debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

Update to 4.15.9 

This has some ABI changes, which still need to be resolved.
This commit is contained in:
Ben Hutchings 2018-03-13 22:12:01 +00:00
parent 7b3adb7e57
commit 17703a438b
4 changed files with 382 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

385
debian/changelog vendored
View File

@ -1,9 +1,388 @@
linux (4.15.4-2) UNRELEASED; urgency=medium
linux (4.15.9-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.5
- IB/umad: Fix use of unprotected device pointer
- IB/qib: Fix comparison error with qperf compare/swap test
- IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH
ports
- IB/core: Fix two kernel warnings triggered by rxe registration
- IB/core: Fix ib_wc structure size to remain in 64 bytes boundary
- IB/core: Avoid a potential OOPs for an unused optional parameter
- RDMA/rxe: Fix a race condition related to the QP error state
- RDMA/rxe: Fix a race condition in rxe_requester()
- RDMA/rxe: Fix rxe_qp_cleanup()
- [powerpc*] cpufreq: powernv: Dont assume distinct pstate values for
nominal and pmin
- swiotlb: suppress warning when __GFP_NOWARN is set
- PM / devfreq: Propagate error from devfreq_add_device()
- mwifiex: resolve reset vs. remove()/shutdown() deadlocks
- ocfs2: try a blocking lock before return AOP_TRUNCATED_PAGE
- trace_uprobe: Display correct offset in uprobe_events
- [powerpc*] radix: Remove trace_tlbie call from radix__flush_tlb_all
- [powerpc*] kernel: Block interrupts when updating TIDR
- [powerpc*] vas: Don't set uses_vas for kernel windows
- [powerpc*] numa: Invalidate numa_cpu_lookup_table on cpu remove
- [powerpc*] mm: Flush radix process translations when setting MMU type
- [powerpc*] xive: Use hw CPU ids when configuring the CPU queues
- dma-buf: fix reservation_object_wait_timeout_rcu once more v2
- [s390x] fix handling of -1 in set{,fs}[gu]id16 syscalls
- [arm64] dts: msm8916: Correct ipc references for smsm
- [x86] gpu: add CFL to early quirks
- [x86] kexec: Make kexec (mostly) work in 5-level paging mode
- [x86] xen: init %gs very early to avoid page faults with stack protector
- [x86] PM: Make APM idle driver initialize polling state
- mm, memory_hotplug: fix memmap initialization
- [amd64] entry: Clear extra registers beyond syscall arguments, to reduce
speculation attack surface
- [amd64] entry/compat: Clear registers for compat syscalls, to reduce
speculation attack surface
- [armhf] crypto: sun4i_ss_prng - fix return value of sun4i_ss_prng_generate
- [armhf] crypto: sun4i_ss_prng - convert lock to _bh in
sun4i_ss_prng_generate
- [powerpc*] mm/radix: Split linear mapping on hot-unplug
- [x86] speculation: Update Speculation Control microcode blacklist
- [x86] speculation: Correct Speculation Control microcode blacklist again
- [x86] Revert "x86/speculation: Simplify
indirect_branch_prediction_barrier()"
- [x86] KVM: Reduce retpoline performance impact in
slot_handle_level_range(), by always inlining iterator helper methods
- [X86] nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
- [x86] KVM/nVMX: Set the CPU_BASED_USE_MSR_BITMAPS if we have a valid L02
MSR bitmap
- [x86] speculation: Clean up various Spectre related details
- PM / runtime: Update links_count also if !CONFIG_SRCU
- PM: cpuidle: Fix cpuidle_poll_state_init() prototype
- [x86] platform: wmi: fix off-by-one write in wmi_dev_probe()
- [amd64] entry: Clear registers for exceptions/interrupts, to reduce
speculation attack surface
- [amd64] entry: Merge SAVE_C_REGS and SAVE_EXTRA_REGS, remove unused
extensions
- [amd64] entry: Merge the POP_C_REGS and POP_EXTRA_REGS macros into a
single POP_REGS macro
- [amd64] entry: Interleave XOR register clearing with PUSH instructions
- [amd64] entry: Introduce the PUSH_AND_CLEAN_REGS macro
- [amd64] entry: Use PUSH_AND_CLEAN_REGS in more cases
- [amd64] entry: Get rid of the ALLOC_PT_GPREGS_ON_STACK and
SAVE_AND_CLEAR_REGS macros
- [amd64] entry: Indent PUSH_AND_CLEAR_REGS and POP_REGS properly
- [amd64] entry: Fix paranoid_entry() frame pointer warning
- [amd64] entry: Remove the unused 'icebp' macro
- gfs2: Fixes to "Implement iomap for block_map"
- objtool: Fix segfault in ignore_unreachable_insn()
- [x86] debug, objtool: Annotate WARN()-related UD2 as reachable
- [x86] debug: Use UD2 for WARN()
- [x86] speculation: Fix up array_index_nospec_mask() asm constraint
- nospec: Move array_index_nospec() parameter checking into separate macro
- [x86] speculation: Add <asm/msr-index.h> dependency
- [x86] mm: Rename flush_tlb_single() and flush_tlb_one() to
__flush_tlb_one_[user|kernel]()
- [x86] cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping
- [x86] spectre: Fix an error message
- [x86] cpu: Change type of x86_cache_size variable to unsigned int
- [amd64] entry: Fix CR3 restore in paranoid_exit()
- drm/ttm: Don't add swapped BOs to swap-LRU list
- drm/ttm: Fix 'buf' pointer update in ttm_bo_vm_access_kmap() (v2)
- drm/qxl: unref cursor bo when finished with it
- drm/qxl: reapply cursor after resetting primary
- drm/amd/powerplay: Fix smu_table_entry.handle type
- drm/ast: Load lut in crtc_commit
- drm: Check for lessee in DROP_MASTER ioctl
- [arm64] Add missing Falkor part number for branch predictor hardening
- drm/radeon: Add dpm quirk for Jet PRO (v2)
- drm/radeon: adjust tested variable
- [x86] smpboot: Fix uncore_pci_remove() indexing bug when hot-removing a
physical CPU
- [powerpc*] rtc-opal: Fix handling of firmware error codes, prevent busy
loops
- mbcache: initialize entry->e_referenced in mb_cache_entry_create()
- mmc: sdhci: Implement an SDHCI-specific bounce buffer
- [armhf,arm64] mmc: bcm2835: Don't overwrite max frequency unconditionally
- [arm64] Revert "mmc: meson-gx: include tx phase in the tuning process"
- mlx5: fix mlx5_get_vector_affinity to start from completion vector 0
- [x86] Revert "apple-gmux: lock iGP IO to protect from vgaarb changes"
- ext4: fix a race in the ext4 shutdown path
- ext4: save error to disk in __ext4_grp_locked_error()
- ext4: correct documentation for grpid mount option
- mm: Fix memory size alignment in devm_memremap_pages_release()
- [mips*] Fix typo BIG_ENDIAN to CPU_BIG_ENDIAN
- [mips*] CPS: Fix MIPS_ISA_LEVEL_RAW fallout
- [mips*] Fix incorrect mem=X@Y handling
- [arm64] PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode
- [armhf,arm64] PCI: iproc: Fix NULL pointer dereference for BCMA
- [x86] PCI: pciehp: Assume NoCompl+ for Thunderbolt ports
- console/dummy: leave .con_font_get set to NULL
- rbd: whitelist RBD_FEATURE_OPERATIONS feature bit
- xen: Fix {set,clear}_foreign_p2m_mapping on autotranslating guests
- xenbus: track caller request id
- seq_file: fix incomplete reset on read from zero offset
- tracing: Fix parsing of globs with a wildcard at the beginning
- mpls, nospec: Sanitize array index in mpls_label_ok() (CVE-2017-5753)
- rtlwifi: rtl8821ae: Fix connection lost problem correctly
- [arm64] proc: Set PTE_NG for table entries to avoid traversing them twice
- xprtrdma: Fix calculation of ri_max_send_sges
- xprtrdma: Fix BUG after a device removal
- blk-wbt: account flush requests correctly
- target/iscsi: avoid NULL dereference in CHAP auth error path
- iscsi-target: make sure to wake up sleeping login worker
- dm: correctly handle chained bios in dec_pending()
- Btrfs: fix deadlock in run_delalloc_nocow
- Btrfs: fix crash due to not cleaning up tree log block's dirty bits
- Btrfs: fix extent state leak from tree log
- Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly
- Btrfs: fix use-after-free on root->orphan_block_rsv
- Btrfs: fix unexpected -EEXIST when creating new inode
- 9p/trans_virtio: discard zero-length reply
- mtd: nand: vf610: set correct ooblayout
- ALSA: hda - Fix headset mic detection problem for two Dell machines
- ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute
- ALSA: hda/realtek - Add headset mode support for Dell laptop
- ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform
- ALSA: hda/realtek: PCI quirk for Fujitsu U7x7
- ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204
- ALSA: usb: add more device quirks for USB DSD devices
- ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
- [armhf,arm64] mvpp2: fix multicast address filter
- usb: Move USB_UHCI_BIG_ENDIAN_* out of USB_SUPPORT
- [x86] mm, mm/hwpoison: Don't unconditionally unmap kernel 1:1 pages
- [armhf] dts: exynos: fix RTC interrupt for exynos5410
- [arm64] dts: msm8916: Add missing #phy-cells
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.6
- tun: fix tun_napi_alloc_frags() frag allocator
- ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE
- ptr_ring: try vmalloc() when kmalloc() fails
- selinux: ensure the context is NUL terminated in
security_context_to_sid_core()
- selinux: skip bounded transition processing if the policy isn't loaded
- media: pvrusb2: properly check endpoint types
- [x86] crypto: twofish-3way - Fix %rbp usage
- blk_rq_map_user_iov: fix error override
- [x86] KVM: fix escape of guest dr6 to the host
- kcov: detect double association with a single task
- netfilter: x_tables: fix int overflow in xt_alloc_table_info()
- netfilter: x_tables: avoid out-of-bounds reads in
xt_request_find_{match|target}
- netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in
clusterip_tg_check()
- netfilter: on sockopt() acquire sock lock only in the required scope
- netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1()
- netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
- rds: tcp: correctly sequence cleanup on netns deletion.
- rds: tcp: atomically purge entries from rds_tcp_conn_list during netns
delete
- net: avoid skb_warn_bad_offload on IS_ERR
- net_sched: gen_estimator: fix lockdep splat
- [arm64] dts: add #cooling-cells to CPU nodes
- dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
- xhci: Fix NULL pointer in xhci debugfs
- xhci: Fix xhci debugfs devices node disappearance after hibernation
- xhci: xhci debugfs device nodes weren't removed after device plugged out
- xhci: fix xhci debugfs errors in xhci_stop
- usbip: keep usbip_device sockfd state in sync with tcp_socket
- [x86] mei: me: add cannon point device ids
- [x86] mei: me: add cannon point device ids for 4th device
- vmalloc: fix __GFP_HIGHMEM usage for vmalloc_32 on 32b systems
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.7
- netfilter: drop outermost socket lock in getsockopt()
- [arm64] mm: don't write garbage into TTBR1_EL1 register
- kconfig.h: Include compiler types to avoid missed struct attributes
- scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
- [mips*] Drop spurious __unused in struct compat_flock
- cfg80211: fix cfg80211_beacon_dup
- i2c: designware: must wait for enable
- [armhf,arm64] i2c: bcm2835: Set up the rising/falling edge delays
- X.509: fix BUG_ON() when hash algorithm is unsupported
- X.509: fix NULL dereference when restricting key with unsupported_sig
- PKCS#7: fix certificate chain verification
- PKCS#7: fix certificate blacklisting
- [x86] genirq/matrix: Handle CPU offlining proper
- RDMA/uverbs: Protect from races between lookup and destroy of uobjects
- RDMA/uverbs: Protect from command mask overflow
- RDMA/uverbs: Fix bad unlock balance in ib_uverbs_close_xrcd
- RDMA/uverbs: Fix circular locking dependency
- RDMA/uverbs: Sanitize user entered port numbers prior to access it
- iio: buffer: check if a buffer has been set up when poll is called
- Kbuild: always define endianess in kconfig.h
- [x86] apic/vector: Handle vector release on CPU unplug correctly
- mm, swap, frontswap: fix THP swap if frontswap enabled
- mm: don't defer struct page initialization for Xen pv guests
- uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define
- [armhf,arm64] irqchip/gic-v3: Use wmb() instead of smb_wmb() in
gic_raise_softirq()
- [mips*] irqchip/mips-gic: Avoid spuriously handling masked interrupts
- PCI/cxgb4: Extend T3 PCI quirk to T4+ devices
- [x86] net: thunderbolt: Tear down connection properly on suspend
- [x86] net: thunderbolt: Run disconnect flow asynchronously when logout is
received
- ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and
io_watchdog_func()
- usb: ohci: Proper handling of ed_rm_list to handle race condition between
usb_kill_urb() and finish_unlinks()
- [arm64] Remove unimplemented syscall log message
- [arm64] Disable unhandled signal log messages by default
- [arm64] cpufeature: Fix CTR_EL0 field definitions
- USB: Add delay-init quirk for Corsair K70 RGB keyboards
- drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
- usb: host: ehci: use correct device pointer for dma ops
- usb: dwc3: gadget: Set maxpacket size for ep0 IN
- usb: dwc3: ep0: Reset TRB counter for ep0 IN
- usb: ldusb: add PIDs for new CASSY devices supported by this driver
- Revert "usb: musb: host: don't start next rx urb if current one failed"
- usb: gadget: f_fs: Process all descriptors during bind
- usb: gadget: f_fs: Use config_ep_by_speed()
- drm/cirrus: Load lut in crtc_commit
- drm/atomic: Fix memleak on ERESTARTSYS during non-blocking commits
- drm: Handle unexpected holes in color-eviction
- drm/amdgpu: disable MMHUB power gating on raven
- drm/amdgpu: fix VA hole handling on Vega10 v3
- drm/amdgpu: Add dpm quirk for Jet PRO (v2)
- drm/amdgpu: only check mmBIF_IOV_FUNC_IDENTIFIER on tonga/fiji
- drm/amdgpu: add atpx quirk handling (v2)
- drm/amdgpu: Avoid leaking PM domain on driver unbind (v2)
- drm/amdgpu: add new device to use atpx quirk
- [arm64] __show_regs: Only resolve kernel symbols when running at EL1
- [x86] drm/i915/breadcrumbs: Ignore unsubmitted signalers
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.8
- vsprintf: avoid misleading "(null)" for %px
- hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
- ipmi_si: Fix error handling of platform device
- [x86] platform: dell-laptop: Allocate buffer on heap rather than globally
- [powerpc*] pseries: Enable RAS hotplug events later
- Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking
- ixgbe: fix crash in build_skb Rx code path
- [x86] tpm: st33zp24: fix potential buffer overruns caused by bit glitches
on the bus
- tpm: fix potential buffer overruns caused by bit glitches on the bus
- [x86] tpm_i2c_infineon: fix potential buffer overruns caused by bit
glitches on the bus
- [x86] tpm_i2c_nuvoton: fix potential buffer overruns caused by bit
glitches on the bus
- [x86] tpm_tis: fix potential buffer overruns caused by bit glitches on
the bus
- ALSA: usb-audio: Add a quirck for B&W PX headphones
- ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
- [x86] ALSA: x86: Fix missing spinlock and mutex initializations
- ALSA: hda: Add a power_save blacklist
- ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
- mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
- [armhf,arm64] mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
- [armhf,arm64] mmc: dw_mmc: Avoid accessing registers in runtime suspended
state
- [armhf,arm64] mmc: dw_mmc: Factor out dw_mci_init_slot_caps
- [armhf,arm64] mmc: dw_mmc: Fix out-of-bounds access for slot's caps
- timers: Forward timer base before migrating timers
- [hppa] Use cr16 interval timers unconditionally on qemu
- [hppa] Reduce irq overhead when run in qemu
- [hppa] Fix ordering of cache and TLB flushes
- [hppa] Hide virtual kernel memory layout
- btrfs: use proper endianness accessors for super_copy
- block: fix the count of PGPGOUT for WRITE_SAME
- block: kyber: fix domain token leak during requeue
- block: pass inclusive 'lend' parameter to truncate_inode_pages_range
- vfio: disable filesystem-dax page pinning
- dax: fix vma_is_fsdax() helper
- direct-io: Fix sleep in atomic due to sync AIO
- [x86] xen: Zero MSR_IA32_SPEC_CTRL before suspend
- [x86] cpu_entry_area: Sync cpu_entry_area to initial_page_table
- bridge: check brport attr show in brport_show
- fib_semantics: Don't match route with mismatching tclassid
- hdlc_ppp: carrier detect ok, don't turn off negotiation
- [arm64] net: amd-xgbe: fix comparison to bitshift when dealing with a mask
- [armhf] net: ethernet: ti: cpsw: fix net watchdog timeout
- net: fix race on decreasing number of TX queues
- net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
- netlink: ensure to loop over all netns in genlmsg_multicast_allns()
- net: sched: report if filter is too large to dump
- ppp: prevent unregistered channels from connecting to PPP units
- sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)
- udplite: fix partial checksum initialization
- net/mlx5e: Fix TCP checksum in LRO buffers
- sctp: fix dst refcnt leak in sctp_v4_get_dst
- net/mlx5e: Specify numa node when allocating drop rq
- net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
- tcp: Honor the eor bit in tcp_mtu_probe
- rxrpc: Fix send in rxrpc_send_data_packet()
- tcp_bbr: better deal with suboptimal GSO
- doc: Change the min default value of tcp_wmem/tcp_rmem.
- net/mlx5e: Fix loopback self test when GRO is off
- net_sched: gen_estimator: fix broken estimators based on percpu stats
- net/sched: cls_u32: fix cls_u32 on filter replace
- sctp: do not pr_err for the duplicated node in transport rhlist
- net: ipv4: Set addr_type in hash_keys for forwarded case
- sctp: fix dst refcnt leak in sctp_v6_get_dst()
- bridge: Fix VLAN reference count problem
- net/mlx5e: Verify inline header size do not exceed SKB linear size
- tls: Use correct sk->sk_prot for IPV6
- [arm64] amd-xgbe: Restore PCI interrupt enablement setting on resume
- cls_u32: fix use after free in u32_destroy_key()
- netlink: put module reference if dump start fails
- tcp: purge write queue upon RST
- tuntap: correctly add the missing XDP flush
- tuntap: disable preemption during XDP processing
- virtio-net: disable NAPI only when enabled during XDP set
- cxgb4: fix trailing zero in CIM LA dump
- net/mlx5: Fix error handling when adding flow rules
- net: phy: Restore phy_resume() locking assumption
- tcp: tracepoint: only call trace_tcp_send_reset with full socket
- l2tp: don't use inet_shutdown on tunnel destroy
- l2tp: don't use inet_shutdown on ppp session destroy
- l2tp: fix races with tunnel socket close
- l2tp: fix race in pppol2tp_release with session object destroy
- l2tp: fix tunnel lookup use-after-free race
- [s390x] qeth: fix underestimated count of buffer elements
- [s390x] qeth: fix SETIP command handling
- [s390x] qeth: fix overestimated count of buffer elements
- [s390x] qeth: fix IP removal on offline cards
- [s390x] qeth: fix double-free on IP add/remove race
- [s390x] Revert "s390/qeth: fix using of ref counter for rxip addresses"
- [s390x] qeth: fix IP address lookup for L3 devices
- [s390x] qeth: fix IPA command submission race
- tcp: revert F-RTO middle-box workaround
- tcp: revert F-RTO extension to detect more spurious timeouts
- blk-mq: don't call io sched's .requeue_request when requeueing rq to
->dispatch
- media: m88ds3103: don't call a non-initalized function
- [x86] EDAC, sb_edac: Fix out of bound writes during DIMM configuration on
KNL
- [s390x] KVM: take care of clock-comparator sign control
- [s390x] KVM: provide only a single function for setting the tod (fix SCK)
- [s390x] KVM: consider epoch index on hotplugged CPUs
- [s390x] KVM: consider epoch index on TOD clock syncs
- nospec: Allow index argument to have const-qualified type
- [x86] mm: Fix {pmd,pud}_{set,clear}_flags()
- [armhf] orion: fix orion_ge00_switch_board_info initialization
- [armhf] dts: rockchip: Remove 1.8 GHz operation point from phycore som
- [armhf] mvebu: Fix broken PL310_ERRATA_753970 selects
- [x86] KVM: Fix SMRAM accessing even if VM is shutdown
- KVM: mmu: Fix overlap between public and private memslots
- [x86] KVM: Remove indirect MSR op calls from SPEC_CTRL
- [x86] KVM: move LAPIC initialization after VMCS creation
- [x86] KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the
RDMSR path as unlikely()
- [x86] KVM: fix vcpu initialization with userspace lapic
- [x86] KVM: remove WARN_ON() for when vm_munmap() fails
- [x86] ACPI / bus: Parse tables as term_list for Dell XPS 9570 and
Precision M5530
- [armhf] dts: LogicPD SOM-LV: Fix I2C1 pinmux
- [armhf] dts: LogicPD Torpedo: Fix I2C1 pinmux
- [powerpc*] 64s/radix: Boot-time NULL pointer protection using a guard-PID
- md: only allow remove_and_add_spares when no sync_thread running.
- [x86] platform: dell-laptop: fix kbd_get_state's request value
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.9
- bpf: fix mlock precharge on arraymaps
- bpf: fix memory leak in lpm_trie map_free callback function
- bpf: fix rcu lockdep warning for lpm_trie map_free callback
- [amd64] bpf: implement retpoline for tail call (CVE-2017-5715)
- [arm64] bpf: fix out of bounds access in tail call
- bpf: add schedule points in percpu arrays management
- bpf: allow xadd only on aligned memory
- [powerpc*] bpf, ppc64: fix out of bounds access in tail call
- scsi: mpt3sas: fix oops in error handlers after shutdown/unload
- scsi: mpt3sas: wait for and flush running commands on shutdown/unload
- [x86] KVM: fix backward migration with async_PF
[ Salvatore Bonaccorso ]
* Add ABI reference for 4.15.0-1
* ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
* sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)
[ Ben Hutchings ]
* aufs: gen-patch: Fix Subject generation to skip SPDX-License-Identifier

60
debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch vendored
View File

@ -1,60 +0,0 @@
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 12 Feb 2018 15:20:51 +0100
Subject: ALSA: seq: Fix racy pool initializations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/d15d662e89fc667b90cd294b0eb45694e33144da
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7566
ALSA sequencer core initializes the event pool on demand by invoking
snd_seq_pool_init() when the first write happens and the pool is
empty. Meanwhile user can reset the pool size manually via ioctl
concurrently, and this may lead to UAF or out-of-bound accesses since
the function tries to vmalloc / vfree the buffer.
A simple fix is to just wrap the snd_seq_pool_init() call with the
recently introduced client->ioctl_mutex; as the calls for
snd_seq_pool_init() from other side are always protected with this
mutex, we can avoid the race.
Reported-by: 范龙飞 <long7573@126.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/seq/seq_clientmgr.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 60db32785f62..04d4db44fae5 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1003,7 +1003,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
{
struct snd_seq_client *client = file->private_data;
int written = 0, len;
- int err = -EINVAL;
+ int err;
struct snd_seq_event event;
if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
@@ -1018,11 +1018,15 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
/* allocate the pool now if the pool is not allocated yet */
if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
- if (snd_seq_pool_init(client->pool) < 0)
+ mutex_lock(&client->ioctl_mutex);
+ err = snd_seq_pool_init(client->pool);
+ mutex_unlock(&client->ioctl_mutex);
+ if (err < 0)
return -ENOMEM;
}
/* only process whole events */
+ err = -EINVAL;
while (count >= sizeof(struct snd_seq_event)) {
/* Read in the event header from the user */
len = sizeof(event);
--
2.16.2

86
debian/patches/bugfix/all/sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch vendored
View File

@ -1,86 +0,0 @@
From: Alexey Kodanev <alexey.kodanev@oracle.com>
Date: Fri, 9 Feb 2018 17:35:23 +0300
Subject: sctp: verify size of a new chunk in _sctp_make_chunk()
Origin: https://git.kernel.org/linus/07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5803
When SCTP makes INIT or INIT_ACK packet the total chunk length
can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when
transmitting these packets, e.g. the crash on sending INIT_ACK:
[ 597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
put:120156 head:000000007aa47635 data:00000000d991c2de
tail:0x1d640 end:0xfec0 dev:<NULL>
...
[ 597.976970] ------------[ cut here ]------------
[ 598.033408] kernel BUG at net/core/skbuff.c:104!
[ 600.314841] Call Trace:
[ 600.345829] <IRQ>
[ 600.371639] ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
[ 600.436934] skb_put+0x16c/0x200
[ 600.477295] sctp_packet_transmit+0x2095/0x26d0 [sctp]
[ 600.540630] ? sctp_packet_config+0x890/0x890 [sctp]
[ 600.601781] ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
[ 600.671356] ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
[ 600.731482] sctp_outq_flush+0x663/0x30d0 [sctp]
[ 600.788565] ? sctp_make_init+0xbf0/0xbf0 [sctp]
[ 600.845555] ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
[ 600.912945] ? sctp_outq_tail+0x631/0x9d0 [sctp]
[ 600.969936] sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
[ 601.041593] ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
[ 601.104837] ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
[ 601.175436] ? sctp_eat_data+0x1710/0x1710 [sctp]
[ 601.233575] sctp_do_sm+0x182/0x560 [sctp]
[ 601.284328] ? sctp_has_association+0x70/0x70 [sctp]
[ 601.345586] ? sctp_rcv+0xef4/0x32f0 [sctp]
[ 601.397478] ? sctp6_rcv+0xa/0x20 [sctp]
...
Here the chunk size for INIT_ACK packet becomes too big, mostly
because of the state cookie (INIT packet has large size with
many address parameters), plus additional server parameters.
Later this chunk causes the panic in skb_put_data():
skb_packet_transmit()
sctp_packet_pack()
skb_put_data(nskb, chunk->skb->data, chunk->skb->len);
'nskb' (head skb) was previously allocated with packet->size
from u16 'chunk->chunk_hdr->length'.
As suggested by Marcelo we should check the chunk's length in
_sctp_make_chunk() before trying to allocate skb for it and
discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN.
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leinter@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/sctp/sm_make_chunk.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 793b05ec692b..d01475f5f710 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1380,9 +1380,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
struct sctp_chunk *retval;
struct sk_buff *skb;
struct sock *sk;
+ int chunklen;
+
+ chunklen = SCTP_PAD4(sizeof(*chunk_hdr) + paylen);
+ if (chunklen > SCTP_MAX_CHUNK_LEN)
+ goto nodata;
/* No need to allocate LL here, as this is only a chunk. */
- skb = alloc_skb(SCTP_PAD4(sizeof(*chunk_hdr) + paylen), gfp);
+ skb = alloc_skb(chunklen, gfp);
if (!skb)
goto nodata;
--
2.16.2

2
debian/patches/series vendored
View File

@ -120,8 +120,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch
bugfix/all/sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch