From 3a8185547513c05e20b7219da0c35db837fd4cf1 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Sun, 28 Jan 2018 14:29:41 +0100
Subject: [PATCH] Update to 4.14.15
---
 debian/changelog | 91 ++++++++++++++++++-
 .../all/alsa-seq-make-ioctls-race-free.patch | 64 -------------
 ...sp-gf119-add-missing-drive-vfunc-ptr.patch | 47 ----------
 ...asynchronous-aborts-for-SATA-devices.patch | 57 ------------
 debian/patches/series | 3 -
 5 files changed, 89 insertions(+), 173 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch
 delete mode 100644 debian/patches/bugfix/all/drm-nouveau-disp-gf119-add-missing-drive-vfunc-ptr.patch
 delete mode 100644 debian/patches/bugfix/all/libsas-Disable-asynchronous-aborts-for-SATA-devices.patch
diff --git a/debian/changelog b/debian/changelog
index bb64f2203..7491a2763 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.14.14-1) UNRELEASED; urgency=medium
+linux (4.14.15-1) UNRELEASED; urgency=medium
 * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.14
@@ -108,10 +108,97 @@ linux (4.14.14-1) UNRELEASED; urgency=medium
 - [x86] retpoline: Fill return stack buffer on vmexit
 - [x86] pti: Fix !PCID and sanitize defines
 - [x86] perf: Disable intel_bts when PTI
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.15
+ - tools/objtool/Makefile: don't assume sync-check.sh is executable
+ - objtool: Fix seg fault with clang-compiled objects
+ - objtool: Fix Clang enum conversion warning
+ - objtool: Fix seg fault caused by missing parameter
+ - [powerpc*] pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
+ - [powerpc*] 64: Add macros for annotating the destination of rfid/hrfid
+ - [powerpc*] 64s: Simple RFI macro conversions
+ - [powerpc*] 64: Convert the syscall exit path to use RFI_TO_USER/KERNEL
+ - [powerpc*] 64: Convert fast_exception_return to use RFI_TO_USER/KERNEL
+ - [powerpc*] 64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL
+ - [powerpc*] 64s: Add support for RFI flush of L1-D cache
+ - [powerpc*] 64s: Support disabling RFI flush with no_rfi_flush and nopti
+ - [powerpc*] pseries: Query hypervisor for RFI flush settings
+ - [powerpc*] powernv: Check device-tree for RFI flush settings
+ - futex: Avoid violating the 10th rule of futex
+ - futex: Prevent overflow by strengthen input validation
+ - ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
+ - ALSA: pcm: Remove yet superfluous WARN_ON()
+ - ALSA: hda - Apply headphone noise quirk for another Dell XPS 13 variant
+ - ALSA: hda - Apply the existing quirk to iMac 14,1
+ - IB/hfi1: Prevent a NULL dereference
+ - RDMA/mlx5: Fix out-of-bound access while querying AH
+ - timers: Unconditionally check deferrable base
+ - af_key: fix buffer overread in verify_address_len()
+ - af_key: fix buffer overread in parse_exthdrs()
+ - iser-target: Fix possible use-after-free in connection establishment
+ error
+ - delayacct: Account blkio completion on the correct task
+ - objtool: Fix seg fault with gold linker
+ - [armhf] mmc: sdhci-esdhc-imx: Fix i.MX53 eSDHCv3 clock
+ - [x86] kasan: Panic if there is not enough memory to boot
+ - [x86] retpoline: Fill RSB on context switch for affected CPUs
+ - [x86] retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
+ - objtool: Improve error message for bad file argument
+ - [x86] cpufeature: Move processor tracing out of scattered features
+ - module: Add retpoline tag to VERMAGIC
+ - [x86] intel_rdt/cqm: Prevent use after free
+ - [x86] mm/pkeys: Fix fill_sig_info_pkey
+ - [x86] idt: Mark IDT tables __initconst
+ - [x86] tsc: Future-proof native_calibrate_tsc()
+ - [x86] tsc: Fix erroneous TSC rate on Skylake Xeon
+ - pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
