Update to 4.14.15
This commit is contained in:
parent
893c189290
commit
3a81855475
|
@ -1,4 +1,4 @@
|
|||
linux (4.14.14-1) UNRELEASED; urgency=medium
|
||||
linux (4.14.15-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.14
|
||||
|
@ -108,10 +108,97 @@ linux (4.14.14-1) UNRELEASED; urgency=medium
|
|||
- [x86] retpoline: Fill return stack buffer on vmexit
|
||||
- [x86] pti: Fix !PCID and sanitize defines
|
||||
- [x86] perf: Disable intel_bts when PTI
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.15
|
||||
- tools/objtool/Makefile: don't assume sync-check.sh is executable
|
||||
- objtool: Fix seg fault with clang-compiled objects
|
||||
- objtool: Fix Clang enum conversion warning
|
||||
- objtool: Fix seg fault caused by missing parameter
|
||||
- [powerpc*] pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
|
||||
- [powerpc*] 64: Add macros for annotating the destination of rfid/hrfid
|
||||
- [powerpc*] 64s: Simple RFI macro conversions
|
||||
- [powerpc*] 64: Convert the syscall exit path to use RFI_TO_USER/KERNEL
|
||||
- [powerpc*] 64: Convert fast_exception_return to use RFI_TO_USER/KERNEL
|
||||
- [powerpc*] 64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL
|
||||
- [powerpc*] 64s: Add support for RFI flush of L1-D cache
|
||||
- [powerpc*] 64s: Support disabling RFI flush with no_rfi_flush and nopti
|
||||
- [powerpc*] pseries: Query hypervisor for RFI flush settings
|
||||
- [powerpc*] powernv: Check device-tree for RFI flush settings
|
||||
- futex: Avoid violating the 10th rule of futex
|
||||
- futex: Prevent overflow by strengthen input validation
|
||||
- ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
|
||||
- ALSA: pcm: Remove yet superfluous WARN_ON()
|
||||
- ALSA: hda - Apply headphone noise quirk for another Dell XPS 13 variant
|
||||
- ALSA: hda - Apply the existing quirk to iMac 14,1
|
||||
- IB/hfi1: Prevent a NULL dereference
|
||||
- RDMA/mlx5: Fix out-of-bound access while querying AH
|
||||
- timers: Unconditionally check deferrable base
|
||||
- af_key: fix buffer overread in verify_address_len()
|
||||
- af_key: fix buffer overread in parse_exthdrs()
|
||||
- iser-target: Fix possible use-after-free in connection establishment
|
||||
error
|
||||
- delayacct: Account blkio completion on the correct task
|
||||
- objtool: Fix seg fault with gold linker
|
||||
- [armhf] mmc: sdhci-esdhc-imx: Fix i.MX53 eSDHCv3 clock
|
||||
- [x86] kasan: Panic if there is not enough memory to boot
|
||||
- [x86] retpoline: Fill RSB on context switch for affected CPUs
|
||||
- [x86] retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
|
||||
- objtool: Improve error message for bad file argument
|
||||
- [x86] cpufeature: Move processor tracing out of scattered features
|
||||
- module: Add retpoline tag to VERMAGIC
|
||||
- [x86] intel_rdt/cqm: Prevent use after free
|
||||
- [x86] mm/pkeys: Fix fill_sig_info_pkey
|
||||
- [x86] idt: Mark IDT tables __initconst
|
||||
- [x86] tsc: Future-proof native_calibrate_tsc()
|
||||
- [x86] tsc: Fix erroneous TSC rate on Skylake Xeon
|
||||
- pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
|
||||
- [x86] apic/vector: Fix off by one in error path
|
||||
- [x86] mm: Clean up register saving in the __enc_copy() assembly code
|
||||
- [x86] mm: Use a struct to reduce parameters for SME PGD mapping
|
||||
- [x86] mm: Centralize PMD flags in sme_encrypt_kernel()
|
||||
- [x86] mm: Prepare sme_encrypt_kernel() for PAGE aligned encryption
|
||||
- [armhf] OMAP3: hwmod_data: add missing module_offs for MMC3
|
||||
- [x86] mm: Encrypt the initrd earlier for BSP microcode update
|
||||
- Input: ALPS - fix multi-touch decoding on SS4 plus touchpads
|
||||
- Input: synaptics-rmi4 - prevent UAF reported by KASAN
|
||||
- [armhf] Input: twl6040-vibra - fix child-node lookup
|
||||
- [armhf] Input: twl4030-vibra - fix sibling-node lookup
|
||||
- tracing: Fix converting enum's from the map in trace_event_eval_update()
|
||||
- phy: work around 'phys' references to usb-nop-xceiv devices
|
||||
- [arm64] dts: marvell: armada-cp110: Fix clock resources for various node
|
||||
- [armhf] sunxi_defconfig: Enable CMA
|
||||
- [armel] dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
|
||||
- can: peak: fix potential bug in packet fragmentation
|
||||
- can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
|
||||
- can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
|
||||
- i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
|
||||
- proc: fix coredump vs read /proc/*/stat race
|
||||
- libata: apply MAX_SEC_1024 to all LITEON EP1 series devices
|
||||
- workqueue: avoid hard lockups in show_workqueue_state()
|
||||
- [x86] drm/vmwgfx: fix memory corruption with legacy/sou connectors
|
||||
- dm btree: fix serious bug in btree_split_beneath()
|
||||
- dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
|
||||
- dm integrity: don't store cipher request on the stack
|
||||
- dm crypt: fix crash by adding missing check for auth key size
|
||||
- dm crypt: wipe kernel key copy after IV initialization
|
||||
- dm crypt: fix error return code in crypt_ctr()
|
||||
- [x86] x86: Use __nostackprotect for sme_encrypt_kernel
|
||||
- [alpha] PCI: Fix noname IRQ level detection
|
||||
- [mips*] CM: Drop WARN_ON(vp != 0)
|
||||
- [arm*] KVM: Check pagesize when allocating a hugepage at Stage 2
|
||||
- [arm64] KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
|
||||
- [x86] mce: Make machine check speculation protected
|
||||
- retpoline: Introduce start/end markers of indirect thunk
|
||||
- [x86] kprobes: Blacklist indirect thunk functions for kprobes
|
||||
- [x86] kprobes: Disable optimizing on the function jumps to indirect
|
||||
thunk
|
||||
- [x86] retpoline: Optimize inline assembler for vmexit_fill_RSB
|
||||
- [x86] mm: Rework wbinvd, hlt operation in stop_this_cpu()
|
||||
- mm, page_vma_mapped: Drop faulty pointer arithmetics in check_pte()
|
||||
- [arm64, armhf] net: mvpp2: do not disable GMAC padding
|
||||
- [mips]: AR7: ensure the port type's FCR value is used
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
|
||||
* ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* bpf: Avoid ABI change in 4.14.14
|
||||
|
|
|
@ -1,64 +0,0 @@
|
|||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Tue, 9 Jan 2018 23:11:03 +0100
|
||||
Subject: ALSA: seq: Make ioctls race-free
|
||||
Origin: https://git.kernel.org/linus/b3defb791b26ea0683a93a4f49c77ec45ec96f10
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000004
|
||||
|
||||
The ALSA sequencer ioctls have no protection against racy calls while
|
||||
the concurrent operations may lead to interfere with each other. As
|
||||
reported recently, for example, the concurrent calls of setting client
|
||||
pool with a combination of write calls may lead to either the
|
||||
unkillable dead-lock or UAF.
|
||||
|
||||
As a slightly big hammer solution, this patch introduces the mutex to
|
||||
make each ioctl exclusive. Although this may reduce performance via
|
||||
parallel ioctl calls, usually it's not demanded for sequencer usages,
|
||||
hence it should be negligible.
|
||||
|
||||
Reported-by: Luo Quan <a4651386@163.com>
|
||||
Reviewed-by: Kees Cook <keescook@chromium.org>
|
||||
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/seq/seq_clientmgr.c | 3 +++
|
||||
sound/core/seq/seq_clientmgr.h | 1 +
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
|
||||
index 6e22eea72654..d01913404581 100644
|
||||
--- a/sound/core/seq/seq_clientmgr.c
|
||||
+++ b/sound/core/seq/seq_clientmgr.c
|
||||
@@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize)
|
||||
rwlock_init(&client->ports_lock);
|
||||
mutex_init(&client->ports_mutex);
|
||||
INIT_LIST_HEAD(&client->ports_list_head);
|
||||
+ mutex_init(&client->ioctl_mutex);
|
||||
|
||||
/* find free slot in the client table */
|
||||
spin_lock_irqsave(&clients_lock, flags);
|
||||
@@ -2130,7 +2131,9 @@ static long snd_seq_ioctl(struct file *file, unsigned int cmd,
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
+ mutex_lock(&client->ioctl_mutex);
|
||||
err = handler->func(client, &buf);
|
||||
+ mutex_unlock(&client->ioctl_mutex);
|
||||
if (err >= 0) {
|
||||
/* Some commands includes a bug in 'dir' field. */
|
||||
if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT ||
|
||||
diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h
|
||||
index c6614254ef8a..0611e1e0ed5b 100644
|
||||
--- a/sound/core/seq/seq_clientmgr.h
|
||||
+++ b/sound/core/seq/seq_clientmgr.h
|
||||
@@ -61,6 +61,7 @@ struct snd_seq_client {
|
||||
struct list_head ports_list_head;
|
||||
rwlock_t ports_lock;
|
||||
struct mutex ports_mutex;
|
||||
+ struct mutex ioctl_mutex;
|
||||
int convert32; /* convert 32->64bit */
|
||||
|
||||
/* output pool */
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
From: Rob Clark <robdclark@gmail.com>
|
||||
Date: Sat, 6 Jan 2018 10:59:41 -0500
|
||||
Subject: drm/nouveau/disp/gf119: add missing drive vfunc ptr
|
||||
Origin: https://git.kernel.org/linus/1b5c7ef3d0d0610bda9b63263f7c5b7178d11015
|
||||
Bug-Debian: https://bugs.debian.org/880660
|
||||
|
||||
Fixes broken dp on GF119:
|
||||
|
||||
Call Trace:
|
||||
? nvkm_dp_train_drive+0x183/0x2c0 [nouveau]
|
||||
nvkm_dp_acquire+0x4f3/0xcd0 [nouveau]
|
||||
nv50_disp_super_2_2+0x5d/0x470 [nouveau]
|
||||
? nvkm_devinit_pll_set+0xf/0x20 [nouveau]
|
||||
gf119_disp_super+0x19c/0x2f0 [nouveau]
|
||||
process_one_work+0x193/0x3c0
|
||||
worker_thread+0x35/0x3b0
|
||||
kthread+0x125/0x140
|
||||
? process_one_work+0x3c0/0x3c0
|
||||
? kthread_park+0x60/0x60
|
||||
ret_from_fork+0x25/0x30
|
||||
Code: Bad RIP value.
|
||||
RIP: (null) RSP: ffffb1e243e4bc38
|
||||
CR2: 0000000000000000
|
||||
|
||||
Fixes: af85389c614a drm/nouveau/disp: shuffle functions around
|
||||
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103421
|
||||
Signed-off-by: Rob Clark <robdclark@gmail.com>
|
||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
---
|
||||
drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
|
||||
index a2978a37b4f3..700fc754f28a 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
|
||||
@@ -174,6 +174,7 @@ gf119_sor = {
|
||||
.links = gf119_sor_dp_links,
|
||||
.power = g94_sor_dp_power,
|
||||
.pattern = gf119_sor_dp_pattern,
|
||||
+ .drive = gf119_sor_dp_drive,
|
||||
.vcpi = gf119_sor_dp_vcpi,
|
||||
.audio = gf119_sor_dp_audio,
|
||||
.audio_sym = gf119_sor_dp_audio_sym,
|
||||
--
|
||||
2.15.1
|
||||
|
|
@ -1,57 +0,0 @@
|
|||
From: Hannes Reinecke <hare@suse.de>
|
||||
Date: Wed, 10 Jan 2018 08:34:02 +0100
|
||||
Subject: Disable asynchronous aborts for SATA devices
|
||||
Origin: https://marc.info/?l=linux-scsi&m=151557324907914
|
||||
|
||||
Handling CD-ROM devices from libsas is decidedly odd, as libata
|
||||
relies on SCSI EH to be started to figure out that no medium is
|
||||
present.
|
||||
So we cannot do asynchronous aborts for SATA devices.
|
||||
|
||||
Fixes: 909657615d9 ("scsi: libsas: allow async aborts")
|
||||
Cc: <stable@vger.kernel.org> # 4.12+
|
||||
Signed-off-by: Hannes Reinecke <hare@suse.com>
|
||||
Reviewed-by: Christoph Hellwig <hch@lst.de>
|
||||
Tested-by: Yves-Alexis Perez <corsac@debian.org>
|
||||
---
|
||||
drivers/scsi/libsas/sas_scsi_host.c | 17 +++++++++++++++--
|
||||
1 file changed, 15 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/scsi/libsas/sas_scsi_host.c b/drivers/scsi/libsas/sas_scsi_host.c
|
||||
index 58476b728c57..c9406852c3e9 100644
|
||||
--- a/drivers/scsi/libsas/sas_scsi_host.c
|
||||
+++ b/drivers/scsi/libsas/sas_scsi_host.c
|
||||
@@ -486,15 +486,28 @@ static int sas_queue_reset(struct domain_device *dev, int reset_type,
|
||||
|
||||
int sas_eh_abort_handler(struct scsi_cmnd *cmd)
|
||||
{
|
||||
- int res;
|
||||
+ int res = TMF_RESP_FUNC_FAILED;
|
||||
struct sas_task *task = TO_SAS_TASK(cmd);
|
||||
struct Scsi_Host *host = cmd->device->host;
|
||||
+ struct domain_device *dev = cmd_to_domain_dev(cmd);
|
||||
struct sas_internal *i = to_sas_internal(host->transportt);
|
||||
+ unsigned long flags;
|
||||
|
||||
if (!i->dft->lldd_abort_task)
|
||||
return FAILED;
|
||||
|
||||
- res = i->dft->lldd_abort_task(task);
|
||||
+ spin_lock_irqsave(host->host_lock, flags);
|
||||
+ /* We cannot do async aborts for SATA devices */
|
||||
+ if (dev_is_sata(dev) && !host->host_eh_scheduled) {
|
||||
+ spin_unlock_irqrestore(host->host_lock, flags);
|
||||
+ return FAILED;
|
||||
+ }
|
||||
+ spin_unlock_irqrestore(host->host_lock, flags);
|
||||
+
|
||||
+ if (task)
|
||||
+ res = i->dft->lldd_abort_task(task);
|
||||
+ else
|
||||
+ SAS_DPRINTK("no task to abort\n");
|
||||
if (res == TMF_RESP_FUNC_SUCC || res == TMF_RESP_FUNC_COMPLETE)
|
||||
return SUCCESS;
|
||||
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -81,8 +81,6 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
|
|||
bugfix/all/i40e-i40evf-organize-and-re-number-feature-flags.patch
|
||||
bugfix/all/i40e-fix-flags-declaration.patch
|
||||
bugfix/all/xen-time-do-not-decrease-steal-time-after-live-migra.patch
|
||||
bugfix/all/libsas-Disable-asynchronous-aborts-for-SATA-devices.patch
|
||||
bugfix/all/drm-nouveau-disp-gf119-add-missing-drive-vfunc-ptr.patch
|
||||
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
|
||||
|
||||
# Miscellaneous features
|
||||
|
@ -126,7 +124,6 @@ bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
|
|||
bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
|
||||
bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
|
||||
bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
|
||||
bugfix/all/alsa-seq-make-ioctls-race-free.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue