Update to 4.18.12

This updates to 4.18.12, including removal of applied upstream patches.
This also disables rt until 4.18.12-rt7 is integrated to this package

debian/changelog

@@ -1,4 +1,4 @@
-linux (4.18.11-1) UNRELEASED; urgency=medium
+linux (4.18.12-1) UNRELEASED; urgency=medium
 
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
@@ -82,6 +82,187 @@ linux (4.18.11-1) UNRELEASED; urgency=medium
     - sched/fair: Fix vruntime_normalized() for remote non-migration wakeup
     - [x86] vmw_balloon: include asm/io.h
     - iw_cxgb4: only allow 1 flush on user qps
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.12
+    - tsl2550: fix lux1_input error in low light
+    - vmci: type promotion bug in qp_host_get_user_memory()
+    - [x86] numa_emulation: Fix emulated-to-physical node mapping
+    - staging: rts5208: fix missing error check on call to rtsx_write_register
+    - [armhf] power: supply: axp288_charger: Fix initial
+      constant_charge_current value
+    - [sh4] serial: sh-sci: Stop RX FIFO timer during port shutdown
+    - [arm64] power: vexpress: fix corruption in notifier registration
+    - [x86] iommu/amd: make sure TLB to be flushed before IOVA freed
+    - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
+    - USB: serial: kobil_sct: fix modem-status error handling
+    - 6lowpan: iphc: reset mac_header after decompress to fix panic
+    - [s390x] mm: correct allocate_pgste proc_handler callback
+    - power: remove possible deadlock when unregistering power_supply
+    - cxgb4: Fix the condition to check if the card is T5
+    - RDMA/bnxt_re: Fix a couple off by one bugs
+    - RDMA/i40w: Hold read semaphore while looking after VMA
+    - RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c
+    - IB/core: type promotion bug in rdma_rw_init_one_mr()
+    - IB/mlx4: Test port number before querying type.
+    - vhost_net: Avoid tx vring kicks during busyloop
+    - IB/mlx5: Fix GRE flow specification
+    - include/rdma/opa_addr.h: Fix an endianness issue
+    - x86/tsc: Add missing header to tsc_msr.c
+    - ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
+    - [x86] entry/64: Add two more instruction suffixes
+    - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
+      buffer size
+    - scsi: klist: Make it safe to use klists in atomic context
+    - [powerpc*] scsi: ibmvscsi: Improve strings handling
+    - scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion
+    - usb: wusbcore: security: cast sizeof to int for comparison
+    - ath10k: sdio: use same endpoint id for all packets in a bundle
+    - ath10k: sdio: set skb len for all rx packets
+    - [powerpc*] powerpc/powernv/ioda2: Reduce upper limit for DMA window size
+    - [x86] platform/x86: asus-wireless: Fix uninitialized symbol usage
+    - [x86] ACPI / button: increment wakeup count only when notified
+    - alarmtimer: Prevent overflow for relative nanosleep
+    - [s390x] s390/dasd: correct numa_node in dasd_alloc_queue
+    - [s390x] s390/scm_blk: correct numa_node in scm_blk_dev_setup
+    - posix-timers: Make forward callback return s64
+    - posix-timers: Sanitize overrun handling
+    - [powerpc*] ALSA: snd-aoa: add of_node_put() in error path
+    - ath10k: use locked skb_dequeue for rx completions
+    - [armhf] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial
+      data
+    - staging: android: ashmem: Fix mmap size validation
+    - staging: mt7621-eth: Fix memory leak in mtk_add_mac() error path
+    - [powerpc*, x86, alpha, m68k, hppa] drivers/tty: add error handling for
+      pcmcia_loop_config
+    - [arm64] dts: renesas: salvator-common: Fix adv7482 decimal unit addresses
+    - [x86] media: tm6000: add error handling for dvb_register_adapter
+    - [powerpc*, mips*, arm64, x86, alpha] ALSA: hda: Add AZX_DCAPS_PM_RUNTIME
+      for AMD Raven Ridge
+    - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
+    - [armhf] drm/sun4i: Enable DW HDMI PHY clock
+    - [armhf] drm/sun4i: Fix releasing node when enumerating enpoints
+    - ath10k: transmit queued frames after processing rx packets
+    - mt76x2: fix mrr idx/count estimation in mt76x2_mac_fill_tx_status()
+    - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
+    - brcmsmac: fix wrap around in conversion from constant to s16
+    - bitfield: fix *_encode_bits()
+    - [arm64]wlcore: Add missing PM call for
+      wlcore_cmd_wait_for_event_or_timeout()
+    - [armhf] drm/omap: gem: Fix mm_list locking
+    - [armhf] mvebu: declare asm symbols as character arrays in pmsu.c
+    - RDMA/uverbs: Don't overwrite NULL pointer with ZERO_SIZE_PTR
+    - HID: hid-ntrig: add error handling for sysfs_create_group
+    - [x86] HID: i2c-hid: Use devm to allocate i2c_hid struct
+    - [arm64] dts: renesas: Fix VSPD registers range
+    - drm/v3d: Take a lock across GPU scheduler job creation and queuing.
+    - scsi: bnx2i: add error handling for ioremap_nocache
+    - [arm64] scsi: hisi_sas: Fix the conflict between dev gone and host reset
+    - [armhf] spi: orion: fix CS GPIO handling again
+    - scsi: megaraid_sas: Update controller info during resume
+    - [x86] ASoC: Intel: bytcr_rt5640: Fix Acer Iconia 8 over-current detect
+      threshold
+    - [x86] EDAC, i7core: Fix memleaks and use-after-free on probe and remove
+    - [x86, arm64, armhf] ASoC: dapm: Fix potential DAI widget pointer deref
+      when linking DAIs
+    - module: exclude SHN_UNDEF symbols from kallsyms api
+    - nfsd: fix corrupted reply to badly ordered compound
+    - [mips*, arm64, x86] EDAC: Fix memleak in module init error path
+    - ath10k: fix incorrect size of dma_free_coherent in
+      ath10k_ce_alloc_src_ring_64
+    - ath10k: snoc: use correct bus-specific pointer in RX retry
+    - fs/lock: skip lock owner pid translation in case we are in init_pid_ns
+    - ath10k: fix memory leak of tpc_stats
+    - Input: xen-kbdfront - fix multi-touch XenStore node's locations
+    - drm/vc4: Add missing formats to vc4_format_mod_supported().
+    - [armhf] ARM: dts: dra7: fix DCAN node addresses
+    - drm/vc4: plane: Expand the lower bits by repeating the higher bits
+    - floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+    - block: fix deadline elevator drain for zoned block devices
+    - [x86] mm: Expand static page table for fixmap space
+    - [armhf] serial: imx: restore handshaking irq for imx1
+    - [arm64] serial: mvebu-uart: Fix reporting of effective CSIZE to userspace
+    - [x86] intel_th: Fix device removal logic
+    - [x86] intel_th: Fix resource handling for ACPI glue layer
+    - spi: tegra20-slink: explicitly enable/disable clock
+    - [mips*, 'arm64', x86, armhf] regulator: fix crash caused by null driver
+      data
+    - [mips*, 'arm64', x86, armhf] regulator: Fix 'do-nothing' value for
+      regulators without suspend state
+    - USB: fix error handling in usb_driver_claim_interface()
+    - USB: handle NULL config in usb_find_alt_setting()
+    - usb: core: safely deal with the dynamic quirk lists
+    - [armhf] usb: musb: dsps: do not disable CPPI41 irq in driver teardown
+    - USB: usbdevfs: sanitize flags more
+    - USB: usbdevfs: restore warning for nonsensical flags
+    - Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in
+      service_outstanding_interrupt()"
+    - USB: remove LPM management from usb_driver_claim_interface()
+    - uaccess: Fix is_source param for check_copy_size() in
+      copy_to_iter_mcsafe()
+    - filesystem-dax: Fix use of zero page
+    - Input: elantech - enable middle button of touchpad on ThinkPad P72
+    - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
+    - IB/hfi1: Fix SL array bounds check
+    - IB/hfi1: Invalid user input can result in crash
+    - IB/hfi1: Fix context recovery when PBC has an UnsupportedVL
+    - IB/hfi1: Fix destroy_qp hang after a link down
+    - [x86] ACPI / hotplug / PCI: Don't scan for non-hotplug bridges if slot
+      is not bridge
+    - RDMA/uverbs: Atomically flush and mark closed the comp event queue
+    - [arm64] KVM: Tighten guest core register access from userspace
+    - ARM: OMAP2+: Fix null hwmod for ti-sysc debug
+    - ARM: OMAP2+: Fix module address for modules using mpu_rt_idx
+    - bus: ti-sysc: Fix module register ioremap for larger offsets
+    - qed: Wait for ready indication before rereading the shmem
+    - qed: Wait for MCP halt and resume commands to take place
+    - qed: Prevent a possible deadlock during driver load and unload
+    - qed: Avoid sending mailbox commands when MFW is not responsive
+    - thermal: of-thermal: disable passive polling when thermal zone is disabled
+    - isofs: reject hardware sector size > 2048 bytes
+    - mmc: atmel-mci: fix bad logic of sg_copy_{from,to}_buffer conversion
+    - mmc: android-goldfish: fix bad logic of sg_copy_{from,to}_buffer
+      conversion
+    - bus: ti-sysc: Fix no_console_suspend handling
+    - [armhf] dts: omap4-droid4: fix vibrations on Droid 4
+    - bpf, sockmap: fix sock_hash_alloc and reject zero-sized keys
+    - bpf, sockmap: fix sock hash count in alloc_sock_hash_elem
+    - tls: possible hang when do_tcp_sendpages hits sndbuf is full case
+    - bpf: sockmap: write_space events need to be passed to TCP handler
+    - drm/amdgpu: fix VM clearing for the root PD
+    - drm/amdgpu: fix preamble handling
+    - amdgpu: fix multi-process hang issue
+    - net/ncsi: Fixup .dumpit message flags and ID check in Netlink handler
+    - tcp_bbr: add bbr_check_probe_rtt_done() helper
+    - tcp_bbr: in restart from idle, see if we should exit PROBE_RTT
+    - net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
+    - net: hns: fix skb->truesize underestimation
+    - tools: bpftool: return from do_event_pipe() on bad arguments
+    - e1000: check on netif_running() before calling e1000_up()
+    - e1000: ensure to free old tx/rx rings in set_ringparam()
+    - ixgbe: fix driver behaviour after issuing VFLR
+    - i40e: Fix for Tx timeouts when interface is brought up if DCB is enabled
+    - i40e: fix condition of WARN_ONCE for stat strings
+    - [arm64] crypto: cavium/nitrox - fix for command corruption in queue full
+      case with backlog submissions.
+    - hwmon: (ina2xx) fix sysfs shunt resistor read access
+    - hwmon: (adt7475) Make adt7475_read_word() return errors
+    - Revert "ARM: dts: imx7d: Invert legacy PCI irq mapping"
+    - drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode
+    - drm/amdgpu: Update power state at the end of smu hw_init.
+    - ata: ftide010: Add a quirk for SQ201
+    - nvme-fcloop: Fix dropped LS's to removed target port
+    - [armhf] dts: omap4-droid4: Fix emmc errors seen on some devices
+    - drm/amdgpu: Need to set moved to true when evict bo
+    - [arm64, armhf] smccc-1.1: Make return values unsigned long
+    - [arm64, armhf] smccc-1.1: Handle function result as parameters
+    - i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
+    - clk: x86: Set default parent to 48Mhz
+    - [x86] pti: Fix section mismatch warning/error
+    - [powerpc*] KVM: PPC: Book3S HV: Fix guest r11 corruption with POWER9 TM
+      workarounds
+    - [powerpc*] fix csum_ipv6_magic() on little endian platforms
+    - [powerpc*] pkeys: Fix reading of ibm, processor-storage-keys property
+    - [powerpc*] pseries: Fix unitialized timer reset on migration
+    - [arm64] KVM: Sanitize PSTATE.M when being set from userspace
 
