK_HOLE implementation
+    - tcp: avoid fastopen API to be used on AF_UNSPEC
+    - net: ethernet: ax88796: don't call free_irq without request_irq first
+    - ext4: fix data corruption for mmap writes
+    - ext4: fix fdatasync(2) after extent manipulation operations
+    - net: phy: fix marvell phy status reading
+    - iscsi-target: Fix early sk_data_ready LOGIN_FLAGS_READY race
+    - target/iscsi: Fix indentation in iscsi_target_start_negotiation()
+    - iscsi-target: Fix initial login PDU asynchronous socket close OOPs
+    - iscsi-target: Always wait for kthread_should_stop() before kthread exit
+    - [powerpc*] spufs: Fix coredump of SPU contexts
+    - btrfs: use correct types for page indices in btrfs_page_exists_in_range
+    - btrfs: fix memory leak in update_space_info failure path
+    - bnx2x: Fix Multi-Cos
+    - usb: gadget: f_mass_storage: Serialize wake and sleep execution
+    - mm/migrate: fix refcount handling when !hugepage_migration_supported()
+    - mlock: fix mlock count can not decrease in race condition
+    - [x86] staging/lustre/lov: remove set_fs() call from lov_getstripe()
+    - drivers: char: mem: Fix wraparound check to allow mappings up to the end
+    - alarmtimer: Prevent overflow of relative timers
+    - alarmtimer: Rate limit periodic intervals
+    - rc-core: race condition during ir_raw_event_register()
+    - fs/ufs: Set UFS default maximum bytes per file
+    - net: ping: do not abuse udp_poll()
+    - tags: honor COMPILED_SOURCE with apart output directory
+    - vb2: Fix an off by one error in 'vb2_plane_vaddr'
+    - kvm: async_pf: fix rcu_irq_enter() with irqs enabled
+    - [x86] KVM: nVMX: Fix exception injection
+    - [arm64] KVM: Preserve RES1 bits in SCTLR_EL2
+    - [arm64] KVM: Allow unaligned accesses at EL2
+    - [armhf] KVM: Allow unaligned accesses at HYP
+    - [x86] drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
+    - [x86] KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid
+      emulation
+    - [mips*] kprobes: flush_insn_slot should flush only if probe initialised
+    - [powerpc*] net: emac: fix reset timeout with AR8035 phy
+    - rcu: Move preemption disabling out of __srcu_read_lock()
+    - srcu: Allow use of Classic SRCU from both process and interrupt context
+    - KEYS: fix dereferencing NULL payload with nonzero length
+    - target: Fix kref->refcount underflow in transport_cmd_finish_abort
+    - can: gs_usb: fix memory leak in gs_cmd_reset()
+    - ufs: fix ufs_isblockset()
+    - ufs: restore maintaining ->i_blocks
+    - ufs: set correct ->s_maxsize
+    - ufs: excessive checks in ufs_write_failed() and ufs_evict_inode()
+    - l2tp: cast l2tp traffic counter to unsigned
+    - KVM: async_pf: avoid async pf injection when in guest mode
+    - configfs: Fix race between create_link and configfs_rmdir
+    - cpufreq: conservative: Allow down_threshold to take values from 1 to 10
+    - genirq: Release resources in __setup_irq() error path
+    - [powerpc*] KVM: Book3S HV: Context-switch EBB registers properly
+    - selinux: fix double free in selinux_parse_opts_str()
+    - mac80211: don't look at the PM bit of BAR frames
+    - mac80211/wpa: use constant time memory comparison for MACs
+    - xfrm: Oops on error in pfkey_msg2xfrm_state()
+    - xfrm: NULL dereference on allocation failure
+    - IB/ipoib: Fix memory leak in create child syscall
+    - [powerpc*] KVM: Book3S HV: Preserve userspace HTM state properly
+    - [x86] i2c: ismt: fix wrong device address when unmap the data buffer
+    - [powerpc*] kprobes: Pause function_graph tracing during jprobes handling
+    - mm/memory-failure.c: use compound_head() flags for huge pages
+    - swap: cond_resched in swap_cgroup_prepare()
+    - mm: numa: avoid waiting on freed migrated pages
+    - signal: Only reschedule timers on signals timers have sent
+    - ipv6: Do not leak throw route references
+    - rtnetlink: add IFLA_GROUP to ifla_policy
+    - [armhf] i2c: imx: Use correct function to write to register
+    - ipv6: initialize route null entry in addrconf_init()
+    - ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf
+    - ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER
+    - ipv6: avoid unregistering inet6_dev for loopback
+    - [powerpc*/*64*] Initialise thread_info for emergency stacks
+    - ipv4: Should use consistent conditional judgement for ip fragment in
+      __ip_append_data and ip_finish_output
+    - net: account for current skb length when deciding about UFO
+    - autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
+    - tcp: reset sk_rx_dst in tcp_disconnect()
+    - net: prevent sign extension in dev_get_stats()
+    - ALSA: hda - set input_path bitmap to zero after moving it to new place
+    - net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
+    - [armel,armhf] 8685/1: ensure memblock-limit is pmd-aligned
+    - [mips*] pm-cps: Drop manual cache-line alignment of ready_count
+    - [mips*] Fix IRQ tracing & lockdep when rescheduling
+    - tracing/kprobes: Allow to create probe with a module name starting with a
+      digit
+    - ptrace: use fsuid, fsgid, effective creds for fs access checks
 
   [ Ben Hutchings ]
   * SCSI: Revert "scsi: scsi_error: count medium access timeout only once per
     EH run" to avoid ABI change
   * ttm: Avoid ABI change for ttm_ref_object_add() require_existing param
   * cxgbi, IB, libiscsi, l2tp, rds: Ignore ABI changes
+  * ptrace, xfrm: Avoid ABI changes in 3.16.48
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 06 Aug 2017 22:03:56 +0100
 
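Review bot: the entry "qeth: unbreak OSM and OSN support" has a mismatched bracket in its architecture tag, `]s390x]`, where the line above it and the rest of the changelog use `[s390x]`; fix this before the entry lands, since the bracketed tag is what readers grep for when looking for per-architecture changes.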
diff --git a/debian/patches/bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch b/debian/patches/bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
deleted file mode 100644
index b2dc207..0000000
--- a/debian/patches/bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Arend van Spriel <arend.vanspriel at broadcom.com>
-Date: Fri, 7 Jul 2017 21:09:06 +0100
-Subject: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/8f44c9a41386729fea410e688959ddaa9d51be7c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7541
-
-The lower level nl80211 code in cfg80211 ensures that "len" is between
-25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
-"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
-only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
-overflow.
-
-	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
-	       le16_to_cpu(action_frame->len));
-
-Cc: stable at vger.kernel.org # 3.9.x
-Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
-Reported-by: "freenerguo(郭大兴)" <freenerguo at tencent.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel at broadcom.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[carnil: backport for 3.16: adjust filename]
----
- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
-+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
-@@ -4119,6 +4119,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
- 		cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
- 					GFP_KERNEL);
- 	} else if (ieee80211_is_action(mgmt->frame_control)) {
-+		if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
-+			brcmf_err("invalid action frame length\n");
-+			err = -EINVAL;
-+			goto exit;
-+		}
- 		af_params = kzalloc(sizeof(*af_params), GFP_KERNEL);
- 		if (af_params == NULL) {
- 			brcmf_err("unable to allocate frame\n");
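Review bot: this file is dropped from the series, but neither the commit message nor the new ChangeLog-3.16.48 block above lists a brcmfmac fix by subject, and the same holds for the other six patches removed in this commit (the ipv6 GSO leak and xfrm6 error-handling patches, the move_pages permission change, the tcp rcv_mss initialisation, the Xen bio-vec merge fix and the xfrm_migrate direction check); every one of them carries a Bug-Debian-Security CVE reference. A short changelog line stating that these patches are superseded by upstream 3.16.48 would let a reader verify the CVE coverage from this commit alone instead of diffing the upstream ChangeLog by hand.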
diff --git a/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch b/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
deleted file mode 100644
index 6ba3fc2..0000000
--- a/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Sun, 4 Jun 2017 21:41:10 -0400
-Subject: ipv6: Fix leak in ipv6_gso_segment().
-Origin: https://git.kernel.org/linus/e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-If ip6_find_1stfragopt() fails and we return an error we have to free
-up 'segs' because nobody else is going to.
-
-Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
-Reported-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_offload.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/net/ipv6/ip6_offload.c
-+++ b/net/ipv6/ip6_offload.c
-@@ -144,8 +144,10 @@ static struct sk_buff *ipv6_gso_segment(
- 
- 		if (udpfrag) {
- 			int err = ip6_find_1stfragopt(skb, &prevhdr);
--			if (err < 0)
-+			if (err < 0) {
-+				kfree_skb_list(segs);
- 				return ERR_PTR(err);
-+			}
- 			fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
- 			fptr->frag_off = htons(offset);
- 			if (skb->next != NULL)
diff --git a/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch b/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
deleted file mode 100644
index 02ea18f..0000000
--- a/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Wed, 31 May 2017 13:15:41 +0100
-Subject: ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
-Origin: https://git.kernel.org/linus/6e80ac5cc992ab6256c3dae87f7e57db15e1a58c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-xfrm6_find_1stfragopt() may now return an error code and we must
-not treat it as a length.
-
-Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Acked-by: Craig Gallek <kraig at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/xfrm6_mode_ro.c        | 2 ++
- net/ipv6/xfrm6_mode_transport.c | 2 ++
- 2 files changed, 4 insertions(+)
-
---- a/net/ipv6/xfrm6_mode_ro.c
-+++ b/net/ipv6/xfrm6_mode_ro.c
-@@ -47,6 +47,8 @@ static int xfrm6_ro_output(struct xfrm_s
- 	iph = ipv6_hdr(skb);
- 
- 	hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
-+	if (hdr_len < 0)
-+		return hdr_len;
- 	skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
- 	skb_set_network_header(skb, -x->props.header_len);
- 	skb->transport_header = skb->network_header + hdr_len;
---- a/net/ipv6/xfrm6_mode_transport.c
-+++ b/net/ipv6/xfrm6_mode_transport.c
-@@ -28,6 +28,8 @@ static int xfrm6_transport_output(struct
- 	iph = ipv6_hdr(skb);
- 
- 	hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
-+	if (hdr_len < 0)
-+		return hdr_len;
- 	skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
- 	skb_set_network_header(skb, -x->props.header_len);
- 	skb->transport_header = skb->network_header + hdr_len;
diff --git a/debian/patches/bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch b/debian/patches/bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
index f9c9c92..eb9f85f 100644
--- a/debian/patches/bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
+++ b/debian/patches/bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
@@ -44,7 +44,7 @@ Signed-off-by: Jann Horn <jann at thejh.net>
  #include <linux/syscalls.h>
  #include <linux/uaccess.h>
  #include <linux/regset.h>
-@@ -213,12 +214,34 @@ static int ptrace_check_attach(struct ta
+@@ -219,12 +220,34 @@ static int ptrace_check_attach(struct ta
  	return ret;
  }
  
@@ -82,16 +82,16 @@ Signed-off-by: Jann Horn <jann at thejh.net>
  }
  
  /* Returns 0 on success, -errno on denial. */
-@@ -247,7 +270,7 @@ static int __ptrace_may_access(struct ta
- 	    gid_eq(cred->gid, tcred->sgid) &&
- 	    gid_eq(cred->gid, tcred->gid))
+@@ -276,7 +299,7 @@ static int __ptrace_may_access(struct ta
+ 	    gid_eq(caller_gid, tcred->sgid) &&
+ 	    gid_eq(caller_gid, tcred->gid))
  		goto ok;
 -	if (ptrace_has_cap(tcred->user_ns, mode))
 +	if (ptrace_has_cap(tcred, mode))
  		goto ok;
  	rcu_read_unlock();
  	return -EPERM;
-@@ -258,7 +281,7 @@ ok:
+@@ -287,7 +310,7 @@ ok:
  		dumpable = get_dumpable(task->mm);
  	rcu_read_lock();
  	if (dumpable != SUID_DUMP_USER &&
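Review bot: the refreshed context now compares caller_gid instead of cred->gid, so this Debian patch is being rebased on top of the upstream ptrace fsuid/fsgid change listed in the changelog, while the patch's own change, `ptrace_has_cap(tcred, mode)`, is untouched. Worth confirming that the mapped-uids/gids check inside ptrace_has_cap takes the caller's uid and gid from the same credential set as caller_uid/caller_gid for the given mode (fs creds under PTRACE_MODE_FSCREDS, real creds otherwise); otherwise the two halves of __ptrace_may_access test different identities.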
diff --git a/debian/patches/bugfix/all/sanitize-move_pages-permission-checks.patch b/debian/patches/bugfix/all/sanitize-move_pages-permission-checks.patch
deleted file mode 100644
index 8283639..0000000
--- a/debian/patches/bugfix/all/sanitize-move_pages-permission-checks.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Linus Torvalds <torvalds at linux-foundation.org>
-Date: Sun, 20 Aug 2017 13:26:27 -0700
-Subject: Sanitize 'move_pages()' permission checks
-Origin: https://git.kernel.org/linus/197e7e521384a23b9e585178f3f11c9fa08274b9
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14140
-
-The 'move_paghes()' system call was introduced long long ago with the
-same permission checks as for sending a signal (except using
-CAP_SYS_NICE instead of CAP_SYS_KILL for the overriding capability).
-
-That turns out to not be a great choice - while the system call really
-only moves physical page allocations around (and you need other
-capabilities to do a lot of it), you can check the return value to map
-out some the virtual address choices and defeat ASLR of a binary that
-still shares your uid.
-
-So change the access checks to the more common 'ptrace_may_access()'
-model instead.
-
-This tightens the access checks for the uid, and also effectively
-changes the CAP_SYS_NICE check to CAP_SYS_PTRACE, but it's unlikely that
-anybody really _uses_ this legacy system call any more (we hav ebetter
-NUMA placement models these days), so I expect nobody to notice.
-
-Famous last words.
-
-Reported-by: Otto Ebeling <otto.ebeling at iki.fi>
-Acked-by: Eric W. Biederman <ebiederm at xmission.com>
-Cc: Willy Tarreau <w at 1wt.eu>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-[bwh: Backported to 3.16.43: use just PTRACE_MODE_REAL]
----
- mm/migrate.c | 11 +++--------
- 1 file changed, 3 insertions(+), 8 deletions(-)
-
---- a/mm/migrate.c
-+++ b/mm/migrate.c
-@@ -38,6 +38,7 @@
- #include <linux/gfp.h>
- #include <linux/balloon_compaction.h>
- #include <linux/mmu_notifier.h>
-+#include <linux/ptrace.h>
- 
- #include <asm/tlbflush.h>
- 
-@@ -1484,7 +1485,6 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
- 		const int __user *, nodes,
- 		int __user *, status, int, flags)
- {
--	const struct cred *cred = current_cred(), *tcred;
- 	struct task_struct *task;
- 	struct mm_struct *mm;
- 	int err;
-@@ -1508,14 +1508,9 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
- 
- 	/*
- 	 * Check if this process has the right to modify the specified
--	 * process. The right exists if the process has administrative
--	 * capabilities, superuser privileges or the same
--	 * userid as the target process.
--	 */
--	tcred = __task_cred(task);
--	if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
--	    !uid_eq(cred->uid,  tcred->suid) && !uid_eq(cred->uid,  tcred->uid) &&
--	    !capable(CAP_SYS_NICE)) {
-+	 * process. Use the regular "ptrace_may_access()" checks.
-+	 */
-+	if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
- 		rcu_read_unlock();
- 		err = -EPERM;
- 		goto out;
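Review bot: the backport note says "use just PTRACE_MODE_REAL" while the code passes PTRACE_MODE_READ; moot now that the file is deleted, but since the ptrace credential flags arrive with 3.16.48 it is worth checking that the upstream move_pages check in 3.16.48 passes an explicit *_REALCREDS mode rather than relying on the flag-less fallback added in debian/ptrace-avoid-abi-change-in-3.16.48.patch, which that patch describes as being for out-of-tree modules only.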
diff --git a/debian/patches/bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch b/debian/patches/bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
deleted file mode 100644
index 3e2b303..0000000
--- a/debian/patches/bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Wei Wang <weiwan at google.com>
-Date: Thu, 18 May 2017 11:22:33 -0700
-Subject: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
-Origin: https://git.kernel.org/linus/499350a5a6e7512d9ed369ed63a4244b6536f4f8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14106
-
-When tcp_disconnect() is called, inet_csk_delack_init() sets
-icsk->icsk_ack.rcv_mss to 0.
-This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
-__tcp_select_window() call path to have division by 0 issue.
-So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.
-
-Reported-by: Andrey Konovalov  <andreyknvl at google.com>
-Signed-off-by: Wei Wang <weiwan at google.com>
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: Neal Cardwell <ncardwell at google.com>
-Signed-off-by: Yuchung Cheng <ycheng at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/tcp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -2361,6 +2361,10 @@ int tcp_disconnect(struct sock *sk, int
- 	tcp_set_ca_state(sk, TCP_CA_Open);
- 	tcp_clear_retrans(tp);
- 	inet_csk_delack_init(sk);
-+	/* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
-+	 * issue in __tcp_select_window()
-+	 */
-+	icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
- 	tcp_init_send_head(sk);
- 	memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
- 	__sk_dst_reset(sk);
diff --git a/debian/patches/bugfix/all/xen-fix-bio-vec-merging.patch b/debian/patches/bugfix/all/xen-fix-bio-vec-merging.patch
deleted file mode 100644
index dd7afda..0000000
--- a/debian/patches/bugfix/all/xen-fix-bio-vec-merging.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Roger Pau Monne <roger.pau at citrix.com>
-Date: Tue, 18 Jul 2017 15:01:00 +0100
-Subject: xen: fix bio vec merging
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/462cdace790ac2ed6aad1b19c9c0af0143b6aab0
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12134
-
-The current test for bio vec merging is not fully accurate and can be
-tricked into merging bios when certain grant combinations are used.
-The result of these malicious bio merges is a bio that extends past
-the memory page used by any of the originating bios.
-
-Take into account the following scenario, where a guest creates two
-grant references that point to the same mfn, ie: grant 1 -> mfn A,
-grant 2 -> mfn A.
-
-These references are then used in a PV block request, and mapped by
-the backend domain, thus obtaining two different pfns that point to
-the same mfn, pfn B -> mfn A, pfn C -> mfn A.
-
-If those grants happen to be used in two consecutive sectors of a disk
-IO operation becoming two different bios in the backend domain, the
-checks in xen_biovec_phys_mergeable will succeed, because bfn1 == bfn2
-(they both point to the same mfn). However due to the bio merging,
-the backend domain will end up with a bio that expands past mfn A into
-mfn A + 1.
-
-Fix this by making sure the check in xen_biovec_phys_mergeable takes
-into account the offset and the length of the bio, this basically
-replicates whats done in __BIOVEC_PHYS_MERGEABLE using mfns (bus
-addresses). While there also remove the usage of
-__BIOVEC_PHYS_MERGEABLE, since that's already checked by the callers
-of xen_biovec_phys_mergeable.
-
-Reported-by: "Jan H. Schönherr" <jschoenh at amazon.de>
-Signed-off-by: Roger Pau Monné <roger.pau at citrix.com>
-Reviewed-by: Juergen Gross <jgross at suse.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-[bwh: Backported to 3.16:
- - s/bfn/mfn/g
- - Adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- drivers/xen/biomerge.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/xen/biomerge.c b/drivers/xen/biomerge.c
-index 0edb91c0de6b..4a77fe802b37 100644
---- a/drivers/xen/biomerge.c
-+++ b/drivers/xen/biomerge.c
-@@ -9,7 +9,6 @@ bool xen_biovec_phys_mergeable(const struct bio_vec *vec1,
- 	unsigned long mfn1 = pfn_to_mfn(page_to_pfn(vec1->bv_page));
- 	unsigned long mfn2 = pfn_to_mfn(page_to_pfn(vec2->bv_page));
- 
--	return __BIOVEC_PHYS_MERGEABLE(vec1, vec2) &&
--		((mfn1 == mfn2) || ((mfn1+1) == mfn2));
-+	return mfn1 + PFN_DOWN(vec1->bv_offset + vec1->bv_len) == mfn2;
- }
- EXPORT_SYMBOL(xen_biovec_phys_mergeable);
diff --git a/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch b/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch
deleted file mode 100644
index ff5fd29..0000000
--- a/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Wed, 2 Aug 2017 19:50:14 +0200
-Subject: xfrm: policy: check policy direction value
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11600
-
-The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
-as an array index. This can lead to an out-of-bound access, kernel lockup and
-DoS. Add a check for the 'dir' value.
-
-This fixes CVE-2017-11600.
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
-Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
-Cc: <stable at vger.kernel.org> # v2.6.21-rc1
-Reported-by: "bo Zhang" <zhangbo5891001 at gmail.com>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
-Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
----
- net/xfrm/xfrm_policy.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -3170,9 +3170,15 @@ int xfrm_migrate(const struct xfrm_selec
- 	struct xfrm_state *x_new[XFRM_MAX_DEPTH];
- 	struct xfrm_migrate *mp;
- 
-+	/* Stage 0 - sanity checks */
- 	if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
- 		goto out;
- 
-+	if (dir >= XFRM_POLICY_MAX) {
-+		err = -EINVAL;
-+		goto out;
-+	}
-+
- 	/* Stage 1 - find policy */
- 	if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
- 		err = -ENOENT;
diff --git a/debian/patches/debian/ptrace-avoid-abi-change-in-3.16.48.patch b/debian/patches/debian/ptrace-avoid-abi-change-in-3.16.48.patch
new file mode 100644
index 0000000..2eb2d36
--- /dev/null
+++ b/debian/patches/debian/ptrace-avoid-abi-change-in-3.16.48.patch
@@ -0,0 +1,24 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 18 Sep 2017 00:30:42 +0100
+Subject: ptrace: Avoid ABI change in 3.16.48
+Forwarded: not-needed
+
+ptrace_may_access() now expects the given mode to include exactly one
+of the PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS flags, and always
+fails (-EPERM) otherwise.  Old out-of-tree modules won't set either of
+these flags, so revert to the old behaviour in this case.
+
+---
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -260,6 +260,10 @@ static int __ptrace_may_access(struct ta
+ 	kuid_t caller_uid;
+ 	kgid_t caller_gid;
+ 
++	/* bwh: Use old behaviour for any out-of-tree modules */
++	if ((mode & (PTRACE_MODE_FSCREDS | PTRACE_MODE_REALCREDS)) == 0) {
++		mode |= PTRACE_MODE_REALCREDS;
++	} else
+ 	if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) {
+ 		WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n");
+ 		return -EPERM;
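Review bot: two points on the fallback. First, it is silent: a caller that sets neither flag gets PTRACE_MODE_REALCREDS semantics with no trace in the log, so the out-of-tree modules this exists for can never be identified and fixed; a `WARN_ONCE` or `pr_warn_once` at the point where the mode is defaulted would keep the ABI shim while making its use visible. Second, after this change the existing `WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n")` is only reachable when both flags are set, so its message no longer describes the condition it reports; reword it (for example, "with both PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS"). Minor style: `} else` followed by `if (...)` on the next line reads oddly, presumably to leave the original `if` line untouched; kernel style would be `} else if (...) {`.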
diff --git a/debian/patches/debian/xfrm-avoid-abi-change-in-3.16.48.patch b/debian/patches/debian/xfrm-avoid-abi-change-in-3.16.48.patch
new file mode 100644
index 0000000..8a0422e
--- /dev/null
+++ b/debian/patches/debian/xfrm-avoid-abi-change-in-3.16.48.patch
@@ -0,0 +1,25 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 18 Sep 2017 00:37:17 +0100
+Subject: xfrm: Avoid ABI change in 3.16.48
+Forwarded: not-needed
+
+Commit 9b3eb54106cf6acd03f07cf0ab01c13676a226c2 "xfrm: fix stack
+access out of bounds with CONFIG_XFRM_SUB_POLICY" removed two members
+from xfrm_dst that were written and never read.  We should retain them
+as always-zero to avoid ABI breakage.
+
+---
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -949,6 +949,11 @@ struct xfrm_dst {
+ 	struct flow_cache_object flo;
+ 	struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
+ 	int num_pols, num_xfrms;
++#ifdef CONFIG_XFRM_SUB_POLICY
++	/* bwh: unused, for binary compatibility */
++	struct flowi *origin;
++	struct xfrm_selector *partner;
++#endif
+ 	u32 xfrm_genid;
+ 	u32 policy_genid;
+ 	u32 route_mtu_cached;
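Review bot: the description says the retained `origin` and `partner` members are kept "always-zero", but nothing in this hunk initialises them, so that property depends entirely on every xfrm_dst allocation path zeroing the structure. Either state in the description which allocation path guarantees this or add an explicit zeroing where xfrm_dst is allocated; the upstream commit named above fixed a stack out-of-bounds access and removed these members as part of that fix, so a stale non-zero pointer left in either field is not a harmless leftover.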
diff --git a/debian/patches/series b/debian/patches/series
index c0fc3ed..cffa065 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -679,16 +679,9 @@ bugfix/all/pie-aslr/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-chan.patch
 # Security fixes
 bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
 bugfix/all/mbcache-reschedule-before-restarting-iteration-in-mb_cache_entry_alloc.patch
-bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
-bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
-bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
-bugfix/all/xfrm-policy-check-policy-direction-value.patch
-bugfix/all/xen-fix-bio-vec-merging.patch
 bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
 bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
 bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch
-bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
-bugfix/all/sanitize-move_pages-permission-checks.patch
 bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
 bugfix/all/xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-d.patch
 bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
@@ -754,3 +747,5 @@ debian/vfs-avoid-abi-change-for-mnt-add-a-per-mount-namespace-limit.patch
 debian/mmc-avoid-abi-change-for-mmc-core-annotate-cmd_hdr-as-__le32.patch
 debian/revert-scsi-scsi_error-count-medium-access-timeout-only-once.patch
 debian/ttm-avoid-abi-change-for-ttm_ref_object_add-require_existed.patch
+debian/ptrace-avoid-abi-change-in-3.16.48.patch
+debian/xfrm-avoid-abi-change-in-3.16.48.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


