Update to 4.6.7

debian/changelog

@@ -1,4 +1,4 @@
-linux (4.6.6-1) UNRELEASED; urgency=medium
+linux (4.6.7-1) UNRELEASED; urgency=medium
 
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.5
@@ -295,6 +295,62 @@ linux (4.6.6-1) UNRELEASED; urgency=medium
     - vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516)
     - vfs: fix deadlock in file_remove_privs() on overlayfs
     - [mips*] CM: Fix mips_cm_max_vp_width for UP kernels
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.7
+    - [x86] libnvdimm, dax: record the specified alignment of a dax-device instance
+    - [x86] libnvdimm, pfn, dax: fix initialization vs autodetect for mode + alignment
+    - ppp: defer netns reference release for ppp channel
+    - tcp: make challenge acks less predictable (CVE-2016-5696)
+    - tcp: enable per-socket rate limiting of all 'challenge acks'
+    - bonding: set carrier off for devices created through netlink
+    - net: bgmac: Fix infinite loop in bgmac_dma_tx_add()
+    - vlan: use a valid default mtu value for vlan over macsec
+    - bridge: Fix incorrect re-injection of LLDP packets
+    - net: ipv6: Always leave anycast and multicast groups on link down
+    - net/irda: fix NULL pointer dereference on memory allocation failure
+    - qed: Fix setting/clearing bit in completion bitmap
+    - macsec: ensure rx_sa is set when validation is disabled
+    - tcp: consider recv buf for the initial window scale
+    - i2c: i801: Allow ACPI SystemIO OpRegion to conflict with PCI BAR
+    - [mips] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
+    - IB/hfi1: Correct issues with sc5 computation
+    - IB/hfi1: Fix deadlock with txreq allocation slow path
+    - apparmor: fix ref count leak when profile sha1 hash is read
+    - regulator: qcom_smd: Remove list_voltage callback for rpm_smps_ldo_ops_fixed
+    - random: strengthen input validation for RNDADDTOENTCNT
+    - [x86] mm/pat: Add support of non-default PAT MSR setting
+    - [x86] mm/pat: Add pat_disable() interface
+    - [x86] mm/pat: Replace cpu_has_pat with boot_cpu_has()
+    - [x86] mtrr: Fix Xorg crashes in Qemu sessions
+    - [x86] mtrr: Fix PAT init handling when MTRR is disabled
+    - [x86] xen, pat: Remove PAT table init code from Xen
+    - [x86] pat: Document the PAT initialization sequence
+    - [x86] mm/pat: Fix BUG_ON() in mmap_mem() on QEMU/i386
+    - udf: Prevent stack overflow on corrupted filesystem mount
+    - [powerpc] eeh: Fix invalid cached PE primary bus
+    - [powerpc] bpf/jit: Disable classic BPF JIT on ppc64le
+    - mm: memcontrol: fix swap counter leak on swapout from offline cgroup
+    - mm: memcontrol: fix memcg id ref counter on swap charge move
+    - [x86] syscalls/64: Add compat_sys_keyctl for 32-bit userspace
+    - block: fix use-after-free in seq file
+    - sysv, ipc: fix security-layer leaking
+    - radix-tree: account nodes to memcg only if explicitly requested
+    - [x86] microcode: Fix suspend to RAM with builtin microcode
+    - [x86] power/64: Fix hibernation return address corruption
+    - fuse: fsync() did not return IO errors
+    - fuse: fuse_flush must check mapping->flags for errors
+    - fuse: fix wrong assignment of ->flags in fuse_send_init()
+    - Revert "mm, mempool: only set __GFP_NOMEMALLOC if there are free elements"
+    - fs/dcache.c: avoid soft-lockup in dput()
+    - Revert "cpufreq: pcc-cpufreq: update default value of cpuinfo_transition_latency"
+    - crypto: gcm - Filter out async ghash if necessary
+    - crypto: scatterwalk - Fix test in scatterwalk_done
+    - serial: mvebu-uart: free the IRQ in ->shutdown()
+    - ext4: check for extents that wrap around
+    - ext4: fix deadlock during page writeback
+    - ext4: don't call ext4_should_journal_data() on the journal inode
+    - ext4: validate s_reserved_gdt_blocks on mount
+    - ext4: short-cut orphan cleanup on error
+    - ext4: fix reference counting bug on block allocation error
 
   [ Uwe Kleine-König ]
   * Fix perf to be able to find debug info based on build-id. (Closes:
@@ -308,9 +364,6 @@ linux (4.6.6-1) UNRELEASED; urgency=medium
   * [powerpc*] KVM: Book3S HV: Save/restore TM state in H_CEDE (CVE-2016-5412)
   * audit: fix a double fetch in audit_log_single_execve_arg() (CVE-2016-6136)
 
-  [ Salvatore Bonaccorso ]
-  * tcp: make challenge acks less predictable (CVE-2016-5696)
-
  -- Ben Hutchings <ben@decadent.org.uk>  Sat, 30 Jul 2016 14:23:58 +0100
 
 linux (4.6.4-1) unstable; urgency=medium

debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch

@@ -1,77 +0,0 @@
-From: Eric Dumazet <edumazet@google.com>
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: tcp: make challenge acks less predictable
-Origin: https://git.kernel.org/linus/75ff39ccc1bd5d3c455b6822ab09e533c551f758
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao <ycao009@ucr.edu>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Neal Cardwell <ncardwell@google.com>
-Acked-by: Neal Cardwell <ncardwell@google.com>
-Acked-by: Yuchung Cheng <ycheng@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-[carnil: Backported to 4.6: adjust context]
----
- net/ipv4/tcp_input.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_most
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
- 
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
- 
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3460,7 +3460,7 @@ static void tcp_send_challenge_ack(struc
- 	static u32 challenge_timestamp;
- 	static unsigned int challenge_count;
- 	struct tcp_sock *tp = tcp_sk(sk);
--	u32 now;
-+	u32 count, now;
- 
- 	/* First check our per-socket dupack rate limit. */
- 	if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3468,13 +3468,18 @@ static void tcp_send_challenge_ack(struc
- 				 &tp->last_oow_ack_time))
- 		return;
- 
--	/* Then check the check host-wide RFC 5961 rate limit. */
-+	/* Then check host-wide RFC 5961 rate limit. */
- 	now = jiffies / HZ;
- 	if (now != challenge_timestamp) {
-+		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- 		challenge_timestamp = now;
--		challenge_count = 0;
-+		WRITE_ONCE(challenge_count, half +
-+			   prandom_u32_max(sysctl_tcp_challenge_ack_limit));
- 	}
--	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-+	count = READ_ONCE(challenge_count);
-+	if (count > 0) {
-+		WRITE_ONCE(challenge_count, count - 1);
- 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- 		tcp_send_ack(sk);
- 	}

debian/patches/series

@@ -104,7 +104,6 @@ bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
 bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
 bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
 bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
-bugfix/all/tcp-make-challenge-acks-less-predictable.patch
 bugfix/powerpc/kvm-ppc-book3s-hv-pull-out-tm-state-save-restore-int.patch
 bugfix/powerpc/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch
 bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch