diff options
| -rw-r--r-- | debian/changelog | 114 | ||||
| -rw-r--r-- | debian/patches/bugfix/all/net-usb-cdc_ncm-don-t-spew-notifications.patch | 108 | ||||
| -rw-r--r-- | debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch | 58 | ||||
| -rw-r--r-- | debian/patches/series | 2 |
4 files changed, 111 insertions, 171 deletions
diff --git a/debian/changelog b/debian/changelog index 4dafa5a0383c..12fa905d46f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (5.10.42-1) UNRELEASED; urgency=medium +linux (5.10.43-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.41 @@ -215,6 +215,116 @@ linux (5.10.42-1) UNRELEASED; urgency=medium - net: hso: bail out on interrupt URB allocation failure - neighbour: Prevent Race condition in neighbour subsytem - usb: core: reduce power-on-good delay time of root hub + https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.43 + - btrfs: tree-checker: do not error out if extent ref hash doesn't match + - net: usb: cdc_ncm: don't spew notifications (Closes: #989451) + - [x86] hwmon: (dell-smm-hwmon) Fix index values + - netfilter: conntrack: unregister ipv4 sockopts on error unwind + - efi/fdt: fix panic when no valid fdt found + - efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared + - efi/libstub: prevent read overflow in find_file_option() + - [arm64,x86] efi: cper: fix snprintf() use in cper_dimm_err_location() + - vfio/pci: Fix error return code in vfio_ecap_init() + - ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service + - HID: logitech-hidpp: initialize level variable + - HID: pidff: fix error return code in hid_pidff_init() + - [arm64,x86] HID: i2c-hid: fix format string mismatch + - devlink: Correct VIRTUAL port to not have phys_port attributes + - net/sched: act_ct: Offload connections with commit action + - net/sched: act_ct: Fix ct template allocation for zone 0 + - nvme-rdma: fix in-casule data send for chained sgls + - ACPICA: Clean up context mutex during object deletion + - perf probe: Fix NULL pointer dereference in convert_variable_location() + - net: sock: fix in-kernel mark setting + - net/mlx5e: Fix incompatible casting + - net/mlx5: Check firmware sync reset requested is set before trying to abort it + - net/mlx5e: Check for needed capability for cvlan matching + - net/mlx5: DR, Create multi-destination flow table with level less than 64 + - nvmet: fix freeing unallocated p2pmem + - netfilter: nft_ct: skip expectations for confirmed conntrack + - netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches + - bpf: Simplify cases in bpf_base_func_proto + - bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks + - ieee802154: fix error return code in ieee802154_add_iface() + - ieee802154: fix error return code in ieee802154_llsec_getparams() + - igb: add correct exception tracing for XDP + - ixgbevf: add correct exception tracing for XDP + - cxgb4: fix regression with HASH tc prio value update + - ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions + - ice: Fix allowing VF to request more/less queues via virtchnl + - ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared + - ice: handle the VF VSI rebuild failure + - ice: report supported and advertised autoneg using PHY capabilities + - ice: Allow all LLDP packets from PF to Tx + - cxgb4: avoid link re-train during TC-MQPRIO configuration + - i40e: optimize for XDP_REDIRECT in xsk path + - i40e: add correct exception tracing for XDP + - ice: simplify ice_run_xdp + - ice: optimize for XDP_REDIRECT in xsk path + - ice: add correct exception tracing for XDP + - ixgbe: optimize for XDP_REDIRECT in xsk path + - ixgbe: add correct exception tracing for XDP + - [arm64] optee: use export_uuid() to copy client UUID + - [armhf] bus: ti-sysc: Fix am335x resume hang for usb otg module + - [arm64] dts: freescale: sl28: var4: fix RGMII clock and voltage + - [armhf] bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act + - tipc: add extack messages for bearer/media failure + - tipc: fix unique bearer names sanity check + - [armhf] serial: stm32: fix threaded interrupt handling + - io_uring: fix link timeout refs + - io_uring: use better types for cflags + - drm/amdgpu/vcn3: add cancel_delayed_work_sync before power gate + - drm/amdgpu/jpeg2.5: add cancel_delayed_work_sync before power gate + - drm/amdgpu/jpeg3: add cancel_delayed_work_sync before power gate + - Bluetooth: fix the erroneous flush_work() order (CVE-2021-3564) + - Bluetooth: use correct lock to prevent UAF of hdev object (CVE-2021-3573) + - wireguard: do not use -O3 + - wireguard: peer: allocate in kmem_cache + - wireguard: use synchronize_net rather than synchronize_rcu + - wireguard: allowedips: initialize list head in selftest + - wireguard: allowedips: remove nodes in O(1) + - wireguard: allowedips: allocate nodes in kmem_cache + - wireguard: allowedips: free empty intermediate nodes when removing single node + - [arm64,x86] HID: i2c-hid: Skip ELAN power-on command after reset + - HID: magicmouse: fix NULL-deref on disconnect + - HID: multitouch: require Finger field to mark Win8 reports as MT + - gfs2: fix scheduling while atomic bug in glocks + - ALSA: timer: Fix master timer notification + - ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx + - ALSA: hda: update the power_state during the direct-complete + - ext4: fix memory leak in ext4_fill_super + - ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed + - ext4: fix fast commit alignment issues + - ext4: fix memory leak in ext4_mb_init_backend on error path. + - ext4: fix accessing uninit percpu counter variable with fast_commit + - [arm*] usb: dwc2: Fix build in periphal-only mode + - pid: take a reference when initializing `cad_pid` + - ocfs2: fix data corruption by fallocate + - mm/page_alloc: fix counting of free pages after take off from buddy + - [x86] cpufeatures: Force disable X86_FEATURE_ENQCMD and remove update_pasid() + - nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (CVE-2021-3587) + - drm/amdgpu: Don't query CE and UE errors + - drm/amdgpu: make sure we unpin the UVD BO + - [x86] apic: Mark _all_ legacy interrupts when IO/APIC is missing + - [powerpc] kprobes: Fix validation of prefixed instructions across page boundary + - btrfs: mark ordered extent and inode with error if we fail to finish + - btrfs: fix error handling in btrfs_del_csums + - btrfs: return errors from btrfs_del_csums in cleanup_ref_head + - btrfs: fixup error handling in fixup_inode_link_counts + - btrfs: abort in rename_exchange if we fail to insert the second ref + - btrfs: fix deadlock when cloning inline extents and low on available space + - mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY + - [arm64] drm/msm/dpu: always use mdp device to scale bandwidth + - btrfs: fix unmountable seed device after fstrim + - [x86] KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode + - [arm64] KVM: Fix debug register indexing + - [x86] kvm: Teardown PV features on boot CPU as well + - [x86] kvm: Disable kvmclock on all CPUs on shutdown + - [x86] kvm: Disable all PV features on crash + - lib/lz4: explicitly support in-place decompression + - netfilter: nf_tables: missing error reporting for not selected expressions + - xen-netback: take a reference to the RX task thread (CVE-2021-28691) + - neighbour: allow NUD_NOARP entries to be forced GCed [ Josua Mayer ] * [armhf] drivers/bluetooth: Enable BT_HCIUART as a module, with support @@ -227,8 +337,6 @@ linux (5.10.42-1) UNRELEASED; urgency=medium * [rt] Refresh "net/Qdisc: use a seqlock instead seqcount" * Ignore some ABI changes that should not affect OOT modules * Bump ABI to 8 - * net: usb: cdc_ncm: don't spew notifications (Closes: #989451) - * xen-netback: take a reference to the RX task thread (CVE-2021-28691) [ Vagrant Cascadian ] * [arm64] Add pwm-rockchip to fb-modules udeb. diff --git a/debian/patches/bugfix/all/net-usb-cdc_ncm-don-t-spew-notifications.patch b/debian/patches/bugfix/all/net-usb-cdc_ncm-don-t-spew-notifications.patch deleted file mode 100644 index fa9639076a10..000000000000 --- a/debian/patches/bugfix/all/net-usb-cdc_ncm-don-t-spew-notifications.patch +++ /dev/null @@ -1,108 +0,0 @@ -From: Grant Grundler <grundler@chromium.org> -Date: Tue, 19 Jan 2021 17:12:08 -0800 -Subject: net: usb: cdc_ncm: don't spew notifications -Origin: https://git.kernel.org/linus/de658a195ee23ca6aaffe197d1d2ea040beea0a2 -Bug-Debian: https://bugs.debian.org/989451 - -RTL8156 sends notifications about every 32ms. -Only display/log notifications when something changes. - -This issue has been reported by others: - https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1832472 - https://lkml.org/lkml/2020/8/27/1083 - -... -[785962.779840] usb 1-1: new high-speed USB device number 5 using xhci_hcd -[785962.929944] usb 1-1: New USB device found, idVendor=0bda, idProduct=8156, bcdDevice=30.00 -[785962.929949] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=6 -[785962.929952] usb 1-1: Product: USB 10/100/1G/2.5G LAN -[785962.929954] usb 1-1: Manufacturer: Realtek -[785962.929956] usb 1-1: SerialNumber: 000000001 -[785962.991755] usbcore: registered new interface driver cdc_ether -[785963.017068] cdc_ncm 1-1:2.0: MAC-Address: 00:24:27:88:08:15 -[785963.017072] cdc_ncm 1-1:2.0: setting rx_max = 16384 -[785963.017169] cdc_ncm 1-1:2.0: setting tx_max = 16384 -[785963.017682] cdc_ncm 1-1:2.0 usb0: register 'cdc_ncm' at usb-0000:00:14.0-1, CDC NCM, 00:24:27:88:08:15 -[785963.019211] usbcore: registered new interface driver cdc_ncm -[785963.023856] usbcore: registered new interface driver cdc_wdm -[785963.025461] usbcore: registered new interface driver cdc_mbim -[785963.038824] cdc_ncm 1-1:2.0 enx002427880815: renamed from usb0 -[785963.089586] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected -[785963.121673] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected -[785963.153682] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected -... - -This is about 2KB per second and will overwrite all contents of a 1MB -dmesg buffer in under 10 minutes rendering them useless for debugging -many kernel problems. - -This is also an extra 180 MB/day in /var/logs (or 1GB per week) rendering -the majority of those logs useless too. - -When the link is up (expected state), spew amount is >2x higher: -... -[786139.600992] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected -[786139.632997] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink -[786139.665097] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected -[786139.697100] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink -[786139.729094] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected -[786139.761108] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink -... - -Chrome OS cannot support RTL8156 until this is fixed. - -Signed-off-by: Grant Grundler <grundler@chromium.org> -Reviewed-by: Hayes Wang <hayeswang@realtek.com> -Link: https://lore.kernel.org/r/20210120011208.3768105-1-grundler@chromium.org -Signed-off-by: Jakub Kicinski <kuba@kernel.org> ---- - drivers/net/usb/cdc_ncm.c | 12 +++++++++++- - include/linux/usb/usbnet.h | 2 ++ - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c -index 5a78848db93f..291e76d32abe 100644 ---- a/drivers/net/usb/cdc_ncm.c -+++ b/drivers/net/usb/cdc_ncm.c -@@ -1827,6 +1827,15 @@ cdc_ncm_speed_change(struct usbnet *dev, - uint32_t rx_speed = le32_to_cpu(data->DLBitRRate); - uint32_t tx_speed = le32_to_cpu(data->ULBitRate); - -+ /* if the speed hasn't changed, don't report it. -+ * RTL8156 shipped before 2021 sends notification about every 32ms. -+ */ -+ if (dev->rx_speed == rx_speed && dev->tx_speed == tx_speed) -+ return; -+ -+ dev->rx_speed = rx_speed; -+ dev->tx_speed = tx_speed; -+ - /* - * Currently the USB-NET API does not support reporting the actual - * device speed. Do print it instead. -@@ -1867,7 +1876,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) - * USB_CDC_NOTIFY_NETWORK_CONNECTION notification shall be - * sent by device after USB_CDC_NOTIFY_SPEED_CHANGE. - */ -- usbnet_link_change(dev, !!event->wValue, 0); -+ if (netif_carrier_ok(dev->net) != !!event->wValue) -+ usbnet_link_change(dev, !!event->wValue, 0); - break; - - case USB_CDC_NOTIFY_SPEED_CHANGE: -diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h -index 88a7673894d5..cfbfd6fe01df 100644 ---- a/include/linux/usb/usbnet.h -+++ b/include/linux/usb/usbnet.h -@@ -81,6 +81,8 @@ struct usbnet { - # define EVENT_LINK_CHANGE 11 - # define EVENT_SET_RX_MODE 12 - # define EVENT_NO_IP_ALIGN 13 -+ u32 rx_speed; /* in bps - NOT Mbps */ -+ u32 tx_speed; /* in bps - NOT Mbps */ - }; - - static inline struct usb_driver *driver_of(struct usb_interface *intf) --- -2.32.0.rc0 - diff --git a/debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch b/debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch deleted file mode 100644 index 927c0b4da2a0..000000000000 --- a/debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch +++ /dev/null @@ -1,58 +0,0 @@ -From: Roger Pau Monne <roger.pau@citrix.com> -Date: Mon, 7 Jun 2021 15:13:15 +0200 -Subject: xen-netback: take a reference to the RX task thread -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/107866a8eb0b664675a260f1ba0655010fac1e08 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-28691 - -Do this in order to prevent the task from being freed if the thread -returns (which can be triggered by the frontend) before the call to -kthread_stop done as part of the backend tear down. Not taking the -reference will lead to a use-after-free in that scenario. Such -reference was taken before but dropped as part of the rework done in -2ac061ce97f4. - -Reintroduce the reference taking and add a comment this time -explaining why it's needed. - -This is XSA-374 / CVE-2021-28691. - -Fixes: 2ac061ce97f4 ('xen/netback: cleanup init and deinit code') -Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> -Cc: stable@vger.kernel.org -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Juergen Gross <jgross@suse.com> -Signed-off-by: Juergen Gross <jgross@suse.com> ---- - drivers/net/xen-netback/interface.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c -index 193b723fe3bd..c58996c1e230 100644 ---- a/drivers/net/xen-netback/interface.c -+++ b/drivers/net/xen-netback/interface.c -@@ -684,6 +684,7 @@ static void xenvif_disconnect_queue(struct xenvif_queue *queue) - { - if (queue->task) { - kthread_stop(queue->task); -+ put_task_struct(queue->task); - queue->task = NULL; - } - -@@ -745,6 +746,11 @@ int xenvif_connect_data(struct xenvif_queue *queue, - if (IS_ERR(task)) - goto kthread_err; - queue->task = task; -+ /* -+ * Take a reference to the task in order to prevent it from being freed -+ * if the thread function returns before kthread_stop is called. -+ */ -+ get_task_struct(task); - - task = kthread_run(xenvif_dealloc_kthread, queue, - "%s-dealloc", queue->name); --- -2.32.0 - diff --git a/debian/patches/series b/debian/patches/series index d32cbd8dc4f2..e87179331f46 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -94,7 +94,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch -bugfix/all/net-usb-cdc_ncm-don-t-spew-notifications.patch # Miscellaneous features @@ -116,7 +115,6 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch -bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch |