Update to 4.6.6

Salvatore Bonaccorso
2016-08-11 16:14:40 +02:00
parent d5ac562bf2
commit 457d8bb6bd
7 changed files with 99 additions and 159 deletions

104
debian/changelog vendored

@@ -1,4 +1,4 @@
linux (4.6.5-1) UNRELEASED; urgency=medium
linux (4.6.6-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.5
@@ -204,15 +204,109 @@ linux (4.6.5-1) UNRELEASED; urgency=medium
- [x86] drm/i915: Revert DisplayPort fast link training feature
- ovl: Do d_type check only if work dir creation was successful
- ovl: warn instead of error if d_type is not supported
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.6
- USB: OHCI: Don't mark EDs as ED_OPER if scheduling fails
- x86/quirks: Apply nvidia_bugs quirk only on root bus
- x86/quirks: Reintroduce scanning of secondary buses
- x86/quirks: Add early quirk to reset Apple AirPort card
- dmaengine: at_xdmac: align descriptors on 64 bits
- dmaengine: at_xdmac: fix residue corruption
- dmaengine: at_xdmac: double FIFO flush needed to compute residue
- mm, sl[au]b: add __GFP_ATOMIC to the GFP reclaim mask
- memcg: mem_cgroup_migrate() may be called with irq disabled
- memcg: css_alloc should return an ERR_PTR value on error
- mm/swap.c: flush lru pvecs on compound page arrival
- mm, compaction: abort free scanner if split fails
- fs/nilfs2: fix potential underflow in call to crc32_le
- mm, compaction: prevent VM_BUG_ON when terminating freeing scanner
- uapi: export lirc.h header
- mm, meminit: always return a valid node from early_pfn_to_nid
- mm, meminit: ensure node is online before checking whether pages are uninitialised
- vmlinux.lds: account for destructor sections
- mm: thp: refix false positive BUG in page_move_anon_rmap()
- mm: memcontrol: fix cgroup creation failure after many small jobs
- radix-tree: fix radix_tree_iter_retry() for tagged iterators.
- pps: do not crash when failed to register
- kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w
- sched/debug: Fix deadlock when enabling sched events
- arc: unwind: warn only once if DW2_UNWIND is disabled
- ARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame)
- xen/pciback: Fix conf_space read/write overlap check.
- xen-blkfront: save uncompleted reqs in blkfront_resume()
- xenbus: don't BUG() on user mode induced condition
- xenbus: don't bail early from xenbus_dev_request_and_reply()
- xen-blkfront: fix resume issues after a migration
- xen-blkfront: don't call talk_to_blkback when already connected to blkback
- ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
- ALSA: timer: Fix leak in events via snd_timer_user_ccallback
- ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
- Input: vmmouse - remove port reservation
- Input: elantech - add more IC body types to the list
- Input: xpad - fix oops when attaching an unknown Xbox One gamepad
- Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
- Input: wacom_w8001 - ignore invalid pen data packets
- Input: xpad - validate USB endpoint count during probe
- Revert "Input: wacom_w8001 - drop use of ABS_MT_TOOL_TYPE"
- Input: synaptics-rmi4 - fix maximum size check for F12 control register 8
- Input: tsc200x - report proper input_dev name
- pvclock: Add CPU barriers to get correct version value
- pinctrl: single: Fix missing flush of posted write for a wakeirq
- pinctrl: imx: Do not treat a PIN without MUX register as an error
- cgroup: remove redundant cleanup in css_create
- cgroup: set css->id to -1 during init
- cgroup: Disable IRQs while holding css_set_lock
- power_supply: power_supply_read_temp only if use_cnt > 0
- locks: use file_inode()
- Revert "ecryptfs: forbid opening files without mmap handler"
- ecryptfs: don't allow mmap when the lower fs doesn't support it
- ext4: verify extent header depth
- 9p: use file_dentry()
- cpufreq: Avoid false-positive WARN_ON()s in cpufreq_update_policy()
- devpts: fix null pointer dereference on failed memory allocation
- namespace: update event counter when umounting a deleted dentry
- spi: rockchip: Signal unfinished DMA transfers
- spi: sunxi: fix transfer timeout
- spi: sun4i: fix FIFO limit
- clk: rockchip: initialize flags of clk_init_data in mmc-phase clock
- clk: at91: fix clk_programmable_set_parent()
- lockd: unregister notifier blocks if the service fails to come up completely
- platform/chrome: cros_ec_dev - double fetch bug in ioctl
- qeth: delete napi struct when removing a qeth device
- init/Kconfig: keep Expert users menu together
- block: fix use-after-free in sys_ioprio_get()
- mmc: block: fix free of uninitialized 'idata->buf'
- mmc: block: fix packed command header endianness
- sched/fair: Fix effective_load() to consistently use smoothed load
- can: at91_can: RX queue could get stuck at high bus load
- can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access
- can: fix handling of unmodifiable configuration options fix
- can: fix oops caused by wrong rtnl dellink usage
- RDS: fix rds_tcp_init() error path
- irqchip/mips-gic: Map to VPs using HW VPNum
- irqchip/mips-gic: Match IPI IRQ domain by bus token only
- qla2xxx: Fix NULL pointer deref in QLA interrupt
- SCSI: fix new bug in scsi_dev_info_list string matching
- ipr: Clear interrupt on croc/crocodile when running with LSI
- media: fix airspy usb probe error path
- posix_cpu_timer: Exit early when process has been reaped
- cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble
- adv7604: Don't ignore pad number in subdev DV timings pad operations
- i2c: qup: Fix wrong value of index variable
- i2c: mux: reg: wrong condition checked for of_address_to_resource return value
- libata: LITE-ON CX1-JB256-HP needs lower max_sectors (Closes: #830971)
- libceph: apply new_state before new_up_client on incrementals
- net: mvneta: set real interrupt per packet for tx_done
- cfg80211: handle failed skb allocation
- intel_th: pci: Add Kaby Lake PCH-H support
- intel_th: Fix a deadlock in modprobing
- vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516)
- vfs: fix deadlock in file_remove_privs() on overlayfs
- MIPS: CM: Fix mips_cm_max_vp_width for UP kernels
[ Uwe Kleine-König ]
* Fix perf to be able to find debug info based on build-id. (Closes:
#833096)
[ Salvatore Bonaccorso ]
* vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516)
* libata: LITE-ON CX1-JB256-HP needs lower max_sectors (Closes: #830971)
[ Ben Hutchings ]
* linux-kbuild: Include headers_install.sh and unifdef (Closes: #832359)
* Bump ABI to 2
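Review bot: the dedupe ioctl (CVE-2016-6516) and LITE-ON CX1-JB256-HP max_sectors entries appear twice in this hunk, once in the ChangeLog-4.6.6 list and once under [ Salvatore Bonaccorso ]. With the +/- markers not visible here, confirm the second pair is the removed side, so that the CVE fix and Closes: #830971 are each recorded once, against the upstream update that now carries them.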


@@ -1,28 +0,0 @@
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:44:20 -0400
Subject: [1/2] ALSA: timer: Fix leak in events via snd_timer_user_ccallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1247,6 +1247,7 @@ static void snd_timer_user_ccallback(str
tu->tstamp = *tstamp;
if ((tu->filter & (1 << event)) == 0 || !tu->tread)
return;
+ memset(&r1, 0, sizeof(r1));
r1.event = event;
r1.tstamp = *tstamp;
r1.val = resolution;
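Review bot: the added memset(&r1, 0, sizeof(r1)) has no comment, and because event, tstamp and val are all assigned immediately after it, it reads as a redundant store that a later cleanup could drop. A one-line comment stating that it clears the structure padding before r1 is copied to user space would protect the fix. memset() is the right tool here; assigning the fields individually does not touch the padding bytes the commit message describes.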


@@ -1,28 +0,0 @@
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:44:32 -0400
Subject: [2/2] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1290,6 +1290,7 @@ static void snd_timer_user_tinterrupt(st
}
if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
tu->last_resolution != resolution) {
+ memset(&r1, 0, sizeof(r1));
r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
r1.tstamp = tstamp;
r1.val = resolution;
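Review bot: the memset() is placed inside the SNDRV_TIMER_EVENT_RESOLUTION branch, so r1 is only zeroed when that condition holds. If r1 is filled and queued again later in snd_timer_user_tinterrupt(), outside the lines shown in this hunk, that use would still start from uninitialised padding. Zeroing r1 once before the branch would cover every path through the function.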


@@ -1,28 +0,0 @@
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:44:07 -0400
Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/cec8f96e49d9be372fdb0c3836dcf31ec71e457e
The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1755,6 +1755,7 @@ static int snd_timer_user_params(struct
if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
if (tu->tread) {
struct snd_timer_tread tread;
+ memset(&tread, 0, sizeof(tread));
tread.event = SNDRV_TIMER_EVENT_EARLY;
tread.tstamp.tv_sec = 0;
tread.tstamp.tv_nsec = 0;


@@ -1,35 +0,0 @@
From: Tejun Heo <tj@kernel.org>
Date: Mon, 18 Jul 2016 18:40:00 -0400
Subject: libata: LITE-ON CX1-JB256-HP needs lower max_sectors
Origin: https://git.kernel.org/linus/1488a1e3828d60d74c9b802a05e24c0487babe4e
Since 34b48db66e08 ("block: remove artifical max_hw_sectors cap"),
max_sectors is no longer limited to BLK_DEF_MAX_SECTORS and LITE-ON
CX1-JB256-HP keeps timing out with higher max_sectors. Revert it to
the previous value.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: dgerasimov@gmail.com
Link: https://bugzilla.kernel.org/show_bug.cgi?id=121671
Cc: stable@vger.kernel.org # v3.19+
Fixes: 34b48db66e08 ("block: remove artifical max_hw_sectors cap")
Signed-off-by: Tejun Heo <tj@kernel.org>
---
drivers/ata/libata-core.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4141,6 +4141,12 @@ static const struct ata_blacklist_entry
*/
{ "ST380013AS", "3.20", ATA_HORKAGE_MAX_SEC_1024 },
+ /*
+ * Device times out with higher max sects.
+ * https://bugzilla.kernel.org/show_bug.cgi?id=121671
+ */
+ { "LITEON CX1-JB256-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 },
+
/* Devices we expect to fail diagnostics */
/* Devices where NCQ should be avoided */
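Review bot: the new blacklist entry passes NULL for the firmware revision, so it caps max_sectors on every revision of the drive, unlike the ST380013AS line above it, which pins "3.20". The model string is also spelled "LITEON" while the subject and changelog say "LITE-ON". It is worth confirming the string against the device's reported model in the bugzilla entry and saying in the comment that no fixed firmware revision is known. The commit message also carries Tejun Heo's Signed-off-by twice.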


@@ -1,30 +0,0 @@
From: Scott Bauer <sbauer@plzdonthack.me>
Date: Wed, 27 Jul 2016 19:11:29 -0600
Subject: vfs: ioctl: prevent double-fetch in dedupe ioctl
Origin: https://git.kernel.org/linus/10eec60ce79187686e052092e5383c99b4420a20
This prevents a double-fetch from user space that can lead to to an
undersized allocation and heap overflow.
Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
fs/ioctl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ioctl.c b/fs/ioctl.c
index 116a333..0f56deb 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -590,6 +590,7 @@ static long ioctl_file_dedupe_range(struct file *file, void __user *arg)
goto out;
}
+ same->dest_count = count;
ret = vfs_dedupe_file_range(file, same);
if (ret)
goto out;
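Review bot: same->dest_count = count; is added without a comment, and in isolation it looks like a no-op store into a structure that was just filled from user space. A short comment that it pins dest_count to the value already used to size the allocation, so that a changed value from the second fetch cannot be used by vfs_dedupe_file_range(), would keep the line from being removed later. The overwrite is silent; if a mismatch between the two fetches should instead be reported as an error, that needs an explicit comparison before this line.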
--
2.1.4


@@ -66,7 +66,6 @@ bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
bugfix/all/libata-LITE-ON-CX1-JB256-HP-needs-lower-max_sectors.patch
# Miscellaneous features
@@ -103,12 +102,8 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
bugfix/all/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
# ABI maintenance
debian/mips-siginfo-fix-abi-change-in-4.6.2.patch