Update to 4.15.9
This has some ABI changes, which still need to be resolved.
parent 7b3adb7e57
commit 17703a438b
|
@ -1,9 +1,388 @@
|
|||
linux (4.15.4-2) UNRELEASED; urgency=medium
|
||||
linux (4.15.9-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.5
|
||||
- IB/umad: Fix use of unprotected device pointer
|
||||
- IB/qib: Fix comparison error with qperf compare/swap test
|
||||
- IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH
|
||||
ports
|
||||
- IB/core: Fix two kernel warnings triggered by rxe registration
|
||||
- IB/core: Fix ib_wc structure size to remain in 64 bytes boundary
|
||||
- IB/core: Avoid a potential OOPs for an unused optional parameter
|
||||
- RDMA/rxe: Fix a race condition related to the QP error state
|
||||
- RDMA/rxe: Fix a race condition in rxe_requester()
|
||||
- RDMA/rxe: Fix rxe_qp_cleanup()
|
||||
- [powerpc*] cpufreq: powernv: Dont assume distinct pstate values for
|
||||
nominal and pmin
|
||||
- swiotlb: suppress warning when __GFP_NOWARN is set
|
||||
- PM / devfreq: Propagate error from devfreq_add_device()
|
||||
- mwifiex: resolve reset vs. remove()/shutdown() deadlocks
|
||||
- ocfs2: try a blocking lock before return AOP_TRUNCATED_PAGE
|
||||
- trace_uprobe: Display correct offset in uprobe_events
|
||||
- [powerpc*] radix: Remove trace_tlbie call from radix__flush_tlb_all
|
||||
- [powerpc*] kernel: Block interrupts when updating TIDR
|
||||
- [powerpc*] vas: Don't set uses_vas for kernel windows
|
||||
- [powerpc*] numa: Invalidate numa_cpu_lookup_table on cpu remove
|
||||
- [powerpc*] mm: Flush radix process translations when setting MMU type
|
||||
- [powerpc*] xive: Use hw CPU ids when configuring the CPU queues
|
||||
- dma-buf: fix reservation_object_wait_timeout_rcu once more v2
|
||||
- [s390x] fix handling of -1 in set{,fs}[gu]id16 syscalls
|
||||
- [arm64] dts: msm8916: Correct ipc references for smsm
|
||||
- [x86] gpu: add CFL to early quirks
|
||||
- [x86] kexec: Make kexec (mostly) work in 5-level paging mode
|
||||
- [x86] xen: init %gs very early to avoid page faults with stack protector
|
||||
- [x86] PM: Make APM idle driver initialize polling state
|
||||
- mm, memory_hotplug: fix memmap initialization
|
||||
- [amd64] entry: Clear extra registers beyond syscall arguments, to reduce
|
||||
speculation attack surface
|
||||
- [amd64] entry/compat: Clear registers for compat syscalls, to reduce
|
||||
speculation attack surface
|
||||
- [armhf] crypto: sun4i_ss_prng - fix return value of sun4i_ss_prng_generate
|
||||
- [armhf] crypto: sun4i_ss_prng - convert lock to _bh in
|
||||
sun4i_ss_prng_generate
|
||||
- [powerpc*] mm/radix: Split linear mapping on hot-unplug
|
||||
- [x86] speculation: Update Speculation Control microcode blacklist
|
||||
- [x86] speculation: Correct Speculation Control microcode blacklist again
|
||||
- [x86] Revert "x86/speculation: Simplify
|
||||
indirect_branch_prediction_barrier()"
|
||||
- [x86] KVM: Reduce retpoline performance impact in
|
||||
slot_handle_level_range(), by always inlining iterator helper methods
|
||||
- [X86] nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
|
||||
- [x86] KVM/nVMX: Set the CPU_BASED_USE_MSR_BITMAPS if we have a valid L02
|
||||
MSR bitmap
|
||||
- [x86] speculation: Clean up various Spectre related details
|
||||
- PM / runtime: Update links_count also if !CONFIG_SRCU
|
||||
- PM: cpuidle: Fix cpuidle_poll_state_init() prototype
|
||||
- [x86] platform: wmi: fix off-by-one write in wmi_dev_probe()
|
||||
- [amd64] entry: Clear registers for exceptions/interrupts, to reduce
|
||||
speculation attack surface
|
||||
- [amd64] entry: Merge SAVE_C_REGS and SAVE_EXTRA_REGS, remove unused
|
||||
extensions
|
||||
- [amd64] entry: Merge the POP_C_REGS and POP_EXTRA_REGS macros into a
|
||||
single POP_REGS macro
|
||||
- [amd64] entry: Interleave XOR register clearing with PUSH instructions
|
||||
- [amd64] entry: Introduce the PUSH_AND_CLEAN_REGS macro
|
||||
- [amd64] entry: Use PUSH_AND_CLEAN_REGS in more cases
|
||||
- [amd64] entry: Get rid of the ALLOC_PT_GPREGS_ON_STACK and
|
||||
SAVE_AND_CLEAR_REGS macros
|
||||
- [amd64] entry: Indent PUSH_AND_CLEAR_REGS and POP_REGS properly
|
||||
- [amd64] entry: Fix paranoid_entry() frame pointer warning
|
||||
- [amd64] entry: Remove the unused 'icebp' macro
|
||||
- gfs2: Fixes to "Implement iomap for block_map"
|
||||
- objtool: Fix segfault in ignore_unreachable_insn()
|
||||
- [x86] debug, objtool: Annotate WARN()-related UD2 as reachable
|
||||
- [x86] debug: Use UD2 for WARN()
|
||||
- [x86] speculation: Fix up array_index_nospec_mask() asm constraint
|
||||
- nospec: Move array_index_nospec() parameter checking into separate macro
|
||||
- [x86] speculation: Add <asm/msr-index.h> dependency
|
||||
- [x86] mm: Rename flush_tlb_single() and flush_tlb_one() to
|
||||
__flush_tlb_one_[user|kernel]()
|
||||
- [x86] cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping
|
||||
- [x86] spectre: Fix an error message
|
||||
- [x86] cpu: Change type of x86_cache_size variable to unsigned int
|
||||
- [amd64] entry: Fix CR3 restore in paranoid_exit()
|
||||
- drm/ttm: Don't add swapped BOs to swap-LRU list
|
||||
- drm/ttm: Fix 'buf' pointer update in ttm_bo_vm_access_kmap() (v2)
|
||||
- drm/qxl: unref cursor bo when finished with it
|
||||
- drm/qxl: reapply cursor after resetting primary
|
||||
- drm/amd/powerplay: Fix smu_table_entry.handle type
|
||||
- drm/ast: Load lut in crtc_commit
|
||||
- drm: Check for lessee in DROP_MASTER ioctl
|
||||
- [arm64] Add missing Falkor part number for branch predictor hardening
|
||||
- drm/radeon: Add dpm quirk for Jet PRO (v2)
|
||||
- drm/radeon: adjust tested variable
|
||||
- [x86] smpboot: Fix uncore_pci_remove() indexing bug when hot-removing a
|
||||
physical CPU
|
||||
- [powerpc*] rtc-opal: Fix handling of firmware error codes, prevent busy
|
||||
loops
|
||||
- mbcache: initialize entry->e_referenced in mb_cache_entry_create()
|
||||
- mmc: sdhci: Implement an SDHCI-specific bounce buffer
|
||||
- [armhf,arm64] mmc: bcm2835: Don't overwrite max frequency unconditionally
|
||||
- [arm64] Revert "mmc: meson-gx: include tx phase in the tuning process"
|
||||
- mlx5: fix mlx5_get_vector_affinity to start from completion vector 0
|
||||
- [x86] Revert "apple-gmux: lock iGP IO to protect from vgaarb changes"
|
||||
- ext4: fix a race in the ext4 shutdown path
|
||||
- ext4: save error to disk in __ext4_grp_locked_error()
|
||||
- ext4: correct documentation for grpid mount option
|
||||
- mm: Fix memory size alignment in devm_memremap_pages_release()
|
||||
- [mips*] Fix typo BIG_ENDIAN to CPU_BIG_ENDIAN
|
||||
- [mips*] CPS: Fix MIPS_ISA_LEVEL_RAW fallout
|
||||
- [mips*] Fix incorrect mem=X@Y handling
|
||||
- [arm64] PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode
|
||||
- [armhf,arm64] PCI: iproc: Fix NULL pointer dereference for BCMA
|
||||
- [x86] PCI: pciehp: Assume NoCompl+ for Thunderbolt ports
|
||||
- console/dummy: leave .con_font_get set to NULL
|
||||
- rbd: whitelist RBD_FEATURE_OPERATIONS feature bit
|
||||
- xen: Fix {set,clear}_foreign_p2m_mapping on autotranslating guests
|
||||
- xenbus: track caller request id
|
||||
- seq_file: fix incomplete reset on read from zero offset
|
||||
- tracing: Fix parsing of globs with a wildcard at the beginning
|
||||
- mpls, nospec: Sanitize array index in mpls_label_ok() (CVE-2017-5753)
|
||||
- rtlwifi: rtl8821ae: Fix connection lost problem correctly
|
||||
- [arm64] proc: Set PTE_NG for table entries to avoid traversing them twice
|
||||
- xprtrdma: Fix calculation of ri_max_send_sges
|
||||
- xprtrdma: Fix BUG after a device removal
|
||||
- blk-wbt: account flush requests correctly
|
||||
- target/iscsi: avoid NULL dereference in CHAP auth error path
|
||||
- iscsi-target: make sure to wake up sleeping login worker
|
||||
- dm: correctly handle chained bios in dec_pending()
|
||||
- Btrfs: fix deadlock in run_delalloc_nocow
|
||||
- Btrfs: fix crash due to not cleaning up tree log block's dirty bits
|
||||
- Btrfs: fix extent state leak from tree log
|
||||
- Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly
|
||||
- Btrfs: fix use-after-free on root->orphan_block_rsv
|
||||
- Btrfs: fix unexpected -EEXIST when creating new inode
|
||||
- 9p/trans_virtio: discard zero-length reply
|
||||
- mtd: nand: vf610: set correct ooblayout
|
||||
- ALSA: hda - Fix headset mic detection problem for two Dell machines
|
||||
- ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute
|
||||
- ALSA: hda/realtek - Add headset mode support for Dell laptop
|
||||
- ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform
|
||||
- ALSA: hda/realtek: PCI quirk for Fujitsu U7x7
|
||||
- ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204
|
||||
- ALSA: usb: add more device quirks for USB DSD devices
|
||||
- ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
|
||||
- [armhf,arm64] mvpp2: fix multicast address filter
|
||||
- usb: Move USB_UHCI_BIG_ENDIAN_* out of USB_SUPPORT
|
||||
- [x86] mm, mm/hwpoison: Don't unconditionally unmap kernel 1:1 pages
|
||||
- [armhf] dts: exynos: fix RTC interrupt for exynos5410
|
||||
- [arm64] dts: msm8916: Add missing #phy-cells
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.6
|
||||
- tun: fix tun_napi_alloc_frags() frag allocator
|
||||
- ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE
|
||||
- ptr_ring: try vmalloc() when kmalloc() fails
|
||||
- selinux: ensure the context is NUL terminated in
|
||||
security_context_to_sid_core()
|
||||
- selinux: skip bounded transition processing if the policy isn't loaded
|
||||
- media: pvrusb2: properly check endpoint types
|
||||
- [x86] crypto: twofish-3way - Fix %rbp usage
|
||||
- blk_rq_map_user_iov: fix error override
|
||||
- [x86] KVM: fix escape of guest dr6 to the host
|
||||
- kcov: detect double association with a single task
|
||||
- netfilter: x_tables: fix int overflow in xt_alloc_table_info()
|
||||
- netfilter: x_tables: avoid out-of-bounds reads in
|
||||
xt_request_find_{match|target}
|
||||
- netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in
|
||||
clusterip_tg_check()
|
||||
- netfilter: on sockopt() acquire sock lock only in the required scope
|
||||
- netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1()
|
||||
- netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
|
||||
- rds: tcp: correctly sequence cleanup on netns deletion.
|
||||
- rds: tcp: atomically purge entries from rds_tcp_conn_list during netns
|
||||
delete
|
||||
- net: avoid skb_warn_bad_offload on IS_ERR
|
||||
- net_sched: gen_estimator: fix lockdep splat
|
||||
- [arm64] dts: add #cooling-cells to CPU nodes
|
||||
- dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
|
||||
- xhci: Fix NULL pointer in xhci debugfs
|
||||
- xhci: Fix xhci debugfs devices node disappearance after hibernation
|
||||
- xhci: xhci debugfs device nodes weren't removed after device plugged out
|
||||
- xhci: fix xhci debugfs errors in xhci_stop
|
||||
- usbip: keep usbip_device sockfd state in sync with tcp_socket
|
||||
- [x86] mei: me: add cannon point device ids
|
||||
- [x86] mei: me: add cannon point device ids for 4th device
|
||||
- vmalloc: fix __GFP_HIGHMEM usage for vmalloc_32 on 32b systems
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.7
|
||||
- netfilter: drop outermost socket lock in getsockopt()
|
||||
- [arm64] mm: don't write garbage into TTBR1_EL1 register
|
||||
- kconfig.h: Include compiler types to avoid missed struct attributes
|
||||
- scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
|
||||
- [mips*] Drop spurious __unused in struct compat_flock
|
||||
- cfg80211: fix cfg80211_beacon_dup
|
||||
- i2c: designware: must wait for enable
|
||||
- [armhf,arm64] i2c: bcm2835: Set up the rising/falling edge delays
|
||||
- X.509: fix BUG_ON() when hash algorithm is unsupported
|
||||
- X.509: fix NULL dereference when restricting key with unsupported_sig
|
||||
- PKCS#7: fix certificate chain verification
|
||||
- PKCS#7: fix certificate blacklisting
|
||||
- [x86] genirq/matrix: Handle CPU offlining proper
|
||||
- RDMA/uverbs: Protect from races between lookup and destroy of uobjects
|
||||
- RDMA/uverbs: Protect from command mask overflow
|
||||
- RDMA/uverbs: Fix bad unlock balance in ib_uverbs_close_xrcd
|
||||
- RDMA/uverbs: Fix circular locking dependency
|
||||
- RDMA/uverbs: Sanitize user entered port numbers prior to access it
|
||||
- iio: buffer: check if a buffer has been set up when poll is called
|
||||
- Kbuild: always define endianess in kconfig.h
|
||||
- [x86] apic/vector: Handle vector release on CPU unplug correctly
|
||||
- mm, swap, frontswap: fix THP swap if frontswap enabled
|
||||
- mm: don't defer struct page initialization for Xen pv guests
|
||||
- uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define
|
||||
- [armhf,arm64] irqchip/gic-v3: Use wmb() instead of smb_wmb() in
|
||||
gic_raise_softirq()
|
||||
- [mips*] irqchip/mips-gic: Avoid spuriously handling masked interrupts
|
||||
- PCI/cxgb4: Extend T3 PCI quirk to T4+ devices
|
||||
- [x86] net: thunderbolt: Tear down connection properly on suspend
|
||||
- [x86] net: thunderbolt: Run disconnect flow asynchronously when logout is
|
||||
received
|
||||
- ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and
|
||||
io_watchdog_func()
|
||||
- usb: ohci: Proper handling of ed_rm_list to handle race condition between
|
||||
usb_kill_urb() and finish_unlinks()
|
||||
- [arm64] Remove unimplemented syscall log message
|
||||
- [arm64] Disable unhandled signal log messages by default
|
||||
- [arm64] cpufeature: Fix CTR_EL0 field definitions
|
||||
- USB: Add delay-init quirk for Corsair K70 RGB keyboards
|
||||
- drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
|
||||
- usb: host: ehci: use correct device pointer for dma ops
|
||||
- usb: dwc3: gadget: Set maxpacket size for ep0 IN
|
||||
- usb: dwc3: ep0: Reset TRB counter for ep0 IN
|
||||
- usb: ldusb: add PIDs for new CASSY devices supported by this driver
|
||||
- Revert "usb: musb: host: don't start next rx urb if current one failed"
|
||||
- usb: gadget: f_fs: Process all descriptors during bind
|
||||
- usb: gadget: f_fs: Use config_ep_by_speed()
|
||||
- drm/cirrus: Load lut in crtc_commit
|
||||
- drm/atomic: Fix memleak on ERESTARTSYS during non-blocking commits
|
||||
- drm: Handle unexpected holes in color-eviction
|
||||
- drm/amdgpu: disable MMHUB power gating on raven
|
||||
- drm/amdgpu: fix VA hole handling on Vega10 v3
|
||||
- drm/amdgpu: Add dpm quirk for Jet PRO (v2)
|
||||
- drm/amdgpu: only check mmBIF_IOV_FUNC_IDENTIFIER on tonga/fiji
|
||||
- drm/amdgpu: add atpx quirk handling (v2)
|
||||
- drm/amdgpu: Avoid leaking PM domain on driver unbind (v2)
|
||||
- drm/amdgpu: add new device to use atpx quirk
|
||||
- [arm64] __show_regs: Only resolve kernel symbols when running at EL1
|
||||
- [x86] drm/i915/breadcrumbs: Ignore unsubmitted signalers
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.8
|
||||
- vsprintf: avoid misleading "(null)" for %px
|
||||
- hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
|
||||
- ipmi_si: Fix error handling of platform device
|
||||
- [x86] platform: dell-laptop: Allocate buffer on heap rather than globally
|
||||
- [powerpc*] pseries: Enable RAS hotplug events later
|
||||
- Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking
|
||||
- ixgbe: fix crash in build_skb Rx code path
|
||||
- [x86] tpm: st33zp24: fix potential buffer overruns caused by bit glitches
|
||||
on the bus
|
||||
- tpm: fix potential buffer overruns caused by bit glitches on the bus
|
||||
- [x86] tpm_i2c_infineon: fix potential buffer overruns caused by bit
|
||||
glitches on the bus
|
||||
- [x86] tpm_i2c_nuvoton: fix potential buffer overruns caused by bit
|
||||
glitches on the bus
|
||||
- [x86] tpm_tis: fix potential buffer overruns caused by bit glitches on
|
||||
the bus
|
||||
- ALSA: usb-audio: Add a quirck for B&W PX headphones
|
||||
- ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
|
||||
- [x86] ALSA: x86: Fix missing spinlock and mutex initializations
|
||||
- ALSA: hda: Add a power_save blacklist
|
||||
- ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
|
||||
- mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
|
||||
- [armhf,arm64] mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
|
||||
- [armhf,arm64] mmc: dw_mmc: Avoid accessing registers in runtime suspended
|
||||
state
|
||||
- [armhf,arm64] mmc: dw_mmc: Factor out dw_mci_init_slot_caps
|
||||
- [armhf,arm64] mmc: dw_mmc: Fix out-of-bounds access for slot's caps
|
||||
- timers: Forward timer base before migrating timers
|
||||
- [hppa] Use cr16 interval timers unconditionally on qemu
|
||||
- [hppa] Reduce irq overhead when run in qemu
|
||||
- [hppa] Fix ordering of cache and TLB flushes
|
||||
- [hppa] Hide virtual kernel memory layout
|
||||
- btrfs: use proper endianness accessors for super_copy
|
||||
- block: fix the count of PGPGOUT for WRITE_SAME
|
||||
- block: kyber: fix domain token leak during requeue
|
||||
- block: pass inclusive 'lend' parameter to truncate_inode_pages_range
|
||||
- vfio: disable filesystem-dax page pinning
|
||||
- dax: fix vma_is_fsdax() helper
|
||||
- direct-io: Fix sleep in atomic due to sync AIO
|
||||
- [x86] xen: Zero MSR_IA32_SPEC_CTRL before suspend
|
||||
- [x86] cpu_entry_area: Sync cpu_entry_area to initial_page_table
|
||||
- bridge: check brport attr show in brport_show
|
||||
- fib_semantics: Don't match route with mismatching tclassid
|
||||
- hdlc_ppp: carrier detect ok, don't turn off negotiation
|
||||
- [arm64] net: amd-xgbe: fix comparison to bitshift when dealing with a mask
|
||||
- [armhf] net: ethernet: ti: cpsw: fix net watchdog timeout
|
||||
- net: fix race on decreasing number of TX queues
|
||||
- net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
|
||||
- netlink: ensure to loop over all netns in genlmsg_multicast_allns()
|
||||
- net: sched: report if filter is too large to dump
|
||||
- ppp: prevent unregistered channels from connecting to PPP units
|
||||
- sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)
|
||||
- udplite: fix partial checksum initialization
|
||||
- net/mlx5e: Fix TCP checksum in LRO buffers
|
||||
- sctp: fix dst refcnt leak in sctp_v4_get_dst
|
||||
- net/mlx5e: Specify numa node when allocating drop rq
|
||||
- net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
|
||||
- tcp: Honor the eor bit in tcp_mtu_probe
|
||||
- rxrpc: Fix send in rxrpc_send_data_packet()
|
||||
- tcp_bbr: better deal with suboptimal GSO
|
||||
- doc: Change the min default value of tcp_wmem/tcp_rmem.
|
||||
- net/mlx5e: Fix loopback self test when GRO is off
|
||||
- net_sched: gen_estimator: fix broken estimators based on percpu stats
|
||||
- net/sched: cls_u32: fix cls_u32 on filter replace
|
||||
- sctp: do not pr_err for the duplicated node in transport rhlist
|
||||
- net: ipv4: Set addr_type in hash_keys for forwarded case
|
||||
- sctp: fix dst refcnt leak in sctp_v6_get_dst()
|
||||
- bridge: Fix VLAN reference count problem
|
||||
- net/mlx5e: Verify inline header size do not exceed SKB linear size
|
||||
- tls: Use correct sk->sk_prot for IPV6
|
||||
- [arm64] amd-xgbe: Restore PCI interrupt enablement setting on resume
|
||||
- cls_u32: fix use after free in u32_destroy_key()
|
||||
- netlink: put module reference if dump start fails
|
||||
- tcp: purge write queue upon RST
|
||||
- tuntap: correctly add the missing XDP flush
|
||||
- tuntap: disable preemption during XDP processing
|
||||
- virtio-net: disable NAPI only when enabled during XDP set
|
||||
- cxgb4: fix trailing zero in CIM LA dump
|
||||
- net/mlx5: Fix error handling when adding flow rules
|
||||
- net: phy: Restore phy_resume() locking assumption
|
||||
- tcp: tracepoint: only call trace_tcp_send_reset with full socket
|
||||
- l2tp: don't use inet_shutdown on tunnel destroy
|
||||
- l2tp: don't use inet_shutdown on ppp session destroy
|
||||
- l2tp: fix races with tunnel socket close
|
||||
- l2tp: fix race in pppol2tp_release with session object destroy
|
||||
- l2tp: fix tunnel lookup use-after-free race
|
||||
- [s390x] qeth: fix underestimated count of buffer elements
|
||||
- [s390x] qeth: fix SETIP command handling
|
||||
- [s390x] qeth: fix overestimated count of buffer elements
|
||||
- [s390x] qeth: fix IP removal on offline cards
|
||||
- [s390x] qeth: fix double-free on IP add/remove race
|
||||
- [s390x] Revert "s390/qeth: fix using of ref counter for rxip addresses"
|
||||
- [s390x] qeth: fix IP address lookup for L3 devices
|
||||
- [s390x] qeth: fix IPA command submission race
|
||||
- tcp: revert F-RTO middle-box workaround
|
||||
- tcp: revert F-RTO extension to detect more spurious timeouts
|
||||
- blk-mq: don't call io sched's .requeue_request when requeueing rq to
|
||||
->dispatch
|
||||
- media: m88ds3103: don't call a non-initalized function
|
||||
- [x86] EDAC, sb_edac: Fix out of bound writes during DIMM configuration on
|
||||
KNL
|
||||
- [s390x] KVM: take care of clock-comparator sign control
|
||||
- [s390x] KVM: provide only a single function for setting the tod (fix SCK)
|
||||
- [s390x] KVM: consider epoch index on hotplugged CPUs
|
||||
- [s390x] KVM: consider epoch index on TOD clock syncs
|
||||
- nospec: Allow index argument to have const-qualified type
|
||||
- [x86] mm: Fix {pmd,pud}_{set,clear}_flags()
|
||||
- [armhf] orion: fix orion_ge00_switch_board_info initialization
|
||||
- [armhf] dts: rockchip: Remove 1.8 GHz operation point from phycore som
|
||||
- [armhf] mvebu: Fix broken PL310_ERRATA_753970 selects
|
||||
- [x86] KVM: Fix SMRAM accessing even if VM is shutdown
|
||||
- KVM: mmu: Fix overlap between public and private memslots
|
||||
- [x86] KVM: Remove indirect MSR op calls from SPEC_CTRL
|
||||
- [x86] KVM: move LAPIC initialization after VMCS creation
|
||||
- [x86] KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the
|
||||
RDMSR path as unlikely()
|
||||
- [x86] KVM: fix vcpu initialization with userspace lapic
|
||||
- [x86] KVM: remove WARN_ON() for when vm_munmap() fails
|
||||
- [x86] ACPI / bus: Parse tables as term_list for Dell XPS 9570 and
|
||||
Precision M5530
|
||||
- [armhf] dts: LogicPD SOM-LV: Fix I2C1 pinmux
|
||||
- [armhf] dts: LogicPD Torpedo: Fix I2C1 pinmux
|
||||
- [powerpc*] 64s/radix: Boot-time NULL pointer protection using a guard-PID
|
||||
- md: only allow remove_and_add_spares when no sync_thread running.
|
||||
- [x86] platform: dell-laptop: fix kbd_get_state's request value
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.9
|
||||
- bpf: fix mlock precharge on arraymaps
|
||||
- bpf: fix memory leak in lpm_trie map_free callback function
|
||||
- bpf: fix rcu lockdep warning for lpm_trie map_free callback
|
||||
- [amd64] bpf: implement retpoline for tail call (CVE-2017-5715)
|
||||
- [arm64] bpf: fix out of bounds access in tail call
|
||||
- bpf: add schedule points in percpu arrays management
|
||||
- bpf: allow xadd only on aligned memory
|
||||
- [powerpc*] bpf, ppc64: fix out of bounds access in tail call
|
||||
- scsi: mpt3sas: fix oops in error handlers after shutdown/unload
|
||||
- scsi: mpt3sas: wait for and flush running commands on shutdown/unload
|
||||
- [x86] KVM: fix backward migration with async_PF
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* Add ABI reference for 4.15.0-1
|
||||
* ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
|
||||
* sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* aufs: gen-patch: Fix Subject generation to skip SPDX-License-Identifier
|
||||
|
|
|
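Review bot: The commit message says the ABI changes "still need to be resolved", but the changelog hunk bumps the version to 4.15.9-1 and keeps only "Add ABI reference for 4.15.0-1", with no entry recording how the ABI change will be handled. Before this leaves UNRELEASED, add a changelog line for whichever resolution is chosen (an ABI bump or an explicit ignore of the changed symbols), so the entry does not imply that the 4.15.0-1 reference still matches.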
@ -1,60 +0,0 @@
|
|||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Mon, 12 Feb 2018 15:20:51 +0100
|
||||
Subject: ALSA: seq: Fix racy pool initializations
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/d15d662e89fc667b90cd294b0eb45694e33144da
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7566
|
||||
|
||||
ALSA sequencer core initializes the event pool on demand by invoking
|
||||
snd_seq_pool_init() when the first write happens and the pool is
|
||||
empty. Meanwhile user can reset the pool size manually via ioctl
|
||||
concurrently, and this may lead to UAF or out-of-bound accesses since
|
||||
the function tries to vmalloc / vfree the buffer.
|
||||
|
||||
A simple fix is to just wrap the snd_seq_pool_init() call with the
|
||||
recently introduced client->ioctl_mutex; as the calls for
|
||||
snd_seq_pool_init() from other side are always protected with this
|
||||
mutex, we can avoid the race.
|
||||
|
||||
Reported-by: 范龙飞 <long7573@126.com>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/seq/seq_clientmgr.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
|
||||
index 60db32785f62..04d4db44fae5 100644
|
||||
--- a/sound/core/seq/seq_clientmgr.c
|
||||
+++ b/sound/core/seq/seq_clientmgr.c
|
||||
@@ -1003,7 +1003,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
|
||||
{
|
||||
struct snd_seq_client *client = file->private_data;
|
||||
int written = 0, len;
|
||||
- int err = -EINVAL;
|
||||
+ int err;
|
||||
struct snd_seq_event event;
|
||||
|
||||
if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
|
||||
@@ -1018,11 +1018,15 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
|
||||
|
||||
/* allocate the pool now if the pool is not allocated yet */
|
||||
if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
|
||||
- if (snd_seq_pool_init(client->pool) < 0)
|
||||
+ mutex_lock(&client->ioctl_mutex);
|
||||
+ err = snd_seq_pool_init(client->pool);
|
||||
+ mutex_unlock(&client->ioctl_mutex);
|
||||
+ if (err < 0)
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
/* only process whole events */
|
||||
+ err = -EINVAL;
|
||||
while (count >= sizeof(struct snd_seq_event)) {
|
||||
/* Read in the event header from the user */
|
||||
len = sizeof(event);
|
||||
--
|
||||
2.16.2
|
||||
|
|
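Review bot: This file is deleted without any stated reason; the commit message only says "Update to 4.15.9". The changelog hunk lists "ALSA: seq: Fix racy pool initializations (CVE-2018-7566)" under ChangeLog-4.15.5, so the removal looks like a drop of a patch now applied upstream. Say so explicitly in the commit message, and confirm that the stable commit in 4.15.5 is the backport of the mainline commit named in the Origin header (d15d662e89fc667b90cd294b0eb45694e33144da), including the mutex_lock(&client->ioctl_mutex) around snd_seq_pool_init().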
@ -1,86 +0,0 @@
|
|||
From: Alexey Kodanev <alexey.kodanev@oracle.com>
|
||||
Date: Fri, 9 Feb 2018 17:35:23 +0300
|
||||
Subject: sctp: verify size of a new chunk in _sctp_make_chunk()
|
||||
Origin: https://git.kernel.org/linus/07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5803
|
||||
|
||||
When SCTP makes INIT or INIT_ACK packet the total chunk length
|
||||
can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when
|
||||
transmitting these packets, e.g. the crash on sending INIT_ACK:
|
||||
|
||||
[ 597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
|
||||
put:120156 head:000000007aa47635 data:00000000d991c2de
|
||||
tail:0x1d640 end:0xfec0 dev:<NULL>
|
||||
...
|
||||
[ 597.976970] ------------[ cut here ]------------
|
||||
[ 598.033408] kernel BUG at net/core/skbuff.c:104!
|
||||
[ 600.314841] Call Trace:
|
||||
[ 600.345829] <IRQ>
|
||||
[ 600.371639] ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
|
||||
[ 600.436934] skb_put+0x16c/0x200
|
||||
[ 600.477295] sctp_packet_transmit+0x2095/0x26d0 [sctp]
|
||||
[ 600.540630] ? sctp_packet_config+0x890/0x890 [sctp]
|
||||
[ 600.601781] ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
|
||||
[ 600.671356] ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
|
||||
[ 600.731482] sctp_outq_flush+0x663/0x30d0 [sctp]
|
||||
[ 600.788565] ? sctp_make_init+0xbf0/0xbf0 [sctp]
|
||||
[ 600.845555] ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
|
||||
[ 600.912945] ? sctp_outq_tail+0x631/0x9d0 [sctp]
|
||||
[ 600.969936] sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
|
||||
[ 601.041593] ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
|
||||
[ 601.104837] ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
|
||||
[ 601.175436] ? sctp_eat_data+0x1710/0x1710 [sctp]
|
||||
[ 601.233575] sctp_do_sm+0x182/0x560 [sctp]
|
||||
[ 601.284328] ? sctp_has_association+0x70/0x70 [sctp]
|
||||
[ 601.345586] ? sctp_rcv+0xef4/0x32f0 [sctp]
|
||||
[ 601.397478] ? sctp6_rcv+0xa/0x20 [sctp]
|
||||
...
|
||||
|
||||
Here the chunk size for INIT_ACK packet becomes too big, mostly
|
||||
because of the state cookie (INIT packet has large size with
|
||||
many address parameters), plus additional server parameters.
|
||||
|
||||
Later this chunk causes the panic in skb_put_data():
|
||||
|
||||
skb_packet_transmit()
|
||||
sctp_packet_pack()
|
||||
skb_put_data(nskb, chunk->skb->data, chunk->skb->len);
|
||||
|
||||
'nskb' (head skb) was previously allocated with packet->size
|
||||
from u16 'chunk->chunk_hdr->length'.
|
||||
|
||||
As suggested by Marcelo we should check the chunk's length in
|
||||
_sctp_make_chunk() before trying to allocate skb for it and
|
||||
discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN.
|
||||
|
||||
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
|
||||
Acked-by: Marcelo Ricardo Leitner <marcelo.leinter@gmail.com>
|
||||
Acked-by: Neil Horman <nhorman@tuxdriver.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/sctp/sm_make_chunk.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
|
||||
index 793b05ec692b..d01475f5f710 100644
|
||||
--- a/net/sctp/sm_make_chunk.c
|
||||
+++ b/net/sctp/sm_make_chunk.c
|
||||
@@ -1380,9 +1380,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
|
||||
struct sctp_chunk *retval;
|
||||
struct sk_buff *skb;
|
||||
struct sock *sk;
|
||||
+ int chunklen;
|
||||
+
|
||||
+ chunklen = SCTP_PAD4(sizeof(*chunk_hdr) + paylen);
|
||||
+ if (chunklen > SCTP_MAX_CHUNK_LEN)
|
||||
+ goto nodata;
|
||||
|
||||
/* No need to allocate LL here, as this is only a chunk. */
|
||||
- skb = alloc_skb(SCTP_PAD4(sizeof(*chunk_hdr) + paylen), gfp);
|
||||
+ skb = alloc_skb(chunklen, gfp);
|
||||
if (!skb)
|
||||
goto nodata;
|
||||
|
||||
--
|
||||
2.16.2
|
||||
|
|
@ -120,8 +120,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch
|
||||
bugfix/all/sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
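Review bot: The two entries removed under "# Security fixes" match the two deleted patch files, but the end of the changelog hunk still shows "* ALSA: seq: Fix racy pool initializations (CVE-2018-7566)" and "* sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)" under [ Salvatore Bonaccorso ], in addition to the same subjects under ChangeLog-4.15.5 and ChangeLog-4.15.8. If those standalone lines are kept as context, they now describe patches that are no longer in the series; drop them so that each fix is recorded once, under the upstream stable update that carries it.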