diff --git a/debian/changelog b/debian/changelog index 392ff606b..5a266c016 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,71 @@ -linux (4.17.2-1) UNRELEASED; urgency=medium +linux (4.17.3-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.3 + - net: aquantia: fix unsigned numvecs comparison with less than zero + - bonding: re-evaluate force_primary when the primary slave name changes + - cdc_ncm: avoid padding beyond end of skb + - ipv6: allow PMTU exceptions to local routes + - [armhf,arm64] net: dsa: add error handling for pskb_trim_rcsum + - net/sched: act_simple: fix parsing of TCA_DEF_DATA + - tcp: verify the checksum of the first data segment in a new connection + - socket: close race condition between sock_close() and sockfs_setattr() + (CVE-2018-12232) + - udp: fix rx queue len reported by diag and proc interface + - net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds + vlan + - ACPICA: AML parser: attempt to continue loading table after error + - ext4: fix hole length detection in ext4_ind_map_blocks() + - ext4: update mtime in ext4_punch_hole even if no blocks are released + - ext4: do not allow external inodes for inline data (CVE-2018-11412) + - ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() + - ext4: correctly handle a zero-length xattr with a non-zero e_value_offs + (CVE-2018-10840) + - ext4: fix fencepost error in check for inode count overflow during resize + - driver core: Don't ignore class_dir_create_and_add() failure. + - Btrfs: allow empty subvol= again + - Btrfs: fix clone vs chattr NODATASUM race + - Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() + - btrfs: return error value if create_io_em failed in cow_file_range + - btrfs: scrub: Don't use inode pages for device replace + - ALSA: usb-audio: Disable the quirk for Nura headset + - ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() + - [x86] MCE: Fix stack out-of-bounds write in mce-inject.c: Flags_read() + - smb3: fix various xid leaks + - smb3: on reconnect set PreviousSessionId field + - CIFS: 511c54a2f69195b28afb9dd119f03787b1625bb4 adds a check for session + expiry + - cifs: For SMB2 security informaion query, check for minimum sized + security descriptor instead of sizeof FileAllInformation class + - nbd: fix nbd device deletion + - nbd: update size when connected + - nbd: use bd_set_size when updating disk size + - blk-mq: reinit q->tag_set_list entry only after grace period + - bdi: Move cgroup bdi_writeback to a dedicated low concurrency workqueue + - cpufreq: Fix new policy initialization during limits updates via sysfs + - cpufreq: governors: Fix long idle detection logic in load calculation + - libata: zpodd: small read overflow in eject_tray() + - libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk + - nvme/pci: Sync controller reset for AER slot_reset + - [x86] vector: Fix the args of vector_alloc tracepoint + - [x86] apic/vector: Prevent hlist corruption and leaks + - [x86] apic: Provide apic_ack_irq() + - [x86] ioapic: Use apic_ack_irq() + - [x86] platform/uv: Use apic_ack_irq() + - irq_remapping: Use apic_ack_irq() + - genirq/generic_pending: Do not lose pending affinity update + - genirq/affinity: Defer affinity setting if irq chip is busy + - genirq/migration: Avoid out of line call if pending is not set + - [x86] intel_rdt: Enable CMT and MBM on new Skylake stepping + - media: uvcvideo: Prevent setting unavailable flags + - media: rc: ensure input/lirc device can be opened after register + - iwlwifi: fw: harden page loading code + - [x86] HID: intel_ish-hid: ipc: register more pm callbacks to support + hibernation + - HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large + - vhost: fix info leak due to uninitialized memory (CVE-2018-1118) + - fs/binfmt_misc.c: do not allow offset overflow + - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset [ Ben Hutchings ] * [amd64,arm64,armhf] android: Build modules to support Anbox @@ -11,13 +78,6 @@ linux (4.17.2-1) UNRELEASED; urgency=medium * [mips*] Increase RELOCATION_TABLE_SIZE to 0x00140000 (fixes FTBFS) * Set ABI to 1 * [x86,arm64] Disable code signing for upload to unstable - * vhost: fix info leak due to uninitialized memory (CVE-2018-1118) - * ext4: correctly handle a zero-length xattr with a non-zero e_value_offs - (CVE-2018-10840) - * ext4: do not allow external inodes for inline data (CVE-2018-11412) - * ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() - * socket: close race condition between sock_close() and sockfs_setattr() - (CVE-2018-12232) * [x86] virt: vbox: Only copy_from_user the request-header once (CVE-2018-12633) * [x86] vboxguest: Enable VBOXGUEST and DRM_VBOXVIDEO as modules diff --git a/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch b/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch deleted file mode 100644 index 33dbe382e..000000000 --- a/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch +++ /dev/null @@ -1,61 +0,0 @@ -From: Theodore Ts'o -Date: Tue, 22 May 2018 17:14:07 -0400 -Subject: ext4: bubble errors from ext4_find_inline_data_nolock() up to - ext4_iget() -Origin: https://git.kernel.org/linus/eb9b5f01c33adebc31cbc236c02695f605b0e417 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412 - -If ext4_find_inline_data_nolock() returns an error it needs to get -reflected up to ext4_iget(). In order to fix this, -ext4_iget_extra_inode() needs to return an error (and not return -void). - -This is related to "ext4: do not allow external inodes for inline -data" (which fixes CVE-2018-11412) in that in the errors=continue -case, it would be useful to for userspace to receive an error -indicating that file system is corrupted. - -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger -Cc: stable@kernel.org ---- - fs/ext4/inode.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -4701,19 +4701,21 @@ static blkcnt_t ext4_inode_blocks(struct - } - } - --static inline void ext4_iget_extra_inode(struct inode *inode, -+static inline int ext4_iget_extra_inode(struct inode *inode, - struct ext4_inode *raw_inode, - struct ext4_inode_info *ei) - { - __le32 *magic = (void *)raw_inode + - EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize; -+ - if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <= - EXT4_INODE_SIZE(inode->i_sb) && - *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { - ext4_set_inode_state(inode, EXT4_STATE_XATTR); -- ext4_find_inline_data_nolock(inode); -+ return ext4_find_inline_data_nolock(inode); - } else - EXT4_I(inode)->i_inline_off = 0; -+ return 0; - } - - int ext4_get_projid(struct inode *inode, kprojid_t *projid) -@@ -4893,7 +4895,9 @@ struct inode *ext4_iget(struct super_blo - ei->i_extra_isize = sizeof(struct ext4_inode) - - EXT4_GOOD_OLD_INODE_SIZE; - } else { -- ext4_iget_extra_inode(inode, raw_inode, ei); -+ ret = ext4_iget_extra_inode(inode, raw_inode, ei); -+ if (ret) -+ goto bad_inode; - } - } - diff --git a/debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch b/debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch deleted file mode 100644 index 623ffc0b6..000000000 --- a/debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Theodore Ts'o -Date: Wed, 23 May 2018 11:31:03 -0400 -Subject: ext4: correctly handle a zero-length xattr with a non-zero - e_value_offs -Origin: https://git.kernel.org/linus/8a2b307c21d4b290e3cbe33f768f194286d07c23 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10840 - -Ext4 will always create ext4 extended attributes which do not have a -value (where e_value_size is zero) with e_value_offs set to zero. In -most places e_value_offs will not be used in a substantive way if -e_value_size is zero. - -There was one exception to this, which is in ext4_xattr_set_entry(), -where if there is a maliciously crafted file system where there is an -extended attribute with e_value_offs is non-zero and e_value_size is -0, the attempt to remove this xattr will result in a negative value -getting passed to memmove, leading to the following sadness: - -[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null) -[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000 -[ 44.538733] IP: __memmove+0x81/0x1a0 -[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1 -[ 44.538793] Oops: 0003 [#1] SMP PTI -[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1 - ... -[ 44.539475] Call Trace: -[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80 - ... -[ 44.539972] ext4_xattr_block_set+0x212/0xea0 - ... -[ 44.540041] ext4_xattr_set_handle+0x514/0x610 -[ 44.540065] ext4_xattr_set+0x7f/0x120 -[ 44.540090] __vfs_removexattr+0x4d/0x60 -[ 44.540112] vfs_removexattr+0x75/0xe0 -[ 44.540132] removexattr+0x4d/0x80 - ... -[ 44.540279] path_removexattr+0x91/0xb0 -[ 44.540300] SyS_removexattr+0xf/0x20 -[ 44.540322] do_syscall_64+0x71/0x120 -[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86 - -https://bugzilla.kernel.org/show_bug.cgi?id=199347 - -This addresses CVE-2018-10840. - -Reported-by: "Xu, Wen" -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger -Cc: stable@kernel.org -Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication") ---- - fs/ext4/xattr.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct e - - /* No failures allowed past this point. */ - -- if (!s->not_found && here->e_value_offs) { -+ if (!s->not_found && here->e_value_size && here->e_value_offs) { - /* Remove the old value. */ - void *first_val = s->base + min_offs; - size_t offs = le16_to_cpu(here->e_value_offs); diff --git a/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch b/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch deleted file mode 100644 index bb65b21b0..000000000 --- a/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Theodore Ts'o -Date: Tue, 22 May 2018 16:15:24 -0400 -Subject: ext4: do not allow external inodes for inline data -Origin: https://git.kernel.org/linus/117166efb1ee8f13c38f9e96b258f16d4923f888 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412 - -The inline data feature was implemented before we added support for -external inodes for xattrs. It makes no sense to support that -combination, but the problem is that there are a number of extended -attribute checks that are skipped if e_value_inum is non-zero. - -Unfortunately, the inline data code is completely e_value_inum -unaware, and attempts to interpret the xattr fields as if it were an -inline xattr --- at which point, Hilarty Ensues. - -This addresses CVE-2018-11412. - -https://bugzilla.kernel.org/show_bug.cgi?id=199803 - -Reported-by: Jann Horn -Reviewed-by: Andreas Dilger -Signed-off-by: Theodore Ts'o -Fixes: e50e5129f384 ("ext4: xattr-in-inode support") -Cc: stable@kernel.org ---- - fs/ext4/inline.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/fs/ext4/inline.c -+++ b/fs/ext4/inline.c -@@ -144,6 +144,12 @@ int ext4_find_inline_data_nolock(struct - goto out; - - if (!is.s.not_found) { -+ if (is.s.here->e_value_inum) { -+ EXT4_ERROR_INODE(inode, "inline data xattr refers " -+ "to an external xattr inode"); -+ error = -EFSCORRUPTED; -+ goto out; -+ } - EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here - - (void *)ext4_raw_inode(&is.iloc)); - EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE + diff --git a/debian/patches/bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch b/debian/patches/bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch deleted file mode 100644 index b5a97511d..000000000 --- a/debian/patches/bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 52acf73b6e9a6962045feb2ba5a8921da2201915 Mon Sep 17 00:00:00 2001 -From: Dexuan Cui -Date: Wed, 6 Jun 2018 21:32:51 +0000 -Subject: [PATCH] hv_netvsc: Fix a network regression after ifdown/ifup - -Recently people reported the NIC stops working after -"ifdown eth0; ifup eth0". It turns out in this case the TX queues are not -enabled, after the refactoring of the common detach logic: when the NIC -has sub-channels, usually we enable all the TX queues after all -sub-channels are set up: see rndis_set_subchannel() -> -netif_device_attach(), but in the case of "ifdown eth0; ifup eth0" where -the number of channels doesn't change, we also must make sure the TX queues -are enabled. The patch fixes the regression. - -Fixes: 7b2ee50c0cd5 ("hv_netvsc: common detach logic") -Signed-off-by: Dexuan Cui -Cc: Stephen Hemminger -Cc: K. Y. Srinivasan -Cc: Haiyang Zhang -Signed-off-by: David S. Miller ---- - drivers/net/hyperv/netvsc_drv.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c -index bef4d55a108c..8eec156418ea 100644 ---- a/drivers/net/hyperv/netvsc_drv.c -+++ b/drivers/net/hyperv/netvsc_drv.c -@@ -127,8 +127,10 @@ static int netvsc_open(struct net_device *net) - } - - rdev = nvdev->extension; -- if (!rdev->link_state) -+ if (!rdev->link_state) { - netif_carrier_on(net); -+ netif_tx_wake_all_queues(net); -+ } - - if (vf_netdev) { - /* Setting synthetic device up transparently sets --- -2.17.1 - diff --git a/debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch b/debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch deleted file mode 100644 index 1c8c8e56b..000000000 --- a/debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch +++ /dev/null @@ -1,87 +0,0 @@ -From: Cong Wang -Date: Thu, 7 Jun 2018 13:39:49 -0700 -Subject: socket: close race condition between sock_close() and - sockfs_setattr() -Origin: https://git.kernel.org/linus/6d8c50dcb029872b298eea68cc6209c866fd3e14 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12232 - -fchownat() doesn't even hold refcnt of fd until it figures out -fd is really needed (otherwise is ignored) and releases it after -it resolves the path. This means sock_close() could race with -sockfs_setattr(), which leads to a NULL pointer dereference -since typically we set sock->sk to NULL in ->release(). - -As pointed out by Al, this is unique to sockfs. So we can fix this -in socket layer by acquiring inode_lock in sock_close() and -checking against NULL in sockfs_setattr(). - -sock_release() is called in many places, only the sock_close() -path matters here. And fortunately, this should not affect normal -sock_close() as it is only called when the last fd refcnt is gone. -It only affects sock_close() with a parallel sockfs_setattr() in -progress, which is not common. - -Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") -Reported-by: shankarapailoor -Cc: Tetsuo Handa -Cc: Lorenzo Colitti -Cc: Al Viro -Signed-off-by: Cong Wang -Signed-off-by: David S. Miller ---- - net/socket.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - ---- a/net/socket.c -+++ b/net/socket.c -@@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry - if (!err && (iattr->ia_valid & ATTR_UID)) { - struct socket *sock = SOCKET_I(d_inode(dentry)); - -- sock->sk->sk_uid = iattr->ia_uid; -+ if (sock->sk) -+ sock->sk->sk_uid = iattr->ia_uid; -+ else -+ err = -ENOENT; - } - - return err; -@@ -586,12 +589,16 @@ EXPORT_SYMBOL(sock_alloc); - * an inode not a file. - */ - --void sock_release(struct socket *sock) -+static void __sock_release(struct socket *sock, struct inode *inode) - { - if (sock->ops) { - struct module *owner = sock->ops->owner; - -+ if (inode) -+ inode_lock(inode); - sock->ops->release(sock); -+ if (inode) -+ inode_unlock(inode); - sock->ops = NULL; - module_put(owner); - } -@@ -605,6 +612,11 @@ void sock_release(struct socket *sock) - } - sock->file = NULL; - } -+ -+void sock_release(struct socket *sock) -+{ -+ __sock_release(sock, NULL); -+} - EXPORT_SYMBOL(sock_release); - - void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags) -@@ -1146,7 +1158,7 @@ static int sock_mmap(struct file *file, - - static int sock_close(struct inode *inode, struct file *filp) - { -- sock_release(SOCKET_I(inode)); -+ __sock_release(SOCKET_I(inode), inode); - return 0; - } - diff --git a/debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch b/debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch deleted file mode 100644 index 86ed3b396..000000000 --- a/debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Sat, 12 May 2018 00:33:10 +0300 -Subject: vhost: fix info leak due to uninitialized memory -Origin: https://git.kernel.org/linus/670ae9caaca467ea1bfd325cb2a5c98ba87f94ad -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1118 - -struct vhost_msg within struct vhost_msg_node is copied to userspace. -Unfortunately it turns out on 64 bit systems vhost_msg has padding after -type which gcc doesn't initialize, leaking 4 uninitialized bytes to -userspace. - -This padding also unfortunately means 32 bit users of this interface are -broken on a 64 bit kernel which will need to be fixed separately. - -Fixes: CVE-2018-1118 -Cc: stable@vger.kernel.org -Reported-by: Kevin Easton -Signed-off-by: Michael S. Tsirkin -Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com -Signed-off-by: Michael S. Tsirkin ---- - drivers/vhost/vhost.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(str - struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); - if (!node) - return NULL; -+ -+ /* Make sure all padding within the structure is initialized. */ -+ memset(&node->msg, 0, sizeof node->msg); - node->vq = vq; - node->msg.type = type; - return node; diff --git a/debian/patches/series b/debian/patches/series index 8951afe46..6736bbfa8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -91,7 +91,6 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch debian/revert-objtool-fix-config_stack_validation-y-warning.patch bugfix/all/i40e-build-for-64-bit-targets-only.patch bugfix/all/ib-fix-rdma_rxe-and-infiniband_rdmavt-dependencies-f.patch -bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch # Miscellaneous features @@ -131,11 +130,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch -bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch -bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch -bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch -bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch # Fix exported symbol versions