Update to 4.17.3

Drop patches applied upstream.
Ben Hutchings 2018-06-26 02:49:30 +01:00
parent 544f15ac72
commit 2202083eb0
8 changed files with 68 additions and 349 deletions

debian/changelog vendored

@ -1,4 +1,71 @@
linux (4.17.2-1) UNRELEASED; urgency=medium
linux (4.17.3-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.3
- net: aquantia: fix unsigned numvecs comparison with less than zero
- bonding: re-evaluate force_primary when the primary slave name changes
- cdc_ncm: avoid padding beyond end of skb
- ipv6: allow PMTU exceptions to local routes
- [armhf,arm64] net: dsa: add error handling for pskb_trim_rcsum
- net/sched: act_simple: fix parsing of TCA_DEF_DATA
- tcp: verify the checksum of the first data segment in a new connection
- socket: close race condition between sock_close() and sockfs_setattr()
(CVE-2018-12232)
- udp: fix rx queue len reported by diag and proc interface
- net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds
vlan
- ACPICA: AML parser: attempt to continue loading table after error
- ext4: fix hole length detection in ext4_ind_map_blocks()
- ext4: update mtime in ext4_punch_hole even if no blocks are released
- ext4: do not allow external inodes for inline data (CVE-2018-11412)
- ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
- ext4: correctly handle a zero-length xattr with a non-zero e_value_offs
(CVE-2018-10840)
- ext4: fix fencepost error in check for inode count overflow during resize
- driver core: Don't ignore class_dir_create_and_add() failure.
- Btrfs: allow empty subvol= again
- Btrfs: fix clone vs chattr NODATASUM race
- Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2()
- btrfs: return error value if create_io_em failed in cow_file_range
- btrfs: scrub: Don't use inode pages for device replace
- ALSA: usb-audio: Disable the quirk for Nura headset
- ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
- [x86] MCE: Fix stack out-of-bounds write in mce-inject.c: Flags_read()
- smb3: fix various xid leaks
- smb3: on reconnect set PreviousSessionId field
- CIFS: 511c54a2f69195b28afb9dd119f03787b1625bb4 adds a check for session
expiry
- cifs: For SMB2 security informaion query, check for minimum sized
security descriptor instead of sizeof FileAllInformation class
- nbd: fix nbd device deletion
- nbd: update size when connected
- nbd: use bd_set_size when updating disk size
- blk-mq: reinit q->tag_set_list entry only after grace period
- bdi: Move cgroup bdi_writeback to a dedicated low concurrency workqueue
- cpufreq: Fix new policy initialization during limits updates via sysfs
- cpufreq: governors: Fix long idle detection logic in load calculation
- libata: zpodd: small read overflow in eject_tray()
- libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
- nvme/pci: Sync controller reset for AER slot_reset
- [x86] vector: Fix the args of vector_alloc tracepoint
- [x86] apic/vector: Prevent hlist corruption and leaks
- [x86] apic: Provide apic_ack_irq()
- [x86] ioapic: Use apic_ack_irq()
- [x86] platform/uv: Use apic_ack_irq()
- irq_remapping: Use apic_ack_irq()
- genirq/generic_pending: Do not lose pending affinity update
- genirq/affinity: Defer affinity setting if irq chip is busy
- genirq/migration: Avoid out of line call if pending is not set
- [x86] intel_rdt: Enable CMT and MBM on new Skylake stepping
- media: uvcvideo: Prevent setting unavailable flags
- media: rc: ensure input/lirc device can be opened after register
- iwlwifi: fw: harden page loading code
- [x86] HID: intel_ish-hid: ipc: register more pm callbacks to support
hibernation
- HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large
- vhost: fix info leak due to uninitialized memory (CVE-2018-1118)
- fs/binfmt_misc.c: do not allow offset overflow
- mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
[ Ben Hutchings ]
* [amd64,arm64,armhf] android: Build modules to support Anbox
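Review bot: the upstream-update list in this hunk does not mention the hv_netvsc ifdown/ifup regression fix, yet `bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch` is dropped from series in the same commit as "applied upstream". Either add `hv_netvsc: Fix a network regression after ifdown/ifup` to the 4.17.3 list or state in the commit message which 4.17.3 commit supersedes it, so the drop is traceable from the changelog.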
@ -11,13 +78,6 @@ linux (4.17.2-1) UNRELEASED; urgency=medium
* [mips*] Increase RELOCATION_TABLE_SIZE to 0x00140000 (fixes FTBFS)
* Set ABI to 1
* [x86,arm64] Disable code signing for upload to unstable
* vhost: fix info leak due to uninitialized memory (CVE-2018-1118)
* ext4: correctly handle a zero-length xattr with a non-zero e_value_offs
(CVE-2018-10840)
* ext4: do not allow external inodes for inline data (CVE-2018-11412)
* ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
* socket: close race condition between sock_close() and sockfs_setattr()
(CVE-2018-12232)
* [x86] virt: vbox: Only copy_from_user the request-header once
(CVE-2018-12633)
* [x86] vboxguest: Enable VBOXGUEST and DRM_VBOXVIDEO as modules
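Review bot: removing the five security entries here is consistent with the patches being dropped, but make sure the `[x86] virt: vbox: Only copy_from_user the request-header once (CVE-2018-12633)` line stays: that fix is not in the 4.17.3 list above and `bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch` remains in series, so the changelog entry is still needed.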


@ -1,61 +0,0 @@
From: Theodore Ts'o <tytso@mit.edu>
Date: Tue, 22 May 2018 17:14:07 -0400
Subject: ext4: bubble errors from ext4_find_inline_data_nolock() up to
ext4_iget()
Origin: https://git.kernel.org/linus/eb9b5f01c33adebc31cbc236c02695f605b0e417
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412
If ext4_find_inline_data_nolock() returns an error it needs to get
reflected up to ext4_iget(). In order to fix this,
ext4_iget_extra_inode() needs to return an error (and not return
void).
This is related to "ext4: do not allow external inodes for inline
data" (which fixes CVE-2018-11412) in that in the errors=continue
case, it would be useful for userspace to receive an error
indicating that the file system is corrupted.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
---
fs/ext4/inode.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4701,19 +4701,21 @@ static blkcnt_t ext4_inode_blocks(struct
}
}
-static inline void ext4_iget_extra_inode(struct inode *inode,
+static inline int ext4_iget_extra_inode(struct inode *inode,
struct ext4_inode *raw_inode,
struct ext4_inode_info *ei)
{
__le32 *magic = (void *)raw_inode +
EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
+
if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
EXT4_INODE_SIZE(inode->i_sb) &&
*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
ext4_set_inode_state(inode, EXT4_STATE_XATTR);
- ext4_find_inline_data_nolock(inode);
+ return ext4_find_inline_data_nolock(inode);
} else
EXT4_I(inode)->i_inline_off = 0;
+ return 0;
}
int ext4_get_projid(struct inode *inode, kprojid_t *projid)
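Review bot: style point on the `} else` arm: now that the `if` branch is braced and ends in `return ext4_find_inline_data_nolock(inode);`, the single-statement `EXT4_I(inode)->i_inline_off = 0;` arm should be braced as well (kernel CodingStyle asks for braces on both arms when one needs them). The control flow itself is fine: the XATTR_MAGIC path propagates the lookup error and every other path reaches `return 0;`.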
@@ -4893,7 +4895,9 @@ struct inode *ext4_iget(struct super_blo
ei->i_extra_isize = sizeof(struct ext4_inode) -
EXT4_GOOD_OLD_INODE_SIZE;
} else {
- ext4_iget_extra_inode(inode, raw_inode, ei);
+ ret = ext4_iget_extra_inode(inode, raw_inode, ei);
+ if (ret)
+ goto bad_inode;
}
}
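Review bot: `ret = ext4_iget_extra_inode(inode, raw_inode, ei);` followed by `goto bad_inode;` relies on `ret` being the variable that the `bad_inode:` label turns into the returned ERR_PTR; that declaration and the label are outside this hunk, so confirm nothing between this call and the label overwrites `ret`, otherwise the -EFSCORRUPTED from ext4_find_inline_data_nolock() would be replaced by a stale value.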


@ -1,65 +0,0 @@
From: Theodore Ts'o <tytso@mit.edu>
Date: Wed, 23 May 2018 11:31:03 -0400
Subject: ext4: correctly handle a zero-length xattr with a non-zero
e_value_offs
Origin: https://git.kernel.org/linus/8a2b307c21d4b290e3cbe33f768f194286d07c23
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10840
Ext4 will always create ext4 extended attributes which do not have a
value (where e_value_size is zero) with e_value_offs set to zero. In
most places e_value_offs will not be used in a substantive way if
e_value_size is zero.
There was one exception to this, which is in ext4_xattr_set_entry(),
where, on a maliciously crafted file system with an extended
attribute whose e_value_offs is non-zero and e_value_size is 0, the
attempt to remove this xattr will result in a negative value getting
passed to memmove, leading to the following sadness:
[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000
[ 44.538733] IP: __memmove+0x81/0x1a0
[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1
[ 44.538793] Oops: 0003 [#1] SMP PTI
[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1
...
[ 44.539475] Call Trace:
[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80
...
[ 44.539972] ext4_xattr_block_set+0x212/0xea0
...
[ 44.540041] ext4_xattr_set_handle+0x514/0x610
[ 44.540065] ext4_xattr_set+0x7f/0x120
[ 44.540090] __vfs_removexattr+0x4d/0x60
[ 44.540112] vfs_removexattr+0x75/0xe0
[ 44.540132] removexattr+0x4d/0x80
...
[ 44.540279] path_removexattr+0x91/0xb0
[ 44.540300] SyS_removexattr+0xf/0x20
[ 44.540322] do_syscall_64+0x71/0x120
[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86
https://bugzilla.kernel.org/show_bug.cgi?id=199347
This addresses CVE-2018-10840.
Reported-by: "Xu, Wen" <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication")
---
fs/ext4/xattr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct e
/* No failures allowed past this point. */
- if (!s->not_found && here->e_value_offs) {
+ if (!s->not_found && here->e_value_size && here->e_value_offs) {
/* Remove the old value. */
void *first_val = s->base + min_offs;
size_t offs = le16_to_cpu(here->e_value_offs);
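Review bot: the new `here->e_value_size && here->e_value_offs` guard keeps the removal path from handing memmove a bogus length, but it silently tolerates an on-disk entry with e_value_size == 0 and e_value_offs != 0, which the message says ext4 never writes. Consider also rejecting that combination where xattr entries are validated when the block or in-inode area is read, so the corruption surfaces as -EFSCORRUPTED instead of being skipped over only in this one function.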


@ -1,43 +0,0 @@
From: Theodore Ts'o <tytso@mit.edu>
Date: Tue, 22 May 2018 16:15:24 -0400
Subject: ext4: do not allow external inodes for inline data
Origin: https://git.kernel.org/linus/117166efb1ee8f13c38f9e96b258f16d4923f888
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412
The inline data feature was implemented before we added support for
external inodes for xattrs. It makes no sense to support that
combination, but the problem is that there are a number of extended
attribute checks that are skipped if e_value_inum is non-zero.
Unfortunately, the inline data code is completely e_value_inum
unaware, and attempts to interpret the xattr fields as if it were an
inline xattr --- at which point, Hilarity Ensues.
This addresses CVE-2018-11412.
https://bugzilla.kernel.org/show_bug.cgi?id=199803
Reported-by: Jann Horn <jannh@google.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Cc: stable@kernel.org
---
fs/ext4/inline.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -144,6 +144,12 @@ int ext4_find_inline_data_nolock(struct
goto out;
if (!is.s.not_found) {
+ if (is.s.here->e_value_inum) {
+ EXT4_ERROR_INODE(inode, "inline data xattr refers "
+ "to an external xattr inode");
+ error = -EFSCORRUPTED;
+ goto out;
+ }
EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here -
(void *)ext4_raw_inode(&is.iloc));
EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
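Review bot: nit on the added EXT4_ERROR_INODE() call: the message is split across two string literals (`"inline data xattr refers "` / `"to an external xattr inode"`); kernel style prefers user-visible strings unbroken so the message can be grepped. Returning -EFSCORRUPTED after EXT4_ERROR_INODE() is the right reaction, since the superblock error handling then applies the errors= policy.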


@ -1,43 +0,0 @@
From 52acf73b6e9a6962045feb2ba5a8921da2201915 Mon Sep 17 00:00:00 2001
From: Dexuan Cui <decui@microsoft.com>
Date: Wed, 6 Jun 2018 21:32:51 +0000
Subject: [PATCH] hv_netvsc: Fix a network regression after ifdown/ifup
Recently people reported the NIC stops working after
"ifdown eth0; ifup eth0". It turns out in this case the TX queues are not
enabled, after the refactoring of the common detach logic: when the NIC
has sub-channels, usually we enable all the TX queues after all
sub-channels are set up: see rndis_set_subchannel() ->
netif_device_attach(), but in the case of "ifdown eth0; ifup eth0" where
the number of channels doesn't change, we also must make sure the TX queues
are enabled. The patch fixes the regression.
Fixes: 7b2ee50c0cd5 ("hv_netvsc: common detach logic")
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/net/hyperv/netvsc_drv.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index bef4d55a108c..8eec156418ea 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -127,8 +127,10 @@ static int netvsc_open(struct net_device *net)
}
rdev = nvdev->extension;
- if (!rdev->link_state)
+ if (!rdev->link_state) {
netif_carrier_on(net);
+ netif_tx_wake_all_queues(net);
+ }
if (vf_netdev) {
/* Setting synthetic device up transparently sets
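Review bot: `netif_tx_wake_all_queues(net)` is only issued in the `!rdev->link_state` branch of netvsc_open(). If the link is down at open time the queues stay stopped; confirm that the link-change path that later calls netif_carrier_on() also wakes the TX queues, otherwise the same symptom recurs for an ifup done while the link is down. A one-line comment explaining why the wake is needed after the common detach refactor would help future readers.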
--
2.17.1


@ -1,87 +0,0 @@
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu, 7 Jun 2018 13:39:49 -0700
Subject: socket: close race condition between sock_close() and
sockfs_setattr()
Origin: https://git.kernel.org/linus/6d8c50dcb029872b298eea68cc6209c866fd3e14
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12232
fchownat() doesn't even hold refcnt of fd until it figures out
fd is really needed (otherwise it is ignored) and releases it after
it resolves the path. This means sock_close() could race with
sockfs_setattr(), which leads to a NULL pointer dereference
since typically we set sock->sk to NULL in ->release().
As pointed out by Al, this is unique to sockfs. So we can fix this
in socket layer by acquiring inode_lock in sock_close() and
checking against NULL in sockfs_setattr().
sock_release() is called in many places, only the sock_close()
path matters here. And fortunately, this should not affect normal
sock_close() as it is only called when the last fd refcnt is gone.
It only affects sock_close() with a parallel sockfs_setattr() in
progress, which is not common.
Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Reported-by: shankarapailoor <shankarapailoor@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/socket.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
--- a/net/socket.c
+++ b/net/socket.c
@@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry
if (!err && (iattr->ia_valid & ATTR_UID)) {
struct socket *sock = SOCKET_I(d_inode(dentry));
- sock->sk->sk_uid = iattr->ia_uid;
+ if (sock->sk)
+ sock->sk->sk_uid = iattr->ia_uid;
+ else
+ err = -ENOENT;
}
return err;
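Review bot: the `if (sock->sk) ... else err = -ENOENT;` test is only race-free because sockfs_setattr() runs with the inode lock held by the VFS and the release side now takes that same lock around `sock->ops->release()`; add a one-line comment here saying so, otherwise the NULL check reads like an ordinary defensive test that a later cleanup might drop. Also worth a sentence in the commit message on why -ENOENT is the errno chosen for "socket already closed".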
@@ -586,12 +589,16 @@ EXPORT_SYMBOL(sock_alloc);
* an inode not a file.
*/
-void sock_release(struct socket *sock)
+static void __sock_release(struct socket *sock, struct inode *inode)
{
if (sock->ops) {
struct module *owner = sock->ops->owner;
+ if (inode)
+ inode_lock(inode);
sock->ops->release(sock);
+ if (inode)
+ inode_unlock(inode);
sock->ops = NULL;
module_put(owner);
}
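Review bot: `__sock_release(struct socket *sock, struct inode *inode)` holds the inode lock only around `sock->ops->release(sock)`; `sock->ops = NULL` and `module_put(owner)` happen after `inode_unlock(inode)`, which is fine because sockfs_setattr() only reads `sock->sk`. Please document the `inode` argument (NULL for callers that do not own the socket inode) in a comment above the function, since the wrapper/caller split is not obvious from the signature alone.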
@@ -605,6 +612,11 @@ void sock_release(struct socket *sock)
}
sock->file = NULL;
}
+
+void sock_release(struct socket *sock)
+{
+ __sock_release(sock, NULL);
+}
EXPORT_SYMBOL(sock_release);
void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags)
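Review bot: the kerneldoc block ending in `* an inode not a file.` still describes sock_release(), which is now a thin wrapper doing `__sock_release(sock, NULL)`; move the description to __sock_release() and note on the wrapper that it does not take the inode lock.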
@@ -1146,7 +1158,7 @@ static int sock_mmap(struct file *file,
static int sock_close(struct inode *inode, struct file *filp)
{
- sock_release(SOCKET_I(inode));
+ __sock_release(SOCKET_I(inode), inode);
return 0;
}
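Review bot: sock_close() now calls `__sock_release(SOCKET_I(inode), inode)` and therefore takes inode_lock on the fput path; record in the commit message or a comment that this path is entered with no inode lock held, so there is no nesting or ordering concern with the VFS callers of sockfs_setattr().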


@ -1,36 +0,0 @@
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Sat, 12 May 2018 00:33:10 +0300
Subject: vhost: fix info leak due to uninitialized memory
Origin: https://git.kernel.org/linus/670ae9caaca467ea1bfd325cb2a5c98ba87f94ad
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1118
struct vhost_msg within struct vhost_msg_node is copied to userspace.
Unfortunately it turns out on 64 bit systems vhost_msg has padding after
type which gcc doesn't initialize, leaking 4 uninitialized bytes to
userspace.
This padding also unfortunately means 32 bit users of this interface are
broken on a 64 bit kernel which will need to be fixed separately.
Fixes: CVE-2018-1118
Cc: stable@vger.kernel.org
Reported-by: Kevin Easton <kevin@guarana.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
drivers/vhost/vhost.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(str
struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
if (!node)
return NULL;
+
+ /* Make sure all padding within the structure is initialized. */
+ memset(&node->msg, 0, sizeof node->msg);
node->vq = vq;
node->msg.type = type;
return node;
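Review bot: `memset(&node->msg, 0, sizeof node->msg);` clears only the padding inside `msg`; the simpler and more robust fix is to allocate with `kzalloc(sizeof *node, GFP_KERNEL)` so the whole `vhost_msg_node` (including any padding around `vq`) starts zeroed and a later field reordering cannot reopen the leak. Either way, the comment above the memset should say that the 4 padding bytes after `type` on 64-bit are what reach userspace.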

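The vhost commit message above says the leak comes from compiler-inserted padding after `type` that a field-by-field initialisation never touches. The following C program is an added illustration of that mechanism, not code from the patch or from the kernel: it uses a constructed stand-in for the vhost_msg layout (a 32-bit `type` followed by a union with 8-byte-aligned members), pre-fills the memory with a poison byte to play the role of stale heap contents, and counts how many bytes survive with and without the explicit memset the patch adds. It assumes a 64-bit target; the struct and field names are illustrative only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed stand-in for the vhost_msg layout described in the commit
 * message (not the kernel's own definition): a 32-bit type field followed
 * by a union whose members need 8-byte alignment. On a 64-bit target the
 * compiler inserts 4 bytes of padding between `type` and the union.
 */
struct demo_iotlb_msg {
	uint64_t iova;
	uint64_t size;
	uint64_t uaddr;
	uint8_t perm;
	uint8_t type;
};

struct demo_msg {
	int type;
	union {
		struct demo_iotlb_msg iotlb;
		uint8_t padding[64];
	};
};

/* Overlay so the same bytes can be inspected as raw memory. */
union demo_node {
	struct demo_msg msg;
	unsigned char raw[sizeof(struct demo_msg)];
};

#define POISON 0xA5	/* stands in for stale heap contents left by kmalloc() */

/* Padding bytes between the end of `type` and the start of the union. */
size_t demo_padding_after_type(void)
{
	return offsetof(struct demo_msg, iotlb) - sizeof(int);
}

/* Count bytes that still hold POISON, i.e. bytes that would be copied
 * to userspace without ever having been initialised. */
static size_t count_poison(const union demo_node *n)
{
	size_t leaked = 0;

	for (size_t i = 0; i < sizeof n->raw; i++)
		if (n->raw[i] == POISON)
			leaked++;
	return leaked;
}

/* Field-by-field initialisation only: the pre-fix pattern. The values are
 * arbitrary sample data. */
static void init_fields(union demo_node *n)
{
	n->msg.type = 1;
	n->msg.iotlb.iova = 0x1000;
	n->msg.iotlb.size = 0x1000;
	n->msg.iotlb.uaddr = 0x7f0000000000ULL;
	n->msg.iotlb.perm = 1;
	n->msg.iotlb.type = 2;
}

/* Pre-fix behaviour: bytes the stores never touched keep their stale value. */
size_t demo_leaked_bytes_without_memset(void)
{
	union demo_node n;

	memset(n.raw, POISON, sizeof n.raw);
	init_fields(&n);
	return count_poison(&n);
}

/* Post-fix behaviour: zeroing the whole struct first, as the patch does,
 * clears the padding as well as the members. */
size_t demo_leaked_bytes_with_memset(void)
{
	union demo_node n;

	memset(n.raw, POISON, sizeof n.raw);
	memset(&n.msg, 0, sizeof n.msg);	/* the line the patch adds */
	init_fields(&n);
	return count_poison(&n);
}

int main(void)
{
	printf("padding after type:        %zu bytes\n", demo_padding_after_type());
	printf("stale bytes without memset: %zu\n", demo_leaked_bytes_without_memset());
	printf("stale bytes with memset:    %zu\n", demo_leaked_bytes_with_memset());
	return 0;
}
```

On a 64-bit build the padding after `type` is 4 bytes, matching the "4 uninitialized bytes" the commit message describes; the remaining stale bytes come from the unused tail of the union, which the same memset also covers. Reading the padding through an `unsigned char` overlay is what makes the count well defined here; in the kernel the equivalent observer is the copy_to_user() of the whole struct.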

@ -91,7 +91,6 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
bugfix/all/i40e-build-for-64-bit-targets-only.patch
bugfix/all/ib-fix-rdma_rxe-and-infiniband_rdmavt-dependencies-f.patch
bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch
# Miscellaneous features
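Review bot: the dropped `bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch` carried no `Origin:` line, unlike the security patches below; its header only has the `From 52acf73b6e9a6962045feb2ba5a8921da2201915` id. Record the upstream 4.17.3 commit it was superseded by in the commit message, otherwise a later reviewer cannot verify from this diff that the fix really is in the new upstream.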
@ -131,11 +130,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch
bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch
bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch
bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch
bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch
bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch
# Fix exported symbol versions
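Review bot: after this removal the `# Security fixes` section keeps `debian/i386-686-pae-pci-set-pci-nobios-by-default.patch` and `bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch`. The five removed files all carry `Origin:` lines naming upstream commits (eb9b5f01c33a, 8a2b307c21d4, 117166efb1ee, 6d8c50dcb029, 670ae9caaca4) whose subjects appear under the 4.17.3 update in debian/changelog, so the drop is traceable; keep the vbox patch until CVE-2018-12633 appears in a stable changelog.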