From 17703a438bbb792cdbe15a1e2101de00858b3396 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 13 Mar 2018 22:12:01 +0000 Subject: [PATCH] Update to 4.15.9 This has some ABI changes, which still need to be resolved. --- debian/changelog | 385 +++++++++++++++++- ...SA-seq-Fix-racy-pool-initializations.patch | 60 --- ...e-of-a-new-chunk-in-_sctp_make_chunk.patch | 86 ---- debian/patches/series | 2 - 4 files changed, 382 insertions(+), 151 deletions(-) delete mode 100644 debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch delete mode 100644 debian/patches/bugfix/all/sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch diff --git a/debian/changelog b/debian/changelog index 8063ec26a..c79f76072 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,9 +1,388 @@ -linux (4.15.4-2) UNRELEASED; urgency=medium +linux (4.15.9-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.5 + - IB/umad: Fix use of unprotected device pointer + - IB/qib: Fix comparison error with qperf compare/swap test + - IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH + ports + - IB/core: Fix two kernel warnings triggered by rxe registration + - IB/core: Fix ib_wc structure size to remain in 64 bytes boundary + - IB/core: Avoid a potential OOPs for an unused optional parameter + - RDMA/rxe: Fix a race condition related to the QP error state + - RDMA/rxe: Fix a race condition in rxe_requester() + - RDMA/rxe: Fix rxe_qp_cleanup() + - [powerpc*] cpufreq: powernv: Dont assume distinct pstate values for + nominal and pmin + - swiotlb: suppress warning when __GFP_NOWARN is set + - PM / devfreq: Propagate error from devfreq_add_device() + - mwifiex: resolve reset vs. remove()/shutdown() deadlocks + - ocfs2: try a blocking lock before return AOP_TRUNCATED_PAGE + - trace_uprobe: Display correct offset in uprobe_events + - [powerpc*] radix: Remove trace_tlbie call from radix__flush_tlb_all + - [powerpc*] kernel: Block interrupts when updating TIDR + - [powerpc*] vas: Don't set uses_vas for kernel windows + - [powerpc*] numa: Invalidate numa_cpu_lookup_table on cpu remove + - [powerpc*] mm: Flush radix process translations when setting MMU type + - [powerpc*] xive: Use hw CPU ids when configuring the CPU queues + - dma-buf: fix reservation_object_wait_timeout_rcu once more v2 + - [s390x] fix handling of -1 in set{,fs}[gu]id16 syscalls + - [arm64] dts: msm8916: Correct ipc references for smsm + - [x86] gpu: add CFL to early quirks + - [x86] kexec: Make kexec (mostly) work in 5-level paging mode + - [x86] xen: init %gs very early to avoid page faults with stack protector + - [x86] PM: Make APM idle driver initialize polling state + - mm, memory_hotplug: 
fix memmap initialization + - [amd64] entry: Clear extra registers beyond syscall arguments, to reduce + speculation attack surface + - [amd64] entry/compat: Clear registers for compat syscalls, to reduce + speculation attack surface + - [armhf] crypto: sun4i_ss_prng - fix return value of sun4i_ss_prng_generate + - [armhf] crypto: sun4i_ss_prng - convert lock to _bh in + sun4i_ss_prng_generate + - [powerpc*] mm/radix: Split linear mapping on hot-unplug + - [x86] speculation: Update Speculation Control microcode blacklist + - [x86] speculation: Correct Speculation Control microcode blacklist again + - [x86] Revert "x86/speculation: Simplify + indirect_branch_prediction_barrier()" + - [x86] KVM: Reduce retpoline performance impact in + slot_handle_level_range(), by always inlining iterator helper methods + - [X86] nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs + - [x86] KVM/nVMX: Set the CPU_BASED_USE_MSR_BITMAPS if we have a valid L02 + MSR bitmap + - [x86] speculation: Clean up various Spectre related details + - PM / runtime: Update links_count also if !CONFIG_SRCU + - PM: cpuidle: Fix cpuidle_poll_state_init() prototype + - [x86] platform: wmi: fix off-by-one write in wmi_dev_probe() + - [amd64] entry: Clear registers for exceptions/interrupts, to reduce + speculation attack surface + - [amd64] entry: Merge SAVE_C_REGS and SAVE_EXTRA_REGS, remove unused + extensions + - [amd64] entry: Merge the POP_C_REGS and POP_EXTRA_REGS macros into a + single POP_REGS macro + - [amd64] entry: Interleave XOR register clearing with PUSH instructions + - [amd64] entry: Introduce the PUSH_AND_CLEAN_REGS macro + - [amd64] entry: Use PUSH_AND_CLEAN_REGS in more cases + - [amd64] entry: Get rid of the ALLOC_PT_GPREGS_ON_STACK and + SAVE_AND_CLEAR_REGS macros + - [amd64] entry: Indent PUSH_AND_CLEAR_REGS and POP_REGS properly + - [amd64] entry: Fix paranoid_entry() frame pointer warning + - [amd64] entry: Remove the unused 'icebp' macro + - gfs2: Fixes to "Implement 
iomap for block_map" + - objtool: Fix segfault in ignore_unreachable_insn() + - [x86] debug, objtool: Annotate WARN()-related UD2 as reachable + - [x86] debug: Use UD2 for WARN() + - [x86] speculation: Fix up array_index_nospec_mask() asm constraint + - nospec: Move array_index_nospec() parameter checking into separate macro + - [x86] speculation: Add dependency + - [x86] mm: Rename flush_tlb_single() and flush_tlb_one() to + __flush_tlb_one_[user|kernel]() + - [x86] cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping + - [x86] spectre: Fix an error message + - [x86] cpu: Change type of x86_cache_size variable to unsigned int + - [amd64] entry: Fix CR3 restore in paranoid_exit() + - drm/ttm: Don't add swapped BOs to swap-LRU list + - drm/ttm: Fix 'buf' pointer update in ttm_bo_vm_access_kmap() (v2) + - drm/qxl: unref cursor bo when finished with it + - drm/qxl: reapply cursor after resetting primary + - drm/amd/powerplay: Fix smu_table_entry.handle type + - drm/ast: Load lut in crtc_commit + - drm: Check for lessee in DROP_MASTER ioctl + - [arm64] Add missing Falkor part number for branch predictor hardening + - drm/radeon: Add dpm quirk for Jet PRO (v2) + - drm/radeon: adjust tested variable + - [x86] smpboot: Fix uncore_pci_remove() indexing bug when hot-removing a + physical CPU + - [powerpc*] rtc-opal: Fix handling of firmware error codes, prevent busy + loops + - mbcache: initialize entry->e_referenced in mb_cache_entry_create() + - mmc: sdhci: Implement an SDHCI-specific bounce buffer + - [armhf,arm64] mmc: bcm2835: Don't overwrite max frequency unconditionally + - [arm64] Revert "mmc: meson-gx: include tx phase in the tuning process" + - mlx5: fix mlx5_get_vector_affinity to start from completion vector 0 + - [x86] Revert "apple-gmux: lock iGP IO to protect from vgaarb changes" + - ext4: fix a race in the ext4 shutdown path + - ext4: save error to disk in __ext4_grp_locked_error() + - ext4: correct documentation for grpid mount option + - mm: Fix memory 
size alignment in devm_memremap_pages_release() + - [mips*] Fix typo BIG_ENDIAN to CPU_BIG_ENDIAN + - [mips*] CPS: Fix MIPS_ISA_LEVEL_RAW fallout + - [mips*] Fix incorrect mem=X@Y handling + - [arm64] PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode + - [armhf,arm64] PCI: iproc: Fix NULL pointer dereference for BCMA + - [x86] PCI: pciehp: Assume NoCompl+ for Thunderbolt ports + - console/dummy: leave .con_font_get set to NULL + - rbd: whitelist RBD_FEATURE_OPERATIONS feature bit + - xen: Fix {set,clear}_foreign_p2m_mapping on autotranslating guests + - xenbus: track caller request id + - seq_file: fix incomplete reset on read from zero offset + - tracing: Fix parsing of globs with a wildcard at the beginning + - mpls, nospec: Sanitize array index in mpls_label_ok() (CVE-2017-5753) + - rtlwifi: rtl8821ae: Fix connection lost problem correctly + - [arm64] proc: Set PTE_NG for table entries to avoid traversing them twice + - xprtrdma: Fix calculation of ri_max_send_sges + - xprtrdma: Fix BUG after a device removal + - blk-wbt: account flush requests correctly + - target/iscsi: avoid NULL dereference in CHAP auth error path + - iscsi-target: make sure to wake up sleeping login worker + - dm: correctly handle chained bios in dec_pending() + - Btrfs: fix deadlock in run_delalloc_nocow + - Btrfs: fix crash due to not cleaning up tree log block's dirty bits + - Btrfs: fix extent state leak from tree log + - Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly + - Btrfs: fix use-after-free on root->orphan_block_rsv + - Btrfs: fix unexpected -EEXIST when creating new inode + - 9p/trans_virtio: discard zero-length reply + - mtd: nand: vf610: set correct ooblayout + - ALSA: hda - Fix headset mic detection problem for two Dell machines + - ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute + - ALSA: hda/realtek - Add headset mode support for Dell laptop + - ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform + - ALSA: 
hda/realtek: PCI quirk for Fujitsu U7x7 + - ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204 + - ALSA: usb: add more device quirks for USB DSD devices + - ALSA: seq: Fix racy pool initializations (CVE-2018-7566) + - [armhf,arm64] mvpp2: fix multicast address filter + - usb: Move USB_UHCI_BIG_ENDIAN_* out of USB_SUPPORT + - [x86] mm, mm/hwpoison: Don't unconditionally unmap kernel 1:1 pages + - [armhf] dts: exynos: fix RTC interrupt for exynos5410 + - [arm64] dts: msm8916: Add missing #phy-cells + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.6 + - tun: fix tun_napi_alloc_frags() frag allocator + - ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE + - ptr_ring: try vmalloc() when kmalloc() fails + - selinux: ensure the context is NUL terminated in + security_context_to_sid_core() + - selinux: skip bounded transition processing if the policy isn't loaded + - media: pvrusb2: properly check endpoint types + - [x86] crypto: twofish-3way - Fix %rbp usage + - blk_rq_map_user_iov: fix error override + - [x86] KVM: fix escape of guest dr6 to the host + - kcov: detect double association with a single task + - netfilter: x_tables: fix int overflow in xt_alloc_table_info() + - netfilter: x_tables: avoid out-of-bounds reads in + xt_request_find_{match|target} + - netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in + clusterip_tg_check() + - netfilter: on sockopt() acquire sock lock only in the required scope + - netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1() + - netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert + - rds: tcp: correctly sequence cleanup on netns deletion. 
+ - rds: tcp: atomically purge entries from rds_tcp_conn_list during netns + delete + - net: avoid skb_warn_bad_offload on IS_ERR + - net_sched: gen_estimator: fix lockdep splat + - [arm64] dts: add #cooling-cells to CPU nodes + - dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock + - xhci: Fix NULL pointer in xhci debugfs + - xhci: Fix xhci debugfs devices node disappearance after hibernation + - xhci: xhci debugfs device nodes weren't removed after device plugged out + - xhci: fix xhci debugfs errors in xhci_stop + - usbip: keep usbip_device sockfd state in sync with tcp_socket + - [x86] mei: me: add cannon point device ids + - [x86] mei: me: add cannon point device ids for 4th device + - vmalloc: fix __GFP_HIGHMEM usage for vmalloc_32 on 32b systems + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.7 + - netfilter: drop outermost socket lock in getsockopt() + - [arm64] mm: don't write garbage into TTBR1_EL1 register + - kconfig.h: Include compiler types to avoid missed struct attributes + - scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info + - [mips*] Drop spurious __unused in struct compat_flock + - cfg80211: fix cfg80211_beacon_dup + - i2c: designware: must wait for enable + - [armhf,arm64] i2c: bcm2835: Set up the rising/falling edge delays + - X.509: fix BUG_ON() when hash algorithm is unsupported + - X.509: fix NULL dereference when restricting key with unsupported_sig + - PKCS#7: fix certificate chain verification + - PKCS#7: fix certificate blacklisting + - [x86] genirq/matrix: Handle CPU offlining proper + - RDMA/uverbs: Protect from races between lookup and destroy of uobjects + - RDMA/uverbs: Protect from command mask overflow + - RDMA/uverbs: Fix bad unlock balance in ib_uverbs_close_xrcd + - RDMA/uverbs: Fix circular locking dependency + - RDMA/uverbs: Sanitize user entered port numbers prior to access it + - iio: buffer: check if a buffer has been set up when poll is called + - Kbuild: always define 
endianess in kconfig.h + - [x86] apic/vector: Handle vector release on CPU unplug correctly + - mm, swap, frontswap: fix THP swap if frontswap enabled + - mm: don't defer struct page initialization for Xen pv guests + - uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define + - [armhf,arm64] irqchip/gic-v3: Use wmb() instead of smb_wmb() in + gic_raise_softirq() + - [mips*] irqchip/mips-gic: Avoid spuriously handling masked interrupts + - PCI/cxgb4: Extend T3 PCI quirk to T4+ devices + - [x86] net: thunderbolt: Tear down connection properly on suspend + - [x86] net: thunderbolt: Run disconnect flow asynchronously when logout is + received + - ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and + io_watchdog_func() + - usb: ohci: Proper handling of ed_rm_list to handle race condition between + usb_kill_urb() and finish_unlinks() + - [arm64] Remove unimplemented syscall log message + - [arm64] Disable unhandled signal log messages by default + - [arm64] cpufeature: Fix CTR_EL0 field definitions + - USB: Add delay-init quirk for Corsair K70 RGB keyboards + - drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA + - usb: host: ehci: use correct device pointer for dma ops + - usb: dwc3: gadget: Set maxpacket size for ep0 IN + - usb: dwc3: ep0: Reset TRB counter for ep0 IN + - usb: ldusb: add PIDs for new CASSY devices supported by this driver + - Revert "usb: musb: host: don't start next rx urb if current one failed" + - usb: gadget: f_fs: Process all descriptors during bind + - usb: gadget: f_fs: Use config_ep_by_speed() + - drm/cirrus: Load lut in crtc_commit + - drm/atomic: Fix memleak on ERESTARTSYS during non-blocking commits + - drm: Handle unexpected holes in color-eviction + - drm/amdgpu: disable MMHUB power gating on raven + - drm/amdgpu: fix VA hole handling on Vega10 v3 + - drm/amdgpu: Add dpm quirk for Jet PRO (v2) + - drm/amdgpu: only check mmBIF_IOV_FUNC_IDENTIFIER on tonga/fiji + - drm/amdgpu: add atpx quirk handling (v2) + - drm/amdgpu: Avoid 
leaking PM domain on driver unbind (v2) + - drm/amdgpu: add new device to use atpx quirk + - [arm64] __show_regs: Only resolve kernel symbols when running at EL1 + - [x86] drm/i915/breadcrumbs: Ignore unsubmitted signalers + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.8 + - vsprintf: avoid misleading "(null)" for %px + - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers) + - ipmi_si: Fix error handling of platform device + - [x86] platform: dell-laptop: Allocate buffer on heap rather than globally + - [powerpc*] pseries: Enable RAS hotplug events later + - Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking + - ixgbe: fix crash in build_skb Rx code path + - [x86] tpm: st33zp24: fix potential buffer overruns caused by bit glitches + on the bus + - tpm: fix potential buffer overruns caused by bit glitches on the bus + - [x86] tpm_i2c_infineon: fix potential buffer overruns caused by bit + glitches on the bus + - [x86] tpm_i2c_nuvoton: fix potential buffer overruns caused by bit + glitches on the bus + - [x86] tpm_tis: fix potential buffer overruns caused by bit glitches on + the bus + - ALSA: usb-audio: Add a quirck for B&W PX headphones + - ALSA: control: Fix memory corruption risk in snd_ctl_elem_read + - [x86] ALSA: x86: Fix missing spinlock and mutex initializations + - ALSA: hda: Add a power_save blacklist + - ALSA: hda - Fix pincfg at resume on Lenovo T470 dock + - mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers + - [armhf,arm64] mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias + - [armhf,arm64] mmc: dw_mmc: Avoid accessing registers in runtime suspended + state + - [armhf,arm64] mmc: dw_mmc: Factor out dw_mci_init_slot_caps + - [armhf,arm64] mmc: dw_mmc: Fix out-of-bounds access for slot's caps + - timers: Forward timer base before migrating timers + - [hppa] Use cr16 interval timers unconditionally on qemu + - [hppa] Reduce irq overhead when run in qemu + - [hppa] Fix ordering of cache and TLB 
flushes + - [hppa] Hide virtual kernel memory layout + - btrfs: use proper endianness accessors for super_copy + - block: fix the count of PGPGOUT for WRITE_SAME + - block: kyber: fix domain token leak during requeue + - block: pass inclusive 'lend' parameter to truncate_inode_pages_range + - vfio: disable filesystem-dax page pinning + - dax: fix vma_is_fsdax() helper + - direct-io: Fix sleep in atomic due to sync AIO + - [x86] xen: Zero MSR_IA32_SPEC_CTRL before suspend + - [x86] cpu_entry_area: Sync cpu_entry_area to initial_page_table + - bridge: check brport attr show in brport_show + - fib_semantics: Don't match route with mismatching tclassid + - hdlc_ppp: carrier detect ok, don't turn off negotiation + - [arm64] net: amd-xgbe: fix comparison to bitshift when dealing with a mask + - [armhf] net: ethernet: ti: cpsw: fix net watchdog timeout + - net: fix race on decreasing number of TX queues + - net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68 + - netlink: ensure to loop over all netns in genlmsg_multicast_allns() + - net: sched: report if filter is too large to dump + - ppp: prevent unregistered channels from connecting to PPP units + - sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803) + - udplite: fix partial checksum initialization + - net/mlx5e: Fix TCP checksum in LRO buffers + - sctp: fix dst refcnt leak in sctp_v4_get_dst + - net/mlx5e: Specify numa node when allocating drop rq + - net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT + - tcp: Honor the eor bit in tcp_mtu_probe + - rxrpc: Fix send in rxrpc_send_data_packet() + - tcp_bbr: better deal with suboptimal GSO + - doc: Change the min default value of tcp_wmem/tcp_rmem. 
+ - net/mlx5e: Fix loopback self test when GRO is off + - net_sched: gen_estimator: fix broken estimators based on percpu stats + - net/sched: cls_u32: fix cls_u32 on filter replace + - sctp: do not pr_err for the duplicated node in transport rhlist + - net: ipv4: Set addr_type in hash_keys for forwarded case + - sctp: fix dst refcnt leak in sctp_v6_get_dst() + - bridge: Fix VLAN reference count problem + - net/mlx5e: Verify inline header size do not exceed SKB linear size + - tls: Use correct sk->sk_prot for IPV6 + - [arm64] amd-xgbe: Restore PCI interrupt enablement setting on resume + - cls_u32: fix use after free in u32_destroy_key() + - netlink: put module reference if dump start fails + - tcp: purge write queue upon RST + - tuntap: correctly add the missing XDP flush + - tuntap: disable preemption during XDP processing + - virtio-net: disable NAPI only when enabled during XDP set + - cxgb4: fix trailing zero in CIM LA dump + - net/mlx5: Fix error handling when adding flow rules + - net: phy: Restore phy_resume() locking assumption + - tcp: tracepoint: only call trace_tcp_send_reset with full socket + - l2tp: don't use inet_shutdown on tunnel destroy + - l2tp: don't use inet_shutdown on ppp session destroy + - l2tp: fix races with tunnel socket close + - l2tp: fix race in pppol2tp_release with session object destroy + - l2tp: fix tunnel lookup use-after-free race + - [s390x] qeth: fix underestimated count of buffer elements + - [s390x] qeth: fix SETIP command handling + - [s390x] qeth: fix overestimated count of buffer elements + - [s390x] qeth: fix IP removal on offline cards + - [s390x] qeth: fix double-free on IP add/remove race + - [s390x] Revert "s390/qeth: fix using of ref counter for rxip addresses" + - [s390x] qeth: fix IP address lookup for L3 devices + - [s390x] qeth: fix IPA command submission race + - tcp: revert F-RTO middle-box workaround + - tcp: revert F-RTO extension to detect more spurious timeouts + - blk-mq: don't call io sched's 
.requeue_request when requeueing rq to + ->dispatch + - media: m88ds3103: don't call a non-initalized function + - [x86] EDAC, sb_edac: Fix out of bound writes during DIMM configuration on + KNL + - [s390x] KVM: take care of clock-comparator sign control + - [s390x] KVM: provide only a single function for setting the tod (fix SCK) + - [s390x] KVM: consider epoch index on hotplugged CPUs + - [s390x] KVM: consider epoch index on TOD clock syncs + - nospec: Allow index argument to have const-qualified type + - [x86] mm: Fix {pmd,pud}_{set,clear}_flags() + - [armhf] orion: fix orion_ge00_switch_board_info initialization + - [armhf] dts: rockchip: Remove 1.8 GHz operation point from phycore som + - [armhf] mvebu: Fix broken PL310_ERRATA_753970 selects + - [x86] KVM: Fix SMRAM accessing even if VM is shutdown + - KVM: mmu: Fix overlap between public and private memslots + - [x86] KVM: Remove indirect MSR op calls from SPEC_CTRL + - [x86] KVM: move LAPIC initialization after VMCS creation + - [x86] KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the + RDMSR path as unlikely() + - [x86] KVM: fix vcpu initialization with userspace lapic + - [x86] KVM: remove WARN_ON() for when vm_munmap() fails + - [x86] ACPI / bus: Parse tables as term_list for Dell XPS 9570 and + Precision M5530 + - [armhf] dts: LogicPD SOM-LV: Fix I2C1 pinmux + - [armhf] dts: LogicPD Torpedo: Fix I2C1 pinmux + - [powerpc*] 64s/radix: Boot-time NULL pointer protection using a guard-PID + - md: only allow remove_and_add_spares when no sync_thread running. 
+ - [x86] platform: dell-laptop: fix kbd_get_state's request value + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.9 + - bpf: fix mlock precharge on arraymaps + - bpf: fix memory leak in lpm_trie map_free callback function + - bpf: fix rcu lockdep warning for lpm_trie map_free callback + - [amd64] bpf: implement retpoline for tail call (CVE-2017-5715) + - [arm64] bpf: fix out of bounds access in tail call + - bpf: add schedule points in percpu arrays management + - bpf: allow xadd only on aligned memory + - [powerpc*] bpf, ppc64: fix out of bounds access in tail call + - scsi: mpt3sas: fix oops in error handlers after shutdown/unload + - scsi: mpt3sas: wait for and flush running commands on shutdown/unload + - [x86] KVM: fix backward migration with async_PF [ Salvatore Bonaccorso ] * Add ABI reference for 4.15.0-1 - * ALSA: seq: Fix racy pool initializations (CVE-2018-7566) - * sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803) [ Ben Hutchings ] * aufs: gen-patch: Fix Subject generation to skip SPDX-License-Identifier diff --git a/debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch b/debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch deleted file mode 100644 index 62b095fa5..000000000 --- a/debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From: Takashi Iwai -Date: Mon, 12 Feb 2018 15:20:51 +0100 -Subject: ALSA: seq: Fix racy pool initializations -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/d15d662e89fc667b90cd294b0eb45694e33144da -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7566 - -ALSA sequencer core initializes the event pool on demand by invoking -snd_seq_pool_init() when the first write happens and the pool is -empty. Meanwhile user can reset the pool size manually via ioctl -concurrently, and this may lead to UAF or out-of-bound accesses since -the function tries to vmalloc / vfree the buffer. - -A simple fix is to just wrap the snd_seq_pool_init() call with the -recently introduced client->ioctl_mutex; as the calls for -snd_seq_pool_init() from other side are always protected with this -mutex, we can avoid the race. - -Reported-by: 范龙飞 -Cc: -Signed-off-by: Takashi Iwai ---- - sound/core/seq/seq_clientmgr.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c -index 60db32785f62..04d4db44fae5 100644 ---- a/sound/core/seq/seq_clientmgr.c -+++ b/sound/core/seq/seq_clientmgr.c -@@ -1003,7 +1003,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf, - { - struct snd_seq_client *client = file->private_data; - int written = 0, len; -- int err = -EINVAL; -+ int err; - struct snd_seq_event event; - - if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT)) -@@ -1018,11 +1018,15 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf, - - /* allocate the pool now if the pool is not allocated yet */ - if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) { -- if (snd_seq_pool_init(client->pool) < 0) -+ mutex_lock(&client->ioctl_mutex); -+ err = snd_seq_pool_init(client->pool); -+ mutex_unlock(&client->ioctl_mutex); -+ if (err < 0) 
- return -ENOMEM; - } - - /* only process whole events */ -+ err = -EINVAL; - while (count >= sizeof(struct snd_seq_event)) { - /* Read in the event header from the user */ - len = sizeof(event); --- -2.16.2 - diff --git a/debian/patches/bugfix/all/sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch b/debian/patches/bugfix/all/sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch deleted file mode 100644 index 91f35a85e..000000000 --- a/debian/patches/bugfix/all/sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From: Alexey Kodanev -Date: Fri, 9 Feb 2018 17:35:23 +0300 -Subject: sctp: verify size of a new chunk in _sctp_make_chunk() -Origin: https://git.kernel.org/linus/07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5803 - -When SCTP makes INIT or INIT_ACK packet the total chunk length -can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when -transmitting these packets, e.g. the crash on sending INIT_ACK: - -[ 597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168 - put:120156 head:000000007aa47635 data:00000000d991c2de - tail:0x1d640 end:0xfec0 dev: -... -[ 597.976970] ------------[ cut here ]------------ -[ 598.033408] kernel BUG at net/core/skbuff.c:104! -[ 600.314841] Call Trace: -[ 600.345829] -[ 600.371639] ? sctp_packet_transmit+0x2095/0x26d0 [sctp] -[ 600.436934] skb_put+0x16c/0x200 -[ 600.477295] sctp_packet_transmit+0x2095/0x26d0 [sctp] -[ 600.540630] ? sctp_packet_config+0x890/0x890 [sctp] -[ 600.601781] ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp] -[ 600.671356] ? sctp_cmp_addr_exact+0x3f/0x90 [sctp] -[ 600.731482] sctp_outq_flush+0x663/0x30d0 [sctp] -[ 600.788565] ? sctp_make_init+0xbf0/0xbf0 [sctp] -[ 600.845555] ? sctp_check_transmitted+0x18f0/0x18f0 [sctp] -[ 600.912945] ? sctp_outq_tail+0x631/0x9d0 [sctp] -[ 600.969936] sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp] -[ 601.041593] ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp] -[ 601.104837] ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp] -[ 601.175436] ? sctp_eat_data+0x1710/0x1710 [sctp] -[ 601.233575] sctp_do_sm+0x182/0x560 [sctp] -[ 601.284328] ? sctp_has_association+0x70/0x70 [sctp] -[ 601.345586] ? sctp_rcv+0xef4/0x32f0 [sctp] -[ 601.397478] ? sctp6_rcv+0xa/0x20 [sctp] -... - -Here the chunk size for INIT_ACK packet becomes too big, mostly -because of the state cookie (INIT packet has large size with -many address parameters), plus additional server parameters. 
- -Later this chunk causes the panic in skb_put_data(): - - skb_packet_transmit() - sctp_packet_pack() - skb_put_data(nskb, chunk->skb->data, chunk->skb->len); - -'nskb' (head skb) was previously allocated with packet->size -from u16 'chunk->chunk_hdr->length'. - -As suggested by Marcelo we should check the chunk's length in -_sctp_make_chunk() before trying to allocate skb for it and -discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN. - -Signed-off-by: Alexey Kodanev -Acked-by: Marcelo Ricardo Leitner -Acked-by: Neil Horman -Signed-off-by: David S. Miller ---- - net/sctp/sm_make_chunk.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c -index 793b05ec692b..d01475f5f710 100644 ---- a/net/sctp/sm_make_chunk.c -+++ b/net/sctp/sm_make_chunk.c -@@ -1380,9 +1380,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc, - struct sctp_chunk *retval; - struct sk_buff *skb; - struct sock *sk; -+ int chunklen; -+ -+ chunklen = SCTP_PAD4(sizeof(*chunk_hdr) + paylen); -+ if (chunklen > SCTP_MAX_CHUNK_LEN) -+ goto nodata; - - /* No need to allocate LL here, as this is only a chunk. */ -- skb = alloc_skb(SCTP_PAD4(sizeof(*chunk_hdr) + paylen), gfp); -+ skb = alloc_skb(chunklen, gfp); - if (!skb) - goto nodata; - --- -2.16.2 - diff --git a/debian/patches/series b/debian/patches/series index 8fcda10eb..fa2e7a807 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -120,8 +120,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch -bugfix/all/sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch
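Review bot: the debian/changelog hunk records the five new upstream stable releases but says nothing about the ABI change that the commit message ("This has some ABI changes, which still need to be resolved") flags as unresolved, while the version line is already bumped to `linux (4.15.9-1) UNRELEASED`; add a changelog item describing how the ABI change is handled (or that it is pending) so it is not lost before release. The two removed lines under the Salvatore Bonaccorso section, `- * ALSA: seq: Fix racy pool initializations (CVE-2018-7566)` and `- * sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)`, are correctly superseded by the same fixes now listed with their CVE ids in the 4.15.5 and 4.15.8 upstream sections, so the security-tracker mapping is preserved.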
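Review bot: deleting debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch is consistent with the 4.15.5 changelog entry, but the dropped file's `Origin:` line shows it was a direct cherry-pick of upstream d15d662e89fc, so confirm the 4.15.5 stable backport carries the same change (the `snd_seq_pool_init(client->pool)` call in `snd_seq_write()` wrapped in `client->ioctl_mutex`, and `err = -EINVAL;` restored before the event loop) rather than a reduced variant, so CVE-2018-7566 coverage does not regress on the Debian tree.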
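Review bot: removing debian/patches/bugfix/all/sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch matches the 4.15.8 entry `- sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)`; it is worth checking that the upstream stable version keeps the length check ahead of the allocation, i.e. `chunklen = SCTP_PAD4(sizeof(*chunk_hdr) + paylen);` followed by `if (chunklen > SCTP_MAX_CHUNK_LEN) goto nodata;` before `skb = alloc_skb(chunklen, gfp);`, since that ordering is what prevents the skb_over_panic described in the dropped patch's description.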
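Review bot: the two `-bugfix/all/...` removals in debian/patches/series leave the `# Security fixes` section with only `debian/i386-686-pae-pci-set-pci-nobios-by-default.patch`, which is fine, but because the patch files are deleted in the same commit, any other series file under debian/patches that still names them would fail to apply; a grep for the two filenames across debian/patches before merging would catch that.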