diff --git a/debian/changelog b/debian/changelog index 454e7835806a..aff7d2794f68 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.6.5-1) UNRELEASED; urgency=medium +linux (4.6.6-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.5 
@@ -204,15 +204,109 @@ linux (4.6.5-1) UNRELEASED; urgency=medium
 - [x86] drm/i915: Revert DisplayPort fast link training feature
 - ovl: Do d_type check only if work dir creation was successful
 - ovl: warn instead of error if d_type is not supported
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.6
+ - USB: OHCI: Don't mark EDs as ED_OPER if scheduling fails
+ - x86/quirks: Apply nvidia_bugs quirk only on root bus
+ - x86/quirks: Reintroduce scanning of secondary buses
+ - x86/quirks: Add early quirk to reset Apple AirPort card
+ - dmaengine: at_xdmac: align descriptors on 64 bits
+ - dmaengine: at_xdmac: fix residue corruption
+ - dmaengine: at_xdmac: double FIFO flush needed to compute residue
+ - mm, sl[au]b: add __GFP_ATOMIC to the GFP reclaim mask
+ - memcg: mem_cgroup_migrate() may be called with irq disabled
+ - memcg: css_alloc should return an ERR_PTR value on error
+ - mm/swap.c: flush lru pvecs on compound page arrival
+ - mm, compaction: abort free scanner if split fails
+ - fs/nilfs2: fix potential underflow in call to crc32_le
+ - mm, compaction: prevent VM_BUG_ON when terminating freeing scanner
+ - uapi: export lirc.h header
+ - mm, meminit: always return a valid node from early_pfn_to_nid
+ - mm, meminit: ensure node is online before checking whether pages are uninitialised
+ - vmlinux.lds: account for destructor sections
+ - mm: thp: refix false positive BUG in page_move_anon_rmap()
+ - mm: memcontrol: fix cgroup creation failure after many small jobs
+ - radix-tree: fix radix_tree_iter_retry() for tagged iterators.
+ - pps: do not crash when failed to register
+ - kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w
+ - sched/debug: Fix deadlock when enabling sched events
+ - arc: unwind: warn only once if DW2_UNWIND is disabled
+ - ARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame)
+ - xen/pciback: Fix conf_space read/write overlap check.
+ - xen-blkfront: save uncompleted reqs in blkfront_resume()
+ - xenbus: don't BUG() on user mode induced condition
+ - xenbus: don't bail early from xenbus_dev_request_and_reply()
+ - xen-blkfront: fix resume issues after a migration
+ - xen-blkfront: don't call talk_to_blkback when already connected to blkback
+ - ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+ - ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+ - ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+ - Input: vmmouse - remove port reservation
+ - Input: elantech - add more IC body types to the list
+ - Input: xpad - fix oops when attaching an unknown Xbox One gamepad
+ - Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
+ - Input: wacom_w8001 - ignore invalid pen data packets
+ - Input: xpad - validate USB endpoint count during probe
+ - Revert "Input: wacom_w8001 - drop use of ABS_MT_TOOL_TYPE"
+ - Input: synaptics-rmi4 - fix maximum size check for F12 control register 8
+ - Input: tsc200x - report proper input_dev name
+ - pvclock: Add CPU barriers to get correct version value
+ - pinctrl: single: Fix missing flush of posted write for a wakeirq
+ - pinctrl: imx: Do not treat a PIN without MUX register as an error
+ - cgroup: remove redundant cleanup in css_create
+ - cgroup: set css->id to -1 during init
+ - cgroup: Disable IRQs while holding css_set_lock
+ - power_supply: power_supply_read_temp only if use_cnt > 0
+ - locks: use file_inode()
+ - Revert "ecryptfs: forbid opening files without mmap handler"
+ - ecryptfs: don't allow mmap when the lower fs doesn't support it
+ - ext4: verify extent header depth
+ - 9p: use file_dentry()
+ - cpufreq: Avoid false-positive WARN_ON()s in cpufreq_update_policy()
+ - devpts: fix null pointer dereference on failed memory allocation
+ - namespace: update event counter when umounting a deleted dentry
+ - spi: rockchip: Signal unfinished DMA transfers
+ - spi: sunxi: fix transfer timeout
+ - spi: sun4i: fix FIFO limit
+ - clk: 
rockchip: initialize flags of clk_init_data in mmc-phase clock
+ - clk: at91: fix clk_programmable_set_parent()
+ - lockd: unregister notifier blocks if the service fails to come up completely
+ - platform/chrome: cros_ec_dev - double fetch bug in ioctl
+ - qeth: delete napi struct when removing a qeth device
+ - init/Kconfig: keep Expert users menu together
+ - block: fix use-after-free in sys_ioprio_get()
+ - mmc: block: fix free of uninitialized 'idata->buf'
+ - mmc: block: fix packed command header endianness
+ - sched/fair: Fix effective_load() to consistently use smoothed load
+ - can: at91_can: RX queue could get stuck at high bus load
+ - can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access
+ - can: fix handling of unmodifiable configuration options fix
+ - can: fix oops caused by wrong rtnl dellink usage
+ - RDS: fix rds_tcp_init() error path
+ - irqchip/mips-gic: Map to VPs using HW VPNum
+ - irqchip/mips-gic: Match IPI IRQ domain by bus token only
+ - qla2xxx: Fix NULL pointer deref in QLA interrupt
+ - SCSI: fix new bug in scsi_dev_info_list string matching
+ - ipr: Clear interrupt on croc/crocodile when running with LSI
+ - media: fix airspy usb probe error path
+ - posix_cpu_timer: Exit early when process has been reaped
+ - cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble
+ - adv7604: Don't ignore pad number in subdev DV timings pad operations
+ - i2c: qup: Fix wrong value of index variable
+ - i2c: mux: reg: wrong condition checked for of_address_to_resource return value
+ - libata: LITE-ON CX1-JB256-HP needs lower max_sectors (Closes: #830971)
+ - libceph: apply new_state before new_up_client on incrementals
+ - net: mvneta: set real interrupt per packet for tx_done
+ - cfg80211: handle failed skb allocation
+ - intel_th: pci: Add Kaby Lake PCH-H support
+ - intel_th: Fix a deadlock in modprobing
+ - vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516)
+ - vfs: fix 
deadlock in file_remove_privs() on overlayfs + - MIPS: CM: Fix mips_cm_max_vp_width for UP kernels [ Uwe Kleine-König ] * Fix perf to be able to find debug info based on build-id. (Closes: #833096) - [ Salvatore Bonaccorso ] - * vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516) - * libata: LITE-ON CX1-JB256-HP needs lower max_sectors (Closes: #830971) - [ Ben Hutchings ] * linux-kbuild: Include headers_install.sh and unifdef (Closes: #832359) * Bump ABI to 2 diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch deleted file mode 100644 index 7881d70d884e..000000000000 --- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Kangjie Lu -Date: Tue, 3 May 2016 16:44:20 -0400 -Subject: [1/2] ALSA: timer: Fix leak in events via snd_timer_user_ccallback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 - -The stack object “r1” has a total size of 32 bytes. Its field -“event” and “val” both contain 4 bytes padding. These 8 bytes -padding bytes are sent to user without being initialized. - -Signed-off-by: Kangjie Lu -Signed-off-by: Takashi Iwai ---- - sound/core/timer.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1247,6 +1247,7 @@ static void snd_timer_user_ccallback(str - tu->tstamp = *tstamp; - if ((tu->filter & (1 << event)) == 0 || !tu->tread) - return; -+ memset(&r1, 0, sizeof(r1)); - r1.event = event; - r1.tstamp = *tstamp; - r1.val = resolution; 
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
deleted file mode 100644
index cf9da77fc6c3..000000000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:44:32 -0400
-Subject: [2/2] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1290,6 +1290,7 @@ static void snd_timer_user_tinterrupt(st
- }
- if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
- tu->last_resolution != resolution) {
-+ memset(&r1, 0, sizeof(r1));
- r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
- r1.tstamp = tstamp;
- r1.val = resolution;
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
deleted file mode 100644
index c67d2f71c0eb..000000000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Kangjie Lu
-Date: Tue, 3 May 2016 16:44:07 -0400
-Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/cec8f96e49d9be372fdb0c3836dcf31ec71e457e
-
-The stack object “tread” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu
-Signed-off-by: Takashi Iwai
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1755,6 +1755,7 @@ static int snd_timer_user_params(struct
- if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
- if (tu->tread) {
- struct snd_timer_tread tread;
-+ memset(&tread, 0, sizeof(tread));
- tread.event = SNDRV_TIMER_EVENT_EARLY;
- tread.tstamp.tv_sec = 0;
- tread.tstamp.tv_nsec = 0;
diff --git a/debian/patches/bugfix/all/libata-LITE-ON-CX1-JB256-HP-needs-lower-max_sectors.patch b/debian/patches/bugfix/all/libata-LITE-ON-CX1-JB256-HP-needs-lower-max_sectors.patch
deleted file mode 100644
index 6fd9ca1ac447..000000000000
--- a/debian/patches/bugfix/all/libata-LITE-ON-CX1-JB256-HP-needs-lower-max_sectors.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Tejun Heo
-Date: Mon, 18 Jul 2016 18:40:00 -0400
-Subject: libata: LITE-ON CX1-JB256-HP needs lower max_sectors
-Origin: https://git.kernel.org/linus/1488a1e3828d60d74c9b802a05e24c0487babe4e
-
-Since 34b48db66e08 ("block: remove artifical max_hw_sectors cap"),
-max_sectors is no longer limited to BLK_DEF_MAX_SECTORS and LITE-ON
-CX1-JB256-HP keeps timing out with higher max_sectors. Revert it to
-the previous value.
-
-Signed-off-by: Tejun Heo
-Reported-by: dgerasimov@gmail.com
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=121671
-Cc: stable@vger.kernel.org # v3.19+
-Fixes: 34b48db66e08 ("block: remove artifical max_hw_sectors cap")
-Signed-off-by: Tejun Heo
----
- drivers/ata/libata-core.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/ata/libata-core.c
-+++ b/drivers/ata/libata-core.c
-@@ -4141,6 +4141,12 @@ static const struct ata_blacklist_entry
- */
- { "ST380013AS", "3.20", ATA_HORKAGE_MAX_SEC_1024 },
-
-+ /*
-+ * Device times out with higher max sects.
-+ * https://bugzilla.kernel.org/show_bug.cgi?id=121671
-+ */
-+ { "LITEON CX1-JB256-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 },
-+
- /* Devices we expect to fail diagnostics */
-
- /* Devices where NCQ should be avoided */
diff --git a/debian/patches/bugfix/all/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch b/debian/patches/bugfix/all/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
deleted file mode 100644
index 7e90e8c61dbc..000000000000
--- a/debian/patches/bugfix/all/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Scott Bauer
-Date: Wed, 27 Jul 2016 19:11:29 -0600
-Subject: vfs: ioctl: prevent double-fetch in dedupe ioctl
-Origin: https://git.kernel.org/linus/10eec60ce79187686e052092e5383c99b4420a20
-
-This prevents a double-fetch from user space that can lead to to an
-undersized allocation and heap overflow.
-
-Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
-Signed-off-by: Scott Bauer
-Signed-off-by: Linus Torvalds
----
- fs/ioctl.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/ioctl.c b/fs/ioctl.c
-index 116a333..0f56deb 100644
---- a/fs/ioctl.c
-+++ b/fs/ioctl.c
-@@ -590,6 +590,7 @@ static long ioctl_file_dedupe_range(struct file *file, void __user *arg)
- goto out;
- }
-
-+ same->dest_count = count;
- ret = vfs_dedupe_file_range(file, same);
- if (ret)
- goto out;
---
-2.1.4
-
diff --git a/debian/patches/series b/debian/patches/series
index 2cf5f05e8b66..c3332e1bbec3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -66,7 +66,6 @@ bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch
 bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
 bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
 bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
-bugfix/all/libata-LITE-ON-CX1-JB256-HP-needs-lower-max_sectors.patch
 # Miscellaneous features
@@ -103,12 +102,8 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
 bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
 bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
-bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
-bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
-bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
 bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
 bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
-bugfix/all/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
 # ABI maintenance
 debian/mips-siginfo-fix-abi-change-in-4.6.2.patch