Stable kernel update announcements posted on LWN have a certain tendency to be
followed by complaints about the amount of information which is made
available. It seems that there is a desire for a description of the
changes which is more accessible than the patches themselves, and for
attention to be drawn to the security-relevant fixes.
As an exercise in determining what kind of effort is being asked
of the kernel maintainers, your editor decided to make a pass
attempt to describe the impact of
each of the changes - all 93 of them. The results can be found below.
Disclaimers: there is no way to review 93 patches in a finite time and
fully understand each of them. So there are
certainly errors in what follows. The simple truth of the matter is that
it is very hard to say which fixes have security implications; a determined
attacker can find a way to exploit some very obscure bugs.
Your editor would also like to discourage anybody from thinking
that this will become a regular LWN feature. The amount of work required
is considerable; it's not something we're able to commit to doing for every
That said, here's a look at what's in this update.
Other bug fixes
- #1: Fix potential crash with
sys_move_pages. Fix an unreliable test which could cause a crash
in the page migration code. [Update: as has been pointed out
in the comments, this one is exploitable
and should have been in the
security list above.]
- #6: hwmon: (w83781d) Request I/O ports
individually for probing. More robust access to hardware
- #7: hwmon: (lm78) Request I/O ports
individually for probing. More robust access to hardware
- #8: hwmon: (adt7462) Wrong
ADT7462_VOLT_COUNT. Fixes a bug which could cause one voltage
measurement to be passed over.
- #9: ALSA: ctxfi - fix PTP address
initialization. Fixes an alignment bug in the ctxfi sound driver.
- #10: drm/i915: disable hotplug detect
before Ironlake CRT detect. Fixes a possible hang in the monitor
- #12: drm/i915: Disable SR when more than
one pipe is enabled. Fixes a flicker-causing i915 bug.
- #13: drm/i915: Fix DDC on some systems by
clearing BIOS GMBUS setup. Fixes a bug which can cause failure to
detect some monitors.
- #15: drm/i915: Fix the incorrect DMI
string for Samsung SX20S laptop. Incorrect identification
information was returned to user space.
- #17: usb: r8a66597-hcd: Flush the D-cache
for the pipe-in transfer buffers. Fixes a cache consistency
- #18: i2c-tiny-usb: Fix on big-endian
systems. An endianness bug in i2c-tiny-usb caused incorrect
information to be returned to user space.
- #19: drm/i915: handle FBC and self-refresh
better. Eliminates an i915 flicker problem.
- #20: drm/i915: Increase fb alignment to
64k. Fixes an obscure error in the i915 driver.
- #24: CPUFREQ: Fix use after free of struct
powernow_k8_data. Fixes a use-after-free bug in the cpufreq code;
does not appear to be user-triggerable.
- #25: freeze_bdev: dont deactivate
successfully frozen MS_RDONLY sb. Fixes a boot-time crash in the block
- #27: ioat: fix infinite timeout checking
in ioat2_quiesce. Fixes a typo in the IOAT code.
- #29: fs/exec.c: restrict initial stack
space expansion to rlimit. Fixes a bug which could cause process
creation failures in the presence of tight stack limits.a
- #30: cifs: fix length calculation for
converted unicode readdir names. Fixes a CIFS data consistency
- #31: NFS: Fix a reference leak in
nfs_wb_cancel_page(). Fixes a reference leak in the NFS
- #32: NFS: Try to commit unstable writes in
nfs_release_page(). Looks like a fix for a potential data loss
problem in the NFS code.
- #33: NFSv4: Dont allow posix locking
against servers that dont support it. Be sure to notice if a
server does not support POSIX locking.
- #34: NFSv4: Ensure that the NFSv4 locking
can recover from stateid errors. Fix an NFSv4 locking problem
with unknown effects.
- #37: NFS: Fix a bug in
nfs_fscache_release_page(). Removes a spurious BUG_ON()
- #38: NFS: Fix the mapping of the
NFSERR_SERVERFAULT error. Fix an incorrect error value returned
to user space.
- #39: md: fix degraded calculation when
starting a reshape. Some old code can cause the MD subsystem to
be unclear on whether a given array is running in a degraded mode or
not after a reshape.
- #42: kvmclock: count total_sleep_time when
updating guest clock. Fix an error which could lead to incorrect
wall clock time in KVM guests.
- #43: KVM: PIT: control word is
write-only. Prevent attempts to read a write-only register.
- #44: tpm_infineon: fix suspend/resume
handler for pnp_driver. Fixes a hang-on-suspend bug.
- #45: amd64_edac: Do not falsely trigger
kerneloops. Remove a spurious warning in the amd64 EDAC code.
- #46: netfilter: nf_conntrack: fix memory
corruption with multiple namespaces. Fixes a potential race
condition which could lead to memory corruption. Requires the
instantiation of a new namespace (and, thus, root privilege) to
- #48: netfilter: nf_conntrack: restrict
runtime expect hashsize modifications. Don't allow the connection
tracking expect_hashsize attribute to be modified, since the
code isn't prepared to handle that.
- #49: netfilter: xtables: compat out of
scope fix. Fixes a potential stack-based dangling pointer bug.
- #51: drm/i915: remove full registers dump
debug. Removes an i915 debug option which could hang the machine.
- #52: drm/i915: add i915_lp_ring_sync
helper. Code and performance improvement in the i915 driver.
- #53: drm/i915: Dont wait interruptible for
possible plane buffer flush. The i915 DRM driver can corrupt the
hardware state if a signal comes in at the wrong time. Could be seen
as a denial of service problem, but that's a big stretch.
- #56: wmi: Free the allocated acpi objects
through wmi_get_event_data. Fixes a memory leak in the WMI code.
- #58: /dev/mem: introduce
size_inside_page(). Eliminates some duplicate code and fixes the
alignment logic for /dev/kmem, which was described simply as
"buggy." But who uses /dev/kmem anymore?
- #59: devmem: check vmalloc address on kmem
read/write. A missing test for addresses in the
vmalloc() space could cause an oops from the
/dev/kmem code. Probably not triggerable by ordinary users,
though, even on systems where /dev/kmem is enabled.
- #60: devmem: fix kmem write bug on memory
holes. An attempt to write data to /dev/mem would get
confused if a memory hole is hit, causing incorrect data to be written
after the hole.
- #61: SCSI: mptfusion : mptscsih_abort
return value should be SUCCESS instead of value 0. The mptfusion
driver had an incorrect return value with unknown effects.
- #62: sh: Couple kernel and user write
page perm bits for CONFIG_X2TLB. The SuperH architecture had a
problem handling write faults for pages in the vmalloc()
space, which could cause problems with drivers that map such pages
into user space.
- #63: ALSA: hda - use WARN_ON_ONCE() for
zero-division detection. Avoid spamming the log files if the
hardware goes nuts.
- #64: dst: call cond_resched() in
dst_gc_task(). The network destination cache code can process
very long lists, leading to soft lockup warnings.
- #66: befs: fix leak. There is a
memory leak in the BeFS mount code; one would not normally expect it
to be user-triggerable.
- #67: rtc-fm3130: add missing braces.
Missing braces in the rtc-fm3130 would cause spurious warnings to be
- #68: [libata] Call flush_dcache_page after
PIO data transfers in libata-sff.c. Fix a cache coherency bug in
the ATA code.
- #70: pktgen: Fix freezing problem.
The packet generator could prevent the system from suspending or
- #71: x86/amd-iommu: Fix IOMMU-API
initialization for iommu=pt. Fix a boot-time initialization error
in the IOMMU code.
- #72: x86/amd-iommu: Fix deassignment of a
device from the pt_domain. Fix a KVM device assignment failure.
- #73: x86: Re-get cfg_new in case
reuse/move irq_desc. Fix a bug in interrupt migration with
- #74: Staging: fix rtl8187se compilation
errors with mac80211. Boring compilation problem fix.
- #76: serial: 8250: add serial transmitter
fully empty test. Fixes a serial driver problem which could cause
the loss of some transmitted data.
- #77: sysfs: sysfs_sd_setattr set iattrs
unconditionally. An omitted initialization can cause sysfs
attributes to have more restrictive permissions than desired.
- #78: class: Free the class private data in
class_release. Fix a memory leak in the sysfs class code.
Potentially user-exploitable if somebody were willing to dedicate a
month of their life to repeatedly plugging and unplugging a device.
- #80: USB: usbfs: properly clean up the as
structure on error paths. Fixes a memory leak in the usbfs error
- #83: ACPI: fix High cpu temperature with
2.6.32. Fixes behavior on a couple of laptops with problematic
power management operation.
- #84: drm/radeon/kms: use udelay for short
delays. Use of schedule_timeout() for short delays was
slowing bootstrap considerably on some systems.
- #85: NFS: Too many GETATTR and ACCESS
calls after direct I/O. Fixes a performance regression in the NFS
- #86: eCryptfs: Add getattr function.
The eCryptfs filesystem would show incorrect file sizes.
- #87: b43: Fix throughput regression.
Throughput on some BCM4311 devices is said to have dropped from 18Mb/s
to 0.7Mb/s, which is a bit more of a penalty than some users wanted to
- #88: ath9k: Fix sequence numbers for PAE
frames. Fixes a protocol error in the ath9k driver.
- #89: mac80211: Fix probe request filtering
in IBSS mode. The wireless code could reply to probe requests
directed at a different SSID.
- #90: iwlwifi: Fix to set correct ht
configuration. The iwlwifi driver was not configuring
associations correctly, leading to dropped connections.
- #91: dm stripe: avoid divide by zero with
invalid stripe count. Giving a bad stripe size to the device
mapper code would cause a division by zero.
- #93: dm mpath: fix stall when requeueing
io. Fixes a root-triggerable stall in the device mapper multipath
Out of 93 patches, 18 struck your editor as having clear security
implications. Quite a few other patches fix crashes which could possibly
be security problems; if they are not listed as such, it's because there
was no immediately evident way that a user could trigger the problem.
Doubtless people with more imagination will figure out ways to take
advantage of some of these bugs.
What it comes down to is that the identification of security problems is
often hard. In the kernel environment, almost any bug could potentially
create some kind of vulnerability. So it is not surprising to see developers
"silently fix" security bugs; they simply fix bugs without realizing the
implications. It is also not surprising that some developers are reluctant
to call attention to security-related fixes. The list above almost
certainly includes "security fixes" for bugs that nobody can exploit while
classifying true vulnerabilities as mere bug fixes. Any list of
security-relevant patches is sure to be an incomplete and partially
That said, it may well be that fixes which are truly known to have security
implications should be marked as such. Attackers will make the effort to
figure that out anyway; it's not clear that making life harder for
everybody else has any benefits. Still, those who would complain about how
the stable tree is managed would do well to remember that, a few years ago,
we had no such tree. It came into being because people stepped up to do
the work of maintaining it. There can be no doubt that a better job could
be done here (as is the case almost everywhere else too); its just a matter
of somebody finding the time and the energy to do it.
to post comments)