diff --git a/debian/changelog b/debian/changelog index 146801074..f27f9bd52 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,6 +1,239 @@ -linux (4.17.3-2) UNRELEASED; urgency=medium +linux (4.17.4-1) UNRELEASED; urgency=medium - * [armhf] DRM: Enable CONFIG_DRM_IMX_PARALLEL_DISPLAY + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.4 + - [x86] spectre_v1: Disable compiler optimizations over + array_index_mask_nospec() + - [x86] xen: Add call of speculative_store_bypass_ht_init() to PV paths + - [x86] UV: Add adjustable set memory block size function + - [x86] UV: Use new set memory block size function + - [x86] UV: Add kernel parameter to set memory block size + - [x86] mce: Improve error message when kernel cannot recover + - [x86] mce: Check for alternate indication of machine check recovery on + Skylake + - [x86] mce: Fix incorrect "Machine check from unknown source" message + - [x86] mce: Do not overwrite MCi_STATUS in mce_no_way_out() + - [x86] Call fixup_exception() before notify_die() in math_error() + - [m68k] mm: Adjust VM area to be unmapped by gap size for __iounmap() + - [m68k] mac: Fix SWIM memory resource end address + - hwmon: (k10temp) Add support for Stoney Ridge and Bristol Ridge CPUs + - mtd: spi-nor: intel-spi: Fix atomic sequence handling + - serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version + - signal/xtensa: Consistenly use SIGBUS in do_unaligned_user + - PM / Domains: Fix error path during attach in genpd + - PCI / PM: Do not clear state_saved for devices that remain suspended + - ACPI / LPSS: Avoid PM quirks on suspend and resume from S3 + - PM / core: Fix supplier device runtime PM usage counter imbalance + - PM / OPP: Update voltage in case freq == old_freq + - mmc: renesas_sdhi: really fix WP logic regressions + - usb: do not reset if a low-speed or full-speed device timed out + - 1wire: family module autoload fails because of upper/lower case mismatch. 
+ - ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it + - ASoC: cs35l35: Add use_single_rw to regmap config + - ASoC: mediatek: preallocate pages use platform device + - ASoC: cirrus: i2s: Fix LRCLK configuration + - ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup + - thermal: bcm2835: Stop using printk format %pCr + - lib/vsprintf: Remove atomic-unsafe support for %pCr + - ftrace/selftest: Have the reset_trigger code be a bit more careful + - mips: ftrace: fix static function graph tracing + - branch-check: fix long->int truncation when profiling branches + - ipmi:bt: Set the timeout before doing a capabilities check + - Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw + loader + - printk: fix possible reuse of va_list variable + - fuse: fix congested state leak on aborted connections + - fuse: atomic_o_trunc should truncate pagecache + - fuse: don't keep dead fuse_conn at fuse_fill_super(). + - fuse: fix control dir setup and teardown + - [powerpc*] mm/hash: Add missing isync prior to kernel stack SLB switch + - [powerpc*] pkeys: Detach execute_only key on !PROT_EXEC + - [powerpc*] ptrace: Fix setting 512B aligned breakpoints with + PTRACE_SET_DEBUGREG + - [powerpc*] perf: Fix memory allocation for core-imc based on + num_possible_cpus() + - [powerpc*] ptrace: Fix enforcement of DAWR constraints + - [powerpc*] powernv/ioda2: Remove redundant free of TCE pages + - [powerpc*] powernv: copy/paste - Mask SO bit in CR + - [powerpc*] powernv/cpuidle: Init all present cpus for deep states + - [powerpc*] cpuidle: powernv: Fix promotion from snooze if next state + disabled + - [powerpc*] fadump: Unregister fadump on kexec down path. 
+ - libnvdimm, pmem: Do not flush power-fail protected CPU caches + - [armhf, arm64] soc: rockchip: power-domain: Fix wrong value when power + up pd with writemask + - [powerpc*] 64s/radix: Fix radix_kvm_prefetch_workaround paca access of not + possible CPU + - [powerpc] e500mc: Set assembler machine type to e500mc + - [powerpc*] 64s: Fix DT CPU features Power9 DD2.1 logic + - cxl: Configure PSL to not use APC virtual machines + - cxl: Disable prefault_mode in Radix mode + - [armhf] 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size + - [armhf] dts: Fix SPI node for Arria10 + - [armhf] dts: socfpga: Fix NAND controller node compatible + - [armhf] dts: socfpga: Fix NAND controller clock supply + - [armhf] dts: socfpga: Fix NAND controller node compatible for Arria10 + - hwrng: core - Always drop the RNG in hwrng_unregister() + - softirq: Reorder trace_softirqs_on to prevent lockdep splat + - [arm64] Fix syscall restarting around signal suppressed by tracer + - [arm64] crypto: arm64/aes-blk - fix and move skcipher_walk_done out of + kernel_neon_begin, _end + - [arm64] kpti: Use early_param for kpti= command-line option + - [arm64] mm: Ensure writes to swapper are ordered wrt subsequent cache + maintenance + - [arm64] dts: marvell: fix CP110 ICU node size + - [arm64] dts: meson: disable sd-uhs modes on the libretech-cc + - [arm64] dts: meson-gx: fix ATF reserved memory region + - of: overlay: validate offset from property fixups + - of: unittest: for strings, account for trailing \0 in property length + field + - of: platform: stop accessing invalid dev in of_platform_device_destroy + - tpm: fix use after free in tpm2_load_context() + - tpm: fix race condition in tpm_common_write() + - efi/libstub/tpm: Initialize efi_physical_addr_t vars to zero for mixed + mode + - IB/qib: Fix DMA api warning with debug kernel + - IB/{hfi1, qib}: Add handling of kernel restart + - IB/mlx4: Mark user MR as writable if actual virtual memory is writable + - IB/core: 
Make testing MR flags for writability a static inline function + - IB/mlx5: Fetch soft WQE's on fatal error state + - IB/isert: Fix for lib/dma_debug check_sync warning + - IB/isert: fix T10-pi check mask setting + - IB/hfi1: Fix fault injection init/exit issues + - IB/hfi1: Reorder incorrect send context disable + - IB/hfi1: Optimize kthread pointer locking when queuing CQ entries + - IB/hfi1: Fix user context tail allocation for DMA_RTAIL + - IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write + - RDMA/mlx4: Discard unknown SQP work requests + - xprtrdma: Return -ENOBUFS when no pages are available + - RDMA/core: Save kernel caller name when creating CQ using ib_create_cq() + - mtd: rawnand: Do not check FAIL bit when executing a SET_FEATURES op + - mtd: cfi_cmdset_0002: Change write buffer to check correct value + - mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally + - mtd: rawnand: fix return value check for bad block status + - mtd: rawnand: mxc: set spare area size register explicitly + - mtd: rawnand: micron: add ONFI_FEATURE_ON_DIE_ECC to supported features + - mtd: rawnand: All AC chips have a broken GET_FEATURES(TIMINGS). + - mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() + - mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips + - mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary + - mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking. 
+ - clk:aspeed: Fix reset bits for PCI/VGA and PECI + - [x86] PCI: hv: Make sure the bus domain is really unique + - PCI: Add ACS quirk for Intel 7th & 8th Gen mobile + - PCI: Add ACS quirk for Intel 300 series + - PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on + resume + - PCI: Account for all bridges on bus when distributing bus numbers + - auxdisplay: fix broken menu + - pinctrl: armada-37xx: Fix spurious irq management + - pinctrl: samsung: Correct EINTG banks order + - pinctrl: devicetree: Fix pctldev pointer overwrite + - cpufreq: intel_pstate: Fix scaling max/min limits with Turbo 3.0 + - [mips*] pb44: Fix i2c-gpio GPIO descriptor table + - [mips*] io: Add barrier after register read in inX() + - time: Make sure jiffies_to_msecs() preserves non-zero time periods + - irqchip/gic-v3-its: Don't bind LPI to unavailable NUMA node + - locking/rwsem: Fix up_read_non_owner() warning with DEBUG_RWSEMS + - X.509: unpack RSA signatureValue field from BIT STRING + - Btrfs: fix return value on rename exchange failure + - iio: adc: ad7791: remove sample freq sysfs attributes + - iio: sca3000: Fix an error handling path in 'sca3000_probe()' + - mm: fix __gup_device_huge vs unmap + - scsi: scsi_debug: Fix memory leak on module unload + - scsi: hpsa: disable device during shutdown + - scsi: qla2xxx: Delete session for nport id change + - scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails + - scsi: qla2xxx: Mask off Scope bits in retry delay + - scsi: qla2xxx: Spinlock recursion in qla_target + - scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler + - scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF + - scsi: zfcp: fix misleading REC trigger trace where erp_action setup + failed + - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early + return + - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for + ERP_FAILED + - scsi: zfcp: fix missing REC trigger trace for all 
objects in ERP_FAILED + - scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread + - linvdimm, pmem: Preserve read-only setting for pmem devices + - libnvdimm, pmem: Unconditionally deep flush on *sync + - [armhf] clk: meson: meson8b: mark fclk_div2 gate clocks as CLK_IS_CRITICAL + - [armhf] rtc: sun6i: Fix bit_idx value for clk_register_gate + - md: fix two problems with setting the "re-add" device state. + - rpmsg: smd: do not use mananged resources for endpoints and channels + - ubi: fastmap: Cancel work upon detach + - ubi: fastmap: Correctly handle interrupted erasures in EBA + - UBIFS: Fix potential integer overflow in allocation + - backlight: as3711_bl: Fix Device Tree node lookup + - backlight: max8925_bl: Fix Device Tree node lookup + - backlight: tps65217_bl: Fix Device Tree node lookup + - Revert "iommu/amd_iommu: Use CONFIG_DMA_DIRECT_OPS=y and + dma_direct_{alloc,free}()" + - f2fs: don't use GFP_ZERO for page caches + - um: Fix initialization of vector queues + - um: Fix raw interface options + - mfd: twl-core: Fix clock initialization + - mfd: intel-lpss: Program REMAP register in PIO mode + - mfd: intel-lpss: Fix Intel Cannon Lake LPSS I2C input clock + - perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 + - [x86] perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING + - [x86] perf intel-pt: Fix decoding to accept CBR between FUP and + corresponding TIP + - [x86] perf intel-pt: Fix MTC timing after overflow + - [x86] perf intel-pt: Fix "Unexpected indirect branch" error + - [x86] perf intel-pt: Fix packet decoding of CYC packets + - media: vsp1: Release buffers for each video node + - media: uvcvideo: Support realtek's UVC 1.5 device + - media: cx231xx: Ignore an i2c mux adapter + - media: v4l2-compat-ioctl32: prevent go past max size + - media: cx231xx: Add support for AverMedia DVD EZMaker 7 + - media: rc: mce_kbd decoder: fix stuck keys + - media: dvb_frontend: fix locking issues at 
dvb_frontend_get_event() + - nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir + - NFSv4: Fix possible 1-byte stack overflow in + nfs_idmap_read_and_verify_message + - NFSv4: Revert commit 5f83d86cf531d ("NFSv4.x: Fix wraparound issues..") + - NFSv4: Fix a typo in nfs41_sequence_process + - video: uvesafb: Fix integer overflow in allocation + - ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices + - Input: silead - add MSSL0002 ACPI HID + - Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID + - pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume + - rbd: flush rbd_dev->watch_dwork after watch is unregistered + - mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() + - mm: fix devmem_is_allowed() for sub-page System RAM intersections + - xen: Remove unnecessary BUG_ON from __unbind_from_irq() + - net: ethernet: fix suspend/resume in davinci_emac + - udf: Detect incorrect directory size + - Input: xpad - fix GPD Win 2 controller name + - Input: psmouse - fix button reporting for basic protocols + - Input: elan_i2c_smbus - fix more potential stack buffer overflows + - Input: elantech - enable middle button of touchpads on ThinkPad P52 + - Input: elantech - fix V4 report decoding for module with middle key + - ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl + - ALSA: hda - Force to link down at runtime suspend on ATI/AMD HDMI + - ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co + - ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 + - ALSA: hda/realtek - Fix the problem of two front mics on more machines + - Revert "i2c: algo-bit: init the bus to a known state" + - i2c: gpio: initialize SCL to HIGH again + - slub: fix failure when we delete and create a slab cache + - kasan: depend on CONFIG_SLUB_DEBUG + - dm: use bio_split() when splitting out the already processed bio + - pmem: only set QUEUE_FLAG_DAX for fsdax mode + - block: Fix transfer when chunk 
sectors exceeds max + - block: Fix cloning of requests with a special payload + - [x86] e820: put !E820_TYPE_RAM regions into memblock.reserved + - selinux: move user accesses in selinuxfs out of locked regions + - [x86] entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int + $0x80" + - [x86] efi: Fix efi_call_phys_epilog() with CONFIG_X86_5LEVEL=y + - dm zoned: avoid triggering reclaim from inside dmz_map() + - dm thin: handle running out of data space vs concurrent discard + + [Sjoerd Simons] + * [armhf] DRM: Enable CONFIG_DRM_IMX_PARALLEL_DISPLAY -- Sjoerd Simons Wed, 04 Jul 2018 10:25:57 +0200 diff --git a/debian/patches/bugfix/all/tracing-check-for-no-filter-when-processing-event-fi.patch b/debian/patches/bugfix/all/tracing-check-for-no-filter-when-processing-event-fi.patch deleted file mode 100644 index b7fac2ec6..000000000 --- a/debian/patches/bugfix/all/tracing-check-for-no-filter-when-processing-event-fi.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From: "Steven Rostedt (VMware)" -Date: Thu, 21 Jun 2018 13:20:53 -0400 -Subject: tracing: Check for no filter when processing event filters -Origin: https://git.kernel.org/linus/70303420b5721c38998cf987e6b7d30cc62d4ff1 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12714 - -The syzkaller detected a out-of-bounds issue with the events filter code, -specifically here: - - prog[N].pred = NULL; /* #13 */ - prog[N].target = 1; /* TRUE */ - prog[N+1].pred = NULL; - prog[N+1].target = 0; /* FALSE */ --> prog[N-1].target = N; - prog[N-1].when_to_branch = false; - -As that's the first reference to a "N-1" index, it appears that the code got -here with N = 0, which means the filter parser found no filter to parse -(which shouldn't ever happen, but apparently it did). - -Add a new error to the parsing code that will check to make sure that N is -not zero before going into this part of the code. If N = 0, then -EINVAL is -returned, and a error message is added to the filter. 
- -Cc: stable@vger.kernel.org -Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster") -Reported-by: air icy -bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019 -Signed-off-by: Steven Rostedt (VMware) ---- - kernel/trace/trace_events_filter.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c -index e1c818dbc0d7..0dceb77d1d42 100644 ---- a/kernel/trace/trace_events_filter.c -+++ b/kernel/trace/trace_events_filter.c -@@ -78,7 +78,8 @@ static const char * ops[] = { OPS }; - C(TOO_MANY_PREDS, "Too many terms in predicate expression"), \ - C(INVALID_FILTER, "Meaningless filter expression"), \ - C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \ -- C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), -+ C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \ -+ C(NO_FILTER, "No filter found"), - - #undef C - #define C(a, b) FILT_ERR_##a -@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, - goto out_free; - } - -+ if (!N) { -+ /* No program? */ -+ ret = -EINVAL; -+ parse_error(pe, FILT_ERR_NO_FILTER, ptr - str); -+ goto out_free; -+ } -+ - prog[N].pred = NULL; /* #13 */ - prog[N].target = 1; /* TRUE */ - prog[N+1].pred = NULL; diff --git a/debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch b/debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch deleted file mode 100644 index 4f4db6fe2..000000000 --- a/debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From: Wenwen Wang -Date: Tue, 8 May 2018 08:50:28 -0500 -Subject: virt: vbox: Only copy_from_user the request-header once -Origin: https://git.kernel.org/linus/bd23a7269834dc7c1f93e83535d16ebc44b75eba -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12633 - -In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from -the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the -'version', 'size_in', and 'size_out' fields of 'hdr' are verified. - -Before this commit, after the checks a buffer for the entire request would -be allocated and then all data including the verified header would be -copied from the userspace 'arg' pointer again. - -Given that the 'arg' pointer resides in userspace, a malicious userspace -process can race to change the data pointed to by 'arg' between the two -copies. By doing so, the user can bypass the verifications on the ioctl -argument. - -This commit fixes this by using the already checked copy of the header -to fill the header part of the allocated buffer and only copying the -remainder of the data from userspace. - -Signed-off-by: Wenwen Wang -Reviewed-by: Hans de Goede -Signed-off-by: Greg Kroah-Hartman ---- - drivers/virt/vboxguest/vboxguest_linux.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/virt/vboxguest/vboxguest_linux.c -+++ b/drivers/virt/vboxguest/vboxguest_linux.c -@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct - if (!buf) - return -ENOMEM; - -- if (copy_from_user(buf, (void *)arg, hdr.size_in)) { -+ *((struct vbg_ioctl_hdr *)buf) = hdr; -+ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr), -+ hdr.size_in - sizeof(hdr))) { - ret = -EFAULT; - goto out; - } diff --git a/debian/patches/series b/debian/patches/series index 54a970a2a..80d19d4d2 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -131,8 +131,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch -bugfix/all/tracing-check-for-no-filter-when-processing-event-fi.patch bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
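Review bot: In the debian/changelog hunk, the new 4.17.4-1 entry never records that bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch and bugfix/all/tracing-check-for-no-filter-when-processing-event-fi.patch are dropped, and none of the listed upstream items names CVE-2018-12633 or CVE-2018-12714, the ids carried in the Bug-Debian-Security headers of the two deleted files. Add a line stating that the patches were dropped and why, with the CVE ids, so the status of both fixes stays traceable from the changelog alone.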
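Review bot: Deleting tracing-check-for-no-filter-when-processing-event-fi.patch removes the `if (!N)` guard that sits in front of `prog[N-1].target = N` in predicate_parse(), yet the upstream items listed for 4.17.4 in this same diff do not include "tracing: Check for no filter when processing event filters". Before merging, confirm that kernel/trace/trace_events_filter.c in the rebased source contains the FILT_ERR_NO_FILTER check from upstream commit 70303420b5721c38998cf987e6b7d30cc62d4ff1; if it does not, the patch has to stay in debian/patches/series, because without it the N = 0 case described in the commit message reaches the out-of-bounds write again.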
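Review bot: Deleting virt-vbox-Only-copy_from_user-the-request-header-onc.patch drops the single-fetch handling of the ioctl header in vbg_misc_device_ioctl() (`*((struct vbg_ioctl_hdr *)buf) = hdr;` followed by a copy of only `hdr.size_in - sizeof(hdr)` bytes), and no "virt: vbox" item appears among the 4.17.4 changes listed in the changelog hunk. Confirm that drivers/virt/vboxguest/vboxguest_linux.c in the rebased source carries upstream commit bd23a7269834dc7c1f93e83535d16ebc44b75eba, otherwise the second copy_from_user() of the already verified header comes back. While checking, also confirm that the header validation ahead of this code rejects a size_in smaller than sizeof(hdr), since the copy length subtracts sizeof(hdr) and that check lies outside the lines shown here.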