+ - [x86] apic/vector: Fix off by one in error path
+ - [x86] mm: Clean up register saving in the __enc_copy() assembly code
+ - [x86] mm: Use a struct to reduce parameters for SME PGD mapping
+ - [x86] mm: Centralize PMD flags in sme_encrypt_kernel()
+ - [x86] mm: Prepare sme_encrypt_kernel() for PAGE aligned encryption
+ - [armhf] OMAP3: hwmod_data: add missing module_offs for MMC3
+ - [x86] mm: Encrypt the initrd earlier for BSP microcode update
+ - Input: ALPS - fix multi-touch decoding on SS4 plus touchpads
+ - Input: synaptics-rmi4 - prevent UAF reported by KASAN
+ - [armhf] Input: twl6040-vibra - fix child-node lookup
+ - [armhf] Input: twl4030-vibra - fix sibling-node lookup
+ - tracing: Fix converting enum's from the map in trace_event_eval_update()
+ - phy: work around 'phys' references to usb-nop-xceiv devices
+ - [arm64] dts: marvell: armada-cp110: Fix clock resources for various node
+ - [armhf] sunxi_defconfig: Enable CMA
+ - [armel] dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
+ - can: peak: fix potential bug in packet fragmentation
+ - can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
+ - can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
+ - i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
+ - proc: fix coredump vs read /proc/*/stat race
+ - libata: apply MAX_SEC_1024 to all LITEON EP1 series devices
+ - workqueue: avoid hard lockups in show_workqueue_state()
+ - [x86] drm/vmwgfx: fix memory corruption with legacy/sou connectors
+ - dm btree: fix serious bug in btree_split_beneath()
+ - dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
+ - dm integrity: don't store cipher request on the stack
+ - dm crypt: fix crash by adding missing check for auth key size
+ - dm crypt: wipe kernel key copy after IV initialization
+ - dm crypt: fix error return code in crypt_ctr()
+ - [x86] x86: Use __nostackprotect for sme_encrypt_kernel
+ - [alpha] PCI: Fix noname IRQ level detection
+ - [mips*] CM: Drop WARN_ON(vp != 0)
+ - [arm*] KVM: Check pagesize when allocating a hugepage at Stage 2
+ - [arm64] KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
+ - [x86] mce: Make machine check speculation protected
+ - retpoline: Introduce start/end markers of indirect thunk
+ - [x86] kprobes: Blacklist indirect thunk functions for kprobes
+ - [x86] kprobes: Disable optimizing on the function jumps to indirect
+ thunk
+ - [x86] retpoline: Optimize inline assembler for vmexit_fill_RSB
+ - [x86] mm: Rework wbinvd, hlt operation in stop_this_cpu()
+ - mm, page_vma_mapped: Drop faulty pointer arithmetics in check_pte()
+ - [arm64, armhf] net: mvpp2: do not disable GMAC padding
+ - [mips]: AR7: ensure the port type's FCR value is used
 [ Salvatore Bonaccorso ]
 * loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
- * ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
 [ Ben Hutchings ]
 * bpf: Avoid ABI change in 4.14.14
diff --git a/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch b/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch
deleted file mode 100644
index 9f3b21507..000000000
--- a/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From: Takashi Iwai
-Date: Tue, 9 Jan 2018 23:11:03 +0100
-Subject: ALSA: seq: Make ioctls race-free
-Origin: https://git.kernel.org/linus/b3defb791b26ea0683a93a4f49c77ec45ec96f10
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000004
-
-The ALSA sequencer ioctls have no protection against racy calls while
-the concurrent operations may lead to interfere with each other. As
-reported recently, for example, the concurrent calls of setting client
-pool with a combination of write calls may lead to either the
-unkillable dead-lock or UAF.
-
-As a slightly big hammer solution, this patch introduces the mutex to
-make each ioctl exclusive. Although this may reduce performance via
-parallel ioctl calls, usually it's not demanded for sequencer usages,
-hence it should be negligible.
-
-Reported-by: Luo Quan
-Reviewed-by: Kees Cook
-Reviewed-by: Greg Kroah-Hartman
-Cc:
-Signed-off-by: Takashi Iwai
----
- sound/core/seq/seq_clientmgr.c | 3 +++
- sound/core/seq/seq_clientmgr.h | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index 6e22eea72654..d01913404581 100644
---- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize)
- rwlock_init(&client->ports_lock);
- mutex_init(&client->ports_mutex);
- INIT_LIST_HEAD(&client->ports_list_head);
-+ mutex_init(&client->ioctl_mutex);
-
- /* find free slot in the client table */
- spin_lock_irqsave(&clients_lock, flags);
-@@ -2130,7 +2131,9 @@ static long snd_seq_ioctl(struct file *file, unsigned int cmd,
- return -EFAULT;
- }
-
-+ mutex_lock(&client->ioctl_mutex);
- err = handler->func(client, &buf);
-+ mutex_unlock(&client->ioctl_mutex);
- if (err >= 0) {
- /* Some commands includes a bug in 'dir' field. */
- if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT ||
-diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h
-index c6614254ef8a..0611e1e0ed5b 100644
---- a/sound/core/seq/seq_clientmgr.h
-+++ b/sound/core/seq/seq_clientmgr.h
-@@ -61,6 +61,7 @@ struct snd_seq_client {
- struct list_head ports_list_head;
- rwlock_t ports_lock;
- struct mutex ports_mutex;
-+ struct mutex ioctl_mutex;
- int convert32; /* convert 32->64bit */
-
- /* output pool */
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/drm-nouveau-disp-gf119-add-missing-drive-vfunc-ptr.patch b/debian/patches/bugfix/all/drm-nouveau-disp-gf119-add-missing-drive-vfunc-ptr.patch
deleted file mode 100644
index 8ede212fb..000000000
--- a/debian/patches/bugfix/all/drm-nouveau-disp-gf119-add-missing-drive-vfunc-ptr.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Rob Clark
-Date: Sat, 6 Jan 2018 10:59:41 -0500
-Subject: drm/nouveau/disp/gf119: add missing drive vfunc ptr
-Origin: https://git.kernel.org/linus/1b5c7ef3d0d0610bda9b63263f7c5b7178d11015
-Bug-Debian: https://bugs.debian.org/880660
-
-Fixes broken dp on GF119:
-
- Call Trace:
- ? nvkm_dp_train_drive+0x183/0x2c0 [nouveau]
- nvkm_dp_acquire+0x4f3/0xcd0 [nouveau]
- nv50_disp_super_2_2+0x5d/0x470 [nouveau]
- ? nvkm_devinit_pll_set+0xf/0x20 [nouveau]
- gf119_disp_super+0x19c/0x2f0 [nouveau]
- process_one_work+0x193/0x3c0
- worker_thread+0x35/0x3b0
- kthread+0x125/0x140
- ? process_one_work+0x3c0/0x3c0
- ? kthread_park+0x60/0x60
- ret_from_fork+0x25/0x30
- Code: Bad RIP value.
- RIP: (null) RSP: ffffb1e243e4bc38
- CR2: 0000000000000000
-
-Fixes: af85389c614a drm/nouveau/disp: shuffle functions around
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103421
-Signed-off-by: Rob Clark
-Signed-off-by: Ben Skeggs
----
- drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
-index a2978a37b4f3..700fc754f28a 100644
---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
-+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
-@@ -174,6 +174,7 @@ gf119_sor = {
- .links = gf119_sor_dp_links,
- .power = g94_sor_dp_power,
- .pattern = gf119_sor_dp_pattern,
-+ .drive = gf119_sor_dp_drive,
- .vcpi = gf119_sor_dp_vcpi,
- .audio = gf119_sor_dp_audio,
- .audio_sym = gf119_sor_dp_audio_sym,
---
-2.15.1
-
diff --git a/debian/patches/bugfix/all/libsas-Disable-asynchronous-aborts-for-SATA-devices.patch b/debian/patches/bugfix/all/libsas-Disable-asynchronous-aborts-for-SATA-devices.patch
deleted file mode 100644
index 797c13a4a..000000000
--- a/debian/patches/bugfix/all/libsas-Disable-asynchronous-aborts-for-SATA-devices.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: Hannes Reinecke
-Date: Wed, 10 Jan 2018 08:34:02 +0100
-Subject: Disable asynchronous aborts for SATA devices
-Origin: https://marc.info/?l=linux-scsi&m=151557324907914
-
-Handling CD-ROM devices from libsas is decidedly odd, as libata
-relies on SCSI EH to be started to figure out that no medium is
-present.
-So we cannot do asynchronous aborts for SATA devices.
-
-Fixes: 909657615d9 ("scsi: libsas: allow async aborts")
-Cc: # 4.12+
-Signed-off-by: Hannes Reinecke
-Reviewed-by: Christoph Hellwig
-Tested-by: Yves-Alexis Perez
----
- drivers/scsi/libsas/sas_scsi_host.c | 17 +++++++++++++++--
- 1 file changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/libsas/sas_scsi_host.c b/drivers/scsi/libsas/sas_scsi_host.c
-index 58476b728c57..c9406852c3e9 100644
---- a/drivers/scsi/libsas/sas_scsi_host.c
-+++ b/drivers/scsi/libsas/sas_scsi_host.c
-@@ -486,15 +486,28 @@ static int sas_queue_reset(struct domain_device *dev, int reset_type,
-
- int sas_eh_abort_handler(struct scsi_cmnd *cmd)
- {
-- int res;
-+ int res = TMF_RESP_FUNC_FAILED;
- struct sas_task *task = TO_SAS_TASK(cmd);
- struct Scsi_Host *host = cmd->device->host;
-+ struct domain_device *dev = cmd_to_domain_dev(cmd);
- struct sas_internal *i = to_sas_internal(host->transportt);
-+ unsigned long flags;
-
- if (!i->dft->lldd_abort_task)
- return FAILED;
-
-- res = i->dft->lldd_abort_task(task);
-+ spin_lock_irqsave(host->host_lock, flags);
-+ /* We cannot do async aborts for SATA devices */
-+ if (dev_is_sata(dev) && !host->host_eh_scheduled) {
-+ spin_unlock_irqrestore(host->host_lock, flags);
-+ return FAILED;
-+ }
-+ spin_unlock_irqrestore(host->host_lock, flags);
-+
-+ if (task)
-+ res = i->dft->lldd_abort_task(task);
-+ else
-+ SAS_DPRINTK("no task to abort\n");
- if (res == TMF_RESP_FUNC_SUCC || res == TMF_RESP_FUNC_COMPLETE)
- return SUCCESS;
-
---
-2.11.0
-
diff --git a/debian/patches/series b/debian/patches/series
index 968622e91..8dc50c625 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -81,8 +81,6 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 bugfix/all/i40e-i40evf-organize-and-re-number-feature-flags.patch
 bugfix/all/i40e-fix-flags-declaration.patch
 bugfix/all/xen-time-do-not-decrease-steal-time-after-live-migra.patch
-bugfix/all/libsas-Disable-asynchronous-aborts-for-SATA-devices.patch
-bugfix/all/drm-nouveau-disp-gf119-add-missing-drive-vfunc-ptr.patch
 debian/revert-objtool-fix-config_stack_validation-y-warning.patch
 # Miscellaneous features
@@ -126,7 +124,6 @@ bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
 bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
 bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
 bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
-bugfix/all/alsa-seq-make-ioctls-race-free.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch