Release linux (4.13.13-1).

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAloODhAACgkQ57/I7JWG
 EQkFAg//Zb5RqwypcEFRZs6Oyi4jF6EekQW+UVXjAE8gAw3ae8+1uvkg3TyMY7uT
 C//3H1DGY/A3imqHsxku9NG5T9KhJL9cKn2EDRz8c/+lU949wXjzSFCQk+p9mwcb
 RSyuqES+FwtrMJoN0iXpVIiTSjImuu4IIpTmc6IsZo1frn5oHKmeC4mvsKuflL/S
 usdauRUkQewtTvi/Z8wDA5fJIDN2ff0DcSN8Km/QPlB2zUoGaQRM36ApZVeHDX3X
 190bDAuBfJp9Pht3eFPUq6HwEht9hbiqSaSpMKB/jyPE8lWZ7AL8CM2qiOuZCXil
 ncELxkx+8Cqp4jAWc3wqGZ5mkeVHeHxZcmFv0b4hQaaifW5GtmlMo/XHhMeFIoCc
 tbcC55No2c3ZUhUH0kAQyf26zZ3f7hBAYT8EI5BNngPpZB4W7NJL8A2c09QYxAVB
 /uXNnCdd7LZ9Dnhgc0K1FjIEckd1XHVQgVZ6Seo4Pv2adMfLckla3Xvqj888515a
 akTL9LFAKySOqalakMl34G2FT1S0CR9+7I45KFcKjiGW5pF1RgDeLZy1W+nQq3Vd
 oH2KmWGovmouMEnrh8RgKJNwLkelVkLKl0AFhJ29PGeDrGAklz0Sy5egB8iqoxRh
 fiKph8IGdD8akqlI4d8mTWs01FmALkkSHUkLAxbME8HC3lpb7Ic=
 =TJmK
 -----END PGP SIGNATURE-----

Merge tag 'debian/4.13.13-1'

Release linux (4.13.13-1).

debian/changelog

@@ -96,6 +96,153 @@ linux (4.14~rc3-1~exp1) experimental; urgency=medium
 
  -- Ben Hutchings <ben@decadent.org.uk>  Mon, 02 Oct 2017 04:47:08 +0100
 
+linux (4.13.13-1) unstable; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11
+    - workqueue: replace pool->manager_arb mutex with a flag
+    - [x86] ALSA: hda/realtek - Add support for ALC236/ALC3204
+    - [x86] ALSA: hda - fix headset mic problem for Dell machines with alc236
+    - ceph: unlock dangling spinlock in try_flush_caps()
+    - [powerpc*] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM
+      (CVE-2017-15306)
+    - [powerpc*] KVM: PPC: Book3S HV: POWER9 more doorbell fixes
+    - [powerpc*] KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU
+    - [s390x] kvm: fix detection of guest machine checks
+    - nbd: handle interrupted sendmsg with a sndtimeo set
+    - spi: uapi: spidev: add missing ioctl header
+    - spi: a3700: Return correct value on timeout detection
+    - spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path
+    - spi: armada-3700: Fix failing commands with quad-SPI
+    - ovl: add NULL check in ovl_alloc_inode
+    - ovl: fix EIO from lookup of non-indexed upper
+    - ovl: handle ENOENT on index lookup
+    - ovl: do not cleanup unsupported index entries
+    - fuse: fix READDIRPLUS skipping an entry
+    - xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()
+    - xen: fix booting ballooned down hvm guest
+    - cifs: Select all required crypto modules
+    - CIFS: Fix NULL pointer deref on SMB2_tcon() failure
+    - Input: elan_i2c - add ELAN0611 to the ACPI table
+    - Input: gtco - fix potential out-of-bound access (CVE-2017-16643)
+    - Fix encryption labels and lengths for SMB3.1.1
+    - SMB3: Validate negotiate request must always be signed
+    - assoc_array: Fix a buggy node-splitting case (CVE-2017-12193)
+    - [s390x] scsi: zfcp: fix erp_action use-before-initialize in REC action
+      trace
+    - scsi: aacraid: Fix controller initialization failure
+    - scsi: qla2xxx: Initialize Work element before requesting IRQs
+    - scsi: sg: Re-fix off by one in sg_fill_request_table()
+    - [x86] cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't
+    - [x86] drm/amd/powerplay: fix uninitialized variable
+    - [x86] drm/i915/perf: fix perf enable/disable ioctls with 32bits
+      userspace
+    - [armhf] can: sun4i: fix loopback mode
+    - can: kvaser_usb: Correct return value in printout
+    - can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages
+    - cfg80211: fix connect/disconnect edge cases
+    - ipsec: Fix aborted xfrm policy dump crash
+    - [armhf] regulator: fan53555: fix I2C device ids (Closes: #879768)
+    - [powerpc*] xive: Fix the size of the cpumask used in
+      xive_find_target_in_mask()
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.12
+    - ALSA: timer: Add missing mutex lock for compat ioctls
+    - ALSA: seq: Fix nested rwsem annotation for lockdep splat
+    - cifs: check MaxPathNameComponentLength != 0 before using it
+      (Closes: #880504)
+    - KEYS: return full count in keyring_read() if buffer is too small
+    - KEYS: trusted: fix writing past end of buffer in trusted_read()
+    - KEYS: fix out-of-bounds read during ASN.1 parsing
+    - ASoC: adau17x1: Workaround for noise bug in ADC
+    - virtio_blk: Fix an SG_IO regression
+    - [arm64] ensure __dump_instr() checks addr_limit
+    - [arm64] KVM: its: Fix missing dynamic allocation check in scan_its_table
+    - [armhf, arm64] KVM: set right LR register value for 32 bit guest when
+      inject abort
+    - [armhf,arm64] kvm: Disable branch profiling in HYP code
+    - [armhf] dts: mvebu: pl310-cache disable double-linefill
+    - drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting
+    - drm/amdgpu: allow harvesting check for Polaris VCE
+    - userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of
+      i_size
+    - ocfs2: fstrim: Fix start offset of first cluster group during fstrim
+    - fs/hugetlbfs/inode.c: fix hwpoison reserve accounting
+    - mm, swap: fix race between swap count continuation operations
+    - [x86] drm/i915: Do not rely on wm preservation for ILK watermarks
+    - [x86] drm/i915/edp: read edp display control registers unconditionally
+    - [mips*] bpf: Fix a typo in build_one_insn()
+    - [mips*] smp-cmp: Use right include for task_struct
+    - [mips*] SMP: Fix deadlock & online race
+    - Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz""
+    - [powerpc*] kprobes: Dereference function pointers only if the address
+      does not belong to kernel text
+    - futex: Fix more put_pi_state() vs. exit_pi_state_list() races
+    - perf/cgroup: Fix perf cgroup hierarchy support
+    - [x86] mcelog: Get rid of RCU remnants
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.13
+    - netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to
+      rhashtable"
+    - netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145)
+    - workqueue: Fix NULL pointer dereference
+    - crypto: ccm - preserve the IV buffer
+    - [x86] crypto: sha1-mb - fix panic due to unaligned access
+    - [x86] crypto: sha256-mb - fix panic due to unaligned access
+    - KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
+    - [x86] ACPI / PM: Blacklist Low Power S0 Idle _DSM for Dell XPS13 9360
+    - ACPICA: Dispatch active GPEs at init time
+    - ACPICA: Make it possible to enable runtime GPEs earlier
+    - ACPI / scan: Enable GPEs before scanning the namespace
+    - [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit
+    - ALSA: timer: Limit max instances per timer
+    - ALSA: usb-audio: support new Amanero Combo384 firmware version
+    - [x86] ALSA: hda - fix headset mic problem for Dell machines with alc274
+    - ALSA: seq: Fix OSS sysex delivery in OSS emulation
+    - ALSA: seq: Avoid invalid lockdep class warning
+    - [mips*] Fix CM region target definitions
+    - [powerpc*] KVM: Book3S HV: Fix exclusion between HPT resizing and other
+      HPT updates
+    - Input: elan_i2c - add ELAN060C to the ACPI table
+    - rbd: use GFP_NOIO for parent stat and data requests
+    - [x86] drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
+    - [armhf] can: sun4i: handle overrun in RX FIFO
+    - can: peak: Add support for new PCIe/M2 CAN FD interfaces
+    - [x86] debug: Handle warnings before the notifier chain, to fix KGDB crash
+    - [x86] smpboot: Make optimization of delay calibration work correctly
+    - [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context
+
+  [ Salvatore Bonaccorso ]
+  * mac80211: accept key reinstall without changing anything (CVE-2017-13080)
+  * sctp: do not peel off an assoc from one netns to another one
+    (CVE-2017-15115)
+
+  [ Ben Hutchings ]
+  * linux-image: Recommend apparmor, as systemd units with an AppArmor
+    profile will fail without it (Closes: #880441)
+  * [powerpc*] kvm: Ignore ABI change in 4.13.6 (fixes FTBFS)
+  * swap: Avoid ABI change in 4.13.12
+  * mac80211: use constant time comparison with keys
+  * mac80211: don't compare TKIP TX MIC key in reinstall prevention
+  * usb: usbtest: fix NULL pointer dereference (CVE-2017-16532)
+  * media: cx231xx-cards: fix NULL-deref on missing association descriptor
+    (CVE-2017-16536)
+  * media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537)
+  * media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646)
+  * net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647)
+  * net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649)
+  * net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650)
+  * nftables: Enable NFT_RT, NFT_SET_BITMAP, NFT_OBJREF as modules
+    (Closes: #881931)
+  * [powerpc*/*64*] drm: Enable DRM_AMDGPU as module (Closes: #881593)
+  * amdgpu: Enable DRM_AMDGPU_USERPTR on all architectures
+  * amdgpu: Enable DRM_AMDGPU_SI, CONFIG_DRM_AMDGPU_CIK (Closes: #847570)
+  * [arm64,x86] net/wireless: Enable RTL8723BS as module (Closes: #881568)
+  * [arm64] nvmem: Enable NVMEM_SUNXI_SID as module (Closes: #881567)
+  * [x86] rmi4: Disable RMI4_SMB (Closes: #880471)
+  * ALSA: timer: Avoid ABI change in 4.13.13
+  * netfilter: nat: Avoid ABI change in 4.13.13
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Thu, 16 Nov 2017 21:04:10 +0000
+
 linux (4.13.10-1) unstable; urgency=medium
 
   * New upstream stable update:

debian/config/arm64/config

@@ -631,6 +631,7 @@ CONFIG_WLCORE_SDIO=m
 ## file: drivers/nvmem/Kconfig
 ##
 CONFIG_QCOM_QFPROM=m
+CONFIG_NVMEM_SUNXI_SID=m
 
 ##
 ## file: drivers/pci/dwc/Kconfig
@@ -865,6 +866,11 @@ CONFIG_SPI_XLP=m
 CONFIG_SPMI=y
 CONFIG_SPMI_MSM_PMIC_ARB=y
 
+##
+## file: drivers/staging/rtl8723bs/Kconfig
+##
+CONFIG_RTL8723BS=m
+
 ##
 ## file: drivers/tee/Kconfig
 ##

debian/config/config

@@ -616,7 +616,9 @@ CONFIG_DRM_SAVAGE=m
 ##
 ## file: drivers/gpu/drm/amd/amdgpu/Kconfig
 ##
-# CONFIG_DRM_AMDGPU_SI is not set
+CONFIG_DRM_AMDGPU_SI=y
+CONFIG_DRM_AMDGPU_CIK=y
+CONFIG_DRM_AMDGPU_USERPTR=y
 # CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set
 
 ##
@@ -6709,16 +6711,19 @@ CONFIG_NF_TABLES_INET=m
 CONFIG_NF_TABLES_NETDEV=m
 CONFIG_NFT_EXTHDR=m
 CONFIG_NFT_META=m
+CONFIG_NFT_RT=m
 CONFIG_NFT_NUMGEN=m
 CONFIG_NFT_CT=m
 CONFIG_NFT_SET_RBTREE=m
 CONFIG_NFT_SET_HASH=m
+CONFIG_NFT_SET_BITMAP=m
 CONFIG_NFT_COUNTER=m
 CONFIG_NFT_LOG=m
 CONFIG_NFT_LIMIT=m
 CONFIG_NFT_MASQ=m
 CONFIG_NFT_REDIR=m
 CONFIG_NFT_NAT=m
+CONFIG_NFT_OBJREF=m
 CONFIG_NFT_QUEUE=m
 CONFIG_NFT_QUOTA=m
 CONFIG_NFT_REJECT=m

debian/config/defines

@@ -2,6 +2,7 @@
 abiname: 1
 ignore-changes:
  __cpuhp_*
+ __xive_vm_h_*
  bpf_analyzer
  cxl_*
  dax_flush
@@ -9,6 +10,7 @@ ignore-changes:
  inet_del_protocol
  iommu_device_*
  kvm_async_pf_task_wait
+ kvmppc_*
  mm_iommu_*
  mv_mbus_*
  perf_*
@@ -118,6 +120,7 @@ part-long-xen: This kernel also runs on a Xen hypervisor.
 
 [image]
 initramfs-generators: initramfs-tools initramfs-fallback
+recommends: apparmor
 
 [relations]
 # compilers

debian/config/kernelarch-powerpc/config-arch-64

@@ -73,6 +73,11 @@ CONFIG_CRYPTO_DEV_VMX=y
 ##
 CONFIG_CRYPTO_DEV_VMX_ENCRYPT=m
 
+##
+## file: drivers/gpu/drm/Kconfig
+##
+CONFIG_DRM_AMDGPU=m
+
 ##
 ## file: drivers/gpu/drm/ast/Kconfig
 ##

debian/config/kernelarch-x86/config

@@ -500,12 +500,6 @@ CONFIG_DRM_SIS=m
 ##
 CONFIG_DRM_AMD_ACP=y
 
-##
-## file: drivers/gpu/drm/amd/amdgpu/Kconfig
-##
-# CONFIG_DRM_AMDGPU_CIK is not set
-CONFIG_DRM_AMDGPU_USERPTR=y
-
 ##
 ## file: drivers/gpu/drm/amd/amdkfd/Kconfig
 ##
@@ -785,11 +779,6 @@ CONFIG_MOUSE_ELAN_I2C_I2C=y
 CONFIG_MOUSE_ELAN_I2C_SMBUS=y
 CONFIG_MOUSE_VSXXXAA=m
 
-##
-## file: drivers/input/rmi4/Kconfig
-##
-CONFIG_RMI4_SMB=m
-
 ##
 ## file: drivers/input/serio/Kconfig
 ##
@@ -1623,6 +1612,11 @@ CONFIG_RTL8192E=m
 ##
 CONFIG_RTL8192U=m
 
+##
+## file: drivers/staging/rtl8723bs/Kconfig
+##
+CONFIG_RTL8723BS=m
+
 ##
 ## file: drivers/staging/rts5208/Kconfig
 ##

debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch

@@ -0,0 +1,36 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 21 Sep 2017 05:40:18 -0300
+Subject: [media] cx231xx-cards: fix NULL-deref on missing association
+ descriptor
+Origin: https://git.kernel.org/linus/6c3b047fa2d2286d5e438bcb470c7b1a49f415f6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16536
+
+Make sure to check that we actually have an Interface Association
+Descriptor before dereferencing it during probe to avoid dereferencing a
+NULL-pointer.
+
+Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
+
+Cc: stable <stable@vger.kernel.org>     # 2.6.30
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+ drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c
+index e0daa9b6c2a0..9b742d569fb5 100644
+--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
+@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_interface *interface,
+ 	nr = dev->devno;
+ 
+ 	assoc_desc = udev->actconfig->intf_assoc[0];
+-	if (assoc_desc->bFirstInterface != ifnum) {
++	if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) {
+ 		dev_err(d, "Not found matching IAD interface\n");
+ 		retval = -ENODEV;
+ 		goto err_if;

debian/patches/bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch

@@ -0,0 +1,191 @@
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Thu, 2 Nov 2017 10:38:21 -0400
+Subject: media: dib0700: fix invalid dvb_detach argument
+Origin: https://git.kernel.org/linus/eb0c19942288569e0ae492476534d5a485fb8ab4
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16646
+
+dvb_detach(arg) calls symbol_put_addr(arg), where arg should be a pointer
+to a function. Right now a pointer to state->dib7000p_ops is passed to
+dvb_detach(), which causes a BUG() in symbol_put_addr() as discovered by
+syzkaller. Pass state->dib7000p_ops.set_wbd_ref instead.
+
+------------[ cut here ]------------
+kernel BUG at kernel/module.c:1081!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+Modules linked in:
+CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: G        W
+4.14.0-rc1-42251-gebb2c2437d80 #224
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+task: ffff88006a336300 task.stack: ffff88006a7c8000
+RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083
+RSP: 0018:ffff88006a7ce210 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff880062a8d190 RCX: 0000000000000000
+RDX: dffffc0000000020 RSI: ffffffff85876d60 RDI: ffff880062a8d190
+RBP: ffff88006a7ce218 R08: 1ffff1000d4f9c12 R09: 1ffff1000d4f9ae4
+R10: 1ffff1000d4f9bed R11: 0000000000000000 R12: ffff880062a8d180
+R13: 00000000ffffffed R14: ffff880062a8d190 R15: ffff88006947c000
+FS:  0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f6416532000 CR3: 00000000632f5000 CR4: 00000000000006e0
+Call Trace:
+ stk7070p_frontend_attach+0x515/0x610
+drivers/media/usb/dvb-usb/dib0700_devices.c:1013
+ dvb_usb_adapter_frontend_init+0x32b/0x660
+drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
+ dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
+ dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
+ dvb_usb_device_init+0xf70/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
+ dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886
+ usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
+ really_probe drivers/base/dd.c:413
+ driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+ __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+ bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+ __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
+ device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+ bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+ device_add+0xd0b/0x1660 drivers/base/core.c:1835
+ usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
+ generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
+ usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
+ really_probe drivers/base/dd.c:413
+ driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+ __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+ bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+ __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
+ device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+ bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+ device_add+0xd0b/0x1660 drivers/base/core.c:1835
+ usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
+ hub_port_connect drivers/usb/core/hub.c:4903
+ hub_port_connect_change drivers/usb/core/hub.c:5009
+ port_event drivers/usb/core/hub.c:5115
+ hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
+ process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
+ worker_thread+0x221/0x1850 kernel/workqueue.c:2253
+ kthread+0x3a1/0x470 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8
+de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f>
+0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00
+RIP: symbol_put_addr+0x54/0x60 RSP: ffff88006a7ce210
+---[ end trace b75b357739e7e116 ]---
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+---
+ drivers/media/usb/dvb-usb/dib0700_devices.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
+@@ -291,7 +291,7 @@ static int stk7700P2_frontend_attach(str
+ 					     stk7700d_dib7000p_mt2266_config)
+ 		    != 0) {
+ 			err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n", __func__);
+-			dvb_detach(&state->dib7000p_ops);
++			dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 			return -ENODEV;
+ 		}
+ 	}
+@@ -325,7 +325,7 @@ static int stk7700d_frontend_attach(stru
+ 					     stk7700d_dib7000p_mt2266_config)
+ 		    != 0) {
+ 			err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n", __func__);
+-			dvb_detach(&state->dib7000p_ops);
++			dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 			return -ENODEV;
+ 		}
+ 	}
+@@ -478,7 +478,7 @@ static int stk7700ph_frontend_attach(str
+ 				     &stk7700ph_dib7700_xc3028_config) != 0) {
+ 		err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n",
+ 		    __func__);
+-		dvb_detach(&state->dib7000p_ops);
++		dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 		return -ENODEV;
+ 	}
+ 
+@@ -1010,7 +1010,7 @@ static int stk7070p_frontend_attach(stru
+ 				     &dib7070p_dib7000p_config) != 0) {
+ 		err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n",
+ 		    __func__);
+-		dvb_detach(&state->dib7000p_ops);
++		dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 		return -ENODEV;
+ 	}
+ 
+@@ -1068,7 +1068,7 @@ static int stk7770p_frontend_attach(stru
+ 				     &dib7770p_dib7000p_config) != 0) {
+ 		err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n",
+ 		    __func__);
+-		dvb_detach(&state->dib7000p_ops);
++		dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 		return -ENODEV;
+ 	}
+ 
+@@ -3050,7 +3050,7 @@ static int nim7090_frontend_attach(struc
+ 
+ 	if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, &nim7090_dib7000p_config) != 0) {
+ 		err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n", __func__);
+-		dvb_detach(&state->dib7000p_ops);
++		dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 		return -ENODEV;
+ 	}
+ 	adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, 0x80, &nim7090_dib7000p_config);
+@@ -3103,7 +3103,7 @@ static int tfe7090pvr_frontend0_attach(s
+ 	/* initialize IC 0 */
+ 	if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, &tfe7090pvr_dib7000p_config[0]) != 0) {
+ 		err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n", __func__);
+-		dvb_detach(&state->dib7000p_ops);
++		dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 		return -ENODEV;
+ 	}
+ 
+@@ -3133,7 +3133,7 @@ static int tfe7090pvr_frontend1_attach(s
+ 	i2c = state->dib7000p_ops.get_i2c_master(adap->dev->adapter[0].fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_6_7, 1);
+ 	if (state->dib7000p_ops.i2c_enumeration(i2c, 1, 0x10, &tfe7090pvr_dib7000p_config[1]) != 0) {
+ 		err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n", __func__);
+-		dvb_detach(&state->dib7000p_ops);
++		dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 		return -ENODEV;
+ 	}
+ 
+@@ -3208,7 +3208,7 @@ static int tfe7790p_frontend_attach(stru
+ 				1, 0x10, &tfe7790p_dib7000p_config) != 0) {
+ 		err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n",
+ 				__func__);
+-		dvb_detach(&state->dib7000p_ops);
++		dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 		return -ENODEV;
+ 	}
+ 	adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap,
+@@ -3303,7 +3303,7 @@ static int stk7070pd_frontend_attach0(st
+ 				     stk7070pd_dib7000p_config) != 0) {
+ 		err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n",
+ 		    __func__);
+-		dvb_detach(&state->dib7000p_ops);
++		dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 		return -ENODEV;
+ 	}
+ 
+@@ -3378,7 +3378,7 @@ static int novatd_frontend_attach(struct
+ 					     stk7070pd_dib7000p_config) != 0) {
+ 			err("%s: state->dib7000p_ops.i2c_enumeration failed.  Cannot continue\n",
+ 			    __func__);
+-			dvb_detach(&state->dib7000p_ops);
++			dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 			return -ENODEV;
+ 		}
+ 	}
+@@ -3614,7 +3614,7 @@ static int pctv340e_frontend_attach(stru
+ 
+ 	if (state->dib7000p_ops.dib7000pc_detection(&adap->dev->i2c_adap) == 0) {
+ 		/* Demodulator not found for some reason? */
+-		dvb_detach(&state->dib7000p_ops);
++		dvb_detach(state->dib7000p_ops.set_wbd_ref);
+ 		return -ENODEV;
+ 	}
+ 

debian/patches/bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch

@@ -0,0 +1,31 @@
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Mon, 9 Oct 2017 20:14:48 +0200
+Subject: media: imon: Fix null-ptr-deref in imon_probe
+Origin: https://git.kernel.org/linus/58fd55e838276a0c13d1dc7c387f90f25063cbf3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16537
+
+It seems that the return value of usb_ifnum_to_if() can be NULL and
+needs to be checked.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+ drivers/media/rc/imon.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/rc/imon.c
++++ b/drivers/media/rc/imon.c
+@@ -2516,6 +2516,11 @@ static int imon_probe(struct usb_interfa
+ 	mutex_lock(&driver_lock);
+ 
+ 	first_if = usb_ifnum_to_if(usbdev, 0);
++	if (!first_if) {
++		ret = -ENODEV;
++		goto fail;
++	}
++
+ 	first_if_ctx = usb_get_intfdata(first_if);
+ 
+ 	if (ifnum == 0) {

debian/patches/series

@@ -112,6 +112,9 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch
+bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch
+bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch
 bugfix/all/media-dvb-core-always-call-invoke_release-in-fe_free.patch
 bugfix/all/dvb_frontend-don-t-use-after-free-the-frontend-struc.patch