Commit fae8df0f authored by Salvatore Bonaccorso

Update to 4.19.13

Drop iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch

Drop usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch

Add bug closer for #917569

Cleanup debian/changelog file
parent f8450c79
linux (4.19.12-2) UNRELEASED; urgency=medium
linux (4.19.13-1) UNRELEASED; urgency=medium
* New upstream stable update:
- Revert "vfs: Allow userns root to call mknod on owned filesystems."
- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
- xhci: Don't prevent USB2 bus suspend in state check intended for USB3
- USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd
- USB: serial: option: add GosunCn ZTE WeLink ME3630
- USB: serial: option: add HP lt4132
- USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
- USB: serial: option: add Fibocom NL668 series
- USB: serial: option: add Telit LN940 series
- ubifs: Handle re-linking of inodes correctly while recovery
- scsi: t10-pi: Return correct ref tag when queue has no integrity profile
- scsi: sd: use mempool for discard special page
- mmc: core: Reset HPI enabled state during re-init and in case of errors
- mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
- mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
- [armhf] mmc: omap_hsmmc: fix DMA API warning
- gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers
- posix-timers: Fix division by zero bug
- [x86] KVM: Fix NULL deref in vcpu_scan_ioapic
- [x86] kvm: Add AMD's EX_CFG to the list of ignored MSRs
- [x86] KVM: Fix UAF in nested posted interrupt processing
- [x86] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened
- futex: Cure exit race
- [x86] mtrr: Don't copy uninitialized gentry fields back to userspace
- [x86] mm: Fix decoy address handling vs 32-bit builds (Closes: #917569)
- [x86] vdso: Pass --eh-frame-hdr to the linker
- panic: avoid deadlocks in re-entrant console drivers
- mm: add mm_pxd_folded checks to pgtable_bytes accounting functions
- mm: make the __PAGETABLE_PxD_FOLDED defines non-empty
- mm: introduce mm_[p4d|pud|pmd]_folded
- xfrm_user: fix freeing of xfrm states on acquire
- rtlwifi: Fix leak of skb when processing C2H_BT_INFO
- iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares
- Revert "mwifiex: restructure rx_reorder_tbl_lock usage"
- iwlwifi: add new cards for 9560, 9462, 9461 and killer series
- mm, memory_hotplug: initialize struct pages for the full memory section
- mm: thp: fix flags for pmd migration when split
- mm, page_alloc: fix has_unmovable_pages for HugePages
- mm: don't miss the last page because of round-off error
- Input: elantech - disable elan-i2c for P52 and P72
- proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
- drm/ioctl: Fix Spectre v1 vulnerabilities
[ Uwe Kleine-König ]
* [armhf] enable some kconfig items for Allwinner SoCs (SUNXI_CCU=y,
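Review bot: The upstream-list entry "USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data" carries no CVE identifier, although the patch dropped in this same commit states that the issue was assigned CVE-2018-19985. Suggest appending "(CVE-2018-19985)" to that line, the way "(Closes: #917569)" is attached to the x86 mm entry, so the fix stays traceable in the changelog once the standalone patch and its own changelog entry are gone.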
......@@ -17,10 +65,6 @@ linux (4.19.12-2) UNRELEASED; urgency=medium
* Fix pycodestyle "line break after binary operator" warnings
* Fix pycodestyle "inalid escape sequence" warnings
[ Salvatore Bonaccorso ]
* USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
[ Romain Perier ]
* [rt] Update to 4.19.10-rt8
From: Dave Chinner <>
Date: Thu, 20 Dec 2018 23:23:24 +1100
Subject: iomap: Revert "fs/iomap.c: get/put the page in
This reverts commit 61c6de667263184125d5ca75e894fcad632b0dd3.
The reverted commit added page reference counting to iomap page
structures that are used to track block size < page size state. This
was supposed to align the code with page migration page accounting
assumptions, but what it has done instead is break XFS filesystems.
Every fstests run I've done on sub-page block size XFS filesystems
has since picking up this commit 2 days ago has failed with bad page
state errors such as:
# ./ "-m rmapbt=1,reflink=1 -i sparse=1 -b size=1k" "generic/038"
SECTION -- xfs
FSTYP -- xfs (debug)
PLATFORM -- Linux/x86_64 test1 4.20.0-rc6-dgc+
MKFS_OPTIONS -- -f -m rmapbt=1,reflink=1 -i sparse=1 -b size=1k /dev/sdc
MOUNT_OPTIONS -- /dev/sdc /mnt/scratch
generic/038 454s ...
run fstests generic/038 at 2018-12-20 18:43:05
XFS (sdc): Unmounting Filesystem
XFS (sdc): Mounting V5 Filesystem
XFS (sdc): Ending clean mount
BUG: Bad page state in process kswapd0 pfn:3a7fa
page:ffffea0000ccbeb0 count:0 mapcount:0 mapping:ffff88800d9b6360 index:0x1
flags: 0xfffffc0000000()
raw: 000fffffc0000000 dead000000000100 dead000000000200 ffff88800d9b6360
raw: 0000000000000001 0000000000000000 00000000ffffffff
page dumped because: non-NULL mapping
CPU: 0 PID: 676 Comm: kswapd0 Not tainted 4.20.0-rc6-dgc+ #915
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
Call Trace:
? shrink_slab.constprop.81+0x278/0x3f0
? node_reclaim+0x240/0x240
? __kthread_bind_mask+0x60/0x60
Disabling lock debugging due to kernel taint
The failures are from anyway that frees pages and empties the
per-cpu page magazines, so it's not a predictable failure or an easy
to debug failure.
generic/038 is a reliable reproducer of this problem - it has a 9 in
10 failure rate on one of my test machines. Failure on other
machines have been at random points in fstests runs but every run
has ended up tripping this problem. Hence generic/038 was used to
bisect the failure because it was the most reliable failure.
It is too close to the 4.20 release (not to mention holidays) to
try to diagnose, fix and test the underlying cause of the problem,
so reverting the commit is the only option we have right now. The
revert has been tested against a current tot 4.20-rc7+ kernel across
multiple machines running sub-page block size XFs filesystems and
none of the bad page state failures have been seen.
Signed-off-by: Dave Chinner <>
Cc: Piotr Jaroszynski <>
Cc: Christoph Hellwig <>
Cc: William Kucharski <>
Cc: Darrick J. Wong <>
Cc: Brian Foster <>
Signed-off-by: Linus Torvalds <>
fs/iomap.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/fs/iomap.c b/fs/iomap.c
index 5bc172f3dfe8..d6bc98ae8d35 100644
--- a/fs/iomap.c
+++ b/fs/iomap.c
@@ -116,12 +116,6 @@ iomap_page_create(struct inode *inode, struct page *page)
atomic_set(&iop->read_count, 0);
atomic_set(&iop->write_count, 0);
bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE);
- /*
- * migrate_page_move_mapping() assumes that pages with private data have
- * their count elevated by 1.
- */
- get_page(page);
set_page_private(page, (unsigned long)iop);
return iop;
@@ -138,7 +132,6 @@ iomap_page_release(struct page *page)
set_page_private(page, 0);
- put_page(page);
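Review bot: Nothing in the visible "New upstream stable update" list for 4.19.13-1 in debian/changelog corresponds to this iomap revert, whereas the hso fix dropped alongside it is listed there. Before deleting the file, confirm that 4.19.13 carries the revert of 61c6de667263184125d5ca75e894fcad632b0dd3 (the removal of get_page()/put_page() in iomap_page_create()/iomap_page_release()) and add the matching changelog line; otherwise sub-page block size XFS filesystems would be exposed again to the bad page state failures the patch description reports.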
From: Hui Peng <>
Date: Wed, 12 Dec 2018 12:42:24 +0100
Subject: USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.
Add a length check for both locations and updated hso_probe to bail on
This issue has been assigned CVE-2018-19985.
Reported-by: Hui Peng <>
Reported-by: Mathias Payer <>
Signed-off-by: Hui Peng <>
Signed-off-by: Mathias Payer <>
Reviewed-by: Sebastian Andrzej Siewior <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: David S. Miller <>
drivers/net/usb/hso.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 184c24baca15..d6916f787fce 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface)
return -EIO;
+ /* check if we have a valid interface */
+ if (if_num > 16) {
+ kfree(config_data);
+ return -EINVAL;
+ }
switch (config_data[if_num]) {
case 0x0:
result = 0;
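Review bot: The bound in "if (if_num > 16)" still admits if_num == 16, so the following "switch (config_data[if_num])" is in range only if config_data holds at least 17 bytes, and the allocation is not visible in this hunk. Suggest deriving the limit from the buffer size, with one shared constant used for both the allocation and this check, instead of a bare 16.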
@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface,
/* Get the interface/port specification from either driver_info or from
* the device itself */
- if (id->driver_info)
+ if (id->driver_info) {
+ /* if_num is controlled by the device, driver_info is a 0 terminated
+ * array. Make sure, the access is in bounds! */
+ for (i = 0; i <= if_num; ++i)
+ if (((u32 *)(id->driver_info))[i] == 0)
+ goto exit;
port_spec = ((u32 *)(id->driver_info))[if_num];
- else
+ } else {
port_spec = hso_get_config_data(interface);
+ if (port_spec < 0)
+ goto exit;
+ }
/* Check if we need to switch to alt interfaces prior to port
* configuration */
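Review bot: The new "if (port_spec < 0)" test in the else branch can only fire if port_spec is a signed type; its declaration is outside the hunk, and the other branch assigns it from a u32 array, so confirm that the -EIO/-EINVAL returned by hso_get_config_data() is not stored into an unsigned variable. Both added "goto exit" paths also depend on the return value set before this point, which is not visible here; check that probe fails with an error code on these paths rather than reporting success.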
......@@ -99,7 +99,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
# Miscellaneous features
......@@ -139,7 +138,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
# Fix exported symbol versions