Update to 4.14.15

2018-01-28 14:29:41 +01:00 · 2018-01-28 14:29:41 +01:00 · 3a81855475
parent 893c189290
commit 3a81855475
5 changed files with 89 additions and 173 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,4 +1,4 @@
-linux (4.14.14-1) UNRELEASED; urgency=medium
+linux (4.14.15-1) UNRELEASED; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.14
@ -108,10 +108,97 @@ linux (4.14.14-1) UNRELEASED; urgency=medium
    - [x86] retpoline: Fill return stack buffer on vmexit
    - [x86] pti: Fix !PCID and sanitize defines
    - [x86] perf: Disable intel_bts when PTI
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.15
+    - tools/objtool/Makefile: don't assume sync-check.sh is executable
+    - objtool: Fix seg fault with clang-compiled objects
+    - objtool: Fix Clang enum conversion warning
+    - objtool: Fix seg fault caused by missing parameter
+    - [powerpc*] pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
+    - [powerpc*] 64: Add macros for annotating the destination of rfid/hrfid
+    - [powerpc*] 64s: Simple RFI macro conversions
+    - [powerpc*] 64: Convert the syscall exit path to use RFI_TO_USER/KERNEL
+    - [powerpc*] 64: Convert fast_exception_return to use RFI_TO_USER/KERNEL
+    - [powerpc*] 64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL
+    - [powerpc*] 64s: Add support for RFI flush of L1-D cache
+    - [powerpc*] 64s: Support disabling RFI flush with no_rfi_flush and nopti
+    - [powerpc*] pseries: Query hypervisor for RFI flush settings
+    - [powerpc*] powernv: Check device-tree for RFI flush settings
+    - futex: Avoid violating the 10th rule of futex
+    - futex: Prevent overflow by strengthen input validation
+    - ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
+    - ALSA: pcm: Remove yet superfluous WARN_ON()
+    - ALSA: hda - Apply headphone noise quirk for another Dell XPS 13 variant
+    - ALSA: hda - Apply the existing quirk to iMac 14,1
+    - IB/hfi1: Prevent a NULL dereference
+    - RDMA/mlx5: Fix out-of-bound access while querying AH
+    - timers: Unconditionally check deferrable base
+    - af_key: fix buffer overread in verify_address_len()
+    - af_key: fix buffer overread in parse_exthdrs()
+    - iser-target: Fix possible use-after-free in connection establishment
+      error
+    - delayacct: Account blkio completion on the correct task
+    - objtool: Fix seg fault with gold linker
+    - [armhf] mmc: sdhci-esdhc-imx: Fix i.MX53 eSDHCv3 clock
+    - [x86] kasan: Panic if there is not enough memory to boot
+    - [x86] retpoline: Fill RSB on context switch for affected CPUs
+    - [x86] retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
+    - objtool: Improve error message for bad file argument
+    - [x86] cpufeature: Move processor tracing out of scattered features
+    - module: Add retpoline tag to VERMAGIC
+    - [x86] intel_rdt/cqm: Prevent use after free
+    - [x86] mm/pkeys: Fix fill_sig_info_pkey
+    - [x86] idt: Mark IDT tables __initconst
+    - [x86] tsc: Future-proof native_calibrate_tsc()
+    - [x86] tsc: Fix erroneous TSC rate on Skylake Xeon
+    - pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
+    - [x86] apic/vector: Fix off by one in error path
+    - [x86] mm: Clean up register saving in the __enc_copy() assembly code
+    - [x86] mm: Use a struct to reduce parameters for SME PGD mapping
+    - [x86] mm: Centralize PMD flags in sme_encrypt_kernel()
+    - [x86] mm: Prepare sme_encrypt_kernel() for PAGE aligned encryption
+    - [armhf] OMAP3: hwmod_data: add missing module_offs for MMC3
+    - [x86] mm: Encrypt the initrd earlier for BSP microcode update
+    - Input: ALPS - fix multi-touch decoding on SS4 plus touchpads
+    - Input: synaptics-rmi4 - prevent UAF reported by KASAN
+    - [armhf] Input: twl6040-vibra - fix child-node lookup
+    - [armhf] Input: twl4030-vibra - fix sibling-node lookup
+    - tracing: Fix converting enum's from the map in trace_event_eval_update()
+    - phy: work around 'phys' references to usb-nop-xceiv devices
+    - [arm64] dts: marvell: armada-cp110: Fix clock resources for various node
+    - [armhf] sunxi_defconfig: Enable CMA
+    - [armel] dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
+    - can: peak: fix potential bug in packet fragmentation
+    - can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
+    - can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
+    - i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
+    - proc: fix coredump vs read /proc/*/stat race
+    - libata: apply MAX_SEC_1024 to all LITEON EP1 series devices
+    - workqueue: avoid hard lockups in show_workqueue_state()
+    - [x86] drm/vmwgfx: fix memory corruption with legacy/sou connectors
+    - dm btree: fix serious bug in btree_split_beneath()
+    - dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
+    - dm integrity: don't store cipher request on the stack
+    - dm crypt: fix crash by adding missing check for auth key size
+    - dm crypt: wipe kernel key copy after IV initialization
+    - dm crypt: fix error return code in crypt_ctr()
+    - [x86] x86: Use __nostackprotect for sme_encrypt_kernel
+    - [alpha] PCI: Fix noname IRQ level detection
+    - [mips*] CM: Drop WARN_ON(vp != 0)
+    - [arm*] KVM: Check pagesize when allocating a hugepage at Stage 2
+    - [arm64] KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
+    - [x86] mce: Make machine check speculation protected
+    - retpoline: Introduce start/end markers of indirect thunk
+    - [x86] kprobes: Blacklist indirect thunk functions for kprobes
+    - [x86] kprobes: Disable optimizing on the function jumps to indirect
+      thunk
+    - [x86] retpoline: Optimize inline assembler for vmexit_fill_RSB
+    - [x86] mm: Rework wbinvd, hlt operation in stop_this_cpu()
+    - mm, page_vma_mapped: Drop faulty pointer arithmetics in check_pte()
+    - [arm64, armhf] net: mvpp2: do not disable GMAC padding
+    - [mips]: AR7: ensure the port type's FCR value is used

  [ Salvatore Bonaccorso ]
  * loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
-  * ALSA: seq: Make ioctls race-free (CVE-2018-1000004)

  [ Ben Hutchings ]
  * bpf: Avoid ABI change in 4.14.14
--- a/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch
+++ b/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch
@ -1,64 +0,0 @@
-From: Takashi Iwai <tiwai@suse.de>
-Date: Tue, 9 Jan 2018 23:11:03 +0100
-Subject: ALSA: seq: Make ioctls race-free
-Origin: https://git.kernel.org/linus/b3defb791b26ea0683a93a4f49c77ec45ec96f10
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000004
-
-The ALSA sequencer ioctls have no protection against racy calls while
-the concurrent operations may lead to interfere with each other.  As
-reported recently, for example, the concurrent calls of setting client
-pool with a combination of write calls may lead to either the
-unkillable dead-lock or UAF.
-
-As a slightly big hammer solution, this patch introduces the mutex to
-make each ioctl exclusive.  Although this may reduce performance via
-parallel ioctl calls, usually it's not demanded for sequencer usages,
-hence it should be negligible.
-
-Reported-by: Luo Quan <a4651386@163.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
- sound/core/seq/seq_clientmgr.c | 3 +++
- sound/core/seq/seq_clientmgr.h | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index 6e22eea72654..d01913404581 100644
--- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize)
- 	rwlock_init(&client->ports_lock);
- 	mutex_init(&client->ports_mutex);
- 	INIT_LIST_HEAD(&client->ports_list_head);
-+	mutex_init(&client->ioctl_mutex);
- 
- 	/* find free slot in the client table */
- 	spin_lock_irqsave(&clients_lock, flags);
-@@ -2130,7 +2131,9 @@ static long snd_seq_ioctl(struct file *file, unsigned int cmd,
- 			return -EFAULT;
- 	}
- 
-+	mutex_lock(&client->ioctl_mutex);
- 	err = handler->func(client, &buf);
-+	mutex_unlock(&client->ioctl_mutex);
- 	if (err >= 0) {
- 		/* Some commands includes a bug in 'dir' field. */
- 		if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT ||
-diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h
-index c6614254ef8a..0611e1e0ed5b 100644
--- a/sound/core/seq/seq_clientmgr.h
-+++ b/sound/core/seq/seq_clientmgr.h
-@@ -61,6 +61,7 @@ struct snd_seq_client {
- 	struct list_head ports_list_head;
- 	rwlock_t ports_lock;
- 	struct mutex ports_mutex;
-+	struct mutex ioctl_mutex;
- 	int convert32;		/* convert 32->64bit */
- 
- 	/* output pool */
-- 
-2.11.0
-
--- a/debian/patches/bugfix/all/drm-nouveau-disp-gf119-add-missing-drive-vfunc-ptr.patch
+++ b/debian/patches/bugfix/all/drm-nouveau-disp-gf119-add-missing-drive-vfunc-ptr.patch
@ -1,47 +0,0 @@
-From: Rob Clark <robdclark@gmail.com>
-Date: Sat, 6 Jan 2018 10:59:41 -0500
-Subject: drm/nouveau/disp/gf119: add missing drive vfunc ptr
-Origin: https://git.kernel.org/linus/1b5c7ef3d0d0610bda9b63263f7c5b7178d11015
-Bug-Debian: https://bugs.debian.org/880660
-
-Fixes broken dp on GF119:
-
-  Call Trace:
-   ? nvkm_dp_train_drive+0x183/0x2c0 [nouveau]
-   nvkm_dp_acquire+0x4f3/0xcd0 [nouveau]
-   nv50_disp_super_2_2+0x5d/0x470 [nouveau]
-   ? nvkm_devinit_pll_set+0xf/0x20 [nouveau]
-   gf119_disp_super+0x19c/0x2f0 [nouveau]
-   process_one_work+0x193/0x3c0
-   worker_thread+0x35/0x3b0
-   kthread+0x125/0x140
-   ? process_one_work+0x3c0/0x3c0
-   ? kthread_park+0x60/0x60
-   ret_from_fork+0x25/0x30
-  Code:  Bad RIP value.
-  RIP:           (null) RSP: ffffb1e243e4bc38
-  CR2: 0000000000000000
-
-Fixes: af85389c614a drm/nouveau/disp: shuffle functions around
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103421
-Signed-off-by: Rob Clark <robdclark@gmail.com>
-Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
---
- drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
-index a2978a37b4f3..700fc754f28a 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
-+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
-@@ -174,6 +174,7 @@ gf119_sor = {
- 		.links = gf119_sor_dp_links,
- 		.power = g94_sor_dp_power,
- 		.pattern = gf119_sor_dp_pattern,
-+		.drive = gf119_sor_dp_drive,
- 		.vcpi = gf119_sor_dp_vcpi,
- 		.audio = gf119_sor_dp_audio,
- 		.audio_sym = gf119_sor_dp_audio_sym,
-- 
-2.15.1
-
--- a/debian/patches/bugfix/all/libsas-Disable-asynchronous-aborts-for-SATA-devices.patch
+++ b/debian/patches/bugfix/all/libsas-Disable-asynchronous-aborts-for-SATA-devices.patch
@ -1,57 +0,0 @@
-From: Hannes Reinecke <hare@suse.de>
-Date: Wed, 10 Jan 2018 08:34:02 +0100
-Subject: Disable asynchronous aborts for SATA devices
-Origin: https://marc.info/?l=linux-scsi&m=151557324907914
-
-Handling CD-ROM devices from libsas is decidedly odd, as libata
-relies on SCSI EH to be started to figure out that no medium is
-present.
-So we cannot do asynchronous aborts for SATA devices.
-
-Fixes: 909657615d9 ("scsi: libsas: allow async aborts")
-Cc: <stable@vger.kernel.org> # 4.12+
-Signed-off-by: Hannes Reinecke <hare@suse.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Tested-by: Yves-Alexis Perez <corsac@debian.org>
---
- drivers/scsi/libsas/sas_scsi_host.c | 17 +++++++++++++++--
- 1 file changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/libsas/sas_scsi_host.c b/drivers/scsi/libsas/sas_scsi_host.c
-index 58476b728c57..c9406852c3e9 100644
--- a/drivers/scsi/libsas/sas_scsi_host.c
-+++ b/drivers/scsi/libsas/sas_scsi_host.c
-@@ -486,15 +486,28 @@ static int sas_queue_reset(struct domain_device *dev, int reset_type,
- 
- int sas_eh_abort_handler(struct scsi_cmnd *cmd)
- {
-	int res;
-+	int res = TMF_RESP_FUNC_FAILED;
- 	struct sas_task *task = TO_SAS_TASK(cmd);
- 	struct Scsi_Host *host = cmd->device->host;
-+	struct domain_device *dev = cmd_to_domain_dev(cmd);
- 	struct sas_internal *i = to_sas_internal(host->transportt);
-+	unsigned long flags;
- 
- 	if (!i->dft->lldd_abort_task)
- 		return FAILED;
- 
-	res = i->dft->lldd_abort_task(task);
-+	spin_lock_irqsave(host->host_lock, flags);
-+	/* We cannot do async aborts for SATA devices */
-+	if (dev_is_sata(dev) && !host->host_eh_scheduled) {
-+		spin_unlock_irqrestore(host->host_lock, flags);
-+		return FAILED;
-+	}
-+	spin_unlock_irqrestore(host->host_lock, flags);
-+
-+	if (task)
-+		res = i->dft->lldd_abort_task(task);
-+	else
-+		SAS_DPRINTK("no task to abort\n");
- 	if (res == TMF_RESP_FUNC_SUCC || res == TMF_RESP_FUNC_COMPLETE)
- 		return SUCCESS;
- 
-- 
-2.11.0
-
--- a/debian/patches/series
+++ b/debian/patches/series
@ -81,8 +81,6 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 bugfix/all/i40e-i40evf-organize-and-re-number-feature-flags.patch
 bugfix/all/i40e-fix-flags-declaration.patch
 bugfix/all/xen-time-do-not-decrease-steal-time-after-live-migra.patch
-bugfix/all/libsas-Disable-asynchronous-aborts-for-SATA-devices.patch
-bugfix/all/drm-nouveau-disp-gf119-add-missing-drive-vfunc-ptr.patch
 debian/revert-objtool-fix-config_stack_validation-y-warning.patch

 # Miscellaneous features
@ -126,7 +124,6 @@ bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
 bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
 bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
 bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
-bugfix/all/alsa-seq-make-ioctls-race-free.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch