Mainline Builds | 1 Mar 03:00 2012

Mainline Build v3.0.23

The mainline build for v3.0.23 is now complete and available at the URL
below:

    http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.0.23-oneiric/

See the CHANGES file for the list of changes from the previous version:

    http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.0.23-oneiric/CHANGES

Note that these builds do not contain any Ubuntu specific patches and
are not supported.

Kernel Team

Mainline Builds | 1 Mar 03:30 2012

Mainline Build v3.2.9

The mainline build for v3.2.9 is now complete and available at the URL
below:

    http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.2.9-precise/

See the CHANGES file for the list of changes from the previous version:

    http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.2.9-precise/CHANGES

Note that these builds do not contain any Ubuntu specific patches and
are not supported.

Kernel Team

Tim Gardner | 1 Mar 04:50 2012

ALSA conflicts with 3.2.9 stable

David - the Precise rebase against 3.2.9 stable is causing some compile 
issues with the jack detection patches. In order to keep things building 
correctly I've simply ripped out all of the driver/sound/hda patches 
that appear after v3.2.9 and pushed that to master-next. I created a 
branch for you that exhibits the compile issues in master-next-alsa. If 
you would, please sort these jack detection patches and propose a pull 
request against master-next. Thanks.

git://kernel.ubuntu.com/ubuntu/ubuntu-precise.git master-next-alsa

rtg
--

-- 
Tim Gardner tim.gardner <at> canonical.com

David Henningsson | 1 Mar 06:44 2012

Re: ALSA conflicts with 3.2.9 stable

On 03/01/2012 04:50 AM, Tim Gardner wrote:
> David - the Precise rebase against 3.2.9 stable is causing some compile
> issues with the jack detection patches. In order to keep things building
> correctly I've simply ripped out all of the driver/sound/hda patches
> that appear after v3.2.9 and pushed that to master-next. I created a
> branch for you that exhibits the compile issues in master-next-alsa. If
> you would, please sort these jack detection patches and propose a pull
> request against master-next. Thanks.
>
> git://kernel.ubuntu.com/ubuntu/ubuntu-precise.git master-next-alsa

Hi,

This commit should be reverted:

From 2a8e5e8a2df18812c60720fa0534c29c9f1c17b6 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai <at> suse.de>
Date: Wed, 22 Feb 2012 17:02:38 +0100
Subject: [PATCH] ALSA: hda - Fix redundant jack creations for cx5051

As the patch commit text says,
"The fix is needed only up to 3.2 kernel, since the HD-audio jack layer
was redesigned in the 3.3 kernel."

As we carry that redesigned jack layer, the problem addressed by this 
patch does not apply to our kernel.

Moreover, it seems like one of my patches (ALSA: hda - Integrate 
input-jack stuff into kctl-jack) was modified somehow in this branch to 
make it apply, it seems easier for everybody if I just tell you what to 

brad.figg | 1 Mar 08:00 2012

The Daily Bug Report for Thursday, 01. March 2012 06:36 UTC

The Daily Bug Report
Thursday, 01. March 2012 06:36 UTC

The linux package acquired 10 new bugs in the last 24 hrs.

Bug       Title                                                           Series      Importance      Status           Assignee
-------   ------------------------------------------------------------    --------    ------------    -------------    ---------------------
943119    aufs.ko missing from the Precise kernels                        precise     Undecided       In Progress      Tim Gardner
943170    tty output of MSP430 garbled                                                Undecided       Incomplete       Unassigned
943181    BUG: unable to handle kernel NULL pointer dereference at ...    precise     Medium          Confirmed        Unassigned
943205    BUG: unable to handle kernel paging request at ffffffff7b...    precise     Medium          Confirmed        Unassigned
943263    PC display will not turn on in Oneiric with Llano APUs co...    oneiric     Undecided       Confirmed        Unassigned
943498    [HP Compaq 6000 Pro] - Wireless NOT working in 10.04.4          lucid       High            Confirmed        Unassigned
943516    Linux freeze when compiling                                     lucid       Medium          Confirmed        Unassigned
943585    All kernel's after 2.6.35-32-generic fail to boot               maverick    High            Incomplete       Unassigned
943625    [drm:drm_mode_getfb] *ERROR* invalid framebuffer id             precise     Medium          Confirmed        Unassigned
943673    Lenovo SL300 does not suspend when SD card is present           oneiric     Undecided       Confirmed        Unassigned

An online version of this report can be found at: http://people.canonical.com/~kernel/reports/1-day-new.html

The Top 10 Hot List Bugs (based on bug heat)

Bug       Title                                                           Series      Importance      Status           Heat     Assignee
-------   ------------------------------------------------------------    --------    ------------    -------------    -----    ---------------------
818830    [Sandy Bridge] serious power regression from kernel 3.0.0...    oneiric     Medium          Triaged          674      Canonical Kernel Team
914319    NULL pointer dereference at sd_revalidate_disk+0x30/0x2a0       precise     High            Triaged          136      Unknown
924400    kernel NULL pointer dereference at 00000000000001f0             precise     High            Confirmed        48       Unknown

Andy Whitcroft | 1 Mar 15:45 2012

[lucid, lucid/fsl-imx51 CVE 1/2] block: Fix io_context leak after clone with CLONE_IO

From: Louis Rilling <louis.rilling <at> kerlabs.com>

With CLONE_IO, copy_io() increments both ioc->refcount and ioc->nr_tasks.
However exit_io_context() only decrements ioc->refcount if ioc->nr_tasks
reaches 0.

Always call put_io_context() in exit_io_context().

Signed-off-by: Louis Rilling <louis.rilling <at> kerlabs.com>
Signed-off-by: Jens Axboe <jens.axboe <at> oracle.com>

(cherry picked from commit 61cc74fbb87af6aa551a06a370590c9bc07e29d9)
CVE-2012-0879
BugLink: http://bugs.launchpad.net/bugs/940743
Signed-off-by: Andy Whitcroft <apw <at> canonical.com>
---
 block/blk-ioc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/block/blk-ioc.c b/block/blk-ioc.c
index d4ed600..dcd0412 100644
--- a/block/blk-ioc.c
+++ b/block/blk-ioc.c
 <at>  <at>  -80,8 +80,8  <at>  <at>  void exit_io_context(void)
 			ioc->aic->exit(ioc->aic);
 		cfq_exit(ioc);

-		put_io_context(ioc);
 	}
+	put_io_context(ioc);
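
Review bot: the `put_io_context(ioc);` now placed after the closing brace runs on every call, but nothing at that line says why the reference is dropped while other tasks may still share the context. A one-line comment that each task sharing the context holds its own ioc->refcount reference (copy_io() takes one under CLONE_IO, per the commit message) would stop a later cleanup from folding the call back into the block. The removal also leaves the blank line after `cfq_exit(ioc);` sitting directly before the `}`; for a cherry-pick that is better left matching mainline than tidied here.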

Andy Whitcroft | 1 Mar 15:45 2012

[lucid, lucid/fsl-imx51 CVE 2/2] block: Fix io_context leak after failure of clone with CLONE_IO

From: Louis Rilling <louis.rilling <at> kerlabs.com>

With CLONE_IO, parent's io_context->nr_tasks is incremented, but never
decremented whenever copy_process() fails afterwards, which prevents
exit_io_context() from calling IO schedulers exit functions.

Give a task_struct to exit_io_context(), and call exit_io_context() instead of
put_io_context() in copy_process() cleanup path.

Signed-off-by: Louis Rilling <louis.rilling <at> kerlabs.com>
Signed-off-by: Jens Axboe <jens.axboe <at> oracle.com>

(cherry picked from commit b69f2292063d2caf37ca9aec7d63ded203701bf3)
CVE-2012-0879
BugLink: http://bugs.launchpad.net/bugs/940743
Signed-off-by: Andy Whitcroft <apw <at> canonical.com>
---
 block/blk-ioc.c           |   10 +++++-----
 include/linux/iocontext.h |    5 +++--
 kernel/exit.c             |    2 +-
 kernel/fork.c             |    3 ++-
 4 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/block/blk-ioc.c b/block/blk-ioc.c
index dcd0412..cbdabb0 100644
--- a/block/blk-ioc.c
+++ b/block/blk-ioc.c
 <at>  <at>  -66,14 +66,14  <at>  <at>  static void cfq_exit(struct io_context *ioc)
 }


Andy Whitcroft | 1 Mar 15:45 2012

[CVE-2012-0879] CLONE_IO reference counting error

CVE-2012-0879
	With CLONE_IO, copy_io() increments both ioc->refcount and
	ioc->nr_tasks.	However exit_io_context() only decrements
	ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
	io_context->nr_tasks is incremented, but never decremented whenever
	copy_process() fails afterwards, which prevents exit_io_context()
	from calling IO schedulers exit functions. An unprivileged local
	user could use these flaws to cause denial of service.

This was not introduced until after hardy, and fixes for this have hit
maverick and later via mainline and stable.  Following this email is a 2
patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
from mainline.

Proposing for lucid and lucid/fsl-imx51.

-apw
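
The two counter imbalances described in the CVE-2012-0879 summary above, as an added user-space model (not code from the patches or from the kernel). The struct, the helper names and the use of plain ints instead of atomics are assumptions made for illustration; `put_always` and `cleanup_calls_exit` select the behaviour after patch 1/2 and patch 2/2 respectively.

```c
#include <stdbool.h>
#include <stdio.h>
struct ioc_model {     /* simplified stand-in for io_context (assumption) */
    int refcount;      /* references keeping the object allocated */
    int nr_tasks;      /* tasks currently sharing the context */
    bool sched_exit;   /* IO scheduler exit hooks have run */
};

/* CLONE_IO branch of copy_io(): the child shares the parent's context. */
static void model_copy_io(struct ioc_model *ioc) {
    ioc->refcount++;
    ioc->nr_tasks++;
}

/* exit_io_context(); put_always = true models the code after patch 1/2. */
static void model_exit_io_context(struct ioc_model *ioc, bool put_always) {
    bool last = (--ioc->nr_tasks == 0);
    ioc->sched_exit = ioc->sched_exit || last;  /* hooks run for the last task */
    if (last || put_always)
        ioc->refcount--;                        /* put_io_context() */
}

/* Parent and n CLONE_IO children all exit; returns the references left. */
int refs_left(int n_children, bool put_always) {
    struct ioc_model ioc = { .refcount = 1, .nr_tasks = 1 };
    for (int i = 0; i < n_children; i++)
        model_copy_io(&ioc);
    for (int i = 0; i <= n_children; i++)
        model_exit_io_context(&ioc, put_always);
    return ioc.refcount;
}

/* A clone fails after copy_io(), then the parent exits: did the hooks run? */
bool hooks_run(bool cleanup_calls_exit) {
    struct ioc_model ioc = { .refcount = 1, .nr_tasks = 1 };
    model_copy_io(&ioc);
    if (cleanup_calls_exit)
        model_exit_io_context(&ioc, true);   /* cleanup after patch 2/2 */
    else
        ioc.refcount--;                      /* cleanup before: put only */
    model_exit_io_context(&ioc, true);       /* parent exits later */
    return ioc.sched_exit;
}

int main(void) {
    printf("refs left %d -> %d; hooks run %d -> %d\n",
           refs_left(3, false), refs_left(3, true), hooks_run(false), hooks_run(true));
    return 0;
}
```

In the model, a nonzero result from `refs_left()` means the context is never freed, and a false result from `hooks_run()` means nr_tasks never reached 0, so the scheduler exit functions were skipped.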

Herton Ronaldo Krzesinski | 1 Mar 16:13 2012

Ack: Re: [CVE-2012-0879] CLONE_IO reference counting error

On Thu, Mar 01, 2012 at 02:45:41PM +0000, Andy Whitcroft wrote:
> CVE-2012-0879
> 	With CLONE_IO, copy_io() increments both ioc->refcount and
> 	ioc->nr_tasks.	However exit_io_context() only decrements
> 	ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
> 	io_context->nr_tasks is incremented, but never decremented whenever
> 	copy_process() fails afterwards, which prevents exit_io_context()
> 	from calling IO schedulers exit functions. An unprivileged local
> 	user could use these flaws to cause denial of service.
> 
> This was not introduced until after hardy, and fixes for this have hit
> maverick and later via mainline and stable.  Following this email is a 2
> patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
> from mainline.
> 
> Proposing for lucid and lucid/fsl-imx51.
> 
> -apw
> 

Stefan Bader | 1 Mar 16:22 2012

ACK: [CVE-2012-0879] CLONE_IO reference counting error

On 01.03.2012 15:45, Andy Whitcroft wrote:
> CVE-2012-0879
> 	With CLONE_IO, copy_io() increments both ioc->refcount and
> 	ioc->nr_tasks.	However exit_io_context() only decrements
> 	ioc->refcount if ioc->nr_tasks reaches 0. With CLONE_IO, parent's
> 	io_context->nr_tasks is incremented, but never decremented whenever
> 	copy_process() fails afterwards, which prevents exit_io_context()
> 	from calling IO schedulers exit functions. An unprivileged local
> 	user could use these flaws to cause denial of service.
>
> This was not introduced until after hardy, and fixes for this have hit
> maverick and later via mainline and stable.  Following this email is a 2
> patch series for lucid and lucid/fsl-imx51; both are trivial cherry-picks
> from mainline.
>
> Proposing for lucid and lucid/fsl-imx51.
>
> -apw
>
Looks ok

-Stefan