   [ Ben Hutchings ]
   * linux-perf: Fix BPF feature detection

debian/config/defines

@@ -122,7 +122,7 @@ debug-info: true
 signed-code: false
 
 [featureset-rt_base]
-enabled: true
+enabled: false
 
 [description]
 part-long-up: This kernel is not suitable for SMP (multi-processor,

debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch

@@ -1,48 +0,0 @@
-From: Andy Whitcroft <apw@canonical.com>
-Date: Thu, 20 Sep 2018 09:09:48 -0600
-Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
-Origin: https://git.kernel.org/linus/65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7755
-
-The final field of a floppy_struct is the field "name", which is a pointer
-to a string in kernel memory.  The kernel pointer should not be copied to
-user memory.  The FDGETPRM ioctl copies a floppy_struct to user memory,
-including this "name" field.  This pointer cannot be used by the user
-and it will leak a kernel address to user-space, which will reveal the
-location of kernel code and data and undermine KASLR protection.
-
-Model this code after the compat ioctl which copies the returned data
-to a previously cleared temporary structure on the stack (excluding the
-name pointer) and copy out to userspace from there.  As we already have
-an inparam union with an appropriate member and that memory is already
-cleared even for read only calls make use of that as a temporary store.
-
-Based on an initial patch by Brian Belleville.
-
-CVE-2018-7755
-Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
-Broke up long line.
-
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
----
- drivers/block/floppy.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
-index 48f622728ce6..f2b6f4da1034 100644
---- a/drivers/block/floppy.c
-+++ b/drivers/block/floppy.c
-@@ -3467,6 +3467,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
- 					  (struct floppy_struct **)&outparam);
- 		if (ret)
- 			return ret;
-+		memcpy(&inparam.g, outparam,
-+				offsetof(struct floppy_struct, name));
-+		outparam = &inparam.g;
- 		break;
- 	case FDMSGON:
- 		UDP->flags |= FTD_MSG;
--- 
-2.11.0
-

debian/patches/bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch

@@ -1,58 +0,0 @@
-From: Marc Zyngier <marc.zyngier@arm.com>
-Date: Thu, 27 Sep 2018 16:53:22 +0100
-Subject: arm64: KVM: Sanitize PSTATE.M when being set from userspace
-Origin: https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18021
-
-Not all execution modes are valid for a guest, and some of them
-depend on what the HW actually supports. Let's verify that what
-userspace provides is compatible with both the VM settings and
-the HW capabilities.
-
-Cc: <stable@vger.kernel.org>
-Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu")
-Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
-Reviewed-by: Mark Rutland <mark.rutland@arm.com>
-Reviewed-by: Dave Martin <Dave.Martin@arm.com>
-Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
-Signed-off-by: Will Deacon <will.deacon@arm.com>
-[carnil: Backport for 4.18: Cherrypick directly commit from 4.18.12 /
-926415e1e4c9]
----
- arch/arm64/kvm/guest.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
-index 4a177629862b..d5c6bb1562d8 100644
---- a/arch/arm64/kvm/guest.c
-+++ b/arch/arm64/kvm/guest.c
-@@ -152,17 +152,25 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
- 	}
- 
- 	if (off == KVM_REG_ARM_CORE_REG(regs.pstate)) {
--		u32 mode = (*(u32 *)valp) & COMPAT_PSR_MODE_MASK;
-+		u64 mode = (*(u64 *)valp) & COMPAT_PSR_MODE_MASK;
- 		switch (mode) {
- 		case COMPAT_PSR_MODE_USR:
-+			if (!system_supports_32bit_el0())
-+				return -EINVAL;
-+			break;
- 		case COMPAT_PSR_MODE_FIQ:
- 		case COMPAT_PSR_MODE_IRQ:
- 		case COMPAT_PSR_MODE_SVC:
- 		case COMPAT_PSR_MODE_ABT:
- 		case COMPAT_PSR_MODE_UND:
-+			if (!vcpu_el1_is_32bit(vcpu))
-+				return -EINVAL;
-+			break;
- 		case PSR_MODE_EL0t:
- 		case PSR_MODE_EL1t:
- 		case PSR_MODE_EL1h:
-+			if (vcpu_el1_is_32bit(vcpu))
-+				return -EINVAL;
- 			break;
- 		default:
- 			err = -EINVAL;
--- 
-2.11.0
-

debian/patches/bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch

@@ -1,99 +0,0 @@
-From: Dave Martin <Dave.Martin@arm.com>
-Date: Thu, 27 Sep 2018 16:53:21 +0100
-Subject: arm64: KVM: Tighten guest core register access from userspace
-Origin: https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18021
-
-We currently allow userspace to access the core register file
-in about any possible way, including straddling multiple
-registers and doing unaligned accesses.
-
-This is not the expected use of the ABI, and nobody is actually
-using it that way. Let's tighten it by explicitly checking
-the size and alignment for each field of the register file.
-
-Cc: <stable@vger.kernel.org>
-Fixes: 2f4a07c5f9fe ("arm64: KVM: guest one-reg interface")
-Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
-Reviewed-by: Mark Rutland <mark.rutland@arm.com>
-Signed-off-by: Dave Martin <Dave.Martin@arm.com>
-[maz: rewrote Dave's initial patch to be more easily backported]
-Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
-Signed-off-by: Will Deacon <will.deacon@arm.com>
----
- arch/arm64/kvm/guest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 45 insertions(+)
-
-diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
-index 07256b08226c..3088463bafc1 100644
---- a/arch/arm64/kvm/guest.c
-+++ b/arch/arm64/kvm/guest.c
-@@ -57,6 +57,45 @@ static u64 core_reg_offset_from_id(u64 id)
- 	return id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_CORE);
- }
- 
-+static int validate_core_offset(const struct kvm_one_reg *reg)
-+{
-+	u64 off = core_reg_offset_from_id(reg->id);
-+	int size;
-+
-+	switch (off) {
-+	case KVM_REG_ARM_CORE_REG(regs.regs[0]) ...
-+	     KVM_REG_ARM_CORE_REG(regs.regs[30]):
-+	case KVM_REG_ARM_CORE_REG(regs.sp):
-+	case KVM_REG_ARM_CORE_REG(regs.pc):
-+	case KVM_REG_ARM_CORE_REG(regs.pstate):
-+	case KVM_REG_ARM_CORE_REG(sp_el1):
-+	case KVM_REG_ARM_CORE_REG(elr_el1):
-+	case KVM_REG_ARM_CORE_REG(spsr[0]) ...
-+	     KVM_REG_ARM_CORE_REG(spsr[KVM_NR_SPSR - 1]):
-+		size = sizeof(__u64);
-+		break;
-+
-+	case KVM_REG_ARM_CORE_REG(fp_regs.vregs[0]) ...
-+	     KVM_REG_ARM_CORE_REG(fp_regs.vregs[31]):
-+		size = sizeof(__uint128_t);
-+		break;
-+
-+	case KVM_REG_ARM_CORE_REG(fp_regs.fpsr):
-+	case KVM_REG_ARM_CORE_REG(fp_regs.fpcr):
-+		size = sizeof(__u32);
-+		break;
-+
-+	default:
-+		return -EINVAL;
-+	}
-+
-+	if (KVM_REG_SIZE(reg->id) == size &&
-+	    IS_ALIGNED(off, size / sizeof(__u32)))
-+		return 0;
-+
-+	return -EINVAL;
-+}
-+
- static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
- {
- 	/*
-@@ -76,6 +115,9 @@ static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
- 	    (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
- 		return -ENOENT;
- 
-+	if (validate_core_offset(reg))
-+		return -EINVAL;
-+
- 	if (copy_to_user(uaddr, ((u32 *)regs) + off, KVM_REG_SIZE(reg->id)))
- 		return -EFAULT;
- 
-@@ -98,6 +140,9 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
- 	    (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
- 		return -ENOENT;
- 
-+	if (validate_core_offset(reg))
-+		return -EINVAL;
-+
- 	if (KVM_REG_SIZE(reg->id) > sizeof(tmp))
- 		return -EINVAL;
- 
--- 
-2.11.0
-

debian/patches/series

@@ -142,9 +142,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
-bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
-bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch
-bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
 bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
 
 # Fix exported symbol versions